[Senate Hearing 109-60]
[From the U.S. Government Publishing Office]
S. Hrg. 109-60
SECURING ELECTRONIC PERSONAL DATA: STRIKING A BALANCE BETWEEN PRIVACY
AND COMMERCIAL AND GOVERNMENTAL USE
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
APRIL 13, 2005
__________
Serial No. J-109-11
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
22-293 WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
ARLEN SPECTER, Pennsylvania, Chairman
ORRIN G. HATCH, Utah                 PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
JON KYL, Arizona                     JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin
JEFF SESSIONS, Alabama               DIANNE FEINSTEIN, California
LINDSEY O. GRAHAM, South Carolina    RUSSELL D. FEINGOLD, Wisconsin
JOHN CORNYN, Texas                   CHARLES E. SCHUMER, New York
SAM BROWNBACK, Kansas                RICHARD J. DURBIN, Illinois
TOM COBURN, Oklahoma
David Brog, Staff Director
Michael O'Neill, Chief Counsel
Bruce A. Cohen, Democratic Chief Counsel and Staff Director
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Feingold, Hon. Russell D., a U.S. Senator from the State of Wisconsin
  prepared statement
Feinstein, Hon. Dianne, a U.S. Senator from the State of California
  prepared statement
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
  prepared statement
Schumer, Charles E., a U.S. Senator from the State of New York
  prepared statement
Specter, Hon. Arlen, a U.S. Senator from the State of Pennsylvania
WITNESSES
Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation,
  Little Rock, Arkansas
Curling, Douglas C., President and Chief Operating Officer,
  ChoicePoint, Alpharetta, Georgia
Dempsey, James X., Executive Director, Center for Democracy &
  Technology, Washington, D.C.
Douglas, Robert, Chief Executive Officer, PrivacyToday.Com,
  Steamboat Springs, Colorado
Johnson, Larry, Special Agent in Charge, Criminal Investigative
  Division, U.S. Secret Service, Washington, D.C.
Majoras, Deborah Platt, Chairman, Federal Trade Commission,
  Washington, D.C.
Sanford, Kurt P., President and Chief Executive Officer, U.S.
  Corporate and Federal Markets, LexisNexis, Miamisburg, Ohio
Sorrell, William H., Attorney General, State of Vermont, and
  President, National Association of Attorneys General,
  Montpelier, Vermont
Swecker, Chris, Assistant Director, Criminal Investigative
  Division, Federal Bureau of Investigation, Washington, D.C.
QUESTIONS AND ANSWERS
Responses of Jennifer T. Barrett to questions submitted by
  Senator Leahy
Responses of Douglas Curling to questions submitted by Senators
  Specter and Leahy
Responses of Deborah Platt Majoras to questions submitted by
  Senators Leahy and Biden
Responses of Kurt P. Sanford to questions submitted by Senators
  Specter and Leahy
SUBMISSIONS FOR THE RECORD
Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation,
  Little Rock, Arkansas, prepared statement
Consumers Union, Gail Hillebrand, San Francisco, California,
  prepared statement
Curling, Douglas C., President and Chief Operating Officer,
  ChoicePoint, Alpharetta, Georgia, prepared statement
Dempsey, James X., Executive Director, Center for Democracy &
  Technology, Washington, D.C., prepared statement
Douglas, Robert, Chief Executive Officer, PrivacyToday.Com,
  Steamboat Springs, Colorado, prepared statement and attachments
Johnson, Larry, Special Agent in Charge, Criminal Investigative
  Division, U.S. Secret Service, Washington, D.C., prepared
  statement
Kuhlmann, Arkadi, Chief Executive Officer, ING Direct,
  Wilmington, Delaware, prepared statement
Majoras, Deborah Platt, Chairman, Federal Trade Commission,
  Washington, D.C., prepared statement
Sanford, Kurt P., President and Chief Executive Officer, U.S.
  Corporate and Federal Markets, LexisNexis, Miamisburg, Ohio,
  prepared statement
Sorrell, William H., Attorney General, State of Vermont, and
  President, National Association of Attorneys General,
  Montpelier, Vermont, prepared statement
Swecker, Chris, Assistant Director, Criminal Investigative
  Division, Federal Bureau of Investigation, Washington, D.C.,
  prepared statement
SECURING ELECTRONIC PERSONAL DATA: STRIKING A BALANCE BETWEEN PRIVACY
AND COMMERCIAL AND GOVERNMENTAL USE
----------
WEDNESDAY, APRIL 13, 2005
United States Senate,
Committee on the Judiciary,
Washington, D.C.
The Committee met, pursuant to notice, at 9:30 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Arlen
Specter, Chairman of the Committee, presiding.
Present: Senators Specter, Coburn, Leahy, Kohl, Feinstein,
Feingold, and Schumer.
OPENING STATEMENT OF HON. ARLEN SPECTER, A U.S. SENATOR FROM
THE STATE OF PENNSYLVANIA
Chairman Specter. It is 9:30 and our practice is to begin
these hearings precisely on time. We have a long list of
witnesses today, ten in number. We have a vote scheduled for
11:15, and once Senators disperse to go to vote, it is pretty
hard to get the attention of the Senators after that. So we are
going to be operating under our usual time limit of five
minutes for statements by witnesses. All statements will be
made a part of the record in full and that will be our method
of proceeding.
First, on a brief personal note, I was stopped coming over
by a young woman who told me her father has a situation similar
to mine. And I get a tremendous number of questions and I am
glad to report that I am doing fine with certain treatments. I
have a new hair stylist. That is the most marked change in my
situation. I have been on the job. We have had the hearings,
persevering with the work of the Senate. Some days are better
than others, but it is all fine.
Our subject matter today is an issue of great importance on
breaches of data security involving the invasion of privacy.
The statistics show that--you can start to run the clock now
that I am on the subject matter. I adhere to the strict time
limits myself.
The statistics show that there were 10 million victims of
identity theft and identity fraud in the year 2003, at a cost
to those individuals of some $5 billion, $50 billion in
business losses; very extensive participation by the Government
on data, with the Department of Justice having paid some $75
million to ChoicePoint last year on data processing.
We are in a field of phenomenal electronic advances. Chief
Justice Warren was prescient back in 1963 in a decision on
Lopez v. United States, saying that, quote, ``The fantastic
advances in the field of electronic communications constitute a
great danger to the privacy of the individual.'' And where we
have moved from 1963 is enormous and we now see the breaches in
security and it is a matter of serious consequences for our
individual privacy and also for law enforcement, which is
relying upon these electronic mechanisms to identify suspects
and pursue legitimate law enforcement interests.
There has been an entire industry which has grown up on
this subject providing very, very important services, having
databanks which enable applicants for mortgages to get them the
same day, applicants for leases on apartments to get them the
same day, credit card applications being processed, so that it
has facilitated our lives, but it has had the corollary problem
of the invasions of privacy.
There has been limited governmental response. Some States
have laws. There is no Federal legislation on the issue. The
United States General Accounting Office reports that, quote,
``Criminal law has thus far proven to be quite ineffective in
grappling with identity theft in that States devote
insufficient attention and resources to prosecuting identity
theft.'' The major companies who are represented here today--
ChoicePoint, LexisNexis and Acxiom--have personal data on
millions of Americans, including the identity as to name,
address, Social Security numbers, insurance claims history,
credit history, vehicle ownership, military service,
educational history, outstanding liens or judgments,
fingerprints, and even DNA. So it is a very, very wide array of
information which is available.
There is no Federal legislation on the subject, and after
the review for this hearing it is my conclusion that we do need
Federal legislation, that there needs to be uniformity as we
approach an enormous problem of this sort.
I took about a minute before the clock went on, so I am
going to stop at this juncture and yield to my distinguished
ranking member, Senator Leahy.
STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE
STATE OF VERMONT
Senator Leahy. That is a hint for the ranking member not to
go overly long, too, but I want to thank the Chairman for doing
this hearing. I wrote to him earlier this year and asked that
we do it. I know that we both share this concern about privacy
and this helps a great deal.
I am glad to see Senator Feinstein here, who has been a
leader on this, and Senator Schumer and other members of the
Committee, and Senator Nelson from Commerce. I am glad to see a
fellow Vermonter, Bill Sorrell, who is the Attorney General of
Vermont and President of the National Association of Attorneys
General.
I think of all the major security breaches involving large
firms such as ChoicePoint, Bank of America and Seisint, a
LexisNexis subsidiary, and it shows the susceptibility of our
most personal data to relatively unsophisticated scams. These
are not major things where somebody went in with some major,
high-tech hacking. This was something where they used basically
con games and got so much of this information.
It raises broader concerns, like industry's failure to know
its own customers by properly screening the buyers of
consumers' data. Advanced technology, combined with the
realities of the post-9/11 digital era, have created strong
incentives and opportunities for collecting and selling
personal information about each and every American. Every
single American in this room, as well as every American
throughout the country--there is an incentive to collect the
data about them and then to sell it.
All types of corporate entities routinely traffic in
billions of digitized personal records to move commerce along.
Our Government is using it now to know its residents. There is
a certain Orwellian twist to this. I can make a lot of
arguments of why business needs it, but I can also make a
strong argument why if business is not careful with their trust
or Government is not careful with their trust, we Americans are
severely damaged and the country is severely damaged. Our
privacy and our security is damaged.
Increasingly, those who trade in data have no direct
relationship with the individuals and faces behind the numbers
or letters that identify them. So the normal market discipline
of disgruntled consumers does not save the companies from
themselves.
We had one major company that sent the most personal data
about their consumers on an airplane just to ship it off to
another area. All of us who fly very much, we know our
suitcases get lost. This was a case, and they were cavalier
about that, where they just sent it out, showing absolutely no
concern for their customers. And then I read in the paper two
days ago that their former president is given, even though he
is retired, lifetime use of the corporate jet. No wonder they
treated it so cavalierly. They don't have to worry about lost
luggage. If they did, maybe they would be concerned about the
lost data of their customers. Frankly, if I were a customer of
that company, I would change companies.
The case of Amy Boyer is a poignant reminder. In 1999, a
man who had been obsessed with her since high school bought
Amy's Social Security number, work address and other
information from data broker Docusearch for $154. He used that
information to track her down, and one day as she was leaving
work he fatally shot her just before killing himself. For $154,
he could track her down.
For others, inaccurate or misused data has meant job
refusals or in many cases a life-consuming cycle of watching
their credit unravel and undoing the damage caused by security
breaches and identity theft. Individuals working for an Indian
data processor stole personal information of Citibank
customers, along with $350,000 just to make it worthwhile.
Last year, a Pakistani transcriber of medical files from a
San Francisco hospital threatened to post that information on
the Internet unless she received back pay. We outsource this to
other countries anyway. They are holding our information in
other countries and if they want to blackmail us with it, there
is not much we can do.
I think weaknesses in the data industry can jeopardize our
law enforcement and our homeland security. Government contracts
that provide critical data and processing tools have to get it
right. Our hearing today is not about shutting down these data
brokers or abandoning their services. It is about shedding a
little sunshine on current practices and weaknesses, and
frankly, in my estimation, some very, very sloppy, sloppy
business practices by some of these companies, and then to
establish a sound legal framework to ensure that privacy,
security and civil liberties will not be pushed aside.
Industry leaders like ChoicePoint, Acxiom and LexisNexis
play a legitimate and a valuable role in the information
economy. But because they are so valuable, they also need to
treat these more carefully.
I will put the rest of my statement in the record, Mr.
Chairman, but I am extremely concerned that we are not
protecting customers and consumers around this country in the
way we should. The companies get the benefit of having the
data, but they also have a responsibility. We have to also
consider some of the privacy issues that should affect every
single one of us.
Chairman Specter. Without objection, Senator Leahy's full
statement will be made a part of the record, as will my full
statement.
[The prepared statement of Senator Leahy appears as a
submission for the record.]
Chairman Specter. We turn now to a distinguished member of
this panel who has taken initiative in introducing legislation
in the field, as has Senator Schumer and some other Senators,
but I think Senator Feinstein has put in the lead legislation,
with some substantial experience from her home State of
California.
We are going to waive the oath for you, Senator Feinstein,
but everybody else is going to be put under oath.
STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Senator Feinstein. Thank you very much, Mr. Chairman, and
because you referred to what you have been going through in
your opening statement, I just want to say how much personal
respect I have for you for doing what you are doing in the way
in which you are doing it. You have been an extraordinarily
fair Chairman and this Senator really appreciates it. I think
your vigor and your ability to carry out this work is truly
amazing.
Chairman Specter. Thank you very much. Thank you.
Senator Feinstein. You are welcome.
Chairman Specter. Start Senator Feinstein's clock at five
minutes.
Senator Feinstein. Thank you.
[Laughter.]
Chairman Specter. And anything else she may care to say
about me, we will restart it at five minutes, so long as it is
similarly laudatory.
Senator Feinstein. Thank you very much.
I think most people don't understand that when they shop,
when they buy a car, when they buy a home, what they buy, when
they buy out of a catalog, when they use a credit card, all
bits and pieces about their personal data are collated and put
together--their Social Security number, their driver's license,
their personal financial data, their personal health data.
And it is used; it is used by banks who sell to
subsidiaries. I am told Citibank sells to 2,000 different
companies. There are companies that put this data together that
are here today that also sell it, and the individual has no
knowledge of this, has not given their permission, knows
nothing about it, until one day they are a victim of identity
theft.
And this is not a small thing. There were 9 million victims
this last year alone. Of the 12 big breaches of databases that
took place this year and during last year, the personal data of
10.7 million Americans has been put in jeopardy of identity
theft. That is where we are going. It is huge and it is large.
This is the third Congress in which I have introduced
bills, bills to give an individual some control. You have to
give your permission before your personal data is sold. That is
called opt-in. For less personal data, it is opt-out. To
restrict use of Social Security numbers, to require that they
be redacted from public documents--that is a second bill, and
so on.
This bill, S. 115, is patterned after the California law.
We would not have known of these breaches had it not been for
California law. As a matter of fact, I am told that
ChoicePoint--and I am sure if this is not correct, they will
say so when they testify--had a prior breach and didn't notify
anyone until the California law required them to notify
Californians, and then others protested and they notified more
people. So we have a bill that follows California law.
On Monday, I introduced a new bill after working with
consumer advocates to broaden the scope, and the new bill's
number is 751. This bill will ensure that Americans are
notified when their most sensitive personal information--their
Social Security number, their driver's license or State
identification number, their bank account and credit card
information--is part of a data breach, putting them at risk of
identity theft.
This bill would require a business or government entity to
notify an individual in writing or e-mail when it is believed
that personal information such as a Social Security number,
driver's license, credit card number has been compromised. Only
two exceptions exist: first, upon the written request of law
enforcement--that is obviously pending an investigation--for
purposes of criminal investigation, and, second, for national
security purposes.
