[Senate Hearing 109-1089]
[From the U.S. Government Publishing Office]
S. Hrg. 109-1089
IDENTITY THEFT
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
JUNE 16, 2005
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PRINTING OFFICE
61-846 WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
GORDON H. SMITH, Oregon
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
JOHN E. SUNUNU, New Hampshire
JIM DeMINT, South Carolina
DAVID VITTER, Louisiana
DANIEL K. INOUYE, Hawaii, Co-Chairman
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
BYRON L. DORGAN, North Dakota
BARBARA BOXER, California
BILL NELSON, Florida
MARIA CANTWELL, Washington
FRANK R. LAUTENBERG, New Jersey
E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas
Lisa J. Sutherland, Republican Staff Director
Christine Drager Kurth, Republican Deputy Staff Director
David Russell, Republican Chief Counsel
Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Samuel E. Whitehorn, Democratic Deputy Staff Director and General
Counsel
Lila Harper Helms, Democratic Policy Director
C O N T E N T S
----------
Hearing held on June 16, 2005
Statement of Senator Allen
Statement of Senator Burns
Statement of Senator Inouye
    Prepared statement
Statement of Senator Ben Nelson
Statement of Senator Bill Nelson
Statement of Senator Pryor
Statement of Senator Smith
    Prepared statement of Hon. Hardy Myers, Attorney General of Oregon
Witnesses
Feinstein, Hon. Dianne, U.S. Senator from California
Harbour, Hon. Pamela Jones, Commissioner, Federal Trade Commission
Hooley, Hon. Darlene, U.S. Representative from Oregon
Leary, Hon. Thomas B., Commissioner, Federal Trade Commission
Leibowitz, Hon. Jon, Commissioner, Federal Trade Commission
Majoras, Hon. Deborah Platt, Chairman, Federal Trade Commission
    Prepared statement
Schumer, Hon. Charles E., U.S. Senator from New York
Sorrell, Hon. William H., Vermont Attorney General; President, National Association of Attorneys General
    Prepared statement
Swindle, Hon. Orson, Commissioner, Federal Trade Commission
Appendix
Boxer, Hon. Barbara, U.S. Senator from California, prepared statement
Dorgan, Hon. Byron L., U.S. Senator from North Dakota, prepared statement
Lautenberg, Frank R., U.S. Senator from New Jersey, prepared statement
IDENTITY THEFT
----------
THURSDAY, JUNE 16, 2005
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m. in room
SR-253, Russell Senate Office Building, Hon. Gordon H. Smith,
presiding.
OPENING STATEMENT OF HON. GORDON H. SMITH,
U.S. SENATOR FROM OREGON
Senator Smith. Ladies and gentlemen, we welcome you to this
hearing of the Senate Commerce Committee.
I thank our witnesses for being here today. Today's hearing
takes place against the backdrop of one of the most rapidly
growing crimes in America, identity theft. We'll hear from the
Federal Trade Commission today that over ten million Americans
are victimized by identity thieves every year. These numbers
translate into losses of over $55 billion per year, averaging
over $10,000 stolen per fraudulent incident.
In 2005 alone there were at least 43 known incidents of
data breaches potentially affecting over 9 million individuals.
In my own State of Oregon, we rank ninth in the Nation for
fraud complaints and identity theft. These breaches range from
sloppy recordkeeping and security procedures by companies to
extremely sophisticated online thefts by computer hackers.
Last month, this Committee held a hearing on the recent
data breaches at ChoicePoint, Inc., and LexisNexis, and methods
used by private industry to prevent future data breaches. At
today's hearing, the Committee will hear testimony concerning
the current treatment of data broker services under existing
state and Federal privacy laws, as well as proposals of public
solutions to mitigate future data breaches and identity theft.
Protecting sensitive information is an issue of great
importance for all Americans. Consumers should have confidence
when they share their information with others that their
information will be protected. At the same time, the ability of
legitimate companies to access personal information certainly
does facilitate commerce and continues to benefit consumers.
Data broker companies perform important commercial and
public functions through their ability to quickly and securely
access consumer data. Following today's hearing, I will be
introducing legislation with my colleagues of this Committee.
The principles of our bipartisan effort will include, one, a
national obligation for companies to have a security procedure
in place to safeguard sensitive and personal information, and,
two, a balanced breach notification trigger to inform consumers
when real risks of identity theft are at stake. We need to make
sure that this legislation strikes the right balance to ensure
the continued existence of the critical services while ensuring
security of personal information to prevent its misuse and
subsequent breaches and thefts.
I'd also like to pay a particular welcome to one of my
fellow Oregonians, Congresswoman Darlene Hooley, who is here to
share her thoughts with us today. She has been a great leader
on this issue in the House of Representatives, and I
appreciate, especially, her coming across the Hill to be with
us today.
Before we turn to our first panel, it's my pleasure to turn
the mike over to the Ranking Member of this Committee, Senator
Daniel Inouye.
STATEMENT OF HON. DANIEL K. INOUYE,
U.S. SENATOR FROM HAWAII
Senator Inouye. Thank you very much, Mr. Chairman. I
commend you for conducting this hearing.
I have a statement, but you've covered it adequately. I'd
ask unanimous consent that it be placed in the record.
Senator Smith. Without objection.
[The prepared statement of Senator Inouye follows:]
Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
Data breach and identity theft is a serious problem that this
Committee is committed to addressing. A 2003 Federal Trade Commission
survey report found that during a 1-year period nearly 10 million
Americans--or roughly 4.6 percent of the domestic adult population--
were victimized by identity thieves. Public opinion polls consistently
find strong support among Americans for privacy rights to protect their
personal information.
The FTC and others have been working diligently to come up with a
Federal legislative solution to protect America's consumers from the
data breaches that lead to identity theft.
Any solution must include a provision that notifies consumers of
data breaches so that they can protect themselves from the misuse of
their personal information. In addition, consumers deserve to have
certain rights in their dealings with the information industry, and to
have those rights protected by their government.
Senator Bill Nelson has undertaken a tremendous amount of work on
this issue, and I appreciate his interest and guidance. We are looking
forward to working in bipartisan friendship with Chairman Stevens and
Senator Smith to produce a bill that serves American consumers and
allows them to take advantage of our great marketplace without fear.
Senator Smith. Senator Burns, do you have an opening
statement?
STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. I do, and I shall be brief, Mr. Chairman.
I want to thank you and Senator Stevens for setting this
hearing up today, and I want to congratulate you for all the
hard work you've done on this issue. I don't think there's
anybody in the country that I don't talk to that doesn't fear
identity theft. We've had all kinds of news articles and
information on identity theft and how it has harmed them with
regard to credit cards and multiple other situations. It's
timely.
And it is something that we've been dealing with here on
this Committee a long time, all the way back to wherever we
started to become really aware how big Internet commerce is and
the dangers that were out there through the encryption debate,
security and safety debates, and through spam and ham and
everything else--we went through all of that--and yet we still
have--problems keep cropping up about the shortfalls that we
have been guilty of here in protecting people's security and,
of course, their privacy. And privacy is utmost in the minds of
a lot of people. They have a right to be concerned, and they're
very angry about this situation.
I look forward to hearing the witnesses today. I also
would--after these witnesses we can draw some sort of a
conclusion that there might be legislation; and, if there is, I
will be very supportive of what Senator Smith and the rest of
the people in this Committee do, and would hope that we have
some sort of input.
But we've also got to be careful on this issue, because we
sure could throw the baby out with the bath water. There's a
very fine line. The services that data brokers provide help
make business more efficient, they keep costs low for all
Americans across a wide range of services, from mortgage rates
to online shopping and a wide range of financial services. So,
we need to make sure that we preserve the positive uses of this
data, as well.
And, of course, I look forward to working with you and the
rest--and the balance of the Members of this Committee, because
it is timely, it is necessary, and we've got to do it right.
Thank you.
Senator Smith. Thank you, Senator Burns.
Senator Nelson?
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Bill Nelson. Mr. Chairman, thank you for holding
this hearing, and thank you for your personal interest.
One of the bills that is in front of us, Mr. Chairman, is
the bill that Senator Schumer and I have filed. The hearing is
timely, because we just had another example of missing records,
to the tune of 3.9 million records. We don't know if it's
identity theft, but it's certainly subject to identity theft,
because they are now missing. And if you add up all of the
records that have been lost, missing, or stolen, starting back
with ChoicePoint, which is the Georgia company that first came
to light because of a California law that said that the people
whose records were missing had to be notified--that was just a
few months ago--in that short period of time, 8.8 million
people's records are missing.
Now, if this isn't an eye-opening threat to Americans'
privacy, then I don't know what is. And it's not only the
individual threats and how to go about getting your identity
back that Senator Schumer and I address in this legislation,
but look at the national security implications, look at what a
terrorist can do, in trying to steal someone's identity. And,
if that's not enough, look at the threat to electronic
commerce. Consumers are losing trust in our system of
electronic commerce, especially when they learn about these
huge unsecured data warehouses, and suddenly their information
is missing. And now you will find that identity theft is the
number-one skyrocketing consumer fraud.
So, I believe, Mr. Chairman, that the Congress needs to act
now. That's the timely manner. And I want to thank you again
for holding this hearing.
Senator Smith. Thank you, Senator Nelson. We look forward
to sharing ideas with you on how to make a good bill better, if
we can.
And, in that spirit, we welcome our colleague, Senator
Schumer here, and we'll ask you to go first, and then my fellow
statesman, Congresswoman Darlene Hooley.
Senator Schumer?
STATEMENT OF HON. CHARLES E. SCHUMER,
U.S. SENATOR FROM NEW YORK
Senator Schumer. Well, thank you, Mr. Chairman. I want to
thank you, Chairman Stevens, and Ranking Member Inouye for
having this hearing, and more importantly is the general
interest that this Committee has shown in this very important
issue.
I'd like to commend my colleague, Senator Feinstein, who I
believe will be coming----
Senator Smith. She has just arrived.
Senator Schumer.--as well. Oh.
Senator Smith. Welcome, Senator Feinstein.
Senator Schumer. See, I didn't even know you were in the
room.
Senator Smith. I'm very pleased she got the memo about--
this is Seersucker day.
Senator Feinstein. Yes.
Senator Smith. So, I'm not the only one looking like an ice
cream salesman here.
[Laughter.]
Senator Schumer. Well, I'd like to comment on my National
Seersucker Day Resolution that----
[Laughter.]
Senator Schumer. Anyway, I want to thank you, and I want to
thank Senator Feinstein for her leadership on this issue, as
well.
Identity theft is just everywhere. And the number of people
who call every one of our offices for advice, just to express
their outrage, is growing and growing and growing. It's, of
course, natural. Technology has allowed us to transfer
information quickly, and, Senator Burns is right, it's an
important part of the economy, and we don't want to stop it.
But, at the same time, given all the new technology, it makes
information about people, which used to be just proprietary--it
makes it valuable. These days, information about people is as
valuable as gold, and it ought to be treated that way. We don't
transport gold the way we transport a crate of oranges, and we
shouldn't transport people's identities, people's information,
the way we transport a crate of oranges. We don't store it the
same way. We have Fort Knox. Well, we ought to store this
information in a different way.
The bottom line is very simple, Mr. Chairman. What bank
robbery was to the Depression Era, identity theft is to the
Information Age. But, in a sense, identity thieves are even
worse than bank robbers, because they not only steal your
money, they steal your time, your sense of security, and your
peace of mind. That's what the thieves, the identity thieves,
do. And unless Congress, companies, and consumers take action,
this is an epidemic that threatens to spiral out of control.
Senator Nelson and I believe that Congressional action must
be quick, but it also must be comprehensive. If you plug one
part of the loophole, the identity thieves are going to find
another way to do it. That's what the technology allows them to
do, all this--all of us, in the Information Age. And I'm glad
to say that identity theft is not a partisan issue--it's not a
Democratic issue, a Republican issue--it's a nonpartisan
consumer and economic crisis, and there's no excuse for
Congress failing to act in a bipartisan way.
The legislation that Senator Nelson and I have introduced
offers a truly comprehensive solution. Instead of just adding
another square to the current patchwork quilt of regulations,
our bill provides a real security blanket for the American
consumer. To really tackle identity theft, our bill takes an
aggressive approach in three areas.
One, empowering consumers. The average consumer, it's
estimated--by the FTC--who's a victim of identity theft, spends
175 hours restoring their credit information and their credit
integrity. That is more than four 40-hour workweeks. So,
people, who are busy with their jobs, with their families, with
life's joys and life's trials, have to then take a huge amount
of time to try and restore their good name back, even though
they did nothing wrong. So, we empower consumers, and give them
more rights there.
Second, we protect our most personal information. We say,
to people who carry this information, ``You have a new special
responsibility. You can't just say, `Well, it wasn't my fault;
we were just doing what we did years ago.' '' What they did 10
years ago was not good enough 5 years ago, and what they did 5
years ago is not good enough for today.
And, finally, what we do is, we try to make sure that
consumers are empowered. And let me describe that. We make
companies, of course, tell consumers when their information has
been breached. We also require companies to tell them if the
company plans to sell sensitive personal information they
collect. So, consumers can make intelligent decisions about
whom to trust. When you buy something, if somebody's going to
use all your information, you should have a right to say, ``I
don't want to buy it here. I want to go somewhere else, where
they won't sell the information about me.'' We protect the
information.
We believe an ounce of prevention is worth a pound of cure.
And our bill makes prevention a centerpiece of the effort
against identity theft. We establish procedures for the FTC to
require companies to authenticate those who try to buy
sensitive personal information from them, to stop situations
where companies like ChoicePoint, for example, sell their
personal information to identity-theft rings posing as
legitimate businesses.
We also insist that every company that stores sensitive
information take reasonable steps to protect it, a simple
minimum requirement. The Federal Trade Commission recently
applauded this provision because of its potential, in their
words, to reduce the risk of identity theft.
All companies who keep sensitive personal information need
to take responsibility. They need to guard our identities as if
they were gold, because, in the hands of identity thieves, they
are gold.
We also intend--we are now adding an additional provision
to our bill to deal with the transportation or storage of
sensitive personal information. What we've learned from what
happened at Citigroup is that we need standards when that
information is transported. You can't just treat it like you're
transporting any good, because it's too valuable, it's too
important; and, therefore, we require standards, in terms of
transportation, depending on how much information and how
valuable it is, and we also encourage encryption, so that, even
if it's stolen, this identity thief is not able to use it.
Right now, we have a better chance of tracking down a lost
book from Amazon than some banks have had in tracking down
millions of sensitive records lost in transit. That has to
stop.
And, finally, helping victims. Our bill tries to provide
relief to the millions of Americans each year who fall victim
to identity theft. We create an Office of Identity Theft,
within the FTC, which will serve as a one-stop shop. When a
consumer's identity is stolen, they can call and say, ``Help
me. How do I deal with all the various things that I have to
deal with because of that?''
So, Mr. Chairman, I encourage every company in America, and
especially in my State of New York, to do a top-to-bottom
review of its procedures for handling consumers' sensitive
personal information to stave off more incidents where
information is exposed. We can--companies can do that even
before any legislation passes, and help their customers and
help themselves.
In conclusion, Mr. Chairman--I see the yellow light is on--
identity theft is a serious issue that deserves real
comprehensive action. I hope this Committee will give the
Schumer-Nelson bill the consideration that we believe it
deserves.
Thank you for your interest and the opportunity to testify.
And I apologize, I'll have to excuse myself, because--they're
buzzing me--we have a--I need to make a quorum in the Judiciary
Committee.
Senator Smith. Why don't you stick around?
[Laughter.]
Senator Schumer. I'll come back.
[Laughter.]
Senator Feinstein. Ulterior motive.
[Laughter.]
Senator Smith. No, we understand, Senator Schumer.
Senator Schumer. It's to make a quorum. That's good for
you.
Senator Smith. Oh, OK. OK.
[Laughter.]
Senator Schumer. How I vote may not be, but my quorum
presence is.
[Laughter.]
Senator Smith. Senator Feinstein, I had announced
Congresswoman Hooley, but does your schedule permit----
Senator Feinstein. If there--I, also, am on Judiciary. If
he makes the quorum----
Senator Smith. Is that all right----
Senator Feinstein.--I will stay----
Senator Smith.--with you, Congresswoman Hooley?
Senator Feinstein.--for a while.
Senator Smith. Thank you.
Senator Feinstein?
Senator Feinstein. Thank you.
For me? All right, thank you.
STATEMENT OF HON. DIANNE FEINSTEIN,
U.S. SENATOR FROM CALIFORNIA
Senator Feinstein. I'm--can't see over the table. This is a
first for me. I'm tall, but this chair--if you don't mind, I'll
just move one.
Mr. Chairman, I--and Ranking Member Inouye and Members on
both sides--I've been working on this issue for over 3 years
now. It has to do, really, with privacy. And I think most
people don't understand----
Senator Burns. Senator, could you pull that up so everybody
can hear?
Senator Feinstein. Sorry. I think--my low voice? Yes. I
think most people don't understand that virtually everything
they buy, do--when they buy from a catalog, when they buy
insurance, when they buy a car, when they mortgage a home, when
they get a loan--that all of that data is collated, and it has
become big business. It's sold by banks to their affiliates.
Citibank, I believe, sells to thousands of different
businesses, all this data. And its database companies have
developed programs which compile this data and then sell it
out.
Well, identity theft has become the largest-growing crime
in America, with ten million victims. It's bigger than all of
the theft and burglary in history was, in terms of loss. And
nobody knows that their identity has been compromised.
I've presented three bills. One is a notification bill,
which is in Judiciary, and I'd like to have you take a look at
it. Essentially, it says that when a database is breached, the
data company must, within a reasonable period of time, alert
the consumer that their data has been breached and tell them
how to take the necessary steps to keep their credit intact.
Notification is really important. Over the past 2 years,
there have been 34 major data breaches. Just this morning, the
FDIC, the second Federal agency, had its database breached,
with people illegally, now, joining credit bureaus with data
from that breach.
Over the past 2 years, approximately 18,393,180 people in
this country have been exposed or affected by identity theft.
Last year, the total cost to individuals and businesses from
this theft, believe it or not, was $52.6 billion. It is huge.
Let me give you a few examples. CitiFinancial, earlier this
month, announced that a box of computer tapes with unencrypted
account information for 3.9 million customers had been lost in
shipment. Look at the value of that loss. Somebody picks it up,
they can go to Paris and sit there and assume other people's
identities. They can be in Chicago and rip somebody off in San
Diego. It is an insidious kind of opening.
The Bank of America announced they lost tapes containing
1.2 million Federal employees. ChoicePoint, 145,000. Both the
California and Colorado Departments of Health had laptops
stolen, which jeopardized personal information of 25,000
residents. And the list goes on and on. DSW, LexisNexis, the
University of California system, Boston College, HSBC,
Ameritrade, Department of Justice, and now FDIC.
California, in 2003, was the first state to require
notification in the event of a data breach. Now, I believe that
that bill is really responsible for the notice that's now being
given throughout the United States, and that if it had not been
for the California law, we may well not be privy to all of the
breaches we are aware of today. So, California began a trend,
and we're now seeing other states seeing the notification--the
necessity of notification laws.
At present, the states are out ahead of the Congress.
States like Arkansas, Georgia, Indiana, Montana, North Dakota,
and Washington State are moving. Now, this creates problems,
because different states are going to have different laws.
Now, earlier this year I introduced a second version of my
earlier bill--and we're still working on it--and this would
require the Federal Government or a business notify individuals
when there has been a breach that involves Social Security
numbers, driver's licenses, or state identification numbers,
and financial account information. The bill would require that
notice be sent out, without unreasonable delay, by mail or e-
mail. It would allow for exceptions to notice for law
enforcement and national security purposes. It would impose
civil penalties for failures to notify, such as $1,000 per
individual whose personal data was compromised, or not more
than $50,000 per day while the failure to notify continues. It
would allow individuals to place an extended fraud alert on
their credit report to protect themselves. And it would allow
state attorneys general to protect the interests of residents
in their state when the Federal Government or businesses fail
to notify individuals of a breach.
Now, there are some contentious issues that I've found that
I want to make you aware of.
The first is the issue of preemption, whether preemption
should be a floor or a ceiling. The consumer groups believe
that the states should have the right to enter this area, as
well. And that comes directly into conflict with the concept of
one uniform law all across the United States. We're trying to
work that out.
Second, exactly what triggers notice to be given to
individuals, and striking a balance between over-notification
and inadequate notice in dealing with companies--that has
become a problem.
And, finally, whether alternative notification procedures
or so-called safe-harbor provisions--the California bill had a
safe-harbor provision. Consumer groups do not like a safe-
harbor provision. Businesses will adamantly oppose anything
without a safe-harbor provision. So, we are trying to work out
a safe-harbor provision that protects individuals against
identity theft in certain situations.
