<html>
<title> - IDENTITY THEFT: VICTIMS BILL OF RIGHTS</title>
<body><pre>[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


                 IDENTITY THEFT: VICTIMS BILL OF RIGHTS

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 17, 2009

                               __________

                           Serial No. 111-21

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                     http://www.oversight.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE

53-643 PDF                       WASHINGTON : 2010


              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
JOHN F. TIERNEY, Massachusetts       MARK E. SOUDER, Indiana
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      LYNN A. WESTMORELAND, Georgia
JIM COOPER, Tennessee                PATRICK T. McHENRY, North Carolina
GERRY E. CONNOLLY, Virginia          BRIAN P. BILBRAY, California
MIKE QUIGLEY, Illinois               JIM JORDAN, Ohio
MARCY KAPTUR, Ohio                   JEFF FLAKE, Arizona
ELEANOR HOLMES NORTON, District of   JEFF FORTENBERRY, Nebraska
    Columbia                         JASON CHAFFETZ, Utah
PATRICK J. KENNEDY, Rhode Island     AARON SCHOCK, Illinois
DANNY K. DAVIS, Illinois             ------ ------
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
------ ------

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      PATRICK T. McHENRY, North Carolina
CAROLYN B. MALONEY, New York         LYNN A. WESTMORELAND, Georgia
ELEANOR HOLMES NORTON, District of   JOHN L. MICA, Florida
    Columbia                         JASON CHAFFETZ, Utah
DANNY K. DAVIS, Illinois
STEVE DRIEHAUS, Ohio
DIANE E. WATSON, California
                     Darryl Piggee, Staff Director


                            C O N T E N T S

                              ----------
Hearing held on June 17, 2009
Statement of:
    Allen, Catherine, chairman and CEO, the Santa Fe Group; Marc
      Rotenberg, executive director, Electronic Privacy
      Information Center; Donald Rebovich, executive director,
      Center for Identity Management and Information Protection;
      Anne Wallace, president, Identity Theft Assistance Corp.;
      and Eric Handy, representative, Identity Theft Resource
      Center
        Allen, Catherine
        Handy, Eric
        Rebovich, Donald
        Rotenberg, Marc
        Wallace, Anne
    Broder, Betsy, Assistant Director, Federal Trade Commission,
      Division of Privacy and Identity Protection; Jason M.
      Weinstein, U.S. Department of Justice, Deputy Assistant
      Attorney General, Criminal Division; and Daniel Bertoni,
      Government Accountability Office, Director, Education,
      Workforce and Income Security
        Bertoni, Daniel
        Broder, Betsy
        Weinstein, Jason M.
Letters, statements, etc., submitted for the record by:
    Allen, Catherine, chairman and CEO, the Santa Fe Group,
      prepared statement of
    Bertoni, Daniel, Government Accountability Office, Director,
      Education, Workforce and Income Security, prepared
      statement of
    Broder, Betsy, Assistant Director, Federal Trade Commission,
      Division of Privacy and Identity Protection, prepared
      statement of
    Clay, Hon. Wm. Lacy, a Representative in Congress from the
      State of Missouri, prepared statement of
    Handy, Eric, representative, Identity Theft Resource Center,
      prepared statement of
    McHenry, Hon. Patrick T., a Representative in Congress from
      the State of North Carolina, prepared statement of
    Rebovich, Donald, executive director, Center for Identity
      Management and Information Protection, prepared statement
      of
    Rotenberg, Marc, executive director, Electronic Privacy
      Information Center, prepared statement of
    Wallace, Anne, president, Identity Theft Assistance Corp.,
      prepared statement of
    Watson, Hon. Diane E., a Representative in Congress from the
      State of California, prepared statement of
    Weinstein, Jason M., U.S. Department of Justice, Deputy
      Assistant Attorney General, Criminal Division, prepared
      statement of


                 IDENTITY THEFT: VICTIMS BILL OF RIGHTS

                              ----------


                        WEDNESDAY, JUNE 17, 2009

                  House of Representatives,
   Subcommittee on Information Policy, Census, and
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:03 p.m., in
room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay
(chairman of the subcommittee) presiding.
    Present: Representatives Clay, Driehaus, Watson, and
McHenry.
    Staff present: Darryl Piggee, staff director/counsel; Frank
Davis, professional staff member; Jean Gosa, clerk; Charisma
Williams, staff assistant; Adam Hodge, deputy press secretary,
full committee; Dan Blankenburg, minority director of outreach
and senior advisor; Adam Fromm, minority chief clerk and Member
liaison; Stephen Castor, minority senior counsel; and John
Ohly, minority professional staff member.
    Mr. Clay. The Information Policy, Census, and National
Archives Subcommittee will come to order. Good afternoon, and
welcome to today's hearing entitled, "Identity Theft: A
Victims Bill of Rights." Today's hearing will examine identity
theft and its impact on victims.
    On our first panel we will hear from government witnesses
who will testify about how the Federal Government addresses
identity theft. Our second panel comes from outside the
government, and they will tell us about their experience with
and research on identity theft.
Both panels will offer
recommendations that they believe will improve current
assistance programs to victims and discourage identity theft.
    And without objection, the Chair and ranking member will
have 5 minutes to make opening statements followed by opening
statements not to exceed 3 minutes by any other Member who
seeks recognition.
    Without objection, Members and witnesses may have 5
legislative days to submit a written statement or extraneous
materials for the record.
    The purpose of today's hearing is to examine actions the
Federal Government has taken to address the problem of identity
theft and how to provide protection to victims. We will
consider many important topics today, including current and
emerging issues on identity theft, how to improve both public
and private assistance efforts to victims of identity theft,
and how to increase prosecution and deterrence of identity
thieves.
    According to recent studies, identity theft affected nearly
10 million Americans in 2008 alone, an increase of 22 percent
from 2007. It is estimated that the average costs to consumers
and businesses top $49 billion. Identity theft is now the No. 1
consumer complaint received by the Federal Trade Commission,
accounting for 26 percent of all complaints received from
consumers in 2008.
    Identity theft is not a victimless crime. There are many
victims of identity theft, and commonly the same victim is
targeted over and over again. Victims include 18-month-old
children, deceased loved ones, banks, insurance companies,
small businesses and the Federal Government. Women, Hispanic
Americans, military personnel and Medicare recipients are most
likely to be victims of identity theft.
Secondary and tertiary
victims of identity theft include families, employers and
financial institutions.
    Identity theft itself includes not only financial losses,
but also nonfinancial identity theft, such as criminal and
medical identity theft. The identity thief uses the victim's
identity to commit a crime or to receive medical services. Many
times it is difficult for the victim to expunge their criminal
and medical records from incorrect information, leading to
false arrests or wrong diagnoses.
    Experts agree that identity theft prevention and assistance
efforts are lagging far behind the needs of the victims. All
identity crime victims today run into a vast number of problems
when trying to restore their identity. And identity thieves are
quick to overcome any obstacles set in place by legislation.
Today this subcommittee will focus on these concerns voiced by
the public in a collaboration to combat and prevent identity
theft.
    I thank all of our witnesses who are appearing today and
look forward to their testimonies.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Clay. And now we will proceed with swearing in the
witnesses. Let me start first by introducing our first panel.
    We will hear first from Ms. Betsy Broder, an Assistant
Director in the Division of Privacy and Identity Protection for
the Federal Trade Commission. In this capacity she helps
coordinate the agency's law enforcement, research and outreach
efforts on privacy issues, including identity theft, pretexting
and security.
    Next we will hear from Mr. Jason Weinstein, who currently
serves as a Deputy Assistant Attorney General in the Department
of Justice's Criminal Division. Prior to working at the
Department of Justice, he was an assistant U.S.
attorney in the
Southern District of New York, where he prosecuted criminal
cases involving violent crime, gangs, public corruption and
financial crimes. Welcome to you.
    Our last witness on the first panel is Mr. Dan Bertoni, a
Director with GAO's Education, Workforce and Income Security
Team. Mr. Bertoni began his career with GAO in 1989, and over
the course of his career, he has focused on identifying and
preventing fraud, waste and abuse in Federal programs, and has
also developed a body of work related to identity theft.
    And thank you all for appearing before the subcommittee
today.
    It is the policy of the Oversight and Government Reform
Committee to swear in all witnesses before they testify. I
would like to ask each one to please stand and raise your right
hands.
    [Witnesses sworn.]
    Mr. Clay. Let the record reflect that the witnesses
answered in the affirmative.
    You may be seated.
    Each of you will have 5 minutes to make an opening
statement. Your complete written testimony will be included in
the hearing record. The yellow light in front of you will
indicate that it is time to sum up. The red light will indicate
that your time has expired. Hopefully we can get through both
panels before we are interrupted for votes.
    And we will start with you, Ms. Broder. You may proceed.

 STATEMENTS OF BETSY BRODER, ASSISTANT DIRECTOR, FEDERAL TRADE
COMMISSION, DIVISION OF PRIVACY AND IDENTITY PROTECTION; JASON
  M. WEINSTEIN, U.S. DEPARTMENT OF JUSTICE, DEPUTY ASSISTANT
   ATTORNEY GENERAL, CRIMINAL DIVISION; AND DANIEL BERTONI,
    GOVERNMENT ACCOUNTABILITY OFFICE, DIRECTOR, EDUCATION,
                 WORKFORCE AND INCOME SECURITY

