[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
IDENTITY THEFT: ASSESSING THE PROBLEM AND EFFORTS TO COMBAT IT
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
OVERSIGHT AND INVESTIGATIONS
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
DECEMBER 15, 2003
__________
Serial No. 108-60
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2004
91-576PDF
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas Ranking Member
FRED UPTON, Michigan HENRY A. WAXMAN, California
CLIFF STEARNS, Florida EDWARD J. MARKEY, Massachusetts
PAUL E. GILLMOR, Ohio RALPH M. HALL, Texas
JAMES C. GREENWOOD, Pennsylvania RICK BOUCHER, Virginia
CHRISTOPHER COX, California EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia FRANK PALLONE, Jr., New Jersey
RICHARD BURR, North Carolina SHERROD BROWN, Ohio
Vice Chairman BART GORDON, Tennessee
ED WHITFIELD, Kentucky PETER DEUTSCH, Florida
CHARLIE NORWOOD, Georgia BOBBY L. RUSH, Illinois
BARBARA CUBIN, Wyoming ANNA G. ESHOO, California
JOHN SHIMKUS, Illinois BART STUPAK, Michigan
HEATHER WILSON, New Mexico ELIOT L. ENGEL, New York
JOHN B. SHADEGG, Arizona ALBERT R. WYNN, Maryland
CHARLES W. ``CHIP'' PICKERING, GENE GREEN, Texas
Mississippi KAREN McCARTHY, Missouri
VITO FOSSELLA, New York TED STRICKLAND, Ohio
ROY BLUNT, Missouri DIANA DeGETTE, Colorado
STEVE BUYER, Indiana LOIS CAPPS, California
GEORGE RADANOVICH, California MICHAEL F. DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire CHRISTOPHER JOHN, Louisiana
JOSEPH R. PITTS, Pennsylvania TOM ALLEN, Maine
MARY BONO, California JIM DAVIS, Florida
GREG WALDEN, Oregon JAN SCHAKOWSKY, Illinois
LEE TERRY, Nebraska HILDA L. SOLIS, California
ERNIE FLETCHER, Kentucky
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
DARRELL E. ISSA, California
C.L. ``BUTCH'' OTTER, Idaho
Dan R. Brouillette, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Oversight and Investigations
JAMES C. GREENWOOD, Pennsylvania, Chairman
MICHAEL BILIRAKIS, Florida PETER DEUTSCH, Florida
CLIFF STEARNS, Florida Ranking Member
RICHARD BURR, North Carolina DIANA DeGETTE, Colorado
CHARLES F. BASS, New Hampshire JIM DAVIS, Florida
GREG WALDEN, Oregon JAN SCHAKOWSKY, Illinois
Vice Chairman HENRY A. WAXMAN, California
MIKE FERGUSON, New Jersey BOBBY L. RUSH, Illinois
MIKE ROGERS, Michigan JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Able, John M., Pennsylvania Attorney General................. 55
Broder, Betsy, Assistant Director, Division of Planning and
Information, Bureau of Consumer Affairs, Federal Trade
Commission................................................. 42
Burke, Kevin J., Deputy Chief Inspector, Eastern Field
Operations, U.S. Postal Inspector.......................... 50
Kane, Michelle............................................... 11
Lenahan, Milissa J., Assistant VP/Assistant Operations
Officer, First National Band and Trust Company of Newtown.. 30
O'Neill, Hon. Bernard T., Pennsylvania State Representative.. 5
O'Neill-Lagier, Brigid, Red Cross, Chief Executive Officer,
American Red Cross Blood Services, Penn-Jersey Region...... 13
Periandi, Lt. Col. Ralph M., Deputy Commissioner, Operations,
Pennsylvania State Police.................................. 61
Ryan, Robert, Senior Director of Government Relations,
TransUnion................................................. 25
(iii)
IDENTITY THEFT: ASSESSING THE PROBLEM AND EFFORTS TO COMBAT IT
----------
MONDAY, DECEMBER 15, 2003
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Oversight and Investigations,
Langhorne, PA.
The subcommittee met, pursuant to notice, at 10:12 a.m., in
Middleton Township Municipal Building, Langhorne, Pennsylvania,
Hon. James C. Greenwood (chairman) presiding.
Members present: Representatives Greenwood and Gerlach.
Staff present: Ann Washington, majority counsel and Billy
Harvard, legislative clerk.
Mr. Greenwood. Good morning, everyone. I am Congressman Jim
Greenwood, and I am chairman of the Subcommittee on Oversight
and Investigations of the Energy and Commerce Committee, and I
would like call this hearing to order.
We thank you all for being here. Welcome to this field
hearing of the Subcommittee on Oversight and Investigations of
the House Energy and Commerce Committee.
We are here today to discuss the problem of identity theft,
one of the fastest growing white collar crimes in the United
States. The Federal Trade Commission estimates that each year,
10 million Americans fall victim to identify theft, which
translates into tremendous costs, both for the defrauded
businesses and for the victimized consumers.
What I hear from victims time and again is how draining the
experience is, both emotionally and financially. Luckily, most
victims are protected so that they usually do not incur any
actual out of pocket loss. The problem lies in the other ways
in which the theft of Social Security numbers, bank account
numbers and related financial and personal information affects
an individual's life.
A victim's good credit can be severely damaged to the point
of preventing the legitimate purchase of a new car or house,
and the damage can take months to correct.
What is astounding is the audacity of these thieves. They
steal bill payments from your mailbox, they make scamming phone
calls to banks. We have all heard some of the stories, but let
me highlight a few particularly egregious ones.
In 2001, a restaurant busboy in Brooklyn, New York used
computers at a library, web-enabled cell phones, virtual
voicemail and courier services to try to steal the identities
of more than 200 CEOs, celebrities and tycoons. Their names
were posted in a Forbes article on the 400 richest people in
America. The crook was caught when one of the transactions he
attempted drew attention because of its size, a transfer of $10
million from an account owned by Thomas Siebel, founder of
Siebel Systems.
In 2002, the largest ring of identity thieves was
apprehended for stealing tens of thousands of credit reports
over a period of 3 years. The ring members allegedly stole
credit reports from three major commercial credit reporting
agencies and used that information to siphon funds from bank
accounts and to make fraudulent purchases. Authorities have
accounted for $2.7 million in losses from that ring so far.
And just last month, a California man was arrested for
stealing computers containing the personal information of
thousands of Wells Fargo Bank customers. The man was
apprehended at his home with the computer and equipment used
for scanning identity cards and checks.
According to the FTC's Identity Theft Clearinghouse Data
base, in Pennsylvania alone, 5,080 consumers reported that they
were victims of identify theft in 2002. People between the ages
of 30 and 39 were hardest hit. This is the time in life when
typically people are starting to accumulate good credit and
considering some of those important life decisions like buying
a home or having a child, decisions that can be greatly
complicated if one's credit has been damaged.
Today, we will hear testimony from several victims of
identity theft, Michelle Kane, whom I had the pleasure of
meeting recently, and State Representative Bernie O'Neill, who
as a victim himself and how assists other victims with their
plight.
We will hear from the Red Cross, which has also fallen
victim to identity theft. This is a double travesty. The
services that a reputable organization like the Red Cross
provides, are essential to us all in times of great need. For
someone to put an organization of the Red Cross' caliber at
jeopardy by attempting to steal personal information from its
blood donors is deplorable. I hope the Federal law enforcement
agencies currently pursuing such actions will quickly find the
perpetrators and swiftly bring them to justice.
We will also hear today testimony from representatives from
the private sector organizations that have to contend with
identity theft, Bob Ryan from TransUnion and Missy Lenahan from
a local financial institution, First National Bank and Trust.
Banks are on the front line of this type of fraud, fielding the
initial calls from victims and taking most of the financial
losses.
We will hear from Betsy Broder of the Federal Trade
Commission, and Kevin Burke of the U.S. Postal Inspection
Service this morning. They will discuss their efforts to assist
victims and to chase down the fraudsters who so callously use
other people's identities for their own purposes.
John Abel from the Pennsylvania Attorney General's Office
and Lieutenant Colonel Ralph M. Periandi from the Pennsylvania
State Police will testify about their offices' efforts to
combat this problem here at home and what services they can
offer to victims.
I want to thank everybody for participating this morning.
We want to provide the public with as much assistive
information as we can this morning as to what steps they can
take to avoid becoming victims, and in the event that they do
fall victim to this fraud, what they can do to stop the
financial bleeding as quickly as possible.
We recognize and are pleased that the Fair and Accurate
Credit Transaction Act, or the FACT Act, was just signed into
law by President Bush on December 4. This will provide victims
of identity theft with additional assistance and protections by
giving national uniformity to industry best practices regarding
identity theft prevention and aid. I am eager to see the
benefits flowing from this implementation of this Act, but also
believe it is prudent to build a record on this important issue
in this Subcommittee in case it becomes necessary to consider
additional legislation within our Committee's jurisdiction on
this topic further down the road.
So I thank all of the witnesses for being, and I would like
to yield now to my Pennsylvania Congressman--colleague,
Congressman Jim Gerlach, who while not a member of this
Subcommittee, is an active participant in legislating on this
issue. Mr. Gerlach, welcome to Bucks County, and the microphone
is yours.
Mr. Gerlach. Thank you, Mr. Chairman, and thank you very
much for the opportunity to be here today and to listen to the
testimony of those that present to us on this very important
issue.
In addition to the facts that you have set forth to give us
a sort of broad opening view of this problem nationwide, I
wanted to have an opportunity to submit some remarks for the
record which we have here on the issue that I have been
involved in since being contacted by the Montgomery County
District Attorney, Bruce Castor, on this issue some time ago.
And what I would like to do is just maybe highlight some of
those remarks very briefly, and hopefully allow that to also
set a stage for what we are going to hear today from our
presenters. In Montgomery County, hundreds of individuals were
victimized by the owner of an auto dealership in Limerick
Township. The victims provided their personal information to
the alleged thief in their efforts to buy a new car. He then
allegedly used that information to obtain more than $4 million
in loans, some of which were fraudulent on their face and some
which were legitimate loans used for fraudulent purposes. For
instance, the thief secured the loans as requested by the
victims, but instead of paying off the liens on the victims'
old cars, used the money for his own purposes.
Civil and criminal cases were then brought in Montgomery
County, and those are pending, as a result of that fraudulent
conduct, and while these victims may eventually receive
financial damages, they have found themselves in a quagmire
when it comes to getting their credit record repaired. After
receiving notification from the Montgomery County District
Attorney that these loans were fraudulently obtained, many
creditors refused to withdraw any negative notations or entries
on the victims' credit record. Further, many of these victims
continue to be harassed by creditors or collection agencies,
and some face foreclosure on their belongings, loss of life
savings, and an inability to get loans of any kind.
As many of the Montgomery County victims have found, while
the thief may be criminally prosecuted, the burden to repair
the damage inflicted by an identity thief is on the one that is
harmed, and the only method by which one can individually
attempt to repair his or her good name and credit is by
pursuing civil action against the creditors and debt
collectors. This has proven very difficult, very time consuming
and very expensive. That is why we have introduced legislation
called PITFALL, Prevent Identity Theft From Affecting Lives and
Livelihoods Act, which provides relief and alternatives to
those who have already been victimized by an identity thief.
While existing legislation primarily focuses on prevention or
mitigation of the crime, this legislation is designed to aid
those for whom prevention and mitigation is too late. When
existing laws fail to protect identify theft victims, this
legislation prevents creditors, debt collectors, consumer
reporting agencies and financial institutions from harassing
victims and further sabotaging their financial well-being.
Once the State's highest law enforcement officer, or in
this case, a District Attorney of one of the counties of the
Commonwealth of Pennsylvania, has conclusively determined that
the debt or loan was fraudulently incurred, under the
legislation, once the law enforcement official determines that
a person is, in fact, a victim, a no fault statement would be
issued. This statement would cite the victim's lack of
involvement in obtaining the debt or loan, and the victim may
then forward the statement to creditors, debt collectors,
credit reporting agencies and financial institutions.
Upon receipt of the no fault statement, any business acting
as a creditor, credit agency, or collector would be required to
cease all collection activities and hold the victim harmless
from any fraudulently incurred financial obligations. They
would further be required to withdraw or correct any negative
entries on the victim's credit history with regard to those
transactions or obligations created by the identity theft.
Failure to recognize this no fault statement by those
institutions and to cease collection activities or remove
negative entries from the credit record would result in State
enforcement and civil liability. It would also, the
legislation, fill gaps in the law such as that which has
allowed creditors to continue harassing the Montgomery County
victims despite a determination by the law enforcement
officials in that locality that they were not involved in
incurring the debt.
This legislation makes enforcement provisions in the Truth
in Lending Act, the Fair Credit Reporting Act, the Fair Debt
Collections Practices Act and the Electronic Funds Transfer Act
consistent. Each of these Acts currently provide for civil
liability and administrative enforcement, and the Fair Credit
Reporting Act also provides for State enforcement in Federal
District Court, and the Electronic Funds Transfer Act provides
for criminal liability. The Truth in Lending Act currently
permits State enforcement, but only for predatory lending
practices.
To make these four important Acts consistent, this
legislation, H.R. 2396, will amend the Fair Debt Collection
Practices Act and Electronic Funds Transfer Act to permit a
State to bring about an action against a person or entity
acting in violation of the PITFALL provisions. The PITFALL
legislation will also expand State action provisions in Truth
in Lending Act and provide actual damages, monetary fines and
in the severest cases, imprisonment for violations.
So you can see that, given what is even happening in our
local area, there is a lot of need for continued Federal
oversight and legislative action on this issue, and I want to
extend my appreciation for you for taking on this issue as
chairman of the subcommittee, and look forward to all the
important information and testimony we will receive today.
Thank you.
Mr. Greenwood. Thank you, Congressman Gerlach. Before we
call our first witness, I thought it would be an interesting
way to introduce this subject. We are going to present a video
made by the Postal Inspection Services that outlines, rather
dramatically, what the--how this crime takes place and what its
consequences may be. Technical difficulties here. Is it
rewound? Here we go.
[Video shown.]
Mr. Greenwood. Okay. Now playing the part of our first
witness will be State Representative Bernie O'Neill, and Mr.
O'Neill, will you please come forward.
Welcome, thanks for being with us this morning.
Mr. O'Neill. Thank you.
Mr. Greenwood. You can have a seat. As you--and if you want
to bring one of the black microphones in front of you. As you
probably have been told, this is an investigative hearing, and
when we----
Mr. O'Neill. Sure.
Mr. Greenwood. [continuing] take testimony at an
investigative hearing, we do it under oath. Do you have any
objections to giving your testimony under oath?
Mr. O'Neill. Not at all.
Mr. Greenwood. Okay. I also need to advise you you are
entitled to counsel. This was something that was very important
to our Enron witnesses, but probably not important to you. Do
you wish to be advised by counsel?
Mr. O'Neill. Not at all.
Mr. Greenwood. Okay. Then if you would stand and raise your
right hand.
[Witnesses sworn.]
Mr. Greenwood. You are under oath and you are recognized
for your statement, sir.
TESTIMONY OF HON. BERNARD T. O'NEILL, PENNSYLVANIA STATE
REPRESENTATIVE; MICHELLE KANE; AND BRIGID O'NEILL-LAGIER, RED
CROSS CHIEF EXECUTIVE OFFICER, AMERICAN RED CROSS BLOOD
SERVICES
Mr. O'Neill. Thank you, Mr. Chairman. Good morning. Good
morning, Congressman Gerlach.
Mr. Greenwood. Probably want to bring the microphone even a
little closer than that. There.
Mr. O'Neill. How is that? Here? I am State Representative
Bernie O'Neill, from the 29th Legislative District here in
Central Bucks County, and with me today is my legislative aide,
Cindy Beck, who is leading the education effort on identify
theft here in Bucks County.
Identity thieves steal more than $1 billion a year from
unsuspecting and unprepared consumers. In the bulk of cases,
the consumers don't know their identity theft--were stolen.
Credit card fraud accounts--or excuse me, credit card fraud
accounts for 42 percent of the complaints, followed by scams
where phone and utility accounts were created in a person's
name without his or her knowledge.
With these, criminals make thousands of dollars at their
victim's expense. The victim is left with years of anguish and
frustration trying to sort out and restore his good name and
credit, or clear a criminal record.
I am here today to share with you how identity theft has
grown, especially here in Bucks County, and what we are trying
to do to stop it. While the other witnesses today will go into
the staggering statistics and efforts being undertaken to
combat identity theft, I am here to put a face on this
appalling crime.
Anyone can become a target of identity theft. Thieves are
stealing personal information from a number of different
sources, including credit card receipts, birth certificates and
Social Security cards. Just putting your bills in your mailbox
to be sent out is a sign to a would-be identity thief that you
are an easy target.
To educate my constituents about this growing crime, I am
holding public forums on identity theft throughout my
legislative district. These forums will continue through the
month of February. These forums have been very well attended.
Our first forum was in Solebury Township on November 14. We
have had presentations by local law enforcement officials,
including Chief Richard Mangan of Solebury Township Police
Department, Chief Henry ``Rick'' Pasqualini of the New Hope
Borough Police Department and representatives from the
Pennsylvania's Attorney General Office and the United States
Postal Inspection Service.
Dates are being finalized for the series of upcoming
identity theft forums throughout the 29th Legislative District.
January programs have been scheduled for Buckingham Township
with Chief Daniels, Warminster Township with Chief Jim
Gorczynski and a second evening forum in New Hope-Solebury with
Chief Mangan and Pasqualini. February programs have been
scheduled in Warwick Township with Chief Costello and Upper
Southampton Township with Chief Schultz. Topics have included
tips on avoiding identity theft, ways in which identity theft
occurs and why students as well as senior citizens are
targeted.
It is sad that victims do not become aware that their
identities have been stolen until they get an astronomical
credit card statements, cell phone bills and other charges.
I can personally attest that obtaining this information is
far too easy. From my own personal experience, my phone number
was stolen and for 3 to 4 months, my phone bill exceeded $300
to $500 in total charges. That number was used from the same
pay phone in New York City, and my case is minor compared to
other stories that have been shared with me. Even local
enforcement officials who I have been dealing with have been
victims of identity theft themselves.
As a State legislator, I have been involved in helping make
identity theft less attractive to would-be thieves. Last year,
a new law was enacted that escalates the penalties for this
crime. Through legislation introduced by Representative Matt
Baker of Wellsboro, Tioga County, the Pennsylvania House of
Representatives has taken steps to increase the penalties for
identity theft, making a first offense of the crime a felony of
the third degree, carrying a maximum penalty of 7 years in
prison and a $15,000 fine. A third or subsequent offense raises
the crime to a felony of the second degree, with a maximum
penalty of 10 years in prison or a $25,000 fine.
I am hopeful these forums will help residents become more
educated about identity theft and will learn how they can
protect themselves and their identities. There is nothing more
frustrating than finding out that your whole identity has been
stolen and used for fraudulent purposes. And I can tell you
since we began the forums, my wife and I have stopped putting
our mail in our mailbox with the little red flag up, and we
have purchased a shredder for our home. I have always used one
in the office, but it never dawned on me of using one at home.
So, I am more than welcome to answer any questions that you
may have.
[The prepared statement of Hon. Bernard T. O'Neill
follows:]
Prepared Statement of Hon. Bernie O'Neill, Representative, Pennsylvania
State House
Good morning. I am State Rep. Bernie O'Neill from the 29th
Legislative District in central Bucks County.
Identity thieves steal more than $1 billion a year from
unsuspecting and unprepared consumers. In the bulk of the cases, the
consumers don't know how their identities were stolen. Credit card
fraud accounts for 42 percent of the complaints, followed by scams
where phone or utility accounts were created in a person's name without
his or her knowledge.
While these criminals make thousands of dollars at their victim's
expense, the victim is left with years of anguish and frustration
trying to sort out and restore his good name and credit or clear a
criminal record.
I'm here today to share with you how identity theft has grown,
especially here in Bucks County and what we're trying to do to stop it.
While the other witnesses today will go into the staggering statistics
and efforts being undertaken to combat identity theft, I'm here to put
a face on this appalling crime.
Anyone can become a target of identity theft. Thieves are stealing
personal information from a number of different sources, including
credit card receipts, birth certificates and Social Security cards.
Just putting your bills in your mailbox to be sent out is a sign to a
would-be identity thief that you are an easy target.
To educate my constituents about this growing crime, I am holding
public forums on identity theft throughout my legislative district.
These forums will continue through February.
These forums have been very well attended, with 50 to 60 people
coming out for our first forum in Solebury on Nov. 14, 2003. We have
had presentations by local law enforcement officials, including Chief
Richard Mangan of Solebury Township Police Department, Chief Henry
``Rick'' Pasqualini of the New Hope Borough Police Department, and
representatives from the Pennsylvania Attorney General's Office and the
United States Postal Inspection Service.
Dates are being finalized for the series of upcoming identity theft
forums throughout the 29th legislative district. January programs have
been scheduled in Buckingham Township with Police Chief Stephen
Daniels, Warminster Township with Police Chief Jim Gorczynski, and a
second evening forum in New Hope-Solebury, with Chief Richard Mangan
and Chief Henry ``Rick'' Pasqualini. February programs have been
scheduled in Warwick Township with Police Chief Joe Costello, and Upper
Southampton Township with Police Chief David Schultz.
Topics have included tips on avoiding identity theft, ways in which
identity theft occurs, and why students as well as senior citizens are
targeted.
It is sad that victims do not become aware their identities have
been stolen until they get astronomical credit card statements, cell
phone bills, or other charges.
I can personally attest that obtaining this information is far too
easy. From personal experience, my phone number was stolen and for
three months my phone bill exceeded $300 in toll charges. That number
was used from a pay phone in New York City. And my case is minor
compared to other stories that have been shared with me. Even local law
enforcement officials are identity theft victims.
As a state legislator, I have been involved in helping make
identity theft less attractive to would-be thieves. Last year, a new
law was enacted that escalates the penalties for this crime. Through
legislation introduced by Rep. Matt Baker from Wellsboro, Tioga County,
the Pennsylvania House of Representatives has taken steps to increase
the penalties for identity theft, making a first offense of the crime a
felony of the third degree, carrying a maximum penalty of seven years
in prison and a $15,000 fine. A third or subsequent offense raises the
crime to a felony of the second degree with a maximum penalty of 10
years in prison and a $25,000 fine.
I am hopeful these forums will help residents become more educated
about identity theft and will learn how they can protect themselves and
their identities. There's nothing more frustrating than finding out
that your whole identity has been stolen and used for fraudulent
purposes.
Mr. Greenwood. Thank you, Representative O'Neill. The Chair
will recognize himself for questioning. Tell us about after you
discovered that your telephone bill was inflated and calls were
being made from a pay phone in New York City. Was it difficult
for you to--what did you go through with the phone company so
that they would accept the fact that these were not your
obligations?
Mr. O'Neill. Right. The first thing I did was I--when I got
the first phone bill, which exceeded $300, I called the phone
company and I explained to them that these weren't my charges
and I didn't understand where they were coming from, and they
said they would investigate it, and they actually sent me some
paperwork to fill out.
It continued for several months after that, and they
eventually were able to find out that what was actually stolen
was my phone card ID number, which is very interesting, because
I didn't carry the card with me. I never had the card. I knew
it by rote memory, so what is really appalling is how they were
able to get that number and use it.
Mr. Greenwood. Did you ever figure out how they did that?
Mr. O'Neill. To this day, we have never figured out how
they ever got the number. The number was subsequently canceled,
and that is when the charges certainly stopped. I believe, if I
am not mistaken, I was held accountable for $50 each month for
those expenses, and I did receive a phone call from the phone
company several months later telling me that they finally
tracked that all the phone calls were--every one of them were
made from the same pay phone in--somewhere in the city of New
York.
Mr. Greenwood. And they were never able to catch the
perpetrator?
Mr. O'Neill. No, they never did catch him or her, no.
Mr. Greenwood. And of course, you were personally
responsible for the $50.
Mr. O'Neill. Yes.
Mr. Greenwood. The phone company picked up the rest. That
means we all----
Mr. O'Neill. Yes.
Mr. Greenwood. [continuing] picked up the rest.
Mr. O'Neill. Everyone paid for it. That is correct.
Mr. Greenwood. And I think that is an interesting thing
that we found, is that frequently, as I mentioned in my opening
statement, the victim him or himself may have limited financial
exposure, and the credit card companies frequently have limited
exposure, and it frequently falls to the--if it is a retail
purchase, the retail store ends up absorbing the loss, which
again means that in terms of the billions of dollars that are
stolen in this method, that it is built into the prices that we
all pay for goods and services.
One of the issues that the Congress wrestles with in
general, but in this case specifically, is whether to act
Federal legislation, given the fact that obviously, here in
your case, it was a crime perpetrated--you could say it was
perpetrated in New York, you could say it was perpetrated in
Pennsylvania.
Mr. O'Neill. Correct.
Mr. Greenwood. Or both. And the need for interstate
cooperation is--and harmonization is important. On the other
hand, some states, particularly California, which has a very
strict law, doesn't like the fact that the U.S. Congress, most
notably just on the bill signed by the President on December 4,
superseded State law.
Now, you are a State legislator. Do you have a view on
whether you think it is appropriate for the Congress to
supersede State laws, or do you think the states need to have
their own----
Mr. O'Neill. Well, I would think--I think each State needs
to certainly enact their own laws and make them as stiff as
possible for what happens within the confines of their own
state, but I would agree with you that I think the Congress has
to--I can tell you that I am the guardian of my aunt, who is
well along in Alzheimer's. And I am now dealing with her credit
cards, which we are beginning to think they were fraudulently
used, because we are talking about $28,000 were run up on her
charge cards and not in this state, and we have no idea how
these numbers ever got out, other than the fact that, you know,
when she----
Mr. Greenwood. Is your credit card number, which was what
was stolen from you, is that printed on your phone bill?
Mr. O'Neill. No.
Mr. Greenwood. That doesn't show up on your phone bill.
Mr. O'Neill. Not that I am aware of, no. No.
Mr. Greenwood. And certainly the PIN number does not.
Mr. O'Neill. No.
Mr. Greenwood. So someone would have either----
Mr. O'Neill. Yeah, I----
Mr. Greenwood. [continuing] I guess just hacked into the
system to get your--to match your phone number----
Mr. O'Neill. Somehow, I actually saw on--a couple years
ago, I saw on--it was either 20/20 or one of those type of
shows on television, ways that they were stealing numbers at
airports and that sort of thing when you were using them, and
that may have been how it was taken. We are not really sure.
Mr. Greenwood. And I suppose also someone could
theoretically stand next to you at a phone and watch and listen
as you----
Mr. O'Neill. Well, that is basically what they do in an
airport, in a busy airport. They sit there and--they make--
pretend they are making a phone call, and they are standing
right next to you and you are punching in your number and they
are just watching your numbers go in, which is also your PIN
number as well, after you----
Mr. Greenwood. Right.
Mr. O'Neill. [continuing] punch in the number.
Mr. Greenwood. Thank you. Congressman Gerlach?
Mr. Gerlach. No questions, but the exact same thing
happened to me.
Mr. O'Neill. Oh, jeez.