We also have a bill that would do something on the privacy
issue. Senator Schumer spoke of it. I mean, consider this. Our
Social Security number and driver's license are the two major
breeder documents that are there. Falling into the wrong hands,
they allow people all kinds of access. In the wrong hands,
that's fraudulent access; but, nonetheless, it happens.
Personal financial data and personal health data, I think, used
for commercial purposes without the individual's assent or even
knowledge, I believe, is wrong.
Now, California passed a law having to do with this. The
banks and insurance companies supported it. Then when I tried
to do it here, the same law, they came back and opposed it, and
killed it.
So, we're fighting, in this whole arena, big interests out
there who make a lot of money on these databases and don't want
the public to receive a notice that says, ``We sell your data,
as indicated here. May we have your permission to do so, yes or
no?'' They don't want to do that. So, that is a significant
issue as identity theft reaches epic proportions.
And the last point, and the last bill that we've worked on
now for 5 years, and it would seem so simple--it has gone to
Finance, it runs into trouble with Finance staff--and that is
protection through the redaction of Social Security numbers on
public documents. And, also, both of these documents, driver's
license and Social Security, being sold through the Internet,
where you can buy somebody's number for $12 or $15.
These are huge questions that this new Internet technology,
as well as database technology, presents to the Congress. I
think, because of the excruciating pain caused, in terms of the
loss of identity to so many people, the inordinate cost of
this, that Congress really has a major issue before it.
So, I'd like to just put into your record, if I might, my
three bills on the subject that you could take a look at and,
obviously, do with what you wish.
Senator Smith. We'll receive those without objection, and
we appreciate so much your concern about the issue, Senator
Feinstein.
A point of clarification for me, and perhaps my colleagues.
In your view, why did the banks support the legislation in
California, but oppose it nationally?
Senator Feinstein. I've had conversations with CEOs on this
subject. And one of the things, banks are buying more
industries, and they want to be able to share this information
with those industries. So, there is a question of liaison,
there is a question of transmitting data within those
industries. Now, what happens is, with--you have data breaches
which is happening. This is exposing literally tens of millions
of people. And it's all without their knowledge. So, this has
added an additional dimension.
The bill that I'm speaking of, that you just asked about,
Senator Smith, actually was before we knew about these database
breaches. The database breaches, I think, gives more momentum
to my--we'll see, because there are powerful interests.
Senator Smith. Well, thank you for your interest in this
very important legislation, and we'll look forward to working
with the ideas in your bill, and perhaps ultimately
incorporating many, or most, into a Committee bill.
Senator Feinstein. Thanks very much, I appreciate it.
Senator Smith. Thank you.
Senator Feinstein. Thank you.
Senator Smith. Congresswoman Hooley, the mike is yours.
STATEMENT OF HON. DARLENE HOOLEY,
U.S. REPRESENTATIVE FROM OREGON
Ms. Hooley. Thank you, Chairman Smith. And I really
appreciate the opportunity to testify in front of you. Thanks
to all the Committee Members and Ranking Member Inouye.
I am one of millions of former credit-card fraud victims
and a Member of the House Financial Services Committee, and
I've had a long interest in protecting consumers from potential
identity theft. I'm delighted that you're working on this, that
you're going to introduce a bill on this, and I hope it is as
comprehensive as you can make it.
When I started on this issue about 6 years ago, there were
thousands of victims of identity theft. Today, there are over
ten million victims of identity theft, and it is growing. This
is a way to steal your money without putting a gun to your
head. They can do it over the Internet and through computers.
It represents a fundamental threat to our e-commerce, to our
overall economy and, frankly, to our homeland security. We are
no longer facing just hobby hackers; these are skilled
criminals. ID theft is big business. It is imperative that
Congress and the private sector work together to make certain
that sensitive personal information is protected.
Congress, last year, with the passage of the FACT Act,
provided landmark consumer protections, including free annual
access to credit reports. We know that if people know what's on
their credit report, they will take some responsibility to make
sure that credit report is accurate. We have to build on that
success.
We all know that there were recent high-profile data-
security breaches. You've heard all about them from the other
two Members. And what that does is undermine the public
confidence in the data-security practices of U.S. companies
that have exposed millions of consumers to potential fraud and
identity theft. Theft of thousands of consumer files from
companies like ChoicePoint and LexisNexis illustrate how
broadly our private information is collected and sold without
our knowledge or consent, and how vulnerable these private
databases are to both traditional and high-tech forms of theft.
There are many consumers who think, ``Oh, I've kept tight
control over my personal and financial information,'' but they
can still be a victim of identity theft, because companies that
seek to profit from their personal information may have
inadequate security standards, or businesses may fall victim
to criminal activities.
With respect to data breaches, there are immediate steps.
First of all, data brokers should be required to operate by the
same information-sharing standards and consumer protections as
consumer-reporting agencies. Because credit reports contain
confidential personal information, the Fair Credit Reporting Act
only allows an individual's credit report to be released to
certain people for clearly defined purposes. FCRA requires that
consumer-reporting agencies certify the purpose for which the
report is being obtained, and that that report will not be used
for any other purpose. Despite harboring similar sensitive
personal information, data brokers currently face no such
restrictions.
Second, Congress should impose data-security obligations
and standards on data brokers and consumer-reporting agencies
as the Gramm-Leach-Bliley Act requires of regulated financial
institutions.
Third, Congress should establish uniform requirements for
data brokers, consumer-reporting agencies, and financial
institutions to notify consumers. And, again, I think, in all
of your bills, there are notification procedures, and that has
to be a balance. Congress should include in such a notice the
date of the breach, specific information that was acquired, the
actions being taken by the consumer-reporting agencies,
financial institution, or data broker, an explanation of how a
consumer may obtain a copy of their consumer report free of
charge, and how they may place a fraud alert on their consumer
reports to discourage unauthorized use, and a toll-free number
where consumers can obtain additional information about the
security breach and their options to protect their consumer
file.
Finally, Congress must place greater responsibility on
retail merchants to protect their customer payment account
information.
By accomplishing these initial goals, Congress will provide
consumers with the protections they deserve, and provide the
clarity and uniformity that industry needs in order to service
their customers.
In addition, there are a whole host of identity-theft
proposals that I think warrant further examination and vigorous
debate, and I'm just going to go through a very quick list.
One, people have talked about--I think it needs to be
examined--an Office of ID Theft Czar at the FTC, or elsewhere.
You need more money in the Department of Justice and Secret
Service to investigate and prosecute perpetrators of mass ID
fraud. I think you need to allow consumers to protect their
consumer file with optional credit freezes, encourage industry
and consumer use of a second-factor authentication, effective
Federal legislation to combat the practice of phishing and
pharming--and that's with a ``p,'' and not an ``f ''--explore
effective biometric technology; and, last, but not least, I
think you have to seriously look at methamphetamine. There is
an incredibly close alliance between meth use and ID theft. And
if you don't go on the track of trying to stop
methamphetamines, it will only help identity theft grow.
Thank you again, very much, for this opportunity to testify
in front of the Committee.
Senator Smith. Thank you very much, Darlene. And I want to
highlight--what you just said as your last point, and that is
the linkage between methamphetamines and identity theft. Many
of the crimes that are committed by methamphetamine users
relate to identity theft because of the kinds of resources and
information that they are able to glean from this practice. So,
it has an implication well beyond just someone's finances.
Sometimes they're being put in touch, without their notice or
knowledge, with some pretty shady characters peddling one of
the worst of the drugs in our society, that is truly becoming a
plague across our whole country.
Thank you very much.
Ms. Hooley. You're welcome. Thank you.
Senator Smith. Appreciate your being here.
I have been asked by several Members of the Committee to
allow Mr. Sorrell, the President of the National Association of
Attorneys General, to testify very briefly, before the FTC,
because his statement is short and the Committee has a few
questions for him. The normal protocol is for the FTC to
testify first, but I'm asking for the indulgence of the
Committee to allow this to occur.
So, Mr. Sorrell, if you will come forward, we'll receive
your testimony.
STATEMENT OF HON. WILLIAM H. SORRELL, VERMONT
ATTORNEY GENERAL; PRESIDENT, NATIONAL ASSOCIATION OF ATTORNEYS
GENERAL
Mr. Sorrell. Thank you, Senator Smith, members of the
Committee. I appreciate your giving me the opportunity to
appear before you today to speak on these important issues.
I am currently the President of the National Association of
Attorneys General, but I have not consulted with all of my
colleagues about the substance of my testimony. I'm confident
that most, if not all, would agree with the sentiments that I
will express today, and have expressed in my prepared, or
filed, testimony. But please let me testify as the Attorney
General of Vermont today.
Senator Smith. Thank you. You're welcome.
Mr. Sorrell. And I assume, Senator, that my pre-filed
testimony will be made part of the record.
Senator Smith. We'll include it in the record, if there's
no objection. Hearing none, so ordered.
Mr. Sorrell. And if you'd allow me, Senator, I didn't know
that seersucker suits were allowed attire today, and--I have
one, and I don't find many opportunities in Vermont to wear it,
so I'm sorry I didn't get that information.
[Laughter.]
Senator Smith. We've adopted it, above the Mason-Dixon
Line, at the urging of our southern colleagues.
[Laughter.]
Senator Smith. And thank you, Senator Nelson, for wearing
yours today.
[Laughter.]
Senator Smith. And Senator Snowe, from Maine, absolutely.
Mr. Sorrell. As our culture changes, the way we go about
our commerce changes, not only for legitimate businesses, but
those scam-artists and thieves who, maybe in the past, broke
into our homes to steal our jewelry, our televisions, our
computers, our stereos, or whatever. But the reality is--and
we, as individuals, we lock our doors, we lock our cars, we
park in well-lit areas, we try to protect ourselves--but the
reality is that, quite apart from our cash assets and other
valuables--is that, as our economy has changed, our truly
valuable assets are frequently not our possessions, but our
access to credit. And we can't lock our doors in the same way
to protect ourselves from those who want to access our credit
or to, in this information and electronic age, to withdraw the
assets that we have with financial institutions. And, frankly,
consumers need government help to allow us to figuratively lock
our doors and protect ourselves from identity theft. We've
heard the earlier testimony today--I'm sure we'll hear more
from the Commission--about, you know, ten million Americans
victimized by identity theft, the number of hours that it takes
to try to regain your good name when you're the victim of
identity theft. And, you know, it's like the crime that keeps
victimizing you, as you try to access credit after someone has
assumed your identity, and scammed either you individually or
businesses to the tune of $50 billion a year in a crime that is
continuing to escalate.
And so, we do need government assistance to protect our
personal information. And I think we all owe a debt of
gratitude to the legislators of California for enacting their
security-breach notification law. But for the existence of the
law--I don't think we would be focused as much today as we are,
but for the California law and the ChoicePoint and then the
subsequent disclosures, which seem to be escalating in numbers
and volume of records and individuals affected. It's almost a
daily, certainly a weekly, occurrence of new security breaches
coming to the fore.
The states have followed California's lead. And a handful
of states have passed their own security-breach laws. Many
other state legislators are considering doing the same. We
believe, and strongly encourage, that there be a Federal
security-breach notification law. At the same time, we remain
concerned that what is done federally remain a floor, and not a
ceiling. Similar to what you did with the Gramm-Leach-Bliley
legislation, several years back, where you adopted a national
opt-out standard for financial institutions, banks, insurance
companies to traffic in our personal information, you allowed
states, if they wished, to go further. Vermont was one of the
states that took advantage of your lack of preemption; and so,
a more protective standard of opt-in standard is the law in
Vermont. And for those who feel that there has to be one
standard, we can't have these patchwork quilt--a quilt of
regulations--the Vermont economy has not suffered. Banks,
financial institutions, and insurance companies have continued
to come into Vermont since the more protective opt-in standard
has been implemented. So, we ask for a Federal law,
notification law, a floor, not a ceiling.
Similarly, we ask you to enact a Federal unified, one-place
program to regulate data brokers. Again, that is a floor, and
not a ceiling. We ask you to strengthen the so-called safeguard
rules under Gramm-Leach-Bliley to require definitive minimum
standards--minimum standards--for information security and
ensure that these rules are written broadly enough to cover
data brokers. And, finally, we just ask you to recognize the
important role of state legislatures and state regulators and
enforcement authorities in the development of laws in this area
of security breaches and security freeze legislation.
[The prepared statement of Mr. Sorrell follows:]
Prepared Statement of William H. Sorrell, Vermont Attorney General;
President, National Association of Attorneys General
I. Introduction
Chairman Stevens, Co-Chairman Inouye, and honorable Members of the
Committee, I am William H. Sorrell, Attorney General of the State of
Vermont and President of the National Association of Attorneys General.
I very much appreciate the opportunity to appear before you today to
discuss security breaches relating to personal information of consumers
and to discuss my recommendations for addressing some of the problems
in this area.
The public has become aware of numerous incidents of security
breaches in the past 2 months as a result of California's innovative
security breach notification laws. These security breaches expose
millions of consumers to potential identity theft, a serious and
rapidly growing crime that now costs our Nation $50 billion per year. I
make the following recommendations to address the problems of security
breaches:
Enact a Federal security breach notification law that
doesn't preempt more-protective state laws.
Enact a unified Federal program for regulation of data
brokers that doesn't preempt more-protective state laws.
Strengthen the Gramm-Leach-Bliley ``Safeguards Rules'' to
require definitive minimum standards for information security,
and ensure that these rules cover data brokers.
Recognize the important role of state legislative and law
enforcement efforts, particularly in developing security freeze
laws.
II. The Growth of Security Breaches
Over the past several months, consumers, law enforcement officials,
and policymakers have learned about a rising incidence of security
breaches at private companies and public institutions that have exposed
consumers' personal information to unauthorized third parties.
Separately, these breaches involve the personal information in tens of
thousands, hundreds of thousands, and even millions of records about
consumers nationwide.
A. Numerous Serious Incidents of Security Breaches Have Occurred Since 2002
Nine known incidents of serious security breaches have occurred in
the past few years. It is instructive to examine each one in some
detail.
Ford Motor Credit: In 2002, three individuals were arrested
for downloading credit reports on more than 30,000 consumers,
and then selling the credit reports to street criminals who
emptied the victims' bank accounts and opened credit cards in
their names. The scheme centered on an employee of Teledata, a
company that provides credit reports to banks and other
lenders. The employee stole the passwords and codes of Teledata
clients, such as Ford Motor Company, in order to download
credit reports from the three major credit reporting agencies.
Over a 10-month period, the password and code for Ford Motor
Credit alone was used to download 13,000 credit reports from
just one credit reporting agency, Experian. Losses were
originally calculated at $2.7 million, but were expected to
rise significantly in the weeks after the arrest.\1\
Acxiom: In 2003, the records of an unknown number of
consumers were stolen from Acxiom, a commercial data broker
based in Little Rock, Arkansas. Hackers were able to download
the passwords of 300 business accounts on Acxiom's system,
costing the company $5.8 million in losses.\2\
ChoicePoint: In February 2005, ChoicePoint notified 144,000
consumers nationwide that their personal data may have been
accessed by ``unauthorized third parties'' posing as small-
business customers. ChoicePoint, an Atlanta-based data broker
and specialty credit reporting agency with databases that
contain 19 billion public records about consumers and
businesses, reported that identity thieves created as many as
50 fake companies that posed as customers and gained access to
consumer data.\3\ The Los Angeles, California, Sheriff's
Department estimates that the number of consumers whose
personal data has been compromised is in the millions.\4\
Bank of America: Also in February 2005, Bank of America
announced that it lost computer back-up tapes containing
personal information, including names and Social Security
numbers (SSNs), relating to 1.2 million Federal workers. The
tapes had been lost 2 months earlier in December 2004. Bank of
America received permission from its Federal regulators to
notify consumers about the security problem in mid-February.\5\
DSW Shoe Warehouse: On March 8, 2005, DSW Shoe Warehouse
announced the theft of credit card information, including
account numbers and customer names, relating to customers at
more than 100 of its 175 stores. The theft took place over a
three-month period beginning in early December 2004. The theft
was originally reported to affect ``more than 100,000''
consumers. On April 18, 2005, DSW disclosed that the number of
affected consumers was 1.4 million, 10 times as many as
originally reported. DSW is a subsidiary of Retail Ventures,
Inc., based in Columbus, Ohio.\6\
LexisNexis: On March 10, 2005, LexisNexis owner Reed
Elsevier PLC announced that records of about 32,000 consumers
were accessed and compromised when intruders used log-ins and
passwords of a few legitimate customers to obtain access to a
database of public records. The records included names,
addresses, SSNs, and driver's license numbers. The breach
occurred at Boca Raton, Florida-based Seisint, a data broker
recently purchased by Reed Elsevier and integrated into
LexisNexis. Seisint stores millions of personal records about
consumers nationwide.\7\ On April 12, 2005, LexisNexis
announced that an additional 280,000 consumers nationwide had
been affected by other security breaches of Seisint data over
the past 2 years.\8\
Boston College: In late March 2005, Boston College notified
106,000 alumni that a hacker had gained access to a computer
database containing their personal information. College
officials stated that they had to tell the affected alumni
living in California about the theft due to California's
notification law. The officials therefore decided to tell
alumni who live in other states, too, to help them limit their
exposure to identity theft.\9\
University of California: On April 1, 2005, University of
California-Berkeley officials announced that a laptop computer
containing information about 98,000 students and alumni had
been stolen a month earlier. The information, including names,
SSNs, and in some instances birth dates and addresses, was
unencrypted, although the laptop was password-protected. This
breach followed another incident at UC-Berkeley in September
2004 in which a hacker obtained the names, SSNs, and other
identifying information belonging to 600,000 people.\10\
San Jose Medical Group: On April 8, 2005, the San Jose
(California) Medical Group notified nearly 185,000 current and
former patients that their financial and medical records might
have been exposed following the theft of computers. The theft
occurred after the group copied patient and financial
information from its secure servers to two local PCs as part of
a patient billing project and the group's year-end audit.\11\
Ameritrade: On April 19, 2005, Ameritrade reported that
account information relating to as many as 200,000 customers
may have been lost when a package containing tapes with back-up
information on customers' accounts went missing. A shipping
company Ameritrade uses misplaced the tapes.\12\
HSBC/Ralph Lauren: On April 13, 2005, the British financial
firm HSBC announced that criminals may have obtained access to
credit card information of at least 180,000 consumers who used
MasterCard credit cards to make purchases at Polo Ralph Lauren
Corp. The circumstances that led to the breach have remained
murky. Although the letter sent by HSBC told affected consumers
that the financial firm was ``unaware of any fraudulent
activity on your account,'' HSBC advised consumers to replace
their credit cards.\13\
Time Warner: On May 3, 2005, Time Warner announced that a
cooler-sized container of computer tapes containing personal
information about 600,000 current and former employees was lost
by data-storage company Iron Mountain, Inc., based in Boston,
apparently during a truck ride to a data-storage facility. The
lost tapes contained the names and SSNs, as well as other data,
about 85,000 current and over 500,000 former employees dating
to 1986.\14\
Bank of America, Commerce Bank, PNC Bank, and Wachovia: On
May 23, 2005, Hackensack, New Jersey, police announced that
bank employees may have stolen financial records of 700,000
customers of four banks: Charlotte, North Carolina-based Bank
of America and Wachovia, Cherry Hill, New Jersey-based Commerce
Bank, and PNC Bank of Pittsburgh. The bank employees sold the
financial records to collection agencies, according to the
police.\15\
CitiFinancial: On June 6, 2005, CitiFinancial, the consumer
finance division of Citigroup, Inc., said that computer tapes
containing personal data relating to 3.9 million U.S. customers
had been lost by shipper UPS. The data included account
information, payment histories, and SSNs.\16\
Several conclusions can be drawn from a review of these events.
Hackers and identity thieves employ both high-tech means for stealing
passwords and other log-in information to access consumers' personal
information, as evidenced by the LexisNexis and Acxiom breaches, as
well as low-tech techniques to breach information systems, as evidenced
by the ChoicePoint incident. Other security breaches, such as those
experienced by CitiFinancial, Time Warner, and HSBC, reveal gaps in
offline handling of personal information, including trucking, air
transport, and other traditional logistical systems. In addition,
although the pace of disclosures about these breaches has accelerated
over the past few months, it is safe to presume that breaches have been
occurring regularly over the past several years. What has changed is
not the existence of the problem, but rather the public's awareness of
it.
B. The Public Has Learned About These Breaches As a Result of California's Security Breach Notification Laws
On July 1, 2003, California's security breach notification laws
went into effect. These laws require businesses and California public
institutions to notify the public about any breach of the security of
their computer information system where unencrypted personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person.\17\ California's laws require that the notice be
given without unreasonable delay and consistent with the legitimate
needs of law enforcement, who can request a delay in notification if
the notice would impede a criminal investigation of the incident.\18\
``Personal Information'' is defined as an individual's first name or
first initial and last name in combination with any one or more of the
following data elements, when either the name or the data element is
not encrypted:
Social Security number.