                   STATEMENT OF BETSY BRODER

    Ms. Broder. Thank you very much, Chairman Clay.
I am
Assistant Director, as you said, in the FTC Division of Privacy
and Identity Protection.
    The written testimony that we submitted reflects the views
of the Commission, but my oral remarks today are my own and
don't necessarily reflect the views of the Commission or any
Commissioner.
    Our written testimony details the approach the Commission
has taken with respect to identity theft: Our data security,
education and law enforcement program; our leadership; the
President's Identity Theft Task Force; and our measures to
improve consumer authentication.
    Right now, however, I want to focus on three specific
areas: First, how the FTC helps consumers recover from identity
theft; second, remedies for identity theft victims; and
finally, the FTC's recommendation for ways to improve efforts
on this front.
    First the Victim Assistance Program.
    Mr. Clay. Can I ask you to pull the mic closer and make
sure it's on?
    Ms. Broder. Almost 2 million consumers----
    Mr. Clay. Is your mic on? Press the button.
    There you go. Thank you.
    Ms. Broder. I hoped that tolled the clock.
    Mr. Clay. You don't have to start over.
    Ms. Broder. And I don't intend to, sir.
    Almost 2 million consumers have turned to the Federal Trade
Commission after they discovered that someone else has used
their name to open up credit accounts, get a job or even obtain
health care. Among these victims, a soldier returning from
Afghanistan, a mother calling on behalf of her disabled child
whose identity was stolen, and people whose government benefits
were terminated because someone else is working in their name.
    The FTC is the Nation's one-stop shop for identity theft
victims. We have a toll-free hotline that connects callers with
trained counselors, who, in English or Spanish, can walk the
consumer through the steps of recovery.
On-line resources at
ftc.gov/idtheft provide the same types of assistance,
explaining how to set fraud alerts with the credit reporting
agencies, how to dispute fraudulent charges or accounts, and
how to handle debt collectors. Last year alone we helped more
than 300,000 consumers who were victims of identity theft. In
turn, their complaints are entered into our Consumer Sentinel
Network, which is an on-line resource for law enforcers, with
direct access to these 2 million complaints and other useful
investigative resources.
    Other organizations, including ITAC that you will be
hearing from later, also contribute data to Consumer Sentinel.
This robust data base is the Nation's clearinghouse of identity
theft complaints, and it is an essential tool for all
investigative agencies that are investigating or prosecuting
identity crimes.
    The FTC also has responded to new challenges with more
refined tools for victims. For example, victims often need
police reports in order to vindicate their good name. But many
law enforcement agencies are overtaxed; they don't have
sufficient resources to develop the kind of detailed police
report that's necessary for recovery. The FTC identified this
issue as a priority, so now when consumers file complaints
with the FTC, law enforcers at over 1,700 agencies who have access
to Consumer Sentinel can pull up that consumer's complaint,
validate it as an identity theft report, a police report. So
now the consumer has their police report, the police agency is
able to greatly simplify this task for all involved.
    We've also worked closely with the IRS, which has recently
set up a dedicated help line for victims of tax-related
identity theft.
We are launching a system to get callers
connected to the specialized office of the IRS to resolve what
are often very complex issues dealing with tax refunds or
outstanding liability resulting from identity theft.
    And Commission staff coordinates with other organizations
that can provide more individualized help when that's what's
needed. For example, the Identity Theft Resource Center, which
also is testifying today, is the recipient of the Department of
Justice grant to establish a model nationwide Victim Assistance
Program. Our call center has implemented a system to direct
people to that office.
    The FTC also is collaborating with the American Bar
Association to establish a program to provide pro bono
assistance to victims of identity theft.
    Next I would like to briefly discuss some new remedies for
identity theft victims. The FACT Act, which was passed in 2003,
provided important tools for victims of identity theft. We are
now all entitled to a free copy of our credit report every 12
months from each of the credit reporting agencies. A credit
report can offer an early warning sign that fraud is afoot.
The FACT Act allows identity theft victims to block fraudulent
items in trade lines on their credit reports. They can place
fraud alerts on their credit reports and obtain documents
relating to the fraud, such as a fraudulent application.
    This last right is particularly important because many
victims used to find themselves in a Catch-22 where they would
be receiving dunning notices for the fraudulently opened
accounts, but were denied access to the forged application
because it was submitted by another person.
This provision of
the FACT Act addresses the frustrating scenario.
    Credit freezes, identity theft passports and other tools
also help prevent identity thieves from exploiting consumers'
good names.
    Finally, now, I would like to mention the FTC's legislative
recommendations that address identity theft. We have come a
long way in building systems and processes to help identity
theft victims, but clearly more needs to be done. The FTC is
not a criminal enforcement agency, so we cannot prosecute the
crime. Our partners at the Department of Justice are working
aggressively on that front. Strong data security, locking down
the data that identity thieves target is essential if we are to
reduce the overall incidence of the crime. That is where we can
exert our law enforcement muscle in areas that have direct
impact on identity theft.
    Although the FTC has maintained a vigorous presence,
bringing cases against companies that failed to use reasonable
procedures to protect sensitive consumer information, we could
have an even greater impact if the Commission could assess
several penalties for such violations. The Commission also has
called for nationwide data-security standards for entities that
are not already subject to such laws, as well as the national
breach notification law.
    And finally, the Commission has recommended improved
consumer authentication as well as restrictions on the display
and transmission of Social Security numbers as part of a
comprehensive approach to reducing the use of Social Security
numbers in the commission of an identity theft.
    Chairman Clay, members of the committee, victims of
identity theft often suffer harms that can endure for years.
Although there are now more effective tools to respond to this
crime, victims still face challenges in putting their lives
back together. The FTC remains committed to working with
victims.
    Thank you very much.
    Mr. Clay.
Thank you, Ms. Broder, for your testimony.
    [The prepared statement of Ms. Broder follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Clay. Mr. Weinstein.

                STATEMENT OF JASON M. WEINSTEIN

    Mr. Weinstein. Thank you. Good afternoon, Chairman Clay,
Ranking Member McHenry. Thank you for your invitation to
address the subcommittee this afternoon.
    As you know, identity theft affects millions of Americans
every year and inflicts significant monetary and other harms
upon its victims. Identity theft is by no means a new problem,
but the methods used to commit this crime are evolving. While
many criminals continue to use a variety of low-tech means to
unlawfully acquire the personal information of others, in
recent years, identity thieves have begun to use a variety of
new technologies and new methods to access and exploit such
information. As both individuals and businesses increasingly
rely on computers and information technology to store, process
and share confidential personal information, opportunities have
increased for criminals to exploit advances in information
technology to hack into the computers that store this
information.
    Cybercrime, once the province of the lone hacker, is now a
big business, and a growing number of potential victims are
vulnerable. But as criminals have adapted to take advantage of
new opportunities and data made available through networks and
the Internet, law enforcement has adapted as well. The
Department of Justice, along with our law enforcement partners,
has been aggressively investigating and prosecuting crimes that
facilitate and constitute identity theft with tremendous
success.
Our benchmark prosecutions of large-scale data
breaches and the identity theft that results from those
breaches highlight the range of our efforts to address this
growing problem.
    For example, most recently in late 2008, the FBI announced
the results of a 2-year undercover operation targeting members
of the on-line carding forum known as Dark Market. At its peak
the Dark Market Web site had over 2,500 registered members
around the world. The operation resulted in nearly 60 arrests
worldwide and prevented an estimated $70 million in economic
loss.
    In August 2008, the Department and U.S. Secret Service
announced the largest hacking and identity theft case ever
prosecuted in which charges were brought in three districts
against 11 members of an international hacking ring. The
defendants, who hailed from the United States, Estonia,
Ukraine, the People's Republic of China and Belarus, were
charged with, among other things, the theft and sale of more
than 40 million credit and debit card numbers obtained from
various retailers.
    In 2004, in Operation Firewall, the U.S. Secret Service and
several components of the Department of Justice coordinated the
search and arrest of more than 28 members of the Shadow Crew
criminal organization, who were located in 8 States here in the
United States and in 6 foreign countries. Members of that group
were later charged in a 62-count indictment with trafficking
in at least 1.5 million stolen bank and credit card numbers
that resulted in losses in excess of $4 million.
    As a result of that case, the Shadow Crew Web site was
disabled, which we believe prevented hundreds of millions of
dollars in additional losses. And to date, with the exception
of two fugitives, all of the domestic Shadow Crew defendants
have pleaded guilty and received sentences of up to 90 months
in prison.
And Operation Firewall was one of our early efforts
that paved the way for some of the more recent successes I
mentioned and that are outlined in my written testimony.
    These cases that I've discussed and the others discussed in
the written testimony illustrate the scope of the Department's
efforts to combat the growing identity theft problem, but
notably they also reveal the global reach that cybercriminals
can have. The identity thieves and the cybercriminals
responsible for many of these and other large-scale data
breaches live in and operate from foreign jurisdictions.
Because of the global nature of the Internet and the
identity-theft-related crimes it can facilitate, continued close
coordination and cooperation with foreign law enforcement is
critical to the success of our identity theft investigations
and prosecutions here at home.
    In addition to our efforts to investigate and prosecute
identity theft, we are also committed to continuing to work in
coordination with other agencies to aid the victims of this serious
crime through grants such as grants at the Identity Theft
Resource Center and other agencies, training and other victim
assistance programs.
    Now, while the Department is proud of these cases and of
all of our efforts to tackle the growing and evolving identity
theft problem, we recognize that there is much more to be done,
and we will continue to work with the law enforcement and
private-sector partners to meet that challenge. Our continued
success is dependent on our ability to, No. 1, build upon the
United States' existing relationships with international
partners to strengthen law enforcement cooperation channels
internationally; and, No.
2, to explore legislation that will
strengthen the penalties for stealing identity information and
other related cybercrimes, and that would require security
breach reports to Federal law enforcement so that we may pursue
the criminals responsible for the acts as quickly and
vigorously as possible.
    This, of course, is just a brief overview of the
Department's role in combating these crimes and the primary
issues we must focus on as we press ahead. We are very glad to
have the opportunity this afternoon to discuss these issues
with you further, and at the appropriate time I would be
pleased to answer questions.
    Mr. Clay. Thank you so much.
    [The prepared statement of Mr. Weinstein follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Clay. Mr. Bertoni, you are recognized for 5 minutes.