Mr. Gerlach. With my long distance credit card number,
phone number, and----
Mr. O'Neill. Right.
Mr. Gerlach. [continuing] had about 2 months worth of
couple hundred dollars charges, calls to Europe, which I know
I----
Mr. O'Neill. Yeah.
Mr. Gerlach. [continuing] wouldn't have made, and you know,
the phone company resolved it, but the exact same situation as
yours.
Mr. O'Neill. Right.
Mr. Gerlach. And I had no idea how they got the numbers to
do that, other than maybe, you know, the service plaza on the
turnpike. I went back from Harrisburg at that time, and maybe
somebody was standing next to me, but you know, you punch those
numbers pretty darn quick.
Mr. O'Neill. Yeah.
Mr. Gerlach. You wonder how they can even keep track of it,
but it is a bad problem, so I know exactly what you mean. But
thank you.
Mr. O'Neill. Thank you.
Mr. Greenwood. Thank you. We have no further questions for
you.
Mr. O'Neill. Thank you.
Mr. Greenwood. We appreciate your appearance here this
morning. Thank you.
Mr. O'Neill. Have a good day.
Mr. Greenwood. And the Chair would now call forward our two
next witnesses for the first panel, Mrs. Michael Kane of
Warminster and Brigid O'Neill-LaGier, Chief Executive Officer
of the American Red Cross Blood Services for the Penn-Jersey
Region.
Welcome. And I think we need you to make sure you pull
those--each pull your microphone quite close to you as you
testify, because they are apparently very directional. As--
welcome and thank you again for being here this morning, both
of you.
As you heard me indicate to Mr. O'Neill, we take our
testimony under oath in this Committee. Do either of you have
any objections to giving your testimony under oath?
Ms. O'Neill-LaGier. No.
Mrs. Kane. No.
Mr. Greenwood. Okay. And you are both represented--entitled
to be represented by counsel. Do either of you wish to be
represented by counsel this morning?
Ms. O'Neill-LaGier. No.
Mrs. Kane. No need.
Mr. Greenwood. Okay. If you would stand, then, and raise
your right hands.
[Witnesses sworn.]
Mr. Greenwood. You are under oath, and I think we will
start alphabetically with Mrs. Kane. Welcome, and----
Mrs. Kane. Good morning. How are you?
Mr. Greenwood. I am very well. How are you?
Mrs. Kane. Nervous.
Mr. Greenwood. Nervous. No need to be nervous. And you have
as much time as you would like to make a statement for us this
morning.
Mrs. Kane. Okay. Can you hear me? No? Okay.
Mr. Greenwood. All right. Tap on your--on that--okay. We
have some ability to control the volume of the microphone. It
seems to be on, but not----
Mrs. Kane. Okay. Is that better?
Mr. Greenwood. Can you hear in the back yet?
TESTIMONY OF MICHELLE KANE
Mrs. Kane. All right. Identity theft has been referred to
as an invisible assault, and I should know, because unbeknownst
to me, a woman from Schenectady, New York was able to steal my
good name.
A little over 2 years ago, I was offered a free credit
report. My credit was perfect, and I was expecting to receive a
report that reflected that. Imagine my surprise when my report
history came back 33 pages thick. I assumed there must be some
sort of mistake of the credit agencies. Perhaps my name was
mingled with another Michelle Kane. I had heard of that
happening. After all, I had always been very careful with the
use of my credit cards and my Social Security number. Boy, was
I wrong.
Unfortunately, the credit agencies were not mistaken. A
woman from Schenectady, New York had been using my Social
Security number for approximately 2 years, and managed to
charge over $70,000 in my name. She started out small, opening
a few credit cards, and then gained more confidence, obtaining
a car loan and eventually a mortgage.
The perpetrator, who is also named Michelle Kane, said she
received the Social Security number from a friend and just
thought she was able to use it. However, investigators believed
that she obtained it through her place of employment. She
worked for a vision company and had access to insurance company
data bases. The Schenectady, New York Michelle Kane did get
caught and served a year in prison, thank to the fact that
investigators hired by the mortgage company worked so
diligently.
Even though the woman went to jail, the task of clearing my
credit history still existed. The red tape and jumping through
hoops started from the very beginning. The first step of
reporting the crime was not very simple. I first called the
Schenectady Police Department, and they were unable to do
anything because I could not file a report in person. It was 5
hours away.
When I called my local police department and they were
unable to do much, because it was not in their jurisdiction. It
did not get much easier with the three credit agencies,
TransUnion, Experian and Equifax. They did send the information
to me in my credit reports, but it was up to me to decipher it.
The agencies' listed the creditors. However, many times as an
abbreviation, and the biggest hassle was getting a phone number
to go along with the bank. Sometimes, it was listed and
sometimes, it was not. To get a number that was a 1-800 number
that corresponded to the correct department in the bank was a
rarity. For example, my husband and I spent countless hours
trying to contact one of the names that was on the list, which
was Verizon NE. It sounds simple enough until you try and
actually find them. No one in the company knew who Verizon NE
was when you called Verizon. Was it Northeast, New England,
Nebraska? Which division did Verizon--which division of Verizon
were we trying to contact? A wireless line, a land line, the
Internet? So the countless hours of trying to figure out who
you are contacting was very hassle-some.
Aside from the financial burden of huge phone bills and
trying to track down the banks, and the countless hours wasted
trying to sort through the red tape, the biggest problem is
proving your identity to the creditors and convincing them that
you did not make the charges. Over 2 years have passed, and I
am hopeful that my credit history will soon be clear. I am
hopeful that this does not come back to haunt me, and I am
hopeful that there will be some improvements for the rest of
the victims out there.
Now, I was told if I wanted to make some suggestions, which
I did.
[The prepared statement of Michelle Kane follows:]
Prepared Statement of Michelle Kane
Identity Theft has been referred to as the ``invisible assault'',
and I should know because unbeknownst to me, a woman was able to steal
my good name.
A little over two years ago, I was offered a free credit report. My
credit was perfect and I was expecting to receive a report that
reflected that. Imagine my surprise when my report history came back 33
pages thick.
I assumed there must be some sort of mistake with the credit
agencies. Perhaps my name was mingled with another Michelle Kane; I
have heard of that happening. After all, I have always been very
careful with the use of my credit cards and Social Security Number.
Boy, was I wrong!
Unfortunately, the credit agencies were not mistaken. A woman from
Schenectady, New York had been using my Social Security Number fro
approximately two years and had managed to charge over $70,000 in my
name. She stated out small, opening a few credit cards, then gained
more confidence obtaining a car loan and eventually a mortgage.
The perpetrator, who is also named Michelle Kane, said she received
the Social Security Number from a friend and thought she was able to
use it. However, investigators believe she obtained it through her
place of employment. She worked for a vision company and had access to
insurance company databases. The Schenectady, New York Michelle Kane
did get caught and served a year in prison thanks to the fact
investigators hired by the mortgage company work so diligently.
Even though this woman went to jail, the task of clearing my credit
history still existed. The red tape and the jumping though hoops
started from the very beginning. The first step of reporting the crime
was not very simple. I first called the Schenectady Police Department
and they were unable to do anything unless I filed a police report in
person. I then called my local police department they were unable to do
much because it was not in their jurisdiction.
It did not get any easier with the three credit agencies
(Transunion, Experian and Equifax). They sent the information, but it
was up to me to decipher it. The agencies listed the creditors, however
many times just as an abbreviation. One of the biggest hassles was
getting a phone number to the bank. Sometimes it was listed and
sometimes it was not. To get a phone number that was a 1-800 number
that corresponded to the correct department in the bank was a rarity.
I.e., My husband and I spent countless hours trying to contact Verizon
NE. No one in the company knew who this was; did NE stand for North
East, New England, Nebraska? Which division of Verizon was this;
wireless, landline or Internet?
Aside from the financial burden of huge phone bills trying to track
down the banks, and the countless hours wasted trying to sort though
the red tape, the biggest problem is proving your identity to the
creditors and convincing them you didn't make the charges.
Over two years have passed and I am hopeful that my credit history
will soon be cleared. I am hopeful that this does not come back to
haunt me. And I am hopeful that there will be improvements for the rest
of the victims out there.
My Suggestions for Improvement:
� Free yearly credit reports
� Transunion, Experian and Equifax list a local advocates phone number
on the credit report. (Consumer Protection Number).
� Mandatory listing of all creditors' phone numbers that appears on
credit report. (1-800).
Mr. Greenwood. Go ahead.
Mrs. Kane. Okay. My first suggestion is that there be some
sort of legislation, which I know there are some people working
on this for a free credit report from the credit agency,
whether it be via email or, you know, it is expensive to send
postage to thousands and thousands of people, but I think in
the long run, it could save lots of money.
TransUnion, Experian and Equifax, I think should list a
local advocate, a phone number on their credit report, which I
was just going blindly through this, and I think it would save
a lot of hassle if maybe at the end of the credit report, they
say you can contact your local consumer report person and here
is the steps which you follow, so you just don't go blindly
through this.
And last, a mandatory listing of all of the creditors'
phone numbers that appear on your credit report, so you don't
have to, once again, track down these people and try and clear
your credit. They don't even give you, for security purposes,
your account number. So when you are trying to tell them who
you are, the first thing they say is your account number,
please, and you don't have it, so.
Anyway, they are my suggestions, oh, and, of course, a 1-
800 number at which to contact them, so.
Mr. Greenwood. Those are very good suggestions, and that is
why we are holding this hearing, to learn things like that.
Thank you.
Mrs. Kane. You are welcome.
Mr. Greenwood. Ms. O'Neill-LaGier, am I pronouncing that
right?
Ms. O'Neill-LaGier. Yes, you are.
Mr. Greenwood. Okay.
Ms. O'Neill-LaGier. Thank you.
Mr. Greenwood. Make sure you speak directly into the
microphone, please.
Ms. O'Neill-LaGier. I will try to do that.
Mr. Greenwood. You are recognized for your testimony.
TESTIMONY OF BRIGID O'NEILL-LAGIER
Ms. O'Neill-LaGier. Good morning, Mr. Chairman, and
Congressman Gerlach. Thank you for your invitation to testify
on the important subject of identity theft.
I am Brigid O'Neill-LaGier, Chief Executive Officer of the
Penn-Jersey Blood Services Region of the American Red Cross,
headquartered in Philadelphia. I would respectfully ask that my
entire statement and attachments be included in the record.
Mr. Greenwood. And will be without objection.
Ms. O'Neill-LaGier. The Red Cross has been helping people
since 1881. You can see us at work in communities across the
country and here in southeastern Pennsylvania and New Jersey,
thousands of times a day, teaching first aid or CPR classes,
keeping members of the military and their families connected
through emergency communications, caring for disaster victims,
and collecting and delivering blood.
Thousands of area residents participate in that work as
volunteers, blood donors and financial contributors. As one of
36 Red Cross regional blood services, the Penn-Jersey region is
the major supplier of blood in southeastern Pennsylvania and
New Jersey.
Continuing a tradition begun more than 50 years ago, the
mission of the Penn-Jersey region is to fulfill the community's
need for the safest, most reliable and cost-effective blood
products and transfusion services.
In 1994, the Red Cross dedicated the Musser Blood Center,
which houses the blood supply for more than 125 southeastern
Pennsylvania and New Jersey hospitals; the Philadelphia
National Testing Laboratory, which provides infectious disease
and type testing of blood donations for 4 Red Cross blood
centers and several non-Red Cross blood centers; and the
National Reference Laboratory for Blood Group Serology, serving
more than 3,000 hospitals nationwide.
Hospitals and patients in southeastern Pennsylvania and New
Jersey benefit from an array of transfusion support services
including lifesaving blood products delivered 24 hours a day,
365 days a year, and physicians and technical experts available
for consultation around the clock.
Mr. Chairman, last year, the Penn-Jersey Region collected
more than 262,000 whole blood donations and nearly 11,000
platelet and granulocyte donations, and additionally imported
135,000 blood products to meet the local community transfusion
needs of over 800,000 blood products.
In southeastern Pennsylvania and New Jersey, the Red Cross
conducted over 11,000 blood drive operations, which assisted
over 300,000 volunteer blood donors who stepped forward to save
lives. The Red Cross takes the confidentiality of our blood
donors very seriously. As a regulated service, blood collection
is a very detailed process designed to ensure the safety and
security of the blood donor, the blood supply and those who are
trained to collect, manufacture and distribute blood products.
The Food and Drug Administration Center for Biologics
Evaluation and Research is responsible for regulatory oversight
of the U.S. blood supply. FDA promulgates and enforces
standards for blood collection and for the manufacturing of
blood products, including both transfusable components of whole
blood, pharmaceuticals derived from blood cells or plasma, and
related medical devices. The American Red Cross Penn-Jersey
Blood Region activity is regulated not only by the FDA, but
also, on a local level, by the State of Pennsylvania, the State
of New Jersey, AABB, as well as national American Red Cross
standards, policies and procedures.
As you may know, an investigation is currently being
conducted by Federal authorities into identity theft at the
American Red Cross Penn-Jersey Blood Region. Investigators
learned that several individuals' personal identification
information, such as names and Social Security numbers, had
been used to obtain credit and make purchases. A common
denominator was that they had all donated at one of four Red
Cross blood drives held in the southeastern Pennsylvania area
in November and December 2002.
We have recently learned that several donors at two
additional blood drives during the same period were victims of
identity theft. Social Security numbers are utilized during the
donation process to uniquely identify each blood donor and help
us accurately connect the donor with his or her donation
history, which is important for both donor and patient safety.
While advances in technology and record keeping have afforded
us increased security options, Social Security numbers remain
the universally accepted means of identification.
Upon learning of the problem in February 2003, we
immediately contacted the U.S. Attorney's Office for the
Eastern District of Pennsylvania and requested that an
investigation be opened and a task force of Federal law
enforcement officials be developed to fully investigate the
matter. We are also working closely with the Federal Bureau of
Investigation and the U.S. Postal Inspection Service. We have
acted aggressively and cooperated fully with investigators to
assist them in resolving this matter quickly and thoroughly. We
have also launched a rigorous review of our security
procedures. We have no reason to believe that our electronic
data base has been compromised. This continues to be an open
case, and consequently, I am sharing with you only the details
that have been made public and will not hinder the ongoing
investigation. We want to make clear that the safety of the
blood supply has in no way been compromised.
To date, the investigation has been contained in the
southeastern Pennsylvania area, and limited to six blood drives
in the November through December 2002 timeframe. We are aware
of at least 23 individuals who were blood donors and were also
victims of identity theft. Our first concern is for those who
may have been victimized. I have personally contacted
representatives of the four blood drive sponsor groups, and I
am in the process of contacting the two new groups we learned
about last week. We have notified 1,400 donors in writing who
participated in the first four blood drives, and letters are
going out to all donors from the two additional identified
blood drives. I have attached a generic copy of that
correspondence for the record. This letter gives step by step
actions they should take if they are concerned about the
security of their personal information. The information was
provided to us by Federal law enforcement officials.
In addition to the information in the letter, we have set
up a special Red Cross toll-free telephone number to assist
donors who believe they may have been victims. This line is
answered by specially trained staff to provide more detailed
information about security of donor information and to assist
donors in checking their credit reports.
Despite this isolated situation, you can be certain that
specific steps are taken throughout the Penn-Jersey Region's
blood donor centers to ensure that blood donor information is
secure. Some of them include that donor records are handled
exclusively by authorized personnel trained to deal with
confidential information. Before interacting with the public,
our blood service region employees go through in-depth training
that also requires signing a confidentiality agreement and a
Code of Conduct agreement.
Information entered on the blood donation record form
completed by donors at the blood drive is protected from view
by others during the donation process, and access to
information is limited to authorized staff who need it in order
to process the blood donation.
Every person who handles this information is known and
identified to us. Also, once donor information is entered into
a computer at the blood center, the blood donation record form
is shredded, and access to our computers and computer data
bases is strictly limited.
Mr. Chairman, the Red Cross relies on voluntary donations
to ensure a safe and adequate blood supply. We regret that any
donor has had to question his or her desire to give blood
because of security concerns. We are committed to ensuring the
safety and privacy of our donors and are working diligently to
ensure that this situation is not repeated. We are appreciative
of the thousands of donors who continue to support us every
day. Without their generous donation of the gift of life, lives
would be lost.
Finally, we are proud of our people and the job they do. We
hope that the details surrounding this case will not discourage
people from donating blood in the future. Increasing the
available supply of blood is critical to health care in our
community, because much of modern medicine is only made
possible because of blood donations. Yet, donations do not
always keep pace with demand.
Philadelphia is a major regional medical center with
teaching hospitals that provide advanced care, such as organ
transplants, specialized pediatric and neonatal care, cancer
and cardiac care, all of which require a stable blood supply.
For our region, blood donations given locally only meet 70
percent of our true need. Through planning and coordination,
the Red Cross is able to ship blood from communities where
there is an excess to those where there is a need. Still,
history shows that our reserves of blood are not--have not been
strong enough to compensate for seasonal swings in donations
and weather-related disruptions of normal blood collection
activities. Additionally, blood shortages seriously affect
patient care. As the population ages, the need for blood is
predicted to grow.
Experts agree that a stronger blood supply is an essential
part of community preparedness. After the terrorist attacks of
September 11, 2001, a multidisciplinary task force of
representatives from government agencies and the blood banking
community was formed to study this issue. The task force
concluded that the single biggest determinant of the success of
the blood community's first response to a disaster, is the
blood already on the shelves of blood centers and hospitals. It
recommended that planning for future disasters include the
requirement that all blood centers have available a 7-day
supply of all blood types at all times.
To meet our responsibility to the people we serve, the
Penn-Jersey Region will continue to increase our blood supply
by asking more people to donate blood, asking those already
giving blood to donate more often and asking business and
community groups to increase their support.
On behalf of the Red Cross, thank you again, Chairman
Greenwood, for the opportunity to testify before this
Subcommittee. It is imperative for our national preparedness
and the daily treatment of those with life-threatening
conditions that Americans generously donate blood. This act can
and does save lives. I would be happy to respond to your
questions.
[The prepared statement of Brigid O'Neill-LaGier follows:]
Prepared Statement of Brigid O'Neill LaGier, Chief Executive Officer,
Penn-Jersey Blood Services Region, American Red Cross
Good morning, Mr. Chairman, Congresswoman Hart and Congressman
Gerlach. Thank you for your invitation to testify on the important
subject of identity theft. I am Brigid O'Neill LaGier, Chief Executive
Officer of the Penn Jersey Blood Services Region of the American Red
Cross headquartered in Philadelphia.
The Red Cross has been helping people since 1881. You can see us at
work in communities across the country, and here in southeastern
Pennsylvania and New Jersey, thousands of times a day--teaching first
aid or CPR classes, keeping members of the military and their families
connected through emergency communications, caring for disaster
victims, and collecting and delivering blood. Thousands of area
residents participate in that work as volunteers, blood donors and
financial contributors.
As one of 36 Red Cross regional blood services, the Penn-Jersey
Region is the major supplier of blood in southeastern Pennsylvania and
New Jersey.
Continuing a tradition begun more than 50 years ago, the mission of
the Penn-Jersey Region is to fulfill the community's need for the
safest, most reliable and cost-effective blood products and transfusion
support services. In 1994, the Red Cross dedicated the Musser Blood
Center, which houses:
� The blood supply for more than 125 southeastern Pennsylvania and New
Jersey hospitals;
� The Philadelphia National Testing Laboratory, which provides
infectious disease and type-testing of blood donations for four
Red Cross blood centers and several non-Red Cross blood
centers; and
� The National Reference Laboratory for Blood Group Serology, serving
more than 3,000 hospitals nationwide.
Hospitals and patients in southeastern Pennsylvania and New Jersey
benefit from an array of transfusion support services, including:
� Lifesaving blood products delivered 24 hours a day, 365 days a year,
and physicians and technical experts available for consultation
around the clock;
� Products to meet special patient needs such as Granulocytes
(infection fighting white cells) and HLA-matched platelets;
� Self-donation for planned surgery;
� Perioperative autologous cell salvage--a transfusion option
benefiting orthopedic and other surgical patients;
� Reference laboratory services that identify and locate compatible
units of platelets and red cells for patients;
� The American Rare Donor Registry--a joint American Association of
Blood Banks (AABB) and Red Cross program that assists patients
who need rare blood across the country and world;
� Stem cell and therapeutic apheresis services to help patients with
cancer and other diseases;
� National Marrow Donor Program participation that helps cancer and
other patients through donor recruitment and education; and
� Research activities in support of--
� Cellular therapies to help cancer patients;
� Pathogen inactivation techniques that may prevent the
transmission of AIDS, hepatitis or bacterial contamination;
and
� Preservation and storage techniques for donated blood platelets
so patients will receive the optimal benefit from their
transfusion.
Mr. Chairman, last year the Penn-Jersey Region collected more than
262,000 whole blood donations and nearly 11,000 platelet and
Granulocyte donations and additionally imported 135,000 blood products
to meet the local community transfusion needs of over 800,000 blood
products. In southeastern Pennsylvania and New Jersey, the Red Cross
conducted over 11,000 blood drive operations, which assisted over
300,000 volunteer blood donors who stepped forward to save lives. The
Red Cross takes the confidentiality of our blood donors very seriously.
As a regulated service, blood collection is a very detailed process
designed to ensure the safety and security of the blood donor, the
blood supply, and those who are trained to collect, manufacture and
distribute blood products.
The Food and Drug Administration (FDA)'s Center for Biologics
Evaluation and Research (CBER) is responsible for regulatory oversight
of the U.S. blood supply. FDA promulgates and enforces standards for
blood collection and for the manufacturing of blood products, including
both transfusable components of whole blood, pharmaceuticals derived
from blood cells or plasma, and related medical devices. The American
Red Cross, Penn-Jersey Blood Region activity is regulated not only by
the FDA, but also on a local level by the State of Pennsylvania, the
State of New Jersey, AABB as well as national American Red Cross
standards, policies and procedures.
As you may know, an investigation is currently being conducted by
federal authorities into identity theft at the American Red Cross,
Penn-Jersey Blood Region. Investigators learned that several
individual's personal identification information, such as names and
social security numbers, had been used to obtain credit and make
purchases. A common denominator was that they had all donated at one of
four Red Cross blood drives held in the southeastern Pennsylvania area
in November and December 2002. We have recently learned that several
donors at two additional blood drives during the same period were
victims of identity theft.
Social security numbers are utilized during the donation process to
uniquely identify each blood donor and help us accurately connect the
donor with his or her donation history, which is important for both
donor and patient safety. While advances in technology and record
keeping have afforded us increased security options, social security
numbers remain the universally accepted means of identification.
Upon learning of the problem in February 2003, we immediately
contacted the U.S. Attorney's Office for the Eastern District of
Pennsylvania, and requested that an investigation be opened and a task
force of federal law enforcement officials be developed to fully
investigate the matter. We are also working closely with the Federal
Bureau of Investigation and the U.S. Postal Inspection Service. We have
acted aggressively and cooperated fully with investigators to assist
them in resolving this matter quickly and thoroughly. We also launched
a rigorous review of our security procedures. We have no reason to
believe that our electronic database has been compromised. This
continues to be an open case and, consequently, I am sharing with you
only the details that have been made public and will not hinder the
ongoing investigation. We want to make clear that the safety of the
blood supply has in no way been compromised.
To date, the investigation has been contained to the southeastern
Pennsylvania area and limited to six blood drives in the November
through December 2002 timeframe. We are aware of at least 23
individuals who were blood donors and were also victims of identity
theft. Our first concern is for those who may have been victimized. I
have personally contacted representatives of four blood drive sponsor
groups and I am in the process of contacting the two new groups we
learned about last week. We have notified 1,400 donors in writing who
participated in the first four blood drives and letters are going out
to all donors from the two additionally identified blood drives. I have
attached a generic copy of that correspondence for the record. This
letter gives step by step actions they should take if they are
concerned about the security of their personal information. The
information was provided to us by federal law enforcement officials.
In addition to the information in the letter, we have set up a
special Red Cross toll-free telephone number to assist donors who
believe they may have been victims. This line is answered by specially-
trained staff to provide more detailed information about security of
donor information and to assist donors in checking their credit
reports.
Despite this isolated situation, you can be certain that specific
steps are taken throughout the Penn-Jersey Region's blood donor centers
to ensure that blood donor information is secure. Some of them include:
� Donor records are handled exclusively by authorized personnel trained
to deal with confidential information. Before interacting with
the public, our Blood Services Region employees go through in-
depth training that also requires signing a confidentiality
agreement and a Code of Conduct agreement.
� Information entered on the blood donation record form completed by
donors at the blood drive is protected from view by others
during the donation process.
� Access to information is limited to authorized staff who need it in
order to process the blood donation.
� Every person who handles this information is known/identified to us.
� Once donor information is entered into a computer at the blood
center, the blood donation record form is shredded.
� Access to our computers and computer databases is strictly limited.
Mr. Chairman, the Red Cross relies on voluntary donations to ensure
a safe and adequate blood supply. We regret that any donor has had to
question his or her desire to give blood because of security concerns.
We are committed to ensuring the safety and privacy of our donors and
are working diligently to ensure that this situation is not repeated.
We are appreciative of the thousands of donors who continue to support
us everyday. Without their generous donation of the gift of life, lives
would be lost. Finally, we are proud of our people, and the job they
do. We hope that the details surrounding this case will not discourage
people from donating in the future.
Increasing the available supply of blood is critical to healthcare
in our community, because much of modern medicine is only made possible
because of blood donations. Yet, donations do not always keep pace with
demand.
Philadelphia is a major regional medical center with teaching
hospitals that provide advanced care, such as organ transplants,
specialized pediatric and neonatal care, cancer and cardiac are, all of
which require a stable blood supply.
For our region, blood donations given locally only meet 70 percent
of our true need. Through planning and coordination, the Red Cross is
able to ship blood from communities where there is an excess to those
where there is a need. Still, history shows that our reserves of blood
have not been strong enough to compensate for seasonal swings in
donations and weather-related disruptions of normal blood collection
activities. Additionally, blood shortages seriously affect patient
care. As the population ages, the need for blood is predicted to grow.
Experts agree that a stronger blood supply is an essential part of
community preparedness. After the terrorist attacks of September 11,
2001, a multi-disciplinary task force of representatives from
government agencies and the blood banking community was formed to study
this issue. The task force concluded that the single biggest
determinant of the success of the blood community's first response to a
disaster is the blood already on the shelves of blood centers and
hospitals. It recommended that planning for future disasters include
the requirement that all blood centers have available a seven-day
supply of all blood types at all times.
To meet our responsibility to the people we serve, the Penn-Jersey
Region will continue to increase our blood supply by asking more people
to donate blood, asking those already giving blood to donate more
often, and asking business and community groups to increase their
support.
On behalf of the Red Cross, thank you again, Chairman Greenwood,
for the opportunity to testify before this subcommittee. It is
imperative for our national preparedness, and the daily treatment of
those with life-threatening conditions, that Americans generously
donate blood. This act can, and does, save lives. I would be happy to
respond to your questions.
Mr. Greenwood. Thank you very much. Thank you for your
testimony, and we are very sensitive to the fact that, as you
said, the supply of blood in this area, blood products, is a
life and death matter, and we hope that it is helpful to let
people know in this region that the precautions that you have
taken now to fully their secure their personal identity and
that that will encourage more donation and not less, because it
is a matter of life and death.
