[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



      PROTECTING THE PRIVACY OF CONSUMERS' SOCIAL SECURITY NUMBERS

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                COMMERCE, TRADE, AND CONSUMER PROTECTION

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 28, 2004

                               __________

                           Serial No. 108-128

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house

                               __________



                     U.S. GOVERNMENT PRINTING OFFICE
96-100PDF                 WASHINGTON : 2004






                    COMMITTEE ON ENERGY AND COMMERCE

                      JOE BARTON, Texas, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
RALPH M. HALL, Texas                   Ranking Member
MICHAEL BILIRAKIS, Florida           HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio                EDOLPHUS TOWNS, New York
JAMES C. GREENWOOD, Pennsylvania     FRANK PALLONE, Jr., New Jersey
CHRISTOPHER COX, California          SHERROD BROWN, Ohio
NATHAN DEAL, Georgia                 BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
CHARLIE NORWOOD, Georgia             ANNA G. ESHOO, California
BARBARA CUBIN, Wyoming               BART STUPAK, Michigan
JOHN SHIMKUS, Illinois               ELIOT L. ENGEL, New York
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES W. ``CHIP'' PICKERING,       KAREN McCARTHY, Missouri
Mississippi, Vice Chairman           TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
STEVE BUYER, Indiana                 LOIS CAPPS, California
GEORGE RADANOVICH, California        MICHAEL F. DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire       CHRISTOPHER JOHN, Louisiana
JOSEPH R. PITTS, Pennsylvania        TOM ALLEN, Maine
MARY BONO, California                JIM DAVIS, Florida
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
LEE TERRY, Nebraska                  HILDA L. SOLIS, California
MIKE FERGUSON, New Jersey            CHARLES A. GONZALEZ, Texas
MIKE ROGERS, Michigan
DARRELL E. ISSA, California
C.L. ``BUTCH'' OTTER, Idaho
JOHN SULLIVAN, Oklahoma

                      Bud Albright, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

        Subcommittee on Commerce, Trade, and Consumer Protection

                    CLIFF STEARNS, Florida, Chairman

FRED UPTON, Michigan                 JANICE D. SCHAKOWSKY, Illinois
ED WHITFIELD, Kentucky                 Ranking Member
BARBARA CUBIN, Wyoming               CHARLES A. GONZALEZ, Texas
JOHN SHIMKUS, Illinois               EDOLPHUS TOWNS, New York
JOHN B. SHADEGG, Arizona             SHERROD BROWN, Ohio
  Vice Chairman                      PETER DEUTSCH, Florida
GEORGE RADANOVICH, California        BOBBY L. RUSH, Illinois
CHARLES F. BASS, New Hampshire       BART STUPAK, Michigan
JOSEPH R. PITTS, Pennsylvania        GENE GREEN, Texas
MARY BONO, California                KAREN McCARTHY, Missouri
LEE TERRY, Nebraska                  TED STRICKLAND, Ohio
MIKE FERGUSON, New Jersey            DIANA DeGETTE, Colorado
DARRELL E. ISSA, California          JIM DAVIS, Florida
C.L. ``BUTCH'' OTTER, Idaho          JOHN D. DINGELL, Michigan,
JOHN SULLIVAN, Oklahoma                (Ex Officio)
JOE BARTON, Texas,
  (Ex Officio)





                            C O N T E N T S

                               __________

Testimony of:
    Bovbjerg, Barbara, Director, Education, Workforce and Income 
      Security, Government Accountability Office
    Hoofnagle, Chris Jay, Associate Director, Electronic Privacy 
      Information Center
    Leary, Thomas B., Commissioner, Federal Trade Commission
Additional material submitted for the record:
    ACA International, prepared statement of
    Financial Services Coordinating Council, prepared statement of
    Leary, Thomas B., Commissioner, Federal Trade Commission, 
      letter dated October 20, 2004, enclosing response for the 
      record
    O'Carroll, Patrick P., Jr., Acting Inspector General, Social 
      Security Administration, prepared statement of


  

 
      PROTECTING THE PRIVACY OF CONSUMERS' SOCIAL SECURITY NUMBERS

                              ----------                              


                      TUESDAY, SEPTEMBER 28, 2004

              House of Representatives,    
              Committee on Energy and Commerce,    
                       Subcommittee on Commerce, Trade,    
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2123, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman) presiding.
    Members present: Representatives Stearns, Barton (ex 
officio), Schakowsky, and Green.
    Also present: Representative Shaw.
    Staff present: David Cavicke, majority counsel; Chris 
Leahy, policy coordinator; Shannon Jacquot, majority counsel; 
Brian McCullough, majority professional staff member; William 
Harvard, legislative clerk; and Ashley Groesbeck, minority 
research assistant.
    Mr. Stearns. The subcommittee will come to order.
    Good afternoon. I am pleased to hold this important hearing 
on H.R. 2971, the Social Security Privacy Identity Theft 
Prevention Act of 2003. The committee received a referral on 
the bill, and this subcommittee will take a good look at the 
issues which surround this legislation.
    My colleague from Florida, Congressman Shaw, has done a 
great deal of work on this bill and in this area. I commend him 
for his work as an advocate for protecting the privacy of 
consumers and maintaining the integrity of Social Security 
numbers.
    Balancing the benefits that accrue to consumers from 
private use of Social Security numbers with the harm caused by 
identity theft is a difficult feat. Now, my colleagues, 
identity theft is a very important consumer protection issue. 
Federal Trade Commission data indicates in a 1-year period, 
from September 2002 to September 2003, over 10 million people 
were victims of identity theft. That also means 297 million 
hours were spent in the year 2003 cleaning up the identity 
theft problem. So people talk about the numbers in terms of 
people and money spent, but the hours are also a great deal.
    I also point out that the losses to businesses were $48 
billion in 2003 and $5 billion in 2003 to individuals. So, 
frankly, this is a significant cost to consumers and businesses 
both in terms of money lost and time spent trying to clear up 
their names and, obviously, correct their credit reports.
    The Federal Trade Commission has done a tremendous job in 
gathering important statistical information regarding identity 
theft. This will help us in policy decisions we have to make as 
legislators. I look forward to a general update from the 
Federal Trade Commission on the state of identity theft today 
and would like to hear what ideas the Commission itself has for 
reducing the occurrence of this problem.
    This committee has extensive knowledge on issues relating 
to information privacy and information security. In fact, 
ladies and gentlemen, this will be my eighth privacy hearing on 
this subcommittee in the past 3 years dealing with privacy and 
information security. I have a privacy bill, which I introduced 
in the 170th Congress and which the committee has had extensive 
dialog on, providing privacy and security protection for Social 
Security numbers and other personal identifiable information. 
So I will continue to work on this problem in this Congress 
and, God willing, the next Congress.
    The anti-spyware bill that was reported by the full 
committee in July also came through this subcommittee, provides 
for strong enforcement against spyware practices that, frankly, 
facilitate identity theft. Phishing and keystroke logging are 
explicitly prohibited in the bill, and the bill provides that 
the Federal Trade Commission will have strong enforcement tools 
to go after these practices. We expect this spyware to be voted 
in the House this week, hopefully, on the floor under 
suspension.
    So our subcommittee and Congresswoman Mary Bono, who 
authored the bill and went through our committee, and the great 
staff we have have made this possible. So we are hoping it will 
be on the floor this week.
    I know the chairman of the full committee, Joe Barton, has 
intense interest in information and privacy; and I expect this 
committee will continue to work on it in the 109th Congress.
    The heart of this committee's jurisdiction over H.R. 2971 
obviously is the Federal Trade Commission and its enforcement 
practices, and that is going to be a piece of this legislation. 
That provision makes it an unfair and deceptive act or practice 
under the Federal Trade Commission for any person to refuse to 
do business with an individual because the individual will not 
consent to that person's receipt of his personal Social 
Security number. The section provides an exception for any case 
in which a business is required by law to submit to the Federal 
Government the consumer's Social Security number.
    I ask our panel whether there are any other uses of Social 
Security numbers that are outlawed by this provision but, given 
appropriate safeguards, would be of benefit to consumers. That 
perhaps is one thing you will need to address. I would like to 
know from this panel what types of information security 
practice should be implemented when Social Security numbers are 
exchanged. So I look forward to a frank discussion on this bill 
at this hearing.
    We have a distinguished panel of experts to educate us 
about this identity theft, privacy in general and importance of 
the integrity of Social Security numbers. I thank the witness 
from the Federal Trade Commission, and I thank GAO and EPIC for 
their participation today.
    With that, I welcome the opening statement of the ranking 
member, the gentlelady, Ms. Schakowsky.
    Ms. Schakowsky. Thank you, Chairman Stearns, and thank you 
for holding today's hearing on H.R. 2971, the Social Security 
Number Privacy and Identity Theft Protection Act. This bill, 
which would restrict what both the public and private sectors 
can do with Social Security numbers, is an important tool in 
the fight against identity theft.
    Identity theft, as you mentioned, Mr. Chairman, is one of 
the fastest-growing financial crimes in the United States, with 
the number of victims doubling each year over the past 3 years. 
As the Federal Trade Commission reports, in 2003, there were 
nearly 10 million Americans victimized by this crime. Over the 
past 5 years, there have been 27 million victims. Both of our 
States, Chairman Stearns, rank in the top ten for identity 
theft occurrences. Florida is fifth, and Illinois is ninth.
    Although nearly half of the victims do not know how their 
personal information was stolen, we do know that Social 
Security numbers are one of the most important means that 
identity thieves use to financially establish themselves as 
someone else. When we consider what the financial door of 
Social Security numbers can unlock and the pervasiveness of the 
use of these numbers, then the rising number of occurrences of 
identity theft should come as no surprise.
    As we have all personally experienced, everyone wants our 
Social Security number. It is not just when we open a bank 
account or apply for a credit card or even when we accept a new 
job. Our Social Security number is requested when we get an 
insurance policy, open a new phone account, or sign a lease.
    So many times when we establish a business relationship, 
the other party wants our number, whether there is a legitimate 
need for it or not. Most times, consumers provide it. We feel 
we have to do so. But we are so used to being asked for our 
Social Security number that we may not give enough thought to 
what the other party might do with it. That company may sell 
them. The numbers may be transmitted over the Internet for 
legitimate purposes but may not be protected in those 
transmissions. Our new accounts may be linked to our Social 
Security numbers. The numbers may be displayed on forms or 
files that are not adequately protected.
    These possibilities should give everyone pause. If we can 
limit how other parties, public and private, use our numbers, 
then we can establish a good framework to prevent the misuse of 
the key to our personal financial information.
    We know that identity theft is financially and emotionally 
devastating. It can take years to discover that one has been 
victimized or even longer to repair that damage. That is why I 
am very pleased we are considering H.R. 2971 today.
    Again, it is truly an important start. However, I also 
believe that we can and need to do more. We, as government 
officials, need to make sure there are adequate resources for 
consumers both to prevent them from becoming victims and to 
help them if they are victimized. We need to make sure we are 
also helping consumers protect themselves by giving them the 
information they need to do so. We need to make sure everyone 
knows how to check their credit reports regularly. That is how 
most people find out that they were victimized. We need to make 
sure that there is help available for victims to recover their 
losses and to clean up their credit reports with as little 
hassle and frustration as possible. We need to be as proactive 
and responsive as we can.
    I look forward to continuing the conversation about what we 
need to do; and, although we have a small panel of witnesses 
before our subcommittee, I am pleased you could join us today. 
I look forward to hearing from you.
    [Additional statements submitted for the record follow:]
   Prepared Statement of Hon. George Radanovich, a Representative in 
                 Congress from the State of California
    Mr. Chairman, I would like to thank you for holding this important 
hearing today on the privacy of consumers' social security numbers.
    The social security number was created to identify each U.S. 
citizen for the sole purpose of tracking employment and benefits; 
however, over time our social security number has been used by both 
public and private entities for purposes both related and unrelated to 
the social security program. The usage of this unique identifier has 
benefited both businesses and consumers, but unfortunately it has led 
to misuse and most importantly identity theft.
    The FTC has reported that over 10 million people were victims of 
identity theft in one year and they estimate that this translates into 
upwards of a $48 billion loss for businesses and $5 billion loss for 
consumers, but a price tag cannot be put on the loss of one's 
identity.
    I look forward to hearing our witness' testimony today. Hopefully 
this will help us determine if our current laws are adequate enough to 
protect the integrity of our social security numbers and if not, what 
we need to do to protect them.
                                 ______
                                 
Prepared Statement of Hon. John Sullivan, a Representative in Congress 
                       from the State of Oklahoma
    Thank you, Mr. Chairman, for holding this hearing.
    This is an important issue for the First district of Oklahoma. 
Oklahomans have a firm appreciation for, and dedication to, the concept 
of individual liberty. While we conform to our nation's laws, we demand 
that the federal government respects our liberties and privacy. And 
this includes first and foremost, our social security number.
    The social security number (SSN) was first introduced as a device 
for keeping account of contributions to the Social Security system. 
Through the years, however, the government and the private sector have 
expanded the use of this identifying number. In the view of some, 
including many of my constituents, a person's SSN has essentially 
attained the status of a national identification number. SSN's can be 
required to obtain a driver's license, apply for public assistance, 
donate blood, take out a loan, access insurance records, track down 
student loan defaulters, or compile direct marketing mailing lists. 
Private sector use of the social security number is widespread, and 
continues to be unregulated by the federal government. This is 
unacceptable.
    H.R. 2971, Social Security Number Privacy and Identity Theft 
Prevention Act of 2003, prohibits Federal, State, and local governments 
from requiring the display of SSNs to the general public, displaying 
SSNs on checks, driver's licenses, and motor vehicle registrations. It 
would prohibit from employing prisoners in jobs that provide them with 
access to SSNs. Requiring the transmission of SSNs over the Internet 
without encryption or other security measures would also become 
illegal.
    Additionally, the private sector could not sell, purchase, or 
display a SSN to the general public. Businesses would be discouraged 
from denying services to individuals who refuse to provide their SSNs, 
unless required by law, by subjecting them to penalties under Federal 
law. It would create new criminal and civil penalties for violations of 
this law.
    I strongly support H.R. 2971 and the spirit of liberty it upholds. 
The people of my district, and of all of Oklahoma, commend the 
gentleman Mr. Shaw for his hard work on this bill. I encourage all 
members of this Committee to look at this issue very closely, and to 
support this legislation in order to protect your constituents' 
privacy.
    Thank you, Mr. Chairman.
                                 ______
                                 
 Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy 
                              and Commerce
    Thank you Mr. Chairman for holding this hearing on H.R. 2971, the 
Social Security Privacy and Identity Theft Prevention Act of 2003. The 
Committee received a referral on the bill and we intend to give this 
issue a fair hearing.
    Identity theft is a burgeoning problem for consumers and 
businesses. Approximately 3.23 million consumers were victims of 
identity theft in 2003. Losses to business were estimated at $48 
billion and losses to individuals were estimated at $5 billion. It is 
estimated that in 2003, identity theft victims spent 297 million hours 
trying to clear up the problems and their reputation. Unfortunately, 
the one unique number that can be used to verify an individual can 
create hazardous results when it is in the hands of the wrong people.
    This Committee has a deep bench of experts in the areas of identity 
theft and privacy. Over the past three years, Chairman Stearns has held 
numerous hearings parsing through important issues surrounding 
information privacy. I too have a very strong interest in information 
privacy.
    Representative Shadegg was the author of an important public law, 
the Identity Theft and Assumption Deterrence Act of 1998. That Act has 
provided significant tools for enforcement against identity theft. It 
also directed the Federal Trade Commission to set up an identity theft 
consumer resource center. That center has been a success as it has 
gathered important information regarding identity theft, acted as a 
central repository for complaints, and provided important consumer 
education.
    We have also worked hard at this Committee to shut down new 
electronic means to identity theft. The anti-spyware bill sponsored by 
Representatives Bono and Towns provides the Federal Trade Commission 
with powerful tools against spyware programs, in particular keystroke 
logging programs, used to steal personally identifiable information, 
including a social security number. The bill also includes a 
prohibition against Phishing, the practice of inducing a consumer to 
provide personally identifiable information by misrepresenting the 
identity of the person seeking the information.
    I look forward to hearing from our witnesses today on this 
important topic. Thank you and I yield back.
                                 ______
                                 
  Prepared Statement of Hon. Gene Green, a Representative in Congress 
                        from the State of Texas
    I'd like to thank Chairman Stearns and Ranking member Schakowsky 
for their leadership on this issue.
    I have been a long time supporter of protecting our citizens from 
identity theft. In fact, every year we hold a ``How to Prevent Identity 
Theft'' workshop for senior citizens in our district. This has become 
one of our more popular community events with senior citizens.
    Today's seniors did not grow up in the digital age and new 
technologies can often be confusing. This is why I'm glad to be holding 
this hearing to ensure we protect senior citizens and the rest of us 
from identity theft. Advances in technology have led to advances in 
identity theft and many of the seniors in our district feel vulnerable.
    Our social security numbers are widely used in both the public and 
private sectors. Our medical histories and credit records are often 
tied to our social security number. Given this fact, it is important 
for both the government and the private sector to maintain the highest 
degree of security surrounding these numbers.
    I support limiting the sale of social security numbers to the 
general public. However, I also support each of our ability to access 
those numbers when it comes to checking our own records regarding our 
personal financial histories or medical histories.
    I hope we examine the need to strengthen privacy restrictions 
pertaining to our social security numbers as we move forward with this 
legislation.
    We will hear testimony today that billions of dollars are lost on 
identity theft each year. Both business and consumers lose out when 
identity thieves open bogus accounts and spend money that isn't theirs.
    We need to make sure it's as difficult as possible for people to 
take our money and destroy our credit history.
    I look forward to hearing what we can do to make our social 
security numbers more secure and I thank our panel for coming here 
today to testify.
    Thank you and I yield the balance of my time.

    Mr. Stearns. With that, we will move to our panel, if you 
will come to the table here.
    We have the Honorable Thomas Leary, Commissioner of the 
Federal Trade Commission; and we have Barbara Bovbjerg, 
Director of Education, Workforce and Income Security, 
Government Accountability Office; and Chris J. Hoofnagle, 
Associate Director of Electronic Privacy Information Center. We 
welcome your opening statement.
    Commissioner, we will start with you. Thank you for your 
time, and the floor is yours.

  STATEMENTS OF THOMAS B. LEARY, COMMISSIONER, FEDERAL TRADE 
COMMISSION; BARBARA D. BOVBJERG, DIRECTOR, EDUCATION, WORKFORCE 
  AND INCOME SECURITY, GOVERNMENT ACCOUNTABILITY OFFICE; AND 
  CHRIS JAY HOOFNAGLE, ASSOCIATE DIRECTOR, ELECTRONIC PRIVACY 
                       INFORMATION CENTER

    Mr. Leary. Again, thank you, Mr. Chairman. It is a pleasure 
to be here.
    My written statement has been submitted for the record, and 
that reflects the views collectively of the Commission. My oral 
responses to you are my own.
    As you mentioned in your opening statement--and I won't 
repeat the numbers--identity theft is a significant problem, 
and our data indicate that it is a problem which is growing. 
However, we are heartened somewhat by the fact that most of the 
recent increase seems to involve misuse of existing accounts 
rather than opening new credit lines, which is an activity that 
is somewhat less harmful and somewhat easier for consumers to 
rectify. We also anticipate that the recently enacted Fair and 
Accurate Credit Transactions Act of 2003, FACTA, will make 
inroads into the identity theft problem, but it is much too 
early to see the results.
    We have, as you probably know, a complex rulemaking task 
under that statute. Notice and comment rulemaking is 
necessarily a somewhat lengthy process, and we are still in the 
process. I have a chart that shows the progress of our 
rulemaking thus far. That process is still under way. And of 
course, once the rules are in place, it takes some time for 
business to adjust to a new regime.
    So it is too early to tell now whether or not that statute 
will do what it is intended to do. However, the survey results 
that we have up to now demonstrate the need for a concerted 
effort between the public and the private sectors to reduce 
identity theft.
    A second point. If we focus specifically on Social Security 
numbers, we have to recognize that the effects of their 
disclosure can be beneficial as well as harmful, as you pointed 
out in your opening statement, Mr. Chairman. There is no 
question that identity thieves use the Social Security number 
as the key to access other people's financial resources. ID 
theft will be reduced to the extent we make it hard for 
thieves to get these numbers.
    On the other hand, Social Security numbers are essential 
for the operation of our financial system. Instant access to 
credit, which we all use for both large and small transactions, 
would be compromised if Social Security numbers could not be 
used to match consumers to their financial information.
    We must find, as you pointed out, the proper balance 
between the need to keep Social Security numbers out of the 
hands of identity thieves and the need for businesses to have 
sufficient information to catch fraud and to match financial 
records with the right person. Achievement of this goal depends 
not only on Congress and government agencies but on private 
business initiatives and prudent actions by consumers 
themselves.
    Three, Congress created important new protections in FACTA. 
Many of the provisions of the Fair and Accurate Credit 
Transactions Act of 2003 aim to prevent ID theft and facilitate 
early detection by the victims:
    A, free annual file disclosures. The law requires that 
consumers be given free access to their credit reports 
annually. This will enhance their ability to discover and 
correct errors and detect identity theft early.
    B, National Fraud Alert System. The National Fraud Alert 
System created by this statute will put potential creditors on 
notice that they must proceed with caution when granting credit 
in a consumer's name.
    C, the so-called ``red-flag'' rulemaking, which will 
require financial institutions to analyze identity theft 
patterns.
    And, D, the disposal rule. Rules on the disposal of 
consumer report information and records will help to ensure 
that sensitive consumer information, including Social Security 
numbers, is not simply thrown out with the trash.
    When fully implemented, these provisions should help to 
reduce the incidence of identity theft and help victims recover 
when problems do occur.
    Point four, the role of the Federal Trade Commission. The 
Commission's law enforcement role in this area is limited. We 
do not have criminal authority; and criminal sanctions are, of 
course, the principal deterrent to crimes such as these. Our 
primary role today is to maintain a central repository of ID 
theft complaints for the benefit of other law enforcement 
agencies. We also work with businesses on developing better 
ways to protect valuable consumer information. We have a kit 
available on-line which provides guidance for businesses on 
this subject. The Commission is also required by FACTA to study 
how credit reporting agencies use identifying information to 
match consumers to their credit reports before releasing them.
    And finally, and perhaps most important, are education and 
assistance for consumers. We have published booklets with basic 
information and specific guidelines for actual victims in both 
English and in Spanish. I have brought some samples of these 
booklets today. These have been distributed in the millions. I 
don't have the exact figure, but it is in the millions.
    Mr. Stearns. We will have the staff bring them up so the 
ranking member and I can look at them.
    Mr. Leary. In this area, as in other areas, the consumers 
are better informed; and more wary consumers are always the 
first line of defense.
    In conclusion, let me just say there is no magic bullet 
that will eliminate identity theft. The basic problem is that 
the dissemination of personal identifiers is essential for 
maintaining our financial system that runs on credit, but that 
same information in the wrong hands can cause immense harm. An 
appropriate balance of public and private efforts will help to 
contain the problem, and we in the Commission are determined to 
do our part.
    Thank you very much, Mr. Chairman.
    [The prepared statement of Thomas B. Leary follows:]
Prepared Statement of Hon. Thomas B. Leary, Commissioner, Federal Trade 
                               Commission
        
                          I. INTRODUCTION
    Mr. Chairman, and members of the Subcommittee, I am Commissioner 
Thomas B. Leary of the Federal Trade Commission (``FTC'' or 
``Commission'').\1\ I appreciate the opportunity to present 
the Commission's views on identity theft and Social Security numbers. 
The Federal Trade Commission has a broad mandate to protect consumers, 
and controlling identity theft is an important issue of concern to all 
consumers. Through this testimony, the Commission will describe the 
results of a recent survey on the prevalence and impact of identity 
theft, the ways in which Social Security numbers are collected and 
used, new protections for consumers and identity theft victims, and the 
Commission's identity theft program.
---------------------------------------------------------------------------
    \1\ The views expressed in this statement represent the views of 
the Commission. My oral presentation and responses to questions are my 
own and do not necessarily represent the views of the Commission or any 
other Commissioner.
---------------------------------------------------------------------------

             II. UNDERSTANDING THE IMPACT OF IDENTITY THEFT
    On November 1, 1999, the Commission began collecting identity theft 
complaints from consumers in its national database, the Identity Theft 
Data Clearinghouse (the ``Clearinghouse'').\2\ Every year
since has seen an increase in complaints.\3\ The Clearinghouse
now contains over 666,000 identity theft complaints taken from victims
across the country. By themselves, though, these self-reported data do not
allow the FTC to draw any firm conclusions about the incidence of 
identity theft in the general population. To address this important 
issue, the FTC commissioned a survey last year to gain a better picture 
of the incidence of identity theft and the impact of the crime on its 
victims.\4\ The results were startling. The data showed that
within the 12 months preceding the survey, 3.23 million persons 
discovered that an identity thief opened new accounts in their names. 
An additional 6.6 million consumers learned of the misuse of an 
existing account.\5\ Overall, nearly 10 million people--or 4.6
percent of the adult population--discovered that they were victims of 
some form of identity theft. These numbers translate to nearly $48 
billion in losses to businesses, nearly $5 billion in losses to 
individual victims, and almost 300 million hours spent by victims 
trying to resolve their problems.
---------------------------------------------------------------------------
    \2\ See infra Section V for a discussion of the Commission's 
mandate to maintain an identity theft complaint database pursuant to 
the 1998 Identity Theft Assumption and Deterrence Act.
    \3\ Charts that summarize data from the Clearinghouse can be found
at http://www.consumer.gov/idtheft/stats.html and
http://www.consumer.gov/sentinel/index.html.
    \4\ The research took place during March and April 2003. It was 
conducted by Synovate, a private research firm, and involved a random 
sample telephone survey of over 4,000 U.S. adults. The full report of 
the survey can be found at http://www.consumer.gov/idtheft/stats.html.
    \5\ These 6.6 million victims include 5.1 million victims who 
experienced only the unauthorized use of their existing credit card 
accounts, and 1.5 million who reported the misuse of other existing 
accounts, such as their checking or telecommunications accounts. Of the 
cases involving only the misuse of existing credit cards, 26% of the 
victims (which represents 4.6% of all identity theft victims) reported 
that the suspect was a family member. Some in the financial services 
industry do not consider unauthorized use of existing credit card 
accounts ``identity theft'' unless accompanied by an ``account 
takeover,'' meaning that the thief has impersonated the victim to the 
credit card issuer and has taken actions such as changing the victim's 
billing address, having a replacement or additional credit card sent 
out, or changing the victim's password. Federal criminal law, however, 
defines identity theft to include the misuse of existing accounts. 18 
U.S.C. Sec. 1028(a)(7). Of the 5.1 million victims reporting only the 
unauthorized use of an existing credit card account, 16% reported 
account takeover.
---------------------------------------------------------------------------
    Moreover, identity theft is a growing crime. The survey indicated a 
significant increase in the previous 2-3 years--nearly a doubling from 
one year to the next, although the research showed that this increase 
has recently slowed. Notably, this recent increase primarily involved 
the misuse of an existing account, which tends to cause less economic 
injury to victims and is generally easier for them to identify and fix. 
Overall, the 2003 survey analysis puts the incidence rates of identity 
theft into sharper focus, and demonstrates the need for a concerted 
effort between the public and private sectors to act aggressively to 
reduce identity theft.

