[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
                 IDENTITY THEFT: VICTIMS BILL OF RIGHTS 

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 17, 2009

                               __________

                           Serial No. 111-21

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                     http://www.oversight.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

53-643 PDF                       WASHINGTON : 2010 


              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
JOHN F. TIERNEY, Massachusetts       MARK E. SOUDER, Indiana
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      LYNN A. WESTMORELAND, Georgia
JIM COOPER, Tennessee                PATRICK T. McHENRY, North Carolina
GERRY E. CONNOLLY, Virginia          BRIAN P. BILBRAY, California
MIKE QUIGLEY, Illinois               JIM JORDAN, Ohio
MARCY KAPTUR, Ohio                   JEFF FLAKE, Arizona
ELEANOR HOLMES NORTON, District of   JEFF FORTENBERRY, Nebraska
    Columbia                         JASON CHAFFETZ, Utah
PATRICK J. KENNEDY, Rhode Island     AARON SCHOCK, Illinois
DANNY K. DAVIS, Illinois             ------ ------
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
------ ------

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      PATRICK T. McHENRY, North Carolina
CAROLYN B. MALONEY, New York         LYNN A. WESTMORELAND, Georgia
ELEANOR HOLMES NORTON, District of   JOHN L. MICA, Florida
    Columbia                         JASON CHAFFETZ, Utah
DANNY K. DAVIS, Illinois
STEVE DRIEHAUS, Ohio
DIANE E. WATSON, California
                     Darryl Piggee, Staff Director

                            C O N T E N T S

                              ----------                              
Hearing held on June 17, 2009
Statement of:
    Allen, Catherine, chairman and CEO, the Santa Fe Group; Marc 
      Rotenberg, executive director, Electronic Privacy 
      Information Center; Donald Rebovich, executive director, 
      Center for Identity Management and Information Protection; 
      Anne Wallace, president, Identity Theft Assistance Corp.; 
      and Eric Handy, representative, Identity Theft Resource 
      Center
        Allen, Catherine
        Handy, Eric
        Rebovich, Donald
        Rotenberg, Marc
        Wallace, Anne
    Broder, Betsy, Assistant Director, Federal Trade Commission, 
      Division of Privacy and Identity Protection; Jason M. 
      Weinstein, U.S. Department of Justice, Deputy Assistant 
      Attorney General, Criminal Division; and Daniel Bertoni, 
      Government Accountability Office, Director, Education, 
      Workforce and Income Security
        Bertoni, Daniel
        Broder, Betsy
        Weinstein, Jason M.
Letters, statements, etc., submitted for the record by:
    Allen, Catherine, chairman and CEO, the Santa Fe Group, 
      prepared statement of
    Bertoni, Daniel, Government Accountability Office, Director, 
      Education, Workforce and Income Security, prepared 
      statement of
    Broder, Betsy, Assistant Director, Federal Trade Commission, 
      Division of Privacy and Identity Protection, prepared 
      statement of
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of
    Handy, Eric, representative, Identity Theft Resource Center, 
      prepared statement of
    McHenry, Hon. Patrick T., a Representative in Congress from 
      the State of North Carolina, prepared statement of
    Rebovich, Donald, executive director, Center for Identity 
      Management and Information Protection, prepared statement 
      of
    Rotenberg, Marc, executive director, Electronic Privacy 
      Information Center, prepared statement of
    Wallace, Anne, president, Identity Theft Assistance Corp., 
      prepared statement of
    Watson, Hon. Diane E., a Representative in Congress from the 
      State of California, prepared statement of
    Weinstein, Jason M., U.S. Department of Justice, Deputy 
      Assistant Attorney General, Criminal Division, prepared 
      statement of


                 IDENTITY THEFT: VICTIMS BILL OF RIGHTS

                              ----------                              


                        WEDNESDAY, JUNE 17, 2009

                  House of Representatives,
   Subcommittee on Information Policy, Census, and 
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:03 p.m., in 
room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay 
(chairman of the subcommittee) presiding.
    Present: Representatives Clay, Driehaus, Watson, and 
McHenry.
    Staff present: Darryl Piggee, staff director/counsel; Frank 
Davis, professional staff member; Jean Gosa, clerk; Charisma 
Williams, staff assistant; Adam Hodge, deputy press secretary, 
full committee; Dan Blankenburg, minority director of outreach 
and senior advisor; Adam Fromm, minority chief clerk and Member 
liaison; Stephen Castor, minority senior counsel; and John 
Ohly, minority professional staff member.
    Mr. Clay. The Information Policy, Census, and National 
Archives Subcommittee will come to order. Good afternoon, and 
welcome to today's hearing entitled, ``Identity Theft: A 
Victims Bill of Rights.'' Today's hearing will examine identity 
theft and its impact on victims.
    On our first panel we will hear from government witnesses 
who will testify about how the Federal Government addresses 
identity theft. Our second panel comes from outside the 
government, and they will tell us about their experience with 
and research on identity theft. Both panels will offer 
recommendations that they believe will improve current 
assistance programs to victims and discourage identity theft.
    And without objection, the Chair and ranking member will 
have 5 minutes to make opening statements followed by opening 
statements not to exceed 3 minutes by any other Member who 
seeks recognition.
    Without objection, Members and witnesses may have 5 
legislative days to submit a written statement or extraneous 
materials for the record.
    The purpose of today's hearing is to examine actions the 
Federal Government has taken to address the problem of identity 
theft and how to provide protection to victims. We will 
consider many important topics today, including current and 
emerging issues on identity theft, how to improve both public 
and private assistance efforts to victims of identity theft, 
and how to increase prosecution and deterrence of identity 
thieves.
    According to recent studies, identity theft affected nearly 
10 million Americans in 2008 alone, an increase of 22 percent 
from 2007. It is estimated that the average costs to consumers 
and businesses top $49 billion. Identity theft is now the No. 1 
consumer complaint received by the Federal Trade Commission, 
accounting for 26 percent of all complaints received from 
consumers in 2008.
    Identity theft is not a victimless crime. There are many 
victims of identity theft, and commonly the same victim is 
targeted over and over again. Victims include 18-month-old 
children, deceased loved ones, banks, insurance companies, 
small businesses and the Federal Government. Women, Hispanic 
Americans, military personnel and Medicare recipients are most 
likely to be victims of identity theft. Secondary and tertiary 
victims of identity theft include families, employers and 
financial institutions.
    Identity theft itself includes not only financial losses, 
but also nonfinancial identity theft, such as criminal and 
medical identity theft. The identity thief uses the victim's 
identity to commit a crime or to receive medical services. Many 
times it is difficult for the victim to expunge their criminal 
and medical records from incorrect information, leading to 
false arrests or wrong diagnoses.
    Experts agree that identity theft prevention and assistance 
efforts are lagging far behind the needs of the victims. All 
identity crime victims today run into a vast number of problems 
when trying to restore their identity. And identity thieves are 
quick to overcome any obstacles set in place by legislation. 
Today this subcommittee will focus on these concerns voiced by 
the public in a collaboration to combat and prevent identity 
theft.
    I thank all of our witnesses who are appearing today and 
look forward to their testimonies.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    Mr. Clay. And now we will proceed with swearing in the 
witnesses. Let me start first by introducing our first panel.
    We will hear first from Ms. Betsy Broder, an Assistant 
Director in the Division of Privacy and Identity Protection for 
the Federal Trade Commission. In this capacity she helps 
coordinate the agency's law enforcement, research and outreach 
efforts on privacy issues, including identity theft, pretexting 
and security.
    Next we will hear from Mr. Jason Weinstein, who currently 
serves as a Deputy Assistant Attorney General in the Department 
of Justice's Criminal Division. Prior to working at the 
Department of Justice, he was an assistant U.S. attorney in the 
Southern District of New York, where he prosecuted criminal 
cases involving violent crime, gangs, public corruption and 
financial crimes. Welcome to you.
    Our last witness on the first panel is Mr. Dan Bertoni, a 
Director with GAO's Education, Workforce and Income Security 
Team. Mr. Bertoni began his career with GAO in 1989, and over 
the course of his career, he has focused on identifying and 
preventing fraud, waste and abuse in Federal programs, and has 
also developed a body of work related to identity theft.
    And thank you all for appearing before the subcommittee 
today.
    It is the policy of the Oversight and Government Reform 
Committee to swear in all witnesses before they testify. I 
would like to ask each one to please stand and raise your right 
hands.
    [Witnesses sworn.]
    Mr. Clay. Let the record reflect that the witnesses 
answered in the affirmative.
    You may be seated.
    Each of you will have 5 minutes to make an opening 
statement. Your complete written testimony will be included in 
the hearing record. The yellow light in front of you will 
indicate that it is time to sum up. The red light will indicate 
that your time has expired. Hopefully we can get through both 
panels before we are interrupted for votes.
    And we will start with you, Ms. Broder. You may proceed.

 STATEMENTS OF BETSY BRODER, ASSISTANT DIRECTOR, FEDERAL TRADE 
COMMISSION, DIVISION OF PRIVACY AND IDENTITY PROTECTION; JASON 
  M. WEINSTEIN, U.S. DEPARTMENT OF JUSTICE, DEPUTY ASSISTANT 
   ATTORNEY GENERAL, CRIMINAL DIVISION; AND DANIEL BERTONI, 
    GOVERNMENT ACCOUNTABILITY OFFICE, DIRECTOR, EDUCATION, 
                 WORKFORCE AND INCOME SECURITY