Let me recognize myself for some questions, and start with
Mrs. Kane. Did the other Mrs. Kane, the bad Mrs. Kane.
Mrs. Kane. The evil one, yes.
Mr. Greenwood. The evil one. Went to jail for a year, you
said. Did she serve that entire year, do you know, or----
Mrs. Kane. Yes. She was supposed to get 2 to 7 originally,
but she served about a year.
Mr. Greenwood. She served about 1 year of a 2 to 7, but it
might have been a 2 to 7 year sentence.
Mrs. Kane. Right. Well, she----
Mr. Greenwood. Do you know if she was ever required to make
financial compensation to--either to yourself or to any of the
businesses that were defrauded by her?
Mrs. Kane. I have no idea if she was required to do that. I
don't know.
Mr. Greenwood. You didn't attend her trial or sentencing,
or----
Mrs. Kane. I wasn't even notified until after she was sent
to prison.
Mr. Greenwood. Well, that is interesting in and of itself,
isn't it, that you were the victim and you weren't notified of
what--you weren't kept abreast of what was going on with her
prosecution.
Mrs. Kane. It was mostly the banks that were the victim,
not me. So the banks knew about it and I found out after the
fact.
Mr. Greenwood. Now, you indicated in your testimony that
your--this happened--this--you discovered this how long ago?
Mrs. Kane. A little over 2 years ago.
Mr. Greenwood. A little over 2 years ago. And you are still
not finished cleaning up your mess.
Mrs. Kane. We are about 95 percent.
Mr. Greenwood. Okay. What remains to be done?
Mrs. Kane. We just received the latest with our lovely
Verizon. But we just received the third credit report of the
three, and now they just have to take the 90 days or 30 to 90
days to make certain everything does come off. So hopefully, we
are down to the last stretch.
Mr. Greenwood. All right. And it is interesting you said
that the banks were the victims, not you. I mean, one of the
things that we are trying to make clear here is yes, the banks
were holding the financial bag as a result of this, but you and
your husband obviously were victimized, because of the----
Mrs. Kane. Well, I certainly think so.
Mr. Greenwood. Right. Because--have you ever estimated how
many hours of your time this has consumed?
Mrs. Kane. Countless.
Mr. Greenwood. Countless hours of your time.
Mrs. Kane. Countless. I have----
Mr. Greenwood. And you have had some phone bills,
obviously, because you didn't have 800 numbers.
Mrs. Kane. The phone bills were a lot, and just the nitty-
gritty daily grind of having to get the $8 credit reports again
and again and again, and the notarized--every time you had to
send a bank a notarized statement that this was not you, the
$10 charge or whatever the nominal fee is, but it adds up.
Mr. Greenwood. And were there periods of time where you
couldn't use your own credit, your own credit cards and so
forth to----
Mrs. Kane. No, I was never----
Mr. Greenwood. That was not disrupted. Okay. Let me see
what else I was going to ask you. What would you say was the
best resource for you in trying to get this identity theft
problem taken care of? Who was most helpful to you?
Mrs. Kane. It wasn't until I staggered through that I found
out, through my own relatives, or people that I knew that had
gone through this, which way to go. My one relative worked for
the Social Security office and said, oh, make certain you check
Social Security, or my neighbor was a police officer that said
oh, make certain you do this. But it was not from the banks, it
was not from the credit agencies. It was networking and a
little bit of luck that we found our way through it, and I
hopefully don't find out more. We just 2 years after the fact,
I figured out that there was a credit protection agency that
could have helped me through this. I wish I would have known at
the beginning.
Mr. Greenwood. Well, that gives me an opportunity to segue
into the fact that for anyone in the room, there are materials
at the front desk here that give some information about how to
protect against--how to avoid identity theft, and also how to
respond to it should it happen to you.
Let me ask a question or two of the representative from the
Red Cross. You said that the Penn-Jersey Regional operation
office has changed significantly, and you illustrated some of
the ways that you changed your practices so that your staff is
trained to protect identities, that only select people are able
to view the identifying information for donated blood.
Do you know if those practices have been put into place in
the Red Cross' activities throughout--in other regions of the
country as well?
Ms. O'Neill-LaGier. Well, just to clarify, Mr. Chairman,
those processes were in place prior to us knowing of the
identity theft, so that is our standard practice.
Mr. Greenwood. Okay. It is--would--did you make changes--
did you find that there were changes you had to make as a
result or this, or not?
Ms. O'Neill-LaGier. We did a thorough review of our
security, and there were very few changes that we made. There
were a few things that we thought we could tighten up, but for
the most part, we felt that our system was very secure.
Mr. Greenwood. Are you able to speculate, and we want to be
sensitive to the fact that there is an ongoing investigation,
and so you are perfectly free to say that you can't answer any
of the questions, but have you been able to identify yet
whether this was an inside job, so to speak, someone who worked
for Red Cross, or whether it was someone who got access to this
information who was not part of your organization?
Ms. O'Neill-LaGier. I would respectfully have to decline
answering that.
Mr. Greenwood. Okay.
Ms. O'Neill-LaGier. As it is part of the investigation.
Mr. Greenwood. I understand that a person's Social Security
number is still considered as--you mentioned in your testimony,
the universally accepted means of ID, but in light of these
recent events, has the Red Cross considered using other
tracking methods besides the Social Security number?
Ms. O'Neill-LaGier. And that I can answer----
Mr. Greenwood. Okay.
Mr. O'Neill-LaGier. [continuing] with a positive yes. We
are currently--the Red Cross, the entire organization, is
currently producing a new donor card, which will have a unique
donor identification number, and the new card will replace the
Social Security number as the primary donor identifier, and
will eliminate the need for the donor to verbally communicate
their Social Security number at the blood drive. So, we expect
that this initial distribution will begin in March 2004, and we
expect to be fully implemented in the Red Cross system by the
summer. So, we are very----
Mr. Greenwood. And that would be nationwide?
Ms. O'Neill-LaGier. Yes.
Mr. Greenwood. Okay.
Ms. O'Neill-LaGier. For the Red Cross.
Mr. Greenwood. That is very good. So therefore, if somebody
needs access to that, knows the numerals, there is nothing----
Ms. O'Neill-LaGier. Right. It will be----
Mr. Greenwood. [continuing] they could do with them to----
Ms. O'Neill-LaGier. [continuing] just unique to their blood
donation----
Mr. Greenwood. Okay.
Ms. O'Neill-LaGier. [continuing] history.
Mr. Greenwood. The FDA oversees our Nation's blood supply,
and the Red Cross is therefore subject to its regulations. Are
there steps that the FDA should be taking to assist in
protecting the blood donors and their personal information,
because obviously, the Red Cross isn't the outfit involved in
the blood supply.
Ms. O'Neill-LaGier. Well, the FDA requires that we are
always able to track the blood donation back to the blood
donor, and that is for many safety and security reasons, so we
have to have a mechanism in place to always be able to take
that donation back to the donor. An example of something that
might require us to look back and be able to identify that
donor is if a subsequent--a positive test on that donor would
come up. We have to be able to go back to all of that donor's
donations and recall them from the inventory, so it is
critically important.
That is the requirement of the FDA, so when we moved to
this unique Red Cross identifier, that will allow us to do that
in the same way that the Social Security does.
Mr. Greenwood. But to your knowledge, the FDA hasn't come
up with a regulatory scheme that says that all of the Nation's
blood supplies should use these kind of non-Social Security
identifying numbers.
Ms. O'Neill-LaGier. Not to my knowledge.
Mr. Greenwood. Okay. The FTC is tasked with being the
flagship Federal Government agency for monitoring identity
theft and providing guidance to victims. Did the Red Cross
contact the FTC when this first happened?
Ms. O'Neill-LaGier. Well, we worked with the U.S.
Attorney's Office, the FBI and the Postal Inspector Office, and
they took care of any of that notification. We took their
advice on the information to send out to the blood donors,
which I have included, giving them some guidance on how to
contact the credit agencies and to put fraud alerts on the
credit reports.
Mr. Greenwood. Well, I think both of these cases illustrate
the depravity of people who would take these numbers with total
disregard to the impacts, in one case, very personal impact
within a family and in another case, an impact, a series of
impacts that could really be life and death matters, in terms
of keeping a secure supply of blood.
The Chair recognizes Mr. Gerlach for questions.
Mr. Gerlach. Thank you. Just as a follow-up to that last
comment. What has been the anecdotal feedback from those that
have been identity theft victims that come through the blood
drives that you have narrowed down as to be those that--
potentially, was where the fraudulent activity generated from.
What has been the anecdotal feedback as to what they have
experienced after being victimized that way?
Ms. O'Neill-LaGier. Well, the victims that we--the Red
Cross have talked to, you know, are very upset, very concerned.
And very concerned that this would happen to the American Red
Cross, because we truly have been victimized also. There has
been a variety of amounts of money that were stolen. This is
anecdotal to me. I mean, you could check with the investigators
for better information, but it is really quite devastating to
them and to us, because we just feel terrible about it.
Remarkably, many people have returned to donate again, and
feel that it is their obligation as members of the community
and are willing to work through this, and we have shared with
the victims our intent to move away from Social Security
number, and so they are willing to wait for us to get that in
place.
Mr. Gerlach. Okay. And Mrs. Kane, on your--in your
situation, the person that stole your identity was also named
Michelle Kane, and do you know whether or not she, in fact,
used other Michelle Kanes around the country, in addition to
yourself as being the basis for which she undertook that
fraudulent activity?
Mrs. Kane. I don't know if she found any other Michelle
Kanes in her medical data base that she was able to find their
Social Security numbers as well. All I know is my account.
Mr. Gerlach. Okay. When did you find out her identity as
being the person that stole your identity? When in relation to
the criminal prosecution she underwent and was convicted of and
thereafter served time, when did you learn of her identity, so
that you knew that was the person that stole your identity?
Mrs. Kane. When she applied for a mortgage and took out a
$40,000 loan, that is when it became big enough for the banks
to get involved, and the bank that was involved hired an
investigator.
Mr. Gerlach. Okay.
Mrs. Kane. And it was through the investigator, he asked me
did I wear glasses, which I thought was an odd question,
because I only wore them for college, and I rarely wore them. I
think I have worn them 10 times total, and at first, I said no,
because it was so long ago, and then I said well, I do have a
pair, and here, she worked for a vision company, and she was
able to go through the medical data bases. According to the
investigator, she denies that this is how it came to be, but--
so it was once the mortgage company got involved that they told
me how they think it went down.
Mr. Gerlach. And that information was passed along to law
enforcement where she resided?
Mrs. Kane. Yes. They were----
Mr. Gerlach. And that was where?
Mrs. Kane. Schenectady, New York.
Mr. Gerlach. Schenectady. And then you had no contact
yourself, however, with the Schenectady Police Department or
the prosecuting attorney in that county----
Mrs. Kane. No.
Mr. Gerlach. [continuing] where Schenectady is located.
Mrs. Kane. No, I did not. I had only had contact with the
investigator, who kept me abreast of the information.
Mr. Gerlach. Okay. And after these activities occurred, was
anybody coming to you, either credit reporting agencies, with
information? Obviously, you saw that it was inappropriate, but
were any debt collectors or anybody coming, financial
institutions coming after you for payment on loans or
indebtedness that had been incurred in your name?
Mrs. Kane. Up until--once we got in touch with the credit
agencies and once we told them we were victims, our number must
have gotten onto the credit reports. Obviously, our phone
number, our address, and then the debt collectors started
calling us, but not beforehand, because she had her own Post
Office box set up.
Mr. Gerlach. Okay.
Mrs. Kane. So once we got in the system, you would think
the credit agencies would help. Instead, they put us down as--
they--just mistaken. It was a mistake of which Michelle Kane
they should call, and they started calling us to pay off these
debts.
Mr. Gerlach. And what was your experience with those debt
collectors?
Mrs. Kane. Well, it was not pleasant.
Mr. Gerlach. Did they accept your explanation that you were
a victim?
Mrs. Kane. No, they just denied--they said, I am sorry, we
don't believe you. You know, pay up, honey.
Mr. Gerlach. Okay.
Mrs. Kane. So.
Mr. Gerlach. And how long did that--how many different
collectors were after you in that fashion?
Mrs. Kane. Well, it was----
Mr. Gerlach. And how long did it take them to realize
that----
Mrs. Kane. It wasn't very long. It was only two banks, and
it did eventually get cleared up, but it was still not
something I was expecting.
Mr. Gerlach. Okay. And upon what information, if you know,
did they rely upon to understand that you were a victim in this
situation, and therefore should not be harassed with dunning
notes or telephone calls? Did they receive information from
some other source, either law enforcement in Schenectady or the
private investigator hired by the one bank? Do you know how it
was that they finally let you off the hook in terms of their
thought that you should be paying on the debt?
Mrs. Kane. I think, and this is just my own personal
thoughts, I don't think that they got any information from any
other outside sources. I think they just probably did their
homework and looked at the information that was in front of
them and realized----
Mr. Gerlach. That you were telling the truth.
Mrs. Kane. That we were telling the truth.
Mr. Gerlach. Yeah.
Mrs. Kane. By looking at their information that we had sent
through our credit--our criminal record. What did we send? The
police reports and the ID and the notarized forms that they
probably just put two and two together once we persisted enough
and said that this is not us. But it took a few phone calls.
Mr. Gerlach. Okay. Thank you.
Mr. Greenwood. Thank you. One more question for Ms.
O'Neill-LaGier. Are blood collection activities subject to the
Act that protects the privacy of health information, HIPAA?
Ms. O'Neill-LaGier. The HIPAA. We are not obligated to
HIPAA, but I would have to check on that for you and get back
to you on that.
Mr. Greenwood. Okay. Would you do that and----
Ms. O'Neill-LaGier. Yeah. I will do that.
Mr. Greenwood. [continuing] communicate with the committee
staff on that. Okay. We thank you both for being here and for
your testimony and for your willingness to help us in our
investigation, and you are both excused.
Mrs. Kane. Thank you.
Ms. O'Neill-LaGier. Thank you.
Mr. Greenwood. For the rest of the day. And we will now
call forward the second panel, consisting of Mr. Robert Ryan
from--he is the Senior Director of Government Relations for
TransUnion, which is out of Chicago; and also Milissa Lenahan,
who is the Assistant Vice President and Assistant Operations
Officer for First National Bank and Trust, nearby in Newtown,
Pennsylvania. Welcome, both of you.
Mr. Ryan. Thank you.
Ms. Lenahan. Thank you.
Mr. Greenwood. You may sit down. Then I will ask you to
stand up. As you have heard me say to the other witnesses that
we take testimony here under oath, and so I need to ask if
either of you objects to taking--giving your testimony under
oath.
Mr. Ryan. No.
Mr. Greenwood. Okay. And you are both entitled to be
represented by counsel. Do either of you choose to be
represented by counsel?
Ms. Lenahan. No.
Mr. Ryan. No, Mr. Chairman.
Mr. Greenwood. Okay. Now, if you would stand up again and
raise your right hands.
[Witnesses sworn.]
Mr. Greenwood. Okay. You are both under oath, and I am
going to start with you, Mr. Ryan. You are recognized to give
your testimony.
TESTIMONY OF ROBERT RYAN, SENIOR DIRECTOR OF GOVERNMENT
RELATIONS, TRANSUNION; AND MILISSA J. LENAHAN, ASSISTANT VP/
ASSISTANT OPERATIONS OFFICER, FIRST NATIONAL BANK AND TRUST
COMPANY OF NEWTOWN
Mr. Ryan. Good morning, Mr. Chairman Greenwood, Congressman
Gerlach. My name is Bob Ryan, and I am the Senior Director of
Government Relations for TransUnion. We are a leading global
provider of consumer report information supported by more than
4,100 employees in more than 24 countries worldwide. I
appreciate the opportunity to appear before you here today to
discuss the role of TransUnion in the credit granting process,
and in assisting consumers, and our business customers in
preventing and remediating identity theft.
I would like to explain briefly how TransUnion plays a
critical role in the economic engine of credit availability. We
provide the information necessary to lenders, regardless of
where they are located, to make credit available to consumers
all across the United States. In order for a lender to extend a
loan to a consumer, the lender needs to evaluate the credit
risks inherent in lending to that consumer, and the proper
evaluation of the consumer's credit risks allows the lender to
determine whether to provide credit to the consumer and at what
price.
We believe that the most accurate and predictive piece of
information a lender can use in evaluating credit risk is a
consumer report, also commonly called a credit report, and we
take great pride in our ability to collect and disseminate
credit report information. We receive and process approximately
2 billion updates to consumers' credit files each month.
Now, let me turn to our role in thwarting identity theft.
Identify theft is a serious problem and TransUnion is part of
the solution. Since the 1980's, when TransUnion developed the
first application fraud detection services for credit grantors,
we have been helping our business customers detect and avoid
application fraud, thus reducing the number of consumers
affected by identity theft. In the mid-1980's, we were the
first consumer reporting agency to initiate the development of
special procedures to assist identity theft victims, including
expedited dispute verification processes. In the late 1980's,
we developed the innovation of a security alert flag on credit
reports, to alert our customers to use extra caution in opening
new accounts in the cases of prospective victims or actual
victims of identity theft.
In 1992, we were the first consumer reporting agency to
establish a special Fraud Victim Assistance group within our
organization that is solely dedicated to identify theft
problems. In 1997, we began immediate suppression at the same
time the dispute investigation process was initiated, of fraud-
related information on a consumer's file, upon their
presentation to us of a police report or other documentation,
such as a Postal Service report confirming the fraud. In March
2000, this process became an industry standard.
Our identify fraud specialists work with consumers,
industry and government agencies to remediate damaged credit
files as quickly as possible, to take preventative steps that
reduce further victimization and to cooperate with law
enforcement authorities in their investigations and
prosecutions of this crime. Our processes include posting a
security alert to the victim's file, opting the victim out of
prescreened, pre-approved offers of credit or insurance, if he
or she wishes, providing the victim a free credit report and
notifying credit grantors and others, whose inquiries on the
victim's file are due to fraud.
Congress, as you noted, Mr. Chairman, is also taking
important steps with respect to identity theft. We applaud
Congress for enacting the Fair and Accurate Credit Transactions
Act, or the FACT Act, which makes permanent important national
standards in the credit reporting system and includes a
comprehensive set of provisions pertaining to identity theft.
A significant provision of the new law is a requirement to
provide a free credit report annually to consumers upon their
request, so that was item one on Ms. Kane's suggestions. For
many years, we have provided free credit reports to victims,
and to individuals who think they may be--there may be
fraudulent information on their reports.
The new law also provides for three types of security
alerts in credit reports: an initial alert, for cases of
potential fraud; an extended alert, in cases of actual identity
theft; and a special active duty alert for our men and women
serving in the armed forces stationed away from home.
TransUnion was a pioneer in giving consumers the
opportunity to place security alerts in their credit files, as
I noted a moment ago. The FACT Act also codifies what has been
our industry's voluntary practice concerning the immediate
blocking of information related to identity theft upon the
consumer's providing us with an identity theft report. The FACT
Act will also benefit consumers by requiring the Federal Trade
Commission to develop a summary of consumer rights with respect
to the procedures for remedying the effects of fraud or
identity theft. The FACT Act also requires the consumer
reporting agency to provide a heads-up, a notice, to a credit
grantor if the grantor submits to a consumer reporting agency
an address for a consumer that doesn't match an address in the
consumer reporting agency's files.
At TransUnion, we are proud of our leadership in the
development of processes and procedures to prevent and
remediate identity theft. We applaud the 108th Congress for
enacting the FACT Act, creating important, new national
standards to help remediate identity theft, and we are
gratified that many of the provisions of the bill were based on
credit reporting industry standards that TransUnion helped to
put in place.
Mr. Chairman, Congressman Gerlach, I sincerely appreciate
your invitation to testify today on identity theft. TransUnion
looks forward to continuing to be part of the solution to this
terrible crime, and I would be pleased to answer any questions
that you may have.
[The prepared statement of Robert Ryan follows:]
Prepared Statement of Robert Ryan, Senior Director of Government
Relations, TransUnion
introduction
Good morning, Chairman Greenwood, Congressman Deutsch, and Members
of the Subcommittee. My name is Robert Ryan, and I am Senior Director
of Government Relations for TransUnion, LLC. TransUnion is a leading
global provider of consumer report information supported by more than
4,100 employees in more than 24 countries worldwide. I appreciate the
opportunity to appear before you today to discuss the role of
TransUnion in the credit granting process and in assisting consumers
and our business customers in preventing and remediating identity
theft.
the role of transunion in the credit granting process
Consumer spending makes up approximately two-thirds of the U.S.
gross domestic product. A critical component of this economic driver is
the availability of consumer credit. Consumers in the United States
have access to a wide variety of credit from a number of sources at
extremely competitive prices. Consumers rely on the availability of
credit for a variety of purposes, such as the purchase of homes, cars,
education, and daily needs. In fact, there is approximately $7 trillion
in outstanding mortgages and other consumer loans in the United States.
There is no question that our economy would suffer if consumers could
not easily access credit as they do today.
It is my pleasure to explain how TransUnion plays a critical role
in the economic engine of credit availability. In sum, we provide the
information necessary for lenders, regardless of where they are
located, to make credit available to consumers all across the United
States. In order for a lender to extend a loan to a consumer, the
lender must evaluate the credit risks inherent in lending to that
consumer. The proper evaluation of the consumer's credit risks allows
the lender to determine whether to provide credit to the consumer and
at what price. We believe that the most accurate and predictive piece
of information a lender can use in evaluating a consumer's credit risk
is a consumer report (also commonly called a credit report). TransUnion
is in the business of providing lenders with this critical information.
The Credit Reporting Process
In order to more fully understand TransUnion's role in the credit
availability process, it is important to understand the credit
reporting process itself. TransUnion is a national consumer reporting
agency. We are a nationwide repository of consumer report information
with files on approximately 200--million individuals in the United
States. The information in our files generally consists of: (i)--
identification information (including social security numbers); (ii)--
credit history; (iii)--public records (e.g. tax liens, judgments,
etc.); and (iv)--a list of entities that have received the consumer's
credit report from us. It is also important to clarify what is not in a
credit report. A TransUnion credit report does not include checking or
savings account information, medical histories, purchases paid in full
with cash or check, business accounts (unless the consumer is
personally liable for the debt), criminal histories, or race, gender,
religion, or national origin.
Most of the information in our files is provided to us voluntarily
by a variety of sources. Although the Fair Credit Reporting Act (FCRA)
does not require anyone to furnish information to consumer reporting
agencies, or have any rules on the scope or nature of such information,
the law does establish certain important guidelines for those who
voluntarily furnish information to consumer reporting agencies. For
example, furnishers must meet certain accuracy standards when providing
information to consumer reporting agencies. Furnishers must also meet
requirements ensuring that the information the furnishers have reported
to consumer reporting agencies remains complete and accurate. Despite
these legal obligations imposed on data furnishers, lenders and others
participate in the credit reporting process due to the recognized value
of complete and up-to-date credit reporting. In essence, if lenders
want accurate, complete, and up-to-date information on which they are
to base credit decisions, they must ensure a continuing supply of such
data to consumer reporting agencies.
We take great pride in our ability to collect and disseminate
credit report information. In fact, TransUnion receives and processes
approximately 2 billion updates to consumers' credit files each month.
However, we do not distribute credit reports to just anyone. Under the
FCRA, we may not provide a credit report to anyone who does not certify
to us that they have a permissible purpose for such information. This
protection ensures that the distribution of credit reports is made only
to those with a need for such information (e.g. granting credit).
the role of transunion in identity theft prevention and remediation
TransUnion Is Part of the Solution
Identity theft is a serious problem and TransUnion is part of the
solution. Since the 1980s, when TransUnion developed the first
application fraud detection suite of services for credit grantors (our
HAWK ' products, introduced in 1983), we have recognized
that fraud through identity theft is a problem for which we can be part
of the solution. We have been helping our customers detect and avoid
application fraud for over 20 years, thus reducing the number of
consumers affected by identity theft. In the mid-1980s we were the
first consumer reporting agency to initiate the development of special
procedures to assist identity theft victims, including expedited
dispute verification processes and the deletion of fraudulent
information. In the late 1980s we developed the innovation of a
``security alert'' flag on credit reports, to alert our customers to
use extra caution in opening new accounts.
In 1992, we were the first national consumer reporting agency to
establish a special Fraud Victim Assistance group within our
organization that is solely dedicated to identity theft problems. In
the 1997 we began immediate suppression, at the same time the dispute
investigation process was initiated, of fraud-related information on a
consumer's file upon their presentation of a police report or other
documentation confirming the fraud. In March 2000, this process became
an industry standard.
Our identity fraud specialists work with consumers, industry, and
government agencies to remediate damaged credit files as quickly as
possible, to take preventive steps that reduce further victimization,
and to cooperate with law enforcement authorities in their
investigations and prosecutions of this crime. As we explain on our
website, www.transunion.com, our process includes posting a security
alert, opting the victim out of prescreening if the victim wishes,
providing the victim a free credit report, and notifying inquirers
whose inquiries were due to fraud. We are proud to have played a
leadership role in the development of processes that have become
national standards today and expect to continue this leadership to
combat this growing crime.
the importance of national standards in combating identity theft: the
fact act of 2003
The Fair and Accurate Credit Transactions Act of 2003
As you know, on December 4, 2003, President Bush signed into law
the Fair and Accurate Credit Transactions Act of 2003, or the FACT Act.
We applaud Congress for enacting the FACT Act, which makes permanent
important national standards in the credit reporting system, and
includes a comprehensive set of provisions pertaining to identity
theft. I am pleased to note that many of the identity theft provisions
in the FACT Act are based on innovations that TransUnion and other
consumer reporting agencies have developed to help consumers in the
fight against identity theft.
A significant provision in the new law is a requirement to provide
free credit report annually to consumers upon request. This new
obligation springs from the idea that if the credit report is free
there will be increased access to credit histories by more people, and
that increased access will improve accuracy and reduce identity theft
by encouraging individuals to regularly review their credit reports.
There remains significant debate as to the validity of this logic since
credit reports were always accessible for a modest fee (currently $9)
and for many years all national consumer reporting agencies have
provided free credit reports, upon request, to identity theft victims
and to individuals who think there may be fraudulent information on
their reports.
The new law also provides for three types of security alerts in
credit reports--an initial alert (upon a good faith suspicion that the
individual may be subject to identity theft), a ``military'' alert (for
our men and women serving in the military away from home), and an
extended alert (in cases of actual identity theft). As a general
matter, certain users of consumer reports (e.g. creditors) are required
to take steps to confirm a consumer's identity prior to extending
credit when these alerts are present on credit reports. As I mentioned
above, TransUnion was a pioneer in giving consumers the opportunity to
place security alerts in their credit files.
The FACT Act also codifies what has been our industry's voluntary
practice concerning the immediate blocking of information related to
identity theft upon the consumer's providing us with an identity theft
report--usually a police report. This practice is also known as
``tradeline blocking.'' The national consumer reporting agencies are
required to share information about security alerts and blocked data
among themselves, so that a consumer's actions with one consumer
reporting agency will flow to the others, and be reflected on their
credit reports.
