[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
FIFTH IN A SERIES OF HEARINGS
ON SOCIAL SECURITY NUMBER HIGH-RISK ISSUES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON SOCIAL SECURITY
of the
COMMITTEE ON WAYS AND MEANS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
MARCH 30, 2006
__________
Serial No. 109-62
__________
Printed for the use of the Committee on Ways and Means
U.S. GOVERNMENT PRINTING OFFICE
30-440 WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON WAYS AND MEANS
BILL THOMAS, California, Chairman
E. CLAY SHAW, JR., Florida CHARLES B. RANGEL, New York
NANCY L. JOHNSON, Connecticut FORTNEY PETE STARK, California
WALLY HERGER, California SANDER M. LEVIN, Michigan
JIM MCCRERY, Louisiana BENJAMIN L. CARDIN, Maryland
DAVE CAMP, Michigan JIM MCDERMOTT, Washington
JIM RAMSTAD, Minnesota JOHN LEWIS, Georgia
JIM NUSSLE, Iowa RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas MICHAEL R. MCNULTY, New York
PHIL ENGLISH, Pennsylvania WILLIAM J. JEFFERSON, Louisiana
J.D. HAYWORTH, Arizona JOHN S. TANNER, Tennessee
JERRY WELLER, Illinois XAVIER BECERRA, California
KENNY C. HULSHOF, Missouri LLOYD DOGGETT, Texas
RON LEWIS, Kentucky EARL POMEROY, North Dakota
MARK FOLEY, Florida STEPHANIE TUBBS JONES, Ohio
KEVIN BRADY, Texas MIKE THOMPSON, California
THOMAS M. REYNOLDS, New York JOHN B. LARSON, Connecticut
PAUL RYAN, Wisconsin RAHM EMANUEL, Illinois
ERIC CANTOR, Virginia
JOHN LINDER, Georgia
BOB BEAUPREZ, Colorado
MELISSA A. HART, Pennsylvania
CHRIS CHOCOLA, Indiana
DEVIN NUNES, California
Allison H. Giles, Chief of Staff
Janice Mays, Minority Chief Counsel
______
SUBCOMMITTEE ON SOCIAL SECURITY
JIM MCCRERY, Louisiana, Chairman
E. CLAY SHAW JR., Florida SANDER M. LEVIN, Michigan
SAM JOHNSON, Texas EARL POMEROY, North Dakota
J.D. HAYWORTH, Arizona XAVIER BECERRA, California
KENNY C. HULSHOF, Missouri STEPHANIE TUBBS JONES, Ohio
RON LEWIS, Kentucky RICHARD E. NEAL, Massachusetts
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Ways and Means are also published
in electronic form. The printed hearing record remains the official
version. Because electronic submissions are used to prepare both
printed and electronic versions of the hearing record, the process of
converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.
C O N T E N T S
__________
Page
Advisory of March 23, 2006 announcing the hearing................ 2
WITNESSES
The Honorable David Dreier, a Representative in Congress from the
State of California............................................ 5
The Honorable Silvestre Reyes, a Representative in Congress from
the State of Texas............................................. 9
______
Federal Trade Commission, Joel Winston, Associate Director,
Division of Privacy and Identity Protection, Bureau of Consumer
Protection..................................................... 28
U.S. Government Accountability Office, Cynthia M. Fagnoni,
Managing Director, Education, Workforce, and Income Security... 17
______
BITS Fraud Reduction Steering Committee, Erik Stein.............. 60
Consumer Data Industry Association, Stuart K. Pratt.............. 68
Council of State Court Administrators, Mary C. McQueen........... 47
Identity Theft Resource Center, Nicole Robinson.................. 42
National Council of Investigation and Security Services, Bruce
Hulme.......................................................... 76
SUBMISSIONS FOR THE RECORD
Kenney, John P., Corona Del Mar, CA, letter...................... 89
Sybesma, Jamie, Fishers, IN, statement........................... 89
FIFTH IN A SERIES OF HEARINGS ON
SOCIAL SECURITY NUMBER HIGH-RISK ISSUES
----------
THURSDAY, MARCH 30, 2006
U.S. House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:40 p.m., in
room B-318, Rayburn House Office Building, Hon. Jim McCrery
(Chairman of the Subcommittee) presiding.
[The advisory announcing the hearing follows:]
ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS
SUBCOMMITTEE ON SOCIAL SECURITY
CONTACT: (202) 225-9263
FOR IMMEDIATE RELEASE
March 23, 2006
No. SS-14
McCrery Announces Fifth in
Series of Subcommittee Hearings on
Social Security Number High-Risk Issues
Congressman Jim McCrery, (R-LA), Chairman, Subcommittee on Social
Security of the Committee on Ways and Means, today announced that the
Subcommittee will hold the fifth in a series of Subcommittee hearings
on Social Security number (SSN) high-risk issues. The hearing will
examine the role of SSNs in identity theft and options to enhance SSN
privacy. The hearing will take place on Thursday, March 30, 2006, in
room B-318 Rayburn House Office Building, beginning at 2:00 p.m.
In view of the limited time available to hear witnesses, oral
testimony at this hearing will be from invited witnesses only. However,
any individual or organization not scheduled for an oral appearance may
submit a written statement for consideration by the Subcommittee and
for inclusion in the printed record of the hearing.
BACKGROUND:
Identity theft is a serious crime in which a victim's personal
information may be used to fraudulently obtain credit, goods or
services, employment, government documents or benefits, or to commit
other crimes. According to a 2006 survey released by the Council of
Better Business Bureaus and Javelin Strategy & Research, there are
almost 9 million adult victims of identity fraud (about 4 percent of
the U.S. adult population). These victims may spend significant amounts
of money and time to resolve their problems: on average $422 and 40
hours per victim. Total identity theft costs exceed $50 billion
annually.
Although SSNs have many important legitimate uses, the Federal
Trade Commission (FTC) indicates that they also play a pivotal role in
identity theft. According to the FTC, the SSN is integral to many
business transactions, and identity thieves use the SSN as a key to
unlock access to the financial benefits of their victims. Despite its
vital role in our financial system, there is no Federal law that
requires comprehensive confidentiality protection for the SSN. An SSN
may be on display to the general public on employee badges, in court
documents, or on the Internet. However, there are laws that provide
limited SSN confidentiality. For example, the Gramm-Leach-Bliley Act
(P.L. 106-102) restricts the reuse and redisclosure of certain personal
information, including SSNs, by financial institutions. Also, many
States have enacted legislation to restrict the use, disclosure, or
display of SSNs.
Members of Congress, concerned about the magnitude of the problem
and its devastating effects on victims, have introduced legislation
that would place various restrictions and prohibitions on the use,
sale, purchase, or display of SSNs, as well as create new criminal and
civil penalties for those who misuse SSNs. Also, legislation has been
introduced that would require improvements to the process of issuing
SSNs or the design of the SSN card to prevent individuals from
fraudulently obtaining an SSN or counterfeiting SSN cards.
In announcing the hearing, Chairman McCrery stated, ``We must
carefully examine all options to keep Social Security numbers, or SSNs,
out of the hands of identity thieves. As we do so, we must remember
that SSNs play a key role in our society, whether in business
transactions, tax administration, public benefits, or the court
systems. Through this hearing we will explore how best to achieve the
appropriate balance between the need for protecting SSN privacy and
allowing their use for legitimate and necessary purposes.''
FOCUS OF THE HEARING:
The Subcommittee will examine the role of SSNs in abetting identity
theft, and the effects of proposals to prohibit or restrict the use,
sale, purchase, or display of SSNs by individuals, businesses, or the
government.
DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:
Please Note: Any person(s) and/or organization(s) wishing to submit
for the hearing record must follow the appropriate link on the hearing
page of the Committee website and complete the informational forms.
From the Committee homepage, http://waysandmeans.house.gov, select
``109th Congress'' from the menu entitled, ``Hearing Archives'' (http:/
/waysandmeans.house.gov/Hearings.asp?congress=17). Select the hearing
for which you would like to submit, and click on the link entitled,
``Click here to provide a submission for the record.'' Once you have
followed the online instructions, completing all informational forms
and clicking ``submit'' on the final page, an email will be sent to the
address which you supply confirming your interest in providing a
submission for the record. You MUST REPLY to the email and ATTACH your
submission as a Word or WordPerfect document, in compliance with the
formatting requirements listed below, by close of business Thursday,
April 13, 2006. Finally, please note that due to the change in House
mail policy, the U.S. Capitol Police will refuse sealed-package
deliveries to all House Office Buildings. For questions, or if you
encounter technical problems, please call (202) 225-1721.
FORMATTING REQUIREMENTS:
The Committee relies on electronic submissions for printing the
official hearing record. As always, submissions will be included in the
record according to the discretion of the Committee. The Committee will
not alter the content of your submission, but we reserve the right to
format it according to our guidelines. Any submission provided to the
Committee by a witness, any supplementary materials submitted for the
printed record, and any written comments in response to a request for
written comments must conform to the guidelines listed below. Any
submission or supplementary item not in compliance with these
guidelines will not be printed, but will be maintained in the Committee
files for review and use by the Committee.
1. All submissions and supplementary materials must be provided in
Word or WordPerfect format and MUST NOT exceed a total of 10 pages,
including attachments. Witnesses and submitters are advised that the
Committee relies on electronic submissions for printing the official
hearing record.
2. Copies of whole documents submitted as exhibit material will not
be accepted for printing. Instead, exhibit material should be
referenced and quoted or paraphrased. All exhibit material not meeting
these specifications will be maintained in the Committee files for
review and use by the Committee.
3. All submissions must include a list of all clients, persons,
and/or organizations on whose behalf the witness appears. A
supplemental sheet must accompany each submission listing the name,
company, address, telephone and fax numbers of each witness.
Note: All Committee advisories and news releases are available on
the World Wide Web at http://waysandmeans.house.gov.
The Committee seeks to make its facilities accessible to persons
with disabilities. If you are in need of special accommodations, please
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four
business days notice is requested). Questions with regard to special
accommodation needs in general (including availability of Committee
materials in alternative formats) may be directed to the Committee as
noted above.
Chairman MCCRERY. The Subcommittee hearing will come to
order. Good afternoon, everybody. Welcome to our fifth in a
series of hearings on high-risk issues related to Social
Security numbers (SSNs). Today, we will examine the use of SSNs
by government agencies, businesses, and others, as well as
explore options for improving the confidentiality of SSNs.
For many years, this Subcommittee has worked to protect SSN
privacy. For example, the Committee on Ways and Means approved
bills in the 108th and 106th Congresses that were introduced by
my predecessor, Subcommittee Chairman Clay Shaw. Some of the
provisions from Mr. Shaw's bill in the 108th Congress have
become law, including limits on replacement SSN cards and a
prohibition on the display of SSNs on drivers' licenses.
The SSN plays a key role in both our government and in our
economy. Since the SSN is a unique number for each person and
is widely used, it helps link records at all levels. This, in
turn, facilitates administration of government services and
benefits, business transactions, and fraud prevention. However,
once this essential piece of information is in the hands of
identity thieves, it opens a Pandora's box of problems. Stolen
SSNs can damage lives and businesses' bottom lines.
Today, we will hear about the current patchwork of Federal
and State laws that provide limited and inconsistent
confidentiality protection for SSNs. For example, financial
institutions are restricted in their ability to release SSN
information, but SSNs may appear in any number of publicly
available government records, such as court records or property
ownership records.
Computers and the Internet have enabled unprecedented
information sharing, and anyone who collects, uses, or shares
SSN information has a responsibility to protect its
confidentiality. Today, we will hear about some of the
voluntary steps that government agencies, businesses, and
others are taking to protect SSNs from unauthorized disclosure.
We also will have the opportunity to explore options for
improving SSN protections.
These options involve complicated trade-offs. In some
cases, Federal laws and regulations require the collection of
SSNs to achieve certain goals, such as efficient and accurate
tax administration, child support enforcement, and
identification of money launderers and terrorists. As we
examine alternatives for improving SSN privacy to help prevent
identity theft, we must consider the potential effect on the
attainment of those goals. We must also be mindful of the costs
that individuals, businesses, and government agencies may incur
as a result.
By carefully examining all options to keep SSNs out of the
hands of identity thieves and by listening to as many
stakeholders as possible, we seek a balance between protecting
SSN privacy and allowing its use for legitimate and necessary
purposes. Mr. Levin?
Mr. LEVIN. Mr. Chairman, since I basically agree with your
opening statement and since both of our colleagues here, I
would simply ask that my opening statement be placed in the
record.
Chairman MCCRERY. Without objection. Thank you, Mr. Levin.
[The prepared statement of Mr. Levin follows:]
Opening Statement of The Honorable Sander M. Levin, a Representative in
Congress from the State of Michigan
The problem of identity theft is serious and growing, claiming
almost 9 million victims and costing our economy an estimated $50
billion a year. The issue within our Committee's jurisdiction--
protecting the Social Security Number--is just one piece of a total
strategy to address identity theft, but it is an important one.
Government agencies and the private sector must both do their part to
prevent and detect identity theft.
When it comes to the Social Security number, the critical issue is
striking the right balance between allowing beneficial uses of the
number and protecting privacy for individuals. The rapid advance in
technology in recent years has greatly aggravated the problem of
identity theft. Identity thieves no longer have to rifle through
people's trash in search of private information. They increasingly
obtain this information by tapping into computer databases and other
high-tech means.
Given the evolving nature of the problem, there is a clear need for
ongoing oversight. I look forward to hearing more about the issues and
options from our witnesses.
In the past, our Subcommittee has been able to work to find this
balance in a genuinely bipartisan way, with Republicans and Democrats
sitting across the table and coming to agreement on the issues. I hope
we will be able to continue in that tradition, and work closely
together to act on the information we receive today.
Chairman MCCRERY. Our first panel today is composed of two
distinguished colleagues, Mr. Dreier and Mr. Reyes, each of
whom have expressed an interest in the issues that this
Subcommittee has been exploring for some time now. They were
supposed to be here last time, but we had a series of votes,
and in an effort to not prolong the necessity for other
witnesses to stay, we asked these two colleagues if they could
come today, and they graciously agreed to do that.
Welcome, gentlemen. We are interested in your views on this
subject. We would like for you to try to summarize those views
in about 5 minutes, and we will start with my colleague from
California, Mr. Dreier.
STATEMENT OF DAVID DREIER, A REPRESENTATIVE IN CONGRESS FROM
THE STATE OF CALIFORNIA
Mr. DREIER. Thank you very much, Mr. Chairman. Let me begin
by expressing my appreciation to you for the hard work that you
do in dealing with this issue of Social Security and the
specific issue you are tackling right now, and to Mr. Levin and
Mr. Johnson and Mr. Brady, I thank all of you for being here. I
know we have completed our votes on the floor, but this is a
very important issue.
Mr. Reyes and I have come together in a bipartisan way to
deal with an issue that is getting a great deal of attention.
The issue is immigration reform and border security. I don't
know if any of you all recall that we dealt with that back in
December and our colleagues in the other body are tackling that
question right now, as to how they move ahead this week and
next on this issue.
Virtually everything that we do focuses on the supply side
of the immigration problem. On border security, what is it that
we did? Well, we talked about building a 700-mile wall. We
talked about dramatically increasing the size of the Border
Patrol, a lot of things that are designed to stem the flow of
people coming into this country illegally.
What is it that we really haven't done? We haven't spent
much time and effort looking at why it is that they come to the
United States of America. That is why Mr. Reyes and I, with the
encouragement of T.J. Bonner, who is the President of the
National Border Patrol Council, which is the union of Border
Patrol agents, said, let us not just look at the supply side.
Let us focus on the demand side here.
Why is it that people come into this country illegally?
They come here, 98 percent of them, for one reason and one
reason only. They come here looking for a job. They are looking
to feed their families. They are looking for economic
opportunity. We all know that. Of the 12 million people who are
in this country illegally, we know that nearly all of them are
here as productive members of society, working, paying taxes,
doing things that need to be done in this country.
We know that they are here illegally and there is a strong
sense that we need to take action. We need to take action to
deal with it.
Right now, there are 94 different combinations of
documents, including that flimsy little Social Security card
that was first put into place in 1935, that has not been
updated once since 1935, that are used for a potential employee
to go to a potential employer and get a job--94 different
combinations of documents, including a school ID card, a
library card. What Mr. Reyes and I have come together to do is
very simply to say, why don't we make an attempt to put into
place a smart, counterfeit-proof Social Security card with an
algorithm strip on the back of it, an algorithm strip which
would simply go in and look at the data that is already there.
No new data--the government would not get its hands on any new
data at all.
This counterfeit-proof card--actually, I carry a
counterfeit example of my counterfeit-proof card, this is an
old Union 76 credit card and I have just put the Social
Security on the top of the card. I used T.J. Bonner's picture,
since this was his idea, and his photo is here, and you would
have an algorithm strip on the back.
Someone is going in, Mr. Chairman, to look for a job. The
potential employer decides, I might want to hire this person.
They either swipe this card or call an 800 number. They dial
the 800 number and it goes into a databank which is simply
taking the SSN, linking it with the U.S. Department of Homeland
Security (DHS), and the only information that would go out is
yea or nay. Is this person a qualified worker or not a
qualified worker?
We put on the bottom of this that this is not a national ID
card. I know that from testimony you all have had in the past,
from your last hearing, I understood that real concern is
raised about if it looks like a duck, walks like a duck, acts
like a duck, talks like a duck, it may be a duck. The fact is,
this is not a national ID card. Why? The only utilization of
this card will be for, number one, Social Security purposes,
which are correct, and number two, applying for a new job.
Now, as I look around this room, I feel pretty sanguine
that everybody here, including Xavier Becerra, will be
reelected as they head toward this November election.
Mr. BECERRA. Is that an endorsement?
Mr. DREIER. You don't want my endorsement, Xavier.
[Laughter.]
That might jeopardize it, if you had my endorsement. The
fact is, only people looking, Mr. Chairman, for a new job would
be required to carry this. A senior citizen would never have to
have a counterfeit-proof Social Security card. Someone who is a
small business man or woman would never have to have a
counterfeit-proof Social Security card.
What we have got is we have got a situation where the
magnet that draws people across the border is jobs, and if the
thumbs-down comes from this card from the databank that is
already there, we in our legislation increase the penalty
dramatically and we increase enforcement dramatically. By 400
percent, we increase the penalty, from $10,000 to $50,000 for
hiring, and we have a 5 year prison term, and we also increase
by 10,000 the number of enforcement agents.
Now, you and I were talking yesterday about this and I know
that everyone in this room pays their taxes simply because they
are patriotic Americans, but there may be some people out there
who realize that the Internal Revenue Service (IRS) is there
and that may be the reason that as April 15 approaches, they
will be paying their taxes. I know none of us are among those.
Similarly, if we were to see four or five high-profile
arrests due to people who were knowingly hiring those who are
here illegally, I am convinced that we would see a great
diminution of the number of hirings taking place. I am
convinced that we have, if not the panacea, we have the ability
to look at what deals with 98 percent of the people who come
here illegally to help us address this issue.
Mr. Chairman, I think we have got a great opportunity to do
something here and I am pleased that Members of the Hispanic
Caucus have joined. Again, it is a very, very bipartisan
measure. It is my hope that as we look at the issue of
immigration reform, we will be able to recognize that this is
better for the employer, easier for the businessman or woman
who is looking to hire someone, because they don't have to look
at 94 different combinations of documents and they are free of
responsibility once they have gotten a yea or nay on it. It is
going to help us deal with this very serious problem that we
have of illegal immigration and finally see the Social Security
Administration (SSA) bring that flimsy little paper to which I
was referring into the 21st century.
Thank you very much.
Chairman MCCRERY. Thank you, Mr. Dreier.
[The prepared statement of Mr. Dreier follows:]
Statement of The Honorable David Dreier, a Representative in Congress
from the State of California
Chairman McCrery, Ranking Member Levin, Members of the
Subcommittee, thank you for providing this opportunity to appear before
the Subcommittee's hearing on Social Security high risk issues.
Specifically, I would like to discuss the merits of legislation I
authored with my friend from El Paso, Mr. Reyes, H.R. 98, the Illegal
Immigration Enforcement and Social Security Protection Act, and how it
would help to crack down on the hiring of illegal immigrants and curb
abuse of the Social Security number and card. I have submitted
testimony for the record to two of your previous hearings on this
matter, so I'll keep my statement somewhat brief. I want to have ample
time to answer your questions.
As I mentioned in previous written testimony, there are 94
different combinations of documents on the current I-9 form that can be
used to establish identity and employment eligibility. The Social
Security card is one such document. Because the process by which job
seekers prove their employment eligibility is so unwieldy and
complicated, it plays right into the hands of illegal immigrants who
can obtain or copy Social Security numbers and cards. In fact, easy
employment powers the job-magnet that draws people to illegally enter
our country. That is why Mr. Reyes and I authored H.R. 98. We need to
address the ``demand-side'' of the illegal immigration issue.
H.R. 98 makes the Social Security card fraud-proof and provides
employers with a tamper-free tool to verify work authorization status.
This will come as a great relief to employers who have been forced to
act as immigration and document experts. Under the bill, the Social
Security Administration (SSA) is required to issue cards that contain a
digitized photo of the cardholder, as well as other countermeasures to
reduce fraud. This includes replacing the flimsy Social Security
banknote paper with a durable plastic or similar material. Also, each
card will contain physical security features designed to prevent
tampering, counterfeiting or duplication.
In addition, this card will have an electronic signature strip that
contains an encrypted electronic identification code unique to that
individual. Employers could verify worker eligibility via a Department
of Homeland Security (DHS) database by swiping the card through an
electronic card-reader or simply calling a toll-free number. The
employer would know instantaneously whether or not they were permitted
to hire the individual in question. As my colleagues on the
Subcommittee know, the House-approved border control bill directs SSA
to study the implementation and feasibility of such a proposal.
I understand that privacy concerns have been raised regarding H.R.
98; that the bill would create a national ID card. Let me just say
unequivocally that H.R. 98 does not create a national ID card. In fact,
section 11 of the bill unconditionally prohibits the use of the Social
Security card as a national ID card. Let us not forget that job
applicants, under current law, are already required to show documents
that establish their identity and employment eligibility. Many, if not
most, choose to show their employer the combination of a photo ID and
their Social Security card. Eliminating a step by actually placing the
photo on the Social Security card itself doesn't take us any further
down the road of creating a national ID card.
The only time anyone would actually be required to carry the
improved Social Security card would either be for Social Security
purposes or when they are applying for a new job. H.R. 98 explicitly
states that individuals cannot be required to carry the new card,
except for these two purposes. And the card itself will contain a
disclaimer stating: ``This card not to be used for the purpose of
identification.'' Social Security cards had a similar disclaimer from
1946 to 1972.
I also understand that concerns have been raised regarding the
privacy and security of the employment eligibility database created
under H.R. 98. Let me just say that no one is more sensitive to
concerns about privacy and data security than I am. But let's remember,
I wouldn't be sitting here in front of you today if we were already
doing a great job of securing our Social Security and immigration
systems. Nonetheless, we have taken great care to ensure the integrity
of the Employment Eligibility Database which H.R. 98 creates.
Specifically, the bill prohibits the use of any information in the
database by any DHS employee for any purpose other than administering
the database, and it requires DHS to limit access to the database to
only those employees who administer the database.
We also need to keep in mind that the government already has the
information that would be contained on this new Social Security card.
An individual's eligibility to work under the law is dependent on
whether they are a U.S. citizen, and if not, their immigration status.
SSA already maintains citizenship and immigration status files for each
worker issued a Social Security card, and our legislation would not
require them to gather any additional information than they do
currently.
The only thing H.R. 98 does is allow the information that SSA
already collects to be used for the purpose of verifying a prospective
employee's eligibility to work--via the DHS database--and the
authenticity of their Social Security card. This streamlines two
separate pre-existing government functions: determining a person's
eligibility to work and ensuring that employers do not hire anyone
ineligible to work.
Mr. Chairman, in recent years, we have improved the security of
almost every government-issued document, passports, green cards,
driver's licenses, save one--the Social Security card. With over five
million cards issued annually, we need to realize that it's time to
bring the Social Security card into the 21st Century. In the process,
we will end the magnet of jobs for illegal immigrants.
I believe that H.R. 98 represents an excellent starting point to
secure the Social Security card and enhance our efforts to stop the
hiring of illegal immigrants. I look forward to working with the
Members of the Subcommittee to reach these important goals.
Chairman MCCRERY. Now, our colleague from Texas, Mr. Reyes.
STATEMENT OF SILVESTRE REYES, A REPRESENTATIVE IN CONGRESS FROM
THE STATE OF TEXAS
Mr. REYES. Thank you, Mr. Chairman, Mr. Levin, fellow
colleagues. I am pleased to be here with my good friend and
colleague from California, and I just want to make three
points, but before I make those points, I want to tell you that
in 1986, when the Immigration Control and Reform Act (P.L. 99-
603) (IRCA) was passed, it had a provision for employer
sanctions in there. Had Congress provided the resources to INS,
Border Patrol back then, we wouldn't be having the debates that
we are having today.