          III. SOCIAL SECURITY NUMBER USES AND IDENTITY THEFT
    Social Security numbers play a pivotal role in identity theft. 
Identity thieves use the Social Security number as a key to access the 
financial benefits available to their victims. Preventing identity 
thieves from obtaining Social Security numbers will help to protect 
consumers from this pernicious crime. The potential for misuse arises 
because Social Security numbers are crucial to the proper functioning 
of our financial system. Social Security numbers are used to match 
consumers to their credit and other financial information. Without 
them, information may be attributed to the wrong consumer, and the 
accuracy of credit reports may be degraded. Enabling Social Security 
numbers to be used appropriately will help to ensure that consumers 
continue to enjoy the benefits of our current credit system. The 
Commission is studying ``the efficacy of increasing the number of 
points of identifying information that a credit reporting agency is 
required to match to ensure that a consumer is the correct individual 
to whom a consumer report relates before releasing a consumer report to 
a user'' as required by the Fair and Accurate Credit Transactions Act 
of 2003.\6\ This study, to be completed by December, 2004,
should greatly increase our knowledge of the importance of Social 
Security numbers in the matching process. The Commission looks forward 
to reporting its findings to Congress.
---------------------------------------------------------------------------
    \6\ Pub. L. No. 108-159, Sec. 318 (2003).
---------------------------------------------------------------------------
    Social Security numbers are collected by public and private 
entities for various purposes, and several federal and state laws 
restrict the use or disclosure of Social Security numbers, depending on 
the source.\7\ The nationwide credit bureaus are primary
private sources of Social Security numbers, collecting information from 
financial institutions for credit reporting purposes. This information 
typically includes a consumer's identifying information--such as name, 
address, and Social Security number--as well as information related to 
the consumer's credit accounts. The identifying information collected 
by the credit bureaus is one of the most reliable and comprehensive 
sources of this information, because individuals tend to provide their 
financial institutions with accurate and up-to-date identifying 
information and the credit bureau databases contain information for 
over 200 million consumers.\8\
---------------------------------------------------------------------------
    \7\ As GAO has reported, government and commercial entities use 
Social Security numbers for a number of different purposes, including 
to verify the eligibility of applicants, manage records, and conduct 
research. U.S. General Accounting Office, Social Security: Government 
and Commercial Use of the Social Security Number is Widespread, GAO/
HEHS-99-28 (Washington, D.C.: Feb. 16, 1999) and Social Security 
Numbers: Government Benefits from SSN Use but Could Provide Better 
Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002). As examined in 
GAO's most recent report of January 2004, information resellers, 
consumer reporting agencies, and health care organizations obtain 
social security numbers both directly from consumers and other 
businesses, and the entities use them for various purposes, including 
identification and to match the consumer to information stored in the 
consumer's credit report. See U.S. General Accounting Office, Social 
Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs 
and Laws Limit the Disclosure of This Information, GAO-04-11 
(Washington, D.C.: Jan. 22, 2004).
    \8\ See Consumer Data Industry Association's Web site, available at 
http://www.cdiaonline.org/about.cfm.
---------------------------------------------------------------------------
    The Gramm-Leach-Bliley Act (``GLBA'') \9\ imposes certain
restrictions on the reuse and redisclosure of the identifying
information--including Social Security numbers--that is collected by
credit bureaus from financial institutions.\10\ As a general
matter, the GLBA prohibits financial institutions from disclosing
nonpublic personal information (``NPI'') to nonaffiliated third parties
without first providing consumers with notice and the opportunity to
opt out of such disclosure. This general restriction, however, is
subject to certain exceptions. The information may flow from financial
institutions to others for certain purposes specified in the statute
and rule, including, for example, to process transactions or to report
consumer information to credit bureaus.\11\ When information
is disclosed under these GLBA exceptions, the recipient may not use or
disclose that NPI except ``in the ordinary course of business to carry
out the activity covered by the exception under which . . . the
information [was received].'' \12\
---------------------------------------------------------------------------
    \9\ 15 U.S.C. Sec. 6801 et seq.
    \10\ The GLBA applies to any ``nonpublic personal information'' 
(``NPI'') that a financial institution collects about an individual in 
connection with providing a financial product or service to an 
individual, unless that information is otherwise publicly available. 
This includes basic identifying information about individuals, such as 
name, Social Security number, address, telephone number, mother's 
maiden name, and prior addresses. See, e.g., 65 Fed. Reg. 33,646, 33680 
(May 24, 2000) (the FTC's Privacy Rule). This identifying information 
generally is not covered by the Fair Credit Reporting Act. See FTC v. 
Trans Union, Dkt. 9255, Op. of the Commission at pp. 30-31 (Mar. 1, 
2000) (holding that consumer name, Social Security number, address, 
telephone number, and mother's maiden name do not constitute a consumer 
report under the FCRA).
    \11\ These exceptions are found in Sec. 502(e) of the GLBA, and in 
Sec. Sec. 313.14 and 313.15 of the FTC's privacy rule. The other GLBA privacy
rules contain substantially similar provisions. The Sec. 313.14 exceptions 
relate to the processing and servicing of transactions at the 
consumer's request, and the Sec. 313.15 exceptions contain a broad range 
of unrelated exceptions, such as preventing fraud, assisting law 
enforcement, complying with subpoenas, and reporting to credit bureaus. 
Section 313.13 also contains an exception to the notice and opt out 
requirement, but that section is not relevant here because it relates 
to contractual arrangements with service providers and joint marketers.
    \12\ 16 C.F.R. 313.11(a)(1)(iii), (c)(3) (2000).
---------------------------------------------------------------------------

             IV. NEW PROTECTIONS FOR IDENTITY THEFT VICTIMS
    On December 4, 2003, the Fair and Accurate Credit Transactions Act 
of 2003 (``FACTA'') was enacted.\13\ Many of the provisions
amend the Fair Credit Reporting Act (``FCRA''),\14\ and
provide new and important measures to prevent identity theft and
facilitate identity theft victims' recovery. Some of these measures
will take effect this year.\15\ They will codify many of the
voluntary measures initiated by the private sector and improve other 
recovery procedures already in place.
---------------------------------------------------------------------------
    \13\ Pub. L. No. 108-159 (2003) (codified at 15 U.S.C. Sec. 1681 et 
seq.).
    \14\ 15 U.S.C. Sec. 1681 et seq.
    \15\ The statute set effective dates for certain sections and 
required the Commission and the Federal Reserve Board jointly to set 
effective dates for the remaining sections. See Effective Dates for the 
Fair and Accurate Credit Transactions Act of 2003, 16 C.F.R. Sec. 602.1 
(2004).
---------------------------------------------------------------------------
    One prominent benefit of these amendments to the FCRA is the 
greater access to free consumer reports.\16\ Previously under
the FCRA, consumers were entitled to a free consumer report only under
limited circumstances.\17\ Beginning in December of this year
with a regional rollout, nationwide and nationwide specialty consumer
reporting agencies \18\ must provide free credit reports to
consumers once annually, upon request.\19\ Free reports will
enhance consumers' ability to discover and correct errors, thereby 
improving the accuracy of the system, and also enable consumers to 
detect identity theft early.
---------------------------------------------------------------------------
    \16\ Pub. L. No. 108-159, Sec. 211 (2003).
    \17\ Previously, free reports were available only pursuant to the 
FCRA when the consumer suffered adverse action, believed that 
fraudulent information may be in his or her credit file, was 
unemployed, or was on welfare. Absent one of these exceptions, 
consumers had to pay a statutory ``reasonable charge'' for a file 
disclosure; this fee is set each year by the Commission and is 
currently $9. See 15 U.S.C. Sec. 1681j. In addition, a small number of 
states required the CRAs to provide free annual reports to consumers at 
their request.
    \18\ Section 603(w) of the FCRA defines a ``nationwide specialty 
consumer reporting agency'' as a consumer reporting agency that 
compiles and maintains files on consumers relating to medical records 
or payments, residential or tenant history, check writing history, 
employment history, or insurance claims, on a nationwide basis. 15 
U.S.C. Sec. 1681a(w).
    \19\ See Free Annual File Disclosures, 16 C.F.R. Sec. Sec. 610.1 and 698.1
(2004).
---------------------------------------------------------------------------
    Other measures that act to prevent identity theft include:

 National fraud alert system: \20\ Consumers who reasonably
        suspect they have been or may be victimized by identity theft,
        or who are military personnel on active duty away from
        home,\21\ can place an alert on their credit files.
        The alert will put potential creditors on notice that they must 
        proceed with caution when granting credit in the consumer's 
        name. The provision also codified and standardized the ``joint 
        fraud alert'' initiative administered by the three major credit 
        reporting agencies. After receiving a request from an identity 
        theft victim for the placement of a fraud alert on his or her 
        consumer report and for a copy of that report, each credit 
        reporting agency now shares that request with the other two 
        nationwide credit reporting agencies, thereby eliminating the 
        need for the victim to contact each of the three agencies 
        separately.
---------------------------------------------------------------------------
    \20\ Pub. L. No. 108-159, Sec. 112 (2003).
    \21\ The Commission is developing a rule on the duration of this 
active duty alert. See Related Identity Theft Definitions, Duration of 
Active Duty Alerts, and Appropriate Proof of Identity Under the Fair 
Credit Reporting Act, 69 Fed. Reg. 23370, 23372 (April 28, 2004) (to be 
codified at 16 C.F.R. pt. 613).
---------------------------------------------------------------------------
 Truncation of credit and debit card receipts: \22\ In some
        instances, identity theft results from thieves obtaining access 
        to account numbers on credit card receipts. FACTA seeks to 
        reduce this source of fraud by requiring merchants to truncate 
        the full card number on electronic receipts. The use of 
        truncation technology is becoming widespread, and some card 
        issuers already require merchants to truncate.\23\
---------------------------------------------------------------------------
    \22\ Pub. L. No. 108-159, Sec. 113 (2003).
    \23\ FACTA creates a phase-in period to allow for the replacement 
of existing equipment.
---------------------------------------------------------------------------
 ``Red flag'' indicators of identity theft: \24\ The banking
        regulators and the FTC will jointly develop a rule to identify 
        and maintain a list of ``red flag'' indicators of identity 
        theft. The goal of this provision is for financial institutions 
        and creditors to analyze identity theft patterns and practices 
        so that they can take appropriate action to prevent this crime.
---------------------------------------------------------------------------
    \24\ Pub. L. No. 108-159, Sec. 114 (2003).
---------------------------------------------------------------------------
 Disposal of Consumer Report Information and Records: \25\
        The banking regulators and the FTC are coordinating a
        rulemaking to require proper disposal of consumer information
        derived from consumer reports.\26\ This requirement
        will help to ensure that sensitive consumer information,
        including Social Security numbers, is not simply left in a
        trash dumpster, for instance, once a business no longer needs
        the information.\27\
---------------------------------------------------------------------------
    \25\ Id. Sec. 216.
    \26\ Disposal of Consumer Report Information and Records, 69 Fed. 
Reg. 21388 (April 20, 2004) (to be codified at 16 C.F.R. pt. 682).
    \27\ In its outreach materials, the FTC also advises consumers to 
shred any sensitive information before disposing of it.
---------------------------------------------------------------------------
    FACTA also includes measures that will assist victims with their 
recovery. These provisions include:

 Identity theft account blocking: \28\ This provision
        requires credit reporting agencies immediately to cease
        reporting, or block, allegedly fraudulent account information
        on consumer reports when the consumer submits an identity theft
        report,\29\ unless there is reason to believe the
        report is false. Blocking would mitigate the harm to consumers' 
        credit records that can result from identity theft. Credit 
        reporting agencies must also notify information furnishers who 
        must then cease furnishing the fraudulent information and may 
        not sell, transfer, or place for collection the debt resulting 
        from the identity theft.
---------------------------------------------------------------------------
    \28\ Pub. L. No. 108-159, Sec. 152 (2003).
    \29\ The Commission is developing a rule to define the term 
``identity theft report.'' See Related Identity Theft Definitions, 
Duration of Active Duty Alerts, and Appropriate Proof of Identity Under 
the Fair Credit Reporting Act, 69 Fed. Reg. 23370, 23371 (April 28, 
2004) (to be codified at 16 C.F.R. pt. 603).
---------------------------------------------------------------------------
 Information available to victims: \30\ A creditor or other
        business must give victims copies of applications and business 
        records relating to the theft of their identity at the victim's 
        request. This information can assist victims in proving that 
        they are, in fact, victims. For example, they may be better 
        able to prove that the signature on the application is not 
        their signature.
---------------------------------------------------------------------------
    \30\ Pub. L. No. 108-159, Sec. 151 (2003).
---------------------------------------------------------------------------
 Prevention of re-reporting fraudulent information: \31\
        Consumers can provide identity theft reports directly to 
        creditors or other information furnishers to prevent them from 
        continuing to furnish fraudulent information resulting from 
        identity theft to the credit reporting agencies.
---------------------------------------------------------------------------
    \31\ Id. Sec. 154.
---------------------------------------------------------------------------
    When fully implemented, these provisions should help to reduce the 
incidence of identity theft, and help victims recover when the problem 
does occur.

   V. THE FEDERAL TRADE COMMISSION'S ROLE IN COMBATING IDENTITY THEFT
    The FTC's role in combating identity theft derives from the 1998 
Identity Theft Assumption and Deterrence Act (``the Identity Theft 
Act'' or ``the Act'').\32\ The Identity Theft Act strengthened
the criminal laws governing identity theft \33\ and focused on
consumers as victims.\34\ The Act directed the Federal Trade
Commission to establish the federal government's central repository for 
identity theft complaints, to make available and to refer these 
complaints to law enforcement for their investigations, and to provide 
victim assistance and consumer education. Thus, the FTC's role under 
the Act is primarily one of facilitating information sharing among 
public and private entities.\35\
---------------------------------------------------------------------------
    \32\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 
U.S.C. Sec. 1028).
    \33\ 18 U.S.C. Sec. 1028(a)(7) made identity theft a crime by focusing 
on the unlawful use of an individual's ``means of identification,'' 
which broadly includes ``any name or number that may be used, alone or 
in conjunction with any other information, to identify a specific 
individual,'' including, among other things, name, address, Social 
Security number, driver's license number, biometric data, access 
devices (i.e., credit cards), electronic identification number or 
routing code, and telecommunication identifying information.
    \34\ Because individual consumers' financial liability is often 
limited, prior to the passage of the Act, financial institutions, 
rather than individuals, tended to be viewed as the primary victims of 
identity theft. Setting up an assistance process for consumer victims 
is consistent with one of the Act's stated goals: to recognize the 
individual victims of identity theft. See S. Rep. No. 105-274, at 4 
(1998).
    \35\ Most identity theft cases are best addressed through criminal 
prosecution. The FTC itself has no direct criminal law enforcement 
authority. Under its civil law enforcement authority provided by 
Section 5 of the FTC Act, the Commission may, in appropriate cases, 
bring actions to stop practices that involve or facilitate identity 
theft. See, e.g., FTC v. Corporate Marketing Solutions, Inc., CIV-02 
1256 PHX RCB (D. Ariz. Feb. 3, 2003) (final order) (defendants 
``pretexted'' personal information from consumers and engaged in 
unauthorized billing of consumers' credit cards); FTC v. C.J., CIV-03 
5275 GHK (RZx) (C.D. Cal. July 24, 2003) (final order); FTC v. Hill, 
CV-H-03-5537 (S.D. Tex. Dec. 3, 2003) (final order); and FTC v. M.M., 
CV-04-2086 (E.D.N.Y. May 18, 2004) (final order) (defendants sent 
``phishing'' spam purporting to come from AOL or Paypal and created 
look-alike websites to obtain credit card numbers and other financial 
data from consumers that defendants used for unauthorized online 
purchases). In addition, the FTC brought six complaints against 
marketers for purporting to sell international driver's permits that 
could be used to facilitate identity theft. Press Release, Federal 
Trade Commission, FTC Targets Sellers Who Deceptively Marketed 
International Driver's Permits over the Internet and via Spam (Jan. 16, 
2003) (at http://www.ftc.gov/opa/2003/01/idpfinal.htm).
---------------------------------------------------------------------------
    To fulfill the Act's mandate, the Commission implemented a program 
that focuses on three principal components: (1) collecting complaints 
and providing victim assistance through a telephone hotline and a 
dedicated website, (2) maintaining and promoting the Clearinghouse, a 
centralized database of victim complaints that serves as an 
investigative tool for law enforcement, and (3) outreach and education 
to consumers, law enforcement, and private industry.
A. Assisting Identity Theft Victims
    The Commission takes complaints from victims through a toll-free 
hotline, 1-877-ID THEFT (438-4338),\36\ and a secure online
complaint form on its website, www.consumer.gov/idtheft. In addition, 
the FTC provides advice on recovery from identity theft. Callers to the 
hotline receive telephone counseling from specially trained personnel 
who provide general information about identity theft and help guide 
victims through the steps needed to resolve the problems resulting from 
the misuse of their identities.\37\ Victims are currently
advised to: \38\ (1) obtain copies of their credit reports
from the three national consumer reporting agencies and have a fraud
alert placed on their credit reports; \39\ (2) contact each of
the creditors or service providers where the identity thief has 
established or accessed an account, to request that the account be 
closed and to dispute any associated charges; and (3) report the 
identity theft to the police and get a police report, which is very 
helpful in demonstrating to would-be creditors and debt collectors that 
the consumers are genuine victims of identity theft.
---------------------------------------------------------------------------
    \36\ The Commission has a separate toll-free line (877-FTC-HELP) to 
serve those with general consumer protection complaints.
    \37\ Spanish speaking counselors are available for callers who 
select the Spanish-language option on the toll-free line.
    \38\ As the relevant provisions of FACTA become effective, the 
Commission will update its advice to victims on their new rights and 
procedures for recovery.
    \39\ These fraud alerts indicate that the consumer is to be 
contacted before new credit is issued in that consumer's name.
---------------------------------------------------------------------------
    Counselors also advise victims having particular problems about 
their rights under relevant consumer credit laws including the 
FCRA,\40\ the Fair Credit Billing Act,\41\ the Truth
in Lending Act,\42\ and the Fair Debt Collection Practices
Act.\43\ If another federal agency can assist victims because
the nature of the victims' identity theft falls within such agency's 
jurisdiction, callers also are referred to those agencies.
---------------------------------------------------------------------------
    \40\ 15 U.S.C. Sec. 1681 et seq.
    \41\ Id. Sec. 1666. The Fair Credit Billing Act generally applies to 
``open end'' credit accounts, such as credit cards, revolving charge 
accounts, and overdraft checking accounts. It does not cover 
installment contracts, such as loans or extensions of credit that are 
repaid on a fixed schedule.
    \42\ Id. Sec. 1601 et seq.
    \43\ Id. Sec. 1692 et seq.
---------------------------------------------------------------------------
    The FTC's identity theft website, located at
www.consumer.gov/idtheft, provides equivalent service for those who prefer the immediacy
of an online interaction. The site contains a secure complaint form, 
which allows victims to enter their identity theft information into the 
Clearinghouse. Victims also immediately can read and download all of 
the resources necessary for reclaiming their credit record and good 
name, including the FTC's tremendously successful consumer education 
booklet, Identity Theft: When Bad Things Happen to Your Good 
Name.\44\ The 26-page booklet, now in its fourth edition,
comprehensively covers a range of topics, including the first steps to 
take for victims and how to correct more intensive credit-related 
problems that may result from identity theft. It also describes other 
federal and state resources that are available to victims who may be 
having particular problems as a result of the identity theft. The FTC 
alone has distributed more than 1.4 million copies of the booklet since 
its release in February 2000, and recorded over 1.6 million visits to 
the Web version.\45\
---------------------------------------------------------------------------
    \44\ Identity Theft: When Bad Things Happen to Your Good Name and 
the secure complaint form are available in Spanish.
    \45\ Other government agencies, including the Social Security 
Administration, the SEC, and the FDIC, also have printed and 
distributed copies of Identity Theft: When Bad Things Happen to Your 
Good Name.
---------------------------------------------------------------------------
B. The Identity Theft Data Clearinghouse
    One of the primary purposes of the Identity Theft Act was to enable 
criminal law enforcement agencies to use a single database of victim 
complaints to support their investigations. To ensure that the database 
operates as a national clearinghouse for complaints, the FTC accepts 
complaints from external sources such as other state or federal 
agencies as well as directly from consumers through its call center and 
online complaint form. For example, in February 2001, the Social 
Security Administration Office of Inspector General (SSA-OIG) began 
providing the FTC with complaints from its fraud hotline, significantly 
enriching the FTC's database.
    The Clearinghouse provides a picture of the nature, prevalence, and 
trends of the identity theft victims who submit complaints. The 
Commission publishes annual charts showing the prevalence of identity 
theft complaints by states and by cities.\46\ Law enforcement
and policy makers at all levels of government use these reports to 
better understand the challenges identity theft presents.
---------------------------------------------------------------------------
    \46\ Charts that summarize data from the Clearinghouse can be found
at http://www.consumer.gov/idtheft/stats.html and
http://www.consumer.gov/sentinel/index.html.
---------------------------------------------------------------------------
    Since the inception of the Clearinghouse in July of 2000, more than 
1042 law enforcement agencies, from the federal to the local level, 
have signed up for secure online access to the database. Individual 
investigators within those agencies have the ability to access the 
system from their desktop computers 24 hours a day, seven days a week.
    The Commission actively encourages even greater use of the 
Clearinghouse. Beginning in 2002, in an effort to further expand the 
use of the Clearinghouse among law enforcement, the FTC, in cooperation 
with the Department of Justice, the United States Postal Inspection 
Service, and the United States Secret Service, initiated full day 
identity theft training seminars for state and local law enforcement 
officers. To date, seminars have been held in Washington, D.C., Des 
Moines, Chicago, San Francisco, Las Vegas, Dallas, Phoenix, New York 
City, Seattle, San Antonio, Orlando, Raleigh, Rochester, and Denver. 
The FTC also helped the Kansas and Missouri offices of the U.S. 
Attorney and State Attorney General conduct a training seminar in 
Kansas City. More than 1800 officers have attended these seminars, 
representing more than 680 different agencies. Future seminars are 
being planned for additional cities.
    The FTC staff also developed an identity theft case referral 
program.\47\ The staff creates preliminary investigative
reports by examining significant patterns of identity theft activity in 
the Clearinghouse and refining the data through the use of additional 
investigative resources. Then the staff refers the investigative 
reports to appropriate Financial Crimes Task Forces and other law 
enforcers throughout the country for further investigation and 
potential prosecution. The FTC is aided in this work by its federal law 
enforcement partners, including the United States Secret Service, the 
Federal Bureau of Investigation, and the United States Postal 
Inspection Service. Recently, an FBI analyst has worked intensively 
with the Clearinghouse complaints, using sophisticated analytical 
software to find related complaints and combine the information with 
other data sources available to the FBI.
---------------------------------------------------------------------------
    \47\ The referral program complements the regular use of the 
database by all law enforcers from their desktop computers.
---------------------------------------------------------------------------
C. Outreach and Education
    The Identity Theft Act also directed the FTC to educate consumers 
about identity theft. Recognizing that law enforcement and private 
industry each play an important role in helping consumers both to 
minimize their risk and to recover from identity theft, the FTC 
expanded its outreach and education mission to include these sectors.
    (1) Consumers: The FTC has taken the lead in the development and 
dissemination of comprehensive consumer education materials for victims 
of identity theft and those concerned with preventing this crime. The 
FTC's extensive consumer and business education campaign includes print 
and online materials, media mailings, and radio and television 
interviews. The FTC also maintains the identity theft website, 
www.consumer.gov/idtheft, which includes the publications and links to 
testimony, reports, press releases, identity theft-related state laws, 
and other resources.
    To increase awareness for the average consumer and provide tips for 
minimizing the risk of identity theft, the FTC developed a new primer 
on identity theft, ID Theft: What's It All About?.\48\ Taken 
together with the detailed victim recovery guide, Identity Theft: When 
Bad Things Happen to Your Good Name, the two publications help to 
educate consumers.
---------------------------------------------------------------------------
    \48\ Since its release in May 2003, the FTC has distributed more 
than 972,000 paper copies and over 119,300 web versions, and developed 
a Spanish version.
---------------------------------------------------------------------------
    (2) Law Enforcement: Because law enforcement at the state and local 
level can provide significant practical assistance to victims, the FTC 
places a premium on outreach to such agencies. In addition to the 
training described previously (see infra Section V.B), the staff joined 
with North Carolina's Attorney General Roy Cooper to send letters to 
every other Attorney General about the FTC's identity theft program and 
how each Attorney General could use the resources of the program to 
better assist residents of his or her state. Other outreach initiatives 
include: (i) participation in a ``Roll Call'' video produced by the 
Secret Service, which has been sent to thousands of law enforcement 
departments across the country to instruct officers on identity theft, 
investigative resources, and assisting victims; and (ii) the redesign 
of the FTC's website to include a section for law enforcement with tips 
on how to help victims as well as resources for investigations.
    (3) Industry: The private sector can help with the problem of 
identity theft in several ways. From prevention through better security 
and authentication, to helping victims recover, businesses play a key 
role in reducing the impact of identity theft.
    (a) Information Security Breaches: The FTC works with institutions 
that maintain personal information to identify ways to help keep that 
information safe from identity theft.\49\ In 2002, the FTC 
invited representatives from financial institutions, credit issuers, 
universities, and retailers to an informal roundtable discussion of how 
to prevent unauthorized access to personal information in employee and 
customer records.
---------------------------------------------------------------------------
    \49\ The Commission also has law enforcement authority relating to 
information security. In addition to developing the Disposal Rule 
pursuant to FACTA, see supra Section IV, the Commission also is 
responsible for enforcing its GLBA Safeguards Rule, which requires 
financial institutions under the FTC's jurisdiction to develop and 
implement appropriate physical, technical, and procedural safeguards to 
protect customer information. FTC Safeguards Rule, 16 C.F.R. Sec. 314.1 
(2002). In brief, the Safeguards Rule requires financial institutions 
to develop a written information security plan that includes certain 
elements that are basic to security.
    In the past few years, the FTC has also brought enforcement actions 
against four companies that the Commission alleged made false promises 
about securing sensitive consumer information, in violation of Section 
5 of the FTC Act. 15 U.S.C. Sec. 45(a). These actions resulted in 
settlements with those companies that collected sensitive information 
from consumers while making such promises. Those actions arose out of 
the Commission's finding that these companies' security measures were 
inadequate and their information security claims therefore were 
deceptive. See, e.g., In re Microsoft Corp., FTC Dkt. C-4069, Final 
Decision and Order available at 
http://www.ftc.gov/os/2002/12/microsoftdecision.pdf (Dec. 20, 2002).
---------------------------------------------------------------------------
    As awareness of the FTC's role in identity theft has grown, 
businesses and organizations that have suffered compromises of personal 
information have begun to contact the FTC for assistance.\50\ 
To provide standardized assistance in these types of cases, the FTC 
developed a kit, Information Compromise and the Risk of Identity Theft: 
Guidance for Your Business, that is available on the identity theft 
website. The kit provides advice on contacting consumers, law 
enforcement agencies, business contact information for the three major 
credit reporting agencies, information about contacting the FTC for 
assistance, and a detailed explanation of what information individuals 
need to know to protect themselves from identity theft.
---------------------------------------------------------------------------
    \50\ See, e.g., the incidents involving TriWest (Adam Clymer, 
Officials Say Troops Risk Identity Theft After Burglary, N.Y. Times, 
Jan. 12, 2003, Sec. 1 (Late Edition), at 12) and Ford/Experian (Kathy M. 
Kristof and John J. Goldman, 3 Charged in Identity Theft Case, LA 
Times, Nov. 6, 2002, Main News, Part 1 (Home Edition), at 1).
---------------------------------------------------------------------------
    (b) Victim Assistance: Identity theft victims may spend substantial 
time and effort restoring their good names and financial records. As a 
result, the FTC devotes substantial resources to conducting outreach 
with the private sector on ways to improve victim assistance 
procedures. One such initiative arose from the burdensome requirement 
that victims complete a different fraud affidavit for each different 
creditor with whom the identity thief had opened an 
account.\51\ To reduce that burden, the FTC worked with 
industry and consumer advocates to create a standard form for victims 
to use in resolving identity theft debts. From its release in August 
2001 through April 2004, the FTC has distributed more than 293,000 
print copies of the ID Theft Affidavit. There have also been more than 
643,000 hits to the Web version. The affidavit is available in both 
English and Spanish.
---------------------------------------------------------------------------
    \51\ See ID Theft: When Bad Things Happen to Your Good Name: 
Hearing Before the Subcomm. on Technology, Terrorism and Government 
Information of the Senate Judiciary Comm. 106th Cong. (2000) (statement 
of Mrs. Maureen Mitchell, Identity Theft Victim).
---------------------------------------------------------------------------

                             VI. CONCLUSION
    Identity theft places substantial costs on individuals and 
businesses. The Commission looks forward to working with businesses on 
better ways for them to protect the valuable information of consumers 
with which they are entrusted as well as other means of preventing 
identity theft. The Commission anticipates that as the new provisions 
of FACTA take effect, they will further help to reduce identity theft 
as well as its impact on victims.

