[Senate Hearing 106-902]
[From the U.S. Government Publishing Office]
S. Hrg. 106-902
IDENTITY THEFT: HOW TO PROTECT AND RESTORE YOUR GOOD NAME
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
on
PREVENTING CRIMINALS FROM USING TECHNOLOGY TO PREY UPON SOCIETY,
FOCUSING ON IDENTITY THEFT PREVENTION MEASURES AND THE IMPLEMENTATION
OF THE IDENTITY THEFT AND ASSUMPTION DETERRENCE ACT (PUB. LAW 105-318)
__________
JULY 12, 2000
__________
Serial No. J-106-97
__________
Printed for the use of the Committee on the Judiciary
__________
U.S. GOVERNMENT PRINTING OFFICE
69-466 WASHINGTON : 2001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire
Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel
______
Subcommittee on Technology, Terrorism, and Government Information
JON KYL, Arizona, Chairman
ORRIN G. HATCH, Utah DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio HERBERT KOHL, Wisconsin
Stephen Higgins, Chief Counsel and Staff Director
Neil Quinter, Minority Chief Counsel and Staff Director
(ii)
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Kyl, Hon. Jon, U.S. Senator from the State of Arizona............ 1
Feinstein, Hon. Dianne, U.S. Senator from the State of California 3
CHRONOLOGICAL LIST OF WITNESSES
Panel consisting of Jodie Bernstein, Director, Bureau of Consumer
Protection, Federal Trade Commission, Washington, DC; and James
G. Huse, Jr., Inspector General, Social Security
Administration, Baltimore, MD.................................. 6
Panel consisting of Michelle Brown, identity theft victim, Los
Angeles, CA; Beth Givens, director, Privacy Rights
Clearinghouse, San Diego, CA; Steven M. Emmert, director,
Government and Industry Affairs, Reed Elseveir, Inc., and
Lexis-Nexis, and president, Individual Reference Service Group,
Washington, DC; and Stuart K. Pratt, vice president, Government
Relations, Associated Credit Bureaus, Inc., Washington, DC..... 23
ALPHABETICAL LIST AND MATERIAL SUBMITTED
Bernstein, Jodie:
Testimony.................................................... 6
Prepared statement........................................... 9
Brown Michelle:
Testimony.................................................... 23
Prepared statement........................................... 25
Attachment 1............................................. 28
Emmert, Steven M.:
Testimony.................................................... 61
Prepared statement........................................... 63
Feinstein, Hon. Dianne: List of Internet Websites Where Personal
Information Can Be Purchased................................... 4
Givens, Beth:
Testimony.................................................... 30
Prepared statement........................................... 31
A Survey of Identity Theft Victims and Recommendations
for Reform............................................. 38
Huse, James E., Jr.:
Testimony.................................................... 13
Prepared statement........................................... 15
Pratt, Stuart K.:
Testimony.................................................... 69
Prepared statement........................................... 72
News Release: Contact Norm Magnuson, dated March 14, 2000 74
IDENTITY THEFT: HOW TO PROTECT AND RESTORE YOUR GOOD NAME
----------
WEDNESDAY, JULY 12, 2000
U.S. Senate,
Subcommittee on Technology, Terrorism,
and Government Information,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:03 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl
(chairman of the subcommittee) presiding.
Also present: Senator Feinstein.
OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE
STATE OF ARIZONA
Senator Kyl. Good morning. This hearing of the Senate
Judiciary Subcommittee on Technology, Terrorism, and Government
Information will come to order. The subject of our hearing this
morning is ``Identity Theft: How to Protect and Restore Your
Good Name.''
As chairman of this subcommittee, it has been my goal to
prevent criminals from using technology to prey on society.
There are few clearer violations of personal privacy than
having your identity stolen and used to commit a crime.
Criminals often use Social Security numbers and other personal
information to assume the identity of law-abiding citizens and
take their money. It is high-tech theft.
To combat this, I sponsored the Identity Theft and
Assumption Deterrence Act, which prohibits the stealing of a
person's identity. The aim of the Act, which is now law, is to
protect consumers and safeguard people's privacy. Almost 2
years after passage of the Act, identity theft unfortunately
continues to grow, particularly as the Internet grows in
popularity.
Teachers, housewives, doctors and, yes, even U.S. Senators
have been recent victims of identity theft. It can happen to
anyone.
Well, how does it happen? Technology enables new,
sophisticated means of identity theft. Using a variety of
methods, criminals steal Social Security numbers, credit card
numbers, drivers' license numbers, ATM cards, telephone calling
cards, and other key pieces of a citizen's identity. Victims
are often left with a bad credit report and must spend months
and even years regaining their financial wholeness.
In the meantime, they have difficulty writing checks,
obtaining loans, renting apartments, getting their children
financial aid for college, even getting hired. Victims of
identity theft need help as they attempt to untangle the web of
deception that has allowed another individual person to
impersonate them.
The key to prevention is businesses establishing
responsible information handling practices and for the credit
industry to adopt stricter application verification procedures
and to put limits on data disclosure. One provision in a bill
that Senator Feinstein and I have proposed would require a
credit card issuer to confirm any change of address with the
cardholder within 10 days. This could prevent the common method
of identity fraud where a criminal steals an individual's
credit card number and then obtains a duplicate card by
informing the credit issuer of a change of address. Credit
bureaus would be required to disclose to credit issuers that an
address on the application does not match the address on the
credit report.
Another provision of this legislation would ensure that
conspicuous fraud alerts would appear on credit reports, and
also it would impose penalties for non-compliance by credit
issuers and credit bureaus. Another provision would require the
credit issuers and credit bureaus to develop a universally
recognized form for reporting identity fraud. Victims could
then fill out one form and one affidavit to supply to the
numerous companies and entities involved in reporting an
identity theft.
These legislative changes, and the willingness of many here
to adapt to best business practices, will help victims to
detect errors on their credit history, report the errors
efficiently, and to act quickly to recover their good name.
Now, just a couple of statistics before we begin. I think
it is interesting that in fiscal year 1999, the Social Security
Administration's Office of Inspector General hotline for fraud
and abuse reported more than 62,000 instances of misuse of
Social Security numbers, something that Senator Feinstein has
been working on. Since November 1999, the FTC hotline and
website have logged more than 20,000 calls and 1,500 e-mail
complaints regarding identity theft. So this is an ongoing,
serious, significant problem.
Today, our subcommittee will hear from six witnesses about
the effect of identity theft and the help that victims of
identity theft can expect. On the first panel, we are glad to
welcome back Jodie Bernstein, who is the current Director of
the Bureau of Consumer Protection of the Federal Trade
Commission. She will discuss how the FTC has responded to
identity theft in carrying out its duties under the 1998 law.
She will also discuss what legislative and non-legislative
measures have been taken and what could reduce criminals'
access to sensitive data.
James G. Huse, the current Inspector General of the Social
Security Administration, is our next witness. He will discuss
how Social Security numbers are used in the commission of
identity theft, what steps can be taken to reduce the role of
Social Security
numbers in identity theft, why Social Security numbers can be
purchased on the Internet for as little as $40, current
undercover operations to prevent the sale of Social Security
numbers on the Internet, and what is the most common source of
Social Security numbers used for identity theft.
I will just mention who we will have on the second panel,
then call upon Senator Feinstein and our first panel to begin
its presentation.
Michelle Suzanne Brown will be one of the witnesses on the
second panel. She is a victim of identity theft, and she will
talk about her case and will share with us the very difficult
experience that she has had in clearing her good name through
endless telephone calls and correspondence with various credit
bureaus, credit card companies, her landlord, property manager,
police departments, the courts, and other government officials.
She will also discuss her ideas about how to streamline the
victim reporting process and how to recover and protect from
this crime.
Beth Givens, of the Privacy Rights Clearinghouse, will be
another witness on our second panel. The Clearinghouse has a
new report, called ``Nowhere to Turn,'' which describes common
obstacles experienced by identity theft victims and what
measures can be taken to reduce criminal access to sensitive
personal information, and how to better provide services to
identity theft victims.
Steve Emmert is the current president of the Individual
Reference Services Group, the IRSG, and the director of the
information company LEXIS-NEXIS. The IRSG is composed of 14
leading information industry companies that provide data to
help identify, verify, or locate individuals. President Emmert
will testify how the IRSG members limit the transmission of
personal information to prevent criminal misuse, and testify
about the progress of self-regulatory efforts, present some
statistics on enforcement, compliance, and monitoring of member
groups.
Finally, Stuart Pratt, executive vice president of
Government Relations for the Associated Credit Bureaus, the
ACB, will describe the use of fraud alerts within the credit
bureau industry, addressing the duration of the alert, how
credit card issuers use alerts, and he will testify about the
resources of the ACB, what it has available for identity theft
victims, and its plans to work with credit card issuers to
streamline reporting of identity theft.
I want to thank all of our witnesses for being with us
today. Before calling on our first panel here, I would like to
again thank Senator Feinstein for her leadership in helping to
get the identity theft bill passed into law and her continuing
interest in seeing that it is enforced properly, and to help
determine whether it goes far enough and whether we need to do
some additional things now that we have some experience with it
to ensure continued protection for consumers. It is always a
pleasure to work with her.
I would also like to make this brief announcement. They are
working on the air conditioning and I hope that we get it fixed
before this hearing is over.
Senator Feinstein.
STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Senator Feinstein. Thanks very much, Mr. Chairman, and let
me thank you for your leadership. Let me thank the panelists,
some of whom have come from California for this hearing. I
think it is very important and I am just delighted that you are
here.
Identity theft really deserves our committee's very close
and careful attention. It is, I believe, one of the fastest
growing crimes in the Nation.
Now, what is identity theft? It occurs when one person uses
another person's Social Security number, birth date, driver's
license, or other identifying information to obtain credit
cards, car loans, phone plans, or other services in the
potential victim's name. In other words, you steal someone's
identity, credit documents, and then go out and commit fraud
against them.
Identity thieves get personal information in a myriad of
ways. They steal wallets and purses containing identification
cards. They use personal information they can buy on the
Internet. They steal mail, including pre-approved credit offers
and credit statements. They fraudulently obtain another's
credit reports, or they get another's personnel records.
Every 60 seconds in this country, an American becomes the
victim of identity theft. Some estimates of the theft run as
high as 700,000 cases a year. The chairman has quoted the
Social Security Administration's concerns, but the U.S. Postal
Inspection Service also reports that 50,000 people a year have
become victims of identity theft since that Service first began
collecting information of the crime in the mid-1990's. Treasury
estimates that identity theft annually causes $3 billion in
credit card losses.
Identity theft victims have actually been calling our
office with story after story of these crimes, and let me give
you a couple of examples.
My constituent, Kim Bradbury, of Castro Valley, reported
that an identity thief obtained a credit card in her name
through the Internet in just 10 seconds. The false application
only had her Social Security number and birth date correct. As
a matter of fact, my staff has compiled a list of about 12
different Internet websites where personal information can be
purchased for as little as $25. Let me read their comments on
one website called digdirt.com.
Here is one that is not online access, per se, but it will
blow your mind as to what they offer. You hire them, they do
the work, they get back to you--medical records, phone numbers,
assets, et cetera. I am not going to say the names of all these
websites, but I would like to enter them into the record, if I
might, Mr. Chairman.
Senator Kyl. Without objection.
[The information referred to follows:]
List Submitted by Senator Feinstein
An analysis of the services anyone can use on the World Wide Web
indicates that many sites sell Social Security numbers.
The following is just a short list of example sites that traffic in
personal information.
(1) www.fastbreakbail.com
(2) www.infoseekers.com
(3) www.e-backgroundchecks.com
(4) www.infotel.net
(5) www.docusearch.com
(6) www.1800ussearch.com
(7) www.locateme.com
(8) www.informus.com
(9) www.loc8fast.com
(10) www.merlindata.com
(11) www.digdirt.com
Senator Feinstein. Let me give you another example--Lynn
Kleinenberg, of Los Angeles. Her husband was an executive at
Cedars Sinai Medical Center. He died last December. The
identity thief in her case used her husband's obituary to get
the maiden name, then went to the Internet, and purchased
various identification documents. The thief attempted to charge
$200,000 in diamonds against her account. This included a
$160,000 wire transfer which she was fortunately able to head
off when the bank called her about her request.
Another person, Amy Boyer, a 20-year-old dental assistant
from Maine, was killed last year by a stalker who bought her
Social Security number off the Internet for $45 and used the
number to locate her work address. Incidentally, some of these
websites provide that you can buy the Social Security number
for $25 now.
I have two proposals pending before the Congress today, and
I hope we can discuss them. The first one prohibits the sale of
Social Security numbers. The Administration supports this
legislation. I am hopeful we can pass it. It is Senate bill
2699, entitled ``The Social Security Number Protection Act.''
That would restrict the sale and purchase of Social Security
numbers. It has some exceptions.
I am also right now writing legislation to amend that to
provide for the same stipulations to a driver's license, to
personal medical information, and personal financial data, and
to provide an opt-in. In other words, the Internet site would
have to get the permission of the individual before using their
Social Security number, their driver's license, their personal
medical information, or their personal financial information.
Now, this is very controversial, and we have met with many
of the companies. They want to put the obligation on the
individual. Well, if you put that obligation on me, I really
wouldn't know where to turn or how to opt out. I think if
somebody is going to make a profit off of my personal financial
data, my Social Security number, my driver's license, they
ought to ask me, find me and ask me if they can use it. I very
deeply believe that, and I believe that enough reputable
companies now are beginning to do it, so that it is not
something very extreme to do.
Senator Kyl, you and I and Senator Grassley have also
introduced a bill, S. 2328, entitled ``The Identity Theft
Prevention Act.'' This bill is supported by the Federal Trade
Commission. It has gone to the Banking Committee. I doubt very
much the Banking Committee is going to move the bill, but it is
widely supported. The bill's measures aim to prevent identity
theft. They give credit card holders written notice at their
original address if a new card is requested to be sent to a
different address.
The bill would impose penalties on credit issuers who
ignore fraud alerts on a credit report. That is another
problem. People just ignore it, you know, don't go and check.
It also directs credit bureaus to notify credit issuers if
there are inconsistencies in a credit application. This
legislation would also authorize the development of a single
reporting form that an identity theft victim could fill out to
notify creditors of fraudulent charges in their name, and it
would provide an individual with a free annual credit card
report. Six States already guarantee free access to these
reports.
I think there is really nothing so sacred as an
individual's good name, and that is one of the reasons why
identity theft is so devastating. It robs people of their
reputation and their security that they often spent years
building, and it can present untold problems. I believe we have
one witness today who will tell a story of being detained at
the airport, because of a crime committed in her name by the
identity thief. She had left the country for vacation, and upon
her return, Customs wouldn't let her back into the country. She
is an innocent victim.
So, Mr. Chairman, the bottom line is I think we need to
move and pass these bills, particularly the Social Security
number. The Social Security number is our No. 1 personal
identifier. It is meant for personal identification. It is not
meant as a barter tool to be able to encourage commerce, and I
think it is appropriate for the Federal Government to take some
action to set some strict restrictions on the use of this
national personal identifier.
So I would be hopeful that we would see fit, you and I, to
move that particular bill. And I hope to introduce tomorrow the
one that would add to the Social Security number also the
driver's license, personal financial data, and personal health
data. There are exceptions which we will put in which I think
kind of cover, for example, research that is done without
revealing the personal identity of the person. So for bona fide
medical purposes, it could be used, or bona fide credit rating
purposes it could be used, but not to reveal to the public at a
purchase price the individual data.
Thank you very much.
Senator Kyl. Thank you very much. As we discussed, I agree,
and we will try to move, whether we need to do it in the
subcommittee and the full committee. We should also talk to the
Banking Committee, and we will do that.
I really appreciate all of the witnesses being here today.
Let's begin with Ms. Bernstein, and then Mr. Huse will follow
that.
PANEL CONSISTING OF JODIE BERNSTEIN, DIRECTOR, BUREAU OF
CONSUMER PROTECTION, FEDERAL TRADE COMMISSION, WASHINGTON, DC;
AND JAMES G. HUSE, JR., INSPECTOR GENERAL, SOCIAL SECURITY
ADMINISTRATION, BALTIMORE, MD
STATEMENT OF JODIE BERNSTEIN
Ms. Bernstein. Thank you very much, Mr. Chairman. Thank you
for including us. I am pleased to be able to present the
Commission's testimony, but I also wanted to let you and
Senator Feinstein know just how important your attention on
this in terms of holding hearings has been for us. It has
focused attention on American consumers so that they can take
steps when they can to prevent these occurrences. And,
importantly, other parts of the Congress have been supportive
of our efforts, and I really do believe it is because of the
attention that you have focused on this issue. So thank you for
that as well.
I thought what I would do today would be to update you on
what our complaint data tells us about ID theft and how we can
all perhaps do a better job of trying to reduce identity theft
and fraud. As Senator Feinstein mentioned, we, the Commission,
has supported the legislation that you all have introduced, and
we thank you for that as well. We think that will be a great
help.
So here is what we have been able to do, and I think we
have made great strides in victim assistance and in data-
sharing. We do have a slide. I have my--I call her my technical
guru, but at another hearing she was asked to testify. So
perhaps I shouldn't introduce her that way, but she is
presenting the slides.
We distributed more than 83,000 copies of our popular
brochure, ``When Bad Things Happen to Your Good Name.'' Our
colleagues at the Social Security Administration distributed
115,000 copies on their own, and our Web version has been
viewed by over 110,000 consumers. The ID theft website,
www.consumer.gov/idtheft, has received about 110,000 visits.
These are very positive trends because we know that informed
consumers can protect themselves from some of the harm caused
by identity theft.
During my testimony in March, I also spoke about our
complaint clearinghouse, the central repository of identity
theft complaints, pursuant to the legislation passed earlier.
We pushed this project forward and we have had really terrific
results, I think.
First, we made the complaint data a click away for the law
enforcement officers that will prosecute the crimes. Law
enforcement officers can easily access complaints on Consumer
Sentinel, and that is a web-based system linking more than 250
agencies to a single and central body of consumer fraud
complaint data. The system now has more than 200,000 consumer
fraud complaints and has resulted in hundreds of successful
civil and criminal prosecutions. Consumer Sentinel users have
to sign a confidentiality agreement and then they have access
to the ID theft clearinghouse data.
Using a password, law enforcers use a desktop PC to link to
a secure website from which they can search for ID theft
perpetrators or victims in their backyards and seek out trends
and patterns. As you can see from the slide, we have developed
different ways to search for the data to enable law enforcement
users to customize their searches and to retrieve precisely the
data they are looking for. For example, users can also place
alerts on certain records, flagging a target as under
investigation or as an open file. In addition, FTC
investigators and data analysts will be scrutinizing the data
and we will refer cases to appropriate agencies. I think what
you can see from this is we have been trying to be at least as
smart as the ID thieves are in using the new technology, and
hopefully we will succeed.
We launched the web availability of our system just last
week, and already Social Security's Inspector General, Jim
Huse, sitting with me, the Postal Inspection Service, the
Department of Justice, and State attorneys general are on the
system, reviewing and analyzing the data through the website.
We are also finalizing an agreement with Social Security--I
think we will do it probably very shortly--to transfer their
complaint data into the central clearinghouse, which will then
enrich the clearinghouse. It will be increasingly valuable as
it grows. Since its creation, the launching of the online
complaint form, and the establishment of our toll-free consumer
complaint line, we have received more than 20,000 telephone
calls and 1,500 consumer complaints via our online complaint
form. That was a very significant development for people to be
able to use the form right on the website.
In March, I told you that we have received 400 calls a week
to the toll-free number. That number has doubled, to about 800
to 850 calls a week. We expect the rate to continue to climb,
and we expect and hope we will be able to manage the new volume
of calls.
The other clearinghouse news to share is what we have
learned from the data, and again we have a slide. Half of the
ID theft complaints report credit card fraud; that is, the
thief either opened a new account in their name or took over an
existing account. Approximately a quarter report that identity
theft opened up telephone, cellular, or other utility services
in their name. Bank fraud is the third category, and about 16
percent reported that a checking or savings account had been
opened in their name, and or that fraudulent checks had been
written. Approximately 11 percent reported that identity theft
obtained a loan, such as a car loan, in their name.
These figures have been consistent across geographic
regions in the country, and the top sources of complaints in
the Nation, as well as in your States, are also shown on our
reports; that is, Senator Feinstein, for example, you can get
the complaints that are from the State of California, and we
expect to be able to provide that to law enforcement officials
in those States.
So what about these trends? With credit card fraud
appearing in more than half of the complaints, it is time, we
think, to take a good hard look at business practices. As you
know, the Commission has supported the recent legislative
proposals that require credit grantors to take extra steps to
verify change of address requests for credit accounts.
We also endorse requiring credit bureaus to tell a consumer
when a credit application is made in the consumer's name but
with a different address. Each of these measures will help cut
back on the top category of complaints. Those are account
takeovers and fraudulently opened credit accounts. Free annual
credit reports may also encourage consumers to review their
credit reports and allow them to detect early warnings of
fraud. There are additional requirements in 2328 that I won't
detail because we have already discussed them. We think they
will be very, very helpful.
In closing, I would add that there are steps that we at the
FTC would like to implement to streamline and simplify the
process of reporting and responding to ID theft. We want to
implement an electronic notification system so that when a
consumer tells us that their identity has been stolen, we can
transmit that information to one of the three or all of the
three credit reporting agencies and they can enter a prominent
fraud alert on that consumer's file, on all three of them.
We can only take on this project and others like it by
working together with you, with the public, and the private
sector groups toward this common goal. We think it would go a
long way, and we remain prepared to do that if we receive that
cooperation from the industry involved.
I would be happy to answer any questions you may have, I
presume, following Jim's testimony. Thank you.
[The prepared statement of Ms. Bernstein follows:]
Prepared Statement of Jodie Bernstein
Mr. Chairman Kyl, and members of the Subcommittee, I am Jodie
Bernstein, Director of the Bureau of Consumer Protection, Federal Trade
Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity
to present the Commission's views on the important issue of identity
theft, and to describe to you the impressive strides we have made in
implementing the Identity Theft and Assumption Deterrence Act.\2\
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission. My oral presentation and response to questions are my
own, and do not necessarily represent the views of the Commission or
any Commissioner.
\2\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18
U.S.C. Sec. 1028).
---------------------------------------------------------------------------
The fear of identity theft has gripped the public as few consumer
issues have. Consumers fear the potential financial loss from someone's
criminal use of their identity to obtain loans or open utility
accounts. They also fear the long lasting impact on their lives that
results from the denial of a mortgage, employment, credit or an
apartment lease when credit reports are littered with the fraudulently
incurred debts of an identity thief.\3\
---------------------------------------------------------------------------
\3\ Data from the Identity Theft Clearinghouse, our central
repository of identity theft complaints, bear out these fears. See
discussion at pp. 7-10.