Fast forward to 2006 and the three points that I want to
make are that, as my colleague stated, the technology has
gotten to the point where we feel very confident that a Social
Security card with biometrics and algorithm and all the other
things that have been mentioned were included, it would be safe
to say--I always hesitate from the law enforcement background
that something is counterfeit-proof, but it would be very hard
to replicate with the kind of technology that is available
today. You need that card that would, in essence, relieve any
employer from the responsibility of having to look at and file
as many as nine and ten documents, as the I-9 provision
currently requires, with the fraud-proof Social Security card.
The second point I want to make is that along with that
card, you need a system, a system where an employer, once he is
presented with that card, can check and verify whether it is
the individual. If there is a question, they can ask somebody
to come out and check it out or maybe check it out through the
computer. Those systems exist today. They are not cheap, but I
would say they are a lot cheaper than all of these other
proposals that have been--and not as controversial as the ones
that have been proposed in the bill that we passed in December,
the wall, taking citizenship, all these things that are very
contentious.
The third point I want to make is that adequate resources
must be provided along with it. No system is good if you don't
provide the resources for checks. You have got to provide the
money. You have got to provide the people. Our bill does that.
Those are the three basic points I wanted to make. I have a
statement that I would like to include into the record, but
now, being respectful of your time, I will yield back the
balance of my time, subject to any questions you might have for
me or for my colleague.
Chairman MCCRERY. Thank you, Mr. Reyes.
[The prepared statement of Mr. Reyes follows:]
Statement of The Honorable Silvestre Reyes, a Representative in
Congress from the State of Texas
Good afternoon. I would like to thank Chairman Jim McCrery and
Ranking Member Sander Levin for giving me the opportunity to testify
before this Subcommittee today about the role a new, improved Social
Security card could play in allowing employers to determine whether
prospective employees are authorized to work in the United States and,
ultimately, in helping to curb illegal immigration.
I believe I come to this hearing with a somewhat unique perspective
on this important issue. My district of El Paso, Texas--along with its
sister city, Ciudad Jurez, Mexico--comprise the largest metropolitan
area on the United States-Mexico border. Also, prior to coming to
Congress, I was in the United States Border Patrol for 26\1/2\ years. I
served as Chief, first in the McAllen sector and subsequently in the El
Paso sector from 1984 until my retirement in 1995. I have also done my
share of interior immigration enforcement at work sites where
undocumented aliens were employed.
As the only Member of Congress with a background in immigration and
experience defending our nation's borders, I have firsthand knowledge
of what we need to do to reduce illegal immigration and help keep
America safe. I have witnessed the difference that strong enforcement
of employment laws can make in discouraging attempted illegal entries
into the United States. Furthermore, I believe that a fraud-proof
Social Security card, coupled with a computerized employment
eligibility verification system and properly enforced employer
sanctions, could be a critical part of that effort.
In 1986, Congress passed the Immigration Reform and Control Act,
which included new sanctions against employers who hire illegal
immigrants. After that law was enacted, in parts of the country such as
the border region where those of us in law enforcement had the
resources to enforce those sanctions, we saw a significant decrease in
the number of people trying to enter the country unlawfully. Clearly,
once word got out that employers would not hire illegal immigrants, a
major incentive to enter the United States was greatly reduced and
attempted entries dropped off considerably.
I have been pleased to work with my friend and colleague from
California, Rep. David Dreier, on H.R. 98, the Illegal Immigration
Enforcement and Social Security Protection Act of 2005. The bill would
substantially expand and improve on the 1986 provisions by enhancing
the security of Social Security cards and allowing employers to
instantaneously verify a prospective employee's eligibility to work in
the United States. The bill would also increase civil and criminal
penalties for employers who hire illegal immigrants or fail to verify
their employment eligibility.
If properly funded and with appropriate oversight and privacy
protections, H.R. 98 would be an important step toward halting the flow
of people seeking to enter the United States illegally in order to find
employment. By doing so, our immigration and border security personnel
will be able to focus more of their time, effort, and resources on
those who may be trying to enter the country to do us harm.
As you continue to hold hearings on important Social Security
matters, I encourage this Subcommittee to consider how a next-
generation Social Security card and employment eligibility system could
help address some of the urgent immigration matters we face in this
country.
Again, thank you for allowing me to testify today, and I look
forward to continuing to work with my colleagues on this important
issue.
Chairman MCCRERY. Both of your statements will be included
in the record. Your written statements will be included in the
record in their entirety.
Mr. Dreier, you said the employer would either swipe the
card or call an 800 number. Explain that. What 800 number would
they call?
Mr. DREIER. Basically, what that would mean is that there
would be a databank, the information, again, that the
government already has, known information. Is someone an
American citizen? Are they here on an H-2A visa, which is
basically a farmworker visa, some other kind of work permit?
They would simply be told yes or no. This person who is
applying for a job to work in your company is, in fact, a
qualified worker, and----
Chairman MCCRERY. If you are an employer and you call this
800 number, what do you say?
Mr. DREIER. What you do is you provide the information that
is there, the SSN, and obviously the goal would be to have a
swipe for people so that they would be able to utilize the
algorithm strip. There would be a transition period, clearly,
through which they would go that would--obviously, a big
challenge----
Mr. REYES. Mr. Chairman, if I can just add to that, if you
don't mind----
Chairman MCCRERY. Sure.
Mr. REYES. What happens today when you go into a restaurant
or you go into a shop and you pay with a credit card, they put
it into the system. They swipe it or they insert it in the
machine-readable system. If there is an issue or a problem that
they think it may not be you or some other thing, then the
merchant will call an 800 number and they will verify the
account and all these other things.
That is what we have in mind here. Remember, we are talking
about employers, employers that are already used to, by and
large, as every American is, in utilizing this kind of a
system. It won't be exactly a system like the ATM or the credit
card system, but it will be similar, with the card sufficing as
proof that it is the individual, that it was presented to the
employer, and the employer, in fact, verified it. Any other
questions in there about that, there is an 800 number. They
pick up the phone, they call and they talk to either a call
center or a DHS system that would answer any questions and,
again, would relieve the employer of the liability because they
have gone and made a good faith effort.
Chairman MCCRERY. I was just trying to get to the question
of why the need for a tamper-proof card. If all you need is the
number and you can call an 800 number, it seems to me you would
need the card----
Mr. DREIER. Well, I think as Mr. Reyes says, it really
would be designed as a back-up to deal with----
Chairman MCCRERY. With questions?
Mr. DREIER. --because the goal is to really utilize this
algorithm strip that is there that is----
Chairman MCCRERY. Yes.
Mr. DREIER. --again, and I think that Silver is right on
target when he says that the notion of saying that something is
100 percent absolutely counterfeit-proof is a bit of a stretch,
but there has been no attempt since 1935 to really move the
Social Security card itself into the modern era, and I think
that we ought to at least engage in the fight, trying to put
into place the most technologically advanced mechanism we
possibly can to deal with this.
Chairman MCCRERY. Would you put a picture on the----
Mr. DREIER. Yes, it has a photograph on it.
Chairman MCCRERY. It has a photograph on the card, so that
would be----
Mr. DREIER. When a person becomes of working age--I know
that some people have raised this question, well, would you put
the baby picture on, because people get their Social Security
card. It is when in their State they would become of working
age that the photo-embedded item would be provided on there.
Chairman MCCRERY. Okay. Mr. Levin?
Mr. LEVIN. I am tempted to ask a question, but I think it
involves larger issues. For example, what would happen to the
people of working age, the 12 million who are here now
illegally?
Mr. DREIER. Well, I am happy to answer that question. I
think that part of the goal here is that since we are focusing
on this question, if 98 percent of the people who come here
illegally are coming to get a job, and with a tamper-proof,
smart, counterfeit-proof, whatever you want to call it, Social
Security card, they can't get a job, my sense is that many of
them might choose to return to a country of origin. I am not
saying that absolutely everyone, but I am convinced that would
go a long way toward dealing with this overall sweeping problem
that we are dealing with of our border security and the problem
of illegal immigration.
Mr. LEVIN. I guess my question does open up a larger issue,
so we will leave it for another day since the Senate is kind of
monopolizing discussion at the moment.
Mr. DREIER. That is why we should weigh in over here a
little bit this week on it.
Mr. LEVIN. Okay. Thank you.
Chairman MCCRERY. Well, obviously, if we went to a guest
worker program of some sort, then that would facilitate getting
something like this----
Mr. DREIER. Oh, absolutely.
Chairman MCCRERY. --that could be used for----
Mr. DREIER. I will say that I believe that as we do this,
it is imperative that we have a responsible, non-amnesty-
granting temporary worker program that does go hand-in-hand
with this so that we can meet the economic demand that exists
in this country and then tackle the question that you correctly
raise.
Mr. REYES. If I can just----
Chairman MCCRERY. Please.
Mr. REYES. We come together on offering this as one part of
the solution, but I do believe that we have got to have
comprehensive immigration reform. We have got to have secure
borders. We have got to have a guest worker program, which this
would fit in with. Then you have got to take care of, as
Congressman Levin said, you have got to take care of those
people that have been in this country, paying their taxes,
being part of our community. That is what I think would be a
realistic way to implement this.
What this does is it becomes part of the mechanism of
making sure that we don't have the magnet--I can tell you from
personal experience, after IRCA, we saw a dramatic downturn in
attempted illegal entries for about 3 years. Some areas of our
border--I was chief in McAllen at the time with Border Patrol--
some areas of our border saw a decline in attempted entries
into this country of as much as 80 percent. The reason for that
was the publicity that was generated that, for the first time,
there were employer sanctions in place. You would not be able
to get a job. The attraction of undergoing that arduous trip
through the border and trying to get a job somewhere in this
country was gone.
It wasn't until about 3 years into the program that people
started realizing, well, Congress didn't allot the personnel to
check, so my uncle or my cousin or my friend said that if you
can make it to Denver, you can still get a job. Even though it
had the requirements of the I-9, there were no teeth in the
law.
I think that this on its own probably is not the whole
solution, but it gets us part of the way, and then
comprehensive immigration reform, I think would take us the
rest of the way.
Mr. DREIER. Mr. Chairman, what this really does is, again,
as we look at this question, why is it that people come into
this country illegally, they come seeking a job. People use a
Social Security card, often a fraudulent one, to get a job and
this is the way to end that demand side, the magnet that draws
them in, by having a structure in place like this. I agree
that, overall, this is not the panacea, but I think that this
will go an awful long way toward addressing this issue.
Chairman MCCRERY. Mr. Johnson?
Mr. JOHNSON. Thank you, Mr. Chairman. I am wondering how
easy it is to duplicate a card like that.
Mr. DREIER. It is a great question, Sam, and I will tell
you that one of the things that we have done is we have said
that nothing has been done since 1935.
Mr. JOHNSON. Right.
Mr. DREIER. I believe that with the technological advances
that are made, that it would be, I hope, impossible to
duplicate it. There are no guarantees, but we should do every
single thing within our power to, after these many decades
having done nothing, use the technology that we have today to
ensure that it is as tamper-proof, as smart, as counterfeit-
proof as we possibly can.
Mr. JOHNSON. I couldn't agree with you more. What kind of
upgrade are you going to have to have to get--business offices
don't have the ability to scan cards, a lot of them.
Mr. DREIER. Well, that is a great question, and obviously
this is something that would have to be phased in over a period
of time. At the end of the day, I think that it would be easier
on businesses because of the fact that they don't have to look
at these 94 different combinations of documents, and I am,
frankly, offended by a lot of this stuff where you would ask
one person whether or not they are an American citizen and not
another person based in the way someone might look. I am very
offended by that. I think that the existence of this card will
go a long way toward helping that. Obviously, we will have to
deal with businesses as they look at the challenge of having
the equipment----
Mr. JOHNSON. Yes, there is going to be a cost involved. You
are from California, and you have got a lot of agricultural
migrant workers out there. How are you going to get them a
card?
Mr. DREIER. You know what? The fact----
Mr. JOHNSON. Are we going to--let me rephrase it a little
bit.
Mr. DREIER. Sure.
Mr. JOHNSON. Guys that come across legally for migrant
work, are we going to give them some kind of an identification?
Mr. DREIER. Well, see, what they would have on this is they
would, within the database, it would be stated that they are
here, if it is an H-2A visa or any kind of work permit, that
would mean that they are a qualified worker by virtue of it. If
we do end up with some kind of responsible non-amnesty-granting
temporary worker program, someone who is here under that would
be able to have this card for those purposes. If someone is
here illegally and they don't have a card and they are hired,
then that employer would be subjected to a, as I said, a 400-
percent increase in the fine, 5 years in prison, and we hire
10,000 enforcement agents to make sure that this is enforced,
which gets back to Silver's point, which is a very important
one.
If you look at IRCA, we coupled amnesty with sanctions and
unenforced sanctions is what ended up once again reigniting
this flow of people in illegally----
Mr. JOHNSON. Well, that is what I was about to say. If you
depend on the employer, they are not going to do it.
Mr. DREIER. Exactly.
Mr. JOHNSON. Thank you, Mr. Chairman.
Mr. DREIER. I will say that I didn't believe that the
employer should be turned into a Border Patrol agent.
Mr. JOHNSON. I agree.
Mr. DREIER. That is one of the concerns that I have, and I
know we share that. I voted against the--I was here in 1986 and
voted against IRCA for that reason.
Mr. JOHNSON. Thank you.
Chairman MCCRERY. Thank you, Mr. Johnson. Mr. Becerra?
Mr. BECERRA. Thank you to the two of you for being here and
making your presentation. It is rather interesting. We are
about to have witnesses who will come and give us testimony on
the Social Security card, the use of the number, and so forth,
and we have had over the course of actually the last few years
a number of hearings. Last session, we passed out, without a
single ``no'' vote, legislation by Representative Shaw to
actually restrict the use of the SSN. It is interesting,
because your proposal would make it the universal identifier
and we are about to hear from witnesses who are going to tell
us why there are problems in allowing the number to be more
universally available. It is a fascinating discussion.
We need to figure out a way to be able to identify folks.
Right now, the SSA would tell you, if they were here to
testify, that just by having a number, we can't tell you, or
they can't tell us if that individual is a citizen----
Mr. DREIER. Absolutely.
Mr. BECERRA. --or not. They may or may not be able to tell
us whether that person is here legally. You would have to do a
lot of work before you could get the SSN to become a national
identification number.
Mr. DREIER. Well, we don't want it to be that, though. We
don't want it to be a national ID card. In fact, as I said, we
actually have on this card that it is not a national ID card
and it is used only for Social Security purposes and when
applying for a new job.
Mr. BECERRA. Okay, so then, Mr. Chairman, let me ask you
this. What are you going to tell all the credit bureaus, the
banks, all the folks, all the industries that currently use the
SSN--hospitals used to use them publicly as the patient
identification number--what do you tell all those industries
that are telling us right now, you can't do more to restrict
our utilization of the number because that has become our
universal identifier within our industry?
Mr. DREIER. You see, that is up to them. What I have said
is a national ID card, getting on board an airplane, utilizing
it for a Federal purpose, which is really what we are in the
business of doing. The way some private entity or a State or
local entity handles the use of this number and card is their
business----
Mr. BECERRA. Would you prohibit the use for any other
purposes?
Mr. DREIER. Yes, I am not saying--I am not saying that it
can't be used, because I don't want to in any way restrict the
SSN from being utilized for purposes that we determine are
necessary. All I am saying is that I don't want the use of a
smart, counterfeit-proof Social Security card to be
misinterpreted as some sort of national identification card.
That is all I am arguing.
Mr. BECERRA. The thing there, David, is if indeed it is a
strong identifier that has good firewalls from abuse, then it
is going to become a great identifier for a lot of other folks,
as well. If it works well for identifying whether or not you
are entitled to work in this country, someone is going to say,
well, it is probably going to work well to identify whether or
not you have got good credit or whether or not we should offer
you this mortgage. I think we have to be very careful. Unless
you prohibit its use for other purposes----
Mr. DREIER. I think that is something we might consider
looking at, if you want to.
Mr. REYES. If I can say something, currently--I just became
a grandfather for the third time. When your baby is born, he or
she gets a Social Security card.
Mr. BECERRA. Yes.
Mr. REYES. When you volunteer for the Army or the Navy, the
Marine Corps, the Air Force, your Social Security card becomes
your identifier. When I was drafted, I was given a number, RN-
18746717. You never forget that. Today's service people use
that Social Security card for those purposes. I don't know
that--and maybe David has given it more thought, but I haven't
given it a lot of thought in terms of why you would want to
preclude or limit somebody's ability to use the SSN when I
know----
Mr. BECERRA. If you were to stay a little longer, you would
hear testimony by someone who actually had her SSN misused for
identity purposes----
Mr. REYES. See, even in this system, I think here is what
is important about having the system. I made the three points.
The system would tell you if somebody else is using the same
number, because in today's technology, the availability--if
somebody presents--say, for instance, somebody came up with a
system of----
Mr. BECERRA. Yes, but by then, it is too late----
Mr. REYES. No----
Mr. BECERRA. --for the person who had his or her identity
stolen.
Mr. REYES. The point is, it will raise an alert when that
card is presented. It is like--and I don't know how they work
currently on use of credit cards, but I know that occasionally
when I give a credit card, especially when you travel out of
the country, they will ask for identification. My wife will get
a call at home and say, this purchase was made in London or
whatever. We want to make sure that you or your husband is
comfortable that one of you is in London.
The technology exists that would be able to tell the system
that the SSN that was presented in Peoria, Illinois, all of a
sudden a week later was presented in Los Angeles and maybe
within 72 hours was presented within Miami, so that tells you
that number has been compromised somehow and the system alerts
DHS and they would check all three people that presented that
card.
Mr. DREIER. Which one of the two of you is making all those
purchases, too.
Mr. REYES. Yes.
Mr. BECERRA. Thank you, Mr. Chairman. Thank you, gentlemen.
Chairman MCCRERY. Mr. Brady?
Mr. BRADY. Thank you, Mr. Chairman, and David and Grandpa
Reyes, it is good to have you here today. I think Xavier's
comment about SSNs, one of the issues we are struggling with is
our SSN system already so compromised that we can never really
bring integrity to the system. Your point is that if Social
Security is going to be a key employer verification in this
whole immigration-Border Security debate, make it counterfeit-
proof. Here is the way to do it.
I think, in the end, the question of whether we will have a
counterfeit or attempt to create a counterfeit Social Security
document, it isn't a matter of if we do but when and how we do
it, how we structure it, and I know that I supported the House
bill on border security that passed earlier, or late last year,
but I know that today, if we had to rely on the Social Security
system to verify workers in this country, either new or
existing, the system would simply crater. It doesn't have the
integrity, the resources, the technology to do that, so I just
appreciate you bringing a bipartisan idea to the table and I
appreciate you, Chairman, letting us hear what some of our
Members who are giving this issue some thought a chance to talk
to us about that.
I don't really have any questions. Thanks for giving this a
thoughtful----
Mr. DREIER. Let me just thank you very much for that,
Kevin, and say that I believe that we are in a position where
this can go a long way toward addressing those identity issues,
which Xavier correctly raised, dealing with the question that
Sandy raised as to exactly what happens to the people who are
here, and tackles this whole issue of the credibility of Social
Security and the utilization of the number itself as we head to
the future.
I had a conversation yesterday with a number of Senators
about this. They are in the midst of their debate on this, and
I should say that this provision is actually included in one of
the Senate bills that has been introduced. John Cornyn and Jon
Kyl have introduced legislation that actually includes H.R. 98
as an important component of it.
It is my hope that we will be able to see this move as
expeditiously as possible through so that we can include this
as part of a comprehensive package, and I certainly leave it up
to you all to demonstrate for us what the best approach is.
Chairman MCCRERY. Thank you, Mr. Brady.
Mr. Dreier, Mr. Reyes, thank you very much for being with
us----
Mr. DREIER. Thank you very much for having us.
Chairman MCCRERY. --and for showing up today and sharing
with us your thoughts.
Mr. DREIER. Thanks, Mr. Chairman.
Chairman MCCRERY. Our next panel is composed of two
witnesses, Ms. Cynthia Fagnoni, Managing Director of Education,
Work force, and Income Security, United States GAO, and Joel
Winston, the Associate Director, Division of Privacy and
Identity Protection, Bureau of Consumer Protection, Federal
Trade Commission.
Your written testimony will be included in the record in
its entirety and we would like for you to try to summarize your
written testimony in about 5 minutes, and Ms. Fagnoni, we will
begin with you. Welcome.
STATEMENT OF CYNTHIA M. FAGNONI, MANAGING DIRECTOR, EDUCATION,
WORKFORCE, AND INCOME SECURITY ISSUES, U.S. GOVERNMENT
ACCOUNTABILITY OFFICE
Ms. FAGNONI. Thank you. Thank you, Mr. Chairman, Mr. Levin,
and Members of the Subcommittee. I am pleased to be here this
afternoon to discuss ways to better protect the SSN.
Although the SSN was originally created as a means of
tracking workers' earnings and eligibility for Social Security
benefits, today, the number is used for many non-Social
Security purposes. The wide use of the SSN is significant
because once it is obtained fraudulently, it can be used to
create false identities for financial misuse, to falsely obtain
credit, or to assume another person's identity.
Today, I would like to discuss the use of SSNs by
government agencies and certain private sector entities,
Federal laws that regulate the use and disclosure of SSNs, and
gaps that remain in protecting the SSN and what more could be
done. My testimony is based on reports GAO has issued over the
last several years, many of them completed at the request of
this Subcommittee.
First, let me begin with the widespread use of SSNs by both
the public and private sectors. Federal, State, and county
government agencies rely extensively on the SSN to maintain
records with unique identifiers and ensure program integrity.
Last year, we reported that SSNs are available in a variety of
public records held by States, local jurisdictions, and courts,
public records or documents routinely made available to the
public for inspection, such as marriage licenses and property
transactions. We also reported that information resellers,
consumer reporting agencies, and health care organizations use
SSNs for a variety of purposes, including verifying a person's
identity or matching existing records.
Earlier this year, we reported that banks, security firms,
telecommunications companies, and tax preparation companies
routinely obtain SSNs from their customers for authentication
and verification purposes and sometimes share SSNs with their
contractors for limited purposes, such as identification
requirements, debt collection, and data storage.
Regarding the laws, although Federal and State laws have
been enacted to restrict the use and disclosure of consumers'
personal information, including SSNs, no one law
comprehensively regulates the SSN use and protections.
Moreover, many of the laws enacted are industry-specific and do
not apply broadly.
Several States have enacted laws to restrict the use and
display of SSNs. California, for example, has enacted such a
law. Thirteen other States now have passed laws similar to
California's. Four States--California, Georgia, Nevada, and New
York--require notification of security breaches, another
example. As a result of such State restrictions, some companies
now notify customers of security breaches regardless of where
they happen in the country.
Although Congress and State legislatures have enacted laws
that help to restrict SSN display and protect an individual's
personal information, we have found gaps in the protection of
SSNs. We have reported that government agencies at all levels
lack the uniform approach to ensuring the security of the SSN.
In addition, we found that gaps exist in the Federal law and
oversight of different industries that share SSNs with their
contractors. SSNs also continue to be exposed on government-
issued ID cards. Finally, few restrictions are placed on
information resellers to obtain and resell SSNs in the course
of their business.
GAO has made a number of recommendations in proposed
matters for Congressional consideration to address these gaps.
We propose that Congress pull together a representative group
of Federal, State, and local officials to develop a unified
approach to safeguarding SSNs used at all levels of government.
We also recommended that OMB advise all levels of government of
the applicability of the Privacy Act (P.L. 93-579) and develop
a government-wide policy to ensure a consistent approach for
displaying SSNs on ID cards.
Regarding the private sector, we have recommended that
Congress consider possible options for addressing the gaps in
the existing Federal requirements for safeguarding SSNs shared
with contractors. We continue to focus on SSN issues, identify
gaps, and will continue to recommend possible solutions, where
appropriate.
Mr. Chairman, this completes my oral statement. I would be
happy to answer any questions you or other Members of the
Subcommittee may have. Thank you.
[The prepared statement of Ms. Fagnoni follows:]
Statement of Cynthia M. Fagnoni, Managing Director, Education,
Workforce, and Income Security, U.S. Government Accountability Office
Mr. Chairman and Members of the Committees:
I am pleased to be here today to discuss ways to better protect the
Social Security Number (SSN). The SSN was created as a means to track
workers' earnings and eligibility for Social Security benefits.