The bill is based on California law, but California law
really opened our eyes to the breadth and depth of the problem.
This bill covers both electronic and non-electronic data, as
well as encrypted and unencrypted data. California law only
includes unencrypted electronic data.
This new bill would allow individuals to put a seven-year
fraud alert on their credit report. The California law doesn't
address fraud alerts. It doesn't include a major loophole
allowing companies to follow weaker notification requirements,
as the California law does. Our bill lays out specific
requirements for what must be included in notices, including a
description of the data that may have been compromised, a
toll-free number to learn what information and which individuals
have been put at risk, and the numbers and addresses for the
three major credit reporting agencies. By contrast, California
law is silent on what should be in notices.
This bill has tougher civil penalties--$1,000 per
individual they fail to notify, or not more than $50,000 a day
while the failure to notify continues or exists. In California,
a victim may bring a civil action to recover damages or the
company may be enjoined from further violations. And most
importantly, this bill sets a national standard so that
individuals in Iowa, Oklahoma and Maine have the same
protection as consumers in California.
The law would be enforced by the Federal Trade Commission
or other relevant regulators, or by a State attorney general
who could file a civil suit. And because the bill is stronger
than California law, leading privacy groups, including
Consumers Union and Privacy Rights Clearinghouse, have endorsed
this legislation.
I would like, if I might, to put these letters in the
record, Mr. Chairman.
Chairman Specter. Without objection, they will be made part
of the record.
Senator Feinstein. I would like to end with one case that I
think depicts what has happened. You can't tell the true impact
of identity theft by looking at numbers. Let me give you the
case of Rebecca Williams. She lived in San Diego in 2000. A
thief was using her Social Security number, her birth date and
her name to establish a parallel identity thousands of miles
away in the Chicago area.
The thief opened a phone line and utilities, obtained a
driver's license and signed up for credit cards in her name. He
even tried to use her identity to purchase a car. In all, the
thief used Ms. Williams' identity to open more than 30
accounts, accruing tens of thousands of dollars' worth of goods
and services. Sometimes, accounts were opened despite the fact
that fraud alerts had been issued.
Ms. Williams said that restoring her identity is like a
full-time job, and estimates that she spent the equivalent of
eight hours a day for three full months working with credit
bureaus, credit card companies and various government agencies.
Chairman Specter. Senator Feinstein, I note you have
considerably more text. Could you summarize?
Senator Feinstein. I certainly will. The point is that five
years later, she has not fully restored her identity. That is
how serious this is.
So I thank you for holding this hearing, and I would ask
that my full statement be entered into the record.
Chairman Specter. Without objection, it will be made a part
of the record in full. Again, thank you, Senator Feinstein for
your leadership and your early leadership in this field.
[The prepared statement of Senator Feinstein appears as a
submission for the record.]
Chairman Specter. We are going to start the hearing today
with a video demonstration on what the impact is of knowing
someone's Social Security number. We all know that the Social
Security number is an entry point to a great deal of
information about people, and we similarly know that we are
frequently asked to give our Social Security number in contexts
where we question the necessity for it. It may well be that
Congress will consider prohibitions against disclosure of
Social Security numbers and some very heavy tightening up of
this very basic point of identification which we all
necessarily have.
We have with us Mr. Robert Douglas, who is the CEO of
PrivacyToday.com. His full background will be made a part of
the record, but in the interest of brevity I want to turn to
him right now for his video demonstration.
STATEMENT OF ROBERT DOUGLAS, CHIEF EXECUTIVE OFFICER,
PRIVACYTODAY.COM, STEAMBOAT SPRINGS, COLORADO
Mr. Douglas. Thank you, Chairman Specter, ranking member
Leahy, distinguished members of the Committee. My name is
Robert Douglas.
Chairman Specter. Excuse me. Do you have similar screens
for Senator Feinstein and Senator Feingold so they can follow
this?
Senator Feinstein. It is right over there.
Chairman Specter. Can you see it?
Senator Feinstein. No, but it is there.
[Laughter.]
Chairman Specter. Let the record show it is there.
Proceed, Mr. Douglas.
Mr. Douglas. We do have hard copies of these available for
the members.
My name is Robert Douglas. I have been a private
investigator and security consultant for the last 22 years, the
last 8 years of which I have specialized in identity crimes and
fraud. This is my fifth appearance before the United States
Congress testifying on these types of crimes.
I have provided expert testimony to the Federal Trade
Commission in Operation Detect Pretext, the Florida statewide
grand jury on identity theft, and on the murder case of Amy
Boyer that Senator Leahy--
Chairman Specter. Your credentials as an expert are taken.
On to the issue.
Mr. Douglas. Thank you, sir. I have been asked to provide a
brief demonstration of how it is to obtain a Social Security
number, the other types of information that are available, and
what harm can come from that information.
The first screen up is a website called SecretInfo.com,
which when asked by the Washington Post to obtain a Social
Security of one of their reporters, I was able to do so on this
search right here, locate a Social Security in 36 hours. I
would note that from another company, U.S. Records Search, I
received it in two hours telephonically.
To place the search online, all I did was go to the order
page. I put in the name of the reporter, Jonathan Krim. I
provided his current address, which we won't do for obvious
reasons in the presentation here, and no other information. I
scrolled down. I entered my name in the appropriate spot,
entered my address information, which once again we won't
share, and phone numbers that I could be contacted at.
I scrolled down a little further, provided a credit card
number to make payment, hit the ``I agree'' button, and in 36
hours back came a very brief e-mail from Michael at
SecretInfo.com providing the search results, the charge that
had been applied to my credit card, the company that had
applied the charge, and at the bottom Jonathan Krim, and
obviously we have redacted his Social Security number for the
presentation this morning. I would once again say that the
other company, in two hours--they called me on my cell phone
while I was driving home two hours afterwards.
This is another company that gives a very good example of
the scope of the information that is available on the
Internet--name and address information, phone record
information, Social Security numbers, post office box--I would
much of this already protected by Federal law--utility
information, DMV information. I am sure the Senators are
familiar with the Driver's Privacy Protection Act.
This is another search site that gives descriptions of the
types of searches available. I would point out once again
driving records, credit reports, and they often will have
language that qualifies who they will sell this to. But the
experience in the FTC operation when we called more than a
hundred of these companies is if they trusted you, they would
sell anything to anybody over the phone--credit card activity,
including specific details of purchases; telephone records,
including specific numbers that have been called; bank account
information which, depending on how it is obtained, is in
violation of Gramm-Leach-Bliley; airline travel records, which
is a terrorist's dream.
Finally, I would like to just mention--and Senator Leahy
mentioned the Amy Boyer case. That is the case that I worked on
in New Hampshire. This is the firm that sold Amy's information,
Docusearch.com. They are still in business today. In fact,
Forbes magazine lists them as number one, and ChoicePoint is
number two, of the firms that they recommend that people go to
to buy information.
Why is that dangerous? In Amy's case, it ended up in this
gentleman's hands, and I use the term ``gentleman'' quite
loosely. This is Liam Youens standing in the corner of his
bedroom with an AK-47. That is the gentleman that killed Amy
Boyer once he bought her Social Security number, date of birth
and place of employment.
That is the conclusion of my presentation, Mr. Chairman.
Chairman Specter. Thank you very much, Mr. Douglas. That is
very informative.
We will now turn to our first panel--the Honorable Deborah
Platt Majoras, Mr. Chris Swecker, Mr. Larry Johnson and Mr.
Bill Sorrell. Would you all please step forward?
As a matter of practice, the Committee will swear in all
witnesses. We are non-discriminatory. We had the Attorney
General in last week and the Director of the FBI, so we want
you to know that regardless of rank, station, et cetera, we
think this is a preferred policy.
If you would all rise and raise your right hands, do you
swear that the testimony you will provide to the Senate
Judiciary Committee will be the truth, the whole truth and
nothing but the truth, so help you God?
Ms. Majoras. I do.
Mr. Swecker. I do.
Mr. Johnson. I do.
Mr. Sorrell. I do.
Chairman Specter. May the record show that all of the
witnesses answered in the affirmative.
Our first witness is the Honorable Deborah Platt Majoras,
Chairman of the Federal Trade Commission. Prior to her service
at the FTC, she practiced law with the prestigious firm of Day
Jones in Washington. In 2001, she was appointed Deputy
Assistant Attorney General for the Antitrust Division, and
Principal Deputy in 2002. She has an excellent academic record,
summa cum laude from Westminster and a law degree from the
University of Virginia.
Thank you for joining us, Madam Chairman, Madam Chairwoman,
Madam Chairperson, and you have five minutes. We look forward
to your testimony.
STATEMENT OF HON. DEBORAH PLATT MAJORAS, CHAIRMAN, FEDERAL
TRADE COMMISSION, WASHINGTON, D.C.
Ms. Majoras. Thank you very much, Mr. Chairman, ranking
member Leahy, Members of the Committee. I am Deborah Majoras,
Chairman of the Federal Trade Commission. I am grateful for the
opportunity to testify today about securing personal
information collected by data brokers and reducing the risks of
identity theft.
Although the views expressed in my written testimony
represent the views of the Commission, my oral presentation and
responses to your questions are my own and do not necessarily
reflect the views of the Commission or any individual
commissioner.
Recent revelations about security breaches that resulted in
disclosure of sensitive personal information about thousands of
consumers have put the spotlight on data brokers like
ChoicePoint and LexisNexis which collect and sell this
information. This data broker industry includes many types of
businesses providing a variety of services to an array of
commercial and government entities.
The information they sell is used for many purposes, from
marketing to assisting in law enforcement. Despite the
potential benefits of these services, the data broker industry
is the subject of both privacy and information security
concerns. As recent events demonstrate, if the sensitive
information they collect gets into the wrong hands, it can
cause serious harm to consumers, including identity theft.
As the FTC is well aware, identity theft is a pernicious
problem. Our 2003 survey estimated that almost 10 million
consumers discovered that they were victims of some form of
identity theft in the preceding 12 months, costing consumers $5
billion in out-of-pocket losses and American businesses $48
billion in losses.
The survey looked at two major categories of identity
theft--the misuse of existing accounts and the creation of new
accounts in the victim's name. Not surprisingly, the survey
showed a direct correlation between the type of identity theft
and its cost to victims in both time and money spent solving
the problem. So, of course, people who had new accounts opened
in their names, while they made up only one-third of the
victims, nonetheless suffered two-thirds of the direct
financial harm. Our survey also found that victims spent almost
300 million hours correcting their records and reclaiming their
good names. That is a substantial toll and we take seriously
the need to reduce it.
There is no single Federal law governing data brokers.
There are, however, some statutes and regulations that address
the security of access to the information they maintain,
depending on how the information is collected and used.
The Fair Credit Reporting Act, for example, makes it
illegal to disseminate consumer report information like credit
reports to someone who does not have a permissible purpose;
that is, a legitimate business need for the information.
Similarly, the Gramm-Leach-Bliley Act imposes restrictions on
the extent to which financial institutions may disclose
consumer information related to financial services and
products.
Under that Act, the Commission issued its Safeguards Rule,
which imposes security requirements on a broadly defined group
of financial institutions that hold customer information. The
Commission recently brought two cases in which we alleged that
the companies there had not taken reasonable precautions to
safeguard consumer information.
Finally, Section 5 of the FTC Act prohibits unfair or
deceptive practices by a broad spectrum of businesses,
including those involved in the collection and use of personal
information. Using this authority, the Commission has brought a
number of actions against companies that made false promises to
consumers about how they would use or secure their sensitive
personal information.
These cases make clear that an actual breach of security is
not necessary for us to enforce under Section 5 if we determine
that a company's security procedures were not reasonable in
light of the sensitivity of the information the company
maintains. Evidence of a breach, of course, however, may
indicate that the company's procedures were not adequate, and
our Commission staff monitors reports of breaches and initiates
investigations where appropriate.
The Commission, consistent with the role Congress delegated
in 1998, has worked hard to educate consumers and businesses
about the risks of identity theft, as well as to assist victims
and law enforcement officials. The Commission maintains a
website and a toll-free hotline staffed with trained counselors
to advise victims on how to reclaim their identities. We
receive roughly 15,000 to 20,000 contacts per week on our
hotline or through our website or from mail from consumers who
want to avoid becoming victims and from victims themselves. The
Commission also facilitates cooperation, information-sharing
and training among Federal, State and local law enforcement
authorities.
Although data brokers are currently subject to a patchwork
of laws, depending on the nature of their operations, recent
events raise the issue of whether these laws are sufficient.
Although several alternatives have been proposed and we are
considering each very carefully, the most immediate need is to
address the risks to security.
One sensible step would be to mandate security requirements
for sensitive personal information collected by data brokers
much like the Commission's Safeguards Rule imposes on certain
companies. It also is appropriate--
Chairman Specter. Chairman Majoras, could you summarize at
this point?
Ms. Majoras. Yes, I will.
Finally, it is also appropriate to consider a workable
Federal requirement for notice to consumers when there has been
a security breach that raises significant risks to consumers.
Mr. Chairman, members of the Committee, thank you very
much. I look forward to working with all of you.
[The prepared statement of Ms. Majoras appears as a
submission for the record.]
Chairman Specter. Thank you.
We turn now to Mr. Chris Swecker, who is the Assistant
Director of the Criminal Division of the Federal Bureau of
Investigation. Mr. Swecker has a very extensive background in
field work, has been with the FBI since 1982. His academic
record is a bachelor's degree from Appalachian State University
and a law degree from Wake Forest. He also served as--this is
the highlight of your resume, Mr. Swecker. You were an
assistant district attorney. People sometimes ask me what is
the best job I ever held and expect to hear Senator, maybe D.A.
And I say, no, assistant D.A.
Start the clock at five minutes for Mr. Swecker.
STATEMENT OF CHRIS SWECKER, ASSISTANT DIRECTOR, CRIMINAL
INVESTIGATIVE DIVISION, FEDERAL BUREAU OF INVESTIGATION,
WASHINGTON, D.C.
Mr. Swecker. Good morning, Mr. Chairman and members of the
Committee. I want to thank you for the opportunity to testify
today on the FBI's efforts to combat identity theft, as well as
the FBI's use of public source data.
The FBI views identity theft as a significant and growing
crime problem, especially as it relates to the theft of
consumer information from large wholesale data companies. The
FBI opened 1,081 investigations related to identity theft in
fiscal year 2003, and 889 in fiscal year 2004. I might add that
a case that involves the theft of 1,000 identities would only
be counted as one investigation within the FBI's structure.
That number is expected to increase as identity thieves
become more sophisticated and as the technique is further
embraced by large criminal organizations, placing more identity
theft crime within the FBI's investigative priorities. At
present, we have over 1,600 active investigations involving
some aspect of identity theft.