The FACT Act will also benefit consumers by requiring the Federal
Trade Commission to develop a summary of consumer rights under the FCRA
with respect to the procedures for remedying the effects of fraud or
identity theft involving credit or other financial accounts or
transactions. This provision is designed to assist identity theft
victims in understanding the numerous tools at their disposal, such as
the use of security alerts or tradeline blocking, to mitigate the harms
of identity theft. Consumer reporting agencies will provide a summary
of these rights to any consumer who contacts them and expresses a
belief that he or she is a victim of fraud or identity theft involving
a financial transaction.
The FACT Act also requires a consumer reporting agency to provide a
``heads up'' to a user of credit reports if the user submits to a
consumer reporting agency an address for a consumer that does not match
an address in the consumer reporting agency's files. This provision is
based on existing practices used by TransUnion to notify creditors and
others that the consumer's address does not match one we have on file.
This serves as another protection against identity theft, where the
criminal may use a victim's identification information but the
criminal's address in order to obtain credit or other goods or
services. Under the FACT Act, the user of a credit report that contains
such a notice of discrepancy will need to take certain steps to reduce
the risk that the transaction is the result of identity theft.
The issue of data furnishers providing the consumer reporting
agency information that has been identified as fraudulent by the
consumer reporting agency, and has been ``blocked'' by the consumer
reporting agency, has been addressed by the FACT Act in two ways.
First, in certain circumstances, the law prohibits the sale to third
parties of accounts on which the creditor has received a notice of
identity theft from either the consumer directly, or from the consumer
reporting agency. The intent is to prevent the fraudulent information
from finding its way back onto the credit report in the form of a
report from a third party collection agency. Second, the FACT Act
prohibits data furnishers from providing information to a consumer
reporting agency if the consumer provides them an identity theft report
identifying the relevant information as resulting from identity theft,
or if the furnishers are notified by a consumer reporting agency that
an identity theft report has been filed with respect to such
information.
Furnisher Obligations
Because the FACT Act makes permanent the national standards
pertaining to data furnisher obligations, it removed the danger that
state laws pertaining to furnisher obligations could have reduced the
number of entities willing to provide information to consumer reporting
agencies. Withdrawal of data furnishers from the system would result
not only in a loss of the credit information they provide but would
also result in the loss of the address updates they provide.
TransUnion's database relies on addresses that are in active use by
creditors in mailing monthly statements to their customers. The fact
that most data furnishers today also provide us with the social
security number of their customers allows us to bridge address changes
and name variations that commonly occur in our society. Businesses and
government agencies with a permissible purpose to obtain a consumer
report rely on our robust national database of names, social security
numbers, and up to date addresses for a variety of fraud prevention and
identity authentication services. With less current identification or
address information coming into the database, the performance of these
services would suffer.
Reinvestigation Timeframes
In identity theft cases, the consumer reporting agency is tasked
with sorting out accurate and inaccurate information about the
consumer. This is a difficult process and, if not done properly, could
affect not only the consumer's ability to obtain credit but the safety
and soundness of our financial institutions. We were gratified that the
FACT Act preserved the national standard for reinvestigation processes
and timeframes. In this regard, identity theft victims in Pennsylvania
will continue to be treated no differently than victims from California
to Florida. As a nation, we cannot have any other result.
conclusion
At TransUnion, we are proud of our leadership in the development of
processes and procedures to prevent and remediate identity theft. We
applaud the 108th Congress for enacting the FACT Act, creating
important new national standards that will help remediate identity
theft. We are gratified that many of the provisions in the bill were
based on credit reporting industry standards that TransUnion helped put
in place.
Mr. Chairman, Congressman Deutsch, and members of the Subcommittee,
I sincerely appreciate your invitation to testify today on identity
theft. TransUnion looks forward to continuing to be part of the
solution to this terrible crime.
Mr. Greenwood. Thank you very much, Mr. Ryan. Ms. Lenahan.
TESTIMONY OF MILISSA LENAHAN
Ms. Lenahan. Hi. Thank you for the opportunity, and I would
like to recognize American Bankers Association for giving me
the opportunity to speak and they provided some materials,
including a video, and I would just like for the record to
recognize that.
Mr. Greenwood. Okay.
Ms. Lenahan. My name is Milissa Lenahan. I have been
employed by First National Bank and Trust Company of Newtown
for 20 years. My current position is Assistant Vice President
and Assistant Operations Officer, Security Officer and
Custodian of Records.
Mr. Greenwood. Can you hear all right in the back, then?
Okay.
Ms. Lenahan. Okay. One of my primary functions as a
Security Officer is researching and responding to fraud. I am
currently working 20 cases of fraud that involve some form of
identity theft. Twenty cases may not seem like a large number.
However, First National Bank is a community bank, with our
service area being in central and lower Bucks County. To us,
one fraud is too many.
Identify theft is on the rise and no one is exempt from the
possibilities of having their identity compromised. Identity
theft takes several forms, from a stolen piece of mail to a
wealth of counterfeit documents with unknowing victims'
information.
My definition of identity theft is any time a person's
information is used by someone other than themself. You don't
have to have a fake driver's license to impersonate somebody
and purchase something online with their stolen credit card. It
has been my experience that retail locations rarely check the
signature on the back of a credit card.
Our bank takes pride in its customer service and we will
use our abilities and resources to assist our customers who
have victimized by identity theft. We provide whatever
assistance is necessary to stop any further damage to our
customer's good name.
The following is a summary of the steps we take. Once
notified by the customer, a hold is placed on all accounts.
Notification is then broadcasted to every computer within the
bank, tellers as well as back offices, as an alert. It is our
practice to close customers' accounts and open new ones to
prevent any future loss. We work with the customer in making
sure legitimate payments are honored. We assist our customers
with the paperwork necessary to credit back any missing funds
as a result of the fraud, and in addition, we provide the
customer with information on each credit reporting agency with
the appropriate phone numbers, so that they can have an alert
placed on their credit report.
We recommend that our customers file a police report, and
we will cooperate with police in an attempt to catch the
fraudster and bring them to justice. Training and education is
a large part of what we do. It is an ongoing process and we
will pool any and all resources available to us that is put out
by organizations such as the American Bankers Association. We
will use these resources in training, as well as provide them
to our customers in their monthly statement. We post security
alerts on our website as another type of warning to our
customers, and we will speak to organizations and schools when
asked.
The tellers on the front line are the most vulnerable to a
perpetrator of identity theft. Split deposit fraud is one of
the more common ways to pass yourself off as a customer by
using a counterfeit or stolen check, presenting a portion for
deposit and receiving a larger portion in cash back. The
fraudster is usually prepared to present identification. The
problem is there is no way for the teller to know that this
identification is legitimate or not.
Our new accounts people are also at risk. Technology has
broadened the spectrum for someone intent on committing fraud.
The only equipment you need is a home computer and a printer. A
fake ID on the street would cost maybe $50. Check stock is
readily available at stores that sell office supplies. All you
need now is to take information off of someone's check. That
check alone is a wealth of information, name, address, phone
number, bank name, bank routing number and account number.
When I started my career in banking in 1983, the only way
you could get a supply of checks was by submitting your order
to your bank. A bank would have the tools necessary to
determine if this order is fraudulent, as would the check
printing company they contracted their business with.
Unfortunately, resources necessary are not always available or
practical. We no sooner put tools and policies into place and
then you are hit with a fraud with a new twist.
Prevention is the key, but how do you prevent someone from
stealing? If you are lucky enough to get an arrest, what is the
punishment? Credit for time served and restitution that could
take years. Our bank has a very good working relationship with
local police departments, but police also have limited
resources and tools to pursue these types of criminals. When
our customer needs to file a police report, it is not clear
which department they need to file with. Do you file in the
municipality you live, or do you have a file in each location
that an item was negotiated? One example of this that I had
recently was our customer had to file a report in three
separate municipalities after being turned away by their home
municipality.
The consumer is depending on the police to help. Identity
theft leaves consumers with the feeling of total personal
violation regardless of the dollar amount. The consumer spends
countless hours trying to repair the damage. That is why we
depend on organizations such as the ABA, the FBI, the FTC and
local law enforcement to communicate and provide new tools to
assist us in educating not only ourselves but our customers as
well.
Identity theft is one form of fraud that is extremely hard
to prevent without access to certain tools only available to
law enforcement. We can't call the police every time someone
presents us with a driver's license to verify the validity of
the document and the picture to the person in front of the
teller. New technology is being made available in some states
for this type of verification. Unfortunately, not in all
states.
New regulations and policies, such as the PATRIOT Act and
the Customer Identification Program will help in the prevention
of new account identity theft, but for how long? If the people
responsible for the crime are not punished for their actions,
regardless of the dollar amount, it is only a matter of time
before a new type of fraud surfaces. Government organizations,
law enforcement, financial institutions and consumers all need
to work together to stop this growing fraud.
Thank you.
[The prepared statement of Milissa Lenahan follows:]
Prepared Statement of Milissa J. Lenahan, First National Bank and Trust
My name is Milissa J. Lenahan, I have been employed by The First
National Bank and Trust Company of Newtown for 20 years. My current
position is Assistant Vice President, Assistant Operations Officer,
Security Officer and Custodian of Records. One of my primary functions
as a Security Officer is researching and responding to fraud. I am
currently working 20 cases of fraud that involve some form of Identity
Theft. 20 cases may not seem like a large number however, First
National Bank is a Community Bank with our service area being within
Central and Lower Bucks County. To us one fraud is too many.
Identity Theft is on the rise and no one is exempt from the
possibilities of having their identity compromised. Identity Theft
takes several forms from a stolen piece of mail to a wealth of
counterfeit documents with unknowing victims information. My definition
of Identity Theft is any time a persons information is used by someone
other than them self. You don't have to have a fake Drivers License to
impersonate someone and purchase something online with their stolen
credit card. It has been my experience that retail locations rarely
check the signature on the back of a credit card. Our bank takes pride
in it customer service and we will use our abilities and resources to
assist our customers who have been victimized by Identity Theft. We
provide what ever assistance is necessary to stop any further damage to
our customers good name. The following is a summary of the steps we
take: Once notified by the customer, a hold is placed on all accounts.
Notification is broadcasted to every computer, tellers as well as back
offices as an alert throughout the bank. It is our practice to close
the customers account and open new to prevent any further loss. We work
with the customer in making sure legitimate payments are honored. We
assist our customers with the paperwork necessary to credit back any
funds missing as a result of the fraud. In addition we provide the
customer with information on each credit reporting agency with the
appropriate phone numbers so that they can have an alert placed on
their credit report. We recommend that the customer file a police
report. We will cooperate with police in an attempt to catch the
``Fraudster'' and bring them to justice.
Training and education is a large part of what we do. It is an on
going process and we will pull any and all resources available to us
that is put out by organizations such as American Bankers Association.
We will use these resources in training as well as providing them to
our customers in their monthly statement. We post security alerts on
our web site as another type of warming to our customers, and will
speak to organizations and schools when asked.
The tellers on the front line are the most vulnerable to a
perpetrator of Identity Theft, split deposit fraud is one of the more
common ways to pass yourself off as a customer by using a counterfeit
or stolen check and presenting a portion for deposit and receiving a
larger portion in cash back.
The ``Fraudster'' is usually prepared to present identification.
The problem is there is no way for the teller to know if this
identification is legitimate or not.
Our new accounts people are also at risk. Technology has broadened
the spectrum for someone intent on committing fraud. The only equipment
you need is a home computer and a printer.
A fake ID on the street would cost maybe $50.00. Check stock is
readily available at stores that sell office supplies. All you need now
is to take information off of someone's check. That check alone is a
wealth of information, name, address, phone number, bank name, bank
routing number and account number. When I started my career in banking
in 1983, the only way you could get a supply of checks was by
submitting your order to your bank. A bank would have the tools
necessary to determine if this order is fraudulent as would the check
printing company they contracted their business with.
Unfortunately resources necessary are not always available or
practical. We no sooner put new tools and policies in place and then
you are hit with a fraud with a new twist. Prevention is the key, but
how do you prevent someone from stealing? If you are lucky enough to
get an arrest, what is the punishment, credit for time served and
restitution that could take years?
Our bank has a very good working relationship with local Police
departments. But Police also have limited resources and tools to pursue
these types of criminals. When our customer needs to file a Police
Report it is not clear which department they need to file with. Do you
file in the municipality you live in or do you have to file in each
location that an item was negotiated.
One example of this I had recently was our customer had to file a
report in three separate municipalities after being turned away by his
home municipality. The consumer is depending on the Police to help.
Identity Theft leaves consumers with the feeling of total personal
violation regardless of the dollar amount. The consumer spends
countless hours trying to repair the damage. That is why we depend on
organizations such as the ABA, FBI, FTC and local Law Enforcement to
communicate and provide new tools to assist us in educating not only
ourselves but consumer as well.
Identity Theft is one form of fraud that is extremely hard to
prevent without access to certain tools only available to Law
Enforcement. We can't call the Police every time someone presents us
with a drivers license to verify the validity of the document and the
picture to the person in front of the teller. New technology is being
made available in some States for this type of verification,
unfortunately not in all States.
New regulations and policies such as the Patriot Act and Customer
Identification Program will help in the prevention of new account
Identity Theft but for how long? If the people responsible for the
crime are not punished for their actions regardless of the dollar
amount, it is only a matter of time before a new type of fraud
surfaces.
Government, Organizations, Law Enforcement, Financial Institutions
and Consumers all need to work together to stop this growing fraud
trend.
Mr. Greenwood. Thank you very much. The Chair recognizes
himself for questioning. And we will start with you, Mr. Ryan.
You have heard the stories, including from Ms. Kane
particularly this morning, that victims of identity theft find
that the portion of their recovery that takes the longest is
getting the fraudulent information off the victim's credit
bureau. Can you explain what part of the process can take--why
this part of the process can take such a long time, and what if
anything is being done to shorten the time? Because I think Ms.
Kane said that she was still trying to get--and one of the
things she was--and I am a little bit confused, because you
talked about free reports, and she said it was annoying to her
to have to keep paying the $8 for the credit report. Was she
not aware--do you think that she could get these for free?
Mr. Ryan. I can't--I can only speak, Mr. Chairman, for
TransUnion, and to identity theft victims----
Mr. Greenwood. She mentioned TransUnion by name, I think,
in her testimony.
Mr. Ryan. Our policy is to provide free disclosures to
identity theft victims and has been for years, so I----
Mr. Greenwood. Well, let me--let us pursue that. If I am a
victim of identity theft, and I say to myself, I better get my
credit report, how would I--ordinarily, if I just go about the
normal process of seeking a copy of my credit report, I would
pay a fee unless--how would I know that I could get it for
free?
Mr. Ryan. Well, no, that is part of our script--part of the
VRU, part of our--both our 1-800 telephone toll-free number
that is provided to consumers for calling in for your credit
disclosure, for your credit report, and part of our Internet
website disclosure is that under certain circumstances, you can
be entitled--you are--may be entitled to a free disclosure.
Obviously, in the case of any adverse action, under the Fair
Credit Reporting Act, but also under Fair Credit Reporting Act
and our longstanding policy, you are entitled to a free
disclosure if you believe there may be fraudulent information
on your credit report as a result of identity theft or other
fraud, and so that is part of our phone script and part of our
Internet scripting as well. So, I can't, you know, reply in
particular. Obviously, we will be happy to follow up and--if, I
mean, if it was our company, we would be happy to refund or
whatever.
Mr. Greenwood. Is a credit bureau report easy for a
layperson to read and understand? You heard Ms. Kane saying
that sometimes there are abbreviations, there aren't
necessarily numbers, toll-free numbers that can be gleaned from
the report. Would I really know what to look for on my credit
bureau report to determine whether I had been a victim of
identity theft?
Mr. Ryan. I may be a bit biased, Mr. Chairman, because I
have been in the business so long, but when I--we have done a
lot of work and testing of our consumer disclosure form. It is
not the same credit report that would go to a bank, or you
know, other financial institutions, so it is recast in English,
and we do explain the different sections, so it is as clear as
a very--typically long, 6, 7, 8 page, rather arcane listing of
financial information, dates and dollar amounts can be, in my
opinion.
Mr. Greenwood. Okay. Another one of the major problems we
hear regarding victims of identity theft is that they usually
did not discover the theft for a long time, in some cases, for
over a year. The question is what type of fraud detection
systems or services could the credit bureaus provide to try and
identify the fraud before the victim even becomes aware of it?
Mr. Ryan. We are, as an ongoing matter of our business
practice, we are looking at better ways to alert all of our
constituents to possible fraud. We maintain, though, again,
files on 220 million--all the credit active people in the
United States, and so, I don't--we have not identified a way to
proactively notify individual consumers. We certainly do--we
are very available, you know, we are very open. And the new
FACT Act, again, provides a free annual disclosure to everybody
in the country, plus, as again, as I said, we have been open
and available to providing free disclosures to consumers who
even think there may be fraudulent information on their file.
But--and that's the state-of-the-art pretty much today on this.
Mr. Greenwood. Are there provisions that you would have
preferred to see get into the FACT Act that were not?
Mr. Ryan. I think that--no, the FACT Act is--it is a very
comprehensive law. If, Mr. Chairman, you are asking if there
are other issues pertaining to identity theft, that as a matter
of public policy or legislation, were not addressed in the FACT
Act, you--the committee has heard some of those earlier today.
One is the issue of the robustness of our State identification,
the driver's license system and ID cards and there is certainly
legislation in Congress or it has been considered in Congress,
aid to the states in making--providing for a more robust,
perhaps biometric base identification system.
Mr. Greenwood. I think that is where we are headed. That
has been what has been going through my mind this morning is
that eventually, we are going to have to--as a technological
response that we are going to have to go to a more
sophisticated system, that uses some kind of biometrics in
order to really protect our financial security. Is that where
you think we are headed?
Mr. Ryan. That is where--that is at least one public policy
issue that certainly is appropriate for Congress and perhaps
this Committee to consider. Another issue that you heard
mentioned earlier that I--we fully support are more resources
for law enforcement for both data sharing, the FTC and the FBI,
the Postal Inspector are all doing a lot, and as you also
heard, the record is more uneven in the states. You know, some
are doing more than others, but data sharing----
Mr. Greenwood. Do you think some states are doing too much?
You know, there is an issue that I asked Representative
O'Neill, which is how he felt about the Federal Government
superseding the State laws, and I know California particularly
felt that their law was more stringent and they weren't happy
about having it superseded by the Federal Law. Is that your
experience?
Mr. Ryan. Well, I think the FACT Act got the preemptions on
identity theft about right, Mr. Chairman. The preemptions were
very narrow. They only--what got preempted by the FACT Act were
the national standards for the security alerts, for example, or
the national standards for the trade line blocking with a
police report, and to us, it makes a lot of sense to have one
national standard for how security alerts work.
And apart from the benefits to business, the benefit is to
consumer empowerment, consumer education. So this way, what
gets published in the FTC education program that they will--
they are going to be working on in the next year or so, we will
have a national standard, and one way security alerts and
military active duty alerts operate one way. But in other
areas, the preemptions were not there. The preemptions were
narrow. I think they got it about right.
Mr. Greenwood. Let me--before I turn to Mr. Gerlach, let me
just ask some questions of Ms. Lenahan. When you look at the 20
cases that you are investigating, could you give us a sense
of--you mentioned one specific act where someone will come in
to one of your branches with a stolen check, let us say, and
write the check to himself for $500 and then deposit $50 and
take $450. Are the crimes that you are investigating, do they
tend to actually occur in your branches where people walk in
and do that, or is it more the case that they are just figuring
out how to drain someone's account from an ATM machine, for
instance?
Ms. Lenahan. I would say that it is probably about even. We
have about--we have 12 locations in Bucks County only, and
usually, what happens is if we happen to be unfortunate enough
to get hit inside the branch, it is all within a day. And they
go from location to location, and----
Mr. Greenwood. Have your video cameras or your security
cameras ever assisted in the----
Ms. Lenahan. Yes. Yes, they have.
Mr. Greenwood. That is interesting.
Ms. Lenahan. We have an excellent system called AccuTrack,
and it provides beautiful pictures.
Mr. Greenwood. So you can match, obviously, the transaction
with the----
Ms. Lenahan. Yes, we can.
Mr. Greenwood. [continuing] time of the transaction?
Ms. Lenahan. Yes, we can.
Mr. Greenwood. To the place with the--that moment in your
videotape and try to identify the person on there.
Ms. Lenahan. Yes, we can.
Mr. Greenwood. When I go to an ATM machine and forget to
say no, I don't want a receipt and a receipt comes out, and I
crumple it up and stick it in that little slot that says trash.
Do I have to worry about that receipt being used for
fraudulently?
Ms. Lenahan. No, you do not. It only lists the last four
digits of the debit card number.
Mr. Greenwood. Which brings me to another point. One of the
things I have learned in this investigation is that, of course,
the ideal is to have a truncated--in every transaction, to have
a truncated credit card number, so you just have the last four
numbers indicated and then lots of Xes, but not every vendor
uses that, because it can be costly to have equipment that does
that. And so, the perpetrator can make a purchase--well, it
is--a purchase can be made in a--let us say, a smaller retail
shop that doesn't truncate that information. That receipt can
be picked up by a perpetrator, taken to a department store, and
that number used there to perpetrate a crime on another
retailer, and so the retailer who may have a truncated system
is being victimized as a result of the fact that the smaller
retailers don't.
Ms. Lenahan. Right.
Mr. Greenwood. And that is a problem. And it is not easily
solved, because it is tough--because of the cost of that
equipment, it is tough to mandate that all retailers do that.
It is tempting to do that, but it is expensive for the----
Ms. Lenahan. You only need the credit card number. If that
happened in a location, you wouldn't be able to take that piece
of carbon number, or the number and go make a physical
purchase.
Mr. Greenwood. Right. You don't need to.
Ms. Lenahan. But----
Mr. Greenwood. You can go online and go to Macy's and----
Ms. Lenahan. Online, telephone.
Mr. Greenwood. [continuing] buy stuff all day long.
Ms. Lenahan. Right.
Mr. Greenwood. What types of security measures does your
make take to ensure that your bank employees who have access to
customers' personal information, are not abusing that
information and potentially committing identity theft?
Ms. Lenahan. Well, we are all bound to a code of ethics,
and I don't think that there is anybody that is scrutinized
more closely than our own employees. I am not going to say that
is 100 percent foolproof, but in my experience, I have not had
any experience in the last--since May 2002, of any negativity
on an employee's end. Everything is security code and password
sensitive. There is reports that we receive on a daily basis
that are security department reviews, which includes employees'
account activity. So it is watched.
Mr. Greenwood. Okay. Mr. Gerlach, questions?
Mr. Gerlach. A couple questions, thank you. Mr. Ryan,
first, I am just looking at your testimony. On page 4, ``The
FACT Act also codifies what has been our industry's voluntary
practice concerning the immediate blocking of information
related to identity theft upon the consumer's providing us with
an identity theft report--usually a police report. This
practice is also known as `tradeline blocking' ''. Can you
describe that a little bit more fully for me, what ``tradeline
blocking'' is, when a consumer says he or she is a victim of
theft, perhaps gives you a police report? What do you do at
that point?
Mr. Ryan. Yes. Yes, I can, Congressman. The process
typically begins when we provide the consumer a free copy of
their complete credit report, so they--so in other words, the
first step is the prospective identity theft victim, or the
victim contacts us. We give them a copy of the free report.
They may or may not at that point have a police report, but
then at some point thereafter, or if they don't already have
it, they get a police report, or a report by the U.S. Postal
Service, or some other official document documenting the--make
sure the fact of the identity theft. At that point, our
consumer relations department, our Fraud Victim Assistance
folks will receive from--the consumer tells us this, this, this
and this item either trade--a trade line is a record of an
account, so a Citibank, a record of the Citibank charge account
or a Sears charge account.
Mr. Gerlach. Right.
Mr. Ryan. Or an inquiry could be associated--on the file
could be associated with fraud. In other words, an--just the
record of an inquiry by an institution that again, the consumer
informs us is not a place they applied to, and therefore
associated with a fraud. What happens in those cases of each
element of information that is identified by the consumer, at
that point gets suppressed from display. It gets blocked from
display, so that it does not appear, can not appear on any
future credit report, and we initiate a notice to the furnisher
of each of those--the institution that furnished each of those
elements of information, informing them that the data has been
blocked from display, won't appear on future credit reports,
has been associated to be connected with identity theft, and
then they are--they have an opportunity, or an obligation,
under the Fair Credit Reporting Act, to initiate their own
investigation and take steps to not reintroduce it in
subsequent reports to the credit reporting agency. Obviously,
if they have--in their investigation, feel there is--that it
was not identity theft, or it was some other kind of fraud
going on there, there may be--they may come back to us, but the
ordinary process stops there with our notice to them and their
prevention of having it reintroduced.
Mr. Gerlach. Okay. So, at this point, the consumer can
initiate that simply by having noticed this information on the
report, and you take that individual's objection to that
information on face value, and you block it.
Mr. Ryan. Once they have a police report. Yes, with a
police report.
Mr. Gerlach. Okay. And the police report being simply an
incident report that they have gone, made contact with the
local police, explained the situation to the police, issues a
report, not necessarily a finding of----
Mr. Ryan. No.
Mr. Gerlach. [continuing] criminality, or any of that sort,
but that is--that paper is sufficient for you then to block
that item for future use of that report by some other entity.
Mr. Ryan. Yes, Congressman.
Mr. Gerlach. Okay.
Mr. Ryan. And again, that has been our practice for several
years, and that is now codified under the FACT Act.
Mr. Gerlach. Right. Okay. Real quick, Ms. Lenahan. We have
heard information where the Mexican consulate could issue what
is called a matricula consular card to those coming from Mexico
and to have that card be the basis for coming into a bank and
establishing an account and starting transactions through that
account, but the individual that went into the consulate to say
I am so and so uses a birth certificate that may or may not be
valid or genuine or authentic and nonetheless gets that
consular card that is then used to open up accounts. Are you
aware of any problems with that in your area? I know you are
out of Newtown Square. Are you aware of any problems with banks
and how they, if at all, try to further evaluate the proper
identity of the person that tries to open up an account and
start undertaking financial transactions on that basis of that
card that was used initially?
Ms. Lenahan. I am not familiar with that particular
instance, but I would have to say that the Customer
Identification Program would eliminate somebody being able to
come in and just use that one card only. They would have to
come up with several other forms of identification to conduct
any type of business like that.
Mr. Gerlach. Okay. So the card itself is not a sufficient
enough basis for opening an account. At least at your bank?
Ms. Lenahan. Not at my bank.
Mr. Gerlach. Or are you aware of any other----
Ms. Lenahan. I can't speak for the industry. American
Bankers Association may be able to get back to you for the
record.
Mr. Gerlach. Okay.
Ms. Lenahan. In reference to the industry. But in my bank,
they would need more than that.
Mr. Gerlach. Okay. Good. Thanks. Just a couple more
questions. Do either of you, from your association or personal
experience, use an estimate or see numbers that would estimate
either how much it is costing the Nation as a whole a year from
identity theft, or what theft comes down to as a household?
Seen these numbers?