However, the SSN has evolved beyond its original intended purpose and
has become the identifier of choice for public and private sector
entities, and is used for numerous non-Social Security purposes. This
is significant because SSNs, along with a name and date of birth, are
the pieces of information most often sought by identity thieves. Once
an SSN is obtained fraudulently, it can then be used to create false
identities for financial misuse, assuming another individual's
identity, fraudulently obtaining credit, violating immigration laws, or
fleeing the criminal justice system. Recent statistics suggest that the
incidence of identity theft is rapidly growing. The Federal Trade
Commission (FTC) estimated that over a 1-year period nearly 10 million
people--or 4.6 percent of the adult U.S. population--discovered that
they were victims of some form of identity theft, translating into
estimated losses exceeding $50 billion. FTC also reported that most
victims of identity theft do not report the crime, and, therefore, the
total number of identity theft incidences is unknown.
Over the last few years Congress and some states have recognized
the importance of restricting the use and display of SSNs by both
public and private sectors. As a result, federal and state laws have
begun to be enacted that to some degree protect individual's personal
information, including SSNs. GAO has issued a number of reports and
testified before this Subcommittee about the various aspects of SSN use
in both the public and private sectors. (See related GAO products at
the end of this testimony.) Accordingly, you asked us to speak about
some of our findings regarding SSN use and protections. My remarks
today will focus on (1) the use of SSNs by government agencies and
certain private sector entities, (2) the federal laws that regulate the
use and disclosure of SSNs, and (3) the gaps that remain in protecting
the SSN and what more could be done.
In summary, SSN use is widespread by both the public and private
sectors. Agencies at all levels of government frequently collect and
use SSNs to administer their programs, verify applicants' eligibility
for services and benefits, and perform research and evaluations of
their programs. In addition, SSNs are available in a variety of public
records held by states, local jurisdictions, and courts, appearing in
records that document common life events and transactions, such as
marriages and home purchases. Certain private sector entities also use
SSNs. Information resellers, credit reporting agencies (CRAs), and
health care organizations routinely obtain SSNs from various public and
private sources, and use SSNs for various purposes, such as to build
tools that verify an individual's identity or match existing records.
In addition, private sector entities that engage in third party
contracting sometimes share SSNs with their contractors for limited
purposes.
There is no one law that comprehensively regulates SSN use and
protections. However, certain federal laws have been enacted to
restrict the use and disclosure of consumers' personal information,
including SSNs, but these laws tend to be industry-specific and do not
apply broadly. In addition, certain states had begun to enact their own
legislation restricting the use and display of SSNs by public and
private sector entities, which has subsequently led other states to
start enacting similar regulation. Finally, Congress is currently
considering several proposals to restrict SSN use and display, similar
to state legislation.
Although some action has been taken at the federal and state level
to protect SSNs, more could be done. In our prior work, we found gaps
in the practices for protecting SSNs by government agencies and across
industry sectors. As a result, we made recommendations to federal
agencies to address the issues we found and proposed matters for
Congress to consider. For example, we found that certain measures that
could help protect SSNs are not uniformly in place at all levels of
government. In addition, there are gaps in the federal law and
oversight in different industries that share SSNs with their
contractors, and there are few restrictions placed on certain entities'
abilities to obtain and use SSNs in the course of their business.
Finally, SSNs are widely exposed in a variety of public records and are
still subject to exposure on identity cards issued under federal
auspices. To address some of these issues, we made recommendations and
proposed matters for congressional consideration. For example, to
address gaps in the government uses of SSNs and the exposure of SSNs in
public records and on identification cards, we advised Congress to
convene a group of government officials to develop a unified approach
to safeguarding SSNs. To address the gaps in federal laws that would
apply to industries that share SSNs with their contractors, we
recommended Congress consider options to restrict the use and display
of SSNs to third party contractors.
Background
The Social Security Act of 1935 authorized the Social Security
Administration (SSA) to establish a record-keeping system to manage the
Social Security program, which resulted in the creation of the SSN.\1\
Through a process known as ``enumeration,'' unique numbers are created
for every person as a work and retirement benefit record. Today, SSA
issues SSNs to most U.S. citizens, but they are also available to non-
citizens lawfully admitted to the United States with permission to
work. Lawfully admitted noncitizens may also qualify for a SSN for
nonwork purposes when a federal, state, or local law requires that they
have a SSN to obtain a particular welfare benefit or service. SSA staff
collect and verify information from such applicants regarding their
age, identity, citizenship, and immigration status.
---------------------------------------------------------------------------
\1\ The Social Security Act of 1935 created the Social Security
Board, which was renamed the Social Security Administration in 1946.
---------------------------------------------------------------------------
With the enhancement of computer technologies in recent years,
private sector businesses are increasingly computerizing their records;
as a result, these enhancements have spawned new businesses activities
involving the aggregation of person information. Information resellers,
sometimes referred to as information brokers, are businesses that
specialize in amassing consumer information including SSNs for
informational services. They may provide their services to a variety of
customers, either to specific businesses clients or through the
Internet to anyone willing to pay a fee. Consumer reporting agencies,
also known as credit bureaus, are agencies that collect and sell
information about the creditworthiness of individuals. CRAs collect
information that is considered relevant to a person's credit history,
and obtain SSNs from their customers or businesses that furnish data to
them, as well as from private and public sources. Organizations that
provide health care services also commonly use consumers' SSNs. They
obtain SSNs from individuals themselves and companies that offer health
care plans.
In recent years, companies have increasingly relied on the use of
contractors to perform certain activities and functions related to
their business operations. This trend has often been referred to as
outsourcing. However, no commonly recognized definition of outsourcing
exists, and there has been confusion over whether it encompasses only
activities a company performed in-house or includes any activity a
company may contract out. According to outsourcing experts,
approximately 90 percent of businesses contract out some activity
because they find either it is more economical to do so or other
companies are better able to perform these activities. Some of the
activities companies outsource will require that contractors be
provided personal information about the companies' customers in order
to perform those activities, in some cases, this information includes
SSNs.
Due to the pervasive use of SSNs, individuals are routinely asked
to disclose their SSNs, along with other personal identifying
information, for numerous purposes. In some instances where individuals
provide their SSNs to government entities, documents containing the SSN
are routinely made available to the public for inspection. The
widespread disclosure of SSNs in public records has raised concern
because it can put individuals at increased risk of identity theft. In
addition, given the explosion in the Internet use and the ease with
which personally identifiable information is accessible, individuals
looking to steal someone's identity are increasingly able to do so.
According to FTC, it receives roughly 15,000 to 20,000 contacts per
week on its hotline and Web site, or through the mail from victims and
consumers who want to avoid becoming victims.
Both Government and Private Sector Entities Collect and Use SSNs for a
Variety of Purposes
Government entities are generally required by law to collect SSNs
to determine individuals' eligibility for services and benefits. SSNs
are also widely available in public records maintained by state and
local governments and the courts. Certain private sector entities, such
as information resellers, CRAs, and healthcare organizations obtain
SSNs from public and private sources, or directly from their customers,
and use them for various purposes. In addition, banks, securities
firms, telecommunication firms, and tax preparers engage in third party
contracting and sometimes share SSNs with their contractors for limited
purposes.
Government Entities Are Required by Laws and Regulations to Collect
SSNs, and Use Them for Various Purposes
As required by a number of federal laws and regulations, agencies
at all levels of government frequently collect and use SSNs to
administer their programs, to link data for verifying applicants'
eligibility for services and benefits, and to conduct program
evaluations.\2\ For example, the Personal Responsibility and Work
Opportunity Act of 1996 mandates that, among other things, states have
laws in place to require the collection of SSNs on driver's license
applications. Such laws and regulations have contributed to the
widespread use of SSNs by government agencies, because the SSN serves
as a unique identifier.
---------------------------------------------------------------------------
\2\ GAO, Social Security: Government and Commercial Use of the
Social Security Number Is Widespread, GAO/HEHS-99-28 (Washington, D.C.:
February 16, 1999) and GAO, Social Security Numbers: Government
Benefits from SSN Use, but Could Provide Better Safeguards, GA0-02-352
(Washington, D.C.: May 31, 2002).
---------------------------------------------------------------------------
Government agencies use SSNs for a variety of purposes. We have
found that agencies typically used SSNs to manage their records and to
facilitate data sharing to verify an applicant's eligibility for
services and benefits.\3\ For example, agencies use SSNs
---------------------------------------------------------------------------
\3\ GA0-02-352.
for internal administrative purposes, which included
activities such as identifying, retrieving, and updating records;
to collect debts owed the government and conduct or
support research and evaluations as well as using employees' SSNs for
activities such as payroll, wage reporting, and providing employee
benefits;
to ensure program integrity, such as matching records
with state and local correctional facilities to identify individuals
for whom the agency should terminate benefit payments; and
for statistics, research, and evaluation; \4\
---------------------------------------------------------------------------
\4\ The Bureau of the Census is authorized by statute to collect a
variety of information and is prohibited from making it available,
except in certain circumstances.
---------------------------------------------------------------------------
SSNs Are Widely Available in Public Records Held by States, Local
Jurisdictions, and Courts, but Many of These Agencies Are
Taking Steps to Limit Display
SSNs are publicly available throughout the United States, primarily
at the state and local levels of government.\5\ Based on a survey of
federal, state, and local governments, we reported in 2004 that state
agencies in 41 states and the District of Columbia were displaying SSNs
in public records; this was also true in 75 percent of U.S.
counties.\6\ We also found that while the number and type of records in
which SSNs were displayed varied greatly across states and counties,
SSNs were most often found in court and property records.
---------------------------------------------------------------------------
\5\ Not all records held by government or public agents are
``public'' in terms of their availability to any inquiring person. For
example, adoption records are generally sealed. Personnel records are
often not readily available to the public, although newspapers may
publish the salaries of high, elected officials. There is no common
definition of public records. However, we define public records as
those records generally made available to the public for inspection in
their entirety by a federal, state, or local government agency. Such
documents are typically accessed in a public reading room, clerk's
office, or on the Internet.
\6\ GAO, Social Security Numbers: Governments Could Do More To
Reduce Display in Public Records and on Identity Cards, GAO-05-59
(Washington, D.C.: November 9, 2004).
---------------------------------------------------------------------------
Public records displaying SSNs are stored in multiple formats that
vary by different levels of government. State government offices tended
to store such records electronically, while most local government
records were stored on microfiche or microfilm. However, our survey
found that public access to such records was often limited to
inspection of the individual paper copy or request by mail.\7\
---------------------------------------------------------------------------
\7\ GAO-05-59
---------------------------------------------------------------------------
We found that few state agencies make public records available on
the Internet, although some do so. However, few state or local offices
reported any plans to significantly expand Internet access to public
records that display SSNs. Based on our survey results, only four state
agencies indicated plans to make such records available on the
Internet, and one agency planned to remove records displaying SSNs from
Internet access.
Private Sector Entities Obtain SSNs from Public and Private Sources and
Use Them for Various Purposes
Private sector entities such as information resellers, CRAs, and
health care organizations generally obtain SSNs from various public and
private sources. Large or well known information resellers have told us
they obtain SSNs from various public records, such as records of
bankruptcies, tax liens, civil judgments, criminal histories, deaths,
real estate transactions, voter registrations, and professional
licenses. They also said that they sometimes obtain batch files of
electronic copies of jurisdictional public records where available.
However, some reseller officials said they are more likely to rely on
SSNs obtained directly from their clients, who would voluntarily
provide such information for a specific service or product, than those
found in public records.\8\
---------------------------------------------------------------------------
\8\ GAO, Social Security Numbers: Private Sector Entities Routinely
Obtain and Use SSNs, and Laws Limit the Disclosure of This Information,
GAO-04-11 (Washington, D.C.: January 22, 2004).
---------------------------------------------------------------------------
Like information resellers, CRAs also obtain SSNs from public and
private sources. CRA officials have told us that they obtained SSNs
from public sources, such as bankruptcy records. We also found that
these companies obtained SSNs from other information resellers,
especially those that specialized in obtaining information from public
records. However, CRAs are more likely to obtain SSNs from businesses
that subscribe to their services, such as banks, insurance companies,
mortgage companies, debt collection agencies, child support enforcement
agencies, credit grantors, and employment screening companies.
Therefore, individuals who provide these businesses with their SSNs for
reasons such as applying for credit would subsequently have their
charges and payment transactions, accompanied by the SSN, reported to
the CRAs.
Health care organizations, including health care insurance plans
and providers, are less likely to obtain SSN data from public sources.
Health care organizations typically obtained SSNs either from
individuals themselves or from companies that offer health care plans.
For example, subscribers or policyholders enrolled in a health care
plan provide their SSN as part of their health care plan application to
their company or employer group. In addition to health care plans,
health care organizations also included health care providers, such as
hospitals. Such entities often collected SSNs as part of the process of
obtaining information on insured people. However, health care provider
officials told us that, particularly with hospitals, the medical record
number is the primary identifier, rather than the SSN.
We found that the primary use of the SSN by information resellers,
CRAs, and health care organizations alike was to help verify the
identity of an individual. Large information resellers said they
generally use the SSN as an identity verification tool. They also use
it for internal matching purposes of its databases, as a factor in
identifying individuals for their product reports, or for conducting
investigations for their clients for resident screening or employment
screening. CRAs use SSNs as the primary identifier of individuals that
enables them to match the information they receive from their business
clients with information stored in their databases on individuals.
Because these companies have various commercial, financial, and
government agencies furnishing data to them, the SSN is the primary
factor that ensures that incoming data is matched correctly with an
individual's information on file. We found that in some cases CRAs and
information resellers can sometimes be the same entity, a fact that
blurs the distinction between the two types of businesses but does not
affect the use of SSNs by these entities. Finally, health care
organizations also use the SSN to help verify the identity of
individuals. These organizations use SSNs, along with other information
such as name, address, and date of birth, as a factor in determining a
member's identity.
Private sector companies also share customers' SSNs with their
contractors. Banks, investment firms, telecommunication companies, and
tax preparation companies we interviewed routinely obtain SSNs from
their customers for authentication and identification purposes.\9\ All
these companies contracted out various services, such as data
processing, administrative, and customer service functions. Although
these companies may share consumer information, such as SSNs, with
contractors that provide services to their customers, company officials
said that they only share such information with their contractors for
limited purposes, generally when it is necessary or unavoidable.
---------------------------------------------------------------------------
\9\ GAO, Social Security Numbers: Stronger Protections Needed When
Contractors Have Access to SSNs, GAO-06-238 (Washington, D.C.: January
23, 2006).
---------------------------------------------------------------------------
The companies we contacted provided us with standard contract forms
they use in contracting with service providers to safeguard customers'
personal information, such as SSNs, from misuse.\10\ In general, the
types of provisions these companies included in their standard contract
forms included electronic and physical data protections, audit rights,
data breach notifications, subcontractor restrictions, and data
handling and disposal requirements. We found that most of the companies
we interviewed had established some type of due diligence or
credentialing process to verify the reliability of potential
contractors prior to and during contract negotiations. Furthermore, we
found that some industry associations have voluntarily developed
guidance for their members regarding the sharing of personal
information with third parties.
---------------------------------------------------------------------------
\10\ GAO-06-238
---------------------------------------------------------------------------
No Single Law Governs the Use and Disclosure of SSNs Although Various
Laws Have Been Enacted That Help Protect SSNs
Although no single law comprehensively governs the use and
disclosure of SSNs, certain federal laws restrict the use and
disclosure of personal information, including SSNs, by government
agencies or private sector entities. These laws, however, tend to be
directed at specific industries or governmental agencies and often do
not apply broadly across public and private sectors or across private
sector industries. For example, the overall use and disclosure of SSNs
by the federal government is restricted under the Privacy Act, which,
broadly speaking, seeks to balance the government's need to maintain
information about individuals with the rights of individuals to be
protected against unwarranted invasions of their privacy. The Privacy
Act requires that any federal, state, or local government agency, when
requesting an SSN from an individual, tell individuals whether
disclosing their SSN is mandatory or voluntary, cite the statutory or
other authority under which the request is being made, and state what
uses it will make of the individual's SSN.
Other federal laws have also placed restrictions on private sector
entities' use and disclosure of consumers' personal information,
including SSNs. These include the Fair Credit Reporting Act (FCRA), the
Fair and Accurate Credit Transaction Act (FACTA), the Gramm-Leach-
Bliley Act (GLBA), the Drivers Privacy Protection Act (DPPA), and the
Health Insurance Portability and Accountability Act (HIPAA). As shown
in table 1, some of these federal laws either restrict certain private
sector entities from disclosing personally identifiable information to
specific purposes or with whom the information is shared. In addition,
certain industries, such as the financial services industry, are
required to protect individuals' personal information to a greater
degree than entities in other industries.
Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure
of Personal Information
------------------------------------------------------------------------
Federal Laws Restrictions
------------------------------------------------------------------------
Fair Credit Reporting Act Limits access to credit data that
includes SSNs to those who have a
permissible purpose under the law.
------------------------------------------------------------------------
Fair and Accurate Credit Amends FCRA to allow, among others
Transactions Act things, consumers who request a copy
of their credit report to also
request that the first 5 digits of
their SSN (or similar identification
number) not be included in the file;
requires consumer reporting agencies
and any business that use a consumer
report to adopt procedures for
proper disposal.
------------------------------------------------------------------------
Gramm-Leach-Bliley Act Creates a new definition of personal
information that includes SSNs and
limits when financial institutions
may disclose the information to
nonaffiliated third parties.
------------------------------------------------------------------------
Health Insurance Portability and Protects the privacy of health
Accountability Act information that identifies an
individual and restricts health care
organizations from disclosing such
information to others without the
patient's consent.
------------------------------------------------------------------------
Source: GAO analysis
Congress has also introduced a federal statute that criminalizes
fraud in connection with the unlawful theft and misuse of personal
identifiable information. In 1998, Congress enacted the Identity Theft
and Assumption Deterrence Act (Identity Theft Act). The act made it a
criminal offense for a person to ``knowingly transfer, possess, or use
without lawful authority,'' another person's means of identification
``with the intent to commit, or to aid or abet, or in connection with,
any unlawful activity that constitutes a violation of Federal law, or
that constitutes a felony under any applicable state or local law.''
Under the act, a name or Social Security number is considered a ``means
of identification'' and a number of cases have been prosecuted under
this law.
Many states have begun to enact laws to restrict the use and
display of SSNs. (See appendix 1 for a listing of state laws previously
reported by GAO.) After one state took action, other states followed in
enacting similar laws. For example, in 2001, California enacted a law
restricting the use and display of SSNs, which generally prohibited
companies and persons from engaging in certain activities, such as
posting or publicly displaying SSNs, or requiring people to transmit an
SSN over the Internet unless the connection is secure or the number is
encrypted. In addition, California enacted a law containing
notification requirements in the event of a security breach where a
business or a California state agency is required to notify any
California resident whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized person.
Subsequently, other states have enacted laws restricting the use
and display of SSNs. Specifically, in our prior work, we identified 13
others states--Arizona, Arkansas, Connecticut, Georgia, Illinois,
Maryland, Michigan, Minnesota, Missouri, Oklahoma, Texas, Utah, and
Virginia--that have each passed laws similar to California's. \11\
While some states, such as Arizona, have enacted virtually identical
SSN use and display restrictions, other states have modified the
restrictions in various ways. For example, unlike the California law,
which prohibits the use of the full SSN, the Michigan statute prohibits
the use of more than four sequential digits of the SSN. The Michigan
law also contains a prohibition against the use of SSNs on
identification and membership cards, permits, and licenses. Missouri's
law includes a prohibition against requiring an individual to use his
or her SSN as an employee number. Oklahoma's law is unique in that it
only limits the ways in which employers may use their employees' SSNs,
and does not apply more generally to other types of transactions and
activities.
---------------------------------------------------------------------------
\11\ See Arkansas (Ark. Code Ann. � 4-86-107 (2005)); Arizona
(Ariz. Rev. Stat. � 44-1373 (2004)); Connecticut (Conn. Gen. Stat. �
42-470 (2003)); Georgia (Ga. Code Ann. � 33-24-57.1 (2003)); Illinois
(815 Ill. Comp. Stat. 505/2QQ (2004)); Maryland (Md. Code Ann., Com.
Law � 14-3301 et seq. (2005)); Michigan (Mich. Comp. Laws � 445.81 et
seq. (2004)); Minnesota (Minn. Stat. � 325E.59 (2005)); Missouri (Mo.
Rev. Stat. � 407.1355 (2003)); Oklahoma (Okla. Stat. tit. 40, � 173.1
(2004)); Texas (Tex. Bus. & Com. Code Ann. 35.58 (2003)); Utah (Utah
Code Ann. � 31A-21-110 (2004)); and Virginia (Va. Code Ann. � 59.1-
443.2 (2005)).
---------------------------------------------------------------------------
Some states have recently enacted other types of restrictions on
the uses of SSNs as well. Arkansas, Colorado, and Wisconsin limit the
use of a student's SSN as a student identification number.\12\ New
Mexico requires businesses that have acquired consumer SSNs to adopt
internal policies to limit access to authorized employees.\13\ Texas
recently enacted a law requiring businesses to properly dispose of
business records that contain a customer's personal identifying
information, which is defined to include SSNs.\14\
---------------------------------------------------------------------------
\12\ Ark. Code Ann. � 6-18-208 (2005); Colo. Rev. Stat. � 23-5-127
(2003); and Wis. Stat. � 36.32 (2001).
\13\ N.M. Stat. Ann. � 57-12B-1 et seq. (2003).
\14\ Tex. Bus. & Com. Code Ann. � 35.48 (2005).
---------------------------------------------------------------------------
Other recent state legislation includes new restrictions on state
and local government agencies. For example, South Dakota law prohibits
the display of SSNs on all driver's licenses and nondriver's
identification cards,\15\ while Indiana law generally prohibits a state
agency from releasing a SSN unless otherwise required by law.\16\ In
addition, as of January 1, 2007, a Nevada law will require governmental
agencies, except in certain circumstances, to ensure that the SSNs
recorded in their books and on their records are maintained in a
confidential manner.\17\
---------------------------------------------------------------------------
\15\ S.D. Codified Laws � 32-12-17.13 (2005).
\16\ Ind. Code � 4-1-10-1 et seq. (2005).
\17\ Nev. Rev. Stat.� 239.030 (2005).
---------------------------------------------------------------------------
We also identified four states that have passed legislation
containing notification requirements in the event of a security breach.
For example, New York recently enacted a law requiring such
notifications.\18\ California requires a business or a California state
agency to notify any California resident whose unencrypted personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person.\19\ In the last year, this law forced several
large companies to notify individuals that their information was
compromised because of certain circumstances. Under a Nevada law,
government agencies and certain persons who do business in the state
must notify individuals if their personal information is reasonably
believed to have been compromised.\20\ Similarly, Georgia requires
certain private sector entities to notify their customers if a security
breach occurred that compromised their customers' personal information,
such as their SSNs.\21\
---------------------------------------------------------------------------
\18\ N.Y. State Tech. Law � 208 (2005).
\19\ Cal. Civ. Code � 1798.29 (2002); 1798.82 (2002).
\20\ Nev. Rev. Stat. � 603A.220 (2005).
\21\ Ga. Code Ann. � 10-1-910 et seq. (2005).
---------------------------------------------------------------------------
In addition, we found that some state offices were beginning to
take measures to change the way in which they displayed or shared SSNs
in public records. For example, we found that many state agencies had
restricted access to or redacted--covered or otherwise hidden from
view--SSNs from public versions of records. Specific restrictions and
other actions state agencies reported taking included blocking or
removing SSNs from electronic versions of records, allowing individuals
identified in the record to request removing their SSN from the
publicly available version, replacing SSNs with alternative
identifiers, and restricting access only to individuals identified in
the records.
Finally, Congress is currently considering consumer privacy
legislation, which in some cases includes SSN restrictions. In 2005,
there were more than 20 proposed bills pending before the U.S. House
and Senate.\22\ In some cases, the provisions being considered mirrored
provisions in enacted state laws. For example, some proposed
legislation included prohibitions on the display of SSNs, similar to a
Colorado law, while other proposed legislation address the solicitation
of SSNs by public and private sector entities. In addition, some
federal privacy legislation also proposed consumer safeguards, such as
security freezes and prohibitions on the sale and purchase of SSNs.
---------------------------------------------------------------------------
\22\ GAO, Social Security Numbers: Federal and State Laws Restrict
Use of SSNs, yet Gaps Remain, GAO-05-1016T (Washington, D.C.:
September15, 2005)
---------------------------------------------------------------------------
More Could Be Done To Protect SSNs
Although laws at both state and federal levels have helped to
restrict SSN display and protect individual's personal information,
clearly gaps remain. We have issued a number of reports for this
Subcommittee that have looked at the collection, use, and protections
of SSNs by federal agencies and private sector entities. In some cases
where federal action could be taken, we have proposed matters for
congressional consideration to explore legislative actions or
recommendations to a federal agency to address problems we found. In
other cases, mainly those that relate to private sector entities, we
have proposed a matter for Congressional consideration. OMB has
implemented two of our recommendations and Congress is still
considering what actions need to be taken.