The FBI does not specifically track identity theft
convictions and indictments, as identity theft crosses all
program lines and is usually perpetrated to facilitate other
crimes such as credit card fraud, check fraud, mortgage fraud
and health care fraud.
Armed with a person's identifying information, an identity
thief can open new accounts in the name of a victim, borrow
funds in the victim's name, or take over and withdraw funds
from existing accounts of the victim, such as their checking
account or their home equity line of credit. Although by far
the most prevalent, these financial crimes are not the only
criminal uses of identity theft information, which can even
include evading detection by law enforcement in the commission
of violent crimes.
Identity theft takes many forms, but generally includes the
acquiring of an individual's personal information such as
Social Security number, date of birth, mother's maiden name, et
cetera. Identity theft has emerged as one of the dominant white
collar crime problems of the 21st century. Estimates vary
regarding the true impact of the problem, but agreement exists
that it is pervasive and growing.
In addition to the significant monetary harm caused to the
victims of the frauds, often by providers of financial,
government or other services, the individual victim of the
identity theft may experience a severe loss in their ability to
utilize their credit and their financial identity.
In a May 2003 survey commissioned by the FTC, they
estimated that the number of consumer victims of identity theft
over the year prior to the survey at 4.6 percent of the
population of U.S. consumers over the age of 19, or 9.9 million
individuals, with losses totaling $52.6 billion. Half of these
individuals experienced the takeover of existing credit cards,
which is generally not considered identity theft. New account
frauds, more generally considered to be identity theft, were
estimated to have victimized 3.23 million consumers and to have
resulted in losses of $36.7 billion.
The FBI's Cyber Division also investigates instances of
identity theft which occur over the Internet or through
computer intrusions by hackers. The Internet Crime Complaints
Center, also known as IC3, is a joint project between the FBI
and the National White Collar Crime Center. This joint
collaboration serves as a vehicle to receive, develop and refer
criminal complaints regarding the rapidly expanding arena of
cyber crime.
The IC3 receives an average of 17,000 complaints every
month from consumers alone, and additionally receives a growing
volume of referrals from key e-commerce stakeholders. Of the
more than 400,000 complaints referred to IC3 since its opening
in May of 2000, more than 100,000 were either characterized as
identity theft or involved conduct that could be characterized
as identity theft.
The FBI is developing cooperative efforts to address the
identity theft crime problem in cities such as Detroit,
Chicago, Memphis and Mobile. Task forces are currently
operating in conjunction with our other State, Federal and
local partners.
An example of some of the cases involve a case involving,
in September 2004, Phillip Cummings in the theft of over 30,000
consumer credit histories from 2000 to 2002. Losses to
financial institutions in this case exceeded $11 million. He
was sentenced to 14 years in Federal prison.
In January of 2003, another case involved the theft of over
100 credit reports by someone posing in the account name of
NEXTEL. The cases go on and on. I won't belabor you with all of
the different investigations. There is a case, as you well
know, involving ChoicePoint, where there wasn't an IT
intrusion. It was actually a socially-engineered con effort, as
Senator Leahy pointed out, involving a customer who used over
23 business identities to access accounts through ChoicePoint.
Chairman Specter. Mr. Swecker, your red light is on. Time
has expired. If you could summarize at this point, we would
appreciate it.
Mr. Swecker. ChoicePoint information is not considered in a
vacuum. It is one of the many investigative tools which are
used in law enforcement by investigators and analysts. As with
any source of information, it is considered in relation to the
totality of available information. It is particularly useful in
that it allows analysts to inductively and deductively develop
information about subjects, their confederates, witnesses and
corporations that are associated with an investigation.
Once again, I appreciate the opportunity to come before you
today and share the work that the FBI has undertaken involving
identity theft. The FBI's efforts in this arena will continue
and we will continue to keep the Committee informed of our
progress.
[The prepared statement of Mr. Swecker appears as a
submission for the record.]
Chairman Specter. Thank you very much, Mr. Swecker.
We turn now to Mr. Larry Johnson, who is the Special Agent
in Charge of the Criminal Investigative Division of the Secret
Service. Mr. Johnson is a 20-year-plus veteran of the Secret
Service, having started in 1982. He has worked in quite a
number of field offices around the country and was the
Assistant Special Agent in Charge of the Presidential
Protective Division. He has a bachelor's degree from Eastern
Kentucky.
Thank you very much for joining us, Mr. Johnson.
STATEMENT OF LARRY JOHNSON, SPECIAL AGENT IN CHARGE, CRIMINAL
INVESTIGATIVE DIVISION, U.S. SECRET SERVICE, WASHINGTON, D.C.
Mr. Johnson. Thank you, Mr. Chairman. In addition to
providing the highest level of physical protection to our
Nation's leaders, the Secret Service exercises broad
investigative jurisdiction over a wide variety of financial
crimes. As the original guardian of our Nation's financial
payment system, the Secret Service has a long history of
protecting American consumers and industry from financial
fraud.
With the passage of Federal laws in 1984, the Secret
Service was provided primary authority for the investigation of
access device fraud, including credit card, debit card fraud,
and parallel authority with other law enforcement agencies in
identity crime cases.
In recent years, the combination of the information
revolution, the effects of globalization and the rise of
international terrorism have caused the investigative mission
of the Secret Service to evolve dramatically. With the
expanding use of the Internet and lower cost of information
processing, legitimate companies have found it profitable to
specialize in data mining, data warehousing and information
brokering.
Information collection has become a common by-product of
newly emerging e-commerce. Internet purchases, credit card
sales and other forms of electronic transactions are being
captured, stored and analyzed by businesses seeking to find the
best customers for their products.
This has led to a new measure of growth within the data
collection industry that promotes the buying and selling of
personal information. In today's markets, consumers routinely
provide personal and financial identifiers to companies engaged
in business on the Internet. They may not realize that the
information they provide in credit card applications, loan
applications or with merchants they patronize are valuable
commodities in this new age of information trading.
This wealth of available personal information creates a
target-rich environment for today's sophisticated criminals,
many of whom will organize and operate across international
borders. But legitimate businesses can provide a first line of
defense against identity crime by safeguarding the information
they collect. Creating industry standards in this area can
significantly limit the opportunities for identity crime even
while not limiting its occurrence altogether.
With the proliferation of computers and the increased use
of the Internet, high-tech identity criminals began to obtain
information from company databases and websites. In some cases,
the information obtained is in the public domain, while in
others it is proprietary and is obtained by means of computer
intrusion or by means of deceptions such as Web spoofing,
phishing and social engineering.
The method that may be most difficult to prevent is the
theft by a collusive employee. Individuals or groups who wish
to obtain personal or financial identifiers for a large-scale
fraud ring will often pay or extort an employee who has access
to this information through their employment. This collusive
employee will access the proprietary database, or copy or
download the information or remove it from the workplace either
electronically or simply by walking it out.
The Secret Service has seen Internet crime increase
significantly within the last several years. Since the early
1990s, the Eurasia-based computer underground in particular has
developed a prodigious record for malicious software
development. Starting in the late 1990s and increasing over the
last few years, the criminal element has used such malicious
software to penetrate financial and government institutions,
extract data and illicitly traffic in stolen financial identity
information. We believe that the exploitation of identity theft
information is primarily for financial purposes.
I would like to talk briefly about agency coordination and
criminal sophistication. It has been our experience that
criminal groups involved in these types of crimes routinely
operate in a multi-jurisdictional environment. This has created
problems for local law enforcement agencies that generally act
as first responders to criminal activity.
By working closely with other Federal, State and local law
enforcement, as well as international police agencies, we are
able to provide a comprehensive network of intelligence-sharing,
resource-sharing and technical expertise that bridges
jurisdictional boundaries. This partnership approach to law
enforcement is exemplified by our financial and electronic
crime task forces located throughout the country. These task
forces primarily target suspects and organized criminal
enterprises in financial and electronic criminal activity that
fall within the investigative jurisdiction of the Secret
Service.
Chairman Specter. Mr. Johnson, your time is expired. If you
would summarize, we would appreciate it.
Mr. Johnson. Finally, the best example of agent
coordination was on October 24, 2004, when the Secret Service
arrested 30 individuals across the United States and abroad for
credit card fraud. The suspects were part of a multi-count
jurisdiction investigation out of the district in New Jersey.
We had 30 arrests, 28 search warrants served simultaneously not
only in the United States, but in 11 different countries
throughout the world in conjunction with this investigation.
Thank you.
[The prepared statement of Mr. Johnson appears as a
submission for the record.]
Chairman Specter. Thank you very much, Mr. Johnson.
I note that there are still some people in the hall. If
there are, you ladies and gentlemen are welcome to move into an
area here where we have some space. Are there others who are
still in the hall without being able to come into the hearing
room? We don't want anybody to miss our hearing. Well, if
anybody comes, they are welcome to come, and if you folks would
move over into some open space to give some room, we would
appreciate it.
I want to turn now to the distinguished ranking member to
introduce his home State attorney general.
Senator Leahy. Well, thank you, Mr. Chairman. I am glad to
have Bill Sorrell here. He has been Attorney General of Vermont
since May of 1997--that is an elective office--first appointed
when the then attorney general went on to become chief justice
of the State. In elections, he has ended up being basically
endorsed by both parties. While everybody else worries about
reelection, he just sort of walks in with the strong support of
all Vermonters.
But I mention that, really, before being attorney general
he held the best elected job that there has ever been in the
State of Vermont, and that is he was Chittenden County State's
attorney. Anyone who has been Chittenden County State's
attorney will tell you that there is no finer job that you
could have in the State of Vermont, even the United States
Senate. So I am glad he is here. He is now President of the
National Association of Attorneys General, and I think we are
fortunate to have him here with us. I thank you, Mr. Chairman,
for inviting him.
Chairman Specter. Welcome, Mr. Sorrell. Were you ever an
assistant prosecutor?
STATEMENT OF WILLIAM H. SORRELL, ATTORNEY GENERAL, STATE OF
VERMONT, AND PRESIDENT, NATIONAL ASSOCIATION OF ATTORNEYS
GENERAL, MONTPELIER, VERMONT
Mr. Sorrell. I was, yes, and that was a great job, too.
Chairman Specter. Thank you for joining us and the floor is
yours.
Mr. Sorrell. Thank you, Mr. Chairman, Senator Leahy, and
other members of the Committee, for giving me the opportunity
to be here and talk about some issues that are of great
importance to me and my fellow attorneys general.
I am the President of the National Association of Attorneys
General, and I am confident that most of my colleagues, if not
all--and it could be all--agree with the thoughts that I will
present today. But I would ask the Committee to consider that
these are my remarks as the Vermont Attorney General.
First of all, I want to start, Senator Feinstein, by
thanking California for enacting the disclosure law. But for
that law, ChoicePoint might not have disclosed the security
breaches. We might not have seen and had the scrutiny we have
on these issues. We might well not be here today. So my thanks.
In thinking about my remarks today, I was reminded of the
quote that is attributed to the famous bank robber Willie
Sutton. Asked why he robbed banks, he said that is where the
money is. Unlike the days perhaps when Senator Leahy and I were
county prosecutors and you were worried about losing your TV or
your stereo and maybe your money, these days where the money is
is in the computers of data brokers, credit reporting agencies
and other large financial institutions, academic institutions
and the like, the personal information that they have, because
if they can gain that personal information, they can not only
drain your finances from the accounts that you have, but more
importantly, and in the case of so many Americans, more than
the value of what they have in accounts is their access to
credit. What identity theft is about in many, many cases is
stealing one's access to credit.
I am maybe dating myself a bit, but five or so years ago I
was here in D.C. speaking to one of the Senate committees on
Gramm-Leach-Bliley issues and saying at that time that with the
way the economy was changing, with the ability to collect more
and more information, we might well have been looking back on
that time someday and saying that was the good old days when
privacy was privacy.
Well, here we are today and we see that more information is
being gathered and that clever criminals are finding more and
more ways to steal from us, to the tune of what the Chair of
the FTC indicated to be $50 billion a year, and that number
going up.
We are here to say that the time for Federal action is now.
We much appreciate the fact several bills are being considered
in this area of the importance of the privacy and protection of
our personal information. We hope that the Congress will follow
the lead of California, and now up to 30 States that are
considering disclosure laws, to enact a security breach
notification law.
To the extent that you can take into account the fact that
the quicker the notification goes out to consumers that their
personal information has been accessed, then the FTC studies
show rather dramatically that the amount of the loss can be
significantly reduced. So time and effectiveness of the notice
are of significant importance.
We ask you, if you enact such a law, to have your law be a
floor rather than a ceiling in the same way under Gramm-Leach-Bliley
the opt-out standard applies nationally. You have
allowed States like Vermont to go forward and protect our
citizens more and to adopt an opt-in standard if we wish. And
we ask in this arena that you do the same thing, that you be
respectful of the ability of the States; if the State wishes to
be more protective, to be able to do so.
The Chair indicated that the regulation of data brokers is
sort of piecemeal. We ask you to pass a Federal statute that
regulates data brokers, again, not to preempt the States with
whatever you might do. Finally, we ask you to strengthen the
safeguards rules under Gramm-Leach-Bliley and to include in
those safeguard rules data brokers. We trust and hope that you
will remain mindful and appreciative of the role that the
States have played both legislatively and in investigations in
this area of personal information, the importance of it, and we
look forward to working with you going forward.
Thank you for asking me to be here today.
[The prepared statement of Mr. Sorrell appears as a
submission for the record.]
Chairman Specter. Thank you very much, Attorney General
Sorrell.
Senator Coburn has appropriately noted that some of the
testimony was submitted late, and we are going to be enforcing
a strong rule that where testimony is not submitted in time,
then witnesses will not be permitted to make opening
statements, but only to respond to questions, because it is
very important that we get that on time. There is a tremendous
amount of work to do to collate these materials and I thought
that cautionary word would be in order at this time.
Thank you, Senator Coburn, for focusing on that.
Senator Leahy. Mr. Chairman, I have a question on that.
What do we do in those cases where testimony is submitted, but
then entirely different testimony is given? I am thinking, for
example, of the Attorney General the other day submitted
testimony, but then the testimony he gave was considerably
different. I wouldn't want to preclude him.
Chairman Specter. Well, that happens from time to time and
leads to more vigorous cross-examination. I heard you, Senator
Leahy. He paid the price by offering different testimony from
what he had submitted in writing.
Senator Leahy. Thank you.
Chairman Specter. I don't think there is any way you can
control that. If people have to submit testimony, they will
have to focus on it and we will have at least that advanced
notice. But I do agree with you that it is problemsome when you
have something new that you haven't been prepared for, but I
thought you handled it very adroitly.