---------------------------------------------------------------------------
The Identity Theft and Assumption Deterrence Act (``the Identity
Theft Act'') has raised the public's appreciation for the hardship
suffered by identity theft victims. The Identity Theft Act's focus on
the individual as the victim--rather than just the financial
institutions that often absorb the bulk of the financial loss--has
brought focus to business practices that may place consumers at higher
risk of having their identities stolen. It has heightened consumers'
awareness of the ways they can change their everyday practices to
minimize the risk that they will be victimized. The Federal Trade
Commission has worked to strengthen these measures through our
responsibilities under the Act. In particular, we have expanded our
consumer education campaign, encouraged increased use of our toll-free
help line, made our Identity Theft Clearinghouse available to law
enforcement through a secure website, continued to forge partnerships
with other law enforcement offices, and reached out to private industry
to help identify ways to establish identity theft prevention best
practices. By letter dated June 1, 2000, we also conveyed our support
for S. 2328, a bill introduced by Senator Feinstein, Chairman Kyl and
Senator Grassley, that seeks to protect consumers by providing them
with access to credit-related information that may reveal indicia of
identity theft. The bill would also restrict the release of information
through the sale of ``credit header'' information, and entitle
consumers to free annual credit reports.
The Commission's participation in the March Summit on Identity
Theft, hosted by the Department of Treasury, marked the beginning of a
new dialogue among government, private sector and consumer groups on
these critical issues. We continue to look for ways to expand on these
efforts.
I. MEETING THE GOALS OF THE IDENTITY THEFT ACT
In earlier testimony before this Committee, the Commission
described the ways in which we have carried out our responsibilities
under the 1998 Identity Theft Act.\4\ Since that time, we have built on
these achievements.
---------------------------------------------------------------------------
\4\ The Commission testified before this subcommittee on March 7,
2000. We also testified before this subcommittee in May 1998 in support
of the Act. Following the passage of the Act, the Commission testified
again, in April 1999, before the House Subcommittee on
Telecommunications, Trade and Consumer Protection and the Subcommittee
on Finance and Hazardous Materials of the Commerce Committee. That
testimony focused on identity theft in the financial services industry.
---------------------------------------------------------------------------
A. Centralized Complaint Handling--877 ID THEFT
The Commission established its toll-free telephone number, 1-877-ID
THEFT (438-4338) to help consumers avoid or resolve identity theft
problems. The Identity Theft Hotline phone counselors also enter
information from the consumer complaints into the centralized Identity
Theft Data Clearinghouse. In operation since November 1, 1999, the
Identity Theft Hotline now receives between 800 and 850 calls per
week.\5\ About two thirds of the calls are from victims, the remaining
calls coming from consumers who are looking for information on ways to
minimize their risk of identity fraud.
---------------------------------------------------------------------------
\5\ That figure has doubled since March, when we reported 400 calls
a week. To date, the hotline has received more than 20,000 calls.
---------------------------------------------------------------------------
The telephone counselors provide victims of identity theft with
specific information about how to try to prevent additional harm to
their finances and credit histories. The phone counselors advise
callers to contact each of the three consumer reporting agencies to
obtain copies of their credit reports and request that a fraud alert be
placed on their credit report.\6\ Fraud alerts request that the
consumer be contacted when new credit is applied for in that consumer's
name. We advise consumers to request copies of their credit reports,
and explain how to review the information on the reports carefully to
detect any additional evidence of identity theft. Because the credit
reports of identity theft victims often reflect the fraudulent accounts
opened or other misinformation, the counselors inform callers of their
rights under the Fair Credit Reporting Act and provide them with the
procedures for correcting their credit report.\7\ The counselors advise
consumers to contact each of the creditors or service providers where
the identity thief has established or accessed an account, and to
follow up in writing by certified mail, return receipt requested. Where
the identity theft involves ``open end'' credit accounts,\8\ consumers
are advised on how to take advantage of their rights under the Fair
Credit Billing Act, which, among other things, limits their
responsibility for unauthorized charges to fifty dollars in most
instances. Consumers who have been contacted by a debt collector trying
to collect on debts incurred by the identity thief are advised of their
rights under the Fair Debt Collection Practices Act, which limits debt
collectors' practices in their collection of debts.
---------------------------------------------------------------------------
\6\ The three consumer reporting agencies are Equifax Credit
Information Services, Inc., Experian Information Solutions, Inc. and
Trans Union, LLC.
\7\ In addition to fraudulently acquiring accounts or loans, the
identity thieves also may register a change of address in the victim's
name, routing bills and other correspondence to a different address. In
that way, it may take months for the victim to realize that his/her
identity has been hijacked.
\8\ The Fair Credit Billing Act generally applies to ``open end''
credit accounts, such as credit cards, revolving charge accounts, and
overdraft checking accounts. It does not cover installment contracts
such as loans or extensions of credit that are repaid on a fixed
schedule.
---------------------------------------------------------------------------
In addition, the FTC phone counselors advise consumers to notify
their local police departments, both because local law enforcement may
be in the best position to catch and bring the perpetrator to justice,
and because a police report is among the best means of demonstrating to
would-be creditors and debt collectors that they are genuine victims of
identity theft. More than half the states have enacted their own
identity theft laws, and our counselors, in appropriate circumstances,
will refer consumers to other state and local authorities for potential
criminal investigation or prosecution.
B. Outreach and Consumer Education
The FTC also reaches consumers through the Internet. The FTC's
identity theft website--www.consumer.gov/idtheft--gives tips on how
consumers can guard against identity theft, warns consumers about the
latest identity theft schemes and trends, and provides access to
consumer education materials on identity theft. This website has
received more than 108,000 hits since November, 1999. The site also
links to a secure complaint form on which identity theft victims can
enter the details of their complaints online, allowing consumers to
contact the Commission at all times. After review by FTC staff, these
complaints are entered into the Clearinghouse. To date we have received
more than 1500 complaints through this electronic form.
The Federal Trade Commission continues to distribute the
comprehensive consumer guide: ID Theft: When Bad Things Happen to Your
Good Name. Developed in consultation with more than a dozen federal
agencies,\9\ this booklet provides consumers with practical tips on how
best to protect their personal information from identity thieves,
summarizes the various federal statutes that protect consumer victims
of identity theft, and details the victim assistance mechanisms
available. The Federal Trade Commission has distributed more than
83,000 copies of the booklet, and is in the process of revising the
booklet for a second, and larger printing. The Social Security
Administration has also printed and distributed 115,000 copies of When
Bad Things Happen.\10\
---------------------------------------------------------------------------
\9\ These include: Department of Justice; Federal Bureau of
Investigation; Federal Communications Commission; Federal Deposit
Insurance Corporation; Federal Reserve Board; Internal Revenue Service;
National Credit Union Administration; Office of the Comptroller of the
Currency; Office of Thrift Supervision; Social Security Administration;
United States Postal Inspection Service; United States Secret Service;
United States Securities and Exchange Commission; and United States
Trustee.
\10\ The FTC has provided the booklet on zip disk to other agencies
who are interested in printing additional copies.
---------------------------------------------------------------------------
C. Identity Theft Clearinghouse--Launched Online
The Identity Theft Act authorized the Commission to establish a
central repository of consumer complaints about identity theft, and
refer appropriate cases to law enforcement for prosecution. The
Identity Theft Complaint Database, which was activated in November
1999, provides specific investigative material for law enforcement and
larger, trend-based information providing insight to both private and
public sector partners on ways to reduce the incidence of identity
theft. Currently, the Clearinghouse contains the data from consumers
who contact the FTC through the toll free number or website. We are
pursuing ways to collect complaint data from other agencies and private
sector entities to allow Clearinghouse users from law enforcement
agencies to see as much complaint data on identity theft as
possible.\11\
---------------------------------------------------------------------------
\11\ Our Consumer Sentinel database, which houses consumer fraud
complaints, receives complaint data from Better Business Bureaus,
consumer outreach organizations and others. We are looking to replicate
this approach with identity theft complaints.
---------------------------------------------------------------------------
With a database as rich as we envision the Clearinghouse becoming,
we can and do refer cases for potential prosecution. To maximize use of
the data, we now provide law enforcement partners with direct access to
the Clearinghouse through Consumer Sentinel, our secure website for
sharing complaints and other information with consumer protection law
enforcers. Starting this month, law enforcement and appropriate
regulatory offices can access the Clearinghouse through their desktop
personal computers. This access enables them to readily and easily spot
identity theft problems in their own backyards, and to coordinate with
other law enforcement officers where the database reveals common
schemes or perpetrators. The FTC will continue to comb through the data
to spot cases for referral, but has also enabled others to use the data
to ferret out the bad actors for prosecution.
The Identity Theft Act also authorized the Commission to share
complaint data with appropriate entities,'' \12\ including specifically
the three major consumer reporting agencies and others in the financial
services industry.\13\ The Commission does not envision providing
access to the complete database for these private sector entities.
Unfettered access could interfere with law enforcement efforts. FTC
data analysts can, however, identify patterns that reveal a business or
business practice that exposes consumers to a high risk of identity
theft. We will forward appropriate information about these complaints
to the entities involved so they can evaluate and revise those
practices.\14\ Similarly, we plan to share limited complaint data with
a business if data reveal that that business fails to respond to
legitimate consumer complaints about identity theft or frustrates their
efforts to correct misinformation on their credit reports.
---------------------------------------------------------------------------
\12\ The Identity Theft Assumption and Deterrence Act provides, in
pertinent part, ``the Federal Trade Commission shall establish
procedures to * * * refer [identity theft] complaints * * * to
appropriate entities, which may include referral to * * * the 3 major
national consumer reporting agencies.'' 18 U.S.C. Sec. 1028 (note).
\13\ The unique role of the consumer reporting agencies in
resolving the problems of identity theft victims is discussed below.
\14\ S. 2328, introduced by Senator Feinstein, Chairman Kyl and
Senator Grassley of this Subcommittee, identifies a set of best
practices that would minimize consumers' exposure to identity theft.
For example, S. 2328 would require that creditors notify consumers if
they receive a change of address notification.
---------------------------------------------------------------------------
II. WHAT THE CLEARINGHOUSE TELLS US ABOUT IDENTITY THEFT
The Identity Theft Act recognized the importance of creating a
single repository for identity theft complaints. Accordingly, the
Commission established the Identity Theft Clearinghouse to collect and
consolidate these complaints. We are already seeing the fruits of this
effort. Our basic complaint data show that the most common forms of
identity theft reported during the first seven months of operation
were:
Credit Card Fraud.--Approximately 54 percent of consumers
reported credit card fraud--i.e., a credit card account opened in their
name or a ``takeover'' of their existing credit card account;
Communications Services.--Approximately 26 percent
reported that the identity thief opened up telephone, cellular, or
other utility service in their name;
Bank Fraud.--Approximately 16 percent reported that a
checking or savings account had been opened in their name, and/or that
fraudulent checks had been written; and
Fraudulent Loans.--Approximately 11 percent reported that
the identity thief obtained a loan, such as a car loan, in their name.
Not surprisingly, the states with the largest populations account
for the largest numbers of complainants and suspects. California, New
York, Florida, Texas, and Illinois, in descending order, represent the
states with the highest number of complainants.\15\ About 55 percent of
victims calling the identity theft hotline report their age. Of these,
40 percent fall between the 30 and 44 years of age. Approximately 26
percent are between age 45 and 64, and another 25 percent are between
age 19 and 29. About 7 percent of those reporting their ages are 65 and
over; and slightly over 2 percent are age 18 and under.
---------------------------------------------------------------------------
\15\ Texas and Illinois had an equal number of complaints.
---------------------------------------------------------------------------
The data also reveal information about the perpetrators. Almost 60
percent of the caller-complainants provided some identifying
information about the identity thief, such as a name, address, or phone
number. More than one quarter of those victims reported that they
personally knew the suspect. We also are assessing the data on the
monetary impact of this theft. Some complainants provided estimates of
the dollar amounts obtained by the thief, because they have received
the resulting bills or been notified of the resulting bad debts. The
range of dollar amounts reported varies widely, with approximately 34
percent of complainants reporting theft of under $1,000; approximately
35 percent of complainants reporting theft totaling between $1,000 and
$5,000, approximately 13 percent of complainants reporting theft
totaling between $5,000 and $10,000, and approximately 18 percent of
complainants reporting theft of over $10,000.
Consumers also report the harm to their reputation or daily life.
The most common non-monetary harm reported by consumers is damage to
their credit report through derogatory, inaccurate information. The
negative credit information leads to the other problems most commonly
reported by victims, including loan denials, bounced checks, and
rejection of credit cards. Identity theft victims also report repeated
contacts by debt collectors for the bad debt incurred by the identity
thief. Many consumers report that they have to spend significant
amounts of time resolving the problems caused by identity theft.
The Clearinghouse data also reveal that consumers are often
dissatisfied with the consumer reporting agencies. The leading
complaints by identity theft victims against the consumer reporting
agencies are that they provide inadequate assistance over the phone, or
that they will not reinvestigate or correct an inaccurate entry in the
consumer's credit report. In one fairly typical case, a consumer
reported that two years after initially notifying the consumer
reporting agencies of the identity theft, following up with them
numerous times by phone, and sending several copies of documents that
they requested, the suspect's address and other inaccurate information
continues to appear on her credit report. In another case, although the
consumer has sent documents requested by the consumer reporting agency
three separate times the consumer reporting agency involved still
claims that it has not received the information.
Consumers also report problems with the institutions that provided
the credit, goods, or services to the identity thief in the consumer's
name. These institutions often attempt to collect the bad debt from the
victim, or report the bad debt to a consumer reporting agency, even
after the consumer believes that he or she has established the illegal
fraud. Consumers further complain that these institutions' inadequate
or lax security procedures failed to prevent the identity theft in the
first place; customer service or fraud departments were not responsive;
or the companies refused to close or correct the unauthorized accounts
after notification by the consumer.
Callers to the hotline are not limited to identity theft victims.
Indeed, approximately 36 percent of the callers simply requested
information on identity theft. Many felt they were vulnerable to
identity theft because, for example, their wallets had recently been
lost or stolen (23 percent); someone had attempted to open an account
in their name (19 percent); or they had given out their personal
information to someone they did not know (7 percent).\16\
---------------------------------------------------------------------------
\16\ Our data analysis covers the period from November 1, 1999
through May 31, 2000.
---------------------------------------------------------------------------
III. NEXT STEPS
The Commission has made great strides in assisting consumers and
law enforcement to combat identity theft, but recognizes that much
remains to be done. As mentioned earlier, the Identity Theft Act
authorizes the Commission to refer consumer identity theft complaints
and information to the three major national consumer reporting agencies
and other appropriate entities. The Commission envisions a streamlined
process that would decrease the amount of time spent by consumer
victims correcting credit report errors. Paramount among these efforts
would be the ability of a consumer to make a single call to report him
or herself as a victim of identity theft to the FTC or one of the three
major national consumer reporting agencies, and to have a fraud alert
posted on the credit reports from each of the reporting agencies.
Currently, a victim of identity theft must notify each of the three
national consumer reporting agencies separately, and then typically
make additional calls to the FTC and to all creditors. The Commission
looks forward to working with the three major national consumer
reporting agencies to develop a complementary process to allow identity
theft victims to share the details of their complaints simultaneously
with the FTC and the national consumer reporting agencies.
Further, the Commission will soon begin sharing certain limited
information from its Identity Theft Clearinghouse with businesses whose
practices are frequently associated with identity theft complaints. Our
goal is to encourage and enable industry and individual companies to
develop better fraud prevention practices and consumer assistance
techniques. To that end, the Commission, in conjunction with the
Department of Treasury and the other federal agencies who participated
in the Identity Theft Summit, will convene a workshop for law
enforcement and industry on Identity Theft victim assistance and
prevention in the fall of 2000.
IV. CONCLUSION
The Identity Theft Clearinghouse, our toll free number, and the
consumer education campaign have helped us begin to address the serious
problems associated with identity theft. Heightened awareness by
consumers and businesses will also help reduce the occurrences of this
fraud. We look forward to continued collaboration and cooperation in
these efforts. The FTC also looks forward to working with the
Subcommittee to find ways to prevent this crime and to assist its
victims.
Senator Kyl. Thank you very much, Ms. Bernstein. That is a
great update, and it shows both what is happening as a result
of our legislation and what more needs to be done, exactly what
we are all about here this morning.
Mr. Huse, thank you for being here.
STATEMENT OF JAMES G. HUSE, JR.
Mr. Huse. Thank you, Mr. Chairman, Senator Feinstein. I
want to thank you both for holding this hearing which focuses
on the victims of identity fraud. While it is the victims for
whom the Identity Theft Act was originally passed, and for whom
we are all working to stem the tide of identity theft, it is
also the victims whose plight is sometimes overlooked in the
day-to-day business of enacting and enforcing these laws.
We are each faced with a challenge in combatting identity
theft and protecting its victims. The challenge facing my
office is to reduce the number of victims by preventing these
crimes in the first instance, and punishing their perpetrators
when they do occur. The challenge facing the Congress is to
provide offices such as mine with the necessary tools to do so
successfully.
The importance of meeting these challenges was evident in a
survey reported in the June 13 issue of Investor's Business
Daily, in which the Chubb Group of insurance companies found
that 44 percent of 1,000 Americans polled had been victims of
identity fraud. This is a staggering statistic, but one which
is not surprising, as even at its simplest level the use of a
Social Security number to commit identity fraud leaves a trail
of victims in its wake.
Let me tell you about Waverly Burns, a Supplemental
Security Income recipient from Milwaukee whose story I have
used in the past as a classic identity fraud illustration. Mr.
Burns stole another person's SSN and used it to secure
employment as a cleaning crew supervisor. By hiding his work
behind this new identity, he could continue to draw his SSI
benefits under his own Social Security number. He went on to
steal over $80,000 in computer equipment from the Wisconsin
Supreme Court, obtained a State of Wisconsin identity card
using the stolen SSN, opened bank accounts in the name of his
victim, and filed fraudulent tax returns.
Our special agents arrested Mr. Burns in Chicago. He was
sentenced to 21 months in prison and ordered to pay over
$62,000 in restitution, including the full amount of benefits
fraudulently obtained from SSA. Mr. Burns' case illustrates not
only the central role of the SSN in identity theft crimes, but
how a single such crime can have multiple victims. In Mr.
Burns' case, the victims included the Social Security
Administration, the Wisconsin Supreme Court, the financial
institutions involved, the Internal Revenue Service, the State
of Wisconsin, and the proper owner of the Social Security
number.
In all likelihood, other ancillary victims included credit
reporting agencies and other members of the public, including
each of us in this room, who will have to bear the costs of Mr.
Burns' misdeeds. Identity theft is a crime in which we are all
victims.
My office employs an investigative staff of fewer than 300,
and our primary responsibility must be to the programs and
operations of the Social Security Administration. We alone
cannot hope to stem the tide of SSN misuse and identity fraud.
We are, however, taking every step we can in that direction.
A year ago, our Office of Investigations launched an SSN
misuse pilot project in five cities across the Nation, working
jointly with Federal and State law enforcement agencies to
target perpetrators of identity crimes and SSN misuse. By
joining forces with other law enforcement agencies in a task
force environment, we were able to pool resources and share
information aimed at fighting identity fraud.
Some of the accomplishments of those offices and the steps
they are taking to aid identity theft victims are discussed in
my written testimony, but already the pilot projects have been
an unparalleled success. In their first year, 197
investigations have been opened resulting in 61 convictions.
U.S. attorneys' offices and outside law enforcement entities
have enthusiastically welcomed these pilots and have thanked us
for taking the investigative lead.
Because of the increased role that the Internet is playing
in SSN misuse and identity theft, we have expanded the scope of
these pilots to include the sale of Social Security cards over
the Internet. Using undercover purchases of Social Security
cards, we can determine which vendors actually provide buyers
with fraudulent documents and which merely take the money and
run. We are very optimistic that we will be able to shut down
several important Internet distributors of false identification
documents through this initiative.
On the other side of e-commerce, we have recently launched
another operation targeted not at those who sell false
identification documents over the Internet, but at those who
buy them. This effort has two goals. First, we can locate and
stop those who purchase counterfeit Social Security cards that
might be used in identity theft crimes. And, second, it will
enable us for the first time to determine both the scope of
Internet trafficking in false identification documents and the
many ways one can use a false SSN.
Our efforts have been considerable and are aimed at
maximizing the impact of limited resources through
collaborative efforts with other agencies, particularly the
Federal Trade Commission. Still, I would be remiss if I did not
point out that there still exists a legislative void that to
some extent fosters the misuse of SSN's for purposes of
identity theft.
Senate bill 2328, introduced by Senator Feinstein, together
with you, Mr. Chairman, and Senator Grassley; Senate bill 2554,
introduced by Senator Gregg, together with Senator Dodd; and
Senator Feinstein's amendment to Senate bill 2448, which would
prohibit the sale of Social Security numbers, all represent
significant steps in the right direction.
Together, these bills create front-end limits on the use of
Social Security numbers, and authorize criminal and civil
sanctions and administrative penalties when violations occur.
My staff would be happy to assist you in combining all of this
legislation into a comprehensive bill that would enable us to
bring the full authority of the U.S. Government to bear against
those who would buy, sell, or otherwise misuse SSN's.
I welcome your interest in filling this legislative void,
one aspect of which was the subject of a recent op ed column by
the distinguished New York Times columnist William Safire, in
which he expressed shock that no law prohibited compelling an
individual to disclose his or her SSN. I am no less concerned
than Mr. Safire that this and other acts, such as the sale,
purchase, and public display of SSN's, remain legal. My office
shares your concern for the victims of identity theft and is
committed to providing those victims with the surest form of
assistance, ensuring that the crime never occurs in the first
place.
I welcome the subcommittee's continued support of our
efforts and would be happy to answer any questions.
[The prepared statement of Mr. Huse follows:]
Prepared Statement of James G. Huse, Jr.
Good Morning Mr. Chairman and members of the Subcommittee. I want
to thank you for holding this hearing on identity theft. Previously our
attention concentrated on the challenges we faced in implementing the
Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft
Act). Today, we focus on ways to prevent identity theft and how
individuals can protect themselves from this crime, or if already
victimized, repair the damage that has been done. Too little attention
has been paid to the victims of this increasingly prevalent crime and
there are other witnesses appearing today who can address the personal
aspects of identity theft. My office is committed to ensuring that this
type of crime is prevented, and if not prevented, then detected and
sent forward for prosecution.
SSN misuse and the crime of identity theft are becoming so
pervasive in our society, that it has become the subject of polls and
an issue in the current presidential campaign. A June 13, 2000 article
in Investor's Business Daily reported that an identity theft survey by
the Chubb Group of Insurance Companies showed that 44 percent of those
polled had been victims of identity theft. In fiscal year 1999, our
Fraud Hotline received over 75,000 allegations with about 62,000 of
these involving SSN misuse. Specifically, 32,000 had SSN misuse
implications involving SSA programs and an additional 30,000
represented SSN misuse with no direct program implications. I am sure
you will agree that these are alarming statistics.