Prior Work Found Gaps in the Protections of SSNs
In our review of government uses of SSNs, we reported that certain
measures that could provide more assurances that SSNs obtained by
government entities are secure are not universally in place at any
level of government.\23\ Agencies that deliver services and benefits
use SSNs to administer programs and took some steps to safeguard SSNs.
However, when federal, state, and county agencies request SSNs, they
did not consistently inform the SSN holders of whether they must
provide the SSN to receive benefits or services and how the SSN will be
used. In addition, although some agencies took action to limit the
display of SSNs on documents that were not intended to be public but
may be viewed by others, these actions sometimes took place in a
piecemeal manner rather than as a result of a systematic effort.
---------------------------------------------------------------------------
\23\ GAO-02-352
---------------------------------------------------------------------------
In our reviews of private sector entities' collection and use of
SSNs, we found gaps in how different industries are covered by federal
laws protecting individual's personal information. In our third party
contractors' review, we reported that federal regulation and oversight
of SSN sharing varies across four industries we reviewed, revealing
gaps in federal law and agency oversight for different industries that
share SSNs with their contractors.\24\ For example, federal law and
oversight of the sharing of personal information in the financial
services industry is very extensive: financial services companies must
comply with GLBA requirements for safeguarding customer's personal
information, and regulators have an examination process in place that
includes determining whether banks and securities firms are
safeguarding this information. IRS has regulations and guidance in
place to restrict the disclosure of SSNs by tax preparers and their
contractors, but does not perform periodic reviews of tax preparers'
compliance. FCC does not have regulations covering SSNs and also does
not periodically review telecommunications companies to determine
whether they are safeguarding such information. Companies in the
industries we reviewed relied on accepted industry practices and
primarily used the terms of their contracts to safeguard personal
information, including SSNs they shared with outside contractors.
---------------------------------------------------------------------------
\24\ GAO-06-238.
---------------------------------------------------------------------------
We also found that there are few restrictions placed on certain
entities' abilities such as information resellers to resell SSNs in the
course of their business. Although certain federal laws have some
restrictions on reselling nonpublic personal information, these laws
only apply to certain types of private sector entities, such as
financial institutions.
In our review of SSNs in public records, we found that SSNs are
widely exposed to view in a variety of public records and are still
subject to exposure on identity cards issued under federal
auspices.\25\ The number and type of records in which SSNs are
displayed varies greatly for both states and counties, and SSNs are
available in some federal court records. A number of government
agencies and oversight bodies are taking steps to eliminate the open
display of SSNs. For example, some actions state agencies reported
taking included blocking or removing SSNs from electronic versions of
records, and replacing SSNs with alternative identifiers. However, such
initiatives to protect the SSN may slow its misuse, but the absence of
uniform and comprehensive policy is likely to leave many individuals
vulnerable.
---------------------------------------------------------------------------
\25\ GAO-05-59.
---------------------------------------------------------------------------
Finally, although they are not displayed in public records en
masse, we found that millions of SSNs are still subject to exposure on
individual identity cards issued under federal auspices. We found that
in 2004 an estimated 42 million Medicare cards displayed entire 9-digit
SSNs, as did approximately 8 million Department of Defense (DOD)
insurance cards and 7 million Department of Veterans Affairs (VA)
beneficiary cards. Some of these agencies have begun taking action to
remove SSNs from identification cards. For example, VA is eliminating
SSNs from 7 million VA identification cards and is replacing cards with
SSNs or issuing new cards without SSNs from 2004 through 2009, until
all such cards have been replaced. DOD has begun replacing
approximately 6 million health insurance cards that display SSNs with
cards that do not display the bearer's SSN, but continues to include
SSNs on approximately 8 million military identification cards. The
Centers for Medicare and Medicaid Services, with the largest number of
cards displaying the entire 9-digit SSN, does not plan to remove the
SSN from Medicare identification cards.
GAO Has Proposed Matters for Congressional Consideration and
Recommendations
In order to address the issues we found, GAO has proposed matters
for congressional consideration and recommended that a federal agency
take action. To date, OMB has implemented two of our three
recommendations, but Congress is still considering what other actions
to take.
In order to address the problems we found with how
government entities assure the security of SSNs, we proposed that
Congress consider convening a representative group of federal, state,
and local officials to develop a unified approach to safeguarding SSNs
used in all levels of government. The Privacy Act and other federal
laws prescribe actions federal departments and agencies must take to
assure the security of SSNs and other personal information. However,
these requirements may not be uniformly observed. We presented a matter
for congressional consideration to facilitate intergovernmental
collaboration in strengthening safeguards at the state and local
levels. We also made two recommendations to the Office of Management
and Budget that it direct federal agencies to review their practices
for securing SSNs and providing required information, and advise all
federal, state, and local governments of the applicability of the
Privacy Act to their uses of SSNs. OMB has implemented both our
recommendations.
In our report on third party contactors' uses of SSNs, we
recommended that Congress consider possible options for addressing the
gaps in existing federal requirements for safeguarding SSNs shared with
contractors. The current gaps do not provide incentives for companies
to commit to protecting personal information. Each industry is subject
to different federal oversight and is often left to decide what
established practices for safeguarding SSNs and other consumer
information it wishes to follow. We suggested that one approach
Congress could take would be to require industry-specific protections
for the sharing of SSNs with contractors where such measures are not
already in place. For example, Congress could consider whether the
Telecommunications Act of 1996 should be amended to address how that
industry shares SSNs with contractors. Alternatively, we suggested that
Congress could take a broader approach. For example, in considering
proposed legislation that would generally restrict the use and display
of SSNs, Congress could also include a provision that would explicitly
apply this restriction to third party contractors. We stated that with
either approach, Congress would want to establish a mechanism
overseeing compliance by contractors and enforcement.
In our report on the display of SSNs on identification
cards and in public records, we recommended that OMB identify all those
federal activities that require or engage in the display of 9-digit
SSNs on health insurance, identification, or any other cards issued to
federal government personnel or program beneficiaries, and devise a
governmentwide policy to ensure a consistent approach to this type of
display. Although SSA has authority to issue policies and procedures
over the Social Security cards that it issues, it does not have
authority over how other federal agencies use and display SSNs. Rather,
it is up to individual government agencies to have their own policies
for the cards issued under their authority. The lack of a broad,
uniform policy allows for inconsistent, but persistent exposure of the
SSN. OMB has not yet taken action on our recommendation but said at the
time we issued our report they would consider it. With regard to SSN
exposure in public records, we again noted that it would be
constructive for a representative group of federal, state, and local
officials to develop a unified approach to safeguarding SSNs used in
all levels of government, particularly those displayed in public
records.
Finally, with regard to private sector entities, such as
information resellers reselling personal information, including SSNs,
we noted that there are few restrictions placed on these entities
ability to obtain, use, and resell SSNs for their businesses. The
federal laws that have some restrictions can be interpreted broadly.
The broad interpretation combined with the uncertainty about the
application of the exceptions suggest that reselling personal
information--including SSNs--is likely to continue.
Conclusions
The use of SSNs by both public and private sector entities is
likely to continue given that it is used as the key identifier by most
of these entities and there is currently no other widely accepted
alternative. Given the significance of the SSN in committing fraud or
stealing a person's identity, it is imperative that steps be taken to
protect it. Without proper safeguards in place, SSNs will remain
vulnerable to misuse, thus adding to the growing number of identity
theft victims.
SSNs are still widely used and publicly available, although
becoming less so. State legislatures have begun to place restrictions
on SSNs by enacting laws that restrict the use and display of SSNs and
prohibit the theft of individuals' personal information. Yet, more
could be done to protect SSNs. As Congress continues to propose and
consider legislation to protect individuals' personal information, gaps
in protections that have already been identified could help focus the
debate on the areas that could be addressed immediately based on our
work in order to prevent SSNs and other personal information from being
misused.
At this Subcommittee's request, we are continuing work on SSNs and
the ease with which they can be purchased from Internet information
resellers. We look forward to supporting continued congressional
consideration of these important policy issues. That concludes my
testimony, and I would be pleased to respond to any questions the
subcommittee has.
Appendix I: Selected State SSN Laws Previously Reported by GAO
------------------------------------------------------------------------
Type of Law Enacting States
------------------------------------------------------------------------
Imposes Limits on State and Local Connecticut
Governments, including Restrictions Delaware
on Public Disclosure Florida
Georgia
Hawaii
Indiana
Minnesota
Nebraska
Nevada
New Jersey
North Dakota
Oregon
South Carolina
Tennessee
Texas
Virginia
West Virginia
------------------------------------------------------------------------
Limits Use and Display of SSNs Arizona
Arkansas
California
Connecticut
Georgia
Illinois
Maryland
Michigan
Minnesota
Missouri
Oklahoma
Texas
Utah
Virginia
------------------------------------------------------------------------
Limits Use of SSNs on Drivers' Indiana
Licenses North Dakota
South Dakota
West Virginia
------------------------------------------------------------------------
Requires Notification of Security California
Breaches Georgia
Nevada
New York
------------------------------------------------------------------------
Prohibits Certain Activities Related Arizona
to Identity Theft Idaho
New York
------------------------------------------------------------------------
Limits or Prohibits Use of SSN as Arkansas
Student ID Number Colorado
Wisconsin
------------------------------------------------------------------------
Authorizes Redaction of SSNs in California
Certain Public Records New Jersey
------------------------------------------------------------------------
Limits Certain Activities of North Dakota
Financial Institutions Vermont
------------------------------------------------------------------------
Prohibits Businesses From Requiring New Mexico
SSNs as a Condition of Doing Rhode Island
Business
------------------------------------------------------------------------
Requires Development of Employee New Mexico
Access Policies
------------------------------------------------------------------------
Requires Business to Properly Dispose Texas
of Business Records Containing
Customers' Personal Information
------------------------------------------------------------------------
Provides Identity Theft Victim Washington
Assistance
------------------------------------------------------------------------
Requires that SSNs be Truncated for Louisiana
Certain Public Records
------------------------------------------------------------------------
Requires Third Party Contracting California
Protections
------------------------------------------------------------------------
Source: GAO Analysis
Related GAO Products
Social Security Numbers: Stronger Protections Needed When
Contractors Have Access to SSNs. GAO-06-238. Washington, D.C.: January
23, 2006.
Social Security Numbers: Federal and State Laws Restrict Use of
SSNs, yet Gaps Remain. GAO-05-1016T. Washington, D.C.: September 15,
2005.
Social Security Numbers: Governments Could Do More to Reduce
Display in Public Records and on Identity Cards. GAO-05-59. Washington,
D.C.: November 9, 2004.
Social Security Numbers: Use Is Widespread and Protections Vary in
Private and Public Sectors. GAO-04-1099T. Washington, D.C.: September
28, 2004.
Social Security Numbers: Use Is Widespread and Protections Vary.
GAO-04-768T. Washington, D.C.: June 15, 2004.
Social Security Numbers: Private Sector Entities Routinely Obtain
and Use SSNs, and Laws Limit the Disclosure of This Information. GAO-
04-11. Washington, D.C.: January 22, 2004.
Social Security Numbers: Ensuring the Integrity of the SSN. GAO-03-
941T. Washington, D.C.: July 10, 2003.
Social Security Numbers: Government Benefits from SSN Use but Could
Provide Better Safeguards. GAO-02-352. Washington, D.C.:May 31, 2002.
Social Security: Government and Commercial Use of the Social
Security Number is Widespread. GAO/HEHS-99-28. Washington, D.C.:
February 16, 1999.
Chairman MCCRERY. Thank you, Ms. Fagnoni. Mr. Winston?
STATEMENT OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF
PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION,
FEDERAL TRADE COMMISSION
Mr. WINSTON. Mr. Chairman, Mr. Levin, Members of the
Subcommittee, I am Joel Winston, Associate Director of the
Division of Privacy and Identity Protection at the Federal
Trade Commission (FTC). I appreciate the opportunity to testify
today about the important issue of SSNs and their relation to
identity theft. Although the views expressed in the written
testimony represent those of the Commission, my oral
presentation and responses to your questions are my own and do
not necessarily represent the opinions of the Commission or any
individual Commissioner.
Americans today are very concerned about protecting their
identities, and with good reason. Identity theft is a
pernicious and persistent problem. When a thief steals your
identity, the economic and emotional impact can be severe.
American businesses pay a heavy price, as well, as much as $50
billion every year. Every time consumers hear about the latest
data breach that threatens to expose their personal
information, they lose a little more confidence in our
commercial system.
Access to SSNs contributes to the worst form of identity
theft, having new accounts opened in your name. The SSN has
become an all-purpose identifier because of its convenience,
its uniqueness to each individual, and its permanence over
time. Many businesses also use the SSN to authenticate that the
person presenting it is who he says he is. It is this dual use
that makes the SSN so valuable to identity thieves.
At the same time, the SSN serves many important functions
in our financial system. For example, our credit reporting
system hinges on the availability of SSNs to match consumers
with their financial information. SSNs also are used to locate
lost beneficiaries, collect child support, and detect fraud,
among many other things.
This presents a challenge, how to find the right balance
between permitting beneficial use and disclosure of SSNs while
keeping them out of the hands of criminals. The solution must
combine a number of approaches. To begin with, public and
private entities should use less sensitive identifiers whenever
possible and they must do a better job of securing consumer
data. This is a fundamental legal responsibility. Under the
Federal Trade Commission Act, the Commission can act against
firms that misrepresent their security procedures or fail to
take reasonable steps to secure sensitive information. The FTC
Safeguards Rule requires financial institutions to implement
reasonable safeguards to protect consumer information. The FTC
Disposal Rule requires businesses that hold certain consumer
information to dispose of it in a safe manner.
The Commission has acted aggressively to enforce these
legal requirements. Our two most recent cases involved massive
data breaches that led to numerous instances of identity fraud.
In both cases, the Commission alleged that the company failed
to have reasonable procedures to safeguard consumer
information, including in one of the cases SSNs.
In addition to law enforcement, education and outreach are
critical weapons in this fight. The Commission has targeted its
efforts at the three groups best situated to combat identity
theft, consumers, industry, and law enforcement. We receive
between 15,000 and 20,000 contacts per week from individuals
seeking advice on avoiding identity theft or coping with the
consequences. We provide information and assistance, including
tools to simplify the recovery process.
We are working to implement the provisions of the Fair and
Accurate Credit Transactions Act of 2003 Act (P.L. 108-159)
(FACT Act), many of which address identity theft. The free
annual credit report program, for example, has allowed millions
of consumers to obtain and check their credit reports, where
the first signs of identity fraud often appear.
The Commission also works with the business community to
promote a culture of security. Our outreach efforts encourage
and help businesses to maintain only the information that they
need and to protect the information that they maintain.
Finally, the Commission assists criminal law enforcement
through our operation of the ID Theft Data Clearinghouse, a
national database with over a million identity theft
complaints. Law enforcers, ranging from the FBI to local
sheriffs, use the clearinghouse to aid in their investigation.
In closing, I want to emphasize that identity theft is a
multi-faceted problem for which there is no simple solution.
The challenge of determining how best to keep SSNs out of the
hands of wrongdoers illustrates how difficult this problem is.
Still, there is much that we can do to discourage unnecessary
use of SSNs, enhance data protection, educate consumers, and
assist criminal prosecutors. The Commission will continue to
play a central role in the fight against identity theft and we
look forward to working with the Congress in this endeavor.
Thank you again for the opportunity to testify today and I
would be happy to answer any questions.
[The prepared statement of Mr. Winston follows:]
Statement of Joel Winston, Associate Director, Division of Privacy and
Identity Protection, Bureau of Consumer Protection, Federal Trade
Commission
I. INTRODUCTION
Mr. Chairman, Mr. Levin, and members of the Subcommittee, I am Joel
Winston, Associate Director of the Division of Privacy and Identity
Protection at the Federal Trade Commission (``FTC'' or
``Commission'').\1\ I appreciate the opportunity to present the
Commission's views on identity theft and Social Security numbers
(``SSNs'').
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of
the Commission. My oral presentation and responses to questions are my
own and do not necessarily represent the views of the Commission or any
Commissioner.
---------------------------------------------------------------------------
The Commission has a broad mandate to protect consumers generally
and to combat identity theft specifically. Controlling identity theft
is an issue of critical concern to all consumers--and to the
Commission. The FTC serves a key role as the central repository for
identity theft complaints, facilitates criminal law enforcement in
detecting and prosecuting identity thieves, and provides extensive
victim assistance and consumer education. In recognition of the need to
protect sensitive consumer information and prevent identity theft, the
FTC recently created a new Division of Privacy and Identity Protection.
This division--which consists of staff with expertise in privacy, data
security, and identity theft--addresses cutting-edge consumer privacy
matters through aggressive enforcement, as well as rulemaking, policy
development, and outreach to consumers and businesses.
This testimony describes the ways in which SSNs are collected and
used, their relationship to identity theft, current laws that restrict
the use or transfer of consumers' personal information, and the
Commission's efforts to help consumers avoid identity theft or
remediate its consequences.
II. THE IDENTITY THEFT PROBLEM
Identity theft is a pernicious crime that harms both consumers and
businesses. Recent surveys estimate that nearly 10 million consumers
are victimized by some form of identity theft each year.\2\ The costs
of this crime are staggering. The Commission's 2003 survey estimated
that identity theft cost businesses approximately $50 billion, and cost
consumers an additional $5 billion in out-of-pocket expenses, over the
twelve-month period prior to the survey.\3\ The 2003 survey looked at
two major categories of identity theft: (1) misuse of existing
accounts; and (2) the creation of new accounts in the victim's name.
The 2003 survey found that the costs imposed by new account fraud were
substantially higher than the misuse of existing accounts.\4\
---------------------------------------------------------------------------
\2\ See Federal Trade Commission--Identity Theft Survey Report
(2003), http://www.ftc.gov/os/2003/09/synovatereport.pdf and Rubina
Johannes, 2006 Identity Fraud Survey Report (2006), http://
www.javelinstrategy.com/research. A free summary of the 2006 Identity
Fraud Survey Report is available at http://www.bbb.org/alerts/
article.asp?ID=651.
\3\ Federal Trade Commission--Identity Theft Survey Report at 6
(2003), http://www.ftc.gov/os/2003/09/synovatereport.pdf.
\4\ Id.
---------------------------------------------------------------------------
III. USES AND SOURCES OF SOCIAL SECURITY NUMBERS
SSNs today play a vital role in our economy. With 300 million
American consumers, many of whom share the same name,\5\ the unique 9-
digit SSN is a key identification tool for businesses, government, and
others.\6\ For example, consumer reporting agencies use SSNs to ensure
that the data furnished to them is placed in the correct file and that
they are providing a credit report on the correct consumer.\7\
Businesses and other entities use these reports to evaluate the risk of
providing to individuals services, such as credit, insurance, home
rentals, or employment. Timely access to consumer credit, as well as
the overall accuracy of credit reporting files, could be compromised if
SSNs could not be used to match consumers to their financial
information. Additionally, SSNs are used in locator databases to find
lost beneficiaries, potential witnesses, and law violators, and to
collect child support and other judgments. SSN databases also are used
to fight identity fraud--for example, to confirm that an SSN provided
by a loan applicant does not, in fact, belong to someone who is
deceased.\8\ Without the ability to use SSNs as a personal identifier
and fraud prevention tool, the granting of credit and the provision of
other financial services would become riskier and more expensive and
inconvenient for consumers.
---------------------------------------------------------------------------
\5\ According to the Consumer Data Industry Association, 14 million
Americans have one of ten last names, and 58 million men have one of
ten first names.
\6\ See General Accounting Office, Private Sector Entities
Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This
Information (GAO 04-01) (2004).
\7\ See Federal Trade Commission--Report to Congress Under Sections
318 and 319 of the Fair and Accurate Credit Transactions Act of 2003 at
38-40 (2004),http://www.ftc.gov/reports/facta/041209factarpt.pdf.
\8\ The federal government also uses the SSN as an identifier, for
example, as both an individual's Medicare and taxpayer identification
number. It also is used to administer the federal jury system, federal
welfare and workmen's compensation programs, and military draft
registration. See Social Security Administration, Report to Congress on
Options for Enhancing the Social Security Card (Sept. 1997),
www.ssa.gov/history/reports/ssnreportc2.html.
---------------------------------------------------------------------------
SSNs are available from both public and private sources. Public
records in city and county government offices across the country,
including birth and death records, property records, tax lien records,
voter registrations, licensing records, and court records, often
contain consumers' SSNs.\9\ Increasingly, these records are being
placed online where they can be accessed easily and anonymously.\10\
There also are a number of private sources of SSNs, including consumer
reporting agencies that include name, address, and SSN as part of the
``credit header'' information on consumer reports. Data brokers also
collect personal information, including SSNs, from a variety of sources
and compile and resell that data to third parties.\11\
---------------------------------------------------------------------------
\9\ Local and state governments are reducing their reliance on SSNs
for many administrative purposes in response to identity theft
concerns. For example, only a few states still use SSNs as drivers
license numbers. See David A. Lieb, Millions of Motorists Have Social
Security Numbers on Licenses, The Boston Globe, Feb. 6, 2006, http://
www.boston.com/news/local/massachusetts/articles/2006/02/06/
millions_of_motorists_have_social_security_numbers_on_licenses/. In
some cases, however, governments still use SSNs as identifiers when it
is not essential to do so. See Mark Segraves, Registering to Vote May
Lead to Identity Theft, WTOP Radio, Mar. 22, 2006, http://www.wtop.com/
?nid=428&sid=733727.
\10\ Improved access to public records has important public policy
benefits, but at the same time raises privacy concerns. Some public
records offices redact sensitive information such as SSNs, but doing so
can be very costly. The Commission has recognized the sensitive nature
of SSNs, even when they are contained in publicly available records.
For example, in response to a comment on the DSW order, the Commission
stated that ``[C]ertain publicly available records, such as court
records, contain Social Security numbers and other highly sensitive
information that can be used to perpetrate identity theft.'' The
Commission response letter is available at http://www.ftc.gov/os/
caselist/0523096/0523096DSW LettertoCommenter BankofAmerica.pdf.
\11\ Some data brokers have announced that they are voluntarily
restricting the sale of SSNs and other sensitive information to those
with a demonstrable and legitimate need. See Social Security Numbers
Are for Sale Online, Newsmax.com, Apr. 5, 2005, http://www.newsmax.com/
archives/articles/2005/4/4/155759.shtml.
---------------------------------------------------------------------------
The misuse of SSNs, however, can facilitate identity theft. For
example, new account fraud--the most serious form of identity theft--is
often possible only if the thief obtains the victim's SSN. The
challenge is to find the proper balance between the need to keep SSNs
out of the hands of identity thieves, while giving businesses and
government entities sufficient means to attribute information to the
correct person. Restrictions on disclosure of SSNs also could have a
broad impact on such important purposes as public health, criminal law
enforcement, and anti-fraud and anti-terrorism efforts. Moreover, as
referenced above, regulation or restriction of the availability of SSNs
in public records poses substantial policy and practical concerns.
IV. CURRENT LAWS RESTRICTING THE USE OF DISCLOSURE OF SOCIAL SECURITY
NUMBERS
There are a variety of specific statutes and regulations that
restrict disclosure of certain consumer information, including SSNs, in
certain contexts. In addition, under some circumstances, entities are
required to have procedures in place to ensure the security and
integrity of sensitive consumer information such as SSNs. Three
statutes that protect SSNs from improper access fall within the
Commission's jurisdiction: Title V of the Gramm-Leach-Bliley Act
(``GLBA'');\12\ Section 5 of the Federal Trade Commission Act (``FTC
Act'');\13\ and the Fair and Accurate Credit Transactions Act of 2003
(``FACT Act''),\14\ amending the Fair Credit Reporting Act
(``FCRA'').\15\
---------------------------------------------------------------------------
\12\ 15 U.S.C. �� 6801-09.
\13\ 15 U.S.C. � 45(a).
\14\ Pub. L. No. 108-159, 117 Stat. 1952.
\15\ 15 U.S.C. �� 1681-1681x, as amended.
---------------------------------------------------------------------------
A. The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (``GLBA'') imposes privacy and security
obligations on ``financial institutions.''\16\ Financial institutions
are defined broadly as those entities engaged in ``financial
activities'' such as banking, lending, insurance, loan brokering, and
credit reporting.\17\
---------------------------------------------------------------------------
\16\ 15 U.S.C. � 6809(3)(A).
\17\ 12 C.F.R. �� 225.28, 225.86.