    Mr. Stearns. Thank you, Commissioner.
    Ms. Bovbjerg.

                STATEMENT OF BARBARA D. BOVBJERG

    Ms. Bovbjerg. Thank you, Mr. Chairman, Ms. Schakowsky. I am 
pleased to be here today to discuss issues associated with the 
use and misuse of the Social Security number.
    Although the SSN was originally created as a means to track 
workers' earnings and eligibility for Social Security benefits, 
today the numbers are used for many non-Social Security 
purposes in both the public and the private sectors. This wide 
use of SSNs causes us concern because these numbers are among 
the personal identifiers most sought by identity thieves.
    Today, I will present results of our work on a variety of 
issues associated with the SSN. I would like to focus mainly on 
private sector use of the SSN and the protections that private 
companies apply and then more briefly on public sector uses and 
protections. My testimony is based on reports we have prepared 
over the last several years on this topic.
    First, the SSN and the private sector. We reported last 
January that consumer reporting agencies, health care 
organizations and information resellers use the SSN for a 
variety of purposes, only some of which are restricted by law, 
and virtually all of these entities have come to rely on the 
SSN as an identifier. Some businesses use the SSN to facilitate 
activities by assessing credit risk, locating bankruptcy assets 
or tracking patient care. For example, consumer reporting 
agencies, or CRAs, build and maintain credit histories around 
individuals' names, addresses, and SSNs. CRAs obtain SSNs from 
individuals who seek credit and from information resellers and 
public records. The SSNs are combined with information about a 
consumer's financial transactions such as charges, loans and 
credit repayments to ensure the consumer account data are 
matched correctly.
    Some businesses that function as information resellers 
aggregate information, including SSNs, from various public and 
private sources for resale. They obtain data from public 
records like bankruptcy proceedings, tax liens and voter 
registration rolls and from private compilations like phone 
books. These businesses resell this information to a variety of 
customers.
    Those we contacted told us that, to comply with current 
law, they limit their services to customers who establish 
accounts with them and with whom they have contracts that 
restrict the extent to which the data purchased can be 
redisclosed. Many say they truncate the SSN if they provide it 
at all.
    Indeed, Federal and State laws have helped to control 
access to and distribution of personal information like the 
SSN. At the Federal level, the Fair Credit Reporting Act, 
Gramm-Leach-Bliley and HIPAA, among others, have restricted 
use, distribution and display of the SSN in specific 
industries. Several States, most notably California, have 
enacted laws restricting display and use of SSNs; and although 
these are limited to a particular State, such restrictions have 
caused some private companies to alter their policies 
nationwide. No law, however, restricts use and display of the 
SSN in all industries in all locations, leaving the potential 
for misuse when protections are inadequate.
    Let me turn now to the public sector. As we have reported 
previously, Federal, State and county government agencies rely 
extensively on the SSN to maintain records with unique 
identifiers and maintain program integrity. Although government 
agencies told us of the various steps they take to safeguard 
the SSNs they use, we found the key protections are not 
uniformly in place. For example, some Federal agencies and many 
of the State and county agencies maintain public records that 
contain SSNs.
    Public records are documents routinely made available to 
the public for inspection, such as marriage licenses and 
property transactions, and represent a primary source of data 
for information resellers. GAO has expressed concern that such 
records create opportunities for identity thieves and has 
called on government at all levels to consider better 
protections.
    In conclusion, although SSNs are used for many beneficial 
purposes, the widespread use and retention of SSNs in both the 
public and private sectors creates opportunities for identity 
theft. Although both government and private companies have 
strengthened their protections of personal data and have 
reduced display of this information, these actions are far from 
uniform and leave troubling gaps. Nonetheless, restrictions on 
SSN use and the protections that would ensue must be weighed 
against the effect of such measures on governments and 
businesses now reliant on the SSN.
    I welcome this committee's interest in this important 
policy area and look forward to helping to provide information 
and analysis needed to assure that America's personal 
information is safe and secure. I thank you for your attention, 
and I would be happy to answer any questions you have.
    [The prepared statement of Barbara D. Bovbjerg follows:]
    Prepared Statement of Barbara D. Bovbjerg, Director, Education, 
    Workforce, and Income Security Issues, United States Government 
                         Accountability Office
    Mr. Chairman and Members of the Subcommittee: I am pleased to be 
here today to discuss private and public sector entities' use of Social 
Security numbers (SSNs). Although the Social Security Administration 
(SSA) originally created SSNs as a means to track workers' earnings and 
eligibility for Social Security benefits, over time the SSN has come to 
be used for a myriad of purposes; individuals are frequently asked to 
supply personal information, including their SSNs, to both public and 
private sector entities. In addition, individuals' SSNs can be found in 
a number of public sources such as records displayed to the public. 
Given the uniqueness and broad applicability of the SSN, many private 
and public sector entities rely extensively on the SSN sometimes as a 
way to accumulate and identify information for their databases, 
sometimes to comply with federal regulations, and other times for 
various business purposes. The potential for misuse of the SSN has 
raised questions about how private and public sector entities obtain, 
use, and protect SSNs.
    Although Congress has passed a number of laws to protect the 
security of personal information, the continued use of and reliance on 
SSNs by both private and public sector entities underscores the 
importance of determining if appropriate safeguards are in place to 
protect individuals' private information or if enhanced protection of 
individuals' personal information is needed. Accordingly, you asked us 
to talk about how certain types of private and public sector entities 
obtain SSNs and what protections, if any, exist to govern their use. My 
remarks today will focus on describing (1) how private sector entities 
obtain, use, and protect SSNs and (2) public sector uses and 
protections.
    To determine how private sector entities obtain, use, and protect 
SSNs, we relied on our previous work that looked at how private sector 
entities obtain and use SSNs and the laws that limit disclosure of this 
use.\1\ To determine how the public sector uses and protects 
SSNs, we also relied on our previous work that looked at the 
government's use and protection of SSNs.\2\ In addition, we 
are conducting structured interviews of federal agencies concerning the 
display of SSNs.
---------------------------------------------------------------------------
    \1\ GAO, Social Security Numbers: Private Sector Entities Routinely 
Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, 
GAO-04-11 (Washington D.C.: January 22, 2004).
    \2\ See GAO, Social Security Numbers: Government Benefits from SSN 
Use but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: 
May 31, 2002).
---------------------------------------------------------------------------
    In summary, entities such as information resellers, consumer 
reporting agencies (CRAs), and health care organizations routinely 
obtain SSNs from their business clients and from public sources, such 
as marriage licenses, paternity determinations, and professional 
licenses. Businesses use SSNs for various purposes, such as to build 
databases, verify individuals' identities, or match existing 
records.\3\ Given the various types of services these 
companies offer, we found that all of these entities have come to rely 
on the SSN as an identifier, which they say helps them determine a 
person's identity for the purpose of providing the services they offer. 
However, certain federal laws have helped to limit the disclosures of 
personal information these private sector entities are allowed to make 
to their customers. Private sector entities are either subject to the 
laws directly, given the nature of their business, or indirectly, 
through their business clients who are subject to these laws. Some 
states have also enacted laws to restrict the private sector's use of 
SSNs. However, such restrictions vary by state.
---------------------------------------------------------------------------
    \3\ GAO-04-11 (Washington D.C.: January 2004).
---------------------------------------------------------------------------
    Public sector entities also rely extensively on SSNs. These 
agencies often obtain SSNs for compliance with federal laws and 
regulations and for their own agencies' purposes. We found that 
federal, state, and county government agencies rely extensively on the 
SSN to manage records, verify benefit eligibility, collect outstanding 
debt, conduct research and program evaluations, and verify information 
provided to state drivers' licensing agencies.\4\ Given that 
SSNs are often the identifier of choice among individuals seeking to 
create false identities, these agencies are taking steps to safeguard 
SSNs. Yet despite these actions, SSNs appear in records displayed to 
the public such as documents that record financial transactions or 
court documents. In a previous report, we proposed that Congress 
consider developing a unified approach to safeguarding SSNs used in all 
levels of government and particularly those displayed in public 
records, and we continue to believe that this approach has 
merit.\5\
---------------------------------------------------------------------------
    \4\ GAO-02-352 (Washington D.C.: May 2002).
    \5\ GAO-02-352 (Washington D.C.: May 2002).
---------------------------------------------------------------------------

                               BACKGROUND
    The Social Security Act of 1935 authorized SSA to establish a 
record-keeping system to help manage the Social Security program, and 
this resulted in the creation of the SSN. Through a process known as 
enumeration, unique numbers are created for every person as a work and 
retirement benefit record for the Social Security program. SSA 
generally issues SSNs to most U.S. citizens, and SSNs are also 
available to noncitizens lawfully admitted to the United States with 
permission to work. SSA estimates that approximately 277 million 
individuals currently have SSNs. The SSN has become the identifier of 
choice for government agencies and private businesses, and thus it is 
used for a myriad of non-Social Security purposes.
    The growth in the use of SSNs is important to individual SSN 
holders because these numbers, along with names and birth certificates, 
are among the three personal identifiers most often sought by identity 
thieves.\6\ In addition, SSNs are used as breeder information 
to create additional false identification documents, such as drivers' 
licenses. Recent statistics collected by federal agencies and CRAs 
indicate that the incidence of identity theft appears to be 
growing.\7\ The Federal Trade Commission (FTC), the agency 
responsible for tracking identity theft, reported that consumer fraud 
and identity theft complaints grew from 404,000 in 2002 to 516,740 in 
2003. In 2003, consumers also reported losses from fraud of more than 
$437 million, up from $343 million in 2002. In addition, identity 
crimes account for over 80 percent of SSN misuse allegations according 
to the SSA. Also, officials from two of the three national CRAs report 
an increase in the number of 7-year fraud alerts placed on consumer 
credit files, which they consider to be reliable indicators of the 
incidence of identity theft.\8\ Law enforcement entities 
report that identity theft is almost always a component of other 
crimes, such as bank fraud or credit card fraud, and may be prosecuted 
under the statutes covering those crimes.
---------------------------------------------------------------------------
    \6\ United States Sentencing Commission, Identity Theft Final Alert 
(Washington, D.C.: Dec. 15, 1999).
    \7\ GAO, Identity Theft: Prevalence and Cost Appear to be Growing, 
GAO-02-363 (Washington, D.C.: Mar. 1, 2002).
    \8\ A fraud alert is a warning that someone may be using the 
consumer's personal information to fraudulently obtain credit. When a 
fraud alert is placed on a consumer's credit card file, it advises 
credit grantors to conduct additional identity verification before 
granting credit. The three consumer reporting agencies offer fraud 
alerts that can vary from 2 to 7 years at the discretion of the 
individual.
---------------------------------------------------------------------------
PRIVATE SECTOR ENTITIES ROUTINELY OBTAIN AND USE SSNs, AND CERTAIN LAWS 
               AFFECT THE DISCLOSURE OF THIS INFORMATION
    Private sector entities such as information resellers, CRAs, and 
health care organizations routinely obtain and use SSNs.\9\ 
Such entities obtain the SSNs from various public sources and their 
business clients wishing to use their services. We found that these 
entities usually use SSNs for various purposes, such as to build tools 
that verify an individual's identity or match existing records. Certain 
federal laws have limited the disclosures private sector entities are 
allowed to make to their customers, and some states have also enacted 
laws to restrict the private sector's use of SSNs.
---------------------------------------------------------------------------
    \9\ Information resellers, sometimes referred to as information 
brokers, are businesses that specialize in amassing consumer 
information that includes SSNs for informational services. CRAs, also 
known as credit bureaus, are agencies that collect and sell information 
about the creditworthiness of individuals. Health care organizations 
generally deliver their services through a coordinated system that 
includes health care providers and health plans, also referred to as 
health care insurers.
---------------------------------------------------------------------------
Private Sector Entities Obtain SSNs from Public and Private Sources and 
        Use SSNs for Various Purposes
    Private sector entities such as information resellers, CRAs, and 
health care organizations generally obtain SSNs from various public and 
private sources and use SSNs to help identify individuals. Of the 
various public sources available, large information resellers told us 
they obtain SSNs from various records displayed to the public such as 
records of bankruptcies, tax liens, civil judgments, criminal 
histories, deaths, real estate ownership, driving histories, voter 
registrations, and professional licenses. Large information resellers 
said that they try to obtain SSNs from public sources where possible, 
and to the extent public record information is provided on the 
Internet, they are likely to obtain it from such sources. Some of these 
officials also told us that they have people that go to courthouses or 
other repositories to obtain hard copies of public records. 
Additionally, they obtain batch files of electronic copies of all 
public records from some jurisdictions.
    Given the varied nature of SSN data found in public records, some 
reseller officials said they are more likely to rely on receiving SSNs 
from their business clients than they are from obtaining SSNs from 
public records. These entities obtain SSNs from their business clients, 
who provide SSNs in order to obtain a reseller's services or products, 
such as background checks, employee screening, determining criminal 
histories, or searching for individuals. Large information resellers 
also obtain SSN information from private sources. In many cases such 
information was obtained through review of data where a customer has 
voluntarily supplied information resellers with information about 
himself or herself. In addition, large reseller officials said they 
also use their clients' records in instances where the client has 
provided them with information.
    We also found that Internet-based resellers rely extensively on 
public sources and records displayed to the public. These resellers 
listed on their Web sites public information sources, such as 
newspapers, and various kinds of public record sources at the county, 
state, and national levels. During our investigation, we determined 
that once Internet-based resellers obtained an individual's SSN they 
relied on information in public records to help verify the individual's 
identity and amass information around the individual's SSN.
    Like information resellers, CRAs also obtain SSNs from public and 
private sources as well as from their customers or the businesses that 
furnish data to them. CRA officials said that they obtain SSNs from 
public sources, such as bankruptcy records, a fact that is especially 
important in terms of determining that the correct individual has 
declared bankruptcy. CRA officials also told us that they obtain SSNs 
from other information resellers, especially those that specialize in 
obtaining information from public records. However, SSNs are more 
likely to be obtained from businesses that subscribe to their services, 
such as banks, insurance companies, mortgage companies, debt collection 
agencies, child support enforcement agencies, credit grantors, and 
employment screening companies. Individuals provide these businesses 
with their SSNs for reasons such as applying for credit, and these 
businesses voluntarily report consumers' charge and payment 
transactions, accompanied by SSNs, to CRAs.
    We found that health care organizations were less likely to rely on 
public sources for SSN data. Health care organizations obtain SSNs from 
individuals themselves and from companies that offer health care plans. 
For example, subscribers or policyholders provide health care plans 
with their SSNs through their company or employer group when they 
enroll in health care plans. In addition to health care plans, health 
care organizations include health care providers, such as hospitals. 
Such entities often collect SSNs as part of the process of obtaining 
information on insured people. However, health care officials said 
that, particularly with hospitals, the medical record number rather 
than the SSN is the primary identifier.
    Information resellers, CRAs, and health care organization officials 
all said that they use SSNs to verify an individual's identity. Most of 
the officials we spoke to said that the SSN is the single most 
important identifier available, mainly because it is truly unique to an 
individual, unlike an individual's name and address, which can often 
change over an individual's lifetime. Large information resellers said 
that they generally use the SSN as an identity verification tool. Some 
of these entities have incorporated SSNs into their information 
technology, while others have incorporated SSNs into their clients' 
databases used for identity verification. For example, one large 
information reseller that specializes in information technology 
solutions has developed a customer verification data model that aids 
financial institutions in their compliance with some federal laws 
regarding ``knowing your customer.'' We also found that Internet-based 
information resellers use the SSN as a factor in determining an 
individual's identity. We found these types of resellers to be more 
dependent on SSNs than the large information resellers, primarily 
because their focus is more related to providing investigative or 
background-type services to anyone willing to pay a fee. Most of the 
large information reseller officials we spoke to said that although 
they obtain the SSN from their business clients, the information they 
provide back to their customers rarely contains the SSN. Almost all of 
the officials we spoke to said that they provide their clients with a 
truncated SSN, an example of which would be xxx-xx-6789.
    CRAs use SSNs as the primary identifier of individuals, which 
enables them to match the information they receive from their business 
clients with the information stored in their databases on 
individuals.\10\ Because these companies have various 
commercial, financial, and government agencies furnishing data to them, 
the SSN is the primary factor that ensures that incoming data is 
matched correctly with an individual's information on file. For 
example, CRA officials said they use several factors to match incoming 
data with existing data, such as name, address, and financial account 
information. If all of the incoming data, except the SSN, match with 
existing data, then the SSN will determine the correct person's credit 
file. Given that people move, get married, and open new financial 
accounts, these officials said that it is hard to distinguish among 
individuals. Because the SSN is the one piece of information that 
remains constant, they said that it is the primary identifier that they 
use to match data.
---------------------------------------------------------------------------
    \10\ We found that CRAs and information resellers can sometimes be 
the same entity, a fact that blurs the distinction between the two 
types of businesses but does not affect the use of SSNs by these 
entities. Five of the six large information resellers we spoke to said 
they were also CRAs. Some CRA officials said that information reselling 
constituted as much as 40 percent of CRAs' business.
---------------------------------------------------------------------------
    Health care organizations also use the SSN to help verify the 
identity of individuals. These organizations use SSNs, along with other 
information, such as name, address, and date of birth, as a factor in 
determining a member's identity. Health care officials said that health 
care plans, in particular, use the SSN as the primary identifier of an 
individual, and it often becomes the customer's insurance number. 
Health care officials said that they use SSNs for identification 
purposes, such as linking an individual's name to an SSN to determine 
if premium payments have been made. They also use the SSN as an online 
services identifier, as an alternative policy identifier, and for 
phone-in identity verification. Health care organizations also use SSNs 
to tie family members together where family coverage is used,\11\ 
to coordinate member benefits, and as a cross-check for 
pharmacy transactions. Health care industry association officials also 
said that SSNs are used for claims processing, especially with regard 
to Medicare. According to these officials, under some Medicare 
programs, SSNs are how Medicare identifies benefits provided to an 
individual.
---------------------------------------------------------------------------
    \11\ During the enrollment process, subscribers have a number of 
options, one of which is deciding whether they would like single or 
family coverage. In cases where family coverage is chosen, the SSN is 
the key piece of information generally allowing the family members to 
be linked.
---------------------------------------------------------------------------
Certain Laws Limit the Private Sectors' Disclosure of Personal 
        Information That Includes SSNs
    Certain federal and state laws have placed restrictions on certain 
private sector entities' use and disclosure of consumers' personal 
information that includes SSNs. Such laws include the Fair Credit 
Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Drivers 
Privacy Protection Act (DPPA), and the Health Insurance Portability and 
Accountability Act (HIPAA). As shown in table 1, the laws either 
restrict the disclosures that entities such as information resellers, 
CRAs, and health care organizations are allowed to make to specific 
purposes or restrict whom they are allowed to give the information to. 
Moreover, as shown in table 1, these laws focus on limiting or 
restricting access to certain personal information and are not 
specifically focused on information resellers. See appendix I for more 
information on these laws.

 Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure
                         of Personal Information
------------------------------------------------------------------------
               Federal Laws                         Restrictions
------------------------------------------------------------------------
Fair Credit Reporting Act.................  Limits access to credit data
                                             that includes SSNs to those
                                             who have a permissible
                                             purpose under the law.
Gramm-Leach-Bliley Act....................  Creates a new definition of
                                             personal information that
                                             includes SSNs and limits
                                             when financial institutions
                                             may disclose the
                                             information to non-
                                             affiliated third parties.
Drivers Privacy Protection Act............  Prohibits obtaining and
                                             disclosing SSNs and other
                                             personal information from a
                                             motor vehicle record except
                                             as expressly permitted
                                             under the law.
Health Insurance Portability and            Protects the privacy of
 Accountability Act.                         health information that
                                             identifies an individual
                                             (including by SSNs) and
                                             restricts health care
                                             organizations from
                                             disclosing such information
                                             to others without the
                                             patient's consent.
------------------------------------------------------------------------
Source: GAO analysis.

    We reviewed selected legislative documents of 18 states and found 
that at least 6 states have enacted their own legislation to restrict 
either the display or use of SSNs by the private sector.\12\ 
Notably, in 2001, California enacted Senate Bill (SB) 168, restricting 
private sector use of SSNs. Specifically, this law generally prohibits 
companies and persons from certain uses, such as posting or publicly 
displaying SSNs and printing SSNs on cards required to access the 
company's products or services. Furthermore, in 2002, shortly after the 
enactment of SB 168, California's Office of Privacy Protection 
published recommended practices for protecting the confidentiality of 
SSNs. These practices were to serve as guidelines to assist private and 
public sector organizations in handling SSNs.
---------------------------------------------------------------------------
    \12\ On the basis of our interviews with private sector businesses 
and organizations, contacts with some state offices of attorney 
general, and identification of state laws and legislative initiatives 
related to the use of SSNs, we did a legislative review of 18 states 
that were identified as having laws or proposed laws governing SSN use. 
In the 18 states we researched, we reviewed more than 40 legislative 
documents, including relevant laws, proposed laws, legislative 
summaries, and other related documents, such as state regulations, 
executive orders, and referendums.
---------------------------------------------------------------------------
    Similar to California's law, Missouri's law (2003 Mo. SB 61), which 
is not effective until July 1, 2006, bars companies from requiring 
individuals to transmit SSNs over the Internet without certain safety 
measures, such as encryption and passwords. However, while SB 61 
prohibits a person or private entity from publicly posting or 
displaying an individual's SSN ``in any manner,'' unlike California's 
law, it does not specifically prohibit printing the SSN on cards 
required to gain access to products or services. In addition, Arizona's 
law (2003 Ariz. Sess. Laws 137), effective January 1, 2005, restricts 
the use of SSNs in ways very similar to California's law. However, in 
addition to the private sector restrictions, it adds certain 
restrictions for state agencies and political 
subdivisions.\13\ For example, state agencies and political 
subdivisions are prohibited from printing an individual's SSN on cards 
and certain mailings to the individual. Last, Texas prohibits the 
display of SSNs on all cards, while Georgia and Utah's laws are 
directed at health insurers and, therefore, pertain primarily to 
insurance identification cards.\14\ None of these three laws 
contain the provisions mentioned above relating to Internet safety 
measures and mailing restrictions. Table 2 lists states that have 
enacted legislation and related provisions.
---------------------------------------------------------------------------
    \13\ Political subdivisions would include counties, cities, and 
towns.
    \14\ Georgia's law (O.C.G.A. Sec. 33-24-57.1(f)) and Utah's law (Utah 
Code Ann. Sec. 31-22-634) were both effective July 1, 2004. However, 
Utah's law provides certain extensions until March 1, 2005. Texas' law 
(2003 Tex. Gen. Laws 341) is effective March 1, 2005.

      Table 2: Provisions Included in Enacted Legislation Reviewed
------------------------------------------------------------------------
                                              States Where Provision or
                 Provision                       Restriction Enacted
------------------------------------------------------------------------
Specifically prohibits display on cards...  AZ, CA, GA, TX, UT
Requires Internet safety measures.........  AZ, CA, MO
Restricts mailing of SSNs.................  AZ, CA
------------------------------------------------------------------------
Source: GAO analysis.