Driver's license number or California Identification Card
number.
Account number, credit or debit card number, in combination
with any required security code, access code, or password that
would permit access to an individual's financial account.\19\
The California law allows a business or public institution to
satisfy the notice requirement in several ways: written notice through
the mail; electronic notice in conformity with the Federal Electronic
Signatures Act; \20\ substitute notice through e-mail, website
publication, and major statewide news media if more than 500,000
consumers are affected; or in conformity with the business's or
institution's own notification system, if it meets the timeliness
requirements of the California security breach notification laws.\21\
California's unique and innovative laws in this area have ensured
awareness of the growing problem of data leaks that are plaguing our
Nation's businesses and public institutions.
III. The Effect of Security Breaches
Identity theft, already a growing problem, is likely to grow even
more rapidly as a result of security breaches. These data leaks expose
consumers to the threat of identity theft by the criminals who gain
access to consumers' personal information. MSNBC has noted that in the
six-week period from mid-February through early April, the rash of data
heists has exposed more than two million U.S. consumers to possible
identity theft.\22\ Since that time, an additional 4.6 million U.S.
consumers and employees have been exposed to possible identity theft,
bringing the total number of consumers affected by data heists in 2005
to 6.6 million U.S. consumers and employees.
Current estimates of the incidence of identity theft in the United
States are disturbingly high. According to a survey released in January
2005 by Javelin Strategy & Research, about 9.3 million U.S. adults were
victims of identity theft between October 2003 and September 2004.\23\
Even though the vast majority of victims of identity theft do not
report the crime to law enforcement authorities or credit bureaus,\24\
the reported incidence of identity theft has grown dramatically. The
Federal Trade Commission reported in February 2005 that the number of
identity theft complaints submitted to its Consumer Sentinel database
has grown from 161,896 in 2002 to 246,570 in 2004,\25\ representing a
growth rate of more than 50 percent in 2 years. Victims' information is
misused to perpetrate financial fraud in the vast majority of cases:
fraud involving credit cards, checking and savings accounts, and
electronic funds transfers represented 46 percent of the complaints in
2004.\26\ Out of the 50 Metropolitan Statistical Areas that have
generated the greatest number of complaints relative to population, six
are in California, four are in Texas, three each in New York, Ohio,
Pennsylvania, and Wisconsin, and two are in Illinois.\27\ Arizona
victims of identity theft have filed the largest number of complaints
relative to population, followed by Nevada, California, Texas,
Colorado, Florida, New York, Washington, Oregon, and Illinois.\28\
Identity theft has a deeply negative impact on our Nation's
economy. According to a survey published by the Federal Trade
Commission in September 2003, the total cost of identity theft
approaches $50 billion per year, with victims bearing about $5 billion
of the losses and businesses bearing the remaining $45 billion. \29\
The average loss from the misuse of a victim's personal information is
$4,800, but for victims who had new credit card and other accounts
opened in their name, the average loss is $10,200. \30\ Overall,
victims spent almost 300 million hours resolving problems relating to
identity theft in 1 year, with almost two-thirds of this time--194
million hours--spent by victims who had new credit card and other
accounts opened in their name. \31\
IV. Consumers' and State Officials' Concerns about Security Breaches
The recent rash of information heists has had several important
effects on the state and local level. Consumers have expressed concern
about their current level of knowledge of security breaches and what
they realistically can do if they become a victim. State Attorneys
General and other state and local officials have taken action in a
number of areas to resolve these concerns.
A. Consumers Across the Nation Want to Receive Notice of Security
Breaches
The citizens of California have received notice of security
breaches as a result of their state's innovative law. Consumers in the
remaining 49 states, the District of Columbia, and the territories want
the same right to receive notice when their personal information is
accessed in an unauthorized manner. Unfortunately, in the absence of
other state laws or a Federal minimum standard, consumers in the other
states have not consistently received notices in the recent spate of
incidents. LexisNexis sent notices on a voluntary basis to affected
consumers nationwide. ChoicePoint originally sent notices only to
California residents; only after receiving letters from the Attorneys
General of numerous states did ChoicePoint expand its notification
process to include potentially affected consumers in all states. \32\
The Ohio Attorney General was forced to file suit against DSW, Inc.,
because the company had not provided individual notice to half of the
consumers--approximately 700,000 out of 1.4 million--affected by the
security breach it experienced. \33\
In addition to haphazard notification, the paucity of regulation in
this area has led to another problem. The notices that were actually
received by consumers came in envelopes from ``ChoicePoint.'' Consumers
have no idea who ChoicePoint is because consumers typically have no
business relationship with ChoicePoint. We learned of instances where
consumers tossed out the notification letters without opening them, on
the assumption that the letters were another unsolicited offer for a
credit card or some other piece of junk mail.
Rapid and effective notice of a security breach is an important
first step to limiting the extent of harm that may be caused by
identity theft. The Federal Trade Commission reports that the overall
cost of an incident of identity theft, as well as the harm to the
victims, is significantly smaller if the misuse of the victim's
personal information is discovered quickly. \34\ For example, when the
misuse was discovered within 5 months of its onset, the value of the
damage was less than $5,000 in 82 percent of the cases. When victims
did not discover the misuse for 6 months or more, the value of the
damage was $5,000 or more in 44 percent of the cases. In addition, new
accounts were opened in less than 10 percent of the cases when it took
victims less than a month to discover that their information was being
misused, while new accounts were opened in 45 percent of cases when 6
months or more elapsed before the misuse was discovered. \35\
To ensure that citizens across the Nation receive adequate notice
about security breaches, this past spring 28 states considered
legislation modeled on California's law. \36\ As of today, six states--
Arkansas, Georgia, Indiana, Montana, North Dakota, and Washington
State--enacted security breach notification laws this session. \37\
Legislatures in two additional states--Illinois and North Carolina--
have passed security breach notification bills, but these bills have
not yet been signed into law.
B. After Learning About a Breach of Their Personal Information,
Consumers Want to Review Their Credit Reports to Determine if
They Are Victims of Identity Theft
The 2003 amendments to the Federal Fair Credit Reporting Act \38\
gave consumers the right to receive a free copy of their credit report
once every 12 months, following the example previously set by 7 states
that require credit reporting agencies to provide free reports to their
citizens. \39\ However, because the FTC allowed the nationwide credit
reporting agencies to stagger the implementation of the national free
credit report, consumers in the Southern states--Alabama, Arkansas,
Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South
Carolina, Tennessee, and Texas--were not able to order their free
reports under Federal law until June 1, 2005. And consumers in the
Eastern states--Connecticut, Delaware, Maine, Maryland, Massachusetts,
New Hampshire, New Jersey, New York, North Carolina, Pennsylvania,
Rhode Island, Vermont, Virginia, and West Virginia, as well as the
District of Columbia, Puerto Rico, and all U.S. territories--are not
able to order their free reports under Federal law until September 1,
2005. \40\ As a result, many citizens have been unable to see their
credit report for free during this time of heightened anxiety over
possible identity theft, causing great frustration in the Eastern and
Southern states.
In addition, in those Eastern and Southern states--like Vermont--
that already require credit reporting agencies to provide free credit
reports under state law, consumers have been confused and frustrated
because the credit reporting agencies have not adequately adjusted
their systems to enable consumers in these states to easily access
their free report under state law. Many consumers in Vermont attempted
to obtain their free report under Vermont law after learning about the
ChoicePoint and other security breaches, only to be told--incorrectly--
by the credit bureaus' voice-mail systems that they were not eligible
for a free credit report.
C. Consumers Want to Control Access to Their Credit Reports so That
Identity Theft does not Occur
The 2003 amendments to the Federal Fair Credit Reporting Act also
gave consumers the right to place a ``fraud alert'' on their credit
reports for at least 90 days, with extended alerts lasting for up to 7
years in cases where identity theft occurs. \41\ Yet many states are
considering enacting stronger measures to assist consumers in combating
the rapidly escalating outbreak of security breaches. \42\ Two states,
California and Texas, allow consumers to place a ``security freeze'' on
their credit report. A security freeze allows a consumer to control who
will receive a copy of his or her credit report, thus making it nearly
impossible for criminals to use stolen information to open an account
in the consumer's name. \43\ Security freeze provisions will become
effective in 2 weeks--on July 1, 2005--in two additional states,
Louisiana and Vermont. \44\
Although the credit bureaus argue that security freezes are
overkill and cause consumers more harm than good, many members of the
business community in Vermont supported implementation of our security
freeze law enacted last year. Overall, consumer advocates and many
State Attorneys General believe that security freeze laws are one of
the most effective tools available to stop the harm that can result
from data heists. Twenty states considered security freeze bills this
past spring. \45\ As of today, three of these states enacted the
measure: Colorado, Maine, and Washington. \46\ The legislatures in
Connecticut and Illinois also passed security freeze bills, but these
bills have not yet been signed into law.
V. Recommendations on Addressing the Problem of Security Breaches
I recommend that this Committee take several actions to address the
security breach problem, with its concomitant potential effect on the
increased incidence of identity theft. The recommendations center on
enactment of better Federal laws to address the problem, while allowing
the states to continue to perform their vital functions in assisting
consumers and creating additional innovative solutions.
1. Enact a Federal Security Breach Notification Law: Enact a
Federal law requiring notice of security breaches in
appropriate circumstances. Allow states to enact laws that are
more protective of consumers, thus ensuring that states can
continue devising additional innovative solutions to this
issue.
2. Enact a Federal Program for Regulation of Data Brokers:
Enact a Federal law to regulate data brokers in a manner
similar to regulation of credit reporting agencies. Currently,
the regulation of data brokers comes under a scattered mixture
of Federal laws, including the Federal Fair Credit Reporting
Act, the Gramm-Leach-Bliley Act (GLBA), \47\ and a few other
laws, and arguably these laws do not cover all the practices of
data brokers. In developing a unified Federal regulatory scheme
for data brokers, only preempt state laws to the extent that
they are less protective of consumers.
3. Strengthen the ``Safeguards Rules'': Enact a Federal law
that will strengthen the GLBA Safeguards Rules issued by the
Federal financial regulators and the Federal Trade Commission.
\48\ Currently, these rules require the covered institutions to
develop a written information security plan that describes
their programs to protect customer information, and to maintain
reasonable security for customer information. The rules were
intended to provide flexibility to account for each covered
institution's size, complexity, scope of activities, and
sensitivity of information handled. However, in light of the
recent wave of security breaches, we believe that more
definitive minimum standards of information security should be
required, and that the Safeguards Rules should be expanded to
more clearly cover data brokers.
4. Recognize the Important Role of State Legislative and
Investigative Efforts: States are providing key additional
protections for consumers. Security breach notification laws in
California, Arkansas, Georgia, Indiana, Montana, North Dakota,
and Washington State and security freeze laws in California,
Louisiana, Texas, Vermont, Colorado, Maine, and Washington
State, are important examples of the critical role the states
play in developing innovative solutions to the complex problems
presented by data breaches. In addition, State Attorneys
General and local law enforcement are playing critical roles in
the investigations surrounding security breaches that have been
disclosed to date. State and local law enforcement officials
are cooperating with their Federal counterparts to investigate
and prosecute the perpetrators, and to determine if there were
defects in security systems that may have allowed the breaches
to occur. Congress should recognize these vital functions
provided by state and local authorities, and ensure that these
functions are not preempted.
Thank you for giving me the opportunity to testify on this
important subject.
ENDNOTES
\1\ Debaise & Dreazen, Federal Prosecutors Break Ring of Identity
Thieves, Wall Street Journal, Nov. 26, 2002, available at http://
online.wsj.com/PA@VJBNA4R/article_print/
0,,SB1038249179137636588,,00.html.
\2\ USDOJ, ``Milford Man Pleads Guilty to Hacking Intrusion and
Theft of Data Cost Company $5.8 Million,'' Dec. 18, 2003, available at
http://www.usdoj.gov/criminal/cybercrime/baasPlea.htm.
\3\ Sullivan, Database Giant Gives Access to Fake Firms;
Choicepoint Warns More Than 30,000 They May be at Risk, MSNBC.com, Feb.
14, 2005, available at
http://www.msnbc.msn.com/id/6969799/print/1/displaymode/1098/;
ChoicePoint: More ID theft warnings, CNN/Money, Feb. 17, 2005,
available at http://money.cnn.com/2005/02/17/technology/personaltech/
choicepoint/.
\4\ Perez & Brooks, For Big Vendor of Personal Data, A Theft Lays
Bare the Downside, Wall Street Journal, May 3, 2005, at A1.
\5\ Carrns, Bank of America Missing Tapes with Card Data, Wall
Street Journal, Feb. 28, 2005, at B2.
\6\ Credit Information Stolen From DSW Stores, AP, Mar. 8, 2005,
available at http://biz.yahoo.com/ap/050308/
dsw_credit_cards_4.html?printer=1; DSW Alerts Customers of Credit Card
and Other Purchase Information Security Issues, DSW, Mar. 8, 2005,
available at http://www.dswshoe.com/ccpressrelease/pr/index.html; DSW
data theft larger than predicted, USA Today, Apr. 19, 2005.
\7\ El-Rashidi, LexisNexis Owner Reports Breach of Customer Data,
Wall Street Journal, Mar. 10, 2005, at A3.
\8\ ``LexisNexis Concludes Review of Data Search Activity,
Identifying Additional Instances of Illegal Data Access,'' Apr. 12,
2005, available at http://www.lexisnexis.com/about/releases/0789.asp.
\9\ Bank & Conkey, New Safeguards For Your Privacy, Wall Street
Journal, Mar. 24, 2005, at D1.
\10\ Fischer & Krupnick, UC informs people of data security breach,
Contra Costa Times, Apr. 1, 2005, available at http://
www.contracostatimes.com/mld/cctimes/newslocal/states/california/
counties/alameda_county/cities_neighborhoods/berkeley/11284658.htm.
\11\ Kawamoto, Medical Group: Data on 185,000 People was Stolen,
Apr. 8, 2005, available at http://www.nytimes.com/cnet/CNET_2100-
7349_3-5660514.html.
\12\ Ameritrade loses customer account info, CNN, Apr. 19, 2005.
\13\ Sidel & Conkey, Security Breach Hits Credit Cards; HSBC
Notifies 180,000 People Who Shopped at Ralph Lauren; Other Banks May Be
Affected, Wall Street Journal, Apr. 14, 2005, at D1.
\14\ Angwin & Bank, Time Warner Alerts Staff to Lost Data; Files
for 600,000 Workers Vanish During Truck Ride, Wall Street Journal, May
3, 2005, at A3.
\15\ Bank data Theft Could Hit Nearly 700,000, AP, May 23, 2005.
\16\ Citi Notifies 3.9 Million Customers of Lost Data, MSNBC, June
7, 2005, available at http://www.msnbc.msn.com/id/8119720.
\17\ Cal. Civ. Code Sec. Sec. 1798.29 and 1798.82.
\18\ Cal. Civ. Code Sec. 1798.82(a) and (c); Cal. Civ. Code
Sec. 1798.29(a) and (c).
\19\ Id. at 1798.82(e) and 1798.29(e).
\20\ 15 U.S.C.A. Sec. 7001.
\21\ Cal. Civ. Code Sec. 1798.82(g) and (h); Cal. Civ. Code
Sec. 1798.29(g) and (h).
\22\ Sullivan, Is Your Personal Data Next? Rash of Data Heists
Points to Fundamental ID Theft Problem, MSNBC, Apr. 4, 2005.
\23\ Saranow & Lieber, Freezing Out Identity Theft, Wall Street
Journal, Mar. 15, 2005, at D1.
\24\ Synovate, Federal Trade Commission--Identity Theft Survey
Report, Sept. 2003, at 9, available at http://www.ftc.gov/os/2003/09/
synovatereport.pdf. Only about 25 percent of all victims report the
crime to local police or to a credit bureau. The victims of the most
serious form of identity theft, involving ``new accounts and other
frauds,'' report the crime to law enforcement authorities only 43
percent of the time, and to credit reporting agencies 37 percent of the
time. Id.
\25\ National and State Trends in Fraud & Identity Theft, January-
December 2004, FTC, Feb. 1, 2005, at 9, available at http://
www.consumer.gov/idtheft/stats.html.
\26\ Id. at 10.
\27\ Id. at 13.
\28\ Id. at 14.
\29\ Synovate, Federal Trade Commission--Identity Theft Survey
Report, Sept. 2003, at 6.
\30\ Id.
\31\ Id.
\32\ See, e.g., ``ChoicePoint to Notify Vermont Consumers Affected
by Security Breach,'' Vermont Attorney General press release, Feb. 24,
2005, available at http://www.atg.state.vt.us/
display.php?pubsec=4&curdoc=881.
\33\ State of Ohio v. DSW, Inc., Case No. 05CVH06-6128 (Franklin
Cty, OH, June 6, 2005).
\34\ Synovate, Federal Trade Commission--Identity Theft Survey
Report, Sept. 2003, at 8.
\35\ Id.
\36\ According to the National Conference of State Legislatures,
the following states are considering ``breach of information''
legislation: Alaska, Arizona, Arkansas, Colorado, Georgia, Florida,
Illinois, Indiana, Maryland, Michigan, Minnesota, Missouri, Montana,
New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon,
Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia,
Washington, and West Virginia. See 2005 Breach of Information
Legislation, National Conference of State Legislatures, Apr. 1, 2005,
available at http://www.ncsl.org/programs/lis/CIP/priv/breach.htm. In
addition, Massachusetts is also considering a security breach bill.
See, e.g., Mass. S.B. 184 (2005).
\37\ Ark. Code Ann. Sec. Sec. 4-110-102 to 108; Fla. Stat. ch.
817.5681; Ga. Code Ann. Sec. Sec. 10-1-910 to 912; Ind. Code Sec. 4-1-
11; Mont. Code Ann. Sec. 31-3-115; N.D. Cent. Code Sec. 51-30-01 to 07;
Wash. Rev. Code Sec. 42.17.
\38\ Pub. L. No. 108-159 (2003).
\39\ See 15 U.S.C.A. Sec. 1681t(b)(4), grandfathering in the state
provisions allowing free reports in Colorado, Georgia, Maine, Maryland,
Massachusetts, New Jersey, and Vermont.
\40\ See ``Facts for Consumers: Your Access to Free Credit
Reports,'' FTC, available at http://www.ftc.gov/bcp/conline/pubs/
credit/freereports.htm.
\41\ See 15 U.S.C.A. Sec. 1681c-1.
\42\ See Saranow & Lieber, Freezing out Identity Theft, Wall Street
Journal, Mar. 15, 2005, at D1.
\43\ See Cal. Civ. Code Sec. 1785.11.2 (California); V.T.C.A., Bus.
& C. Sec. 20.034 (Texas).
\44\ See LSA-R.S. Sec. 9:3571.1 (Louisiana); 9 V.S.A. Sec. 2480b
(Vermont).
\45\ According to the National Conference of State Legislatures,
the following states are considering security freeze legislation:
Colorado, Connecticut, Hawaii, Illinois, Indiana, Kansas, Kentucky,
Maine, Maryland, Missouri, Nevada, New Jersey, New Mexico, New York,
Oregon, Pennsylvania, South Carolina, Utah, and Washington. See
Consumer Report Security Freeze Legislation 2005 Session, National
Conference of State Legislatures, Mar. 8, 2005, available at http://
www.ncsl.org/programs/banking/SecurityFreeze_2005.htm. In addition,
Massachusetts is considering a security freeze bill. See, e.g., Mass.
S.B. 184 (2005).
\46\ Colo. Rev. Stat. Sec. Sec. 12-14.3-106.6 to 106.9 (effective
July 1, 2006); Me. Rev. Stat. Ann. tit. 10, Sec. Sec. 1313-DC to E
(effective Feb. 1, 2006); Wash. Rev. Code Sec. 19.182 (effective July
24, 2005).
\47\ Title V of the Gramm-Leach-Bliley Act, 15 U.S.C.
Sec. Sec. 6801-09, and its implementing privacy rule, Privacy of
Consumer Financial Information, 16 C.F.R. Part 313.
\48\ GLBA requires Federal and state regulators of financial
institutions to issue ``safeguards rules''. See 15 U.S.C. Sec. 6801(b).
The Federal banking agencies, state insurance authorities, and the
Federal Trade Commission all issued comparable safeguards rules. See,
e.g., Interagency Guidelines Establishing Standards for Safeguarding
Customer Information, 66 Fed. Reg. 8,616-8,641 (Feb. 1, 2001). The
FTC's Safeguards Rule is found at 16 C.F.R. Part 314.
Senator Smith. Thank you very, very much for your presence
and your testimony, and we will take into consideration,
obviously, the things you're requesting. As a former state
legislator, many of us, we appreciate that.