Senator Leahy. We are talking about the U.S. Attorney
General, not the Vermont Attorney General.
Mr. Sorrell. I understand that. Thank you.
Chairman Specter. Each member will now have five minutes on
questioning, and I would ask that the responses be brief.
Starting with you, Madam Chairwoman Majoras, what kind of
Federal legislation would you like to see?
Ms. Majoras. Well, as I said briefly in my opening
statement, Senator, we think that looking at extending our GLB
Safeguards Rule across a broader spectrum of companies so that
companies are required by law to have in place security
measures would be a terrific first step. And as a second step,
we think we ought to look at notice provisions where consumers
are at risk from breaches.
Chairman Specter. Well, we will be submitting to you the
draft legislation we have. You have had a lot of experience in
the FTC.
I want to address a question to both Mr. Swecker and Mr.
Johnson. Both the FBI and the Secret Service have contracted
out; the FBI paid about $75 million last year. What are you
doing, Mr. Swecker, to guarantee the security of information
which is so critical to law enforcement?
Mr. Swecker. Well, the existence of our queries by
contractor are not known--I mean, the existence is known, but
the substance of the queries are not known to ChoicePoint or
any of the data brokers that we contract with. They collect the
number and other information, but they do not collect the
subject of the query.
Chairman Specter. Are you saying then that the security
breaches like we have seen do not impact on the FBI and the
security of the information that you deal with?
Mr. Swecker. Not in the sense of knowing who we have
initiated queries on. That data, ChoicePoint and other data
brokers tell us, is not collected by them, only the number of
queries and some other basic information for billing purposes.
Chairman Specter. From the point of view of the Secret
Service, Mr. Johnson, do you face any security problems on
breaches that we have seen here?
Mr. Johnson. Mr. Chairman, no, we have not. In similar form
and fashion with the FBI, that is not known to the broker.
Other things that the Secret Service does is we continuously
monitor the information. We have assessment teams only looking
at the information flow to see if we are vulnerable in any
aspect of the information being leaked.
Chairman Specter. Attorney General Sorrell, you have
testified that you would not like to see the State laws
preempted. We have now many States which have legislated in the
field and we are considering Federal legislation. You have
these companies which will have to comply with a patchwork of
legislation.
There has been some thought that this ought to be a matter
for Federal jurisdiction on lawsuits, and at least at this
point I have grave reservations about that, first, because the
Federal courts are so heavily burdened at the present time.
And, secondly, if you come from a rural part illustratively of
Pennsylvania, Fulton County, you don't want to go to Harrisburg
or Pittsburgh to litigate your case. You can litigate Federal
claims in the State court.
I would like you to address the two issues. First, why not
preempt State laws so that these companies know what they are
dealing with and don't have to familiarize themselves with the
many, many differences?
Mr. Sorrell. First of all, Senator, on this idea of a
patchwork of different laws, our economy, with globalization,
is becoming a world economy so that there are clearly
differences between countries. We have some States which have
economies larger than most of the countries of the world, and
since we are talking about computers and information, it is
really more of a system of programming.
I mentioned Gramm-Leach-Bliley. We have for our insurance
and financial services and banking industry in Vermont an opt-in
standard rather than the national opt-out standard. Our
Vermont economy has not suffered. Companies want to come in and
do business there. It is doable and it is a minimum burden to
become aware of the level of laws in each of the States and to
stay in compliance with that.
Roughly 30 of the States are looking at disclosure laws now
and many of the States are looking at the security freeze laws.
These same companies are very mindful of what is going on in
the State houses and are in there lobbying. They want a single
standard which would be easier for them. But in our view, in
Vermont, Vermonters, if they want to go further, should be
allowed to do so.
Chairman Specter. My time has expired and I will yield at
this point to Senator Leahy.
Senator Leahy. Well, thank you, Mr. Chairman.
Madam Chair, we talked about ChoicePoint, LexisNexis, and
so on. These are well-known, but there are a whole lot of other
companies that operate well beneath the radar. Some get even
more involved in our personal life and data.
Does the FTC have any current plans to examine, identify
and check these other industry players?
Ms. Majoras. Senator Leahy, the FTC has been interested in
this industry for some time, since before the recent
revelations that have been in the news. We are working hard to
try to get a better handle on this industry. It is hard to know
at this point whether we can even call it just an industry
because it seems to have many facets, depending on how you
define it.
So in addition to several investigations that we have
pending, we are, in fact, trying to get our arms around who the
players are here so that when we are working in law enforcement
and when we are asked by Congress to help with possible
legislation, we have the facts and we know what it ought to
pertain to.
Senator Leahy. Some of the privacy experts suggest applying
some kind of fair information practices, something similar to
the Fair Credit Reporting Act, to the data brokers that are not
currently subject to such similar protections. Would you
support such an application?
Ms. Majoras. I think we should look at whether some of
those provisions should be applied. For example, if we have a
data broker who is collecting information with respect to
marketing practices, consumers, for example, may not care very
much about the accuracy of that information that is being
collected. So that may be an area where consumers don't even
want to be bothered with checking the accuracy. So again we
want to make sure that if we extend these, we extend them in a
way that makes sense.
Senator Leahy. Thank you, and I may have my staff follow up
a little bit with yours on that subject.
Ms. Majoras. Yes, sir.
Senator Leahy. Mr. Swecker, just to follow up a little bit
on what the Chairman was asking you, has the FBI audited any of
the commercial data brokers with whom you have contracts to
evaluate how they comply with those contracts and security
products? I am thinking insofar as you use them sometimes for
criminal searches.
Mr. Swecker. No, Senator, we have not done a formal audit.
We have looked at their protocols and how they capture our
queries and the substance of the query is not captured. The way
it is explained to me is there is a logging protocol that is
used that masks the existence or the substance of our query,
but does capture other information just simply for their
billing purposes, but no formal audit.
Senator Leahy. And none planned?
Mr. Swecker. I am sorry, sir?
Senator Leahy. And none planned that you know of?
Mr. Swecker. None planned that I know of.
Senator Leahy. We may want to follow up further on that
with you.
We also have the whole question of data mining technology.
There are a lot of different forms of it, algorithms that look
for patterns, profiles, and so on. What kind of data mining
does the FBI utilize, and assuming you can answer this in an
open hearing, what kinds of protections are in place to prevent
abuse?
Mr. Swecker. There really isn't data mining, per se. Each
query is predicated and connected to an investigation, at least
a preliminary inquiry. So we don't data-mine through the data
broker's information. There are specific queries that are made
that are connected to specific investigations that are
predicated.
The closest that you could come to calling it data mining
would be large-batch queries that are sometimes done with 40,
50 names at one time. But as far as just mining through the
data, that does not occur.
Senator Leahy. I will follow up with a further question on
that.
Attorney General Sorrell, you said that many consumers in
Vermont attempted to obtain a free report under Vermont law
after learning about the ChoicePoint and the other security
breaches. And they were told incorrectly, it turned out, by the
credit bureau's voice mail systems that they were not eligible
for a free credit report.
Have the credit reporting bureaus since resolved this
problem? Have you heard from other attorneys general that they
have had in their State the same kind of problem?
Mr. Sorrell. I think there are about seven States that,
like Vermont, had a statute before the Federal statute granting
individuals annual access to their credit reports. I haven't
heard from the other States. We have communicated with the
credit reporting agencies reminding them of the Vermont law,
quite apart from the Federal law which, for Vermont, I don't
think is effective until this coming September.
I don't have up-to-date information to know whether
consumers have called in within the last couple of days to
complain about that. But, again, this is one of those issues
where Vermont and some other States were ahead of the Federal
Government in setting a more protective standard for our
consumers and the Congress followed suit, ultimately.
Senator Leahy. Thank you. Thank you, Mr. Chairman.
Chairman Specter. Thank you very much, Senator Leahy.
Senator Leahy. I have other questions I will submit for the
record.
Chairman Specter. Fine.
Senator Coburn.
Senator Coburn. Thank you, Mr. Chairman.
Attorney General Sorrell, if we were to make changes in
terms of trying to protect States' rights and States' options,
can you suggest a way to create an opt-in/opt-out phenomenon in
the Bliley bill that would incorporate your concerns and still
give you the flexibility as a State, but still we could have a
more uniform practice throughout the country?
Mr. Sorrell. I would be happy to. This is really an area
where I would be out in front of my colleagues, since we have
not discussed an opt-in/opt-out national standard. I think it
would depend on the nature of the information that is being
collected and for what purposes it may be accessed; as the
Chair suggested, marketing surveys as opposed to considerations
for extension of credit and such.
One thing that a number of the States are doing right now
which is very effective in terms of combatting identity theft
is to be able to freeze access to your credit reports.
California, Texas, Louisiana and Vermont have those laws or
they are about to go into effect.
There is some downside for consumers when you do that
because if you go to a store and want to open up an instant
credit account, you can't get it. If you haven't thought a
little bit ahead that you are looking for a mortgage to
refinance or a new mortgage, or rent an apartment or buy a car
or something like that, there is a time lag.
But on the other hand, when it is access to your credit
that is the main way that you can be the victim of identity
theft crimes, then you can put a hold on your credit history
going out. Four States have done it and others are considering
it, and it is a very effective tool that some of the States
have looked at to combat identity theft. And you can do it for
periods of time, you can do it on an ongoing basis, and it is
much more effective than just putting a security alert on your
credit history.
Senator Coburn. But for the State of Vermont and your
position, you can't see that you would object if you were left
with the flexibility to opt in or opt out for Vermont if we
were to have Federal legislation?
Mr. Sorrell. I am sorry if I missed the point of your
question, Senator. What I am asking for is that in this area of
privacy, if there is Federal legislation that it be a floor as
opposed to a ceiling and give the laboratory of the States,
mindful of their priorities, the ability to be more protective
if they wish, knowing that there might be some downside for
individuals or for the economy in those States if they are
willing to take on those burdens in return for the extra
protection.
There is some burden for the companies to be dealing with
different rules and regulations, but that is the case
environmentally with any number of other consumer laws right
now and it can be the case here.
Senator Coburn. Mr. Chairman, just for the record I would
note that I have a great deal of difficulty with my credit card
company because they are so aggressive, and as much as I travel
around the country they won't let me charge until they talk to
me on the phone. They are not sure I am who I think I am.
Sometimes, I am not sure I am who I think I am.
But either way, we have a broad continuum of security
checks that are going on now by individual businesses who offer
credit, and I just think that the hearing ought to focus in the
future on how do we create a better climate for the security of
consumers in terms of their credit, but also leave the States
the individual right to opt higher. I would agree with you.
I thank you, Mr. Chairman.
Chairman Specter. Well, those are very important
considerations, Senator Coburn. How do they tell it is you? Do
they know your voice?
Senator Coburn. They ask for my mother's maiden name and my
grandmother's maiden name.
Chairman Specter. You fellows from Oklahoma don't have such
distinct dialects as those of us from Kansas.
Senator Coburn. We have a twang, Mr. Chairman.
Chairman Specter. Thank you, Senator Coburn.
Senator Feinstein.
Senator Feinstein. Well, thanks very much. Just quickly in
response to Senator Coburn, the legislation that I have
introduced in terms of protections for people in the opt-in/
opt-out is that the opt-out is for significant personal data--
Social Security number, driver's license, personal health,
personal financial data. That would be opt-in. Lesser things
would be opt-out. That is just for your information.
Attorney General, thank you very much for your comment
about California. You mentioned that you thought this
legislation should be a floor and not a ceiling, and that other
States should be able to enter the arena. My concern is that if
you have a different standard for notification--I am going to
talk about that in a minute, but a different standard for
notification in every State, it makes it very difficult.
It seems to me that the standard for notification should be
the same; in other words, what kind of information you must
notify on, what the procedures for notification are, can you do
it in e-mail, must you do it in writing and e-mail. Those kinds
of things should be national, and then anything a State wants
to do in addition to that would be up to the State.
Could you comment?
Mr. Sorrell. Do you envision a standard of whether there is
substantial likelihood of misuse of the information or that it
is just notification that the information has been accessed?
Senator Feinstein. Well, this is what I wanted to talk with
the Chairman about because she has some quotes on this subject.
I think any time the database is breached, that information is
then out there. How do you know if it is significant risk,
because somebody who gets 100,000 I.D.s about different people
can sit back and use them in a year, in two years, can sell
them? I think it is very difficult to determine significant
risk.
Mr. Sorrell. I agree with you, Senator. I am pleased to
hear you say that. I guess in answer to your other question, it
depends on what standard you set. In the case of ChoicePoint,
and with all due respect to ChoicePoint, it is my understanding
that the notifications that they sent out originally to
California and then, under some pressure or encouragement, to
other Americans--these notices, or a number of them, when
coming through the mail, came in envelopes that just said
``ChoicePoint.''
Now, frankly, I had never heard of ChoicePoint until this
issue broke and if I had received something from ChoicePoint, I
would have assumed it was just another credit card offer and it
would have gone in the recycling bin. So, hopefully, to the
extent that a Federal standard is set, the notification will be
such that it will prominently let consumers know that this has
to do with access to your personal information as opposed to
something from a company maybe they never heard of.
Senator Feinstein. Thank you. You have made a very good
suggestion. We will take you up on it.
Good morning, Madam Chair. If I may, when you appeared
before the Senate Committee on Banking, you stated in response
to Senator Reed that prompt notification of breaches should be
given when there is significant risk to consumers. I think this
is one of the biggest areas in notice, the idea of what
triggers notice so as to avoid over-notification, but at the
same time ensure, just as I have pointed out, that individuals
are notified because you don't know what might be done with
that information. So I would like to explore this with you
further.
I would like to know why you take the position that notice
should only be sent if there is significant risk to consumers
and how you would define that.
Ms. Majoras. Thank you. That is an excellent question,
Senator Feinstein, and one that we are currently grappling with
at the FTC. The issue is exactly the one that you have raised--
over-notification. We have a lot of experience in dealing with
consumers on a lot of different types of security issues and,
of course, Gramm-Leach-Bliley, and what we have learned is that
eventually consumers will become numb to notices if they are
getting them consistently.
So, for example, when we have a young hacker who finds it
to be sport to hack into a significant database and then call
the company and say, ``ha, ha,'' I hacked into your database,
but who is then investigated and is seen not to have any
intention, and indeed no longer has access to the information
so that the person can commit the crime of identity theft,
there isn't a risk there to consumers.
There are other types of situations we are envisioning in
which, if we define breach very, very broadly, companies will
have no choice but to be sending out constant notices to avoid
liability. And we are worried that consumers will just think
that it is a cry of wolf and will stop worrying about it. That
is the concern.