                   STATEMENT OF BETSY BRODER

    Ms. Broder. Thank you very much, Chairman Clay. I am 
Assistant Director, as you said, in the FTC Division of Privacy 
and Identity Protection.
    The written testimony that we submitted reflects the views 
of the Commission, but my oral remarks today are my own and 
don't necessarily reflect the views of the Commission or any 
Commissioner.
    Our written testimony details the approach the Commission 
has taken with respect to identity theft: Our data security, 
education and law enforcement program; our leadership; the 
President's Identity Theft Task Force; and our measures to 
improve consumer authentication.
    Right now, however, I want to focus on three specific 
areas: First, how the FTC helps consumers recover from identity 
theft; second, remedies for identity theft victims; and 
finally, the FTC's recommendation for ways to improve efforts 
on this front.
    First the Victim Assistance Program.
    Mr. Clay. Can I ask you to pull the mic closer and make 
sure it's on?
    Ms. Broder. Almost 2 million consumers----
    Mr. Clay. Is your mic on? Press the button.
    There you go. Thank you.
    Ms. Broder. I hoped that tolled the clock.
    Mr. Clay. You don't have to start over.
    Ms. Broder. And I don't intend to, sir.
    Almost 2 million consumers have turned to the Federal Trade 
Commission after they discovered that someone else has used 
their name to open up credit accounts, get a job or even obtain 
health care. Among these victims, a soldier returning from 
Afghanistan, a mother calling on behalf of her disabled child 
whose identity was stolen, and people whose government benefits 
were terminated because someone else is working in their name.
    The FTC is the Nation's one-stop shop for identity theft 
victims. We have a toll-free hotline that connects callers with 
trained counselors, who, in English or Spanish, can walk the 
consumer through the steps of recovery. On-line resources at 
ftc.gov/idtheft provide the same types of assistance, 
explaining how to set fraud alerts with the credit reporting 
agencies, how to dispute fraudulent charges or accounts, and 
how to handle debt collectors. Last year alone we helped more 
than 300,000 consumers who were victims of identity theft. In 
turn, their complaints are entered into our Consumer Sentinel 
Network, which is an on-line resource for law enforcers, with 
direct access to these 2 million complaints and other useful 
investigative resources.
    Other organizations, including ITAC that you will be 
hearing from later, also contribute data to Consumer Sentinel. 
This robust data base is the Nation's clearinghouse of identity 
theft complaints, and it is an essential tool for all 
investigative agencies that are investigating or prosecuting 
identity crimes.
    The FTC also has responded to new challenges with more 
refined tools for victims. For example, victims often need 
police reports in order to vindicate their good name. But many 
law enforcement agencies are overtaxed; they don't have 
sufficient resources to develop the kind of detailed police 
report that's necessary for recovery. The FTC identified this 
issue as a priority, so now when consumers file complaints 
with the FTC, law enforcers at over 1,700 agencies who have access 
to Consumer Sentinel can pull up that consumer's complaint, 
validate it as an identity theft report, a police report. So 
now the consumer has their police report, the police agency is 
able to greatly simplify this task for all involved.
    We've also worked closely with the IRS, which has recently 
set up a dedicated help line for victims of tax-related 
identity theft. We are launching a system to get callers 
connected to the specialized office of the IRS to resolve what 
are often very complex issues dealing with tax refunds or 
outstanding liability resulting from identity theft.
    And Commission staff coordinates with other organizations 
that can provide more individualized help when that's what's 
needed. For example, the Identity Theft Resource Center, which 
also is testifying today, is the recipient of the Department of 
Justice grant to establish a model nationwide Victim Assistance 
Program. Our call center has implemented a system to direct 
people to that office.
    The FTC also is collaborating with the American Bar 
Association to establish a program to provide pro bono 
assistance to victims of identity theft.
    Next I would like to briefly discuss some new remedies for 
identity theft victims. The FACT Act, which was passed in 2003, 
provided important tools for victims of identity theft. We are 
now all entitled to a free copy of our credit report every 12 
months from each of the credit reporting agencies. A credit 
report can offer an early warning sign that fraud is afoot. 
The FACT Act allows identity theft victims to block fraudulent 
items in trade lines on their credit reports. They can place 
fraud alerts on their credit reports and obtain documents 
relating to the fraud, such as a fraudulent application.
    This last right is particularly important because many 
victims used to find themselves in a Catch-22 where they would 
be receiving dunning notices for the fraudulently opened 
accounts, but were denied access to the forged application 
because it was submitted by another person. This provision of 
the FACT Act addresses the frustrating scenario.
    Credit freezes, identity theft passports and other tools 
also help prevent identity thieves from exploiting consumers' 
good names.
    Finally, now, I would like to mention the FTC's legislative 
recommendations that address identity theft. We have come a 
long way in building systems and processes to help identity 
theft victims, but clearly more needs to be done. The FTC is 
not a criminal enforcement agency, so we cannot prosecute the 
crime. Our partners at the Department of Justice are working 
aggressively on that front. Strong data security, locking down 
the data that identity thieves target is essential if we are to 
reduce the overall incidence of the crime. That is where we can 
exert our law enforcement muscle in areas that have direct 
impact on identity theft.
    Although the FTC has maintained a vigorous presence, 
bringing cases against companies that failed to use reasonable 
procedures to protect sensitive consumer information, we could 
have an even greater impact if the Commission could assess 
several penalties for such violations. The Commission also has 
called for nationwide data-security standards for entities that 
are not already subject to such laws, as well as the national 
breach notification law.
    And finally, the Commission has recommended improved 
consumer authentication as well as restrictions on the display 
and transmission of Social Security numbers as part of a 
comprehensive approach to reducing the use of Social Security 
numbers in the commission of an identity theft.
    Chairman Clay, members of the committee, victims of 
identity theft often suffer harms that can endure for years. 
Although there are now more effective tools to respond to this 
crime, victims still face challenges in putting their lives 
back together. The FTC remains committed to working with 
victims.
    Thank you very much.
    Mr. Clay. Thank you, Ms. Broder, for your testimony.
    [The prepared statement of Ms. Broder follows:]

    Mr. Clay. Mr. Weinstein.

                STATEMENT OF JASON M. WEINSTEIN

    Mr. Weinstein. Thank you. Good afternoon, Chairman Clay, 
Ranking Member McHenry. Thank you for your invitation to 
address the subcommittee this afternoon.
    As you know, identity theft affects millions of Americans 
every year and inflicts significant monetary and other harms 
upon its victims. Identity theft is by no means a new problem, 
but the methods used to commit this crime are evolving. While 
many criminals continue to use a variety of low-tech means to 
unlawfully acquire the personal information of others, in 
recent years, identity thieves have begun to use a variety of 
new technologies and new methods to access and exploit such 
information. As both individuals and businesses increasingly 
rely on computers and information technology to store, process 
and share confidential personal information, opportunities have 
increased for criminals to exploit advances in information 
technology to hack into the computers that store this 
information.
    Cybercrime, once the province of the lone hacker, is now a 
big business, and a growing number of potential victims are 
vulnerable. But as criminals have adapted to take advantage of 
new opportunities and data made available through networks and 
the Internet, law enforcement has adapted as well. The 
Department of Justice, along with our law enforcement partners, 
has been aggressively investigating and prosecuting crimes that 
facilitate and constitute identity theft with tremendous 
success. Our benchmark prosecutions of large-scale data 
breaches and the identity theft that results from those 
breaches highlight the range of our efforts to address this 
growing problem.
    For example, most recently in late 2008, the FBI announced 
the results of a 2-year undercover operation targeting members 
of the on-line carding forum known as Dark Market. At its peak 
the Dark Market Web site had over 2,500 registered members 
around the world. The operation resulted in nearly 60 arrests 
worldwide and prevented an estimated $70 million in economic 
loss.
    In August 2008, the Department and U.S. Secret Service 
announced the largest hacking and identity theft case ever 
prosecuted in which charges were brought in three districts 
against 11 members of an international hacking ring. The 
defendants, who hailed from the United States, Estonia, 
Ukraine, the People's Republic of China and Belarus, were 
charged with, among other things, the theft and sale of more 
than 40 million credit and debit card numbers obtained from 
various retailers.
    In 2004, in Operation Firewall, the U.S. Secret Service and 
several components of the Department of Justice coordinated the 
search and arrest of more than 28 members of the Shadow Crew 
criminal organization, who were located in 8 States here in the 
United States and in 6 foreign countries. Members of that group 
were later charged in a 62-count indictment with trafficking 
in at least 1.5 million stolen bank and credit card numbers 
that resulted in losses in excess of $4 million.
    As a result of that case, the Shadow Crew Web site was 
disabled, which we believe prevented hundreds of millions of 
dollars in additional losses. And to date, with the exception 
of two fugitives, all of the domestic Shadow Crew defendants 
have pleaded guilty and received sentences of up to 90 months 
in prison. And Operation Firewall was one of our early efforts 
that paved the way for some of the more recent successes I 
mentioned and that are outlined in my written testimony.
    These cases that I've discussed and the others discussed in 
the written testimony illustrate the scope of the Department's 
efforts to combat the growing identity theft problem, but 
notably they also reveal the global reach that cybercriminals 
can have. The identity thieves and the cybercriminals 
responsible for many of these and other large-scale data 
breaches live in and operate from foreign jurisdictions. 
Because of the global nature of the Internet and the identity-
theft-related crimes it can facilitate, continued close 
coordination and cooperation with foreign law enforcement is 
critical to the success of our identity theft investigations 
and prosecutions here at home.
    In addition to our efforts to investigate and prosecute 
identity theft, we are also committed to continuing to work in 
coordination with other agencies to aid the victims of this serious 
crime through grants such as grants at the Identity Theft 
Resource Center and other agencies, training and other victim 
assistance programs.
    Now, while the Department is proud of these cases and of 
all of our efforts to tackle the growing and evolving identity 
theft problem, we recognize that there is much more to be done, 
and we will continue to work with the law enforcement and 
private-sector partners to meet that challenge. Our continued 
success is dependent on our ability to, No. 1, build upon the 
United States' existing relationships with international 
partners to strengthen law enforcement cooperation channels 
internationally; and, No. 2, to explore legislation that will 
strengthen the penalties for stealing identity information and 
other related cybercrimes, and that would require security 
breach reports to Federal law enforcement so that we may pursue 
the criminals responsible for the acts as quickly and 
vigorously as possible.
    This, of course, is just a brief overview of the 
Department's role in combating these crimes and the primary 
issues we must focus on as we press ahead. We are very glad to 
have the opportunity this afternoon to discuss these issues 
with you further, and at the appropriate time I would be 
pleased to answer questions.
    Mr. Clay. Thank you so much.
    [The prepared statement of Mr. Weinstein follows:]

    Mr. Clay. Mr. Bertoni, you are recognized for 5 minutes.