Mr. Ryan. The--I think, Mr. Chairman, the RTC will--the
recent report had some number--figures there, but they don't
stick--it is millions and millions, but----
Mr. Gerlach. Well, the numbers that I have seen----
Mr. Ryan. [continuing] I don't have that number in my head.
Mr. Gerlach. [continuing] are credit card theft, about $33
billion a year, and total identity theft numbers on an order of
magnitude of $50 billion a year, and my math tells me that that
is several hundred dollars a household, that every household in
America is paying several hundred dollars more a year, which
would be good about this time of year to have in your pocket
instead of having to put out, but that is what we are paying to
go shopping in the extra cost of goods that comes from this.
Just a couple more questions. Ms. Lenahan, what is the
banking industry as a whole doing about this? Do you have a
sense of that? Is this the kind of thing that financial
institutions are either--do you talk to your other--your fellow
bankers from Bucks County or national conventions, is this a
big part of what participants might be engaged in in educating
themselves about?
Ms. Lenahan. It is all of the above. I just attended a
large security conference in Texas, and it covered several
things, including the biometrics that you were speaking of,
which we see that as a future trend. Banks are continually
researching new software that would be compatible with their
own to combat these types of things and catch them before they
accelerate. My bank does not offer a credit card, so we don't
see what the rest of the industry is seeing in reference to the
credit card theft. However, we do offer the Visa check card,
and that in itself, you know, we do have our fraud instances
with those, but we are a little more fortunate than the bigger
guys, because we don't offer the credit card, per se. But----
Mr. Gerlach. Well, somebody--suppose somebody does what is
very easy now, every--most of us in this room probably, when
you go home today, will find at least a couple of lovely offers
of free credit cards that we don't even open any more and just
throw in the trash, and they become pretty easy for somebody to
pick up and fill out and send in and get a credit card. If
somebody fills one of those out with my name on it and gets a
credit card with my name in it and walks into your bank, and
says I would like to put $1,000 on my Visa card, what does your
bank do to make sure that that doesn't happen to me?
Ms. Lenahan. If it is an outside credit card, we are
relying on the credit card company to give us the appropriate
authorization, because that is the only tool that we have. For
our own card, we would have had to have identified them through
the Customer Identification Program before we would even
process their application, so----
Mr. Gerlach. If someone gets--suppose if someone gets an
extra copy, it wouldn't be difficult for someone to report to--
taking my place, that I--they lost a credit card, and ask for
copies to be sent, or pick up my credit card when it comes in
the--when it is renewed and it comes in the mailbox, to pick
that up and then go into a bank and it--I would assume that the
authorization would sail through.
Ms. Lenahan. Well, any new cards that are coming through
the mail have a sticker on it with an 800 number for activation
that you can only use from your home telephone. So that is one
feature that is in place to protect the consumer.
Mr. Gerlach. Okay, so that seems to work pretty well, then,
I guess.
Ms. Lenahan. Right. I think that the most difficulty right
now with credit card mailing is the ready access checks, get 0
percent if you use these checks. If the consumer doesn't open
the envelope, they are throwing away a checkbook, you know,
which is very easy for somebody else to pick up and try and
use.
Mr. Gerlach. That is an interesting point. Nowadays, I can
tell--there are things I can do so that I don't get certain
kinds of junk phone calls. Are there things that consumers can
do if you don't want to get any more of these checks, for
instance, because I get them all the time, and I try to
remember to tear them up before I discard them, but I don't
always open the envelopes, and I am not giving my address out
at this hearing, but--can you--can a consumer avoid being sent
those kinds of free checks?
Ms. Lenahan. Well, the--they can contact their credit card
company and just simply ask them to stop, and you don't usually
receive those types of checks until you already have an account
with that credit card company. It is after that that you start
to get a lot of the mailing, use the checks, get this
percentage rate. But there is----
Mr. Gerlach. I get checks from credit cards I haven't had
in 10 years.
Ms. Lenahan. Well, that is--they still have you--you didn't
close the account.
Mr. Gerlach. Right.
Ms. Lenahan. I would recommend closing an account for any
card that you are not using. But the State has the Do Not Call
list, which is supposed to include mailing as well, but I do
not believe that that covers an existing account, an open
account.
Mr. Gerlach. Mr. Ryan, did you have any comment on any of
that?
Mr. Ryan. No, I think that is exactly my sense.
Mr. Gerlach. Okay. Well, that is it. Okay. Thank you both--
--
Ms. Lenahan. Thank you.
Mr. Gerlach. [continuing] very much for your testimony. It
has been very helpful.
Mr. Greenwood. We are going to take about a 5-minute break
before we call our next panel.
[Brief recess]
Mr. Greenwood. Okay. The committee will come to order, and
I see that our third panel has arrived, and they are Ms. Betsy
Broder of the Federal Trade Commission. She is the Assistant
Director of the Division of Planning and Information of the
Bureau of Consumer Protection from Washington; Mr. Kevin Burke,
who is the Deputy Chief Postal Inspector for Eastern Field
Operations, here in the--he is a U.S. Postal Inspector here in
Langhorne, Pennsylvania, welcome; Mr. John M. Abel is the
Pennsylvania Attorney General--from the Pennsylvania Attorney
General's Office, Senior Deputy Attorney General, Bureau of
Consumer Protection, welcome, sir thank you for coming here
from Philadelphia; and from the State Police, we have
Lieutenant Colonel Ralph M. Periandi. Am I saying that right?
Mr. Periandi. Yes, sir.
Mr. Greenwood. Okay. He is a Deputy Commissioner of
Operations from Harrisburg, and we thank you for coming. As you
have heard me say to the other witnesses, we take testimony in
this Subcommittee under oath, and I have to ask if any of you
object to giving your testimony under oath. Okay. You are, also
pursuant to the rules of the committee and the House of
Representatives, entitled to be represented by counsel. Any of
you wish to be represented by counsel? You all have good clear
consciences. No need for that. Okay, in that case, if you would
stand and raise your right hands, please.
[Witnesses sworn.]
Mr. Greenwood. Okay. You are all under oath, and we will
begin with Ms. Broder. Welcome and thank you for your
testimony. You want to take that microphone there, not that
one. You want them both near. The stenographer needs the one on
the little white triangle, but you need to speak clearly into
that one.
Ms. Broder. Thank you, and----
Mr. Greenwood. And it is--thank you.
TESTIMONY OF BETSY BRODER, ASSISTANT DIRECTOR, DIVISION OF
PLANNING AND INFORMATION, BUREAU OF CONSUMER AFFAIRS, FEDERAL
TRADE COMMISSION; KEVIN J. BURKE, DEPUTY CHIEF INSPECTOR FOR
EASTERN FIELD OPERATIONS, U.S. POSTAL INSPECTOR; JOHN M. ABLE,
PENNSYLVANIA ATTORNEY GENERAL; AND LT. COL. RALPH M. PERIANDI,
DEPUTY COMMISSIONER, OPERATIONS, PENNSYLVANIA STATE POLICE
Ms. Broder. Good morning, Mr. Chairman and Congressman
Gerlach.
Identify theft has become a consumer protection issue of
dramatic proportions. As has been earlier stated, the numbers
are staggering. Within the space of 1 year, almost 10 million
persons suffered some form of identity fraud, from the misuse
of an existing account to the complete takeover of their
identity by opening new accounts, obtaining government
benefits, or even filing for bankruptcy.
In addition to the trauma to the victims, which cannot be
underestimated, this crime costs our society over $53 billion
in the space of 1 year, with an additional 300 million hours
spent by victims trying to undo the damage. We appreciate the
opportunity to describe today some of the initiatives the FTC
has undertaken to respond to this growing problem.
The Federal Trade Commission has been playing a key role in
addressing identity theft and the problem it spawns well before
the enactment of the Identity Theft and Assumption Deterrence
Act of 1998, but that Act directed us to take a more central
role in working with victims, educating the public,
coordinating with law enforcement, criminal law enforcement in
particular, and working with the private sector.
For consumers, we offer victim assistance through our toll-
free hotline at 877-IDTHEFT and our online complaint form and
other resources at consumer.gov/idtheft. Through either of
these portals, consumers provide us with information concerning
the episode of identity theft, and our trained phone counselors
guide them through the steps that they need to take to start
repairing the damage done by the theft and reducing the risk of
any additional harm. Online consumers can obtain the same
information from the materials we have posted on our website.
The ID Theft site also links to our identity theft affidavit, a
uniformly accepted affidavit that victims can use to dispute
fraudulently opened accounts. This takes the place of the
cumbersome process which I think Ms. Kane referred to, of
filling out separate and distinct forms for each of the
fraudulently opened accounts. It makes the recovery that much
easier, and a copy of the affidavit is contained in our
identity theft book, When Bad Things Happen to Your Good Name.
We have an additional identity theft piece, What's It All
About, which is a practical guide for identity theft, a
condensed version of our identity theft major publication, both
of which are available in both English and Spanish.
We want consumers to be empowered to take the steps that
they need to to safeguard their identity, to be mindful of how
they make information about themselves available online and
off, to take care in how they make their personally identifying
information available, how they handle our trash to whether
they put firewalls up and engage in commerce on the Internet
carefully and with due regard for their identifying
information.
I would just like to point out, Mr. Chairman, that you have
made great use of our resources online by linking directly from
your home site to our identity theft information, the booklets
and the affidavit. This is exactly what we are trying to do, to
leverage our resources, so that others make them available to
audiences that we might not be able to reach. We appreciate
very much all of your fine efforts in that regard.
The FTC's role also extends to supporting criminal law
enforcement and prosecution of these crimes. The FTC is a civil
agency. We do not have jurisdiction to enforce the identity
theft law, but our colleagues, some of whom are represented at
this table, do.
I mentioned that identity theft victims, when they contact
us either by the phone or online, provide information about the
incident of identity theft. That information we enter into our
Identity Theft Data Clearinghouse, and we share it with law
enforcement agencies around the country. Almost 800 individual
agencies, representing thousands of investigators, can log on
to this site through a secure Internet connection and get
access to the more than 400,000 identity theft complaints that
we have received and also that have been sent to us by the
Social Security Administration Office of Inspector General.
So law enforcement agencies from the Bucks County and
Montgomery County District Attorney's Office, to the U.S.
Postal Inspection Service nationwide, to a cop in the Los
Angeles Police Department can see the big picture. They are all
logging on to the same data at the same time. This aggregated
data takes the place of the individual complaints that may have
come across their desks, so rather than just seeing that one
complaint from the one person, they are able to add to that
complaint by searching the data base, and seeing how pervasive
the problem is, making ID theft more attractive for
prosecution.
We have also teamed with the Inspection Service, the Secret
Service and the U.S. Department of Justice to conduct training
for law enforcement around the country. We have reached more
than 1,000 of these first responders--with guidance on how to
deal with identity theft victims, and how to build a case for
prosecutors. So hopefully, what this means is that the story
that we heard from Mrs. Kane about how the law enforcement
would not listen to her, hopefully that tide is changing. They
are looking at the individual as a victim of this crime, not
simply the financial institutions that may have ultimately to
carry the financial weight, but also, the person whose
information has been misused are victims.
The International Association of Chiefs of Police have
passed a resolution urging their members to take police reports
in the jurisdiction where the victim resides. That is the one
thing that remains constant. The thief may be operating in many
jurisdictions, making it very hard for law enforcement to nail
it down, but the victim always remains where she is, and so the
police departments in the municipality of the victim are urged
to issue police reports. That is of even greater importance now
that we have the Police Report Blocking Initiative. The police
report is an essential piece of recovery for victims of
identity theft.
One other point on law enforcement. We provide our data in
the central data base that can be accessed by investigators one
by one, but we also reach out with more specialized assistance.
For example, the Identity Theft Task Force in Philadelphia
requested, and we provided, a set of data from our data base
that matched their jurisdictional range, so what we did was we
took from our data base the complaints pertaining to that
jurisdiction in the Philadelphia area, and I think there are
other jurisdictions represented on that Task Force. They add to
that some of their own data, so they have richer resources to
drill further into this crime and build better cases. We work
both in the collective and the individual groups on rooting out
this pervasive crime.
And finally, the business community plays a key role in
reducing the incidence of identity theft and working with
victims. In addition to using and accepting the identity theft
affidavit, the FTC has worked with companies who themselves
have had their customers' or clients' data stolen, for example,
the Red Cross. We provide direction to those companies on how
to contact the persons whose information has fallen into the
hands of criminals. The FTC staff also guides them to the
appropriate law enforcement agency, and to work with the credit
reporting agencies, so they can build together a mechanism to
facilitate the recovery for the victims, and to provide them
with the appropriate notice.
We also have drafted a standard letter for these companies
to use in sending out to the people whose information has been
compromised, so they get all of the appropriate contact
information. They don't have to do their own homework or
discover it for themselves. It also provides them with a link
to our identity theft materials.
We know that these sorts of wholesale incidents of identity
theft are becoming more commonplace, so rather than have our
staff on the phone each and every time this happened, we have
built an Identity Theft Response Kit that is posted on our home
site that companies can go to to download the contact letter to
see how to contact the credit reporting agencies and law
enforcement as well, to make it easier for them to do their
job.
Finally, the recent amendments to the FCRA, the FACT Act,
including the codification of the fraud alert process with the
credit reporting agencies, and the development of what are
called red flag indicators of identity theft for financial
institutions will certainly have an impact on this daunting
crime. But clearly there is much that remains to be done, and
the FTC will continue to make this a priority of its work.
We thank you very much for the opportunity to testify
today.
[The prepared statement of Betsy Broder follows:]
Prepared Statement of Betsy Broder, Assistant Director, Division of
Planning and Information, Bureau of Consumer Protection, Federal Trade
Commission
i. introduction
Mr. Chairman, and members of the Subcommittee, I am Betsy Broder,
Assistant Director of the Division of Planning and Information, Bureau
of Consumer Protection, Federal Trade Commission (``FTC'' or
``Commission'').1 I appreciate the opportunity to present
the Commission's views on the impact of identity theft on consumers.
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission. My oral presentation and responses to questions are my
own and do not necessarily represent the views of the Commission or any
Commissioner.
---------------------------------------------------------------------------
The Federal Trade Commission has a broad mandate to protect
consumers, and controlling identity theft is an important issue of
concern to all consumers. The FTC's role in combating identity theft
derives from the 1998 Identity Theft Assumption and Deterrence Act
(``the Identity Theft Act'' or ``the Act'').2 The Act
directed the Federal Trade Commission to establish the federal
government's central repository for identity theft complaints, to make
available and to refer these complaints to law enforcement for their
investigations, and to provide victim assistance and consumer
education. Thus, the FTC's role under the Act is primarily one of
facilitating information sharing among public and private
entities.3 The Commission also works extensively with
industry on ways to improve victim assistance, including providing
direct advice and assistance in cases of security breaches involving
sensitive information of customers or employees.
---------------------------------------------------------------------------
\2\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18
U.S.C. � 1028).
\3\ Most identity theft cases are best addressed through criminal
prosecution. The FTC itself has no direct criminal law enforcement
authority. Under its civil law enforcement authority provided by
Section 5 of the FTC Act, the Commission may, in appropriate cases,
bring actions to stop practices that involve or facilitate identity
theft. See, e.g., FTC v. Corporate Marketing Solutions, Inc., CIV-02
1256 PHX RCB (D. Ariz. Feb. 3, 2003) (final order) (defendants
``pretexted'' personal information from consumers and engaged in
unauthorized billing of consumers' credit cards) and FTC v. C.J., CIV-
03 5275 GHK (RZx) (C.D. Cal. July 24, 2003) (final order) (defendant
sent spam purporting to come from AOL and created an AOL look-alike
website in order to obtain credit card numbers and other financial data
from consumers which defendant used for unauthorized online
purchases.). In addition, the FTC brought six complaints against
marketers for purporting to sell international driver's permits that
could be used to facilitate identity theft. Press Release, Federal
Trade Commission, FTC Targets Sellers Who Deceptively Marketed
International Driver's Permits over the Internet and via Spam (Jan. 16,
2003), available at http://www.ftc.gov/opa/2003/01/idpfinal.htm.
---------------------------------------------------------------------------
ii. the federal trade commission's role in combating identity theft
The Identity Theft Act strengthened the criminal laws governing
identity theft 4 and focused on consumers as
victims.5 In so doing, Congress recognized that coordinated
efforts are essential to best serve the needs of identity theft victims
because these fraud victims often need assistance both from government
agencies at the national and state or local level and from businesses.
To fulfill the Act's mandate, the Commission implemented a program that
focuses on three principal components: (1) collecting complaints and
providing victim assistance through a telephone hotline and a dedicated
website; (2) maintaining and promoting the Identity Theft Data
Clearinghouse (the ``Clearinghouse''), a centralized database of victim
complaints that serves as an investigative tool for law enforcement;
and (3) providing outreach and education to consumers, law enforcement,
and private industry on prevention of identity theft.
---------------------------------------------------------------------------
\4\ 18 U.S.C. � 1028(a)(7). The statute broadly defines ``means of
identification'' to include ``any name or number that may be used,
alone or in conjunction with any other information, to identify a
specific individual,'' including, among other things, name, address,
social security number, driver's license number, biometric data, access
devices (i.e., credit cards), electronic identification number or
routing code, and telecommunication identifying information.
\5\ Because individual consumers' financial liability is often
limited, prior to the passage of the Act, financial institutions,
rather than individuals, tended to be viewed as the primary victims of
identity theft. Setting up an assistance process for consumer victims
is consistent with one of the Act's stated goals: to recognize the
individual victims of identity theft. See S. Rep. No. 105-274, at 4
(1998).
---------------------------------------------------------------------------
A. Understanding Identity Theft
On November 1, 1999, the Commission began collecting complaints
from consumers via a toll-free telephone number, 1-877-ID THEFT (438-
4338) (``ID Theft hotline''). Every year since has seen an increase in
complaints.6 The Clearinghouse now contains over 400,000
identity theft complaints from victims across the country. By itself,
though, this self-reported data does not allow the FTC to draw
conclusions about the incidence of identity theft in the general
population. Consequently, the FTC commissioned a survey to get a better
picture of the incidence of identity theft and the impact of the crime
on its victims.7 The results are startling. Identity theft
is more widespread and pernicious than previously realized. The data
show that within the 12 months preceding the survey, 3.2 million people
discovered that an identity thief opened new accounts in their name. An
additional 6.6 million consumers learned of the misuse of an existing
account. Overall, nearly 10 million people--or 4.6 percent of the adult
population--discovered that they were victims of some form of identity
theft. These numbers translate to nearly $48 billion in losses to
businesses, nearly $5 billion in losses to victims, and almost 300
million hours spent by victims trying to resolve the problem. Moreover,
according to the researchers, identity theft is a growing crime. The
survey indicates a significant increase in the past 2-3 years--nearly a
doubling from one year to the next, although the research shows that
the rate of increase slowed during the past 1-2 years. It also is worth
noting that most of the recent increase primarily involves the account
takeover form of identity theft that tends to cause less economic
injury to victims and is generally easier for them to identify and fix.
Overall, the survey puts the problem of identity theft into sharper
focus, and has spurred the FTC to even greater efforts to help victims
and support law enforcement in its aggressive prosecution of identity
thieves.
---------------------------------------------------------------------------
\6\ Charts that summarize data from the Clearinghouse can be found
at http://www.consumer.gov/idtheft/stats.html and
\7\ The research took place during March and April 2003. It was
conducted by Synovate, a private research firm, and involved a random
sample telephone survey of over 4,000 U.S. adults. The full report of
the survey can be found at http://www.consumer.gov/idtheft/stats.html.
---------------------------------------------------------------------------
B. Assisting Identity Theft Victims
In addition to taking complaints from victims, the FTC provides
advice on recovery from identity theft. Callers to the ID Theft hotline
receive telephone counseling from specially trained personnel who
provide general information about identity theft and help guide victims
through the steps needed to resolve the problems resulting from the
misuse of their identities.8 Victims are advised to: (1)
obtain copies of their credit reports from the three national consumer
reporting agencies and have a fraud alert placed on their credit
reports; 9 (2) contact each of the creditors or service
providers where the identity thief has established or accessed an
account, to request that the account be closed and to dispute any
associated charges; and (3) report the identity theft to the police and
get a police report, which is very helpful in demonstrating to would-be
creditors and debt collectors that the consumers are genuine victims of
identity theft.
---------------------------------------------------------------------------
\8\ Spanish speaking counselors are available for callers who are
not fluent in English.
\9\ These fraud alerts indicate that the consumer is to be
contacted before new credit is issued in that consumer's name. See
Section II.D.(3)(b) infra for a discussion of the credit reporting
agencies ``joint fraud alert'' initiative.
---------------------------------------------------------------------------
Counselors also advise victims having particular problems about
their rights under relevant consumer credit laws including the Fair
Credit Reporting Act, 10 the Fair Credit Billing Act,
11 the Truth in Lending Act, 12 and the Fair Debt
Collection Practices Act.13 If the investigation and
resolution of the identity theft falls under the jurisdiction of
another regulatory agency that has a program in place to assist
consumers, callers also are referred to those agencies.
---------------------------------------------------------------------------
\10\ 15 U.S.C. � 1681 et seq.
\11\ Id. � 1666. The Fair Credit Billing Act generally applies to
``open end'' credit accounts, such as credit cards, revolving charge
accounts, and overdraft checking accounts. It does not cover
installment contracts, such as loans or extensions of credit that are
repaid on a fixed schedule.
\12\ Id. � 1601 et seq.
\13\ Id. � 1692 et seq.
---------------------------------------------------------------------------
The FTC's identity theft website, located at www.consumer.gov/
idtheft, provides equivalent service for those who prefer the immediacy
of an online interaction. The site contains a secure complaint form
that allows victims to enter their identity theft information for input
into the Clearinghouse. Victims also can read and download all of the
resources necessary for reclaiming their credit record and good name.
One resource in particular is the FTC's tremendously successful
consumer education booklet, Identity Theft: When Bad Things Happen to
Your Good Name. The 26-page booklet, now in its fourth edition,
comprehensively covers a range of topics, including the first steps to
take for victims, how to correct credit-related and other problems that
may result from identity theft, tips for those having trouble getting a
police report taken, and advice on ways to protect personal
information. It also describes federal and state resources that are
available to victims who may be having particular problems as a result
of the identity theft. The FTC alone has distributed more than 1.2
million copies of the booklet since its release in February 2000, and
recorded over 1.2 million visits to the web version.14 Last
year, the FTC released a Spanish language version of the Identity Theft
booklet, Robo de Identidad: Algo malo puede pasarle a su buen nombre.
---------------------------------------------------------------------------
\14\ Other government agencies, including the Social Security
Administration, the SEC, and the FDIC also have printed and distributed
copies of Identity Theft: When Bad Things Happen to Your Good Name.
---------------------------------------------------------------------------
C. The Identity Theft Data Clearinghouse
Because one of the primary purposes of the Identity Theft Act was
for criminal law enforcement agencies to use the database of victim
complaints to support their investigations, the Commission took a
number of steps to ensure that the database would meet the needs of law
enforcement, before launching it. Initially, the FTC met with a host of
law enforcement and regulatory agencies to obtain feedback on what the
database should contain. Law enforcement access to the Clearinghouse
via the FTC's secure website became available in July of 2000. To
ensure that the database operates as a national clearinghouse for
complaints, the FTC has solicited complaints from other sources. For
example, in February 2001, the Social Security Administration Office of
Inspector General (SSA-OIG) began providing the FTC with complaints
from its fraud hotline, significantly enriching the FTC's database.
The Clearinghouse provides a picture of the nature, prevalence, and
trends of the identity theft victims who submit complaints. FTC data
analysts aggregate the data and develop them into charts and
statistics.15 For instance, the Commission publishes charts
showing the prevalence of identity theft by states and by cities. Law
enforcement and policy makers at all levels of government use these
reports to better understand the challenges identity theft presents.
---------------------------------------------------------------------------
\15\ Charts that summarize data from the Clearinghouse can be found
at http://www.consumer.gov/idtheft/stats.html and http://
www.consumer.gov/sentinel/index.html.
---------------------------------------------------------------------------
Since the inception of the Clearinghouse, more than 770 law
enforcement agencies, from the federal to the local level, have signed
up for access to the database. Individual investigators within those
agencies have the ability to access the system from their desktop
computers 24 hours a day, seven days a week. The Commission actively
encourages even greater participation.
As previously stated, one of the goals of the Clearinghouse and the
FTC's identity theft program is to support identity theft prosecutions
nationwide.16 Last year, in an effort to further expand the
use of the Clearinghouse among law enforcement, the FTC, in cooperation
with the Department of Justice, the United States Postal Inspection
Service, and the United States Secret Service, initiated full-day
identity theft training seminars for state and local law enforcement
officers. To date, sessions have been held in Washington, D.C., Des
Moines, Chicago, San Francisco, Las Vegas, Dallas, Phoenix, New York,
Seattle, and San Antonio. The FTC also helped the Kansas and Missouri
offices of the U.S. Attorney and State Attorney General conduct a
training seminar in Kansas City. More than 1200 officers have attended
these seminars, representing more than 300 different agencies. A
session to be held in Orlando in January will commence next year's
round of seminars.
---------------------------------------------------------------------------
\16\ The Commission testified last year in support of S. 2541, the
Identity Theft Penalty Enhancement Act of 2002, which would increase
penalties and streamline proof requirements for prosecution of many of
the most harmful forms of identity theft. See Testimony of Bureau
Director J. Howard Beales, Senate Judiciary Committee, Subcommittee on
Terrorism, Technology and Government Information (July 11, 2002). S.
2541 has been reintroduced in the 108th Congress as S. 153.
---------------------------------------------------------------------------
The FTC staff also developed an identity theft case referral
program.17 The staff creates preliminary investigative
reports by examining significant patterns of identity theft activity in
the Clearinghouse and refining the data through the use of additional
investigative resources. Then the staff refers the investigative
reports to appropriate Financial Crimes Task Forces and other law
enforcers located throughout the country for further investigation and
potential prosecution. The FTC is aided in this work by its federal law
enforcement partners including the United States Secret Service, the
Federal Bureau of Investigation, and the United States Postal
Inspection Service who provide staff and other resources.
---------------------------------------------------------------------------
\17\ The referral program complements the regular use of the
database by all law enforcers from their desktop computers.
---------------------------------------------------------------------------
D. Outreach and Education
The Identity Theft Act also directed the FTC to provide information
to consumers about identity theft. Recognizing that law enforcement and
private industry each play an important role in the ability of
consumers both to minimize their risk and to recover from identity
theft, the FTC expanded its outreach and education mission to include
these sectors.
(1) Consumers: The FTC has taken the lead in coordinating with
other government agencies and organizations in the development and
dissemination of comprehensive consumer education materials for victims
of identity theft and those concerned with preventing this crime. The
FTC's extensive consumer and business education campaign includes print
materials, media mailings, and radio and television interviews. The FTC
also maintains the identity theft website, which includes the
publications and links to testimony, reports, press releases, identity
theft-related state laws, and other resources.