Mr. Sorrell. Thank you, Senator.
Senator Smith. Senator Burns have a----
Senator Burns. Mr. Chairman?
Senator Smith.--any of my colleagues have a question?
Senator Burns. Thank you. I just want to ask a question.
Like in Vermont and states, when we talk about people who
collate--in other words, your data brokers--that used to be
termed, I think, years ago, as their own credit bureaus. They
were licensed, they were bonded, they took the information that
was given to them by institutions on records, and that could
only be accessed by permission of the person, along with the
institution desiring the information. Are we headed in that
direction, where all data brokers would have to be licensed and
bonded and go through that procedure to be a legitimate broker,
number one? And, number two, anybody that does that outside of
that would be in an illegal business--we're trying to figure
out how do we get a handle on this, because by the time you're
notified, your information might be passed on to four or five
other parties before you can do anything about it. And the
biggest damage that we suffer is our credit. Once your credit
is destroyed, it takes forever--if it can be restored--it's a
very difficult thing.
Mr. Sorrell. I think that there's a balance here. Because
if we look at the way the economy functioned in the days of the
credit bureaus, that was something that you could fairly
readily get a handle on, and it was an important piece, but a
relatively small piece of the overall functioning of commerce.
Now, in the Information Age, with the ability to collect more
information and to transmit more information much more
efficiently and effectively, quickly, than was ever the case, I
would--and, speaking for myself--want to take a hard look at
the negative impacts on the economy if you were to have
specific individual registration of everyone that would fit
under the umbrella definition of a data broker. Depending on
how broad that definition is, you'd need a huge, potentially,
regulatory operation to register and enforce. That's why, I
think, that creating safeguards that clearly affect and control
all those that are in the data-broker--fit under that
definition, with minimum standards for any companies that are
collecting this personal information that we're talking about
today, of what they would need to do, as a minimum, to lock
that door to protect that consumer information, makes sense.
The specific registration of each individual data broker, I
don't, frankly, know, Senator, how many people would fit under
that category, and I'm reluctant to----
Senator Burns. Well----
Mr. Sorrell.--say we should do it.
Senator Burns. Well, we probably couldn't define, but I
finally figured out, though, that the only way, on identity
theft--and especially with the credit and credit cards--maybe
we should take our credit cards and maintain a balance in our
credit cards that would be almost to our limit----
[Laughter.]
Senator Burns. My wife does a good job of that.
[Laughter.]
Senator Burns. So that they--no fraud could be committed.
In other words, they wouldn't be accepted. But it is the most
fearful thing, I think, in my state about people, and--because
it has happened--and you just hear horror stories with regard
to that.
Mr. Sorrell. One of the things that certain of the states--
California, Texas, Louisiana, Vermont, and a couple of other
states now have enacted is to use security freeze legislation,
which allows the individual consumer to communicate with the
credit agencies--that all of the banks look to check your
credit, to see whether to extend credit to you--allow you to
put a freeze on your credit reports and--so that outside
companies cannot access your credit unless you specifically
give permission. You're allowed, under state statute, to so-
called ``thaw'' this, so that if you're going for a mortgage or
a car loan, that the potential lender will be able to access
your record.
Senator Smith. Senator Nelson had a brief question, as
well.
Senator Bill Nelson. Mr. Attorney General, you have
described your preference to approach this problem in many of
the elements of the legislation that's been filed by several of
the Members of this Committee. And you also recommend that the
regulation of these data information brokers be similar to the
way that we regulate the credit reporting agencies, without all
the mumbo-jumbo of the licensing and all of that stuff.
In addition to what you've already said, what--you would
certainly embrace the concept of having one-stop shopping,
where, identity theft, somebody has a place to go.
Mr. Sorrell. Yes.
Senator Bill Nelson. How about in the overall picture of
homeland security, having an Assistant Secretary of
Cybersecurity within the Department of Homeland Security?
Mr. Sorrell. Well, I think I understand what you're asking.
I think--it sounds like it makes sense to me, Senator.
Senator Bill Nelson. And, clearly, tightening up on the
commercial usage of Social Security numbers.
Mr. Sorrell. Yes. I think that that's critical.
Senator Bill Nelson. Do you embrace the concept that we
take the model of the California law, notification, and apply
that nationally?
Mr. Sorrell. Yes, I do, but with the ability, if states
wished, to go further, to be more protective of their citizens,
to allow them to do that. Yes, sir.
Senator Bill Nelson. Absolutely, I agree with you that this
ought to be a floor upon which the states can build and be more
creative.
Mr. Sorrell. Thank you much.
Senator Bill Nelson. How about the concept of utilizing the
Federal Trade Commission as the place of the Office of Identity
Theft?
Mr. Sorrell. I don't pretend to be fully versed on all the
nuances of the different Federal regulatory bodies, but that
makes sense to me, from my knowledge.
Senator Bill Nelson. It is the place that governs the
credit reporting agencies.
OK, thank you.
Senator Smith. Thank you, Senator Nelson.
Attorney General Sorrell, thank you for your presence and
your testimony today.
Mr. Sorrell. Thank you much.
STATEMENT OF HON. MARK PRYOR,
U.S. SENATOR FROM ARKANSAS
Senator Pryor. Mr. Chairman, can I say one--
Senator Smith. Oh.
Senator Pryor.--very briefly? And that is, I served with
General Sorrell when I was the Attorney General in my state--
fine person, fine Attorney General, fine public servant. And I
think this Committee would really benefit from his thoughts,
not just on this, but a number of other subjects, because he
has really committed his professional life to try to make his
state, and, in some ways, the Nation, better for consumers and
for, really, the marketplace. And so, he has been a real leader
on this. So, I hope we'll take his words to heart and consider
what he has to say.
Senator Smith. We'll do that, Senator Pryor.
Senator Ben Nelson apparently has a question, too.
STATEMENT OF HON. E. BENJAMIN NELSON,
U.S. SENATOR FROM NEBRASKA
Senator Ben Nelson. Thank you, Mr. Chairman.
And, Mr. Attorney General, I have a natural inclination to
support states' rights and the right of the state to protect
public health, welfare--in this case, the identity of its
citizens. There was a point made by Senator Feinstein that
there's a real question about preemption here and whether or
not there's a conflict where, if we permit every state to do a
patchwork quilt of regulation and/or legislation, that it will
adversely affect commerce, that it may not facilitate simply
identity theft protection, at the risk of harming commerce. And
she also said to me--I think it's very optimistic on her part,
and I hope it will be--it'll come to pass--and that is that
they're trying to work out the whole question of preemption to
permit the states to be able to protect at some level, but also
recognize the interstate aspects of this.
Could you give us maybe just a little bit more of your
opinion about what you think that might consist of----
Mr. Sorrell. Well, I----
Senator Ben Nelson.--and whether it's possible. I certainly
hope that it is.
Mr. Sorrell. I think it is possible, Senator. I hear the
arguments that we can't have this patchwork quilt of different
regulations, but the reality is, as I talked about, as the
commerce changes this really is a global economy now. And so,
we have many, many different countries that have their own
rules and regulations. We certainly, in the environmental
arena, have different rules and regulations at the state level,
that companies that do business nationally and internationally
must abide by when they're doing business in an individual
state. And they're--and the beauty of the information that we
gather now is that, for many companies, they are looking to
market to you, as an individual. They collect information about
you, your income level. They collect data from other places
about your buying habits. And it's a niche-niche-niche market.
And so, the companies that are able to figure out what you,
individually, might want, and to market to you, can certainly
program their computers to trigger different regulation--give
notice of different regulation provisions or standards at a
different--certain zip code levels, or whatever.
So, I am not one who buys the argument that we're going to
throw a wrench into the works of commerce by allowing states
that wish to go forward to do--go further--to do so. And I gave
the example of what Vermont has done to better protect our
consumers under Gramm-Leach-Bliley legislation that you've
enacted.
Senator Ben Nelson. Thank you.
Thank you, Mr. Chairman.
Senator Smith. Thank you very much.
Senator Allen. Mr. Chairman, may I ask----
Senator Smith. Yes.
Senator Allen.--the Attorney General a question?
Senator Smith. Sure.
STATEMENT OF HON. GEORGE ALLEN,
U.S. SENATOR FROM VIRGINIA
Senator Allen. Thank you, Mr. Chairman. Thank you for
holding this hearing.
Attorney General, thank you for being here. And the fact
that some states, such as you all, are acting on this shows
there's a need for us to strengthen existing laws. In a
somewhat analogous situation in dealing with spyware, there are
some of us, including the Chairman of the Committee, who
recognize this, similar to spyware, is not just in this
country, it's national, it's international. There should be a--
and the way I'm looking at it is, have a national standard. On
spyware, and possibly also on this issue here, of breach of
data, or data mining, and so forth, have a national standard,
tough standard, give assistance to the FTC to enforce it, but
also allow the states attorneys general to also enforce that
law. That's another level of enforcement. And could you share
with us what your view would be? Let's assume we have a
national standard, but allow you and others, attorneys general
in the country, to enforce it, with proper enhanced penalties
for those who are breaching or committing these sort of frauds.
What would your view be of that?
Mr. Sorrell. We, right now, have the ability to protect our
consumers against some of these issues with data brokers. For
example, through our state consumer-protection laws, unfair and
deceptive practices. Giving us--having a Federal standard set,
and giving the individual states the ability to enforce that
standard, we would welcome that. The reality is, with the
numbers, and the burgeoning numbers, of those perpetrating
these crimes of identity theft, the numbers of victims--numbers
of perpetrators, it will be very difficult for the Federal
authorities, alone, to try to catch all the bad guys, and we
would welcome the opportunity to have the authority to help in
that effort.
Senator Allen. Great, thank you. Thank you, Attorney
General.
Mr. Sorrell. Thank you.
Senator Allen. Thank you, Mr. Chairman.
Senator Smith. Thank you, Attorney General. We appreciate
your presence.
Mr. Sorrell. Thank you much.
Senator Smith. We will now call to the dais the Federal
Trade Commission. We are grateful for their patience. And the
first panel--or, this panel will consist of the Honorable
Deborah Majoras, Federal Trade Commission Chairman; the
Honorable Orson Swindle, Commissioner; the Honorable Thomas B.
Leary, Commissioner; the Honorable Pamela Jones Harbour, also a
Commissioner; and the Honorable Jon Leibowitz, recently put on
the Commission.
I don't know whether my colleagues saw it, but I'll include
it in the record, a story in the Washington Post this morning,
which begins, ``Thousands of current and former employees at
the Federal Deposit Insurance Corporation are being warned that
their sensitive personal information was breached, leading to
an unspecified number of fraud cases.'' That's our challenge--
to stop that.
I would also like to note and thank Commissioner Swindle
for his service to the FTC. Mr. Swindle is leaving the FTC at
the end of the month, and this will be his last time appearing
before the Committee. It's well known by many of us that
Commissioner Swindle has a distinguished military career, along
with his service to protect consumers at the FTC. And, sir, we
thank you for your public service.
Commissioner Swindle. Thank you, Mr. Chairman.
Senator Smith. Madam Chairman?
STATEMENT OF HON. DEBORAH PLATT MAJORAS, CHAIRMAN, FEDERAL
TRADE COMMISSION
Chairman Majoras. Thank you, Mr. Chairman, members of the
Committee. I am Deborah Majoras, Chairman of the Federal Trade
Commission.
My fellow Commissioners and I appreciate the opportunity to
appear before you today as we work to ensure the safety and
security of consumers' personal information. The views
expressed in the written testimony represent the views of the
Commission. Our oral presentations and responses to your
questions reflect our own views, and do not necessarily reflect
the views of the Commission or any individual Commissioner.
Advances in commerce, computing, and networking have
transformed the role of consumer information. New technologies
allow businesses to offer consumers a wide range of products
and payment options, greater access to credit, and faster
transactions. But with these benefits come some concerns about
privacy and security of consumer sensitive information and, in
particular, the threat of identity theft, which we've heard so
much about this morning, and which my colleague, Commissioner
Harbour, will address in more detail.
Several current laws protect consumer sensitive
information, depending on how that information is collected and
how it is used. Both the Fair Credit Reporting Act and the
Gramm-Leach-Bliley Act, for example, address access to, and the
security of, such information in specific contexts.
The Commission has brought five cases against companies,
such as Microsoft and Eli Lilly, challenging the failure to
maintain adequate data-security procedures. In each of these
cases, the Commission alleged that the business misrepresented
their privacy or security procedures, in violation of section 5
of the FTC Act.
Today, I am announcing that the Commission has brought and
settled its sixth action in this area, this one against BJ's
Wholesale Club, a Fortune 500 company with over $6 billion in
annual sales. For the first time, we allege that inadequate
data security can be an unfair business practice under section
5. This action should provide clear notice to the business
community that failure to maintain reasonable and appropriate
security measures, in light of the sensitivity of the
information, can cause substantial consumer injury and may
violate the FTC Act.
Our complaint alleges that BJ's stored personal information
from customers' credit and debit cards on computers at its
stores, even without a legitimate business reason for doing so,
and then failed to take appropriate steps to secure this
information. The complaint alleges that, as a result, the
customer data that BJ's left unsecured ended up on counterfeit
copies of cards that were used to make several million dollars
in fraudulent purchases. Federal law limits consumers'
liability for unauthorized use of the credit or debit card
numbers. In this case, after the fraud was discovered, banks
canceled and reissued thousands of credit and debit cards, and
have turned to BJ's to cover the cost of the identity theft and
corrective actions. According to SEC filings, as of May 2005,
the amount of outstanding claims was approximately $13 million.
Our settlement requires BJ's to establish a comprehensive and
rigorous information security program, and to obtain regular
security assessments of that program from a qualified
independent auditor.
Recent security breaches, such as that alleged in BJ's and
all the others we've discussed here this morning, raise
questions about whether companies that maintain sensitive
personal information are taking adequate steps to protect it.
My colleague to my right, Commissioner Swindle, will
discuss the Commission's efforts to promote greater information
security.
As detailed in our written testimony, as this Committee is
considering whether to enact new procedures for sensitive
consumer data--protections for sensitive consumer data, several
measures should be considered.
First, Congress should consider whether companies that
maintain sensitive consumer information should be required to
implement reasonable security procedures. Any such requirement
could be patterned after the Commission's Safeguards Rule under
GLB. The Safeguards Rule provides a strong, but flexible,
requirement to make sure that information is maintained
securely. It recognizes that security is an ongoing process,
and not a set of technical standards. Currently, the Safeguards
Rule applies only to customer information collected by
financial institutions. I believe the same principles embodied
in that rule make sense for other entities that maintain
sensitive information.
Second, Congress should consider whether to require firms
to notify consumers if sensitive information about them has
been breached in a way that creates a significant risk of
identity theft. Obviously, many people agree that prompt notice
in appropriate circumstances can help consumers avoid or
mitigate identity theft. At the same time, however, requiring
notices for security breaches that pose little or no risk may
create confusion, even panic, and impose unnecessary costs. For
example, consumers may cancel credit cards or place fraud
alerts on their credit files even if such measures are not
needed and, not to mention, may suffer from unwarranted worry
and stress. Perhaps more importantly, if notices are sent too
often, consumers will become numb to them and will fail to pay
attention.
Formulating the right balance is difficult, and there are
different notices that could be considered. One, of course, is,
in effect, promulgated by the Federal banking agencies, and
another is in effect in California. And we think both of those
deserve a close look.
If Congress decides to enact a national breach requirement,
it might consider authorizing the FTC to conduct a rulemaking
to specify a standard that best meets the needs of consumers.
Through a rulemaking, we could examine the different standards
that have already been operating and determine how well they
have worked.
A third area for consideration is possible restrictions on
the selling of Social Security numbers. My colleague,
Commissioner Leary, will address Social Security numbers in
greater detail.
And, finally, given the globalization of the marketplace,
effective law enforcement against security breaches will
require effective cross-border efforts. Accordingly, the
Commission recommends that Congress enact cross-border fraud
legislation, which my colleague, Commissioner Leibowitz, will
discuss in more detail.
Mr. Chairman and Members of the Commission, thank you for
your attention and for the opportunity to be here. And I
welcome any questions you may have.
[The prepared statement of Chairman Majoras follows:]
Prepared Statement of Hon. Deborah Platt Majoras, Chairman,
Federal Trade Commission
I. Introduction
Mr. Chairman, I am Deborah Platt Majoras, Chairman of the Federal
Trade Commission.\1\ My fellow Commissioners and I appreciate the
opportunity to appear before you today as we work to ensure the safety
and security of consumers' personal information.
As we have testified previously, advances in commerce, computing,
and networking have transformed the role of consumer information.
Modern consumer information systems can collect, assemble, and analyze
information from disparate sources, and transmit it almost
instantaneously. Among other things, this technology allows businesses
to offer consumers a wider range of products, services, and payment
options; greater access to credit; and faster transactions.
Efficient information systems--data that can be easily accessed,
compiled, and transferred--also can lead to concerns about privacy and
security. Recent events validate concerns about information systems'
vulnerabilities to misuse, including identity theft.
II. Background
One particular focus of concern has been ``data brokers,''
companies that specialize in the collection and distribution of
consumer data. Data brokers epitomize the tension between the benefits
of information flow and the risks of identity theft and other harms.
Data brokers have emerged to meet the information needs of a broad
spectrum of commercial and government users.\2\ The data broker
industry is large and complex and includes companies of all sizes. Some
collect information from original sources, both public and private;
others resell data collected by others; and many do both. Some provide
information only to government agencies or large companies, while
others sell information to smaller companies or the general public as
well. The amount and scope of the information that they collect varies
from company to company, and many offer a range of products tailored to
different markets and uses. These uses include fraud prevention, debt
collection, law enforcement, legal compliance, applicant
authentication, market research, and almost any other function that
requires the collection and aggregation of consumer data. Because these
databases compile sensitive information, they are especially attractive
targets for identity thieves.
Identity theft is a crime that harms both consumers and businesses.
A 2003 FTC survey estimated that nearly 10 million consumers discovered
that they were victims of some form of identity theft in the preceding
12 months, costing American businesses an estimated $48 billion in
losses, and costing consumers an additional $5 billion in out-of-pocket
losses.\3\ The survey looked at the two major categories of identity
theft: (1) the misuse of existing accounts; and (2) the creation of new
accounts in the victim's name. Not surprisingly, the survey showed a
direct correlation between the type of identity theft and its cost to
victims, in both the time and money spent resolving the problems. For
example, although people who had new accounts opened in their names
made up only one-third of the victims, they suffered two-thirds of the
direct financial harm. The ID theft survey also found that victims of
the two major categories of identity theft cumulatively spent almost
300 million hours--or an average of 30 hours per person--correcting
their records and reclaiming their good names. Identity theft causes
significant economic and emotional injury, and we take seriously the
need to reduce it.
As detailed in our recent testimony on this subject,\4\ there are a
variety of existing Federal laws and regulations that address the
security of, and access to, sensitive information that these companies
maintain, depending on how that information was collected and how it is
used. For example, the Fair Credit Reporting Act (FCRA) \5\ regulates
credit bureaus, any entity or individual who uses credit reports, and
the businesses that furnish information to credit bureaus.\6\ The FCRA
requires that sensitive credit report information be used only for
certain permitted purposes. The Gramm-Leach-Bliley Act (GLBA) \7\
prohibits financial institutions from disclosing consumer information
to non-affiliated third parties without first allowing consumers to opt
out of the disclosure. GLBA also requires these businesses to implement
appropriate safeguards to protect the security and integrity of their
customer information.\8\
In addition, Section 5 of the Federal Trade Commission Act (FTC
Act) prohibits ``unfair or deceptive acts or practices in or affecting
commerce.'' \9\ Under the FTC Act, the Commission has broad
jurisdiction to prohibit unfair or deceptive practices by a wide
variety of entities and individuals operating in commerce. Prohibited
practices include deceptive claims that companies make about privacy,
including claims about the security they provide for consumer
information.\10\ To date, the Commission has brought five cases against
companies for deceptive security claims.\11\ These actions alleged that
the companies made explicit or implicit promises to take reasonable
steps to protect sensitive consumer information, but because they
allegedly failed to take such steps, their claims were deceptive. The
consent orders settling these cases have required the companies to
implement appropriate information security programs that generally
conform to the standards that the Commission set forth in the GLBA
Safeguards Rule.
In addition to deception, the FTC Act prohibits unfair practices.