Senator Feinstein. I think your point is well taken if you
have an opt-in/opt-out situation. Right now, consumers don't
know; they don't know the depth and breadth. For example, the
gentleman that ran the video--Senator Leahy pointed out health
information is advertised on that website. They can get your
hospital records. Now, how they do that I don't know.
Does anybody in this room want their hospital records sold
or available to anybody? I don't think so, and that is where we
are. So if we have for significant personal data the individual
has to say, yes, Wells Fargo Bank, yes, ChoicePoint, yes,
LexisNexis, you can sell my data, or you cannot sell my data,
and for less significant data that they must opt in, they must
write a letter and I say I don't want any of my personal data
sold for commercial profit--
Chairman Specter. Senator Feinstein, your time is a bit
past.
Senator Feinstein. It went by fast. Thank you, Mr.
Chairman.
Chairman Specter. We are going to be starting a vote in
just a few minutes. It has been advanced to 10:50 and I want to
be sure we cover this round.
Senator Feinstein, have you concluded?
Senator Feinstein. No, but my time is up.
Chairman Specter. Thank you.
Senator Feingold.
STATEMENT OF HON. RUSSELL D. FEINGOLD, A U.S. SENATOR FROM THE
STATE OF WISCONSIN
Senator Feingold. Thank you, Mr. Chairman. I do want to
thank you for holding this hearing today and I have benefitted
from listening to the witnesses. I ask that my full statement
be printed in the record.
Chairman Specter. Without objection, it will be made part
of the record.
[The prepared statement of Senator Feingold appears as a
submission for the record.]
Senator Feingold. Thank you, Mr. Chairman.
I am concerned about an aspect of the data broker business
that has not received a lot of attention. The information
gathered by these companies is sold not just to individuals and
businesses, but also to law enforcement agencies like the FBI.
While the Government should be able to access commercial
databases in appropriate circumstances, there are no existing
rules or guidelines to ensure that this information is used
responsibly, nor are there restrictions on the use of
commercial data for powerful, privacy-intrusive data mining
programs.
Mr. Chairman, that is why I am planning to reintroduce in
the next few days my Data Mining Reporting Act which would
require all Federal agencies to report to Congress on data
mining programs used to find patterns, including terrorist or
other criminal activity. I am glad this hearing gives us an
opportunity to explore both government and commercial reliance
on data brokers, and I look forward to working on Senator
Feinstein's legislation and the other legislation that is being
introduced to address this issue.
In terms of my time to question, Mr. Swecker, you testified
that the FBI subscribes to some of ChoicePoint's products. No
doubt that these databases are useful investigative tools and
can in appropriate circumstances enhance the efficiency of
investigations. But it would be helpful to understand more
about how the Bureau uses information from companies like
ChoicePoint.
So to begin, from what companies besides ChoicePoint does
the FBI currently subscribe?
Mr. Swecker. Senator, we contract with Dun and Bradstreet,
LexisNexis, Westlaw, the National Insurance Crime Bureau,
Credit Bureau Reports, as well. I think it is important to
emphasize this is all publicly available information. It is
just a compilation of public source information all in one
place.
Twenty-three years ago when I first came to the FBI, I
would have had to physically walk down to the courthouse to get
courthouse records or go places to collect these records. Being
able to make one query and get all these records at one time
saves investigative time and it saves resources. That is why we
use it. There is no data mining that takes place and I think
that is--
Senator Feingold. I am just trying to get some information
first.
Mr. Swecker. Okay.
Senator Feingold. You mentioned in your testimony that
ChoicePoint makes available public record information, but in
an aggregated form. What type of public record information is
contained in the products to which the FBI subscribes, and what
other types of records are available to the FBI through
commercial data brokers?
Mr. Swecker. Everything from driver's license information,
last known addresses, dates of birth, public court records,
court filings, liens, newspaper records. It runs the whole
gamut of public information.
Senator Feingold. And then how often do investigators use
these databases?
Mr. Swecker. The data that I looked at showed that we
conducted somewhere over a million inquiries in 2003, I think,
or close to a million, and possibly about 1.2 million, I think,
just with ChoicePoint more recently, I think, in 2004. I may
have my fiscal years mixed up there.
Senator Feingold. Does the FBI have benchmarks regarding
the accuracy and security of data that it uses to evaluate
whether to enter into a contract with information brokers? Do
you have a process to review the quality and the accuracy of
the data?
Mr. Swecker. My understanding is that is why we contract
with all of these different companies because we are able to
compare the information that comes in on the same person from
four or five different data brokers and actually get to the
accurate information. So that is why we don't just contract
with one company. We contract with four or five different
companies.
Senator Feingold. But do you have a process to sort of
compare and evaluate the quality of what you are getting? I
mean, you are talking about contracting, you are talking
presumably about spending the taxpayers' dollars to purchase
this ability to do this. Is there an accountable and effective
way to evaluate the quality and accuracy and security of this
information?
Mr. Swecker. Coming from the data brokers? We compare it to
our own information as well and we have analysts that go
through this data. Yes, of course, we try to make sure this is
accurate information.
Senator Feingold. Do you make determinations as to whether
one is better than the other in terms of who you are going to
contract with? I assume you make judgments that some are better
than others.
Mr. Swecker. Each one of these data brokers has a different
strength in terms of what type of information they provide us
and a lot of it is lead information that takes us somewhere
else and it gives us places to start, comparing last known
addresses, for example.
Senator Feingold. Mr. Swecker, I understand from your
testimony--I think Senator Leahy talked about this--that FBI
agents use commercial databases to conduct individualized
searches to locate people who are already suspects or to
further an investigation of someone who is already a suspect.
Actually, on this one I am interested in hearing from Mr.
Johnson. I believe you already covered this.
Mr. Johnson, is the Secret Service also using commercial
data to run more open-ended data mining searches to look for
people who might fit a certain pattern of criminal or terrorist
activity?
Mr. Johnson. We do. The way the Secret Service is, through
partnerships and our electronic crimes task forces, most, if
not all, data brokers are members of our task forces. So in
conjunction with an investigation, they provide that small part
of what we might need to further that investigation. Does that
answer your question?
Senator Feingold. So you use it, but you--
Chairman Specter. Senator Feingold, your time is expired.
If you would conclude perhaps with another question--
Senator Feingold. Thank you, Mr. Chairman. I am fine.
Chairman Specter. Senator Schumer has just joined us. His
timing is impeccable. Economizing on his own time, he was here
at the start and now comes right in when he is recognized.
Senator Schumer.
STATEMENT OF HON. CHARLES E. SCHUMER, A U.S. SENATOR FROM THE
STATE OF NEW YORK
Senator Schumer. Thank you, Mr. Chairman. I want to thank
you for holding this hearing and Senator Leahy for requesting
that the hearing be held. I have a couple of questions, but
before I do I just want to note that yesterday Senator Nelson,
of Florida, and I dropped in a comprehensive bill on identity
theft and here are some of the things it would do.
It would create an FTC office of identity theft that would
help millions of victims of I.D. theft each year get their
identities back through an accessible website, a toll-free
phone number and consumer service teams. We all know the
hundreds of hours people spend trying to get their identities
back.
Second, we would regulate data merchants. It would be
similar to the regulation we have done in the Banking
Committee. I know you testified before them, Madam Chairperson.
It would be akin to what we do with credit bureaus. We would
make them register with the FTC. We would institute safeguards
to prevent fraudulent access by unauthorized parties and
require them to develop authentication processes. In other
words, we would actually regulate the use of people's
information.
We have a tightrope to walk here. On the one hand, in this
new society with computers we want information to be available.
It helps commerce. On the other hand, when so much information
is available, it is part of people's identity and they have
some right to be protected. I think our legislation--we have
worked long and hard at it--does walk that tightrope in terms
of accuracy and in terms of what can be done.
We do a disclosure box so that people will know what has
happened with their information. It is similar to the Schumer
box which has been on credit cards for a long time, which I had
championed while I was in the House. We require companies to
take reasonable steps to protect sensitive information and we
have a whole bunch of provisions about Social Security numbers
which make it much harder, not impossible, but harder, without
justification, to use Social Security numbers.
So this is the basic outline of the legislation, which I
think is comprehensive. I think we have had lots of pieces out
there from the States, a few here federally. The notification
proposal that Senator Feinstein has championed, I think, is
excellent and we want to support that as well. But these are
things in terms of regulating the companies and things like
that.
[The prepared statement of Senator Schumer appears as a
submission for the record.]
Senator Schumer. So I want to ask you, Chairwoman Majoras,
when I talked with you in front of the Senate Banking Committee
you were unsure whether the FTC had jurisdiction over data
brokers like ChoicePoint and some of the others where we have
seen problems. This lack of clear jurisdiction risks leaving
data brokers subject to a confusing and incomplete patchwork of
laws. In our legislation, Senator Nelson and I give the FTC
clear jurisdiction to regulate data merchants like ChoicePoint.
Do you agree that a clear mandate for the FTC would go a
long way in clearing up the confusion about the laws and better
protect consumers? Do you also agree that it would help stop
the situations we have seen with many companies like
ChoicePoint and LexisNexis to have clear jurisdiction over
these companies?
Ms. Majoras. Thank you, Senator. The FTC currently does
have jurisdiction, but it is under a patchwork of a couple of
different laws. Just to be absolutely clear, I haven't had an
opportunity yet, Senator, nor has my staff to review your bill
closely.
Senator Schumer. We sent it to you.
Ms. Majoras. Yes, and we appreciate that. We look forward
to reviewing it very carefully and, where we have found any
gaps in the law, to work with you on whether this is the right
legislation to fill those gaps.
Senator Schumer. I would just ask could you respond to us
for the Committee record about the legislation in, say, within
a week? Could I ask unanimous consent that we get a response
within a week, or is that too quick?
Ms. Majoras. It is a bit quick because lots of bills are
coming in at a rapid rate, and so a couple of--
Senator Schumer. Then I will just ask you to get a response
to us quickly.
My final question is this: One of the biggest complaints I
have heard from constituents on identity theft is people don't
know where to go or what to do when their identity has been
compromised. When your car breaks down, you know where to go.
When you are the victim of a burglary, you know where to go,
the local police station. But when you get your identity
stolen, you don't know where to go.
What do you think off the top of your head of the idea of
creating this office in the FTC of identity theft--we would
fund it, obviously; we would spend $60 million--so that people
would have a place to go with experts who could help them clear
their names?
Ms. Majoras. In my eight months on the job, I don't think I
have ever turned down any additional funding, Senator. Thank
you. It does sound like perhaps--and, of course, I haven't
looked at it, so I have to be cautious.
Senator Schumer. Yes, I understand.
Ms. Majoras. But it does sound like an expansion of what we
are already doing in our office. We have been the clearinghouse
for identity theft information and for education and training
for consumers, businesses and other law enforcement for years
now. We think that message is getting out, which is why we get
15 to 20,000 contacts from consumers a week on identity theft.
But by all means, education empowers consumers and we would be
happy to expand our education efforts.
Senator Schumer. I know my time is about to expire.
Chairman Specter. No, no, it has expired.
[Laughter.]
Senator Schumer. I would just say the job is not just
education, but it is also helping people with their problems,
and that is what we would want the office to do.
Ms. Majoras. I understand. Thank you.
Senator Schumer. Thank you. Thank you, Mr. Chairman.
Chairman Specter. Thank you very much, Senator Schumer.
Thank you, Chairman Majoras. Thank you, Mr. Swecker. Thank
you, Mr. Johnson. Thank you, Attorney General Sorrell. We very
much appreciate your testimony and coming in.
The time of the vote has now been deferred until 12:15. You
just can't rely on times for votes, but we are still going to
maintain meticulous observance of our time limits, and we are
going to have a job in getting through the next panel even
thus.
If we could now have Mr. Curling, Mr. Sanford, Ms. Barrett,
Mr. Dempsey and Mr. Douglas step forward, I would appreciate
it.
If you would raise your right hands, do you solemnly swear
that the testimony you will present before the Senate Judiciary
Committee will be the truth, the whole truth and nothing but
the truth, so help you God?
Mr. Sanford. I do.
Mr. Curling. I do.
Ms. Barrett. I do.
Mr. Dempsey. I do.
Mr. Douglas. I do.
Chairman Specter. Let the record show that all five
answered in the affirmative.
Our first witness is Mr. Kurt Sanford, President and Chief
Executive Officer of U.S. Corporate and Federal Markets for
Reed Elsevier's Global Division of LexisNexis Group. He was
previously the CEO of LexisNexis Asia-Pacific, a $2 billion
division.
We welcome you here, Mr. Sanford, and the floor is yours
for five minutes.
STATEMENT OF KURT P. SANFORD, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, U.S. CORPORATE AND FEDERAL MARKETS, LEXISNEXIS,
MIAMISBURG, OHIO
Mr. Sanford. Chairman Specter, ranking member Leahy and
distinguished members of the Committee, good morning. My name
is Kurt Sanford. I am the President and Chief Executive Officer
for Corporate and Federal Markets at LexisNexis. I appreciate
the opportunity to be here today to discuss the important
issues surrounding data security and privacy in the use of
commercial data.
LexisNexis is a leading provider of authoritative legal
public records and business information. LexisNexis plays a
vital role in supporting government, law enforcement and
business customers who use our information services for
important uses, including detecting and preventing identity
theft and fraud, locating suspects, finding missing children,
and preventing and investigating criminal and terrorist
activities.
LexisNexis works closely with Federal, State and local law
enforcement agencies on a variety of criminal investigations.
For example, information provided by LexisNexis was recently
used to locate and apprehend an individual who threatened a
district court judge and his family in Louisiana.
LexisNexis products are also used by financial institutions
to help address the growing problem of identity theft and
fraud. In 2004, 9.3 million consumers were victimized by
identity fraud. Credit card companies report $1 billion in
losses each year from credit card fraud. With the use of
LexisNexis, a major bank card issuer experienced a 77-percent
reduction in the dollar losses due to fraud associated with
identity theft. These are just a few examples of some of the
important ways in which our products are used by our customers.
While we work hard to provide our customers with effective
products, we also recognize the importance of protecting the
privacy of the consumer information in our databases. We have
privacy policies, practices and procedures in place to protect
this information. Our chief privacy officer and privacy policy
review board work together to ensure that LexisNexis has strong
policies to help safeguard consumer privacy. LexisNexis also
has multi-layer security processes and procedures in place to
protect our systems and the information contained in our
databases.
Maintaining security is not a static process; it requires
continuously evaluating and adjusting our security procedures
to adjust to the new threats we face everyday. Even with these
safeguards, we recently discovered some security incidents at
our Seisint business which we acquired last September.
In February 2005, a LexisNexis integration team became
aware of some billing irregularities and unusual usage patterns
with several customer accounts. Upon further investigation, we
discovered that unauthorized persons using I.D.s and passwords
of legitimate Seisint customers may have accessed personal
identifying information such as Social Security numbers and
drivers' license numbers. No personal financial, credit or
medical information was involved, since LexisNexis and Seisint
do not collect that type of information.