To increase identity theft awareness for the average consumer, the
FTC recently developed a new primer on identity theft, ID Theft: What's
It All About? This publication discusses the common methods of identity
thieves, how consumers can best minimize their risk of being
victimized, how to identify the signs of victimization, and the basic
first steps for victims. Since its release in May 2003, the FTC has
distributed almost 268,000 paper copies, and over 15,000 web versions.
With the detailed victim recovery guide, Identity Theft: When Bad
Things Happen to Your Good Name, the publication helps to fully educate
consumers.
(2) Law Enforcement: Because law enforcement at the state and local
level can provide significant practical assistance to victims, the FTC
places a premium on outreach to such agencies. In addition to the
training described previously (see supra Section II.C.), the FTC staff
joined with North Carolina's Attorney General Roy Cooper to send
letters to every other Attorney General letting him or her know about
the FTC's identity theft program and how each Attorney General could
use the resources of the program to better assist residents of his or
her state. The letter encouraged each Attorney General to link to the
consumer information and complaint form on the FTC's website and to let
residents know about the hotline, stressed the importance of the
Clearinghouse as a central database, and described all of the
educational materials that each Attorney General can distribute to
residents. North Carolina took the lead in availing itself of the
Commission's resources in putting together for its resident victims a
package of assistance that includes the ID Theft Affidavit (see Section
II.D.(3)(b)), links to the FTC website and www.consumer.gov/idtheft.
Through this initiative, the FTC hopes to make the most efficient use
of federal resources by allowing states to take advantage of the work
the FTC already has accomplished and at the same time continuing to
expand the centralized database of victim complaints and increase its
use by law enforcement nationwide. Other outreach initiatives include:
(i) Participation in a ``Roll Call'' video produced by the Secret
Service, which has been sent to thousands of law enforcement
departments across the country to instruct officers on identity theft,
investigative resources, and assisting victims and (ii) the redesign of
the FTC's website to include a section for law enforcement with tips on
how to help victims as well as resources for investigations.
(3) Industry: The private sector can help with the problem of
identity theft in a number of ways. For instance, businesses can
prevent identity theft by keeping their customers' or employees'
sensitive information secure and out of the wrong hands. In addition,
businesses can implement procedures to assist identity theft victims in
the recovery process.
(a) Information Security Breaches: The FTC works with institutions
that maintain personal information to identify ways to help keep that
information safe from identity theft. Last year, the FTC invited
representatives from financial institutions, credit issuers,
universities, and retailers to an informal roundtable discussion of how
to prevent unauthorized access to personal information in employee and
customer records. The FTC will soon publish a self-assessment guide to
make businesses and organizations of all sizes more aware of how they
manage personal information and to aid them in assessing their security
protocols.
As awareness of the FTC's role in identity theft has grown,
businesses and organizations that have suffered compromises of personal
information have begun to contact the FTC for assistance. For example,
in the cases of TriWest 18 and Ford/Experian, 19
in which tens of thousands of consumers' files were compromised, the
Commission gave advice on how to notify those individuals and how to
protect the data in the future. To provide better assistance in these
types of cases, the FTC developed a kit, Information Compromise and the
Risk of Identity Theft: Guidance for Your Business, that will be posted
on the identity theft website in the coming weeks. The kit provides
advice on which law enforcement agency to contact, business contact
information for the three major credit reporting agencies, suggestions
for establishing an internal communication protocol, information about
contacting the FTC for assistance, and a detailed explanation of what
information individuals need to know. The kit also includes a model
letter for notifying individuals when their names and Social Security
numbers have been taken. Organizations are encouraged to print and
include copies of Identity Theft: When Bad Things Happen to Your Good
Name with the letter to individuals.
---------------------------------------------------------------------------
\18\ Adam Clymer, Officials Say Troops Risk Identity Theft After
Burglary, N.Y. Times, Jan. 12, 2003, � 1 (Late Edition), at 12.
\19\ Kathy M. Kristof and John J. Goldman, 3 Charged in Identity
Theft Case, LA Times, Nov. 6, 2002, Main News, Part 1 (Home Edition),
at 1.
---------------------------------------------------------------------------
The FTC particularly stresses the importance of notifying
individuals as soon as possible when information has been taken that
may put them at risk for identity theft. They can then begin to take
steps to limit the potential damage to themselves. For example,
individuals whose Social Security numbers have been compromised, and
who place a fraud alert promptly have a good chance of preventing, or
at least reducing, the likelihood that the theft or release of this
information will turn into actual misuse. Prompt notification also
alerts these individuals to review their credit reports and to watch
for the signs of identity theft. In the event that they should become
victims, they can quickly take action to clear their records before any
long-term damage is done. Besides providing Information Compromise and
the Risk of Identity Theft: Guidance for Your Business, the FTC staff
can provide individual assistance and advice, including review of
consumer information materials for the organization and coordination of
searches of the Clearinghouse for complaints with the law enforcement
officer working the case.
(b) Victim Assistance: Identity theft victims spend significant
time and effort restoring their good name and financial records. As a
result, the FTC devotes significant resources to conducting outreach
with the private sector on ways to improve victim assistance
procedures. One such initiative arose from the burdensome requirement
that victims complete a different fraud affidavit for each different
creditor with whom the identity thief had opened an
account.20 To reduce that burden, the FTC worked with
industry and consumer advocates to create a standard form for victims
to use in resolving identity theft debts. From its release in August
2001 through October 2003, the FTC has distributed more than 293,000
print copies of the ID Theft Affidavit. There have also been nearly
479,000 hits to the web version. The affidavit is available in both
English and Spanish.
---------------------------------------------------------------------------
\20\ See ID Theft: When Bad Things Happen to Your Good Name:
Hearing Before the Subcomm. on Technology, Terrorism and Government
Information of the Senate Judiciary Comm. 106th Cong. (2000) (statement
of Mrs. Maureen Mitchell, Identity Theft Victim).
---------------------------------------------------------------------------
Another initiative designed to assist victims is the ``joint fraud
alert'' administered by the three major credit reporting agencies
(``CRAs''). After receiving a request from an identity theft victim for
the placement of a fraud alert on his or her consumer report and for a
copy of that report, each CRA now shares that request with the other
two CRAs, thereby eliminating the requirement that the victim contact
each of the three major CRAs separately.
iii. new protections for identity theft victims
On December 4, President Bush signed the Fair and Accurate Credit
Transactions Act of 2003.21 Many of the provisions amend the
Fair Credit Reporting Act (``FCRA'') 22 and provide new and
important measures to prevent identity theft, enhance consumer ability
to detect it when it does occur, and facilitate identity theft victims'
recovery.23
---------------------------------------------------------------------------
\21\ Pub. L. No. 108-396 (2003) (codified at 15 U.S.C. � 1681 et
seq.).
\22\ 15 U.S.C. � 1681 et seq.
\23\ The Commission testified on July 9 and 10, 2003 before the
House Committee on Financial Services and the Senate Committee on
Banking, Housing, and Urban Affairs respectively. The testimony can be
found at http://www.ftc.gov/os/2003/07/fcratest.html and http:///
www.ftc.gov/os/2003/07/fcrasenatettest.htm.
---------------------------------------------------------------------------
A. Access to free consumer reports 24
---------------------------------------------------------------------------
\24\ Pub. L. No. 108-396, � 211 (2003).
---------------------------------------------------------------------------
Previously, under the FCRA consumers were entitled to a free
consumer report only under limited circumstances.25 Now
consumers have the right to request a free consumer report annually
from nationwide CRAs. This benefit will enhance consumers' ability to
discover and correct errors, thereby improving the accuracy of the
system, and also can provide an early alert to identity theft victims
about crimes committed in their names.
---------------------------------------------------------------------------
\25\ Previously, free reports were available only pursuant to the
FCRA when the consumer suffered adverse action, believed that
fraudulent information may be in his or her credit file, was
unemployed, or was receiving welfare benefits. Absent one of these
exceptions, consumers had to pay a statutory ``reasonable charge'' for
a file disclosure; this fee is set each year by the Commission and is
currently $9. See 15 U.S.C. � 1681j. In addition, a small number of
states required the CRAs to provide free annual reports to consumers at
their request.
---------------------------------------------------------------------------
B. National fraud alert system 26
---------------------------------------------------------------------------
\26\ Pub. L. No. 108-396, � 112 (2003).
---------------------------------------------------------------------------
Under this provision, consumers who reasonably suspect they have
been or may be victimized by identity theft, or who are military
personnel on active duty away from home, can place an alert on their
credit files. The alert will put potential creditors on notice that
they must proceed with caution when granting credit in the consumer's
name. The provision also codified and standardized the industry's
``joint fraud alert'' initiative (see Section II.D.(3)(b) supra).
C. Identity theft account blocking 27
---------------------------------------------------------------------------
\27\ Id. � 152.
---------------------------------------------------------------------------
This provision requires CRAs immediately to cease reporting, or
block, allegedly fraudulent account information on consumer reports
when the consumer submits a police report or similar document, unless
there is reason to believe the report is false. Blocking would mitigate
the harm to consumers' credit records that can result from identity
theft.
D. Truncation of credit and debit card receipts 28
---------------------------------------------------------------------------
\28\ Id. � 113.
---------------------------------------------------------------------------
In many instances, identity theft results from thieves obtaining
access to account numbers on credit card receipts. This source of fraud
could be reduced by requiring merchants to truncate the full card
number on the receipt. The use of truncation technology is becoming
widespread, and some card issuers already require merchants to
truncate. This law now requires truncation of credit and debit card
numbers on electronic receipts, but creates a phase-in period to allow
for the replacement of existing equipment.E. ``Red flag'' indicators of
identity theft 29
---------------------------------------------------------------------------
\29\ Id. � 114.
---------------------------------------------------------------------------
Under this provision, the banking regulators and the FTC will
jointly develop guidelines for ``red flag'' indicators of identity
theft. The goal of this provision is to give financial institutions and
creditors up-to-date information on identity theft patterns and
practices so that they can take appropriate action to prevent this
crime.
iv. conclusion
Identity theft places substantial costs on individuals and
businesses. The Commission, through its education and enforcement
capabilities, is committed to reducing identity theft as much as
possible. The Commission will continue its efforts to assist criminal
law enforcement with their investigations. Prosecuting perpetrators
sends the message that identity theft is not cost-free. Finally, the
Commission knows that as with any crime, identity theft can never be
completely eradicated. Thus, the Commission's program to assist victims
and work with the private sector on ways to facilitate the process for
regaining victims' good names will always remain a priority.
Mr. Greenwood. Thank you very much, Ms. Broder. Mr. Burke.
TESTIMONY OF KEVIN J. BURKE
Mr. Burke. Good morning, Mr. Chairman and Congressman
Gerlach. On behalf of the United States Postal Inspection
Service, thank you for holding this hearing and giving me the
opportunity to discuss the subject of identity crimes and the
significant role postal inspectors play in combating it.
I am Kevin Burke, Deputy Chief Inspector for Eastern Field
Operations for the Postal Inspection Service. The
responsibility of safeguarding 200 billion pieces of mail and
ensuring America's trust in the postal system falls squarely on
the shoulders of the United States Postal Inspectors. As
Federal law enforcement officers, we enforce over 200 Federal
statutes. Primary among those are the theft or possession of
stolen mail statute and the oldest, and still the most
effective consumer protection law, the mail fraud statute.
Mr. Greenwood. I am sorry, we are going to need you to pull
that microphone up.
Mr. Burke. Last year, Postal Inspectors made over 11,000
arrests. 3,000 of those arrests were made for identity theft.
Identity theft arrests have increased in each of the past 3
years.
I am sure all of you have received pre-approved credit
applications in the mail. In the past, those mailings were
prime targets for an identity thief, because they simply
required the thief to sign the application and return it to the
company. But times have changed, due to our efforts in raising
awareness of the problem. For example, credit card companies
have adopted recommendations we have made and have begun
automatically discarding suspicious looking applications for
credit, especially when there are differences between where the
consumer claims they reside and what address their customer
file indicates. In addition, credit card companies have changed
another of their practices. Credit offers sent through the mail
now contain much less information.
Another favorite vehicle for thieves used to be the
fraudulent change of address scheme, directing the Post Office
to forward a victim's mail to an address the thief controlled.
Not any more. A proactive effort by the Postal Service to
prevent a false change of address is the Move Validation
Letter. Now, whenever a change of address is filed, the Postal
Service sends a letter to both the new and old addresses. The
letter instructs the recipient to call an 800 number if they
have not recently requested a change. This simple measure has
virtually eliminated the placing of false change of address
with the Postal Service as an avenue for committing identity
theft.
According to a report released by the FTC this past
September, mail theft as a source of identity theft happened in
only 4 percent of the cases surveyed. As we have made it more
difficult for mail theft to be a component of identity theft,
criminals have turned to other means, oftentimes recruiting the
assistance of insiders, employees who have access to personal
information of clients or other employees. Personal information
contained in corporate and government records and computer data
bases is a fertile area for dishonest employees working in
conjunction with identity thieves.
Three years ago, a Philadelphia resident reported to police
that after her father's death, she continued receiving credit
card bills showing changes made in her father's name. The
statements even reflected a request for a new account. U.S.
Postal Inspectors and detectives from the Philadelphia Police
Department determined that her father's identity had been
stolen when his body was processed through the Medical
Examiner's Office. 16 suspects were ultimately identified, 10
of them employees working within the Medical Examiner's Office.
The employees used the credit cards to make purchases for
themselves or passed the credit cards on and other personal
information they found to outsiders. The scheme went on for 3
years before they got caught. All 16 defendants were caught and
convicted. Postal Inspectors were called in to participate in
the investigation as bills for illegally purchased items were
sent through the mail, as was financial information for newly
and fraudulently opened accounts.
Just last month, in a separate investigation, Postal
Inspectors in Philadelphia and other task force member arrested
the ringleader of an identity theft gang. A search of his
Chester residence found a commercial grade credit card
embossing machine that the suspect had purchased over the
Internet. The suspect used a fictitious name and had his
purchase delivered by private courier to an abandoned
Philadelphia area address, all without arousing suspicion. When
searching his house, we also recovered 2,500 blank credit
cards, numerous counterfeited credit cards, valid credit cards
that had been stolen from the mail and counterfeit
Pennsylvania, Virginia, Florida and District of Columbia
drivers' licenses.
Postal Inspectors together with the FBI are also
investigating the identity theft of about 30 Montgomery and
Delaware County residents who donated blood to the American Red
Cross in November or December of last year. Donors are required
to supply their names, as was previously mentioned, Social
Security number and other identifying information before giving
blood. As was previously mentioned, this is a still active
investigation, and I am not at liberty to discuss any details.
However, I would like to commend the American Red Cross for
their efforts in proactively--and assisting in this
investigation.
In 2002, Patrick J. Meehan, U.S. Attorney for the Eastern
District of Pennsylvania, formed a regional working group to
facilitate the sharing of intelligence and investigative
resources in combating identity theft in and around the
Philadelphia area. As a member of the Group, the Postal
Inspection Service has taken the lead in developing a web-based
data base that tracks customer and financial industry reports
of mail theft and identity theft. The data base allows all
Group members to track loss information and perform advanced
searches on victims' names. The data base also performs what is
known as ``link analysis,'' by automatically matching common
addresses used by thieves.
One of the most insidious aspects of identity theft is the
length of time the scheme can be carried out before it is even
detected. It may be months before a victim realizes they have
been targeted. It is not until a consumer gets turned down for
credit, a car loan, or a mortgage on that dream house because
of bad credit ratings that they realize what has taken place.
Damaged credit ratings may take years to restore. Victims run
the gamut of society. They are wealthy, they are poor, they are
old and they are young. No one is immune. Anyone is a potential
victim.
Aggressive law enforcement efforts are a key component of
our mission. But arrests are not the only solution. We have
found that creating awareness and prevention programs for
consumers can go a long way to lessen the impact of this crime
on the public.
Over the past 10 years, the Inspection Service has
published and distributed a series of brochures and posters and
newsletters to enhance and raise public awareness. Our
publication Identity Theft--Safeguard Your Personal Information
has been distributed to over 2 million consumers and
businesses. Detecting and Preventing Account Takeover Fraud,
another of our publications, advises credit card companies on
steps they can take to detect and prevent takeover schemes.
Our most recent document is not going to be published,
because it is an ever-changing, evolving document. It is called
Fighting Identity Theft, and will be provided as a best
practices to the financial industry, to law enforcement
agencies and consumer groups and prosecutors throughout the
United States.
Just this past September, the Postal Inspection Service,
along with our partners in the FTC and the Postal Service,
launched a nationwide awareness campaign on identity theft. We
used a two-pronged approach, providing prevention and awareness
information to consumers and informing businesses on the need
to safeguard their files and data bases containing customer
information. Actor Jerry Orbach, or television's Law and Order
fame, who himself was a victim of identity theft, was the
campaign's spokesman.
The Mullen agency of Pittsburgh provided support for this
year's campaign on a pro bono basis. But what really makes this
campaign unique is the funding source. We have all the saying
``crime doesn't pay.'' In the case of this awareness campaign,
it does pay. The campaign was funded with a unique application
of fines and forfeitures paid by criminals in past fraud cased.
Sometimes, the most effective vehicle in getting out the
message is when the message comes directly from an
authoritative source, the criminals themselves. Last year,
Postal Inspectors in Pittsburgh caught a man who stole the
identities of several celebrities, including the actor Will
Smith. The thief, Carlos Lomax, was prosecuted by the U.S.
Attorney's Office in the Western District of Pennsylvania and
convicted. Lomax agreed to let us tape an interview of him
describing what he did and how he did it.
Educating the public and working to reduce opportunities
where the Postal Service and the mail can be used for illegal
purposes are crucial elements in our fight against identity
crimes. As always, we will do our part to remove criminals from
society. We appreciate the subcommittee's recognition of this
important issue, and with your permission, sir, we would like
to play a brief portion of that tape.
[The prepared statement of Kevin J. Burke follows:]
Prepared Statement of Kevin J. Burke, Deputy Chief Inspector, Eastern
Field Operations, United States Postal Inspection Service
Good morning, Mr. Chairman, members of the subcommittee. On behalf
of the United States Postal Inspection Service, thank you for holding
this hearing and giving me the opportunity to discuss the subject of
identity crimes and the significant role Postal Inspectors play in
combating it.
I'm Kevin Burke, Deputy Chief Inspector, Eastern Field Operations,
for the Postal Inspection Service.
The responsibility for safeguarding 200 billion pieces of mail a
year and ensuring America's trust in the postal system falls on the
shoulders of U. S. Postal Inspectors.
As federal law enforcement officers, we enforce over 200 federal
statutes; primary among those are the theft or possession of stolen
mail statute and the oldest, and still the most effective consumer
protection law, the mail fraud statute. Last year, Postal Inspectors
made over 11,000 arrests. Three thousand of those arrests were for
identity theft. Identity theft arrests have increased each year for the
past three years.
I'm sure all of you have received pre-approved credit applications
in the mail. In the past, those mailings were prime targets for an
identity thief because they simply required the thief to sign the
application and return it to the company. But times have changed, due
to our efforts in raising awareness of the problem. For example, credit
card companies have adopted recommendations we've made and have begun
automatically discarding suspicious-looking applications for credit,
especially when there are differences between where the ``customer''
claims they reside and what address their customer file indicates. In
addition, credit card companies have changed another of their
practices--credit offers sent through the mail now contain much less
information.
Another favorite vehicle for thieves used to be the fraudulent
change-of-address scheme, directing the Post Office to forward a
victim's mail to an address the thief controlled. Not any more. A
proactive effort by the Postal Service to prevent a false change-of-
address is the Move Validation Letter. Now, whenever a change-of-
address is filed, the Postal Service sends a letter to both the old and
new addresses. The letter instructs the recipient to call an ``800''
number if they had not recently requested a change. This simple measure
has virtually eliminated the placing of a false change of address with
the Postal Service as an avenue for committing identity theft.
According to a report released by the FTC this past September, mail
theft as a source for identity theft happened in only 4% of the cases
surveyed. As we have made it more difficult for mail theft to be a
component of identity theft, criminals have turned to other means,
oftentimes recruiting the assistance of insiders, employees who have
access to the personal information of clients or other employees.
Personal information contained in corporate and government records
and computer databases is a fertile area for dishonest employees
working in conjunction with identity thieves.
Three years ago, a Philadelphia resident reported to police that,
after her father's death, she continued receiving credit card bills
showing charges made in her father's name. The statements even
reflected a request for a new account. US Postal Inspectors and
detectives from the Philadelphia Police Department determined that her
father's identity had been stolen when his body was processed through
the Medical Examiner's Office. Sixteen suspects were ultimately
identified, ten of them employees working within the Medical Examiner's
Office. The employees used the credit cards to make purchases for
themselves or passed the credit cards and other personal information
they found to outsiders. The scheme went on for three years before they
got caught. All sixteen defendants were caught and convicted. Postal
Inspectors were called in to participate in the investigation as bills
for illegally purchased items were sent through the mail as was
financial information for newly--and fraudulently--opened accounts.
Just last month, in a separate investigation, Postal Inspectors in
Philadelphia and other task force members arrested the ringleader of an
identity theft gang. A search of his Chester residence found a
commercial-grade credit card embossing machine that the suspect had
purchased over the Internet. The suspect used a fictitious name and had
his purchase delivered by private carrier to an abandoned Philadelphia
area address, all without arousing suspicion. When searching his house,
we also recovered over 2,500 blank credit cards, numerous counterfeited
credit cards, valid credit cards that had been stolen from the mail,
and counterfeit PA, VA, FL and DC drivers' licenses.
Postal Inspectors together with the FBI are also investigating the
identity theft of about 30 Montgomery and Delaware County residents who
donated blood to the American Red Cross in November or December of last
year. Donors are required to supply their names, social security
numbers and other identifying information before giving blood. As this
is still an active investigation, I am not at liberty to offer any
details other than the Red Cross has been very forthcoming in
cooperating with authorities and the case is ongoing.
In addition to modifying industry practices and making financial
mailings less attractive to a thief, our partnerships with regulatory,
financial industry and other law enforcement groups have resulted in a
number of initiatives.
In 2002, Patrick J. Meehan, U.S. Attorney for the Eastern District
of PA, formed a regional working group to facilitate the sharing of
intelligence and investigative resources in combating identity theft in
and around the Philadelphia area. As a member of the Group, the Postal
Inspection Service has taken the lead in developing a web-based
database that tracks customer and financial industry reports of mail
theft and identity theft. The database allows all Group members to
track loss information and perform advanced searches on victims' names.
The database also performs what is known as ``link analysis,'' by
automatically matching common addresses used by thieves.
One of the most insidious aspects of identity theft is the length
of time the scheme can be carried out before it is even detected. It
may be months before a victim realizes they've been targeted. It's not
until a consumer gets turned down for credit, a car loan or a mortgage
on a dream house because of a bad credit rating do they realize what
has taken place. Damaged credit ratings may take years to restore.
Victims run the gamut of society--they're wealthy, they're poor;
they're old, they're young. No one is immune. Anyone is a potential
victim.
Aggressive law enforcement efforts are a key component of our
mission. But arrests are not the only solution. We have found that
creating awareness and prevention programs for consumers can go a long
way to lessen the impact of this crime on the public.
Over the past 10 years, the Postal Inspection Service has published
and distributed a series of brochures, posters and newsletters to raise
public awareness. Our publication ``Identity Theft--Safeguard Your
Personal Information,'' has been distributed to over two million
consumers and businesses. ``Detecting and Preventing Account Takeover
Fraud,'' another of our publications, advises credit card companies on
steps they can take to detect and prevent takeover schemes.
Just this past September, the Postal Inspection Service, along with
our partners the FTC and the Postal Service launched a nationwide
awareness campaign on identity theft. We used a two-pronged approach:
providing prevention and awareness information to consumers, and
informing businesses on the need to safeguard their files and databases
containing customers' information. Actor Jerry Orbach, of television's
Law and Order fame, who himself was a victim of identity theft, was the
campaign's spokesman.
The Mullen agency of Pittsburgh provided support for this year's
campaign on a pro bono basis. But what really makes this campaign
unique is the funding source. We've all heard the saying, ``crime
doesn't pay.'' In the case of this awareness campaign, it does pay.
This campaign was funded through a unique application of fines and
forfeitures paid by criminals in a past fraud case.
Sometimes the most effective vehicle for ``getting out the
message'' is when the message comes directly from an authoritative
source, the criminals themselves. Last year, Postal Inspectors in
Pittsburgh caught a man who stole the identities of several
celebrities, including the actor Will Smith. The thief, Carlos Lomax,
was prosecuted by the U.S. Attorney's Office in the Western District of
Pennsylvania and convicted. Lomax agreed to let us tape an interview of
him describing what he did and how he did it. I would like to play a
portion of that tape for you now.
Educating the public and working to reduce opportunities where the
Postal Service and the mail can be used for illegal purposes are
crucial elements in our fight against identity crimes. As always, we
will do our part to remove criminals from society. We appreciate the
subcommittee's recognition of the importance of this issue.
Mr. Greenwood. Please do.
[Video shown.]
Mr. Greenwood. Thank you. Mr. Abel, you are recognized for
your statement.
TESTIMONY OF JOHN M. ABEL
Mr. Abel. Good afternoon, Chairman Greenwood and
Congressman Gerlach. On behalf of the Pennsylvania Attorney
General, Mike Fisher, I am honored to be here this afternoon to
testify on this important topic. My name is John Abel, and I am
a Senior Deputy Attorney General in the Philadelphia Regional
Office of General Fisher's Bureau of Consumer Protection.
Identity theft, as we heard, is a serious crime, and
growing problem across the country with Pennsylvania's
experience being no exception. Victim of this crime face
devastating economic repercussions, and oftentimes spend
countless hours undoing the harm in order to get their finances
back in order. This can be a very stressful experience for the
ordinary consumer, who in many instances does not realize until
much later that their identity has been hijacked by an unknown
perpetrator. By this time, hundreds if not thousands of dollars
in unauthorized charges have been made in their name from any
number of sources.
I am here today to speak on behalf of the Bureau of
Consumer Protection that is housed within the Public Protection
Division. By way of background, the Bureau has several regional
offices which handle more than 40,000 written complaints
annually from consumers throughout the state. Nearly each of
these consumer complaints is assigned to an individual agent,
and in most instances, the agent will seek to mediate the case
with the business, with the hopes of achieving a satisfactory
resolution.
Should the Bureau detect a pattern or practice of consumer
fraud, based on the complaint history or from any other source,
the Bureau may then commence a formal investigation and take
legal action if necessary. With regard to the issue of identity
theft, I will focus, for my few moments, on the efforts of the
Bureau in educating consumers to avoid these thieves, and
assisting consumers with restoring their credit.
Although our office is vested with criminal authority to
pursue perpetrators of identity theft, as a civil law
litigator, I will not be able to speak specifically to the
details of any criminal investigations or prosecutions.
However, I would be happy to provide, later, any further
information the subcommittee might desire.
As for the scope of the problem, according to the Social
Security Administration, more than 750,000 incidents of
identity theft occurred nationwide last year. One study found
that on the average, it takes victims 175 hours and over $800
in out of pocket costs to clear their name.