Practices are unfair if they cause or are likely to cause consumers
substantial injury that is neither reasonably avoidable by consumers
nor offset by countervailing benefits to consumers or competition.\12\
The Commission has used this authority to challenge a variety of
injurious practices that threaten data security.\13\
As the Commission has testified previously, an actual breach of
security is not a prerequisite for enforcement under Section 5;
however, evidence of such a breach may indicate that the company's
existing policies and procedures were not adequate.\14\ It is important
to note, however, that there is no such thing as perfect security, and
breaches can happen even when a company has taken every reasonable
precaution.\15\
Despite the existence of these laws, recent security breaches have
raised questions about whether data brokers and other companies that
collect or maintain sensitive personal information are taking adequate
steps to ensure that the information they possess does not fall into
the wrong hands, as well as about what steps should be taken when such
data is acquired by unauthorized individuals. Vigorous enforcement of
existing laws and business education about the requirements of existing
laws and the importance of good security can go a long way in
addressing these concerns. Nonetheless, recent data breaches have
prompted Congress to consider legislative proposals, and the Commission
has been asked to comment on the need for new legal requirements.
III. Increasing Consumer Information Security
The Commission recommends that Congress consider whether companies
that hold sensitive consumer data, for whatever purpose, should be
required to take reasonable measures to ensure its safety. Such a
requirement could extend the FTC's existing GLBA Safeguards Rule to
companies that are not financial institutions.
Further, the Commission recommends that Congress consider requiring
companies to notify consumers when the security of this information has
been breached in a manner that creates a significant risk of identity
theft.\16\ Whatever language is chosen should ensure that consumers
receive notices when they are at risk of identity theft, but not
require notices to consumers when they are not at risk. As discussed
below, the goal of any notification requirement is to enable consumers
to take steps to avoid the risk of identity theft. To be effective, any
such requirement must provide businesses with adequate guidance as to
when notices are required.
In addition, many have raised concerns about misuse of Social
Security numbers. It is critical to remember that Social Security
numbers are vital to current information flows in the granting and use
of credit and the provision of financial services. In addition, private
and public entities routinely have used Social Security numbers for
many years to access their voluminous records. Ultimately, what is
required is to distinguish between legitimate and illegitimate
collection, uses, and transfers of Social Security numbers.
Finally, law enforcement activity to protect data security is
increasingly international in nature. Given the globalization of the
marketplace, an increasing amount of U.S. consumer information may be
accessed illegally by third parties outside the United States or
located in offshore databases. Accordingly, the Commission needs new
tools to investigate whether companies are complying with U.S. legal
requirements to maintain the security of this information, and cross-
border fraud legislation would give the Commission these tools. For
that reason, the Commission recommends that Congress enact cross-border
fraud legislation to overcome existing obstacles to information sharing
and information gathering in cross-border investigations and law
enforcement actions.\17\
For example, if the FTC and a foreign consumer protection agency
are investigating a foreign business for conduct that violates both
U.S. law and the foreign country's law, current law does not authorize
the Commission to share investigative information with the foreign
consumer protection agency, even if such sharing would further our own
investigation. New cross-border fraud legislation could ease these
restrictions, permit the sharing of appropriate investigative
information with our foreign counterparts, and give us additional
mechanisms to help protect the security of U.S. consumers' data whether
it is located abroad or in the United States.
A. Require Procedures To Safeguard Sensitive Information
One important step to reduce the threat of identity theft is to
increase the security of certain types of sensitive consumer
information that could be used by identity thieves to misuse existing
accounts or to open new accounts, such as Social Security numbers,
driver's license numbers, and account numbers in combination with
required access codes or passwords.\18\ Currently, the Commission's
Safeguards Rule under GLBA requires financial institutions to implement
reasonable physical, technical, and procedural safeguards to protect
customer information. Instead of mandating specific technical
requirements that may not be appropriate for all entities and might
quickly become obsolete, the Safeguards Rule requires companies to
evaluate the nature and risks of their particular information systems
and the sensitivity of the information they maintain, and to take
appropriate steps to counter these threats. They also must periodically
review their data security policies and procedures and update them as
necessary. The Safeguards Rule provides a strong but flexible framework
for companies to take responsibility for the security of information in
their possession, and it reflects widely accepted principles of
information security, similar to those contained in the Organization
for Economic Cooperation and Development's Guidelines for the Security
of Information Systems and Networks.\19\
Currently, the Safeguards Rule applies only to ``customer
information'' collected by ``financial institutions.'' \20\ It does not
cover many other entities that may also collect, maintain and transfer
or sell sensitive consumer information. Although we believe that
Section 5 already requires companies holding sensitive data to have in
place procedures to secure it if the failure to do so is likely to
cause substantial consumer injury, we believe Congress should consider
whether new legislation incorporating the flexible standard of the
Commission's Safeguards Rule is appropriate.
B. Notice When Sensitive Information Has Been Breached
Unfortunately, even if the best efforts to safeguard data are made,
security breaches can still occur. The Commission believes that if a
security breach creates a significant risk of identity theft or other
related harm, affected consumers should be notified. Prompt
notification to consumers in these cases can help them mitigate the
damage caused by identity theft. Notified consumers can request that
fraud alerts be placed in their credit files, obtain copies of their
credit reports, scrutinize their monthly account statements, and take
other steps to protect themselves.
The challenge is to require notices only when there is a likelihood
of harm to consumers. There may be security breaches that pose little
or no risk of harm, such as a stolen laptop that is quickly recovered
before the thief has time to boot it up. Requiring a notice in this
type of situation might create unnecessary consumer concern and
confusion. Moreover, if notices are required in cases where there is no
significant risk to consumers, notices may be more common than would be
useful. As a result, consumers may become numb to them and fail to spot
or act on those risks that truly are significant. In addition, notices
can impose costs on consumers and on businesses, including businesses
that were not responsible for the breach. For example, in response to a
notice that the security of his or her information has been breached, a
consumer may cancel credit cards, contact credit bureaus to place fraud
alerts on his or her credit files, or obtain a new driver's license
number. Each of these actions may be time-consuming for the consumer,
and costly for the companies involved and ultimately for consumers
generally.
Currently there are two basic approaches in place that are used to
determine when notices should be triggered. The first is the bank
regulatory agency standard.\21\ Under that standard, notice to the
Federal regulatory agency is required as soon as possible when the
institution becomes aware of an incident involving unauthorized access
to or use of sensitive customer information. In addition, notice to
consumers is required when, based on a reasonable investigation of an
incident of unauthorized access to sensitive customer information, the
financial institution determines that misuse of its information about a
customer has occurred or is reasonably possible.\22\
The second approach is found in the California notice statute.\23\
Under that approach, all businesses are required to provide notices to
their consumers when a defined set of sensitive data, in combination
with information that can be used to identify the consumer, has been or
is reasonably likely to have been acquired by an unauthorized person in
a manner that ``compromises the security, confidentiality, or integrity
of personal information.'' \24\
The California ``unauthorized acquisition'' approach to requiring
consumer notice does not compel notice in every instance of improper
access to a database. Instead, it allows businesses some flexibility to
determine when a notice is necessary, while also providing a fairly
objective standard against which compliance can be measured by the
broad range of businesses subject to the law. Under guidance issued by
the California Office of Privacy Protection, a variety of factors can
be considered in determining whether information has been ``acquired,''
such as: (1) indications that protected data is in the physical
possession and control of an unauthorized person (such as a lost or
stolen computer or other device); (2) indications that protected data
has been downloaded or copied; or (3) indications that protected data
has been used by an unauthorized person, such as to open new
accounts.\25\ One issue that is not directly considered is what action
to take in cases in which, prior to sending consumer notification, the
business already has taken steps that remedy the risk. For example, one
factor to consider in deciding whether to provide notice is whether the
business already has canceled consumers' credit card accounts and
reissued account numbers to the affected consumers.
We have growing experience under both models to inform
consideration of an appropriate national standard. Because formulating
any standard will require balancing the need for a clear, enforceable
standard with ensuring, to the extent possible, that notices go to
consumers only where there is a risk of harm, we believe that if
Congress decides to enact a notice provision, the best approach would
be to authorize the FTC to conduct a rulemaking under general statutory
standards. The rulemaking would set the criteria under which notice
would be required for data breaches involving non-regulated industries.
The rulemaking could address issues such as the circumstances under
which notice is required, which could depend on the type of breach and
risk of harm, and the appropriate form of notice. This approach would
also allow the Commission to adjust the standard as it gains experience
with its implementation.
C. Social Security Numbers
Social Security numbers today are a vital instrument of interstate
commerce. With 300 million American consumers, many of whom share the
same name,\26\ the unique 9-digit Social Security number is a key
identification tool for business. As the Commission found in last
year's data matching study under FACTA, Social Security numbers also
are one of the primary tools that credit bureaus use to ensure that the
data furnished to them is placed in the right file and that they are
providing a credit report on the right consumer.\27\ Social Security
numbers are used in locator databases to find lost beneficiaries,
potential witnesses, and law violators, and to collect child support
and other judgments. Social Security number databases are used to fight
identity fraud--for example, they can confirm that a Social Security
number belongs to a particular loan applicant and is not stolen.\28\
Without the ability to use Social Security numbers as personal
identifiers and fraud prevention tools, the granting of credit and the
provision of other financial services would become riskier and more
expensive and inconvenient for consumers.
While Social Security numbers have important legitimate uses, their
unauthorized use can facilitate identity theft. Identity thieves use
the Social Security number as a key to access the financial benefits
available to their victims. Currently, there are various Federal laws
that place some restrictions on the disclosure of specific types of
information under certain circumstances. The FCRA, for example, limits
the provision of ``consumer report'' information to certain purposes,
primarily those determining consumers' eligibility for certain
transactions, such as extending credit, employment, or insurance. GLBA
requires that ``financial institutions'' \29\ provide consumers an
opportunity to opt out before disclosing their personal information to
third parties, outside of specific exceptions, such as for fraud
prevention or legal compliance.\30\ Other statutes that limit
information disclosure include the privacy rule under the Health
Insurance Portability and Accountability Act of 1996,\31\ which applies
to health care providers and other medical-related entities, and the
Drivers Privacy Protection Act,\32\ which protects consumers from
improper disclosures of driver's license information by state motor
vehicle departments.
While these laws provide important privacy protections within their
respective sectors, they do not provide comprehensive protection for
Social Security numbers.\33\ For example, disclosure of a consumer's
name, address, and Social Security number may be restricted under GLBA
when the source of the information is a financial institution,\34\ but
in many cases the same information can be purchased on the Internet
from a non-financial institution. The problem of how to strengthen or
expand existing protections in ways that would not interfere with the
beneficial uses of Social Security numbers is challenging.
Although the Commission has extensive experience with identity
theft and the consumer credit reporting system, restrictions on
disclosure of Social Security numbers could have a broad impact on
areas where the Commission does not have expertise. These areas include
public health, criminal law enforcement, and anti-terrorism efforts.
Moreover, efforts to restrict disclosure of Social Security numbers are
complicated by the fact that among the primary sources of Social
Security numbers are the public records on file with many courts and
clerks in cities and counties across the Nation. Regulation or
restriction of Social Security numbers in public records thus poses
substantial policy and practical concerns.
Ultimately, what is required is to distinguish between legitimate
and illegitimate collection, uses, and transfers of Social Security
numbers. The Commission would appreciate the opportunity to work with
Congress to further evaluate the costs and benefits to consumers and
the economy of regulating the collection, transfer, and use of Social
Security numbers.
IV. Conclusion
New information systems have brought benefits to consumers and
businesses alike. Never before has information been so portable,
accessible, and flexible. Indeed, sensitive personal financial
information has become the new currency of today's high tech payment
systems. But with these advances come new risks, and identity thieves
and other bad actors have begun to take advantage of new technologies
for their own purposes. As the recent focus on information security has
demonstrated, Americans take their privacy seriously, and we must
ensure that the many benefits of the modern information age are not
diminished by these threats to consumers' security. The Commission is
committed to ensuring the continued security of consumers' personal
information and looks forward to working with you to protect consumers.
ENDNOTES
\1\ This written statement reflects the views of the Federal Trade
Commission. Our oral statements and responses to any questions you may
have represent the views of individual Commissioners and do not
necessarily reflect the views of the Commission.
\2\ For more information on how consumer data is collected,
distributed, and used, see generally Government Accountability Office,
Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit
the Disclosure of This Information (GAO-04-11) (2004); Government
Accountability Office, Social Security Numbers: Use is Widespread and
Protections Vary, Testimony Before the House Subcommittee on Social
Security, Committee on Ways and Means (GAO-04-768T) (statement of
Barbara D. Bovbjerg, June 15, 2004); Federal Trade Commission,
Individual Reference Services: A Report to Congress (December 1997),
available at http://www.ftc.gov/os/1997/12/irs.pdf. The Commission
also has held two workshops on the collection and use of consumer
information: ``Information Flows, The Costs and Benefits to Consumers
and Businesses of the Collection and Use of Consumer Information,'' was
held on June 18, 2003; and ``The Information Marketplace: Merging and
Exchanging Consumer Data,'' was held on March 13, 2001. An agenda,
participant biographies, and a transcript for these workshops are
available at http://www.ftc.gov/bcp/workshops/infoflows/030618agenda.html
and http://www.ftc.gov/bcp/workshops/infomktplace/index.html,
respectively.
\3\ Federal Trade Commission, Identity Theft Survey Report (Sept.
2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
\4\ See, e.g., Statement of the Federal Trade Commission Before the
Subcommittee on Financial Institutions and Consumer Credit, Committee
on Financial Services, U.S. House of Representatives, on Enhancing Data
Security: The Regulators' Perspective (May 18, 2005), available at
http://www.ftc.gov/opa/2005/05/databrokertest.htm.
\5\ 15 U.S.C. Sec. Sec. 1681-1681x.
\6\ Credit bureaus are also known as ``consumer reporting
agencies.''
\7\ 15 U.S.C. Sec. Sec. 6801-09.
\8\ The FTC's Safeguards Rule implements GLBA's security
requirements for entities under the FTC's jurisdiction. See 16 C.F.R.
pt. 314 (``GLBA Safeguards Rule''). The Federal banking regulators also
have issued comparable regulations for the entities under their
jurisdiction.
\9\ 15 U.S.C. Sec. 45(a).
\10\ Deceptive practices are defined as material representations or
omissions that are likely to mislead consumers acting reasonably under
the circumstances. Cliffdale Associates, Inc., 103 FTC 110 (1984).
\11\ Petco Animal Supplies, Inc. (FTC Docket No. C-4133) (Mar. 4,
2005); MTS Inc., d/b/a Tower Records/Books/Video (FTC Docket No.
C-4110) (May 28, 2004); Guess?, Inc. (FTC Docket No. C-4091) (July 30,
2003); Microsoft Corp. (FTC Docket No. C-4069) (Dec. 20, 2002); Eli
Lilly & Co. (FTC Docket No. C-4047) (May 8, 2002). Documents related to
these enforcement actions are available at
http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.
\12\ 15 U.S.C. Sec. 45(n).
\13\ These include, for example, unauthorized charges in connection
with ``phishing,'' which are high-tech scams that use spam or pop-up
messages to deceive consumers into disclosing credit card numbers, bank
account information, Social Security numbers, passwords, or other
sensitive information. See FTC v. Hill, Civ. No. H 03-5537 (filed S.D.
Tex. Dec. 3, 2003), available at
http://www.ftc.gov/opa/2004/03/phishinghilljoint.htm; FTC v. C.J., Civ.
No. 03-CV-5275-GHK (RZX) (filed C.D. Cal. July 24, 2003), available at
http://www.ftc.gov/os/2003/07/phishingcomp.pdf.
\14\ See Statement of the Federal Trade Commission Before the House
Subcommittee on Technology, Information Policy, Intergovernmental
Relations, and the Census, Committee on Government Reform (Apr. 21,
2004) at 5, available at
http://www.ftc.gov/os/2004/04/042104cybersecuritytestimony.pdf.
\15\ Id. at 4.
\16\ Commissioner Harbour is concerned about the use of the term
``significant'' to characterize the level of risk of identity theft
that should trigger a notice to consumers.
\17\ The U.S. Senate passed cross-border fraud legislation last
year by unanimous consent: S. 1234 (``International Consumer Protection
Act'').
\18\ The FTC also would seek civil penalty authority for its
enforcement of these provisions. A civil penalty is often the most
appropriate remedy in cases where consumer redress is impracticable and
where it is difficult to compute an ill-gotten gain that should be
disgorged from a defendant.
\19\ FTC Commissioner Orson Swindle led the U.S. delegation to the
OECD Committee that drafted the 2002 OECD Security Guidelines. See
Organization for Economic Cooperation and Development, Guidelines for
the Security of Information Systems and Networks: Toward a Culture of
Security (July 25, 2002), available at
http://www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html.
\20\ Under GLBA, a ``financial institution'' is defined as an
entity that engages in one or more of the specific activities listed in
the Bank Holding Company Act and its implementing regulations. See 15
U.S.C. Sec. 6809(3). These activities include extending credit,
brokering loans, financial advising, and credit reporting.
\21\ See Interagency Guidance on Response Programs for Unauthorized
Access to Customer Information and Customer Notice, 70 Fed. Reg.
15,736-54 (Mar. 29, 2005).
\22\ Under the guidance, this determination can be made by the
financial institution in consultation with its primary Federal
regulator.
\23\ Cal. Civ. Code Sec. 1798.82.
\24\ Id. at Sec. 1798.82(d).
\25\ These factors are discussed in the California Office of
Privacy Protection's publication, Recommended Practices on Notification
of Security Breach Involving Personal Information, at 11 (Oct. 10,
2003), available at
http://www.privacy.ca.gov/recommendations/secbreach.pdf.
\26\ According to the Consumer Data Industry Association, 14
million Americans have one of ten last names, and 58 million men have
one of ten first names.
\27\ See Federal Trade Commission, Report to Congress Under
Sections 318 and 319 of the Fair and Accurate Credit Transactions Act
of 2003 at 38-40 (Dec. 2004), available at
http://www.ftc.gov/reports/facta/041209factarpt.pdf.
\28\ The Federal Government also uses Social Security numbers as an
identifier. For example, HHS uses it as the Medicare identification
number, and the IRS uses it as the Taxpayer Identification Number. It
also is used to administer the Federal jury system, Federal welfare and
workmen's compensation programs, and the military draft registration.
See Social Security Administration, Report to Congress on Options for
Enhancing the Social Security Card (Sept. 1997), available at
www.ssa.gov/history/reports/ssnreportc2.html.
\29\ See supra n.20 (defining financial institution).
\30\ GLBA protects some, but not all Social Security numbers held
by financial institutions. It does not, for example, cover Social
Security numbers in databases of Social Security numbers furnished by
banks to credit bureaus under the Fair Credit Reporting Act (i.e., so-
called ``credit header'' information) prior to the GLBA Privacy Rule's
July 2001 effective date.
\31\ 45 C.F.R. pts. 160 and 164 (implementing Sections 262 and 264
of the Health Insurance Portability and Accountability Act of 1996,
Pub. L. No. 104-191).
\32\ 18 U.S.C. Sec. Sec. 2721-25.
\33\ The Commission may, however, bring enforcement actions under
Section 5 of the Federal Trade Commission Act against entities whose
privacy or security practices are unfair or deceptive.
\34\ See supra n.30 (discussing limitations of GLBA protection).
Senator Smith. Thank you, Chairman Majoras.
I think we'll go to Commissioner Swindle.
STATEMENT OF HON. ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE
COMMISSION
Commissioner Swindle. Thank you, Mr. Chairman and members
of the Committee. And I also thank you very much for your
comments and the courtesies that have been shown to me by this
Committee, its Members, and its staff. It has really been a
pleasure working with you, as well as with the Federal Trade
Commission.
Information security is a complex and huge issue involving
many challenges, such as database intrusions, theft of
sensitive information, viruses, and phishing. And recent
headlines in the news have certainly brought into dramatic
focus the need for data security. The FTC has been actively
involved in promoting the importance of information security.
And, personally, information security has been a passion of
mine for several years.
The FTC has held workshops with representatives from
industry, from Congress, consumer groups, government agencies,
and international organizations in an effort to educate
ourselves, as well as others, about the issues, and to explore
possible solutions to securing electronic data. We also have
taken law enforcement action against companies failing to keep
promises that they would keep consumers' personal information
secure. In addition, the FTC has focused on educating
businesses and consumers about the importance of information
security.
Security begins with people, each individual being aware of
the risk and the importance of doing their part to keep
information secure. We simply must establish a culture of
security in this country, and--as was mentioned earlier, this
is a global economy--and, therefore, the world, where security
awareness and the best practices become a subconscious, yet
reliable, aspect of our daily lives.
Despite recent security-breach revelations, it is important
to recognize that many businesses are making progress and
improving information security. On the other hand, it's quite
obvious many businesses do not appear to have raised the issue
of information security to the CEO/Board-of-Directors level.
CEOs must make information-security and privacy-protection
practices a priority, devoting the necessary resources to the
issue.
Information security and privacy must become part of the
corporate or organizational culture. In today's world,
information is currency. Businesses take great steps to protect
their money. They need to treat information the same way. It is
their responsibility, at the highest levels of authority.