                  STATEMENT OF DANIEL BERTONI

    Mr. Bertoni. Mr. Chairman, members of the subcommittee, 
good afternoon. I am pleased to be here to discuss the role 
that personally identifiable information plays in identity 
theft. Such information, including one's name, date of birth 
and SSN, is key to carrying out so many activities of daily 
life; however, this information is also valuable to persons 
seeking to commit fraud or identity theft. Advances in 
information technology have made it easier to collect and share 
sensitive information, but also result in more incidents of 
loss and unauthorized use.
    My remarks today focus on three areas: Why we should be 
concerned about identity theft; actions taken at the Federal, 
State and local levels; and continuing challenges to protecting 
sensitive information.
    In summary, identity theft affects 10 million persons 
annually, translating into reported losses of $50 billion. 
Victims are often unaware that the crime has taken place until 
much harm has been done to their credit rating, and could face 
substantial costs and inconvenience repairing the damage. 
Others have lost jobs, been refused loans or even arrested for 
crimes they didn't commit.
    During the course of our work, we have documented real-life 
examples of identity theft, both domestic and international, 
including the 2006 case of an Ohio woman who led a group of 
identity thieves in stealing information from public 
recordkeeper Web sites, resulting in $450 million in losses. In 
the 2007 case of an individual who partnered with thieves from 
Russia and Romania in an on-line phishing scam. In compromise 
there were 4,000 credit card accounts and obtained full 
identity information for over 1,600 victims.
    Various laws and actions at the Federal, State and local 
level aim to deter identity theft. At the Federal level the 
Privacy Act of 1974 and E-Government Act of 2002 define 
agencies' responsibility for protecting personal information. 
Moreover, the Federal Information Security Management Act of 
2002 requires agencies to develop programs for securing 
sensitive data in information systems.
    Over the last several years, the Office of Management and 
Budget has also issued numerous directives requiring agencies 
to put in additional steps for safeguarding personal 
information, including establishing senior privacy officers and 
developing data breach notification plans.
    States and localities have also acted to prevent identity 
theft and assist victims. More States now recognize identity 
theft and related activities as a crime, while many others have 
incorporated victim assistance provisions into their laws, such 
as credit or security freezes. And some county governments have 
also begun removing or truncating SSNs displayed in their 
public records.
    Despite these actions, vulnerabilities persist in three 
areas. First, issues related to the display and uses of the SSN 
have not been sufficiently addressed. Because of its unique 
nature and broad applicability, the SSN has become the 
identifier of choice for both the public and private sectors. 
Unfortunately--unfortunately, millions of electronic public 
records contain SSNs that can be easily compromised due to the 
absence of a national standard for SSN truncation. That is the 
practice of blocking the first five or last four digits of the 
number. To illustrate, within a matter of minutes, we easily 
reconstructed full 9-digit SSNs and other identity information 
for individuals in 10 States by combining various electronic 
records that use disparate truncation methods. We have 
recommended that the Congress establish a national truncation 
standard.
    Second, Federal law does not cover all data or services 
provided by information resellers in other industries. Today 
data resellers and their contractors electronically amass and 
share large amounts of personal information; however, no 
Federal law explicitly requires them to safeguard all personal 
data even when it is sensitive and subject to misuse by 
identity thieves. We have recommended the Congress strengthen 
requirements for information resellers in other industries 
similar to those imposed on financial institutions.
    Last, Federal agencies continue to experience security 
incidences that may expose sensitive information to identity 
thieves. Federal agencies rely heavily on automated systems and 
electronic data which must be protected against unauthorized 
use. We have made numerous recommendations to broadly 
strengthen the integrity of Federal information systems and 
ultimately reduce breaches and other security incidents; 
however, continued breaches at various Federal agencies and 
facilities such as the National Archives underscore the 
importance of vigilance in this area.
    We have noted that data-breach notifications to affected 
parties can have clear benefits in terms of mitigating the 
impacts of identity theft in enhancing public accountability, 
and have recommended that OMB develop guidance to help agencies 
make risk-based decisions as to what services to offer 
individuals whose personal information has been compromised, 
and we will continue to monitor progress in this area.
    Mr. Chairman, this concludes my statement. I'm happy to 
answer any questions that you or the other members of the 
subcommittee may have. Thank you.
    Mr. Clay. Thank you so much, Mr. Bertoni.
    [The prepared statement of Mr. Bertoni follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Clay. We have been joined by the ranking member, Mr. 
McHenry of North Carolina. And I will recognize him first for 5 
minutes of questioning.
    Mr. McHenry.
    Mr. McHenry. Thank you, Mr. Chairman.
    I am sorry I was detained, but I certainly appreciate your 
testimony. I have taken a look at your testimony before, but, 
you know, it is obvious there is an identity theft challenge 
that we're facing as a country. And Congress--in the House have 
largely divided jurisdictions, and so we have jurisdictional 
committee issue on this issue as well. In terms of really 
acting to preclude some of the issues that you brought up 
today, I am on Financial Services; we certainly have a 
substantial amount of concern there with identity theft and how 
that has ramifications for people's credit ratings and access 
to credit generally.
    Mr. Bertoni, you reference a truncation standard. Now, 
you're talking about to truncate someone's Social Security 
number?
    Mr. Bertoni. Correct, correct.
    Mr. McHenry. Now, would that--is that difficult to do, 
because what the Federal Government said, a Social Security 
number is only for Social Security, it is not an identification 
number. That's what we have stated in the law. Now, in fact, 
you know, colleges, banks, institutions large and small use 
your Social Security number as basically your identifier. Will 
we have to change existing law there in order to acknowledge 
that it is, in fact, an identification number?
    Mr. Bertoni. We're taking questions. The fact is that the 
SSN has become the unique national identifier. SSA will say 
that it is not to be used for identification purposes, but 
let's face it, that's where we are at. You can't rent a movie 
from Blockbuster or get satellite television without providing 
your SSN, and that is being bumped against other data elements 
to confirm identity.
    And in our view the Social Security number is probably the 
most critical piece of information that identity thieves would 
want in terms of the personal identifying information that they 
can get their hands on. Without the SSN the other elements are 
much more difficult to do anything with.
    I don't believe you have to do anything to change the law. 
We've--Gramm-Leach-Bliley has already determined or codified 
that the SSN is part of personal identifying information that 
can--needs to be protected.
    Mr. McHenry. Sure it needs----
    Mr. Bertoni. So it's a matter of taking some next steps to 
broaden that voice to, I think, some other industries.
    And as far as truncation goes, it is not difficult. It is a 
matter of getting on a national level the standard to be 
consistent, because if you're truncating on the front half, and 
an information--another information reseller is truncated on 
the back end, within minutes I can find both sides of that SSN 
and probably find your name, date of birth and some other 
records, and have an identity very quickly.
    Mr. McHenry. Certainly--and speaking of Social Security 
numbers, in your--you mentioned the National Archives, a loss 
of information or theft of information. We're not certain of, 
even now, what exactly happened. But the hard drive 
disappearance at the National Archives, it included 100,000 
Social Security numbers, including apparently Al Gore's 
daughter's Social Security number is in this information, and 
contact information, including addresses for various and high-
ranking Clinton administration officials, Secret Service--as 
well as Secret Service and a number of other personnel that are 
included.
    This is highly sensitive information. So I'm not asking you 
to testify about the procedures of the National Archives, but 
what can the government do to mitigate the damage or potential 
damage of this loss of information?
    Mr. Bertoni. I think right up front, some thought to 
encryption should have been at--in play. If you have encrypted 
data, you leave it somewhere where it shouldn't be, it's going 
to be much more difficult for an identity thief to do something 
with, especially if it is encrypted in accordance with NIST 
standards. So on the front end, I don't know what that data 
looked like, but I would hope--I don't know, it had some type 
of encryption technology.
    After the fact we now have to do a risk-based assessment of 
where do we think this ended up, what was on it, and what's the 
likelihood of identity theft. And from there you go to a go/no 
go on data breach notification, and ultimately another risk 
assessment assessing what's the likelihood that this is out 
there and being used. And then beyond that you have to think 
about what services you're going to offer, passive monitoring 
or active alerts on credit records, or even credit freezes. So 
there are some major decisions that have to be made after the 
fact.
    Mr. McHenry. Do you have any comments, Ms. Broder?
    Ms. Broder. Yes, briefly. The Social Security number is 
indeed a very sensitive and valuable piece of identity for 
identity thieves, but partly that is because it is used not 
only as an identifier to link you with your information, but 
also as an authenticator to establish that you are indeed the 
person who you purport to be. And one of the recommendations 
that the Federal Trade Commission has made was that companies 
that open up consumer accounts have more rigorous standards to 
authenticate consumers so it is not so easy, so that the Social 
Security number is not the de facto key to the kingdom, but 
that more robust systems are in place to prevent that type of 
fraud from happening.
    And, of course, other recommendations. Certainly locking 
down Social Security numbers, having appropriate data security 
are important front end, but authentication also could go a 
long way to reducing the incidence of identity theft.
    Mr. McHenry. Mr. Weinstein, any comments?
    Mr. Weinstein. No.
    Mr. McHenry. Well, thank you so much for testifying. I know 
we have other questions as well. Thank you.
    Mr. Clay. Thank you, Mr. McHenry.
    Ms. Broder, ID breaches are very devastating to consumers, 
and oftentimes are caused by simple negligence by businesses or 
their refusal to make any attempts at compliance with privacy 
policies. I noted in your statement that the FTC has, since 
2001, used its authority under the FTC Act to bring 26 cases 
against businesses that allegedly failed to protect consumers' 
personal information. And can you give me examples of the types 
of punishment that is given to these businesses that disregard 
those safeguards designed to protect privacy? Are they 
sufficient as deterrents? Are they too soft? Does the FTC Act 
need strengthening?
    Ms. Broder. One of our recommendations is that we can now 
bring cases, data security cases, under section 5 of the 
Federal Trade Commission Act under the Gramm-Leach-Bliley Act, 
but we can't seek civil penalties. Those laws do not give us 
the authority to impose civil penalties against those 
companies. So while we can get injunctive relief that requires 
them to subject themselves to audits, that requires them to 
take certain steps to improve their data security program, at 
this present time, sir, we cannot assess civil penalties. That 
is one of the legislative recommendations that the Commission 
has made, because we think a financial deterrent will go a long 
way to encouraging greater compliance with these laws.
    Mr. Clay. You mentioned a grant for a nationwide model for 
relief for victims. Have you come up with a nationwide model?
    Ms. Broder. The Department of Justice's Office of Victims 
of Crime have given grants to four different organizations 
around the country to develop nonprofit centers for victims of 
identity theft that can provide greater assistance, more 
individualized care for people who have more engaged problems.
    What we find at the FTC, of the 300,000 people who 
contacted us last year seeking assistance, many of them are 
able to use these tools themselves to restore their credit 
history, to dispute fraudulent accounts. There are tools in 
place, and many consumers are able to exercise them.
    In more complex problems, or with consumers who are not 
able to exercise those rights, we find that those organizations 
often can provide additional assistance.
    So the FTC is doing a lot of work there every day, 20,000 
contacts every week from consumers asking for information or 
seeking advice on identity theft. But there are some cases that 
are more complex that need more--that grant is still underway, 
and I think a final assessment has not been made on the success 
of those programs.
    Mr. Clay. OK. We would be interested in seeing what the 
assessments are.
    Mr. Weinstein, you know, ID theft is on the rise. What are 
some of the new or emerging forms of the crime?
    Mr. Weinstein. You know, the crime varies from low-tech to 
high-tech. There are still plenty of identity thieves who use 
low-tech means to get personal identifying information and to 
exploit it, using a telephone and their own personal skill at 
dealing with people. But the high-tech trend, I think the most 
troubling is the carding forum. And the carding forum is an on-
line active marketplace for the sale and exploitation of 
technology and tools to commit intrusions and to buy and sell 
the data from those intrusions.
    A number of the cases that our division and U.S. attorneys' 
offices nationwide have been prosecuting--investigating and 
prosecuting and have been most challenging have involved 
carding forums, and they are challenging on a number of levels. 
First, they have numerous members. The Dark Market, the one I 
mentioned, had 2,100 active members at one time. Second, those 
numbers are worldwide, and so they present a lot of challenges 
that any international case presents. But what makes those such 
disturbing trends in identity theft is that they are so 
sophisticated, and they are so organized. As I said it in my 
statement, identity thieves used to be solo actors. Now 
identity thieves are often linked with organized crime. And we 
find that organized crime, especially international criminal 
organizations, are capitalizing on the value of personal 
identifying information and exploiting that to make lots of 
money very quickly.
    If you go on to one of these carding forums, if you are 
vouched for and able to get access to it, or, as we do, if an 
undercover officer is able to get access, your mind will be 
blown by what is going on these sites. Stolen credit card and 
ATM information that has been obtained through computer 
intrusions is there for sale. People who can commit hacking and 