                  STATEMENT OF DANIEL BERTONI

    Mr. Bertoni. Mr. Chairman, members of the subcommittee,
good afternoon. I am pleased to be here to discuss the role
that personally identifiable information plays in identity
theft. Such information, including one's name, date of birth
and SSN, is key to carrying out so many activities of daily
life; however, this information is also valuable to persons
seeking to commit fraud or identity theft. Advances in
information technology have made it easier to collect and share
sensitive information, but also result in more incidents of
loss in unauthorized use.
    My remarks today focus on three areas: Why we should be
concerned about identity theft; actions taken at the Federal,
State and local levels; and continuing challenges to protecting
sensitive information.
    In summary, identity theft affects 10 million persons
annually, translating into reported losses of $50 billion.
Victims are often unaware that the crime has taken place until
much harm has been done to their credit rating, and could face
substantial costs and inconvenience repairing the damage.
Others have lost jobs, been refused loans or even arrested for
crimes they didn't commit.
    During the course of our work, we have documented real-life
examples of identity theft, both domestic and international,
including the 2006 case of an Ohio woman who led a group of
identity thieves in stealing information from public
recordkeeper Web sites, resulting in $450 million in losses. In
the 2007 case of an individual who partnered with thieves from
Russia and Romania in an on-line phishing scam. In compromise
there were 4,000 credit card accounts and obtained full
identity information for over 1,600 victims.
    Various laws and actions at the Federal, State and local
level aim to deter identity theft. At the Federal level the
Privacy Act of 1974 and E-Government Act of 2002 define
agencies' responsibility for protecting personal information.
Moreover, the Federal Information Security Management Act of
2002 requires agencies to develop programs for securing
sensitive data in information systems.
    Over the last several years, the Office of Management and
Budget has also issued numerous directives requiring agencies
to put in additional steps for safeguarding personal
information, including establishing senior privacy officers and
developing data breach notification plans.
    States and localities have also acted to prevent identity
theft and assist victims. More States now recognize identity
theft and related activities as a crime, while many others have
incorporated victim assistance provisions into their laws, such
as credit or security freezes.
And some county governments have
also begun removing or truncating SSNs displayed in their
public records.
    Despite these actions, vulnerabilities persist in three
areas. First, issues related to the display and uses of the SSN
have not been sufficiently addressed. Because of its unique
nature and broad applicability, the SSN has become the
identifier of choice for both the public and private sectors.
Unfortunately--unfortunately, millions of electronic public
records contain SSNs that can be easily compromised due to the
absence of a national standard for SSN truncation. That is the
practice of blocking the first five or last four digits of the
number. To illustrate, within a matter of minutes, we easily
reconstructed full 9-digit SSNs and other identity information
for individuals in 10 States by combining various electronic
records that use disparate truncation methods. We have
recommended that the Congress establish a national truncation
standard.
    Second, Federal law does not cover all data or services
provided by information resellers in other industries. Today
data resellers and their contractors electronically amass and
share large amounts of personal information; however, no
Federal law explicitly requires them to safeguard all personal
data even when it is sensitive and subject to misuse by
identity thieves. We have recommended the Congress strengthen
requirements for information resellers in other industries
similar to those imposed on financial institutions.
    Last, Federal agencies continue to experience security
incidences that may expose sensitive information to identity
thieves. Federal agencies rely heavily on automated systems and
electronic data which must be protected against unauthorized
use.
We have made numerous recommendations to broadly \nstrengthen the integrity of Federal information systems and \nultimately reduce breaches and other security incidents; \nhowever, continued breaches at various Federal agencies and \nfacilities such as the National Archives underscore the \nimportance of vigilance in this area.\n    We have noted that data-breach notifications to affected \nparties can have clear benefits in terms of mitigating the \nimpacts of identity theft in enhancing public accountability, \nand have recommended that OMB develop guidance to help agencies \nmake risk-based decisions as to what services to offer \nindividuals whose personal information has been compromised, \nand we will continue to monitor progress in this area.\n    Mr. Chairman, this concludes my statement. I'm happy to \nanswer any questions that you or the other members of the \nsubcommittee may have. Thank you.\n    Mr. Clay. Thank you so much, Mr. Bertoni.\n    [The prepared statement of Mr. Bertoni follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Clay. We have been joined by the ranking member, Mr. \nMcHenry of North Carolina. And I will recognize him first for 5 \nminutes of questioning.\n    Mr. McHenry.\n    Mr. McHenry. Thank you, Mr. Chairman.\n    I am sorry I was detained, but I certainly appreciate your \ntestimony. I have taken a look at your testimony before, but, \nyou know, it is obvious there is an identity theft challenge \nthat we're facing as a country. And Congress--in the House have \nlargely divided jurisdictions, and so we have jurisdictional \ncommittee issue on this issue as well. In terms of really \nacting to preclude some of the issues that you brought up \ntoday, I am on Financial Services; we certainly have a \nsubstantial amount of concern there with identity theft and how \nthat has ramifications for people's credit ratings and access \nto credit generally.\n    Mr. Bertoni, you reference a truncation standard. 
Now, \nyou're talking about to truncate someone's Social Security \nnumber?\n    Mr. Bertoni. Correct, correct.\n    Mr. McHenry. Now, would that--is that difficult to do, \nbecause what the Federal Government said, a Social Security \nnumber is only for Social Security, it is not an identification \nnumber. That's what we have stated in the law. Now, in fact, \nyou know, colleges, banks, institutions large and small use \nyour Social Security number as basically your identifier. Will \nwe have to change existing law there in order to acknowledge \nthat it is, in fact, an identification number?\n    Mr. Bertoni. We're taking questions. The fact is that the \nSSN has become the unique national identifier. SSA will say \nthat it is not to be used for identification purposes, but \nlet's face it, that's where we are at. You can't rent a movie \nfrom Blockbuster or get satellite television without providing \nyour SSN, and that is being bumped against other data elements \nto confirm identity.\n    And in our view the Social Security number is probably the \nmost critical piece of information that identity thieves would \nwant in terms of the personal identifying information that they \ncan get their hands on. Without the SSN the other elements are \nmuch more difficult to do anything with.\n    I don't believe you have to do anything to change the law. \nWe've--Gramm-Leach-Bliley has already determined or codified \nthat the SSN is part of personal identifying information that \ncan--needs to be protected.\n    Mr. McHenry. Sure it needs----\n    Mr. Bertoni. So it's a matter of taking some next steps to \nbroaden that voice to, I think, some other industries.\n    And as far as truncation goes, it is not difficult. 
It is a \nmatter of getting on a national level the standard to be \nconsistent, because if you're truncating on the front half, and \nan information--another information reseller is truncated on \nthe back end, within minutes I can find both sides of that SSN \nand probably find your name, date of birth and some other \nrecords, and have an identity very quickly.\n    Mr. McHenry. Certainly--and speaking of Social Security \nnumbers, in your--you mentioned the National Archives, a loss \nof information or theft of information. We're not certain of, \neven now, what exactly happened. But the hard drive \ndisappearance at the National Archives, it included 100,000 \nSocial Security numbers, including apparently Al Gore's \ndaughter's Social Security number is in this information, and \ncontact information, including addresses for various and high-\nranking Clinton administration officials, Secret Service--as \nwell as Secret Service and a number of other personnel that are \nincluded.\n    This is highly sensitive information. So I'm not asking you \nto testify about the procedures of the National Archives, but \nwhat can the government do to mitigate the damage or potential \ndamage of this loss of information?\n    Mr. Bertoni. I think right up front, some thought to \nencryption should have been at--in play. If you have encrypted \ndata, you leave it somewhere where it shouldn't be, it's going \nto be much more difficult for an identity thief to do something \nwith, especially if it is encrypted in accordance with NIST \nstandards. So on the front end, I don't know what that data \nlooked like, but I would hope--I don't know, it had some type \nof encryption technology.\n    After the fact we now have to do a risk-based assessment of \nwhere do we think this ended up, what was on it, and what's the \nlikelihood of identity theft. 
And from there you go to a go/no \ngo on data breach notification, and ultimately another risk \nassessment assessing what's the likelihood that this is out \nthere and being used. And then beyond that you have to think \nabout what services you're going to offer, passive monitoring \nor active alerts on credit records, or even credit freezes. So \nthere are some major decisions that have to be made after the \nfact.\n    Mr. McHenry. Do you have any comments, Ms. Broder?\n    Ms. Broder. Yes, briefly. The Social Security number is \nindeed a very sensitive and valuable piece of identity for \nidentity thieves, but partly that is because it is used not \nonly as an identifier to link you with your information, but \nalso as an authenticator to establish that you are indeed the \nperson who you purport to be. And one of the recommendations \nthat the Federal Trade Commission has made was that companies \nthat open up consumer accounts have more rigorous standards to \nauthenticate consumers so it is not so easy, so that the Social \nSecurity number is not the de facto key to the kingdom, but \nthat more robust systems are in place to prevent that type of \nfraud from happening.\n    And, of course, other recommendations. Certainly locking \ndown Social Security numbers, having appropriate data security \nare important front end, but authentication also could go a \nlong way to reducing the incidence of identity theft.\n    Mr. McHenry. Mr. Weinstein, any comments?\n    Mr. Weinstein. No.\n    Mr. McHenry. Well, thank you so much for testifying. I know \nwe have other questions as well. Thank you.\n    Mr. Clay. Thank you, Mr. McHenry.\n    Ms. Broder, ID breaches are very devastating to consumers, \nand oftentimes are caused by simple negligence by businesses or \ntheir refusal to make any attempts at compliance with privacy \npolicies. 
I noted in your statement that the FTC has, since \n2001, used its authority under the FTC Act to bring 26 cases \nagainst businesses that allegedly failed to protect consumers' \npersonal information. And can you give me examples of the types \nof punishment that is given to these businesses that disregard \nthose safeguards designed to protect privacy? Are they \nsufficient as deterrents? Are they too soft? Does the FTC Act \nneed strengthening?\n    Ms. Broder. One of our recommendations is that we can now \nbring cases, data security cases, under section 5 of the \nFederal Trade Commission Act under the Gramm-Leach-Bliley Act, \nbut we can't seek civil penalties. Those laws do not give us \nthe authority to impose civil penalties against those \ncompanies. So while we can get injunctive relief that requires \nthem to subject themselves to audits, that requires them to \ntake certain steps to improve their data security program, at \nthis present time, sir, we cannot assess civil penalties. That \nis one of the legislative recommendations that the Commission \nhas made, because we think a financial deterrent will go a long \nway to encouraging greater compliance with these laws.\n    Mr. Clay. You mentioned a grant for a nationwide model for \nrelief for victims. Have you come up with a nationwide model?\n    Ms. Broder. The Department of Justice's Office of Victims \nof Crime have given grants to four different organizations \naround the country to develop nonprofit centers for victims of \nidentity theft that can provide greater assistance, more \nindividualized care for people who have more engaged problems.\n    What we find at the FTC, of the 300,000 people who \ncontacted us last year seeking assistance, many of them are \nable to use these tools themselves to restore their credit \nhistory, to dispute fraudulent accounts. 