THE EVOLUTION OF THE SSN INTO A TOOL FOR IDENTITY FRAUD
The Social Security number (SSN) is frequently the starting point
for identity theft crimes. The SSN was created 65 years ago for the
sole purpose of tracking the earnings of working Americans in order to
implement and maintain the new Social Security system. The SSN was
never intended to be the de facto national identifier that it has
slowly become. For example, it was not until 1967 that the Department
of Defense adopted the SSN in lieu of a military service number for
identifying Armed Forces personnel. The SSN quickly became an integral
part of enrolling in school, receiving financial assistance, applying
for drivers' licenses; opening bank accounts, applying for credit, and
myriad other activities. Today, Americans are asked for their Social
Security number as a part of any number of transactions in both the
public and private sectors. The SSN has grown to become one of the most
critical pieces of personal information.
REASONS BEHIND THE INCREASE IN SSN MISUSE
Perhaps the most obvious reason for the increase in SSN misuse is
because people come from all over the world to take advantage of our
free enterprise system. There are no realistic numbers available on how
many tourists, students, and migrants remain in this country after
their visas expire and work under a false SSN. The popularity and
availability of the Internet in this day and age provides for an
international marketplace for the sale of SSN's and if one is
enterprising a new identity.
CRIMES COMMITTED WITH FRAUDULENT SSN'S
We have only begun to scratch the service in discovering the
innovative ways in which the SSN is used to commit identity theft
crimes. The most obvious example is the assumption of another person's
name and SSN for purposes of committing simple financial crimes--
today's version of the wild west bank robberies.
For example, our Special Agents, working as part of the Delaware
Financial Crimes task force, investigated Zaid Gbolahan Jinadu as he
schemed to defraud several federally insured financial institutions. He
solicited the assistance of bank employees to obtain SSN's and other
identifying data to open fraudulent credit card and bank accounts.
These compromised employees also helped him to take over current
accounts, make fraudulent wire transfers, receive cash advances, and
negotiate numerous checks. Mr. Jinadu was indicted by a Federal grand
jury in the District of Delaware on October 26, 1999 on four counts:
one of bank fraud, one of identity theft, one of fraud in connection
with access devices, and one of SSN misuse. On December 20, 1999, Mr.
Jinadu and his co-defendants entered a guilty plea to the bank fraud
and identity theft counts. Mr. Jinadu is responsible for fraud losses
totaling approximately $281,122. The total known losses to financial
institutions due to the actions of Mr. Jinadu and his claimed
associates over the past 4 years exceeds $4 million.
The use of SSN's to commit identity theft can have a direct impact
on SSA programs. Waverly Burns, a Supplemental Security Income (SSI)
recipient in Milwaukee, stole another person's SSN and used it to
secure employment as a cleaning crew supervisor. By taking on a new
identity, he continued to draw SSI payments based on disability while
also drawing a salary which would disqualify him as a benefit
recipient. Under his new identity, Mr. Burns stole over $80,000 in
computer equipment from the offices of the Wisconsin Supreme Court,
used the stolen SSN to obtain a State of Wisconsin identity card, to
open bank accounts in the victim's name, and filed fraudulent tax
returns. Office of the Inspector General (OIG) Special Agents arrested
Mr. Burns in Chicago. He was sentenced to 21 months in prison and
ordered to pay over $62,000, including the full amount of benefits
fraudulently obtained from SSA.
Mr. Burns' case illustrates how identity theft through the use of
SSN's can have many victims--in his case SSA, the Wisconsin Supreme
Court, the financial institutions, the Internal Revenue Service, the
State of Wisconsin, and the proper owner of the SSN were all victims.
In all likelihood, other ancillary victims included credit reporting
bureaus and other members of the public who will have to bear the cost
of Mr. Burns' misdeeds. Identity Theft is a crime in which we are all
victims.
These examples show how the SSN is at the core of assuming the
identity of another or establishing wholly fictitious identities.
Unscrupulous individuals can hide behind either while committing a
broad range of crimes. I would like to inform you of the initiatives
this office has taken and how we expect to keep pace, if not a step
ahead, of this escalating problem.
EXISTING AND FUTURE INITIATIVES
The OIG's efforts in combating the use of SSN's to commit identity
theft crimes is widespread, but our small investigative staff, whose
primary responsibility must be to the programs and operations of the
Social Security Administration, cannot hope to stem the tide. This is
not to say, however, that we are not taking all available steps in that
direction. A year ago, our Office of Investigations launched an SSN
misuse pilot project in five cities across the Nation, working jointly
with Federal and State law enforcement agencies to target perpetrators
of identity crimes and SSN misuse. By joining forces with other law
enforcement agencies in a task force environment, we are able to pool
resources and share information aimed at fighting identity fraud. In
St. Louis, we have entered into a Memorandum of Understanding with the
United States Attorney's Office, under which a Federal prosecutor has
been assigned to our task force, facilitating additional prosecutions.
In Cleveland, in addition to its investigatory function, the task force
is developing a letter to inform individuals whose identities have been
compromised of actions they can take to minimize the effects of the
crime. And in Milwaukee, the task force is making presentations to
local law enforcement agencies, educating and sensitizing them to the
array of identity theft crimes.
Pilot projects are in the early stages in two additional cities,
and further expansion is planned. Already, the pilot projects have been
an unparalleled success; in the first year we have opened 197
investigations which have already resulted in 61 convictions. United
States Attorneys' Offices and outside law enforcement entities have
enthusiastically welcomed such pilots and have thanked our office for
taking the investigative lead.
Because of the increasing role that the Internet is playing in SSN
misuse and identity theft, we have expanded the scope of these pilots
to initiate programs in this area. Specifically they are investigating
the sale of Social Security cards over the Internet. Using undercover
purchases of Social Security cards, we can determine which vendors
actually provide the documents and which ones take the money and run.
Under either scenario, working with Federal, State and local
authorities allows us to take action that extends beyond our stated
mission of SSA program fraud and will prevent the conduct of identity
theft crimes. We are very optimistic that we will be able to shut down
several important Internet distributors of false identification
documents.
On the other side of e-commerce, we started another operation
targeted not at those who sell false identification documents over the
Internet, but at those who buy them. This effort has two goals. First,
we can locate and stop those who purchase counterfeit Social Security
cards that might be used in identity theft crimes. Second, it will
enable us, for the first time, to determine both the scope of Internet
trafficking in false identification documents and the many ways one can
use a false SSN.
THE NEED FOR LEGISLATION
While our efforts have been considerable, and are aimed at
maximizing the impact of limited resources through collaborative
efforts with other agencies, I would be remiss if I did not point out
that there still exists a legislative void that, to some extent,
fosters the misuse of SSN's for purposes of Identity Theft. Senate Bill
2328, introduced by Senator Feinstein, together with Senators Kyl and
Grassley, Senate Bill 2554, introduced by Senator Gregg, together with
Senator Dodd, and Senator Feinstein's amendment to Senate Bill 2448,
which would prohibit the sale of Social Security numbers, all represent
significant steps in the right direction. Together, these Bills create
front-end limits on the use of Social Security numbers and authorize
criminal and civil sanctions and administrative penalties when
violations occur. My staff would be happy to assist you in combining
all of this legislation into a comprehensive Bill that would enable us
to bring the full authority of the United States Government to bear
against those who would buy, sell, or otherwise misuse SSN's. Until
there are criminal statutes, civil sanctions, and administrative
penalties available to combat the many forms of SSN misuse that we see
on a daily basis, we are ill equipped to bring this epidemic under
control.
In a recent Op/Ed piece in the New York Times, columnist William
Safire expressed surprise that Federal law does not currently prohibit
the compelled disclosure of SSN's. We should be no less surprised.
CONCLUSION
Because the SSN is instrumental in perpetrating identity theft
crimes this office, by virtue of its congressional mandate, must be a
key player in the fight to control these crimes. The task is made all
the more difficult by the broad range of crimes that fall within the
identity theft category, the new role of the Internet in perpetrating
identity theft, and the difficulty inherent even in determining where
the crime begins, what course it takes, and who is the primary victim.
Nevertheless, we have put in place, and continue to implement,
strategies aimed at both better understanding and combating the use of
SSN's to commit identity fraud crimes. I thank the Subcommittee for
inviting me here today, and for its concern of this very real threat to
every American.
Senator Kyl. Thank you very much, Mr. Huse. Just with
respect to the last point you were making about the monitoring
of the sale and purchase over the Internet of Social Security
numbers, what are the current prohibitions on purchase, as well
as sale, of someone else's Social Security number?
Mr. Huse. There are no current prohibitions on the sale or
purchase of someone's Social Security number at all, and that
is the alarming issue here.
Senator Kyl. And what are the prohibitions on the use of
the Internet to therefore fraudulently sell or purchase
somebody else's Social Security number?
Mr. Huse. Again, Mr. Chairman, there are none.
Senator Kyl. And, finally, a point that I think you just
made, what is the current prohibition on forcing someone to
tell you what their Social Security number is, other than IRS
or Social Security?
Mr. Huse. There are no prohibitions there either.
Senator Kyl. Well, we could say case closed and get to work
on the legislation, but I think that illustrates a very, very
important point, and I appreciate your making that point very
clearly.
Ms. Bernstein, in your testimony, and also before, you
mentioned the practice of skimming, in which identity thieves
use sophisticated devices to intercept personal information on
credit cards and ATM cards. What is being done to combat this
practice, and what could we do to help combat that?
Ms. Bernstein. To the extent that we are able to get
information about those practices--that is, consumers who have
been victimized--and put it in our data base, we are trying to
compile it to get to the appropriate law enforcers in order to
try to make that a part of the criminal conduct; that is, it
would be part of identity theft. It would be one way in which
the thief could obtain the necessary information to pursue the
identity. There is no specific prohibition that I know of in
the criminal laws that makes that a specific crime, and it
perhaps could be addressed in legislation to make it more
specific.
Senator Kyl. Right. Could you describe the practice
specifically for those who hadn't heard your previous
testimony?
Ms. Bernstein. Well, at least from our anecdotal evidence
that we have gathered from the complaint data, they have
techniques of observing when you use your credit card to enter
the ATM or to use your other information that may be observable
by a thief.
For example, your telephone credit card has been used very
widely to begin the process of reconstructing your identity by
someone looking over your shoulder in an airport lounge, for
example. It was widely used until people became aware of it. It
still is an entry point for people because, from that number,
often through other data bases you can begin to compile all the
additional information that you need in order to be ``Senator
Kyl'' and enter either your other credit or your bank account.
Senator Kyl. Just as an aside, I serve on the Intelligence
Committee and it is amazing to me how completely information
about someone or something can be reconstructed starting with
just one number, a telephone number, a Social Security number,
a birth certificate, whatever it might be.
There are so many different entities in the country that
have access to different kinds of data, now that we have the
Internet, that it can be done literally with a click, as you
point out. That is why we are trying to identify the different
kinds of entry points, the places where there could be a crime
committed, especially where it is not yet a crime and we may
need to consider making it such. So, that is another area, in
addition to those that I talked to Mr. Huse about.
Just one more thing, you have talked about novelty Social
Security cards. Talk a little bit about that and just explain
the phenomenon to the subcommittee, if you would.
Mr. Huse. Well, Mr. Chairman, on the Internet there are
many companies that sell false identification documents. They
call them novelties. There is a disclaimer, if you purchase
these, when they arrive at your home. They could be anything.
There is nothing that can't be counterfeited today. With the
State of the art in terms of desktop publishing and computer
graphics, you can counterfeit anything. So they can replicate
any kind of a document, certificate, diploma. It makes no
difference.
These arrive at your home, if you purchase them over these
sites, with little pull-off stickers. The stickers, of course,
say ``this is a novelty, not to be used for identification.''
That, of course, covers the entity that is selling these, but
there is a plethora of these on the Net. I mean, you can become
anything you want today.
Senator Kyl. Well, obviously, we will have to look into how
to try to define around those kinds of techniques of avoiding a
criminal situation, and we will have to work with you very
carefully on doing that, I am sure.
Senator Feinstein.
Senator Feinstein. Mr. Chairman, when I introduced the
Social Security bill, and it was S. 2699, it went to Finance,
where it has sat. Then I introduced the amendment to 2448 that
Mr. Huse spoke about. That is an amendment to the Hatch Cyber
Crime bill, and the Social Security bill was redrafted to
involve Justice so that it could come to this committee.
I am trying to think of a way to at least control the
Social Security number as kind of a first step because that is
so much in the Federal domain. I would be interested in any of
your views in that regard. I think maybe just to stay with the
amendment to the Hatch Cyber Crime bill, put that on the Hatch
bill, if he will have us.
Senator Kyl. He will have us, I am sure. Yes, we will work
together to make this happen.
Senator Feinstein. All right, good. That is great.
Let me ask this question. With respect to the Internet, do
either one of you have any views on the opt-in versus opt-out
issue? Every time I discuss this, at least, with Silicon Valley
people, it always comes down to opt-in versus opt-out.
Ms. Bernstein. I could just offer a little bit of
experience we have had, Senator, with what I call the Kids Act,
COPA, the Children's Online Protection Act, which the Congress
passed 18 months ago and we have implemented through
rulemaking. It is now in effect. There is a requirement for
verifiable consent for parents before an operator can obtain
any information about an under-age consumer.
Senator Feinstein. So that is an opt-in?
Ms. Bernstein. It is opt-in, and we had a considerable
discussion both before the Act was passed and in the rulemaking
context, and I think have worked out methods by which the
consent can be obtained from parents, and I think it has worked
quite well to date. We are trying to encourage them, and there
have been some efforts to really develop technology that would
make it easier to go opt-in instead of opt-out, because I think
in the end that is probably the only real impediment, is how do
you get it done.
So we have had a positive experience in that area and it
has really worked quite well. So I don't believe that it would
shut down the Internet if you have opt-in for certain kinds of
use or misuse of very sensitive information. Medical/financial,
of course, are generally considered by most Americans as very
sensitive. In other words, you could make some discreet
differences, considering what kind of information was being
obtained or used.
Mr. Huse. I endorse everything that Jodie said, but I would
just like to take it from another tangent. We all know that the
Social Security number has become our own personal identifier
and, in fact, it is the national identifier. We all know it was
never intended to be that, but de facto it has become that.
Since it is synonymous with our name and our own
reputations, I personally believe that the biggest weakness we
have is this consent piece. If we build that in, all the rest
of legitimate commerce can go on. But I think every one of us
should have a personal right to decide whether and how our
financial information that is under the tent of this number,
and all the other uses of the SSN--we should have the right to
yes or no. And I think that is the piece that we really need to
work on. If we could fix that, the rest will follow. So I
agree, opt-in is really the way to go.
Senator Feinstein. So you are saying that the most
important part is the Social Security number. Now, with respect
to the Social Security number, at least in the legislation I
have submitted, there is no opt-in/opt-out. You are prohibited
from using it for commercial purposes----
Mr. Huse. Unless there is opt-in.
Senator Feinstein [continuing]. With certain exceptions,
and the exceptions are very carefully crafted.
Mr. Huse. Right, and I think that is the right way to go.
Senator Feinstein. You think that is the right way to go?
Mr. Huse. I do, because I think that that forces a positive
act on the part of anybody who wants to engage in commerce to
get your permission. I think that part of the victim violation
here is that none of us have any control over this.
Senator Feinstein. In the legislation as it is drafted, and
I believe this is correct, permission isn't part of it with
respect to the Social Security number.
Mr. Huse. No.
Senator Feinstein. It is, with consent. I beg your pardon.
Mr. Huse. That was my understanding.
Senator Feinstein. You were right. I was wrong.
Mr. Huse. That is OK. You are there and I am here.
[Laughter.]
Senator Kyl. If they only knew how frequently we were
wrong. [Laughter.]
I think they do know.
Senator Feinstein. I think they do, too.
Ms. Bernstein. Your secret is safe with us, Senator.
Senator Kyl. Us and C-SPAN, right?
Ms. Bernstein. Yes.
Senator Feinstein. In any event, with Senator Kyl's
enormous help, we may just be able to move that legislation.
Mr. Huse. I think it is really important, I do. It would be
a tremendous step forward.
Senator Kyl. Can I interrupt?
Senator Feinstein. Yes, please.
Senator Kyl. I have also been curious, though, about the
need. If we are going to do this, which seems to me a very big
step in the right direction, as you point out, don't we also
need to make the Social Security card itself as counterfeit-
proof as possible, and what is your view with respect to that?
Obviously, if you protect against one type of theft but it is
very easy to steal it in another way, then you simply move the
people from type A to type B crime.
Mr. Huse. The Senate has been focused on the Social
Security card itself for some time, and the Social Security
Administration has done an extensive study. There are
implications, of course, of improving the current card to a
point where it is more counterfeit-proof, and then we stray
into an area of actually, again, de facto adding more
underpinning to the use of the Social Security number as a
national identifier.
That has policy implications that, you know, is a greater
dialog than what we are talking about here.
Senator Feinstein. Such as, for example?
Mr. Huse. Well, if it becomes a national identifier, then
we have a national identity card and----
Senator Feinstein. But all he was saying is making it
counterfeit-proof. All Senator Kyl was saying--we weren't
getting into anything other than that. I mean, my Social
Security number is on a little piece of cardboard, you know.
Mr. Huse. Sure. But probably the folks who get a card today
have--there have been improvements to that card over time. But
as you add in more security features, then we need to add in a
better business process underpinning that type of a card. There
are tremendous costs involved to shift from the system we have
now to one--would you add a photograph? I mean, there are all
kinds of implications embedded in this that are a broader
discussion.
I think it is a dilemma because we are crossing a line
until this time we have never had to deal with in this country.
But some of it is being driven by technology and it certainly
is worthy of debate, but I don't have the answer right here.
Senator Feinstein. I guess what I understand him saying is
when you go into making it counterfeit-proof, you go into what
you use to make it counterfeit-proof, which ergo expands its
application into a more formal identifier than it is now. I
mean, the number is effectively our national identifier.
Mr. Huse. Right. It is the number, not the card.
Senator Feinstein. But we don't have a national
identification card, per se.
Mr. Huse. No, but by adding this strengthened number to a
better card, we are adding in the ingredients for something I
don't know that you want, or maybe you do. We are right on the
precipice here of an entirely different issue, and that is the
conundrum.
Senator Kyl. But we are there. I am not taking a position
one way or the other, because we had this debate with regard to
the Immigration Act and the possibility of a prototype. We had
a couple of demonstration projects for the purpose for which
Social Security is intended, namely indicating that you have a
number and therefore you are permitted to work in this country.
And even that raised huge questions.
But when we talk about opt-in and opt-out, what are we
talking about? We are talking about opt-in and opt-out of
allowing your number to be used for commercial purposes, OK? We
are there, and so the fact that you make the card tamper-proof
or fraud-proof doesn't force you to use it for commerce. It may
make it easier to use for commerce, but that is again only if
you agree that it be used in commerce, and you are already
being asked whether you will agree to allow your number to be
used in commerce. So we are there.
But, again, that is a subject with much larger implications
than we intended to cover in this hearing. I appreciate your
point about that, and I just asked the question for information
purposes and I think at some point maybe it would be worth
exploring further.
Mr. Huse. Adding any kind of security features to the card,
of course, makes it a better--we are in a better place
enforcing the law. I mean, I can give you a simple answer to
that, too.
Senator Kyl. It doesn't, of necessity, take you into
commercial uses. It simply makes it a better product for
commercial use. Is that correct?
Mr. Huse. Yes, Mr. Chairman.
Senator Kyl. Anything else for this panel?
Senator Feinstein. No, Mr. Chairman.
Senator Kyl. I know we need to move on to the next panel,
so I want to thank both of you again. You have been
tremendously helpful. We really appreciate your testimony.
Mr. Huse. Thank you.
Senator Kyl. I was just trying to determine here a proper
order, and I think just for ease of doing it, if we would start
with Ms. Michelle Suzanne Brown and just move down the table
this way, Beth Givens next, Steve Emmert, and then Stuart
Pratt, that will make an easy transition from one to the other.
I want to thank each of you for being here today as well. We
really appreciate your willingness to share your experiences
with us and we look forward to your testimony.
Michelle Suzanne Brown, why don't you begin?
PANEL CONSISTING OF MICHELLE BROWN, IDENTITY THEFT VICTIM, LOS
ANGELES, CA; BETH GIVENS, DIRECTOR, PRIVACY RIGHTS
CLEARINGHOUSE, SAN DIEGO, CA; STEVEN M. EMMERT, DIRECTOR,
GOVERNMENT AND INDUSTRY AFFAIRS, REED ELSEVIER, INC., AND
LEXIS-NEXIS, AND PRESIDENT, INDIVIDUAL REFERENCE SERVICE GROUP,
WASHINGTON, DC; AND STUART K. PRATT, VICE PRESIDENT, GOVERNMENT
RELATIONS, ASSOCIATED CREDIT BUREAUS, INC., WASHINGTON, DC
STATEMENT OF MICHELLE BROWN
Ms. Brown. Thank you, Senator Kyl, Senator Feinstein. If I
could ask one thing before I speak, I have one request. If we
could redact my middle name from anything of record, is that a
possibility?
Senator Kyl. Absolutely.
Ms. Brown. I don't know where that came from, but I
appreciate that to be suppressed.
I am pleased to be in your presence today, and I genuinely
thank you for the opportunity to elevate the invasive crime
known as identity theft. This is a topic, unfortunately, that I
am intimately familiar with.
My name is Michelle Brown. I am 29 years old and have been
working in the international banking field for the last 7
years. I am an ambitious and hard-working individual. I am
certain that I much like any of your cousins, your nieces, your
daughters, your sisters. I believe that I strongly represent
any average, respectable citizen of the United States.
However, there is one clear-cut issue that separates me
from nearly the rest of the population. I have lived and
breathed the nightmare of identity theft. I will tell you
firsthand this is a devastation beyond any outsider's
comprehension, a nearly unbearable burden that no one should
ever have to suffer.
Imagine establishing credit at age 17 and building a
perfect credit profile over the next 11 years. Imagine working
consistently since age 15 and helping to finance your education
at an accredited university to advance your future success in
life. Imagine never having been in trouble with the law.
Now, imagine the violation you would internalize as you
realize some vile individual you have never met nor wronged has
taken everything you have built up from scratch to grossly use
and abuse your good name and unblemished credit profile. That
is precisely what happened to me.
I discovered this new, blackened reality on January 12,
1999, when a Bank of America representative called me inquiring
about the first payment on a brand new truck which had been
purchased just the previous month. I immediately placed fraud
alerts on my credit reports, canceled all credit cards, and
even placed a fraud alert on my driver's license number. From
that day forward, I unearthed the trail of this menace's
impersonation, and attempted to work with a current faulty
system to protect myself from any further abuse. The system
clearly failed me.
To summarize, over a year-and-a-half, from January 1998
through July 1999, one individual impersonated me to procure
over $50,000 worth of goods and services. Not only did she
damage my credit, but she escalated her crimes to a level that
I never truly expected. She engaged in drug trafficking. This
crime resulted in my erroneous arrest record, a warrant out for
my arrest, and eventually a prison record, when she was booked
under my name as an inmate in a Chicago Federal prison.