In March, we notified approximately 30,000 individuals
whose personal identifying information may have been unlawfully
accessed. Although no individuals who have responded to our
notice have reported any incidents of identity theft or fraud,
law enforcement has recently informed us of ten incidents of
potential identity fraud where new accounts have been opened.
Most of these incidents involve the opening of a new e-mail
account or similar activity, while a few involve potential
credit card fraud. We are in the process of reaching out to
those individuals to put them in touch with the identity theft
counselors.
Based on these incidents at Seisint, I ordered an extensive
review of data search activity going back to January 2003 at
our Seisint unit and across all LexisNexis databases that
contain personal identifying information. We have just
completed that review and concluded that unauthorized persons,
primarily using I.D.s and passwords of legitimate Seisint
customers, may have accessed personal identifying information
on approximately 280,000 additional individuals. At no time was
the LexisNexis or Seisint technology infrastructure hacked into
or penetrated, and no customer data was accessed or
compromised.
We sincerely regret these incidents and any adverse impact
they may have on the individuals whose information may have
been accessed. We will begin notifying those individuals
immediately. We are providing all individuals with a
consolidated credit report and credit monitoring services. For
those individuals who do become victims of fraud, we will
provide counselors to help them clear their credit reports of
any information relating to fraudulent activity. We also
provide them with identity theft insurance to cover expenses
associated with restoring their identity and repairing their
credit reports.
We are working cooperatively with the U.S. Secret Service
and the Electronic Crimes Task Force in their investigation of
these crimes. We greatly appreciate the professionalism,
specialized skills and efforts provided by the Secret Service
and other law enforcement organizations.
We have learned a great deal from the security incidents at
Seisint and are making substantial changes in our business
practices and policies across all LexisNexis businesses to help
prevent any future incidents. I have included the details of
these enhancements in my written statement.
I note my time is expired. I appreciate the opportunity to
be here. In my written statement, I indicated the type of
legislation that LexisNexis has already indicated it would
support.
[The prepared statement of Mr. Sanford appears as a
submission for the record.]
Chairman Specter. Thank you very much, Mr. Sanford.
We turn now to Mr. Douglas Curling, President and Chief
Operating Officer of ChoicePoint. Mr. Curling has had a variety
of positions with ChoicePoint, and before was Vice President
and Assistant Corporate Controller at Equifax.
We welcome you here, Mr. Curling, and we would be
interested to know what your company has found, the breaches,
and what you have done about them. The floor is yours for five
minutes.
STATEMENT OF DOUGLAS C. CURLING, PRESIDENT AND CHIEF OPERATING
OFFICER, CHOICEPOINT, ALPHARETTA, GEORGIA
Mr. Curling. Chairman Specter, Senator Leahy and members of
the Committee, good morning. I am Doug Curling, President and
Chief Operating Officer of ChoicePoint. At ChoicePoint, we
recognize that in an increasingly risky world, information and
technology can be used to help create a safer, more secure
society. At the same time, we know, and have been painfully
reminded by recent events, that there can be negative
consequences to the improper access of personally identifiable
information.
On behalf of ChoicePoint, let me again offer our sincere
apology to those consumers whose information may have been
accessed by criminals who perpetrated this recent fraud. As a
result of these experiences, we have made fundamental changes
to our business model and products to prevent this from
happening in the future.
By way of background, ChoicePoint is a leading provider of
identification and credential verification to businesses,
governments and non-profit organizations. We have 5,000
associates in 60 locations. We serve more than 7,000 Federal,
State and local law enforcement agencies, as well as a
significant number of Fortune 500 companies, more than 700
insurance companies and many large financial services
institutions.
The majority of transactions our business supports are
initiated by consumers. Last year, ChoicePoint helped over 100
million American consumers secure home and auto insurance, more
than 7 million American consumers get jobs from our workplace
solutions pre-employment screening services, and more than 1
million consumers obtain expedited copies of their vital
records--birth, death and marriage certificates.
In addition to helping consumers, ChoicePoint helps
agencies at all levels of government fulfill their mission to
safeguard our country and its citizens. Our products and
services are also used by many non-profit organizations. For
example, we have identified 11,000 undisclosed felons among
those volunteering or seeking to volunteer with the Nation's
leading youth service organizations.
Mr. Chairman, apart from what we do, I also understand that
the Committee is interested in how our business is regulated by
Federal legislation as well as various State regulations,
including the FCRA, the recently enacted companion FACT Act,
the Gramm-Leach-Bliley Act and the Drivers' Protection Act.
Sixty percent of ChoicePoint's business is driven by
consumer-initiated transactions, most of which are regulated by
the FCRA. These include pre-employment screening, auto and home
insurance underwriting services, tenant screening services, and
facilitating the delivery of vital records to consumers.
Nine percent of ChoicePoint's business is related to
marketing services, none of which include the distribution of
personally identifiable information. Five percent of
ChoicePoint's business is related to supporting law enforcement
agencies in pursuit of their investigative missions through
information and data services.
Six percent of our business supports law firms, financial
institutions and general businesses to help mitigate fraud
through data and authentication services. Finally, 20 percent
of our business consists of software and technology services
that do not include the distribution of personally identifiable
information.
Financial and identity fraud is a rapidly growing and
costly threat to our Nation's economy. While we offer a wide
range of tools to help avoid fraud, no one is immune to it, as
we and other companies and institutions have learned.
ChoicePoint has previously provided Congress with information
about how identity thieves in California were able to access
our products. As you know, California has been the only State
that requires consumers to be notified of a potential breach of
personally identifiable information.
Contrary to prior statements at this hearing, we not only
followed California law, we built upon it and voluntarily
notified consumers who may have been impacted across the
country, and we did that before anyone called upon us to do so.
We have also taken other steps to help the system protect
consumers who may have been harmed in this incident. First, we
arranged for a dedicated website and toll-free number. Second,
we provided free of charge a three-bureau credit report. And,
third, we are providing free of charge a one-year subscription
to Credit Monitoring Service.
In addition to helping those affected consumers, we have
taken strong remedial action and made fundamental changes to
our business and products. First and most importantly,
ChoicePoint has decided to discontinue the sale of information
products that contain personally identifiable information,
unless these products and services meet one of three tests.
First, the product supports consumer-driven transactions
such as insurance, employment and tenant screening, or provides
consumers with access to their own data. Second, the product
provides authentication or fraud prevention tools to large
accredited corporate customers where consumers have existing
relationships, and, third, when personally identifiable
information is needed to assist Federal, State or local
government and criminal justice agencies in their important
missions.
We have also significantly reviewed and strengthened our
credentialing process. We are recredentialing broad sections of
our customer base, including more stringent diligence like bank
references and site visits. We have created an independent
office of credentialing compliance and privacy that reports
directly to the board of directors' privacy committee. Finally,
we appointed Robert McConnell, a 28-year veteran of the Secret
Service and former chief of the Federal Government's Nigerian
organized fraud crime task force, to serve as our liaison to
law enforcement.
My testimony includes the legislation we would support and
we welcome the opportunity to work with this Committee in
trying to address this important issue.
[The prepared statement of Mr. Curling appears as a
submission for the record.]
Chairman Specter. Thank you very much, Mr. Curling.
Our next witness is Ms. Jennifer Barrett, Chief Privacy
Officer of Acxiom Corporation. She has been with the company
since 1974, after receiving a degree in mathematics and
computer science at the University of Texas. She has had a
series of important positions with the company.
We welcome you here today, Ms. Barrett, and look forward to
your testimony.
STATEMENT OF JENNIFER BARRETT, CHIEF PRIVACY OFFICER, ACXIOM
CORPORATION, LITTLE ROCK, ARKANSAS
Ms. Barrett. Thank you, Chairman Specter, Senator Leahy,
distinguished members of the Committee. Thank you for allowing
Acxiom the opportunity to participate in today's hearing, and I
ask that my written statement be inserted into the record.
Chairman Specter. Without objection, your full statement
will be made a part of the record.
Ms. Barrett. Thank you.
Mr. Chairman, let me be blunt. The bad guys are smart and
they are getting more organized. They are using their skills to
illegally and fraudulently access information. Acxiom must
therefore remain diligent and innovative by constantly
improving, auditing and testing our systems and, yes, even
learning from security breaches in the marketplace.
Information is an integral part of the American economy and
Acxiom recognizes its responsibility to safeguard the personal
information it collects and brings to market. As FTC Chairman
Majoras recently stated in testimony before both the Senate and
the House, there is no such thing as perfect security and
breaches can happen even when a company has taken every
reasonable precaution. Although we believe this is true, no one
has a greater interest than Acxiom in protecting its
information because our very existence depends on it.
Acxiom's U.S. business includes two distinct components--
our customized computer services and a line of information
products. Our computer services represent more than 80 percent
of the company's business and help businesses, not-for-profit
organizations, political parties and government manage their
own information. Less than 20 percent of Acxiom's business
comes from its four information product lines--fraud management
products, background screening products, directory products and
marketing products. Our fraud management and background
screening products are the only Acxiom products containing
sensitive information and they represent less than 10 percent
of our business.
Acxiom would like to set the record straight in response to
a number of misunderstandings that have developed about the
company. First, Acxiom does not maintain one database
containing dossiers on anyone. Instead, we maintain discrete,
segregated databases for every product.
Second, Acxiom does not commingle client information from
our computer services with our information products. Such
activity would constitute a violation of our contracts and
consumer privacy.
Third, Acxiom's fraud management products are sold only to
a handful of large companies and government agencies who have a
legitimate need for them. The information utilized in these
products is covered under the safeguard and use rules of the
Gramm-Leach-Bliley Act and both State and Federal drivers'
privacy protection laws.
Fourth, Acxiom's management verification services only
validate information already in our clients' possession. Access
to additional information is only available to law enforcement
and the internal fraud departments of large financial
institutions and insurance companies. Fifth, our background
screening products are covered under the Fair Credit Reporting
Act. We do not pre-aggregate any of the information for this
purpose.
Beyond these protections, the following additional
safeguards exist. First, because Acxiom has blended public
information with regulated information in both our fraud
management and background screening products, we voluntarily
apply the more stringent security standards to all such blended
data, even though not required by law.
Since 1997, Acxiom has posted a privacy policy on our
website describing our on- and offline practices, thus
voluntarily subjecting the company to the FTC rules governing
unfair and deceptive conduct.
Third, the company has imposed our own more stringent,
restrictive guidelines on sensitive information such as Social
Security numbers. Fourth, all of Acxiom's products and
practices have been audited on an annual basis since 1997 and
our security policies are regularly audited both internally and
externally by our clients.
Two years ago, Acxiom experienced a security breach on one
of our external file transfer servers. Fortunately, the vast
majority of the information involved was of a non-sensitive
nature and law enforcement was able to apprehend the suspects
and ascertain that none of the information was used to commit
identity fraud. Since then, Acxiom has put even greater
protections in place for the benefit of both consumers and our
clients.
In concluding, ongoing privacy concerns indicate that
adoption of additional legislation may be appropriate. Acxiom
supports efforts to pass federally preemptive legislation
requiring notice to consumers in the event of a security breach
which places the consumer at risk of identity fraud, and we
also support the recent proposal from FTC Chairman Majoras and
her comments today extending the GLBA safeguards rule.
Mr. Chairman, on behalf of Acxiom, I want to express our
gratitude for the opportunity to participate in this hearing
and we are happy to answer any questions the Committee may
have.
[The prepared statement of Ms. Barrett appears as a
submission for the record.]
Chairman Specter. Thank you very much, Ms. Barrett.
We now turn to Mr. James Dempsey, who is the global
Internet policy head for the Center for Democracy & Technology.
He has a record of having been deputy director for the Center
for National Security Studies, special counsel to the National
Archives, and with a House Judiciary subcommittee in the past.
Thank you for joining us, Mr. Dempsey, and we look forward
to your testimony.
STATEMENT OF JAMES X. DEMPSEY, EXECUTIVE DIRECTOR, CENTER FOR
DEMOCRACY & TECHNOLOGY, WASHINGTON, D.C.
Mr. Dempsey. Good morning, Mr. Chairman, Senator Leahy.
Thank you for the opportunity to testify this morning.
We are at a historic moment, I think, today at this hearing
for four reasons. First of all, the recent security breaches at
a range of companies and institutions have opened a window on
the really extraordinary changes that have occurred to the
information landscape in recent years.
There is no need to demonize the information service
companies. The goal is not to put them out of business. They
serve very legitimate purposes, as we have heard today, but
they have grown up very rapidly and now it is time for the law
to catch up, to provide a framework of oversight and
accountability.
Secondly, the debate over harms is now ended. It is clear
that the lack of a privacy and security framework is causing
real harm to individuals. This isn't some hypothetical debate
about marketing data.
Third, the concerns go beyond security and the harms go
beyond identity theft. If people are being screened for
employment or being denied jobs or screened by landlords and
denied the ability to rent an apartment, those are real harms.
People should have a right to see that information that is used
and the right to challenge it, and the companies compiling it
should have some responsibility for its accuracy. The Fair
Credit Reporting Act covers many of those applications, but has
gaps.
Finally, the industry itself is now open to closing some of
the gaps in the law, as you have heard at the table today. So
we have an urgent situation. We clearly lack an adequate policy
framework. How do we make sure we do not squander this
opportunity? There are five sets of policy responses for this
Committee and for the Congress.
As a first step toward mitigating identity theft, entities,
including universities and government agencies, holding
sensitive personal data should be required to notify
individuals in the event of a security breach. Since leading
information service companies already have spoken in favor of
Federal legislation, there is no need to dwell on this other
than to say that it makes no sense to enact a law weaker or
less comprehensive than the California law. Also, part of the
notice solution should be options about what consumers can do
when they receive notice. There should be easier ways to freeze
credit reports or to put more permanent fraud alerts on credit
reports.
Secondly, since notice only kicks in after a breach has
occurred, Congress should require entities that electronically
store personal information to implement security safeguards
similar to those required by a California law AB 1950 and the
regulations under Gramm-Leach-Bliley.
Third, Congress should impose tighter controls on the sale,
disclosure and use of Social Security numbers. Senator
Feinstein has been a leader on this issue for a number of years
and the time to address this issue has clearly come. We should
take the Social Security number out of the credit header. I
don't see any need to send that out in response to a name
query, or to use that in the credit header.
I think we need to shut down the kinds of sales of Social
Security numbers illustrated by Mr. Douglas. Keep the Social
Security number off student I.D. cards and employee cards and
medical insurance cards. Also, we need somehow to break the
habit of using the Social Security number as an authenticator.