---------------------------------------------------------------------------
1. Privacy of Consumer Financial Information
In general, financial institutions are prohibited by Title V of the
GLBA\18\ from disclosing nonpublic personal information, including
SSNs, to non-affiliated third parties without first providing consumers
with notice and the opportunity to opt out of the disclosure.\19\
However, the GLBA includes a number of statutory exceptions under which
disclosure is permitted without having to provide notice and an opt-
out. These exceptions include consumer reporting (pursuant to the
FCRA), fraud prevention, law enforcement and regulatory or self-
regulatory purposes, compliance with judicial process, and public
safety investigations.\20\ Entities that receive information under an
exception to the GLBA are subject to the reuse and redisclosure
restrictions of the GLBA Privacy Rule, even if those entities are not
themselves financial institutions.\21\ In particular, the recipients
may only use and disclose the information ``in the ordinary course of
business to carry out the activity covered by the exception under which
. . . the information [was received].''\22\
---------------------------------------------------------------------------
\18\ Privacy of Consumer Financial Information, 16 C.F.R. Part 313
(``GLBA Privacy Rule'').
\19\ The GLBA defines ``nonpublic personal information'' as any
information that a financial institution collects about an individual
in connection with providing a financial product or service to an
individual, unless that information is otherwise publicly available.
This includes basic identifying information about individuals, such as
name, SSN, address, telephone number, mother's maiden name, and prior
addresses. See, e.g., 65 Fed. Reg. 33,646, 33,680 (May 24, 2000) (the
FTC's Privacy Rule).
\20\ 15 U.S.C. � 6802(e).
\21\ 16 C.F.R. � 313.11(a).
\22\ Id.
---------------------------------------------------------------------------
Entities can obtain SSNs from consumer reporting agencies,
generally from the credit header data on the credit report. However,
because credit header data is typically derived from information
originally provided by financial institutions, entities that receive
this information generally are limited by the GLBA's reuse and
redisclosure provision.
2. Required Safeguards for Customer Information
The GLBA also requires financial institutions to implement
appropriate physical, technical, and procedural safeguards to protect
the security and integrity of the information they receive from
customers, whether directly or from other financial institutions.\23\
The FTC's Safeguards Rule, which implements these requirements for
entities under FTC jurisdiction,\24\ requires financial institutions to
develop a written information security plan that describes their
procedures to protect customer information. Given the wide variety of
entities covered, the Safeguards Rule requires a plan that accounts for
each entity's particular circumstances--its size and complexity, the
nature and scope of its activities, and the sensitivity of the customer
information it handles. It also requires covered entities to take
certain procedural steps (for example, designating appropriate
personnel to oversee the security plan, conducting a risk assessment,
and overseeing service providers) in implementing their plans.\25\
---------------------------------------------------------------------------
\23\ 15 U.S.C. � 6801(b); Standards for Safeguarding Customer
Information, 16 C.F.R. Part 314 (``Safeguards Rule'').
\24\ The Federal Deposit Insurance Corporation, the National Credit
Union Administration (``NCUA''), the Securities and Exchange
Commission, the Office of the Comptroller of the Currency, the Board of
Governors of the Federal Reserve System, the Office of Thrift
Supervision, and state insurance authorities have promulgated
comparable information safeguards rules, as required by Section 501(b)
of the GLBA. 15 U.S.C. � 6801(b); see, e.g., Interagency Guidelines
Establishing Standards for Safeguarding Customer Information and
Rescission of Year 2000 Standards for Safety and Soundness, 66 Fed.
Reg. 8,616-41 (Feb. 1, 2001). The FTC has jurisdiction over entities
not subject to the jurisdiction of these agencies.
\25\ The Commission previously has recommended that Congress
consider whether companies that hold sensitive consumer data, for
whatever purpose, should be required to take reasonable measures to
ensure its safety. Such a requirement could extend the FTC's existing
GLBA Safeguards Rule to companies that are not financial institutions.
See Statement of Federal Trade Commission Before the Committee on
Commerce, Science, and Transportation, U.S. Senate, on Data Breaches
and Identity Theft (June 16, 2005) at 7, http://www.ftc.gov/os/2005/06/
050616databreaches.pdf.
---------------------------------------------------------------------------
B. Section 5 of the FTC Act
Section 5 of the FTC Act prohibits ``unfair or deceptive acts or
practices in or affecting commerce.''\26\ Under the FTC Act, the
Commission has broad jurisdiction over a wide variety of entities and
individuals operating in commerce. Prohibited practices include making
deceptive claims about one's privacy procedures, including claims about
the security provided for consumer information.\27\
---------------------------------------------------------------------------
\26\ 15 U.S.C. � 45(a).
\27\ Deceptive practices are defined as material representations or
omissions that are likely to mislead consumers acting reasonably under
the circumstances. Cliffdale Associates, Inc., 103 F.T.C. 110 (1984).
---------------------------------------------------------------------------
In addition to deception, the FTC Act prohibits unfair practices.
Practices are unfair if they cause or are likely to cause consumers
substantial injury that is neither reasonably avoidable by consumers
nor offset by countervailing benefits to consumers or competition.\28\
The Commission has used this authority to challenge a variety of
injurious practices, including companies' failure to provide reasonable
and appropriate security for sensitive customer data.\29\ The
Commission can obtain injunctive relief for violations of Section 5, as
well as consumer redress or disgorgement in appropriate cases.
---------------------------------------------------------------------------
\28\ 15 U.S.C. � 45(n).
\29\ Other practices include, for example, allegations of
unauthorized charges in connection with ``phishing,'' high-tech scams
that use spam or pop-up messages to deceive consumers into disclosing
credit card numbers, bank account information, SSNs, passwords, or
other sensitive information. See FTC v. Hill, No. H 03-5537 (filed
S.D. Tex. Dec. 3, 2003), http://www.ftc.gov/opa/2004/03/
phishinghilljoint.htm; FTC v. C.J., No. 03-CV-5275-GHK (RZX) (filed
C.D. Cal. July 24, 2003), http://www.ftc.gov/os/2003/07/
phishingcomp.pdf.
---------------------------------------------------------------------------
C. The Fair and Accurate Credit Transactions Act of 2003
The FACT Act amended the FCRA to include a number of provisions
designed to increase the protection of sensitive consumer information,
including SSNs. One such provision required the banking regulatory
agencies, the NCUA, and the Commission to promulgate a coordinated rule
designed to prevent unauthorized access to consumer report information
by requiring all users of such information to have reasonable
procedures to dispose of it properly and safely.\30\ This Disposal
Rule, which took effect on June 1, 2005, should help minimize the risk
of improper disclosure of SSNs.
---------------------------------------------------------------------------
\30\ 16 C.F.R. Part 382 (``Disposal of Consumer Report Information
and Record Rule'').
---------------------------------------------------------------------------
In addition, the FACT Act requires consumer reporting agencies to
truncate the SSN on consumer reports at the consumer's request.\31\
Eliminating the unnecessary display of this information could lessen
the risk of it getting into the wrong hands.
---------------------------------------------------------------------------
\31\ 15 U.S.C. � 1681g(a)(1)(A). The FTC advises consumers of this
right through its consumer outreach initiatives. See e.g., the FTC's
identity theft prevention and victim recovery guide, Take Charge:
Fighting Back Against Identity Theft at 5 (2005), available at http://
www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf.
---------------------------------------------------------------------------
D. Other Laws
Other federal laws not enforced by the Commission regulate certain
other specific classes of information, including SSNs. For example, the
Driver's Privacy Protection Act (``DPPA'') \32\ prohibits state motor
vehicle departments from disclosing personal information in motor
vehicle records, subject to fourteen ``permissible uses,'' including
law enforcement, motor vehicle safety, and insurance. The Health
Information Portability and Accountability Act (``HIPAA'') and its
implementing privacy rule prohibit the disclosure to third parties of a
consumer's medical information without prior consent, subject to a
number of exceptions (such as, for the disclosure of patient records
between entities for purposes of routine treatment, insurance, or
payment).\33\ Like the GLBA Safeguards Rule, the HIPAA Privacy Rule
also requires entities under its jurisdiction to have in place
``appropriate administrative, technical, and physical safeguards to
protect the privacy of protected health information.'' \34\
---------------------------------------------------------------------------
\32\ 18 U.S.C. �� 2721-25.
\33\ 45 C.F.R. Part 164 (``HIPAA Privacy Rule'').
\34\ 45 C.F.R. � 164.530(c).
---------------------------------------------------------------------------
E. FTC Enforcement Actions
Over the past year or so, reports have proliferated about
information compromises at U.S. businesses, universities, government
agencies, and other organizations that collect and store sensitive
consumer information, including SSNs. Some of these incidents
reportedly have led to identity theft, confirming that security
breaches can cause real and tangible harm to consumers, businesses, and
other institutions.
Since 2001, the Commission has brought twelve cases challenging
businesses that have failed to take reasonable steps to protect
sensitive consumer information in their files.\35\ Two of the
Commission's most recent law enforcement actions arose from high-
profile data breaches that occurred last year. In the first case, the
Commission alleged that a major data broker, ChoicePoint, Inc., failed
to use reasonable procedures to screen prospective subscribers and
monitor their access to sensitive consumer data, in violation of the
FCRA \36\ and the FTC Act.\37\ The Commission's complaint alleged that
ChoicePoint's failures allowed identity thieves to obtain access to the
personal information of over 160,000 consumers, including nearly 10,000
consumer reports. In settling the case, ChoicePoint agreed to pay $10
million in civil penalties for the FCRA violations--the highest civil
penalty ever levied in a consumer protection case--and $5 million in
consumer redress for identity theft victims. The Order also requires
ChoicePoint to implement a number of strong data security measures,
including bi-annual audits to ensure that these security measures are
in place.
---------------------------------------------------------------------------
\35\ Documents related to these enforcement actions generally are
available at http://www.ftc.gov/privacy/index.html.
\36\ 15 U.S.C. �� 1681-1681x, as amended. The FCRA specifies that
consumer reporting agencies may only provide consumer reports for
certain ``permissible purposes.'' ChoicePoint allegedly approved as
customers individuals whose applications had several indicia of fraud,
including false credentials, the use of commercial mail drops as
business addresses, and multiple applications faxed from the same
public commercial location. The FTC's complaint alleged that
ChoicePoint did not have a permissible purpose in providing consumer
reports to such individuals and failed to have reasonable procedures to
verify prospective subscribers.
\37\ United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga.
Feb. 15, 2006).
---------------------------------------------------------------------------
In the second action, the Commission reached a settlement with
CardSystems Solutions, Inc., the card processor allegedly responsible
for last year's breach of credit and debit card information for Visa
and MasterCard, which exposed tens of millions of consumers' credit and
debit numbers.\38\ This case addresses the largest known compromise of
sensitive financial data to date. As in the ChoicePoint case, the FTC
alleged that CardSystems engaged in a number of practices that, taken
together, failed to provide reasonable and appropriate security for
sensitive consumer data. These settlements provide important
protections for consumers and also provide important lessons for
industry about the need to safeguard consumer information.
---------------------------------------------------------------------------
\38\ In the Matter of CardSystems Solutions, Inc., FTC File No.
052-3148 (proposed settlement posted for public comment, Feb. 23,
2006). The settlement requires CardSystems and its successor
corporation to implement a comprehensive information security program
and obtain audits by an independent third-party professional every
other year for 20 years. As noted in the FTC's press release,
CardSystems faces potential liability in the millions of dollars under
bank procedures and in private litigation for losses related to the
breach.
---------------------------------------------------------------------------
V. THE COMMISSION'S EFFORTS TO COMBAT IDENTITY THEFT
In addition to our efforts to ensure that businesses take
reasonable steps to safeguard sensitive consumer information, the
Commission works in many other ways to address the identity theft
problem. Pursuant to the 1998 Identity Theft Assumption and Deterrence
Act (``the Identity Theft Act''),\39\ the Commission has implemented a
program that assists consumers, businesses, and other law enforcers.
---------------------------------------------------------------------------
\39\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18
U.S.C. � 1028).
---------------------------------------------------------------------------
A. Working with Consumers
The Commission hosts a toll-free hotline, 1-877-ID THEFT, and a
secure online complaint form on its website, www.consumer.gov/idtheft,
for consumers concerned about identity theft. Every week, the
Commission receives about 15,000 to 20,000 contacts from victims and
consumers seeking information on how to avoid identity theft. The
callers to the hotline receive counseling from trained personnel who
provide information on steps they can take both to prevent identity
theft and to resolve problems resulting from the misuse of their
identities. Victims are advised to: (1) obtain copies of their credit
reports and have a fraud alert placed on them;\40\ (2) contact each of
the creditors or service providers with which the thief has established
or accessed an account to request that the account be closed and to
dispute any associated charges; and (3) report the theft to the police
and, if possible, obtain a police report. The police report is useful
in demonstrating to purported creditors and debt collectors that the
consumer is a victim of identity theft, and serves as an ``identity
theft report'' that can be used for exercising various victims' rights
granted by the FACT Act.\41\ The Commission's identity theft website,
www.consumer.gov/idtheft, has an online complaint form where victims
can enter their complaints into the Clearinghouse.
---------------------------------------------------------------------------
\40\ The FACT Act added a requirement that consumer reporting
agencies, at the request of a consumer, place a fraud alert on the
consumer's credit report. Consumers may obtain an initial alert if they
have a good faith suspicion that they have been or are about to become
an identity theft victim. The initial alert must stay on the file for
at least 90 days. Actual victims who submit an identity theft report
can obtain an extended alert, which remains in effect for up to seven
years. Fraud alerts require users of consumer reports who are extending
credit or related services to take certain steps to verify the
consumer's identity. See 15 U.S.C. � 1681c-1.
\41\ These include the right to an extended fraud alert, the right
to block fraudulent trade lines on credit reports and to prevent such
trade lines from being furnished to a consumer reporting agency, and
the ability to obtain copies of fraudulent applications and transaction
reports. See 15 U.S.C. � 1681 et seq., as amended.
---------------------------------------------------------------------------
The Commission also has taken the lead in developing and
disseminating identity theft-related consumer education materials,
including an identity theft primer, ID Theft: What It's All About, and
a victim recovery guide, Take Charge: Fighting Back Against Identity
Theft. The Commission alone has distributed more than 2.1 million
copies of the Take Charge booklet (formerly known as ID Theft: When Bad
Things Happen To Your Good Name) since its release in February 2000 and
has recorded more than 2.4 million visits to the Web version. The
Commission also maintains the identity theft website, www.consumer.gov/
idtheft, which provides publications and links to testimony, reports,
press releases, identity theft-related state laws, and other resources.
Last fall, the Commission, together with partners from law
enforcement, the technology industry, and nonprofits, launched OnGuard
Online, an interactive, multi-media resource for information and up-to-
the minute tools on how to recognize Internet fraud, avoid hackers and
viruses, shop securely online, and deal with identity theft, spam,
phishing, and file-sharing.\42\
---------------------------------------------------------------------------
\42\ See www.onguardonline.gov. OnGuard Online is also available in
Spanish. See www.AlertaEnLinea.gov.
---------------------------------------------------------------------------
In addition, the Commission will launch this spring a major new
identity theft education campaign. The campaign will encourage
consumers to guard against identity theft by taking steps to reduce
their risk, keep a close eye on their personal information, and move
quickly to minimize the damage if identity theft occurs. The
centerpiece of the campaign will be a turnkey toolkit--a comprehensive
how-to guide that will help promote grassroots education about identity
theft.
The Commission also has developed ways to simplify the recovery
process. One example is the ID Theft Affidavit, included in the Take
Charge booklet and on the website. This standard form was developed in
partnership with industry and consumer advocates for victims to use in
resolving identity theft debts. To date, the Commission has distributed
more than 293,000 print copies of the Affidavit and has recorded more
than 1.1 million hits to the Web version.
B. Working with Industry
The private sector can play a key role in combating identity theft
by reducing its incidence through better security and authentication.
The Commission works with institutions to promote a ``culture of
security'' by identifying ways to spot risks to the information they
maintain and keep it safe.
Among other things, the Commission has disseminated advice for
businesses on reducing risks to their computer systems\43\ and on
compliance with the Safeguards Rule.\44\ Our emphasis is on preventing
breaches before they happen by encouraging businesses to make security
part of their regular operations and corporate culture. The Commission
also has published Information Compromise and the Risk of Identity
Theft: Guidance for Your Business, a booklet on managing data
compromises.\45\ This publication provides guidance on when it would be
appropriate for an entity to notify law enforcement and consumers in
the event of a breach of personal information.
---------------------------------------------------------------------------
\43\ Security Check: Reducing Risks to Your Computer Systems,
available at http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm.
\44\ Financial Institutions and Customer Data: Complying with the
Safeguards Rule, available at http://www.ftc.gov/bcp/conline/pubs/
buspubs/safeguards.htm.
\45\ Information Compromise and the Risk of Identity Theft:
Guidance for Your Business, available at http://www.ftc.gov/bcp/
conline/pubs/buspubs/idtrespond.pdf.
---------------------------------------------------------------------------
In 2003, the Commission held a workshop that explored the
challenges consumers and industry face in securing their computers.
Titled ``Technologies for Protecting Personal Information: The Consumer
and Business Experiences,'' the workshop also examined the role of
technology in meeting these challenges.\46\ Workshop participants,
including industry leaders, technologists, researchers on human
behavior, and representatives from consumer and privacy groups,
identified a range of challenges in safeguarding information and
proposed possible solutions.
---------------------------------------------------------------------------
\46\ See workshop agenda and transcripts available at www.ftc.gov/
bcp/workshops/technology. See Staff Report available at http://
www.ftc.gov/bcp/workshops/technology/finalreport.pdf.
---------------------------------------------------------------------------
C. Working with Law Enforcement
A primary purpose of the Identity Theft Act was to provide law
enforcement with access to a centralized repository of identity theft
victim data to support their investigations. The Commission operates
this database as a national clearinghouse for complaints received
directly from consumers and through numerous state and federal
agencies, including the Social Security Administration's Office of
Inspector General.
With over 1,060,000 complaints, the Clearinghouse provides a
detailed snapshot of current identity theft trends as reported by the
victims themselves. The Commission publishes data annually showing the
prevalence of complaints broken out by state and city.\47\ Since its
inception, nearly 1,400 law enforcement agencies have registered for
access to the Clearinghouse database. Individual investigators within
those agencies can access the system from their desktop computers 24
hours a day, seven days a week. The Clearinghouse also gives access to
training resources, and enables users to coordinate their
investigations.
---------------------------------------------------------------------------
\47\ See Federal Trade Commission--National and State Trends in
Fraud & Identity Theft (Jan. 2006), available at http://
www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf. The Commission also
conducts national surveys to learn how identity theft impacts the
general public. The FTC conducted the first survey in 2003 and is
conducting a second survey this spring. See Federal Trade Commission--
Identity Theft Survey Report (Sept. 2003), available at http://
www.ftc.gov/os/2003/09/synovatereport.pdf.
---------------------------------------------------------------------------
The Commission also encourages use of the Clearinghouse through
training seminars offered to law enforcement. In cooperation with the
Department of Justice, the U.S. Postal Inspection Service, the U.S.
Secret Service, and the American Association of Motor Vehicle
Administrators, the Commission began organizing full-day identity theft
training seminars for state and local law enforcement officers in 2002.
To date, this group has held 20 seminars across the country. More than
2,880 officers have attended these seminars, representing over 1,000
different agencies. Future seminars are being planned for additional
cities.
To further assist law enforcers, the Commission staff developed an
identity theft case referral program. The staff creates preliminary
investigative reports by examining patterns of identity theft activity
in the Clearinghouse, and refers the reports to financial crimes task
forces and others for further investigation and possible prosecution.
In addition, analysts from the FBI, U.S. Secret Service, and Postal
Inspection Service work on-site at the FTC, developing leads and
supporting ongoing investigations for their agencies.
VI. CONCLUSION
The crime of identity theft is a scourge, causing enormous damage
to businesses and consumers. The unauthorized use of consumers' SSNs is
an important tool of identity thieves, especially those seeking to
create new accounts in the victim's name. Although current laws place
some restrictions on the use or disclosure of SSNs by certain entities
under certain circumstances, this information is still otherwise
available from both public and private sources, thereby enabling
identity thieves to obtain SSNs through legal means as well as illegal
means.
At the same time, SSNs are an important driver of our market
system. Businesses and others rely on SSNs to provide many important
benefits for consumers and to fight identity theft.
There are a number of things that government, industry, and
consumers can do to help stem the tide of identity theft. First, both
government and industry need to consider what information they collect
and maintain from or about consumers and whether they need to do so.
Entities that possess sensitive consumer information should continue to
enhance their procedures to protect it. The Commission will continue
its law enforcement and outreach efforts to encourage and, when
necessary, require better protections.
Second, industry should continue the development of improved fraud
prevention methods to stop identity thieves from misusing the consumer
information they have managed to obtain. In this regard, the FACT Act
should prove instrumental by requiring the bank regulatory agencies,
the NCUA, and the FTC to develop jointly regulations and guidelines for
financial institutions and creditors to identify possible risks of
identity theft.\48\
---------------------------------------------------------------------------
\48\ 15 U.S.C. � 1681m(e).
---------------------------------------------------------------------------
Third, the Commission will continue and strengthen its efforts to
empower consumers by providing them with the knowledge and tools to
protect themselves from identity fraud and to deal with the
consequences when it does occur. As discussed above, new consumer
rights granted by the FACT Act should help consumers minimize the
damage.
Finally, the Commission will continue to assist criminal law
enforcement in detecting and prosecuting identity thieves. The prospect
of serious jail time hopefully will discourage those considering
identity theft from perpetrating this crime.
The Commission looks forward to continuing to work with Congress to
address ways to reduce identity theft.
Chairman MCCRERY. Thank you, Mr. Winston. Can you fill us
in on what your agency does specifically to try to ensure
compliance with the laws that you talked about in your
testimony that fall in your jurisdiction?
Mr. WINSTON. Well, we go about it in many ways. First and
foremost, we are a law enforcement agency and we investigate
and take action against companies that violate the laws that we
enforce, for example, cases against companies that fail to
safeguard information that they have. We brought 12 cases to
date. We have a number of others under investigation. I think
we have sent a pretty clear message to the business community
that this is an important requirement.
At the same time, we are strong believers in education,
both for businesses and consumers. That is always the first
line of defense and we work very hard in that regard.
Chairman MCCRERY. Ms. Fagnoni, you talked about the fact
that many States have enacted laws that restrict the use of
SSNs. Can you give us an idea of how those actions by States
affect businesses and commerce in those States and maybe even
how it affects businesses and commerce across the country?
Ms. FAGNONI. The work we did, we had more information about
the impacts on different government activities and the ease of
getting information. One example of how business and commerce
has been affected by these laws is that, particularly when a
State like California, a large State such as California enacts
a law, for example, the law where any entity where there is a
security breach involving information, private information,
personal information from somebody who resides in the State of
California, the California law is that those individuals have
to be notified. Some large companies now have on that basis
made it a practice to notify anyone when there is a security
breach, regardless of what State they happen to live in, based
on, perhaps the pressure and the precedent in having certain
laws in place.
That is one example where companies have had to adapt and
adjust to some of those laws. Having different laws in
different States probably can also cause some challenges for
people who do business in multiple jurisdictions. As I said, a
lot of what our studies have shown is that once, whether it is
government or private entities become more aware of the ways in
which the SSN can be fraudulently used and they start to take
actions on their own to better secure the information, they can
still continue to use the SSN for the purposes that are very
important to commerce. They have a better sense and a clear
understanding of the need to protect the exposure of that
number beyond the uses for which it is needed.
Chairman MCCRERY. Thank you. Would you talk a little bit
about the Internet and the availability of SSNs on the
Internet? Should we be looking at some new Federal laws
regarding public display of SSNs?
Ms. FAGNONI. In the work we did looking at government and
selected private sector use of SSNs, we did not find a large
percentage of entities that were placing the SSNs on the
Internet, particularly in the local and State government
levels. Most of the information that is publicly available
through those entities is on paper or microfiche or microfilm
and people actually have to go to a location, such as a
courthouse or someplace like that, and actually look for the
information.
We do have some work ongoing right now where we are looking
at the information resellers who are selling information via
the Internet and we will have some information to report fairly
soon on that. It does raise some questions about how carefully
some information sellers are paying attention to who is
actually asking for the information and what kinds of
safeguards are in place to ensure that the information is being
provided only to those where it is an appropriate use.
Chairman MCCRERY. Thank you. Mr. Becerra?
Mr. BECERRA. Thank you, Mr. Chairman, and thank you to the
two of you for your testimony.
Let me ask a question and revert back to the testimony of
our two colleagues who were just here and talked about using
the SSN for purposes of trying to determine one's eligibility
to work in this country. Any comments on what you heard in the
discussion that took place among the Members on that particular
proposal?
Ms. FAGNONI. We don't really have work that would comment
on it directly, but there is a difference. First of all, they
were talking about having a card that was tamper-proof, and
there are all sorts of issues associated with looking at the
different options and what would be appropriate and what the
cost would be.