New or refined laws may be necessary. New technologies
certainly will help. But we must remember that poorly thought-
out legislation can have unintended and, often, adverse
consequences. Neither new laws, nor new technologies, will
provide perfect solutions. Consumers and businesses must
properly use the available technical tools and employ
responsible information security practices. This, alone, could
significantly reduce breaches.
Information security is a complex problem. We all must
recognize that achieving good information security is a
journey, not a destination. This will be a challenge for all of
us for many years to come.
And, in the immediate future, I look forward to answering
your questions. Thank you very much, again.
Senator Smith. Thank you, Commissioner Swindle.
Mr. Leary?
STATEMENT OF HON. THOMAS B. LEARY, COMMISSIONER, FEDERAL TRADE
COMMISSION
Commissioner Leary. Thank you, Mr. Chairman and Members of
the Committee.
I'm pleased to testify here today with my fellow
Commissioners on these important issues. I endorse the
collective views expressed in the Commission's written
testimony, and will, here, add some individual views on Social
Security numbers.
As explained in our written testimony, Social Security
numbers have many important legitimate uses. Instant access to
credit, which we all rely on for both large and small
transactions, would be compromised if Social Security numbers
could not be used to match consumers to their financial
information. Social-Security-number databases are also used for
other worthwhile purposes. For example, to locate lost
beneficiaries, potential witnesses and law violators, and to
collect child support and other judgments.
At the same time, we all recognize that Social Security
numbers are sensitive. There is no question that identity
thieves can use Social Security numbers as a key to access
other people's financial resources. The challenge is to find
the proper balance between the need to keep Social Security
numbers out of the hands of identity thieves and the ability of
businesses to have sufficient information to spot fraud and
attribute information to the correct person.
The Federal Trade Commission, as you know, has done
considerable research on the overall scope of the identity
theft problem. In all candor, however, I personally do not
think that we will ever be able to estimate with precision the
extent to which misuse of Social Security numbers contributes
to this problem or the downside costs of any particular effort
to revamp the way Social Security numbers are handled.
Congress, itself, will have to make some tough policy
decisions.
I also personally believe that the most promising approach
would be to consider an extension of the Gramm-Leach-Bliley
Act's safeguards rule beyond financial institutions and focus
on the way sensitive information is handled, rather than to
pass laws that would prohibit myriad private agencies from
collecting and preserving sensitive information in the first
place. You still have to recognize that a principal source of
Social Security numbers today is public records on file with
every court and county clerk across the Nation. Restriction of
access to this information would raise particularly difficult
issues.
We should, however, consider ways to discourage the routine
collection of Social Security numbers in circumstances where it
is not essential to have such a unique identifier. This might
be a very difficult matter to legislate, but, at the very
least, we might start with the more active encouragement of
private business initiatives and prudent actions by consumers,
themselves.
Thank you very much.
Senator Smith. Thank you, Commissioner Leary.
Commissioner Harbour?
STATEMENT OF HON. PAMELA JONES HARBOUR, COMMISSIONER, FEDERAL
TRADE COMMISSION
Commissioner Harbour. Mr. Chairman, Senators, I am pleased
to address a topic of great importance to the American people,
the privacy and security of their most proprietary information.
Almost weekly, it seems, a new story emerges about a
company or institution where files containing sensitive
information have been compromised, lost, or stolen. These data
breaches have been particularly frightening for consumers who
fear identity theft. Their apprehension is justified. Our 2003
survey showed that ten million victims had experienced some
form of identity fraud in 2002, with an out-of-pocket cost of
roughly $5 billion. Our survey also showed that victims of
identity theft believed they would have been helped by greater
consumer awareness and vigilance about how to safeguard their
personal information. Victims also wanted more responsive local
law enforcers and stiffer penalties for offenders.
Under Congressional mandate, the Commission has established
an extensive program to educate consumers and law enforcers
about identity theft, and to assist identity-theft victims.
Consumers may face the greatest risk from security breaches
or poor practices by data brokers, because information kept by
brokers can be easily used to create new accounts. Accordingly,
I believe that data brokers should not be allowed to buy, sell,
or transfer Social Security numbers, driver's licenses, and
other sensitive personally identifiable information, except for
specific permissible purposes, such as law enforcement, anti-
fraud measures, and certain legal requirements.
As consumers gain awareness that their personal information
is being bought and sold by data brokers, it might be useful to
consider whether the fair information practice principles of
notice, consent, access, security, and enforcement, could be
considered or used to elucidate this area. It is also worth
considering that inaccurate data, as well as data that is
stolen or misused, can have serious consequences for consumers.
Perhaps those who use such data can improve its accuracy by way
of best practices.
Finally, nationwide notification to potential victims in
the event of a security breach is a necessity. Notification is
not just good business guidance; it should be the law whenever
there is a risk of harm to consumers due to a security breach.
If consumers know as soon as possible that it is reasonably
likely their sensitive information has been compromised, they
can take steps immediately to mitigate any possible damage,
such as monitoring their accounts or availing themselves of the
benefits FACTA provides.
And, in conclusion, our national economy increasingly
depends on transactions that require the provision of sensitive
data. Our challenge in this electronic era is to strike the
right balance between the right to information and the right to
privacy. To protect sensitive data, we must develop strong
policies that nurture and enable the Information Age by
encouraging good use of technology while also raising consumer
awareness. I'm pleased to work with Members of Congress to
address this solution.
Thank you.
Senator Smith. Thank you very much, Commissioner Harbour.
Commissioner Leibowitz?
STATEMENT OF HON. JON LEIBOWITZ, COMMISSIONER, FEDERAL TRADE
COMMISSION
Commissioner Leibowitz. Good morning, Mr. Chairman and
members of the Committee. It's always great to be back here,
especially when it's not my nomination hearing.
We were all stunned to learn about Citigroup's computer
tapes that were lost during UPS transit. Senator Nelson, you
mentioned that earlier. Senator Feinstein did, too. But what
struck me the most was a remark by one privacy advocate in a
New York Times story on the breach. She said, and I'll just
read it to you, ``Your everyday dumpster diver may not know
what to do with these tapes, but if these tapes ever find their
way into the hands of an international crime ring, I think
they'll figure it out.''
Let's hope by now these tapes are either buried deeply in a
landfill or that they're soon recovered untouched, but the
truth is that consumers' personal information is being
compromised every day, and that the data-security problem is
not confined to U.S. borders. Indeed, American consumers
routinely divulge personal information to foreign websites,
they routinely share credit-card numbers with telemarketers
from around the world, and they routinely receive spam from the
distant corners of the globe.
Let me share just a few disturbing examples with you. A
foreign website selling to U.S. consumers states that, ``We
take all reasonable steps to safeguard your personal
information.'' In fact, they don't. The company posts sensitive
consumer data in a publicly accessible manner.
Or, thieves from Eastern Europe use spyware to track U.S.
consumers' keystrokes as they shop over the Internet.
Or, overseas telemarketers obtain U.S. consumers' bank-
account information under false pretenses--we call that
pretexting--and use it to wipe out their accounts.
Sadly, these scenarios are based on real investigations,
many of which, unfortunately, are difficult for us to pursue,
because of limits on our ability to exchange information with
foreign law enforcement partners.
Mr. Chairman, the Commission expects to issue a report
later this summer that details the harm caused by transnational
fraud and the serious challenges we face in investigating these
international cases. Foreign law enforcement agencies may be
unwilling to share information with the FTC, because we cannot
sufficiently guarantee the confidentiality of that information.
And we are prohibited from sharing certain information we
obtain in investigations with our foreign counterparts, even if
sharing information would result in helping to stop fraud
against U.S. consumers.
To be sure, there is no panacea for the problems of
international data-security breaches, but legislation allowing
us to exchange information with foreign law enforcers under
appropriate circumstances would be a step forward.
The bottom line is this: If you want the FTC to be more
effective in stopping spam, spyware, and security breaches, you
need to give us the tools to pursue data crooks across borders.
Mr. Chairman, I won't go into detail about the legislation.
I know that you're looking at a draft of the bill, for which we
are enormously grateful. The draft is almost identical to the
noncontroversial measure Senators McCain and Hollings moved
unanimously through your Committee in the Senate in the
previous Congress. It still includes those minor changes made
last year to address the concerns of industry and privacy
groups.
Again, though, thank you for your willingness to listen to
us today. Along with my colleagues, I'd be happy to take any
questions.
Senator Smith. Thank you all so very much.
In the interest of order, we'll have questionings in the
order arrived. And I have that list in front of me. After my
questions, Senator Bill Nelson, Senator Burns, and Senator Ben
Nelson. If our other colleagues come back, we will insert them
in as they had arrived.
To all of you, in your testimony you stated that companies
should be required to notify consumers of a breach when the
breach, ``creates a significant risk of identity theft.'' How
would the Commission define ``significant risk?''
Chairman Majoras. Thank you, Mr. Chairman.
You raise the toughest point on this issue. We have been
criticized at times, in fact, by those who think significant
risk is not the right standard. The key here is completely
definitional. What we need to do is, we need to look at
instances in which we most certainly would want to have notice
given to consumers, and instances in which we haven't.
If you look, for example, at what the State of California
has done, the standard looks broad, but then if you look at
what the Office of Privacy in California has done, it accepts a
long list of types of breaches that, in general, do not present
risks of identity theft.
So, what we would do, for example, in a rulemaking, or,
obviously, in working with the Committee on a piece of
legislation, is try to define those instances in which we
believe consumers would most be at risk, or perhaps even except
those where they would not be so--for example, if data were
encrypted.
Senator Smith. And would that definition, whatever we
ultimately arrive at its meaning, would that then trigger
notification to the consumer?
Chairman Majoras. Yes, it would.
Senator Smith. Some forms of security-related breaches may
not pose a threat to having one's identity stolen, but might be
defined as such. We need to find a sensible solution to
determining when individuals should be notified that their
personal information may be at risk. What do you all believe is
the appropriate standard for determining whether to notify
consumers that their identity has, or may have, been stolen?
Chairman Majoras. Well, it really just goes back to what I
was----
Senator Smith. Back to the list.
Chairman Majoras. I'm sorry. I think you would have to go
back to the list. And one of the advantages, Senator, in doing
it in a rulemaking context, as opposed to trying to do all
specific instances in the statute, is that then we have the
freedom to change it as we perceive changes in the marketplace
and new threats to consumers.
Senator Smith. To the issue of preemption of states--you've
heard that talked a lot about--should it be a floor or a
ceiling? Should we preempt the states? Should we have a
national standard?
Chairman Majoras. Well, I think--are you asking
specifically about notice?
Senator Smith. Yes.
Chairman Majoras. Because there could be other parts of the
bill where preemption--where we might answer the question
differently.
This is a difficult question. No one ever likes to have to
preempt the states. What I would offer to you is that, if you
provide a Federal standard that is defined as a floor, as
opposed to a ceiling, I'm not sure why you would spend time
imposing it at all, because I do think that businesses are
going to have to respond to the very highest standard. They
can't--I don't think they can chop up their customer lists into
50 different standards, for example. And so, that's just a
reality, and it's something to think about, if you want to have
a Federal standard at all.
Senator Smith. To the issue of Social Security numbers, you
know Senator Burns and I were talking about how broadly we use
them. They were created for one purpose; and that was your
Social Security account. But now I understand they're even
using them on dog tags in the military. We give them out
whenever we're asked to--in various circumstances.
In your opinion, where do you think the use in sharing of
Social Security numbers ought to be accessible, or should we
begin trying to limit their use for other--for non-Social-
Security purposes?
Commissioner Leary. Well, Senator, I'll jump in on that
one. I certainly agree with you, 100 percent, that Social
Security numbers evolved very quickly away from their original
purpose.
I'll just give you a personal example. When I got my first
Social Security number, almost 60 years ago, we were instructed
to carry our Social Security card around with us at all times.
If you lost your wallet, you would lose your Social Security
card. The Internal Revenue Service asked us to put our Social
Security number on the envelope when we were mailing in a
check, in order to facilitate their filing of it.
So, for people my age, the ship has sailed, as a practical
matter. I am certain that my Social Security number is out
there in so many places that anyone could find it in 3 minutes.
You have, however, a new generation coming in, and you also
have, I think, a very interesting interim period before we may
be able to have even more rigorous individual identifiers,
which will enable people to figure out who you are a lot more
accurately even than the Social Security number will.
So, the question is, what is worth doing during this
interim period of time? And it is a very, very difficult issue.
One of the things I wanted to make clear to you, is that this
is not arithmetic, where you can figure out what the costs and
benefits are of doing it. You're going to have to make these
tough value judgments.
I am encouraged by the fact that there is a growing
awareness of the problem that you've addressed, and that we now
have options. For example, you can now get a driver's license--
or you certainly can in the District of Columbia and, I expect,
in most states--that no longer has your Social Security number
on it. That's a useful first step. We are cautioned not to
give away Social Security numbers to people who have no
legitimate reasons for them. I would hope that universities
would not cease the routine use of Social Security numbers to
identify their students who are making purchases in their
stores.
All of these things, I think, show a growing awareness of
this issue. But to try to put the cork in the bottle
retroactively, I suggest to you, is a very difficult thing to
do legislatively.
Senator Smith. My time on that first round is up.
Senator Bill Nelson?
Senator Bill Nelson. Thank you, Mr. Chairman.
I want to thank each of you for your public service. And,
Mr. Swindle, thank you for your exceptional service to our
country. And godspeed on your--the next chapter of your life.
Commissioner Swindle. Thank you.
Senator Bill Nelson. I want to ask each of you to respond
to a series of goals which I think is in legislation that is
before this Committee. And I think it will help the Committee
as we develop a composite piece of legislation. And I'll go
right down the line in the order in which you have used--first
with Madam Chairman. And if you all could keep your answers
short so that I can get all of this information--please respond
whether you support the following goals.
Requiring all businesses to take reasonable steps to
safeguard sensitive personal information.
Chairman Majoras. Yes.
Senator Bill Nelson. Mr. Swindle?
Commissioner Swindle. Yes.
Senator Bill Nelson. Mr. Leary?
Commissioner Leary. Yes.
Senator Bill Nelson. Ms. Harbour?
Commissioner Harbour. Yes.
Senator Bill Nelson. Mr. Leibowitz?
Commissioner Leibowitz. Yes.
Senator Bill Nelson. OK.
The next goal. Requiring all businesses to notify customers
when their sensitive personal information was, or reasonably
believed to have been, acquired by an unauthorized person?
Madam Chairman?
Chairman Majoras. It depends on the risk to consumers, for
identity theft. If there's a significant risk, then yes.
Commissioner Swindle. I agree with the Chairman.
Commissioner Leary. I agree with the Chairman.
Commissioner Harbour. I believe that if there is a risk
present, yes, then they should be notified. And, again, I do
agree with the Chairman, that it is a definitional question.
Senator Bill Nelson. Mr. Leibowitz?
Commissioner Leibowitz. I agree with notification if there
is significant risk or material risk--there needs to be some
sort of trigger.
Senator Bill Nelson. Thank you.
Next goal. Requiring that all data brokers register with
the FTC so that consumers can find out who has their sensitive
information.
Chairman Majoras. No, not as stated.
Commissioner Swindle. I don't think we can answer that
question, because it involves establishing a new regulatory
regime for something that we don't really know the details on.
Commissioner Leary. No.
Commissioner Harbour. I think it's a complex issue, and I
would like to continue to discuss it with staff, but I'm really
not ready to give you my opinion on it, at this point.
Senator Bill Nelson. Thank you.
Commissioner Leibowitz. Can I get back to you in a few
days?
[Laughter.]
Senator Bill Nelson. OK, the next goal. Ensuring that
consumers are given rights regarding their information held by
the data brokers, similar to the consumers' rights that now
exist under the Fair Credit Reporting Act. For example, the
right to correct errors in that information.
Madam Chairman?
Chairman Majoras. It depends on the information in the
particular database that the data broker is maintaining. So,
for example, today, if the data broker is maintaining a
database that contains consumer-reporting agencies' information
used for credit eligibility or employment, for example, then,
even today, yes, a data broker would be required to give that
access. If it's a fraud database, on the other hand, giving a
fraudster access to his or her information would defeat the
purpose of the fraud database.
Commissioner Swindle. I could not have said it better.
Commissioner Leary. I agree with the Chairman.
Commissioner Harbour. Like you, Senator, I am very
concerned about the accuracy of information provided by the
data brokers. I think that data brokers should adhere to best
practices, possibly for accuracy, and it would be extremely
worthwhile for leading industry and consumer groups to suggest
possible best practices in this area.
Commissioner Leibowitz. I agree with my colleagues. And I
think you should think seriously about it.
Senator Bill Nelson. We've already discussed, I think, the
Social Security situation. So, two more goals. Creating a blue-
ribbon panel made up of industry and consumers to help develop
best practices for safeguarding sensitive consumer information.
Madam Chairman?
Chairman Majoras. I confess, Senator, that I have not spent
a lot of time thinking that through, but, in general, I am very
supportive of self-regulatory-type efforts, and I'm very
supportive of having the consumer groups and the industry
groups talking to each other.
Commissioner Swindle. I cannot attest, with certainty, that
they exist, but safe computing practices are everywhere.
Devices, tools, technologies to protect data are everywhere. The
problem is not so much the lack of it; it's the lack of
implementation and deployment of it. As we all know, and
several have reflected, people give away their Social Security
number at just the drop of a hat. So, to get back to my point
of a culture of security, we've got to change the way we think.
It's not a lack of tools that is hurting us. It's not employing
and thinking about those tools.
Commissioner Leary. Senator, I think it's an ingenious
idea, because it recognizes that what is adequate security is
an ever-moving target, and technology is moving a lot faster
than, at least, my ability to comprehend it. So, I think that
having some people who are really adept at this, with various
backgrounds, might be a very useful thing to do.
Commissioner Harbour. Senator, I think it's an excellent
idea. Having industry, the privacy groups, the consumer groups
come together and talk about this very complex issue would be
an excellent way to proceed.
Commissioner Leibowitz. I agree with my colleagues. It
could be very, very useful.
Senator Bill Nelson. OK. And the final goal, fully funding
a robust Office of Identity Theft within the FTC, with adequate
resources to assist victims of identity theft.
Madam Chairman?
Chairman Majoras. Well, I've been known to say, Senator,
that I don't think, in my 10-month tenure, I've ever turned
down additional resources, so I thank you for that. But I will
say, if the goal of that is--well, first of all, the FTC
assists identity-theft victims today, and we will continue to
do that. If what the legislation proposes, however, is that we
would individually help each of the ten million identity-theft
victims, that, I think, would be too much for any one agency to
handle, particularly for ours, simply because identity theft is
a crime, and we don't have criminal enforcement authority, so
we're not involved in that aspect of prosecution.
Commissioner Swindle. Senator, I agree, certainly, with the
Chairman's point about the crime being the issue here, but if I
may run some numbers by us here today very quickly. We received
roughly 250,000 identity-theft complaints in our complaint
center this past 12 months, and I think it has been a fairly
consistent figure. If we discounted half of those and said
that only 120,000 were really identity-theft problems, and if
we took Senator Schumer's numbers--and I think he was referring
to some survey, as I recall--of 175 hours to resolve that on
the part of any individual--so, let's say it takes a month, and
we have 120,000 legitimate claims--it takes a month to do
this--that's one month's work out of one employee. The FTC,
right now--I think we have about 1,100 or 1,200 employees----
Chairman Majoras. Eleven hundred.
Commissioner Swindle.--we would be required to have at
least, using those numbers, another thousand employees. The FTC
would then start to lose--well, well beyond losing its identity
in its involvement with antitrust. We would become a completely
transformed agency.
Now, I used half of the complaints to make the illustration
here of what we're talking about when we throw this out, but
there's a lot more to it than meets the eye. Remember, in the
last 12 months there were approximately ten million people,
supposedly, who were victims of identity theft. I'm talking
about 120,000 resulting in the need to add 1,000 people in the
agency. It's a very complex issue.
And, again, I will repeat it until I am blue in the face,
even when I'm not a commissioner, that the first line of
defense for everyone is the individual, himself, using good
thinking about how he handles his financial and personal
information.
Commissioner Leary. Senator, I agree with my colleagues who
have spoken thus far, and I just want to add a couple of
thoughts for your consideration.
The skill set, if you will, and the capabilities to deal
with identity theft vary tremendously. For example, a
prosecutorial function aimed at getting the people who may have
committed identity theft or facilitated it through negligence,
one way or the other, is a very different function than
counseling individual consumers as to how best to deal with
their problem. And I think that, ultimately, this has to be
handled on a decentralized basis, under common standards, to
the extent possible.
Commissioner Harbour. I agree with the comments of my
colleagues, but I would like to add a few other things.