other types of intrusions are offering their services for 
money. False identification documents, fraudulent credit cards 
that have been manufactured using information that's stolen are 
being offered for sale. Tools and equipment to manufacture 
fraudulent credit cards are being offered for sale. And that 
information is exploited for--to make massive amounts of money, 
to steal massive amounts of money in a short period of time. 
That, I think, is the most difficult trend in high-tech 
identity theft, and that's the one we're most concerned about.
    Mr. Clay. What type of legislation could we enact that 
would reduce the threat of identity theft? Have you come up 
with any good ideas or suggestions?
    Mr. Weinstein. Well, there's two--legislation in two areas 
that I think would be useful, and that would make what we're 
already doing more effective. We work very hard to keep pace 
with the increasingly sophisticated criminals we investigate 
and prosecute. We continually train investigators and agents. 
We have the highest-tech tools and the best-trained 
investigators and prosecutors anywhere in pursuing these types 
of crime--this type of crime. And we try to keep pace with and 
anticipate what the cybercriminals will do next.
    But there are two areas in the law that I think, even after 
the Identity Theft Enforcement and Restitution Act of 2008, 
that there are areas we can still improve our efforts: No. 1, 
legislation that will enable us to better coordinate and 
cooperate with our international partners. As the examples I 
gave in my statement and the others that are mentioned in the 
written testimony indicate this is increasingly an 
international crime, a transnational crime. And as I indicated 
a moment ago, because the crime is increasingly committed or 
participated in by international criminal organizations, it is 
absolutely essential that we be able to work cooperatively with 
law enforcement. And cooperation with law enforcement is a two-
way street. Every day we ask foreign governments and foreign 
law enforcement agencies to help us in prosecutions that we're 
engaging over here, but they need our help as well. And so 
legislation that clarifies the authority of U.S. courts to 
compel the production of evidence that can be used in a foreign 
criminal investigation, something, by the way, that was one of 
the recommendations in the Identity Theft Task Force a few 
years ago but hasn't made it into law yet, would be a very 
effective tool, because the more we can offer help to foreign 
partners who are fully engaged on this issue, the more we can 
expect them to help us. So that's No. 1.
    No. 2 is closer to home, and that's sentencing. The 
Congress, in the Identity Theft Enforcement and Restitution 
Act, directed the sentencing commission to examine the 
guidelines related to identity theft and to explore amendments 
to them. And in a sense the Commission has come up with some 
amendments to the guidelines that govern identity theft, but 
those amendments, I think, are lacking. As these criminals 
become more sophisticated, using proxies, using keystroke 
loggers and spyware, using increasing--increasingly 
sophisticated technology to exploit our personal information, 
we need the sentencing schemes to keep up, and so we believe 
the Computer Fraud and Abuse Act, which is codified at Title 18 
U.S. Code section 1030, which is the statute that we 
principally charge in this area for computer-related identity 
thief--identity theft, should be amended to adopt harsher 
penalties for this kind of crime, and that the guidelines 
should be amended accordingly for even greater enhancements for 
the use of sophisticated technologies.
    Identity theft involving high-tech means it is harder to 
investigate, and it is harder to prosecute. It is much more 
resource-intensive, and it's much more dangerous, because using 
high technology, identity thieves can get more people's 
information and use it to steal more money in a shorter period 
of time. The guidelines should punish that kind of identity 
theft involving that kind of technology and those kinds of 
means much more harshly than other forms of this crime. And so 
we think that the guidelines should be amended as well to keep 
pace with the increasingly sophisticated technology and 
techniques that these criminals are using.
    Mr. Clay. Thank you for that response.
    I will go to my colleague from Ohio Mr. Driehaus for 5 
minutes.
    Mr. Driehaus. Thank you, Mr. Chairman, and thank you for 
holding this panel and the next panel. I think this is a 
critically important issue.
    As a State legislator in Ohio for 8 years, we often 
wrestled with the issue of identity theft, and I recall one of 
my colleagues in the legislature calling me one time and 
reciting to me my Social Security number that he found on a 
local government Web site, because I had gotten a traffic 
ticket, and the clerk of courts, in his infinite wisdom, 
decided that all records are not only public, but should be 
published on the Internet. And so we worked to modify that in 
the State of Ohio, but I've got to tell you, it took a long 
time to make that happen.
    So I'm interested in the perspective, all of you, really 
all three of you, as to what we can do at the congressional 
level to--this always happens when I'm asking questions, by the 
way--but what we might be able to do to provide guidance to 
State and local governments, because they continue to have this 
problem, this quandary, between making information available to 
the public and protecting the privacy of the citizens of their 
various jurisdictions. And you find that the policies are all 
over the place. And in the case of Hamilton County, where I am, 
in Cincinnati, the clerk of courts was simply taking documents, 
scanning documents and putting them directly onto the Internet, 
despite--despite the fact that they had information about 
people's bank accounts, they had Social Security numbers, they 
had private information. They weren't redacting the 
information. His excuse was that they couldn't redact the 
information because it was documents being scanned, which I 
found to be kind of lame.
    But I would like your input as to how we might do a better 
job in informing policy at the State and local level so that 
those local entities aren't making this information available, 
because we see this happen all the time.
    Mr. Bertoni. I can take a shot at that. Before you came in, 
I had a lot to say about public recordkeepers.
    I think one thing we have here, you know, issues of 
federalism in State rights, certainly. But, no, I do believe 
through the years and opportunities we've had to look at this, 
that States are becoming more aware of the value of SSN and 
other personally identifiable information in public records. So 
we see, we do see movement in many cases of States trying to at 
least truncate or redact SSNs. Florida wholesale has redacted 
SSNs from their records, but there is variability.
    One thing that we have tried to do or perhaps suggested is 
perhaps the Association of Governors can come together and talk 
about best practices for redaction and truncation, but that 
will take some cooperation across States.
    As far as guidance, I think there is--there are good things 
happening out there that States are doing. It is a matter of 
raising it up to the level of a national level where we can 
have a forum. And we have done that in various forums in 
testifying about what States are doing.
    Mr. Driehaus. But given the number of entities of State and 
local governments that are out there, there doesn't tend to be 
any uniformity, and I guess that's what I am trying to get at. 
How do we bring uniformity to the practices at the local level 
in terms of the availability of documents? You know, they are 
dealing with their own States' sunshine laws in what records 
need to be made available, but how do we get to a point where 
there is uniformity at the State and local government level in 
terms of the information being made available?
    Mr. Bertoni. I don't know if we're going to be able to--
you're going to be able to direct States to either include or 
not include information. I'm not--we're getting into issues of 
federalism and State rights. But we believe there is 
opportunity to establish at the congressional level a national 
standard for truncation, so at least what's in there will be 
consistent in terms of how SSNs are truncated in either the 
front end or back end, because right now it is very easy to go 
into any single State set of records and find, because of 
variance in truncation, the front end and the back end of an 
SSN and put it together very quickly. So, step one, we have 
recommended that the Congress establish a national truncation 
standard.
    Ms. Broder. Mr. Driehaus, we actually submitted testimony 
to the Ohio committee that was addressing this very issue about 
public access to data and SSNs, and it is a challenging one, as 
Mr. Bertoni set out. There are some models going forward. 
Certainly the Federal court system and the bankruptcy court 
system have undertaken a system to truncate from their records 
Social Security numbers and other personally identifying 
information for which there is no public value in revealing.
    Of course, we have a public interest in making--giving 
transparency to process, but there is a point at which some of 
this information does not serve that purpose. And so in the 
Federal court electronic system, none of this data is readily 
available. But there are many people who say that with respect 
to, for example, the Social Security number, the cost 
associated with doing this process retroactively is 
overwhelming, going through all of the records, all the housing 
records and anything else that may now be available 
electronically. It is a very costly undertaking. In other 
words, maybe the feathers are already out of the pillow, can't 
put them back in.
    And then I would return to the issue of authentication. If 
companies took better care in making sure they were dealing 
with the right person rather than just seeing a Social Security 
number and assuming that was adequate for opening an account, 
then the availability of this information would be much less of 
a threat. I'm not saying it shouldn't be protected, but this is 
all part of a comprehensive program to protect the data and 
make it less available, but also less useful for identity 
thieves.
    Mr. Bertoni. If I could add to that. You're right, I think, 
in the case of Ohio, they sell public records to--in bulk to 
various vendors. So even if you were to start redacting or 
removing or truncating today, those records have been sold and 
resold and resold already many, many times. So going forward 
you could sort of stop this flow of SSNs in the public records.
    But keep in mind this information has already been sold to 
many vendors, and that's where we get at the other piece of our 
other recommendations, that regardless of industry, you have to 
look at the sensitivity of the information and mandate that 
information be controlled regardless of who you are and what 
you're using it for. Information resellers, tax preparations, 
telecommunications, all those right now are held to a lower bar 
in terms of information disclosure and protection.
    Mr. Driehaus. Thank you, Mr. Chairman.
    Mr. Clay. Thank you, Mr. Driehaus.
    Mr. Bertoni, are there currently any plausible alternatives 
to the Social--Social Security number as a personal identifier 
in government systems?
    Mr. Bertoni. I don't think any widely plausible 
alternatives currently exist. Again, this started in 1935 with 
an Executive order that all Federal agencies were going to use 
the SSN for internal and external management of their programs. 
So this is longstanding, ingrained use--usage.
    I do know that there are alternatives being considered at 
least on a case-by-case basis. The health industry is starting 
to move away from the Social Security number as your identifier 
and assigning alternative patient numbers. The Office of 
Management and Budget in 2007 directed agencies to look for 
alternatives to the SSN in assigning numbers to personnel for 
either travel management or payroll, etc. And even in GAO we 
have gone in that direction; we have alternatives to the SSN. 
But as far as a broadly used national number, no. And if we go 
in that direction, we are in the same position that we have to, 
from day one, think about how we would protect it.
    Mr. Clay. Yeah. Does any single Federal agency have the 
authority to regulate the use of the Social Security number in 
Federal information systems?
    Mr. Bertoni. Not that I'm aware of. Originally many had 
argued that SSA--SSA would be the one that would do that. But 
their view is that their regulation stops once it leaves the 
agency. So within the agency they regulate and control; once it 
goes to another Federal agency, they do not believe they have 
jurisdiction to tell that other agency what to do with the 
number.
    Mr. Clay. OK. Anyone else on the panel have anything to 
add? If not, let me--we will dismiss this panel and then go 
into recess for two votes on the floor, and, when we come back, 
swear in the second panel. And Members are reminded that you 
have up to 5 legislative days to submit opening statements or 
any other materials for the record. And, Mr. McHenry, your 
opening statement will be included without objection.
    We stand in recess.
    [Recess.]
    Mr. Clay. The subcommittee will come to order.
    On our second panel, our first witness is Ms. Catherine 
Allen, the founder and chairman and CEO of the Santa Fe Group, 
a strategic consulting company based in Santa Fe, NM. The Santa 
Fe Group specializes in briefings to executives and boards of 
directors at financial institutions and other critical 
infrastructure companies, and provides management for strategic 
industry and institutional projects.
    Welcome to the subcommittee.
    Next, we will hear from Mr. Marc Rotenberg, the executive 
director of the Electronic Privacy Information Center in 
Washington, DC. He teaches information privacy law at 
Georgetown University Law Center and has testified before 
Congress on many issues, including access to information, 
encryption policy, consumer protection, computer security and 
communications privacy.
    Welcome to you, Mr. Rotenberg.
    Our third witness is Mr. Donald J. Rebovich, the executive 
director of Utica College's Center for Identity Management and 
Information Protection and executive director of Utica 
College's Economic Crime and Justice Studies program. His 
background includes research in identity theft, economic crime, 
victimization, white collar crime prosecution, and 
multijurisdictional task force development.
    Thank you for being here.
    Next we will hear from Ms. Anne Wallace, president of the 
Identity Theft Assistance Corp., a nonprofit corporation that 
operates ITAC, the Identity Theft Assistance Center. Ms. 
Wallace is a nationally recognized expert on privacy and 
financial services law, and she works to protect all consumers 
through consumer education and partners with law enforcement to 
combat identity theft.
    The final witness is Mr. Eric Handy, a representative for 
the Identity Theft Resource Center. Mr. Handy is an IT security 
and privacy specialist with over 15 years of information 
technology consulting experience. He specializes in privacy and 
information security program implementation and program 
management oversight.
    Thank you all for appearing before the subcommittee today. 
It is the policy of the subcommittee to swear in all witnesses 
before they testify. I would like to ask you to stand and raise 
your right hands.
    [Witnesses sworn.]
    Mr. Clay. Let the record reflect that the witnesses 
answered in the affirmative.
    Each of you will have 5 minutes to make opening statements. 
Your complete written testimony will be included in the hearing 
record. The yellow light in front of you will indicate that it 
is time to sum up. The red light will indicate that your time 
has expired.
    Ms. Allen, you may begin.