The impersonation began with the perpetrator's theft of my
rental application from my landlord's property management
office in January 1998. Immediately, she set up cellular
telephone service, followed by residential telephone and other
utility services, and attempted to obtain time-share financing
and department store credit cards. She was successful in
purchasing a $32,000 truck, had nearly $5,000 worth of
lyposuction performed to her body, and even rented properties
in my name, including signing a year lease.
Not only did this person defraud the Department of Motor
Vehicles by obtaining a driver's license with my name and
number in October 1998, but she even presented herself as me
with this identification to the DEA and before a Federal judge
when she was caught trafficking 3,000 pounds of marijuana in
May 1999. She remained a fugitive for almost 6 months while
still assuming my name, and was finally turned in by an
acquaintance in July 1999.
Months later, after she was already in prison, in September
1999, I was stopped at LAX Customs after returning from a
vacation in Mexico. While I explained my innocence to several
agents in a stream of tears, and as I attempted to clearly
distinguish this Michelle Brown from the other Michelle Brown
with a criminal record, I was blatantly treated with strong
suspicion. I was, as is typical for an identity fraud victim,
guilty until proven innocent. I was finally let go after an
hour, after the police were called to vouch for me.
This situation reinforced my fear that I may be wrongly
identified as the criminal, which could end with my arrest or,
worse yet, being taken into custody and serving time in jail.
After having seen so many inefficiencies and blatant errors in
the system, I feel no assurance, nor can I receive any concrete
evidence from authorities that this type of insane mix-up would
never happen again.
It was tormenting to know someone was, in essence, living
the good life at my expense, and I was left with the taxing
chore of proving my innocence. The restoration of my credit and
my good name was a seemingly never-ending process. I was forced
to make literally thousands of phone calls, fill out various
forms, submit all sorts of documents, and have many documents
notarized.
Without a doubt, I was entirely consumed with the whole
pain-
staking process. I gained nothing from putting over 500 hours
into the chore of restoration. All in all, it was an exhausting
waste of a good person's time and a massive drain on my life
and energy. At one point, I even feared for my safety after I
learned that the perpetrator had been linked with a convicted
murderer. The whole identity fraud experience was by far the
darkest, most challenging and terrifying chapter of my life.
I faced many difficulties in clearing my name, and I still
face the fear that I will forever be linked with her criminal
record. I have encountered widespread inefficiency and general
insensitivity at nearly every turn. I know that there are most
definitely not enough dedicated resources and governmental
authorities to assist victims and to simplify the burdens on
the innocent's life.
Clearly, changes need to be made. The Government not only
needs to promote initiatives to shorten and simplify
restoration of one's name and credit, but also to facilitate
early detection and termination of an abused person's name, and
most importantly to deter criminals from the allure of such an
easy crime by enforcing swift and severe punishment.
I think that Senator Feinstein's Identity Theft Prevention
Act of 2000 is definitely a positive initiative and will put
the legislation in the right direction to fight this crime. I
support the two corresponding bills and recommend the
enforcement of such initiatives.
I came here today because I feel responsible to limit the
abuse of other victims' names. I know how terribly tormenting
it is to be a victim. I am living proof that identity theft is
a very real crime with very real victims and true life-altering
consequences. It is astounding that my life-long discipline to
be a law-abiding citizen and to have the diligence to establish
perfect credit was reversed so easily, so quickly, simply
because I represent the perfect victim in another's eyes.
This crime is clearly on the rise, and no one at this time
is completely protected from becoming the next victim. I
realize the scenario of becoming an identity fraud victim seems
entirely far-fetched and implausible to many of you. I know the
feeling; I was once in your shoes.
I thank you for your time and for the opportunity to
present my story and views today. I hope it is clear now that
many changes need to be effected to the current system to
combat this crime and protect victims. This fact is crystal
clear in my mind.
Thank you.
Senator Kyl. Ms. Brown, thank you very, very much for your
testimony. It is compelling and we appreciate it very much. It
is precisely the kind of sacrifice that you have made to come
here that will help us to prevent this happening to other
people, and you are to be commended for it. Thank you.
Ms. Brown. Thank you.
[The prepared statement of Ms. Brown follows:]
Prepared Statement of Michelle Brown
Mr. Chairman and Members of the Committee, it is my pleasure to
submit testimony to your committee today and hope that my presence will
shed some light on the invasive crime known as Identity Theft.
My name is Michelle Brown, I am 29 years old, and currently reside
in a respectable community in the surrounding area of Los Angeles,
California. I have been gainfully employed in international banking for
the last 7 years since my graduation from a University in California. I
am much like most other hard-working, conscientious individuals, eager
to get ahead in life and to make a respectable living; however, one
thing clearly sets me apart from the rest of the crowd. I have endured
the trying chores of realizing that I have become, and subsequently,
have been painstakingly trying to break free from being, an identity
fraud victim.
It was a scenario I had only previously known through unbelievable
stories painted in Hollywood: someone becomes you, erases your life,
and through their destructive behaviors, complicates your own existence
to an extreme level where you no longer know how to just live day after
day. Your life becomes the life consumed by unraveling the unthinkable
acts that your perpetrator has done in your perceived skin.
I discovered on January 12, 1999, the existence of this shadow
identity that I have been anxiously trying to expel from my life ever
since. To be truthful, I don't think I will ever be able to close the
books entirely on this menace's activities. I dearly wish I could, but
what I know now translates to the fact that I will always be dealing
with this alter reality I am plagued with.
Over the course of a year and a half, my name, personal identifiers
and records were grossly misused to obtain over $50,000 in goods and
services, to rent properties, and to engage in federal criminal
activities--namely drug trafficking. During the course of 1999, I spent
countless sleepless nights and seemingly endless days, dedicating my
valuable time, energy, peace of mind, and what should have been a
normal life, trying to restore my credit and my life.
I filed various statements and affidavits, had documents notarized,
made thousands of phone calls to creditors, governmental authorities,
etc., and continually set in motion the next level of protection for
further follow up and monitoring. I alerted all the proper authorities,
filed all the right papers, made the right phone calls, and diligently
remained actively adamant to restore my perfect credit and my good
name. I would estimate that the time lost toward clearing my credit,
attempting to clear my criminal record, and to sever myself free from
this menacing being, amounted to somewhere in excess of 500 hours of my
time. At the time, the burden seemed like it cost me a lifetime.
In the course of restoring my credit and my name, I realized that I
was victimized by someone without conscience. This person was not a
normal, socially responsible individual and would stop at nothing. In
restoring my name, I discovered the following about her and her
fraudulent activities:
The perpetrator: Heddi Larae Ille, is currently 33 years old, and
thankfully, is serving both state (2 years) and federal (73 months)
prison time for illegal acts she performed while assuming my name. She
is a Caucasian female, standing at about 5 foot 7 inches, weighing
about 200 pounds, brown hair, and brown eyes. I am Caucasian, height 5
foot 9 inches, weight 125 pounds, brown hair, hazel eyes. I believe we
look nothing alike in physical appearance.
January 1998: Just after I filed an application to rent a property,
the perpetrator stole my rental application from my landlord's property
management office. She apparently was at one time an acquaintance of my
landlord's; to this day, I still have never met her and do not know her
in any fashion.
February 1998: Heddi set up a wireless telephone service at my then
current address, and quickly switched the address within less than a
week. After 3 weeks, Pacific Bell deemed this account as fraud and
disconnected the service. Due to their fraud determination, this
account was never alerted to me.
March 1998: Heddi set up residential telephone service at a
property in L.A., which remained on for about 4 months; $1,443 remained
late and unpaid, therefore the service was finally shut off. This
account eventually hit my credit report in the form of a credit inquiry
through a credit bureau. [Of note, I simultaneously had telephone
service in my name for years non-stop through the same provider (GTE);
even though Heddi established the service through the same provider,
with my name, Driver's License Number, and Social Security Number, I
was never alerted of this new account, nor was this account cross-
referred to mine, even as it was in serious delinquency.]
July 1998: Heddi attempted to obtain timeshare financing. The
application was never activated, and when I spoke to the timeshare
financing company, they did not have a ``Fraud'' division set up and
could not tell me what happened with the application. I was later
informed that she was required to serve 45 days in jail (on a separate
fraud charge) shortly after the application was filed; likely this is
the reason nothing had been pursued.
July 1998: Heddi attempted to get a credit card through Target (a
``home/everything'' type store); the application was denied.
August and September 1998: Heddi served 45 days in jail.
October 1998: Heddi got a duplicate drivers license at a Fullerton,
CA Department of Motor Vehicles, in my name, my drivers' license
number, but an alternate address, and with her picture. The DMV issued
the duplicate, even though at the time, she weighed 40 pounds more than
me and was two inches shorter, and completely different in physical
appearance. The requirement of her fingerprint enabled the authorities
to clearly distinguish our different identities and made things much
easier for me to clear my credit, and to clearly establish the fact
that I was the victim of identity fraud and impersonation.
October 1998: Heddi rented a property in San Diego, CA, in my name,
set up utilities, and shortly thereafter vacated.
October 1998: Heddi signed a year lease at another property in San
Diego, in my name.
December 1998: Heddi filed applications for and received the
following: a $32,000 2000 Quad Cab D2500 Dodge Ram Pick-Up (zero down
lease), and $4,800 worth of liposuction in Long Beach, CA (she paid
$1,400; the rest was financed through a line of credit established in
my name).
January 12, 1999: I received a message at home from a Bank of
America representative inquiring about the new Dodge pick up. I
returned the call to tell them they had the wrong person and I knew
nothing of the truck. They explained they must have the wrong Michelle
Brown, all the numbers listed on the application were not working, and
a previous address was listed in my city; so they reached me via my 411
listing. I asked them for the SSN to ensure it wasn't mine, they
couldn't release it; I gave them mine and they told me that was in fact
the one used on the application.
January 12, 1999: I instantly put fraud alerts on all credit
reporting agencies, filed a police report, cancelled all of my credit
cards, put heightened security on all bank accounts, called the DMV to
find out if a duplicate drivers license was issued (it had been) and
subsequently put a ``pink flag'' fraud alert on my License number.
Subsequently filed another local police report, called the Postmaster,
Social Security Agency, U.S. Passport Agency, etc., and the nightmare
continued with each and every passing day.
Mid-January 1999: The Police Detective I was working with gets her
pager number, pages her, and has a conversation with her. After she
identifies herself as me when she returned the page, he tells her he
knows that she really is Heddi Ille, and to turn herself in the next
day. She agrees. Two subsequent times in the next week, she requests
more time to turn herself in. Within the next week, the Detective
issues a warrant out for her arrest and attaches required bond set at
$750,000.
May 1999: Heddi is arrested in Texas for smuggling 3,000 pounds of
marijuana, she identifies herself as me to the DEA and to a federal
magistrate. The arrest is recorded in my name, ``I'' am subsequently
named in the criminal complaint, and listed as the DEA's informant. She
was somehow set free even though my name and Drivers' License number
was flagged with fraud since January 1999. I know nothing of her
criminal activities at this time.
June 1999: Through my landlord's property manager, I was told that
they heard through one of Heddi's acquaintances that there was a
warrant out for my arrest somewhere in Texas. Since I was going out of
the country on vacation within 2 weeks, I asked the detective to write
a letter explaining the circumstances and my innocence. I also had the
police run my information in databases to tell what city/county the
warrant was in, and tell me how to clear it prior to my vacation. No
positive responses were found; I assumed it was a local county
warrant--it was a federal felony warrant as I found out in July when
she was arrested.
July 1999: Heddi called an acquaintance of hers while she was in a
suicidal state, and they turned her in. She identified herself as me
even still as the police came to her hotel door. She was found with
drugs in her possession, credit cards that had been melded down and re-
imprinted with my name, and her CDL in my name. She was brought in on
13 criminal counts.
September 1999: Returning from a trip to Cabo San Lucas, I was held
at LAX's Customs and Immigration for an hour while I explained the
circumstances of my erroneous link with her criminal record (after my
passport was swiped in the computer). As I presented endless
documentation of court records, police filings, etc., and explained my
situation in a stream of tears, I knew then that I had become
erroneously linked with Heddi's criminal record. The agents questioned
my story and documentation, and treated me very suspiciously--like I
was the criminal. After the Police Detective was called and vouched for
me, I was allowed to leave. I feared being arrested or being taken into
custody. I found out later that, even though Heddi had already been in
police custody at a jail since July, the DEA posted a lookout for
``me'' in the system. They neglected to let me know that I might want
to be prepared for this type of confusion at any time.
September 1999: Heddi is convicted of 3 felony counts (perjury,
grand theft, and possession of stolen property) at the state level at 2
years each, which she is serving simultaneously. Note that the specific
charge for identity theft/impersonation was not a charge that she was
actually convicted of.
October/November 1999: Heddi is transferred to the Chicago Federal
Prison and they book her as an inmate in my name. She even addressed
outgoing letters from the Federal Prison using my name in the return
address. Needless to say, I was furious. When I called the DA, they
told me they would have this corrected. I was told subsequently that it
was corrected; however, they could never provide me proof of this in
writing as I requested.
June 2000: Heddi is sentenced to 73 months in federal prison for
possession with intent to distribute 3,000 pounds of marijuana, with an
enhanced sentence for lying to a federal magistrate. She received a
reduced sentence from the pre-determined 110 months because she
provided assistance to the government. [I believe she was tied to a
major drug smuggling ring. Even though my name was used, I was never
privy to details of her crime; however, I was informed that there were
several defendants in this case.]
Through the course of uncovering her trail and waiting for her to
be caught, I honestly believed that the victimization would never end,
that I would never become whole again as the true ``Michelle Brown.''
My world had become a living nightmare. I personally was affected
extremely: I was significantly distracted at a job that I had just
started three weeks prior to the day of discovery, I suffered from a
nearly non-existent appetite, very little sleep, and was consumed with
the ferocious chore of restoring my name and attempting to quell any
future abuse. I lost identification with the person I really was inside
and shut myself out of social functions because of the negativity this
caused on my life. I know that a very meaningful 3 year relationship
with my then boyfriend suffered dearly because of the affect this
traumatic chapter of my life had on me--the relationship ended about 4
months later.
No words will ever be strong enough to completely convince others
what this period was like, filled with terror, aggravation, unceasing
anger and frustration as I woke every day (since my discovery of the
identity fraud in January 1999) with emotionally charged, livid angst.
I unceasingly was forced to view life through a clouded reality, one
seriously altered by a horrendous individual who committed a series of
unforgivable acts in my name. The existence of Heddi has robbed me of
the normal life I have strived for and entirely deserve. My life should
be one in which I, and I only, should be the only one being held
responsible and accountable for my personal credit history and what
should be, a lack of a criminal history.
For me, the most personally frightening moment was dealing with
LAX's Customs and fearing an erroneous arrest. Because of this
situation, I purposely have NOT gone out of the country for fear of
some mishap, confusion, language barrier, that may land me in prison
for some unknown period of time. I do not deserve to be in this
predicament and do not deserve to feel imprisoned by the U.S. Borders.
I still fear what might happen as I cross the U.S. Border and I cannot
get assurance from any governmental agency that this situation will
never happen again.
Identity fraud (especially those cases escalated to a criminal
level) leaves a very dark and filthy cloud around the victim. Although
I am the free Michelle Brown, living what may on the surface seem to be
a normal life with freedom on the streets, I have never deserved less
than that: a normal life, one free of the ill effects of a heinous
individual who deliberately and unabashedly used and abused my world
that I had always been so careful to create and maintain. I am a law-
abiding, good natured and caring individual, contributing through
legitimate business and upstanding citizenship, who never deserved to
be haunted with this naggingly irritating air Heddi has shadowed me
with.
Clearly many preventive measures and protective procedures need to
be enforced to prevent such a horrendous crime from being so easy and
attractive for a perpetrator to facilitate. Below I've attached a list
of items highlighting some of the weaknesses I see with the current
system.
I thank you for your time and consideration and hope that my case
can provide you with the awareness that this is truly a real crime,
with real victims, and dire life-altering consequences attached.
______
Attachment 1
During the course of the restoration of my credit and my personal
records, including criminal associations, I can identify the following
faults in the current system:
There should be a better system to clearly verify the innocent's
residency for the past.--Creditors and the credit reporting agencies
require various statements to prove residency over the course of time
(when services were actually established). The types of documents they
require as proof(s) of residency were rarely consistent with each
other. Additionally, most people do not keep old statements. How is one
to prepare for the occasion that you would have to prove residency for
any time period? I happen to keep all of my old credit card statements,
some utility bills, and most phone bills which allowed me to provide
sufficient documentation. I doubt the common citizen retains the same
level of credit card statements, utility bills, etc.
There should be a standardized form that would suffice to send to
all parties that were victims of extending credit, extending
identification/documentation of identity (Department of Motor Vehicles
for licenses, passport agencies), and reporting on these items (credit
reporting agencies).--To clear fraudulent items, I was asked to fill
out various forms from one creditor to the next, which is very time
consuming.
Credit restoration (at the credit reporting agencies) is rarely
timely, efficient, or effective.--Even though the fraudulent accounts
were erased from my credit reports, some items mysteriously resurfaced
months later. Also, several fraudulent inquiries still remain on my
Trans Union report despite repetitive efforts with both the creditors
and the credit reporting agency to clear these items.
Credit Monitoring Services should be provided free to victims of
identity fraud for several years.--I still need to monitor my credit
even though the perpetrator is in prison (she could use it again or
could have sold it off, etc). I continually call to ensure that neither
new inquiries nor accounts have been opened fraudulently. I also need
to ensure that my fraud statement remains attached to each credit
report. Many victims are re-victimized after the fraud alert expires on
their credit reports. This will always be a necessity despite the
appearance of a fraud alert tagged to each of the three credit
reporting agencies' reports, especially in the event a merchant does
not comply with the fraud instructions to contact the victim
telephonically.
Identity fraud victims should always be able to speak to a live
person at the credit reporting agencies.--As the attachment of a fraud
alert if the first level of prevention once someone has learned of
their victimization, it is a necessity to attach this as soon as
possible. This was the first means of comfort to me that I could take
this measure and discuss my situation with someone more familiar with
the situation. However, in subsequent calls to the credit reporting
agencies, I had discovered that often the call went straight to an
automated call receipt system with inadequate options. It would have
been quite unnerving if my first call to alert them of fraud had been
funneled to an answering machine where you are asked to leave your
name, number, social security number, etc., rather than speaking to a
live individual who can better instruct you and understand your crisis.
Authorities are not always sensitive to this type of crime.--When I
spoke to an LAPD, I was told blatantly not to file a report in their
office because they didn't want such an enormous case on their hands.
The DMV was also not sensitive to my case and was in fact accusatory:
they suggested that I was lying about someone getting a duplicate CDL
in my name, despite the fact that I had just spoken with another
employee who verified this for me. I was guilty until proven innocent--
like most identity fraud victims are treated time and time again.
In each Police Department, there should be an established Task
Force to which calls of Identity Fraud nature should be referred, where
expertise in this arena and sensitivity to the victim would be highly
appreciated.--On filing my first police report, I was told to file a
report in the county where the crime was committed. The first thing I
was alerted to was the truck purchase, which took place somewhere over
100 miles away from me in San Diego. Additionally, the officer I
initially spoke to in San Diego mistakenly thought that I should
collect all of the necessary paperwork and bring it to the San Diego
Police Department. Not only would this have been a major inconvenience,
but legally, I did not even have access to this ``proof:'' the
application for the $32,000 loan, copies of the perpetrators' drivers
license, etc. My feeling is that Law Enforcement Officers are not
trained to handle these types of calls and do not know the procedures.
The fraud alert posted on my driver's license in January 1999
obviously was not effective: either the various systems should be able
to share this information across the state borders, or the DMV should
be more careful about what they are telling victims.--What I understood
created a false sense of security for me. Had this fraud alert worked,
I would not be linked with: the perpetrator's arrest record, the
criminal complaint, the warrant out for her arrest, nor would I have
been detained at LAX's Customs and Immigration.
There are neither enough resources nor expertise dedicated to this
crime in general, and government information sharing across state lines
is poor.--I was highly frustrated by the length of time it took to
finally catch Heddi; when she was finally taken into custody, it was
not because of the diligence of the police, it was because she was
turned in. Also, it amazes me that she was actually arrested in Texas
in my name, taken into custody, and released even though California
records were flagged to show that someone was using my name and to be
on the look out. Clearly the current system and procedures failed
horribly and are not adequate at this time.
There need to be clear cut procedures and evidence provided to the
victim to break a victim free of an impersonator's crimes.--Authorities
cannot provide assurance that I am now cleared of hassles with the law,
Customs/Immigration, etc. In fact, I am told that I will always be
linked with Heddi's criminal record because I'm her A.K.A, meaning that
I will likely be questioned any time that my name and identifiers are
run in government systems. This is an enormous, haunting burden on a
victim, who has clearly already suffered enough. I believe the
government does not have solid procedures on how to de-link a victim
from its perpetrator, and they are uncertain of the flow of
information. I feel like I'm testing the system as if I'm walking
through a minefield.
Finally, there should be severe consequences to the perpetrator of
such crime.--Although my perpetrator is currently serving prison time,
she was never convicted of the identity fraud felony count. Her other
crimes carried more weight over the one most personally offensive and
life altering to me. I would recommend to impose a $5,000 fine to
anyone who steals another's identity, and require that this be paid to
the victim within 2 years of conviction.
Additional recommendations, while not directly applicable to my
case, would help prevent the extent of fraudulent activities:
Social security numbers should be treated as confidential
information, and therefore should not be required to be part of
passwords, medical identification numbers (this is usually clearly
stated of medical cards which should be carried at all times by the
insured), etc. Additionally, there are NO situations in which SSN's
should be sold.
Credit issuers: all duplicate card requests should be verified by a
mailer to the previous credit card address, or verified via telephone.
Credit issuers: change of address requests should be followed up
with a level of verification. Possibly there could be a better
communication system between the Postmaster, and credit reporting
agencies and creditors, to verify that authentic address changes have
been made.
Credit issuers: many unauthorized charges to a credit card holder
are facilitated by shipping goods to an alternate address.--Any items
billed to a credit card and shipped to another address should be
subject to the same verification/authentication requirements as if the
creditor were discussing private account information with the card
holder. Further, as the shipment is requested, the credit card holder
should be informed in writing of the shipment, including the address to
which the item was billed.
Credit reports should be offered free to individuals at least once
a year, at their request.
Unusual inquiry/account opening behavior should be flagged at the
credit reporting agencies and further investigated.--The bureaus should
take more responsibility for unusual activity as they are the first
ones to be alerted of consolidated fraud on one individual's record.
Fraud alerts should be CLEARLY POSTED on the first page of victims'
credit reports. Further there should be fines imposed to merchants who
do not properly act on these statements and fail to verify the
authenticity of an application.