The functions of the Office of Identity Theft, in my view,
are already being fulfilled by the Federal Trade Commission.
Currently, much of what you're seeking, as I said, I believe
we're doing. We have victim assistance and counseling, we have
a hotline, we have a toll-free number, we have extensive
consumer education, we're the clearinghouse for all of the ID-
theft victims, and we report on trends. As the Chairman
indicated, individual representation would be extremely
difficult. As I said, the Commission currently assists
consumers. And what we do is, we educate them and we empower
them. So, one of the best lines of defense, as Commissioner
Swindle indicated, is educating them so that they will not
become a victim of identity theft. And, also, if they are, then
they know what steps to take to rectify it.
Commissioner Leibowitz. Yes, I agree with the collective
wisdom of my colleagues. I think, in your bill, you have a $60
million authorization. I think you'd probably have to put at
least one more zero after that to make it actually work--to
make it function and to not detract from the other missions of
our agency.
The one other thing I wanted to mention, which is a common
thread in all of the bills I've seen introduced, is civil
penalties or fines. I think we all agree, on the Commission,
that it is very important. It's a very useful deterrent. It'll
make companies think twice before they violate the law.
Senator Bill Nelson. Thank you all.
Senator Smith. Senator Burns?
Senator Burns. When you go out and--and I would say that
the collaboration of the industry coming together and using
best practices for this, you--like Mr. Leary brought up--does
bring up some of our own laws that, sort of, prevent that,
because of antitrust and other exchange of information on the
best practices, and all this. I'm wondering--and I'm coming
down on the side of that anybody that collects information that
doesn't have a license to do so is outside the law and should
be shut down. I'm--maybe that's the only way we've got to doing
it, but I think they have to have some reasonable license that
gives them the guidelines to do business in this arena. And so,
I'm coming down that----
But let's say that you go out, and you dealt with Microsoft
and the other companies that you mentioned a little while ago
for inadequate security systems. In other words, advertising, I
would imagine, a system that assured the public that their
privacy couldn't be--their information couldn't be breached,
but then it didn't work. Is that a correct assumption on my
part?
Chairman Majoras. On most of the cases we've brought, that
is exactly what happened, yes.
Senator Burns. OK. Now, when a person--say, you've got a
breach here in some of these firms. Do you go out--do you
actually ask them to explain their systems to you, and what
actions they've taken, in order to protect the information that
they might have stored?
Chairman Majoras. Absolutely. When we open an investigation
under section 5, or under our Safeguards Rule, we do--we
absolutely get behind what it is that a company has done to
safeguard the information, and----
Senator Burns. Would that be like Citicorp in this last----
Chairman Majoras. Well, we don't have jurisdiction over
banks. That, obviously, is with the OCC and other banking
agencies. So, we don't--we aren't--we do not investigate all of
the breaches that you've heard about. We are investigating
some.
Senator Burns. Well, where I'm going here--and, Mr.
Swindle, I think we've had this discussion before--do you have
the people and the expertise to go out to a commercial
organization and collect the information on the system that
they use, and make a judgment whether it's adequate or not?
Commissioner Swindle. Yes, sir. We have highly qualified
investigators. I think the limitation that the Chairman was
referring to is, we just don't have jurisdiction over the
banking industry; it's covered under a different jurisdiction.
But we have incredibly competent investigators that have got,
literally, years of experience, and we know how to do this.
Senator Burns. Are you looking at these organizations that
were in our briefing here? And did you look at their systems
and determine that they had adequate security systems?
Chairman Majoras. It depends on which ones you're talking
about. I mentioned a couple in which we actually did bring
cases, and we did----
Senator Burns. Well, let's go--let's go--here, we've got
Boston College.
Chairman Majoras. I'm sorry, Senator, I'm afraid I can't
comment on----
Senator Burns. OK. Well, I----
Chairman Majoras.--non-public investigations.
Senator Burns.--and we shouldn't----
Chairman Majoras. So, I apologize.
Senator Burns.--do that, either.
Chairman Majoras. Right.
Senator Burns. We don't do that, either. But I guess that's
where I'm going, that--and are we looking at them before
something happens, or after something happens? Do you have the
authority to monitor and advise that their system might not be
adequate for information protection?
Chairman Majoras. We don't have regulatory authority in the
same way, for example, that the banking agencies closely
regulate the banks. So, we don't have an ongoing dialogue, for
example, with various industries on what their security
measures are that they have in place.
Obviously, yes, we can enforce, if we learn that they don't
have adequate security in place. And, unfortunately, sometimes
the way we learn it is when there has been a breach. But we
don't need a breach in order to find that reasonable security
measures have not been taken, in violation of section 5 or GLB.
Commissioner Swindle. Senator, if I may interject, we've
had a couple of cases, in which we've been told by others who
watch, perhaps, more carefully than we do, because it's their
primary focus--we do a lot of antitrust work and other things--
but where we receive complaints, it has caused us to go make
inquiries. We don't, as a routine matter, audit anybody, in the
sense that the banking regulators might conduct, if that's the
right word, an audit. But we do look at things.
And, Mr. Chairman, I hate to leave this discussion--
because, as I said, I have a passion for all of this--but, as I
mentioned to you, I have a plane to catch. And I would just say
to you all, once again, it has been an absolute honor to work
with you. And I bid you adieu, and I'll probably be around
somewhere.
Senator Smith. Thank you so much.
Senator Burns. Keep your name in the phone book--we may
need you one of these days--would you?
Commissioner Swindle. I'm putting everything on the Do Not
Call List, sir.
[Laughter.]
[Applause.]
Senator Burns. I guess in that line of questioning, I'm
driving toward prevention, actions that we can take. And I
think Senator Nelson is, kind of, on target that it's going to
take an industry--the industry has to drive this, rather than
any kind of a regulatory regime that we could put in place. Am
I not correct on that?
Chairman Majoras. Well, I mean, I do think--I do think it
would be--it's extremely helpful for industry and--to help
drive this, Senator, because we can't be the eyes and ears
within every----
Senator Burns. Yes.
Chairman Majoras.--company, in terms of what they're doing.
And that's why we like our flexible and broad Safeguards Rule,
because it says to companies, hey, you have to put in place
appropriate procedures, depending on the kinds of information
you have and the kinds of business you have, and so forth, and
depending on what technology, for example, is available to you
today--and five years from now, it's different--in order to
not run afoul of the law.
Senator Burns. The way technology's moving, next week it's
going to be different.
Chairman Majoras. Absolutely. And we want companies to take
that into account.
Senator Burns. But it's kind of like trying to put your
thumb on JELL-O; I mean, it just moves, but that's the
direction I'm going, I think, is prevention more than anything
else, and then very strict fines. I agree with Mr. Leibowitz, I
don't think you can make a fine too high for this kind of
activity.
I thank the Chairman. I'm sorry I ran over my time. And
thank you for coming today. We appreciate that very much.
Senator Smith. Senator Ben Nelson?
Senator Ben Nelson. Thank you, Mr. Chairman. And I, too,
thank the witnesses for helping enlighten us as we work our way
through this challenging issue.
I asked Attorney General Sorrell if he thought that there
was a way to square the challenge that you have of dealing with
states interested in this area, together with the Federal
interest. Is there a way to harmonize it? Recognizing that the
states do a great job at consumer protection, dealing at the
closest level with the residents is an important factor for us
to all consider. The closer it gets to Washington, except for
people in the area, the more removed it is from folks out in
the Midwest and on the West Coast.
Recognizing all that, in trying to--are you suggesting, Ms.
Majoras, that it's an either/or situation? Either--as it
relates to the standard? Either the Federal Government does it
or the states do it; otherwise, you get the patchwork quilt
problem, compliance, or companies will ignore whatever the
Federal standard is, if it's a floor, and go to the highest
level established by the states, because they don't want to
have to deal with individual differences between and among the
various states?
Chairman Majoras. Thank you, Senator.
First, I want to make sure I make absolutely clear that I
agree with you wholeheartedly that the states are tremendous
enforcers of consumer-protection laws, and we do--we do need
their help, and we work effectively with them. And, in this
space, we do believe that state AGs must be able to enforce.
My only point was a practical one. It's not philosophical;
it's simply practical. You could work very, very hard on a
standard, and try to come up with the perfect standard, but if
you say it's a floor, I'm just not sure that--and perhaps my
colleagues would like to comment--I'm not sure that it will be
meaningful, in the end, if other states enact higher standards.
States will automatically have to go to the higher standard, in
running their business. So, it just depends on how you feel
about that.
Commissioner Leibowitz. I'd just say that, for some things,
like a standard for notification, preemption seems to make a
lot of sense. On the other hand----
Senator Ben Nelson. That's what I was thinking----
Commissioner Leibowitz.--on the other hand, states are
wonderful laboratories for experimentation. They have been for
as long as--as long as there have been states. And so, for
something like a credit freeze, which California is
experimenting with, or Vermont's experimenting with, it may
make sense to let them continue to do so. You wouldn't have to
preempt in that area.
Senator Ben Nelson. Well, that--you're anticipating where I
was going with the laboratories of democracy. I think Jefferson
was, in fact, right; and, in fact, we have seen great things
come from the states. Am I right to say that the states moved
on this before the Federal Government did?
Chairman Majoras. On the notice requirement----
Senator Ben Nelson. On the----
Chairman Majoras.--they did.
Senator Ben Nelson.--notice requirement, yes.
Chairman Majoras. Yes.
Senator Ben Nelson. So, there is a concern, I would have,
that we not put into place a standard that would become, if you
will, a fixed standard, where there's no further
experimentation. It's one of the concerns I have when we take
the best practices of the states, and we put them into place at
the Federal level, and say, ``OK, we've solved that.'' But,
when we do that, we tend to stop experimentation, and things
remain static, rather than dynamic. I'm hopeful that there
would be a way to work through this, to where we permit the
states to continue to do the experimentation. We don't stop
commerce. We don't in any way impede the ability of commerce to
move forward on this, but yet we protect the public.
With the former Attorney General sitting next to me, I can
say that many of the Attorney Generals don't think that AG
stands for Aspiring Governor. And so, they----
[Laughter.]
Senator Ben Nelson.--so, they take--they take great care--
as a former Governor, I used to have to be concerned about
that.
[Laughter.]
Senator Ben Nelson. As they continue to work to bring about
protections of the consumers at the local level, they continue
to do a great job, and I would hate to see anything that would
get in the way, block, or would in any way impede their ability
to continue to do that. I'd like to get your thoughts about
that.
Commissioner Harbour. Senator, we've had this discussion
within the Commission. And I know the Chairman says she takes a
practical view. We've also discussed the philosophical view.
And everyone does love the dissenting opinion of Brandeis,
where he said one of the happy incidents of state--the Federal
system was that states may serve as a laboratory and try novel
social and economic experiments without risk to the rest of the
country. But I think whatever approach is chosen by Congress, I
believe that state attorney-general enforcement is essential.
Senator Ben Nelson. I don't think we're--this isn't a
challenge. It's the equivalent of squaring a circle. But it's
going to be a very delicate area to carve out the relationship
so that we get the best of both, so that we end up with the
best practices; because, after all, that's what the consumers
are expecting, and that's what they need; and they deserve it,
as well.
Well, thank you, Mr. Chairman, for the hearing.
Thank you very much.
Senator Smith. Thank you, Senator Nelson.
Senator Pryor?
Senator Pryor. Thank you, Mr. Chairman. Was Senator Allen
next?
Senator Smith. On my list, you got here before he did.
Senator Pryor. OK. Thank you, Mr. Chairman. And I want to
thank you, again, for this hearing. I know a number of our
colleagues have thanked you, as well, but we really appreciate
your leadership on this and other issues.
Ms. Harbour, let me start with you, if I may, and that is,
you mentioned, in your opening statement, Social Security
numbers. And, as I understand what you said--maybe I
misunderstood it, but as I understand what you said, you said
that, basically, data brokers should not be allowed to share
Social Security numbers, except within fairly narrow
parameters. Do I have that right?
Commissioner Harbour. Well, what I had in mind, Senator--I
think Congress should consider imposing stricter controls on
the sale, distribution, and use of Social Security numbers, and
that perhaps Congress should consider breaking the habit of
industry using Social Security numbers as authenticators. But I
also appreciate all of the very thoughtful comments that my
colleague, Commissioner Leary, indicated, as well. It's a very
complex area, and it's going to take a very delicate balance
between the right to privacy and the right to information and
the economic factors that go into the importance of Social
Security numbers.
Senator Pryor. I agree, it's complicated, and it's not an
easy fix, just a one--one simple solution isn't there,
probably.
Let me ask this, while I have you, on the subject of Social
Security numbers. Is it your view that Congress needs to act to
restrict Social Security numbers, or does the FTC have the
authority right now to implement a regulation?
Commissioner Leary. Well, Senator, the FTC has the
essential authority to attack people for unfairness or
deception if they misrepresent what they are going to do with
information that they collect, or if they misrepresent the
security with which they would treat it. But, in general, we do
not have the authority to say to any particular institution
that, ``You shall not transmit it,'' other than authority
specifically granted to us under Gramm-Leach-Bliley or Fair
Credit Reporting Act. We do not have a free-roving authority to
regulate it----
Senator Pryor. That's my sense----
Commissioner Leary.--in that area.
Senator Pryor.--of it, as well.
Chairman Majoras. Right.
Senator Pryor. Yes.
Chairman Majoras. Right. I was just going to add that,
under Gramm-Leach-Bliley today, if a Social Security number has
come from a financial institution, then there are some
restrictions on the transfer of that Social Security number.
And to the extent that we have jurisdiction to enforce GLB, we
do have that piece. But we don't have a general--we don't have
general rulemaking authority in this area.
Senator Pryor. While we're on the subject of Gramm-Leach-
Bliley, I'm curious for your thoughts--and, Ms. Majoras, maybe
we'll start with you--on how Gramm-Leach-Bliley is working,
from your standpoint and given the focus you have on it. How's
it working? And, also, I know that there has been some ideas
floated here about the Safeguard Rules in Gramm-Leach-Bliley,
and how that interfaces with privacy, and how we should proceed
into the future, and whether maybe we should expand a little
bit on Gramm-Leach-Bliley, et cetera. So, I'd just like to get
your thoughts on that.
Chairman Majoras. Thank you.
Gramm-Leach-Bliley, of course, is enforced by several
different agencies in the FTC. You know, the banking agencies,
for example, enforce against those financial institutions and
the like, and the FTC has whatever's left when you take those
regulatory agencies out of it. We do think that the Safeguards
Rules under it are working appropriately. There have been
questions raised about whether--under the privacy provisions,
whether the notice to consumers has been working very well. We
don't have exact numbers, but understand that consumers have
not responded well to those notices, that most have gone into
the trash can, as opposed to being read. And we are actually
working now with industry to see whether there's something that
could be done with those notices to make them more consumer-
friendly, if you will.
Senator Pryor. Let me interrupt just right there. So, do
you have the empirical data on that? Or is that what you're
trying to collect?
Chairman Majoras. We don't have empirical data today. I
don't have exact numbers for you.
With respect to extending the Safeguards Rule, the
Safeguards Rule is broad and flexible enough, I think, to be
applied beyond financial institutions, in GLB, to other
businesses that collect and hold sensitive consumer
information. And we think that would be--that that is a good
extension, that rule, if Congress sees fit.
Commissioner Leibowitz. I agree with the Chairman.
Commissioner Leary. Senator, I agree with the Chairman. I'd
just add, if it's not obvious, that Gramm-Leach-Bliley is a
classic illustration of the risks that you might encounter with
excessive notification. We're all bombarded with notices and
documents of various kinds, and, if there are just too many,
the message gets lost. For example, there might be some
theoretical compromise of your data, however limited. If every
time you automatically get a notice--eventually, it's like the
boy who cried wolf, in the old fairytale, you stop paying
attention.
Senator Pryor. My sense is that there are a lot of people
in this country that are just tuning them out. You know, maybe
the first couple of times they got a notice they got read. And,
you just get enough of them, you just start to tune it out,
they start to lose----
Commissioner Leary. Yes.
Senator Pryor.--their impact.
Commissioner Leary. Right.
Senator Pryor. Mr. Chairman, that's all I have. Thank you.
Senator Smith. Thanks, Senator Pryor.
Senator Allen?
Senator Allen. Thank you, Mr. Chairman.
Let me just make some prefacing remarks before I ask for
your insight.
The states are laboratories. Having been Governor, I think
the states come up with better ideas and are more responsive to
the needs and values of the people than is the Federal
Government. However, the states did create the Federal
Government, and our present Constitution is one in which we
wanted to make sure that there was a free flow of interstate
commerce. And if the states are doing something that is harmful
to interstate commerce, we don't want to be allowing that.
I look at this situation as akin to other areas, where,
actually, the states and the attorney generals are partners,
we're not in competition. But we--it's a national security
standard that we're concerned with. A lot--we get into privacy,
but this is more of a security issue, of information, data, and
identity, than it is a privacy issue. But the way it ought to
work--like in many other areas, everything from OSHA to mining
laws to even bank robbery--those are all tried in Federal
court, but most of the time it's local law enforcement, or
maybe a state police officer, who has apprehended the bank
robber. So, I think the FTC, obviously, is preeminent, but I
think, as the Chairman said, Chairman Majoras, this is one
where we do want to work with the states.
My view of this is that we should have uniform national
security standards. We do need to make sure information of
consumers is protected. If there's a breach, we've got to
figure out what circumstances should a custodian notify the
affected citizen where they reside.
Now, since we have all of you here, if--the question
really, for me, is, if the FTC--and you do have authority to
bring actions against these companies that fail to adequately
safeguard consumer information. In your testimony, you said you
have the Federal laws. Now, as a follow-up on this, if the FTC
has sufficient authority to bring enforcement actions against
so many companies, can you identify any gaps--any gaps in your
authority--where you would recommend--not just saying, ``Well,
it's financial institutions,'' and so forth--but are there any
gaps where you would recommend that we, as a Congress, grant
you all, with the Federal Trade Commission, further enforcement
authority?
Chairman Majoras. Thank you, Senator Allen.
One gap that could be filled is the extension of our GLB
Safeguards Rule to other businesses. It's a fair question to
ask why--if we can already bring these cases under section 5,
why would we need that? But if you take, for example, the BJ's
case, and our unfairness standard that we used in bringing this
case, today, that requires, first and foremost, that we prove
substantial consumer harm. And, of course, what we would prefer
is not to have to wait until substantial consumer harm is shown
all the time; in other words, to have companies recognizing
that putting in place reasonable security measures is what they
should be doing under the law, because what we most want to do
is prevent the breaches. And then, of course, you've pointed
out the notice provisions; and, as of today, of course, there
is no Federal notice law, Senator.
Senator Allen. Restate that again. Extension of what,
specifically? I want to make this very----
Chairman Majoras. OK.
Senator Allen.--clear----
Chairman Majoras. OK.
Senator Allen.--for all of us.
Chairman Majoras. All right. The FTC's Gramm-Leach-Bliley
Safeguards Rule.
Senator Allen. All right. Now, if you had had such
additional enforcement authority--and you mentioned one
particular case which you can't talk about--if you had this
enforcement authority at the beginning of this year, would you
have prevented the breaches that we've seen since January of
this year? And, if not, are we merely talking about how much we
can fine a company for failure to act responsibly?
Chairman Majoras. Well, I'm not sure that, with respect to
any specific breach, we could have prevented it. And, of
course, we're investigating some of them; and so, we'll learn
more information. But I do absolutely agree with Commissioner
Swindle that what we need to do is create a culture of security
in business. Businesses would not, of course, treat packages
with cash in them in a way in which that cash could be stolen
easily. And so, I think if the law is in place, and it is
adaptable to all manner of businesses, the industry will likely
respond to that. And there is no such thing as perfect
security, Senator. We know that with respect to national
security, and in all instances. But I do think that it will get
companies, who have not brought up to date their security
procedures, thinking, ``Gosh, now it's law, and we must do
this.''
Commissioner Leary. Senator, let me just expand on that a
minute----
Senator Allen. Yes, Commissioner Leary.
Commissioner Leary.--because I agree with it completely.
The mere fact that businesses are on notice, that they are now
subject to a specific legal requirement that they were not
specifically subject to before, will induce a level of
compliance, because most businesses are law compliant. The
prime enforcers of law in the United States are not people
sitting on this side of the table, but people who are
counselors to businesses, who say to them--to their clients--
that, ``Now we have a legal requirement, and we'd better set up
procedures to be in compliance with this, because you might get
sued someday down the road.''
Senator Allen. Thank you.
Commissioner Leibowitz. I agree with my colleagues. Let me
just add one point, which is: a useful gap that could be
plugged would be in the cross-border fraud area. We just don't
have the authority, often, to receive information from our
foreign law enforcement counterparts. And if we can get that
ability, we'll be able to more effectively go after malefactors
who are doing bad things to Americans from abroad. By the way,
that's not just in the context of data security; it's also in
the context of spam, spyware and----
Senator Allen. Right.
