[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
SECURING CONSUMERS' DATA: OPTIONS FOLLOWING SECURITY BREACHES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE, AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
MAY 11, 2005
__________
Serial No. 109-14
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/house
______
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2005
21-635PDF
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
JOE BARTON, Texas, Chairman
RALPH M. HALL, Texas
MICHAEL BILIRAKIS, Florida, Vice Chairman
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. ``CHIP'' PICKERING, Mississippi, Vice Chairman
VITO FOSSELLA, New York
ROY BLUNT, Missouri
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
C.L. ``BUTCH'' OTTER, Idaho
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee

JOHN D. DINGELL, Michigan, Ranking Member
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MIKE DOYLE, Pennsylvania
TOM ALLEN, Maine
JIM DAVIS, Florida
JAN SCHAKOWSKY, Illinois
HILDA L. SOLIS, California
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
Bud Albright, Staff Director
David Cavicke, Deputy Staff Director and General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
FRED UPTON, Michigan
NATHAN DEAL, Georgia
BARBARA CUBIN, Wyoming
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
C.L. ``BUTCH'' OTTER, Idaho
SUE MYRICK, North Carolina
TIM MURPHY, Pennsylvania
MARSHA BLACKBURN, Tennessee
JOE BARTON, Texas (Ex Officio)

JAN SCHAKOWSKY, Illinois, Ranking Member
MIKE ROSS, Arkansas
EDWARD J. MARKEY, Massachusetts
EDOLPHUS TOWNS, New York
SHERROD BROWN, Ohio
BOBBY L. RUSH, Illinois
GENE GREEN, Texas
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
JIM DAVIS, Florida
CHARLES A. GONZALEZ, Texas
TAMMY BALDWIN, Wisconsin
JOHN D. DINGELL, Michigan (Ex Officio)
C O N T E N T S
__________
Page
Testimony of:
Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation ........ 12
Buege, Steve, Senior Vice President, Business Information, News and Public Records, North American Legal ........ 18
Burton, Daniel, Vice President of Government Affairs, Entrust, Inc. ........ 25
Ireland, Oliver I., Partner, Financial Services Practice Group, Morrison and Foerster, LLP, on Behalf of Visa USA ........ 22
Solove, Daniel J., Associate Professor of Law, George Washington University Law School ........ 31
Additional material submitted for the record:
ARMA International, prepared statement of ........ 51
Hillebrand, Gail, Senior Attorney, Consumers Union, prepared statement of ........ 53
SECURING CONSUMERS' DATA: OPTIONS FOLLOWING SECURITY BREACHES
----------
WEDNESDAY, MAY 11, 2005
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 11:05 a.m., in
room 2123 of the Rayburn House Office Building, Hon. Cliff
Stearns (chairman) presiding.
Members present: Representatives Stearns, Upton, Cubin,
Radanovich, Bass, Pitts, Bono, Terry, Rogers, Myrick, Murphy,
Blackburn, Barton (ex officio), Schakowsky, Ross, Markey, and
Baldwin.
Staff present: David Cavicke, chief counsel; Chris Leahy,
policy coordinator; Will Carty, professional staff; Larry Neal,
deputy staff director; Billy Harvard, clerk; Kevin Schweers,
communications director; Lisa Miller, press secretary; Consuela
Washington, minority counsel; Turney Hall, staff assistant; and
Alec Gerlach, staff assistant.
Mr. Stearns. Good morning. The subcommittee will come to
order. My colleagues, today we continue the subcommittee's
examination of consumer data security and identity theft. As
all of us are keenly aware, our important work is set against
the backdrop of almost daily reports of consumer data, security
breaches at data brokers, retailers, banks, universities, and
the list, of course, goes on. It seems like every corner of our
economy has been touched. Understandably, the public is
worried. The reported breaches involve everything from
elaborate high-tech hacker attacks to simply theft of physical
consumer data that had been poorly secured in the first place.
The consumer impact of these breaches has been just as
varied. Some cases never result in identity theft or financial
loss, while others affect significant consumer populations,
with some estimates of those affected ballooning past initial
numbers as further investigations reveal even larger cracks in
the digital infrastructure.
And while our initial assessment of the extent of this
problem for consumers and businesses is still a bit fuzzy, the
cracks and vulnerabilities are becoming more apparent to the
committee and to the public. Questions are starting to be
raised about the inherent security of a large segment of the
commercial marketplace. This should concern all of us. The
committee understands this concern, and to address it, there
are a number of issues that need careful examination.
First, we must ensure that existing Federal law does not
leave open ways for certain entities to skirt the objectives of
the primary laws governing such areas, including the Fair
Credit Reporting Act and the Gramm-Leach-Bliley.
Second, if we determine that existing law is inadequate, we
need to get a clearer and more accurate assessment of the scope
of the problem across all sectors, assess the current legal
tools we have to attack it, and weigh the need for additional
regulation and other approaches. Other non-regulatory
approaches could include applying good old American
technological ingenuity to buttress current consumer data
security regulations.
Throughout this series of hearings, we have heard from a
number of experts that data security breaches go hand in hand
with identity theft, a phenomenon that keeps getting larger and
more insidious. The numbers are sobering. At our March hearing,
the FTC testified that over 10 million people were victims of
identity theft during the 1-year period of its latest survey.
The FTC estimated that this figure translates into loss of
nearly $48 billion for businesses, almost $5 billion for
consumers, and close to 300 million hours spent by those
individuals and businesses trying to resolve the problems just
generated by these crimes.
We cannot allow our consumer economy to be undermined by
these criminals. Consumers, businesses, and the public sector
need to strengthen defenses collectively. The reality is that
the bad guys will always be around. It is up to us as
consumers, businesses, and public institutions to make sure
that our data is locked down and is accounted for. The best
offense to combat identity theft is simple prevention coupled
with an assurance that entities dealing in consumer data adhere
to consistent and comprehensive security standards with a bite.
The accessibility and portability of consumer data in an
information-driven market has made controlling who has access
to what more difficult than ever. Consumer data breaches and, as
a result, identity theft continue to grow and affect broader
commercial activity at all levels, not just a specific industry
or a specific sector.
Consumer data in our modern markets has become a commodity.
It is bought and sold. It is processed and analyzed. And it is
now an integral ingredient in disciplines as varied as finance,
demographics, research, direct marketing, academic study, and
law enforcement. I believe the majority of these activities
improve our lives and well-being. They make us more productive,
allow a higher standard of living, and afford us better
personal and national security, particularly in a post-9/11
world.
What is lacking, my colleagues, however, is a safeguard
system in which our personal data is shielded by a robust
security no matter where it goes or whoever possesses it. We
need to examine approaches that enable robust security measures
to surround personal data as it speeds through commerce.
I think this is where advanced technology can play a larger
role in helping reduce the incidence of identity theft.
Technologies like sophisticated encryption techniques, advanced
password authentication systems, as well as better and more
widespread use of advanced data security software all can play
an important role in improving our defenses. Technology can
also be used to facilitate more uniform best practices in
affected sectors that deal in consumer data.
Let me be clear. I do believe that additional measures are
necessary, but for those still undecided, this hearing and the
proceedings should provide a great deal of information to help
everyone make a judgment call here. I think it is a fair thing
to say that one thing is certain--criminals cannot be allowed
to capitalize on another high-tech nefarious business model to
steal and defraud American consumers, businesses, and public
institutions. We have seen this happen with spyware and spam.
It can't be allowed to happen here.
Therefore, our focus needs to be on first, clearly
identifying what is not working before we act on a national
scale. But with each new breach we are losing more valuable
time to put an end to a new breed of professional cyber
criminals and the inappropriate and illegal activities that are
slowly corroding consumer confidence in the integrity of
information-driven commerce and technology.
I would like to thank our distinguished panel for being
here this morning and for joining us today, and we look forward
to your testimony. With that, the ranking member, Ms.
Schakowsky.
[The prepared statement of Hon. Cliff Stearns follows:]
Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on
Commerce, Trade, and Consumer Protection
Good Morning. Today, we continue the Subcommittee's examination of
consumer data security and identity theft. As all of us are keenly
aware, our important work is set against the backdrop of almost daily
reports of consumer data security breaches at data brokers, retailers,
banks, universities--and the list goes on. It seems like every corner
of our economy has been touched. Understandably, the public is worried.
The reported breaches involve everything from elaborate high-tech
hacker attacks to simply theft of physical consumer data that had been
poorly secured. The consumer impact of these breaches has been just as
varied. Some cases never result in identity theft or financial loss
while others affect significant consumer populations, with some
estimates of those affected ballooning past initial numbers as further
investigation reveals even bigger cracks in the digital infrastructure.
And while our initial assessment of the extent of this problem for
consumers and businesses is still a bit fuzzy, the cracks and
vulnerabilities are becoming more apparent to the Committee and to the
public. Questions are starting to be raised about the inherent security
of a large segment of the commercial marketplace. This should concern
us all.
The Committee understands this concern. And to address it, there
are a number of issues that need careful examination. First, we must
ensure that existing federal law is not leaving open ways for certain
entities to skirt the objectives of the primary laws governing this
area, including the Fair Credit Reporting Act and Gramm-Leach-Bliley.
Second, if we determine that existing law is inadequate, we need to get
a clearer and more accurate assessment of the scope of the problem
across all sectors, assess the current legal tools we have to attack
it, and weigh the need for additional regulation and other approaches.
Other non-regulatory approaches could include applying good old
American technological ingenuity to buttress current consumer data
security regulations.
Throughout this series of hearings we have heard from a number of
experts that data security breaches go hand in hand with identity
theft--a phenomenon that keeps getting bigger and more insidious. The
numbers are sobering. At our March hearing, the FTC testified that over
10 million people were victims of identity theft during the one-year
period of its latest survey. The FTC estimated that this figure
translates into losses of nearly $48 billion for businesses, almost $5
billion for consumers, and close to 300 million hours spent by those
individuals and businesses trying to resolve the problems generated by
these crimes. We cannot allow our consumer economy to be undermined by
these criminals. Consumers, business, and the public sector need to
strengthen defenses collectively. The reality is that the bad guys will
always be around. It is up to us as consumers, businesses, and public
institutions to make sure that our data is locked down and accounted
for. The best offense to combat identity theft is simple prevention
coupled with an assurance that entities dealing in consumer data adhere
to consistent and comprehensive security standards with bite.
The accessibility and portability of consumer data in an
information-driven market has made controlling who has access to what
more difficult than ever. Consumer data breaches and resultant identity
theft continues to grow and affect broader commercial activity at all
levels, not just a specific industry or sector. Consumer data in our
modern markets has become a commodity. It is bought and sold. It is
processed and analyzed. And it is now an integral ingredient in
disciplines as varied as finance, demographic research, direct
marketing, academic study, and law enforcement. I believe that the
majority of these activities improve our lives and wellbeing. They make
us more productive, allow higher standards of living, and afford us
better personal and national security, particularly in a post 9/11
world. What is lacking, however, is a safeguard system in which our
personal data is shielded by robust security no matter where it goes or
who possesses it. We need to examine approaches that enable robust
security measures to surround personal data as it speeds through
commerce.
I think this is where advanced technology can play a larger role in
helping reduce the incidence of identity theft. Technologies like
sophisticated encryption techniques, advanced password authentication
systems, as well as better and more widespread use of advanced data
security software all can play an important role in improving our
defenses. Technology can also be used to facilitate more uniform best
practices in affected sectors that deal in consumer data.
Let me be clear, I do believe that additional measures are
necessary. But for those still undecided, this hearing and the
preceding ones should provide a great deal of information to make a
judgment. I think it's fair to say that one thing is certain--criminals
cannot be allowed to capitalize on another high-tech, nefarious
business model to steal and defraud American consumers, business, and
public institutions. We've seen that happen with spyware and spam. It
can't be allowed to happen here. Therefore, our focus needs to be on
first clearly identifying what is not working before we act on a
national scale. But with each new breach, we are losing more valuable
time to put an end to a new breed of professional cyber-criminal and
the inappropriate and illegal activities that are slowly corroding
consumer confidence in the integrity of information-driven commerce and
technology.
I would like to thank our distinguished panel of witnesses for
joining us today. We look forward to your testimony. Thank you.
Ms. Schakowsky. Once again I want to thank you, Chairman
Stearns, for holding a hearing on how we can further protect
consumers from the stealing of their most personal information.
We need to close the canyon-size gaps in the law that are
putting consumers and their sensitive, private information at
serious risk of invasion--identity theft and other crimes.
I look forward to hearing from our witnesses today about
their ideas of what we can do, and I look forward to working
with you, Chairman Stearns and Chairman Barton and Ranking
Member Dingell and Representative Markey and others, on
legislation to restore consumers' control of private
information.
The Privacy Rights Clearinghouse has been keeping an
ongoing tally of data breaches revealed since news first broke
on the ChoicePoint incident. In the past 3 months alone we have
learned that approximately 4,736,400 individuals have had their
personally identifiable information compromised. Again, that is
in just months. And those are the cases about which we know.
The means of access are varied. Computers have been hacked
and stolen, backup tapes lost, passwords compromised,
information exposed online, and fake businesses established.
And it has not just been the data brokers' stockpiles that have
been raided. University stores, banks, and government offices
have seen their data bases breached and their students, alumni,
customers, and constituencies exposed. If there is personal
information to be had, there are criminals out to get it from
anyplace and in any way they can.
From the recent wave of breaches we know data insecurity is
endemic, and it is time for us to close whatever loopholes
there are in privacy laws to ensure that consumers are not
stuck with the short end of the stick as they are now. We need
to address privacy and data security with comprehensive
legislation governing the handling and use of personal and
consumer information. I believe we should explore the
possibility of giving consumers the power to lock up their
information, making it available only when consumers give
affirmative consent. We should also look into giving consumers
the opportunity to inspect their information, and if it is not
accurate, then a chance to correct it. We should also place a
heightened responsibility on record keepers to ensure that they
are truthfully representing consumers. And we should give
victims of lost or stolen information a place to turn, like an
office of an ombudsman in order to help them through repairing
whatever damage has been done by their information being
compromised. We also need to explore the government's use of
information compiled by data brokers to make sure that Big
Brother is not handing the binoculars to Big Business in order
to skirt the Privacy Act.
Inaccuracies can cost people their jobs, insurance, the
right to vote, good credit histories, or even their lives. I
believe that if consumers have the tools, resources, and the
rights to protect their personal information, and if companies
were held to a higher standard of accountability, we would not
have 4.7 million letters being sent out over 3 months warning
consumers that their information could be in the hands of
criminals.
We need to keep in mind that perhaps the only reason we
know about these breaches is because of tough State laws like
California's that made sure these breaches were reported. If
those companies with security breaches had to comply only with
Federal legislation, there is a good chance we would be hearing
from more and more identity theft victims and have no idea what
was going on to cause the potential upsurge.
When we craft the legislation to contend with data
insecurity, we need to provide a floor and not a ceiling for
how personal information is handled and protected. Let the
States pressure us to do better instead of us limiting what
they can do.
Again, Chairman Stearns, I look forward to working with you
and the other members of our committee to do what we can to
protect consumers. I thank you.
Mr. Stearns. I thank the gentlelady. The gentlelady from
California, Ms. Bono.
Ms. Bono. Thank you, Mr. Chairman. I just would like to
thank you for holding this hearing, but I will waive an opening
statement.
Mr. Stearns. The gentlelady waives. Mr. Ross, is he here?
Ms. Baldwin? No. The gentlelady waives. Mr. Pitts, gentleman--
waive. Mr. Markey?
Mr. Markey. Thank you, Mr. Chairman, very much. Mr.
Chairman, in ``Bonfire of the Vanities'' the novelist Tom Wolfe
wrote about ``the Bororo Indians, a primitive jungle tribe who
live along the Vermelho River in the Amazon Jungles of
Brazil.'' According to Wolfe, the Bororos believed that ``there
is no such thing as a private self.'' Instead, they ``regard
the mind as an open cavity, like a cave or a tunnel or an
arcade, if you will, in which the entire village dwells and the
jungle grows.'' Wolfe compared this to the situation faced by
someone in the middle of a public scandal in the last quarter
of the 20th century, when he suggested ``one's self--or what
one takes to be oneself--is not a mere cavity open to the
outside world but has suddenly become an amusement park to
which everybody, todo el mundo, tout le monde, comes
scampering, skipping and screaming, nerves a-tingle, loins
aflame, ready for anything, all you have got, laughs, tears,
moans, giddy thrills, gasps, horrors, whatever, the gorier the
merrier.''
In the 21st Century, Mr. Chairman, we now face the prospect
of a world in which all of us--not just the Sherman McCoys caught
in the midst of scandal--will be forced to live without a
private self: with the entire ``village'' able to obtain access
to some of the most personal aspects of our lives.
In the emerging surveillance society of the 21st Century,
the Bororo Indians seeking to inhabit our private selves are
the data mining and information brokerage firms. These
companies are collecting and selling a vast array of personal
information about the American public. For a fee, these
companies will tell you someone's Social Security number, their
address, phone number, driver's license number, driving record,
any criminal record information, court records, insurance
claims, divorce records, and even credit and financial
information.
Recent press reports have chronicled the adverse privacy
consequences of this phenomenon, as we have seen company after
company acknowledging that the security and confidentiality of
the personal information it holds about American citizens has
been compromised. Each week the list of companies who have
suffered data security breaches or acknowledged lax practices
with respect to access to sensitive personal data has grown
longer and longer.
I have introduced three bills aimed at addressing the
current threats to personal privacy. My first bill, the
Information Protection and Security Act, would subject
information brokers to regulation by the Federal Trade
Commission, and specifically to a set of new, fair information
practice rules that the FTC would be required to issue within 6
months of enactment.
The FTC rules would address the security of information
held by information brokers, the right of consumers to obtain
access to incorrect information held by the broker, the
responsibility of the broker to protect the information from
unauthorized users or from users seeking the information for
impermissible and unlawful purposes. The bill also provides the
enforcement of the bill's substantive provisions by the FTC,
the State Attorney General, and a private right of action.
My second bill would generally restrict the purchase and
sale of Social Security numbers. And my third bill would allow
consumers to block a company from transferring their personal
information to entities located in countries that fail to
provide adequate and enforceable privacy protection.
In other words, the outsourcing of privacy to countries
like India and Pakistan that do not have privacy laws in
conformance with the EU or with the United States of America.
Our x-rays should not be going to be read in countries that do
not have the same privacy laws which we have. Our tax records
should not be going there, our financial records should not be
going there, our health records should not be going there.
These are personal records that go to the very identity of us as
Americans and as a people. I thank you, Mr. Chairman, for
having this very important hearing.
[The prepared statement of Hon. Edward J. Markey follows:]
Prepared Statement of Hon. Edward J. Markey, a Representative in
Congress from the State of Massachusetts
Thank you, Mr. Chairman.
In Bonfire of the Vanities, the novelist Tom Wolfe wrote about
``The Bororo Indians, a primitive jungle tribe who live along the
Vermelho River in the Amazon Jungles of Brazil.'' According to Wolfe,
the Bororos believed that ``there is no such thing as a private self.''
Instead, they ``regard the mind as an open cavity, like a cave or a
tunnel or an arcade, if you will, in which the entire village dwells
and the jungle grows.'' Wolfe compared this to the situation faced by
someone in the middle of a public scandal in the last quarter of the
20th century--when, he suggested:
``. . . one's self--or what one takes to be one's self--is not
a mere cavity open to the outside world but has suddenly become
an amusement park to which everybody, todo el mundo, tout le
monde, comes scampering, skipping and screaming, nerves a-
tingle, loins aflame, ready for anything, all you've got,
laughs, tears, moans, giddy thrills, gasps, horrors, whatever,
the gorier the merrier.''
In the 21st Century, we now face the prospect of a world in which
all of us--not just the Sherman McCoys caught in the midst of scandal--
will be forced to live without a private self--with the entire
``village'' able to obtain access to some of the most personal aspects
of our lives.
In the emerging surveillance society of the 21st Century, the
Bororo Indians seeking to inhabit our private selves are the data
mining and information brokerage firms. These companies are collecting
and selling a vast array of personal information about the American
public. For a fee, these companies will tell you someone's Social
Security Number, their address, phone number, driver's license number,
driving record, any criminal record information, court records,
insurance claims, divorce records, and even credit and financial
information.
Recent press reports have chronicled the adverse privacy
consequences of this phenomenon, as we have seen company after company
acknowledging that the security and confidentiality of the personal
information it holds about American citizens has been compromised. Each
week, the list of companies who have suffered data security breaches,
or acknowledged lax practices with respect to access to sensitive
personal data, has grown longer and longer.
I have introduced three bills aimed at addressing the current
threats to personal privacy. My first bill, the ``Information
Protection and Security Act,'' would subject information brokers to
regulation by the Federal Trade Commission, and specifically, to a set
of new fair information practice rules that the FTC would be required
to issue within 6 months of enactment. The FTC rules would address the
security of information held by information brokers, the right of
consumers to obtain access to and correct information held by the
broker, the responsibility of the broker to protect the information
from unauthorized users, or from users seeking the information for
impermissible or unlawful purposes. The bill also provides for
enforcement of the bill's substantive provisions by the FTC, the State
Attorneys General, and a private right of action.
My second bill, H.R. 1078, would generally restrict the purchase or
sale of Social Security numbers, which have become a ubiquitous personal
identifier used by corporations and identity thieves to access
sensitive personal information.
My third bill, H.R. 1653, would allow consumers to block a company
from transferring their personal information to entities located in
countries that fail to provide adequate and enforceable privacy
protections.
All three of these bills have been referred to this Subcommittee,
and I look forward to hearing the testimony of the witnesses at this
morning's hearing, and to discussing the proposals set forth in these
bills with them.
Mr. Stearns. I thank my colleague for a very thoughtful
opening statement. And we are going to Mr. Terry. Mr. Terry
waives. Ms. Cubin.
Ms. Cubin. Thank you, Mr. Chairman, and thank you for
holding this timely hearing. It is especially timely for me. I
also want to thank the witnesses who are here today and who have
joined us to help guide us, hopefully, in shaping future
legislation regarding personal data security.
Throughout my tenure on this subcommittee we have
continuously addressed issues regarding privacy protection and
the ability of third parties to access and distribute
personally identifiable information. Though there are most
certainly valid and necessary uses of personal data collection,
recent breaches of seemingly secure data have demonstrated that
there are just as many opportunities for criminal use of this
information.
Identity theft, as we all know, is a whole new realm of
crime, and America does not currently have the proper legal
tools to prevent it, rectify it, or mitigate it. ID theft can
invade people's homes, bank accounts, financial assets, often
undetected. This can be devastating to victims and Congress
must determine the best course of action to keep this from
happening.
As I said, I think this hearing is timely because just on
Monday of this week I was notified that I was one of over
96,000 people in one incident and one of 1.4 million people in
another affected by an identity theft incident. According to a
letter that I received from the companies to notify me of this
breach, stolen personal information included bank account
numbers and driver's license numbers and other information
that's provided on checks. While I was lucky enough I think--I
am not sure at this point--that my Social Security number
wasn't stolen and that my address wasn't stolen, millions of
Americans aren't that lucky--if you want to call my situation
lucky.
Financial institutions whose systems have been breached
have an immediate responsibility to notify victims as well as
to provide an explanation of the breach of the security system,
which did happen with me. Once again I thank--I hope that I was
notified of everything. I am hopeful that today's hearing will
outline what other further steps must be taken to assist us in
identifying victims and rectifying fraudulent bank transactions
and correcting inaccurate file information for future
dissemination.
I hope this subcommittee will continue to examine this
issue in the light of the need for harsher punishment for both
data thieves and commercial entities who forfeit personal
information, albeit unintentionally.
I thank the chairman and I yield back the balance of my
time.
[The prepared statement of Hon. Barbara Cubin follows:]
Prepared Statement of Hon. Barbara Cubin, a Representative in Congress
from the State of Wyoming
Thank you, Mr. Chairman, for holding this timely hearing.
I would also like to thank the witnesses who have joined us here
today. As we found during the previous hearing, the current laws
governing data security are very complex. I anticipate an open dialogue
with the panel of witnesses to help guide Members of the Subcommittee
in shaping future legislation regarding personal data security.
Throughout my tenure on this subcommittee, we have continuously
addressed issues relating to privacy protection and the ability of
third parties to access and distribute personally identifiable
information. Though there are most certainly valid and necessary uses
of personal data collection, recent breaches of seemingly secure data
have demonstrated that there are just as many opportunities for
criminal use of this information. Identity theft is a whole new realm
of crime, and America does not currently have the proper legal tools to
prevent, rectify or mitigate it. ID theft can invade people's homes,
bank accounts, and financial assets, often undetected. This can be
devastating to victims, and Congress must determine the best course of
action to halt this crime.
I myself have just recently been notified that I was one of over
1.4 million people affected by the DSW identity theft incident.
According to the letter DSW sent to notify me of this breach, stolen
personal information included bank account and driver's license numbers
provided on checks. While the stolen information did not include names,
addresses, or Social Security numbers, millions of Americans affected
in other data theft incidents have not been so lucky. It is crucial we
call attention to the need for consumers to have proper recourse.
Financial institutions whose systems have been breached have an
immediate responsibility to notify victims, as well as provide an
explanation of the nature of the system's breach. I am hopeful today's
hearing will outline what further steps must be taken to assist
identity theft victims in rectifying fraudulent bank transactions and
correcting inaccurate file information for future dissemination.
I hope the subcommittee will continue to examine this issue in
light of the need for harsher punishment for both data thieves and the
commercial entities who forfeit personal information, albeit
unintentionally. I thank the chairman, and I yield back the balance of
my time.
Mr. Stearns. I thank the gentlelady, and it is very
appropriate that you bring to our attention that letter. And I
thank you very much, and I think that lends credence to why we
are attempting to grapple with this problem to come up with a
solution. Mr. Radanovich? The gentleman waives. Ms. Myrick?
Ms. Myrick. I waive also.
Mr. Stearns. Okay. I think everybody has completed their
opportunity for an opening statement. We move now to our
witness list. And we welcome them. Before I start, Mr. Ross
would like to make an introduction. Mr. Ross.
Mr. Ross. Thank you, Mr. Chairman and Ranking Member
Schakowsky for having this important hearing today to address
the issue of protecting consumers' data. I am pleased that we
have Jennifer Barrett to testify from Acxiom, which is located
in my home State of Arkansas.
Since it was founded in 1969, Acxiom has used technology
and consumer data to help some of the largest, most respected
companies in the world improve their business results. Acxiom
is based in Little Rock, Arkansas and employs more than 6,300
people in eight countries with an annual revenue of about $1.2
billion.
Jennifer Barrett is the chief privacy officer of Acxiom
Corporation and is one of the world's leading authorities on
information practices and policies and their impact on
consumers, commerce, and the global economy. Jennifer has been
with Acxiom almost since its inception after earning a degree
in computer science and mathematics from the University of
Texas, which those of us in Arkansas do not hold against her.
She has worked at almost every facet of the company. In the
early 1990's she became one of the first executives in any
industry to become what is now commonly referred to as a chief
privacy officer, assigned to help her company and its clients
achieve the critical balance of protecting consumer privacy
while preserving the benefits of this new information age.
Jennifer is now sought out by leading companies, international
business leaders, lawmakers, regulators, and many others for
her counsel and views on the responsible uses of data. She has
appeared many times before committees and forums here in
Washington, and we appreciate her again offering her insights
to us today. So I would like to thank you, and I look forward
to the testimony from Mrs. Barrett as well as the other
witnesses on the panel today and the questions from the members
here as well.
Mr. Stearns. I thank my colleague.
[Additional statements submitted for the record follow:]
Prepared Statement of Hon. George Radanovich, a Representative in
Congress from the State of California
Mr. Chairman, I would like to thank you for holding this important
hearing today on securing consumers' data.
With recent reports from the Federal Trade Commission's study
survey indicating that over 10 million people were victims of identity
theft during a one year period and estimates that translate into $48
billion loss for businesses and $5 billion loss for consumers, I
believe it is evident that the time is right for Congress to determine
what needs to be done to protect our constituents from these thieves.
I am happy to report that California has been one of the most
active state governments in regulating data security. In 2002
California passed a consumer security breach notification law that
requires any state agency, or any person or business that owns or
licenses computerized data that includes personal information to
disclose any breach of security of the data to any resident of that
state whose unencrypted information was, or is reasonably believed to
have been, acquired by an unauthorized person. In addition to
California I would like to commend the states of Georgia, Texas and
Illinois who are considering similar legislation.
As we hear from our witnesses today, it is important to determine if
the current federal laws are sufficient to protect the data security of
consumers and if technologies exist that could aid in protecting
sensitive consumer data and prevent unauthorized access to computerized
databases.
Recent reports of data security breaches by data brokers, financial
institutions, and retailers have raised questions about the sufficiency
of current laws to protect consumer information from identity theft.
During the Subcommittee's March hearing on issues related to the
Choicepoint breach, the FTC testified that the results of a recent FTC
study indicated that over 10 million people were victims of identity
theft during the one year period the study's survey covered. The FTC
estimates that the losses translate into $48 billion for businesses and
$5 billion to consumers.
While there are Federal laws that provide standards for disclosure
of consumer information and require certain entities to take steps to
safeguard consumer information, there is NO comprehensive Federal law
dealing with data security that governs ALL uses of consumer data.
There are two main bodies of Federal law that deal with privacy and
data security related to certain types of entities and certain uses of
information: The Fair Credit Reporting Act and the Gramm-Leach-Bliley
Act; however the universe of entities to which these bodies of law
apply is limited.
Several other states have passed or are considering similar
legislation, including GA, TX, and IL. A number of federal bills
introduced in this Congress are modeled after the CA statute.
The social security number was created to identify each U.S.
citizen for the sole purpose of tracking employment and benefits;
however, over time our social security number has been used by both
public and private entities for purposes both related and unrelated to
the social security program. The usage of this unique identifier has
benefited both businesses and consumers, but unfortunately it has led
to misuse and most importantly identity theft.
The FTC has reported that over 10 million people were victims of
identity theft in one year and they estimate that this translates into
upwards of a $48 billion loss for businesses and $5 billion loss for
consumers, but a price tag cannot be put on the loss of one's
identity.
I look forward to hearing our witnesses' testimony today. Hopefully this
will help us determine if our current laws are adequate enough to
protect the integrity of our social security numbers and if not, what
we need to do to protect them.
______
Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy
and Commerce
Thank you Mr. Chairman for holding this hearing today. I have spent
considerable time focusing on information security issues such as the
spyware legislation that this Committee passed unanimously. I'm
confident that that bill will be received favorably by the full House
as well. Our Committee's work on these issues will continue in earnest,
particularly in light of the alarming and ever-growing list of data
security breaches recently.
Nothing seems safe. In recent months, we have learned about the
loss of personally identifiable information--even including Social
Security numbers--from ChoicePoint, LexisNexis, Blockbuster, as well as
a company called RuffaloCODY that manages information systems for a
number of colleges and universities. Most recently, data tapes
belonging to Time Warner were stolen from a storage company called Iron
Mountain--a company, I might add, that also stores some sensitive
information for the Congress. I suspect that there are more thefts of
this nature about which we have not yet learned.
This is simply unacceptable.
In the Internet age, personal information can be accessed in any
number of ways and from any number of outlets. To not guard it closely
is to open the door to thieves. Sensitive personal information must be
secure, and companies that legally gather and distribute this
information need to be held accountable if they do not take reasonable
steps to ensure that security.
The recent breaches have focused our attention on ``data brokers''
who compile public and non-public information in ways that seem
downright Orwellian. They can share it, rent it, and sell it.
Constraints on these companies and their practices are few and thin.
Some of these companies provide an important service for individuals
trying to protect their families or investments, as well as for the
government trying to protect us all. It is essential that only those
who have an appropriate, legitimate reason for having access to such
information are allowed to view it. Those who provide this access must
be responsible for verifying both the legitimacy of the business or
person inquiring, as well as the appropriateness of their reason for
doing so. Of course, other entities such as credit card companies,
department stores--even the video store, as I mentioned--have sensitive
information as well. They must be similarly responsible with the data,
and take vigorous steps to protect it.
Congress has not laid out a comprehensive framework for data
security and data brokers, and it is clear that we need to act. This
Committee must take the lead in developing appropriate safeguards for
consumer information, and we will proceed to that end on a bipartisan
basis. I am glad that Chairman Stearns has put together a diverse panel
to discuss this topic, and to explore options for how we as
policymakers can help address the concerns of the American public.
With that, I would like to welcome the witnesses and thank them for
their participation. I am very interested to hear what these companies
and their industries are doing to help prevent identity theft, and the
misuse of personal information in general.
Thank you, and I yield back the balance of my time.
______
Prepared Statement of Hon. Ed Towns, a Representative in Congress from
the State of New York
Thank you Mr. Chairman for holding this important hearing. Since we
last met, the privacy of our constituents has been compromised further
and their worries have increased ten-fold. I was encouraged by the
feedback that we received in our hearing this past March, but there is
much more work to be done.
I was pleased to learn that banks and credit card companies are
detecting fraud at a quicker rate and successfully shutting down
information-sharing websites before identity theft becomes more rampant
and uncontrollable. While I understand that stolen or lost credit cards
still account for the largest losses to consumers, the danger these on-
line thieves pose must be confronted and dealt with.
According to an article in Monday's Wall Street Journal, the Anti-
Phishing Working Group says 2,870 active phishing sites were reported
in March alone, and that since last July such sites have increased 28%
a month. The article goes on to state that about 980,000 American
consumers had encountered identity-theft fraud via phishing in the
prior year, costing banks and credit card issuers more than $1.2
billion in direct losses.
I have had a long-standing interest in protecting consumers'
privacy. I first began advocating for safeguarding medical records when
I found my own records in a public trash bin following a doctor's
appointment. In response, I introduced a bill protecting the privacy
rights of insurance claimants, which became part of HIPAA.
Since last Congress, I have been working with my colleague,
Congresswoman Mary Bono, to protect consumers' privacy on the internet
from Spyware. Our committee passed this bill last week and I am hopeful
that we can send it to the President's desk before the end of this
year.
I look forward to hearing from our witnesses about what went wrong
in these recent cases and how we can better protect consumers.
Thank you Mr. Chairman. I yield back the balance of my time.
Mr. Stearns. We want to welcome Ms. Barrett of Acxiom
Corporation; also Mr. Steve Buege, Senior Vice President of
Business Information, News and Public Records, North American
Legal; Thomson West; Mr. Oliver Ireland, Partner, Financial
Services Practice Group, Morrison and Foerster; on behalf of
Visa U.S.A., Mr. Daniel Burton, Vice President of Government
Affairs, Entrust, Incorporated, McLean, Virginia; and Mr.
Daniel Solove, Associate Professor of Law at George Washington
University Law School. I thank all of you for attending this
morning. And, Ms. Barrett, we will start with you for your
opening statement.
STATEMENTS OF JENNIFER BARRETT, CHIEF PRIVACY OFFICER, ACXIOM
CORPORATION; STEVE BUEGE, SENIOR VICE PRESIDENT, BUSINESS
INFORMATION, NEWS AND PUBLIC RECORDS, NORTH AMERICAN LEGAL;
OLIVER I. IRELAND, PARTNER, FINANCIAL SERVICES PRACTICE GROUP,
MORRISON AND FOERSTER, LLP, ON BEHALF OF VISA USA; DANIEL
BURTON, VICE PRESIDENT OF GOVERNMENT AFFAIRS, ENTRUST, INC.;
AND DANIEL J. SOLOVE, ASSOCIATE PROFESSOR OF LAW, GEORGE
WASHINGTON UNIVERSITY LAW SCHOOL
Ms. Barrett. Thank you, Chairman Stearns, Ranking Member
Schakowsky, Congressman Ross, and distinguished members of this
committee. I thank you for the opportunity for Acxiom to
participate in this hearing, and I ask for unanimous consent
that my written statement be entered in the record.
Mr. Stearns. By unanimous consent, so ordered.
Ms. Barrett. Mr. Chairman, let me be blunt. The bad guys
are smart and they are getting better organized in using their
skills to intelligently but illegally and fraudulently access
personal information. Acxiom must therefore remain more
vigilant and innovative by constantly improving, auditing, and
testing our systems, and yes, even learning from the security
breaches in the marketplace.
Information is an integral part of the American economy,
and Acxiom recognizes its responsibility to safeguard the
personal information it collects and brings to the market. As
FTC Chairman Majoras recently stated in her testimony both
before the Senate and the House, ``There is no such thing as
perfect security.'' And breaches can happen even when a company
has taken every reasonable precaution. Although we believe this
to be true, no one has a greater interest than Acxiom in
protecting its information because our very existence depends
on it.
Acxiom's U.S. business includes two distinct components:
our customized computer services and a line of information
products. Our computer services, which represent more than 80
percent of the company's business, help businesses, not-for-
profit organizations, political parties, and government manage
their own information. Less than 20 percent of our business
comes from our four lines of products involving information--
our fraud management products, our background screening
products, our directory products, and our marketing products.
Our fraud management and background screening products are the
only Acxiom products containing sensitive information, and they
represent less than 10 percent of our business.
Acxiom would like to take this opportunity to set the
record straight in response to a couple of misunderstandings
that have developed about the company. First, Acxiom does not
maintain one big data base containing dossiers on anyone.
Instead, we build and maintain discrete, segregated data bases
for each and every product.
Second, Acxiom does not co-mingle client information that
comes from the services we provide to our clients with their
information products, which we are responsible for. Such
activity would constitute a violation of our contracts and
consumer privacy.
Third, Acxiom's fraud management products are sold only to
a handful of large companies and government agencies who have a
legitimate need for them. The information utilized in these
products is covered under the safeguards and use rules of the
Gramm-Leach-Bliley Act and both State and Federal driver
privacy protection laws.
Fourth, Acxiom's fraud management verification services
only validate information already in our client's possession.
Access to additional information is available only to law
enforcement and the internal fraud departments of large
financial institutions and insurance companies.
Fifth, our background screening products are covered under
the Fair Credit Reporting Act, and we do not pre-aggregate
information provided in these services.
Beyond these protections, the following additional
safeguards exist: first, because public record information is
blended with regulated information in both our fraud management
and our background screening products, Acxiom voluntarily
applies the more stringent security standards to all such
blended data, even though not required to by law. Since 1997
Acxiom has posted a privacy policy on our website describing
both our online and all our offline practices, thus voluntarily
subjecting the company to the FTC rules governing unfair or
deceptive practices. Third, the company has imposed our own
internal, more restrictive guidelines for use of sensitive
information such as Social Security numbers. And fourth, all of
Acxiom's information products and practices have been audited
on an annual basis since 1997, and our security policies are
regularly audited both by ourselves, as well as by many of our
clients.
Two years ago Acxiom experienced a security breach on one
of the external file transfer servers used to transfer
information back and forth between Acxiom and our clients.
Fortunately, the vast majority of the information involved was
of a non-sensitive nature, and law enforcement was able to
apprehend the suspects and ascertain that none of the
information was used to commit identity fraud. Since then,
Acxiom has put in place even greater protections for the
benefit of both consumers and our clients.
In conclusion, I would like to say that ongoing privacy
concerns indicate the adoption of additional legislation may be
appropriate. Acxiom supports efforts to pass federally
preemptive legislation requiring notice to consumers in the
event of a security breach, which places the consumer at risk
of identity fraud. Acxiom also supports the recent proposal
from FTC Chairman Majoras for the extension of the GLBA
Safeguards Rule.
Mr. Chairman, on behalf of Acxiom I want to express our
gratitude for the opportunity to participate, and we will be
happy to answer any questions the committee may have.
[The prepared statement of Jennifer Barrett follows:]
Prepared Statement of Jennifer Barrett, Chief Privacy Officer, Acxiom
Corporation
introduction
Chairman Stearns, Ranking Member Schakowsky and distinguished
Members of the Committee, thank you for taking the time to hold this
hearing on consumer data and options following security breaches.
Acxiom appreciates the opportunity to participate in today's hearing.
Acxiom has an inherent responsibility to safeguard the personal
information we collect and bring to the market, and we have focused on
assuring the appropriate use of these products and providing a safe
environment for this information since 1991 when the company brought
its first information products to market.
It is important that we all recognize that information has become
an ever growing and ever more integral part of the American economy.
Information is the facilitator of convenience, competition and provides
the tools that reduce fraud and terrorism. As such, we believe that it
is Acxiom's obligation to provide effective safeguards to protect the
information we bring to market regardless of the difficulties
encountered in doing so.
Let me be blunt. The bad guys are smart and getting more organized.
They will use all of the skills available to them to try to find ways
to obtain the information they need to commit fraud. Acxiom must
therefore remain vigilant and innovative, and that is why we employ a
world-class information security staff to help us fend off criminals
who attempt to access Acxiom's data. Acxiom is constantly improving,
auditing and testing its systems. Yes, Acxiom is even learning from
security breaches when they occur, and we are certain that other
responsible companies are doing so as well.
As Chairman Deborah Majoras of the Federal Trade Commission
recently stated in her testimony before the Senate, ``[T]here is no
such thing as perfect security, and breaches can happen even when a
company has taken every reasonable precaution.'' Even though we believe
that this is true, no one has a greater interest than Acxiom in
protecting information because the company's very existence depends on
securing personal information pertaining to consumers.
In order to enjoy the benefits provided by a robust information-
based economy and also to keep our citizens safe from fraudulent
activity, there are no quick fixes or easy solutions. We believe that
it is necessary that cooperation exists among policy makers,
information service providers, Acxiom's clients, law enforcement and
consumers. We applaud your interest in exploring these issues and we
very much want to be a resource in helping you achieve the proper
legislative balance we all seek.
about acxiom corporation
Founded in 1969, Acxiom is headquartered in Little Rock, Arkansas,
with operations throughout the United States, and with processing
centers in Arkansas, Illinois, Arizona, Ohio and California. The
company also has offices in nine other countries across Europe and
Asia. From a small company in Arkansas, Acxiom Corporation has grown
into a publicly traded corporation with more than 6,000 employees
worldwide.
Acxiom's U.S. business includes two distinct components: customized
computer services and a line of information products. Acxiom's computer
services represent the vast majority of the company's business and they
include a wide array of leading technologies and specialized computer
services focused on helping clients manage their own customer
information. These services are offered exclusively to large
businesses, not-for-profit organizations, political parties and
candidates, and government agencies. Acxiom's private sector computer
services clients represent a ``who's who'' of America's leading
companies. Acxiom helps these clients improve the loyalty of their
customers and increase their market share, while reducing risk and
assisting them with their compliance responsibilities under state and
federal law. Finally, Acxiom helps government agencies improve the
accuracy of the personal information they currently hold.
The balance of Acxiom's business comes from information products
that are comprised of four categories: fraud management products,
background screening products, directory products and marketing
products. These four product lines represent less than 20 percent of
the company's total business and the fraud management and background
screening products represent less than 10 percent. While each product
plays a unique role, all of Acxiom's information products help fill an
important gap in today's business-to-consumer relationship.
To understand the critical role Acxiom plays in facilitating the
nation's economy and safeguarding consumers, it is important to
understand what the company does not do. Over the years, a number of
myths have developed about Acxiom that require clarification. Please
allow us to set the record straight:
Acxiom does not maintain one big database that contains detailed
information about all individuals. Instead, the company
safeguards discrete databases developed and tailored to meet
the specific needs of Acxiom's clients--entities that are
appropriately screened and with whom Acxiom has legally
enforceable contractual commitments. I cannot call up from the
company's databases a detailed dossier on myself or any
individual.
Acxiom does not provide information on particular individuals to the
public, with the exception of Acxiom's telephone directory
products. These products, which are available on several
Internet search engines, contain information already available
to the public. The other information Acxiom processes is
provided only to legitimate businesses for specific legitimate
business purposes.
Acxiom does not have any information in either its directory or
marketing products which could be used to commit identity
fraud. Acxiom also does not include detailed or specific
transaction-related information, such as what purchases an
individual made on the Internet or what websites they visited.
The company's directory products include only name, address and
telephone information. The company's marketing products include
only information that is general in nature and not specific to
an individual purchase or transaction.
Acxiom does not commingle client information that the company
processes in its computer services business with any of our
information products. Such activity would constitute a
violation of the company's services contracts with those
clients and a violation of consumer privacy. A client for whom
the company performs services may have a different agreement
with us as a data contributor, but these two relationships are
kept entirely separate.
Acxiom's fraud management products are sold exclusively to a
handful of large companies and government agencies--they are not sold
to individuals. The company's verification services only validate that
the information our client has obtained from the consumer is correct.
Only law enforcement, government agencies and the internal fraud
departments of large financial institutions and insurance companies
have access to additional information.
Acxiom's background screening products provide employment and
tenant screening services which utilize field researchers who do in-
person, real-time research against public records and make calls to
past employers to verify the information provided by the consumer.
Where permitted by law, a pre-employment credit report can also be
obtained. Acxiom does not pre-aggregate information for these products.
Acxiom's directory information products contain only contact
information on consumers such as name, address and telephone number.
They are collected so businesses and consumers can locate other
businesses or consumers. They are compiled from the white and yellow
pages of published U.S. and Canadian telephone directories and from
information available from the various directory assistance services
provided by the telephone companies.
Acxiom's marketing information products provide demographic,
lifestyle and interest information to companies to reach prospective
new customers who are most likely to have an interest in their products
and to better understand and serve the needs of existing customers.
They are compiled from public records, surveys and summarized customer
information primarily from publishers and catalogers.
respecting and protecting consumers' privacy
Acxiom has a longstanding tradition and engrained culture of
protecting and respecting consumer interests in our business. The
company is today, and always has been, a leader in developing self-
regulatory guidelines and in establishing security policies and privacy
practices. There are, as explained below, numerous laws and regulations
that govern our business. Ultimately, however, Acxiom's own
comprehensive approach to information use and security goes far beyond
what is required by either law or self-regulation.
Safeguards Applicable to Products Involving the Transfer of Sensitive
Information
Only Acxiom's fraud management and background screening products
involve the transfer of sensitive information. These products,
therefore, are subject to law, regulations and our own company policies
that help protect against identity fraud. These legal protections and
additional safeguards are addressed below:
GLBA, DPPAs, and FTC: Our fraud management products utilize information
covered under the Gramm-Leach-Bliley Act (GLBA), and driver's
license information covered under both state and federal
driver's privacy protection acts (DPPAs). These obligations
include honoring GLBA and DPPA notice and choice related to
sharing and use of the information, the GLBA Safeguard Rules
and FTC Privacy Rule and Interagency Guidelines. Any uses of
data must fall within one of the permitted uses or exceptions
specified in these laws.
FCRA and FACTA: Our background screening products are covered by all of
the regulations and consumer protections established by the
Fair Credit Reporting Act (FCRA) and the Fair and Accurate
Credit Transactions Act (FACTA). These protections include: the
requirement that a consumer authorize the creation of
employment reports; notice of adverse actions taken based on
such report; and the right of consumers to obtain a copy of
such reports and to dispute inaccuracies. Finally, such
regulations require that re-verification or correction of
disputed information be performed in a timely manner.
Safeguarding Public Record Information: Public records are used in
both Acxiom's fraud management and background screening products.
Although a heightened level of protection is not mandated for such
public record information, by virtue of the fact that such public
information is blended with regulated information, Acxiom voluntarily
chooses to apply the more stringent standards of the above-mentioned
regulations to the resulting products.
Safeguards Applicable to Other Products
Although Acxiom's directory and marketing products do not contain
any sensitive information that could put a consumer at risk for
identity fraud, Acxiom is still subject to the following critical
safeguards: various industry guidelines, compliance with all
requirements in the original notice to consumers at the time the data
was collected, and voluntary compliance with those laws to which our
clients themselves are subject.
Telephone Directory Safeguards: Acxiom's directory products comply with
all applicable policies regarding unpublished and unlisted
telephone numbers and addresses. In addition, because Acxiom
recognizes that consumers may object to published listings
being available on the Internet, Acxiom itself offers an opt-
out from such use. Further, Acxiom voluntarily suppresses all
telephone numbers found on the Federal Trade Commission's Do-
Not-Call Registry and the eleven other state Do-Not-Call
registries, when providing phone numbers for targeted
telemarketing purposes.
Marketing Product Safeguards: Acxiom's marketing products comply with
all the self-regulatory guidelines issued by the Direct
Marketing Association. These requirements include notice and
the opportunity to opt-out. Consumers have the ability to opt-
out from Acxiom's marketing products by calling the company's
toll-free Consumer Hotline, accessing its Website, or by
writing to the company. Since Acxiom does not have a customer
relationship with individual consumers, Acxiom coordinates with
its industry clients to research and resolve consumer
inquiries.
Additional Safeguards
Acxiom takes seriously its responsibility to assure that all the
information we bring to market is appropriate for the use to which it
is intended and to provide adequate safeguards specifically aimed at
protecting against unauthorized use.
Privacy Policy/FTC Jurisdiction: Since 1997, long before it was a
common practice, Acxiom has posted its privacy policy on the
company's website. The privacy policy describes both Acxiom's
online and offline consumer information products. The policy
further describes: what data Acxiom collects for these
products; how such data is used; the types of clients to which
such data is licensed; as well as the choices available to
consumers as to how such data is used. By making these
extensive disclosures, Acxiom has voluntarily subjected itself
to Section 5 of the Federal Trade Commission Act, which
prohibits unfair or deceptive conduct in the course of trade or
commerce, as well as various state statutes governing unfair
and deceptive acts and practices.
Consumer Care Department/Consumer Hotline: Acxiom maintains a Consumer
Care Department led by a Consumer Advocate whose team
interacted with more than 50,000 consumers in the past 12
months by way of answering questions, resolving issues,
processing opt-outs, and handling requests for access to
Acxiom's fraud management, background screening, directory and
marketing products. Acxiom provides consumers who contact the
company (through the company website, or by calling a toll-free
Consumer Hotline or by writing to the company) the options of:
opting-out of all of Acxiom's marketing products; receiving an
information report from the company's fraud management and
directory products; or receiving a consumer report as specified
in the FCRA from the company's background screening products.
Acxiom encourages consumers to notify the company if the
information in any of these reports is inaccurate and it is the
company's policy either to correct the information, to delete
it or to refer the consumer to the appropriate source to obtain
the requested correction, such as a county or state agency.
Certification and Compliance with Federal and State Law: Acxiom's
privacy policy is designed to adhere to all Federal, State, and
local laws and regulations on the use of personal information.
The company is also certified under the Department of
Commerce's European Union Safe Harbor and the Better Business
Bureau's Online Seal.
Consumer Education: Acxiom believes that consumers should be educated
about how businesses use information. To that end, Acxiom
publishes a booklet, entitled ``Protecting Your Privacy in the
Information Age--What Every Consumer Should Know About the Use
of Individual Information,'' which is available for free both
on the company's website and upon written or telephone request.
Voluntary Acxiom Policies: Above and beyond the industry-accepted
guidelines with which Acxiom complies, Acxiom also has
established its own internal guidelines, which are more
restrictive than industry standards. For example, Acxiom only
collects the specific information required to meet its clients'
information needs, and the company properly disposes of the
remaining data, when information is compiled from public
records. Acxiom has also implemented specific guidelines
regarding the use and protection of information that could be
involved in identity fraud, such as Social Security numbers.
Information Practice and Security Audits: Acxiom has had a longstanding
focus on the appropriate use of information in developing and
delivering its information products. While the creation of
strong information use policies is a business imperative,
assuring these policies are followed is equally important. To
this end, all of Acxiom's information products and practices
have been internally and externally audited on an annual basis
since 1997.
Since many of Acxiom's computer service clients are financial
institutions and insurance agencies, Acxiom has been regularly
audited for many years by these clients. Furthermore, Acxiom
must honor the safeguards and security policies of the
company's clients. Since Acxiom's security program is
enterprise-wide, it is the company's policy to institute these
high levels of protection across all lines of business. These
client audits, along with Acxiom's own internal security
audits, provide Acxiom with regular and valuable feedback on
ways to stay ahead of hackers and fraudsters who may attempt to
gain unauthorized access to Acxiom's systems.
Lessons Learned
Two years ago, Acxiom experienced a security breach on one of the
company's external file transfer servers. The hackers were employees of
an Acxiom client and a client's contractor. As users with legitimate
access to the server, the hackers had received authority to transfer
and receive their own files. The hackers did not penetrate the
firewalls to Acxiom's main system. They did, however, exceed their
authority when they accessed an encrypted password file on the server
and successfully unencrypted about 10 percent of the passwords, which
allowed them to gain access to other client files on the server.
Fortunately, the vast majority of the information involved in this
incident was of a non-sensitive nature.
Upon learning of the initial breach from law enforcement, Acxiom
immediately notified all affected clients and, upon further forensic
investigation, the company informed law enforcement regarding a second
suspected security incident. Fortunately, in both instances, law
enforcement was able to apprehend the suspects, recover the affected
information and ascertain that none of the information was used to
commit identity fraud. One of the hackers pled guilty and was recently
sentenced to 48 months in federal prison. The other is currently
awaiting trial.
As a result of the breach, Acxiom cooperated with audits conducted
by dozens of its clients, and both the Federal Trade Commission and the
Office of the Comptroller of the Currency examined Acxiom's processes
to ensure that the company was in compliance with all applicable laws
and its own stated policies.
This experience taught Acxiom additional valuable lessons regarding
the protection of information. For example, Acxiom now requires the use
of more secure passwords on the affected server. The process for
transferring files has been changed, specifically by keeping
information on the server for much shorter periods of time. And while
it was always a recommended internal policy, Acxiom now requires that
all sensitive information passed across such servers be encrypted. In
addition, while Acxiom has had in place a Security Oversight Committee
for many years, the company has also now appointed a Chief Security
Officer with more than 20 years of IT experience. In short, Acxiom's
systems are more secure today as a result of the company's experience
and dedication to the privacy of consumers.
The Need For Additional Legislative Safeguards
There has been much discussion, especially in recent weeks, about
whether existing federal law sufficiently protects consumers from harm.
In this regard, Acxiom does believe that additional, appropriately
tailored legislation would assist Acxiom, the rest of the information
services industry and businesses in general in ensuring that consumers
are protected from fraud and identity theft. But, as FTC Chairman
Majoras has said, even the best security systems imaginable and the
strongest laws possible can nonetheless be circumvented by inventive
criminals intent on committing fraud.
Breach Notification: Acxiom supports efforts to pass federal preemptive
legislation requiring notice to consumers in the event of a
security breach, where such breach places consumers at risk of
identity theft or fraud. California implemented similar
legislation several years ago, and over thirty other states are
involved in passing similar laws. The bottom line is that
consumers deserve a nationwide mandate that requires that they
be notified when they are at risk of identity theft, so they
can take appropriate steps to protect themselves.
Extension of the GLBA Safeguards Rule: Currently, Acxiom voluntarily
subjects itself to the GLBA Safeguards Rule with respect to the
company's computer services and information products. Acxiom
also complies with the California safeguards law (AB 1950). FTC
Chairman Majoras recently has proposed an extension of the GLBA
Safeguards Rule to the information services industry as a
whole. Acxiom supports her recommendation.
Mr. Chairman, Acxiom appreciates the opportunity to participate in
this hearing and to assist Congress in identifying how best to
safeguard the nation's information and data. Acxiom is available to
provide any additional information the Committee may request.
Mr. Stearns. I thank you. Our next witness is Mr. Buege.
Welcome.
STATEMENT OF STEVEN BUEGE
Mr. Buege. Chairman Stearns, Congresswoman Schakowsky,
members of this distinguished committee, thank you for allowing
West to present testimony before this hearing of the
Subcommittee on Commerce, Trade, and Consumer Protection. I
commend you for continuing its tradition of ardent and
principled investigation and legislative oversight of so many
of the issues that touch each of us every day.
My name is Steve Buege. I am senior vice president of
Business Information, News, and Public Records for West. I
oversee this content on Westlaw. I have worked for West nearly
20 years, most recently as head of operations, and prior to
that as chief technology officer. I am proud to be associated
with West and of West's record in the data privacy arena.
West has served the same niche customer base, legal and
government professionals, for over 125 years and throughout our
transformation from being a traditional law book publisher to a
leader in information technology. In 1975 West introduced its
first online legal research service, Westlaw, and we have been
a pioneer in e-commerce ever since.
According to our research, the total U.S. public records
market represents about $7 billion annually. Of that, $1
billion is focused on the crime, law enforcement, prosecution
area. About $160 million of that is in the legal market. For
our business, databases with full SSNs account for only a
fraction of 1 percent of our revenue.
West's customers work in law firms, courts, government, and
corporate legal departments. Much of the information they need
to do their jobs is, by its very nature, sensitive. We are
acutely aware of this and consider ourselves stewards of data
privacy.
Given the attention this issue has recently received in
Washington and in the media, we have carefully reviewed and
further tightened our policies. Throughout this process, our
ultimate test was to do the right thing. Our record proves that
we are on the right track.
Since February, West has removed access to full SSNs from
about 85 percent of the accounts that had it, and blocked this
access entirely to all non-government accounts. Today, the only
customers who can access full SSNs are government agencies
involved in crime prevention, prosecution, and homeland
security. Primarily, the Federal courts, Department of Justice,
and IRS. We also have some smaller government accounts all in
the areas of law enforcement and homeland security as well with
access to full SSNs. All of these accounts are carefully
vetted. It is important to note that we have never granted ad
hoc access to full SSNs and that West serves a specialized B to
B market of legal and government professionals, not a consumer-
oriented market.
West's policies go well beyond what is required under
various privacy laws, yet we recognize the need for more
clarity and regulatory guidance. We welcome the opportunity to
work with you on a variety of approaches, including
establishing a uniform notification system to inform citizens
whose data may have been compromised, charging a government
agency with regulatory oversight of public data providers
similar to the FTC's role with financial institutions,
requiring senior management in data companies that deal with
SSNs to sign off on their companies' security and privacy
arrangements, and legislation that would establish a consistent
method for masking SSNs--for example, always obscuring the last
four digits.
Thank you for your interest and your hard work and for
allowing West to be part of this discussion. I look forward to
continuing to work with you on this important matter.
[The prepared statement of Steve Buege follows:]
Prepared Statement of Steve Buege, Senior Vice President, Business
Information News and Public Records, on Behalf of West
Introduction
Chairman Stearns, Congresswoman Schakowsky, Members of this
distinguished Committee: Thank you very much for allowing West the
opportunity to present testimony before this hearing of the Energy and
Commerce Committee's Subcommittee on Commerce, Trade, and Consumer
Protection. I commend you for continuing the Committee's tradition of
ardent and principled investigation and legislative oversight of so
many of the issues that touch each of us every day.
My name is Steve Buege. I'm senior vice president of Business
Information News and Public Records. In that role for West, I oversee
our news, business information and public records content on Westlaw,
and together with the president and CEO of West, I oversee the policies
governing procurement of and access to that information.
Prior to this, I was vice president of Operations for West, where
Customer Experience, Technology and Content Operations reported into
me. Prior to that, I was Chief Technology Officer for four years. In my
work with the company, spanning now some 20 years, I've participated in
some of its most important transformations. I have intimate knowledge
of its technology, its business and its values. And I am proud of my
association with the business.
About West and Our Customers
West has been serving the same niche customer base--exclusively
legal and government professionals--for more than 125 years. Our
company founder, John B. West, started West Publishing in 1872 as a
regional book and office supply seller for attorneys in the Midwest.
Eventually, West covered judicial opinions from every state, circuit
and appellate court and the U.S. Supreme Court.
Our core market has remained legal and government customers for
more than a century. West maintained this focus on the B2B market while
transitioning from a traditional legal book publisher to a leader in
the information technology revolution. In 1975, West introduced its
first online legal research service, Westlaw. We've been a pioneer in
e-commerce ever since. We embraced the Internet, and electronic
publishing is at the heart of our business today.
The West name--from West Publishing to Westlaw--has long been known
as an authoritative, trustworthy source for the U.S. bench and bar.
This market recognizes Westlaw as the premier online legal research
service; it offers the world's largest databases of legal research
materials, statutes, case law, legal treatises and business
information.
West has been acutely focused on security and privacy issues,
especially in the last 10 years as access to electronic information has
increased significantly. We consider ourselves stewards of data
privacy. West was a founding member of the Individual Reference
Services Group (IRSG). The 1997 IRSG Principles defined a balance
between personal privacy and the important societal benefits of
reference services. West used these principles to establish procedures
for qualifying its users, with only government agencies and a very
small number of professional users receiving qualified access to full
Social Security numbers.
Today, West still refers to the IRSG Principles for guidance about
our collection and distribution of information. For example, although
the Gramm-Leach-Bliley Act's privacy rule permits distribution of
information--including full Social Security numbers--to any entity that
fits within the exception to the rule, West limits distribution of full
Social Security numbers to specific government agencies--going beyond
the requirements of GLBA.
Overview of the Public Records Market
According to our research, the U.S. public records market
represents about $7 billion annually. Within this space, $1
billion is focused on the crime/law enforcement/prosecution area;
approximately $160 million of that space is focused on usage within the
legal market. Of this $160 million, only a fraction relates to records
with full Social Security numbers. For our legal businesses, databases
with full Social Security numbers only account for a fraction of 1
percent of our revenues.
It's important to note that only vetted government customers who
deal with law enforcement, investigatory or homeland security issues
have access to full Social Security numbers. None of our corporate
clients have this access.
Our Privacy Policies
West's customers work in law firms, the courts, government and
corporate legal departments. Much of the information our customers need
to do their jobs and serve our legal justice system is, by its very
nature, sensitive.
West has always been a good steward of this sensitive information,
and we are deeply committed to ensuring that we achieve the proper
balance between making information available for legitimate business
and governmental purposes and respecting people's expectations of
privacy.
Given the attention this issue has received in Washington and in
the media during the past few months, we have carefully reviewed our
policies and made significant changes concerning access. Throughout
this process, our ultimate test was to do the right thing. Our record
proves that we're on the right track.
Since February, West has reviewed the very small number of
customers who had access to full Social Security numbers and further
restricted which customers are allowed such access. We removed access
to full Social Security numbers for about 85 percent of the accounts
that had it, and blocked this type of access to all non-government
accounts. Today, most customers who can access full Social Security
numbers are government agencies involved in crime prevention,
prosecution and homeland security--primarily the Federal Courts, the
Department of Justice and the IRS. We also have some smaller accounts--
all in the areas of law enforcement and homeland security as well--with
access to full Social Security numbers. All these accounts are
carefully vetted. It's important to note that we have never granted ad
hoc access to full Social Security numbers and that West serves a
specialized market of legal and government professionals--not a
consumer-oriented market.
Opt-in policy
In the past few months, West has worked with our government
customers to fully institute an opt-in policy; that is, a policy that
assumes a government account will not have full access to Social
Security numbers. Under this new policy, accounts that need access to
full Social Security numbers will be granted access only to specified
and qualified individuals. Moving forward, all new contracts West
enters with government agencies will be opt-in only.
Enhanced usage tracking and Westlaw reminders
West also has introduced new procedures to monitor databases that
contain Social Security numbers for unusual use patterns, and on a go-
forward basis, customers permitted to view full Social Security numbers
on Westlaw will see a special notification message any time they
access these databases. This message will remind the user that he or
she is among a limited number of people given privileged access to
this information, and that it must be used only for appropriate
purposes and in compliance with the law and the privacy terms West
imposes. This will ensure that individual users are aware of their
responsibility in accessing Social Security numbers as well as their
unique privilege to use this information.
West's policy goes well beyond what's required under various
privacy laws. We are committed to working with this Committee to fully
explore this complex issue. We also hope to work with you, federal
agencies and the industry to ensure that the public is protected from
fraud and that those committed to fighting and prosecuting these crimes
will have the information they need to do their important work.
Privacy Guidelines and Regulations
And that is why I'm here today. West recognizes the need for
guidelines, and we would welcome the opportunity to work with you to
advance a variety of approaches. From our business perspective, here
are some areas where we welcome clarity and guidance:
Establishing a uniform notification system that informs customers
whose data may have been compromised
Allowing a government agency to have an appropriate regulatory role
over public data providers, similar to the regulatory role the
Federal Trade Commission currently has regarding data matters
in financial institutions
Requiring senior management in data companies that deal with Social
Security numbers to sign off on a business's security and
privacy arrangements
Also, you may want to consider the following ideas that haven't
been as widely discussed:
Legislation that would establish a universally applied method for
masking Social Security numbers. (Now there are several common
ways that entities mask Social Security numbers. Some mask the
first five digits and others truncate the last four. This might
allow someone to determine a full Social Security number by
using two differently masked numbers.)
Encouraging each business in this space to find an alternative
technology solution--instead of Social Security numbers--to
create a unique locator that distinguishes one individual with
the same name from another. This approach would be specific to
each business; it wouldn't be uniform across the industry.
Conclusion
Thank you for your interest, your hard work and allowing West to be
part of your discussion. I look forward to continuing to work with you
on this important matter as we balance individuals' rights to privacy
with the national concern for justice and homeland security.
Mr. Stearns. I thank the gentleman. Mr. Ireland, well,
welcome.
STATEMENT OF OLIVER I. IRELAND
Mr. Ireland. Good morning, Chairman Stearns----
Mr. Stearns. I just need you to----
Mr. Ireland. [continuing] Ranking Member Schakowsky, and
members of the subcommittee. My name is Oliver Ireland. I am a
partner in the Washington, DC office of Morrison and Foerster,
and I am pleased to be here today on behalf of Visa U.S.A. to
address the issue of consumer information security.
Visa has long recognized the importance of protecting
cardholder information. The Visa system provides for zero
liability for cardholders for unauthorized transactions.
Therefore, Visa members, the card issuers, incur the costs of
fraudulent transactions that may result from unauthorized
access to cardholder information and have a strong interest in
protecting that information.
Further, existing Federal law obligates financial
institutions to protect their customers' information. Under
Section 501(b) of the Gramm-Leach-Bliley Act, the Federal
banking agencies and the Federal Trade Commission have
established information security standards for the financial
institutions subject to their jurisdiction. But many holders of
sensitive personal information, including, for example,
employers and retail merchants, are not financial institutions
subject to the 501(b) rule. In part, to address this gap, Visa
is implementing a comprehensive Cardholder Information Security
Plan or CISP. CISP requires all holders of cardholder
information, including merchants, to comply with the ``Visa
Digital Dozen,'' 12 basic requirements for safeguarding
customer information.
Visa also uses sophisticated neural networks to detect and
block transactions where fraud is suspected. These networks,
coupled with CISP and Visa's zero liability policy provide a
high degree of protection from fraudulent credit card
transactions to cardholders. Nevertheless, Visa believes that
all businesses that maintain sensitive personal information
should be subject to uniform national requirements to protect
that sensitive information.
Closely related to the issue of information security is the
question of what to do if a security breach occurs. Visa
believes that where the breach creates a substantial risk of
harm to consumers, that the consumers can take action to
prevent, the consumers should be notified so that they can take
the appropriate action. Both Federal and California law already
address this issue. For example, the California law currently
requires notice to individuals of a breach of security
involving their computerized personal information. Other States
have enacted or are considering security breach notification
laws. However, the details of these laws differ.
The Federal banking agencies have also issued guidance that
requires banking institutions that experience a breach of
security involving sensitive customer information to notify
customers where misuse of the information has occurred or is
reasonably possible.
The fact that States are not addressing notification in a
uniform way creates a critical need for a single, national
standard for notification. A single standard will avoid
confusion among consumers as to the meaning of notices that
they receive and among holders of consumer information as to
their notification responsibilities.
Further, any legislation on security breach notification
should recognize compliance with the banking agency guidance
that is already in place as compliance with any Federal
notification requirement. Further, such notification
requirements should be risk-based to avoid inundating consumers
with notices where no action by consumers is required. As FTC
Chair Majoras has testified, notices should be sent only if
there is a significant risk of harm.
Thank you again for the opportunity to be here today. I
would be happy to answer any questions from the members of this
committee.
[The prepared statement of Oliver I. Ireland follows:]
Prepared Statement of Oliver I. Ireland on Behalf of Visa U.S.A. Inc.
Good morning Chairman Stearns, Ranking Member Schakowsky, and
Members of the Subcommittee. I am a partner in the law firm of Morrison
& Foerster LLP, and practice in the firm's Washington, D.C. office. I
am pleased to appear before the Subcommittee on behalf of the Visa,
U.S.A. Inc., to discuss the important issue of consumer information
security.
The Visa Payment System, of which Visa U.S.A. is a part, is the
largest consumer payment system, and the leading consumer e-commerce
payment system, in the world, with more volume than all other major
payment cards combined. Visa plays a pivotal role in advancing new
payment products and technologies, including technology initiatives for
protecting personal information and preventing identity theft and other
fraud.
Visa commends the Subcommittee for focusing on the important issue
of information security. As the leading consumer electronic commerce
payment system in the world, Visa considers it a top priority to remain
a leader in developing and implementing technology, products, and
services that protect consumers from the effects of information
security breaches. As a result, Visa has long recognized the importance
of strict internal procedures to protect Visa's members' cardholder
information, thereby to protect the integrity of the Visa system.
Visa has substantial incentives to maintain strong security
measures to protect cardholder information. The Visa system provides
for zero liability to cardholders for unauthorized transactions.
Cardholders are not responsible for unauthorized use of their cards.
The Visa Zero Liability policy guarantees maximum protection for Visa
cardholders against fraud due to information security breaches. Because
the financial institutions that are Visa members do not impose the
losses for fraudulent transactions on their cardholder customers, these
institutions incur costs from fraudulent transactions. These costs are
in the form of direct dollar losses from credit that will not be
repaid, and also can be in the form of indirect costs attributable to
the harm and inconvenience that might be felt by cardholders or
merchants. Accordingly, Visa aggressively protects the cardholder
information of its members.
Existing Federal Laws and Rules for Information Security
Existing federal laws and regulations also obligate financial
institutions to protect the personal information of their customers.
Rules adopted under section 501(b) of the Gramm-Leach-Bliley Act of
1999 by the federal banking agencies and the Federal Trade Commission
(``FTC'') (``GLBA 501(b) Rules'') establish information security
standards for the financial institutions subject to the jurisdiction of
these agencies. Under the GLBA 501(b) Rules, financial institutions
must establish and maintain comprehensive information security programs
to identify and assess the risks to customer information and then
control these potential risks by adopting appropriate security
measures.
Each financial institution's program for information security must
be risk-based. Every institution must tailor its program to the
specific characteristics of its business, customer information and
information systems, and must continuously assess the threats to its
customer information and systems. As those threats change, the
institution must appropriately adjust and upgrade its security measures
to respond to those threats.
However, the scope of the GLBA 501(b) Rules is limited. Many
holders of sensitive personal information are not financial
institutions covered by the GLBA 501(b) Rules. For example, employers
and most retail merchants are not covered by the GLBA 501(b) Rules,
even though they may possess sensitive information about consumers.
Visa's Cardholder Information Security Plan
Because of its concerns about the adequacy of the security of
information about Visa cardholders, Visa has developed and is
implementing a comprehensive and aggressive customer information
security program known as the Cardholder Information Security Plan
(``CISP''). CISP applies to all entities, including merchants, that
store, process, transmit, or hold Visa cardholder data, and covers
enterprises operating through brick-and-mortar stores, mail and
telephone order centers, or the Internet. CISP was developed to ensure
that the cardholder information of Visa's members is kept protected and
confidential. CISP includes not only data security standards but also
provisions for monitoring compliance with CISP and sanctions for
failure to comply.
As a part of CISP, Visa requires all participating entities to
comply with the ``Visa Digital Dozen''--twelve basic requirements for
safeguarding accounts. These include: (1) install and maintain a
working network firewall to protect data; (2) do not use vendor-
supplied defaults for system passwords and security parameters; (3)
protect stored data; (4) encrypt data sent across public networks; (5)
use and regularly update anti-virus software; (6) develop and maintain
secure systems and applications; (7) restrict access to data on a
``need-to-know'' basis; (8) assign a unique ID to each person with
computer access; (9) restrict physical access to data; (10) track all
access to network resources and data; (11) regularly test security
systems and processes; and (12) implement and maintain an overall
information security policy.
payment card industry data security standard
Visa is not the only credit card organization that has developed
security standards. In order to avoid the potential for imposing
conflicting requirements on merchants and others, in December of 2004,
Visa, MasterCard, American Express, Discover, and Diners Club
collaborated to align their respective data security requirements for
merchants and third parties. Visa found that the differences between
these security programs were more procedural than substantive.
Therefore, Visa has been able to integrate CISP into a common set of
data security requirements without diluting the substantive measures
for information security already developed in CISP. Visa supports this
new, common set of data security requirements, which is known as the
Payment Card Industry Data Security Standard (``PCI Standard'').
neural networks to detect fraud and block potentially unauthorized
transactions
In addition to the CISP program, which helps to prevent the use of
cardholder information for fraudulent purposes, Visa uses sophisticated
neural networks that flag unusual spending patterns for fraud and block
the authorization of transactions where fraud is suspected. When
cardholder information is compromised, Visa notifies the issuing
financial institution and puts the affected card numbers on a special
monitoring status. If Visa detects any unusual activity in that group
of cards, Visa again notifies the issuing institutions, which begin a
process of investigation and card re-issuance. These networks, coupled
with CISP and Visa's Zero Liability, provide a high degree of
protection from fraudulent credit card transactions to cardholders.
expansion of existing requirements
Current protections notwithstanding, Visa believes that an
obligation to protect sensitive personal information, similar to the
GLBA 501(b) Rules, should apply broadly so that all businesses that
maintain sensitive personal information will establish information
security programs. Because consumer information knows no boundaries, it
is critical that this obligation be uniform across all institutions in
all jurisdictions.
security breach notification
Closely related to the issue of information security is the
question of what to do if a breach of that security occurs. Visa
believes that where the breach creates a substantial risk of harm to
consumers that the consumers can take action to prevent, the consumers
should be notified about the breach so that they can take appropriate
action to protect themselves. Both federal and California law already
address this issue. California law currently requires notice to
individuals of a breach of security involving their computerized
personal information. The California law focuses on discrete types of
information that are deemed to be sensitive personal information. The
statute defines sensitive personal information as an individual's name
plus any of the following: Social Security Number, driver's license
number, California identification card number, or a financial account
number, credit or debit card account number, in combination with any
code that would permit access to the account. The California law
includes an exception to the notification requirement when this
personal information has been encrypted. The California law only
requires notice to be provided when personal information is ``acquired
by an unauthorized person.'' Other states recently have enacted or are
considering security breach notification laws; however, the details of
some of the laws differ.
In March, the federal banking agencies issued final interagency
guidance on response programs for unauthorized access to customer
information and customer notice (``Guidance''). The Guidance applies to
all financial institutions that are subject to banking agency GLBA
501(b) Rules and requires every covered institution that experiences a
breach of security involving sensitive customer information to: (1)
notify the institution's primary federal regulator; (2) notify
appropriate law enforcement authorities consistent with existing
suspicious activity report rules; and (3) notify its affected customers
where misuse of the information has occurred or is reasonably possible.
The keen interest that states have shown to legislate on the issue
of security breach notification emphasizes the need for a single
national standard for security breach notification in order to avoid
confusion among consumers as to the significance of notices that they
receive and among holders of information about consumers as to their
notification responsibilities. In addition, any legislation on security
breach notification should recognize compliance with the Guidance as
compliance with any notification requirements.
Visa believes that a workable notification law that would require
entities that maintain computerized sensitive personal information to
notify individuals upon discovering a significant breach of security of
that data should be risk-based to avoid inundating consumers with
notices where no action by consumers is required. As FTC Chairwoman
Majoras recently testified to Congress, notices should be sent only if
there is a ``significant risk of harm,'' because notices sent when
there is not a significant risk of harm actually can cause individuals
to overlook those notices that really are important.
Thank you, again, for the opportunity to present this testimony
today. I would be happy to answer any questions.
Mr. Stearns. I thank the gentleman. Mr. Burton, welcome.
STATEMENT OF DANIEL BURTON
Mr. Burton. Thank you, Chairman Stearns, Ranking Member
Schakowsky, distinguished members of the subcommittee. I
appreciate your holding this hearing and giving me the
opportunity to testify. My name is Daniel Burton. I am vice
president of government affairs for Entrust, Inc.
Entrust is a world leader in securing digital identities
and information. As a security software company, we are in the
business of protecting our customers, and by extension, your
constituents, with proven technology solutions. Over 1,200
enterprises and government agencies in more than 50 countries
rely on Entrust software, including the U.S. Department of
Treasury, the Department of Justice, and several nuclear
laboratories. So we have a lot of experience in this field.
I would first like to note with great appreciation this
subcommittee's longstanding interest in online privacy. You
have followed this issue closely for several years and built up
considerable expertise. As a result, this committee is very
well-positioned to play a leadership role in this debate.
The privacy issues we are facing today are very different
than they were a few years ago. Then, much of the debate
revolved around limited opt-in and opt-out provisions. Today,
with the rampant theft of confidential personal information,
the Internet privacy debate is focused squarely on security.
This shift in emphasis represents a sea of change for
public policy. For years we have enjoyed the productivity
improvements that network computing afforded and tolerated the
nuisances that came with it. Today, these nuisances are
overshadowed by a much more sinister problem, organized crime.
Just like companies and governments, criminals have
realized that the Internet is a powerful business tool. For
criminals, gaining access to computerized credit card
information, Social Security numbers, and other identifiers is
a gateway to ready cash. Computer hackers no longer fit the
profile of pimply faced teenagers who lose interest as soon as
they get a girlfriend. Increasingly, they are skilled criminals
who have a sophisticated business plan, mount wholesale
attacks, move quickly around the world, and cover their tracks.
Identity theft is not limited to data brokers. The breaches
at ChoicePoint and Lexis-Nexis may have sparked public outrage,
but the problem goes much deeper. Discount Shoe Warehouse, the
San Jose Medical Group, George Mason University, SAIC, Time
Warner, none of these are data brokers, yet all have suffered
breaches of highly sensitive personal information.
Focusing remedies exclusively on data brokers is like
protecting your home from burglars by locking your doors but
leaving your windows wide open. It may make you feel better,
but it won't prevent a robbery. Similarly, passing a law that
requires only data brokers to issue notifications when their
systems are breached will do nothing to safeguard the reams of
personal information that are held by other organizations.
It is for this reason that the recent State breach
notification laws cover anyone that owns or licenses
computerized data that includes personal information. As you
know, several States have already passed such bills, and many
more are considering them. There is a very real possibility
that by this summer we could see over a dozen competing State
breach notification laws in effect.
Given the reality of cyber crime, breaches, and State
legislation, Congress needs to act. Entrust believes that
Federal legislation could help and recommends the following
measures for consideration: No. 1, establish a uniform national
breach notification policy for unauthorized access to
unencrypted personal information. If personal data is
appropriately encrypted, notification should not be required.
That is because even if the data is stolen, it will show up as
random characters that won't make any sense to thieves unless
they have the proper access codes. Since not all encryption is
reliable, however, Congress should insist that it meets
standards developed by the National Institute of Standards and
Technology.
No. 2, require second factor authentication for access to
sensitive personal information. The FDIC said it best in its
report ``Putting an End to Account-Hijacking Identity Theft.''
Its lead recommendation, upgrading existing password-based,
single factor customer authentication systems to two factor
authentication. Simple user names and passwords are too easily
breached. They must be backed up with physical tokens
containing secret access codes the legitimate users keep in
their possession.
No. 3, encourage enterprises that hold sensitive personal
information to use technological and other means to assure
compliance with their privacy policies. Since the majority of
breaches come from insiders, organizations can significantly
improve data security by deploying automated tools that screen
email for privacy violations.
The fourth recommendation is to extend security
requirements similar to the Gramm-Leach-Bliley Act safeguards
to all entities that retain sensitive personal information.
In conclusion, this subcommittee has a vital role to play
in the effort to secure computerized personal information.
Entrust is doing its best to help organizations implement
strong technology safeguards and looks forward to working with
you to see that they are complemented with effective public
policy.
[The prepared statement of Daniel Burton follows:]
Prepared Statement of Daniel Burton, Vice President of Government
Affairs, Entrust, Inc.
Good Morning. Chairman Stearns and distinguished Members of the
Subcommittee, thank you for holding this hearing and giving me the
opportunity to provide testimony on this important subject. My name is
Daniel Burton, and I am Vice President of Government Affairs for
Entrust, Inc. In my testimony today, I will discuss the impact of
security breaches and what we can do about them.
Entrust is a world leader in securing digital identities and
information. As a security software company, we are in the business of
protecting our customers--and by extension your constituents--with
proven technology solutions that secure digital information. Over 1,200
enterprises and government agencies in more than 50 countries,
including the US Department of Treasury, the Department of Justice and
numerous nuclear laboratories, rely on Entrust software, so we have a
lot of experience in this field. Entrust provides software solutions
that protect your digital identity through authentication, enforce
policy through advanced content scanning, and protect your information
assets through encryption. Our mission is to work with customers to put
in place the technologies, policies, and procedures necessary to
protect digital identities and information.
I would like to note with appreciation this committee's
longstanding interest in on-line privacy. As a company that is on the
front lines of the daily battle to protect sensitive information,
Entrust applauds your activities and encourages your continued
leadership in this area. You have followed this issue closely for
several years and built up considerable expertise. As a result, you are
well positioned to play a critical role in protecting the privacy of
individuals, companies and governments.
The privacy issues we are facing today are very different than they
were a few years ago. Then, much of the debate revolved around limited
``opt-in'' and ``opt-out'' provisions that determined what kind of
consent was necessary to share personal information for marketing
purposes. Today, with rampant theft of confidential personal
information a reality, the Internet privacy debate is focused
squarely on security.
crime on the net
This shift in emphasis--from nuisance to outright crime--represents
a sea change for public policy. For years we have enjoyed the
productivity improvements that networked computing afforded and learned
to live with the nuisances that came with it. We may have been
concerned about hacking for ``honor'' and other pranks, but like early
versions of spam, viruses and unsolicited marketing campaigns, we
tolerated them as a small price to pay for the extraordinary dividends
the Internet provided. Today, these nuisances are overshadowed by a
much more sinister problem--organized crime.
Just like companies and governments, criminals have come to realize
that the Internet is a powerful business tool. As mountains of
sensitive personal, corporate and government information have moved
onto the net, crime has too. For criminals, gaining access to names,
addresses, credit card information, social security numbers and other
identifiers is a gateway to ready cash. As a result, computer hackers
no longer fit the profile of pimply faced teenagers who lose interest
as soon as they get a girlfriend. Increasingly, they are skilled
criminals who have a sophisticated business plan, mount wholesale
attacks, move quickly around the globe and cover their tracks. Our
understanding of these crimes and the role of law enforcement is still
evolving, but the stakes are high. If Internet crime causes American
consumers to retreat from online transactions, U.S. business and
government will suffer huge productivity reversals that could cripple
not only e-commerce, but also the economy at large.
The statistics are staggering. The Federal Trade Commission
estimates that 9-10 million Americans are victims of identity theft per
year. Total cost to business and consumers is approaching $50 billion.
Almost 2 million US adult Internet users had their identities stolen in
2004. Almost 12% of the fraud is online.
As a result, the public temperature is rising. A January 2005 IDC
Survey showed that close to 60% of US consumers are concerned about
identity theft, and almost 6% have taken the remarkable step of
switching banks as a result. A survey that Entrust conducted reaffirmed
this concern. It found that 80% of individuals are worried about
someone stealing their on-line identity and using it to access their
on-line bank accounts.
The underlying question of this hearing is whether we are doing
enough to protect confidential information. The answer, unfortunately,
is that as a nation we are not prepared to deal with the reality of
cybercrime. The necessary legal framework to safeguard consumers and
companies is still incomplete; enforcement efforts and resources are
inadequate; and much of the private sector is still in denial.
bigger than banks, hospitals and data brokers
The identity theft crisis extends well beyond regulated industries
like banking and healthcare that many people view as guardians of their
sensitive information. It's even bigger than data brokers, despite all
the attention they have received lately. The breaches at Bank of
America, Choicepoint and Lexis-Nexis may have sparked public outrage
about identity theft, but you only have to look at the kinds of
organizations that have announced breaches in recent months to
understand that the problem goes much deeper. Discount Shoe Warehouse,
Paymaxx, the San Jose Medical Group, the University of California at
Berkeley, George Mason University, SAIC, Time Warner--none of these are
data brokers, yet they all suffered breaches of highly sensitive
personal information. The scope of these breaches demonstrates that the
universe of organizations holding sensitive personal information is
quite large. Focusing remedies exclusively on data brokers is like
protecting your home from burglars by locking the front door and
leaving all the windows wide open. It may make you feel better, but it
won't do much to prevent a robbery. Similarly, passing a law that
requires only data brokers to issue notifications when their systems
are breached will do nothing to safeguard the mountains of personal
information that are held by other organizations. True success lies in
a much broader approach.
It is for this reason that the recent state breach notification
laws we see around the country are not limited to banks, healthcare
providers and data brokers. It may interest you to know that many of
the most proactive states in this arena are represented by members of
this Committee. For example, California was the first state to pass
such a bill (H.B. 1386). It took effect on July 1, 2003 and requires a
state agency, person or business that conducts business in California,
and that owns or licenses computerized data that includes personal
information to disclose breaches of unencrypted personal information to
California residents. Arkansas has also passed a disclosure law (Senate
Bill 1167) that covers ``individuals, businesses and state agencies
that acquire, own or license personal information about the citizens of
the State of Arkansas . . .'' Florida has a bill (H.B. 481) awaiting
the Governor's signature that covers ``Any person who conducts business
in this state and maintains computerized data in a system that includes
personal information . . .'' In all, over twenty states have introduced
such legislation, and there is a possibility that we could have over a
dozen competing and conflicting state breach notification laws in
effect by this summer.
Given this backdrop of crime, systematic breaches and proliferating
state legislation, Congress needs to act.
technology and public policy
In trying to determine what role Congress should play, it is
important to understand some of the key technologies underlying
information security. I will focus on two: confidentiality and
authentication. Confidentiality means assuring that information is not
disclosed to unauthorized persons. Encryption--the encoding or
scrambling of information so that it can only be decoded and read by
someone with the correct decoding key--is the technology often
associated with confidentiality.
Encryption comes in different strengths. Many of the state breach
notification bills make specific reference to it.
Data in transit, such as e-mail, presents different encryption
challenges than stored data. And since stored data is held in a variety
of repositories, from mainframes to laptops, and in different ways,
such as data bases and directories, it presents unique encryption
challenges of its own. Software applications and data bases are
typically built for speed, not security, so the issue is not just
whether to encrypt them, but how and where to apply it. Not all data
must be encrypted, but there is an increasing demand to encrypt
sensitive personal data, even if it affects performance.
Authentication means corroborating that a user is who they claim to
be. It is often linked closely with authorization, which means that you
have the right to access the information in question. Authentication
technologies include user name and password (referred to as first
factor since they relate to something you know) and physical tokens
with secret codes (referred to as second factor since they are
something you have). An even stronger form of authentication technology
is the digital certificate, which is an electronic identifier that
establishes your credentials. Digital certificates are issued by a
certification authority. They contain your name, a serial number,
expiration dates, a copy of the certificate holder's public key (used
for encrypting messages and digital signatures), and the digital
signature of the certificate-issuing authority so that a recipient can
verify that the certificate is real. Using public key cryptography and
digital certificates, the sender can assure that only the intended
recipient can open the message, and the recipient knows that only the
authorized sender could have sent the message.
Much of the public policy debate about identity theft has focused
on the need to authenticate consumer identities. Just as important,
however, is the need to authenticate employer and supplier identities
at both ends of a transaction. Since many breaches are internal, proper
authentication of the employees, customers and partners who have
privileged access to information is critical to preventing identity
theft.
the need for additional legislative safeguards
There has been a lot of discussion about whether existing law is
sufficient to prevent identity theft. Although industry at large has
traditionally opposed federal legislation in this area, rampant
identity theft, the proliferation of security breaches, and the passage
of state breach notification laws have caused many companies to change
their view. Entrust believes that additional Federal legislation could
assist holders of sensitive personal information in their efforts to
prevent consumer fraud and identity theft. Specifically, we believe
that the following measures deserve consideration.
1. Establish a uniform national breach notification policy for
unauthorized access to unencrypted personal information.
Breach notification laws are necessary to inform consumers when
their sensitive personal information has been compromised so that they
can guard themselves against identity crimes. As mentioned above,
several states have passed breach notification laws and many more have
introduced this legislation. A uniform national notification standard
is needed to preempt conflicting state laws and establish consistent
requirements. In weighing such a provision, Congress should keep in
mind two important criteria that are enshrined in state law.
First, the notification requirement should apply to all entities
that hold sensitive personal information. Confidential information is
held by a wide variety of institutions, including employers, retailers,
lawyers and government agencies. If the Federal notification
requirement is limited to data brokers and regulated industries like
banking and health-care, none of these other organizations will be
covered. If this were the case, organizations like SAIC, Time Warner,
George Mason University and Discount Shoe Warehouse--all of whom have
suffered breaches and sent out notifications in recent months--would
not be required by Federal law to notify those people whose identities
had been compromised.
Second, and just as important, if the personal information is
appropriately encrypted, notification should not be required. The
reason for this provision is that unauthorized access to encrypted data
reveals only scrambled code that is meaningless. For example, if the
personal information of the 600,000 current and former employees of
Time Warner had been encrypted on the tapes that were lost, there would
have been very little risk of identity theft because the information
would have been unintelligible to anyone without the proper access.
There are several different kinds of encryption, however, not all
of which are reliable. To ensure that the encryption is adequate,
Congress should insist on the encryption standards developed by the
National Institute of Standards and Technology. Organizations that
suffer breaches should not have to issue notifications if their data,
whether in storage or in transit, is encrypted with a NIST approved
encryption algorithm, uses NIST approved key management techniques and
has cryptographic operations performed within a FIPS 140 validated
cryptographic module.
2. Require second factor authentication for access to sensitive
personal information.
The Federal Deposit Insurance Corporation (FDIC) issued a thorough
study of identity theft in its December 2004 report, Putting an End to
Account-Hijacking Identity Theft. The FDIC's lead recommendation is
``Upgrading existing password-based single-factor customer
authentication systems to two-factor authentication.'' Industry
analysts have confirmed this view. Jonathan Penn, an analyst at
Forrester, has written that ``In response to consumers' rising concerns
about fraud and identity theft, many organizations are evaluating
strong authentication solutions . . .'' And John Pescatore, an analyst
with Gartner, has written ``When you get to the core issue of most
identity theft attacks, it really falls back to needing stronger
authentication . . .''
The problem with two-factor authentication is that, until recently,
it was difficult to administer and prohibitively expensive to implement
on a large scale. Fortunately, new technology breakthroughs by Entrust
and others have substantially reduced the cost and complexity
associated with two factor authentication. These breakthroughs should
facilitate the broader use of this technology to organizations that
must safeguard large quantities of digital identities.
3. Encourage enterprises that hold sensitive personal information to
use technological and other means to assure compliance with
their privacy policies.
Since the majority of breaches come from insiders, one way to limit
them is for organizations to screen communications for privacy
violations. The FDIC has already highlighted this imperative in its
safeguards guidance to financial institutions, recommending that they
establish controls to prevent employees from providing customer
information to unauthorized individuals. Since banks are not the only
ones holding sensitive personal information, these controls should be
extended to non-financial institutions as well.
Because the majority of electronic data is at some point associated
with e-mail, controls that assure outgoing e-mail communications and
attachments comply with privacy policies can help reduce identity
theft. To the extent that organizations monitor e-mail traffic at all,
however, many rely on a manual review of only a small sample of e-mail
traffic. Fortunately, technology now exists that has automated
compliance controls capable of blocking, archiving, redirecting or
securing e-mail communications in real-time. Enterprises that are in
the business of holding sensitive personal information should be
encouraged to consider adopting it.
4. Extend security requirements similar to the Gramm-Leach-Bliley Act
safeguards for financial institutions to all entities that
retain sensitive personal information.
This Subcommittee should consider extending the risk management,
reporting and accountability requirements documented in FDIC and FTC
safeguards guidance to all enterprises that hold sensitive personal
information. Title V of the Gramm-Leach-Bliley Act (GLBA) states that
financial institutions must establish safeguards for customer records
and information. In her testimony before this Subcommittee on March 15,
2005, the Chair of the Federal Trade Commission, Deborah Majoras, noted
that to the extent that data brokers fall within the GLBA definition of
financial institutions they must abide by these safeguards. As
discussed earlier, however, limiting the extension of the GLBA
safeguards only to data brokers would overlook the vast numbers of
other organizations that hold sensitive personal information and do
little to stem the tide of identity theft.
Since any discussion of security safeguards raises questions about
technology mandates, it is important to emphasize that the regulatory
guidance for implementing the GLBA safeguards addresses such issues as
the need to develop a written security plan, to designate appropriate
personnel to oversee it, and to conduct a risk assessment. None of
these is a technology requirement. Instead, they relate to sound
management practices. The National Cyber Security Summit Task Force on
Information Security Governance that Entrust CEO Bill Conner co-chaired
took a similar approach. In its April 2004 report, Information Security
Governance: A Call to Action, it concluded that ``The best way to
strengthen US information security is to treat it as a corporate
governance issue that requires the attention of Boards and CEOs.'' It
recommended that CEOs have an annual information security evaluation
conducted, review the evaluation results with staff, and report on
performance to their board of directors. In addition, it emphasized the
need for organizations to establish a security management structure to
assign explicit individual roles, responsibility, authority and
accountability.
conclusion
This Subcommittee has an important role to play in the effort to
secure personal data. The goal is clear. We should do everything we can
to encourage holders of sensitive information to secure it from
unauthorized access and, in the event of a breach, to notify
individuals so that they can protect themselves. The reality of rampant
identity theft is proof that we have no time to waste. The fact that
sensitive personal information is held by a wide variety of
organizations demonstrates that a narrow solution will be insufficient.
Information security is not only a technical issue, but also a
governance challenge. Technology solutions, like encryption, strong
authentication and automated e-mail compliance with privacy policies,
can do a lot to prevent unauthorized access to personal information.
But they must be grounded in the risk management, reporting and
accountability that can only be implemented with the active engagement
of executive management.
Mr. Stearns. I thank the gentleman. We are on a vote, but I
think we--Mr. Solove, I think we can get your opening
statement, and then we will recess and come right back. So go
ahead. Welcome.
STATEMENT OF DANIEL J. SOLOVE
Mr. Solove. Mr. Chairman, Congresswoman Schakowsky, members
of the committee, thank you for inviting me to appear before
you and provide testimony. My name is Daniel Solove, and I am
an associate professor of law at George Washington University
Law School. I have published over a dozen articles as well as
two books about information privacy. My most recent book, ``The
Digital Person,'' discusses the issues at this hearing in
depth. It was published in December 2004.
The litany of data leaks and improper access to personal
data are the symptoms of a significant problem that Congress
must address. It is important to understand the nature of the
problem, and I think this extends beyond just a security issue.
We are increasingly living with digital dossiers about our
lives. These repositories of personal data can affect whether
we get a loan, a license, or a job. The central problem that we
face today is caused by a lack
of individual participation and empowerment when it comes to
the collection and use of personal data and a lack of
accountability among the companies that handle that data.
Today, people lack much participation in how their data is
used and disseminated. Identity theft is difficult for victims
to detect because they have little knowledge about the
information being circulated about them. Therefore, solutions
to the problem must provide individuals with greater knowledge
and control about how their data is used. People must be
provided meaningful remedies when their data is leaked and
misused. Without meaningful remedies, mere notice of a leak is
akin to a company saying we just had a toxic spill in your
backyard. It might cause you harm, so you might want to have
periodic medical checkups.
Because people have so little participation and power over
their information, it is very hard for them to clean up their
records in the event of an identity theft. Congress should
ensure that victims of identity theft have appropriate tools to
repair the damage quickly.
The harm to victims in an identity theft is facilitated by
Social Security numbers, birth dates, and other pieces of
personal data being used by companies as passwords to obtain
access to accounts or to sign up for a credit card. If the
practice of using Social Security numbers as passwords were
halted, the leakage of Social Security numbers would not be so
dangerous and damaging to individuals.
The Gramm-Leach-Bliley Act requires security safeguards for
personal data maintained by financial institutions. Despite
these safeguards, many financial institutions continue to use
Social Security numbers as passwords. Why doesn't the FTC
enforce these security standards to halt this practice? Well, I
can postulate a number of reasons, and I think one of the
primary reasons is that these security standards are incredibly
vague and they haven't provided adequate guidance. I think to
be effective in crafting security standards, they must apply
widely and they must be specific without being overly
constraining.
Beyond identity theft, people lack the ability to easily
locate and fix errors in their records that may cause them
harm. People's dossiers are often riddled with inaccuracies.
The Fair Credit Reporting Act requires consumer reporting
agencies to maintain procedures to ensure maximum possible
accuracy. However, many data brokers have databases they claim
fall outside of the Fair Credit Reporting Act. And little is
done more systemically to ensure the accuracy of records
systems used for background checks and other decisions about
people's lives.
I believe that the security breaches that we are facing
today are part of a larger problem, one involving information
privacy. Information today is protected in a piecemeal fashion
based on who holds it. The same piece of data might be
protected if it is held by a video rental store but completely
unprotected in the hands of data brokers like ChoicePoint.
The current regulation of information has tremendous gaps
and loopholes. We have a system that does not provide adequate
accountability among the users of personal information. We have
a system that, to a large extent, leaves people out in the cold
who are victimized by identity theft or harmed by an erroneous
report.
Congress must put individuals back in control of their data
and ensure that companies are accountable for the way that they
handle and use that data. Thank you very much.
[The prepared statement of Daniel J. Solove follows:]
Prepared Statement of Daniel J. Solove, Associate Professor of Law,
George Washington University Law School
i. introduction
Mr. Chairman, members of the Committee, thank you for inviting me
to appear before you and provide testimony. My name is Daniel Solove
and I am an associate professor of law at the George Washington
University Law School. I write extensively about information privacy
law issues and have published well over a dozen law review articles as
well as two books, The Digital Person: Technology and Privacy in the
Information Age (NYU Press December 2004) and Information Privacy Law
(Aspen 2003) (with Marc Rotenberg).
The announcement of recent data breaches at a variety of companies
and institutions has affected millions of people. As one article
notes:
In breaches reported publicly since February, more than 2.5
million records may have been exposed to thieves at data broker
ChoicePoint, retailer DSW, news and information broker
LexisNexis, the University of California at Berkeley and
elsewhere.1
---------------------------------------------------------------------------
\1\ Jon Swartz, Time Warner's Personal Data on 600,000 Missing, USA
Today (May 3, 2005).
---------------------------------------------------------------------------
I will not discuss the series of data breaches that have led to
this hearing, as I am sure that you are all familiar with them.
Instead, I will focus my comments on what can be done to address the
problems and how we can better protect information privacy. My remarks
will focus on two points.
First, I will explain why the problem is larger than just a
security problem. Security is one dimension of a larger set of issues
involving information privacy. Beyond securing data, the law must
ensure that when there is a leak or improper access, the harmful
effects are minimized. Doing this requires empowering individuals with
tools to better manage their data. Moreover, making companies more
accountable for their activities will promote better security, as well
as better accuracy, in record systems.
Second, I will discuss why the innovative role of the states should
be preserved. Federal legislation must allow room for states to
experiment with new approaches and solutions to the problem. Many
current federal protections, as well as many of the ideas currently
proposed to address the problem, are drawn from state laws.
There are many more specific measures that can be taken to address
the problems we are encountering today. Chris Hoofnagle of the
Electronic Privacy Information Center and I have written a short essay
called A Model Regime of Privacy Protection, where we set forward
succinctly a series of sixteen legislative proposals. We explain why
these proposals are necessary and respond directly to the criticisms of
our proposals by a wide array of individuals (some from the industries
we propose regulating). The paper is currently available for free at:
Daniel J. Solove & Christopher Hoofnagle, A Model Regime of Privacy
Protection http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701
I will avoid repeating the content of this paper, but I recommend
that you read it as it may be helpful in crafting specific legislative
solutions.
ii. beyond security: a problem of many dimensions
The litany of data leaks and improper access to personal data is
a symptom of a significant problem that Congress should address. It
is important to understand the nature of the problem, as it extends far
beyond just a security issue. In my recent book, The Digital Person:
Technology and Privacy in the Information Age (NYU Press, December
2004), I observed that the central problem we face is caused by a lack
of individual participation and empowerment when it comes to the
collection and use of personal information as well as a lack of
accountability among the companies that handle the data. In my book, I
argued:
We are increasingly living with digital dossiers about our
lives, and these dossiers are not controlled by us but by
various entities, such as private-sector companies and the
government. These dossiers play a profound role in our
existence in modern society.2
---------------------------------------------------------------------------
\2\ Daniel J. Solove, The Digital Person: Technology and Privacy in
the Information Age 115 (2004).
---------------------------------------------------------------------------
These repositories of personal information are used in ways that
affect key aspects of our lives: whether we get a loan, a license, or a
job. However, despite these high stakes:
At present, the collectors and users of our data are often
not accountable to us. A company can collect a person's data
without ever contacting that person, without that person ever
finding out about it. The relationship is akin to the
relationship between strangers--with one very important
difference: One of the strangers knows a lot about the other
and often has the power to use this information to affect the
other's life.3
---------------------------------------------------------------------------
\3\ Id. at 102.
---------------------------------------------------------------------------
The problem is not that companies dealing with personal information
are a bunch of evil-doers bent on harming people. The collection and
use of personal information can have many benefits, and the goal of an
effective protection of privacy is not to stop information flow, but to
empower individuals with greater control over their data and to make
companies more accountable for their uses of personal data.
A. Individual Participation
People lack much participation in how their data is used or
disseminated. Personal data is readily collected and disseminated
without people's knowledge and consent, thus increasing people's
vulnerability to identity theft, stalking, and other crimes.
Identity theft is rising at a staggering rate. In an identity
theft, the thief uses a victim's personal information to improperly
access accounts, obtain credit in the victim's name, or impersonate the
victim for other purposes. In 2003, the FTC estimated that ``almost 10
million Americans have discovered that they were the victim of some
form of ID Theft within the past year.'' 4
---------------------------------------------------------------------------
\4\ Federal Trade Commission, Identity Theft Survey Report 4, 6
(Sept. 2003). For an excellent account of the rise of identity theft,
see Bob Sullivan, Your Evil Twin: Behind the Identity Theft Epidemic
(2004).
---------------------------------------------------------------------------
The law has attempted to deal with identity theft by enhancing
criminal penalties, but this alone has been a dismal failure. The
problem is that identity thieves are hard to catch. Gartner, Inc.
estimates that only 1 in 700 thieves is successfully
prosecuted.5 A report by the U.S. General Accounting Office
describes in great detail the difficulties with criminal investigation
and prosecution of identity theft cases.6
---------------------------------------------------------------------------
\5\ Stephen Mihm, Dumpster Diving for Your Identity, N.Y. Times
Magazine, Dec. 21, 2003.
\6\ U.S. General Accounting Office, Report to the Honorable Sam
Johnson, House of Representatives, Identity Theft: Greater Awareness
and Use of Existing Data Are Needed 17-18 (June 2002).
---------------------------------------------------------------------------
In contrast, I noted in my book that:
The identity thief's ability to so easily access and use our
personal data stems from an architecture that does not provide
adequate security to our personal information and that does not
afford us with a sufficient degree of participation in its
collection, dissemination, and use. Consequently, it is
difficult for the victim to figure out what is going on and how
to remedy the situation.7
---------------------------------------------------------------------------
\7\ Daniel J. Solove, The Digital Person: Technology and Privacy in
the Information Age 115 (2004).
---------------------------------------------------------------------------
The problem is that the law does not afford people sufficient
participation in the way that their information is managed. Identity
theft is difficult for victims to detect because they have little
knowledge about the information being circulated about them or how that
data is being used. The victim's lack of awareness is exploited by the
identity thief, who can go on a spree of fraud in the victim's name
without the victim finding out about it. Therefore, solutions to the
problem must provide individuals with greater knowledge and control
about how their data is used.
B. Remedies for Harmed Individuals
People must be provided meaningful remedies when their data is
leaked or misused. Without meaningful remedies, mere notice of a leak
would be akin to a company saying: ``We just had a toxic spill in your
backyard. It might cause you harm, and so you might want to have
periodic medical checkups.'' The letter from ChoicePoint to the victims
of its data breach began:
I'm writing to inform you of a recent crime committed against
ChoicePoint that MAY have resulted in your name, address, and
Social Security number being viewed by businesses that are not
allowed to access such information. We have reason to believe
that your personal information may have been obtained by
unauthorized third parties, and we deeply regret any
inconvenience this event may cause you.8
---------------------------------------------------------------------------
\8\ Letter from ChoicePoint to Californians Regarding the Data
Breach (Feb. 9, 2005).
---------------------------------------------------------------------------
The letter recommended that people review their credit reports, and
continue to check them for unusual activity. In other words, ``we've
had a spill, now you go and protect yourself.''
Certainly, requiring disclosure of security leaks is a good first
step, but merely sending people a scary letter without providing them
with sufficient rights and abilities to address the problems will not
suffice.
Identity theft, according to estimates, results in victims spending
on average 200 hours and thousands of dollars fixing the
damage.9 Becoming victimized by identity theft is akin to
contracting a chronic protracted disease. Because people have so little
participation and power over their information, it is very hard for
them to cure themselves and clean up their records. Identity theft can
be financially and emotionally crippling, and the law does little to
help people who have been victimized. States, such as California, have
adopted some effective measures to assist victims in dealing with
identity theft.10 I believe that Congress should look to
California's measures as it crafts a federal law addressing these
issues.
---------------------------------------------------------------------------
\9\ Janine Benner, Beth Givens, & Ed Mierzwinski, Nowhere To Turn:
Victims Speak Out on Identity Theft: A CALPRIG/Privacy Rights
Clearinghouse Report (May 2000), at http://privacyrights.org/ar/
idtheft2000.htm.
\10\ The California Office of Privacy Protection maintains a
comprehensive summary of California's privacy statutes: http://
www.privacy.ca.gov/lawenforcement/laws.htm.
---------------------------------------------------------------------------
C. Deactivating Dangerous Data
The data leaks that have occurred recently are made more harmful
because of another type of security issue. SSNs, birth dates, and other
pieces of personal data are used by other companies as passwords to
obtain access to accounts or to sign up for a credit card. It would
take great imagination to design a poorer security mechanism than the
use of SSNs. This is akin to using a password that anyone can readily
obtain in an instant. Companies routinely sell people's SSNs, as it is
not illegal to do so. SSNs are also available in many public
records.11 This ``password'' can then unlock virtually any
account or be used to sign up for credit cards. And it is very
difficult to change it. As I argued in my book ``the SSN functions as a
magic key that can unlock vast stores of records as well as financial
accounts, making it the identity thief's best tool. . . . [T]he
government has created an identification number without affording
adequate precautions against its misuse.'' 12
---------------------------------------------------------------------------
\11\ Solove, Digital Person, supra, at 115-17.
\12\ Solove, Digital Person, supra, at 116.
---------------------------------------------------------------------------
If the practice of using SSNs as passwords were halted, the leakage
of SSNs would not be as dangerous and damaging to individuals. In our
paper, A Model Regime of Privacy Protection, Chris Hoofnagle and I
propose:
Companies shall develop methods of identification which (1)
are not based on publicly available personal information or
data that can readily be purchased from a data broker; and (2)
can be easily changed if they fall into the wrong hands.
Whereas Social Security Numbers cannot be changed without
significant hassle, and dates of birth and mother's maiden
names cannot be changed, identifiers such as passwords can be
changed with ease. Furthermore, they are not universal, and
thus a thief with a password cannot access all of a victim's
accounts--only those with that password. Biometric identifiers
present problems because they are impossible to change, and if
they fall into the wrong hands could prove devastating for
victims as well as present ongoing risks to national security.
Therefore, passwords are a cheap and effective way to limit
much identity theft and minimize the problems victims face in
clearing up the damage caused by identity theft.13
---------------------------------------------------------------------------
\13\ Daniel J. Solove & Christopher Hoofnagle, A Model Regime of
Privacy Protection, at http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=699701
---------------------------------------------------------------------------
If businesses and other private sector organizations were restricted
from using SSNs as passwords, improper access to people's SSNs would
not put people in such peril of identity theft and fraud.
The Gramm-Leach-Bliley (GLB) Act of 1999 requires agencies that
regulate financial institutions to promulgate ``administrative,
technical, and physical safeguards for personal information.''
14 Despite the fact that FTC regulations under the Gramm-
Leach-Bliley Act establish security standards for financial
institutions to ``[p]rotect against unauthorized access to or use of
such information that could result in substantial harm or inconvenience
to any customer,'' 15 many financial institutions continue
to allow easy access to records by using SSNs as passwords. In an
article entitled, Identity Theft, Privacy, and the Architecture of
Vulnerability,16 I argued:
---------------------------------------------------------------------------
\14\ 15 U.S.C. 6801(b) (requiring agencies to promulgate
``administrative, technical, and physical safeguards for personal
information.'').
\15\ 16 C.F.R. 314.3(b) (2002).
\16\ Daniel J. Solove, Identity Theft, Privacy, and the
Architecture of Vulnerability, 54 Hastings L.J. 1227 (2003).
---------------------------------------------------------------------------
The GLB Act requires a number of agencies that regulate
financial institutions to promulgate ``administrative,
technical, and physical safeguards for personal information.''
On February 1, 2001, several agencies including the Office of
the Comptroller of the Currency, the Board of Governors of the
Federal Reserve System, the Federal Deposit Insurance
Corporation, and the Office of Thrift Supervision issued
standards for safeguarding customer information. On May 23,
2002, the FTC issued similar security standards. Pursuant to
the FTC regulations, financial institutions ``shall develop,
implement, and maintain a comprehensive information security
program'' that is appropriate to the ``size and complexity'' of
the institution, the ``nature and scope'' of the institution's
activities, and the ``sensitivity of any customer information
at issue.'' An information security program consists of ``the
administrative, technical, or physical safeguards
[institutions] use to access, collect, distribute, process,
store, use, transmit, dispose of, or otherwise handle customer
information.'' The regulations set forth three objectives that
a security program should achieve:
(1) Insure the security and confidentiality of customer
information;
(2) Protect against any anticipated threats or hazards to the
security or integrity of such information; and
(3) Protect against unauthorized access to or use of such
information that could result in substantial harm or
inconvenience to any customer.
The GLB Act is on the right track in its focus on information
security . . . However, the regulations under the GLB Act
remain rather vague as to the specific level of security that
is required or what types of measures should be taken. The
regulations require institutions to designate personnel to
``coordinate'' the information security program; and to
``[i]dentify reasonably foreseeable internal and external risks
to the security, confidentiality, and integrity of customer
information.'' These regulations establish rather broad, obvious
guidelines; they virtually ignore specifics. Of course, a rule
that is too detailed in the standards it requires could end up
being ineffective as well . . . [S]uch regulations, if too
specific, can quickly become obsolete, discourage innovation,
and be costly and inefficient. However, rules that are too
open-ended and vague can end up being toothless. Although
security standards must not be overly specific, they must
contain meaningful minimum requirements.
Ultimately, the strength of the GLB Act's security
protections will depend upon how they are enforced. . . .
Despite these new security provisions, companies continue to
maintain lax security procedures for the access of financial
accounts and other personal data. Thus far, the FTC's efforts
have been somewhat anemic. With vigorous enforcement, security
practices can change. But it remains uncertain whether the FTC
and other agencies will undertake such a vigorous enforcement
effort.17
---------------------------------------------------------------------------
\17\ Id. at 45-46. The article is available online at: http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=416740
---------------------------------------------------------------------------
The FTC has not used the GLB Act to crack down on security, as the
spate of security breaches in the news these days has occurred in
spite of these regulations. The FTC could have concluded, for example,
that the use of SSNs as passwords by so many financial institutions was
an insufficient security procedure under the GLB standards. But it did
not. Why hasn't the FTC vigorously enforced these security standards?
I can postulate two reasons. First, the security standards only
apply to financial institutions rather than all the entities that
process significant amounts of personal data. Second, they are rather
vague, and as a result, they have not provided adequate guidance. To be
effective, security standards must apply widely, not in a piecemeal
fashion, and they must be more specific in nature (without being overly
constraining).
D. Accuracy
Beyond identity theft, people lack the ability to easily locate and
fix errors in their records that can cause them harm. Decisions are
being made based on people's dossiers which are often riddled with
inaccuracies. Although a recent Wall St. Journal article noted that
ChoicePoint says that only .0008% of its 7.3 million background checks
in 2004 had incorrect data, the authors had no difficulty finding a
number of instances of people harmed by errors in ChoicePoint
databases.18 In one study, 90% of ChoicePoint's reports
obtained had at least one error.19 And there are numerous
anecdotal stories reported in the media of significant errors in
people's reports.20
---------------------------------------------------------------------------
\18\ Evan Perez & Rick Brooks, File Sharing: For Big Vendor of
Personal Data, A Theft Lays Bare the Downside, Wall St. J., May 3,
2005, at A1.
\19\ After the Breach: How Secure and Accurate is Consumer
Information Held by ChoicePoint and Other Data Aggregators?, Before the
California Senate Banking Committee, Mar. 30, 2005 (testimony of Pam
Dixon, Executive Director, World Privacy Forum).
\20\ Id. (testimony of Elizabeth Rosen, Registered Nurse) (noting
that the report wrongly reported that she owned a deli store); Bob
Sullivan, ChoicePoint Files Found Riddled With Errors, MSNBC, Mar 8,
2005, available at http://www.msnbc.msn.com/id/7118767/ (noting that
Deborah Pierce's ChoicePoint report wrongly indicated a ``possible
Texas criminal history'').
---------------------------------------------------------------------------
The issue of accuracy demonstrates a central problem--the companies
maintaining personal data are often not accountable to the people to
whom the data pertains. Because of this lack of accountability, there
are insufficient incentives for data brokers to maintain their records
accurately. The Fair Credit Reporting Act (FCRA) requires consumer
reporting agencies to maintain procedures to ensure ``maximum possible
accuracy.'' 21 However, many data brokers have databases
that they claim fall outside of FCRA. And they gather data from various
public record systems, which themselves might have errors. An error can
infect various databases because of the fluidity by which personal
information is transferred. Moreover, because people are so out of the
loop when it comes to the way their data is collected and used, they
might not even discover the error. Little is done more systemically to
ensure the accuracy of record systems used for background checks and
other decisions about people's lives.
---------------------------------------------------------------------------
\21\ 15 U.S.C. 1681e(b).
---------------------------------------------------------------------------
E. Closing the Gaps
The security breaches we are facing today are part of a larger
problem, one involving information privacy. This is not a problem that
can be solved with what I call the ``little more care and little more
notice'' approach. Certainly setting minimum security standards and
providing notice to consumers of security breaches are two important
steps. But the larger problem is one of information privacy. In some
contexts, personal information is widely collected, used, and
disseminated without much control or limitation. Information today is
protected in a piecemeal fashion based on who holds it. The same piece
of data might be protected if held by a video rental store but
completely unprotected in the hands of data brokers such as ChoicePoint
or LexisNexis.22 The current state of regulation of
information is very porous, with tremendous gaps and loopholes. The
result is that we have, in many respects, lost control over the way
personal information is collected, managed, and used. We have a system
that does not promote accountability among the users of personal
information. We have a system that to a large extent leaves people out
in the cold if victimized by identity theft or if harmed by an
erroneous report. We have a system that thrusts on consumers the
tremendous responsibility of guarding their digital dossiers, a
difficult task when so many companies maintain data about them and when
people have little knowledge that this is going on. Congress must put
individuals back in control of their data and ensure that companies are
accountable for the way they handle and use that data.
---------------------------------------------------------------------------
\22\ Video Privacy Protection Act of 1998, Pub. L. No. 100-618, 18
U.S.C. 2710-11.
---------------------------------------------------------------------------
iii. the problem with preemption
In any solution that Congress takes, the innovative role of the
states must be preserved. Thus, Congress should avoid preempting state
laws when crafting federal legislation.
Many of the ideas for reforming the information system in this
country emerge from state laws. Justice Brandeis said it well: ``It is
one of the happy incidents of the federal system that a single
courageous State may, if its citizens choose, serve as a laboratory;
and try novel social and economic experiments without risk to the rest
of the country.'' 23 This is especially important in a
rapidly changing field such as information privacy. Not all approaches
work, and we need a way to test innovative solutions. Indeed, the law
that required ChoicePoint to disclose its security breach was a
California law. What if there were federal preemption and such a law
never existed? Would we ever have found out about the security breach?
---------------------------------------------------------------------------
\23\ New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932)
(Brandeis, J., dissenting).
---------------------------------------------------------------------------
Federal legislation that preempts state law will not only shut down
the real engines of innovation in the field, but it will have very
detrimental long-term effects on federal legislation as well. The grist
for federal legislation in privacy is often state regulatory ideas that
have worked. The majority of privacy legislation has been enacted at
the state level.24 Many of the federal laws addressing
privacy have adopted measures tried-and-tested in the states. The
states first tried out the idea of telemarketing do-not-call lists.
Many of the reforms in the 2003 federal Fair and Accurate Credit
Transactions Act were based on prior state laws.25 If
Congress were to shut down this tremendous source of ideas, federal
legislation will lose one of its primary developmental tools. Federal
legislation in the future would suffer severely as a result.
---------------------------------------------------------------------------
\24\ Robert Ellis Smith, Compilation of State and Federal Privacy
Laws (Privacy Journal 2002).
\25\ Edmund Mierzwinski, Preemption of State Consumer Laws: Federal
Interference Is A Market Failure, Government, Law and Policy Journal of
the New York State Bar Association, Spring 2004 (Vol. 6, No. 1, pgs. 6-
12).
---------------------------------------------------------------------------
I have often heard companies say that it is too onerous to comply
with so many differing laws in all 50 states. Yet if the federal
legislation sets a strong floor of protection, there will be little
incentive for the states to do more. In other words, if the federal
legislation solves the problems, then there will not be a need for the
states to act. Additionally, historically, stronger protections have
only been enacted by a handful of states, not all 50. So the reality is
not 50 different standards, but a floor of protection for 90% of the
states with the remaining 10% adopting slightly more protective
standards. Moreover, other industries have long dealt with differing
state protections, such as the auto industry and the insurance
industry. Why are the burdens on data brokers any greater? What strikes
me as most remarkable is that companies that manage billions of records
of data and claim to be able to do so with remarkable depth, precision,
and detail say that they cannot comply with a handful of states that
have stronger protections.
Most federal privacy laws have not preempted stronger state
protections: the Electronic Communications Privacy Act, the Right to
Financial Privacy Act, the Cable Communications Privacy Act, the Video
Privacy Protection Act, the Employee Polygraph Protection Act, the
Telephone Consumer Protection Act, the Driver's Privacy Protection Act,
and the Gramm-Leach-Bliley Act.\26\ In all these instances,
companies have been able to comply with state laws.
---------------------------------------------------------------------------
\26\ Respectively at 18 U.S.C. 2510 et seq., 12 U.S.C. 3401, 47
U.S.C. 551(g), 18 U.S.C. 2710(f), 29 U.S.C. 2009, 47 U.S.C. 227(e), 18
U.S.C. 2721, and Pub. L. No. 106-102, 507, 524 (1999).
---------------------------------------------------------------------------
IV. Conclusion
I am very encouraged that so many in Congress are interested in
addressing the problems of data security and information privacy. My
recommendations today are: (1) to focus on the larger problem by
empowering individuals and making the users of data more accountable;
and (2) to avoid preempting the states, as this will retard the
development of privacy law for years to come.
Mr. Stearns. I thank the gentleman. We are going to take a
recess. We will quickly vote and we will be right back with the
questions from the Members of Congress. So thank you for your
patience.
[Brief recess.]
Chairman Barton. The Chair would recognize himself for 5
minutes. I want to apologize for calling you back from your
break, but I have got three meetings going on right now and so
this would be my only chance to ask questions.
This is not a Visa card; it is a MasterCard card, but I
have got--it says Joe Barton, Campaign, Joe Barton. There is
only one of these cards. I hardly ever use it. Five, six times
a year maybe, once a month. I got a phone call Monday; somebody
in Orlando, Florida had charged $3,500 at two different Wal-
Marts on this card. Now, I have been in Wal-Mart; I have been
in Orlando to Disneyworld back in January, but I never went to
a Wal-Mart. And the people that use--they actually had a card,
not just the number, they had the card. And they went in on two
different occasions, charged around $3,500. So I got a phone
call, and the lady on the phone said had I been to Orlando,
Florida? I said yes. She said were you there over the weekend?
And I said no. And so we determined that somebody else had used
this card.
Now, the gentleman from--I think Mr. Ireland is
representing Visa. According to your testimony, there is a very
sophisticated system to detect misappropriation or misuse of
these cards, so I would assume that that is what happened with
me, that it kicked in because it was two large transactions and
in an area that I showed almost no use, no geographic use. Is
that correct?
Mr. Ireland. That is correct. The financial institution--
bank that issued that card and probably in combination with
MasterCard has a system to track authorizations on the card to
see whether they fit your pattern and to see whether they fit
known fraud patterns. And so they spotted a transaction that
they didn't think was you----
Chairman Barton. Now, who ends up paying for those charges?
Does Wal-Mart pay for them? Does the institution that issued
this card pay for them?
Mr. Ireland. Typically, in a card-present transaction, the
institution that issued the card will pay for it.
Chairman Barton. Now what, if anything, will they do to try
to actually track down the person who used this card
fraudulently?
Mr. Ireland. Well, typically, the card issuers will work
with law enforcement based on the information they get to see
if there is any way they can do it. We are talking in this case
about the creation of counterfeit cards, which----
Chairman Barton. They actually had a card. It wasn't just
the number.
Mr. Ireland. Exactly. Which has been a problem in the past
and the credit card issuers have worked to develop security
features in the card and other ways to combat card
counterfeiting. But they have regular programs that are
designed to prevent those kinds of fraud and to try to track
them down----
Chairman Barton. Well, how would whoever got a fraudulent
card--because I just almost never use this card. How would they
have actually gotten the information, obtained the information
to create the fraudulent card?
Mr. Ireland. I obviously can't answer that in this specific
case. But it is possible to create fraudulent cards based on
information that may be collected at the point of sale. I
believe the Visa rules discourage or prevent the collection of
that information, but sometimes enough information is collected
at point of sale to create a fraudulent card, No. 1. No. 2,
plain old theft may be involved. Somebody may have been able to
get a hold of the card, steal it for a period of time and
replace it.
Chairman Barton. I--now what?
[Brief recess.]
Mr. Stearns. If members are here, we are going to continue
to go on. We have another full committee markup that we have to
do in this room, and I think we have three out of the five, and
we have the chairman here who is in the middle of his
questions. So if the witnesses will please take their seats,
and we shall continue. And with that, I recognize the chairman
of the full committee, Mr. Barton.
Chairman Barton. And, Mr. Chairman, I had about 2 minutes
left on my clock, so if you want to----
Mr. Stearns. Well----
Chairman Barton. [continuing] reset the clock----
Mr. Stearns. [continuing] we will give you whatever you
want, sir.
Chairman Barton. Well, we just want to be fair. I was
asking a series of questions based on my personal campaign
credit card being stolen over--the number stolen and used down
in Florida, what the safeguards are about that. But I want to
go to the next line of questions. I want to ask Mrs. Barrett, I
would like to outlaw the use of Social Security numbers for any
purpose except governmental purposes. What is your reaction to
that?
Ms. Barrett. Well, I think that the Social Security number
has become an identifier in many, many aspects of our lives.
From a standpoint of Acxiom's business, we limit its use to a
very, very small number of instances. So the direct impact on
something like--back to us would not be significant. But I am
aware of instances where it would create huge problems for
either our clients or other businesses. And I----
Chairman Barton. Well, just this calendar year, we have had
I think three instances of people breaking into data systems
and stealing hundreds of thousands of records that had Social
Security numbers attached to them with quite a bit of personal
privacy information. You know, I understand how ubiquitous the
Social Security number is, and it is one of the few things that
almost every American citizen has and even some non-citizens if
they are working in the country. But wouldn't it be possible to
create each data base its own identifier so we don't have to
use the Social Security number?
Ms. Barrett. In many cases Acxiom does help our clients,
who have the records on these consumers, create their unique
customer identifiers. Social Security number, however, has
become a key element in identifying someone's identity when you
are trying to establish who that person is up front so that----
Chairman Barton. But you could do it without it. We have
had banks a lot longer than we have had the Social Security
system.
Ms. Barrett. You could. I think we need to look carefully
at whether it is government uses or other specific uses should
be carved out and preserved because of the importance of it----
Chairman Barton. Mr. Burton----
Ms. Barrett. [continuing] restricting general uses.
Chairman Barton. Mr. Burton, do you have a comment on that?
Mr. Burton. No, I don't. I think our view is if you are
keeping any sort of data, Social Security numbers, any
sensitive data, it should be encrypted so that even if it is
pilfered, it doesn't mean anything to the thieves.
Chairman Barton. Okay. What about the gentleman, Mr.
MacCarthy, who is representing Visa now.
Mr. MacCarthy. Our sense is that the Social Security number
is a key identifier in a lot of the data bases that are
important for people who are issuing credit cards, when they
are trying to determine whether someone who is applying for
credit has a good history. The Social Security number is, in
the current systems, a very important way of identifying that
person and seeing whether that person has a good credit
history. It is not impossible over time to move to a new
system, but the legacy systems, the ones that exist now, the
ones that help us fight identity theft and fraud all make heavy
use of the Social Security number. And a government rule that
said you simply can't use that starting tomorrow would create
havoc with those systems. So we would ask you to look carefully
at the idea of restricting Social Security numbers to just
government use. We think right now they are----
Chairman Barton. Well, I know that you----
Mr. MacCarthy. [continuing] legitimate commercial uses.
Chairman Barton. I know that you are not trying to be
argumentative and that you had a legitimate business point, but
at what point do we say an individual's privacy trumps that? Do
we just say it is okay for these Social Security numbers to be
stolen and used for all kinds of purposes for which they are
not intended because of these legacy systems and all of the
valid, legitimate business reasons why it would be inconvenient
to do something differently?
Mr. MacCarthy. Two things: one is very often a way to fight
identity theft and fraud, which hurts consumers, is through the
effective use of Social Security numbers. So if you take that
weapon away from us, it might actually hurt in protecting
people against identity theft and fraud.
The second is there are some uses of Social Security that
probably should be restricted. You know, the idea that a Social
Security number can be simply published on the Internet or made
available for non-business uses, we think that that is the kind
of thing that Congress may want to look upon and restrict.
In terms of business practices, it is the current practice
and maybe it should begin to be phased out--it is the current
practice for Social Security numbers to be used as access
numbers to gain access to accounts and other--and that may be
something that should, over time, go away as well. The fact
that that number is so readily available makes it very, very
risky to use as an access device.
Chairman Barton. And my time is about to expire, but as we
get more and more information and more and more centralized, we
have to do something. I mean we just have to. You cannot have
an individual or a family that their whole financial records,
their medical records, all kinds of consumer data is just out
there without their permission. And the Social Security number
ties that all together and it is so easy for the criminal
elements--we have had testimony that organized crime is moving
in to identity theft. And so I know there are legitimate
business reasons why it is done, but I think the time has come
to tip the balance in the favor of the individual privacy and
find another way to help businesses determine the identity of
people they want to give credit to. With that, Mr. Chairman, I
yield back. I thank the witnesses for the inconvenience.
Mr. Stearns. Just following up with what the chairman said,
there is some talk about a second factor ID authentication, and
they gave me this card, Mr. Chairman, where, instead of putting
your Social Security number, what you would do is put your name
and then they would ask you, based upon the permutations in
this card, you would give them a number off a card. And rather
than--I think that is what you talked about a little bit, Mr.
Burton. You might tell the chairman here just before he goes
what this second factor ID authentication would do which
possibly could replace Social Security.
Mr. Burton. Yes, well, second factor authentication is an
access card and a way to identify a user. I think what it would
not do is identify a user in a data base, which I think is what
a lot of Social Security numbers do. But what a lot of security
experts are saying, we have got to have, for everyone holding
sensitive information, says the FDIC recommendation, is to use
second factor authentication. And that means not only something
that you know, which are passwords, which give you access to
an account, but something that you physically have. So even if
your password is compromised, the thieves still can't get
access. The problem with this technology to date is that it is
quite expensive. It can run $40, $50 per year per user. And so
for mass applications, it is simply not feasible.
And the solution that Chairman Stearns and I were
discussing is called IdentityGuard. Entrust just released it
about 4 months ago. And what you do is you enter your user name
and password in your account; you then have a card with a
unique scrambled set of numbers and letters unique to you, and
much like bingo, you are prompted to say, well, what is in
column A-1, B-3, C-4, and then you fill in the numbers from
this unique card and get access to your account.
What is interesting about this is that that prompt changes
every time you log in. So it is not that there is one PIN
number, there is one password that someone has to steal to get
access to your account. Very inexpensive, very easy to deploy,
mass market application, and I think these are the kinds of
technologies that the private sector is starting to come up
with to address questions of access to sensitive information.
Mr. Stearns. Thank you. You know, listening to your opening
statements I sort of put together I think about seven different
things that would possibly be in a bill. And I am not sure we
would all agree upon these factors. But I thought I would take
each one and ask you if you agree or disagree. The first I
heard was uniform national notification standards for consumers
in the event of a breach. Does anybody not agree with that
being part of the bill? Okay. So----
Mr. Burton. Just a----
Mr. Stearns. Yes.
Mr. Burton. [continuing] point of clarification for breach
of unencrypted personal information. I think that is how most
of the State laws read----
Mr. Stearns. Okay----
Mr. Burton. [continuing] so that if there is a breach and
the data is encrypted, no one can read it, and so there
shouldn't be a notification requirement.
Mr. Stearns. Okay.
Mr. MacCarthy. Mr. Chairman----
Mr. Stearns. Yes, sir.
Mr. MacCarthy. The one thing we would add to that is
compliance with the guidelines that have been put in place by
the Federal banking regulators should count as compliance with
the national standard that is put in place in the legislation.
Mr. Stearns. Okay. Good point. The second is Federal
preemption with all the States. Anybody disagree with that?
Okay. The third is establish an official agency role over
public data providers. This was mentioned. Sort of a government
agency having broad powers, something like the SEC, dealing
with privacy. Does anybody disagree with that or not? It is a
little more controversial. And, Ms. Barrett, I think you sort
of might have some objection to that.
Ms. Barrett. Well, I don't know that I have objection. I
think that information providers have a responsibility to
safeguard the information and use it for responsible purposes.
And if there are enough bad actors out there that are using
information irresponsibly, we want those out of the
marketplace. And if it takes a regulating agency to do it, then
we will support that.
Mr. Stearns. Okay, so that is--yes. This is pretty
important now. What you are saying is a government regulating
agency should be put in place to help and control, and, you
know, you have got to be careful what you ask for here.
Mr. MacCarthy. The only point I would ask is that the
committee recognize the important role that the Federal banking
regulators already play in that area----
Mr. Stearns. Okay.
Mr. MacCarthy. [continuing] their privacy requirements and
their security requirements, notification requirements that are
already administered by the banking agencies and by the Federal
Trade Commission. And I don't think it would be a good idea to
move enforcement from those agencies to a new agency.
Mr. Stearns. Okay. So maybe the existing Federal Trade
Commission or the existing whatever----
Mr. MacCarthy. Yes.
Mr. Stearns. [continuing] Gramm-Leach-Bliley where----
Mr. MacCarthy. Yes, that would work.
Mr. Stearns. Yes. Opportunity for consumers to inspect and
correct any information that is in their data base. Yes?
Ms. Barrett. Today, we offer the consumer the right to do
that. I think that it is--when it comes to correction, it is a
complicated environment, so we need to explore how a correction
takes place very carefully. But the concept that the
information needs to be accurate, and when it is inaccurate, we
need to figure out ways to deal with it is one we support.
Mr. Stearns. The idea is for your consumer credit you can
get access to see if it is correct. And so the theory is then
why can't you inspect incorrect data that has been collected to
see if it is correct too?
Ms. Barrett. We actually offer the same inspection----
Mr. Stearns. Okay.
Ms. Barrett. [continuing] of information in our fraud
management systems.
Mr. Stearns. I am not sure----
Ms. Barrett. And our----
Mr. Stearns. [continuing] everybody does though.
Ms. Barrett. No. I don't believe----
Mr. Stearns. And so the question, should the Federal
Government step in and mandate that all data collection
agencies have to provide access to consumers so they can see if
the information is correct? That is a little sensitive because
there is a lot there that deals with marketing and deals with----
Ms. Barrett. I was just about to say there are different
categories of data.
Mr. Stearns. Right, different categories.
Ms. Barrett. And so I think it is important to understand
that when we want to put a standard of accuracy in and
correction in and access in, that we need to do it in a way
where the accuracy of the information is important to the
decisionmaking process. We offer access today to all of our
what we call reference products where decisions are being made,
identities are being verified with that information.
We actually do not today offer access to our marketing
products. We offer an opportunity to see what kind of data we
might have about you and then the chance to opt out of that.
But since you can't opt out of identity systems like you can't
opt out of your credit report----
Mr. Stearns. Yes.
Ms. Barrett. [continuing] the inspection process becomes
more important.
Mr. Stearns. Yes, it is a little more nuanced. Someone
mentioned to possibly have the security officer sign to
corroborate the security at the agency that collects this
information. Does anybody disagree with that? It is a little
bit like Sarbanes-Oxley in which the CEO has to sign the
accounting--the P and L statement. So it sounds like you might
accept that.
The other idea is standard credentialing practices for
customers desiring sensitive consumer data. Anybody object to
that?
Ms. Barrett. Let me just comment on that----
Mr. Stearns. Yes.
Ms. Barrett. [continuing] I think that credentialing is
extremely important. I would caution the committee in terms of
how it defines credentialing because the tools we have for
credentialing today will not be the same tools that we have in
5 or 10 years----
Mr. Stearns. Yes.
Ms. Barrett. [continuing] and so if we do it in a way that
allows the evolution of technology and other aspects to be
accommodated within the requirement, it may be a good
requirement. For instance, I think the Gramm-Leach-Bliley
safeguards rule really actually has an implication on
credentialing because it says you must have physical,
procedural, system, and so on, processes in place to keep the
data protected from unauthorized use. And to me credentialing
becomes a part of that. So I would just urge that the committee
not consider too prescriptive an approach to accommodate
wherever we go with technology in the future.
Mr. Stearns. My time is up. I think the last one I had was
to encourage, perhaps through legislation, a technical solution
for--well, let me--you know, instead of using your Social
Security ID, to try and encourage some other way, work out so
that you could access the information without using your Social
Security ID. And that is sort of what we talked about in the
Chairman Barton talk. So my time has expired. And with that, I
recognize the ranking member.
Ms. Schakowsky. Thank you, Mr. Chairman. Mr. Ireland, you,
in your testimony, talked about significant risk of harm, and
you went back to FTC chairwoman saying notices should be sent
only if there is a significant risk of harm. How are we going
to define significant risk of harm?
Mr. Ireland. Well, I think there is obviously a drafting
issue here as to precisely the verbiage you use in how you
ensure that it doesn't essentially gut the requirement. But
there are numerous circumstances where identification
information that could otherwise be used for identity theft,
upon investigation you find out that it is clearly not going to
be used for that purpose.
One thing we have seen is what might be called competitive
espionage where one company manages to get a hold of the other
company's customer list, and it includes identification
information that might be used to open an account. But you know
they have no intention of doing that. What they want to do is
solicit the company's customers. And a notice in those
circumstances to the customer might serve some privacy
interest, but there is no real reason for the customer to go
put a fraud alert on their account, for example----
Ms. Schakowsky. Well, who says that it is not of interest
to the consumer in that even being solicited might, in their
view--harm may not be the correct word, but you heard my
colleague, Ms. Cubin, talk about being notified about some
breaches which, she said, thankfully are not going to result,
she believes, in any illegitimate use. But she, it seems to me,
is glad to know that this information has been shared at the
very least. And I can't quote you exactly the source, but at
one of the many hearings on privacy, apparently a data broker
has testified that the unauthorized access of information by a
former employee does not constitute a significant risk. I am
just a little concerned that the owners of this information are
deciding for me what I might consider to be significant harm
and then choosing to not provide the information to me, that
there has been a breach.
Mr. Ireland. Well, I would agree with you. I think there is
a terminology and a drafting challenge there because you don't
want the owners to have unlimited discretion to make that
decision. Currently, under the banking agency guidance, for
example, banks are required to notify the banking agency about
the breach, regardless of risk. And then they are supposed to
notify based on risk standard, and that is going to be worked
out between the banks and the banking agencies.
There are issues where information is disclosed that have
implications for privacy. There are issues where information is
disclosed that have implication for credit card fraud. And
there are issues where information is disclosed that have
implications for identity theft in the form of opening accounts
in somebody's name that are fraudulent. And the actions that a
consumer would want to take on the basis of those different
classes of breaches are different. If you find that you are
giving notices to consumers in all of those classes, you may
find that the one where they really need to take action by
putting a fraud alert, for example, on their file at a consumer
reporting agency under the FACT Act, as passed by Congress in
2003, gets lost among other notices that are simply addressing
potential privacy issues. So I think the----
Ms. Schakowsky. You know, I mean----
Mr. Ireland. [continuing] judgment needs to be made----
Ms. Schakowsky. [continuing] let us not get too----
Mr. Ireland. [continuing] here----
Ms. Schakowsky. [continuing] patronizing though about what
consumers can really handle. I mean, we may want to deal with
how we communicate that and prioritize a sense of urgency. But
isn't it also true that financial institutions regulatory
guidance doesn't cover breaches of data about business
customers, even small business customers who have business
accounts? Mr. MacCarthy said in your absence that we should
import that standard. And, you know, we are not covering all--I
guess the guidance doesn't cover all consumers but only
customers.
You know, we just need to make sure that--I think that we--
privacy is a huge deal to people. And I think it varies in its
implications, but people don't even like the idea of people
just picking through it.
And with that, I just want to ask the question--I realize I
am running out of time. How do I determine which data brokers
have my information? I mean, does your company have information
about me? How do we even know? We know about credit reports, we
know how to check them, we can even get them free once a year
now. But who has my information? How do I know if I want to
know? Maybe each of you could quickly tell me how I know if you
have got info on me?
Ms. Barrett. Well, there are a couple ways if Acxiom had
info on you that you might know about it. If you have a
question about a client or about a business relationship and
you ask them where did that information come from? They might
well refer you to Acxiom if we provided the information for
whatever that process----
Ms. Schakowsky. But they might not.
Ms. Barrett. Well, we actually encourage our clients to do
that. And so that is one avenue.
Ms. Schakowsky. They don't have to.
Ms. Barrett. It becomes a customer service issue I think
for them to----
Ms. Schakowsky. Okay.
Ms. Barrett. [continuing] deal with--in terms of you--your
relationship with them since they are the business that you
have a relationship with.
Ms. Schakowsky. Okay.
Ms. Barrett. On our website you can request, as I was
talking earlier, a copy of the report of the information that
we have since we do allow consumers to have access. Our web
address is fairly well-known. While I don't think all consumers
know it, many, many do, and you can easily get to it from
privacy websites and a number of other places. Those would be
the two most common ways.
Ms. Schakowsky. If we knew about Acxiom we could do that,
but, you know, most consumers haven't got a clue of who is even
controlling their information. Do you know what I am saying? Is
there a website I could go to to say well, here is a whole list
of data brokers? Here is a whole list of people--I mean, I know
who my credit card companies are, so I can go there. But these
other businesses that may have my information and are in the
business of information are really not very well-known to
people.
Ms. Barrett. I think that is accurate. And we have actually
talked about whether or not there should be a directory if you
will or a website where consumers could go and learn who we
are. We are certainly not trying to stay in the dark.
Ms. Schakowsky. Thank you.
Mr. Buege. In our case at West we really don't originate
any of this information. We obtain it from the credit bureaus
and other aggregators. So in our case if you were to ask us
what we have, we would certainly happily and do happily share
that with consumers even though, again, we don't serve consumer
markets directly. And the answer is it all comes from upstream,
so what we end up doing is referring you to the source of the
data to have it corrected, removed, whatever.
Mr. Ireland. The only information we would have would be
derivative of the Visa card that you have with your bank. And
we act as a servicer to your bank in processing some of that
information, as do other servicers. And the place to start to
know where that information is is with your bank if it gave you
the Visa card.
Mr. Burton. Entrust is a security software company so we
are not a data broker, and we help banks and data brokers
protect information, but we don't hold any ourselves.
Ms. Schakowsky. Thank you all.
Mr. Stearns. I thank the gentlelady. The gentlelady from
Tennessee. Okay. Okay. I think what we are going to do is a
second round here. We appreciate having this expertise here.
Mr. Ireland, your testimony states that Visa believes that
all holders of sensitive information about consumers should be
subject to the same rules. Why shouldn't different types of
information be treated differently? Should data security laws
differentiate between companies that maintain customer data and
those that handle non-customer data?
Mr. Ireland. Well, the current banking rules, for example,
differentiate--well, depending on whether or not you are the
customer or the bank. But Visa adopted the CISP program, for
example, because it saw gaps in the banking agency 501(b) and
the FTC 501(b) guidance and standards like that. There was some
discussion earlier about whether the banking agency standard or
the FTC standard is precisely the right standard. And there is
no standard that can't be improved in my mind.
But standards like that ought to apply, we believe, to
classes of information that would be considered sensitive. And
obviously other classes, more sophisticated information systems
such as credit reporting agencies are already subject to the
Fair Credit Reporting Act. But a basic security standard in our
view ought to be adopted for a level of information. And it is
characterized in my testimony as sensitive, and you have to
sort out what that is.
One of the problems with current State legislation is that
different States are defining sensitive information
differently. And what you consider sensitive information
depends in part on the dialog I had with Ms. Schakowsky about
what you are trying to protect. If you are trying to protect
against identity theft, the information is the type of
information that would enable somebody to open an account with
a financial institution, which is information specified in
rules under Section 326 of the USA PATRIOT Act for example.
If you were talking about credit card account information,
that is a somewhat different set of information. If you are
talking about privacy interests, you are covering a still
broader set of information, but you are still not probably
covering information that is not personally identifiable. So as
you go about that task I think yes, you have to differentiate
between classes of information. But for the same class of
information, the same rules ought to apply, regardless of who
has that information I would think.
Mr. Stearns. If you could wave a wand, do you think Gramm-
Leach-Bliley needs to be changed at all?
Mr. Ireland. I think Gramm-Leach-Bliley has done a very
good job of doing what it set out to do, which was to have
financial institutions get control of their uses of personal
information and give consumers an opportunity to opt out of
certain uses of that information. And that has happened. And I
think you have a very high level of compliance with that
statute. But obviously there is personal information that is
outside the scope of that statute, and the unauthorized use and
access to that information creates risks to consumers and we
think ought to be addressed by security standards.
Mr. Burton. Mr. Chairman----
Mr. Stearns. Yes----
Mr. Burton. [continuing] if I could just comment----
Mr. Stearns. Go ahead. Sure, Mr. Burton.
Mr. Burton. [continuing] on Gramm-Leach-Bliley, because I
think actually the security safeguards in Gramm-Leach-Bliley
are extremely interesting, and I think that we may need to do
more. But if you look at what they talk about in terms of what
organizations should do to protect security, they don't talk
about technology, they don't talk about mandates. They really
talk about sound business practices like having a risk
assessment for your personal data, making sure there is a
security officer in charge of it, making sure that there is
regular audits. And I think these kinds of activities are
ultimately what is going to drive greater security.
And in the work that Entrust has done, including a
Department of Homeland Security Committee we co-chaired, we
focused really on information security as a corporate
governance issue. And so to the extent that you get CEOs and
Boards of Directors focused on this and with regular reports
going to them about the state of the security in their
organizations, suddenly you will see big progress in the way
that data is protected and secured.
Mr. Stearns. Mr. Buege, we haven't talked about in the
event that there are violations and penalties. And do you think
monetary penalties are appropriate for entities that disregard
basic data base security due to, you know, lack of preparation,
due diligence, not following good industry practices? And if so
when should a data broker be sanctioned with a fine?
Mr. Buege. I think I would say yes, that if a data broker
is not exercising appropriate diligence in terms of
safeguarding the information, in terms of securing access to it
appropriately, that sanctions would be an appropriate remedy. I
am not sure I can speculate on, you know, what sorts of
sanctions or the magnitude of those but----
Mr. Stearns. Do you think it should be monetary or----
Mr. Buege. Why not? I mean, I wouldn't object to some
measures like that in place. I mean, I think if that is what it
takes to motivate companies to properly protect this
information and to act responsibly in terms of access and
systems integrity, I would have no objection to it.
Mr. Stearns. Anybody else--I mean, that is another area we
haven't talked about in the event that we do find somebody who
is negligent. What kind of penalty should be enforced or is
there, you know, a warning or what? I mean, depending upon
obviously the offense, but if you have any feel on that,
anybody else?
Ms. Barrett. I would agree.
Mr. Stearns. Okay, all right. Well, my time has expired on
that, so the gentlelady from Tennessee.
Ms. Blackburn. Thank you, Mr. Chairman. And I want to thank
each of you for your indulgence. I had just arrived when we had
to depart. So I thank you for this. And I think it does, Mr.
Chairman, point out the importance of testimony being submitted
early because it does allow us to read through that and to
prepare and to be ready to come into the hearings.
Ms. Barrett, I think I want to begin with you if I may,
please, ma'am. And I want to thank all of you for what you are
doing and being with us here today. I represent an area in
Tennessee that goes from Memphis to Nashville, and we have a
lot of individuals that live in this district that are
concerned with piracy, intellectual property theft, and, of
course, a component of that is identity theft. And so we are
pretty focused on this. The banking interests, the insurance
interests that are in my district, the healthcare interests
that are there, the identity theft comes up repeatedly. So we
thank you for this.
And, Ms. Barrett, in your testimony you explained an
occurrence of a client illegally obtaining information from
your server and how you went about handling that. And my
question for you is based on--it was a July 1904 article that
was in ``U.S.A. Today'' that referenced an occurrence of
hacking into your server by an individual who ran
snipermail.com. So was Snipermail the client that you were
referring to?
Ms. Barrett. Yes, it is.
Ms. Blackburn. It is, okay. All right. So they were a
client and not just an outside intruder. And so would you
explain the vetting process that you went through before
agreeing to do business with Snipermail?
Ms. Barrett. Yes, and let me clarify--let me describe the
situation. That----
Ms. Blackburn. Okay.
Ms. Barrett. [continuing] might answer this plus other
questions. We have a file transfer server that our clients use
when they want to send us a file of data to be processed. They
would send that file to this server, and then we would reach
outside of our main system, pick it up, and bring it inside our
firewall. It was used----
Ms. Blackburn. Hold on just one moment. So that transfer
server is outside your normal firewall system?
Ms. Barrett. Yes, it----
Ms. Blackburn. Okay.
Ms. Barrett. [continuing] was password-protected with
passwords that each client was assigned. Sometimes the files
were coming to us for processing, and then when we finished
with that, sometimes we would put the file back on that server
to be sent back to the client. In many cases the downstream use
of that file was actually by a vendor of our clients. And in
the case of Snipermail, there were actually two different
breaches--or two different individuals that breached the server
in the same way in 2003. One of them was from a client
operation. The other one was from a vendor of a client. And we
posted files on that server, and the client actually gave the
vendor access to the server to come and pick up the files for
subsequent processing.
Ms. Blackburn. If I may follow up with you on that, then.
So in your vetting process with your clients, are you including
or requiring some type of vetting process for their vendors
with which they plan to share that information?
Ms. Barrett. We have talked about it since that incident.
Since the client--this is client data, not Acxiom data, not
part of our information products. We actually rely on our
client to do the vetting of their own vendors.
Ms. Blackburn. And what is your accountability process with
your clients regarding those vendor clients of theirs--the
vendors of theirs? Because in essence the client is acting on
the behalf of the vendor if you will. So therefore, you still
have a contingent liability in that issue.
Ms. Barrett. And what we have done since that incident is
change rather dramatically the processes we use to distribute
files to both clients and their vendors, tighten that process
up. There are much stricter passwords that are required for
that server. It is not a two-way server. There is a server for
distribution and a server for receipt. The passwords are
changed and verified far more frequently than they were before.
And we expect a credentialing process if you will to go on
between our client and their vendor.
Ms. Blackburn. Okay. Have you sold information on American
consumers to foreign companies or foreign governments?
Ms. Barrett. No.
Ms. Blackburn. You have not. Okay, great. All right. I
think my time is about out. Mr. Chairman, thank you.
Mr. Stearns. I thank you. I thank you for coming. We are
through with our questions so we are going to adjourn the
subcommittee, but I want to thank you for the patience you had
during the evacuation here. It is very unusual, but we
appreciate you taking the time to come back. We lost the GWU
law professor, but we are going to submit questions to him to
fulfill everything. But I think you have given us a good idea
of what we should do. So your coming here today has helped sort
of firm up some of the ideas we had on this bill, and we are
hoping, I think, in due time here to get a bill. And so any
other things that you might suggest--I have given you the
outline, probably 7 or 8 of the things we are thinking about,
some of them not as forcibly as the others, but you never know
what can happen once you move out of the subcommittee to the
full committee. But I am hoping we can mark this up in perhaps
the next 30 days. So thank you very much for coming, and the
subcommittee is adjourned.
[Whereupon, at 1:37 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
Prepared Statement of ARMA International
About ARMA International
Established in 1956, ARMA International (ARMA) is the non-profit
membership organization for the records and information management
profession. The 10,000 members of ARMA include records and information
managers, imaging specialists, archivists, technologists, legal
administrators, librarians, and educators. Our mission includes
providing education, research, and networking opportunities to
information management professionals, as well as serving as a resource
to public policy makers on matters related to the integrity and
importance of records and information.
ARMA also serves as a recognized standards developer for the
American National Standards Institute (ANSI), participating and
contributing toward the development of standards for records and
information management.\1\ ARMA is also a charter member of
the information and documentation subcommittee of the International
Organization for Standardization (ISO), aiding in the development of
its records management standard.\2\
---------------------------------------------------------------------------
\1\ ``Managing Recorded Information Assets and Resources: Retention
and Disposition Program'' may be viewed at http://www.arma.org/
standards/public/document_review.cfm?DocID=22.
\2\ ``Information and documentation--Records management--Part 1:
General'' (ISO 15489-1:2001) (hereafter ``ISO 15489-1''). ARMA fully
supports ISO 15489-1. ARMA is currently developing additional records
management standards beyond ISO 15489.
---------------------------------------------------------------------------
Because of the essential role of effective and appropriate
information management in today's economy, ARMA International has a
strong interest in issues pertaining to safeguarding consumer
information and other personally identifiable information possessed by
business and government.
Records and information management plays an important role in the
private sector. In this new century, the most valuable commodity of
business is information, often in the form of data bases of essential
information required by the service sectors of our economy. The
greatest responsibility for organizations will be managing and
maintaining the integrity of an ever-growing flow of information,
including the establishment of appropriate safeguards for sensitive
information and in establishing retention schedules compliant with
regulatory and statutory requirements. Issues such as what information
has intrinsic value and what information will be shared and with whom
are critical to the future success of 21st century organizations. These
challenges call for increased recognition of the role of managing
critical information and providing appropriate protections for
personally identifiable information.
Organizations that embrace information management as being
strategic and mission critical will ensure their competitive advantage
and remain appropriate stewards of information that contains personal
and private records.
Data security initiatives need to be sensitive to a wide variety of
factors
Americans demand security and privacy of their personally
identifiable information. Identity theft complaints continue to
rise.\3\ The establishment of new systems that allow easy
access and transference of personally identifiable data between parties
should be sensitive to personal privacy and grant assurance to
Americans that their data will not be misused or end up in the wrong
hands. ARMA believes that these systems must incorporate the best
practices of records and information management.
---------------------------------------------------------------------------
\3\ The Federal Trade Commission reported over 400,000 complaints
of identity theft logged into its ID Theft Clearinghouse as of December
2003. See prepared statement of the Federal Trade Commission on
Identity Theft: Prevention and Victim Assistance, presented by Betsy
Broder, Assistant Director, Division of Planning and Information,
Bureau of Consumer Protection, before the Subcommittee on Oversight and
Investigations of the House Committee on Energy and Commerce (December
15, 2003). http://www.ftc.gov/os/2003/12/031215idthefttestimony.pdf.
---------------------------------------------------------------------------
Concerns have also begun to emerge with health care providers,
financial institutions, and other users of consumer information sending
personally identifiable information overseas for processing. This
practice, known as ``information offshoring'' is becoming more and more
common as organizations seek to curb costs by sending data to countries
such as India, Pakistan, and Bangladesh for processing. Unfortunately,
these nations lack any statutory controls for the protection of personally
identifiable information and it remains unclear whether existing U.S.
laws, such as HIPAA, apply.\4\
---------------------------------------------------------------------------
\4\ In a response to a letter from Representative Edward J. Markey
asking whether HIPAA covers personally identifiable information sent
overseas for processing, Health and Human Services Secretary Tommy
Thompson indicated it did not. See letter from Secretary Thompson to
Representative Markey dated June 14, 2004 at http://www.house.gov/markey/Issues/iss_health_resp040614.pdf.
---------------------------------------------------------------------------
Of primary importance from a records and information management
perspective is ensuring the privacy and security of the information.
Whatever information management systems are in place must ensure
protection of the records and information in these two critical areas.
Public sector agencies and private sector entities should not have
access to personally identifiable information unless the information is
essential to the organization's work. It is important that public and
private sector entities identify what information is actually mission
critical, who within their organizations should have access to the
information, and then ensure that the information cannot be accessed
by unauthorized parties.
Established records and information management policies that follow
best practices concerning retention, disposition, categorization,
maintenance, or disposal may apply to aggregated data just as they
apply to records in other formats.\5\ The requirements for
protecting records during their use cannot simply be ``added on'' at
the end of a technology implementation. These requirements are integral
to the functioning of any system which stores, retrieves and protects
information, and therefore must be considered during each phase from
design to final implementation and system maintenance.
---------------------------------------------------------------------------
\5\ See ``Managing Electronic Messages as Records (formerly:
Guideline for Managing E-mail)'' (ANSI/ARMA-9-200x).
---------------------------------------------------------------------------
Why records retention and destruction policies are important for data
security
Information is among the most valuable commodities of any
organization. In the case of organizations that possess, process, and
use sensitive consumer information, this information is a part of the
organization's strategic business model. As such, these organizations
have a significant responsibility to manage and maintain the integrity
and security of this information, including the implementation of
appropriate safeguards against unauthorized use and the proper disposal
of the information.
ARMA notes that a significant risk of identity theft occurs at a
point when a given record should be destroyed--and the best practices
of records and information management and a record's retention schedule
would require not only appropriate measures to ensure destruction, but
also the documentation of the destruction or final disposition action.
Within the context of managing the life cycle of any information,
assuring that records and information are destroyed appropriately--at
the time and in the manner anticipated by the organization's retention
and disposition program, and in compliance with any applicable law or
regulation--is as important and deserves the same level of attention
and stewardship as assuring that the information is properly
maintained--both for the use of an organization in pursuit of its
business purposes as well as for safeguarding the information from
improper use during the useful life of the information. The appropriate
destruction of a record at the end of its life cycle will assist with
efforts to curb identity theft, such as the growing problem of
``dumpster diving.'' The same best practices will safeguard against the
misappropriation of records stored in electronic format.
Safeguards and proper disposal are essential elements of an
organization's information retention and disposition program. ARMA
believes that any safeguard regime for personally identifiable
information must include the formal endorsement by senior management of
a written records and information management program. This would
include the appropriate investment in personnel, training and
organization-wide communications. It would also ensure that third party
relationships endorse the same safeguards with appropriate means of
ensuring compliance.
In today's distributed work environments, a wide variety of
individuals create records and must therefore take responsibility to
ensure those records are captured, identified and preserved. It is no
longer enough to train administrative staff and assume they will make
sure the records end up in the records management program. All members
of management, employees, contractors, volunteers and other individuals
share the responsibility for capturing records so they can be properly
managed throughout the length of their required retention period.
ARMA's comments are informed by recognized practices of documenting
the disposal of information and records. ISO 15489-1 Clause 8.3.7,
``Retention and disposition''\6\ provides: ``Records systems
should be capable of facilitating and implementing decisions on the
retention and disposition of records. It should be possible for these
decisions to be made at any time in the existence of records, including
during the design stage of records systems. It should also be possible,
where appropriate, for disposition to be activated automatically.
Systems should provide audit trails or other methods to track completed
disposition actions.''
---------------------------------------------------------------------------
\6\ ISO 15489-1 Clause 3.9 defines ``disposition'' to mean ``range
of processes associated with implementing records retention,
destruction or transfer decisions which are documented in disposition
authorities or other instruments''. ISO 15489-1 Clause 3.8 defines
``destruction'' to mean ``process of eliminating or deleting records,
beyond any possible reconstruction''. Similarly, Draft Standard,
Section 3, ``Definitions,'' defines ``disposition'' to mean ``a range
of processes associated with implementing records retention,
destruction, or transfer decisions that are documented in the records
retention and disposition schedule or other authorities.'' Draft
Standard, Section 3 defines ``destruction'' to mean ``the process of
eliminating or deleting records beyond any possible reconstruction.''
---------------------------------------------------------------------------
ISO 15489-1 Clause 9.9, ``Implementing disposition'' provides in
part: ``The following principles should govern the physical destruction
of records--
1) Destruction should always be authorized.
2) Records pertaining to pending or actual litigation or investigation
should not be destroyed.
3) Records destruction should be carried out in a way that preserves
the confidentiality of any information they contain.
4) All copies of records that are authorized for destruction, including
security copies, preservation copies and backup copies, should
be destroyed.''
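The four Clause 9.9 principles quoted above, together with the Clause 8.3.7 requirement that systems track completed disposition actions, map almost directly onto a disposition routine: refuse unauthorized requests, skip records under litigation hold, destroy in a way that leaves no readable content, destroy every copy including backups, and log every decision. The following Python sketch is an added illustration and is not code from ARMA, ISO 15489, or the hearing record; the record series, retention periods, dates, copy locations and placeholder contents are constructed sample data, and the 365-day year used to compute due dates is an assumption made for brevity.

```python
"""Records disposition routine modelled on ISO 15489-1 Clause 9.9 (principles 1-4)
and Clause 8.3.7 (audit trail). Added illustration with constructed sample data;
not ARMA's, ISO's or any vendor's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class RecordCopy:
    """One copy of a record: primary, backup, preservation copy, and so on."""
    location: str
    content: bytes


@dataclass
class Record:
    record_id: str
    series: str                 # retention series the record belongs to
    created: date
    copies: List[RecordCopy]
    legal_hold: bool = False    # pending or actual litigation/investigation


# Constructed retention schedule (years after creation); an assumption for the
# example, not a schedule taken from ISO 15489 or from the statement.
RETENTION_YEARS = {"customer-application": 7, "marketing-list": 2}


@dataclass
class DispositionAction:
    """One audit-trail entry recording a completed disposition decision."""
    record_id: str
    outcome: str            # destroyed | retained-hold | retained-not-due | refused-unauthorized
    copies_destroyed: int
    authorized_by: str
    actioned_on: date


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[DispositionAction] = []

    def log(self, action: DispositionAction) -> None:
        self.entries.append(action)


def is_due(record: Record, today: date) -> bool:
    """True once the retention period has elapsed (365-day years: assumption)."""
    keep_for = timedelta(days=365 * RETENTION_YEARS[record.series])
    return today - record.created >= keep_for


def _secure_destroy(copy: RecordCopy) -> None:
    """Principle 3: destroy so the content cannot be read back. Here the bytes are
    overwritten before the copy is dropped; a real system would shred the medium
    or destroy the encryption key rather than zero a Python object."""
    copy.content = b"\x00" * len(copy.content)


def dispose(record: Record, today: date, authorized_by: Optional[str],
            audit: AuditTrail) -> DispositionAction:
    """Apply the four Clause 9.9 principles to one record and log the outcome."""
    if not authorized_by:                       # Principle 1: always authorized
        action = DispositionAction(record.record_id, "refused-unauthorized", 0, "", today)
    elif record.legal_hold:                     # Principle 2: hold overrides schedule
        action = DispositionAction(record.record_id, "retained-hold", 0, authorized_by, today)
    elif not is_due(record, today):             # retention period not yet reached
        action = DispositionAction(record.record_id, "retained-not-due", 0, authorized_by, today)
    else:                                       # Principle 4: every copy, backups included
        for copy in record.copies:
            _secure_destroy(copy)
        destroyed = len(record.copies)
        record.copies.clear()
        action = DispositionAction(record.record_id, "destroyed", destroyed, authorized_by, today)
    audit.log(action)                           # Clause 8.3.7: track every disposition action
    return action


def run_sample(today: date = date(2005, 5, 11)) -> AuditTrail:
    """Constructed sample run: four records, one per outcome."""
    def copies(tag: str) -> List[RecordCopy]:
        body = f"ssn=000-00-0000 name=sample {tag}".encode()   # constructed placeholder data
        return [RecordCopy("primary", body), RecordCopy("backup", body),
                RecordCopy("preservation", body)]

    records = [
        Record("R-1", "customer-application", date(1997, 3, 1), copies("r1")),
        Record("R-2", "customer-application", date(1997, 3, 1), copies("r2"), legal_hold=True),
        Record("R-3", "marketing-list", date(2004, 1, 1), copies("r3")),
        Record("R-4", "marketing-list", date(2001, 1, 1), copies("r4")),
    ]
    audit = AuditTrail()
    for rec in records[:3]:
        dispose(rec, today, "records-manager", audit)
    dispose(records[3], today, None, audit)     # due, but no authorization: refused
    return audit


if __name__ == "__main__":
    for entry in run_sample().entries:
        print(entry)
```

The audit trail is written on every path, not only on destruction: a record that was retained because of a hold or refused for lack of authorization is as much a disposition decision as one that was destroyed, and it is the retained-and-refused entries that later show an organization followed its own schedule.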
The Fair and Accurate Credit Transactions Act of 2003 (FACT Act),
approved by this Committee, contains a provision requiring the Federal
Trade Commission and the various banking regulators to develop a
disposal rule for sensitive customer information. This rule may provide
a model for businesses in other industry sectors for the appropriate
disposal of personally identifiable information. In its comments to the
disposal rules proposed by the Commission and the various banking
regulators, ARMA strongly recommended that an organization's safeguards
include a formal, written records and information management program,
consistent with ISO 15489.
Conclusion
ARMA International applauds the leadership of Chairman Stearns and
Ranking Member Schakowsky for examining the data security issue. ARMA
recommends to the Subcommittee the best practices of records and
information management as an effective element for any data security or
safeguards initiatives or policies.
______
Prepared Statement of Gail Hillebrand, Senior Attorney, Consumers Union
Summary
Consumers Union,\1\ the non-profit, independent publisher
of Consumer Reports, believes that the recent announcements by
ChoicePoint, Lexis-Nexis, and many others about the lack of security of
our most personal information underscores the need for Congress and the
states to act to protect consumers from identity theft.
---------------------------------------------------------------------------
\1\ Consumers Union is a non-profit membership organization
chartered in 1936 under the laws of the state of New York to provide
consumers with information, education and counsel about goods,
services, health and personal finance, and to initiate and cooperate
with individual and group efforts to maintain and enhance the quality
of life for consumers. Consumers Union's income is solely derived from
the sale of Consumer Reports, its other publications and from
noncommercial contributions, grants and fees. In addition to reports on
Consumers Union's own product testing, Consumer Reports, with more than
four million paid circulation, regularly carries articles on health,
product safety, marketplace economics and legislative, judicial and
regulatory actions which affect consumer welfare. Consumers Union's
publications carry no advertising and receive no commercial support.
---------------------------------------------------------------------------
Identity theft is a serious crime that has become more common in
recent years as we have delved further into the ``information age.''
According to the Federal Trade Commission, 27.3 million Americans have
been victims of identity theft in the past five years, costing
businesses and financial institutions $48 billion and consumers $5
billion. Victims pay an average of $1,400 (not including attorney fees)
and spend an average of 600 hours to clear their credit reports. The
personal costs can also be devastating; identity theft can create
unimaginable family stress when victims are turned down for mortgages,
student loans, and even jobs.
And as ongoing scandals involving ChoicePoint, Lexis-Nexis, and
others point to, American consumers cannot fully protect themselves
against identity theft on their own. Even consumers who do ``everything
right,'' such as paying their bills on time and holding tight to
personal information such as Social Security numbers and dates of
birth, can become victims through no fault of their own because the
companies who profit from this information have lax security standards.
Therefore, Congress and the states must enact new obligations
grounded in Fair Information Practices\2\ on those who hold,
use, sell, or profit from private information about consumers. In this
context, Fair Information Practices would reduce the collection of
unnecessary information, restrict the use of information to the purpose
for which it was initially provided, require that information be kept
secure, require rigorous screening of the purposes asserted by persons
attempting to gain access to that information, and provide for full
access to and correction of information held.
---------------------------------------------------------------------------
\2\ The Code of Fair Information Practices was developed by the
Health, Education, and Welfare Advisory Committee on Automated Data
Systems, in a report released two decades ago. The Electronic Privacy
Information Center has described the Code as based on these five
principles:
1. There must be no personal data record-keeping systems whose very
existence is secret.
2. There must be a way for a person to find out what information
about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about
the person that was obtained for one purpose from being used or made
available for other purposes without the person's consent.
4. There must be a way for a person to correct or amend a record of
identifiable information about the person.
5. Any organization creating, maintaining, using, or disseminating
records of identifiable personal data must assure the reliability of
the data for their intended use and must take precautions to prevent
misuses of the data.
Electronic Privacy Information Center, http://www.epic.org/privacy/consumer/code_fair_info.html.
---------------------------------------------------------------------------
Consumers Union recommends that lawmakers do the following:
Require notice of all security breaches: Impose requirements on
businesses, nonprofits, and government entities to notify
consumers when an unauthorized person has gained access to
sensitive information pertaining to them. Consumers Union
supports S. 751, by Senator Dianne Feinstein, which would put
these requirements in place. We also believe that S. 768,
introduced by Senator Charles Schumer and Senator Bill Nelson,
will make an excellent notice of breach law.
Require and monitor security: Impose strong requirements on
information brokers to protect the information they hold and to
screen and monitor the persons to whom they make that
information available. S. 768, as well as S. 500 and H.R. 1080,
introduced by Senator Bill Nelson and Representative Ed Markey,
respectively, would direct the Federal Trade Commission to
develop such standards and oversee compliance with them.
Give consumers access to and a right to correct information: Give
individuals rights to see, dispute, and correct information
held by information brokers. This is also addressed in the
Schumer/Nelson and Nelson/Markey bills.
Protect SSNs: Restrict the sale, collection, use, sharing, posting,
display, and secondary use of Social Security numbers.
Require more care from creditors: Require creditors to take
additional steps to verify the identity of an applicant when
there is an indicator of possible ID theft.
Grant individuals control over their sensitive information: Give
individuals rights to control who collects--and who sees--
sensitive information about them.
Restrict secondary use of sensitive information: Restrict the use of
sensitive personal information for purposes other than the
purposes for which it was collected or other uses to which the
consumer affirmatively consents.
Fix FACTA: A consumer should be able to access more of his or her
Fair and Accurate Credit Transactions Act (FACTA) rights, such
as the extended fraud alert, before becoming an ID theft
victim. Further, one of the key FACTA rights is tied to a
police report, which victims still report difficulty in getting
and using.
Create strong and broadly-based enforcement: Authorize federal,
state, local, and private enforcement of all of these
obligations.
Recognize the role of states: States have pioneered responses to new
forms of identity crime and risks to personal privacy. Congress
should not inhibit states from putting in place additional
identity theft and privacy safeguards.
Provide resources and tools for law enforcement: Provide funding for
law enforcement to pursue multi-jurisdictional crimes promptly
and effectively. Law enforcement also may need new tools to
promote prompt cooperation from the Social Security
Administration and private creditors in connection with
identity theft investigations.
After a very brief discussion of the problem of identity theft,
each recommendation is discussed.
The problem of identity theft is large and growing
Current law simply has not protected consumers from identity theft.
The numbers tell part of the story:
According to the Federal Trade Commission, 27.3 million Americans
have been victims of identity theft in the last five years,
costing businesses and financial institutions $48 billion, plus
another $5 billion in costs to consumers.
Commentator Bob Sullivan has estimated that information concerning
two million consumers is involved in the security breaches
announced over just the six weeks ending April 6, 2005. Is Your
Personal Data Next?: Rash of Data Heists Points to Fundamental
ID Theft Problem, http://msnbc.msn.com/id/7358558
Based on a report to the FTC in 2003 which concluded that there were
nearly 10 million identity theft victims each year, Consumers
Union estimates that every minute 19 more Americans become
victims of ID theft.
These numbers can't begin to describe the stress, financial
uncertainty, lost work-time productivity and lost family time identity
theft victims experience. Even financially responsible people who
routinely pay their bills on time can find themselves in a land of debt
collector calls, ruined credit and lost opportunities for jobs,
apartments, and prime credit. With more and more scandals coming out
every week, the time has come for Congress to act to protect the
security of our personal information.
Recommendations
Notification:
Notice of security breaches of information, whether held in
computerized or paper form, is the beginning, not the end, of a series
of steps needed to begin to resolve the fundamental conundrum of the
U.S. information society: collecting information generates
revenues or efficiencies for the holder of the information but can pose
a risk of harm to the persons whose economic and personal lives are
described by that information.
The first principle of Fair Information Practices is that there be
no collection of data about individuals whose very existence is a
secret from those individuals. A corollary of this must be that when
the security of a collection of data containing sensitive information
about an individual is breached, that breach cannot be kept secret from
the individual. Recognizing the breadth of the information that
business, government, and others hold about individuals, Consumers
Union recommends a notice of breach requirement that is strong yet
covers only ``sensitive'' personal information, including account
numbers, numbers commonly used as identifiers for credit and similar
purposes, biometric information, and similar information. This
sensitive information could open the door to future identity theft, so
it is vital that people know when this information has been breached.
Consumers Union supports a notice-of-breach law which does the
following:
Covers paper and computerized data
Covers government and privately-held information
Does not except encrypted data
Does not except regulated entities
Has no loopholes, sometimes called ``safe harbors''
Is triggered by the acquisition of information by an unauthorized
person
Requires that any law enforcement waiting period must be requested in
writing and be based on a serious impediment to the
investigation
Gives consumers who receive a notice of breach access to the federal
right to place an extended fraud alert.
Consumers Union supports S. 751, which contains these elements. S.
768 contains most, but not all, of these elements and in certain other
respects provides additional protections.
Three of these elements are of special importance: covering all
breaches without exceptions or special weaker rules for particular
industries, covering data contained on paper as well as on computer,
and covering data whether or not it is encrypted. First, a ``one rule
for all breaches'' is the only way to ensure that the notice is
sufficiently timely to be useful by the consumer for prevention of
harm. ``One rule for all'' is also the only rule that can avoid a
factual morass which could make it impossible to determine if a breach
notice should have been given. By contrast, a weak notice
recommendation such as the one contained in the guidance issued by the
bank regulatory agencies 3 cannot create a strong
marketplace incentive to invest the time, money, and top-level
executive attention to reduce or eliminate future breaches.
---------------------------------------------------------------------------
\3\ That weak recommendation allows a financial institution to
decide whether or not its customers need to know about a breach, and
the explanatory material even states that it can reach a conclusion
that notice is unnecessary without making a full investigation.
Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice, 12 CFR Part 30, 12 CFR Parts
208 and 225, 12 CFR Part 364, 12 CFR Parts 568 and 570. Other reasons
why those guidelines are insufficient to substitute for a statutory
requirement to give notice include that they do not apply to non-
customers about whom the financial institution has sensitive data, that
there is no direct or express penalty for violation of the guideline,
and that their case-by-case approach will make it extremely hard to
determine in which circumstances the guidance actually recommends
notice to consumers, complicating the process of showing that an
obligation was unmet.
---------------------------------------------------------------------------
Second, unauthorized access to paper records, such as hospital
charts or employee personnel files, is just as likely to expose an
individual to a risk of identity theft as theft of computer files.
Third, encryption doesn't protect information from insider theft, and
the forms of encryption vary widely in their effectiveness. Further,
even the most effective form of encryption can quickly become worthless
if it is not adapted to keep up with changes in technology and with new
tools developed by criminals.
A requirement to give notice of a security breach elevates the
issue of information security inside a company. A requirement for
swift, no-exemption notice of security breaches should create
reputational and other marketplace incentives for those who hold
sensitive consumer information to improve their internal security
practices. For example, California's security breach law has led to
improved data security in at least two cases. According to news
reports, after giving its third notice of security breach in fifteen
months, Wells Fargo Bank ordered a comprehensive review of all its
information handling practices. The column quoted a memo from Wells
Fargo's CEO stating in part: ``The results have been enlightening and
demonstrate a need for additional study, remediation and oversight . .
. Approximately 70 percent of our remote data has some measure of
security exposure as stored and managed today.'' 4
---------------------------------------------------------------------------
\4\ D. Lazarus, ``Wells Boss Frets Over Security,'' S.F. Chronicle,
Feb. 23, 2005. http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/02/
23/BUGBHBFCR11.DTL
---------------------------------------------------------------------------
In another example, UC Berkeley Chancellor Robert Birgeneau
announced plans to hire an outside auditor to examine data gathering,
retention, and security, telling employees: ``I insist that we
safeguard the personal information we are given as if it were our
own.'' 5 This announcement followed the second announced
breach of the security of data held by the University in six months,
this one involving 100,000 people.6
---------------------------------------------------------------------------
\5\ ``Cal Laptop Security Put Under Microscope,'' April 6, 2005,
Inside Bay Area, http://www.insidebayarea.com/searchresults/ci_2642564.
\6\ Opinion Page, Oakland Tribune, April 5, 2005.
---------------------------------------------------------------------------
In the Sarbanes-Oxley Act, Congress recognized the importance of
the ``tone at the top,'' and for that reason took steps to require that
corporate boards and CEOs work to improve the quality and accuracy of
audited financial statements. A strong, clear notice of security breach
law, without exceptions, could similarly focus the attention of top
management on information security--creating an incentive for a ``tone
at the top'' to take steps to minimize or eliminate security breaches.
Security:
Consumers Union supports S. 500 and H.R. 1080, introduced by
Senator Bill Nelson and Representative Ed Markey, respectively. These
measures would direct the Federal Trade Commission (FTC) to promulgate
strong standards for information security and a strong obligation to
screen customers, both initially and with respect to how those
customers further protect the information from unauthorized use. They
also provide for ongoing compliance monitoring by the FTC. S. 768, the
Schumer/Nelson bill, contains similar provisions.
If Congress wanted to take even stronger steps with respect to
information brokers, it could require information brokers to undergo
annual audits, paid for by the broker and performed by an independent
auditor retained by the FTC, with specific authority in the FTC to
require corrective action for security and customer screening
weaknesses identified in the audit, as well as allowing the FTC to
specify particular aspects of information security that should be
included in each such audit.
Any federal information broker law must require strong protections
in specific aspects of information security, as well as imposing a
broad requirement that security in fact be effective and be monitored
for ongoing effectiveness. Congress must determine the balance between
the public interest in the protection of data and the business interest
in the business of information brokering. Security breaches and the
effects on consumers of the ongoing maintenance of files on most
Americans by information brokers are issues too important to be
delegated in full to any regulatory agency.
Access and Correction:
Two of the basic Fair Information Practices are the right to see
and the right to correct information held about the consumer. S. 768,
S. 500, and H.R. 1080 all address these issues. While the Fair Credit
Reporting Act (FCRA) allows consumers to see and correct their credit
reports, as defined by FCRA, consumers currently have no legal right to
see the whole file held on them by an information broker such as
ChoicePoint and Lexis-Nexis, even though the information in that file
may have a profound effect on the consumer. There is also lack of
clarity about what a consumer will be able to see even under the FCRA
if the information broker has not yet made a report to a potential
employer or landlord about that consumer.7
---------------------------------------------------------------------------
\7\ Testimony of Evan Hendricks, Editor/Publisher, Privacy Times
before the Senate Banking Committee, March 15, 2005, http://
banking.senate.gov/files/hendricks.pdf.
---------------------------------------------------------------------------
Because the uses of information held by data brokers continue to
grow and change, affecting consumers in myriad ways, consumers must be
given the legal right to see all of the information data brokers hold
on them, and to seek and win prompt correction of that information if
it is in error.
Protection for SSNs:
The Social Security number (SSN) has become a de facto national
identifier in a number of U.S. industries dealing with consumers. Some
proposals for reform have emphasized consent to the use, sale, sharing
or posting of Social Security numbers. Consumers Union believes that a
consent approach will be less effective than a set of rules designed to
reduce the collection and use of sensitive consumer information.
Take, for example, an analogy from the recycling mantra: ``Reduce,
reuse, recycle.'' Just as public policy to promote recycling first
starts with ``reducing'' the use of materials that could end up in a
landfill, so protection of sensitive personal information should begin
with reduction in the collection and use of such information.
Restrictions on the use of the Social Security number must begin with
restricting the initial collection of this number to only those
transactions where the Social Security number is not only necessary,
but also essential to facilitating the transaction requested by the
consumer. The same is true for other identifying numbers or information
that may be called upon as Social Security numbers are relied upon
less.
Consumers Union endorses these basic principles for an approach to
Social Security numbers:
Ban collection and use of SSNs by private entities or by government
except where necessary to a transaction and there is no
alternative identifier which will suffice.
Ban sale, posting, or display of SSNs, including no sale of credit
header information containing SSNs. There is no legitimate
reason to post or display individuals' Social Security numbers
to the public.
Ban sharing of SSNs, including between affiliates.
Ban secondary use of SSNs, including within the company which
collected them.
Out of the envelope: ban printing or encoding of SSNs on government
and private checks, statements, and the like
Out of the wallet: ban use of the SSN for government or private
identifier, except for Social Security purposes. This includes
banning the use of the SSN, or a variation or part of it, for
government and private programs such as Medicare, health
insurance, driver's licenses or driver's records, and military,
student, or employee identification. Any provision banning the
printing of SSNs on identifying cards should also prohibit
encoding the same information on the card.
Public records containing SSNs must be redacted before posting.
There should be no exceptions for regulated entities.
There should be no exception for business-to-business use of SSNs.
Congress should also consider whether to impose the same type of
``responsibility requirements'' on the collection, sale, use, sharing,
display and posting of other information that could easily evolve into
a substitute ``national identifier,'' including driver's license number,
state non-driver information number, biometric information and cell
phone numbers.
Creditor identity theft prevention obligations:
Information is stolen because it is valuable. A key part of that
value is the ability to use the information to gain credit in someone
else's name. That value exists only because credit granting
institutions do not check the identity of applicants carefully enough
to discover identity thieves before credit is granted.
Financial institutions and other users of consumer credit reports
and credit scores should be obligated to take affirmative steps to
establish contact with the consumer before giving credit or allowing
access to an account when there is an indicator of possible false
application, account takeover or unauthorized use. The news reports of
the credit card issued to Clifford J. Dawg, while humorous, illustrate
a real problem--creditor eagerness to issue credit spurs inadequate
review of the identity of the applicant.8 When the applicant
is a dog, this might seem funny, but when the applicant is a thief,
there are serious consequences for the integrity of the credit
reporting system and for the consumer whose good name is being ruined.
---------------------------------------------------------------------------
\8\ Both the news stories about Clifford J. Dawg and a thoughtful
analysis of the larger problem of too-lax identification standards
applied by creditors are found in C. Hoofnagle, Putting Identity Theft
on Ice: Freezing Credit Reports to Prevent Lending to Impostors, in
Securing Privacy in the Information Age (forthcoming from Stanford
University Press), http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=650162.
---------------------------------------------------------------------------
As new identifiers evolve, criminals will seek to gain access to
and use those new identifiers. Thus, any approach to attacking identity
theft must also impose obligations on those who make that theft
possible--those who grant credit, goods, or services to imposters
without taking careful steps to determine with whom they are dealing.
At minimum, creditors should be required to actually contact the
applicant to verify that he or she is the true source of an application
for credit when certain triggering events occur. The triggering events
should include any of the following circumstances:
Incomplete match on Social Security number
Address mismatch between application and credit file
Erroneous or missing date of birth in application
Misspellings of name or other material information in application
Other indicators as practices change
Under FACTA, the FTC and the federal financial institution
regulators are charged with developing a set of red flag ``guidelines''
to ``identify possible risks'' to customers or to the financial
institution. However, FACTA stops with the identification of risks. It
does not require that financial institutions do anything to address
those risks once identified through the not-yet-released guidelines.
The presence of a factor identified in the guidelines does not trigger
a statutory obligation to take more care in determining the true
identity of the applicant before granting credit. Congress should
impose a plain, enforceable obligation for creditors to contact the
consumer to verify that he or she has in fact sought credit when
certain indicators of potential identity theft are present.
Control for consumers over affiliate-sharing, use of information, use
of credit reports and credit scores:
Consumers are caught between the growth in the collection and
secondary use of information about them on the one hand and the
increasing sophistication of criminals in exploiting weaknesses in how
that information is stored, transported, sold by brokers, shared
between affiliates, and used to access credit files and credit scores.
Identity theft has been fueled in part by information-sharing
between and within companies, the existence of databases that consumers
don't know about and can't stop their information from being part of,
the secondary use of information, and the granting of credit based on a
check of the consumer credit file or credit score without efforts to
verify the identity of the applicant.9 Consumers Union has
consistently supported federal and state efforts to give consumers the
legal right to stop the sharing of their sensitive personal information
among affiliates. Finally, to stop the spread of numbers that serve as
consumer identifiers, it is essential that Congress and the states
impose strong restrictions on the use of sensitive personal information
for purposes other than the purpose for which the consumer originally
provided that information.
---------------------------------------------------------------------------
\9\ Secondary use is use for a purpose other than the purpose for
which the consumer gave the information.
---------------------------------------------------------------------------
Fix FACTA:
FACTA has made some things more difficult for identity theft
victims, according to information provided to Consumers Union by
nonprofits and professionals who assist identity theft victims.
Moreover, FACTA gives only limited rights to those who have not yet
become victims of identity theft, and FACTA fails to offer a pure
prevention tool for all consumers. A consumer who asserts in good faith
that he or she is about to become a victim of identity theft gets one
right under FACTA--the right to place, or renew, a 90-day fraud alert.
However, this type of alert places lower obligations on the potential
creditor than the extended alert, which is restricted only to identity
theft victims.
A consumer should be able to access more of his or her FACTA
rights, such as the extended fraud alert, before becoming an identity
theft victim. One key FACTA right is tied to a police report, which
victims still report difficulty in getting and using.
Here are some key ways to make FACTA work for victims:
Initial fraud alert should be one year, not 90 days
Extended alert and other victims' rights, other than blocking of
information, should be available to all identity theft victims
who fill out the FTC ID theft affidavit under penalty of
perjury
Business records should be available to any consumer who fills out
the FTC ID theft affidavit under penalty of perjury
Consumers who receive a notice of security breach should be entitled
to place an extended fraud alert
Consumers who place a fraud alert have the right under FACTA to a
free credit report, but this should be made automatic.
There is also work to do outside of FACTA, including work to
develop a police report that could be given to victims that is
sufficiently similar, if not uniform, across jurisdictions, so that the
victim does not find creditors or businesses in another jurisdiction
refusing to accept a police report from the victim's home jurisdiction.
Congress must encourage the states to continue to pioneer prompt
responses to identity crime:
Virtually every idea on the table today in the national debate
about stemming identity theft and protecting consumer privacy comes
from legislation already enacted by a state. Congress must not cut off
this source of progress and innovation. Instead, any identity theft and
consumer privacy legislation in Congress should expressly permit states
to continue to enact new rights, obligations, and remedies in
connection with identity theft and consumer privacy to the full extent
that the state requirements are not inconsistent with the specific
requirements of federal law.
Criminals will always be more fast-acting, and fast-adapting, than
the federal government. An important response to this reality is to
permit, and indeed encourage, state legislatures to continue to act in
the areas of identity theft and consumer privacy. Fast-acting states
can respond to emerging practices that can harm consumers while those
practices are still regional, before they spread nationwide. For
example, California enacted its notice of security breach law and other
significant identity theft protections because identity theft was a
significant problem in California well before it became, or at least
was recognized as, a national crime wave.
Identity theft illustrates how much quicker states act on consumer
issues than Congress. According to numbers released by the FTC, there
were 9.9 million annual U.S. victims of identity theft in the year
before Congress adopted the relatively modest rights for identity theft
victims found in FACTA. The identity theft provisions adopted by
Congress in FACTA were modeled on laws already enacted in states such
as California, Connecticut, Louisiana, Texas, and
Virginia.10
---------------------------------------------------------------------------
\10\ See California Civil Code 1785.11.1, 1785.11.2, 1785.16.1;
Conn. SB 688 9(d), (e), Conn. Gen. Stats. 36a-699; Ill. Rev. Stat. Ch.
505 2MM; LA Rev. Stat. 9:3568B.1, 9:3568C, 9:3568D, 9:3571.1 (H)-
(L); Tex. Bus. & Comm. Code 20.01(7), 20.031, 20.034-039, 20.04; VA
Code 18.2-186.31:E.
The role of the states has also been important in financial issues
unrelated to identity theft. Here are two examples. In 1986, California
required that specific information be included in credit card
solicitations with enactment of the then-titled Areias-Robbins Credit
Card Full Disclosure Act of 1986. That statute required every
credit card solicitation to contain a chart showing the interest rate,
grace period, and annual fee. 1986 Cal. Stats., Ch. 1397, codified at
California Civil Code 1748.11. Two years later, Congress chose to
adopt the same concept in the Federal Fair Credit and Charge Card
Disclosure Act (FCCCDA), setting standards for credit card
solicitations, applications and renewals. P. L. 100-583, 102 Stat. 2960
(Nov. 1, 1988), codified in part at 15 U.S.C. 1637(c) and 1610(e).
The implementing changes to federal Regulation Z included a model form
for the federal disclosure box which is quite similar to the form
required under the pioneering California statute. 54 Fed. Reg. 13855,
Appendix G.
---------------------------------------------------------------------------
Strong and broadly-based enforcement:
Consumers need effective enforcement of those obligations and
restrictions Congress imposes in response to the increasing threats to
consumer privacy and to the growth of identity theft. A diversity of
approaches strengthens enforcement. Each statutory obligation imposed
by Congress should be enforceable by federal agencies, the federal law
enforcement structure with the Attorney General and U.S. Attorneys, and
State Attorneys General. Where a state is structured so that part of
the job of protecting the public devolves to a local entity, such as a
District Attorney or City Attorney, those local entities also should be
empowered to enforce anti-identity theft and privacy measures in local
civil or, where appropriate, criminal courts.
There is also a role for a private right of action. It is an
unfortunate reality of identity theft that law enforcement resources
are slim relative to the size of the problem. This makes it
particularly important that individuals be given a private right of
action to enforce the obligations owed to them by others who hold their
information. A private right of action is an important part of any
enforcement matrix.
Money and tools for law enforcement:
Even if all the recommended steps are taken, U.S. consumers will
still need vigorous, well-funded law enforcement. At a meeting convened
by Senator Feinstein which included some twenty representatives of law
enforcement, including police departments, sheriffs, and District
Attorneys, law enforcement uniformly proposed that they be given tools
to more effectively investigate identity theft. Law enforcement costs
money, and the law enforcers noted that the multi-jurisdictional nature
of identity theft increases the costs and time it takes to investigate
these crimes.
Law enforcers in California and Oregon have noted a strong link
between identity theft crime and methamphetamine. The Riverside County
Sheriff noted at a March 29, 2005 event that when drug officers close a
methamphetamine lab, they often find boxes of fake identification ready
for use in identity theft. The drug team has closed the lab; without
funding for training and ongoing officer time, there may be no
investigation of those boxes of identities.
To prove a charge of attempted identity theft, a prosecutor may
need to prove that the real person holding a particular driver's
license number, credit or debit card number, or Social Security number
is different from the holder of the fake ID. Doing this may require the
cooperation of a state Department of Motor Vehicles, a financial
institution, or the Social Security Administration. The public meetings
of the California High Tech Crimes Advisory Committee have included
discussion of the difficulties and time delays law enforcement
investigators encounter in trying to obtain this cooperation. Congress
should work with law enforcement and groups representing civil
liberties interests to craft a solution to verifying victim identity that
will facilitate investigation of identity theft without infringing on
the individual privacy of identity theft victims and other individuals.
Law enforcement may have more specific proposals to enhance their
effectiveness in fighting identity theft. Consumers Union generally
supports:
Funding for regional identity theft law enforcement task forces in
the areas of highest concentration of victims and of identity
thieves
Funding for investigation and prosecution
An obligation on creditors, financial institutions, and the Social
Security Administration to provide information about suspected
theft-related accounts or numbers to local, state, and federal
law enforcement after a simple, well designed, request process
Consumers Union believes that the time has come for both Congress
and state legislatures to act to stem identity theft through strong and
meaningful requirements to tell consumers of security breaches; strong
and detailed security standards and oversight for information brokers,
reining in the use of Social Security numbers, increased control for
consumers over the uses of their information, and obligations on
creditors to end their role in facilitating identity theft through lack
of care in credit granting. This should be done without infringing on
the role of the states, with attention to the need to fund law
enforcement to fight identity theft, and with attention to the need for
private enforcement by consumers. We look forward to working with the
Chair and members of the Committee, and others in Congress, to
accomplish these changes for U.S. consumers. These recommendations by
Consumers Union have been informed by the work of victim assistance
groups, privacy advocates, and others.11
---------------------------------------------------------------------------
\11\ Many law enforcers, victim assistance workers, and
consumer and privacy advocates were engaged in the issue of identity
theft prevention long before the most recent ChoicePoint security
breach came to light. Consumers Union has worked closely for many years
on efforts to fight identity theft and protect consumer financial
privacy with other national groups, and with consumer privacy and anti-
identity theft advocates and victim assistance groups based in
California. Our views and recommendations are strongly informed by the
experiences of consumers reported to us by the nonprofit Privacy Rights
Clearinghouse, the nonprofit Identity Theft Resource Center, and others
who work directly with identity theft victims. These groups have worked
to develop the state laws that are the basis for many of the proposals
now being introduced in Congress. Consumers Union is grateful for the
leadership of the Privacy Rights Clearinghouse in consumer privacy
policy work, the work of the state PIRGs and U.S.PIRG on consumer
identity theft rights which includes the preparation of a model state
identity theft statute in cooperation with Consumers Union, for the
work for consumers on the accuracy of consumer credit reporting issues
done over the past decade by the Consumer Federation of America and
U.S. PIRG, and for the contributions to the policy debate of
organizations such as the Electronic Privacy Information Center,
Privacy Times, and others too numerous to mention.