Allow me to share with the committee some recent numbers
which pertain specifically to Pennsylvanians. Statistics on
identity theft are maintained by the Federal Trade Commission,
which established an Identity Theft Hotline and Data
Clearinghouse back in 1999. These records show that in 2002,
Pennsylvania had reports of victims in 5,080 cases. The
overwhelming majority, 46 percent, specifically experienced
credit card fraud. Next, the most common instance involved
unauthorized use of phone or utility services. Almost 1 in 4 of
these crimes occurred in Philadelphia. However, every region of
the State has experienced this brand of crime.
Data shows the typical victim of identity theft is between
30 and 40 years of age and does not notice the crime until
roughly a year after they have become a victim. Particularly
disturbing is the victimization of our seniors, who with their
good credit, retirement nest eggs and trusting nature are often
targeted by scam artists. Only the State of Florida has a
higher percentage of citizens over the age of 65 than
Pennsylvania, and Attorney General Fisher's efforts to protect
the Commonwealth's citizens include a special commitment to the
protection of our seniors.
As for efforts to combat the problem, the old saying that
an ounce of prevention is worth a pound of cure is particularly
true in this case. Attorney General Fisher has taken action to
educate Pennsylvanians on how to avoid these tactics. Through
various forms of outreach and public speaking, representatives
from the Bureau help to spread the word on the rather simple
and easy steps that consumers can take to avoid becoming a
victim. We appear before religious and other community
organizations, senior groups, numerous civic associations. We
staff information booths at shopping malls and county fairs all
throughout the state.
Just this last year, the Bureau joined the National
Consumer Protection Week by participating in education fairs
and activities throughout the state. The theme was ``Consumer
Confidential: The Privacy Story.''
Consistent with what I had said about the seriousness of
these crimes against seniors, the Attorney General's Office has
also launched a program known as the Senior Crime Prevention
University to educate older Pennsylvanians and their families
on crime prevention. This program is presented in conjunction
with other law enforcement agencies, who provide training to
help stop the multitude of crimes, including identity theft
against the senior citizens of Pennsylvania.
The Bureau has specially published a brochure with
particular tips on how to protect one's personal identification
information. For example, minimize identification information
in cards you carry. Don't carry your Social Security card with
you. Purchase a shredder. We have seen identity thieves that
commonly sift through garbage seeking discarded mail. Be
mindful of billing cycles. If it seems like one of your bills
didn't arrive, follow up with the business. Don't give out
personal information over the phone, through the mail, or over
the Internet, unless you have initiated the contact or know
with whom you are dealing. And last, order a copy of your
credit report at least on an annual basis.
If, despite taking these precautions, a person's
information does end up in the wrong hands, our Office then
recommends taking the following steps immediately. Call the
fraud departments of the credit bureaus and request that a
fraud alert be put on your file. You should also ask for a copy
of your credit report and then follow up with those bureaus by
asking that they remove any fraudulent or incorrect
information. Contact banks, credit card companies and all other
creditors who issued credit in your name and/or permitted
access to your existing account and close all affected
accounts. Finally, then contact your local police department
and file a criminal report on the incident.
As I mentioned before, each consumer complaint that the
Bureau receives is assigned to an individual agent. In the case
of identity theft, this agent is available to direct the
consumer to the appropriate agencies. Additionally, these
agents are available to work with and provide information to
other parties in an effort to address some of the problems
created by this theft.
The Bureau has also taken action within the context of
legal actions to protect consumer privacy and avoid identity
theft. For instance, when an online retailer of children's
education materials announced that it was going to cease
operations and sell off its assets, Pennsylvania, along with a
majority of other states, filed an Objection in the Bankruptcy
Court to prevent that company from selling its customer list.
Ultimately, through the efforts of Pennsylvania, the FTC and 42
other states, this company agreed to destroy the customer list.
In another, more recent case, the Bureau took action
against Bucks County based national seller of computers, and
made certain that the settlement there prohibited the sale or
disclosure of other consumer information.
Once again, thank you for the opportunity to comment today
on the Bureau of Consumer Protection's efforts to assist
consumers in preventing the growing problem of identity theft,
and we want to commend Congress for its recent enactment of the
Fair and Accurate Credit Transactions Act, which should further
assist consumers in combating this problem.
For instance, one of the two provisions that quickly come
to mind is the one providing for a free annual credit report
that will allow consumers to do this annual checkup that we
talked--that we heard about this morning that is so important.
Another provision is the one that speaks to the truncation
of credit card and debit card account information. These and
the other provisions should assist in combating this problem.
I will be happy to take any questions.
[The prepared statement of John M. Abel follows:]
Prepared Statement of John M. Abel, Senior Deputy Attorney General,
Pennsylvania Office of Attorney General, Bureau of Consumer Protection
i. introduction
Good morning Chairman Greenwood and distinguished members of the
House Subcommittee on Oversight and Investigations. On behalf of the
Pennsylvania Attorney General Mike Fisher, I am honored to be here this
morning to testify on the important topic of identity theft. My name is
John Abel and I am a Senior Deputy Attorney General in the Philadelphia
Regional Office of General Fisher's Bureau of Consumer Protection.
Identity theft is a serious crime and growing problem across the
country with Pennsylvania's experience being no exception. Victims of
this crime face devastating economic repercussions and oftentimes spend
countless hours undoing the harm in order to get their finances back in
order. This can be a very stressful experience for the ordinary
consumer who in many instances does not realize until much later that
their identity has been hijacked by an unknown perpetrator. By this
time, hundreds, if not thousands, of dollars in unauthorized charges
have been made in their name from any number of sources.
I am here today to speak on behalf of the Bureau of Consumer
Protection of the Attorney General's Office that is housed within the
Public Protection Division. Along with the Bureau of Consumer
Protection, a number of other offices are located within Public
Protection including the Health Care Section, AntiTrust Section,
Charitable Trusts and Organization Section and the Civil Rights
Enforcement Section.
ii. background
Before I begin to talk about this problem, let me start by giving
you a brief background of the Bureau of Consumer Protection. By law,
the Attorney General's Bureau of Consumer Protection is authorized to
perform the following duties:
� Investigate commercial and trade practices in the distribution,
financing and furnishing of goods and services for the use of
consumers;
� Conduct studies, investigations and research into matters affecting
consumer interests and make such information available to the
public;
� Advise the Pennsylvania Legislature on matters affecting consumer
interests, including the development of policies and the
proposal of programs to protect consumers;
� Investigate fraud and deception in the sale, servicing and furnishing
of goods and products, and strive to eliminate such illegal
actions;
� Promote consumer education and publicize matters relating to consumer
fraud, deception and misrepresentation.
The Bureau of Consumer Protection has seven regional offices which
handle more than 40,000 written complaints annually from consumers
throughout the Commonwealth. Over the past couple of years, the number
of complaints has risen dramatically by more than 30 percent. This
increase is due to a number of factors, one of which includes a growing
wave of bankruptcies of a number of large retail establishments. Each
of these consumer complaints is assigned to an individual agent and in
most instances, that agent will seek to mediate the case with the
business with hopes of achieving a satisfactory resolution. Should the
Bureau detect a patten or practice of consumer fraud, based on
complaint history or other sources, the Bureau may then commence a
formal investigation.
Under the law, the Bureau is authorized to file a formal legal
action where it has reason to believe that a business has engaged in
such a pattern of illegal practices and it is in the public interest to
do so. On average, the Bureau files 150 actions per year. Legal actions
take the form of a lawsuit filed in the Commonwealth Court or local
Court of Common Pleas. These actions also include a settlement
agreement permitted by law which is known as an Assurance of Voluntary
Compliance. Through these actions, the Bureau can seek injunctive
relief, such as prohibiting a company from doing business in the
Commonwealth, as well as consumer restitution. The Bureau is authorized
to seek a penalty of $1,000 per violation and $3,000 per violation
where the consumer is of age 60 or older.
With regard to the issues of identity theft, I will focus on the
efforts of the Bureau of Consumer Protection in educating consumers to
avoid these thieves and in assisting consumers with restoring their
credit. Although our Office is vested with criminal authority to pursue
perpetrators of identity theft, as a civil law litigator with the
office, I will not be able to speak specifically to the details of any
criminal investigations or prosecutions. However, I would be happy to
provide later any further information that the subcommittee might
desire.
iii. scope of problem
According to the Social Security Administration, more than 750,000
incidents of identity theft occurred nationwide last year. One study
found that on the average, it takes victims 175 hours and over $800 in
outofpocket to clear their name. The Federal Trade Commission reports
that in 2002 they received 161,819 identity theft complaints. This
national figure is almost double that which was reported in 2001, when
the FTC tracked 86,198 complaints of identity theft. We have every
reason to believe that the trend is increasing this year.
Allow me to share with the Committee some recent numbers which
pertain specifically to Pennsylvanians. Statistics on identity theft
are maintained by the Federal Trade Commission which established an
Identify Theft Hotline and Data Clearinghouse in 1999. These records
show that in 2002, Pennsylvania had reports of victims in 5,080 cases.
The overwhelming majority, 46 percent, specifically experienced credit
card fraud. Next to credit card fraud, the most common instance
involved unauthorized use of phone or utility services. Almost 1 in 4
of these crimes occurred in Philadelphia. However, every region in the
Commonwealth has experienced this brand of crime.
With statistics such as these, which have been steadily increasing,
identity theft is a problem that certainly warrants the continued
attention of the Subcommittee.
Data shows that the typical victim of identity theft is between 30
and 40 years old and does not notice the crime until roughly a year
after they have become a victim. At this age, people generally have an
established credit history and a steady income. Similarly, with
children, work, and other commitments, there are a lot of priorities
and responsibilities to tackle. It is often easy to take your financial
privacy and security for granted. Particularly disturbing is the
increasing victimization of our seniors who, with their good credit,
retirement nest eggs and trusting nature, are often targeted by scam
artists. Only the state of Florida has a higher percentage of citizens
over the age of 65 than Pennsylvania, and Attorney General Fisher's
efforts to protect the Commonwealth's citizens includes a special
commitment to protection of our seniors.
These criminals use a variety of methods to access your
information. They steal purses and wallets for personal information;
they complete changeofaddress cards to have personal information
forwarded out of the victim's hands. Other practices include ``dumpster
diving,'' where criminals steal discarded statements and preapproved
credit offers from the victim's trash. ``Shoulder surfing'' refers to
the practice of stealing PIN numbers and account numbers over the
person's shoulder while they are using an ATM. Of course, the Internet
is fertile ground for these thieves. A fraudulent email can be sent
promising some benefit in exchange for personal information. A
surprising number of people quickly sent out the information without
taking any steps to determine the validity of the offer.
iv. efforts to combat problem
The old saying that ``an ounce of prevention is worth a pound of
cure'' is particularly true in the case of identity theft. Attorney
General Fisher has taken action to educate Pennsylvanians on how to
avoid these tactics. Through various forms of outreach and public
speaking, representatives from the Bureau of Consumer Protection help
to spread the word on the rather simple and easy steps that consumers
can take to avoid becoming a victim. We appear before church and other
community organizations, senior groups, as well as numerous civic
associations. We staff information booths at shopping malls and county
fairs throughout the state.
Just this last year, the Bureau joined in National Consumer
Protection Week by participating in consumer education fairs and
activities throughout the Commonwealth. The theme was ``Consumer
Confidential: The Privacy Story.'' As part of this event, the Bureau
rolled out a new brochure titled ``Consumer Privacy: Protecting Your
Personal Information.''
Consistent with what I had mentioned about the seriousness of these
crimes against seniors, the Attorney General's Office has also launched
a program known as the Senior Crime Prevention University to educate
older Pennsylvanians and their families on crime prevention. The Senior
Crime Prevention University is presented in conjunction with other law
enforcement agencies who provide training to help stop the multitude of
crimes, including identity theft, against the senior citizens of
Pennsylvania.
The Bureau has also specially published a brochure which offers
specific tips to protect personal identifying information. For
instance:
� Minimize the identification information and cards you carry. Don't
carry your social security card with you and carry other cards
that list your social security number (such as prescription
cards or insurance cards) only when necessary.
� Purchase a shredder. As I said earlier, identity thieves commonly
sift through garbage seeking discarded mail such as preapproved
credit card offerings and bank statements.
� Be mindful of billing cycles if it seems like one of your bills
didn't arrive, follow up with the business. Remember, that in
addition to containing your name, address and other
information, monthly statements also contain account numbers.
� Don't give out personal information over the phone, through the mail,
or over the Internet unless you have initiated the contact, or
know with whom you are dealing. To get your information,
identity thieves may pose as representatives of banks, Internet
services providers, even government agencies.
� Order a copy of your credit report.
If, despite taking these precautions, a person's information does
end up in the wrong hands, our Office recommends taking the fallowing
steps immediately:
� Call the fraud departments of the credit bureaus and request that a
``fraud alert'' be put on your file. This lets creditors know
to call you before they open any new accounts in your name. You
should also ask for a copy of your credit report and follow up
with these credit bureaus by asking that they remove any
fraudulent or incorrect information.
� Contact banks, credit card companies and all other creditors who
issued credit in your name and/or permitted access to your
existing account and close all affected accounts.
� Finally, contact your local police department and file a criminal
report on the incident. Such a report can help in clearing up
your credit records and, or course, may lead to the arrest of
the thief.
As I mentioned before, each consumer complaint that the Bureau
receives is assigned to an individual agent. In cases of identity
theft, this agent is available to direct the consumer to the
appropriate agencies. Additionally, the agents are available to work
with, and provide information to, other parties in an effort to address
some of the problems created by the theft.
The Bureau has also taken action within the context of legal
actions to protect consumer privacy and avoid identity theft. For
instance, when an online retailer of children's education materials
announced that it would cease operations and sell off its assets,
Pennsylvania, along with a majority of other states, filed an Objection
in the Bankruptcy Court to prevent that company from selling its
customer list as an asset. Ultimately, through the efforts of
Pennsylvania, the FTC and 42 other states, this company agreed to
destroy the customer list.
In another case where the Bureau took action against a Bucks County
based national seller of computers, the Office made certain that the
settlement prohibited the sale or other disclosure of customer
information.
In another legal action, this Office reached an Assurance of
Voluntary Compliance with a Bucks County developer and distributor of
computer games to resolve alleged violations related to the company's
use of ``spyware'' in its computer games. Customers who purchased the
product were unaware that the games included a computer file attachment
which allowed third party advertisers to secretly interact with the
consumers' computers and trace their steps on the Internet. Asserting
that this conduct violated consumer privacy rights, the Commonwealth
secured an agreement from the business barring the inclusion of such
programs in its products and requiring the company to provide a means
for customers to remove the software program from previously purchased
products.
Once again, thank you for the opportunity to comment today on the
Bureau of Consumer Protection's efforts to assist consumers in
preventing the growing problem of identity theft and I want to commend
Congress for its recent enactment of the Fair and Accurate Credit
Transactions Act which should further assist consumers in combating
this problem.
I would be happy to take any questions.
Mr. Greenwood. Thank you. Lieutenant Colonel Periandi.
TESTIMONY OF LT. COL. RALPH M. PERIANDI
Mr. Periandi. Good morning, Chairman Greenwood. I am
Lieutenant Colonel Ralph Periandi, Deputy Commissioner of
Operations for the Pennsylvania State Police. On behalf of
Colonel Jeffrey B. Miller, Commissioner of the Pennsylvania
State Police, I would like to thank the House Energy and
Commerce Subcommittee on Oversight and Investigations for this
opportunity to speak on the issue of identity theft.
Identity theft is delineated in Title 18, Pennsylvania
Crimes Code, Section 4120. This statute indicates a person
commits the offense of identity theft of another person if he
possesses or uses, through any means, identifying information
of another person without consent of that person to further any
unlawful purpose. The unlawful activity could involve a
criminal utilizing a victim's information in order to obtain
access to loans, credit, or debit cards, bank accounts,
services such as telephone or cable, or personal property
ranging from groceries to automobiles. Following the tragic
events of September 11, 2001, law enforcement must also
consider the use of another person's identifying information by
criminals or terrorists in an attempt to gain access to
restricted areas, information--restricted areas or information
in order to further their criminal enterprise.
In recent years, the crime of identity theft has grown in
scope with the advent of the inexpensive personal computer.
Those criminals possessing familiarity with computers now have
powerful resources at their disposal. By obtaining personal,
biographical and financial information which is readily
available on the Internet, an identity thief can pose as
anyone. Additionally, by utilizing the wide range of high
quality computer peripherals, they are able to craft documents
and identification which allow them to create new identities or
steal the identity of someone else. Another computer aided
method of committing identity theft is known as skimming.
Skimming is the practice of reading and storing the magnetic
information on a debit or credit card. It is easily
accomplished by those in the service or retail industry by
swiping a provided credit or debit card through a second card
reader at the time of a legitimate transaction. The stored
information is then used by that individual or sold to others
for criminal purposes.
Conversely, the technologically challenged identity thief
continues to resort to time tested low-tech methods for
obtaining the personal information of a victim. Stealing mail,
digging through garbage, generally provides the criminal with
extensive personal information, to include the victim's full
name, date of birth, Social Security number, bank account
information, utilities account information, address and
telephone number. Armed with this knowledge, the identity thief
is ready to apply for credit or access funds in the name of the
victim.
Currently, the best source for documented statistical
information concerning the problem of identity theft, and it
has previously been testified to, is the Federal Trade
Commission. The FTC has been maintaining data and information
regarding this crime since enactment of the Identity Theft and
Assumption Deterrence Act. In furtherance of this Act, the FTC
developed the Identity Theft Data Clearinghouse and its
reporting vehicle, the Consumer Sentinel. To quantify the
problem of identity theft, the following information is
provided from the Consumer Sentinel.
Of over 380,000 fraud complaints received nationally in
2002, the largest category of complaint was identity theft at
43 percent. Individual victim costs per fraud is estimated at
$2,000. This, Mr. Chairman, the next area, national reporting
of identity theft has steadily increased since the year 2000, I
think you are going to find to be staggering. In 2000, which
represents the first full year of reporting, slightly over
31,000 reports were received. 2001, slightly over 86,000
reports were received. This increase indicates a 177 percent
change from 2000 to 2001. In 2002, almost 162,000 reports were
received. Actually, 161,819, which represents an 88 percent
increase over 2001. So from 2000 to 2001, we have a 177 percent
increase. From 2001 to 2002, we have an additional 88 percent
increase.
In the year 2002, 75 percent of victims were between the
ages of 18 and 49. Of a little over 13,000 fraud complaints
received in Pennsylvania during 2002, again, as is reflected
nationally, the largest category of complaint was identity
theft. In Pennsylvania, it amounted to 39 percent of all
complaints. In 2002, Pennsylvania ranked 22nd among the states
for victims of identity theft per 100,000 population, with
approximately 5,080 victims.
Mr. Abel, representing the Pennsylvania Attorney General's
Office, has previously testified to related statistics to
these. The top three crimes committed in concert with identity
theft in Pennsylvania during 2002 were credit card fraud, 46
percent of those complaints, phone or utilities fraud, 22
percent of the complaints and bank fraud, 12 percent.
The top three victim locations for identity theft in 2002
in Pennsylvania were Philadelphia, with 24 percent of the
complaints, Pittsburgh, with 5 percent and Allentown, with 1
percent. Continuing in an effort to quantity this problems
since the inception of the Pennsylvania statute regarding
identity theft in 2001, Pennsylvania State Police have received
714 complaints involving this crime. 302 were received in the
year 2001, while 412 were received in the year 2002. This
represents a 27 percent increase in the number of complaints we
have received in the State Police, and I think it should be
noted that we are responsible for 80 percent, we are
responsible for policing 80 percent of the land mass in the
state, but 30 percent of the population, so a full 70 percent
of the population is not reflected in the statistics regarding
the complaints received by our department.
This data provides a general overview of the raw, cold,
statistical information regarding the crime of identity theft.
What it does not provide is insight into the associated
emotional problems victims of the crime encounter. Many
individuals do not discover they are the victim of an identity
theft for months, if not years. Some victims have been duped
for as long as 5 years. Upon discovery, victims must spend
significant amounts of time contacting creditors and credit
reporting agencies in an attempt to repair the damage to their
credit histories. While this is occurring, they are often
unable to obtain credit and financial services,
telecommunication, utility services and even employment.
Many victims report having wages garnished and tax refunds
withheld. In those instances when an identity theft--an
identity thief has received a criminal record in the victim's
name, victims have reported having licenses revoked, family
background checks and even being arrested or detained.
Combating the crime of identity theft in Pennsylvania requires
law enforcement to achieve three main objectives. First, law
enforcement personnel must be properly trained and informed
regarding this crime. Second, they must be appropriately
staffed with criminal investigators to conduct these sometimes
in-depth and lengthy investigations. Finally, the public needs
to be provided with information concerning methods to protect
themselves from identity theft, as well as information
regarding the steps to take should they become a victim.
Each of these objectives will be explored more fully. In
Pennsylvania, the State Police are tasked with providing police
services to those areas and citizens who find themselves
without their own police department. We are a full service
department, performing functions ranging from traffic
enforcement to criminal investigations. Our criminal
investigators are responsible for the investigation of all
types of crime. As such, our investigators must receive
training and obtain expertise in all facets of criminal
investigation. Training specific to identity theft and fraud is
available to them and Pennsylvania's law enforcement community
through numerous sources. Some examples are at our own Academy,
Pennsylvania State Police Academy in Hershey and our regional
training centers; at the Middle Atlantic Great Lakes Organized
Crime Law Enforcement Network, or MAGLOCLEN, which is
headquartered right here in Bucks County; the National White
Collar Crime Center; International Association of Financial
Crimes Investigators; the United States Department of Justice.
The FTC has been previously testified to, and local banking
institutions.
Generally, individual instances of identity theft are
investigated by a criminal investigator assigned to one of our
troop commands In those instances when a case of identity theft
is indicative of organized criminal activity, the Pennsylvania
State Police rely on the Organized Crime Division of our Bureau
of Criminal Investigation. Members of this specially selected
group of investigators are strategically located in task forces
throughout Pennsylvania. They work with their troop
counterparts as well as local and Federal investigators on
cases involving large monetary losses, which are usually
associated with organized groups of criminals.
These groups may be associated with traditional organized
crime, displaced ethnic groups, or simply enterprising local
criminals. Identity theft is increasingly becoming an
international crime, with roots in Canada, Eastern Europe, Asia
and Africa. This has made prosecution difficult, and in some
cases, impossible, even with the involvement of Federal law
enforcement.
In an attempt to deter or mitigate the crime of identity
theft, the Pennsylvania State Police provide the following
information to law enforcement agencies and the general public,
and I do this, Mr. Chairman, at the risk of repeating previous
recommendations, because I think we all believe it is very
important that we get this information to the public.
Let us answer a few questions for our citizens. First, how
do I protect myself? These and other protective measures will
not absolutely guarantee you will never become a victim of
identity theft, but employing one or more of these can
drastically reduce your risk.
Give your Social Security number only when it is absolutely
necessary and do not carry your Social Security card with you.
Leave it at home or in a secure place. Annually, review your
Social Security personal earnings and benefits statement, which
is mailed to all participants. A copy can also be requested
from the Social Security Administration. Memorize your ATM
password and shield the keypad when entering your password at
any ATM machines. Previously, Mr. Chairman, I believe you asked
a question relative to passwords and PIN numbers particularly.
And we have had instances where criminals from a remote
location will videotape the keypad and then, by certainly
expanding or utilizing that videotape to basically just look at
the particular PIN information, and they have already captured
possibly your password information or your account number
information.
Do not place bill payments in your mailbox for pickup. We
saw that in one of the videos. Mail your bills directly from
the Post Office. Shredding of documents, which we have already
talked about. Annually obtaining your credit report from the
three major credit reporting agencies. Carefully review them
for accuracy and immediately correct all mistakes. Have your
name removed from lists sold to companies offering pre-approved
credit cards. That has already been testified to and questioned
and discussed, by contacting three credit card reporting
agencies.
Do not give your credit card number over the telephone
unless you have initiated the call. Ensure that neither you nor
the called party is using a mobile or cellular telephone. This
is another issue that we deal with where people speak freely on
mobile phones and cellular telephones without regard for the
fact that that can often be intercepted. When you purchase
items with a credit card, take your receipts with you. Do not
toss them away. Do not put your credit card number on the
Internet unless it is an encrypted or secured site.
How about the question what if I become a victim of
identity theft? Identity theft can occur even if you have been
careful about protecting your personal information because of
the ever-increasing skill employed by professional thieves. The
exact steps that you should take after becoming a victim of
identity theft will vary depending upon your circumstances, but
in most instances, the following steps should be taken.
Mr. Greenwood. I am going to ask you to just kind of go
through these steps real----
Mr. Periandi. Skip through those?
Mr. Greenwood. Real quickly, and--because----
Mr. Periandi. Okay. Contact the security department of the
respective financial institution. Contact each of the Nation's
credit reporting agencies. File a complaint with your local
police department or law enforcement agency where the identity
theft took place, and I know previously Mrs. Kane talked about
the problem relative to jurisdiction and venue. That has been
cleared up with an amendment in 2002 in Pennsylvania, so that
prosecution can be taken at either the residence or the work
location of the victim.
Report fraudulent use of your Social Security number to the
Social Security Administration. Notify the United States Postal
Service, which has been testified to, and notify immediately
your agency, if an ATM card has been lost or stolen or any of
that information has been compromised.
Same thing with checks. If you are a victim of identity
theft, never agree to pay any portion of the debt just to get a
collection agency off the case. The Fair Debt Collection Act
prohibits collectors from contacting you if within 30 days
after you receive their written notice, you send them a letter
refuting the debt, et cetera, with supporting documentation
relative to criminal violation.
Unfortunately, it is impossible to protect yourself
entirely from identity theft, but following the safeguards
detailed herein can greatly reduce your risk.
Additionally, the Pennsylvania State Police provides
numerous other services to Pennsylvania citizenry and law
enforcement community in dealing with the problem of identity
theft. The Bureau of Forensic Services offers examination of
questioned documents, handwriting comparisons, patent and
latent fingerprint identification comparison. The Polygraph
Unit in many instances is required to determine the veracity of
involved suspects. Community Services Unit performs speeches
and provides information to community groups concerning how to
reduce the probability of becoming a victim of this type of
theft. The Bureau of Criminal Investigation, through the
Department's Pennsylvania Criminal Intelligence Center, or
PaCIC, provides briefs, which contain information concerning
prevention and response methods for crimes such as identity
theft. In addition, ongoing analysis of data helps PaCIC to
identity trends in an effort to alert law enforcement statewide
to potential organized efforts to commit identity theft.
Finally, with the advent and ease of access to computer
technology, the State Police Area Computer Crime Task Forces
have become an invaluable resource to Pennsylvania law
enforcement, particularly in those instances when a computer
has been utilized in some way to steal an individual's identity
or commit a crime utilizing another's identity.
As you can see, Mr. Chairman, the Pennsylvania State Police
brings a wide variety of investigative resources to combat the
evolving problem of identity theft in the Commonwealth. Through
experience, we have learned to utilize and share these
resources with local, State and Federal investigators. Only by
sharing resources and staying ahead of the criminal mind will
we be effective in this crime fighting effort.
Finally, recent legislative changes to Pennsylvania's
identity theft statute have made investigation and prosecution
for this crime a more efficient and effective process. I
mentioned the fact that the venue has been changed and
penalties have been enhanced. The clarification of venue is
particularly important, as many of the crimes associated with
identity theft occur in other jurisdictions, states and
countries.