There are tools in \nplace, and many consumers are able to exercise them.\n    In more complex problems, or with consumers who are not \nable to exercise those rights, we find that those organizations \noften can provide additional assistance.\n    So the FTC is doing a lot of work there every day, 20,000 \ncontacts every week from consumers asking for information or \nseeking advice on identity theft. But there are some cases that \nare more complex that need more--that grant is still underway, \nand I think a final assessment has not been made on the success \nof those programs.\n    Mr. Clay. OK. We would be interested in seeing what the \nassessments are.\n    Mr. Weinstein, you know, ID theft is on the rise. What are \nsome of the new or emerging forms of the crime?\n    Mr. Weinstein. You know, the crime varies from low-tech to \nhigh-tech. There are still plenty of identity thieves who use \nlow-tech means to get personal identifying information and to \nexploit it, using a telephone and their own personal skill at \ndealing with people. But the high-tech trend, I think the most \ntroubling is the carding forum. And the carding forum is an on-\nline active marketplace for the sale and exploitation of \ntechnology and tools to commit intrusions and to buy and sell \nthe data from those intrusions.\n    A number of the cases that our division and U.S. attorneys' \noffices nationwide have been prosecuting--investigating and \nprosecuting and have been most challenging have involved \ncarding forums, and they are challenging on a number of levels. \nFirst, they have numerous members. The Dark Market, the one I \nmentioned, had 2,100 active members at one time. Second, those \nnumbers are worldwide, and so they present a lot of challenges \nthat any international case presents. But what makes those such \ndisturbing trends in identity theft is that they are so \nsophisticated, and they are so organized. 
As I said it in my \nstatement, identity thieves used to be solo actors. Now \nidentity thieves are often linked with organized crime. And we \nfind that organized crime, especially international criminal \norganizations, are capitalizing on the value of personal \nidentifying information and exploiting that to make lots of \nmoney very quickly.\n    If you go on to one of these carding forums, if you are \nvouched for and able to get access to it, or, as we do, if an \nundercover officer is able to get access, your mind will be \nblown by what is going on these sites. Stolen credit card and \nATM information that has been obtained through computer \nintrusions is there for sale. People who can commit hacking and \nother types of intrusions are offering their services for \nmoney. False identification documents, fraudulent credit cards \nthat have been manufactured using information that's stolen are \nbeing offered for sale. Tools and equipment to manufacture \nfraudulent credit cards are being offered for sale. And that \ninformation is exploited for--to make massive amounts of money, \nto steal massive amounts of money in a short period of time. \nThat, I think, is the most difficult trend in high-tech \nidentity theft, and that's the one we're most concerned about.\n    Mr. Clay. What type of legislation could we enact that \nwould reduce the threat of identity theft? Have you come up \nwith any good ideas or suggestions?\n    Mr. Weinstein. Well, there's two--legislation in two areas \nthat I think would be useful, and that would make what we're \nalready doing more effective. We work very hard to keep pace \nwith the increasingly sophisticated criminals we investigate \nand prosecute. We continually train investigators and agents. \nWe have the highest-tech tools and the best-trained \ninvestigators and prosecutors anywhere in pursuing these types \nof crime--this type of crime. 
And we try to keep pace with and \nanticipate what the cybercriminals will do next.\n    But there are two areas in the law that I think, even after \nthe Identity Theft Enforcement and Restitution Act of 2008, \nthat there are areas we can still improve our efforts: No. 1, \nlegislation that will enable us to better coordinate and \ncooperate with our international partners. As the examples I \ngave in my statement and the others that are mentioned in the \nwritten testimony indicate this is increasingly an \ninternational crime, a transnational crime. And as I indicated \na moment ago, because the crime is increasingly committed or \nparticipated in by international criminal organizations, it is \nabsolutely essential that we be able to work cooperatively with \nlaw enforcement. And cooperation with law enforcement is a two-\nway street. Every day we ask foreign governments and foreign \nlaw enforcement agencies to help us in prosecutions that we're \nengaging over here, but they need our help as well. And so \nlegislation that clarifies the authority of U.S. courts to \ncompel the production of evidence that can be used in a foreign \ncriminal investigation, something, by the way, that was one of \nthe recommendations in the Identity Theft Task Force a few \nyears ago but hasn't made it into law yet, would be a very \neffective tool, because the more we can offer help to foreign \npartners who are fully engaged on this issue, the more we can \nexpect them to help us. So that's No. 1.\n    No. 2 is closer to home, and that's sentencing. The \nCongress, in the Identity Theft Enforcement and Restitution \nAct, directed the sentencing commission to examine the \nguidelines related to identity theft and to explore amendments \nto them. And in a sense the Commission has come up with some \namendments to the guidelines that govern identity theft, but \nthose amendments, I think, are lacking. 
As these criminals \nbecome more sophisticated, using proxies, using keystroke \nloggers and spyware, using increasing--increasingly \nsophisticated technology to exploit our personal information, \nwe need the sentencing schemes to keep up, and so we believe \nthe Computer Fraud and Abuse Act, which is codified at Title 18 \nU.S. Code section 1030, which is the statute that we \nprincipally charge in this area for computer-related identity \nthief--identity theft, should be amended to adopt harsher \npenalties for this kind of crime, and that the guidelines \nshould be amended accordingly for even greater enhancements for \nthe use of sophisticated technologies.\n    Identity theft involving high-tech means it is harder to \ninvestigate, and it is harder to prosecute. It is much more \nresource-intensive, and it's much more dangerous, because using \nhigh technology, identity thieves can get more people's \ninformation and use it to steal more money in a shorter period \nof time. The guidelines should punish that kind of identity \ntheft involving that kind of technology and those kinds of \nmeans much more harshly than other forms of this crime. And so \nwe think that the guidelines should be amended as well to keep \npace with the increasingly sophisticated technology and \ntechniques that these criminals are using.\n    Mr. Clay. Thank you for that response.\n    I will go to my colleague from Ohio Mr. Driehaus for 5 \nminutes.\n    Mr. Driehaus. Thank you, Mr. Chairman, and thank you for \nholding this panel and the next panel. 
I think this is a \ncritically important issue.\n    As a State legislator in Ohio for 8 years, we often \nwrestled with the issue of identity theft, and I recall one of \nmy colleagues in the legislature calling me one time and \nreciting to me my Social Security number that he found on a \nlocal government Web site, because I had gotten a traffic \nticket, and the clerk of courts, in his infinite wisdom, \ndecided that all records are not only public, but should be \npublished on the Internet. And so we worked to modify that in \nthe State of Ohio, but I've got to tell you, it took a long \ntime to make that happen.\n    So I'm interested in the perspective, all of you, really \nall three of you, as to what we can do at the congressional \nlevel to--this always happens when I'm asking questions, by the \nway--but what we might be able to do to provide guidance to \nState and local governments, because they continue to have this \nproblem, this quandary, between making information available to \nthe public and protecting the privacy of the citizens of their \nvarious jurisdictions. And you find that the policies are all \nover the place. And in the case of Hamilton County, where I am, \nin Cincinnati, the clerk of courts was simply taking documents, \nscanning documents and putting them directly onto the Internet, \ndespite--despite the fact that they had information about \npeople's bank accounts, they had Social Security numbers, they \nhad private information. They weren't redacting the \ninformation. His excuse was that they couldn't redact the \ninformation because it was documents being scanned, which I \nfound to be kind of lame.\n    But I would like your input as to how we might do a better \njob in informing policy at the State and local level so that \nthose local entities aren't making this information available, \nbecause we see this happen all the time.\n    Mr. Bertoni. I can take a shot at that. 
Before you came in, \nI had a lot to say about public recordkeepers.\n    I think one thing we have here, you know, issues of \nfederalism in State rights, certainly. But, no, I do believe \nthrough the years and opportunities we've had to look at this, \nthat States are becoming more aware of the value of SSN and \nother personally identifiable information in public records. So \nwe see, we do see movement in many cases of States trying to at \nleast truncate or redact SSNs. Florida wholesale has redacted \nSSNs from their records, but there is variability.\n    One thing that we have tried to do or perhaps suggested is \nperhaps the Association of Governors can come together and talk \nabout best practices for redaction and truncation, but that \nwill take some cooperation across States.\n    As far as guidance, I think there is--there are good things \nhappening out there that States are doing. It is a matter of \nraising it up to the level of a national level where we can \nhave a forum. And we have done that in various forums in \ntestifying about what States are doing.\n    Mr. Driehaus. But given the number of entities of State and \nlocal governments that are out there, there doesn't tend to be \nany uniformity, and I guess that's what I am trying to get at. \nHow do we bring uniformity to the practices at the local level \nin terms of the availability of documents? You know, they are \ndealing with their own States' sunshine laws in what records \nneed to be made available, but how do we get to a point where \nthere is uniformity at the State and local government level in \nterms of the information being made available?\n    Mr. Bertoni. I don't know if we're going to be able to--\nyou're going to be able to direct States to either include or \nnot include information. I'm not--we're getting into issues of \nfederalism and State rights. 
But we believe there is \nopportunity to establish at the congressional level a national \nstandard for truncation, so at least what's in there will be \nconsistent in terms of how SSNs are truncated in either the \nfront end or back end, because right now it is very easy to go \ninto any single State set of records and find, because of \nvariance in truncation, the front end and the back end of an \nSSN and put it together very quickly. So, step one, we have \nrecommended that the Congress establish a national truncation \nstandard.\n    Ms. Broder. Mr. Driehaus, we actually submitted testimony \nto the Ohio committee that was addressing this very issue about \npublic access to data and SSNs, and it is a challenging one, as \nMr. Bertoni set out. There are some models going forward. \nCertainly the Federal court system and the bankruptcy court \nsystem have undertaken a system to truncate from their records \nSocial Security numbers and other personally identifying \ninformation for which there is no public value in revealing.\n    Of course, we have a public interest in making--giving \ntransparency to process, but there is a point at which some of \nthis information does not serve that purpose. And so in the \nFederal court electronic system, none of this data is readily \navailable. But there are many people who say that with respect \nto, for example, the Social Security number, the cost \nassociated with doing this process retroactively is \noverwhelming, going through all of the records, all the housing \nrecords and anything else that may now be available \nelectronically. It is a very costly undertaking. In other \nwords, maybe the feathers are already out of the pillow, can't \nput them back in.\n    And then I would return to the issue of authentication. 
If \ncompanies took better care in making sure they were dealing \nwith the right person rather than just seeing a Social Security \nnumber and assuming that was adequate for opening an account, \nthen the availability of this information would be much less of \na threat. I'm not saying it shouldn't be protected, but this is \nall part of a comprehensive program to protect the data and \nmake it less available, but also less useful for identity \nthieves.\n    Mr. Bertoni. If I could add to that. You're right, I think, \nin the case of Ohio, they sell public records to--in bulk to \nvarious vendors. So even if you were to start redacting or \nremoving or truncating today, those records have been sold and \nresold and resold already many, many times. So going forward \nyou could sort of stop this flow of SSNs in the public records.\n    But keep in mind this information has already been sold to \nmany vendors, and that's where we get at the other piece of our \nother recommendations, that regardless of industry, you have to \nlook at the sensitivity of the information and mandate that \ninformation be controlled regardless of who you are and what \nyou're using it for. Information resellers, tax preparations, \ntelecommunications, all those right now are held to a lower bar \nin terms of information disclosure and protection.\n    Mr. Driehaus. Thank you, Mr. Chairman.\n    Mr. Clay. Thank you, Mr. Driehaus.\n    Mr. Bertoni, are there currently any plausible alternatives \nto the Social--Social Security number as a personal identifier \nin government systems?\n    Mr. Bertoni. I don't think any widely plausible \nalternatives currently exist. Again, this started in 1935 with \nan Executive order that all Federal agencies were going to use \nthe SSN for internal and external management of their programs. \nSo this is longstanding, ingrained use--usage.\n    I do know that there are alternatives being considered at \nleast on a case-by-case basis. 