Senator Kyl. Beth Givens.
STATEMENT OF BETH GIVENS
Ms. Givens. Chairman Kyl, Senator Feinstein, thank you for
the opportunity to testify today. I am Beth Givens, director of
the Privacy Rights Clearinghouse, a non-profit consumer group
in San Diego. We have been assisting victims since 1993 and we
have witnessed the ravages of this crime on the victims and
their families, and I commend you today for focusing on victims
and on prevention.
In May, the Privacy Rights Clearinghouse and CALPIRG,
another non-profit, released a survey on identity theft victims
who had contacted us for help in the past, and here is what we
learned.
On average, it took them 2 years to clean up their credit
report and to regain their financial health. Many were still
dealing with it after 4 years. Victims found that they spent an
average of 175 hours to resolve the problem. That is the
equivalent of 4 working weeks, and many were spending over 500
hours.
When victims are asked what would have prevented their
identities from being stolen, most, including those we
surveyed, said take the Social Security number out of
circulation so it can't be obtained by criminals. It certainly
should not be used as an ID for insurance companies, by
universities and others, and it certainly should be not for
sale on the Net. I am pleased that 2328 and 2699 have been
introduced because I think they address the prohibition of the
sale of the Social Security number.
Victims also State that the credit issuers need to be more
effective in weeding out fraudulent applications, especially in
instant credit situations. Half of the victims in our survey
told us that the fraud recurred after they put a fraud alert on
their credit report, and I am also pleased that 2328 addresses
that.
Victims have also stressed that early detection of fraud
would have greatly shortened the time needed to regain their
financial health. Our survey found that the average time it
took them before they even learned they were a victim was 14
months after the fraud had begun.
What about victim assistance? It is now much improved since
the Federal Trade Commission has opened its identity theft
clearinghouse, thanks to the bill that was passed last year,
your bill, Senator Kyl. But the credit bureaus and credit
issuers must improve their victim assistance tremendously. This
includes providing live staff members rather than voice mail
and long waits, and also the industry must develop fool-proof
methods to prevent fraud from recurring once a fraud alert has
been established. The Associated Credit Bureaus' efforts, I
think, are moving the industry in the right direction.
In closing, I want to bring to your attention to what I
call the worst case scenario of identity theft, and that is
when the imposter commits crimes using the victim's identity,
like we heard from Michelle, giving that person a criminal
record. These records are extraordinarily difficult to clear
up. Victims may be unable to find work. They live with the
constant fear of being arrested at any moment. Many of them
have been jailed.
They must carry with them a document from either law
enforcement or the courts, and they must carry it all times,
that is if they are fortunate to even get such a document. This
would be a letter of clearance. They face a lifetime of being
burdened with someone else's criminal record.
Now, with that, I close. I do wish to present the committee
with our identity theft survey, also with a documentary about
some California identity theft victims that was made by a
victim herself.
[The documentary will be retained in committee files.]
I thank you again for the opportunity to testify on behalf
of consumers and on behalf of the identity theft victims.
Senator Kyl. Thank you very much for your important work,
and we will be very pleased to accept that material for the
record of the hearing and try to promote its viewing by others
as well.
[The prepared statement and information referred to of Ms.
Givens follow:]
Prepared Statement of Beth Givens
The Privacy Rights Clearinghouse is a nonprofit consumer
information and advocacy program based in San Diego, California. The
PRC was established in 1992. We have been assisting victims of identity
theft since 1993, when we first started learning about this crime. Our
guides for identity theft victims can be found on our web site at
www.privacyrights.org. I estimate that I have assisted at least 4,000
victims of this crime, and that others on our staff have assisted many
thousands more over the years.
I appreciate the ability to provide written and oral testimony on
the skyrocketing crime of identity theft, its impact on victims, and
possible solutions. And I commend you and the Subcommittee members for
addressing this issue. My written testimony is in four parts.
Topic number one is the crime itself--what is identity
theft, how much of it is going on, and why is it happening in epidemic
proportions.
Second, I will discuss the many ways in which identity
thieves obtain the bits and pieces of information they need to
impersonate others--mainly Social Security numbers (SSN) and credit
card account numbers.
Third, I will explain some of the impacts on victims.
And fourth, I will recommend legislative and industry
measures to prevent identity theft and to expedite the ability of
victims to regain their financial health.
First, what is identity theft? There are numerous variations of
this crime. Essentially, it occurs when someone uses bits and pieces of
information about an individual--usually the Social Security number--to
represent him or herself as that person for fraudulent purposes.
Examples are obtaining credit cards and loans in someone else's name
and then not paying the bills, opening utility accounts, renting an
apartment, getting a cellular phone, purchasing a car or a home, and so
on. Another type of identity theft--what I call the worst case
scenario--is when the perpetrator commits crimes in the victim's name
and gives that person a criminal record.
Victims are not liable for the bills accumulated up by the
imposters, thanks to federal law. But they do have the anxiety and
frustration of spending months, even years, regaining their financial
health and restoring their good credit history.
How many victims of this crime are there? We don't have accurate
statistics. But I estimate that there are 500,000 to 700,000 victims
this year. A 1998 report by the U.S. General Accounting Office tracked
identity theft statistics from 1992 to 1997, based on figures provided
by the Trans Union credit reporting agency (CRA). A graph on page 40
shows a dramatic 16-fold increase in the volume of calls from
individuals to Trans Union's Fraud Department during the six-year
period from 1992 to 1997. Trans Union now receives well over 2,000
calls a day from victims of identity theft. [U.S. General Accounting
Office, www.gao.gov, ``Identity Fraud,'' Report No. GGD-98-100BR, 1998,
p. 40]
Why are these figures significant? When individuals learn they are
a victim of this crime, the first step they should take is to contact
the three bureaus and place a fraud alert on their file. The CRA's are
Trans Union, Equifax, and Experian (formerly TRW). Therefore, the
number of calls received by the CRA's fraud departments is a good
indicator of the volume of this crime.
Why is this crime so rampant today? It is very easy for the
criminals to obtain the information needed--in particular, Social
Security numbers. Non-Social Security Administration uses of the SSN
have not been prohibited by law, at least not to date. As a result,
SSN's are used as identification and account numbers by many entities--
insurance companies, universities, cable television companies, military
identification, banks, securities brokerage companies, and the like. In
about a dozen states, the SSN is used as the driver's license number.
Identity thieves can obtain SSN's by stealing mail where those
numbers are included. They sift through the trash outside of businesses
and residences in hopes of finding unshredded documents containing
SSN's and other data. Dishonest employees can obtain SSN's in the
workplace by obtaining access to personnel files or accessing credit
reporting data bases (commonly available in auto dealerships, realtors'
offices, banks and other businesses that approve loans).
Another reason identity theft is rampant is because of credit
industry practices. Credit grantors make it all too easy to obtain
credit. Many credit issuers do not adequately check the identities of
applicants before granting credit. Instant credit opportunities are
especially popular with identity thieves for this reason. Credit
grantors are all too eager, in their competitive zeal, to obtain new
customers. It is not uncommon for households to receive several pre-
approved offers of credit per week. In fact, a Los Angeles Times news
story reported that credit issuers mailed 3.4 billion pre-approved
offers of credit to consumers in 1998. (``Charges are flying over
credit card pitches,'' by Edmund Sanders, Los Angeles Times, June 15,
1999, p. D-1. www.latimes.com).
Another reason identity theft is skyrocketing is that it does not
yet get the attention of law enforcement that more violent crimes
receive--like breaking and entering, mugging, robbery by gunpoint, and
bank thefts. Many violent criminals and
organized crime rings are moving to identity theft because they know
that law enforcement resources are not yet sufficient to investigate
the majority of such crimes. Identity thieves are rarely apprehended
and sentenced. If they are, penalties are minimal and rarely include
jail time. Community service and parole are the usual sentences.
My second topic is the methods used by identity thieves to obtain
identifying information about their victims. Typically, they obtain the
Social Security number and name. That's often all that is needed to
apply for credit (called ``application fraud''). They also might obtain
credit card numbers and hijack existing accounts (called ``account
takeover). Other pieces of information useful to identity thieves are
dates of birth, mother's maiden name, and driver's license numbers.
One such method is the old fashioned way--by stealing a
wallet or purse. The thief either uses the information obtained or
provides the contents to a crime ring. Even if the individual does not
carry the Social Security card in the wallet (and we recommend that
they do not), he or she might have an insurance card or student ID with
that number on it.
Another strategy is to fish credit card slips and loan or
credit applications from the trash. Unfortunately many businesses,
banks, mortgage companies, and restaurants do not shred these
documents.
We are seeing an increase in the ``inside job'' in the
workplace--dishonest employees with access to computer terminals
connected to one of the credit reporting agencies. They might look for
names similar to theirs, or just someone with good credit. Obviously
what goes hand in hand with this type of access is the negligence of
the company which is permitting such uses in an unmonitored
environment.
``Insiders'' have also used their access to personnel records to
obtain Social Security numbers of identity theft victims. In a recent
case in San Diego, a dishonest employee had unfettered access to a
storage room where past payroll information was filed. She obtained
SSN's of over 100 current and former employees and used them to obtain
credit in their names.
We learned of a case where a member of a Nigerian crime ring was
employed temporarily at a very large corporation. He downloaded the
employee list containing SSN's and then one by one the employees'
identities were used for fraudulent purchases. The employees didn't
know about it until they started sharing stories and learned that many
of them had been hit. It wasn't until much later that the human
resources department confessed that they had known about the theft, but
they didn't want to tell the employees and cause them to panic.
Sadly, some identity theft is perpetrated by relatives or
friends, roommates, household workers like health care givers, and
spouses going through a divorce who have a grudge. These individuals
obtain Social Security numbers, driver's license numbers, and credit
card numbers by having access to their personal effects.
Mail theft is another way of obtaining identifying
information, as mentioned above. We urge people not to leave their paid
bills out at the mailbox for the carrier to pick up. It's better to
drop them off at the Post Office. There's also insider mail theft,
where credit card mall is stolen from the mail processing areas by
postal employees.
Then there's the change of address routine. The thief
fills out a change of address card so the victim's mail is diverted to
the thief's drop box. The thief obtains bank statements and credit card
bills, monthly investments reports, and pre-
approved offers of credit containing the information necessary to
impersonate the victim. The Postal Service has recently initiated
changes to make this more difficult.
Application fraud is another method. The imposter fills
out a credit application--perhaps a pre-approved offer of credit
retrieved from the trash--with the victim's name and identifying
information and has the credit card mailed to another address. The
major credit card issuers say they are now more wary of changes of
address, but their efforts are not foolproof.
The Internet is becoming a more popular resource for
identity thieves. Yes, there are web sites that sell individuals'
Social Security numbers. Visit www.infoseekers.com and
www.fastbreakbail.com for example. Social Security numbers can be
purchased for as little as $20. They are found in records called
``credit headers'' that are sold by credit reporting agencies to
information brokers. Credit headers include name and name variations,
current and former addresses, telephone numbers (including unlisted
numbers), year and month of birth, and SSN. At this time, there are no
restrictions on the sale of credit headers to information brokers.
Consumers have no way to ``opt-out'' of the sale of their credit header
data. The information broker industry adopted a voluntary privacy
policy in 1997, but it has been ineffective in restricting the sale of
sensitive personal information to the general public. (See the
Individual Reference Services Group guidelines at www.irsg.org.)
There are many more schemes. Most victims with whom we
have spoken haven't a clue as to how their identifying information was
obtained by the imposter.
My third topic is what happens to the victims of these crimes? Even
though each identity fraud case is different, what happens to the
victims is, sadly, all too similar.
They get little to no help from the authorities who issued
the identifying information to them in the first place.
Law enforcement doesn't investigate many such crimes.
There's just too much identity fraud occurring for them to handle all
such cases, although the financial fraud departments of many police
departments are being expanded.
Many police and sheriff's departments refuse to issue a police
report to the victims. They claim that the banks and credit card
companies are the real victims because they suffer the financial
losses. Many victims find they need the police report to prove their
innocence to the credit card companies and the check guarantee
services.
Many victims report they do not get effective help from
the credit grantors, banks, and the CRA's. They describe difficulty in
reaching the credit reporting agencies, and tell how they are treated
disbelievingly by some creditors. Victims also report that flagging
their credit report for fraud doesn't always stop the imposter from
obtaining more credit.
Victims must also deal with abusive collection agencies. They are
threatened with law suits, garnished wages, and having their homes
taken away from them.
Another common experience of victims is that they must
spend a great deal of time cleaning up the mess. I've talked to many
who are taking the day or the week off work so they can make the
necessary phone calls, write the letters, and get affidavits notarized.
This costs them money as well. Many victims are saddled with this
situation for years.
In a recent survey we conducted with CALPIRG, we found the average
amount of time spent by victims to regain their financial health was
175 hours. And those cases had dragged on for an average of two years,
with many cases taking more than four years to be resolved. (``Nowhere
to Turn: Victims Speak Out on Identity Theft.'' May 2000.
www.privacyrights.org/ar/idtheft2000.htm).
Victims are often scarred emotionally. They feel violated
and helpless--and very angry. I've heard people use the word ``rape''
to describe how they feel. I've talked to many who are crying or close
to it because they cannot stop what is happening to them, and no one
else will either. I've talked with elderly people who are terrified of
losing their life savings and their homes.
It's little wonder that victims feel violated, helpless and angry.
They are unable to rent an apartment, get a job, qualify for a
mortgage, buy a car, all because someone else's bad credit history is
recorded on their credit report. Essentially the entire burden of this
crime is placed on the shoulders of the victims.
The worst-case scenario is when the thief commits crimes
in the victim's name. We learned of a case where the imposter was a
major drug dealer, using the identity of a high-tech company president.
This man travels out of the country often and has to carry a letter
from law enforcement which explains he is not the drug dealer, because
he gets pulled into secondary inspection every time he comes back to
the U.S. Recently law enforcement from another state, who had not read
the entry on the FBI's NCIC crime data base completely, entered his
bedroom in the early morning hours and tried to arrest him at gunpoint.
He was able to convince them they were seeking the wrong person.
Another case that came to our hotline was an Hispanic man, a U.S.
citizen, who was visiting relatives in Tijuana, Mexico, across the
border from San Diego. He was taken into secondary inspection by U.S.
Customs on his return trip to San Diego. A search of his SSN showed he
was wanted for a crime in the Bay Area. He was transported from San
Diego to San Francisco and put in jail. It took him 10 days before one
of the officers believed him, took his fingerprints as he had requested
all along, and realized they had the wrong person.
Another worst-case scenario is when the imposter is
working under the victim's name and SSN, and the earnings show on the
victim's Social Security Administration record. We learned of one such
a case that had been going on for 10 years. The imposter obtained the
victim's birth certificate, a public record in California. And even
when the victim acquired a new SSN, the impersonator was able to obtain
it shortly thereafter. Victims of employment fraud often must deal with
the Internal Revenue Service because IRS records show they are under-
reporting their wages.
Finally, in order for victims to extricate themselves from
the identity theft mess they find themselves in, they have to be fairly
savvy consumers. They must be assertive with the credit card, banking
and credit reporting industries. They must be assertive with all kinds
of other officials as well. I have talked with many consumers who are
not equipped to deal with the challenges that this crime brings to
them--individuals whose first language is not English, or those whose
English language skills are such that they cannot communicate at the
level of complexity that this problem requires. Those who are semi-
literate or illiterate cannot write the necessary letters.
Unfortunately, there are not enough consumer assistance offices to help
these people.
My fourth and final topic is legislative and industry solutions to
the crime of identity theft.
The awareness of identity theft among consumers has skyrocketed in
the past year--primarily because of media coverage. I think consumers
are becoming much more wary of disclosing personal information and
having it given out without their consent, especially on the Internet.
These outcries by members of the public have resulted in some
legislative attention brought to the issue, both on the federal level
and in the states.
In 1998 Congress passed and the President signed the Identity Theft
and Assumption Deterrence Act (18 U.S.C. 1028). It makes identity theft
a federal felony when someone knowingly uses the identification of
another person with the intention to commit any unlawful activity under
federal and state law. Violations of this Act are investigated by
federal agencies like the U.S. Secret Service, the FBI, and the U.S.
Postal Inspection Service. Such crimes are prosecuted by the U.S.
Department of Justice.
This new law allows for restitution for victims. It established an
identity theft clearinghouse within the Federal Trade Commission. The
FTC now offers a toll-free number for consumers to call, 877-IDTHEFT,
as well as a web site, www.consumer.gov/idtheft.
In recent years nearly 40 states have criminalized identity theft.
Most of them have made it a felony. A list of those states can be found
on the FTC's web site at www.consumer.gov/idtheft/statelaw.htm.
On the one hand, I'm pleased that this crime has been criminalized
by these new laws. But I believe that in order to make a dent in
identity theft, the practices of the credit industry must change
dramatically. Until laws create incentives for the credit industry to
change how they do business, the crime of identity theft will continue
to climb at epidemic proportions.
I am encouraged by the introduction of Senate Bill 2328 by Senators
Feinstein, Kyl, and Grassley, titled the ``Identity Theft Prevention
Act of 2000.'' It places the emphasis on prevention where it rightfully
belongs. The points that follow include discussion of the key
provisions of S. 2328 (http://thomas.loc.gov).
Here are some suggestions for making credit industry practices more
fraud-proof:
A change of address is often an indicator of fraud. Simple
steps by both credit grantors and reporting agencies in verifying
address changes would greatly reduce fraud incidents. S. 2328 requires
that if the card issuer receives a change of address notification, it
must send a confirmation notice to both the new and former addresses.
Further, if a card issuer receives a request for an additional credit
card within 30 days of receiving a change of address, it must also
notify the cardholder at the old and new addresses. Credit reporting
agencies must notify credit issuers when it becomes aware that a credit
application bears an address for the consumer that is different from
the address they have on file.
A penalty should be assessed whenever a credit grantor
extends credit to an imposter after the victim has placed a fraud alert
on the credit file (a provision of S. 2328).
All consumers should be able to receive one free copy of
their credit report annually (a provision of S. 2328). With more
consumers checking their credit reports frequently, identity theft will
be detected earlier and the impact will be minimized. Six states have
passed such laws: Colorado, Georgia, Massachusetts, Maryland, New
Jersey, and Vermont.
Consumers should be able to notify the credit bureaus to
put a ``freeze'' on their credit report--to prevent their credit report
from being furnished without specifically authorizing the release. A
Vermont law requires that users of credit reports obtain permission
from the consumer prior to obtaining the credit report (Title 9 sec.
2480e at www.state.vt.us. Click on ``Statutes Online''). In California,
state Senator Debra Bowen's SB 1767 would adopt the Vermont ``opt-in''
model.
Another important piece of legislation that needs to be
enacted is a provision that takes the Social Security number out of
circulation. A separate bill introduced by Senator Dianne Feinstein
would prohibit the commercial sale of SSN's (Social Security Privacy
Act of 2000). This measure would also limit uses of the SSN by private
sector entities. Government agencies could not display the SSN on
mailing labels and documents available to the public.
In California, a bill introduced by state Senator Debra Bowen
during the 2000 session would prohibit the use of the SSN as an account
or member number by such entities as insurance companies and
universities. (SB 1767 can be found at www.leginfo.ca.gov. Click on
``Bill Information.'')
Credit grantors should be required to verify at least four
pieces of information--name, address, date of birth, SSN, driver's
license number, and place of employment--with information on the credit
report. This is especially important in instant credit situations. If
the consumer is applying in person, the credit grantor must inspect a
photo ID.
As discussed earlier in this testimony, we consider the
worst-case scenario of identity theft to be when the victim is burdened
with a wrongful criminal record because of the activities of the
imposter. This usually occurs when the imposter is arrested and
released, perhaps for a traffic violation or shoplifting, and then does
not appear in court. This results in a warrant for the arrest of the
identity theft victim.
Victims of criminal record identity theft can find it impossible to
obtain employment. Many have been jailed. It is common for such victims
to be detained by U.S. Customs when entering the country after
traveling abroad. They must carry a letter with them from law
enforcement or the courts at all times in order to prevent wrongful
detention. Such victims are faced with having their identity associated
with a criminal record for the rest of their lives.
It is critical that legislation address the plight of such identity
theft victims. There must be a way for them to learn that they have a
wrongful criminal record. S. 2328 includes an excellent provision
enabling individuals to obtain the content of information about them
that is compiled by an information broker, employment background check
service, or individual reference service. If erroneous information is
compiled in a background check for employment or other purposes, it is
essential that the subjects of those investigations know the exact
information that has been disclosed and the source from which the
information was obtained.
Individuals who have wrongful criminal records must also be able to
clear such records through an expedited process involving the law
enforcement agency that made the arrest, the court system where the
warrant was issued, and the official criminal records data bases at the
state and federal levels. At present, there is no such process easily
available to victims of criminal records identity theft. You might want
to read about such a measure currently being considered in the
California legislature, Assemblymember Susan Davis's AB 1897.
Victims of criminal record identity theft must also be able to
locate all the information brokers that have obtained the erroneous
information so they can have those records cleared as well. One
solution would be to develop a national registry of individuals who are
victims of criminal record identity theft and require all entities who
conduct criminal records background checks to access that data base
before reporting the criminal records information. In California,
Assemblymember Tom Torlakson's AB 1862 would call for the development
of such a data base within the California Department of Justice.
Legislation is not the entire answer to the vexing problem of
identity theft. The credit granting and reporting industries must step
up their efforts to assist consumers in preventing fraud altogether and
in recovering from identity theft. The Associated Credit Bureaus
announced an identity theft initiative in March 2000 that would
streamline fraud-handling by the credit reporting industry (www.acb-
credit.com). The ultimate goal of this endeavor should be ``one-stop
shopping'' for fraud victims--a single phone call to launch the fraud
clean-up process.
Both creditors and the CRA's should increase the use of artificial
intelligence computer programs to identify patterns of fraud and to
quickly notify consumers of suspected fraud activity. The May 2000
identity theft victims survey conducted by the Privacy Rights
Clearinghouse and CALPIRG found that the average amount of time that
had transpired before individuals learned they were victims of identity
theft was 14 months. (www.privacyrights.org/AR/idtheft2000.htm). Yet,
evidence of fraudulent activity can often be easy to detect--numerous
inquiries on the credit report in a short period of time, changes of
address, monthly credit account bills that are much higher than usual,
many late payments when the individual had none previously, and so on.
Before closing, I want to briefly discuss the role of law
enforcement in investigating identity theft crimes and assisting
victims. Three-fourths (76 percent) of the respondents to the PRC/
CALPIRG identity theft survey reported that the police whom they
contacted were unhelpful. Detectives were assigned to their cases less
than half of the time. And one-fourth of the victims were not able to
obtain a police report.
It is clear that the crime of identity theft calls for some new
approaches by law enforcement. One approach that is being explored in
California is the development of a single unit within the police
department that specialize in identity theft. The Los Angeles Sheriff's
Department has established such a unit. Assemblymember Robert Hertzberg
has introduced AB 1949 to fund three pilot projects in the state to
establish such specialized units.