PUBLIC SECTOR ENTITIES ALSO USE SSNS AND SOME AGENCIES LIMIT THEIR USE 
                              AND DISPLAY
    Agencies at all levels of government frequently obtain and use 
SSNs. A number of federal laws require government agencies to obtain 
SSNs, and these agencies use SSNs to administer their programs, verify 
applicants' eligibility for services and benefits, and do research and 
evaluation. In addition, given the open nature of certain government 
records, SSNs appear in some records displayed to the public. Given the 
potential for misuse, some government agencies are taking steps to 
limit their use and display of SSNs and prevent the proliferation of 
false identities.
Public Sector Entities Are Required by Laws and Regulations to Obtain 
        SSNs and Use SSNs for Various Purposes
    Government agencies obtain SSNs because a number of federal laws 
and regulations require certain programs and federally funded 
activities to use the SSN for administrative purposes.\15\ 
Such laws and regulations require the use of the SSN as an individual's 
identifier to facilitate automated exchanges that help administrators 
enforce compliance with federal laws, determine eligibility for 
benefits, or both. For example, the Internal Revenue Code and 
regulations, which govern the administration of the federal personal 
income tax program, require that individuals' SSNs serve as taxpayer 
identification numbers.\16\ A number of other federal laws 
require program administrators to use SSNs in determining applicants' 
eligibility for federally funded benefits. The Social Security Act 
requires individuals to provide their SSNs in order to receive benefits 
under the SSI, Food Stamp, Temporary Assistance for Needy Families, and 
Medicaid programs.\17\ In addition, the Commercial Motor 
Vehicle Safety Act of 1986 requires the use of SSNs to identify 
individuals and established the Commercial Driver's License Information 
System, a nationwide database where states may use individuals' SSNs to 
search the database for other state-issued licenses commercial drivers 
may hold.\18\ Federal law also requires the use of SSNs in 
state child support programs to help states locate noncustodial 
parents, establish and enforce support orders, and recoup state welfare 
payments from parents.\19\ The law also requires states to 
record SSNs on many other state documents, such as professional, 
occupational, and marriage licenses; divorce decrees; paternity 
determinations; and death certificates.
---------------------------------------------------------------------------
    \15\ GAO, Social Security Numbers: Government and Commercial Use of 
the Social Security Number is Widespread, GAO/HEHS-99-28 (Washington 
D.C.: February 1999).
    \16\ This means that employers and others making payments to 
individuals must include the individuals' SSNs in reporting to IRS many 
of these payments. In addition, the Code and regulations require 
individuals filing personal income tax returns to include their SSNs as 
their taxpayer identification number, the SSNs of people whom they 
claim as dependents, and the SSNs of spouses to whom they paid alimony.
    \17\ Applicants give program administrators information on their 
income and resources, and program administrators use applicants' SSNs 
to match records with those of other organizations.
    \18\ States may also use SSNs to search another database, the 
National Driver's Registry, to determine whether an applicant's license 
has been cancelled, suspended, or revoked by another state. In these 
situations, the states use SSNs to limit the possibility of 
inappropriately licensing applicants.
    \19\ The law requires states to maintain records that include (1) 
SSNs for individuals who owe or are owed support for cases in which the 
state has ordered child support payments to be made, the state is 
providing support, or both, and (2) employers' records of new hires 
identified by SSN.
---------------------------------------------------------------------------
    Government agencies use SSNs for a variety of reasons. We found 
that most of these agencies use SSNs to administer their programs, such 
as to identify, retrieve, and update their records. In addition, many 
agencies also use SSNs to share information with other entities to 
bolster the integrity of the programs they administer. As unique 
identifiers, SSNs help ensure that the agency is obtaining or matching 
information on the correct person.
    Government agencies also share information containing SSNs for the 
purpose of verifying an applicant's eligibility for services or 
benefits, such as matching records with state and local correctional 
facilities to identify individuals for whom the agency should terminate 
benefit payments. SSNs are also used to ensure program integrity. 
Agencies use SSNs to collect delinquent debts and even share 
information for this purpose. In addition, SSNs are used for 
statistics, research, and evaluation. Agencies responsible for 
collecting and maintaining data for statistical programs that are 
required by statute make use of SSNs. In some cases, these data are 
compiled using information provided for another purpose. For example, 
the Bureau of the Census prepares annual population estimates for 
states and counties using individual income tax return data linked over 
time by SSN to determine immigration rates between 
localities.\20\ SSNs also provide government agencies and 
others with an effective mechanism for linking data on program 
participation with data from other sources to help evaluate the 
outcomes or effectiveness of government programs. In some cases, 
records containing SSNs are sometimes matched across multiple agency or 
program databases.\21\
---------------------------------------------------------------------------
    \20\ The Bureau of the Census is authorized by statute to collect a 
variety of information, and the Bureau is also prohibited from making 
it available, except in certain circumstances.
    \21\ The statistical and research communities refer to the process 
of matching records containing SSNs for statistical or research 
purposes as ``record linkage.'' See U.S. General Accounting Office, 
Record Linkage and Privacy: Issues in Creating New Federal Research and 
Statistical Information, GAO-01-126SP (Washington, D.C.: Apr. 2001).
---------------------------------------------------------------------------
    Government agencies also use employees' SSNs to fulfill some of 
their responsibilities as employers. For example, personnel departments 
of these agencies use SSNs to help them maintain internal records and 
provide employee benefits. In addition, employers are required by law 
to use employees' SSNs when reporting wages. Wages are reported to SSA, 
and the agency uses this information to update earnings records it 
maintains for each individual. The Internal Revenue Service (IRS) also 
uses SSNs to match the employer wage reports with amounts individuals 
report on personal income tax returns. Federal law also requires that 
states maintain employers' reports of newly hired employees, identified 
by SSNs. States must forward this information to a national database 
that is used by state child support agencies to locate parents who are 
delinquent in child support payments.
    Finally, SSNs appear in some government records that are open to 
the public. For example, SSNs may already be a part of a document that 
is submitted to a recorder for official preservation, such as veterans' 
discharge papers. Documents that record financial transactions, such as 
tax liens and property settlements, also contain SSNs to help identify 
the correct individual. Government officials are also required by law 
to collect SSNs in numerous instances, and some state laws allow 
government entities to collect SSNs on voter registries to help avoid 
duplicate registrations. In addition, courts at all three levels of 
government also collect and maintain records that are routinely made 
available to the public. SSNs appear in court documents for a variety 
of reasons such as on documents that government officials create like 
criminal summonses, and in many cases, SSNs are already a part of 
documents that are submitted by attorneys or individuals as part of the 
evidence for a proceeding or a petition for an action. In some cases, 
federal law requires that SSNs be placed in certain records that courts 
maintain, such as child support orders.
Government Agencies Are Taking Steps to Limit the Use and Display of 
        SSNs
    Despite the widespread use of SSNs at all levels of government, not 
all agencies use SSNs. We found that some agencies do not obtain, 
receive, or use SSNs of program participants, service recipients, or 
individual members of the public.\22\ Moreover, not all 
agencies use the SSN as their primary identification number for record-
keeping purposes. These agencies maintain an alternative number that is 
used in addition to or in lieu of SSNs for certain activities.
---------------------------------------------------------------------------
    \22\ GAO-02-352 (Washington D.C.: May 2002).
---------------------------------------------------------------------------
    Some agencies are also taking steps to limit SSNs displayed on 
documents that may be viewed by others who may not have a need to view 
this personal information. For example, the Social Security 
Administration has truncated individuals' SSNs that appear on the 
approximately 120 million benefits statements it mails each year. Some 
states have also passed laws prohibiting the use of SSNs as a student 
identification number. Almost all states have modified their policies 
on placing SSNs on state drivers' licenses.
    At the federal level, SSA has taken steps in its enumeration 
process and verification service to help prevent SSNs from being used 
to proliferate false identities. SSA has formed a task force to address 
weaknesses in its enumeration process and has (1) increased document 
verifications and developed new initiatives to prevent the 
inappropriate assignment of SSNs to noncitizens, and (2) undertaken 
initiatives to shift the burden of processing noncitizen applications 
from its field offices.\23\ SSA also helps prevent the 
proliferation of false identities through its verification service, 
which allows state driver licensing agencies to verify the SSN, name, 
and date of birth of customers with SSA's master file of Social 
Security records.\24\ Finally, SSA has also acted to correct 
deficiencies in its information systems' internal controls. These 
changes were made in response to the findings of an independent audit 
that found that SSA's systems were exposed to both internal and 
external intrusion, increasing the possibility that sensitive 
information such as SSNs could be subject to unauthorized access, 
modification, and disclosure, as well as the risk of fraud.
---------------------------------------------------------------------------
    \23\ See GAO, Social Security Administration: Actions Taken to 
Strengthen Procedures for Issuing Social Security Numbers to 
Noncitizens but Some Weaknesses Remain, GAO-04-12 (Washington D.C.: 
October 15, 2003). See GAO, Social Security Numbers: Improved SSN 
Verification and Exchange of States' Driver Records Would Enhance 
Identity Verification, GAO-03-920 (Washington D.C.: September 15, 
2003).
    \24\ GAO-03-920 (Washington D.C.: September 2003).
---------------------------------------------------------------------------
    With regard to the courts, in a prior report we suggested that 
Congress consider addressing SSN security and display issues in state 
and local government and in public records, including those maintained 
by the judicial branch of government at all levels.\25\ We 
proposed that Congress convene a representative group of officials from 
all levels of government to develop a unified approach to safeguard 
SSNs used in all levels of government and particularly those displayed 
in public records.
---------------------------------------------------------------------------
    \25\ GAO-02-352 (Washington D.C.: May 2002).
---------------------------------------------------------------------------

                              CONCLUSIONS
    Public and private entities use SSNs for many legitimate and 
publicly beneficial purposes. However, the more frequently SSNs are 
obtained and used, the more likely they are to be misused. Individuals 
may voluntarily provide their SSNs to the private and public sectors to 
obtain services, but they should be able to be confident that their 
personal information is safe and secure. As we continue to learn more 
about the entities that obtain SSNs and the purposes for which they 
obtain them, policy makers will be able to determine if there are ways 
to limit access to this valuable piece of information and prevent it 
from being misused. However, restrictions on access or use may make it 
more difficult for businesses and government agencies to verify an 
individual's identity. Accordingly, policy makers will have to balance 
the potential benefits of restrictions on the use of SSNs on the one 
hand with the impact on legitimate needs for the use of SSNs on the 
other.
    We are continuing our work on protecting the privacy of SSNs in the 
private and public sectors, and we are pleased that this Subcommittee 
is considering this important policy issue. That concludes my 
testimony, and I would be pleased to respond to any questions the 
subcommittee has.
Contacts and Acknowledgments
    For further information regarding this testimony, please contact 
Barbara D. Bovbjerg, Director or Tamara Cross, Assistant Director at 
(202) 512-7215.
  Appendix I: Federal Laws Affecting Information Resellers, CRAs, and 
                       Health Care Organizations:
                     Gramm-Leach-Bliley Act (GLBA):
    GLBA requires companies to give consumers privacy notices that 
explain the institutions' information-sharing practices. In turn, 
consumers have the right to limit some, but not all, sharing of their 
nonpublic personal information. Financial institutions are permitted to 
disclose consumers' nonpublic personal information without offering 
them an opt-out right in the following circumstances:

 to effect a transaction requested by the consumer in connection with 
        a financial product or service requested by the consumer; 
        maintaining or servicing the consumer's account with the 
        financial institution or another entity as part of a private 
        label credit card program or other extension of credit; or a 
        proposed or actual securitization, secondary market sale, or 
        similar transaction;
 with the consent or at the direction of the consumer;
 to protect the confidentiality or security of the consumer's records; 
        to prevent actual or potential fraud, for required 
        institutional risk control or for resolving customer disputes 
        or inquiries, to persons holding a legal or beneficial interest 
        relating to the consumer, or to the consumer's fiduciary;
 to provide information to insurance rate advisory organizations, 
        guaranty funds or agencies, rating agencies, industry standards 
        agencies, and the institution's attorneys, accountants, and 
        auditors;
 to the extent specifically permitted or required under other 
        provisions of law and in accordance with the Right to Financial 
        Privacy Act of 1978, to law enforcement agencies, self-
        regulatory organizations, or for an investigation on a matter 
        related to public safety;
 to a consumer reporting agency in accordance with the Fair Credit 
        Reporting Act or from a consumer report reported by a consumer 
        reporting agency;
 in connection with a proposed or actual sale, merger, transfer, or 
        exchange of all or a portion of a business if the disclosure 
        concerns solely consumers of such business;
 to comply with federal, state, or local laws; an investigation or 
        subpoena; or to respond to judicial process or government 
        regulatory authorities.
    Financial institutions are required by GLBA to disclose to 
consumers at the initiation of a customer relationship, and annually 
thereafter, their privacy policies, including their policies with 
respect to sharing information with affiliates and non-affiliated third 
parties.
    Provisions under GLBA place limitations on financial institutions' 
disclosure of customer data, thus affecting some CRAs and information 
resellers. We found that some CRAs consider themselves to be financial 
institutions under GLBA.\26\ These entities are therefore 
directly governed by GLBA's restrictions on disclosing nonpublic 
personal information to non-affiliated third parties. We also found 
that some of the information resellers we spoke to did not consider 
their companies to be financial institutions under GLBA. However, 
because they have financial institutions as their business clients, 
they complied with GLBA's provisions in order to better serve their 
clients and ensure that their clients are in accordance with GLBA. For 
example, if information resellers received information from financial 
institutions, they could resell the information only to the extent that 
they were consistent with the privacy policy of the originating 
financial institution.
---------------------------------------------------------------------------
    \26\ Under GLBA, the term financial institution is defined as ``any 
institution the business of which is engaging in financial activities 
as described in section 4(k) of the Bank Holding Company Act of 1956,'' 
which goes into more detail about what are ``activities that are 
financial in nature.'' These generally include banking, insurance, and 
investment industries.
---------------------------------------------------------------------------
    Information resellers and CRAs also said that they protect the use 
of non-public personal information and do not provide such information 
to individuals or unauthorized third parties. In addition to imposing 
obligations with respect to the disclosures of personal information, 
GLBA also requires federal agencies responsible for financial 
institutions to adopt appropriate standards for financial institutions 
relating to safeguarding customer records and information. Information 
resellers and CRA officials said that they adhere to GLBA's standards 
in order to secure financial institutions' information.
                 Drivers Privacy Protection Act (DPPA):
    The DPPA specifies a list of exceptions when personal information 
contained in a state motor vehicle record may be obtained and used (18 
U.S.C. Sec. 2721(b)). These permissible uses include:

 for use by any government agency in carrying out its functions;
 for use in connection with matters of motor vehicle or driver safety 
        and theft; motor vehicle emissions; motor vehicle product 
        alterations, recalls, or advisories; motor vehicle market 
        research activities, including survey research;
 for use in the normal course of business by a legitimate business, 
        but only to verify the accuracy of personal information 
        submitted by the individual to the business and, if such 
        information is not correct, to obtain the correct information 
        but only for purposes of preventing fraud by pursuing legal 
        remedies against, or recovering on a debt or security interest 
        against, the individual;
 for use in connection with any civil, criminal, administrative, or 
        arbitral proceeding in any federal, state, or local court or 
        agency;
 for use in research activities;
 for use by any insurer or insurance support organization in 
        connection with claims investigation activities;
 for use in providing notice to the owners of towed or impounded 
        vehicles;
 for use by a private investigative agency for any purpose permitted 
        under the DPPA;
 for use by an employer or its agent or insurer to obtain information 
        relating to the holder of a commercial driver's license;
 for use in connection with the operation of private toll 
        transportation facilities;
 for any other use, if the state has obtained the express consent of 
        the person to whom a request for personal information pertains;
 for bulk distribution of surveys, marketing, or solicitations, if the 
        state has obtained the express consent of the person to whom 
        such personal information pertains;
 for use by any requester, if the requester demonstrates that it has 
        obtained the written consent of the individual to whom the 
        information pertains;
 for any other use specifically authorized under a state law, if such 
        use is related to the operation of a motor vehicle or public 
        safety.
    As a result of DPPA, information resellers said they were 
restricted in their ability to obtain SSNs and other driver license 
information from state motor vehicle offices unless they were doing so 
for a permissible purpose under the law. These officials also said that 
information obtained from a consumer's motor vehicle record has to be 
in compliance with DPPA's permissible purposes, thereby restricting 
their ability to resell motor vehicle information to individuals or 
entities not allowed to receive such information under the law. 
Furthermore, because DPPA restricts state motor vehicle offices' 
ability to disclose driver license information, which includes SSN 
data, information resellers said they no longer try to obtain SSNs from 
state motor vehicle offices, except for permissible purposes.
      Health Insurance Portability and Accountability Act (HIPAA):
    The HIPAA privacy rule also defines some rights and obligations for 
both covered entities and individual patients and health plan members. 
Some of the highlights are:

 Individuals must give specific authorization before health care 
        providers can use or disclose protected information in most 
        nonroutine circumstances, such as releasing information to an 
        employer or for use in marketing activities.
 Covered entities will need to provide individuals with written notice 
        of their privacy practices and patients' privacy rights. The 
        notice will contain information that could be useful to 
        individuals choosing a health plan, doctor, or other service 
        provided. Patients will be generally asked to sign or otherwise 
        acknowledge receipt of the privacy notice.
    Covered entities must obtain an individual's specific authorization 
before sending them marketing materials.
    Health care organizations, including health care providers and 
health plan insurers, are subject to HIPAA's requirements. In addition 
to providing individuals with privacy practices and notices, health 
care organizations are also restricted from disclosing a patient's 
health information without the patient's consent, except for purposes 
of treatment, payment, or other health care operations. Information 
resellers and CRAs did not consider themselves to be ``covered 
entities'' under HIPAA, although some information resellers said that 
their customers are considered to be business associates under HIPAA. 
As a result, they said they are obligated to operate under HIPAA's 
standards for privacy protection, and therefore could not resell 
medical information without having made sure HIPAA's privacy standards 
were met.
                   Fair Credit Reporting Act (FCRA):
    Congress has limited the use of consumer reports to protect 
consumers' privacy. All users must have a permissible purpose under the 
FCRA to obtain a consumer report (15 USC 1681b). These permissible 
purposes are:

 as ordered by a court or a federal grand jury subpoena;
 as instructed by the consumer in writing;
 for the extension of credit as a result of an application from a 
        consumer or the review or collection of a consumer's account;
 for employment purposes, including hiring and promotion decisions, 
        where the consumer has given written permission;
 for the underwriting of insurance as a result of an application from 
        a consumer;
 when there is a legitimate business need, in connection with a 
        business transaction that is initiated by the consumer;
 to review a consumer's account to determine whether the consumer 
        continues to meet the terms of the account;
 to determine a consumer's eligibility for a license or other benefit 
        granted by a governmental instrumentality required by law to 
        consider an applicant's financial responsibility or status;
 for use by a potential investor or servicer or current insurer in a 
        valuation or assessment of the credit or prepayment risks 
        associated with an existing credit obligation; and
 for use by state and local officials in connection with the 
        determination of child support payments, or modifications and 
        enforcement thereof.
    Under FCRA, Congress has limited the use of consumer reports \27\ 
to protect consumers' privacy and limits access to credit 
data to those who have a legally permissible purpose for using the 
data, such as the extension of credit, employment purposes, or 
underwriting insurance. However, these limits are not specific to SSNs. 
All of the CRAs that we spoke to said that they are considered consumer 
reporting agencies under FCRA. In addition, some of the information 
resellers we spoke to who handle or maintain consumer reports are 
classified as CRAs under FCRA. Both CRAs and information resellers said 
that as a result of FCRA's restrictions they are limited to providing 
credit data to their customers that have a permissible purpose under 
FCRA. Consequently, they are restricted by law from providing such 
information to the general public.
---------------------------------------------------------------------------
    \27\ The FTC has determined that certain types of information, 
including SSNs, do not constitute a consumer report under FCRA because 
they are not factors in determining credit eligibility.

    Mr. Stearns. I thank you.
    Mr. Hoofnagle.

                STATEMENT OF CHRIS JAY HOOFNAGLE

    Mr. Hoofnagle. Thank you, Chairman Stearns and Ranking 
Member Schakowsky, for this opportunity today to speak about 
the privacy of Social Security numbers.
    My name is Chris Hoofnagle, and I am Associate Director 
with the Electronic Privacy Information Center here in 
Washington, D.C. We were established in 1994 to protect 
privacy, the first amendment and constitutional values. Since 
our founding in 1994, we have been active in trying to protect 
the Social Security number.
    As you are well aware, today the Social Security number 
plays an unparalleled role in the identification, 
authentication and tracking of Americans. This widespread use 
exacerbates several privacy problems. Since it is used as both 
an identifier and an authenticator, that is, some businesses 
use it as a record locator or a way to amass personal 
information about individuals, other businesses use it as a 
password, and that creates many of the problems that we are 
experiencing today in identity theft and privacy more 
generally.
    Serious security problems are raised in any system where a 
single device is used as both identifier and password. Just 
imagine if your bank account assigned you an account number and 
a PIN that were the same. Anyone who was able to recover a 
cashed check or one of your account statements could very 
easily plunder your account or in a similar situation when it 
comes to the SSN. Because the SSN is used in this way so 
prevalently in the public and private sector, it is so relied 
upon by business, it has become the identifier that criminals 
use when they want to commit fraud and identity theft.
    There is now a rich history in identity theft litigation 
showing that the crime is exacerbated by creditors who issue 
new accounts based on an SSN match alone. Creditors are 
ignoring incorrect information on credit applications and 
granting credit even where the SSN matches but other critical 
pieces of information such as name, date of birth and address 
do not match.
    In May, the Salt Lake Tribune reported that businesses 
granting credit did little to ensure that Social Security 
numbers and names match. The same newspaper argued there are 
credit bureaus that allow perpetrators to establish credit 
files using other people's Social Security numbers. That 
article also reports on an inspector general from the Social 
Security Administration, who then at the time stated that SSN-
only fraud makes up the majority of cases of identity theft in 
Utah and the surrounding region. We think this is further 
evidence that there needs to be less reliance on the Social 
Security number and more care in credit transactions in 
particular.
    But let me be clear about this. This in no way threatens 
instant credit or access to services. All we are arguing is 
that greater care needs to be made available so that 
individuals are not able to be victimized so easily. Congress' 
goal in addressing identity theft and privacy issues should 
seek to limit the availability of the SSN generally and induce 
businesses to rely upon alternative identifiers.
    Several provisions of H.R. 2971 are very important and 
should be included in any legislation considered by this 
committee, for instance, a prohibition on coercive disclosure. 
That is the practice where a business denies a service or 
access to a product based on a customer's withholding of the 
SSN. We think it is very important to address that practice.
    Any Social Security number bill should also include a 
provision that moves the identifier below the line on a credit 
report. That is, a company should not be able to sell the 
Social Security number unless they have a valid, permissible 
purpose under the Fair Credit Reporting Act. H.R. 2971 does 
enact that protection.
    I wish to highlight two important changes that should be 
made to the bill as amended.
    First, our reading of the bill shows that Social Security 
numbers are only protected when the government requires their 
disclosure and actually states that their disclosure is 
mandatory. This is key to protection in a privacy act that 
requires the government and States to tell people whether or 
not disclosure of their SSN is mandatory. A lot of States are 
not complying with the privacy act and not telling people that 
they don't need to provide their SSN and, as a result, they 
wouldn't have protections under the bill.
    We think it is important to strengthen the standards that 
the Attorney General will use in determining whether or not 
businesses should be able to use their Social Security number 
in the private sector. In the public sector, the SSN would be 
able to be disclosed where there was a compelling interest that 
could not be served by alternative means.
    However, in the private sector, the standard is much 
looser. We really think that the private sector should be held 
to a similar standard to induce it to use alternative 
identifiers.
    We also think that any exception that is made that allows 
disclosure of the SSN should be limited in time. Because if you 
create an exception that exists forever, businesses will 
solidify their use of the SSN, and they will continue to use 
it.
    Let me conclude by thanking you for holding this hearing 
and continuing to develop a legislative history on the privacy 
of the Social Security number.
    [The prepared statement of Chris Jay Hoofnagle follows:]
    Prepared Statement of Chris Jay Hoofnagle, Associate Director, 
                 Electronic Privacy Information Center
    Chairman Stearns, Ranking Member Schakowsky, and Members of the 
Subcommittee, thank you for extending the opportunity to testify on 
protecting Social Security Numbers.
    My name is Chris Hoofnagle and I am associate director with the 
Electronic Privacy Information Center (EPIC), a not-for-profit research 
organization based in Washington, D.C. Founded in 1994, EPIC has 
participated in cases involving the privacy of the Social Security 
Number (SSN) before federal courts and, most recently, before the 
Supreme Court of New Hampshire.\1\ EPIC has also taken a 
leading role in campaigns against the use of globally unique 
identifiers (GUIDs) involving the Intel Processor Serial Number and the 
Microsoft Corporation's Passport identification and authentication 
system. EPIC maintains an archive of information about the SSN online 
at http://www.epic.org/privacy/ssn/.
---------------------------------------------------------------------------
    \1\ Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00-211-B 
(N.H. 2002). In Remsburg, the ``Amy Boyer'' case, Liam Youens was able 
to locate and eventually murder Amy Boyer through hiring private 
investigators who tracked her by her date of birth, Social Security 
Number, and by pretexting. EPIC maintains information about the Amy 
Boyer case online at http://www.epic.org/privacy/boyer/.
---------------------------------------------------------------------------
    In previous testimony to Congress, EPIC has recommended a strong 
framework of Fair Information Practices to create rights and 
responsibilities for individuals and collectors of the SSN. In 2001, 
EPIC Executive Director Marc Rotenberg traced the history of the SSN as 
an identifier, highlighted the use of the SSN in the financial services 
sector, and raised privacy issues associated with the Social Security 
Administration's Death Master File.\2\ In 2002, EPIC testified 
that the problem of identity theft had grown worse, that the states 
were acting to limit collection and disclosure of the SSN, and that 107 
H.R. 2036, the Social Security Number Privacy and Identity Theft 
Protection Act of 2001 could limit misuse of the SSN.\3\ In 
2003, EPIC appeared again to testify in favor of privacy protections, 
highlighting recent abuses, the continuing unnecessary use of the SSN 
as an identifier by both private and public sector entities, and the 
developing trends of state legislation crafted to limit collection and 
use of the identifier.\4\ In June 2004, EPIC provided an 
overview and recommendations for 108 H.R. 2971, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2003.\5\ 
We testified that the bill was a good start, but could use improvement.
---------------------------------------------------------------------------
    \2\ Social Security Numbers and Identity Theft, Joint Hearing 
Before the House Financial Services Subcommittee on Oversight and 
Investigations and the House Ways and Means Subcommittee on Social 
Security, Nov. 8, 2001 (testimony of Marc Rotenberg, Executive 
Director, EPIC), available at http://www.epic.org/privacy/ssn/
testimony--11--08--2001.html.
    \3\ Hearing on Preserving the Integrity of Social Security Numbers 
and Preventing Their Misuse by Terrorists and Identity Thieves, Joint 
Hearing Before the House Ways and Means Subcommittee on Social Security 
and the House Judiciary Subcommittee on Immigration, Border Security, 
and Claims, Sept. 19, 2002 (testimony of Chris Jay Hoofnagle, 
Legislative Counsel, EPIC), available at http://www.epic.org/privacy/
ssn/ssntestimony9.19.02.html.
    \4\ Hearing on Use and Misuse of the Social Security Number, 
Hearing Before the House Ways and Means Subcommittee on Social 
Security, July 10, 2003 (testimony of Chris Jay Hoofnagle, Deputy 
Counsel, EPIC), available at http://www.epic.org/privacy/ssn/
testimony7.10.03.html.
    \5\ Hearing on Enhancing Social Security Number Privacy, Before the 
House Ways and Means Subcomm. on Social Security, 108th Cong. (2004) 
(statement of Chris Jay Hoofnagle, associate director, Electronic 
Privacy Information Center), available at http://www.epic.org/privacy/
ssn/ssntestimony6.15.04.html
---------------------------------------------------------------------------
    In today's testimony, we highlight a substitute version of 108 H.R. 
2971. We make recommendations to strengthen the bill. We then cite 
examples of state SSN regulation that could be adopted at the federal 
level to provide an umbrella of protections for the SSN.
   I. Recommendations for 108 H.R. 2971, the Social Security Number 
           Privacy and Identity Theft Prevention Act of 2003
    Introduced in July 2003, H.R. 2971 is the latest of a series of 
bills designed to enhance protections for the SSN and to promote the 
integrity of the identifier. It enjoys bipartisan support in the House 
of Representatives. The substitute measure contains many of the 
protections we recommended in our June 2004 testimony. However, some 
sections have been changed to the detriment of privacy. We highlight 
those sections below.
    Title I of the bill sets forth limitations on government disclosure 
of SSNs. Broadly put, this title would prohibit executive, legislative, 
or judicial entities from disclosing the SSN, subject to certain 
exceptions.
    We think it critical to make several changes to section 101. First, 
the legislation amends 42 U.S.C. Sec. 405(c)(2)(C) to protect SSNs where 
the identifier has been given to an agency ``pursuant to the assertion 
by such agency . . . that disclosure of such number is mandatory.'' 
This is a serious weakness in the bill that is keyed upon a requirement 
in the Privacy Act that government entities disclose whether SSN 
collection is mandatory or voluntary. Many state entities, in 
particular, do not comply with this disclosure requirement in the 
Privacy Act. As a result, individuals do not always understand whether 
SSN collection is mandatory or voluntary. Oddly, the legislation as 
drafted would reward agencies that didn't comply with the Privacy Act's 
voluntary/mandatory notice requirements by also immunizing them from 
prohibitions on SSN disclosure. We recommend striking this language.
    We recommend removal of exemption VI in section 101, which gives 
credit reporting agencies wholesale access to SSNs in the hands of the 
government. It is not the role of government to collect SSNs from 
citizens, who are often under legal compulsion to provide the 
identifier, and then release the SSNs to the private sector for the 
purpose of compiling dossiers. Professor Daniel Solove has fully 
articulated how this model of information flow is unfair to individuals 
and privacy invasive:
          Imagine that the government had the power to compel 
        individuals to reveal a vast amount of personal information 
        about themselves--where they live, their phone numbers, their 
        physical description, their photograph, their age, their 
        medical problems, all of their legal transgressions throughout 
        their lifetimes whether serious crimes or minor infractions, 
        the names of their parents, children, and spouses, their 
        political party affiliations, where they work and what they do, 
        the property that they own and its value, and sometimes even 
        their psychotherapists' notes, doctors' records, and financial 
        information.
          Then imagine that the government routinely poured this 
        information into the public domain--by posting it on the 
        Internet where it could be accessed from all over the world, by 
        giving it away to any individual or company that asked for it, 
        or even by providing entire databases of personal information 
        upon request. In an increasingly ``wired'' society, with 
        technology such as sophisticated computers to store, transfer, 
        search, and sort through all this information, imagine the way 
        that the information could be combined or used to obtain even 
        more personal information.\6\
---------------------------------------------------------------------------
    \6\ Professor Daniel Solove describes this problem in Access and 
Aggregation: Public Records, Privacy, and the Constitution, 86 
Minnesota Law Review 1137 (2002), available at http://papers.ssrn.com/
sol3/papers.cfm?abstract_id=283924.
---------------------------------------------------------------------------
    In section 101, we recommend harmonizing the definition of ``sale'' 
(to be codified at 42 U.S.C. Sec. 405(c)(2)(C)(x)(IX)) with other 
references to the term that appear in the legislation. The definition 
appearing in section 108, which defines sell as ``to obtain, directly 
or indirectly, anything of value in exchange for such number,'' is more 
appropriate.
    In section 101, we recommend removal of language that would allow 
continued disclosure of just the last four digits of the SSN, even with 
the six-year sunset. These last four digits are the unique portion of 
the SSN, and the legislation's protections are significantly weakened 
if this portion can still be displayed.
    Section 102 specifies the authority of the Attorney General to 
create exemptions to the general prohibition on government disclosure 
of the SSN. We agree with the standard set forth by the legislation--
that SSNs should not be disclosed absent a compelling interest that 
cannot be served through the employment of alternative measures. This 
same standard should apply to sale of the SSN to the general public. 
Currently, the substitute measure would require the Attorney General to 
engage in a balancing test of the benefits and harms associated with 
the sale of the SSN to the private sector.
    We think that exceptions to the general prohibition should be 
limited in duration. A time limit will encourage users of the SSN to 
transition to alternative identifiers. Exceptions that are not time 
limited will ensure that SSN users never transition to alternative 
measures.
    Section 103 would codify an important safeguard--a prohibition of 
printing SSNs on checks issued by governments. This is a common sense 
protection against identity theft. It is necessary because a standard 
check with a SSN contains all the personal information necessary for 
commission of identity theft.
    Section 104 would prohibit states from displaying the SSN on 
driver's licenses. Again, this is a common sense approach to preventing 
identity theft. Indeed, many states already incorporate a ban on 
printing the SSN on driver's licenses.\7\ Such a prohibition 
makes it more likely that the SSN will not appear in the wallet of 
individuals, thus reducing the risk that a lost or stolen wallet will 
provide the personal information necessary to commit identity theft.
---------------------------------------------------------------------------
    \7\ See Ariz. Rev. Stat. Sec. 28-3158; C.R.S. Sec. 42-2-107; C.R.S. Sec. 42-
3-302; D.C. Code Ann. Sec. 50-402; O.C.G.A. Sec. 40-3-23; HRS Sec. 286-109; HRS 
Sec. 286-239; Idaho Code Sec. 49-306; Idaho Code Sec. 49-2444; Ky. Rev. Stat. 
Ann. Sec. 186.412; Mont. Code Ann. Sec. 61-5-111(2)(b); Nev. Rev. Stat. Ann. 
Sec. 483.345; N.H. Rev. Stat. Ann. Sec. 263:40-a; N.D. Cent. Code 39-06-14; 
Ohio Rev. Code Ann. Sec. 4501.31; Okla. Stat. Ann. tit. 47, Sec. 6-106 
(2002); Pa. Cons. Stat. Ann. Sec. 1510; Tenn Code Ann. Sec. 55-50-331; Tex. 
Trans. Sec. 521.044; Va. Code Ann. Sec. 46.2-342; Wash. Rev. Code Ann. Sec. 
26.23.150.
---------------------------------------------------------------------------
    Section 106 would prohibit government entities from allowing 
prisoners to have access to the SSN. We think that this too is a common 
sense protection, in light of the Metromail case, where a company 
employed prisoners to enter personal information from surveys into 
computers. This resulted in a stalking case where a prisoner harassed a 
woman based on information she submitted on a survey. The woman 
received mail from a convicted rapist and burglar who knew everything 
about her--including her preferences for bath soap and magazines. The 
woman sued and as a result of a class-action suit, Metromail may no 
longer use prisoners to process personal information.\8\ 
Nevertheless, a general prohibition on inmate access to SSNs is 
appropriate, and California and Kentucky already have passed 
legislation to keep SSNs out of the hands of prisoners.\9\
---------------------------------------------------------------------------
    \8\ During litigation, Metromail claimed that they had not violated 
the woman's privacy, that they had no duty to inform individuals that 
prisoners were processing their personal data, and that the data 
processed was not highly intimate or embarrassing. Beverly Dennis, et 
al. v. Metromail, et al., No. 96-04451, Travis County, Texas.
    \9\ Cal Pen Code Sec. 4017.1, Sec. 5071; Cal Wel & Inst Code Sec. 219.5; Ky. 
Rev. Stat. Ann. Sec. 131.191.
---------------------------------------------------------------------------
    Section 108 generally prohibits disclosure of the SSN in the 
private sector, subject to exceptions. We think it important to limit 
exceptions to the general prohibition in order to curb private sector 
use of the SSN. First, the exception for public health purposes should 
be limited to ``emergency public health purposes.'' In its current 
articulation, this exception could allow medical providers and 
insurance companies to continue to rely upon the SSN in normal 
operations. Limiting the exception will encourage the industry to shift 
away from the identifier. We note that Empire Blue Cross is 
transitioning its 4.8 million customers away from the SSN as an 
identifier, demonstrating that it is possible for large health care 
operations to use an alternative identifier.\10\
---------------------------------------------------------------------------
    \10\ Empire Blue Cross Will End Use Of SSNs, Use Alternate Number 
System, Privacy and Security Law Report (Jun. 7, 2004) at 666.
---------------------------------------------------------------------------
    Section 108 contains an exception for SSNs of the deceased, meaning 
that they could be freely traded on the market. We think there are 
important public policy reasons to place some protections on SSNs of 
the deceased. SSNs of deceased individuals should receive protection 
for the same reasons that justify protections for living individuals; 
those reasons include preventing fraud and identity theft. 
Additionally, criminals are known to assume the identities of deceased 
individuals in order to engage in criminal acts and to avoid law 
enforcement. Some protection for these identifiers is justified.
    Section 109 codifies a much-needed protection for the SSN. Prior to 
the implementation of the Gramm-Leach-Bliley Act, CRAs and other 
entities sold SSNs in credit headers to individuals outside Fair Credit 
Reporting Act regulation. We understand that some businesses are still 
selling SSNs from credit headers that were collected before 
implementation of Gramm-Leach-Bliley. Section 108 would eliminate this 
unregulated sale of SSNs by tying the identifier to the credit report, 
and thus to protections in the Fair Credit Reporting Act.
    Section 110 contains important protections against the practice of 
``coercive disclosure,'' a practice where an entity conditions 
provision of a product or service based on disclosure of the SSN. 
Maine, New Mexico, and Rhode Island have established protections 
against coercive disclosure, and we think it a good idea to federalize 
this important right to enhance privacy of the SSN.\11\
---------------------------------------------------------------------------
    \11\ 2003 Me. ALS 512; N.M. Stat. Ann. Sec. 57-12B-3; R.I. Gen Laws Sec. 
6-13-17.
---------------------------------------------------------------------------
  II. States Have Innovated Clever Protections for the SSN; Congress 
          Should Consider Incorporating Them in 108 H.R. 2971
    In recent years, state legislatures have functioned in their 
traditional roles as ``laboratories of democracy,'' creating new 
approaches to enhancing the privacy of SSNs. These privacy protections 
demonstrate that major government and private-sector entities can still 
operate in environments where disclosure and use of the SSN is limited. 
They also provide examples of protections that should be considered at 
the federal level.
Some States Have Placed Broad Prohibitions on Disclosure and Use by 
        Government and Private Entities
    Colorado Governor Bill Owens signed H.B. 1311, legislation that 
creates important new protections for the SSN that took effect this 
summer. The new law will limit the collection of the SSN and its 
incorporation in licenses, permits, passes, or certificates issued by 
the state. The law requires the establishment of policies for safe 
destruction of documents containing the SSN. Insurance companies 
operating in the state must remove the SSN from consumers' 
identification cards. Finally, the legislation creates new penalties 
for individuals who use others' personal information to injure or 
defraud another person.
    A law taking effect in January 2005 in Arizona prohibits the 
disclosure of the SSN to the general public, the printing of the 
identifier on government and private-sector identification cards, and 
establishes technical protection requirements for online transmission 
of SSNs.\12\ The new law also prohibits printing the SSN on 
materials mailed to residents of Arizona. Exceptions to the new 
protections are limited--companies that wish to continue to use the SSN 
must do so continuously, must disclose the use of the SSN annually to 
consumers, and must afford consumers a right to opt-out of continued 
employment of the SSN. Arizona's new law is based on California Civil 
Code Sec. 1798.85.
---------------------------------------------------------------------------
    \12\ Ariz. Rev. Stat. Sec. 44-1373.
---------------------------------------------------------------------------
Special Protections Have Been Crafted for Students
    A number of states have passed legislation limiting colleges and 
universities from employing the SSN as a student identifier. Limiting 
use of the SSN in this context reduces the risk of identity theft, as 
databases of student information, student identity cards, and even 
posting of grades sometimes contain SSNs.
    In Arizona, major universities can no longer use the SSN as the 
student identifier.\13\ In Colorado, as of July 2003, public 
and private postsecondary institutions were required to establish 
protections for the SSN and discontinue its use as the primary student 
identifier.\14\ New York and West Virginia prohibit all public 
and private schools from using the SSN as a primary 
identifier.\15\ Kentucky law allows students to opt-out of use 
of the SSN as student identifier.\16\
---------------------------------------------------------------------------
    \13\ Ariz. Rev. Stat. Sec. 15-1823. Rhode Island and Wisconsin have 
similar protections. R.I. Gen. Laws Sec. 16-38-5.1; Wis. Stat. Ann. Sec. 
36.11(35).
    \14\ C.R.S. Sec. 23-5-127.
    \15\ N.Y. Educ. Law Sec. 2-b; W. Va. Code Ann. Sec. 18-2-5f.
    \16\ Ky. Rev. Stat. Ann. 156.160. See also Ky. Rev. Stat. Ann. 
197.120.
---------------------------------------------------------------------------
Protections Crafted for Public, Vital, and Death Records
    Commercial data brokers obtain SSNs from a number of sources, 
including public records that individuals are required to file in order 
to enjoy important rights and privileges offered by society. For 
instance, marriage licenses have been a source for SSNs and a number of 
states, including Arizona, California, Indiana, Iowa, Kentucky, 
Louisiana, Maine, Montana, Ohio, and Michigan, have enacted legislative 
protections to prevent their disclosure.\17\
---------------------------------------------------------------------------
    \17\ Ariz. Rev. Stat. Sec. 25-121; Cal Fam Code Sec. 2024.5; Burns Ind. 
Code Ann. Sec. 31-11-4-4; Iowa Code Sec. 595.4; Ky. Rev. Stat. Ann. 402.100; 
La. R.S. 9:224; 19-A M.R.S. Sec. 651; MCL Sec. 333.2813; Mont. Code Ann. Sec. 
40-1-107; Ohio Rev. Code Ann. Sec. 3101.05.
---------------------------------------------------------------------------
    Birth and death records are rich in personal information, and 
states have acted to shield SSNs collected in these life events against 
disclosures. Arizona, California, Illinois, Kansas, Maine, Maryland, 
Massachusetts, Minnesota, Mississippi, Missouri, New Hampshire, and 
other states limit the appearance of the parents' SSN on birth 
records.\18\ Similarly, several states restrict disclosure of 
the SSN in records associated with death.\19\
---------------------------------------------------------------------------
    \18\ See Ariz. Rev. Stat. Sec. 36-322; Cal Health & Saf Code Sec. 102425; 
410 ILCS 535/11; K.S.A. Sec. 65-2409a; 22 M.R.S. Sec. 2761; Md. Ann. Code Sec. 
4-208; ALM GL ch. 111, Sec. 24B; Minn. Stat. Sec. 144.215; Miss. Code Ann. Sec. 
41-57-14; Mo. Rev. Stat. Sec. 193.075; Mo. Rev. Stat. Sec. 454.440; N.H. Rev. 
Stat. Ann. Sec. 5-C:10.
    \19\ See Ariz. Rev. Stat. Sec. 16-165; Cal Health & Saf Code Sec. 102231; 
Idaho Code Sec. 67-3007; Burns Ind. Code Ann. Sec. 16-37-3-9; La R.S. Sec. 
23:1671; N.D. Cent. Code Sec. 23-02.1-28.
---------------------------------------------------------------------------
Protections Against Pretexting Should Be Considered
    We wish to raise one additional concern here--even legitimate 
collection of the SSN contributes to unauthorized access to the 
identifier. That is, we are increasingly aware of manuals for private 
investigators and other materials suggesting that SSNs can be obtained 
from motor vehicle departments, applications for professional licenses, 
and even tax returns.\20\ In these cases, the investigator 
probably obtains the identifier through a friend or contact working at 
the institution with a SSN. Alternatively, the manuals suggest the use 
of ``pretexting,'' a practice where an investigator requests personal 
information from an entity while pretending to be another person or 
while pretending to have a legitimate reason for access to the 
information. The Gramm-Leach-Bliley Act prohibits pretexting with 
respect to financial, securities, and insurance companies, but the law 
doesn't apply to pretexting targeted at employers, utility companies, 
or other entities that have SSNs. The Subcommittee should consider 
whether expanding protections against pretexting would enhance the 
privacy of the SSN.
---------------------------------------------------------------------------
    \20\ See e.g. Lee Lapin, How to Get Anything on Anybody 533-543 
(Intelligence Here, 3d ed. 2003) (section titled ``How to Find Anyone's 
Social Security Number'' suggests thirty sources for the SSN, including 
driver's license applications, bankruptcy filings, court records, bank 
files, utility records, professional and recreational licenses, and 
employment files).
---------------------------------------------------------------------------
                               Conclusion
    We think that the privacy and integrity of SSNs could be enhanced 
through the passage of federal legislation that limits the collection 
and approved uses of the identifier. We urge the Subcommittee to 
examine state laws that have created new, clever protections for the 
SSN. We look forward to continuing to work with the Subcommittee on 
this and other privacy matters.