The health industry is starting \nto move away from the Social Security number as your identifier \nand assigning alternative patient numbers. The Office of \nManagement and Budget in 2007 directed agencies to look for \nalternatives to the SSN in assigning numbers to personnel for \neither travel management or payroll, etc. And even in GAO we \nhave gone in that direction; we have alternatives to the SSN. \nBut as far as a broadly used national number, no. And if we go \nin that direction, we are in the same position that we have to, \nfrom day one, think about how we would protect it.\n    Mr. Clay. Yeah. Does any single Federal agency have the \nauthority to regulate the use of the Social Security number in \nFederal information systems?\n    Mr. Bertoni. Not that I'm aware of. Originally many had \nargued that SSA--SSA would be the one that would do that. But \ntheir view is that their regulation stops once it leaves the \nagency. So within the agency they regulate and control; once it \ngoes to another Federal agency, they do not believe they have \njurisdiction to tell that other agency what to do with the \nnumber.\n    Mr. Clay. OK. Anyone else on the panel have anything to \nadd? If not, let me--we will dismiss this panel and then go \ninto recess for two votes on the floor, and, when we come back, \nswear in the second panel. And Members are reminded that you \nhave up to 5 legislative days to submit opening statements or \nany other materials for the record. And, Mr. McHenry, your \nopening statement will be included without objection.\n    We stand in recess.\n    [Recess.]\n    Mr. Clay. The subcommittee will come to order.\n    On our second panel, our first witness is Ms. Catherine \nAllen, the founder and chairman and CEO of the Santa Fe Group, \na strategic consulting company based in Santa Fe, NM. 
The Santa \nFe Group specializes in briefings to executives and boards of \ndirectors at financial institutions and other critical \ninfrastructure companies, and provides management for strategic \nindustry and institutional projects.\n    Welcome to the subcommittee.\n    Next, we will hear from Mr. Marc Rotenberg, the executive \ndirector of the Electronic Privacy Information Center in \nWashington, DC. He teaches information privacy law at \nGeorgetown University Law Center and has testified before \nCongress on many issues, including access to information, \nencryption policy, consumer protection, computer security and \ncommunications privacy.\n    Welcome to you, Mr. Rotenberg.\n    Our third witness is Mr. Donald J. Rebovich, the executive \ndirector of Utica College's Center for Identity Management and \nInformation Protection and executive director of Utica \nCollege's Economic Crime and Justice Studies program. His \nbackground includes research in identity theft, economic crime, \nvictimization, white collar crime prosecution, and \nmultijurisdictional task force development.\n    Thank you for being here.\n    Next we will hear from Ms. Anne Wallace, president of the \nIdentity Theft Assistance Corp., a nonprofit corporation that \noperates ITAC, the Identity Theft Assistance Center. Ms. \nWallace is a nationally recognized expert on privacy and \nfinancial services law, and she works to protect all consumers \nthrough consumer education and partners with law enforcement to \ncombat identity theft.\n    The final witness is Mr. Eric Handy, a representative for \nthe Identity Theft Resource Center. Mr. Handy is an IT security \nand privacy specialist with over 15 years of information \ntechnology consulting experience. He specializes in privacy and \ninformation security program implementation and program \nmanagement oversight.\n    Thank you all for appearing before the subcommittee today. 
\nIt is the policy of the subcommittee to swear in all witnesses \nbefore they testify. I would like to ask you to stand and raise \nyour right hands.\n    [Witnesses sworn.]\n    Mr. Clay. Let the record reflect that the witnesses \nanswered in the affirmative.\n    Each of you will have 5 minutes to make opening statements. \nYour complete written testimony will be included in the hearing \nrecord. The yellow light in front of you will indicate that it \nis time to sum up. The red light will indicate that your time \nhas expired.\n    Ms. Allen, you may begin.\n\n STATEMENTS OF CATHERINE ALLEN, CHAIRMAN AND CEO, THE SANTA FE \n GROUP; MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY \nINFORMATION CENTER; DONALD REBOVICH, EXECUTIVE DIRECTOR, CENTER \n   FOR IDENTITY MANAGEMENT AND INFORMATION PROTECTION; ANNE \n WALLACE, PRESIDENT, IDENTITY THEFT ASSISTANCE CORP.; AND ERIC \n     HANDY, REPRESENTATIVE, IDENTITY THEFT RESOURCE CENTER\n\n                  STATEMENT OF CATHERINE ALLEN\n\n    Ms. Allen. Thank you, Chairman Clay and members of the \nsubcommittee. Thank you for your leadership in highlighting the \nissue of victims of identity crime in the often long and lonely \nroad they walk toward restoration.\n    I have spent most of my career in the financial services \nindustry, most recently as the founding CEO of BITS, a CEO-\ndriven, nonprofit financial services industry consortium. I \ngrew up in a small town in Missouri, and my dad was a banker, \nso I have been in the banking industry for awhile.\n    Today I am involved in efforts to examine the way the \nfinancial services industry is regulated and the impact of \npolicy on consumers. In this area of identity theft, I believe \nwe are just at the tip of the iceberg because of the growing \ncybersecurity threats we face. And it is why we think that a \nVictims Bill of Rights is necessary. 
The victim's voice is \nseldom heard in the debate.\n    This testimony reflects the work of the Santa Fe Group \nVendor Council, formed in 2006 to bring together leaders at \nservice provider organizations. The vendor council promotes the \ndevelopment of secure, best-in-class technology solutions, \nstandards and best practices related to fraud, payments, \ncybersecurity, data protection and identity crime. Last fall \nthe vendor council formed an identity management working group \nto develop an inventory of best practices for assisting victims \nof identity crime and suggesting improvements in law and \ncorporate practice to make it easier for victims to dispute \nfalse claims and reclaim their identity. My testimony today \nwill speak to the victims' bill of rights and the written \ntestimony has much other background information.\n    Identity crime victims deserve the same rights as other \ncrime victims. Identity crimes can be physical, emotional, and \nfinancial. Today, most identity crimes will be treated as \nmisdemeanors or very low-level felonies, and the majority of \nprosecutions will be civil as opposed to criminal actions. We \nneed better coordination, awareness of the victim experience, \nand concrete steps for correcting identity records.\n    For the benefits of individuals, business and society, we \npropose the following bill of rights for identity crime \nvictims: the right to assessment; the right to restoration; the \nright to freedom from harassment; the right to potential \nprosecution of the offenders; and the right to restitution. And \nI will explain a little bit on each.\n    In the right to assessment, consumers who suspect that they \nhave become a victim of identity theft should have the right to \nassess the nature and extent of damages to their identity. \nFACTA already grants many of these rights, but there are \nsometimes procedural Catch-22s. 
All businesses and governmental \nagencies should be required to provide notice to consumers when \nthey suffer a data breach involving loss of sensitive personal \ninformation, but the present patchwork of State laws and \ngovernment policy needs to be replaced with a uniform Federal \nstatute spelling out notification requirements.\n    The right to restoration is, ideally victims should be able \nto restore their identities to their pretheft state. However, \nthis is not always possible, especially with the complexity of \nthe crime and especially with financial identity theft. Whether \nor not they can fully recover, it is imperative that victims be \nable to establish correct records and access all of those \nrecords in all kinds of institutions.\n    Relevant privacy laws need to be reviewed and amended, \ngiving victims the power to access and correct their own \nrecord.\n    The right to freedom from harassment comes because \nsometimes collection agencies and others during and after the \nidentity restoration process harass the individuals. The \nharassment happens because business and law enforcement have no \nway to distinguish victims from the thieves. To combat this, \nsome States have issued identity theft passports to identify \nthat the victim has been a victim of identity theft and help \nthe person prove his or her identity. However, these can be \neasily forged.\n    So however effective the documents are, it remains to be \nseen, but some system for identifying and verifying victims is \nneeded.\n    The right to potential prosecution of offenders: One of the \ngreat frustrations to identity crime victims is the lack of \nbusiness and law enforcement resources to prosecute identity \ntheft. 
Again, there is always a need to balance priorities and \nbudgets, but these organizations need to take the long view in \nthe impact of identity crimes--first, that identity crime \ncontinues precisely because it pays; second, the FBI and Secret \nService have found where there is one victim, there are usually \nmore, and we need to look at this in an aggregate; third, not \nall of the costs of identity crime are immediately visible or \nmeasurable.\n    The right to restitution is where identity crime victims \ncan spend hundreds of dollars and they deserve restitution, the \nsame as victims of any other crime. Yet studies show that the \ndefendants were ordered to pay in only about a third of the \ncases. Restitution will help make victims whole, send a message \nthat identity crime is a real crime, and helps ensure when \nperpetrators are caught, identity crime does not pay.\n    To further help victims, the definition of compensable \ncrime under Federal and State statutes should be expanded to \ninclude identity crimes.\n    In summary, I am recommending three things in terms of \npossible legislative actions, and then four other things.\n    First, to enact a uniform scheme across industry and \ngovernment to assist identity theft victims and that is to \ninclude the five items included in the Identity Theft Victims \nBill of Rights.\n    Second, to create a national standard of identification, \none that cannot be forged by identity thieves that victims can \nuse to distinguish themselves.\n    Third is to expand the definition of compensable crime \nunder Federal and State law to include identity crime.\n    Four other things are to invest in independent research on \nthe effects of identity crime:\n    We need to get beyond the anecdotes to understand the \nactual relationship between data breaches and identity theft \nand to be able to understand what policies and law enforcement \nprocedures are effective.\n    Second, there need to be standard dispute 
procedures in \nindustry and law enforcement where, upon resolution, victims \ncould receive standardized verifiable letters proving the \nissues have been resolved.\n    Third is the Federal Trade Commission does a terrific job \nin overseeing victims' rights, but it could be expanded; and \nperhaps the role to make sure there is cohesiveness across \nnational laws and to also make sure that law enforcement is \ninvestigating identity crime in a consistent way.\n    Last, there is much discussion, especially after today's \nannouncement on a consumer financial protection agency; in that \ndialog, the idea of identity theft policies and education \nshould be included.\n    We thank you for this opportunity to present testimony. And \nagain, if there are any questions, I would be happy to answer \nthem.\n    Mr. Clay. Thank you for your testimony.\n    [The prepared statement of Ms. Allen follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Clay. Mr. Rotenberg.\n\n                  STATEMENT OF MARC ROTENBERG\n\n    Mr. Rotenberg. Mr. Chairman, I appreciate the opportunity \nto testify today on this very important issue for American \nconsumers.\n    My organization, the Electronic Privacy Information Center, \nhas been working on the issue of identity theft almost since \nour founding 15 years ago. In fact, I was going to mention to \nMr. Driehaus that one of our first cases concerned the privacy \nof the Social Security numbers of employees in the State of \nOhio, and we succeeded in that case. They limited the use of--\nthe publication of the SSNs, but that continues to be a very \nserious problem.\n    My comments today are directed toward what we see as the \nroot causes. On the first panel you heard from the Federal \nTrade Commission. 