Additional suggestions for addressing the multi-faceted crime of
identity theft can be found in the PRC/CALPIRG identity theft survey, a
copy of which has been provided to the Subcommittee.
Thank you for the opportunity to testify about the crime of
identity theft. Please feel free to contact the Privacy Rights
Clearinghouse if you seek additional information or assistance.
[GRAPHIC] [TIFF OMITTED] T9466.001
[GRAPHIC] [TIFF OMITTED] T9466.002
[GRAPHIC] [TIFF OMITTED] T9466.003
[GRAPHIC] [TIFF OMITTED] T9466.004
[GRAPHIC] [TIFF OMITTED] T9466.005
[GRAPHIC] [TIFF OMITTED] T9466.006
[GRAPHIC] [TIFF OMITTED] T9466.007
[GRAPHIC] [TIFF OMITTED] T9466.008
[GRAPHIC] [TIFF OMITTED] T9466.009
[GRAPHIC] [TIFF OMITTED] T9466.010
[GRAPHIC] [TIFF OMITTED] T9466.011
[GRAPHIC] [TIFF OMITTED] T9466.012
[GRAPHIC] [TIFF OMITTED] T9466.013
[GRAPHIC] [TIFF OMITTED] T9466.014
[GRAPHIC] [TIFF OMITTED] T9466.015
[GRAPHIC] [TIFF OMITTED] T9466.016
[GRAPHIC] [TIFF OMITTED] T9466.017
[GRAPHIC] [TIFF OMITTED] T9466.018
[GRAPHIC] [TIFF OMITTED] T9466.019
[GRAPHIC] [TIFF OMITTED] T9466.020
[GRAPHIC] [TIFF OMITTED] T9466.021
[GRAPHIC] [TIFF OMITTED] T9466.022
[GRAPHIC] [TIFF OMITTED] T9466.023
Senator Kyl. Steve Emmert.
STATEMENT OF STEVEN M. EMMERT
Mr. Emmert. Thank you, Chairman Kyl, Senator Feinstein. I
appreciate the opportunity to testify before the subcommittee
today about the information practices of our company, LEXIS-
NEXIS, and the industry's leadership efforts to balance privacy
protections with legitimate, socially beneficial information
needs.
Among the services that LEXIS-NEXIS offers are people-
finder or individual reference services that customers use to
locate individuals and to verify identities. Individual
reference service products contain only basic identifying
information, such as name and address, not financial
information.
LEXIS-NEXIS is a founding member of the IRSG, which
represents leading information industry companies, including
the three major credit reporting agencies. We provide
commercial information services to help verify the identity of
or to locate individuals. Customers use individual reference
services for a variety of purposes, including finding
witnesses, heirs, pension beneficiaries, and hidden assets. In
fact, there are a number of Federal regulations that require
the use of location services for these very purposes. They are
also used to track down missing and exploited children; locate
deadbeat dads, parents; to locate bone, blood and organ donors;
and to verify identities of contributors to political
campaigns.
Each of the companies who belong to the IRSG has adopted
self-regulatory principles governing the dissemination and use
of personal data. The IRSG developed these principles in 1997
in conjunction with the Federal Trade Commission.
As part of these principles, companies commit, among other
things, to restrict their distribution of non-public
information through appropriate safeguards. One such safeguard
prohibits the display of Social Security numbers and dates of
birth in individual reference service products distributed to
the general public, the types of websites that Senator
Feinstein referred to at the beginning of the hearing; also,
for products distributed to professional and commercial users,
a prohibition on the display of such information in a less
truncated and appropriate manner.
The example of that would be to mask the last four digits
of the number so that you can use the initial numbers to
identify the place of issuance and the year of issuance. This
principle has helped reduce the availability of Social Security
numbers for sale on the Internet. I have summarized in my
written testimony the other key safeguards contained in the
IRSG principles.
Given the subcommittee's focus on identity theft today, I
know you are interested in the substantial use that is made of
these services in the fight against identity theft where
verifying an individual's identity is crucial. Banks, credit
card companies, and other types of credit institutions, as well
as gas, electric and telephone utility companies and government
entities, distributing public entitlement programs are all
becoming increasingly plagued by frauds who use existing
persons' identity to illegally extract products, services and
money.
Individual reference service products are also an important
tool for other types of fraud prevention efforts by businesses.
The insurance industry, for example, relies on individual
reference service products to investigate fraudulent claims.
Credit card companies and department stores use them to detect
and limit credit card fraud. Banks use them to detect and
report credit card fraud, insider abuse, and money laundering.
Many businesses use them to minimize the risk of financial
fraud when they receive an unusual order for the delivery of
merchandise.
Since the victims of identity theft are not only the
businesses that lose billions to various forms of identity
theft per year, but also the consumers whose credit is often
ruined by this insidious act, everybody directly benefits by
this application of personal identifying information provided
by individual reference services. My point is that the
availability of individual reference services helps to reduce
identity theft.
Although some have alleged that the availability of
identifying information from individual reference services
contributes to identity theft, two Federal agencies, the
Federal Reserve Board and the Federal Trade Commission, have
studied this question, and neither agency was able to find any
support for this proposition.
With respect to S. 2328, our concern is that if enacted in
its current form, it would jeopardize the usefulness of such
services. Specifically, we believe it goes too far in sections
7 and 8. Section 7 would have the effect of cutting off
identifying information that we use to index and organize
disparate information, distinguishing between John Smiths that
live in the same town.
I actually checked this morning. Currently, there are
34,516 entries for ``John Smith'' on a nationwide basis. Trying
to determine which John Smith you are looking for is a little
bit of a trick sometimes. When we have the availability of
prior addresses, age, and Social Security information, we can
make those distinctions. These indexing and verification uses
are critical to ensure that the products that we and other IRSG
members offer to professional and government agencies contain
accurate and complete information.
Section 8 would mandate that individual reference service
companies enter a very different market than they ever sought
to enter, the consumer market for public record information, as
a condition of selling public record information to lawyers,
law enforcement officials, journalists, and other
professionals.
We do not object to providing an individual with non-public
information contained in an individual reference service
product that specifically identifies him or her. The IRSG
principles already require this. Nor do we object to advising
an individual about the nature of public record information
that an individual reference service makes available in its
products, if reasonably available, where you can obtain a
correction and where a correction request can be directed. The
IRSG principles also require this.
We do object, however, to having to undertake the enormous
burden associated with retrieving potentially relevant
information from a large number of data bases of public records
and verifying that it pertains to the individual making the
request. In addition to being burdensome, it would be
ineffective for the consumer.
To be effective, any correction of errors must be made with
the government entities where the sources of the information
originate. The task of individual reference services in this
regard is to reflect reliably the data made available by the
originating public record source.
Again, I would like to thank you for the opportunity to
testify this morning and welcome any questions you may have.
[The prepared statement of Mr. Emmert follows:]
Prepared Statement of Steven M. Emmert
I. INTRODUCTION
I am the Director of Government and Industry Affairs for Reed
Elsevier Inc. and LEXIS-NEXIS, a wholly owned division of Reed
Elsevier. On behalf of both LEXIS-NEXIS and the Individual Reference
Services Group, I very much appreciate the opportunity to testify
before your Committee about the information practices of my company,
our efforts in the area of acquisition, security, and use of personally
identifiable information from non-public sources, and industry's
leadership efforts to balance privacy protections with legitimate,
socially beneficial information needs.
LEXIS-NEXIS leads the information industry with the largest one-
stop, dial-up information service, the LEXIS-NEXIS service for legal,
business, and government professionals. The LEXIS-NEXIS service
contains more than 2.2 trillion characters and approximately 2.5
billion documents in more than 10,200 data bases. It adds 14.7 million
documents each week.
Today, two million professionals worldwide--lawyers, accountants,
financial analysts, journalists, law enforcement officials, and
information specialists--subscribe to the LEXIS-NEXIS services. They
perform more than 400,000 searches per day. The combined services
contain more than 24,800 sources: 18,800 news and business sources and
6,000 legal sources.
The NEXIS service is the largest news and business online
information service, with not only news, but company, country,
financial, and demographic information, as well as market research and
industry reports. The NEXIS service is unmatched in depth and breadth
of information. In fact, 120,000 new articles are added each day from
worldwide newspapers, magazines, news wires and trade journals.
Although the overwhelming majority of the information sources on
the LEXIS and NEXIS services are public in nature, all of which are
available to the general public through their public libraries, the
local news stand or bookstore, or from government offices, a handful of
the data sources that contribute to our services are not available to
the general public. These data sources include consumer credit
reporting files but contain only basic identifying information (e.g,
name, address) that is used by customers of LEXIS and NEXIS to locate
specific individuals.
LEXIS-NEXIS also is a founding member of the Individual Reference
Services Group (IRSG), which represents leading information industry
companies, including the three major credit reporting agencies, that
provide commercial information services to help verify the identity of
or locate individuals. Each of the member companies has adopted self-
regulatory principles governing the dissemination and use of personal
data, principles which the IRSG developed in 1997 in conjunction with
the Federal Trade Commission. While I will concentrate on LEXIS-NEXIS'
practices, we believe that these are typical of the practices of
members of the IRSG.
Our company and the other members of the IRSG are committed to the
responsible acquisition and use of personally identifiable information,
and share the Subcommittee's concern about the potential misuse of data
for identity theft and other harmful purposes. Indeed, in the fight
against identity theft, where verifying an individual's identity is
crucial, individual reference service products are absolutely
essential.
My remarks today will focus on three areas. First, because most
people know relatively little about our industry and may confuse the
sort of services that are the topic of this hearing with the mainstream
of the industry, I will explain the customer base and socially
beneficial uses for individual reference information. For example, law
enforcement agencies and fraud investigators are major users of these
services, and at a 1997 FTC workshop on data base privacy the Secret
Service, the Treasury Department's Financial Crimes Enforcement Network
(``FINCEN''), American Bankers Association, and National Retail
Federation all testified to the importance of these services for their
work preventing and pursuing fraud.
Second, I will provide some background about the IRSG principles
and their enforcement mechanisms. I also will illustrate some of the
IRSG principles by explaining how LEXIS-NEXIS implements them.
Finally, I will make some observations about the impact of sections
7 and 8 of S. 2328 upon LEXIS-NEXIS and other individual reference
services.
II. USES OF INDIVIDUAL REFERENCE SERVICE INFORMATION
Individual reference services are companies that furnish timely and
reliable information to identify and locate individuals. The
information is used by governmental, private sector, and non-profit
entities for a wide range of beneficial purposes.
Individual reference services, such as those provided by LEXIS-
NEXIS, are often the only way that individuals with limited resources,
through the assistance of a professional who has access to these
services, can obtain critical information. LEXIS-NEXIS' customers are
professionals, primarily in the fields of law, business, journalism,
and law enforcement.
For example, law enforcement agencies use these services to locate
criminals and witnesses to crimes, and to confirm identities. In fact,
individual reference services play an important role in combating the
very sorts of fraud that flow from personal financial information
falling into the wrong hands. At the June 1997 FTC workshop examining
reference services, witnesses from both FINCEN and the Financial Crimes
Section of the U.S. Secret Service testified to the value and
importance of these services for their work.
In the fight against identity theft, where verifying an
individual's identity is crucial, individual reference service products
are absolutely essential. Banks, credit card companies, and other types
of credit institutions, as well as gas, electric, and telephone
companies and governmental entities distributing public entitlement
programs, are all becoming increasingly plagued by fraudsters who use
an existing person's identity to illegally obtain products, services
and money. The best, and perhaps only, means of preventing this type of
fraud is to crosscheck through the use of personal identifying data,
often provided by individual reference services. Since the victims of
identity theft are not only the businesses that lose billions to
various forms of identity theft per year, but also the consumers whose
credit is often ruined by this insidious act, everyone directly
benefits by this application of the personal identifying information
provided by individual reference services.
Individual reference service products also are an important tool
for other types of fraud prevention efforts by businesses. The
insurance industry, for example, relies on individual reference service
products to investigate fraudulent claims. Credit card companies and
department stores use them to detect and limit credit card fraud. Banks
use them to detect and report credit card fraud, insider abuse, and
money laundering. Many businesses use them to minimize the risk of
financial fraud when they receive an unusual order for delivery of
merchandise. Other businesses use them when performing due diligence
before engaging in a business venture with a little-known corporation
in the increasingly mobile world economy. The Insurance Information
Institute reports that special investigation units save their companies
about $10 for every dollar invested in them.
Reference services help people in many other ways. One of the most
compelling is child support enforcement. Whereas government-compiled
child support data bases have encountered difficulties in some
instances, individual reference services have proven to be invaluable
in tracking down parents who are delinquent in these obligations. In
this way, these services advance personal responsibility, give much-
needed income to divorced parents and their children, help free
families from welfare dependency, and provide an additional source of
revenue to state welfare programs. Individual reference services can
locate non-custodial parents--quickly and inexpensively, even in
circumstances where they move to a different state or begin using a
different name. The Association for Children for Enforcement of Support
(``ACES''), the leading child support advocacy organization, uses
LEXIS-NEXIS' P-TRAK service to assist families--approximately 80
percent of whom are on welfare--in locating parents who have failed to
meet legal child support obligations. ACES has reported tremendous
success with the service, locating more than 75 percent of the
``deadbeat'' parents they sought, and helping families receive much-
needed support.
Among the many other important uses of individual reference
services are:
finding long-lost family members,
locating heirs to estates who have moved or changed their
names through marriage,
locating pension fund beneficiaries who have left a
company,
locating victims of fraud schemes or environmental
hazards,
protecting consumers from unlicensed professionals and
sham businesses,
locating blood, organ and bone marrow donors,
promoting the transparency of the political process by
providing easy-to-search information on individuals' campaign
donations,
locating witnesses, and
providing citizens with efficient, ready access to
Federal, state, and local government information.
From these examples, I hope the Subcommittee will appreciate the
value of individual reference services.
III. THE IRSG APPROACH
Privacy Protection
Rapid advances in technology, a highly mobile society, the need to
prevent fraud, and other market demands for information have spurred
increased reliance upon information services provided by companies like
LEXIS-NEXIS. These changes in society and technology also have resulted
in a heightened interest in the privacy considerations implicated by
such services. At LEXIS-NEXIS we are attuned to these issues and have
strongly committed to taking a leadership role in effectively
addressing them.
Privacy protection in the United States has evolved in a way that
offers individuals effective protections while, at the same time, not
limiting the benefits of technological advances. The ability to
preserve both of these important interests results from a network of
different policies. These policies are tailored to provide protections
in specific circumstances in order to prevent actual or potential
abuses of personal information. This sectoral approach is preferable to
an omnibus or ``one-size-fits-all'' privacy policy that would govern
all industries. Addressing privacy issues within specific industry
sectors has proven very effective in evolving and responding to changes
in industry and society.
The IRSG Principles
The importance of defining privacy practices tailored to specific
types of information is demonstrated in the IRSG principles.
In September 1996, in the closing hours of the 104th Congress, the
Federal Trade Commission proposed a broad prohibition on the use of
credit header information--non-financial identifying information
obtained from a consumer reporting agency's data base. Members of the
individual reference service industry and those who rely on credit
header information alerted Congress that such a prohibition would
severely limit important uses of this information. As a result of
arguments made by industry, regulatory efforts were postponed until a
further study of the issues could be conducted.
This gave LEXIS-NEXIS the opportunity to join together with 13
other companies in the individual reference services industry to form
the IRSG. The companies that comprise the IRSG are the leaders in
providing information and assisting users in identifying and locating
individuals. In close consultation with the Federal Trade Commission,
the IRSG developed a comprehensive set of self-regulatory principles
backed by third-party assessments and government enforcement that these
companies follow.
These principles focus on non-public information, that is,
information about an individual that is of a private nature and neither
available to the general public nor obtained from a public record. For
example, the principles govern information obtained from credit
headers, such as social security numbers and addresses and telephone
numbers.
Companies that sign on to the IRSG principles commit--among other
things--to:
acquire individually identifiable information only from
sources known as reputable,
restrict their distribution of non-public information
through appropriate safeguards,
educate the public about their data base services, and
furnish individuals with a copy of the information
contained in services and products that specifically identifies them,
unless the information is publicly available.
One of the safeguards on the distribution of non-public information
is a prohibition on the display of social security numbers and dates of
birth in individual reference service products distributed to the
general public and, for products distributed to professional or
commercial users, a prohibition on the display of such information
unless truncated in an appropriate manner (e.g., masking of the last
four or more digits of social security numbers). This IRSG principle
has helped reduce the availability of social security numbers for sale
on the Internet.
Self-Regulation with ``Teeth''
Third-party assessments backed by government enforcement provide
real ``teeth'' for enforcing these principles. Enforcement rests on the
following three pillars:
Legal sanctions--Any company that holds itself out to the
public as following the principles may be responsible under existing
Federal and state law if the company fails to live up to them. Both the
Federal Trade Commission and state attorneys general can bring charges
under Section 5 of the Federal Trade Commission Act and similar state
laws against member companies that fail to adhere the principles.
Cut-off of data supply--Signatories to these principles
require by contract that all companies buying non-public data from them
for resale abide by the principles. Non-complying companies risk losing
access to the data they need for their products or services. This is
particularly significant in that it is estimated that IRSG signatories
control 90 percent of all non-public information obtained from credit
headers.
Independent assurance reviews--Every IRSG company must
undergo a third-party assessment to verify compliance with the
principles. I will describe this in more detail below.
Information Practices
In the spirit of openness, the principles require individual
reference services to have an information practices policy statement
available to the public upon request. These statements describe:
the types of information included,
the types of sources from which that information is
obtained,
the nature of how the information is collected,
the type of entities to whom the information may be
disclosed, and
the type of uses to which the information may be put.
This openness enables individuals to understand the reference
service's use of the information it possesses. Individual reference
services also inform individuals, upon request, of the choices
available to limit access to or use of information about them contained
in a company's products and services. Further, the principles require
an individual reference service to provide information about the nature
of public record and publicly available information that it makes
available in its products and services and the sources of such
information.
Third-Party Assessments
To help ensure that member companies do not make unsubstantiated
assertions of compliance, the IRSG principles require that independent
professional services conduct annual third-party assessments of their
compliance. These independent professional services can be accounting
firms, law firms, or security consultants who use the criteria
developed by PriceWaterhouseCoopers for the IRSG.
When the principles were adopted in December 1997, these companies
agreed that the assurance reviews would be completed within 15 months.
I am pleased to report that this is the second consecutive year in
which the companies that offer products that fall within the scope of
the IRSG principles and subscribe to the principles have successfully
undergone these assessments. As this milestone attests, the IRSG has
made great strides through self-regulation to secure the benefits of
information service resources and ensure effective protection of
consumer privacy.
IV. LEXIS-NEXIS' PRACTICES: THE IRSG PRINCIPLES AT WORK
In addition to the IRSG principles, LEXIS-NEXIS maintains its own
code of fair information practices. While these practices are based
upon LEXIS-NEXIS' policies, they also provide an example of how the
IRSG principles are implemented.
A. LEXIS-NEXIS Acquires Information Only From Reputable Sources
Section II of the IRSG principles requires that information be
acquired ``from only sources known as reputable in the government and
private sectors.'' IRSG members are specifically required ``to
understand an information source's data collection practices and
policies before accepting information from that source.''
The majority of the information contained in LEXIS-NEXIS data bases
is public record information. Moreover, a significant portion of the
information we provide comes from publicly available information such
as news reports. A few of our many data bases contain some information
from non-public sources, such as credit header information (the non-
financial, individual identifying information derived from the top of a
credit report).
At present, we do not provide individually identifiable financial
information from non-public sources. However, as discussed above, the
IRSG principles are sufficiently broad to encompass, and would apply
to, any member company's provision of this sort of non-public
information.
Because most of our services offer public records, in many cases
LEXIS-NEXIS obtains information directly from the government entity
that originated it. In addition to governmental sources, the
information gathered for our data bases is collected from a wide
variety of other sources, some of which are large, well-known companies
and smaller, lesser-known businesses. Regardless of the size of the
source, in our acquisition of information, we must be confident that
all of the information we obtain is owned by the sources and possessed
in a legal manner. We review the data collection practices and policies
of our sources before accepting information from them to determine
whether the data they propose to furnish to us was compiled in a lawful
and ethical manner. Furthermore, in order to continue to ensure the
accuracy and acceptable origin of information in our data bases, we
also engage in occasional site visits to evaluate directly the
information practices of the source.
In addition, Section III of the IRSG principles requires that
``[r]easonable steps be taken to help assure the accuracy of
information in individual reference services.'' LEXIS-NEXIS has
embraced this as one of our core policies for many years and through
the IRSG we have reaffirmed our commitment to this important principle.
LEXIS-NEXIS strives to obtain or create exact reproductions of the
machine-readable versions of public records as copied and maintained by
the official custodian of the records. We enter into written contracts
with all of our sources that contain provisions attesting to the
accuracy of the information the source provides LEXIS-NEXIS. These
provisions instill confidence that our information is accurate by
providing both a deterrent against providing us with inaccurate
information, as well as recourse against sources that may violate these
provisions.
LEXIS-NEXIS' commitment to accuracy, however, does not end with the
contractual commitment from the source. We also engage in original
source checks to verify that the source is in compliance with our
agreement. From time to time LEXIS-NEXIS will go to the original
jurisdiction where information is generated and compare samples of
information obtained from the jurisdiction with the information
provided to LEXIS by its source. This procedure allows us to measure
the level of accuracy of our suppliers.
B. Security
Section VI of the IRSG principles requires signatories to maintain
facilities and systems to protect information from unauthorized access
and from persons who may exceed their authorization. LEXIS-NEXIS
employs a wide array of measures to protect at all times the security
of our products and the information obtained from our suppliers. Our
security measures are deployed both within our computer systems and
within our physical plant.
To establish security within our data base system, we employ the
most effective security programming available. We constantly evaluate
our system looking for weaknesses in order to eliminate them and
upgrade security.
Our physical plant also uses the most effective security available,
including state-of-the-art surveillance systems. Access to the various
sections of our facilities is limited to authorized employees. This is
done through the use of a ``swipe-in''/``swipe-out'' card system that
allows us to account for individuals who are working in certain areas
and the times that they are in these areas. Security guards,
surveillance cameras, and other surveillance techniques also are
employed. Our security system provides the highest level of
accountability, and has proved extremely successful in eliminating
unauthorized use of information. Additionally, all LEXIS-NEXIS
employees are required to sign a non-disclosure agreement stating that
they will not disclose confidential information to which they have
access as part of their job responsibilities.
C. Selective and Limited Distribution
Section V of the IRSG principles addresses distribution of non-
public information. Section V.A requires that individual reference
services distribute non-public information only to qualified
subscribers and sets out a lengthy set of conditions that determine
these qualifications, as well as recordkeeping requirements concerning
subscribers.