    Mr. Stearns. I thank the gentleman.
    I will start with my questions first.
    Mr. Hoofnagle mentioned the possibility of an alternative 
to a Social Security number. Commissioner, do you think there 
is another way to do this instead of having Social Security 
numbers? That would obviate the need to show your Social 
Security number, and should Congress push that idea?
    Mr. Leary. My problem with this, Congressman, is if we were 
writing on a clean slate and starting all over again, I suppose 
you could imagine a system where there might be some other 
identifier. And going down the road, there may be other 
identifiers. I mean, there may be technology having to do with 
your eye, fingerprints or things like this, which will be much, 
much more secure identifiers than what we have today. That is 
down in the future. But we have, unfortunately, a system that 
has been in place for a long time that is very, very hard to 
turn around. Let me give you a purely personal example.
    I first got my Social Security number when I turned 15 and 
had my first summer job. That was almost 60 years ago. In the 
interim, my Social Security number has been out there in 
innumerable employment records, employment applications, and 
records of various kinds. I agree with Mr. Hoofnagle that 
business has gathered these records reflexively for a long 
period of time. We were encouraged to carry our Social Security 
card around with us at all times to use as identification when 
I was young. Now, of course, they advise just the opposite. We 
were encouraged to put the Social Security number on the 
envelope when we mailed in our tax returns. Now, of course, 
they tell us just the opposite. I suspect that someone who 
wanted to get hold of my Social Security number and who knew 
where to look could get it in about 3 minutes today. There is 
not much of anything that Congress can do about that.
    All I am saying is that there is this embedded system, and 
whether there is an incremental value in attempting root and 
branch to change the way businesses do things is a very serious 
question.
    Mr. Stearns. Mr. Hoofnagle, when I have a credit report, my 
Social Security is part of that credit report; and I can get a 
copy of my credit report on the Internet for $35. Do you think 
that consumers should put their Social Security on the 
Internet?
    Mr. Hoofnagle. That is a complex question. It can be 
transferred over the Internet if it is done in encrypted 
fashion.
    Mr. Stearns. If it is not encrypted, then--because you get 
these dialog boxes that say what you are sending is not 
protected.
    Mr. Hoofnagle. In those cases, the consumers should never 
send their Social Security number. They do it over the phone, 
and the credit reporting agencies will make your credit report 
available by mail if you call, but consumers should only enter 
that information if it is encrypted.
    Mr. Stearns. I think it goes without saying, Equifax, 
Experian, TransUnion, these people are not necessarily--they 
have some legitimate arguments that they use this information 
to help the consumers and this bill might, in fact, hurt the 
marketing or the dissemination of information that is valuable 
to the consumer. So would you understand their point of view? 
Do you think they have a legitimate problem--this is for all 
three of you--that these major data base collectors have some 
reservations about restriction, both application of civil and 
criminal penalties, because they might be liable for something 
they are doing just as a service to the consumer?
    Mr. Hoofnagle. That is a legitimate concern, but I do think 
H.R. 2971 is a nuanced approach, and I think, going forward, 
Congress should have a nuanced approach that allows the use of 
Social Security numbers in some contexts but not in others.
    We got a call from a consumer last week who was going to 
rent a refrigerator for her home. The company wanted her Social 
Security number to check her credit, but then they were going 
to use her Social Security number as her record identifier. So 
she would start receiving mail with her Social Security number 
in it. All the employees of that company would probably have 
her Social Security number. A nuanced approach would allow the 
transfer of the SSN to check the credit but not allow it for 
use as a customer identifier.
    Ms. Bovbjerg. I like to put these things into three groups.
    There are entities who have a legitimate need to use the 
Social Security number. With those, you want them to apply 
better protections; and I think that is something that you are 
looking at in this bill. You want entities who don't need the 
number to stop collecting it, another element of this bill. You 
want to protect sources like, for example, public records in 
the States and counties in particular where people may not know 
that their number is floating around and we have been told by 
the businesses involved are sources for them in getting 
personal information, which includes the Social Security 
number.
    It is a nuanced approach that the entities who have a 
legitimate need, you want to allow them to continue to use it 
but protect it from being transferred to the wrong places, 
protect it from being displayed to people who don't need to see 
it.
    When we have talked with businesses over the years that we 
have been doing this work about what would happen if you 
couldn't use the number, which would be I think a more 
Draconian approach than what we are discussing today, they felt 
that it would be--disruptive was the word they used. They would 
have to consider what they could find to track that would be 
both unique and that the person would keep for their lifetime 
that wouldn't change and something they might be able to 
exchange with other entities but that, ultimately, they would 
adjust.
    Mr. Stearns. Commissioner?
    Mr. Leary. I think we all agree that a nuanced approach is 
necessary. The question is whether or not some of the 
provisions in the bill are not nuanced. Let me pick one for 
example.
    That is the notion that, somehow or other, a consumer can 
refuse to give a Social Security number to a business that 
requires it as a condition of doing business. Now you can 
understand why that right would make sense if, as Mr. Hoofnagle 
points out and I think rightly so, a lot of businesses have 
just gotten in the habit of using it as an identifier. But, it 
seems to me that that right of refusal would make no sense 
whatever if you are asking the business to extend credit to you 
or to give you merchandise on some kind of a payment plan where 
they need that Social Security number to access your credit 
history. If these businesses can't access your credit history 
readily, our financial system as we know it is going to be 
seriously impaired.
    So writing a statute and then subsequently enacting 
regulations that distinguish between the legitimate request for 
Social Security number and one that goes too far is no easy 
task.
    Mr. Stearns. I am going to conclude, and I am going to say 
that the question would be then that the three large data base 
companies, in your opinions, should not fear this bill? Is that 
what the three of you are saying? You all agree with that? That 
Equifax, Experian and TransUnion, there is nothing in this bill 
that would make it difficult for them?
    Mr. Leary. There is some language in the bill that might 
even make it difficult for them, and I would like to submit 
something to the committee. Our written statement doesn't have 
a paragraph by paragraph analysis of the bill; and, with your 
indulgence, I would like to submit that.
    Mr. Stearns. You are saying you think the bill does have 
some reservations and you think it should be improved to better 
allow these people to communicate with consumers?
    Mr. Leary. Yes, sir.
    Mr. Stearns. Ms. Bovbjerg, is your opinion the same? Just 
yes or no. These people are the big players here, and I want to 
see if you think the bill would work for them or not.
    Ms. Bovbjerg. What we have heard out in the business world 
is that it is not impossible to do business without the Social 
Security number. But if use of the Social Security number were 
restructured, there could be a period of disruption, and there 
could be a period where people don't get the services that they 
have become accustomed to.
    Mr. Stearns. You are saying the bill as it stands right now 
in your opinion would not affect these three companies?
    Ms. Bovbjerg. I can't answer that question.
    Mr. Stearns. This is a subjective opinion. The Commissioner 
is saying, yes, I think it could, but some parts of it should 
be changed. Should some of this be changed, you are an expert 
here, so these folks can communicate with the consumers or not?
    Ms. Bovbjerg. I can't say from their perspective. I don't 
have the information to do that. I can say that I think the 
bill would go a long way toward filling in the gaps.
    Mr. Hoofnagle. I wish to echo those comments. I cannot 
evaluate it from the perspective of the credit reporting 
agencies. But I would point out major companies like Blue Cross 
and Blue Shield of New York have switched away from the Social 
Security number. That is a company with 4.8 million 
subscribers.
    Mr. Stearns. Seems you could use the license number on your 
driving permit would be a possibility or just eliminate the 
Social Security except for the last four digits and use that as 
a tool, except in very select cases.
    My time is expired and, with that, the ranking member.
    Ms. Schakowsky. Mr. Hoofnagle, I am--I bank on-line, and my 
password is my Social Security number. Are you saying that 
there is danger in that? And also that there is not any 
particular good reason for that to be my PIN number to log in? 
Actually, they give a PIN number, but my first identifier, 
though, is my Social Security number.
    Mr. Hoofnagle. It is not a good idea to use the Social 
Security number as the main identifier for your account. It is 
not necessary for the company to do so. The general problem is 
that your Social Security number might be available in other 
contexts. It might be in public records. It might be in the 
business records of companies without good security, and access 
to the number could provide someone an opportunity to interfere 
with your accounts.
    Ms. Schakowsky. Does that mean each time I call for help, 
the help line, that the individual who is looking at my account 
is also looking at that screen that has my Social Security 
number and has complete access to that?
    Mr. Hoofnagle. It depends on the company. Some companies 
have layered access to personal information and essentially 
condition access on the need for it. Some companies do not. So 
it is entirely up to whether or not the company has good 
internal security protocols.
    But the risk you are articulating here is the primary 
identity theft risk, and there is very little consumers can do 
about identity theft because so much of the crime that occurs 
is a result of insider access.
    Ms. Schakowsky. This is a financial institution. This isn't 
a small bank. What is the indication of encryption or other 
security? How do I know that the number I give is encrypted?
    Mr. Hoofnagle. Consumers have very little insight into 
security practices. One of the core ideas behind privacy is so-
called fair information practices. It is the idea that you have 
access to your personal information, that you can audit access 
to your information and that there are real security safeguards.
    Ms. Schakowsky. Is there an icon or anything that tells me? 
Normally, I never looked for that, and I have never noticed it. 
Is there something that says it is encrypted in some way?
    Mr. Hoofnagle. In a standard browser, a little lock icon 
should appear at the bottom of the browser. But the consumer, 
in addition to seeing that little lock, should click on the 
lock to make sure that the certificate that is being issued by 
the Web site matches the bank's Web address. That extra step of 
matching the certificate is beyond most consumers.
    Ms. Schakowsky. The issue of restitution for consumers 
seems to be one that has not been particularly addressed. I 
know that, in looking through your testimony, Mr. Leary, that 
you get a lot of complaints and those are shared, I guess, with 
law enforcement. But what we hear in terms of constituent 
complaints is that it is just a hassle beyond tolerance to try 
and get any restitution or relief or even getting it corrected, 
much less even getting--I wonder if any of you could comment on 
that and what kinds of things we could be doing to help once 
the theft has already occurred.
    Mr. Leary. Well, there is an irony here, too, as well. As 
you know, the Federal Trade Commission does administer some 
restitution programs and in a very limited way. And by that, I 
don't mean that our remedies are limited, but our resources are 
limited. So our efforts are necessarily selective, exemplary 
and usually aimed at covering as large a group of consumers as 
we can in a particular complaint against a particular company. 
In other words, we are not equipped to deal with the individual 
constituent complaints that you have and which I know are a 
serious problem.
    One of the great ironies here, in the world we live in 
today, is that Social Security numbers are a very quick and 
ready way to find people who might otherwise not be able to be 
located for the purpose of administering redress programs to 
wide numbers of people who have been injured. I wish I could 
tell you that there is some way that we, the Federal Trade 
Commission, can help you with these individual consumer 
complaints, but I am afraid that we have to deal only with 
things that have a much larger impact.
    I get consumer complaints mailed in to me as well, and one 
of the sad and frustrating things is that we simply don't have 
the resources to deal with these individual things. We can give 
people advice. We have advice in the booklets as to whom you 
can go, steps you can take to repair your credit, at least to 
cut off the damage. But when it comes to actually getting 
redress from the wrongdoers, that is a real tough job.
    Ms. Bovbjerg. I don't have a lot to say about redress, but 
I did want to say that I think things have been getting a 
little better with regard to law enforcement coordination and 
that does help people. But it is very frustrating and 
disheartening for individuals where the crime doesn't meet a 
threshold that a Federal law enforcement agency will 
investigate. The victims have to go to State and local 
enforcement, and the coordination may or may not be there, 
depending on where the crime occurred, and where the person 
lives. It is terribly frustrating for them, and you can 
understand why they would like restitution, but, even then, I 
don't know that it can compensate for their time, and for the 
damage that such a crime has done to this person's life.
    Mr. Hoofnagle. A number of victims have attempted to sue 
companies that have improperly granted credit to imposters, and 
those lawsuits have generally failed, unfortunately from our 
view. We think a great protection moving forward would be the 
ability of a victim to actually pursue a credit-issuing bank or 
credit-issuing retailer that negligently extends credit to an 
imposter. There are amazing examples of this behavior where an 
imposter applies for credit and only the Social Security number 
matches and nothing else matches and the creditor still issues 
the account, and we think that needs to be reined in.
    Ms. Schakowsky. There are legal impediments to pursuing 
that in the courts.
    Mr. Hoofnagle. There are four cases that have been 
litigated in the Federal Courts on that issue, and all four 
have failed. The most recent was before the Supreme Court of 
South Carolina, where that court said that there was no duty 
between the credit issuer and the victim. So even though the 
credit was granted in the victim's name to an imposter, the 
court still would not recognize a right of action.
    Mr. Stearns. The chairman of the full committee, Chairman 
Barton.
    Chairman Barton. I don't have too many questions. I want to 
thank you for holding the hearing and thank our panelists for 
being here.
    My question goes to the heart of this whole issue. Social 
Security numbers were really not created to be a surrogate for 
a national identification number. They were created to help 
track people who were paying taxes into the Social Security 
Trust Fund, Old Age Survivor and Independent Beneficiary Fund, 
and to pay the benefits out. But they have become a surrogate 
national identity number.
    I took out a loan to buy a new home this past year, and I 
had to give my Social Security number. I opened a bank account 
when I got married. It wasn't an option. You want to take this 
loan out, you give us your Social Security number. You want to 
take this loan out, you give us your Social Security number.
    My first question is, should we just begin to assume that 
the Social Security number is a national identity number and 
proceed forward or should we continue under this charade that 
it is really not a national identification number?
    Mr. Leary. I will start, Mr. Chairman.
    We had a brief discussion of that shortly before you 
arrived, and I agree with you it has evolved in a way that 
probably people didn't foresee 65 years ago. But it has, as a 
practical matter, now become the basis on which credit 
decisions are made. It has been a very important way of 
identifying who someone named John Jones is, and distinguishing 
that person from some other John Jones who has a terrible 
credit history.
    One of the reasons that you and I are able to walk into a 
store in a strange town where nobody knows us and walk away 
with fairly expensive merchandise is because there is a 
recognized identifier. So that is the system we have. Now there 
can be--and I hope someday going down the road, long term, 
there will be--much more highly technical ways of ensuring that 
you are who you say you are, but for the moment this is what we 
are stuck with.
    Mr. Hoofnagle made a very good point, though, and that is 
there are some businesses that are very careless, and they 
assume that if you have the Social Security identifier they can 
take it as a given that you are who you say you are, 
notwithstanding the fact that a lot of other things don't 
match. We are working on ways, by the way, to see if we can't 
make some affirmative suggestions in that regard for more 
positive supplements to that kind of an identifier.
    Ms. Bovbjerg. Chairman Barton, I am Barbara Bovbjerg, from 
GAO, and I do a lot of work with the Social Security 
Administration. I know SSA would be completely horrified at the 
prospect of using the Social Security number as a national 
identifier. They would then be responsible for enumerating 
everyone, not just the people who are born American citizens, 
not just the people who are authorized to work, but everyone. 
And perhaps arguably that might make their task easier, as they 
might not have to sort through people. But it would change the 
whole nature of the Social Security number and its relationship 
to the Social Security program.
    In thinking about that, one can argue that today it is a de 
facto national identifier, but I think that if it is our 
national identifier, we are not really protecting it very well, 
and that if it were to be a national identifier, we would have 
to do things very, very differently than we do now.
    Chairman Barton. We have to go--to quote a poker term, we 
either withdraw or go all in. We are kind of half invested in 
the pot right now, and we haven't committed to it. As we become 
technologically advanced, we need to have a debate and decide, 
either you continue to use this and protect it or back away and 
come up with a real national identification number. That is 
what it is.
    And Mr.--the first gentleman's point--I am a frequent 
flyer. Under this test program, they have my thumbprint and eye 
print. I walk up to National Airport or Reagan Airport, and the 
line is 300 people long. I go up and look in this little thing; 
and it says, that is Joe Barton, and he can go through.
    So, I mean, the technology is there if we wanted to use it. 
And so that is really the question at this hearing, what do we 
want to do.
    Mr. Stearns. Would the gentleman yield?
    Chairman Barton. Sure.
    Mr. Stearns. How do the rest of us get that service?
    Chairman Barton. You just have to sign up for the program.
    Mr. Stearns. Just with the airlines itself?
    Chairman Barton. Yeah. I am sure Mr. Green is signed up.
    Mr. Green. Mr. Chairman, if the gentleman would yield, I 
signed up, but since I use Continental Airlines that service is 
only good for American Airlines out of Reagan. But hopefully we 
will get some type of seamless system.
    Chairman Barton. And that is my point. It took me about 5 
minutes to go through. I don't think they asked for my Social 
Security number when I signed up. They just asked for my 
driver's license, and then they took my thumb print and my eye 
print and that was it.
    Mr. Hoofnagle, do you want to----
    Mr. Hoofnagle. Thank you, Chairman Barton. We are concerned 
about the expanding use of the Social Security number. But I 
did want to remark that people frequently, when thinking about 
privacy, say that the toothpaste is out of the tube and you 
can't put it back in.
    But I don't think that is the case. And the best evidence 
of that is the telemarketing Do Not Call list that the Federal 
Trade Commission created with the Federal Communications 
Commission and by this Congress. And I think that is a 
compelling example of where we can take privacy back and we can 
establish safeguards.
    And the whole history of privacy law has followed the same 
model, where people have said it is too late, the information 
is already out there, but we have passed legislation to protect 
personal information and it protects us from that point 
forward.
    Gramm-Leach-Bliley, too, protects Social Security numbers 
in important ways. And it might not protect you and me, but it 
will protect our children. So I think, going forward, we should 
be optimistic.
    Chairman Barton. I am for that.
    You know, the conservatives--when we come to Congress, the 
conservative mantra is, no national identification number. You 
know, we don't want big brother to know all there is to know 
about us. But, de facto, if you use the modern industrial 
banking and credit system, you are going to have to give your 
Social Security number.
    And you have to have it. I don't think you can refuse to 
have a Social Security number. I think you have to have one. If 
you work, I think you have to have one. I don't think I could 
say, I don't want one, I am not going to pay Social Security 
taxes; or I am going to pay Social Security taxes, but I don't 
want a number. I think whether you get one or not, you get it.
    So I think we ought to have the debate and decide how to 
protect the Social Security number, and then decide what we 
want to do about the national ID number.
    With that, Mr. Chairman, I am going to yield back the 3 
minutes that I have overused.
    Mr. Stearns. I thank the gentleman.
    The gentleman from Texas.
    Mr. Green. Thank you, Mr. Chairman. And I know, as our 
chairman of the full committee mentioned, a lot of us have 
concern about use of our Social Security numbers; and I think 
we do have a de facto ID number.
    Now, I understand when I go and apply for a loan, a home 
loan, they want my Social Security number because sometime 
along the way I am going to deduct that interest on that loan 
and so that mortgage company is going to report that not only 
to myself, but I assume to the IRS. There are reasons that we 
have a Social Security number for tax purposes.
    But I also know when I asked to rent a U-Haul truck, they 
wanted my Social Security number. And I refused. I still got 
the truck. I don't know how often that would happen--simply 
because they want to check your credit rating, and I know that 
is our identifier.
    I guess my concern, and I appreciate our panel and the 
hearing, Mr. Chairman, is because of the three major credit 
bureaus we have; and I know under current law they are required 
to exchange the information. If I, for example, lost my credit 
cards, or I felt they were stolen, I would notify one, and all 
of them would be, the other two would be notified.
    But I do share the concern. In fact, I--being from Texas, I 
have some concern because when I did the American Airlines--
even though I am not a frequent flier with American, it is 
Continental--they did ask for my driver's license number. But I 
always understood that someone can go to my driver's license 
number in Texas, it is on the Web, and find out all my 
information, probably including my Social Security number.
    Is that correct, that States will provide that information, 
and they don't--State governments really don't guard the 
information, particularly a Social Security number?
    Mr. Hoofnagle. Representative Green, since 1998 the 
Driver's Privacy and Protection has set in, opt-in, meaning 
affirmative consent protections for your information at the 
motor vehicle association. The problem is that not all States 
have implemented the Driver's Privacy and Protection Act. 
Florida, for instance, failed to implement it, and they will 
not come into compliance with the law until October 1 of this 
year. And, as a result, there is a lot of information out there 
that is not available in other States. But Federal law should 
protect that data.
    Mr. Green. Well, I would be interested if you could provide 
to the committee other States, other than Florida, that maybe 
are not in compliance with the law from 1998.
    Mr. Hoofnagle. I would be happy to do so.
    Mr. Green. One of the other concerns is, when credit 
bureaus flag reports once there is fraudulent activity, is 
there a specific time by which credit bureaus must respond to 
continue to flag that particular account? Because I know 
oftentimes with stolen identities, it may not happen within 30 
days or 6 months, but can happen later. Is there any kind of 
timeframe that you know of that most of the credit reporting 
agencies have?
    Mr. Leary. I can't answer that question, Congressman. We 
will get an answer for you.
    I will just tell you a personal experience. I lost a 
driver's license about 2 years ago, and reported it, simply out 
of an excess of caution, to the credit agencies. And 2 years 
later, they still have a flag on my accounts, and it is 
extremely difficult to this day for me to get a new line of 
credit or something like that. They ask for all kinds of 
additional information. And I am glad to provide it under the 
circumstances because I feel safer.
    Mr. Green. And I agree. That is why I would rather those 
flags not drop off, because once that number is available on 
that, the folks who want to use it for illegal purposes, it 
could be used again 30 days or 6 months or, like you said, maybe 
even a year later.
    Thank you, Mr. Chairman.
    Mr. Stearns. I thank the gentleman.
    As customary, when we have completed the members of the 
subcommittee, we certainly welcome the opportunity for others 
to participate. And we are fortunate to have the author of the 
bill, Congressman Shaw. So he has been kind enough to come 
here, and I welcome his comments and anything he would like to 
put in the record.
    Mr. Shaw. Thank you, Mr. Chairman. And I do have a 
statement that I would ask unanimous consent to be placed in 
the record.
    Mr. Stearns. By unanimous consent, so ordered.
    Mr. Shaw. And just to make a few observations--and I shall 
not take the full 5 minutes--in listening to the questioning 
from the members and, of course, the replies from the panel of 
witnesses, many of whom have appeared before my Social Security 
Subcommittee, I think you are getting the full thrust of what 
we are doing and what we are trying to accomplish.
    Clearly, the Social Security number was never, never 
intended to be an identifier, it never was. We need to do a lot 
to protect this number. This particular portion of the bill 
that this committee has jurisdiction over is of particular 
importance because it stops the widespread use--or requirement 
for the widespread use--of Social Security numbers just simply 
to open accounts and just simply to do business with particular 
individuals.
    You will find that the utilities ask for it, the phone 
company asks for it. If you go try to open an account at a 
video store, the chances are they are going to want it. Opening 
up credit at a department store, at Burdines Department Store 
in Florida, which is part of the Burdines-Macy's group, they 
had, I recall, a sale where you get 20 percent off, and I was 
buying my wife's Christmas present--20 percent off if I would 
open an account. And I said, Well, that is a good idea, and I 
offered to open the account. And the first thing they wanted to 
know is my Social Security number; and I ended up having to pay 
20 percent more because I wasn't going to give it, and they 
weren't about to give me credit.
    But these are very important things. The use of it as a 
serial number in the military is of great concern. We have had 
testimony before our committee of the tremendous problems that 
people go through and the problems that they have once their 
credit has been stolen, once their identity has been stolen. 
And the Social Security number is the key to it.
    There is actual commerce in Social Security numbers that is 
going on quite legally in this country. I think if you are 
computer literate, you can probably go to a computer and find 
my Social Security number.
    That is not right. We need to stop this practice. We need 
to stop the widespread use of Social Security numbers for 
things that they were never intended for. That Social Security 
number is the property of the government and the person to whom 
it was issued, period, and it shouldn't be used for any other 
purposes other than governmental purposes.
    We must address the openness of documents, government 
documents, because you can go to court files and find the 
Social Security number.
    These things have to be dealt with. And again, Mr. 
Chairman, I applaud you for moving this legislation forward. I 
am hopeful that we can get this bill. If we can't in the few 
days left in this particular session, maybe we can come back 
and use this as the groundwork necessary to speed this bill 
through. We need this particular portion of it to stop the 
spread of this crime.
    And with that, I yield back, Mr. Chairman.
    [The prepared statement of E. Clay Shaw, Jr. follows:]
   Prepared Statement of Hon. E. Clay Shaw, Jr., a Representative in 
                   Congress from the State of Florida
    Social Security numbers, also known as SSNs, are integral to 
Americans' everyday lives. The government requires us to have an SSN 
for employment, paying taxes, and numerous other transactions. And even 
though it is not required by law, many businesses ask for individuals' 
SSNs to provide goods and services.
    Because the SSN is involved in so many transactions and is the key 
to our personal and financial information, it is one of the pieces of 
personal information most desired by identity thieves, and plays a 
pivotal role in identity theft. That is why I applaud the Committee on 
Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer 
Protection for holding this important hearing. Congress must act to 
help consumers protect their SSNs, which is a vital step toward 
identity theft prevention.
    Identity theft is a vast and growing problem. Overall, nearly 10 
million people--or 4.6 percent of the adult population--discovered that 
they were victims of some form of identity theft in the year prior to a 
2003 Federal Trade Commission-sponsored survey. The crime resulted in 
nearly $48 billion in losses to businesses, nearly $5 billion in losses 
to individual victims, and almost 300 million hours spent by victims 
trying to resolve their problems.
    Although Congress has enacted laws in recent years, such as the 
``Gramm-Leach-Bliley Act'' (P.L. 106-102), and the ``Fair and Accurate 
Credit Transactions Act of 2003'' (P.L. 108-159) to help protect 
personal information and prevent identity theft, we do not yet have a 
law that provides broad-based and consistent protection for SSNs, 
especially regarding its collection and use in the private sector.
    To close the gap in SSN privacy protection identified through 
reports by the Government Accountability Office, testimony, and other 
research, I introduced the ``Social Security Number Privacy and 
Identity Theft Prevention Act of 2003'' (H.R. 2971). This bipartisan 
bill, which was unanimously approved by the Committee on Ways and Means 
on July 21, 2004, would restrict the sale and public display of SSNs, 
close an existing credit header loophole that allows widespread 
dissemination of SSNs, tighten procedures for issuing new SSNs, and 
establish penalties for violations. H.R. 2971 has been referred to the 
Committee on Energy and Commerce to consider a provision that makes it 
more difficult for businesses to deny services if a customer refuses to 
provide his or her SSN.
    Providing for uses of SSNs that benefit the public, while 
protecting these numbers from being used by criminals, or even 
terrorists, is a complex balancing act. While there are powerful 
consumer benefits from business use of SSNs as a common identifier, the 
Committee on Ways and Means Subcommittee on Social Security, which I 
chair, has heard testimony on how identity theft rings may use an 
employee of a business to obtain names, SSNs, and other personal 
information in large batches.
    For this reason, the Federal Trade Commission and others advise 
Americans to avoid giving out their SSN unless it is absolutely 
necessary, and my bill puts that advice into law. Consumers should have 
the option to refuse providing their SSNs without being denied goods 
and services, unless the SSN is required by law. While necessary uses 
of SSNs must be, and are, preserved in my legislation, widespread 
collection and use of SSNs simply for convenience's sake must stop in 
order to stem the growing tide of identity theft.
     Again, I thank the Committee for holding this hearing and look 
forward to working with my colleagues to act quickly to help protect 
SSN privacy and prevent identity theft.