People treat it as if it is a secret or a PIN number, when it
is clearly widely available.
The fourth and fifth areas of policy that require
addressing concern the legitimate uses of data, because even
legitimate uses of data have consequences if the data is
inaccurate. Several Senators raised what I consider to be the
fourth set of policy issues, which is the Federal Government
and other government agencies' use of information brokers.
Clearly, national security and law enforcement are legitimate
uses, but that doesn't mean we should leave aside questions of
accuracy. As a first step, we clearly need to get a handle at
least on what information the Federal Government is purchasing
and how it is using it.
Finally, Congress needs to look at the fair information
practices that have helped define privacy in the credit and
financial sectors and adapt them as appropriate to this new
data landscape. It is most important here--and I will
conclude--to focus on consequences. When data is used in ways
that have implications for people's insurance or whether their
claims get paid or for a host of other reasons that may not be
covered by current law, we need to fill those gaps.
A book was written recently entitled No Place to Hide.
Chairman Specter. Mr. Dempsey, your time has expired. Would
you please summarize?
Mr. Dempsey. Is there no place to hide? Senator, really it
doesn't have to be that way. We can shape the policy to reclaim
our privacy and to set some framework of accountability.
Thank you.
[The prepared statement of Mr. Dempsey appears as a
submission for the record.]
Chairman Specter. Thank you very much, Mr. Dempsey.
We now turn to Mr. Robert Douglas, who has already been
introduced and has already testified.
You still have five minutes left, Mr. Douglas.
Mr. Douglas. Thank you. I appreciate that.
As I discussed in the opening presentation and concluded
with the murder of Amy Boyer, I would like to concentrate on
some of the facts in that case that illuminate, I think, many
of the issues that we are discussing here today and what I have
learned over the last eight years about information brokers and
the harm that can occur.
The facts behind the murder of Amy encapsulate all the
issues before this Committee today. Amy's murder demonstrates
the problem is much larger than recent breaches of information
broker databases.
In October 1999, Amy was entering her car, having just left
work. A stalker named Liam Youens pulled alongside Amy and shot
and killed her, then killed himself. Youens published his plans
to murder Amy on a website for several years, but that website
contained more than the perversity of Youens. It contained a
trail of evidence proving personal information gathered with
good intent can lead to incalculable harm.
Youens decided to ambush Amy at work, but didn't know where
she worked. He used information brokers and private
investigators to find her. On the Internet, Youens bought Amy's
date of birth, Social Security, home address, and finally place
of employment. Youens himself was struck by how easily he could
buy Amy's personal information, writing on his website ``It is
actually obscene what you can find out about a person on the
Internet.''
The Internet site Youens found was Docusearch.com.
Docusearch located Amy's work address by using her Social
Security number and other personal information as elements of a
deceit designed to fool Amy and/or her mother into revealing
the employment address. Indeed, this was Docusearch's
expertise. Like many other companies that I demonstrated this
morning, at the time of Amy's murder Docusearch specialized in
defeating the information security systems of financial
institutions, telecommunications companies and unsuspecting
citizens with information about loved ones.
But the evidence in Amy's murder doesn't end there. It
leads to thousands of documents showing how databases of
American businesses that contain our most personal information
are breached every day. As mentioned, Docusearch was penetrating
the information systems of financial institutions,
telecommunications firms, other utility companies, and selling
that information to just about anyone.
In the files of Docusearch and other similar companies is
evidence that when it comes to being guardians of personal
information, both government and the private sector deserve a
failing grade. Several years ago, I worked with the FTC to
catch information brokers selling citizens' personal financial
information. The investigation revealed hundreds of Internet-
based information brokers and private investigators advertising
the sale of personal information, in violation of laws Congress
has already passed, including Gramm-Leach-Bliley, the FCRA, the
DPPA and the Unfair and Deceptive Trade Practices Act.
Many of the illicit information brokers have subscriber
access to legitimate information brokers similar to those at
the table here at this moment. The illegitimate brokers, along
with I.D. thieves, as we have learned, need the biographical
information contained in the databases of the legitimate
information brokers in order to carry out their crimes.
Specifically, some will purchase the biographical data
needed by means of a legitimate information broker via a
fraudulent subscriber agreement, as in the ChoicePoint case, or
via a reseller who obtains the information from a legitimate
broker, then willingly violates the ``no resale'' clause of
their contract. This is the worst-kept secret in the
information broker-private investigative world today.
While a number of the major brokers have announced they
will restrict access to certain subscriber classes, absent
legislation, other companies will step in. But even if all
legitimate information brokers were secure, the flow of
information would continue. Criminals and others will just
continue to access databases from the government and private
sector.
And there is a reason these databases are easily defeated.
Far too often, personal biographical information, as we see for
sale on the charts in the Committee room today, is the key to
unlocking the databases. So even if Social Security numbers
were not for sale on the Internet, the reality is Social
Security numbers have been compromised in this country in many
ways for such a long period that it is laughable that either
government or commercial enterprises use the number or other
biographical personal information as identifiers for
maintaining security of databases.
Yet, this is the method chosen by more than 50 percent of
the Nation's banks, telecommunications companies, hospitals,
doctors' offices, universities, utility providers, government
programs and almost any government or commercial entity one can
name. The bottom line: any information security system using
personal biographical information as the primary security
identifier is fatally flawed.
Thank you.
[The prepared statement of Mr. Douglas appears as a
submission for the record.]
Chairman Specter. Thank you very much, Mr. Douglas.
Mr. Sanford, I am advised that LexisNexis just yesterday
announced a breach of security involving some 310,000 people.
Did that announcement yesterday have any connection with this
hearing scheduled for today?
Mr. Sanford. The announcement had everything to do with the
conclusion of a review that I commenced in February of 2005. As
I testified, we acquired the Seisint business in the fall of
2004. One of our integration teams became aware of some
irregular billing activities in February.
Chairman Specter. That is a no?
Mr. Sanford. That would be a no, Senator.
Chairman Specter. You stated an investigation in February,
but you knew about the breach in February?
Mr. Sanford. We became aware of some irregular billing
activities in February.
Chairman Specter. Did you know about the breach in
February?
Mr. Sanford. I didn't know what I had until I did an
investigation, Senator.
Chairman Specter. Well, I am still uncertain as to whether
you knew about the breach. Did you have enough information--
Mr. Sanford. We were not--
Chairman Specter. Let me finish the question, since I
didn't get an answer to the last one.
Did you know in February that there was a breach?
Mr. Sanford. I knew in February that I had irregular
billing activity in a handful of customer accounts.
Chairman Specter. Well, why would it take until mid-April
to make a determination sufficient to notify the people whose
information had been breached?
Mr. Sanford. That is an excellent question and I am glad
you have asked it because it seems to have been misreported in
the press. We are not talking about an incident. In March, we
made a statement acknowledging that we had discovered a handful
of security breaches and we immediately made notice.
Based on those incidents, I ordered a review going back
some 27 months in our business that we had--
Chairman Specter. Mr. Sanford, I don't want to cut you off,
but there are five minutes and I have got a lot of questions of
this panel. I would like the specifics in writing focusing on
why the people whose information was breached couldn't have
been notified earlier.
Those people are all at risk and you have a duty to notify
them at the earliest possible moment. So I want to know
precisely what you did, what was the intensity of your
investigation and whether it could have been done faster.
Mr. Sanford. I would be happy to provide that.
Chairman Specter. Mr. Curling, I am advised that
ChoicePoint had a breach in the past and did not report it. Is
that true?
Mr. Curling. There has been a recent arrest, or conviction,
rather, reported by the Secret Service that involved
ChoicePoint information. My understanding is that the subpoena
was issued on that individual in 2001.
Chairman Specter. Well, see, I am having a hard time relating
your answer to my question. Did ChoicePoint have a breach of
security and fail to report it and notify the people whose
information had been breached?
Mr. Curling. Yes, sir, it would appear in 2001 that
happened.
Chairman Specter. And it was not reported?
Mr. Curling. No, it was not reported.
Chairman Specter. Why not?
Mr. Curling. No one was made aware of it, sir. We turned
over the information to law enforcement, didn't know the
purpose of their investigation.
Chairman Specter. No one was made aware of it? Well, how
about the person who turned it over to law enforcement?
Mr. Curling. I don't think that person understood the
purpose of the subpoena, sir.
Chairman Specter. Well, where did that person stand in the
company hierarchy? Somebody who has the authority to turn it
over to law enforcement doesn't know enough to say confidential
information is now out and it ought to be reported and these
people ought to be told about it?
Mr. Curling. Current circumstances would certainly cause
that to happen. Going back four years--
Chairman Specter. Well, I am talking about before. Why not?
Mr. Curling. I can't explain why someone four years ago
didn't--
Chairman Specter. Well, Mr. Curling and Mr. Sanford, we may
well face the necessity for some really tough legislation that
will have you do your duty. It is very, very disconcerting that
ChoicePoint doesn't make a report of it. A lot of people are at
risk and subject to damage.
I would like you also to provide more detailed information
as to what you testified, Mr. Sanford, about identity theft
insurance--people have to pay for it--whether you have been
sued by people whose information has been disclosed.
Let me turn to the Social Security number question, Mr.
Dempsey and Mr. Douglas. You need the Social Security number to
report your wages and get that information to the Federal
Government so they know what your Social Security claim is.
What problem would arise if we legislated that you couldn't
use the Social Security number at all, except for purposes
relating to collecting Social Security taxes and having the
employee get the benefits?
You may both answer. My time is now expired.
Mr. Dempsey. Well, that was the original purpose, of
course, Senator, and over the years a lot of people became
dependent upon the Social Security number as an identifier for
purposes unrelated to Social Security. For connecting people,
it is not perfect, but it is better than name and address, and
that is how people use it.
Now, at the very least we need to begin to wean away from
that. I think you would need some kind of implementation time
frame to get people that are currently dependent upon the
Social Security number for aggregating data and for knowing
which Jim Dempsey it is--they use the Social Security number
for that. I think we should right away stop using it as an
authenticator, which is different from an identifier. People
are using it to determine that someone calling up and saying he
is Arlen Specter is, in fact, Arlen Specter, when the Social
Security number, we know, is widely available.
Chairman Specter. There are a lot of people with that name.
[Laughter.]
Mr. Dempsey. I can guarantee you that there are probably
more than one, Senator.
Chairman Specter. I doubt it, but okay.
[Laughter.]
Chairman Specter. Senator Leahy.
Senator Leahy. In the Senate, there is only one.
Mr. Dempsey. That is true.
Senator Leahy. I understand what you mean, Mr. Dempsey. The
name is not enough.
Mr. Curling, the CEO of ChoicePoint recently wrote a book
about the information industry entitled The Risk Revolution. In
the book he said everyone should have a right of access to data
that is used to make decisions about them, subject to law
enforcement and national security exceptions. He also
recommended that we expand the principles of the Fair Credit
Reporting Act to all types of information--right to access,
right to question the accuracy and prompt review, right to
comment if a negative record is found to be inaccurate. The
Fair Credit Reporting Act also includes procedures to delete
inaccurate information and identifying sources that furnish
disputed information.
Does ChoicePoint support the expansion of these principles
from fair credit to all types of information?
Mr. Curling. We certainly do, sir.
Senator Leahy. This past January 20, the Washington Post
quoted a ChoicePoint executive as saying, ``We do act as an
intelligence agency gathering data, applying analytics.'' He
also reported that ChoicePoint acquired I2, Inc., and quoted an
I2 company executive as saying, quote, ``We are principally a
company whose focus is all about converting large volumes of
information into actionable intelligence,'' close quote.
The article described I2 as a company that uses software to
head off crimes or attacks, not just investigate them after the
fact--sort of something like the movie ``Minority Report.'' How
would you head off a crime? How do you identify a potential
crime or criminal? Do you have predictive algorithms or
profiling, risk-scoring? It seems fascinating as a former
prosecutor. Can you just put us all out of business? Can you
tell who is going to commit a crime?
Mr. Curling. These are tools that ChoicePoint sells to law
enforcement agencies. They are the ones that use the tools to
try and figure out how to solve crimes, and largely the data
they are using is data they gather on their own. I2 is a
software company. It is a company that provides a robust
analytic engine to link disparate data together so you can look
for similarities.
If two people don't necessarily know each other but they
both made phone calls to the same phone number, you can look
for that kind of linkage through vast amounts of data. They use
it as an analyst aid for an analyst to almost interact with the
data iteratively and reach conclusions that they might
otherwise have reached doing manual research, but in a much
faster way.
Senator Leahy. To identify a crime before it happens?
Mr. Curling. Or just look at patterns to try and track down
criminals that have suspicious behavior going on.
Senator Leahy. ChoicePoint also purchased--is it Bode
Technology?
Mr. Curling. Yes, sir.
Senator Leahy. A company that specializes in the use of DNA
to identify people. The CEO, Derek Smith, wrote in his book,
``Biometrics provide an opportunity to shore up the society's
fundamental building blocks of identification through
technology.''
Biometrics is a technology with great potential, but there
are concerns. Unlike a Social Security number which actually is
changeable, with some difficulty, but can be changed, a
fingerprint or other biometric compromised by a security breach
can't be replaced. There are technological limitations. We
found that with facial recognition technology that that doesn't
always work.
What types and how much biometric information, if any, is
contained or accessible in the systems at ChoicePoint or any of
its subsidiaries, and under what conditions is it used or
provided and what are the protections?
Mr. Curling. We don't warehouse biometric data. We don't
maintain biometric databases on behalf of anyone. Bode Labs is
a forensic DNA laboratory that supports law enforcement
activities on an outsource basis. That laboratory was the lab
that identified the victims of the World Trade Center from a
DNA perspective. That laboratory had a scientist over in
Thailand recently for the tsunami aid.
It is a law enforcement outsource laboratory that does very
high-technology DNA assistance in prosecution of cases. They
receive samples directly from law enforcement. They manage the
chain of custody of that sample and they turn it back over to
law enforcement when the lab activities are processed.
Senator Leahy. Thank you.
Mr. Dempsey, government relies more and more on the
services and products of data brokers for law enforcement and
homeland security efforts. Is this allowing the government to
access and use information that otherwise it might not be
allowed to under privacy and information laws? In other words,
does it allow them to do a search that they wouldn't be allowed
to do if they were doing it directly through a government
agency?
Mr. Dempsey. Well, it does allow them to, in essence,
outsource data collection activities outside of the Privacy
Act. Right now, if the government is going to start a new
collection of data, it needs to comply with the Privacy Act and
it needs to perform a privacy impact assessment. But if it goes
and buys that same data or subscribes to it, some of those
rules don't apply, and I think that is an issue that needs to
be definitely included in the scope of these hearings and needs
to be addressed in legislation.