All of our subscribers enter into formal agreements with LEXIS-
NEXIS that define the limits and appropriate uses of information
obtained from our data bases. For example, in its customer agreements,
LEXIS-NEXIS requires customers to agree contractually not to use
information obtained from the data bases for purposes that would
violate the Fair Credit Reporting Act. In addition, a warning about
FCRA restrictions is prominently visible to LEXIS-NEXIS customers
before they access many of the data bases contained in the public
record library, as well as files containing non-public information.
This warning states:
The Fair Credit Reporting Act (15 U.S.C. Sec. 1681) prohibits
use of information from this file to determine a consumer's
eligibility for credit or insurance for personal, family or
household purposes, employment or a government license or
benefit.
To become a LEXIS-NEXIS subscriber, the prospective customer must
furnish information including company/organization name, address,
contact person and telephone number. We do not respond to anonymous
requests for information, and we thus would be able to assist
authorities in the event that subscribers were ever to misuse
information.
V. ADVERSE IMPACT OF SECTIONS 7 AND 8 OF S. 2328
S. 2328 would directly affect individual reference services in two
ways. First, section 7 would cut off the supply of the type of
identifying information we obtain from consumer reporting agencies and
use to help ensure accuracy in indexing and compiling disparate
information. Second, section 8 would mandate that individual reference
service companies enter a very different market than they ever sought
to enter--the consumer market for public record information--as a
condition of selling public record information to lawyers, law
enforcement officials, journalists, and other professionals. These
proposals are, at best, burdensome and unnecessary and, at worst,
unconstitutional and harmful to consumers.
Section 7--Cutting Off the Supply of Identifying Information
In prohibiting consumer reporting agencies from supplying anything
other than a consumer's name and current address without a
``permissible purpose,'' as defined by the Fair Credit Reporting Act,
section 7 would have the effect of cutting off identifying information
that we use to index and organize disparate information. Distinguishing
between ``John Smiths'' who live in the same town is far more effective
when we have available to us prior addresses, age, and social security
number information. These indexing and verification uses are critical
to ensuring that the products we, and other IRSG members, offer to
professional and government agencies contain accurate and complete
information.
The use of social security number information for indexing and
verification purposes is different than the display of such information
in individual reference service products. As noted earlier, the IRSG
principles prohibit the display of social security numbers and dates of
birth in individual reference service products distributed to the
general public and, for products distributed to professional or
commercial users, prohibit the display of such information unless
truncated in an appropriate manner.\1\
---------------------------------------------------------------------------
\1\ This IRSG principle has helped reduce the availability of
social security numbers for sale on the Internet. The most common
sources of such information today are Web sites operated by private
investigators and Web sites selling ``stale'' information they obtained
prior to the implementation of the IRSG principles.
---------------------------------------------------------------------------
Cutting off the availability of social security numbers and similar
identifying information for indexing and verification purposes is
particularly ironic in light of the requirement in section 8, discussed
below, that individual reference service companies provide consumers
with copies of ``their files,'' who in turn will probably review the
information for accuracy and completeness.
Section 8--Consumer Review of Public Record Information in their
``Files''
Requiring individual reference service providers, upon request, to
disclose to a consumer ``the nature, content, and substance of all
information in the file maintained by the provider,'' is unnecessary,
burdensome, and unwise.
Section 8's requirement is unnecessary insofar as the IRSG's access
principle already requires an individual reference service to provide
an individual with ``non-public information contained in'' its look-up
products that specifically identifies him or her. (Two types of
information are exempted from this requirement: information obtained on
a limited use basis from a governmental agency and information whose
disclosure is limited by law or legally recognized privilege.)
For public record information (and publicly available information)
contained in an individual reference service's products, the IRSG
principles require a company, upon request, to advise an individual
about the nature of such information that it makes available in its
products and the sources of such information. Public record information
is information about or related to an individual that has been obtained
originally from the records of a Federal, state, or local government
entity that are open for public inspection. Examples of public records
include titles to real property, real property tax assessor records,
bankruptcies, judgments, liens, state professional licenses, and death
records.
When contacted by an individual concerning an alleged inaccuracy
about that individual in its public record information, the IRSG
principles further require an individual reference service company to
inform the individual of the source of the information and, if
reasonably available, where a request for correction may be directed.
To be effective, any correction of errors must be made with the
government entities that are the sources of this information. The task
of individual reference services in this regard is to reflect reliably
the data made available by the originating public record source.
Moreover, neither inaccuracies nor consumer harm are a significant
issue in connection with individual reference services. Technological
developments and quality assurance measures yield information that
reliably mirrors the original public records. Furthermore, the FTC
acknowledged in its 1997 Report to Congress on Individual Reference
Services that ``neither workshop participants nor commentators
identified concrete evidence of harm linked directly to inaccurate
records offered by look-up services.'' Nor has any evidence to the
contrary emerged since 1997. In addition, statutory safeguards do exist
for individuals in the vast majority of circumstances in which the
distribution of inaccurate public record information might cause them
real harm. For example, the Fair Credit Reporting Act already regulates
extensively the use of public record information in connection with
decisions about a consumer's eligibility for employment, credit, or
insurance.
Weighed against this dearth of evidence of inaccuracies or consumer
harm is the enormous potential burden associated with retrieving
potentially relevant information from the large number of data bases of
public records and verifying that it pertains to the individual making
the request. This is necessary because many individual reference
services, unlike consumer reporting agencies, do not maintain ``files''
in connection with specific individuals. For example, individual
reference services leave to their customers the tasks of formulating
their search inquiries, of personally reviewing the search results to
determine whether the search might have been under-inclusive and, where
the search inquiry is over-inclusive, of personally reviewing the
search results to determine what records may be relevant. To meet the
bill's demands, however, individual reference services would need to
hire teams of customer service representatives, train them, and assume
the risk of error in formulating search inquiries and making associated
decisions. In short, it would force individual reference services to
assume risks they long ago shifted to their customers.
Finally, section 8 would require that, as a condition of selling
public record information to lawyers, law enforcement officials,
journalists, and other professionals, individual reference services
enter the consumer market for public record information. This is a very
different market than most individual reference services ever sought to
enter. Moreover, imposing this condition would run afoul of the First
Amendment because it would unduly burden the publication of information
already in the public domain. See, e.g., The Florida Star v. B.J.F.,
491 U.S. 524 (1989) (striking down statute that imposed civil liability
upon a newspaper for publishing the name of a rape victim which it had
obtained from a publicly released police report); Smith v. Daily Mail
Publishing Co., 443 U.S. 97 (1979) (finding unconstitutional the
indictment of two newspapers for violating a state statute forbidding
newspapers to publish the name of any youth charged as a juvenile
offender).
VI. CONCLUSION
Our company and the IRSG are committed to the responsible
acquisition and use of personally identifiable information, and share
the Subcommittee's concern about the potential misuse of data for
identity theft and other harmful purposes. Nevertheless, individual
reference service products are absolutely essential in the fight
against identity theft, and the Congress should not take any steps that
would jeopardize the usefulness of such services.
Senator Kyl. Thank you.
Mr. Pratt.
STATEMENT OF STUART K. PRATT
Mr. Pratt. Chairman Kyl and Senator Feinstein, let me join
with the others who have testified already and thank you very
much for holding this hearing. It is important to us, as the
Associated Credit Bureaus, because we represent 500 or so
companies out in the marketplace who, in fact, are the
information companies who ultimately have their data bases
polluted by the crime of identity theft.
Mr. Chairman, in particular, we thank you for your
thoughtful leadership on the enactment of the Identity Theft
Assumption and Deterrence Act of 1998. It was the right step,
it was the right time. In fact, at several hearings that I have
attended--and one of the reasons we go to these hearings is
that it isn't just a matter of telling you what we think. It is
a matter of hearing what else is said.
Each time I hear a victim, it gives me a chance to go back
to our own industry and make it more real to our chief
executives, to encourage them to be more efficient, to make
sure that they understand that we all have personal lives. I
have two children and they go to swim team and they do other
things, and if I am spending most of my time unraveling a
problem, I am not spending my time on what I guess I would
think of as higher priorities in our personal lives.
In fact, that is really what drove the Associated Credit
Bureaus to establish an identity theft task force that
consisted of the chief executive officers. It was a
longitudinal process. We actually hired a former attorney
general to work with us and we have launched our first series
of initiatives. They were announced March 14 and were a part of
the identity theft summit that was hosted by the Department of
the Treasury earlier this year.
We are not finished in terms of our work. I think it is
time for industry to be progressive. It is time for industry to
look at what we can do. I remember Jim Bauer a number of years
ago testifying, in fact, to a Senate Banking Committee
subcommittee encouraging industry to step forward and take its
responsibility seriously in terms of how this crime affects
consumers. It is invasive, it is longitudinal. There is a snarl
of problems that result from this, and I think each one of us
has our role in trying to solve that problem. We are unhappy,
again, with that data that is in our file that is inaccurate
that causes a legitimate consumer to not have access to the
benefits and the services that they would like to have in this
society today.
So with that, let me just focus a few comments on the types
of initiatives that we have undertaken so far, at least some of
which are consistent with some of the ideas we have heard
discussed already.
We think it is very important that we do what we can to
improve both the use of and the effectiveness of the security
alerts that we add to the credit files. You have heard
testimony today saying are these effective. We want them to be
effective, obviously. So, in fact, just this past month we have
decided to standardize both the literal statement as well as
the coding of what goes into a security alert to ensure that
our customers across any technology platform can look for and
identify that security alert to make sure that they can then
take the actions that they feel are appropriate.
We also think that consumers, when they are calling three
different consumer reporting agencies for credit fraud, for
example, need an even experience. We interviewed victims who
said, you know, it is hard for me if you are asking for this
data, but you are asking for this data; you ask me to jump
through this hoop, but you ask me to jump through this hoop. So
can we harmonize, can we standardize some of that experience?
We are moving to standardize the advice we give consumers.
We are moving to standardize the communications that we give to
consumers. We are moving, in fact, to standardize what steps we
take first in the process for consumers.
Another step was, in fact, even on a weekend where a
consumer would get an automated voice attendant potentially
rather than get live personnel. One of the keys is to assure
that consumers have confidence in what is being done. I think I
heard testimony today, and I have heard this before: I am still
not sure I feel good, I am not sure I am safe.
We want to create a safer world, and so in our case we will
add a security alert automatically even if you just leave a
message--no verification, no authentication, no hoops. So, that
is going to be a change that we are making this year.
We will also take you out of all pre-screened offers of
credit automatically, no verification, no efforts to check
further, but just do it. And we will also issue your file
within 3 business days and get that out into the mail so that
you can look at that file, and then you will have access to an
800 number and live personnel where you can continue the
process of working through this.
We will escalate communications to credit grantors even
where we do not yet see credit on the file. This is a change in
our practices, so that we will communicate electronically
through a network that we have established and funded through
the 1990's which allows us to communicate with a majority of
our data furnishers so that even where there is just what we
call an inquiry on the file, and if a consumer says I don't
recognize doing business with that bank, and we don't see an
account yet on the file, but we wonder what is happening, is
there something in the pipeline, that is part of the
longitudinal effect. You see what is on the file. It is a
snapshot, but there may be more that is cycling in, and this is
the experience that consumers have. It seems to go on and on
and on.
One of the most important steps I think we have taken is
that we are going to build new software technologies that will
be available within 7 months of that announcement we made
earlier this year. We are going to monitor the file, and I
think this is going to help solve one of the problems.
One of the problems is that consumer says, ``You know, it
is on my shoulders to check the file, and to check it again and
check again and make sure I am still OK.'' Well, we are going
to trigger communications to consumers where we see unusual
file activity. We are actually going to mail or communicate
with that consumer and say we have seen something happen to
your file that doesn't look right, can you call us again on the
800 number, free of charge, and escalate our linkage with the
consumer who has been victimized.
Again, I think it makes good business sense, by the way, to
keep the file clean once we have gotten it cleaned back up
again. But we can't be confident that all of the credit
problems out there have been cleaned up as well. So we have to
try to keep it clean by staying in touch with that consumer.
So, that is a sampling of the efforts that we are
undertaking, and we have more on the way, actually. I have a
conference call next week with another segment of our industry
to further refine and take some additional steps to try and
build these efficiencies into the system.
So I am happy to be here today. We are happy to answer your
questions and we appreciate the opportunity you are taking to
learn and get the big picture of what is happening on this
issue of identity theft.
[The prepared statement of Mr. Pratt follows:]
Prepared Statement of Stuart K. Pratt
Mr. Chairman and Members of the Subcommittee, my name is Stuart
Pratt and I am vice president of government relations for the
Associated Credit Bureaus, headquartered here in Washington, D.C. ACB,
as we are commonly known, is the international trade association
representing over 500 consumer information companies that provide fraud
prevention and risk management products, credit and mortgage reports,
tenant and employment screening services, check fraud and verification
services, and collection services to hundreds of thousands of customers
across the United States and the globe.
Our members are the information infrastructure that contributes to
the safety and soundness of our banking and retail credit systems;
which:
allows for the efficiencies of a secondary mortgage
securities marketplace that saves consumers an average of 2 percentage
points on the cost of a mortgage.
helps e-commerce and bricks-and-mortar businesses
authenticate applicant data, thus reducing the incidence of fraud.
gives child support enforcement agencies the information
tools necessary to accomplish their mission.
allows states to reduce the incidence of many forms of
entitlement fraud.
On behalf of ACB, I want to commend you for holding this hearing on
the issue of identity theft and for your efforts in the previous
Congress, leading to the enactment of the Identity Theft Assumption and
Deterrence Act of 1998. Identity theft is an equal-opportunity crime
that can affect any of us in this hearing at any time. It is a
particularly invasive form of fraud where consumers, consumer reporting
agencies and creditors must untangle the snarl of fraudulent accounts
and information resulting from a criminal's actions. This task is often
frustrating and time-consuming for all concerned.
Before I specifically address how our industry has responded to the
needs of creditors and victims of identity theft, I have found it
helpful to provide a short review of what a consumer reporting agency
is, what is contained in a consumer report, and the law that governs
our industry.
CONSUMER REPORTING AGENCIES AND CONSUMER REPORTS
Consumer reporting agencies maintain information on individual
consumer payment patterns associated with various types of credit
obligations.\1\ The data compiled by these agencies is used by
creditors and others permitted under the strict prescription of the
Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) to review the
consumer's file.
---------------------------------------------------------------------------
\1\ Our members estimate that there are approximately 180 million
credit active consumers. Since our members operate in competition with
each other, these consumers are likely to have more than one credit
history maintained.
---------------------------------------------------------------------------
Consumer credit histories are derived from, among other sources,
the voluntary provision of information about consumer payments on
various types of credit accounts or other debts by thousands of data
furnishers such as credit grantors, student loan guarantee and child
support enforcement agencies. A consumer's file may also include public
record items such as a bankruptcy filing, judgment or lien. Note that
these types of data sources often contain SSN's as well.
For purposes of data accuracy and proper identification, generally
our members maintain information such as a consumer's full name,
current and previous addresses, Social Security Number (when
voluntarily provided by consumers), date of birth or age, and sometimes
places of employment. This data is loaded into the system on a regular
basis to enhance the completeness and accuracy of data.\2\
---------------------------------------------------------------------------
\2\ Note that there are in fact a number of major credit reporting
systems in this country. Within ACB's membership the three most often
recognized systems are Equifax, Atlanta, GA; Experian, Orange, CA; and
Trans Union, Chicago, IL. These systems not only manage their own data
but also provide data processing services for the over 400 local,
independently-owned, automated credit bureaus in the Association's
membership.
---------------------------------------------------------------------------
It is important to note that the vast majority of data in our
members' systems simply confirms what you would expect: that most
consumers pay their bills on time and are responsible, good credit
risks. This contrasts with the majority of systems maintained in other
countries, such as Japan, Australia, or Italy, which store only
negative data and do not give consumers recognition for the responsible
management of their finances.
As important as knowing what we have in our files is also knowing
what types of information our members do not maintain in files used to
produce consumer reports. Our members do not know what consumers have
purchased using credit (e.g., a refrigerator, clothing, etc.) or where
they used a particular bank card (e.g., which stores a consumer
frequents). They also do not have a record of when consumers have been
declined for credit or other benefit based on the use of a consumer
report. Medical treatment data is not a part of the data bases, and no
bank account balance information is available in a consumer report.
THE FAIR CREDIT REPORTING ACT (FCRA)
In addition to our general discussion of the industry, we believe
it is important for your Subcommittee to have a baseline understanding
of the law that regulates our industry. Enacted in 1970, the Fair
Credit Reporting Act was significantly amended in the 104th Congress
with the passage of the Credit Reporting Reform Act.\3\
---------------------------------------------------------------------------
\3\ Public Law 104-208, Subtitle D, Chapter 1.
---------------------------------------------------------------------------
Congress, our Association's members, creditors and consumer groups
spent over 6 years working to modernize what was the first privacy law
enacted in this country (1970). This amendatory process resulted in a
complete, current and forward-looking statute. The FCRA serves as an
example of successfully balancing the rights of the individual with the
economic benefits of maintaining a competitive consumer reporting
system so necessary to the efficient operation and growth of a market-
oriented economy.
The FCRA is an effective privacy statute, protecting the consumer
by narrowly limiting the appropriate uses of a consumer report (often
we call this a credit report) under Section 604 (15 U.S.C. 1681b),
entitled ``Permissible Purposes of Reports.''
Some of the more common uses of a consumer's file are in the
issuance of credit, subsequent account review and collection processes.
Reports are also, for example, permitted to be used by child support
enforcement agencies when establishing levels of support.
Beyond protecting the privacy of the information contained in
consumer reports, the FCRA also provides consumers with certain rights
such as the right of access; the right to dispute any inaccurate
information and have it corrected or removed; and the right to
prosecute any person who accesses their information for an
impermissible purpose. The law also includes a shared liability for
data accuracy between consumer reporting agencies and furnishers of
information to the system.
FRAUD PREVENTION AND IDENTITY THEFT
Let me now turn to our industry's efforts with regard to fraud. Our
industry has a history of bringing forward initiatives to address
fraud. These efforts focus on use of new technologies, better
procedures and education.
Consider the following efforts undertaken during this past decade:
ACB formed a Fraud and Security Task Force in 1993.
A ``membership alert form'' was developed for use in
notifying other ACB credit bureau members of customers who were
committing fraud through the misuse of data. Implemented in 1994.
A ``Universal Fraud Information Form'' was developed for
use by creditors when communicating the incidence of fraud to national
consumer reporting systems.
The credit reporting industry developed a comprehensive
presentation on ACB fraud and security initiatives for delivery to
customer segments during 1995.
Minimum standards for data access equipment and software
were announced to industry suppliers in March 1995.
ACB members have implemented company-specific limitations
on the availability of account numbers, and truncation of Social
Security Numbers on consumer reports sold to certain customer segments.
Experian, Equifax and Trans Union voluntarily formed
special fraud units with toll-free number service and consumer
relations personnel specially trained to work with fraud victims.
A hardware and software certification program has been
created by the industry and administered by a third-party certification
authority for those access products, which have implemented industry
security standards.
Over 150,000 copies of a new customer educational brochure
entitled ``We Need Everyone's Help to Protect Consumer Privacy and
Reduce Fraud'' have been distributed since its first printing in 4th Q.
1997. An education program was also developed for use by ACB members in
presenting the information found in the brochure. 2nd Q. 1998.
On March 14, 2000, the ACB announced new voluntary
initiatives to assist consumers who have been victimized by identity
theft. Following is a description of each initiative and also attached
is our press release.
Advocate the use and improve the effectiveness of security
alerts through the use of codes transmitted to creditors. These alerts
and codes can help creditors avoid opening additional fraudulent
accounts.
Implement victim-assistance best practices to provide a
more uniform experience for victims when working with personnel from
multiple fraud units.
Assist identity theft victims by sending a notice to
creditors and other report users when the victim does not recognize a
recent inquiry on the victim's file.
Execute a three-step uniform response for victims who call
automated telephone systems: automatically adding security alerts to
files, opting the victim out of prescreened credit offers, and sending
a copy of his or her file within three business days.
Launch new software systems that will monitor the victim's
corrected file for 3 months, notify the consumer of any activity, and
provide fraud unit contact information.
Fund, through ACB, the development of a series of consumer
education initiatives through ACB to help consumers understand how to
prevent identity theft and also what steps to take if they are victims.
CONCLUSION
In conclusion, you can see by our actions that our members have a
history of combating fraud of all types including identity theft. We
were the first industry trade association to form a task force to
consider how best to address the plight of victims who through no fault
of their own are left with, as we said at the beginning of this
testimony, a snarl of fraudulent accounts to deal with.
Along with our progress, there are a few cautionary thoughts that I
would like to leave with each of you. It is difficult for laws to
prescribe procedures and practices that actually prevent crime. Crime
is a moving target and, thus, our fraud prevention strategies must be
as agile as the tactics of the criminals.
Information is a key economic growth factor in this country. Laws
that limit legitimate and beneficial information use are most likely to
take fraud prevention tools out of the hands of legitimate industry.
Ironically, to prevent fraud, we must be able to crosscheck
information. Absent this ability to authenticate identifying
information, we will be less able to prevent the very crime we are
discussing here today.
I think the initiatives I have discussed here today provide ample
evidence that our industry is serious about doing its part in reducing
the crime of identity theft and fraud and in helping consumers restore
their good name and an accurate credit file. Just as it is to
consumers, the integrity, accuracy and reliability of the credit files
our members maintain is vitally important.
Thank you for this opportunity to testify.
______
News Release
[Norm Magnuson]
CREDIT REPORTING INDUSTRY ANNOUNCES IDENTITY THEFT INITIATIVES
Associated Credit Bureaus, the international trade association for
the consumer reporting industry, announced today a commitment on behalf
of the nation's leading credit reporting agencies to voluntarily
implement a comprehensive series of initiatives to assist victims of
identity theft in a more timely and effective manner.
``While there is no evidence to show that the credit report
is a source for identity theft, our industry has always taken
an active role in assisting consumers who are fraud victims.
Our members have taken this responsibility seriously, and we're
very proud of these initiatives that help consumers who are
victims of identity theft or fraud,'' noted D. Barry Connelly,
president of Associated Credit Bureaus. ``Designing and
implementing these initiatives is a significant milestone in
the ongoing efforts of our industry to help address the problem
of identity theft. As long as there are criminals who prey on
innocent consumers, we will continue to seek even better ways
to serve consumers and work with law enforcement and our
industry's customers to address this threat.''
Connelly outlined the industry's six-point program to improve
identity theft victim assistance:
Advocate the use and improve the effectiveness of security
alerts through the use of codes transmitted to creditors. These alerts
and codes can help creditors avoid opening additional fraudulent
accounts.
Implement victim-assistance best practices to provide a
more uniform experience for victims when working with personnel from
multiple fraud units.
Assist identity theft victims by sending a notice to
creditors and other report users when the victim does not recognize a
recent inquiry on the victim's file.