They talked about how they are assisting the \nvictims of identity theft after they run into problems.\n    The Department of Justice is prosecuting the crime after \nthe crime occurs, but in our opinion, not enough is being done \nto address the root causes of the identity theft problem. And \nso in my statement, which I will briefly summarize now, I am \ngoing to try to speak to that issue and suggest specifically \nfor this committee some steps you might take to reduce the \nproblem of identity theft in this country. Because, as you \nknow, not only is it a significant problem, but in fact the No. \n1 concern of American consumers. According to the Federal Trade \nCommission, it is a growing problem and that number has been \nincreasing since the FTC has been keeping track of it.\n    And it is an evolving problem. I think we are about to \nexperience new forms of identity theft. The Wall Street \nJournal, for example, reported just this week about an identity \ntheft investigation in Los Angeles involving improper use of \nmedical records information. We will hear more about that as \nmore of our personal medical information is digitized and made \navailable online.\n    So I would like to address five steps I believe the \ncommittee could take to try to reduce the problem at its \nsource.\n    One of the concerns today, I believe, should be the \nincreasing transfer of information within the government onto \nthe Internet. You've already heard about people getting access \nto public record information that contains Social Security \nnumbers and bank account numbers.\n    There is a big push right now in the Federal Government to \ntake advantage of some of the new Web 2.0 services; and we \ncertainly support the President's call to make public \ninformation more widely accessible to the public, but we think \nthat privacy protection has to be part of that process. 
Privacy \nissues have not been given enough attention so far in this new \npush to make Federal information available online. We hope more \ncan be done.\n    We think there are similar concerns with respect to the \noutsourcing of government services. A lot of personal data is \nmoved from government agencies to private contractors, and it \nis not always clear if those contractors are subject to privacy \nact obligations or other contractual obligations to protect the \npersonal information of the U.S. citizens that they now have \nobtained.\n    You may recall, in fact, Mr. Chairman, last year in the \nrun-up to the Presidential election, there was the case over at \nthe State Department involving the passport records of then \nSenator Obama and Senator Clinton and Senator McCain that were \nall improperly accessed by private contractors. That is closely \ntied to the issue of identity theft, and we believe it is an \nissue that this committee could look at.\n    Privacy legislation is a very important part of the way to \nget to the root cause of the problem. It is simply too easy \ntoday for companies to collect a lot of detailed information \nabout Americans. They have too few responsibilities, and it is \ntoo difficult, I believe, for Americans to protect their \ninformation once they have turned it over to a bank or to some \nother firm.\n    What privacy legislation will do is put some obligations on \nthose companies to ensure better security, better safeguards. 
\nAnd also, I hope it will get some of those companies to think \nabout whether it is such a good idea to collect Social Security \nnumbers, which we know will be the target for identity thieves \nwho are trying to get access to that information.\n    If fewer organizations in this country were collecting the \nSocial Security number and using the Social Security number, we \nthink the problem of identity theft would go down.\n    We would also like to see more emphasis on privacy \nprotection in the administration's focus on cybersecurity. \nThere is a lot of talk right now about strengthening the \nNation's infrastructure. Part of that has to be about the \nprotection of personal information that is being stored on \ncomputers and servers in the United States.\n    Finally, Mr. Chairman, I would like to raise one issue; it \nis a little bit futuristic, but at the same time we believe it \ngoes to the heart of the problem, and it is going to be with us \nfor some time. We think Americans need better tools for \nidentity management. By that I mean, we need better ways for \npeople to interact with government, for people to interact with \nbusinesses without being required to disclose so much personal \ninformation or to give up a number that links together all of \ntheir personal information.\n    That is the essential problem with the Social Security \nnumber: It links together too much data. We think new tools for \nidentity management could help address that problem as well.\n    Thank you again for this opportunity.\n    Mr. Clay. Thank you for your testimony.\n    [The prepared statement of Mr. Rotenberg follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Clay. Mr. Rebovich, you are recognized for 5 minutes.\n\n                  STATEMENT OF DONALD REBOVICH\n\n    Mr. Rebovich. Good afternoon, Chairman Clay and members of \nthe subcommittee. 
I appreciate the opportunity to appear before \nyou to discuss the serious crime of identity theft, the impact \nit has on victims and what can be learned from criminological \nresearch in this area.\n    The research center I direct, the Center for Identity \nManagement and Information Protection, is housed at Utica \nCollege in central New York and is a research collaborative \ndedicated to the prevention and containment of identity theft.\n    While the term ``identity theft'' is familiar to many, \nquestions still remain about what the term really represents, \nwhat type of person is most likely to commit this type of \noffense, what criminal methods are most commonly used, and who \nis in most jeopardy to be victimized. As a criminologist, I \nbelieve that answering these questions brings us many steps \ncloser to helping to lower the incidence of this insidious \ncrime and protect the interests of those who fall victim to it.\n    Now, my center undertook a challenging research endeavor \nwith empirical analysis of over 500 U.S. Secret Service \nidentity theft cases. We studied it. It covered over a period \nof 6 years. When the results were released, they were met with \nan interesting mix of curiosity and surprise.\n    Contrary to some earlier victim surveys, this study found \nthat many victims did not know their offenders. The median loss \nfor a case was found to be over $30,000, much more than the \naverage estimates drawn from victim surveys. A full one-third \nof the offenders were found to have committed their crimes at \ntheir place of employment, spotlighting the problem of \nunscrupulous insiders who would use personal information for \ncriminal purposes.\n    Individuals were not the only victims. The financial \nservices industry was victimized in 37 percent of the cases. In \n21 percent of the cases, the victims were retail businesses. 
\nThe financial services industry was most frequently victimized \nby offenders using fraudulently obtained personal identifying \ninformation to obtain new credit card accounts, to apply for \nand obtain fraudulent loans, to pass checks, and to transfer \nfunds.\n    The retail industry was victimized by the use of stolen \nidentity information to open store accounts and by purchasing \nmerchandise with fraudulent credit cards.\n    As a criminologist, those study findings impressed upon me \nthe stark realities of identity theft in our modern society. \nMany of the crimes were carried out easily, and it really \ndidn't take, in many cases, our analyzing that, because some of \nthe offenders in case notes indicated and bragged about how \neasy it was.\n    A common characteristic of these offenses is that these \ncriminals are criminal opportunists. They look for the path of \nleast resistance, and they find it. And there are many \ncompromised points in our system that they can use to commit \nthese offenses. 
In the final analysis, the identity thief will \ntake the path of least resistance toward the ultimate goal of \nusing someone's identity to commit fraud in someone else's \nname.\n    But there are a series of vulnerabilities, system \nvulnerabilities that we can address to try to cut off the blood \nflow to these offenders, for instance: Merchant recognition of \ncounterfeit cards: Time and again the actual cases indicated a \nfailure of merchants to detect that credit cards were not \nauthentic; bank oversight of new account creation: the failure \nof bank personnel to recognize false identification \ninformation; oversight of employee access to customer-client \ninformation: another failure of the employer to effectively \nmonitor employee use of customer-client personal information; \ncredit card issuers' oversight of adding users to existing \naccounts: a failure of issuers to effectively verify \nauthenticity and victim approval of requests to add offenders \nto existing accounts as credit card users; Government \nrecognition of altered forms: another failure, a failure of \ngovernment agencies to detect false documentation, leading to \nfraudulent use of documents in victims' names; and finally the \noversight of employee access to client-customer credit cards, \nskimming: another failure of employers to effectively monitor \nemployee use of credit cards in the course of legitimate credit \ncard transactions.\n    Just to summarize in terms of what we can do with this \ninformation to help apply the plight of victims, I have \ndistilled my recommendations in my testimony to three optimized \nprotections: Optimize authentication protection; optimize \nprotection of personal information; and, optimize protection by \nlaw enforcement.\n    In authentication protection, we need to have the best \ntools possible and standardize them to make sure we can \nauthenticate who these people are, whether they are actually \nthe people they say they are or criminal 
offenders.\n    Optimize protection of personal information: We are talking \nabout all of the different agencies, private sector and public \nsector, that have access to personal information and house it. \nIt is their responsibility to protect that information.\n    Finally, optimize protection by law enforcement: Half of \nthe cases that we looked at that were Secret Service cases \nstarted at the local level with local police officers. These \nwere people, these were officers who did the right thing; they \nunderstood what identity theft is, and they reacted. Other \nresearch unfortunately has shown that is not always the case. \nWhat we need to do is address these authentication optimized \nprotections to try to close the gap to prevent identity theft.\n    Thank you, sir.\n    Mr. Clay. Thank you for your testimony.\n    [The prepared statement of Mr. Rebovich follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Clay. Ms. Wallace, you are recognized for 5 minutes.\n\n                   STATEMENT OF ANNE WALLACE\n\n    Ms. Wallace. Chairman Clay and members of the subcommittee, \nthank you very much for inviting me today and for giving me the \nopportunity to tell you about ITAC, the Identity Theft \nAssistance Center.\n    Six years ago, executives of the largest financial services \ncompanies in the country got together and realized that while \nthey were doing a great job helping their customers at the \ntime, there was more they could do to help their customers who \nbecame victims of identity theft.\n    One of the key problems that victims face is that the \ncriminal uses their information in more than one place; and the \nvictim then has to find all of the places where the fraud has \noccurred, tell their story again and again, and prove who they \nare. It is a very time-consuming and frustrating process.\n    This kind of fragmentation also occurs in law enforcement. 
\nIdentity crimes frequently involve many customers with small \ndollar losses across jurisdictional lines, and this kind of \nfragmentation really makes it difficult to investigate and \nprosecute these crimes.\n    So in 2003, under the leadership of the Financial Services \nRoundtable and BITS, 50 of the largest financial services \ncompanies came together to form ITAC, a nonprofit organization \ncommitted to helping victims recover from identity theft, \npartnering with law enforcement to catch and convict the \ncriminals and to provide consumer education.\n    Since 2004, ITAC has helped more than 55,000 consumers \nrecover from identity theft. The service is free to the \nconsumer and is paid for by the financial services company. \nVery briefly, here is how the service works.\n    It starts at an individual member company, who helps the \nvictim resolve any of the problems at that company. The company \nthen directly transfers the consumer's telephone call to an \nITAC agent who walks the consumer through their credit report \nto find any other cases where fraud may have occurred.\n    If fraud is found at other places, ITAC notifies all of \nthose companies, whether they are ITAC members or not. The ITAC \nmembers get instant notice from us, online notice; the other \ncompanies all get a letter from us saying this person is a \nvictim; you need to do something to fix this problem.\n    As you can imagine, this is a very rewarding job I have. It \nis wonderful to be in a position to help people at a time when \nthey need it most, and that is exactly what ITAC is. It is a \nhelping hand at a time when people need that help most of all.\n    Just one quick example. One of the people we helped was a \n71-year-old man from California. He was a tax preparer who, out \nof the kindness of his heart, rented an apartment in his home \nto a woman and her daughters. He treated her like a daughter. \nShe used his computer and stole his financial information. 