There also is an issue which somebody raised about the
information on the card which is only going to be as good as
the information in the databases in DHS and SSA. We have
reported on the fact that to the extent that, for example,
information about somebody's visa status, if that is not kept
up to date and isn't updated somehow through the encryption,
then that is going to limit the usefulness of the database.
There is a whole separate issue on the deterrent effect,
which I really can't comment on.
Mr. BECERRA. Okay.
Mr. WINSTON. I found the discussion very interesting and I
thought the point that you made actually was the one that I was
thinking of, as well, and that is you can have a national
number for immigrants or even for citizens, but any time you
have a number that is the key to benefits, it is going to
potentially be something that is valuable to identity thieves.
The trick is to find a way of identifying people and
authenticating who they are without having that information get
in the hands of the wrongdoers and that is a very difficult
task.
Mr. BECERRA. As we explore how we can better protect the
SSN, is there something that we have learned in these
examinations about best practices or what some either public or
private sector agencies, enterprises are doing to try to
protect the number, anything that you can tell us that can help
us with regard to this ongoing examination?
Ms. FAGNONI. Keying off Mr. Winston's testimony, in the
work we did where we looked at four sectors--banking, financial
institutions, telecommunications, and tax preparers--it was
clear that because of the laws and the regulatory structure
surrounding the banking and financial institutions industries,
there are a lot more protections in place regarding the
protection of personal information, including the SSN.
Particularly in telecommunications, there really are no
laws that are designed to explicitly ensure that
telecommunications companies are protecting SSNs. The companies
are relying on individual contracts and things like that.
As a matter for the Congress, one option would be to look
at regulatory structures in terms of protecting information and
consider whether or not those could be more broadly applied, or
conversely, to look at some other specific sectors that don't
now have laws in place that might warrant them.
Mr. BECERRA. Let me ask just one last question, and if you
wish to comment on something else, that is fine so long as I
have time. I am not sure how to phrase it. Do we need to have
one identifier, or should we ask all these various industries
to have their own identifiers? The banking industry or
financial services, you all keep an identifier that is for your
purposes. Credit bureaus, those who are checking status of your
demographic, your activities, whether purchasing or doing
anything else, you keep your own number. The Federal
Government, you keep your own number. State, driver's license
and all the rest, you keep your own number.
Should we have one, or should we, for purposes of trying to
make sure we don't have a number that can be stolen or has that
value if it is stolen, should we try to move toward something
that says, you all keep your own numbers and that way no one
can steal that much value from an individual when they get that
identifier?
Ms. FAGNONI. The reason the SSN is so valuable is because
often, and I am sure you will hear this from the next panel,
somebody who is trying to check somebody's credit or make sure
that the individual they are talking to is the appropriate
person and they should be sharing certain information, the only
way they can ensure somebody's identity, looking across
different kinds of pieces of information, is through that
common identifier, the SSN.
At the same time, though, we have a lot of examples where
more and more kinds of entities are moving away from the
display of the SSN. I think there is a difference between
needing it and protecting it because it is a very important way
to protect against fraud. At the same time, whether it is a
driver's license or a health care card or whatever, over the
past several years cards that routinely used SSNs now either
first voluntarily and then now routinely across the board use
other special identifiers unique to that particular entity for
display purposes. They still have that SSN, behind the scenes
that they need for data matching and things like that.
Mr. WINSTON. I would just add very briefly, I agree with
that, and there is a lot we can do to convince people to stop
using SSNs when they don't need to, but at the same time, we
have to look at the back end, and the back end is somebody
appears before you with an SSN and wants to take out a loan.
How do you make sure that person is who he says he is? It is
the fact that the SSN is being used for that purpose, as well
as for the identification purpose, that creates the problem.
That is the key that unlocks the door to identity theft. The
more we can go to systems of passwords, PINs, and get away from
using the SSN as the authenticator, I think the better we will
be.
Mr. BECERRA. Thank you. Thanks very much, Mr. Chairman.
Chairman MCCRERY. Mr. Brady?
Mr. BRADY. Thank you, Mr. Chairman. A couple of questions,
three, really. The first two are fairly direct. Identity theft
is such a big issue. What percentage, would you guess, of
identity thefts start with a stolen SSN?
Mr. WINSTON. I can talk about the surveys we have done and
that others have done, which indicate that about two-thirds of
identity theft is what is called account takeover, and that is
where somebody gets your credit card number or your bank card
number and gets into your account. Typically, that doesn't
require an SSN to do.
The other one-third is new account fraud, where they
actually go out and open a new account in your name. Typically,
although not always, typically, you need an SSN to do that kind
of fraud. It is about one-third.
Mr. BRADY. That leads right to the second question. What is
the most common way of obtaining a stolen SSN? Is it a stolen
card? Is it mail theft, computer hacking, information
resellers? What is the most common of those, would you guess?
Mr. WINSTON. It is a little hard to tell from the surveys
because most people don't know how their identity was stolen in
the first place. They just know it happened. They don't know
who did it. They don't know how it got done. If you look at
just the data for people who do know what happened, you find
that most of it is done through lost wallets or friends,
relatives who get a hold of your information. That is not
necessarily representative of half or more of the people who
don't know. There are a lot of potential sources. It is really
hard to tell what is the biggest.
Mr. BRADY. A final question. Part of the, I think,
complexity is the issue of information resellers. Even if we
are able to sort of contain this issue at the source, as it
gets sold, integrity becomes less and loose and things happen.
I will ask both of you, who is responsible for ensuring that
information resellers and financial institutions and those to
whom they sell SSNs only disclose according to the law and who
monitors it and what kind of resource do we use to tackle that
problem?
Ms. FAGNONI. Well, quickly, initially, who has authority,
if anyone, is dependent on what industry is involved, and that
is where we found, at least of the four industries we looked at
and other examples we have, it varies. It is based on the laws
that regulate that particular industry.
In some cases, information resellers, for example, consider
themselves to be financial institutions and therefore subject
to the different kinds of laws regulating that industry. In
other cases, they don't and it is honestly not clear if there
is any regulatory framework.
Mr. WINSTON. Just to elaborate on that, generally speaking,
resellers get SSNs from credit bureaus. Credit bureaus get it
from financial institutions. That is subject to the Gramm-
Leach-Bliley Act (P.L. 106-102). There are restrictions on
people who buy information from resellers in how they can use--
how they can get the information and how they can use it. We
are responsible for enforcing that law as to the non-bank
entities. The banking agencies are responsible for the banks.
Mr. BRADY. How much resource do you put toward that?
Mr. WINSTON. We have a new division at the FTC, the
Division of Privacy and Identity Protection, which is devoted
solely to issues of identity theft, consumer privacy, ensuring
that consumer information is protected. We have a staff of
about 30 people who are looking at these issues and enforcing
the law.
Mr. BRADY. For your agency, can you guess or do you know
how many businesses have been investigated, information
resellers, for example, or businesses using it fraudulently
have been investigated and successfully prosecuted?
Mr. WINSTON. There have been a number, but the most recent
case against Choice Point is a good example.
Mr. BRADY. Sure.
Mr. WINSTON. Choice Point is one of the largest data
brokers in the country and they didn't have procedures in place
to ensure that the people who called them up to buy SSNs and
other information were legitimate. As a result----
Mr. BRADY. Thankfully, that got a lot of attention, but are
we talking about thousands of businesses across the country are
investigated, hundreds are investigated, dozens are
investigated?
Mr. WINSTON. Keep going.
[Laughter.]
Mr. BRADY. Getting a little smaller, isn't it.
Mr. WINSTON. We are a small agency. I don't know what the
number would be. It is certainly not in the hundreds or
thousands. That is all we can--that is all that we have the
resources to do.
Mr. BRADY. Thank you, Mr. Chairman, and thank you, both
panelists.
Ms. FAGNONI. Thank you.
Chairman MCCRERY. Thank you, Ms. Fagnoni. Thank you, Mr.
Winston.
Our next panel is Nicole Robinson, North Atlantic Coast
Volunteer Coordinator, Identity Theft Resource Center, San
Diego, California; Mary McQueen, on behalf of the Council of
State Court Administrators, Williamsburg, Virginia; Erik Stein,
member of BITS Fraud Reduction Steering Committee; Stuart
Pratt, President and CEO of Consumer Data Industry Association;
and Bruce Hulme, Legislative Director, National Council of
Investigation and Security Services from New York. Welcome,
everybody.
The same rules apply. Your written statements will be
included in the record in their entirety, but we would ask you
to summarize those statements in about 5 minutes.
We will begin, Ms. Robinson, with you. Thank you for
coming. You may begin.
STATEMENT OF NICOLE ROBINSON, NORTH ATLANTIC COAST VOLUNTEER
COORDINATOR, IDENTITY THEFT RESOURCE CENTER, SAN DIEGO,
CALIFORNIA
Ms. ROBINSON. Good afternoon, Mr. Chairman, Members of the
Committee. Thank you for the opportunity to testify on behalf
of this very important topic.
My name is Nicole Robinson, and besides being the North
Atlantic Coast Coordinator for the Identity Theft Resource
Center, I am also a victim of identity theft, and I want to
start first off to tell you--try to be brief about my identity
theft case.
It first started in 2000 and I was notified by a fraud
investigator, Kay Jewelers said someone had used my SSN to open
an instant credit account. That first night, she bought watches
and a ring totaling $2,300. The next night, she came trying to
max out the account and they were alerted to it because people
don't usually do that with jewelry store accounts.
Well, I contacted the three credit reporting agencies on
that Monday. It was very difficult to get my credit reports
because she had used different addresses in Texas and I
couldn't get my own credit reports. I soon came to find out
that she had applied for a personal loan at my mortgage lender.
She was picked up by the Bear County police getting a personal
check in my name. My mortgage lender never contacted me,
although they knew they held a mortgage for me in Maryland and
she was in Texas. The police let her go that day. She promised
that she wouldn't do it again. She cried. She said she didn't
know what she was doing was wrong and they let her go home.
After that, since she knew I had a mortgage, she applied
for a mortgage several days later. She continued to apply for
credit, even though she had been picked up by the police. She,
in a 3 month period, got $36,000 in goods and services. She had
a Geico car insurance policy in my name and Geico would not
give me the VIN number off the vehicle so I could track back to
the dealership that sold it because they said they had to
protect her privacy.
As time went on, she was eventually indicted and she pled
guilty to two counts of misusing my identifying information.
She served no time in jail. She was ordered to pay restitution.
I have only seen a small portion of the restitution thus far.
As time has gone, I have borne the burden of her theft of
my identity. I continue to get her collection notices at my
home in Maryland. As recently as last summer, I got a
collection notice from a collection agency where Nicole
Robinson--and that is her name, her name is Nicole Robinson, as
well--she had gone to a dentist in Texas while she was in
police custody and had a tooth extracted. Well, of course she
didn't pay for it and so the collection agency started to look
for her. Instead of finding her in Texas, they sent a
collection notice to my home in Maryland.
I have continued to get collection notices for bad checks
that she has written. I also get preapproved credit card offers
at my home in her name, and the only reason why I know it is
for her is because we have a different middle initial and they
always come with her middle initial.
As I started to get my credit reports, in 2004, I got a 54-
page credit report. It had 170 accounts on it. A hundred-and-
thirty of them were in collections. It had 42 different names
and 65 different addresses. I was notified by another credit
reporting agency that my SSN resided on five different credit
reports.
Even as recently as this year, when a mortgage broker ran
my credit report, her bad debts, even a judgment from an
apartment complex in Texas, is on my credit report, and it is
not on the credit reports that the credit reporting agency
sends to me, but it is on the credit report that they disclose
to the lenders.
As a result of me being a victim of identity theft, I do
speak to consumer groups about protecting your SSN. The way my
SSN was stolen by Nicole Robinson is that she worked for a
business called Care Mark, and Care Mark used to provide mail-
in pharmaceutical services for a law firm where I used to work.
Even though I was no longer an employee of the law firm, she
still had access to my information in their databases. I
ultimately found out that she used the SSN of several people
named Nicole Robinson and she was able to get cars and jewelry,
and when she bought a vacuum cleaner, somebody reported to the
police in Texas that she had a warehouse full of stuff that she
had stolen.
I just want to go over briefly some of the recommendations
from the Identity Theft Resource Center on securing data. We
realize that businesses do use the SSN. It is so much a part of
what a lot of businesses do. We think that businesses should
take extra precautions to secure the SSN.
In my case, Nicole Robinson had access to my SSN years
after I was a member of the health plan that required me to use
my SSN as an identifier. She should have never had access to
that number because I was no longer a member of that plan. Even
if she had access to my records, my SSN should have been
redacted in whole or in part.
We believe that consumer education is key. A lot of people
don't see the risk in carrying their Social Security cards in
their wallets and we believe that when you get your annual
statement from the SSA, there should be a consumer alert on
there about protecting your SSN.
We also believe that businesses should assume
responsibility for the protection of your SSN. If they require
it, they should also protect it.
Thank you very much.
[The prepared statement of Ms. Robinson follows:]
Statement of Nicole Robinson, North Atlantic Coast Volunteer
Coordinator, Identity Theft Resource Center, San Diego, California
Members of the committee: Thank you for the opportunity to provide
both written and oral testimony for your committee today and for your
interest in the topic of identity theft.
The oral portion of our testimony will be provided by Nicole
Robinson, a survivor of identity theft, and the highest ranking ITRC
volunteer on North Atlantic Coast.
The nonprofit Identity Theft Resource Center (ITRC) is passionate
about combating identity theft, empowering consumers and victims,
assisting law enforcement, reducing business loss due to this crime and
helping victims. We also realize that you are in a difficult position
of trying to impose laws that may impact consumers, business and
government.
However, ITRC firmly believes that it is possible to find a balance
between the creation of strong identity theft laws to protect consumers
and businesses and allowing the business community to flourish and
grow. It is critical that all parties be considered in any legislation
you pass and in all of your deliberations. After all--In each case of
Financial Identity Theft there are at least two sets of victims--the
individual whose SSN was used and the business that has lost services,
goods or money. We all victims of this crime and we appreciate your
time in addressing this issue.
We are honored by your invitation and will continue to make our
opinions available upon request to your representatives over the next
few months as you grapple with this complex crime and its many issues.
Introduction:
Governmental agencies at all levels, businesses and consumers have
for ease and convenience tied and associated many critical elements of
daily life to the individual Social Security Number (SSN). The
individual number is the primary key to the individual's credit
history, work history education and health information. You must have
one to work, gain tenancy, credit and to identify individuals on tax
forms.
More and more business and entities are collecting personal
information about each and every one of us. These can range from your
bank to the soccer league that your child plays in. Add to that number
the schools where you or your child attended, all the job applications
you have ever filled out, the Funeral Home that is preplanning your
final arrangements and the many health facilities that you have used.
Some veterinarians, self-storage units and even car rental companies
ask for SSNs.
In some cases there is a valid reason to collect the information
and the Identity Theft Resource Center holds that it should be allowed
to continue. Our concern lies not in the collection of the Social
Security number but in the use, storage, access and misuse of this key
information.
It must be noted that the crime of identity theft is not a
particularly new crime. It is more that in the current environment of
electronic credit and business identity theft has become extremely
profitable and safe for the thief. The thief faces little chance of
apprehension with minimal penalties for the theft of thousands of
dollars.
Each day the thieves grow more accomplished at their task. Now it
is time for businesses, governmental agencies and consumers to adopt a
more proactive position on the value of the Social Security number as a
marketable commodity. Consumers need to realize it has value.
Businesses and governmental entities need to accept responsibility for
this item of value, the Social Security number. We need to create a
plan that focuses on all involved parties and not just on the business
community.
Numerous surveys have proven that consumers do not feel trust for
companies or the government proactively protecting their personal
identifying information. They believe, with cause, their information is
accessible to too many people and handled without protection. In order
to increase customer, employee and client trust, new security processes
must be implemented as soon as possible.
Findings and Recommendations:
SSN as an identifier on items in wallets
Finding: Too many people carry their Social Security number on
their person, in the form of the actual Social Security card, health
insurance cards, Military ID cards, employee id cards or Medicare/
MediCal cards and driver's license numbers. Wallets are primary targets
by identity thieves, pickpockets and drug addicts who hope to profit
this information.
Recommendation: The Social Security number should not be used as an
identifier in any circumstances and should never be on cards carried in
the wallet, even on the magnetic strip due to improvements in skimming
technology. Randomized numbering systems should be used that match the
SSN in a well-protected database when necessary such as for Medicare
benefits.
Consumer Education
Recommendation: That all Social Security cards come with an
advisory with the original card and that this advisory should also be
sent out yearly with the person's work benefit statement. This advisory
should include under what circumstances one should give out a SSN, when
not to, a telephone number to call with questions or to file
complaints, and not to carry a SS card in one's wallet, palm pilot or
laptop.
Recommendation: That the SSA work with other governmental and
private entities to continue to educate consumers about scams that
involve the SSN. A study of the SSA site only included one scam warning
as the beginning of March 2006.
Overcollection/misuse of the SSN
Recommendation: Too many companies are unnecessarily asking for a
person's SSN. While it may not be practical to limit the collection of
the SSN, a blanket liability should be incurred all entities that
collect this information from an individual or secondary source. It is
not unreasonable for any individual to expect basic standards of
protection of the information obtained by the entity doing the
collection. Federal, state and private right of actions should included
in any bill considered in order for there to be effective encouragement
to self-enforce these standards.
Information Security
Finding: The number of publicized security breaches during 2005
clearly indicates a serious problem. Whereas it is not possible to
build an impenetrable security system around data, it is clear that
companies and governmental agencies need to have a tighter control on
information. This rule cannot just apply to businesses. All
governmental agencies need to be held to the same standard and be a
leader in this movement.
Recommendation: Companies and all levels of governmental agencies
should be required to do an information risk assessment of both paper
and electronic documents containing a Social Security number. This
assessment should include the ability to follow information from the
point of entry to beyond disposal, including the auditing of any
person, department or storage space. A written policy should be
designed that limits access to the SSN, describes the protection of the
information and how information should be destroyed. ITRC strongly
recommends a breach notification similar to California's or New
Jersey's current laws.
SSN as an identifier for customers or employees
In order to limit access of an individual's SSN, all companies
should assign a separate account number and the SSN should never been
seen on a call center screen by an employee of the company. There are
many other ways, including passwords, to verify a person's identity.
Document Disposal
Finding: A popular spot identified by law enforcement and other
investigative entities is the unshredded documents and data recklessly
discarded into or near trash cans and dumpsters. Only several states
have passed mandatory document disposal laws stating that paper and
electronic documents must be rendered unreadable prior to disposal.
Example: A recent situation occurred in Los Angeles when the
Department of Social Services had boxes of medical records, application
forms and other documents with SSN put in boxes by a trash can. These
documents never had been shredded but were being sent whole to China
for recyling. Unfortunately they were also seen blowing in the wind and
people went through boxes for information knowing they were out there.
Recommendation: A law that states that all documents, no matter
what form they are in, must be rendered unreadable prior to leaving the
entity that no longer wishes to store them.
Educational Facilities and SAT testing
Finding: In 2005 more than half of the disclosed breaches were
educational facilities, mainly colleges and universities. The
University of Colorado had 4 breaches in the last 14 months. After
speaking with IT departments and administrators at several of these
colleges, it is clear that changes need to be made. Parents send
children to colleges to help them on their career paths. One identity
theft problem can stop a future before it begins.
Recommendations: First, SSN should never be a student's public
identification number, computer access number or publicly used for any
other purpose. These steps will significantly limit the number of
professors who have lost or had laptops stolen with student numbers and
stop roster with names and SSNs from circulating classrooms.
Second, other than a few departments that are involved in payroll,
student loans, scholarships and such should have access to the
student's SSN. While it is easy to track a student by SSN it is easy to
have that information securely stored in a database with limited access
so that when a student asks for a transcript or school records they be
found. However, the SSN should never been printed in full on any
document sent through the mail.
Third, the ``College Boards,'' the company that does SAT testing
must immediately stop asking students for SSN and stop placing them on
mailing labels. ITRC has had numerous calls about this activity.
Immigrants who no longer need or wish to have a SSN
Finding: ITRC has heard from a number of people who lived in the
United States for a limited period of time or have moved from the
United States to live permanently in another country. They would like a
way to prevent any possible use of their SSN now that they no longer
need it.
Recommendation: The creation of a national credit freeze program
would not only help victims of identity theft and businesses from
giving cards to thieves but would also solve this problem. However,
that only solves the financial side of the problem. Other solutions
would have to be found within the SSA so that those numbers would be
tagged as inactive for employment or benefit purposes.
SSN of the Deceased
Finding: According to the SSA not all deceased individuals are on
the Master Death Registry. It is partially consumer driven (change in
benefit status) and partially populated by some states that do report
all deaths to the SSA.
Recommendation: All governmental agencies that issue a death
certificate should report that death to the SSA either directly or via
a state program. Since this Registry is available to the credit
reporting agencies and Department of Motor Vehicles this would
significantly stop the use of a dead 7 year old's SSN by an adult.
SSNs sent through the mail
Finding: ITRC receives numerous inquiries from parents who never
receive their newborns Social Security cards. Either they have been
lost or intercepted by a would-be identity thief.
Recommendation: After talking with the Chief Privacy Officer of the
U.S. Postal Service, there are a number of ways that the Post Office
and SSA can work together to help insure the delivery of these
documents. ITRC recommends that a committee be formed and a new
procedure implemented within six months.
Finding: Companies still send information via the U.S. Mail with
SSNs on mailing labels or in the body of the letter. In some cases it
would clear to an identity thief that this envelope contains valuable
information.
Recommendation: That mailing labels may never include a SSN and
that when a SSN is included in the body of a document that it must be
partially truncated.
IRS and selling of information
ITRC would be remiss if it did not comment on the plan being
considered by the IRS to allow the sale by tax preparation services of
our tax returns or personal tax information. Many people get numerous
papers from tax preparers and just sign them. They go unread or may be
beyond an individual's reading ability. This proposed plan must not be
implemented. It creates another public record that will benefit thieves
more than anyone else. If this must be allowed then there can be no
allowances for acceptance of any release that is not clear and
specific.
Public Records
Recommendation: The SSN should never be published on the Internet
by a business or governmental entity including court records. In
response to those who state they need that information, it can be
specifically requested of the court, with appropriate redaction of
unnecessary information that may place the individual in harm's way.
This includes witness and victim information, family records during
custody and divorce hearings and bankruptcy hearings.
Recommendation: In a court proceeding where information must be
exchanged between opposing sides, the SSN should be at least partially
redacted in order to protect the sanctity of that number.
New Laws--A Standard and not the Ceiling
The concepts discussed above are intended to benefit business and
consumers. While we understand that companies don't want to deal with
50 different laws, it is also important to note that some states want
to hold state and local governmental agencies and businesses to a
higher standard than the ones recommended above. Any federal law should
be a standard, to cover those citizens in states currently without
information protection statutes and not pre-empt stronger state laws.
In Conclusion:
Protecting Social Security numbers from identity thieves needs to
be everyone's job--not just the consumers. We need businesses and
governmental agencies to work cooperatively with consumers to keep this
valuable number out of the hands of those who have no regard for the
damage they cause individuals and companies.
Businesses cannot afford to continue to lose money to identity
thieves. While the numbers discussed in terms of fraud loss may sound
like a trickle now, it is going to worsen. Identity thieves are more
sophisticated, meth addicts have turned to this crime for money for
fixes, and information trafficking is big business. Without required
control procedures for the handling of Social Security numbers, this
crime will worsen and our economy will suffer.
Its going to require the reeducation of consumers, businesses and
governmental agencies. It going to require new behavior patterns, new
ways of controlling information in the workplace and strict vigilance
against new trends and attacks.
The proactive and not reactive protection of the Social Security
number is in your hands. This small nine-digit number has the ability
to destroy a company or an individual when misused. It is clear that
some states have taken great strides to protect consumers.
Unfortunately some business groups believe that anything that will
benefit consumers will harm them and have fought change. Consumers
blame businesses.
This is not a time for finger pointing. The blame game must end. We
must be on the same team fighting a battle against this Goliath if we
are to win. We must realize that we are one people and anything that
harms one of us harms us all.
Thank you for your time and interest.
Linda Foley
Jay Foley
Chairman MCCRERY. Thank you, Ms. Robinson. Ms. McQueen?
STATEMENT OF MARY C. McQUEEN, PRESIDENT, NATIONAL CENTER FOR
STATE COURTS, ON BEHALF OF THE CONFERENCE OF STATE COURT
ADMINISTRATORS
Ms. MCQUEEN. Thank you, Mr. Chairman, Mr. Levin, Members of
the Subcommittee. I am Mary McQueen. The Conference of State
Court Administrators is pleased to present testimony on today's
hearings before this important Committee.