 STATEMENTS OF CATHERINE ALLEN, CHAIRMAN AND CEO, THE SANTA FE 
 GROUP; MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY 
INFORMATION CENTER; DONALD REBOVICH, EXECUTIVE DIRECTOR, CENTER 
   FOR IDENTITY MANAGEMENT AND INFORMATION PROTECTION; ANNE 
 WALLACE, PRESIDENT, IDENTITY THEFT ASSISTANCE CORP.; AND ERIC 
     HANDY, REPRESENTATIVE, IDENTITY THEFT RESOURCE CENTER

                  STATEMENT OF CATHERINE ALLEN

    Ms. Allen. Thank you, Chairman Clay and members of the 
subcommittee. Thank you for your leadership in highlighting the 
issue of victims of identity crime in the often long and lonely 
road they walk toward restoration.
    I have spent most of my career in the financial services 
industry, most recently as the founding CEO of BITS, a CEO-
driven, nonprofit financial services industry consortium. I 
grew up in a small town in Missouri, and my dad was a banker, 
so I have been in the banking industry for a while.
    Today I am involved in efforts to examine the way the 
financial services industry is regulated and the impact of 
policy on consumers. In this area of identity theft, I believe 
we are just at the tip of the iceberg because of the growing 
cybersecurity threats we face. And it is why we think that a 
Victims Bill of Rights is necessary. The victim's voice is 
seldom heard in the debate.
    This testimony reflects the work of the Santa Fe Group 
Vendor Council, formed in 2006 to bring together leaders at 
service provider organizations. The vendor council promotes the 
development of secure, best-in-class technology solutions, 
standards and best practices related to fraud, payments, 
cybersecurity, data protection and identity crime. Last fall 
the vendor council formed an identity management working group 
to develop an inventory of best practices for assisting victims 
of identity crime and suggesting improvements in law and 
corporate practice to make it easier for victims to dispute 
false claims and reclaim their identity. My testimony today 
will speak to the victims' bill of rights and the written 
testimony has much other background information.
    Identity crime victims deserve the same rights as other 
crime victims. Identity crimes can be physical, emotional, and 
financial. Today, most identity crimes will be treated as 
misdemeanors or very low-level felonies, and the majority of 
prosecutions will be civil as opposed to criminal actions. We 
need better coordination, awareness of the victim experience, 
and concrete steps for correcting identity records.
    For the benefits of individuals, business and society, we 
propose the following bill of rights for identity crime 
victims: the right to assessment; the right to restoration; the 
right to freedom from harassment; the right to potential 
prosecution of the offenders; and the right to restitution. And 
I will explain a little bit on each.
    In the right to assessment, consumers who suspect that they 
have become a victim of identity theft should have the right to 
assess the nature and extent of damages to their identity. 
FACTA already grants many of these rights, but there are 
sometimes procedural Catch-22s. All businesses and governmental 
agencies should be required to provide notice to consumers when 
they suffer a data breach involving loss of sensitive personal 
information, but the present patchwork of State laws and 
government policy needs to be replaced with a uniform Federal 
statute spelling out notification requirements.
    The right to restoration is, ideally victims should be able 
to restore their identities to their pretheft state. However, 
this is not always possible, especially with the complexity of 
the crime and especially with financial identity theft. Whether 
or not they can fully recover, it is imperative that victims be 
able to establish correct records and access all of those 
records in all kinds of institutions.
    Relevant privacy laws need to be reviewed and amended, 
giving victims the power to access and correct their own 
record.
    The right to freedom from harassment comes because 
sometimes collection agencies and others during and after the 
identity restoration process harass the individuals. The 
harassment happens because business and law enforcement have no 
way to distinguish victims from the thieves. To combat this, 
some States have issued identity theft passports to identify 
that the victim has been a victim of identity theft and help 
the person prove his or her identity. However, these can be 
easily forged.
    So however effective the documents are, it remains to be 
seen, but some system for identifying and verifying victims is 
needed.
    The right to potential prosecution of offenders: One of the 
great frustrations to identity crime victims is the lack of 
business and law enforcement resources to prosecute identity 
theft. Again, there is always a need to balance priorities and 
budgets, but these organizations need to take the long view in 
the impact of identity crimes--first, that identity crime 
continues precisely because it pays; second, the FBI and Secret 
Service have found where there is one victim, there are usually 
more, and we need to look at this in an aggregate; third, not 
all of the costs of identity crime are immediately visible or 
measurable.
    The right to restitution is where identity crime victims 
can spend hundreds of dollars and they deserve restitution, the 
same as victims of any other crime. Yet studies show that the 
defendants were ordered to pay in only about a third of the 
cases. Restitution will help make victims whole, send a message 
that identity crime is a real crime, and help ensure when 
perpetrators are caught, identity crime does not pay.
    To further help victims, the definition of compensable 
crime under Federal and State statutes should be expanded to 
include identity crimes.
    In summary, I am recommending three things in terms of 
possible legislative actions, and then four other things.
    First, to enact a uniform scheme across industry and 
government to assist identity theft victims and that is to 
include the five items included in the Identity Theft Victims 
Bill of Rights.
    Second, to create a national standard of identification, 
one that cannot be forged by identity thieves that victims can 
use to distinguish themselves.
    Third is to expand the definition of compensable crime 
under Federal and State law to include identity crime.
    Four other things are to invest in independent research on 
the effects of identity crime:
    We need to get beyond the anecdotes to understand the 
actual relationship between data breaches and identity theft 
and to be able to understand what policies and law enforcement 
procedures are effective.
    Second, there need to be standard dispute procedures in 
industry and law enforcement where, upon resolution, victims 
could receive standardized verifiable letters proving the 
issues have been resolved.
    Third is the Federal Trade Commission does a terrific job 
in overseeing victims' rights, but it could be expanded; and 
perhaps the role to make sure there is cohesiveness across 
national laws and to also make sure that law enforcement is 
investigating identity crime in a consistent way.
    Last, there is much discussion, especially after today's 
announcement on a consumer financial protection agency; in that 
dialog, the idea of identity theft policies and education 
should be included.
    We thank you for this opportunity to present testimony. And 
again, if there are any questions, I would be happy to answer 
them.
    Mr. Clay. Thank you for your testimony.
    [The prepared statement of Ms. Allen follows:]

    Mr. Clay. Mr. Rotenberg.