He \ndidn't find out about it until he got a bill in the mail for a \ncredit card that he had never applied for.\n    When he came to ITAC, the ITAC agent found one other \nfraudulent account in his name, and five other attempts to open \naccounts in his name. What he said to the ITAC agent was, ``You \ncan't imagine what a relief it is, in the middle of all of \nthis, having someone on your side.''\n    This is a terrific service, and people really appreciate \nit.\n    I want to turn quickly to law enforcement because that is \nanother key area that we operate in. We share data with both \nthe Postal Inspection Financial Crimes Data base and with the \nFTC's Consumer Sentinel Data base; and this information is used \nby inspectors and law enforcement all over the country. The \nreason this is so important is because, instead of each company \nsharing information individually, we have data from multiple \ncompanies; it is national in scope and it is in a consistent \nformat. And law enforcement tells us that they are using it \nvery effectively. In a number of cases around the country, it \nhas helped them crack the cases.\n    The third element of our mission is education. We work very \nclosely with the Federal Trade Commission. We helped when they \nlaunched their Deter, Detect, Defend Campaign, and we also have \na terrific Web site of our own, identitytheftassistance.org, to \nhelp on this consumer education effort.\n    In summary, I would say a lot of progress has been made \nover the last 6 years when I have been head of ITAC. We have \nhad great laws passed, more consumer education, and a much \nbetter response on the part of law enforcement. But there is \ncertainly a lot more to be done.\n    Consumers still have difficulty filing police reports in \nmany jurisdictions. 
There are still gaps in the enforcement \nefforts, and the lack of comprehensive data makes it difficult \nfor policymakers, such as this committee, to make the best kind \nof legislative choices.\n    In closing, what I would say is that we believe that the \nITAC model, a collaborative private sector approach that is \nfocused on best practices and, most importantly, focused on \nhelping the consumer recover from this crime, has great \npotential in other industry sectors and for government \nagencies.\n    So thank you for the opportunity to testify. I will be \nhappy to answer any questions you might have.\n    Mr. Clay. Thank you for your testimony.\n    [The prepared statement of Ms. Wallace follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Clay. Mr. Handy, you have 5 minutes.\n\n                    STATEMENT OF ERIC HANDY\n\n    Mr. Handy. Chairman Clay and subcommittee members, my name \nis Eric Handy, and I am here to represent the Identity Theft \nResource Center [ITRC]. I am here for the founder, Linda Foley, \nand they are based in San Diego, CA.\n    Very similar to ITAC, we are also a free service for \nvictims. We do quite a bit with victims. We also do quite a bit \nwith legislation, government, law enforcement, training, \ngeneral awareness training in a lot of areas.\n    Going forward, we also have a nice survey called Identity \nTheft: The Aftermath. This year's version is Identity Theft: \nThe Aftermath 2008. 
There, you can really hear the voices of \nthe victims call out to you when you read the statements from \nactual victims; that is, the one beauty of the ITRC is that we \nget to deal with the victim from start to finish in a lot of \ncases, and we get to work through all of the systems and all of \nthe quirks in the systems, and we get to find out what does \nwork and what doesn't work.\n    You can read that document and very clearly see over the \nlast 6 years how things have changed.\n    What I want to emphasize are three emerging areas. I know \nthat you asked that question of the last panel, that we see \nthat is happening out in the identity theft world right now.\n    No. 1 is, child identity theft is something that is \nincreasing; No. 2 is medical identity theft, which has been \nelaborated on already; and, No. 3 is identity theft in the \ndeceased, believe it or not. So this is a real cradle-to-grave \nsituation where the average person is usually age 26 to 34 that \nis affected by identity theft. But it can happen at any point \nin time.\n    When we talk about child identity theft, I just read a \nstatistic today before I came here, if you took every classroom \nin the United States, you would probably find one child \nidentity theft victim in that class, and that seems like an \nawful lot to me.\n    We can play around with numbers and statistics, but there \nis a big problem because a lot of cases, the creditor or person \noffering the credit account does not know the age of the person \nor their Social Security number, because Social Security is \nassociated by date of issue not birth date. So there is an \nissue there. They don't know if the person is a minor or not, \nso they will most likely allow the account to exist and that \ncauses what we have here, the child identity theft problem.\n    A solution that we offer up is to create a data base; we \ncall it the 17-10 data base. 
That is a data base that has \neverybody, everybody from 1 day old to 17 years and 1 month \nincluded in this data base. This would be done through SSA, the \nSocial Security Administration. This has been bandied about a \nlittle bit, and so it is possible everyone who is giving credit \nwould have the ability to check that data base based on Social \nSecurity numbers. You would check that to make sure that person \nis not a minor. That would automatically, in a lot of cases, \neliminate some of the child identity theft problems.\n    Issue No. 2, medical identity theft: We all know the \nPresidential movement for 2014 is for all medical records to be \nonline, and that is quite daunting. Being in the profession of \nIT security, that concerns me. It always concerned me because \n95 percent of our medical information is being held by the \nsmall provider, who is least likely or least able to protect \nthemselves because of resources. So it is already a \npredicament, but when you put everything online, it is easier \nfor thieves to get.\n    We have all heard the stories of persons, who got the \nmedical bill for the foot amputation, and they never had an \namputation and no one believed them. When they called the \ncreditors, they didn't believe them. They made jokes about it. \nThe person has to go to the billing office and show them they \nhave both feet.\n    That is sometimes what this leads to with some of the \nvictims. We deal with the victims, and I get all of these \nfantastic stories about these things that happen. No one \nbelieves the victims. 
We are here to be the voice of the victim \ncurrently, right now.\n    There are a lot of procedures that are in place, but they \nare not always followed or enforced, and that is why we have \nthe situation I just mentioned where you bring the bill and \nshow you haven't had your foot amputated; and they still don't \nalways 100 percent believe you.\n    So that is where we are when it comes to medical identity \ntheft. We have medical identity theft red flag rules that will \nhelp out with medical identity theft coming up in the future, \nand what we do need are more privacy laws.\n    For instance, if someone stole my medical identity and I \nfound out about it and corrected it--and say I had diabetes--\nnow it shows I don't have diabetes, that is a problem health-\nwise. But I can't go back and change that to diabetes because I \ncan't see my records anymore because the imposter has the \nright.\n    So something is wrong with that story. I no longer have the \nright to my own medical records to make the change that I need \nto correct it.\n    Now there are some solutions--make an alias, a card that \nshows that there has been a mishap that occurred and you can \ntrack it. One problem is, if we do clear that record up \ntotally, and they come back and strike again, you can be hit \nover and over again. So we do need some kind of record on that.\n    Identity theft in the deceased, even when people die, those \nare the best people to get for identity theft because they are \nnot able to watch themselves--or kids. So that is the perfect \nsituation. In the kids' case, you have 18 years to operate as \nan identity thief. 
That is a beautiful situation if that is \nwhat you are into doing.\n    The problem we have with the deceased is when the death \ncertificates go out; they must all be tracked properly and \nnotified.\n    A lot of these solutions have been drawn up in my testimony \nfor further reference.\n    Last, in the world of identity theft, today is tomorrow. In \nother words, the thieves are way ahead. So we have to stay one \nstep ahead. This is like riding a bronco, we don't know where \nit is going, and we need more enforcement. There is no \nenforcement, so people don't care to protect these situations.\n    Thank you for your time. I look forward to answering \nquestions.\n    Mr. Clay. Thank you, Mr. Handy.\n    [The prepared statement of Mr. Handy follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    Mr. Clay. I thank all of you for your testimony. Let me \nstart the questioning with Ms. Allen.\n    Ms. Allen, will the move to electronic medical records \nbring with it an increase in medical identity theft and why? \nWhy is that?\n    Ms. Allen. I believe it will, because you are aggregating \ndata and making it easier for the criminals to detect. I think \nit is a good thing. I am not opposed to this happening, but any \ntime you make it easier, in a way, to create a larger data \nbase, it makes it more attractive to thieves.\n    The thieves are going to be interested in it because they \ndon't have insurance or want to have insurance to cover some \nprocedure in a hospital. It may be that they want to get access \nfor prescriptions for drugs, and that is a big issue for having \nthe data for legitimate drugs, but drugs they may be after.\n    The third part of it is, they will be looking to scam the \nsystem, whether the Medicare system, Medicaid, or the hospital \nsystem. 
There is a lot of money flowing right now that it would \nbe very easy, if you had a false ID, to be able to access.\n    All of this would be prevented if, when they were \ndeveloping the procedures and requirements for the medical data \nbases, they make sure that there is adequate security and \nlayers of security and the technology that will help to limit \nthe access to that data; that we will make sure that only those \nthat have--that are enabled or should have access to it can \nhave access to it. But it is going to bring security problems.\n    Mr. Clay. Mr. Rotenberg, Mr. Handy addressed an issue that \nis a mystery, I guess, to lawmakers here. How do we rectify \nthat person's medical record that has been stolen so they can \nget back to it to correct it when the imposter, in accordance \nwith our laws, now has rights to that medical record that the \nimposter stole? How do we fix that?\n    Mr. Rotenberg. Sir, I need to look a little more closely at \nthe relevant regulation.\n    I know a lot of the agencies are working to implement the \nprivacy law that was recently signed, the HITECH Act. But my \ninstinct would be that there is going to be some entity out \nthere, maybe it is the hospital, maybe the insurer, but \nsomebody has that record. And whoever has that record has the \nresponsibility to ensure that it is accurate.\n    I don't think that they get to say to the actual patient, \n``we are terribly sorry there has been some confusion here; you \nare going to have to sort it out.'' It is the organization that \nhas the record that has to sort it out. You are going to have \nto put some new incentives on those organizations that have the \nrecord and say, ``There is a problem here and you are the ones \nwho are best able to fix it.''\n    Mr. Clay. Let me ask you, Ms. Allen, why do you feel a \nFederal preemption law on privacy is better than those in \nindividual States?\n    Ms. Allen. 
I think we have a complex system of State laws, \nand it makes it more expensive for any business.\n    For example, 95 percent of health care providers are small \nbusinesses or small practitioners. It becomes almost impossible \nfor a small business to understand what the privacy laws are in \neach State; therefore, they sometimes don't pay attention \nto it.\n    So if you had one Federal law, it would be easier to make \npeople aware of it and consistent. And it would be more cost \neffective; it would be better for consumers because they would \nunderstand what their rights were in each State. And there are \nsome excellent laws out there. There is a new Massachusetts law \nthat might be a model.\n    One of the other issues, it has to be on all businesses, \nnot just on financial services companies, because all \nbusinesses have sensitive data either about their employees or \ntheir customers. And so it needs to be something that goes \nacross industries.\n    Mr. Rotenberg. I want to speak briefly on this issue \nbecause it is one that people in the privacy community feel \nvery strongly about.\n    I think it would be a tragic mistake to have Federal \npreemption specifically in the area of identity theft because \none of the things that we have observed over the last several \nyears is that the State legislatures, which are close to this \nproblem, are coming up with new solutions to try to respond as \nthey uncover new problems.\n    The Federal law is a very good baseline, but in California, \nfor example, they just recently amended their identity theft to \ndeal with this problem of medical identity theft, because they \nwere now experiencing a new problem. If they had been \npreempted, prevented from doing that, I think many more people \nwould have been suffering as a consequence.\n    Mr. Clay. Ms. Allen, you recommend the government conduct \nmore research in this area of identity theft. 