In closing, I would like to thank Chairman Greenwood and
the Members of the committee for the opportunity to address you
today on this issue. As a member of the Pennsylvania State
Police, each officer carries on a tradition of excellence begun
in the year 1905. As part of this tradition, it is the mission
of each member of our department to effectively investigate
crime and criminal activity, provide investigative assistance
and support to all law enforcement within the Commonwealth, and
promote public awareness concerning personal responsibility
regarding crime reduction. This includes the crime of identity
theft.
I welcome the opportunity to respond to any questions or
comments you may have.
[The prepared statement of Ralph M. Periandi follows:]
Prepared Statement of Lt. Col. Ralph M. Periandi, Deputy Commissioner
of Operations, Pennsylvania State Police
Good morning Mr. Chairman and members of the Committee. I am Lt.
Col. Ralph M. Periandi, Deputy Commissioner of Operations for the
Pennsylvania State Police. On behalf of Colonel Jeffrey B. Miller,
Commissioner of the Pennsylvania State Police, I would like to thank
the House Energy and Commerce Committee for this opportunity today to
speak on the issue of Identity Theft.
Identity Theft is delineated in Title 18, the Pennsylvania Crimes
Code, Section 4120. This statute indicates a person commits the offense
of identity theft of another person if he possesses or uses, through
any means, identifying information of another person without consent of
that other person to further any unlawful purpose. The unlawful
activity could involve a criminal utilizing a victim's personal
information in order to obtain access to loans, credit or debit cards,
bank accounts, services such as telephone or cable, or personal
property ranging from groceries to automobiles. Following the tragic
events of September 11, 2001, law enforcement must also consider the
use of another persons identifying information by criminals or
terrorists in an attempt to gain access to restricted areas/information
in order to further their criminal enterprise.
In recent years, the crime of Identity Theft has grown in scope
with the advent of the inexpensive personal computer. Those criminals
possessing familiarity with computers now have powerful resources at
their disposal. By obtaining personal biographical and financial
information, which is readily available on the Internet, an identity
thief can pose as anyone. Additionally, by utilizing the wide range of
high quality computer peripherals available, they are able to craft
documents and identification, which allow them to create new identities
or steal the identity of someone else. Another computer aided method of
committing Identity Theft is known as ``skimming''. ``Skimming'' is the
practice of reading and storing the magnetic information on a debit or
credit card. It is easily accomplished by those in the service or
retail industry by ``swiping'' a provided credit or debit card through
a second card reader at the time of a legitimate transaction. The
stored information is then used by that individual or sold to others
for criminal purposes.
Conversely, the technologically challenged identity thief continues
to resort to time tested low-tech methods for obtaining the personal
information of a victim. Stealing mail and digging through garbage
generally provides the criminal with extensive personal information to
include the victim's full name, date of birth, social security number,
bank account information, utilities account information, address, and
telephone number. Armed with this knowledge, the identity thief is
ready to apply for credit or access funds in the name of the victim.
Currently, the best source for documented statistical information
concerning the problem of Identity Theft is the Federal Trade
Commission (FTC). The FTC has been maintaining data and information
regarding this crime since enactment of the Identity Theft and
Assumption Deterrence Act in 1998. (Pub. L. No. 105-318, 112 Stat.
3007) In furtherance of this Act, the FTC developed the Identity Theft
Data Clearinghouse and its reporting vehicle, the Consumer Sentinel. To
quantify the problem of identity theft, the following information is
provided from the Consumer Sentinel:
� Of 380,103 fraud complaints received nationally in 2002, the largest
category of complaint was Identity theft at 43%.
� The Financial costs to victims of all fraud reported in the nation
during the year 2002 is estimated at nearly \1/2\ billion
dollars. 43% of this figure would indicate Identity Theft
nationwide cost victims approximately $200 Million.
� Individual victim cost per fraud is estimated at $2,000.
� National reporting of Identity Theft has steadily increased since the
year 2000. In 2000, which represents the first full year of
reporting, 31,117 reports were received. During 2001, 86,198
reports were received. This increase indicates a 177% change
over the previous year. Finally, in 2002, 161,819 reports were
received, which represents an 88% increase over the year 2001.
� In the year 2002, 75% of victims were between the ages of 18-49.
� Of 13,119 fraud complaints received in Pennsylvania during 2002, the
largest category of complaint was Identity theft at 39% of all
complaints.
� In 2002, Pennsylvania ranked 22nd among states for victims of
Identity Theft per 100,000 population, with 5,080 victims.
� The top three crimes committed in concert with an Identity Theft in
Pennsylvania during 2002 were Credit Card Fraud with 2,359
victims (46%), Phone or Utilities Fraud with 1,103 victims
(22%), and Bank Fraud with 623 victims (12%).
� The top three victim locations for Identity Theft in 2002 were
Philadelphia with 1,202 victims (24%), Pittsburgh with 226
victims (5%), and Allentown with 70 victims (1%).
Continuing, in an effort to quantify this problem since the
inception of the Pennsylvania statute regarding Identity Theft in 2001,
the Pennsylvania State Police have received 714 complaints involving
this crime. 302 were received in the year 2001, while 412 were received
in 2002. This represents a 27% increase.
This data provides a general overview of the raw, cold statistical
information regarding the crime of Identity Theft. What it does not
provide is insight into the associated emotional problems victims of
this crime encounter. Many individuals do not discover they are the
victim of Identity Theft for months, if not years. Some victims have
been duped for as long as five years. Upon discovery, victims must
spend significant amounts of time contacting creditors and credit
reporting agencies in an attempt to repair the damage to their credit
histories. While this is occurring, they are often unable to obtain
credit and financial services, telecommunication and utility services,
and even employment. Many victims report having wages garnished and tax
refunds withheld. In those instances when an identity thief has
received a criminal record in the victim's name, victims have reported
having licenses revoked, failing background checks, and even being
arrested or detained.
Combating the crime of Identity Theft in Pennsylvania requires law
enforcement to achieve three main objectives. First, law enforcement
personnel must be properly trained and informed regarding this crime.
Second, they must be appropriately staffed with criminal investigators
to conduct these sometimes in-depth and lengthy investigations.
Finally, the public needs to be provided with information concerning
methods to protect themselves from Identity Theft, as well as
information regarding the steps to take should they become a victim.
Each of these objectives will be explored more fully.
In Pennsylvania, the State Police are tasked with providing police
services to those areas and citizens, who find themselves without their
own police department. We are a full service department, performing
functions ranging from traffic enforcement to criminal investigations.
Our criminal investigators are responsible for the investigation of all
types of crime. As such, our investigators must receive training and
obtain expertise in all facets of criminal investigations. Training
specific to Identity Theft and fraud is available to them and
Pennsylvania's law enforcement community through numerous sources. Some
examples are: the Pennsylvania State Police Academy; the Middle
Atlantic-Great Lakes Organized Crime Law Enforcement Network
(MAGLOCLEN); the National White Collar Crime Center (NW3C); the
International Association of Financial Crimes Investigators; the U.S.
Department of Justice; and local banking institutions.
Generally, individual instances of Identity Theft are investigated
by a Criminal Investigator assigned to one of our Troop commands. In
those instances when a case of Identity Theft is indicative of
organized criminal activity, the Pennsylvania State Police rely upon
the Organized Crime Division of the Bureau of Criminal Investigation.
Members of this specially selected group of investigators are
strategically located in task forces throughout Pennsylvania. They work
with their Troop counterparts, as well as local and federal
investigators on cases involving large monetary losses, which are
usually associated with organized groups of criminals. These groups may
be associated with traditional organized crime, displaced ethnic
groups, or simply enterprising local criminals. Identity Theft is
increasingly becoming an international crime with roots in Canada,
Eastern Europe, Asia and Africa. This has made prosecution difficult
and in some cases impossible even with the involvement of federal law
enforcement agencies.
In an attempt to deter or mitigate the crime of Identity Theft, the
Pennsylvania State Police provide the following information to law
enforcement agencies and the general public:
How Do I Protect Myself?
These and other protective measures will not absolutely guarantee
you will never become a victim of Identity Theft, but employing one or
more of these can drastically reduce your risk:
� Give your social security number only when it is absolutely
necessary, and do not carry your social security card with you.
Leave it at home or in a secure place.
� Annually review your social security personal earnings and benefit
statement which is mailed to all participants. A copy can also
be requested from the Social Security Administration
(1.800.772.1213).
� Memorize your ATM password and shield the keypad when entering your
password at ATM machines.
� Do not place bill payments in your mailbox for pickup. Mail your
bills directly from the post office.
� Shred all documents containing personal information especially bills,
credit card receipts, pre-approved credit card offers, and bank
statements, before you throw them away.
� Annually obtain a copy of your credit report from the three major
credit reporting agencies (Trans Union, 1.800.680.7289)
(Equifax, 1.888.766.0008) (Experian, 1.888.397.3742). A basic
report costs $9.00 from any of the three agencies. Certain
states have passed legislation giving residents free or reduced
prices on credit reports. Carefully review them for accuracy
and immediately correct all mistakes identified on your credit
reports in writing.
� Have your name removed from lists sold to companies offering
preapproved credit cards by contacting the three credit
reporting agencies and taking advantage of their ``optout''
service. One number, 1.888.567.8688, reaches all three
agencies.
� Do not give your credit card number over the telephone unless you
have initiated the call. Ensure that neither you nor the called
party is using a mobile or cellular telephone.
� When you purchase items with a credit card, take your receipts with
you, do not toss them away.
� Do not put your credit card number on the Internet unless it is an
encrypted or secured site.
What If I Become A Victim of Identity Theft?
Identity Theft can occur even if you have been careful about
protecting your personal information because of the ever-increasing
skill employed by professional thieves. The exact steps that you should
take after becoming a victim of Identity Theft will vary depending upon
your circumstances, but in most instances, the following steps should
be taken:
� Contact the security department of the respective financial
institution, both verbally and in writing, for each account
that has been opened or tampered with and close these accounts.
The federal Fair Credit Billing Act limits your liability for
unauthorized charges to $50.00, but it's your responsibility to
make the appropriate notification, in writing, within 60 days
after the fraudulent activity has been discovered. Once the
financial institution acknowledges the fraud, ask them to send
all three credit reporting agencies a letter confirming
fraudulent activity.
� In the past, one necessary step included contact with each of the
nation's three major credit reporting agencies (TransUnion,
Equifax, and Experian). In an effort to streamline the process,
the credit reporting agencies have agreed to begin sharing
fraud related information. As of April 15, 2003, Identity Theft
victims need only make one toll-free call to any of the three
nationwide credit reporting agencies. The information they
provide will be automatically shared with the remaining
agencies for inclusion in their records. Within 24 hours of
being notified, each credit reporting agency will post a
security alert on the victim's credit file, which will be
viewed by all lenders or other users accessing future reports.
The alert will notify lenders of the reported fraud, thereby
assisting them to avoid opening a fraudulent account in the
victim's name. The credit reporting agencies will also remove
the victim's name from the lists of pre-approved credit or
insurance offers for a period of two years. Additionally, the
agencies have agreed to provide each victim with a copy of his
or her credit file, and to simplify the information
verification process to include deletion of fraudulent
information.
� File a complaint with your local police department or the law
enforcement agency where the Identity Theft took place. Also,
file a complaint with the Federal Trade Commission (FTC)
Identity Theft Hotline by telephone at 1.877.IDTHEFT. Although
the FTC has no criminal law enforcement authority, they can
pursue civil remedies and assist victims in resolving the
problems associated with the crime.
� Report the fraudulent use of your social security number to the
United States Social Security Administration at 1.800.269.0271.
Under certain circumstances, a new social security number may
be issued.
� Notify your nearest United States Postal Inspection Service if you
suspect the theft of your mail.
� If your ATM card has been lost or if your password has been
compromised, immediately notify your bank. The Electronic Fund
Transfer Act limits your losses to $50.00 if you make this
report within two business days. If you wait more than 60 days
to make the report, you could lose all the money that was taken
from your account.
� If checks were stolen or fraudulent bank accounts were established,
report this to your bank and to the major check verification
companies (Telecheck, 1.800.710.9898) (Certegy Inc.,
1.800.437.5120) (International Check Services, 1.800.631.9656).
Request they notify retailers who use their service that you
were the victim of Identity Theft.
� If you're a victim of Identity Theft, never agree to pay any portion
of the debt just to get collection agencies off the case. The
Fair Debt Collection Act prohibits collectors from contacting
you if within 30 days after you receive their written notice,
you send them a letter refuting the debt. Along with your
letter, send supporting documentation (police report, letters
from credit reporting agencies, etc.) to substantiate your
position.
Unfortunately, it is impossible to protect yourself entirely from
Identity Theft, but following the safeguards detailed herein can
certainly reduce your risk. Publications by the Federal Trade
Commission (FTC) can provide further information on how to prevent
Identity Theft. These publications can be obtained by contacting the
FTC by telephone at 1-877-IDTHEFT or by visiting their web sites at
http://www.ftc.gov or at http://www.consumer.gov. Phone counselors at
the FTC can assist callers on how to take advantage of their consumer
rights and on what actions need to be taken to restore their credit.
Additionally, The Pennsylvania State Police provides numerous other
services to Pennsylvania's citizenry and law enforcement community in
dealing with the problem of Identity Theft. The Bureau of Forensic
Services offers examination of questioned documents, handwriting
comparisons, and patent and latent fingerprint identification and
comparison. The Polygraph Unit in many instances is required to
determine the veracity of involved suspects. The Community Services
Unit performs speeches and provides information to community groups
concerning how to reduce the probability of becoming a victim of this
type of crime. The Bureau of Criminal Investigation through the
Department's ``Pennsylvania Criminal Intelligence Center'' (PaCIC),
provides Briefs, which contain information concerning prevention and
response methods for crimes such as Identity Theft. In addition,
ongoing analysis of data helps PaCIC to identify trends in an effort to
alert law enforcement statewide to potential organized efforts to
commit Identity Theft. Finally, with the advent and ease of access to
computer technology, the State Police Area Computer Crime Task Forces
have become an invaluable resource to Pennsylvania law enforcement,
particularly in those instances when a computer has been utilized in
some way to steal an individual's identity or commit a crime utilizing
another's identity.
As you can see, the Pennsylvania State Police brings a wide variety
of investigative resources to combat the evolving problem of Identity
Theft in the Commonwealth. Through experience, we have learned to
utilize and share these resources with local, state and federal
investigators. Only by sharing resources and staying ahead of the
criminal mind will we be effective in this crime fighting effort.
Finally, recent legislative changes to Pennsylvania's Identity
Theft statute have made investigation and prosecution for this crime a
more efficient and effective process. Penalties have been stiffened and
venue now includes the residence or employment address of the person
whose identifying information has been lost or stolen or has been used
without the person's consent. The clarification of venue is
particularly important as many of the crimes associated with Identity
Theft occur in other jurisdictions, states, or countries.
In closing, I would like to thank the Chairman and members of the
Committee for the opportunity to address you today on this issue. As a
member of the Pennsylvania State Police, each officer carries on a
tradition of excellence begun in the year 1905. As part of this
tradition, it is the mission of each member to effectively investigate
crime and criminal activity, provide investigative assistance and
support to ALL law enforcement agencies within the Commonwealth, and
promote public awareness concerning personal responsibility regarding
crime reduction. This includes the crime of Identity Theft. I welcome
the opportunity to respond to any questions or comments you may have.
Mr. Greenwood. Thank you, sir. I appreciate it. Let me go
back to the tape we saw with Mr. Lomax, if that is, in fact,
his real name. Walked through how easy it was for him to steal
actor Will Smith's identity. He basically looked in a magazine
that probably had an article that said who his mother and his
mother's maiden name, what his mother's maiden name was,
address and enough identifying information gleaned from a
source like that to then go, and what he said he did, as I
recall, was to go and get, first off, a duplicate birth
certificate, and then take that and get a duplicate Social
Security card, and then take that and get a duplicate driver's
license. The question I have for any or all of you. If Mr.
Lomax gets out of jail tomorrow, and wants to start all over
again, picking another victim, would he be able to do it just
as easily today as he did initially? Anything changed that
makes his job more difficult?
Mr. Burke. Well, sir, I would like to believe no. One of
the----
Mr. Greenwood. Pull the microphone close to you.
Mr. Burke. One of the--he mentioned mother's maiden name. I
will give you an example. The Inspection Service, in concert
with the banking industry, meets, they have an initiative, it
is the Financial Crimes Mail Security Initiative, and we meet
twice a year, and at those meetings, we discuss best practices.
The young lady from the bank in Newtown mentioned the--as an
example, the 1-800 number, and then of course, Mr. Lomax, I
believe that is his real name, mentioned the mother's maiden
name. Well, the 1-800 sticker that you now get on your credit
cards was a result of an Inspection Service initiative, and in
particularly, a now retired Inspector working out of Florida,
and as odd as this may seem, in developing this 1-800 number
and asking for pertinent information that only the individual
would know, someone suggested at one of these meetings that
they use the mother's maiden name. Well, lo and behold, it
became an industry standard. Now, the good news is that they
are varying that. They are asking other pertinent information.
So that is an example of how it is becoming more difficult.
And as was mentioned several times here today, the
interaction with State and local, Federal law enforcement now,
and the publicity due in large part because of committees and
meetings and public referendums like this is doing a great deal
of good to prepare people for it.
In the past, local law enforcement may take a complaint on
a credit card and quite honestly, it was difficult for them to
give it the time and effort it needed, because it crossed
jurisdictional lines. Now, with the FTC downloading the data
and everything and everyone having access to that, we have
minimized that, too, so I think through educating the public
and the aggressive interaction across the board from law
enforcement at every law, there are more and more stopgaps that
are being put in that will make it more and more difficult.
Mr. Greenwood. You may share the microphone with Ms.
Broder.
Ms. Broder. I guess I can't say with real confidence that
it would be that much more difficult to accomplish what Mr.
Lomax did if he gets out of jail tomorrow. But one of the new
provisions of the FACT Act requires the FTC, along with the
bank regulatory agencies to develop guidelines for red flags,
that is the pattern, what are the indicia of fraud, and when we
see these types of patterns emerging, what should be done? He
talked about 17 to 18 accounts opened in a short period of
time. Mrs. Kane referred to a 33 page credit report for someone
who had a very normal pattern before. So the question is what
can the financial agencies do to pinpoint that where now they
are not, where they are not aware of the fraud, they are not
paying attention to those as closely as they might.
Mr. Periandi. Mr. Chairman.
Mr. Greenwood. What about the--go ahead, yes, please,
Colonel.
Mr. Periandi. If I could add. Unfortunately, your question
is right on point. But it goes to something that we have found
even in the area of terrorism, and that is, it goes to the
identifying documents, the base documents. When someone has a
birth certificate, Social Security card and driver's license
that appears to be legitimate, and is in fact legitimate,
because it has been obtained from legitimate agencies, it makes
it very, very difficult for law enforcement. I won't comment
for the private sector, but it makes it very, very difficult
for law enforcement to work through that and identity this
individual as being a criminal, because all the documents, the
supporting documentation that you would look at is accurate.
They have a reliable and accurate birth certificate. They
have a reliable and accurate driver's license, particularly
which is a photo identification, so I can only assume that when
they present this at a retail establishment, or even within the
banking industry, that that information is going to be
accepted, and that--so it gets, I think you make a very good
point. We need to look at how easy it is for criminals to
obtain that identifying documentation that really gives them
access to the rest of the system. Once they have that
documentation, they have access to the rest of the system.
Mr. Greenwood. And of course, the tricky part in this is
that any of us can lose our driver's license or Social Security
card, or for that matter, our birth certificate, and want to
get copies of it, and so we don't want the government to make
it impossible or extraordinarily difficult. Sometimes, we might
need those documents in a hurry, like for travel or something
like that, and so it is a tough balance. Let me talk--ask about
the consequences on the other side of this quotient. We have--I
think the Postal Inspection Service talked about 3,000 arrests
in a year. One of the things that seems to make a difference in
criminal conduct is when someone says--when people are talking,
potential criminals, criminal are talking amongst themselves,
they say I went to jail, or I did hard time, or you know, I got
off easy.
When we make all these arrests, are we in fact coming down
hard enough on the perpetrators in terms of are they--do we
have the--are we--sometimes, I see that in law enforcement--is
given limited resources and time and money. It is only the
biggest cases that are actually taken in to prosecution and the
smaller cases are disposed of in some other way, probationary
response. There is not even always restitution, so it is a--who
would like to comment on how effective we are being in various
law enforcement agencies in actually making sure that people
pay consequences for these crimes?
Mr. Burke. Congressman, I think that--I think we are
starting to see a change in the trends, but as is often the
case in local prosecutor, State and Federal prosecution, they
have quite a lot on their table, and oftentimes, they will put
dollar restrictions or dollar limitations that a case would
have to be over, say, $50,000 for it to be accepted for
prosecution, and that varies, and of course, each case stands
in and of itself. From an investigator's standpoint, certainly
you are not going to get to me to say that every perpetrator
that commits identity theft, or any crime for that matter, gets
a fair and just sentence, because certainly as investigators,
we would like to see them get as much as possible.
Oftentimes, some of the groups, as was mentioned by the
State Police, are organized ethnic groups, and then you are
dealing with Federal entities like the INS and all, and you can
identify these people, and quite honestly, sometimes, they are
deported and back several years later. You run into them again.
So, I think we can go a long way to come up with uniform
sentencing guidelines. Certainly, there is, in the Federal
Government sentencing guidelines, but they are not always
applied equally, because of the size of the case and other
considerations.
Mr. Greenwood. Anyone else wish to comment on that?
Mr. Periandi. I would say I tend to agree, if we take Mrs.
Kane's example, an individual who perpetuates an identity theft
generally is perpetuating it on numerous individuals, so it
makes sense to prosecute that individual where they are
located. In her case, it was in Schenectady, New York. However,
I think we recognize that if that individual would have been
extradited to Bucks County and tried here, where the victim
resides, and where the victim would be identified, or the
judges and the court system would identify with the victim, the
probability for a stronger, harsher sentence and to actually
server that stronger, harsher sentence is increased. So, we
really need to work between the states to ensure that when that
case is prosecuted in Schenectady, New York, that somehow, we
drive home the same kind of identity with the victim and the
emotions associated with what would happen if that individual
were tried here in Bucks County, and I think it does come to
some type of standard sentencing, but you know, I don't know
how you do that in 50 individual states without impacting
states' rights issues from the Federal level.
Mr. Greenwood. Ms. Kane talked about the fact that the
people prosecuting the case really didn't stay much in touch
with her, that the banks had experienced the actual financial
losses, so they hired an investigator, and then they gave that
information to law enforcement, but that she was pretty much
out of the loop and didn't have the opportunity to ever to
confront the woman who had defrauded her, or to observe the
trial, testify at the trial. What is the state-of-the-art
today? Are we seeing your agencies, those of you particularly
in the criminal side of this thing, actually staying and
recognizing that the victim is not just the finance institution
but the person whose identity has been stolen and keeping in
touch with that person, or keeping them in the loop?
Mr. Periandi. We try to, Mr. Chairman, but that really is a
function of the prosecutor's office, and what we have found,
particularly if the prosecutor is in touch with the victim, at
least specifically during the sentencing stage, that that is
very helpful to have the victim present and able to testify
prior to sentencing, or just say a few words to the Court prior
to sentencing. But we certainly will reach out to victims when
the case proceeds to that particular point, as long as we are
notified, again, by the prosecutor's office, but that really
becomes their function at that point.
Mr. Greenwood. Ms. Broder, let me ask you, much has been
mentioned of the FACT Act today. Does the FTC feel that the
U.S. Congress has completed its work on identity theft, or is
there more to do?
Ms. Broder. Well, in light of the 18 rulemaking, studies
and reports, we think they have done enough for the time being.
This is--it has been a dramatic change through the FACT Act,
and substantial changes will take place in the financial
industries as well, and I think this, speaking for myself here,
is the right step, and then we see what effect these changes
have on the incidence of identity theft and the recovery of
victims, and if this is not adequate, I think it is time to go
back to the drawing board, but for the time being, it seems
like a very comprehensive approach to the problem, sir.
Mr. Greenwood. Congress has given you a lot of work to do.
Has Congress given you enough resources to do it?
Ms. Broder. I think we are well prepared to take on these
tasks, Mr. Chairman. Part of our program is to leverage our
resources so that we make our resources available to others.
That is the whole idea behind the training of local law
enforcement. Let them convey our message as well. We do that
also through the credit reporting agencies and the financial
institutions. We make all of our publications available on a
CD-ROM, English and Spanish, the books, the affidavit, so that
other agencies, banks, can print them as well, put their names
on the front cover. We don't care, as long as they get the
message out. So for the time being, I think we are okay. Thank
you very much.
Mr. Greenwood. The--when we heard about the Red Cross and
the folks using the information on blood supplies, I though
that was about as low as it could go, until we learned about
the Medical Examiner's employees gleaning information from dead
bodies. How did the perpetrators achieve that crime, accomplish
that crime?
Mr. Burke. Well, they--the pedigree of the information they
got, actually, from my understanding, is the credit card from
the deceased, and then once they had that----
Mr. Greenwood. So they actually go through the wallets of--
--
Mr. Burke. They go through the personal belongings of the
deceased, and of course, once you have that basic data, then
you can build your fraudulent activity from there.
Mr. Greenwood. That is as low as you can go.
Mr. Burke. I would say it is, sir.
Mr. Greenwood. You also talked in your testimony, Mr.
Burke, about individuals purchasing commercial grade credit
card embossing machines over the Internet. Is anyone looking
at--there are so many purchases you can make over the Internet
now, of a very illegal nature, and at least--ways to access all
kinds of tools for committing crimes, and this is the latest
one that I have heard of. Is anyone taking action to try to
limit the access, the availability of this equipment?
Mr. Burke. Not--certainly not the Inspection Service. What
I have here, Congressman, is a copy of--one of our Inspectors
downloaded this. This is the same website, and there is an
embosser there, so I can give it to your----
Mr. Greenwood. Okay. Well, the staff will pick that up
after the hearing. And I think that is something that should be
pursued. It would be interesting to know whether the actual
manufacturers are marketing their products this way, and why
they would do that. Maybe they have a perfectly legitimate
reason, but it seems that that is the kind of equipment that is
very dangerous, obviously, in the hands of the wrong
individuals, and we need to be careful with that. Let me just
see if I have another kind of question that needs to be asked.
Well, I think we have gone long enough, and I do thank all of
the witnesses in this last panel as well as all of the
witnesses throughout this hearing the last several hours. It is
a big help. Our intent here is twofold, one is to use the media
that is here to help inform the public in this region of the
precautions that they need to take and what they should do if
they are victims, and the others to see what kinds of tasks
that may lay before Congress and if it is not giving more
authority to the FTC, it may be pursuing issues like the
availability of this kind of equipment on the Internet. So with
that, I would also like to thank Ms. Washington, to my right,
who as the counsel for this committee, and my staff and the
District and Washington for helping this--organize this
hearing, and it is now adjourned.
[Whereupon, at 1:14 p.m., the subcommittee was adjourned.]