                  STATEMENT OF MARC ROTENBERG

    Mr. Rotenberg. Mr. Chairman, I appreciate the opportunity 
to testify today on this very important issue for American 
consumers.
    My organization, the Electronic Privacy Information Center, 
has been working on the issue of identity theft almost since 
our founding 15 years ago. In fact, I was going to mention to 
Mr. Driehaus that one of our first cases concerned the privacy 
of the Social Security numbers of employees in the State of 
Ohio, and we succeeded in that case. They limited the use of--
the publication of the SSNs, but that continues to be a very 
serious problem.
    My comments today are directed toward what we see as the 
root causes. On the first panel you heard from the Federal 
Trade Commission. They talked about how they are assisting the 
victims of identity theft after they run into problems.
    The Department of Justice is prosecuting the crime after 
the crime occurs, but in our opinion, not enough is being done 
to address the root causes of the identity theft problem. And 
so in my statement, which I will briefly summarize now, I am 
going to try to speak to that issue and suggest specifically 
for this committee some steps you might take to reduce the 
problem of identity theft in this country. Because, as you 
know, not only is it a significant problem, but in fact the No. 
1 concern of American consumers. According to the Federal Trade 
Commission, it is a growing problem and that number has been 
increasing since the FTC has been keeping track of it.
    And it is an evolving problem. I think we are about to 
experience new forms of identity theft. The Wall Street 
Journal, for example, reported just this week about an identity 
theft investigation in Los Angeles involving improper use of 
medical records information. We will hear more about that as 
more of our personal medical information is digitized and made 
available online.
    So I would like to address five steps I believe the 
committee could take to try to reduce the problem at its 
source.
    One of the concerns today, I believe, should be the 
increasing transfer of information within the government onto 
the Internet. You've already heard about people getting access 
to public record information that contains Social Security 
numbers and bank account numbers.
    There is a big push right now in the Federal Government to 
take advantage of some of the new Web 2.0 services; and we 
certainly support the President's call to make public 
information more widely accessible to the public, but we think 
that privacy protection has to be part of that process. Privacy 
issues have not been given enough attention so far in this new 
push to make Federal information available online. We hope more 
can be done.
    We think there are similar concerns with respect to the 
outsourcing of government services. A lot of personal data is 
moved from government agencies to private contractors, and it 
is not always clear if those contractors are subject to privacy 
act obligations or other contractual obligations to protect the 
personal information of the U.S. citizens that they now have 
obtained.
    You may recall, in fact, Mr. Chairman, last year in the 
run-up to the Presidential election, there was the case over at 
the State Department involving the passport records of then 
Senator Obama and Senator Clinton and Senator McCain that were 
all improperly accessed by private contractors. That is closely 
tied to the issue of identity theft, and we believe it is an 
issue that this committee could look at.
    Privacy legislation is a very important part of the way to 
get to the root cause of the problem. It is simply too easy 
today for companies to collect a lot of detailed information 
about Americans. They have too few responsibilities, and it is 
too difficult, I believe, for Americans to protect their 
information once they have turned it over to a bank or to some 
other firm.
    What privacy legislation will do is put some obligations on 
those companies to ensure better security, better safeguards. 
And also, I hope it will get some of those companies to think 
about whether it is such a good idea to collect Social Security 
numbers, which we know will be the target for identity thieves 
who are trying to get access to that information.
    If fewer organizations in this country were collecting the 
Social Security number and using the Social Security number, we 
think the problem of identity theft would go down.
    We would also like to see more emphasis on privacy 
protection in the administration's focus on cybersecurity. 
There is a lot of talk right now about strengthening the 
Nation's infrastructure. Part of that has to be about the 
protection of personal information that is being stored on 
computers and servers in the United States.
    Finally, Mr. Chairman, I would like to raise one issue; it 
is a little bit futuristic, but at the same time we believe it 
goes to the heart of the problem, and it is going to be with us 
for some time. We think Americans need better tools for 
identity management. By that I mean, we need better ways for 
people to interact with government, for people to interact with 
businesses without being required to disclose so much personal 
information or to give up a number that links together all of 
their personal information.
    That is the essential problem with the Social Security 
number: It links together too much data. We think new tools for 
identity management could help address that problem as well.
    Thank you again for this opportunity.
    Mr. Clay. Thank you for your testimony.
    [The prepared statement of Mr. Rotenberg follows:]

    Mr. Clay. Mr. Rebovich, you are recognized for 5 minutes.

                  STATEMENT OF DONALD REBOVICH

    Mr. Rebovich. Good afternoon, Chairman Clay and members of 
the subcommittee. I appreciate the opportunity to appear before 
you to discuss the serious crime of identity theft, the impact 
it has on victims and what can be learned from criminological 
research in this area.
    The research center I direct, the Center for Identity 
Management and Information Protection, is housed at Utica 
College in central New York and is a research collaborative 
dedicated to the prevention and containment of identity theft.
    While the term ``identity theft'' is familiar to many, 
questions still remain about what the term really represents, 
what type of person is most likely to commit this type of 
offense, what criminal methods are most commonly used, and who 
is in most jeopardy to be victimized. As a criminologist, I 
believe that answering these questions brings us many steps 
closer to helping to lower the incidence of this insidious 
crime and protect the interests of those who fall victim to it.
    Now, my center undertook a challenging research endeavor 
with empirical analysis of over 500 U.S. Secret Service 
identity theft cases. We studied it. It covered over a period 
of 6 years. When the results were released, they were met with 
an interesting mix of curiosity and surprise.
    Contrary to some earlier victim surveys, this study found 
that many victims did not know their offenders. The median loss 
for a case was found to be over $30,000, much more than the 
average estimates drawn from victim surveys. A full one-third 
of the offenders were found to have committed their crimes at 
their place of employment, spotlighting the problem of 
unscrupulous insiders who would use personal information for 
criminal purposes.
    Individuals were not the only victims. The financial 
services industry was victimized in 37 percent of the cases. In 
21 percent of the cases, the victims were retail businesses. 
The financial services industry was most frequently victimized 
by offenders using fraudulently obtained personal identifying 
information to obtain new credit card accounts, to apply for 
and obtain fraudulent loans, to pass checks, and to transfer 
funds.
    The retail industry was victimized by the use of stolen 
identity information to open store accounts and by purchasing 
merchandise with fraudulent credit cards.
    As a criminologist, those study findings impressed upon me 
the stark realities of identity theft in our modern society. 
Many of the crimes were carried out easily, and it really 
didn't take, in many cases, our analyzing that, because some of 
the offenders in case notes indicated and bragged about how 
easy it was.
    A common characteristic of these offenses is that these 
criminals are criminal opportunists. They look for the path of 
least resistance, and they find it. And there are many 
compromised points in our system that they can use to commit 
these offenses. In the final analysis, the identity thief will 
take the path of least resistance toward the ultimate goal of 
using someone's identity to commit fraud in someone else's 
name.
    But there are a series of vulnerabilities, system 
vulnerabilities that we can address to try to cut off the blood 
flow to these offenders, for instance: Merchant recognition of 
counterfeit cards: Time and again the actual cases indicated a 
failure of merchants to detect that credit cards were not 
authentic; bank oversight of new account creation: the failure 
of bank personnel to recognize false identification 
information; oversight of employee access to customer-client 
information: another failure of the employer to effectively 
monitor employee use of customer-client personal information; 
credit card issuers' oversight of adding users to existing 
accounts: a failure of issuers to effectively verify 
authenticity and victim approval of requests to add offenders 
to existing accounts as credit card users; Government 
recognition of altered forms: another failure, a failure of 
government agencies to detect false documentation, leading to 
fraudulent use of documents in victims' names; and finally the 
oversight of employee access to client-customer credit cards, 
skimming: another failure of employers to effectively monitor 
employee use of credit cards in the course of legitimate credit 
card transactions.
    Just to summarize in terms of what we can do with this 
information to help apply the plight of victims, I have 
distilled my recommendations in my testimony to three optimized 
protections: Optimize authentication protection; optimize 
protection of personal information; and, optimize protection by 
law enforcement.
    In authentication protection, we need to have the best 
tools possible and standardize them to make sure we can 
authenticate who these people are, whether they are actually 
the people they say they are or criminal offenders.
    Optimize protection of personal information: We are talking 
about all of the different agencies, private sector and public 
sector, that have access to personal information and house it. 
It is their responsibility to protect that information.
    Finally, optimize protection by law enforcement: Half of 
the cases that we looked at that were Secret Service cases 
started at the local level with local police officers. These 
were people, these were officers who did the right thing; they 
understood what identity theft is, and they reacted. Other 
research unfortunately has shown that is not always the case. 
What we need to do is address these authentication optimized 
protections to try to close the gap to prevent identity theft.
    Thank you, sir.
    Mr. Clay. Thank you for your testimony.
    [The prepared statement of Mr. Rebovich follows:]

    Mr. Clay. Ms. Wallace, you are recognized for 5 minutes.

                   STATEMENT OF ANNE WALLACE

    Ms. Wallace. Chairman Clay and members of the subcommittee, 
thank you very much for inviting me today and for giving me the 
opportunity to tell you about ITAC, the Identity Theft 
Assistance Center.
    Six years ago, executives of the largest financial services 
companies in the country got together and realized that while 
they were doing a great job helping their customers at the 
time, there was more they could do to help their customers who 
became victims of identity theft.
    One of the key problems that victims face is that the 
criminal uses their information in more than one place; and the 
victim then has to find all of the places where the fraud has 
occurred, tell their story again and again, and prove who they 
are. It is a very time-consuming and frustrating process.
    This kind of fragmentation also occurs in law enforcement. 
Identity crimes frequently involve many customers with small 
dollar losses across jurisdictional lines, and this kind of 
fragmentation really makes it difficult to investigate and 
prosecute these crimes.
    So in 2003, under the leadership of the Financial Services 
Roundtable and BITS, 50 of the largest financial services 
companies came together to form ITAC, a nonprofit organization 
committed to helping victims recover from identity theft, 
partnering with law enforcement to catch and convict the 
criminals and to provide consumer education.
    Since 2004, ITAC has helped more than 55,000 consumers 
recover from identity theft. The service is free to the 
consumer and is paid for by the financial services company. 
Very briefly, here is how the service works.
    It starts at an individual member company, who helps the 
victim resolve any of the problems at that company. The company 
then directly transfers the consumer's telephone call to an 
ITAC agent who walks the consumer through their credit report 
to find any other cases where fraud may have occurred.
    If fraud is found at other places, ITAC notifies all of 
those companies, whether they are ITAC members or not. The ITAC 
members get instant notice from us, online notice; the other 
companies all get a letter from us saying this person is a 
victim; you need to do something to fix this problem.
    As you can imagine, this is a very rewarding job I have. It 
is wonderful to be in a position to help people at a time when 
they need it most, and that is exactly what ITAC is. It is a 
helping hand at a time when people need that help most of all.
    Just one quick example. One of the people we helped was a 
71-year-old man from California. He was a tax preparer who, out 
of the kindness of his heart, rented an apartment in his home 
to a woman and her daughters. He treated her like a daughter. 
She used his computer and stole his financial information. He 
didn't find out about it until he got a bill in the mail for a 
credit card that he had never applied for.
    When he came to ITAC, the ITAC agent found one other 
fraudulent account in his name, and five other attempts to open 
accounts in his name. What he said to the ITAC agent was, ``You 
can't imagine what a relief it is, in the middle of all of 
this, having someone on your side.''
    This is a terrific service, and people really appreciate 
it.
    I want to turn quickly to law enforcement because that is 
another key area that we operate in. We share data with both 
the Postal Inspection Financial Crimes Data base and with the 
FTC's Consumer Sentinel Data base; and this information is used 
by inspectors and law enforcement all over the country. The 
reason this is so important is because, instead of each company 
sharing information individually, we have data from multiple 
companies; it is national in scope and it is in a consistent 
format. And law enforcement tells us that they are using it 
very effectively. In a number of cases around the country, it 
has helped them crack the cases.
    The third element of our mission is education. We work very 
closely with the Federal Trade Commission. We helped when they 
launched their Deter, Detect, Defend Campaign, and we also have 
a terrific Web site of our own, identitytheftassistance.org, to 
help on this consumer education effort.
    In summary, I would say a lot of progress has been made 
over the last 6 years when I have been head of ITAC. We have 
had great laws passed, more consumer education, and a much 
better response on the part of law enforcement. But there is 
certainly a lot more to be done.
    Consumers still have difficulty filing police reports in 
many jurisdictions. There are still gaps in the enforcement 
efforts, and the lack of comprehensive data makes it difficult 
for policymakers, such as this committee, to make the best kind 
of legislative choices.
    In closing, what I would say is that we believe that the 
ITAC model, a collaborative private sector approach that is 
focused on best practices and, most importantly, focused on 
helping the consumer recover from this crime, has great 
potential in other industry sectors and for government 
agencies.
    So thank you for the opportunity to testify. I will be 
happy to answer any questions you might have.
    Mr. Clay. Thank you for your testimony.
    [The prepared statement of Ms. Wallace follows:]

    Mr. Clay. Mr. Handy, you have 5 minutes.