Could you be more \nspecific and how would you propose more standardized approaches \nto dispute procedures?\n    Ms. Allen. I think public funding should be available--and \nit could be administered through the FTC or the DOJ or whatever \nthe appropriate agency is--but first of all, to really track \nthe correlation between data breaches and actual incidents of \nidentity theft, because it is growing.\n    There are arguments on both sides that you can have data \nbreaches of millions of records, but only a few turn into \nidentity theft. I would argue that many of these organized \ncriminals are holding that data. And the last time I testified \nbefore you, the CIO from the State of Missouri talked about \napprehending a criminal who had stolen records from the \nUniversity of Missouri, and they were going to hold it for 10 \nyears. That is strategic planning.\n    So I think we have to look at the correlation between data \nbreaches and incidents of identity theft and track that over \ntime. I think we have to look at what policies and procedures \nare already in place, including legislation, and how effective \nis it; and a good example of that is the credit reports or \ncredit freezes, and track over time how effective that is.\n    I have mentioned we are on the tip of an iceberg. And I \ncome from the cybersecurity perspective, and I think it is \ngoing to blow open what is happening out there in terms of the \naccess to data from cybersecurity breaches. We need to be ready \nand prepared to help the victims and have the layers of \nsecurity, but we have a war coming.\n    Mr. Clay. Thank you.\n    Mr. Rebovich, what do you propose to bring the treatment of \nidentity theft victims in line with the way that the criminal \njustice system treats victims of other types of crime?\n    Mr. Rebovich. 
Frankly, I think we are behind in doing this \nas a society.\n    The treatment of identity theft victims, I would say, is--I \nwould sort of call them the second level of seriousness, where \nit should be a higher level of seriousness that we address. In \nother words, even though it is not a physical assault, it is an \nassault upon the finances of the people who are victimized.\n    My feeling is that actually the term ``identity theft'' has \nbecome sanitized to the point we are accepting it as, yes, it \nis a part of life. I think we have to change. I think we have \nto change our perspective as a system, the criminal justice \nsystem especially.\n    If it was a victim of domestic violence, as a society, we \nwould make sure that person who has been victimized gets all of \nthe possible help that they can to recover. Right now we are \nnot doing that; we are not doing that with identity theft \nvictims.\n    I am not saying that the particular crime is on the same \nlevel as a violent crime, but I think we have to treat it with \nmore seriousness.\n    Mr. Clay. Usually it is a financial harm that is committed \nso we need to first repair the financial damage that occurs and \nany other damage.\n    Mr. Rebovich. I would say the financial harm can be very \nserious and also lead to psychological harm and emotional harm. \nThat is something that I think criminal justice research has \nnot really tracked very effectively: What's the long-lasting \nharm that it brings to people who are victimized?\n    Mr. Clay. Ms. Wallace, the Identity Theft Assistance Corp. \nhas unique data-sharing agreements with several government \nagencies and private industries that are used in its mission in \nthe investigation and prosecution of identity crime.\n    Can you share this uniqueness with the committee at this \ntime?\n    Ms. Wallace. Absolutely, Mr. 
Chairman.\n    As I mentioned very briefly in my testimony, today and for \nyears individual companies have shared information about their \nown experiences with law enforcement. And they will work on \nindividual crimes.\n    But to do the best possible job today, as some of the other \nwitnesses have said, this is cybercrime. It may involve \nmultiple witnesses across multiple jurisdictional lines, so you \nreally have to have Federal, State and local enforcement \nagencies working together and data from multiple sources. That \nhas been the key to success of the regional identity theft task \nforce.\n    For example, there is a great task force in St. Louis that \nhas a great record of bringing together St. Louis County and \nthe district attorney's office and FBI and Secret Service to \nwork on a collective basis, so when they have information from \nvarious jurisdictions about multiple victims across \njurisdictional lines, they can do a far more effective job in \nusing their limited resources to catch the criminals.\n    Mr. Clay. How do we get better procedural help in the \nresolution of cases? How do we establish better clearance \nprocedures in national data bases for criminal identity theft \nvictims? Is a bill of rights the answer?\n    Ms. Wallace. I would say the law enforcement community has \nalready done the foundation for data-sharing on the Federal \nlevel. And I would be happy to respond in more detail in \nwriting with more information about some of the great projects \nthat we work with to share information among Federal and State \nlaw enforcement.\n    I am sure the Federal Trade Commission would be happy to \nprovide more information about how their Consumer Sentinel Data \nbase is used by about 1,400 law enforcement agencies around the \ncountry at the State, local and Federal level.\n    So the foundation is there. 
But certainly more training, \nmore funding, and frankly, more encouragement to do this kind \nof partnering would be very welcome.\n    Mr. Clay. Thank you.\n    Mr. Handy, H.R. 2221, the Data Accountability and Trust Act \nwas introduced in the House by Chairman Bobby Rush of the \nSubcommittee on Commerce, Trade and Consumer Protection. The \nITRC has been involved in monitoring the legislation as well as \nworking with those that have been aggrieved by theft.\n    What are your thoughts on this legislation? Does it go far \nenough? Please elaborate.\n    Mr. Handy. Our recommendation is that it probably does not \ngo far enough when it comes to identity theft regulations. The \nbill itself--and I'm trying to remember when we discussed that \nexact bill; but when it comes to identity theft, we felt there \nshould be a general ruling and you should give each State the \nopportunity to go further based on the situation. That was our \nstandpoint on that bill.\n    So general sentencing, but you want the ability to add more \nbased on the situation at hand.\n    Mr. Clay. Thank you.\n    Mr. Rotenberg, can you comment on the Fair Debt Collection \nPractices Act and its ability to adequately cover identity \ntheft victims? And where does your organization fit in this?\n    Mr. Rotenberg. Mr. Chairman, we are actually not familiar \nwith that legislation, so I don't think I have a comment on \nthat.\n    I did testify on Mr. Rush's bill, and I think that is good \nlegislation. I think it would help reduce some of the problems \nrelated to identity theft.\n    Mr. Clay. All right, thank you for that.\n    What policy changes can enhance the support of future \nresearch on identity theft and its victims, and what specific \nareas do you see as warranting future research?\n    Mr. Rotenberg. Well, I think the statistics are very \nuseful. 
I think that the information that the FTC has been \ncollecting over the years gives us a clear picture of the \nproblem and some of the trends that we need to be aware of. So \nwe certainly support that.\n    I think it would be helpful in anticipating some of the new \ntypes of problems that are about to emerge to expand some of \nthe data collection--looking at medical identity theft, for \nexample. And also some of the identity theft related to new \nonline services, I think the information is very, very helpful.\n    Mr. Clay. Ms. Allen, what more can be done by the \ntechnology community to mitigate identity theft, and what \nresponsibility do they have?\n    Ms. Allen. This gets back to the issue of cybersecurity \nbreaches, the application software--software providers are \noperating systems that have great vulnerabilities--some kind of \nboth accountability or perhaps liability on the technology \ncommunity to be partners with the user community in closing \nthose vulnerabilities or finding patches that will work more \nquickly, or staying ahead of some of the cybersecurity thieves.\n    The way it is right now, the user community pretty much has \nthe total responsibility and accountability.\n    Mr. Clay. As a final question to the entire panel, give me \nyour thoughts on what more can be done to educate the public \nand law enforcement about helping the victims of these crimes, \nMs. Allen?\n    Ms. Allen. I think showing the link between cybersecurity \nbreaches and identity theft will be very important; and as we \nhave a cybersecurity czar in the White House, having that is \npart of the mandate.\n    Second, in the dialog around a consumer financial \nprotection agency, having identity theft and cybersecurity \nthreats be part of that dialog.\n    Mr. Rotenberg. 
I think telling people about the very good \nresources of the Federal Trade Commission, as well as the \nresources provided by some of the organizations represented on \nthis panel, will help consumers. But I do believe very strongly \nthat in this area there is only so much the consumers can do.\n    I think we need to get to the root of some of these \nproblems about computer security, use of the Social Security \nnumber, and that will have to happen in Congress.\n    Mr. Clay. Mr. Rebovich.\n    Mr. Rebovich. I think that we have to attack the problem \nfrom several different areas at once. And in terms of the \neducation of the average citizen to prevent victimization, we \ncan't forget that cybersecurity is very important. Many more \npeople are on the Internet than ever before.\n    But we can't overlook the fact that many of these cases are \nlow-tech cases as well. People can be victimized from not \nshredding personal material. They can be victimized because \nthey don't have a lock box on their mailbox. Many of these \noffenders that we research in our study used very low-tech \nmethods. They didn't have to go any further; the opportunities \nwere there.\n    So in terms of educating the average citizen, I think we \nhave to educate the average citizen on awareness, on how to \nprotect themselves on the Internet and use of computers, but \nalso not forget, they have to be certain every day that they \nare doing everything they can to prevent victimization by the \nuse of low-tech methods.\n    Mr. Clay. Thank you.\n    Ms. Wallace.\n    Ms. Wallace. 
I would agree with most of the comments made \nby the other panelists; that is, the complex nature of identity \ntheft makes education extremely difficult because there are so \nmany kinds of risks, and it can happen in so many different \nways.\n    Having said that, I am particularly excited about an \ninitiative that we will be launching later this summer focused \non youth, an audience that perhaps has not been brought into \nthis debate as much as they need to be. And so it is a program \nto help the youth who are online on Facebook and YouTube and \nlots of other places, and understand that there are risks \nindeed in that environment.\n    Mr. Handy. From a consumer standpoint, we need more \nawareness training and reaching out to the public, for \ninstance, teaching people how to read credit reports and what \nthey are supposed to do on a yearly basis so they can catch it.\n    My theory is, it is not if it is going to happen, it is \nwhen it is going to happen; so prepare them for what can happen \nand how to defend themselves. And I think we can at least cut \ndown the loss. If you catch it early, it is not that bad of an \nissue. But if you don't, it drags on.\n    From a business standpoint, I like what the Federal \nGovernment has done with FISMA, the scorecards, put some \naccountability to a lot of people, and it seems to work to some \ndegree where people will move and make better--they use that in \nthe business world.\n    Mr. Clay. I want to thank all of you for your testimony. I \nfind this subject to be one of urgency. I find it also to be \nfascinating that in this day and age we haven't really figured \nout how to police this issue. And as a government, we need to \nget on top of this and stay on top of it.\n    And so I appreciate all of your testimony today and the \nfirst panel's testimony. I am sure that this will not be the \nlast of hearings like this on this subject matter. 
But it is \nnow time for us to act as an institution, as a legislative \nbody, to come up with sound law based on some of the advice you \nhave brought us today.\n    We have been joined by Ms. Watson of California. We were \nreally wrapping up, but if you have anything that you want to \ncontribute at this time you may, Ms. Watson.\n    Ms. Watson. Mr. Chairman, I am always pleased to come to \nyour committee. We were invited over to the Senate to meet with \nSenator Reid, and by the time I got there, the meeting had been \ncanceled.\n    But I do know that the issues that we wanted to raise, I \nhave been told that most of the questions have been addressed, \nso I just want to thank you. Sorry to be so late to catch you \nat the end, but do know that I am absolutely interested in the \nsubject matter, and I hope to hear more.\n    Mr. Clay. Thank you so much.\n    This subcommittee hearing stands adjourned.\n    [Whereupon, at 4:30 p.m., the subcommittee was adjourned.]\n    [The prepared statements of Hon. Diane E. Watson and Hon. \nPatrick T. McHenry follow:]\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n"