Before I begin my remarks, I would like to provide some
background about who that group is, and I submit testimony on
their behalf. I am a former member of the Conference of State
Court Administrators, having served as the Chief Administrative
Officer for the court system in the State of Washington for 25
years, and most recently assumed the position as the President
for the National Center for State Courts. The National Center
operates in coordination with the Conference of State Court
Administrators and Chief Justices in a similar way that the
Federal Judicial Center operates with the Federal judiciary.
The Conference of State Court Administrators and the
Conference of Chief Justices represent the top judicial
officials and chief administrative officers in the 58 States,
Commonwealths, and U.S. Territories, and we work very closely
together with the chief justices to develop best practices to
improve the administration of justice. You may know that more
than 98 percent of all judicial proceedings in the United
States are in State courts that consist of over 30,000 judges
and over 16,000 courts.
Mr. Chairman, let me begin by informing you that the State
courts have taken several important steps to protect individual
privacy and we share the Committee's concerns. The State courts
hope to partner with the Chair and the Members of this
Subcommittee in your efforts to increase those privacy steps.
A question we are always asked is why do State courts need
SSNs? What is the State courts' interest in collecting those
numbers, and why do State courts require parties to provide
them in litigation? I would like to just briefly identify five
different uses of the SSN in State courts.
The first and obvious one to those of you who are members
of the bar is to ensure that accurate information is placed
before a fact finder. We want to ensure, especially in family
law cases, that we have access to the information that is
necessary to determine child support, to distribute property,
and to determine paternity.
Secondly, we also need to identify the parties. Courts
often use SSNs to identify criminal defendants that lack
fingerprint information.
We also use SSNs to enforce judgments in court orders.
Courts often order restitution or the repayment of fines as a
legal judgment, and SSNs have become the universal commercial
identifier for use in monetary penalties. Litigants' SSNs are
also necessary for use in State income tax intercept programs,
where outstanding monetary judgments are deducted from State
income tax returns. Federal law now requires State courts to
place a party's SSN in records relating to divorce and child
support decrees, and in October 1999, that requirement was
extended to require SSNs for all children to whom support is
required to be paid.
We also need SSNs to create jury pools and to pay jurors.
It requires us when we issue a check to jurors that that income
is reported, and we are required to have SSNs for those
individuals.
Finally, we use SSNs to notify the SSA of incarcerated and
absconded persons. The SSA cuts off payments to persons
incarcerated in all Federal, State, and local prisons or jails
who are fugitives from justice and they need to identify those
persons. While traditionally that information comes from
correctional agencies, the courts initially provide those
agencies with that information.
As previously mentioned, the Welfare Reform Act (P.L. 104-
193) does require courts to collect SSNs on court orders
granting divorces, providing for child support, or determining
paternity, and SSNs can appear in many financial records, such
as tax returns, which are required to be filed in many court
proceedings.
We were encouraged by some of the language that accompanied
H.R. 2971 in the report dealing with incidental versus non-
incidental appearances of SSNs on public records and we would
encourage that if you move forward, we would like to work with
you on looking at some of those provisions.
In drafting Social Security legislation, we respectfully
request that you ask members of the court community participate
in those discussions.
Finally, in an effort to increase privacy and reduce the
possibility of identity theft from court documents, the chief
justices and the State court administrators have established a
Standing Committee on Court Privacy and Access to Court
Records. They have adopted national guidelines and model court
rules, and we have identified three best practices. I would
draw your attention to our visual aid here.
These best practices include creating basically two sets of
records. The State of Washington, the States of Michigan,
Vermont, and South Dakota have adopted this approach, where
basically in the types of records that incorporate sensitive
information as well as SSN, there is a special procedure for
sealing this information, placing them in a separate file, and
when someone comes to the counter and asks to see the court
file, those records are removed in the envelope and not
provided to the public.
We have also identified a best practices that we give an
alert to the filing parties and make sure that they know they
are responsible for including any SSNs in the documents that
are filed and make sure that on all court model forms, that
everybody uses, that there is an alert saying your SSN may be
available, so please consider not including that.
Also, as part of the two sets of records, several States
have identified confidentiality filing forms, where you put
that information on one sheet, not incorporate it into the
court documents, and that one sheet is sealed.
Finally, when requiring SSNs, we have recommended that you
only use four digits that would appear in the court record.
Mr. Chairman, we recognize the threat of identity theft as
real. We commit that the State courts want to do our part in
eliminating that opportunity. I have presented several reasons
why the courts utilize SSNs as well as the solutions that we
are working to implement.
Thank you for allowing us to participate in this discussion
and I will be happy to answer any questions you may have.
[The prepared statement of Ms. McQueen follows:]
Statement of Mary C. McQueen, on behalf of the Council of State Court
Administrators, Williamsburg, Virginia
Mr. Chairman and Members of the Subcommittee,
The Conference of State Court Administrators (COSCA) is pleased to
present testimony on today's fifth in a series of hearings on Social
Security Number High Risk Issues.
SUMMARY
Mr. Chairman and members of the subcommittee, the state court
community has been grappling with the issue of protecting privacy as it
relates to court records for the past few years. We are taking a
proactive stance in protecting the privacy of individuals and their
social security numbers, while at the same time maintaining traditional
open court access. Today, we will share examples of what state courts
that are doing on this via the approval of court rules.
In collaboration with the Conference of Chief Justices (CCJ), we
established a project entitled ``Public Access to Court Records: CCJ/
COSCA Guidelines for Policy Development by State Courts,'' which
outlines the issues that a jurisdiction must address in developing its
own rules, and provides one approach. The Guidelines touch on the use
of social security numbers (SSNs) in court records as well as other
private information. The entire text of the Guidelines can be found
online at http://www.courtaccess.org/modelpolicy/
18Oct2002FinalReport.pdf. Both CCJ and COSCA, adopted a resolution
endorsing the Guidelines and urged the states to address them.
Mr. Chairman, SSNs are pervasive in state court documents and
procedures. The testimony that follows gives the subcommittee numerous
examples of how we use SSNs in day-to-day court proceedings. For
example, we use SSNs to insure that judges have the best evidence
available to them. We also use SSNs to collect fines and restitution.
In addition, many SSNs appear in the public record in many types of
court cases including, but not limited to, bankruptcy, divorce and
child support cases. My testimony also details the federal requirements
imposed on us to collect SSNs for various reasons, for example, to
track parents who are not paying child support.
Mr. Chairman, we stand ready to work with you to craft solutions to
address the problem of identity theft. We want to do our part to
eliminate it. We are at the same time concerned about the effort to
require us to redact or expunge SSNs that appear in public records. We
feel that this type of requirement would impose an unfunded mandate on
state courts in this country. The cost to fulfill this requirement
would be high because many SSNs appear in paper documents as well as
other hard-to-redact microfilm/microfiche.
ABOUT COSCA
Before I begin my remarks, I would like to provide some background
on our group and our membership. I submit this testimony on behalf of
the Conference of State Court Administrators (COSCA). I am a former
member of COSCA having served as State Court Administrator of the state
of Washington. The National Center for State Courts, of which I am
President, serves as secretariat to COSCA. COSCA was organized in 1955
and is dedicated to the improvement of state court systems. Its
membership consists of the principal court administrative officer in
each of the fifty states, the District of Columbia, the Commonwealth of
Puerto Rico, the Commonwealth of the Northern Mariana Islands, and the
Territories of American Samoa, Guam, and the Virgin Islands. A state
court administrator implements policy and programs for a statewide
judicial system. COSCA is a nonprofit corporation endeavoring to
increase the efficiency and fairness of the nation's state court
systems. As you know, state courts handle 98% of all judicial
proceedings in the country. The purposes of COSCA are:
To encourage the formulation of fundamental policies,
principles, and standards for state court administration;
To facilitate cooperation, consultation, and exchange of
information by and among national, state, and local offices and
organizations directly concerned with court administration;
To foster the utilization of the principles and
techniques of modern management in the field of judicial
administration; and
To improve administrative practices and procedures and to
increase the efficiency and effectiveness of all courts.
Although I do not speak for them today, I also would like to tell
you about the Conference of Chief Justices (CCJ), a national
organization that represents the top judicial officers of the 58
states, commonwealths, and U.S. territories. Founded in 1949, CCJ is
the primary voice for state courts before the federal legislative and
executive branches and works to promote current legal reforms and
improvements in state court administration. COSCA works very closely
with CCJ on policy development and administration of justice issues.
STATE COURTS ARE RESPONDING TO PRIVACY CONCERNS
Mr. Chairman, let me begin by informing you of the progress that
many state courts are making to protect individual privacy rights,
while maintaining the American tradition of open courts. Through court
rules, state court systems are changing their procedures for viewing
and accessing court records as they relate to the appearance of social
security numbers. Washington State, for example, is establishing a
procedure for ``sealing'' family case court records containing
privileged information such as social security numbers and financial
information. In effect, Washington is creating two sets of records: a
public and a private one. Vermont is placing the burden on parties to
expunge or redact social security numbers from papers filed with the
court. Minnesota is requiring that parties in a divorce case fill out a
confidential information sheet, which contains social security numbers,
to be kept separate from the official record. South Dakota adopted a
rule that protects SSNs and financial account number information by
requiring these numbers to be redacted from documents and submitted to
the Court on confidential information forms. As an example, I am
attaching the South Dakota rule along with their required confidential
information sheet to the end of my testimony.
In addition to the proactive stance we are taking to this issue, we
are also responding to some of the demands placed on our court systems
by state legislatures and governors. In 2005, 53 bills were signed into
law by governors dealing with social security number privacy. That's 17
more than in 2004; an increase of 46 percent. These bills range from
simple prohibition of displays of SSNs on public records to new
expansive criminal and civil statutes that punish wrongdoers and those
that traffic in social security numbers as a means to steal a person's
identity. Activity in this area has not diminished in the current year.
In the ongoing 2006 sessions, state legislatures are considering 176
measures dealing with social security numbers and privacy. Again, this
number is an increase over the prior year.
At the direction of the CCJ and COSCA leadership, we established a
special subcommittee of the CCJ/COSCA Court Management Committee to
explore privacy protection innovations and share them with the Congress
and the Administration. This committee meets twice a year at our annual
and mid-year meetings. This subcommittee has been researching the issue
and is responsible for compiling examples of best practices in this
area that I am presenting today.
NATIONAL EFFORT TO CRAFT PUBLIC ACCESS GUIDELINES TO COURT RECORDS
Our project entitled, ``Public Access to Court Records: CCJ/COSCA
Guidelines for Policy Development by State Courts'' was a joint effort
of CCJ/COSCA and the NCSC to give state court systems and local trial
courts assistance in establishing policies and procedures that balance
the concerns of personal privacy, public access and public safety.
The State Justice Institute (SJI) funded this project in 2001 and
it was staffed by the NCSC and the Justice Management Institute. The
project received testimony, guidance and comments from a broad-based
national committee that included representatives from courts (judges,
court administrators, and clerks), law enforcement, privacy advocates,
the media, and secondary users of court information.
The Guidelines recommend the issues that a jurisdiction must
address in developing its own rules governing public access. The
Guidelines are based on the following premises:
Retention of the traditional policy that court records
are presumptively open to public access
The criteria for access should be the same regardless of
the form of the record (paper or electronic), although the manner of
access may vary
The nature of certain information in some court records
is such that remote public access to the information in electronic form
may be inappropriate, even though public access at the courthouse is
maintained
The nature of the information in some records is such
that all public access to the information should be precluded, unless
authorized by a judge
Access policies should be clear, consistently applied,
and not subject to interpretation by individual courts or court
personnel
The Guidelines Committee examined the use of SSNs in current court
practices. They looked at the inclusion of SSNs in bulk distribution of
court records, and in other private information that courts
traditionally protect, such as addresses, phone numbers, photographs,
medical records, family law proceedings, and financial account numbers.
Finally, the Committee examined various federal laws and requirements
governing SSN display and distribution by state and local entities.
On August 1, 2002, CCJ and COSCA endorsed and commended ``the
Guidelines to each state as a starting point and means to assist local
officials as they develop policies and procedures for their own
jurisdictions.''
STATE COURTS' INTEREST IN COLLECTING AND USING SOCIAL SECURITY NUMBERS
A question we are often asked is why do state courts utilize SSNs?
What is the state court interest in collecting SSNs? Why do state
courts need to require parties to provide their SSNs in the course of
state court litigation? The following are some of the reasons we use
them:
Accurate determination of assets/income Judges need the most
accurate information on assets and income when making their decisions,
especially in family law cases. In many instances this involves
examining assets by a social security number. There are numerous
examples of individuals giving a false social security number to avoid
paying child support, for example. The same logic applies in dealing
with divorce cases in dividing assets.
Identification of parties A growing number of court systems are
using case management information systems in which an individual's
name, address, and telephone number are entered once, regardless of the
number of cases in which the person is a party. The advantage of these
systems is to be able to update an address or telephone number for all
cases in which the person is a party by a single computer entry. SSNs
provide a unique identifier by which court personnel can determine
whether the current ``John Smith'' is the same person as a previous
``John Smith'' who appeared in an earlier case.
Courts have often used SSNs to identify criminal defendants as well
as parties to civil cases. In the future, persons accused of crime will
be identified by automated fingerprint identification systems (AFIS)
which scan fingerprints and classify them electronically. The primary
future need for SSNs as a means to identify individuals will therefore
be in civil, not criminal, litigation.
Collection of fees, fines and restitution by courts SSNs are the
universal personal identifier for credit references, tax collection,
and commercial transactions.
When courts give a litigant an opportunity to pay an assessment
resulting from a judgment in periodic payments, the court needs to be
able to function as a collection agency. Having the convicted person's
social security number is necessary for use of state tax intercept
programs (in which a debt to the state is deducted from a taxpayer's
state income tax refund) and other collection activities. Some states
use additional means to enforce criminal fines and restitution orders,
such as denial of motor vehicle registration; SSNs are often used for
these purposes as well.
Creation of jury pools and payment of jurors SSNs are a necessary
part of the process by which multiple lists (for instance, registered
voters and registered drivers) are merged by computer programs to
eliminate duplicate records for individual citizens in the creation of
master source lists from which citizens are selected at random for jury
duty. Duplicate records double an individual's chance of being called
for jury duty and reduce the representativeness of jury panels. Some
courts use SSNs to pay jurors as well.
Making payments to vendors SSNs are used as vendor identification
numbers to keep track of individuals providing services to courts and
to report their income to state and federal taxing authorities.
Facilitating the collection of judgments by creditors and
government agencies Courts are not the only entities that need to
collect judgements. Judgment creditors need SSNs to locate a judgment
debtor's assets and levy upon them. Courts often require that the
judgment debtor make this information available without requiring
separate discovery proceedings that lengthen the collection process and
increase its costs. Federal law now requires state courts to place the
parties' SSNs in the records relating to divorce decrees, child support
orders, and paternity determinations or acknowledgements in order to
facilitate the collection of child support. On October 1, 1999, that
requirement was extended to include the SSNs of all children to whom
support is required to be paid.
Notification to the Social Security Administration of the names of
incarcerated and absconded persons The Social Security Administration
cuts off all payments to persons incarcerated in federal, state or
local prison or jails, and to person who are currently fugitives from
justice. The savings to the federal budget from this provision are
substantial. To implement this process, Social Security Administration
needs to identify persons who have been sentenced to jail or prison and
persons for whom warrants have been issued. The agency has
traditionally obtained this information from state and local
correctional agencies. See 42 USC � 402(x)(3) requiring Federal and
State agencies to provide names and SSNs of confined persons to the
Social Security Administration. The state courts of Maryland are
involved in an experimental program to provide such information
directly from court records. The Maryland program has two additional
future advantages for state courts. First, the program offers the
possibility of obtaining better addresses for many court records;
social security and other welfare agencies have the very best address
records because of beneficiaries' obvious interest in maintaining their
currency. Second, cutting off benefits may provide a useful incentive
for persons receiving benefits to clear up outstanding warrants without
requiring the expenditure of law enforcement resources to serve them.
Transmitting information to other agencies In addition to the
Social Security Administration, many states provide information from
court records to other state agencies. A frequently occurring example
is the Motor Vehicle Department, to which courts send records of
traffic violations for enforcement of administrative driver's license
revocation processes. These transfers of information often rely upon
SSNs to ensure that new citations are entered into the correct driver
record.
POTENTIAL LEGISLATION
Mr. Chairman, in the past, this subcommittee has considered various
pieces of legislation that would, in some form or another, prohibit the
display of a person's social security number on a public record.
Blanket prohibitions like these will place courts in the position of
trying to comply with conflicting public policies. We submit the
following questions for your consideration:
The Welfare Reform Law requires courts to collect SSNs on court
orders granting divorces or child support or determining paternity.
State laws contain similar requirements in other types of cases in some
states. What steps must a court take to restrict access to these
documents, which are matters of public record in most states?
SSNs appear in many financial documents, such as tax returns, which
are required to be filed in court (e.g., for child support
determinations) or are appended to official court documents, such as
motions for summary judgments. What steps must a court take to restrict
access to these documents, which are also matters of public record in
most states?
We were encouraged by language in the report accompanying HR 2971
(Rept. 108-685, Part 1, p. 21) in the 108th Congress dealing with
incidental vs. non-incidental appearances of SSNs in public records:
During Social Security Subcommittee hearings on the bill, court and
other public records administrators testified they receive numerous
documents filed by individuals, businesses, and attorneys that often
include SSNs the government did not require to be submitted, and of
which they are therefore unaware. They stated redaction of
``incidentally'' included SSNs would create a serious administrative
burden, and it would require significant resources to review each
document and redact such incidental SSNs--With respect to SSNs
submitted in court documents absent the court's requirement to do so,
the individual communicating the SSN in the document, not the court,
would be held responsible according to Section 108 of the bill.
(Emphasis ours)
In drafting social security legislation, we respectfully ask that
you expand on the above sentiments in actual legislative language of
any future bill.
Courts will have substantial increased labor costs in staff time to
redact or strike the appearance of SSNs in paper records or in
microfilm/microfiche if a redaction requirement is imposed.
In the event you draft legislation dealing with redaction, we urge
you to make a distinction between existing court records/documents and
future documents. For example, requiring a court to retroactively
redact or expunge old records would be a nightmarish task due to the
cost in staff time and the actual compiling of said court records.
Finally, in an effort to make courts and court records more open,
many courts are now beginning to make available many public records on
the internet either as text/character documents or by scanning and
placing them online through imaging software (PDF files). While the
removal of SSNS in text/character documents may be relatively easy in
some computer generated records (XML), other scanned records, such as
PDF files, will be harder to change necessitating more staff and an
increase in labor costs.
OUR FUTURE COURSE OF ACTION
CCJ and COSCA have recommended that state courts adopt the
following policies, unless state law directs them otherwise, to protect
citizen privacy while providing service to litigants:
Official court files State courts should not attempt to expunge or
redact SSNs that appear in documents that are public records. As was
mentioned earlier, federal law requires state courts to place the
parties' SSNs in the records relating to divorce decrees, child support
orders, and paternity determinations or acknowledgement in order to
facilitate the collection of child support. The purpose of placing that
data on judgments is not just to provide it to child support
enforcement agencies; it is also to provide it to the parties
themselves for their own private enforcement efforts. Any other
interpretation puts the courts in an untenable position--having an
affirmative obligation to provide judgments in one form to parties and
child support enforcement agencies and in another form to all other
persons.
This same reasoning applies to income tax returns or other
documents containing SSNs filed in court. It would be unreasonable, and
expensive, to expect courts to search every document filed for the
existence of SSNs. Further, court staff has no authority altering
documents filed in a case; the social security number may have
evidentiary value in the case--at the very least to confirm the
identity of the purported income tax filer.
Case management information databases Data in automated information
systems raises more privacy concerns than information in paper files.
Automated data can be gathered quickly and in bulk, can be manipulated
easily, and can be correlated easily with other personal data in
electronic form. Data in an automated database can also be protected
more easily from unauthorized access than data in paper files. It is
feasible to restrict access to individual fields in a database
altogether or to limit access to specific persons or to specific
categories of persons. Consequently, state courts should take steps to
restrict access to SSNs appearing in court databases. They should not
be available to public inquirers. Access to them should be restricted
to court staff and to other specifically authorized persons (such as
child support enforcement agencies) for whose use the information has
been gathered.
Staff response to queries from the public When court automated
records include SSNs for purposes of identifying parties, court staff
should be trained not to provide those numbers to persons who inquire
at the public counter or by telephone. However, staff may confirm that
the party to a case is the person with a particular social security
number when the inquirer already has the social security number and
provides it to the court staff member.
In short, staff may not read aloud a social security number, but
may listen to a social security number and confirm that the party in
the court's records is the person with that number. This is the same
distinction applied to automated data base searches. This distinction
is one commonly followed in federal and state courts.
CONCLUSION
Mr. Chairman, we recognize the role of SSNs in the incidence of
identity theft cases. The current state of affairs with regards to the
treatment of SSNs provides lawbreakers the continued opportunity to
exploit the current system at the expense of ordinary Americans. The
threat of identity theft is real and we want to do our part to
eliminate it.
I have presented several ways our courts utilize SSNs. Finding
solutions to protect an individual's privacy will be complex and
difficult. Many state courts are already taking steps to fashion
solutions in response to the problem. I remind you of the earlier
mentioned approaches from Washington, Vermont, Minnesota and South
Dakota. Other states are experimenting with different approaches.
Thank you for asking for our input on this important matter. The
Conference of State Court Administrators stands ready to work
collaboratively and cooperatively to craft solutions to this important
issue. I will be happy to answer any questions you may have.
______
Example of South Dakota court rule to protect SSNs from public
dissemination
UNIFIED JUDICIAL SYSTEM
COURT RECORDS rule
SDCL ch. 15-15A
SDCL 15-15A-1. Purpose of rule of access to court records.
The purpose of this rule is to provide a comprehensive policy on
access to court records. The rule provides for access in a manner that:
(1) Maximizes accessibility to court records,
(2) Supports the role of the judiciary,
(3) Promotes governmental accountability,
(4) Contributes to public safety,
(5) Minimizes risk of injury to individuals,
(6) Protects individual privacy rights and interests,
(7) Protects proprietary business information,
(8) Minimizes reluctance to use the court to resolve disputes,
(9) Makes most effective use of court and clerk of court staff,
(10) Provides excellent customer service, and
(11) Does not unduly burden the ongoing business of the judiciary.
The rule is intended to provide guidance to 1) litigants, 2) those
seeking access to court records, and 3) judges, court and clerk of
court personnel responding to requests for access.
SDCL 15-15A-2. Eho has access to court records under the rule.
Every member of the public has the same access to court records as
provided in this rule, except as provided otherwise by statute or rule
and except as provided in � 15-15A-7.
``Public'' includes:
(1) any person and any business or non-profit entity, organization
or association;
(2) any governmental agency for which there is no existing policy,
statute or rule defining the agency's access to court records;
(3) media organizations.
``Public'' does not include:
(4) court or clerk of court employees;
(5) people or entities, private or governmental, who assist the
court in providing court services;
(6) public agencies whose access to court records is defined by
another statute, rule, order, policy or database access agreement with
the South Dakota Unified Judicial System;
(7) the parties to a case or their lawyers regarding access to the
court record in their case, which may be defined by statute or rule.
SDCL 15-15A-3. Definition of terms.
(1) ``Court record'' includes any document, information, or other
thing that is collected, received or maintained by a clerk of court in
connection with a judicial proceeding. ``Court record'' does not
include other records maintained by the public official who also serves
as clerk of court or information gathered, maintained or stored by a
governmental agency or other entity to which the court has access but
which is not part of the court record as defined in this section.
(2) Information in a court record ``in electronic form'' includes
information that exists as: (a) electronic representations of text or
graphic documents; (b) an electronic image, including a video image, of
a document, exhibit or other thing; or (c) data in the fields or files
of an electronic database.
(3) ``Public access'' means that the public may inspect and obtain
a copy of the information in a court record unless otherwise prohibited
by statute, court rule or a decision by a court of competent
jurisdiction. The public may have access to inspect information in a
court file upon payment of applicable fees.
(4) ``Remote access'' means the ability to electronically search,
inspect, or copy information in a court record without the need to
physically visit the court facility where the court record is
maintained.
SDCL 15-15A-4. Applicability of rule.
This rule applies to all court records, regardless of the physical
form of the court record, the method of recording the information in
the court record or the method of storage of the information in the
court record.
SDCL 15-15A-5. General access rule.
(1) Information in the court record is accessible to the public
except and as prohibited by statute or rule and except as restricted by
�� 15-15A-7 through 15-15A-13.
(2) There shall be a publicly accessible indication of the
existence of information in a court record to which access has been
restricted, which indication shall not disclose the nature of the
information protected, i.e., ``sealed document.''
(3) An individual circuit or a local court may not adopt a more
restrictive access policy or otherwise restrict access beyond that
provided by statute or in this rule, nor provide greater access than
that provided for by statute or in this rule.
SDCL 15-15A-6. Court records that are only publicly available at a
court facility.