Commissioner Leibowitz.--various other problems.
Senator Allen. Well, Mr. Chairman, we were actually working
on that. That was one of the key components, on the spyware.
Thank you, Mr. Leibowitz. We'll make sure any legislation
gives whatever assistance in that regard to you all. Thank you.
Ms. Harbour?
Commissioner Harbour. And just to put a fine point on what
Commissioner Leibowitz said, with the ChoicePoint data breach,
as I recall, the information was given out to a Nigerian
national. And had we had the cross-border legislation, that
might have enabled us to share information with other
countries, and perhaps have facilitated an investigation, or
perhaps prevented something like that from happening in the
future.
Commissioner Leibowitz. One more thing to add, which is,
civil penalties or fines would be useful, too, in the context
of----
Senator Allen. Additional civil----
Commissioner Leibowitz.--this legislation.
Senator Allen.--higher civil fines and penalties.
Mr. Chairman, thank you.
Thank you all. In the event that we craft legislation, as
far as I'm concerned, you gave me the good framework for it,
and I very much appreciate it. And we want to make sure that
you all can do your job protecting our consumers in this
country, and, obviously, working with international
counterparts, as well. But thank you.
And thank you, Mr. Chairman.
Senator Smith. Any more questions?
Senator Allen. No, I don't have anything further.
Senator Smith. Thank you, Senator Allen.
Commissioners, the FTC, itself, has documented the
difficulty that peer-to-peer users have when they use software
programs. They can unwittingly share their tax returns, bank
account numbers, credit cards, medical records, resumes, e-mail
in-boxes, and legal documents of all kinds, with literally
millions of people. The question I have is, Do you have any
suggestions on how we can better educate consumers about the
ongoing risks of identity theft and fraud on P2P networks?
Chairman Majoras. Well, thank you, Senator. It's an
excellent question, and it's something that we, at the FTC,
have been working on. We have materials designed to educate
consumers. But what we are--what we have been doing is working
with the peer-to-peer file-sharing industry, because we think
that, to the extent that consumers need to be warned of risks,
if they can be warned the minute they pull up the--download the
software or begin working on the P2P file-sharing program, that
really is the best place. And in--when we first started this,
last year, after we had our peer-to-peer file-sharing
workshop--at which we were pleased to have you as a speaker,
Senator--really, almost none of the file-sharing companies had
disclosures and warnings on their software. And, today, that
has changed a great deal. I can't tell you that that's
absolutely going to be enough, but we have been focusing a lot
of efforts in that area.
Senator Smith. If it isn't enough, do you need more tools
from us?
Chairman Majoras. We are--I think, Senator, we'd like the
opportunity to finish what we're doing now, and then have the
opportunity to come back to you and talk to you, if we think
further tools are needed.
Senator Smith. OK.
Chairman Majoras. And, of course, the Supreme Court's
decision in Grokster may also give us some guidance.
Senator Allen. Yes.
Commissioner Harbour. If I might just add to what the
Chairman indicated, the Commission staff intends to continue to
encourage the development of best practices with regard to the
risk disclosures, but also the risk of inadvertent file sharing
appears to have decreased, due to technological measures
adopted by some of the peer-to-peer applications, although the
risk of inadvertent file sharing may vary, depending on what
the application is. I think there are new technological
developments that are coming onto the market that are
protecting consumers.
Senator Smith. Is the European Union--or Japan or other
nations, are they running into these issues, as well? And do
you have any--do you do any work with them across the ocean?
Chairman Majoras. We do, Senator. In fact, a great deal of
work with them across the ocean. The EU has a much broader
privacy and security scheme in place, as opposed to going after
areas in which there's harm. It's a very broad, comprehensive--
indeed, it's so broad that, when I recently, on behalf of the
Commission, attended the annual meeting of the International
Competition Network, we weren't allowed to have a list of who
was attending, because that might violate the privacy rights of
the folks who were actually in attendance. In Japan, I've had
folks go to conferences, where they're not--no one is given a
name tag, because, if someone wore a name tag, that might
violate privacy rights--so, in fact, there are broader schemes
out there with other countries. We do work very closely,
through several international organizations, and on a bilateral
basis, to share what has worked and what has not worked.
Senator Smith. Do you need any more tools in dealing with
these other nations? Do you have what you need now?
Chairman Majoras. Well, we have, in the cross-border fraud
legislation that we have promoted, there is some language in
there that would give us some more funding to be able to work
more closely with our counterparts in this space, which is
becoming so important to our work, as you know.
Senator Smith. Well, it's clearly a problem that doesn't
know borders, so I want to say that for the record. And we
appreciate what you're doing internationally.
I want to bring to your attention a constituent's problem
of mine. A constituent in Eugene, Oregon, contacted the Oregon
Department of Justice, filed a fraud report. Last year, she had
been a victim of identity theft, after which she filed a fraud
alert with her credit union, filed a police report, put a fraud
alert on her credit report, yet this same individual was
revictimized a year later. And I'm wondering, What do you say
to consumers who do everything right to protect themselves, and
yet still fall prey to identity theft?
Chairman Majoras. Well, we say we're working as hard as we
possibly can to make sure that that doesn't happen again, and
to make sure that it doesn't happen to additional consumers.
One of the things that we do--I commented on the fact,
Senator, that identity theft is a crime. And that means that
it's prosecuted, most often, except in very large national or
international rings, at the very local level. And so, one of
the things that we try to do is train local police officers. We
have a very big program with the Association of Police Chiefs
to try to train those who are on the ground dealing with these
consumers at the time. And I'll let my colleagues weigh in
here, as well, if they wish.
Commissioner Leibowitz. We're a consensus-driven
organization.
[Laughter.]
Senator Smith. I want to highlight a comment I made
earlier, and I do this in conclusion to our hearing today. I
have in front of me an article from the MSNBC.com website, and
it highlights the connection between ID theft and
methamphetamines. There was, in Eugene, Oregon, again, an ID-
theft ring that--their ring bosses use meth addiction to keep
their runners in line and to get new recruits. In the case of
Steven Massey, convicted for his role as a ringleader of an ID-
theft gang in 2000, methamphetamine was the glue that kept this
guy's ring together. Massey knew where to find meth addicts,
and he made them a simple proposal. Said he, ``I'll trade mail
for meth.'' Soon, he had an army of meth addicts prowling the
neighborhoods near Eugene, stealing mail out of hundreds of
mailboxes, and raiding the local recycling center, for pre-
approved credit-card applications. Others in the ring broke
into cars to steal purses and wallets, not for money, but for
ID papers. By the time Massey was arrested, investigators say
he had gained access to over 400 credit-card accounts and
netted close to $400,000. He eventually pleaded guilty to
conspiracy to commit computer fraud, and to mail theft. It's a
typical case in Oregon. ``Ninety percent of our ID-theft cases
deal with drugs,'' said the local policemen, ``and it's usually
methamphetamine, which is easy and cheap to produce in mass
quantities.''
I highlight this, not to bring attention to my state,
because I think it's a problem being experienced very broadly
in this country, but I do this only to let people know just how
dangerous this is. These are very dangerous people, and,
obviously, one of the most unsurly of trades in illegal drugs.
I don't know whether you would care to respond to that--
yes, Ms. Harbour?
Commissioner Harbour. I know that crystal meth is a very
serious and complicated problem. I do know that Senator
Cantwell was concerned that the use of crystal meth in the
State of Washington was fueling identity theft, as well. And I
know that she had worked very hard to get local law enforcers
in her state to take the issue very seriously; and, in fact,
had involved Representative David Reichert, the former King
County Sheriff, who, by the way, captured the Green River
serial killer. But, anyway, local law enforcers are on the
front lines, and I know that they're dealing with problems
related to both drug use and identity-theft victims. At the
Federal Trade Commission, obviously, we have no criminal law
enforcement jurisdiction. The expertise of dedicated on-the-
ground local law enforcers is irreplaceable. So, I suppose I
would urge all of the Senators and the Congressmen to use
some--to convince your state and local enforcers to really take
a look at this issue, and to take this seriously and step up to
the plate.
Senator Smith. Thank you very much.
I'm going to ask unanimous consent--I guess I'm alone, so I
agree----
[Laughter.]
Senator Smith.--to include in the Senate record a statement
from Oregon's Attorney General, Hardy Myers, that it speaks to
this whole issue and the connection of identity theft and
drugs, specifically methamphetamine.
[The information referred to follows:]
Prepared Statement of Hon. Hardy Myers, Attorney General of Oregon
Police investigating identity theft crimes are becoming
increasingly aware that the perpetrators are almost always users of
methamphetamines. Oregon has an especially high rate of Identity Theft
(9th in the Nation) and has the largest number of citizens in meth
treatment programs of any state in the country. Both of these dubious
distinctions lend themselves to one another. Meth users are many times
recruited by leaders of ID theft rings to steal personal information
from their victims. The meth users, in turn, are given drugs as payment
by the leader of the ID-theft ring.
IDs are especially easy to get in Oregon--in fact, Oregon ranks
48th out of 50 states in the ease of acquiring identification.
Currently, for example, the DMV has approximately 6 million active
Oregon driver's licenses on file, yet there are only 3.5 million
residents in Oregon. In one instance, the Marion County Sheriff's
Office shared one case in which an individual secured 20 DMV-issued
licenses within a 5-hour period.
There are many reasons that identity theft seems to be so
inexorably tied to meth use. Meth users, by virtue of their addiction,
go on binges in which they are awake and focused for days at a time.
Consequently, they must spend days at a time sleeping off the
consequences of their actions. This means that part-time jobs are
difficult to hold. As meth is an expensive habit to maintain, sources
of income are needed to obtain the drug. Furthermore, according to a
professor at SJSU in San Jose, meth's ``unique psychopharmacological
properties would assist ID theft--the whole detail-oriented aspect of
it, the obsessive-compulsive aspect of it.''
Identity theft lends itself well to this because it can reap large
monetary benefits, with relatively smaller punishments. As a police
detective in Eugene put it, ``they (meth users) can make more money in
a fraud crime than they can sticking a gun in someone's face. If you
bring a gun in a bank, you can face life in prison. Or you can write a
series of bad checks and score 10 times that amount and just get
parole.''
There seems to be no official data that states the percentage of
ID-theft crimes that are connected to meth. The estimations vary--but
typically officials say between 85 and 95 percent of all ID theft crimes
are in some way connected to methamphetamine. In 2003, 100 percent of
identity theft cases worked by the Fraud and Identity Theft Enforcement
Team investigators in Washington County, Oregon had a methamphetamine
nexus.
There have been many documented cases in which a meth user has
been caught with a number of identifications, financial records, and
Social Security numbers. In one example in Tualatin, Oregon, officers
located 340 separate probable victim identities in a storage unit along
with a boxed-up meth lab that only needed a few components to start
cooking again. Of the 1,240 separate identities, there was identity
information in the form of full profiles of persons, checks, ID cards,
credit applications, W-2 tax information, and much more.
Oregon, by virtue of being among the most ravaged of states by both
identity theft and methamphetamine, can be a unique example of the
connection between the two. ID theft affects thousands of Oregonians
every year, and it is being perpetuated by users of methamphetamine.
Senator Smith. Let me just say how appreciative we are of
your presence here today, the contribution you've made. We look
forward to working with you to make sure you have the powers
and authorities necessary to get ahead of what is a burgeoning
problem in our country. We've got to protect our consumers from
this; and, clearly, new tools are called for. And your input is
valued, and will be included. And we look forward to working
with you as this legislation develops. And, most of all, thank
you for your public service.
Chairman Majoras. Thank you, Mr. Chairman.
Senator Smith. We're adjourned.
[Whereupon, at 12:15 p.m., the hearing was adjourned.]
A P P E N D I X
Prepared Statement of Hon. Byron L. Dorgan,
U.S. Senator from North Dakota
North Dakota is first in the Nation in many good respects. But I am
happy to say that North Dakota ranks 49th in the Nation in the number
of ID theft cases, on a per-capita basis. There are almost five times
as many cases of ID theft in Arizona, on a per capita basis, than in
North Dakota.
Still, even though we have had relatively few cases in North
Dakota, the first-hand stories of North Dakota victims are certainly
devastating ones. This is clearly a national epidemic. And I am
particularly worried about the many instances in which data brokers
have lost the sensitive financial records of hundreds of thousands of
Americans.
I am a co-sponsor of S. 768, the Comprehensive Identity Theft
Prevention Act, which my colleague Senator Nelson (along with Senator
Schumer) has introduced.
This bill does a number of things:
It bans unregulated commercial trading of Social Security
numbers, and prohibits commercial entities from asking
individuals for their Social Security numbers, unless no other
alternative identifier can be used.
It establishes an Office of Identity Theft within the
Federal Trade Commission (FTC), as a ``one stop shop'' to help
the millions of victims of identity theft each year restore
their identities. This office would also be responsible for
passing regulations to protect consumers' sensitive personal
information that is collected, maintained, sold, or transferred
by commercial entities. It would have the authority to bring
enforcement actions for violators of the regulations.
It requires safeguard rules for all commercial entities:
companies must take ``reasonable steps'' to protect all
sensitive personal information that they store.
It makes information brokers subject to full regulation
by the FTC; and consumers would be afforded the rights they
have under the Fair Credit Reporting Act regarding credit
bureaus.
It requires breach notification: all commercial entities
must notify individuals when there has been a breach of the
individual's sensitive personal information.
I am particularly concerned about the pervasive use of Social
Security numbers by businesses as a means of identifying potential
customers. I believe that the use of misappropriated Social Security
numbers is one of the main accelerants that fuels the epidemic of ID
theft. I know that many businesses will argue that they need Social
Security numbers to distinguish one customer from another. But the
Better Business Bureau estimates that there were 9.3 million victims of
identity theft in 2004. Clearly, there are competing interests here--
and given the number of victims, I think we need to provide much more
protection for the confidentiality of Social Security numbers.
When a company like LexisNexis is hacked into, and thieves steal
the personal data of 310,000 Americans--including not only their Social
Security numbers, but even the date and location where the Social
Security card was issued--it is clear that we have a serious problem on
our hands.
I have read through FTC testimony. It states that ``private and
public entities routinely have used Social Security numbers for many
years to access their voluminous records,'' and suggests that the
solution is not to restrict the use of Social Security numbers, but
rather to go after those who use Social Security numbers for criminal
purposes. I am certainly in favor of going after the bad guys, but I
think we also need to restrict the use of Social Security numbers far
beyond the status quo.
So I look forward to discussing this point with the other
commissioners today.
I am also interested to hear from Vermont Attorney General William
Sorrell on whether Federal legislation on the issue of ID theft should
create a ceiling that preempts recently enacted state laws in this
area. North Dakota is one of the states that has recently passed
legislation requiring notification of individuals when their personal
data has been compromised. I am not sure that we want to be capping the
efforts of states to protect individuals from ID theft. The bill that I
have co-sponsored with Senator Nelson does not do that.
With that, I thank the witnesses for attending today.
______
Prepared Statement of Hon. Barbara Boxer, U.S. Senator from California
Mr. Chairman, thank you for calling this hearing on the vitally
important issue of identity theft. I commend you for making this issue
a top priority.
As you know, I am a strong and vocal proponent of privacy
protection--especially with regard to the distribution of personal
information that can lead to the physical, financial, or psychological
harm of an individual if the information falls into the wrong hands.
In 1994, after an actress in my state was murdered by a stalker who
obtained personal information about her from the Department of Motor
Vehicles, I authored the Driver's Privacy Protection Act to keep
personal information held by a state Department of Motor Vehicles from
being released without the consent of the individual. The Supreme Court
upheld this law on a unanimous 9-0 vote.
That was during the days of the Internet's infancy. While the
Internet has done wonderful things, it--and the computerization of more
and more data--is making it easier for identity thieves.
The Privacy Rights Clearinghouse, a nonprofit group in San Diego,
estimates that nearly 4 million people's identities have been
compromised through means such as hacking, dishonest insiders, and
computer theft since mid-February. This number does not even include 5
million people whose sensitive information is on the back-up tapes lost
by Bank of America and CitiFinancial.
According to a 2003 FTC study, over a period of 1 year, nearly 10
million Americans were victims of identity theft. Losses to business
and financial institutions were nearly $48 billion and consumer victims
reported an additional $5 billion in out-of-pocket expenses.
Criminals use misappropriated and stolen consumer information to
assume the identity of innocent individuals. They get credit cards and
mortgages in someone else's name and even use an assumed identity if
caught committing a crime. The identity thieves then disappear and it
is the victim who is left answering the calls of debt collectors and
the police.
Data brokers are of particular concern when it comes to identity
theft. These companies actively collect and sell information about
individuals.
As aggregators of sensitive information, data brokers are
attractive targets for identity thieves. And, unfortunately, the last
few months have shown that criminals are succeeding in stealing
information from them.
Since the beginning of the year, we have learned that breaches of
security at ChoicePoint and LexisNexis have resulted in information on
approximately 145,000 individuals in ChoicePoint's case and 300,000
records in LexisNexis's case being exposed.
What is worse is if this had happened a few years ago, we might not
have even known about them. It is only since a California credit law
went into effect in mid-2003 that companies have been forced to notify
Californians when their confidential information has been compromised.
That required notification to California's consumers has resulted in
the whole country knowing about these thefts. But, outside of
California, people do not have a right to know when their own personal
data may be compromised.
This must change. People have a right to know when they are at
risk. They have a right to know before they get turned down for a loan
because someone else ruined their credit record. They have a right to
know before they are arrested for someone else's crime. We, however,
should not focus solely on data brokers. Many other organizations
routinely store sensitive personal information. In April, DSW--the shoe
store--admitted that its computer system had been hacked allowing
criminals access to the credit card and driver's license numbers of
approximately 1.4 million customers.
Identity theft also raises serious homeland security concerns.
Terrorists, too, are able to use sensitive consumer information to
assume false identities. Unlike criminals, however, terrorists will
avoid the activities that normally alert a person to the fact their
identity was stolen. So long as the terrorist pays the credit card
bills, it could be years before the deception is revealed.
Legislation is needed to address the consumer harm and security
threat arising from identity theft. Therefore, I have cosponsored the
Comprehensive Identity Theft Prevention Act (S. 768).
The legislation would create and fund the Office of Identity Theft
in the FTC and create an Assistant Secretary for Cyber Security in the
Department of Homeland Security.
Moreover, it would regulate data brokers and ensure that companies
maintaining sensitive personal information protect that data. A notice
provision based on California's law would require companies to inform
affected individuals of security breaches and give those consumers
additional rights to protect their sensitive information.
This legislation is timely and necessary. I look forward to working
with my colleagues on this Committee to move the bill forward.
I thank you again, Mr. Chairman.
______
Prepared Statement of Frank R. Lautenberg, U.S. Senator from New Jersey
Mr. Chairman,
Thank you for holding this important second hearing on the
compilation, storage, and sale of sensitive personal information, and
the American public's increasing concern and susceptibility to identity
theft.
Whereas our focus in May was to look at the actors in the data
brokerage industry, today we focus on what the Federal Trade Commission
is doing to help combat identity theft and what Congress can and should
do to combat this increasing threat.
Recent security breaches at the Nation's largest data brokerage
firms have left millions of Americans vulnerable to identity theft and
scams. Overall, some 10 million Americans were victimized by identity
thieves last year.
And the situation is only getting worse. The year 2005 has brought
news of one security breach after another, with no end in sight. Some
of these breaches have been high-tech, resulting from improperly or
illegally accessed passwords. Others have been caused by mere
carelessness, sometimes during the transport of files or disks.
Regardless of method, these breaches have exposed sensitive
personal information about millions of Americans in the past year
alone. This is simply unacceptable, and it warrants our attention.
In the wrong hands, an individual's private data can wreak havoc on
a victim's life--ruining their finances and credit rating, their
ability to obtain a mortgage, and often their good name.
Victims of identity theft often spend years and large amounts of
money to repair the damage done by identity thieves.
Advances in technology allow more information to be compiled faster
and in fewer databases. The collection and storage of personal
information is a big business, and now is the time to exercise better
oversight of this problem and consider how we can play a role in
protecting Americans from identity theft.
Mr. Chairman, our laws must ensure that companies protect personal
information with great care.
We must work harder to protect Social Security numbers. Social
Security numbers should be requested and given based on need.
Furthermore, we must make sure Americans are aware of how and when
their Social Security number is being used.
We must also notify consumers when a breach has occurred that puts
them at risk of identity theft.
I'm interested to hear from the Federal Trade Commissioners on what
efforts the FTC currently employs to protect Americans, and what their
agency is prepared to do moving forward to help combat identity theft.
Thank you, Mr. Chairman.