                    STATEMENT OF ERIC HANDY

    Mr. Handy. Chairman Clay and subcommittee members, my name 
is Eric Handy, and I am here to represent the Identity Theft 
Resource Center [ITRC]. I am here for the founder, Linda Foley, 
and they are based in San Diego, CA.
    Very similar to ITAC, we are also a free service for 
victims. We do quite a bit with victims. We also do quite a bit 
with legislation, government, law enforcement, training, 
general awareness training in a lot of areas.
    Going forward, we also have a nice survey called Identity 
Theft: The Aftermath. This year's version is Identity Theft: 
The Aftermath 2008. There, you can really hear the voices of 
the victims call out to you when you read the statements from 
actual victims; that is, the one beauty of the ITRC is that we 
get to deal with the victim from start to finish in a lot of 
cases, and we get to work through all of the systems and all of 
the quirks in the systems, and we get to find out what does 
work and what doesn't work.
    You can read that document and very clearly see over the 
last 6 years how things have changed.
    What I want to emphasize are three emerging areas. I know 
that you asked that question of the last panel, that we see 
that is happening out in the identity theft world right now.
    No. 1 is, child identity theft is something that is 
increasing; No. 2 is medical identity theft, which has been 
elaborated on already; and, No. 3 is identity theft in the 
deceased, believe it or not. So this is a real cradle-to-grave 
situation where the average person is usually age 26 to 34 that 
is affected by identity theft. But it can happen at any point 
in time.
    When we talk about child identity theft, I just read a 
statistic today before I came here, if you took every classroom 
in the United States, you would probably find one child 
identity theft victim in that class, and that seems like an 
awful lot to me.
    We can play around with numbers and statistics, but there 
is a big problem because a lot of cases, the creditor or person 
offering the credit account does not know the age of the person 
or their Social Security number, because Social Security is 
associated by date of issue not birth date. So there is an 
issue there. They don't know if the person is a minor or not, 
so they will most likely allow the account to exist and that 
causes what we have here, the child identity theft problem.
    A solution that we offer up is to create a data base; we 
call it the 17-10 data base. That is a data base that has 
everybody, everybody from 1 day old to 17 years and 1 month 
included in this data base. This would be done through SSA, the 
Social Security Administration. This has been bandied about a 
little bit, and so it is possible everyone who is giving credit 
would have the ability to check that data base based on Social 
Security numbers. You would check that to make sure that person 
is not a minor. That would automatically, in a lot of cases, 
eliminate some of the child identity theft problems.
    Issue No. 2, medical identity theft: We all know the 
Presidential movement for 2014 is for all medical records to be 
online, and that is quite daunting. Being in the profession of 
IT security, that concerns me. It always concerned me because 
95 percent of our medical information is being held by the 
small provider, who is least likely or least able to protect 
themselves because of resources. So it is already a 
predicament, but when you put everything online, it is easier 
for thieves to get.
    We have all heard the stories of persons, who got the 
medical bill for the foot amputation, and they never had an 
amputation and no one believed them. When they called the 
creditors, they didn't believe them. They made jokes about it. 
The person has to go to the billing office and show them they 
have both feet.
    That is sometimes what this leads to with some of the 
victims. We deal with the victims, and I get all of these 
fantastic stories about these things that happen. No one 
believes the victims. We are here to be the voice of the victim 
currently, right now.
    There are a lot of procedures that are in place, but they 
are not always followed or enforced, and that is why we have 
the situation I just mentioned where you bring the bill and 
show you haven't had your foot amputated; and they still don't 
always 100 percent believe you.
    So that is where we are when it comes to medical identity 
theft. We have medical identity theft red flag rules that will 
help out with medical identity theft coming up in the future, 
and what we do need are more privacy laws.
    For instance, if someone stole my medical identity and I 
found out about it and corrected it--and say I had diabetes--
now it shows I don't have diabetes, that is a problem health-
wise. But I can't go back and change that to diabetes because I 
can't see my records anymore because the imposter has the 
right.
    So something is wrong with that story. I no longer have the 
right to my own medical records to make the change that I need 
to correct it.
    Now there are some solutions--make an alias, a card that 
shows that there has been a mishap that occurred and you can 
track it. One problem is, if we do clear that record up 
totally, and they come back and strike again, you can be hit 
over and over again. So we do need some kind of record on that.
    Identity theft in the deceased, even when people die, those 
are the best people to get for identity theft because they are 
not able to watch themselves--or kids. So that is the perfect 
situation. In the kids' case, you have 18 years to operate as 
an identity thief. That is a beautiful situation if that is 
what you are into doing.
    The problem we have with the deceased is when the death 
certificates go out; they must all be tracked properly and 
notified.
    A lot of these solutions have been drawn up in my testimony 
for further reference.
    Last, in the world of identity theft, today is tomorrow. In 
other words, the thieves are way ahead. So we have to stay one 
step ahead. This is like riding a bronco, we don't know where 
it is going, and we need more enforcement. There is no 
enforcement, so people don't care to protect these situations.
    Thank you for your time. I look forward to answering 
questions.
    Mr. Clay. Thank you, Mr. Handy.
    [The prepared statement of Mr. Handy follows:]