    Mr. Stearns. I thank my colleague, and I appreciate his 
attendance here. I think it has helped our hearing. We have 
finished our questions. I would conclude by saying that, as Mr. 
Shaw mentioned, the Ways and Means Committee had a hearing, 
marked it up. So we try to encourage our committee to look at 
this bill and look at it carefully. And perhaps, Commissioner, 
if you have any changes or suggestions you think should be done 
on the bill, as you alluded to, we would like to see those.
    All of us know that the Fair Credit Reporting Act had an 
amendment so that when I go to a restaurant now, I don't get a 
full MasterCard number back; they truncate it, so I only get 
the last four numbers. And that was a great step forward.
    And so these are the types of things, if you move 
incrementally, you get improvements that will help out to 
protect people's identity.
    So anything we can do--I think, based upon the facts that I 
gave in my opening statement, with as much as $5 billion a year 
lost to individuals and $48 billion a year lost to businesses--
which is really the Federal Trade Commission's statistic--this 
is a formidable problem; and certainly we can't let this 
continue.
    And as also pointed out, I think, by the committee and the 
witnesses, this is on the rise, too, so that this is something 
that we should work for and look for solutions.
    With that, the subcommittee is adjourned.
    [Whereupon, at 3:15 p.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]
                Prepared Statement of ACA International
social security number privacy and identity theft prevention act (h.r. 
                                 2971)
    ACA International (ACA), on behalf of the credit and collection 
industry, strongly opposes the Social Security Number Privacy and 
Identity Theft Prevention Act (H.R. 2971), which would undermine the 
practices voluntarily instituted by private industry, many of which 
have subsequently been required by federal law, to protect the privacy 
of consumers' personal identifying information.
                               rationale
    ACA shares Congress' concern about the increase in the incidence of 
identity theft. We applaud legislative proposals that would serve to 
deter identity thieves and levy harsh punishment against those who 
obtain or use personal identifying information for an unlawful or 
illegal purpose. However, these well-intentioned efforts should not 
pose an unreasonable burden upon businesses which must use Social 
Security numbers (SSNs) to positively identify a particular person. 
Therefore, ACA must oppose H.R. 2971, as currently drafted, as it does 
not specify that the purchase, sale or display of an individual's SSN 
for purposes of enforcing a credit obligation or collecting a debt 
would be legal should H.R. 2971 become law.
    Furthermore, as the legislation would provide broad powers to the 
federal government for access, use and display of an individual's SSN, 
ACA is concerned that H.R. 2971 would not make adequate remedy 
available to an individual whose identity is stolen through the 
negligent actions of a government agency. Unlike other statutes, in 
which a private cause of action can be brought by an individual whose 
identity is stolen, and credit history and consumer credit report 
damaged, the doctrine of governmental immunity would likely prevent 
such recourse to an aggrieved individual under H.R. 2971.
                      protections already in place
    As the nation's premier trade association representing credit and 
collection professionals, ACA places great emphasis upon the education 
of its members, to encourage the highest standards of business ethics 
and full compliance with the myriad of federal and state laws that 
currently govern the industry. Many of these laws mandate specific 
requirements to protect the security and privacy of consumers' personal 
information, including their SSN.
    ACA's creditor and collector members are subject to the Fair Debt 
Collection Practices Act, the Gramm-Leach-Bliley Act, the Federal Trade 
Commission Act, the Truth-in-Lending Act, the Health Insurance 
Portability and Accountability Act and the Fair Credit Reporting Act 
recently reauthorized by the Fair and Accurate Credit Transactions 
(FACT) Act, which all contain provisions related to consumer privacy. 
The FACT Act included several new safeguards to combat identity theft. 
The Federal Trade Commission is currently writing regulations to carry 
out the significant legislative requirements of the FACT Act related to 
new duties for data furnishers and others to prevent and fight identity 
theft.
    Layered with these federal requirements are state laws that govern 
the practices of creditors and third-party collectors and address 
consumer privacy protections. H.R. 2971's sweeping provisions could 
prohibit businesses in the consumer credit and collection industries, 
which are vital to our nation's economy, from obtaining and using SSNs 
to accurately locate consumers and collect owed child support, and 
other important financial obligations.
                    proposed amendment to h.r. 2971
    To be clear, ACA opposes the passage of H.R. 2971. However, if the 
bill does move forward in the legislative process, we respectfully 
submit the following amendment to address the concerns of the credit 
and collection industry. ACA proposes that language similar to that 
which currently exists under the Fair Credit Reporting Act be added to 
H.R. 2971, clarifying that the sale, purchase, or display of an 
individual's Social Security account would be permissible for purposes 
of enforcing a credit obligation.
    Specifically, under the title ``Prohibition of the Sale, Purchase, 
or Display to the General Public of the Social Security Account Number 
in the Private Sector'' in Section 208 (c) Exceptions, ACA would 
propose that another exception be added as follows:
        ``(H) to the extent necessary in the enforcement of a credit 
        obligation or the collection of a debt.''
                               conclusion
    As credit and collection professionals, ACA members take the 
responsibility of safeguarding the security of sensitive consumer data, 
including SSNs, very seriously. The member companies of ACA, 
representing over 100,000 credit and collection employees nationwide, 
comply with the existing framework of federal and state laws designed 
to protect consumers. ACA commends Congress for leading the fight 
against identity theft. The FACT Act passed last year and the recently 
passed Identity Theft Penalty Enhancement Act (H.R. 1731) were 
well-designed pieces of legislation intended to provide real relief for ID 
theft victims and deter would-be criminals. H.R. 2971, however, is a 
misguided and unnecessary bill that will do more harm than good.
                           aca international
    ACA International, formerly known as the American Collectors 
Association, is the association of credit and collection professionals. 
Founded in 1939, ACA International has approximately 5,300 members, 
including third-party collection agencies, attorneys, credit grantors 
and vendor affiliates. Headquartered in Minneapolis, ACA International 
serves members in the United States, Canada and 58 other countries 
worldwide. For more information on ACA International visit 
http://www.acainternational.org.
                                 ______
                                 
     Prepared Statement of Financial Services Coordinating Council
    This Statement for the Record is being submitted on behalf of the 
Financial Services Coordinating Council--or ``FSCC''--whose members are 
the American Bankers Association, American Council of Life Insurers, 
American Insurance Association, and Securities Industry Association. 
The FSCC represents the largest and most diverse group of financial 
institutions in the country, consisting of thousands of large and small 
banks, insurance companies, investment companies, and securities firms. 
Together, these financial institutions provide financial services to 
virtually every household in the United States.
    The FSCC very much appreciates the opportunity to submit this 
statement to the subcommittee on the use and misuse of social security 
numbers (or ``SSNs''). Our comments focus on the integral role of 
social security numbers in United States commerce; the many consumer 
benefits that result from financial institutions' use of these numbers; 
and the potentially negative effects that could occur if undue 
restrictions are imposed on such use. While the FSCC recognizes that 
there have been misuses of social security numbers, we strongly urge 
that any legislation intended to address this problem be carefully 
targeted to specifically-identified abuses, such as measures to stop 
identity theft. We believe it is imperative to avoid restrictions on 
legitimate and beneficial uses of SSNs.
    We would urge the subcommittee to exercise caution in its 
deliberations on any legislation in this area, including consideration 
of H.R. 2971, the ``Social Security Number Privacy and Identity Theft 
Prevention Act of 2004'', given the significant unintended consequences 
that such legislation could engender.
    Our testimony today makes three fundamental points:

 First, following the lead of the U.S. Government for the last 65 
        years, businesses' legitimate use of social security numbers as 
        unique identifiers of individuals is now woven into the fabric 
        of commercial transactions throughout the country. The use of 
        these numbers has produced real benefits for American consumers 
        and taxpayers, and has become critically important for a wide 
        range of government agencies, financial institutions, 
        hospitals, blood banks, and many other businesses, both large 
        and small.
 Second, broad restrictions on the use of social security numbers 
        could have serious unintended consequences, including higher 
        credit costs; increased fraud and identity theft; fundamental 
        and costly changes to internal business operating systems; 
        decreased consumer service; and costly delays in consumer 
        transactions.
 Third, Congress has recently enacted comprehensive privacy 
        protections under the Gramm-Leach-Bliley Act that, among other 
        things, place stringent restrictions on financial institutions' 
        use and transfer of social security numbers. In light of these 
        provisions, the FSCC strongly believes that further legislative 
        restrictions on financial institutions' use and transfer of 
        social security numbers are unnecessary.
    Our statement also discusses the potentially negative impact of 
social security number restrictions on financial institutions' 
legitimate use of public records.
                       fscc position on h.r. 2971
    As a preliminary matter, the FSCC would like to express its serious 
concerns with H.R. 2917 as adopted by the House Ways & Means Committee. 
At its core, the legislation seeks to restrict the availability of 
social security numbers to the general public. It does so by limiting 
the sale, purchase and display of such numbers. It imposes limits on 
the ability of commercial entities to collect these numbers when 
offering a product or service. It also imposes unclear limits on 
disclosures of social security numbers to government agencies and the 
maintenance of social security numbers in ordinary business records. 
Unfortunately, we believe that the bill may have the unintended 
consequence of restricting a wide variety of legitimate business 
activities that pose no danger of the public display of social security 
numbers. Ironically, we remain concerned that H.R. 2971 will have the 
effect of actually limiting our ability to combat identity theft and 
fraud, and to otherwise serve our customers. It is our collective 
associations' view that, with respect to financial institutions, 
existing law already provides consumers with significant protections 
regarding the misuse of social security numbers, making additional 
restrictions unnecessary and potentially counterproductive.
    As the Subcommittee is aware, in 1999 Congress enacted historic 
privacy protections as part of the Gramm-Leach-Bliley Act (GLBA). The 
GLBA subjects the financial services industry to a comprehensive 
privacy framework that requires annual disclosure of the company's 
privacy policies, allows customers to direct the company not to share 
their nonpublic personal information with nonaffiliated third parties, 
contains significant prohibitions on the disclosure of detailed account 
information, and establishes regulatory standards to protect the 
security and confidentiality of nonpublic personal information. 
Importantly, under GLBA, social security numbers are considered 
``nonpublic personal information'' and thus are already subject to 
significant restrictions on the transfer of, and the ability of others 
to reuse, such information. Moreover, Congress just last year enacted 
comprehensive legislation addressing concerns over identity theft as 
part of its passage of the ``Fair and Accurate Credit Transactions Act 
of 2003 (FACT Act)''. Taken together, these two congressional 
initiatives go straight to the heart of congressional concerns over 
identity theft and the efforts of financial institutions to combat this 
growing problem.
    The proposed bill, however, would create an entirely new regulatory 
structure for social security numbers and add it on top of a GLBA 
structure. For example, financial services companies regularly sell, 
for a price, assets between themselves and with secondary market 
institutions (e.g., home mortgages), such assets having social security 
numbers embedded in the files. Technically, these would be ``sales'' 
prohibited under the bill. (These would be unlikely to be a ``trade or 
business'' sale exempted under the bill.) In addition, institutions 
regularly transfer information within their corporate families, either 
through central databases or otherwise, often in exchange for some 
compensation. Again, this could be prohibited under the proposed bill, 
notwithstanding the fact that such transfers of information help 
financial institutions efficiently service customer accounts. Moreover, 
financial institutions regularly use third party databases that 
purchase data from public databases and other sources that institutions 
check against to uncover fraud, identity theft and credit risk. These 
data compilers are not ``consumer reporting agencies'' under the Fair 
Credit Reporting Act (FCRA), and thus would be subject to the bill's 
limitations on purchase and sale. Ironically, each of these legitimate 
transfers of information benefits consumers and often facilitates our 
members' ability to better serve customers' needs, combat fraud and root 
out identity theft, yet could be restricted under the bill. These are 
just some examples of legitimate, customer-beneficial activities that 
are called into question. There are undoubtedly others.
    The bill does provide the Attorney General of the United States 
with the ability to exempt other transactions from these prohibitions. 
As a practical matter, the AG is not familiar with the operations of 
financial institutions and would be ill-suited to craft appropriate 
exceptions that protect legitimate business activities. The Justice 
Department would certainly not be able to respond quickly to questions 
that would arise over the implementation of this exception. Moreover, 
delegating that authority to financial services regulators (as the bill 
permits), while potentially helpful, creates a great deal of regulatory 
uncertainty, inserting levels of regulatory bureaucracy in an area 
already adequately dealt with under federal law. As noted before, GLBA 
already establishes broad restrictions on the disclosure of nonpublic 
personal information, while specifically enumerating focused exemptions 
for legitimate business activities. Congress vigorously debated these 
GLBA rules and exemptions, which various State and Federal regulators 
have since implemented after extensive notice and comment periods 
(e.g., Federal Reserve, Office of the Comptroller of the Currency, 
Federal Deposit Insurance Corporation, Office of Thrift Supervision, 
Federal Trade Commission, Securities and Exchange Commission, and state 
insurance commissioners have all engaged in such reviews). Further 
action in this area, as it applies to financial institutions, is not 
necessary.
    As a practical matter, we do not believe that the financial 
services community is really the subject of the concern that this 
legislation is attempting to combat. We use social security numbers, as 
well as other personal financial information, to assist us in making 
sound credit decisions, underwriting applications for insurance 
coverage and performing other ordinary insurance business functions, 
combating fraud, rooting out identity theft, and uncovering financial 
support for terrorism. We do not make these numbers accessible to the 
general public. As a result, we believe that this legislation should be 
targeted at those entities at the heart of the problem, be they 
unregulated information brokers, those engaged in illegal 
pretext-calling, or the like.
 integral role of social security numbers in u.s. commercial activities
    To assist the subcommittee in its deliberations, it may be helpful 
to review the important role that social security numbers play in U.S. 
commercial activities.
    As the GAO noted in its February 1999 report,\1\ the 
Social Security Administration created social security numbers 65 years 
ago as a means to maintain individual earnings records for the purposes 
of that program. But Congress soon realized the tremendous value to 
society of a unique identifier that is common to nearly every American. 
As a result, it began to require federal government use of the SSN as a 
common unique identifier for a broad range of wholly unrelated 
purposes. For example, ``a number of federal laws and regulations 
require the use of the SSN as an individual's identifier to facilitate 
automated exchanges that help administrators enforce compliance with 
federal laws, determine eligibility for benefits, or both.'' 
\2\ These include federal laws applicable to tax reporting, 
food stamps, Medicaid, Supplemental Security Income, and Child Support 
Enforcement, among others. Moreover, as the GAO acknowledged, it has 
repeatedly recommended in numerous reports that the federal government 
use SSNs as a unique identifier to reduce fraud and abuse in federal 
benefits programs.\3\
---------------------------------------------------------------------------
    \1\ ``Social Security--Government and Commercial Use of the Social 
Security Number is Widespread,'' February 1999, GAO/HEHS-99-28.
    \2\ Id. at p.4.
    \3\ Id.
---------------------------------------------------------------------------
    Following the federal government's lead, American businesses not 
only complied with federal requirements to use SSNs as identifiers for 
federal laws unrelated to social security, such as income tax 
reporting. They also realized the powerful consumer benefits to be 
derived from comparable business use of SSNs as a common unique 
identifier. Thus, businesses began to use SSNs in a manner similar to 
the federal government, e.g., to match records with other organizations 
to carry out data exchanges for such legitimate business purposes as 
transferring and locating assets, tracking patient care among multiple 
health care providers, and preventing fraud and identity theft. Many 
businesses also use SSNs as an efficient unique identifier for such 
internal activities as identifying income tax filers.
    Similarly, the financial services industry has used the SSN for 
many decades as a unique identifier for a broad range of responsible 
purposes that benefit consumers and the economy. For example, our 
nation's remarkably efficient credit reporting system--which has helped 
make America's affordable and accessible credit the envy of the world--
relies fundamentally on the SSN as a common identifier to compile 
disparate information from many different sources into a single, 
reliable credit report for a given individual. And as set forth in 
considerably more detail in Attachment A to this testimony, the 
banking, insurance, and securities industries each use SSNs as unique 
identifiers for a variety of important regulatory and business 
transactions, primarily to ensure that the person with whom a financial 
institution is dealing really is that person. Set forth below is a very 
incomplete sample of the many financial institution uses of SSNs that 
are listed in Attachment A:

 To combat fraud and identity theft;
 To accurately assess underwriting risk;
 To assist in internal benefits tracking;
 To identify money laundering activities;
 To comply with securities law reporting requirements;
 To transfer assets and accounts to third parties;
 To comply with ``deadbeat dad'' laws;
 To verify appropriate Department of Motor Vehicle records when 
        underwriting auto insurance;
 To obtain verifiable medical information to underwrite life, 
        disability income, and long term care insurance;
 To locate policyholders to pay insurance proceeds;
 To facilitate a multitude of administrative functions.
    As noted in the GAO report, ``[s]imply stated, the uniqueness and 
broad applicability of the SSN have made it the identifier of choice 
for government agencies and private businesses, both for compliance 
with federal requirements and for the agencies' and businesses' own 
purposes.'' \4\ Put another way, the use of SSNs as common 
unique identifiers is now woven into the very fabric of both 
governmental and commercial transactions in this country, and has been 
so for decades.
---------------------------------------------------------------------------
    \4\ Id., p.2.
---------------------------------------------------------------------------
    In short, the federal government began the use of SSNs for 
unrelated identification purposes; it required businesses to do the 
same under certain federal laws; and its use served as an example for 
businesses, including financial institutions, for over half a century. 
These uses have produced tremendous efficiencies and benefits for all 
Americans. The FSCC strongly urges members of Congress to keep such 
legitimate uses and benefits, including those financial institution 
uses listed in Attachment A, in the forefront when considering 
proposals to restrict the use of SSNs.
unintended consequences of broad restrictions on use of social security 
                                numbers
    As a result of the widespread use of social security numbers for 
legitimate purposes, the FSCC remains fundamentally concerned about the 
unintended consequences of legislation that is intended to restrict the 
abuse of these numbers. Failure to carefully target legislation to 
avoid these unintended consequences risks serious harm to consumers and 
the smooth operation of the U.S. economy. Let me provide some specific 
examples:

 Potential Harm to Consumers. Financial institutions' use of social 
        security numbers makes it possible for them to provide a level 
        of service to customers that would otherwise not be possible. 
        By using such numbers to verify individual identities, credit 
        bureaus and others can quickly provide financial institutions 
        with accurate credit histories and verification information on 
        people seeking loans, insurance, securities, and other 
        financial products. This in turn permits a financial 
        institution to act swiftly and efficiently on applications or 
        requests related to these products. Use of social security 
        numbers also enables financial institutions to provide more 
        seamless administrative service, e.g., by allowing a life 
        insurer to more easily verify the identity of an individual 
        seeking to change a beneficiary under a life insurance policy. 
        The FSCC's concern is that a broad restriction on the sale or 
        use of social security numbers, however well-intended, could 
        seriously impede the delivery of such important services by 
        driving up processing costs and impairing decision-making.
 Increased Risk of Fraud and Identity Theft. Social security numbers 
        are critical for fraud detection. Banks, insurance companies, 
        and securities firms rely on information available from both 
        public and private sources--with embedded social security 
        numbers to ensure correct identification--to check for 
        ``inconsistencies'' that may suggest the occurrence of fraud or 
        identity theft. The use of these numbers also helps financial 
        institutions verify credit and make sound underwriting 
        decisions that minimize losses. The sophisticated processes 
        used for these purposes rely fundamentally on social security 
        numbers as the common unique identifier to assemble accurate 
        and verifiable information for a given individual. Put another 
        way, without a unique common identifier such as a social 
        security number, we believe it would be easier, not harder, for 
        an individual's identity to be stolen. Thus, to reiterate, we 
        believe that Congress should exercise great caution in 
        restricting the use of social security numbers so as not to 
        risk an increase in consumer fraud or identity theft--a result 
        that would be squarely at odds with the intended purpose of 
        such restrictions.\5\
---------------------------------------------------------------------------
    \5\ Existing law already includes provisions that prohibit identity 
theft. Stealing someone's identity is punishable by civil and criminal 
penalties under 18 U.S.C. 1028. Moreover, the Gramm-Leach-Bliley Act 
bans pretext calling, which is a basic tool of identity thieves.
---------------------------------------------------------------------------
 Market Disruption. A prohibition on the sale of social security 
        numbers could be construed to restrict such activities as the 
        sale of assets among financial institutions. This is so because 
        financial institution assets (e.g., mortgage servicing 
        accounts, credit card accounts, and traditional bank accounts) 
        often use social security numbers as the basis for account 
        identification. When it sells such an asset, a financial 
        institution could be viewed as technically ``selling'' the 
        embedded social security number as well. Thus, legislative 
        efforts that ``directly or indirectly'' limit the transfer of 
        social security numbers could effectively preclude such plainly 
        legitimate transactions. To address this problem, businesses 
        would need to rework their internal systems completely to 
        eliminate the reliance on such numbers--a massive and needless 
        expense. Accordingly, we believe that any legislative proposal 
        must be crafted to avoid such a significant unintended 
        consequence.
             the protections of the gramm-leach-bliley act
    The FSCC believes there is no need to further restrict the use of 
social security numbers by financial institutions in light of the 
strong social security number restrictions that apply to such 
institutions under the Gramm-Leach-Bliley Act (``GLB Act''). The GLB 
Act and its implementing regulations treat a financial institution 
consumer's social security number as protected ``nonpublic personal 
information.'' \6\ As a result, each financial institution 
consumer has the right to block a financial institution from selling or 
transferring his or her social security number to a nonaffiliated third 
party or the general public.
---------------------------------------------------------------------------
    \6\ See, e.g., 12 C.F.R. Sec. 40.3(o), generally defining protected 
``personally identifiable financial information'' to include ``any 
information . . . [t]he bank . . . obtains about a consumer in 
connection with providing a financial product or service to that 
consumer'' (emphasis added).
---------------------------------------------------------------------------
    There are exceptions to this general rule for legitimate transfers 
of social security numbers, such as ones that are necessary to carry 
out a transaction requested by the consumer; to protect against fraud; 
to provide necessary identifying information to a credit bureau, etc. 
However, even with respect to such legitimate transfers of social 
security numbers, the consumer remains protected because the recipient 
of the number is prohibited by law from re-using or re-disclosing the 
number--it may do so only as necessary to carry out the purpose of the 
exception under which the number was received from the financial 
institution. Indeed, this unprecedented restriction on the re-use and 
re-disclosure of consumer information, including social security 
numbers, was recently upheld by the federal district court of the 
District of Columbia.\7\
---------------------------------------------------------------------------
    \7\ ISRG v. FTC, C.A. No.: 00-1828 (ESH) (Dist. DC, April 30, 
2001).
---------------------------------------------------------------------------
    In short, as the result of the GLB Act's carefully-targeted 
restrictions, a financial institution consumer is fully protected with 
respect to a financial institution's transfer of social security 
numbers, yet legitimate and important uses of these numbers remain 
permissible. In light of these restrictions, no additional restrictions 
on use of SSNs by financial institutions are warranted.
         concerns over restrictions on access to public records
    Finally, some concerns have also been expressed regarding the 
inappropriate use of social security numbers available in the public 
record. The FSCC believes it is important to remember that a wide range 
of private sector enterprises--including banks, insurance companies, 
and securities firms--rely on such records to conduct a broad range of 
legitimate business activities. For example, financial institutions use 
public records to:

 Uncover fraud and identity theft;
 Make sound credit and other financial product determinations;
 Verify identities of the customer at the account opening phase;
 Assist in internal security operations (e.g., employee background 
        checks); and
 Otherwise verify identities in order to conduct a broad range of 
        business transactions.
Business reliance upon such records facilitates the efficient operation 
of the financial and credit markets, limits mistakes, and ensures that 
consumers receive prompt and lower-cost service. It also helps protect 
the customer from fraud.
    More specifically, to achieve the purposes described above, 
financial institutions directly use court bankruptcy records; public 
records involving liens on real estate; criminal records and fraud 
detection databases; and similar types of public records. Financial 
institutions also indirectly use such records for the same purposes by 
relying on databases developed by third parties that themselves rely on 
information from public records. Importantly, SSN identifiers are 
central to ensuring that the information included in these records 
matches the correct individual. This allows banks, for example, to 
verify the identity of a person so that a direction from a customer to 
transfer funds to a third party can be executed without mistake, as 
well as to check important credit-related characteristics of loan 
applicants (such as pending bankruptcies, tax liens, or other credit 
problems).
    Moreover, financial institutions employ sophisticated programs that 
cross-check public information against information supplied by an 
applicant in order to uncover fraud. For example, if the age 
information provided by an applicant posing as another individual were 
inconsistent with other information known about that individual from 
public records made available through SSN identification, a ``red 
flag'' would be raised, which would trigger further checking to uncover 
the identity theft.
    Thus, overly-broad limits on access to public record information 
would compromise a financial institution's ability to make sound 
business decisions and protect its customers. Such limits could also 
greatly slow the decision-making process of U.S. businesses, to the 
detriment of consumers and the economy.
    Finally, even if financial institutions were exempted from 
restrictions on access to public records containing social security 
numbers, such restrictions could still create indirect problems for 
financial institutions and their customers. For example, if a social 
security number were stricken from a public record, it is possible that 
the ability to use that record for legitimate purposes would become 
impossible because of the expense involved in verifying the identity of 
the person covered by that record. The consequences could be delayed 
loan approvals, increased consumer costs for products and services, and 
limits on an institution's ability to discover identity theft on a 
timely basis.
    Even if public entities could still retain social security numbers 
in their internal nonpublic files, the cost and delays in efficiently 
accessing such files would be significant. Ultimately, the cost 
efficiencies and speed of delivery inherent in our current market 
system would be compromised. The effect could be the same as denying 
financial institutions access to such records.
                               conclusion
    The benefits to society from the legitimate and responsible use of 
social security numbers are real and substantial. As a result, the FSCC 
believes that policymakers should look carefully at the unintended 
consequences that could occur with any proposal that would restrict the 
use of these numbers. And, because of the GLB Act's restrictions on 
financial institution disclosure of social security numbers, we believe 
that no new SSN restrictions are required for the financial services 
industry.
                              Attachment A
  activities potentially impaired by restrictions on social security 
                                numbers
    As noted above, a wide range of legitimate activities conducted by 
financial institutions would be affected by broad restrictions on the 
use of social security numbers. Set forth below are examples of such 
activities, grouped by the respective industries represented by the 
FSCC.
I. Banking Industry Uses
A. General Uses of Social Security Numbers
 To assist in account administration and better respond to customer 
        requests. Financial institutions must use shared information to 
        create central databases that then permit institutions to 
        better respond to customer requests or needs (e.g., provide 
        account balances, correct inaccuracies, process loan requests, 
        etc.). To do this, many institutions use social security 
        numbers as a unique identifier to ensure more accurate records.
 To combat fraud and identity theft. Financial institutions rely on 
        third-party databases to investigate claims of fraud and 
        identity theft. These third-party databases in turn rely on 
        social security numbers as the common unique identifier that is 
        used by a variety of data sources. Without such common unique 
        identifiers, there would be no way to ensure that particular 
        information is associated with a particular individual, and not 
        with someone posing as that individual. Thus, SSNs are integral 
        mechanisms for accumulating and processing authentic 
        information for both law enforcement officials and financial 
        institutions.
 To accurately assess risk. Every day, financial institutions make 
        judgments regarding financial risks. Institutions must rely on 
        information databases to make such judgments, whether they are 
        decisions on loans, insurance products, or other financial 
        services. Social security numbers, when used by internal and 
        third-party data providers as a means of compiling accurate 
        information on an individual, help institutions make prudent 
        decisions on product offerings.
 To verify the identity of the customer--in person, over the phone, by 
        mail, or over the internet--in the account opening stage. A 
        financial institution uses a social security number as the 
        unique individual identifier when verifying information of a 
        person with whom the institution has had no previous contact.
 To identify potential terrorist funding and money laundering 
        activities. Institutions use social security numbers as unique 
        identifiers to comply with various government requirements, 
        such as the U.S.A. Patriot Act, Office of Foreign Assets 
        Control (OFAC) verifications or the processing of certain Bank 
        Secrecy Act-related documents (e.g., cash transaction reports).
 To meet other government safety and soundness requirements. Federal 
        and State bank regulators require banks and savings 
        associations to operate in a safe and sound manner, and require 
        institutions to develop sophisticated internal policies and 
        procedures to that end. To do so, banks often rely on third-
        party databases that themselves rely on social security numbers 
        to promote accuracy. As a result, the use of social security 
        numbers plays a significant role in bank internal risk 
        activities.
 When providing tax reporting information to the Government (e.g., 
        Forms 1098/1099), as well as to the employee (e.g., W-2s).
 To facilitate internet banking operations. Many third-party vendors 
        who provide links to such services rely on social security 
        numbers as account identifiers.
 To assist in internal security operations. Institutions use social 
        security numbers as an employee identifier for purposes of 
        background checks and other activities.
 To assist in internal benefits tracking. For example, to provide 
        reimbursements to employees incurring business expenses, or to 
        track employee participation in employee retirement funds 
        (e.g., 401(k) plans).
 To track external payments to vendors for tax reporting purposes.
 To permit customer access to a wide range of 24-hour banking services 
        via phone or internet. Many banks use social security numbers 
        as the account identifier, both as a convenience to customers 
        and to maintain consistency with other internal processing 
        needs, such as the maintenance of an accurate central database 
        and the subsequent ability to use such numbers when making 
        external credit checks.
B. Type of Institutions that Benefit
 To facilitate financial holding company operations of benefit to the 
        company and its customers. Holding companies share customer 
        information (including social security numbers) within their 
        corporate family (i.e., affiliates) for a variety of purposes, 
        including:
 Providing customers with consolidated statements reflecting the 
        status of all of their financial accounts and investments. To 
        do so, companies need to ensure that customer information 
        matches the correct file--e.g., that the ``John Smith'' on the 
        phone is the John Smith that has two checking accounts, a 
        variable life insurance policy, and holds the securities of 
        four particular companies. Using social security numbers--the 
        only truly common unique identifier--to verify this information 
        greatly enhances company accuracy and increases customer 
        confidence.
 Assisting each affiliate in combating identity theft by giving these 
        affiliates necessary information on the customer so that they 
        may protect the customer's interest. For example, having 
        accurate, up-to-the-minute customer information allows 
        affiliates to quickly identify inconsistencies or irregular 
        activities in a customer's accounts that may reflect that 
        identity theft is occurring. Again, reliance on social security 
        numbers as the ``common'' element that permits institutions to 
        cross-check existing customer information with new information 
        helps institutions help their customers.
 Allowing all aspects of the company to prudently manage risk. When a 
        customer enters a bank, insurance company or securities firm in 
        search of a financial product or service, a financial 
        institution must quickly and accurately gauge its financial 
        risks in providing that product or service. The institution 
        must rely on a variety of credible internal and external 
        databases, such as those provided by credit bureaus, third-
        party vendors and other affiliates, for accurate information on 
        the credit standing and financial health of the applicant. To 
        ensure that these databases are as accurate as possible, such 
        providers must rely upon some form of common identifier that 
        ensures that correct financial history information is 
        associated with the right person. Social security numbers, as 
        the most accurate common identifier available, help ensure the 
        highest available level of accuracy in these databases. Since a 
        financial institution can then rely on the accuracy of this 
        information in assessing its risk, it can make quick, efficient 
        and prudent decisions regarding the new customer.
B. Securities Industry Uses
 Account identification. Many securities firms' systems rely heavily 
        on social security numbers for identification. In general, 
        account relationships are maintained based on SSN as the sole 
        unique identifier for an individual.
 Tax reporting. SSNs appear on account opening documentation, 
        primarily for tax reporting purposes.
 Telephone verification. Firms use SSNs to verify the identity of a 
        client transacting business over the telephone--this enables 
        firms to access an account by keying in the SSN if the customer 
        does not remember his/her account number.
 Account searches. Firms use SSNs for account searches, thus enabling 
        firms to sort all accounts for a customer under the same SSN.
 Court Actions/Judicial Process/Subpoenas. Securities firms are often 
        required to provide documents, which would reveal SSNs of a 
        client in responding to a subpoena, court order, or judicial 
        process. Firms also use SSNs to search for accounts in response 
        to requests from regulators and law enforcement officials.
 Securities law reporting. Many of the reports securities firms are 
        required to file with the SEC and self regulatory organizations 
        are based on SSN searches and identify SSNs. For example, 
        certain reports to stock exchanges are based on total positions 
        by related party (i.e., SSN).
 Institutional risk control/anti-fraud. Firms may use SSNs to perform 
        anti-fraud background checks on potential clients in order to 
        determine whether, for example, the person has a history of 
        defrauding others.
 Compliance. SSNs are used to identify certain types of activity that 
        firms are required to conduct surveillance for, such as 
        excessive turnover in accounts.
 Communications to shareholders. SSNs are used in connection with 
        mutual fund mailings, including the mailing of proxy statements 
        and prospectuses to proprietary fund shareholders. SSNs are 
        also used in connection with dissemination of a company's 
        annual report, quarterly report, or interim report.
 Escheatment/Abandoned Property. Securities firms are required to 
        provide on an annual basis to individual States the name, last 
        known address, SSN, and other information for purposes of 
        complying with various State escheatment and abandoned property 
        laws, and intangible property tax laws.
 Transfers of accounts to third parties. SSNs are used to facilitate a 
        customer request to transfer an account to another securities 
        firm, or to satisfy a customer request that a physical stock 
        certificate be transferred from street name into his or her 
        name.
 Insurance. SSNs may also be disclosed where a client purchases an 
        insurance policy through the securities firm--the securities 
        firms would then have to disclose (through the client's 
        application) information, including SSN, to the insurance 
        company.
C. Insurance Industry Uses:
  1. Property/Casualty Insurers' Use of Social Security Numbers
 To the extent the p/c insurance industry uses SSNs, that use is 
        confined to legitimate business practices such as underwriting 
        policies, complying with numerous state and federal laws, and 
        verification of identity.
 A proposal to prohibit or limit the disclosure of SSN could restrict 
        p/c insurers from obtaining necessary information for 
        underwriting and verification purposes.
     For example, auto insurers use motor vehicle records to assess 
            insurance risks, reevaluate risks undertaken, conduct 
            claims fraud investigations and pay injured victims. Motor 
            vehicle records, which include social security numbers as 
            identifiers, are an essential source of information needed 
            by insurers to comply with state consumer protection laws 
            and existing contracts.
     Auto insurers may use SSNs obtained from the consumer in order to 
            verify the receipt of proper Department of Motor Vehicle 
            records.
 Undue restrictions on use of SSNs could also impair the ability of p/
        c insurers to comply with reporting requirements under current 
        federal and state laws, such as those described below.
     Federal laws require p/c insurers to report certain payments with 
            the claimant's SSN to the IRS.
     P/C insurers are required under the Federal Welfare Reform Act to 
            report to state welfare agencies certain information, 
            including SSNs, so that the state can seize settlement 
            dollars from non-custodial parents.
     Under state workers compensation laws, p/c insurers are required 
            to file accident claims (which include the claimant's SSN) 
            with various agencies for those agencies' claims 
            administration purposes.
     State laws require p/c insurers to disclose to state-licensed 
            advisory organizations certain information, which may 
            include a SSN. The state-licensed advisory organizations 
            perform a critical function in insurance pricing by using 
            the information to conduct actuarial projections of 
            anticipated losses so that state insurance regulators are 
            able to perform their duties and insurance companies can 
            establish rates in accordance with state-approved rating 
            systems.
  2. Life, Disability Income, and Long Term Care Insurers' Use of 
        Social Security Numbers
    Life, disability income, and long term care insurers are strongly 
committed to the principle that individuals have a legitimate interest 
in the proper collection and handling of their personal information and 
that insurers have an obligation to assure individuals of the 
confidentiality of that information. However, in order for insurers to 
serve their prospective and existing customers, they must use and share 
nonpublic personal information, including social security numbers, in 
connection with the origination, administration, and servicing of 
insurance products and services. These functions are essential to 
insurers' ability to serve and meet their contractual obligations to 
their existing and prospective customers. Life, disability income, and 
long term care insurers also believe that the use and responsible 
sharing of nonpublic personal information, including social security 
numbers, generally increases efficiency, reduces costs, and makes it 
possible to offer economies and innovative products and services to 
consumers that otherwise would not be available.
    a) Underwriting life, disability income, and long-term care 
insurance policies--Insurers must be able to obtain and use nonpublic 
personal information, including SSNs, in order to underwrite 
applications for coverage. SSNs are used in a number of different ways 
in connection with this process:

 To obtain verifiable medical information. Insurers sometimes must use 
        proposed insureds' SSNs in order to obtain medical information 
        about them from doctors and hospitals which use SSNs as 
        identification numbers.
 To obtain drivers' record information. Insurers sometimes use motor 
        vehicle record information in underwriting. In some states, 
        insurers are required to use SSNs to obtain this information 
        from the motor vehicle department.
 To obtain credit report information. Insurers sometimes use 
        information from credit reporting agencies in underwriting, and 
        SSNs are sometimes required to obtain information from consumer 
        reporting agencies.
    b) Performance of Essential Insurance Business Functions--Once 
life, disability income, or long term care insurance policies are 
issued, insurers use their customers' nonpublic personal information, 
including their social security numbers, to perform essential, core 
functions associated with insurance contracts, such as for claims 
evaluations and policy administration. The ability to use this 
information for these purposes is crucial to insurers' ability to meet 
their contractual obligations to their customers and to perform 
important related service and administrative functions. They use SSNs 
to perform a number of these core insurance business functions, which 
include the following:

 To locate policyholders. SSNs are used by insurers to find missing or 
        lost policyholders to inform them that they are entitled to 
        life insurance proceeds.
 For customer service. SSNs are used to identify policies owned by an 
        individual who does not have the account or policy number 
        available when a service request is made.
 For phone call verification. Insurer call centers use SSNs as part of 
        the data requested to authenticate customers who call with 
        requests for service or for product or account information or 
        status.
 To transfer assets to unaffiliated financial institutions. SSNs are 
        often needed to transfer assets from one financial institution 
        to another, for example, for purposes of transfers between 
        mutual funds or annuities and life insurance. (Since one 
        financial institution generally does not know an individual's 
        account number at another financial institution, the SSN is 
        needed to identify the client's identity for the two 
        institutions. This reduces delay, error, and misplaced assets 
        in such transfers.)
 Pension plan administration. Insurers also use SSNs in connection 
        with the administration of pension plans, as identification 
        numbers.
 For online services. Insurers use SSNs as PIN numbers for customers' 
        use of on-line services.
 As identification for group insurance plans. Insurers use SSNs in 
        reporting to employer policyholders under employee group 
        insurance plans and in connection with payroll deductions under 
        these plans.
    c) Disclosures Pursuant to Regulatory/Legal Mandates or to Achieve 
Certain Public Policy Goals--In furtherance of public policy goals 
designed to protect American insurance consumers, life, disability 
income, and long term care insurers share nonpublic personal 
information, including SSNs, to:

 State insurance departments to assist them in their general 
        regulatory oversight of insurers, which includes regular market 
        conduct and financial examinations of insurers;
 Self-regulatory organizations, such as the Insurance Marketplace 
        Standards Association (IMSA), which impose and monitor 
        adherence to requirements with respect to member insurers' 
        conduct in the marketplace; and
 State insurance guaranty funds, which seek to satisfy policyholder 
        claims in the event of impairment or insolvency of an insurer 
        or to facilitate rehabilitations or liquidations which 
        typically require broad access to policyholder information.
Any limitation on these disclosures would seem likely to operate 
counter to the underlying public policy reasons for which they were 
originally mandated--to protect consumers.
    Life, disability income, and long term care insurers are also 
required to make certain disclosures of information by the federal 
government. In addition, they need to (and, in fact, in some states are 
required to) disclose personal information in order to protect against 
or to prevent actual or potential fraud. Such disclosures are made to 
law enforcement agencies and state insurance departments. Their primary 
purpose is to reduce the cost of insurance by helping insurers detect 
(and deter) attempts by insurance applicants to conceal or misrepresent 
facts. Any limitation on insurers' right to make these disclosures 
would seem likely to undermine the public policy goal of reducing 
fraud, the costs of which are ultimately borne by consumers.
    Life, disability income, and long term care insurers are required to use 
SSNs to report to the IRS a variety of payments to insurance consumers, 
including, but not limited to, interest payments, certain dividends, 
and policy withdrawals and surrenders. At least one state, Rhode 
Island, requires that insurers match ``deadbeat'' parents data before 
making payments on claims. SSNs are required for that matching.
    d) Ordinary Business Transactions--In the event of a proposed or 
consummated sale, merger, transfer, or exchange of all or a portion of 
an insurance company, it is often essential that the insurer be able to 
disclose company files. Naturally, these files can contain personal 
information, including customers' SSNs. Such disclosures are often 
necessary to the due diligence process that takes place prior to 
consummation of the deal and are clearly necessary once the deal is 
completed when the newly-created entity often must use policyholder 
files in order to conduct business.
    Insurers also frequently enter into reinsurance contracts in order 
to, among other things, increase the amount and volume of coverage they 
can provide. These arrangements often necessitate the disclosure of 
personal information, which may include SSNs, by the primary insurer to 
the reinsurer.
                                 ______
                                 
 Prepared Statement of Patrick P. O'Carroll, Acting Inspector General, 
                     Social Security Administration
    Good morning, Chairman Stearns, Ranking Member Schakowsky, and 
members of the Subcommittee. Thank you for the opportunity to provide a 
statement for this important hearing to discuss the complex problem of 
protecting private consumers' Social Security number (SSN) from misuse 
and the Committee's proposed legislation, the Social Security Number 
Privacy and Identity Theft Prevention Act of 2004.
The SSN as a National Identifier
    I would like to begin my statement today with a simple declaration: 
The SSN is a national identifier. In past years, many would challenge 
that comment. Today, we live in a changed world, and the SSN's role as 
a national identifier is a recognized fact. Unfortunately, with that 
knowledge, we must also accept that because the SSN is so heavily 
relied upon as an identifier, it is a valuable commodity for 
lawbreakers. Given the importance of this unique, nine-digit number and 
the tremendous risk associated with its misuse, one of the most 
important responsibilities my office undertakes each day is oversight 
of SSN integrity.
    Today I would like to focus my testimony on how the SSN is misused 
to commit crimes, my office's role in addressing homeland security and 
identity theft, and what more needs to be done to ensure the integrity 
of the SSN. The protection of private consumers' SSNs is an important 
concern in fighting identity theft and safeguarding SSN integrity. Over 
the years, we have raised concerns in testimony and reports and have 
called for improved security for all databases--both public and private 
sector--that contain SSNs and other sensitive data, both as a homeland 
security issue and as an identity theft issue.
    The SSN is a widely used identifier, which can be used to tie 
multiple records together about a single individual. While phone 
numbers, addresses, and even names can change, the SSN is constant 
throughout an individual's life. Because of this, many institutions, 
including hospitals and some banks and brokerages, use clients' SSNs as 
an identity confirmation. Other institutions, notably banks, use SSNs 
as secret passwords that only the owner should know.
    While common use of the SSN as an identifier seems reasonable, it 
is an invitation for identity theft. For example, if someone knows the 
name and SSN of another individual, they could use this information to 
access accounts, transfer funds, or make other changes to an account, 
which may have serious repercussions for the true account holder. When 
SSNs appear with their owners' names on driver's licenses, mailing 
labels, and university student ID cards, the owners of these SSNs 
become potential targets. In fact, we are currently reviewing the use 
of the SSN on student IDs in a nationwide audit that will examine such 
policies at approximately 100 schools. Perhaps the most important step 
we can take in preventing SSN misuse is to limit the SSN's easy 
availability on public documents, and even in electronic forums such as 
the Internet.
    Our investigations in this area reveal how widespread the misuse of 
SSNs and other sensitive data from public and private sector databases 
has become. For example, we recently discovered an offer to sell up to 
10,000 SSNs with matching names on the eBay web site. These SSNs were 
used by the University of North Carolina at Pembroke as identifiers for 
its staff, current students, and applicants. The suspect successfully 
stole these SSNs and was ultimately sentenced to 5 months' 
incarceration.
    Our Philadelphia Field Division participated in an investigation 
that found that a former credit card company employee provided several 
co-conspirators personal information of legitimate account holders. The 
co-conspirators then used this information to open and transfer money 
from fraudulent accounts. The former employee was sentenced to 4 years' 
probation and ordered to pay the bank restitution of over $132,800.
    In another case, after a year-long identity theft investigation, 
our agents arrested a man who had more than 250 credit cards--along 
with identification documents and fraudulent Social Security cards--for 
aliases he used in an elaborate scheme he began while working as a 
credit manager at a local furniture store. When the company was sold 
and his job was terminated, he took several credit reports with him and 
used those SSNs to get credit cards, bank loans, homes, vehicles, 
computers and cash. He was sentenced to 25 months in prison, ordered to 
pay $383,000 in restitution to numerous credit card companies and 
banking institutions, and ordered to forfeit a home and a recreational 
vehicle.
    The range of sources from which these SSNs and other critical 
personal information were stolen is alarming--legitimate web sites, 
universities, credit card companies, and a furniture store. It is not 
just SSA that has your number--numerous government agencies, companies 
and individual operators such as doctors and insurance agents have them 
as well. In fact, it is quite possible that your number has been given 
without your knowledge to numerous organizations, businesses and 
individuals. We cannot put the genie back in the bottle, but we must do 
more to make those who hold this critical information treat it with the 
same respect they would give to their own bank account numbers.
Misuse of the SSN to Commit Crimes
    For those with an illicit motive, an SSN can be obtained in many 
ways:

 Presenting false documentation to the Social Security Administration 
        (SSA).
 Stealing another person's SSN.
 Purchasing an SSN on the black market.
 Using the SSN of a deceased individual.
 Creating a nine-digit number out of thin air.
    Although SSA may never be able to completely prevent individuals 
from purchasing an SSN on the black market or stealing the SSN of 
another, we are proud that our efforts are making it more difficult to 
do so.
    For example, based on an investigation conducted by our Atlanta 
Field Division, a St. Petersburg, Florida resident was recently 
sentenced to 27 months of incarceration and ordered to make restitution 
to SSA for over $79,000 in survivors benefits she received for herself 
and three nonexistent children. To perpetrate this scheme, the 
individual assumed the identity of a former acquaintance by obtaining a 
North Carolina identification card in her friend's name. With this new 
identity, she used fraudulent birth certificates to apply for SSNs on 
behalf of two fictitious children. She also altered court marriage and 
divorce documents, falsely claiming that a known deceased man was her 
ex-husband and the fictitious children's father. She perpetrated this 
elaborate scheme so that she could apply for and receive Social 
Security survivors benefits for the fictitious children--and, until 
caught, was successful in doing so. Further investigation revealed that 
she had previously committed a similar crime resulting in additional 
survivors benefits for herself and another fictitious child.
    Other Federal agencies such as the Department of Housing and Urban 
Development (HUD) have also experienced a significant increase in the 
number of identity theft occurrences in their programs. Within programs 
administered by HUD, identity thieves are using someone else's SSN to 
obtain and then default on home mortgages--leaving taxpayers to pay 
their bills.
Our Role in Addressing Homeland Security and Identity Theft
    Recognizing the importance of SSNs to terrorists and identity 
thieves, SSA and my office, the Office of the Inspector General (OIG), 
take very seriously our responsibility to ensure that these numbers are 
only issued to those with a legal reason for having one. As such, we 
continuously seek innovative ways to prevent SSN misuse and create 
collaborative partnerships with other Federal, State, and local 
entities to address both homeland security and identity theft concerns.
OIG Homeland Security Activities
    While financial crimes involving SSN misuse are more numerous than 
terrorism-related crimes, the potential threat to homeland security 
nevertheless justifies intense concern. Because SSNs allow individuals 
to assimilate themselves into U.S. society, these numbers can become 
valuable tools for terrorists or others who wish to live in the United 
States and operate under the ``radar screen.'' Once an individual has 
an SSN, he has the ability to work, buy a home, and engage in a wide 
range of financial transactions including the raising and transferring 
of funds.
    Our active involvement in addressing homeland security began on 
September 11, 2001, with our agents assisting in rescue efforts and 
site security at the World Trade Center. We immediately assigned 
supervisors and agents to the FBI Command Centers in New York City and 
New Jersey to process information and investigate leads. The Inspector 
General ordered all Field Divisions to assist in Joint Terrorism Task 
Forces (JTTF) and Anti-Terrorism Task Forces (ATTF) around the 
country--in fact, we are now active participants in 63 Joint Terrorism 
Task Forces and 29 Anti-Terrorism Task Forces, as well as the Foreign 
Terrorist Tracking Task Force.
    In carrying out our homeland security responsibility, we coordinate 
closely with other Federal agencies. For example, we recently met with 
representatives of the Department of Homeland Security (DHS) to discuss 
methods in which we could work together to address the SSN's role in 
homeland security. We welcome this opportunity and believe cooperative 
ventures such as these are imperative to ensure that all of the links 
in the homeland security chain stay connected. Based on our initial 
discussions, we plan to work with DHS to explore possible data matching 
and cross-verification opportunities--those that are currently provided 
for under law and those for which additional legislation may be 
required.
    We are also coordinating with DHS and the Department of State 
(State) to review the effectiveness of the Enumeration at Entry 
initiative, a collaborative effort among the three agencies to 
facilitate the issuance of SSNs to legally admitted aliens whose 
immigration status permits such issuance. This initiative is designed 
to ensure that DHS and State certify the identity and immigration 
status of an alien before an SSN is assigned to that individual. 
Further, we have worked with the Department of Defense to determine 
whether individuals having public responsibilities and positions, 
primarily active duty military personnel, have reported wages with 
names and/or SSNs that do not match SSA's records. We are concerned 
about both unknown individuals working for the military branches and 
potential SSN misuse by military employees.
OIG Identity Theft Activities
    I am also concerned about the escalating occurrences of identity 
theft, which is the fastest-growing form of white-collar crime in the 
United States. In September 2003, the Federal Trade Commission (FTC) 
released a survey showing that 27.3 million Americans were victims of 
identity theft between 1998 and 2003--including 9.9 million people in 
the study's final year. FTC also reported that during the study's final 
year, losses to businesses and financial institutions totaled nearly 
$48 billion and consumer victims reported $5 billion in out-of-pocket 
expenses. Clearly, this is an epidemic that must be brought under 
control.
    Identity theft is an ``enabling'' crime, one that facilitates other 
types of crime, ranging from passing bad checks and defrauding credit 
card companies to committing acts of terrorism. Additionally, criminals 
use identity theft to defraud Federal agencies and programs of millions 
of dollars.
    By law and by mission, our office has a narrow but important role 
in the overall effort to address identity theft. Much of the Federal 
government's responsibility for identity theft issues has been assigned 
by Congress to the FTC. State and local law enforcement agencies and 
financial institutions also have critical roles to play.
    Because our primary mission is to protect the integrity of SSA's 
programs and operations, in the majority of our identity theft 
investigations, we continue to focus investigative efforts on cases 
that affect SSN integrity. For example, our Chicago Field Division took 
part in a 3-day inter-agency undercover operation that resulted in the 
arrest of 12 suspects dealing in fraudulently obtained Social Security 
cards, State driver's licenses, and U.S. passports. Our investigators 
determined that the group's leader and 11 others took part in an 
elaborate document-counterfeiting scheme to obtain valid SSNs for non-
existent children. The names belonged to undocumented noncitizens who 
paid up to $5,000 each for valid documents. Members of the group were 
sentenced to up to 2 years in prison or given immunity from prosecution 
for their cooperation in the undercover sting.
    To maximize our investigative resources, we dedicate agents that 
work on task forces with other law enforcement agencies nationwide to 
investigate identity crimes. We also work closely with prosecutors to 
bundle SSN misuse cases that, when presented separately, may not have 
been accepted for prosecution.
    We are also continuing our efforts to identify opportunities for 
SSA to further strengthen the integrity of the SSN. One of my major 
concerns has been the use of fraudulent documents to obtain SSNs. We 
continue to explore and recommend further controls the Agency can 
implement to strengthen SSA's important responsibility of assigning 
SSNs.
SSA Initiatives to Address SSN Integrity
    SSA has made significant progress in strengthening the defenses of 
the SSN, implementing important suggestions our office has made, and 
working with us to find solutions. In November 2001, the Commissioner 
of Social Security established an Enumeration Response Team (ERT) 
comprised of executives from throughout the Agency, including 
representatives from the OIG. The Commissioner charged this group with 
identifying steps the Agency could take to improve the enumeration 
process and to enhance the integrity of the SSN. Since that time, the 
Commissioner and the ERT have implemented numerous policies and 
procedures designed to better ensure that only individuals authorized 
to do so receive an SSN. For example, the ERT recommended, and SSA 
adopted, more stringent circumstances under which an individual may 
obtain a non-work SSN. We are proud to serve on workgroups such as 
these and applaud the Commissioner and SSA for their strong commitment 
to improving SSN integrity.
    Prior to the ERT, the Agency implemented other initiatives such as 
the Comprehensive Integrity Review Process (CIRP) and Enumeration at 
Entry process. The CIRP system identifies vulnerabilities in the 
enumeration process and issues alerts to SSA's field offices (FO) to 
develop and certify. The FO reviewer, usually a manager or supervisor, 
performs an enumeration integrity review of each alert. If the reviewer 
determines that there is a possibility of fraud, the alert is forwarded 
to the OIG for development and disposition.
What Actions Still Need to Be Taken to Address SSN Misuse
    Despite the significant progress SSA and Congress have made in 
recent years to address SSN misuse, we believe SSN integrity and 
protection still need improvement at three stages: at issuance, during 
the life of the number-holder, and following the number-holder's death.
    At Stage One (issuance of the SSN), my office is working closely 
with Congress and SSA to strengthen controls over the enumeration 
process, ensure the integrity of identification documents, and make it 
as difficult as possible to fraudulently obtain an SSN from the Federal 
government. Together with Congress and with SSA, we have made important 
strides in reducing enumeration vulnerabilities, and that effort 
continues. Still, to strengthen our defenses even further, we believe 
SSA should implement the following changes.

 Continue to address identified weaknesses within the enumeration 
        process to better safeguard SSNs.
 Work with State Bureaus of Vital Statistics to incorporate additional 
        controls in SSA's Enumeration-at-Birth program, such as 
        periodically reconciling the number of SSNs assigned through 
        the program to the number of births reported by participating 
        hospitals.
    In the last several years, we have focused significant resources to 
address SSN protection within Stages Two (during the life of the number 
holder) and Three (after the number holder's death). Specifically, we 
have conducted numerous audits and made extensive recommendations to 
SSA to improve the SSN misuse problem in the earnings reporting 
process, and most importantly, to improve controls over SSN misuse as 
it pertains specifically to Homeland Security. Nevertheless, to more 
completely address SSN integrity during the life of the number holder 
and following that number holder's death, we believe SSA and lawmakers 
should examine the feasibility of the following initiatives.

 Limiting the SSN's public availability to the greatest extent 
        practicable, without unduly limiting commerce.
 Prohibiting the sale of SSNs, prohibiting their display on public 
        records, and limiting their use to legitimate transactions.
 Enacting strong enforcement mechanisms and stiffer penalties to 
        further discourage SSN misuse.
 Cross-verifying all legitimate databases that use the SSN as a key 
        data element.
 Review the implications of releasing information on deceased 
        individuals.
Limiting the SSN's Public Availability and Sale of the SSN
    Perhaps the most important step we can take in preventing SSN 
misuse is to limit the SSN's easy availability. We believe legislation 
designed to protect the SSN must strictly limit the number's 
availability on public documents. As long as criminals can walk into 
the records room of a courthouse or local government building and walk 
out with names and SSNs culled from public records, it will be 
extremely difficult to reverse the growing trend of SSN misuse. We also 
believe effective legislation should also specifically prohibit the 
sale of SSNs--including one's own SSN--on the open market. In addition, 
as long as criminals can buy a list of names and SSNs through an 
Internet auction, we will continue to be plagued by the consequences.
    To be fully effective, we also believe legislation must limit the 
use of the SSN to appropriate and valid transactions. The financial 
industry relies on the SSN, and no one is suggesting that we change the 
way legitimate business is conducted in the United States. But the use 
of the SSN as a student or patient identification number, as part of a 
car rental contract or to rent a video, must be curtailed.
    Congress enacted the Identity Theft and Assumption Deterrence Act 
of 1998, P.L. 105-318, responding to the growing epidemic of identity 
thefts by imposing criminal sanctions for those who create a false 
identity or misappropriate someone else's. The Internet False 
Identification Prevention Act of 2000, P.L. 106-578, closed a loophole 
left by the earlier legislation, enabling our office and other law 
enforcement organizations to pursue vendors who previously could sell 
counterfeit Social Security cards legally by maintaining the fiction 
that such cards were ``novelties'' rather than counterfeit documents. 
More legislative tools are needed, and we have worked with Congress to 
identify legislation necessary to protect the integrity of the SSN. For 
example, the House is now considering H.R. 2971, the Social Security 
Number Privacy and Identity Theft Prevention Act of 2004, which would 
restrict the use of SSNs in the private and public sector, and 
criminalize the sale of SSNs.
Penalties
    The identity theft legislation I discussed earlier provides 
criminal penalties, but those penalties were designed for identity 
theft crimes involving Social Security cards and/or SSNs, not for SSN 
misuse itself. We believe legislation should not only provide criminal 
penalties for those who misuse SSNs, but should also provide criminal 
penalties for those few SSA employees who betray the public trust and 
assist criminals in improperly obtaining SSNs.
    For example, a former SSA Service Representative was sentenced to 3 
years probation and community service after pleading guilty to a 
bribery charge in connection with issuing 100 to 200 Social Security 
cards to illegal aliens. She received between $50 and $150 for each 
card. We believe it is critically important to send a strong message to 
SSA employees tempted to facilitate crimes against Agency programs by 
pursuing the maximum sentence possible.
    On July 15, 2004, the President signed the Identity Theft Penalty 
Enhancement Act, P.L. 108-275, into law, establishing enhanced 
penalties for aggravated identity theft. While increased criminal 
penalties are a welcomed addition to the arsenal available for use in 
combating identity theft, we also believe legislation should provide an 
administrative safety net in the form of Civil Monetary Penalties to 
allow for some form of relief when criminal prosecution is not 
available for SSN misuse and other Social Security-related crimes.
Cross-verification
    Additionally, we strongly support cross-verification of SSNs 
through both governmental and private sector systems of records to 
identify and address inaccuracies. Our experience has shown that cross-
verification can combat and limit the spread of false identification 
and SSN misuse. Further, we believe all law enforcement agencies should 
be provided the same SSN cross-verification capabilities currently 
granted to employers. In doing so, the law enforcement community would 
use data already available to the Federal, State and local governments 
and the financial sector.
    Potentially, the rewards of cross-verification can be great, and it 
would not require major expenditures of money or the creation of new 
offices or agencies. We believe legislation is needed to expand cross-
verification of identification data between governmental, financial and 
commercial holders of records and the SSA on a recurring basis. To 
offset SSA's cost for providing such services, the Agency could charge 
a modest fee to commercial and financial entities. The technology to 
accomplish these data matches and verifications exists now. Coupled 
with steps already underway by SSA to strengthen the integrity of its 
enumeration business process, cross-verification, once initiated, would 
be a critical step in combating the spread of identity fraud.
    Let me give you an example of an identity theft case in which 
cross-verification may have prevented a crime against a Federal 
government program, saving taxpayers $62,000. A Salt Lake City 
grandmother learned last year from one of my Denver Field Division 
agents that her SSN was used to purchase a $146,000 HUD home. This 
identity theft went undiscovered until the home went into foreclosure 
because the criminals used this grandmother's SSN, but another name to 
purchase the home. Had HUD been allowed to verify the accuracy of the 
borrower's name and SSN with SSA, HUD would have recognized the 
discrepancy and denied the loan. In this one case alone, the Government 
would have saved the thousands of program dollars HUD had to pay to 
foreclose and resell the property. Additionally, this elderly Salt Lake 
City grandmother would have been spared the time and expense of 
repairing her credit record.
    We believe cross-verification is one of the most important tools 
the Government and private sector can employ to reduce the instances of 
identity theft. We understand the important issue of consumer privacy 
that must be considered by Congress and others before allowing such 
data integrity matches. However, our ability to prevent these egregious 
crimes would be enhanced by additional legislation balancing the need 
for consumer privacy with the need for accurate identifying 
information.
Conclusion
    We appreciate the invitation to provide a statement to this 
Subcommittee and to assist you in the very important work you are doing 
to help protect consumers' SSNs. We are very pleased with the progress 
Congress and SSA have made in addressing the issue of SSN integrity 
over the last several years. However, we reiterate our concern that 
more must be done to ensure that only those individuals authorized to 
have an SSN receive one and that anyone who fraudulently obtains and 
misuses an SSN is adequately penalized. As such, we believe recently 
enacted legislation such as P.L. 108-275, the Identity Theft Penalty 
Enhancement Act, is a significant step toward holding accountable 
individuals who misuse SSNs to commit egregious crimes. In addition, we 
support legislation such as H.R. 2971, the Social Security Number 
Privacy and Identity Theft Prevention Act of 2004, which severely 
limits the sale, purchase and display of SSNs to the general public.
    We also ask that Congress consider other measures such as increased 
cross-verification among Government and private sector entities, Civil 
Monetary Penalties for SSN misuse and other Social Security-related 
crimes when criminal prosecution is not available, and stronger 
penalties for those few SSA employees that betray the public trust by 
selling SSNs. We will certainly continue our vigilance in addressing 
these issues and stand ready to do more to enhance the safety and well-
being of all Americans.
                                 ______
                                 
                                   Federal Trade Commission
                                                   October 20, 2004
The Honorable Cliff Stearns, Chairman
Subcommittee on Commerce, Trade and Consumer Protection
House Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, DC 20515
    Dear Mr. Chairman: Thank you for the opportunity to present the 
views of the Federal Trade Commission at the September 28, 2004, 
hearing of the Subcommittee on Commerce, Trade, and Consumer Protection 
of the House Committee on Energy and Commerce, on H.R. 2971, the Social 
Security Number Privacy and Identity Theft Prevention Act of 2004. This 
letter responds to the Subcommittee's request for more specific views 
on the bill itself. In addition, the letter addresses Representative 
Green's question at the hearing about the length of time that a fraud 
alert remains on a consumer's credit file.
    As I stated at the hearing, I believe that the goals of H.R. 2971 
are laudable. It seeks to strike the right balance between the 
legitimate and permissible sale and display of Social Security numbers 
(SSNs) and those that should be eliminated. It is extremely difficult, 
however, to find the correct place to draw the lines, by rulemaking or 
otherwise. Some provisions, like restrictions on access by prisoners, 
are clearly justified, but others may have unintended consequences. I 
believe that this bill, if enacted in its current form, would present 
significant challenges to the credit granting system and may ultimately 
harm consumers. The primary concern in this regard is with Sections 109 
and 110. Below, I provide a brief analysis of these provisions and 
their potential negative impact on consumers.
    In my oral presentation, I mentioned that there are many legitimate 
uses of SSNs in commerce that provide substantial benefits to 
consumers. In particular, SSNs are used by consumer reporting agencies 
(e.g., credit bureaus) to organize consumer data files and to match 
individual consumers with the correct consumer file (e.g., credit 
report). In order to ensure accurate and complete results, it is 
important for consumer reporting agencies to obtain a consumer's SSN 
from those that request the consumer's credit report.\1\ 
Similarly, when financial institutions report account information to 
consumer reporting agencies, the SSN is used to match that information 
to the correct consumer file. Without SSNs, consumer reporting agencies 
may be unable to accurately match individual consumers with the proper 
credit reports, and may be unable to match information from financial 
institution records to individual consumer files. This could cause 
inaccurate information to appear in individual consumer files and 
errors in reporting the wrong file to inquiring creditors and other 
permissible users. Thus, undue restrictions on the availability of SSNs 
to businesses could harm consumers by diminishing the accuracy of the 
consumer reporting system.
---------------------------------------------------------------------------
    \1\ The FTC is required, under the Fair and Accurate Credit 
Transactions Act (the FACT Act), to study the processes by which 
consumer reporting agencies ``match'' consumer files to particular 
consumers prior to releasing a consumer report to a user. See Pub. L. 
No. 108-159 Sec. 318. That study will be completed in December 2004. It is 
clear, however, that the current consumer reporting system relies 
heavily on consumers' full SSNs.
---------------------------------------------------------------------------
    In addition, many businesses rely on SSNs to obtain current address 
and other contact information on consumers for a number of legitimate 
purposes. For example, a business may need a consumer's current address 
information in order to administer rebate, recall, or consumer redress 
programs; locate beneficiaries, lost heirs, or the holders of dormant 
accounts; and perform collection activities. In addition, this 
information is often used for law enforcement and public safety 
investigations. Consumer reporting agencies generally possess the most 
up-to-date consumer address and contact information. Because SSNs play 
an important role in the consumer reporting agencies' ability to match 
an individual consumer with the information relating to him, it would 
be more difficult for businesses and law enforcement without SSNs to 
obtain consumers' current address and contact information for a variety 
of legitimate purposes.
    This does not mean that consumer reporting agencies should be able 
to use SSNs without restriction. In my view, however, H.R. 2971 in its 
current form could eliminate or hinder legitimate uses of SSNs, to the 
ultimate detriment of consumers.
Section 109
    Section 109 of H.R. 2971 would restrict consumer reporting agencies 
from disclosing SSNs except as part of a ``full consumer report'' 
(i.e., where there is a permissible purpose under the Fair Credit 
Reporting Act, 15 U.S.C. Sec. 1681 et seq., (FCRA)). Under the FCRA, 
businesses may obtain from consumer reporting agencies identifying 
information about consumers (often referred to as ``above the line'' 
information), including SSNs, without having one of the permissible 
purposes specified in the statute.\2\ By prohibiting consumer 
reporting agencies from furnishing SSNs except as part of a full 
consumer report, Section 109 would cut off use of SSNs for many 
legitimate uses, such as law enforcement, public safety investigations, 
and insurance or pension benefit distributions,\3\ which are 
not permissible purposes for full file disclosures under the 
FCRA.\4\
---------------------------------------------------------------------------
    \2\ This identifying information generally is not covered by the 
FCRA. See FTC v. Trans Union, Dkt. 9255, Op. of the Commission at pp. 
30-31 (Mar. 1, 2000) (holding that consumer name, SSN, address, 
telephone number, and mother's maiden name do not constitute a consumer 
report under the FCRA).
    \3\ For example, assume that a consumer purchases life insurance. 
In current practice, the insurer generally would require the purchaser 
to provide his SSN, as well as those of any beneficiaries. When the 
policy matures and the insurer seeks to locate the beneficiaries, the 
insurer typically would use the SSNs it had collected previously to 
find the current address information for those beneficiaries through a 
consumer reporting agency or other commercial database. Section 110 
would prevent the insurer from requiring the SSNs of the consumer and 
the beneficiaries at the time the policy is purchased. Without the 
SSNs, the insurer could not obtain current address information for the 
beneficiaries from a consumer reporting agency, because the insurer 
likely would not have a permissible purpose to obtain their full 
consumer reports.
    \4\ Apart from the FCRA, the disclosure of SSNs by consumer 
reporting agencies and other financial institutions is limited under 
the Gramm-Leach-Bliley Act (GLBA), which requires financial 
institutions (with certain exceptions) to provide consumers with notice 
and an opt-out opportunity before sharing personal financial 
information with nonaffiliated third parties. See 16 C.F.R. Part 313. 
However, the exceptions to the GLBA notice and opt out requirements 
allow many legitimate business uses and disclosures of this 
information, including for law enforcement and public safety 
investigations. See 16 C.F.R. Sec. Sec. 313.14-.15. The permissible purposes 
under the FCRA that would govern disclosure of SSNs under H.R. 2971 are 
significantly narrower than the GLBA exceptions.
---------------------------------------------------------------------------
    At the same time, in those situations where a business does have an 
FCRA permissible purpose for a full file disclosure, this section could 
encourage the overdisclosure of consumer information, because a 
business with a need for SSNs in order to obtain, for example, current 
address information, would be forced to purchase a full consumer report 
containing much more sensitive information than the user needs. In sum, 
this provision could have a negative impact on the availability of 
accurate consumer identifying information for legitimate uses, in 
addition to overdisclosing sensitive consumer information in other 
instances.
Section 110
    Section 110 of H.R. 2971 would make it unlawful for a business to 
require an individual to provide his SSN as a condition of doing 
business, and to do so would violate Section 5 of the FTC Act. The only 
exception to this provision is for circumstances where the business is 
expressly required under federal law to submit the individual's SSN to 
the federal government. As you know, this exception is very limited and 
would not allow businesses to require SSNs for many legitimate uses. 
For example, Section 110 would prevent creditors, insurers, and others 
from requiring a consumer to provide an SSN in connection with an 
application for credit, insurance, or other business transaction 
involving the consumer. As a result, this section would hinder the 
ability of businesses to obtain credit reports for legitimate purposes, 
such as risk analysis, underwriting functions, and security checks.
    In addition, similar to Section 109, this provision would prevent 
businesses with a legitimate need for consumers' current address 
information from obtaining that information, because that information 
is generally only accessible with an SSN.
    Thus, for the reasons described above, I believe that Section 110 
could have a significant negative impact on consumers.\5\
Fraud Alerts Under the FACT Act
    Finally, during the hearing, Representative Gene Green asked about 
the length of time that a fraud alert--that is, a notation that the 
consumer is a potential victim of identity theft or fraud--remains on a 
consumer's credit file. At present, as a voluntary practice, the 
nationwide consumer reporting agencies have been using a two-step fraud 
alert system, placing initial and extended fraud alerts in consumers' 
files upon request. The first national consumer reporting agency 
contacted notifies the other two of a consumer's request for an initial 
fraud alert. If the consumer later seeks to have an extended alert 
placed in his file, he will have to contact each of the three agencies. 
The duration of the initial fraud alert has varied among the agencies 
from 90 days to twelve months. All three agencies have left the 
extended fraud alert in the consumer's file for seven years.
    The FACT Act codifies and expands upon these voluntary practices. 
The fraud alert provisions go into effect on December 1, 2004, and 
provide for a two-step fraud alert system.\6\ Upon the initial 
request of a consumer, a nationwide consumer reporting agency must 
include an initial fraud alert in that consumer's file for not less 
than 90 days. If that consumer subsequently requests an extended alert 
and submits an identity theft report,\7\ a nationwide consumer 
reporting agency must include an extended fraud alert in the consumer's 
file for seven years. A consumer may, however, request to have either 
type of fraud alert removed from his file prior to the expiration of 
the designated period. In addition, the nationwide consumer reporting 
agency receiving the request for the fraud alert, whether initial or 
extended, must refer the fraud alert information to the other 
nationwide consumer reporting agencies.
    Thank you again for this opportunity to provide my views on H.R. 
2971. I look forward to continuing to work with you on these important 
issues.
            Sincerely,
                                            Thomas B. Leary
                                           Federal Trade Commission
------
    \5\ In addition, it would be valuable in the development 
of any legislation on this subject to have the results of the 
``matching study'' that the FTC is conducting pursuant to the FACT Act. 
This study is intended to learn more about the processes by which 
consumer reporting agencies match consumer files to particular 
consumers prior to releasing a consumer report to a user. See supra 
n.1.
    \6\ Pub. L. No. 108-159 Sec. 112; FCRA Sec. 605A; 15 U.S.C. Sec. 
1681c-1.
    \7\ Under the FACT Act, the term ``identity theft report'' 
is to be defined by Commission rulemaking (see Related Identity Theft 
Definitions, Duration of Active Duty Alerts, and Appropriate Proof of 
Identity Under the Fair Credit Reporting Act: Notice of Proposed 
Rulemaking and Request for Comment, 69 Fed. Reg. 23370, 23372 (Apr. 28, 
2004)), and means, ``at a minimum, a report that alleges an identity 
theft, is a copy of an official, valid report filed by the consumer 
with an appropriate Federal, state, or local law enforcement agency . . 
. the filing of which subjects the person filing the report to criminal 
penalties . . .'' Pub. L. No. 108-159 Sec. 112; FCRA Sec. 603(q)(4); 15 
U.S.C. Sec. 1681a(q)(4).