Execute a three-step uniform response for victims who call
automated telephone systems: automatically adding security alerts to
files, opting the victim out of prescreened credit offers, and sending
a copy of his or her file within three business days.
Launch new software systems that will monitor the victim's
corrected file for three months, notify the consumer of any activity,
and provide fraud unit contact information.
Fund, through ACB, the development of a series of consumer
education initiatives through ACB to help consumers understand how to
prevent identity theft and also what steps to take if they are victims.
ACB's initiatives, to be fully implemented within seven months of
this announcement, resulted from a task force comprising senior
executives from the ACB Board of Directors and former State Attorney
General, M. Jerome Diamond. Diamond interviewed consumer victims and
law enforcement officials, made onsite visits to credit reporting
agency fraud units, and obtained input from privacy advocates. His
counsel was an integral part of the decisionmaking process and
influenced the final content of the initiatives.
Connelly said: ``Identity theft is a crime that is deeply
unsettling for the victims. Our initiatives will make it easier for
victims to put their financial lives back together.'' Connelly
stressed, though, that the crime extends beyond individuals to
creditors and ACB members and added, ``We must all work together in the
areas of prevention and victim assistance. We supported the enactment
of the Identity Theft Assumption and Deterrence Act of 1998 and have
worked with more than half of the State legislatures on similar laws.
We urge law enforcement to vigorously investigate and prosecute the
criminals.''
Associated Credit Bureaus, Inc. is an international trade
association representing 500 consumer information companies that
provide fraud prevention and risk management products, credit and
mortgage reports, tenant and employment screening services, check fraud
and verification services, and collection services.
Senator Kyl. Thanks very much, and thanks to all of you.
Let me ask Senator Feinstein to begin. I will have to step
out for just a moment and be right back.
Senator Feinstein. Thanks, Mr. Chairman.
Mr. Pratt, I was very heartened by your testimony. Let me
just thank you for making changes in your system. One of the
problems that we have had is that identity theft victims report
that they have difficulties getting in touch with a person, as
opposed to a recording, when they call a credit bureau to
report an incident. And they are frustrated at having to call
each of the major main credit bureaus to report identity theft.
Is what you are saying that you will have this systematized
so that one call will be able to reflect through all credit
bureaus?
Mr. Pratt. It is a discussion item. I can't tell you yet
that that is where we will end up, but I will tell you that
what we want to be able to do is make sure that a consumer who
calls knows what is going to happen and has confidence in what
will happen so that they aren't frustrated, even if it is
Sunday night that they are learning about the problem and they
are making that phone call on a Sunday. Whether they are
calling and getting live personnel or not, either way we want
to make sure that experience is fairly standardized.
We have other data bases out there, Senator Feinstein, and
we are looking at how we can make sure that across a larger
spectrum of data bases consumers don't end up making more and
more phone calls down the road to help with that efficiency.
Senator Feinstein. How many credit bureaus are there?
Mr. Pratt. Well, there are three major credit reporting
systems that I think we commonly think of. There is a total of
500 members in the Associated Credit Bureaus, some of whom
produce mortgage reports, some of whom produce employment
screening reports or tenant screening reports of various types.
There are check services data bases. One million two hundred
thousand fraudulent checks are written a day in this country.
Senator Feinstein. Well, let me ask you, if Michelle, for
example, wanted to call a credit bureau to say, ``Look, I have
got a problem,'' how many calls would she have to make now?
Mr. Pratt. I think today she would make three main calls,
and with those major calls we would be able to take those
steps, making sure that a security alert works, but take those
steps that a security alert works and is effective, take the
steps that she wants us to take, and so on; three main calls.
Senator Feinstein. It would really be helpful, I think, if
an individual could make one call, and as a product of that
call the word could go out and they wouldn't have to do the
rest of it.
Mr. Pratt. I think that is an idea that goes far back, and
let me just say that, of course, Jodie Bernstein has been a
real thought leader and her division has been a real thought
leader in the area of identity theft, even as far back as some
of the workshops. We still have some of those ideas plugged
into the decisionmaking process to take the right steps in the
right order.
Senator Feinstein. Do you know how much business is
actually generated by the sale of marketing lists with Social
Security numbers?
Mr. Pratt. I really don't.
Senator Feinstein. Mr. Emmert, the FTC has made some
recommendations to my staff for the improvement of 2328,
particularly sections 7 and 8 that you spoke about. I would
like to ask that you talk with Tom Oscherwitz of my staff and
go over these and see if they satisfy your concerns.
I was reading the bill while you were speaking, and I
really didn't quite understand what the heart of your concern
was. Can you repeat that again?
Mr. Emmert. Sure. Thank you, Senator, and we would be very
happy to work with you and with Tom on the language.
One of the issues that we have is the same comment that
Inspector General Huse made, which is you should prohibit the
sale of Social Security numbers. I think you should prohibit
the sale in the consumer marketplace of Social Security
numbers, but there are sales that happen in a more restrictive
environment that we believe need to happen that will, in fact,
be counterproductive if you stop them. When we obtain a list of
names, addresses and Social Security numbers from the credit
bureaus, that is a sale.
Senator Feinstein. Go over what those are, those instances.
Mr. Emmert. Yes. What we will do is we will acquire data in
a large set and then we will, in turn, sell it on a limited
basis to a very finite group of customers that include
government law enforcement agencies, fraud investigation groups
within insurance----
Senator Feinstein. Well, now, there is an exception for
that in the bill. Keep going.
Mr. Emmert. OK. We also need an exception for us so that we
can obtain it to begin with.
Senator Feinstein. Right.
Mr. Emmert. You have insurance companies who have fraud
investigations units, many of which are established as mandated
by State law. The insurance companies are very big on this. I
believe the statistics show that they save $10 for every $1
they spend on fraud investigation. So they are very big on it,
but it is private sector-type law enforcement activity.
You have similar issues with the securities industry and
with the banking industry. We have child support enforcement
work. We have work with groups that locate missing children.
These are activities that we think that arguably we should
support and that we would like to continue to be able to
support.
We don't try to defend the use of Social Security numbers
for marketing or solicitation. It seems unnecessary. I don't
need to be able to get my neighbor's Social Security number
just because I am curious, and so a website that would make
that information available to the general public--I don't want
to defend that practice. I think it is reprehensible, and it is
a huge feeder for the types of persons who would commit fraud.
So, that is not what we are trying to defend. It is the notion
of ``no sale'' that is the problem because there are behind-
the-scenes types of transactions that need to continue.
Senator Feinstein. I think we are prepared to make specific
technical exceptions. As you said, the Social Security number
is one thing and other data is other things. If you would work
with our staffs, perhaps we can work this out. One bill is just
the Social Security number. Another one that I am looking at is
also the driver's license, personal financial data, and
personal health data.
Mr. Emmert. All of those are areas that have slightly
different issues. The driver's license issues are slightly
different from the health data and the financial data. We are
not in the market of distributing health or financial data. We
don't want to be in that market. We don't want to be
disseminating people's medical records or their personal
financial records. Again, I would agree there are reasons why
you don't want that in the general marketplace, in the public.
Driver's license records are an interesting category
because, first, they are public records. And, second, they can
be used to help with a number of functions. Again, the Drivers
Privacy Protection Act has helped to restrict those uses
considerably, and I will point out that even under the most
restrictive interpretations that have come through on the
recent amendments, 96 percent of our current customer base
qualifies under the most restrictive amendments because, again,
we don't sell for marketing or commercial solicitations or to
members of the general public who have curiosity.
We are selling to law enforcement, we are selling to the
courts, we are selling to attorneys who are working on
litigation, things of that nature. And so our concern is that
we can protect those uses which we believe are socially
beneficial. But we would be more than happy to work with you
and your staff on this.
Senator Feinstein. Great. I am a big fan of NEXIS-LEXIS.
Mr. Emmert. Thank you, Senator.
Senator Feinstein. On this personal financial data, I have
been told that there are places where I could purchase every
mortgage you have ever had, who gives the mortgage, what you
have owing on the mortgage, any delay in payment you may have
made, where the houses or house or property or whatever it
might be is, so that by buying this information, I could
actually develop a very good financial profile of you, any
weaknesses you might have, any strengths you might have. I find
that very dangerous to have out there in the public
marketplace.
Mr. Emmert. A couple of comments on that. First, my friend
Stuart here may, in fact, have that information, but we do not.
What we do have is we do have information about real estate
titles. As you know, lawyers do title searches. They help you
when you go to purchase a house or when you go to sell a house.
What we make available are the public records themselves that
you get from the county recorder's office.
So for a particular parcel of land, we can show who the
owner of the record is, where the parcel is situated, and a
legal description of the parcel. If there are liens currently
in existence against the parcel, the liens would show on the
title. That is so when you go to buy a house, you don't pay
$200,000 for a house, only to find out that there is also a
$150,000 tax lien that you personally are now liable for
because nobody found it when you made the purchase and it
wasn't settled. And so that basic information is available.
Also, you may find things like the assessed tax value of the
property. What are the property taxes on the property? What is
the assessed value for tax purposes?
In terms of the mortgages, I believe the initial mortgage
amount is stated on some of the deeds. These are records that
we don't create. We don't necessarily dictate what is in these
records. We simply report them as they are recorded in the
county recorder's office. It would not show the amount of the
payment. It would not show the current balance of the mortgage,
it would not show prior mortgages, but it may show a second
mortgage which would be filed as a matter of record against the
property as a lien.
Senator Feinstein. Can anyone get this information if they
are on some kind of a fishing expedition to find a good victim?
Mr. Emmert. Well, anyone can get this information at the
county recorder's office today in any county in the country. It
has been a public record for as long as we have had land
records in this country. So in that sense, the answer is yes.
Senator Feinstein. But it is difficult to get.
Mr. Emmert. Well, it is, but again you look at the
distributions. Certainly, for our company we have a fairly
limited distribution. We have a lot of users, but the users
tend to be in professional categories in the law enforcement
community, in major law firms, and in large corporations. It is
not something that we make generally available to the populace
at large over the Internet.
Legally, that can be done because those records are public.
Even if you can't afford a lawyer, even if you are not with a
law enforcement agency, you are entitled to go down to the
county recorder's office to find out when that tax bill comes
in whether your next-door neighbor's property has been assessed
at the same basic level as yours is.
I just went through that. I bought a new house. I had been
in the house less than 6 months and the assessed property value
was significantly above what I paid for the property. Well, I
am entitled under the law to go over and see how did they
assess the other properties on the street. Am I being treated
fairly with respect to my neighbors? That is one of the reasons
that those records are available to the public. I don't have to
hire a lawyer to do it. I can do it myself.
So there are some touchy issues here in a free society
because we want to protect persons from fraud, from theft,
certainly from any scenario of that nature. But it is kind of a
fine line between protecting people and allowing people to sort
of protect themselves as well in other contexts.
Senator Feinstein. Thank you very much. Mr. Pratt, did you
have something you wanted to add at one point?
Mr. Pratt. I think Steve really covered some of the basic
points. We would have mortgage information in a consumer file
that might show payment information, but that would be
controlled by the Fair Credit Reporting Act. So in that case, a
privacy statute is in place which limits distribution.
Obviously, that is a great challenge you have going
forward, and I know Tom and you and others on your staff are
working through that, about what does Graham-Leach-Bliley
cover, what does it not cover, what does Fair Credit cover and
what does it not, and so on and so forth. So this is the policy
issue that we are in today, how to parse through the laws that
currently exist and to look for, I guess, the element which
might lead to injury somewhere down the road.
Certainly, another context for mortgage information being
available is the efficiencies for a mortgage lending system
today, the fact that we securitize an enormous amount of
primary market loans into secondary markets. And in those large
automated underwriting contexts, the ability to draw from
electronic data bases which create the efficiency--that is, a
business-to-business transaction--allows them to do very
inexpensive assessments of values of property which allows
them, in fact, to approve up to 70, 75 percent of the loans
without all of the normal expensive closing costs processes
that we have seen in the past. So there are those issues to
think about when you are thinking about this larger context of
public record and the availability of it, and what are the
basic tenets of why it was there in the first place.
I have lived in other countries. Land ownership in this
country is kind of taken for granted in a lot of ways. We live
in a very stable society, comparatively. In a lot of countries,
people don't know who owns the land. They don't know why it is
being owned. They don't know who controls large swaths of
property.
That was one of the fundamental tenets behind the idea of
making ownership available. Environmental groups today use
ownership records of that sort to track down who, in fact,
really controls land, who, in fact, controls wetlands, who can
build on it, who cannot, that sort of thing. So are these other
societal benefits that just have to be weighed in context.
Unfortunately, I guess that is the job of U.S. Senators, to try
to divine the truth in all of that.
Senator Feinstein. Thank you. Thank you, Mr. Chairman.
Senator Kyl. The old saying ``knowledge is power'' is
really the fundamental of this hearing. That knowledge can be
very powerful in a very positive way. That is primarily what
has permitted the Internet and this kind of technology to
benefit our society in such a significant way.
But as we point out in this hearing, it can also be used in
a very powerful negative way, and the trick here is to find the
proper balance to protect people from the kind of
extraordinarily harmful activity that can occur, while not
unnecessarily interfering in the free flow of information for
positive purposes.
I was struck, Senator Feinstein, by the fact that if we
could have these four witnesses sit down with us, we could
probably craft a very, very good bill, with all of the
information that is represented at this table.
Incidentally, we may have a vote any minute here, and when
that vote is called, we will have about 7 or 8 minutes to
conclude the hearing and then we will have to finish, but that
perhaps will be enough.
Ms. Brown, I was going to ask you what assisted you the
most in your efforts to clear your name, and then, second, to
what extent did you receive assistance from the FTC. You have
given us in writing a lot of great recommendations, some of
which are being pursued, some we need to pursue. And if you
would like to add anything else there orally, that would be
fine, too.
Ms. Brown. I would say that the first resource that I found
actually was the Privacy Rights Clearinghouse. And I did
searches on the Internet for identity fraud that assisted me in
certain steps to take to not only report the crime, but also to
try to prevent further misuse of my name.
Senator Kyl. By the way, did you find that on the Internet?
Ms. Brown. On the Internet, yes, rapid information. That is
exactly why I went there. I didn't know where else really to
turn. If I didn't have access to the Internet, I am sure that
it would be a very, very lengthy process to figure out what
steps logically--where to go, to call the DMV, to call the
Social Security agency.
I looked onto, say, FBI sites and Secret Service sites, but
generally at that point the initial thing that I knew about was
the car loan. That was only $32,000, and to get into something
of the FBI and Secret Service, my case did not apply yet. I
think maybe down the line, it could have.
So I think that those resources from the FTC websites and
the Privacy Rights Clearinghouse give great information of how
to go about clearing the process. But I didn't receive any
further assistance from anybody. It was all just my own
diligence and my own persistence in calling the police
departments, and so forth. And like I said, there were many
times that authorities were not sensitive to my plight.
I actually called one time to the LAPD when I found out
that something had occurred in the L.A. County, basically, and
that is where I was to file a police report. I was told
blatantly not to bring the case there because, as the guy was
laughing, you know, he did not want a burdensome case like
that. So, often, there weren't resources and it was just my
persistence in going forward. And from there, it was just
logical. When you make a fraud report, they send you
documentation, they send you forms to fill out, and you just
continue to do that at every step of the way.
Senator Kyl. And, of course, one of the things you
suggested is much more uniformity in that.
Ms. Brown. Absolutely.
Senator Kyl. And we have heard here that that is a step
that is at least to be pursued.
Ms. Brown. Absolutely.
Senator Kyl. Did you talk to anybody at the FTC ever, and
did they provide any specific help?
Ms. Brown. Off the top of my head, I don't recall, but I
have extensive notes of every single phone call that I made.
Senator Kyl. Did you ever get a letter, a document that you
could carry with you, the kind of thing that Ms. Givens talked
about?
Ms. Brown. When I found out that there was a warrant out
for my arrest, then I specifically requested from the police
detective that was working on my case--I filed a police report
in January 1999. This is June 1999 when I found out I had a
warrant out for my arrest. Up until that point, even though I
filed a police report, I didn't have anything in my hand,
really, aside from a statement that I did file with my local
police, because I actually feared for my life and if something
happened to me, I wanted some record of that.
From that, I had a 1-page sheet that said that I had
reported identity theft, basically. But up until that point,
no, I had not received anything in my hand to show my
innocence. And because I was leaving the country and there was
a warrant out, I specifically requested this. But in most
cases, I don't think that victims would really be allowed that
information. Sometimes, you don't know that there is a clear
perpetrator. I knew blatantly because she went to the DMV, and
from their records, after they pulled that information, it was
clear someone had impersonated me.
Senator Kyl. So did you eventually get some kind of a
document that you could carry with you?
Ms. Brown. From the courts, yes, after she was tried.
Senator Kyl. So that was late in the process?
Ms. Brown. September 1999.
Senator Kyl. And just describe that document briefly.
Ms. Brown. Initially, I received a letter from the
probation officer saying that she was going to be convicted on
such-and-such date; you are allowed to put in a victim
statement, and so forth.
Senator Kyl. Excuse me. But when you try to come in the
country from Mexico, that wouldn't----
Ms. Brown. Exactly. When I came back from Mexico, that is
what I had in hand. I also had a letter from the detective.
Those were the only things I had in hand--well, not
necessarily. I also have certain statements and documentation
of filing disputes with credit agencies, and so forth. But the
real document came from her conviction in the San Diego court
in September 1999, and I specifically requested this out of the
court that I wanted them to say this person of such-and-such
description, and to provide my description----
Senator Kyl. Alias your name.
Ms. Brown. Used my name to perform all of these acts, you
know, burglary and what not.
Senator Kyl. Let me ask Ms. Givens, you talked about a
specific document. And this is one of the things I had in mind
when we introduced our original bill and it didn't come out
exactly the way I sort of had thought about, but there was at
least some reference to it.
What would you recommend, understanding that there are
different kinds of cases and there are different times in the
process here, but to try to respond to the precise problem Ms.
Brown had? What kind of document or series of documents could
we provide for? And I would think that this could be done, by
the way, perhaps without legislation. It doesn't necessarily
have to be a Federal law.
Ms. Givens. Well, we are working on two bills in California
that you might want to look to as models. One would be an
expedited court process where you would get a document from the
court in the jurisdiction where the arrest or the conviction
happened. And, by the way, you have to deal with both arrests
and convictions. Michelle's case is horrible, but the one good
thing is that the perpetrator was convicted and is in prison.
That is a rarity.
Most of the time, you are dealing with a nefarious unknown,
and you have an arrest warrant and you don't know where they
are or what they are doing. So you need to be able to address
both arrests and convictions. But perhaps something that you go
through your local law enforcement that goes to that court, an
official document from the court, but the document must be
accepted by U.S. Customs, by the FBI.
We have the case of a man who has a document for bad check-
writing that he carries with him. He came back into the country
and was jailed. U.S. Customs did not accept that document even
though it was from the courts in Missouri, and he lives in New
York City. And that was for bad check-writing. So there has to
be something that is standardized, that is official, that is
acceptable to all levels of law enforcement.
Senator Kyl. And it seems to me also something that pre-
dates an actual conviction like this or arrest. You may have
nothing more than the beginning of learning of the event, two
or three bad things that you find out about. You report it to,
say, the credit bureaus. You are starting the process of
clearing your name, but I mean at that point it seems to me
there is so much about your life that is now going to be
implicated in this that it would be useful to have something
from the FTC or somebody that says this person has at least
been reporting some really bad anomalies. There would have to
be some kind of verification--and we can verify that at least
the first one reported was, in fact, an anomaly, and so listen
to this person. When she tells you there is something wrong,
listen to her.
Senator Feinstein. I think we might look at a statement or
a letter signed by the chief law enforcement officer of the
jurisdiction that she has at least filed a case and that an
investigation is going on, and that he or she may well be the
unwitting victim of identity theft. The problem is you don't
want guilty people to go and get this document as well.
Senator Kyl. No.
Senator Feinstein. Therefore, it has to be something that
has some personal attention given to it. It would seem to me
the local law enforcement agency would be the best source
because they know whether the complaint, A, is valid or not; B,
whether there are really suspicious grounds for it and could
give you a clearance on those two bases without waiting for a
conviction or an arrest.
Senator Kyl. One thing that I need to say here for anybody
who might be watching is that by virtue of our legislation a
couple of years ago, we made this a crime against the
individual as well as the financial institutions and others
that might have been defrauded. Up until then, the individual
didn't really have standing to force this kind of information
and force this kind of action. So we have done that much.
We clearly have to try to refine the various bills and
amendments that Senator Feinstein has filed and that we have
been collaborating with here, and I think we will do that and
would like to be able to consult with all of you. And I would
suggest, Mr. Pratt, in particular, and Mr. Emmert with the
association that you represent, and so on, you ought to hire
people like Ms. Brown.
I mean, I don't know what she does for a living here, and
you don't need to tell us here on the record, but the point is
people with real experience like that, as well as, of course,
people like Ms. Givens who have a wide survey approach to this
based upon their extensive work in the area, to understand each
of the kinds of problems that a victim goes through. I think
bringing someone like Ms. Brown to some of your meetings and
saying, ``All right, listen to all of the different things that
have gone on here''--surely, can't we in the marketplace devise
ways of dealing with this and not have to rely upon the U.S.
Congress to pass some kind of law.
For example, I have been reluctant to force the credit
reporting agencies to provide a free report. You know, it is an
expense. I did want to ask you, are you at the point where you
think you can do that, if it is a reasonable kind of
requirement, without being too much of a financial burden on
the companies, Mr. Pratt?
Mr. Pratt. Senator, we really did deal with that question
in the many, many years of dialog about the Fair Credit
Reporting Act that took place in the decade of the 1990's. By
1996, we had new amendments which were, I think, extensive and
material, and changed remarkably the privacy statute originally
enacted in 1970.
In fact, we agreed at that time there were populations of
consumers that needed to have a free report. One of those
populations is a consumer who even just thinks they have been a
victim of fraud. They don't have to walk in with a police
report. So, in fact, we felt that that was a population that
deserved access. I lost my wallet, I want a free report. So we
agreed with that at the time. We also agreed for welfare
recipients, for those who are unemployed seeking employment,
any consumer who has ever been denied a benefit. So we provide
an enormous volume of free reports per year.
We do ask, I guess, for some equity, just as if you want in
and got a deed from the local courthouse, you might pay a fee.
As long as we can keep that fee reasonable so it doesn't deny
access merely by the cost, you give us a chance in those cases
to just handle it in the same way. Currently, the law caps that
fee at $8 plus the CPI.
Senator Kyl. Well, we will continue to work with you on
that, too.
Because we have this vote, I think we will have to bring
the hearing to a close, but I can't thank each of you enough. I
mean, you have all provided very important information for us,
and I am serious about relying upon your expertise as we move
forward with this legislation. Please understand we may be back
in touch with you. Thank you all very, very much.
Senator Feinstein. May I say ditto. Thank you.
Senator Kyl. This hearing will now adjourn.
[Whereupon, at 11:50 a.m., the subcommittee was adjourned.]