    Mr. Clay. I thank all of you for your testimony. Let me 
start the questioning with Ms. Allen.
    Ms. Allen, will the move to electronic medical records 
bring with it an increase in medical identity theft and why? 
Why is that?
    Ms. Allen. I believe it will, because you are aggregating 
data and making it easier for the criminals to detect. I think 
it is a good thing. I am not opposed to this happening, but any 
time you make it easier, in a way, to create a larger data 
base, it makes it more attractive to thieves.
    The thieves are going to be interested in it because they 
don't have insurance or want to have insurance to cover some 
procedure in a hospital. It may be that they want to get access 
for prescriptions for drugs, and that is a big issue for having 
the data for legitimate drugs, but drugs they may be after.
    The third part of it is, they will be looking to scam the 
system, whether the Medicare system, Medicaid, or the hospital 
system. There is a lot of money flowing right now that it would 
be very easy, if you had a false ID, to be able to access.
    All of this would be prevented if, when they were 
developing the procedures and requirements for the medical data 
bases, they make sure that there is adequate security and 
layers of security and the technology that will help to limit 
the access to that data; that we will make sure that only those 
that have--that are enabled or should have access to it can 
have access to it. But it is going to bring security problems.
    Mr. Clay. Mr. Rotenberg, Mr. Handy addressed an issue that 
is a mystery, I guess, to lawmakers here. How do we rectify 
that person's medical record that has been stolen so they can 
get back to it to correct it when the imposter, in accordance 
with our laws, now has rights to that medical record that the 
imposter stole? How do we fix that?
    Mr. Rotenberg. Sir, I need to look a little more closely at 
the relevant regulation.
    I know a lot of the agencies are working to implement the 
privacy law that was recently signed, the HITECH Act. But my 
instinct would be that there is going to be some entity out 
there, maybe it is the hospital, maybe the insurer, but 
somebody has that record. And whoever has that record has the 
responsibility to ensure that it is accurate.
    I don't think that they get to say to the actual patient, 
``we are terribly sorry there has been some confusion here; you 
are going to have to sort it out.'' It is the organization that 
has the record that has to sort it out. You are going to have 
to put some new incentives on those organizations that have the 
record and say, ``There is a problem here and you are the ones 
who are best able to fix it.''
    Mr. Clay. Let me ask you, Ms. Allen, why do you feel a 
Federal preemption law on privacy is better than those in 
individual States?
    Ms. Allen. I think we have a complex system of State laws, 
and it makes it more expensive for any business.
    For example, 95 percent of health care providers are small 
businesses or small practitioners. It becomes almost impossible 
for a small business to understand what the privacy laws are in 
each State; therefore, they sometimes don't pay attention 
to it.
    So if you had one Federal law, it would be easier to make 
people aware of it and consistent. And it would be more cost 
effective; it would be better for consumers because they would 
understand what their rights were in each State. And there are 
some excellent laws out there. There is a new Massachusetts law 
that might be a model.
    One of the other issues, it has to be on all businesses, 
not just on financial services companies, because all 
businesses have sensitive data either about their employees or 
their customers. And so it needs to be something that goes 
across industries.
    Mr. Rotenberg. I want to speak briefly on this issue 
because it is one that people in the privacy community feel 
very strongly about.
    I think it would be a tragic mistake to have Federal 
preemption specifically in the area of identity theft because 
one of the things that we have observed over the last several 
years is that the State legislatures, which are close to this 
problem, are coming up with new solutions to try to respond as 
they uncover new problems.
    The Federal law is a very good baseline, but in California, 
for example, they just recently amended their identity theft to 
deal with this problem of medical identity theft, because they 
were now experiencing a new problem. If they had been 
preempted, prevented from doing that, I think many more people 
would have been suffering as a consequence.
    Mr. Clay. Ms. Allen, you recommend the government conduct 
more research in this area of identity theft. Could you be more 
specific and how would you propose more standardized approaches 
to dispute procedures?
    Ms. Allen. I think public funding should be available--and 
it could be administered through the FTC or the DOJ or whatever 
the appropriate agency is--but first of all, to really track 
the correlation between data breaches and actual incidents of 
identity theft, because it is growing.
    There are arguments on both sides that you can have data 
breaches of millions of records, but only a few turn into 
identity theft. I would argue that many of these organized 
criminals are holding that data. And the last time I testified 
before you, the CIO from the State of Missouri talked about 
apprehending a criminal who had stolen records from the 
University of Missouri, and they were going to hold it for 10 
years. That is strategic planning.
    So I think we have to look at the correlation between data 
breaches and incidents of identity theft and track that over 
time. I think we have to look at what policies and procedures 
are already in place, including legislation, and how effective 
is it; and a good example of that is the credit reports or 
credit freezes, and track over time how effective that is.
    I have mentioned we are on the tip of an iceberg. And I 
come from the cybersecurity perspective, and I think it is 
going to blow open what is happening out there in terms of the 
access to data from cybersecurity breaches. We need to be ready 
and prepared to help the victims and have the layers of 
security, but we have a war coming.
    Mr. Clay. Thank you.
    Mr. Rebovich, what do you propose to bring the treatment of 
identity theft victims in line with the way that the criminal 
justice system treats victims of other types of crime?
    Mr. Rebovich. Frankly, I think we are behind in doing this 
as a society.
    The treatment of identity theft victims, I would say, is--I 
would sort of call them the second level of seriousness, where 
it should be a higher level of seriousness that we address. In 
other words, even though it is not a physical assault, it is an 
assault upon the finances of the people who are victimized.
    My feeling is that actually the term ``identity theft'' has 
become sanitized to the point we are accepting it as, yes, it 
is a part of life. I think we have to change. I think we have 
to change our perspective as a system, the criminal justice 
system especially.
    If it was a victim of domestic violence, as a society, we 
would make sure that person who has been victimized gets all of 
the possible help that they can to recover. Right now we are 
not doing that; we are not doing that with identity theft 
victims.
    I am not saying that the particular crime is on the same 
level as a violent crime, but I think we have to treat it with 
more seriousness.
    Mr. Clay. Usually it is a financial harm that is committed 
so we need to first repair the financial damage that occurs and 
any other damage.
    Mr. Rebovich. I would say the financial harm can be very 
serious and also lead to psychological harm and emotional harm. 
That is something that I think criminal justice research has 
not really tracked very effectively: What's the long-lasting 
harm that it brings to people who are victimized?
    Mr. Clay. Ms. Wallace, the Identity Theft Assistance Corp. 
has unique data-sharing agreements with several government 
agencies and private industries that are used in its mission in 
the investigation and prosecution of identity crime.
    Can you share this uniqueness with the committee at this 
time?
    Ms. Wallace. Absolutely, Mr. Chairman.
    As I mentioned very briefly in my testimony, today and for 
years individual companies have shared information about their 
own experiences with law enforcement. And they will work on 
individual crimes.
    But to do the best possible job today, as some of the other 
witnesses have said, this is cybercrime. It may involve 
multiple witnesses across multiple jurisdictional lines, so you 
really have to have Federal, State and local enforcement 
agencies working together and data from multiple sources. That 
has been the key to success of the regional identity theft task 
force.
    For example, there is a great task force in St. Louis that 
has a great record of bringing together St. Louis County and 
the district attorney's office and FBI and Secret Service to 
work on a collective basis, so when they have information from 
various jurisdictions about multiple victims across 
jurisdictional lines, they can do a far more effective job in 
using their limited resources to catch the criminals.
    Mr. Clay. How do we get better procedural help in the 
resolution of cases? How do we establish better clearance 
procedures in national data bases for criminal identity theft 
victims? Is a bill of rights the answer?
    Ms. Wallace. I would say the law enforcement community has 
already done the foundation for data-sharing on the Federal 
level. And I would be happy to respond in more detail in 
writing with more information about some of the great projects 
that we work with to share information among Federal and State 
law enforcement.
    I am sure the Federal Trade Commission would be happy to 
provide more information about how their Consumer Sentinel Data 
base is used by about 1,400 law enforcement agencies around the 
country at the State, local and Federal level.
    So the foundation is there. But certainly more training, 
more funding, and frankly, more encouragement to do this kind 
of partnering would be very welcome.
    Mr. Clay. Thank you.
    Mr. Handy, H.R. 2221, the Data Accountability and Trust Act 
was introduced in the House by Chairman Bobby Rush of the 
Subcommittee on Commerce, Trade and Consumer Protection. The 
ITRC has been involved in monitoring the legislation as well as 
working with those that have been aggrieved by theft.
    What are your thoughts on this legislation? Does it go far 
enough? Please elaborate.
    Mr. Handy. Our recommendation is that it probably does not 
go far enough when it comes to identity theft regulations. The 
bill itself--and I'm trying to remember when we discussed that 
exact bill; but when it comes to identity theft, we felt there 
should be a general ruling and you should give each State the 
opportunity to go further based on the situation. That was our 
standpoint on that bill.
    So general sentencing, but you want the ability to add more 
based on the situation at hand.
    Mr. Clay. Thank you.
    Mr. Rotenberg, can you comment on the Fair Debt Collection 
Practices Act and its ability to adequately cover identity 
theft victims? And where does your organization fit in this?
    Mr. Rotenberg. Mr. Chairman, we are actually not familiar 
with that legislation, so I don't think I have a comment on 
that.
    I did testify on Mr. Rush's bill, and I think that is good 
legislation. I think it would help reduce some of the problems 
related to identity theft.
    Mr. Clay. All right, thank you for that.
    What policy changes can enhance the support of future 
research on identity theft and its victims, and what specific 
areas do you see as warranting future research?
    Mr. Rotenberg. Well, I think the statistics are very 
useful. I think that the information that the FTC has been 
collecting over the years gives us a clear picture of the 
problem and some of the trends that we need to be aware of. So 
we certainly support that.
    I think it would be helpful in anticipating some of the new 
types of problems that are about to emerge to expand some of 
the data collection--looking at medical identity theft, for 
example. And also some of the identity theft related to new 
online services, I think the information is very, very helpful.
    Mr. Clay. Ms. Allen, what more can be done by the 
technology community to mitigate identity theft, and what 
responsibility do they have?
    Ms. Allen. This gets back to the issue of cybersecurity 
breaches, the application software--software providers are 
operating systems that have great vulnerabilities--some kind of 
both accountability or perhaps liability on the technology 
community to be partners with the user community in closing 
those vulnerabilities or finding patches that will work more 
quickly, or staying ahead of some of the cybersecurity thieves.
    The way it is right now, the user community pretty much has 
the total responsibility and accountability.
    Mr. Clay. As a final question to the entire panel, give me 
your thoughts on what more can be done to educate the public 
and law enforcement about helping the victims of these crimes, 
Ms. Allen?
    Ms. Allen. I think showing the link between cybersecurity 
breaches and identity theft will be very important; and as we 
have a cybersecurity czar in the White House, having that is 
part of the mandate.
    Second, in the dialog around a consumer financial 
protection agency, having identity theft and cybersecurity 
threats be part of that dialog.
    Mr. Rotenberg. I think telling people about the very good 
resources of the Federal Trade Commission, as well as the 
resources provided by some of the organizations represented on 
this panel, will help consumers. But I do believe very strongly 
that in this area there is only so much the consumers can do.
    I think we need to get to the root of some of these 
problems about computer security, use of the Social Security 
number, and that will have to happen in Congress.
    Mr. Clay. Mr. Rebovich.
    Mr. Rebovich. I think that we have to attack the problem 
from several different areas at once. And in terms of the 
education of the average citizen to prevent victimization, we 
can't forget that cybersecurity is very important. Many more 
people are on the Internet than ever before.
    But we can't overlook the fact that many of these cases are 
low-tech cases as well. People can be victimized from not 
shredding personal material. They can be victimized because 
they don't have a lock box on their mailbox. Many of these 
offenders that we research in our study used very low-tech 
methods. They didn't have to go any further; the opportunities 
were there.
    So in terms of educating the average citizen, I think we 
have to educate the average citizen on awareness, on how to 
protect themselves on the Internet and use of computers, but 
also not forget, they have to be certain every day that they 
are doing everything they can to prevent victimization by the 
use of low-tech methods.
    Mr. Clay. Thank you.
    Ms. Wallace.
    Ms. Wallace. I would agree with most of the comments made 
by the other panelists; that is, the complex nature of identity 
theft makes education extremely difficult because there are so 
many kinds of risks, and it can happen in so many different 
ways.
    Having said that, I am particularly excited about an 
initiative that we will be launching later this summer focused 
on youth, an audience that perhaps has not been brought into 
this debate as much as they need to be. And so it is a program 
to help the youth who are online on Facebook and YouTube and 
lots of other places, and understand that there are risks 
indeed in that environment.
    Mr. Handy. From a consumer standpoint, we need more 
awareness training and reaching out to the public, for 
instance, teaching people how to read credit reports and what 
they are supposed to do on a yearly basis so they can catch it.
    My theory is, it is not if it is going to happen, it is 
when it is going to happen; so prepare them for what can happen 
and how to defend themselves. And I think we can at least cut 
down the loss. If you catch it early, it is not that bad of an 
issue. But if you don't, it drags on.
    From a business standpoint, I like what the Federal 
Government has done with FISMA, the scorecards, put some 
accountability to a lot of people, and it seems to work to some 
degree where people will move and make better--they use that in 
the business world.
    Mr. Clay. I want to thank all of you for your testimony. I 
find this subject to be one of urgency. I find it also to be 
fascinating that in this day and age we haven't really figured 
out how to police this issue. And as a government, we need to 
get on top of this and stay on top of it.
    And so I appreciate all of your testimony today and the 
first panel's testimony. I am sure that this will not be the 
last of hearings like this on this subject matter. But it is 
now time for us to act as an institution, as a legislative 
body, to come up with sound law based on some of the advice you 
have brought us today.
    We have been joined by Ms. Watson of California. We were 
really wrapping up, but if you have anything that you want to 
contribute at this time you may, Ms. Watson.
    Ms. Watson. Mr. Chairman, I am always pleased to come to 
your committee. We were invited over to the Senate to meet with 
Senator Reid, and by the time I got there, the meeting had been 
canceled.
    But I do know that the issues that we wanted to raise, I 
have been told that most of the questions have been addressed, 
so I just want to thank you. Sorry to be so late to catch you 
at the end, but do know that I am absolutely interested in the 
subject matter, and I hope to hear more.
    Mr. Clay. Thank you so much.
    This subcommittee hearing stands adjourned.
    [Whereupon, at 4:30 p.m., the subcommittee was adjourned.]
    [The prepared statements of Hon. Diane E. Watson and Hon. 
Patrick T. McHenry follow:]