Senator Leahy. Thank you. Thank you, Mr. Chairman.
Chairman Specter. Thank you very much, Senator Leahy.
Senator Feinstein.
Senator Feinstein. Thank you very much.
The California law went into effect in 2003. I would like
to ask each of the people here representing companies to
indicate if, prior to 2003, you had a breach and did not notify
people.
Mr. Sanford?
Mr. Sanford. I believe there were security breaches in the
business that I acquired that I mentioned, Seisint. I believe
there may have been a security breach in LexisNexis prior to
2003, and we did not make notice prior.
Senator Feinstein. Thank you. I appreciate the honesty.
Mr. Curling?
Mr. Curling. Yes, ma'am, I previously indicated there was a
breach that we didn't notify them.
Senator Feinstein. Thank you.
Ms. Barrett?
Ms. Barrett. The breach that we had in 2003 did span the
enactment of the law in July. Our obligation as a provider,
since the breach did not involve--
Senator Feinstein. My question is did you have a breach
prior to the 2003 law going into effect?
Ms. Barrett. Yes, the breach that we had did span it, but
we did provide notice to our clients.
Senator Feinstein. Thank you. This is my point: If it
weren't for the California law, we would have no way of knowing
breaches that have occurred. It is really only because of that
law that we now know. We in no way, shape or form are able to
pierce the depth of what has happened in this industry.
Now, I would like to ask the question of each, how did the
data breach or breaches occur and what has been done to correct
it? Who would like to go first?
Mr. Sanford?
Mr. Sanford. The data breaches that we have reported
principally involve compromised passwords and I.D.s of
legitimate customers, and that happened through a variety of
methods.
Senator Feinstein. Could you explain ``compromised?''
Mr. Sanford. Sure. Where a company has individual users,
each person would have an I.D. and would have a password. A
company may report to us that they notice search activity that
showed up on their bill that they said that they didn't do.
Senator Feinstein. Now, take a big company. How many people
would have a password?
Mr. Sanford. In most companies, there would be individual
I.D.s and individual passwords. There were some instances in--
Senator Feinstein. But how many per company?
Mr. Sanford. It depends, Senator. You could have two. You
could have 10,000.
Senator Feinstein. That is correct, so that a large bank
like a Citibank could have a large number of individuals that
would have passwords to the system, correct?
Mr. Sanford. I.D.s and passwords, that is correct.
Senator Feinstein. I am asking for speculation. I don't
know what they have, but this is a weak link, shall we say.
Mr. Sanford. Well, passwords and I.D.s are part of the
security and when those password and I.D. protocols are not
strong, then you do have a weak link in the system. What we
have found is we have weak links in some of the passwords and
I.D.s in some of our customer environments that were
compromised and unauthorized persons gained access to those
passwords and I.D.s and did searches.
Sometimes that was because it was a weak password-I.D.
combination. Sometimes that was because there may have been a
virus in that business and someone compromised it through
criminal means.
Senator Feinstein. Right, and did you find out who that
person was?
Mr. Sanford. We have referred all of these incidents to the
U.S. Secret Service and it is an ongoing investigation.
Senator Feinstein. Were those persons found out?
Mr. Sanford. I don't know. That is not the kind of
information they share with me.
Senator Feinstein. And you didn't think you would be
interested in finding out?
Mr. Sanford. Well, as the agent in charge advised me, he
will be briefing us on it as they conclude their investigation.
Senator Feinstein. You have had more than one breach,
though.
Mr. Sanford. That is correct.
Senator Feinstein. So there are a number of people whose
passwords have been compromised.
Mr. Sanford. That is correct.
Senator Feinstein. Which means they could have sold them
for a lot of money to somebody else who got into the system.
Mr. Sanford. That is a possibility, so each password and
I.D.--
Senator Feinstein. But you have no knowledge. How many
breaches have you had?
Mr. Sanford. We reported 59 incidents going back to the
beginning of 2003.
Senator Feinstein. And these were all from compromised
passwords?
Mr. Sanford. I believe all but four or five of them were
through compromised password I.D.s.
Senator Feinstein. And you don't know who compromised the
passwords?
Mr. Sanford. I don't know who did.
Senator Feinstein. Okay, that is fine.
I want to go down the line on this and then back on what
you have done. Mr. Curling, how many breaches have you had,
total?
Mr. Curling. The breaches that we investigated and reported
were a number between 45 and 50. It was an organized ring of
fraudsters and they hijacked legitimate business identities or
created false business identities and were able to get through
our credentialing processes. We ultimately identified that
activity when they were trying to set up accounts, but
unfortunately and regrettably, accounts had been set up prior
to that.
Senator Feinstein. Ms. Barrett?
Ms. Barrett. Yes. The breaches that we had in 2003 involved
two different individuals.
Senator Feinstein. How many breaches have you had, total--
has Acxiom had?
Ms. Barrett. These are the only two breaches.
Senator Feinstein. You have only had two breaches, okay.
Ms. Barrett. They involved a file transfer server sitting
outside of our main system that was used to send information
back and forth between our clients. They did not penetrate our
main firewalls of the system. The data on this server belonged
to our clients. The data was breached because an individual at
a client location with legitimate access to that server
downloaded the password file for that server and unencrypted a
portion of the encrypted passwords, then used those passwords
to access other people's data.
Senator Feinstein. My time is up. Can I ask just one other
question? I have sat here patiently all morning.
Chairman Specter. Yes, you may, Senator Feinstein.
Senator Feinstein. Just one other question and this is on
the subject of whether there should be a requirement that all
data in these data companies be encrypted and there should be a
prohibition on using PCs to hold this data. I am looking
specifically at University of California data breaches which
involved the names of over 700,000 people from thefts of
personal computers.
Would anyone care to comment on that?
Mr. Dempsey. Senator, I would only say that encryption is
not as easy to do as it sounds and I would hate to see the
Federal Government get into the posture of dictating specific
security measures that companies or institutions like
universities have to take.
Senator Feinstein. So you think it is okay for personal
data, for somebody to be walking around with a computer with
700,000 names in it?
Mr. Dempsey. Well, I think there is a separate question
about the physical custody of that kind of--at some level, that
is a physical custody issue. If you look at the Gramm-Leach-
Bliley regulations, they talk about technical, physical and
administrative safeguards. And I think without, again,
dictating what is the right balance of those, all three have to
be considered. And I agree with you that people have clearly
gotten far too lax about storage of data.
Senator Feinstein. Thank you. My time is up.
Chairman Specter. Thank you, Senator Feinstein.
Senator Schumer.
Senator Schumer. Thank you, Mr. Chairman, and I have a
question I am going to ask of the whole panel, but take your
pencils out because it has a few parts. I want to ask your
opinion on various ways to deal with identity theft, all of
which are embodied in the legislation that we have. If you
could give us a yes or no answer, that would be great and save
time. If you can't, keep your explanation as short as possible.
Do you support the goal of regulating data merchants,
similar to the way we regulate credit bureaus I would say, but
certainly data merchants? Do you support the idea of creating a
one-stop shop to help consumers get their identity back, as we
have done in the FTC? They have done something, but they are
not close to what is needed.
Do you support disclosure laws for companies that plan to
sell your information? Do you support making any company that
has sensitive personal information on its consumers take
reasonable steps to protect it? That would be the words of the
law--``reasonable steps to protect it.'' Do you support
limiting the sale of people's Social Security numbers on a
narrow needs basis--law enforcement and things like that?
Just two more. Would you support rules authenticating
customers? This relates to ChoicePoint, which actually sold the
information to criminals. And would you support increased
background examination of those within your companies and other
companies who have access to sensitive personal information?
I realize that is a long question. It will be my only one
and I await your answers.
Mr. Sanford?
Mr. Sanford. Senator, I don't know if I got it all down,
but I think the first one was with respect to regulating the
industry similar to FCRA. I think some of the portions of the
FCRA could be appropriate. I would like to see specifically
what the wording would be on that. I would be glad to work with
you on that.
A one-stop shop at the FTC.
Senator Schumer. But, in general, you support regulating
data companies like yours in terms of how they deal with the
data, data merchants?
Mr. Sanford. I certainly think the safeguards as contained
in GLBA would certainly be a step in the right direction.
Senator Schumer. Thank you.
Mr. Sanford. I don't know anybody who could argue with a
one-stop shop at the FTC and additional funding to help, given
the pervasiveness of identity theft. I am not sure I understand
the provision on disclosure laws on companies. I didn't quite
get the rest of it down here in my notes.
We would support data safeguards. We would support
legislation--
Senator Schumer. That is disclosure to the individual,
whoever gives it in, that we may be giving or selling that
information to somebody.
Mr. Sanford. I don't know, unless I saw the wording,
whether I could support that, given the number of transactions
we are talking about.
Senator Schumer. Okay.
Mr. Sanford. Limiting the sale of SSNs. Certainly, there
are limits today on the use of personally sensitive information
and I support the limits that are there. I think there could be
greater limits on the display of information, but perhaps not
the access because of the importance of using some of that
sensitive information to provide services to detect fraud, for
example.
And then on rules authenticating customers, I think I would
support, again, GLBA, and I think reasonable safeguards would
pretty much pick that up and say you have got to make sure you
are doing business with legitimate customers.
Senator Schumer. And then the last one was background
checks on the people who handle the sensitive information.
Mr. Sanford. I would have to learn more about that, but
again I think that would be part of an overall safeguard
program and make sure that the people who are dealing with
sensitive data--
Senator Schumer. Thank you.
Mr. Curling?
Mr. Curling. In the interest of time, Senator, obviously I
would like to read the specific proposals, but I would answer
yes, in general, to all of the questions.
Senator Schumer. Thank you.
Ms. Barrett?
Ms. Barrett. Yes, I would also say yes, in general, to all
of the questions. Many of what you are suggesting are already
policies of ours.
Senator Schumer. Mr. Dempsey?
Mr. Dempsey. I have never seen a vote count like this,
Senator. I am a ``yes'' on all as well.
Senator Schumer. And Mr. Douglas?
Mr. Douglas. Absolutely.
Senator Schumer. Mr. Chairman, I yield back my 32 remaining
seconds.
Chairman Specter. It is greatly appreciated, Senator
Schumer.
Senator Schumer. I knew it would be.
Chairman Specter. You now owe the yield-back bank only 17
hours and 23 seconds.
Senator Schumer. No good deed goes unpunished.
Chairman Specter. On behalf of Senator DeWine, I am going
to direct this question to you, Mr. Sanford. Senator DeWine
could not be here. I understand that LexisNexis has been
working with the National Center for Missing and Exploited
Children and law enforcement to help find abducted children.
Can you explain to the Committee how LexisNexis contributes to
this effort?
Mr. Sanford. Senator, the National Center, as you know, has
been in existence for nearly 20 years. It provides critical
assistance to find abducted and missing children. I think in
the last 20 years, they have recovered 85,000 children.
What the National Center does is we provide our service to
them at no charge. They work with law enforcement and what they
have determined is the best way to find an abducted child in
the first 48 hours is to do searches and to find the
relationships of the custodial and non-custodial parents. And
by doing those searches with law enforcement, they are able to
recover many of the abducted and missing children rapidly.
Chairman Specter. Well, thank you very much, Mr. Sanford,
Mr. Curling, Ms. Barrett, Mr. Dempsey and Mr. Douglas.
Senator Leahy. Could I ask one more question?
Chairman Specter. Sure, Senator Leahy.
Senator Leahy. Mr. Dempsey, you and I have had discussions
over the years on some of these issues and I have appreciated
very much your input. I think about public records, and let's
just take one example. You have whatever court handles divorce
matters in your State and you may have divorce records in there
which contain a number of things because of payments--Social
Security numbers and maybe even the names of the banks that the
litigants have, and so on.
If you were to walk into that court and ask, they would
say, well, we can give you the judge's findings, the pleadings,
of course, but we can't give you this page that has all the
rest. So you kind of felt you were pretty safe because you had to
go to court, to court, to court, to court and be turned down.
Now, if it is all electronic, you don't have that
inconvenience. Is there a responsibility on the part of data
brokers who might go through every single court in the Nation
pulling up Jones v. Jones or whatever--do they have a
responsibility in weeding out the things that the courts would
normally expect not to be shown?
Mr. Dempsey. Well, I think, Senator, you are on to a very
important point, which is just because information is in a
public record, does it mean that there are no privacy issues,
particularly in terms of accuracy, particularly in terms of
sensitivity?
The Supreme Court held in the Reporter's Committee case and
in the DPPA case, the Reno v. Condon case, that even if
information is publicly available, interests in accuracy apply,
and the computerized compilation of that data into a single
database changes the privacy equation. So you can't just say,
oh, it is public record information, therefore there are no
concerns.
There are still concerns about the accuracy in the
transcription of that data and still concerns about the fact
that, as you say, in bankruptcy court there is a lot of very
sensitive information. I know that bankruptcy judges are
struggling with that specifically.
Senator Leahy. Adoption courts; probate courts handle
adoptions. Courts have allegations that are made in initial
filings in a case, but the case may be heard six months later
and all the allegations thrown out.
Mr. Dempsey. So I think that that has to absolutely be part
of the equation here. Under the Fair Credit Reporting Act, we
have created this cycle of responsibility where the data
furnishers have a responsibility for accuracy, the data
aggregators and the credit reporting agencies have a
responsibility, and the users have a responsibility in terms of
accuracy.
It is a little bit different in the public record system,
in that the government entities are not pushing that data. It
is being pulled by sending people out, but we still have to
somehow address that, Senator, and work on what is the
responsibility for accuracy of the compiler of that so-called
public record information because it is being used against
people in ways that have implications.
Senator Leahy. And some of it is there for a very, very
specific purpose. I mean, you could actually have on public
record what kind of alarm systems you have in your house from
an appraisal that had been done of the house.
Mr. Dempsey. Well, for example, criminal history records.
There is a very important public policy interest in having
arrests be public, in having court proceedings be public. But
we also know that a lot of arrests don't result in convictions
for the charges. We have put limits in the fair credit
reporting area on reporting of old arrests, reporting of so-called
naked arrests. I think we need to make sure that those
kinds of accuracy responsibilities spread across the data
landscape.
Senator Leahy. Thank you. Thank you, Mr. Chairman. I
appreciate again your holding this hearing. I think it is
extremely important and I am glad to see the Committee doing
this kind of oversight.
Chairman Specter. Well, thank you, Senator Leahy. You were
the first one on the Committee to ask for it and I promptly
responded and said yes. I think it has been a very, very
productive hearing and I believe that there will be some very
firm Federal legislation coming out of this issue.
Thank you all very much.
[Whereupon, at 12:00 p.m., the Committee was adjourned.]
[Questions and answers and submissions for the record
follow.]
[Additional material is being retained in the Committee
files.]