A request to limit public access to information in a court record
to a court facility in the jurisdiction may be made by any party to a
case, an individual identified in the court record, or on the court's
own motion. For good cause, the court will limit the manner of public
access. In limiting the manner of access, the court will use the least
restrictive means that achieves the purposes of this access rule and
the needs of the requestor.
SDCL 15-15A-7. Court records excluded from public access.
The following information in a court record is not accessible to
the public:
(1) Information that is not to be accessible to the public pursuant
to federal law;
(2) Information that is not to be accessible to the public pursuant
to state law, court rule or case law as follows;
(3) Examples of such state laws, court rules, or case law follow.
Note this may not be a complete listing and the public and court staff
are directed to consult state law, court rules or case law. Note also
that additional documents are listed below that may not be within court
records but are related to the court system; the public and court staff
should be aware of access rules relating to these documents.
(a) Abortion records (closed); � 34-23A-7.1
(b) Abuse and neglect files and records (closed, with statutory
exceptions); � 26-8A-13
(c) Adoption files and adoption court records (closed, with
statutory exceptions); �� 25-6-15 through 25-6-15.3
(d) Affidavit filed in support of search warrant (sealed if so
ordered by court, see statutory directives); � 23A-35-4.1
(e) Attorney discipline records (closed until formal complaint has
been filed with Supreme Court by the State Bar Association's
Disciplinary Board or Attorney General, accused attorney requests
matter be public, or investigation is premised on accused attorney's
conviction of a crime); � 16-19-99
(f) Civil case filing statements (closed); � 15-6-5(h)
(g) Coroner's inquest (closed until after arrest directed if
inquisition finds criminal involvement with death); � 23-14-12
(h) Custody or visitation dispute mediation proceedings pursuant to
� 25-4-60 (closed, inadmissible into evidence)
(i) Discovery material (closed unless admitted into evidence by
court) �� 15-6-26(c); 15-6-5(g)
(j) Domestic abuse victim's location (closed, with statutory
exception); � 25-10-39
(k) Employment examination or performance appraisal records
maintained by Bureau of Personnel (closed); � 1-27-1
(l) Grand jury proceedings (closed with statutory exceptions); �
23A-5-16
(m) Guardianships and conservatorships (closed with statutory
exceptions); � 29A-5-311
(n) Involuntary commitment for alcohol and drug abuse (petition,
application, report to circuit court and court's protective custody
order sealed; law enforcement or prosecutor may petition the court to
examine these documents for limited purpose); � 34-20A-70.2
(o) Judicial disciplinary proceedings (closed until Judicial
Qualifications Commission files its recommendation to Supreme Court,
accused judge requests matter be public, or investigation is premised
on accused judge's conviction of either a felony crime or one involving
moral turpitude); ch. 16-1A, Appx. III(1)
(p) Juvenile court records and court proceedings (closed with
statutory exception); � 26-7A-36 through -38; �� 26-7A-113 through -116
(q) Mental illness court proceedings and court records (closed); ��
27A-12-25; 27A-12-25.1 through -32
(r) Pardons (statutory exceptions, see � 24-14-11)
(s) Presentence investigation reports (closed); �� 23A-27-5
through -10; � 23A-27-47
(t) Probationer under suspended imposition of sentence (record
sealed upon successful completion of probation conditions and
discharge); �� 23A-27-13.1; 23A-27-17
(u) Records prepared or maintained by court services officer
(closed except by specific order of court); � 23A-27-47
(v) Trade secrets (closed); � 15-6-26(c)(7)
(w) Trusts (sealed upon petition with statutory exceptions); � 21-
22-28
(x) Voluntary termination of parental rights proceedings and
records (closed except by order of court); � 25-5A-20
(y) Wills (closed with statutory exceptions); � 29A-2-515
(z) Written communication between attorney and client; attorney
work product (closed unless such privilege is waived); ch. 16-18, Appx.
Rule 1.6
(aa) Information filed with the court pending in camera review
(closed)
(bb) Any other record declared to be confidential by law; � 1-27-3.
SDCL 15-15A-8. Confidential numbers and financial documents excluded
from public access.
The following information in a court record is not accessible to
the public.
(1) Social security numbers, employer or taxpayer identification
numbers, and financial account numbers of a party or party's child.
(2) Financial documents such as income tax returns, W-2's and
schedules, wage stubs, credit card statements, financial institution
statements, credit card account statements, check registers, and other
financial information.
SDCL 15-15A-9. Filing confidential numbers and financial documents in
court records.
(1) Social security numbers, employer or taxpayer identification
numbers, and financial account numbers of a party or party's child,
where required to be filed with the court shall be submitted on a
separate Confidential Information Form, appended to these rules, and
filed with the pleading or other document required to be filed. The
Confidential Information Form is not accessible to the public.
(2) Financial documents named in � 15-15A-8(2) that are required to
be filed with the court shall be submitted as a sealed document and
designated as such to the clerk upon filing. The Sealed Financial
Documents Information Form appended to these rules shall be attached to
financial documents being filed with the court. The Sealed Financial
Documents Information Form is confidential and is not accessible to the
public. The sealed financial documents will not be publicly accessible,
even if admitted as a trial or hearing exhibit, unless the court
permits access pursuant to � 15-15A-10. The court may, on its own
motion, seal financial documents that have been submitted without the
Sealed Financial Documents Information Form.
(3) Parties with cases filed prior to the effective date of this
rule, or the court on its own, may, by motion, protect the privacy of
confidential information as defined in � 15-15A-8. Parties filing this
motion will submit a completed Confidential Information Form or Sealed
Financial Documents Information Form as appropriate.
SDCL 15-15A-10. Procedure for requesting access to sealed financial
documents.
(1) Any person may file a motion, supported by affidavit showing
good cause, for access to sealed financial documents. Written notice of
the motion shall be required.
(2) If the person seeking access cannot locate a party to provide
the notice required under this rule, after making good faith reasonable
effort to provide such notice as required by applicable court rules, an
affidavit may be filed with the court setting forth the efforts to
locate the party and requesting waiver of the notice provisions of this
rule. The court may waive the notice requirement of this rule if the
court finds that further good faith efforts to locate the party are not
likely to be successful.
(3) The court shall allow access to sealed financial documents, or
relevant portions of the documents, if the court finds that the public
interest in granting access or the personal interest of the person
seeking access outweighs the privacy interests of the parties or
dependent children. In granting access the court may impose conditions
necessary to balance the interests consistent with this rule.
SDCL 15-15A-11. Requests for bulk distribution of court records.
Dissemination of bulk information for resale is prohibited pursuant
to � 1-27-1. Any other bulk dissemination is prohibited except as
authorized by the State Court Administrator or the Chief Justice of the
Supreme Court.
SDCL 15-15A-12. Access to compiled information from court records.
(1) Compiled information is defined as information that is derived
from the selection, aggregation or reformulation by the Supreme Court
of some of the information from more than one individual court record.
(2) Any member of the public may request compiled information that
consists solely of information that is publicly accessible and that is
not already available in an existing report. The Supreme Court may
compile and provide the information if it determines, in its
discretion, that providing the information meets criteria established
by the Court, that the resources are available to compile the
information and that it is an appropriate use of public resources. The
State Court Administrator's Office will make the initial determination
as to whether to provide the compiled information.
(a) Compiled information that includes information to which public
access has been restricted may be requested by any member of the public
only for scholarly, journalistic, political, governmental, research,
evaluation, or statistical purposes.
(b) The request shall a) identify what information is sought; b)
describe the purpose for requesting the information and explain how the
information will benefit the public interest or public education, and
c) explain provisions for the secure protection of any information
requested to which public access is restricted or prohibited.
(c) The Supreme Court may grant the request and compile the
information if it determines that doing so meets criteria established
by the Court, is consistent with the purposes of the access rules, that
the resources are available to compile the information, and that it is
an appropriate use of public resources.
(d) If the request is granted, the Supreme Court may require the
requestor to sign a declaration that:
(i) The data will not be sold or otherwise distributed directly or
indirectly, to third parties, except for journalistic purposes;
(ii) The information will not be used directly or indirectly to
sell a product or service to an individual or the general public,
except for journalistic purposes; and
(iii) There will be no copying or duplication of information or
data provided other than for the stated scholarly, journalistic,
political, governmental, research, evaluation, or statistical purpose.
The Supreme Court may make such additional orders as may be needed
to protect information to which access has been restricted or
prohibited.
SDCL 15-15A-13. Requests to prohibit public access to information in
court records.
A request to prohibit public access to information in a court
record may be made by any party to a case, the individual about whom
information is present in the court record, or on the court's own
motion. Notice of the request must be provided to all parties in the
case and the court may order notice be provided to others with an
interest in the matter. The court shall hear any objections from other
interested parties to the request to prohibit public access to
information in the court record. The court must decide whether there
are sufficient grounds to prohibit access according to applicable
constitutional, statutory and common law. In deciding this the court
should consider the purpose of this rule as set forth in � 15-15A-1. In
restricting access, the court will use the least restrictive means that
will achieve the purposes of this access rule and the needs of the
requestor.
SDCL 15-15A-14. When court records may be accessed.
(1) Court records will be available where available for public
access in the courthouse during hours established by the court. Court
records in electronic form to which the court allows remote access
under this rule will be available for access at least during the hours
established by the court for courthouse access, subject to unexpected
technical failures or normal system maintenance announced in advance.
(2) Upon receiving a request for access to information the court
will respond within a reasonable time regarding the availability of the
information and provide the information within a reasonable time.
SDCL 15-15A-15. Fees for accessing court records.
The Supreme Court may charge a fee for access to and copies of
court records in electronic form, for remote access or compiled
information. The fee shall be reasonable and may include costs for
labor, materials and supplies. Fees for record searches are set forth
in � 16-2-29.5. Some entities, and other entities under certain
conditions, are exempt from paying a record search fee pursuant to �
16-2-29. Copying and certification fees shall be charged as determined
by statute or Supreme Court Rule.
CONFIDENTIAL INFORMATION FORM (Required by SDCL 15-15A-9)
_________________________ Case No. ________
Plaintiff / Petitioner
_________________________
Defendant / Respondent
The information on this form is confidential and shall not be
placed in a publicly accessible portion of a court record.
NAME ____________________________________
SOCIAL SECURITY NUMBER ________________________
EMPLOYER IDENTIFICATION NUMBER ___________________
TAXPAYER IDENTIFICATION NUMBER ___________________
FINANCIAL ACCOUNT NUMBERS:
______________________
Plaintiff / Petitioner
______________________________
______________________________
1. ____________ ____________ ____________
2. ____________ ____________ ____________
3. ____________ ____________ ____________
Defendant / Respondent
___________________________
___________________________
1. ____________ ____________ ____________
2. ____________ ____________ ____________
3. ____________ ____________ ____________
Other Parties (including minor children)
___________________
___________________
1. ____________ ____________ ____________
2. ____________ ____________ ____________
3. ____________ ____________ ____________
4. ____________ ____________ ____________
Information supplied by:
___________________________
Signed:
____________________________________
Firm:
____________________________________
Address:
___________________________________
________________________________________
Date:
_____________________________________
SEALED FINANCIAL DOCUMENTS INFORMATION FORM (Required by SDCL 15-15a-9)
_________________________ Case No. ________
Plaintiff / Petitioner
_________________________
Defendant / Respondent
The information on this form is confidential and shall not be placed in
a publicly accessible portion of a court record.
__________ Income Tax Records
Period Covered:
__________ Financial Account Statements
Period Covered:
__________ Wage Stubs
Period Covered:
__________ Credit Card Account Statements
Period Covered:
__________ Other
Information supplied by:
___________________________
Signed:
____________________________________
Firm:
____________________________________
Address:
___________________________________
________________________________________
Date:
_____________________________________
Chairman MCCRERY. Thank you, Ms. McQueen. Mr. Stein?
STATEMENT OF ERIK STEIN, EXECUTIVE VICE PRESIDENT AND DIRECTOR,
FRAUD RISK MANAGEMENT, COUNTRYWIDE FINANCIAL CORPORATION, ON
BEHALF OF BITS FRAUD REDUCTION STEERING COMMITTEE
Mr. STEIN. Thank you. Good afternoon, Chairman McCrery and
Members of the Subcommittee. My name is Erik Stein. I am
Executive Vice President and Director of Fraud Risk Management
at Countrywide, America's largest residential mortgage lender
and servicer, currently responsible for preventing, detecting,
investigating, mitigating, and reporting on criminal conduct
by, through, or within Countrywide Financial Corporation and
its member family of companies.
I am pleased to appear before you today on behalf of BITS
and the Financial Services Roundtable to discuss the role of
SSNs in identity theft and SSN privacy. I have submitted a more
detailed written statement for the record, but would like to
highlight five key points in my oral statement.
First, SSNs have evolved, regardless of their original
intent, to become the de facto unique identifier that today
accompanies most consumers from cradle to grave. SSNs provide
the link to associate consumers to their financial accounts,
credit reports, public records, and a host of other critical
relationships. SSNs are essential to financial institutions to
meet various statutory obligations, such as knowing their
customers, report tax-related activity, conduct financial
crimes investigations, screen prospective employees, and more.
All of these functions help keep our customers and their
financial assets safe and ensure the security and reliability
of the economy.
Second, SSNs play a pivotal role in the accurate
determination of an individual. With millions of citizens in
America, the SSN is the single unique identifier common to them
all. However, it is important to note that the verification of
the SSN is not the same as the verification of identity.
Verification of identity is accomplished through the use of
other government-issued documentation, including drivers'
licenses and passports, which financial institutions require to
open accounts and make loans. However, financial institutions
have not been afforded the tools to ensure the validity of SSNs
and these other documents presented for identity verification
even though the institutions are required by the USA PATRIOT
Act (P.L. 107-56) to know their customers.
That brings me to my third point, which is the proposed
consent-based SSN verification, or CBSV program recently
established by the SSA, is a critical first step in
facilitating identity verification. The program allows
verification of the SSN along with the corresponding name and
date of birth provided by consumers to SSA's database. I and
other fraud reduction professionals strongly encourage the
Subcommittee to actively support the CBSV program and we urge
the SSA to remove restrictions on the daily submission volume
by participants, work to improve the proposed response times,
eliminate the requirements for a stand-alone consumer
authorization, allowing the authorization to be incorporated
into loan or account documents, and review the cost structure.
These changes would allow participants to consistently use CBSV
on every new relationship, reducing fraud, identifying errors,
and lowering costs.
Fourth, criminals know the intrinsic value of SSNs in
committing identity theft and other crimes. The sad reality is
that criminals in search of identities with which to commit
identity theft can readily obtain them through many means. For
example, all a criminal need do is steal mail in January, when
millions of 1099s and 1098s are distributed to taxpayers. These
forms are required by statute to display the SSN and for
mailing purposes must have the recipients' name and address. We
recommend that Congress review statutory obligations that
require the printing of SSNs on any documents to determine if
the risk of compromise exceeds the value derived, and if so,
enact changes to remove these obligations.
My final point is that we should be mindful of the
unintended consequences that could result from restricting the
use of SSNs among legitimate businesses. Decreasing financial
institutions' abilities to use SSNs could potentially lead to
increased fraud, increased lending costs, decreased loan
approval rates, and a myriad of other unforeseen results. It is
important for Congress, the SSA, and other agencies to
thoroughly consider the potential consequences and adverse
impact such restrictions could have on commerce.
In closing, it is important to note that through BITS, the
financial services industry has been aggressive in efforts to
mitigate identity theft, reduce fraud, and strengthen cyber
security by working together to share information, analyze
threats, and implement best practices. We need essential tools
such as the CBSV program to continue these efforts.
Thank you for the opportunity to testify before you today.
I would be happy to answer any questions.
[The prepared statement of Mr. Stein follows:]
Statement of Erik Stein, Member, BITS Fraud Reduction Steering
Committee
Introduction
Good afternoon Chairman McCrery and members of the Subcommittee. My
name is Erik Stein. I am Executive Vice President and Director of Fraud
Risk Management at Countrywide Financial Corporation, America's largest
residential mortgage lender and servicer. I have over 25 years of
banking, credit card, mortgage lending and dot com experience and am
currently responsible for preventing, detecting, investigating,
mitigating and reporting on criminal conduct by, through or within
Countrywide and its family of companies.
I am pleased to appear before you today on behalf of BITS and its
Fraud Reduction Steering Committee (FRSC) to discuss the role of Social
Security Numbers (SSNs) in identity theft and enhancing SSN privacy.
BITS is a nonprofit industry consortium of 100 of the largest
financial institutions in the U.S. BITS is the non-lobbying division of
The Financial Services Roundtable. BITS' mission is to serve the
financial services industry's needs at the interface between commerce,
technology and financial services. BITS' member companies provide fuel
for America's economic engine, accounting directly for $40.7 trillion
in managed assets, $960 billion in revenue, and 2.3 million jobs. BITS
works as a strategic brain trust to provide intellectual capital and
address emerging issues where financial services, technology and
commerce intersect. BITS focuses onkey issues where industry
cooperation serves the public good, such as critical infrastructure
protection, fraud prevention, and the safety of financial services.
BITS' activities are driven by the CEOs and their direct reports--CIOs,
CTOs, Vice Chairmen and Executive Vice President-level executives of
the businesses.
Especially relevant to today's testimony, the mission of the BITS
Fraud Reduction Steering Committee (FRSC) is to identify fraudulent
trend activity, reduce fraud losses, and foster new opportunities to
reduce the impact of fraud on the financial services industry and our
customers. Participants in the BITS Fraud Reduction Steering Committee
include representatives from financial institutions, industry
associations and the Federal Reserve.
BITS works with government organizations including the U.S.
Department of Homeland Security, U.S. Department of the Treasury,
federal financial regulators, Federal Reserve, technology associations,
and major third-party service providers to achieve its mission.
BITS is also a founding and active member of the Financial Services
Sector Coordinating Council for Critical Infrastructure Protection and
Homeland Security (FSSCC). The mission of the FSSCC is to:
Foster and facilitate the coordination of financial
services sector-wide voluntary activities and initiatives designed to
improve Critical Infrastructure Protection and Homeland Security
Identify voluntary efforts where improvements in
coordination can foster sector preparedness
Identify barriers and recommend initiatives to improve
sector-wide knowledge sharing and timely dissemination of critical
information among all sector constituents
Promote public trust and confidence in the financial
services sector's ability to withstand and recover from terrorist
attacks, cybercrime, and natural disasters.
The financial services industry has been aggressive in its efforts
to strengthen cyber security, reduce fraud, and mitigate identity
theft. Members of BITS are sharing information, analyzing threats,
creating best practices, urging the software and technology industries
to do more to provide more secure products and services, and combating
fraud and ID theft. As just one example of these efforts, the Identity
Theft Assistance Center (ITAC), which BITS and the Financial Services
Roundtable established in 2004, recently announced that it had helped
over 5,000 individuals in restoring their financial identity.
SSNs: A Unique Identifier
SSNs have evolved, regardless of original intent, to become the de
facto unique identifier for consumers. This number is the only unique
identifier that today accompanies most consumers from cradle to grave.
SSNs remain a constant in an ever-changing world of name change from
marriage and divorce, shifting addresses, and driver's license re-
issuance as consumers move from one state to another. SSNs are used in
efforts to ensure the accurate association of financial accounts,
credit reports, public records, medical records and a host of other
critical relationships and services to a consumer.
Critical Role of SSNs for Financial Institutions
The use of SSNs by financial institutions is essential to satisfy a
variety of statutory obligations such as to report earned interest
income and deductible interest payments on mortgages for millions of
American consumers. In addition, SSNs facilitate practical realities
such as accessing credit reports to determine creditworthiness,
performing due diligence on business partners and correspondent banks
and, as required by the USA Patriot Act, performing enhanced due
diligence on politically-exposed persons (PEP).\1\
---------------------------------------------------------------------------
\1\ The Federal Financial Institutions Examination Council's
(FFIEC) Bank Secrecy Act Anti-Money Laundering Examination Manual
defines a PEP as ``a person identified in the course of normal account
opening, maintenance or compliance procedures to be a `senior foreign
political figure,' any member of a senior foreign political figure's
`immediate family,' and any `close associate' of a senior foreign
political figure.''
---------------------------------------------------------------------------
Under the USA Patriot Act, financial institutions are obligated to
``know their customer,'' and to take steps to verify the identity of
account holders. In addition, financial institutions perform due
diligence on business partners and vendors. One of the integral parts
of compliance with these obligations often involves the use of public
records which are searched by use of the SSN, or, in the case of
business, EIN, to ensure that the results returned are unique to the
subject of the due diligence.
After the customer's identity has been verified and the
relationship has been established, many financial institutions utilize
the SSN internally to track the customer's relationship with the
financial institution across multiple accounts and for a variety of
legitimate internal business reasons. This legitimate, internal
business use should remain exempt from additional limitations.
Criminal investigations initiated by financial institutions are
facilitated by the availability of SSNs both in the financial
institution's database and in public records. Public records are
frequently used by financial institutions' staff during the
investigation of potential criminal conduct. During the investigation,
the SSN is the single most reliable method of identification,
correlation and association of the perpetrators to their public
records, which often provide critical details imperative to solving the
crime and locating the suspect(s). The loss of this valuable tool would
jeopardize the effective investigation of financial crimes.
Financial institutions and other businesses routinely screen
prospective employees to verify identity, validate applicant employment
and education history, and check for criminal conduct prior to
extending job offers. These background checks, particularly in high-
risk occupations or vulnerable industries, can reduce the incidence of
criminal infiltration, potential workplace violence and security risks,
including customer data security and privacy risks. The SSN is critical
in verifying a potential employee's background and allows for the
ongoing monitoring of employees in high-risk positions. Without the use
of a SSN, financial institutions would find it very difficult to adhere
to a ``know your employee'' standard.
SSN Verification: A Key Tool for Successful Identity Determination of
Customers
SSNs play a pivotal role in identity determination: the
establishment and verification of the identity of unique persons with
whom financial institutions, and others, conduct business. With
millions of John Smiths in America, the identity determinate of which
John Smith with whom a financial institution is dealing is made by the
single unique identifier common to all Americans, his SSN.
Importantly, financial institutions realize that the ability to
successfully verify John's SSN is not the same as successfully
determining his identity. A financial institution must do this through
the use of identification documents such as driver's license, passport
and other, typically government-issued, identity documents containing a
picture, signature, expiration date, security features, a physical
description, etc. It should be noted that SSNs have not been used for
identity verification due to the lack of a highly secure SSN card,
tamper-proof signature, picture and expiration. The SSN card contains
few security features making it easy to counterfeit and reducing or
eliminating any value in its use for identity verification. The SSN is
thus only a tool, albeit an invaluable one, in the process of
determining the identity of an individual. It is clear, however, that
verification is a key tool for achieving positive identity
determination.
Value of the SSN to Criminals
The critical role of SSNs is the fundamental reason for their
intrinsic value to criminals' intent on committing crimes. Criminals
utilize SSNs in the commission of identity theft. Identity Theft may be
divided into ``true name'' fraud where the perpetrator uses the
``true'' identity of a consumer, or identity fraud where combinations
of consumer's identities are pieced together or even fabricated to
create a synthetic identity, a new person.
It is important to recognize that criminals committing identity
fraud don't need to steal or purchase SSNs to commit their crime. The
structure of the SSN is common knowledge to anyone who has ever had, or
seen, one or checked the Social Security Administration's (SSA) website
(i.e. http://policy.ssa.gov/poms.nsf/lnx/0100201030?opendocument.)
Valid SSNs can be determined by checking the SSA's website for the
highest group issuance http://www.socialsecurity.gov/employer/
highgroup.txt. By selecting a recently issued SSN, and applying for
credit, a criminal creates an identity with the Credit Reporting
Bureaus (for which there will be no conflicting SSN information since
the valid SSN holder is an infant).
Since financial institutions and lenders don't have the ability to
verify the SSN, name and date of birth combinations (other than the
current Enumeration Verification System pilot in the mortgage industry
which is not a robust, enterprise-strength, low cost, timely
verification process and therefore narrowly used), the identity thief
is unlikely to be caught. Restrictions on the sale and purchase of SSNs
would do little to prevent this type of fraud. The fraud also doesn't
rely on the theft of SSNs from their legitimate owner.
BITS members would encourage the Subcommittee to remove the highest
group issuance list from the public domain and make it available to
financial institutions and others with a legitimate business need on a
subscription basis as is currently done with SSA's Death Master File.
While this list is an essential tool today to validate SSNs provided to
financial institutions, its potential use by criminals is inconsistent
with its availability to the general public.
Another area of risk is that criminals in search of identities for
committing true name fraud can readily obtain name, address, SSN and
account number combinations by mail theft during January each year when
millions of account holders and borrowers receive their 1099's or 1098.
By statute, these tax forms are required to display the account
holder's SSN, and, for mailing purposes, must have the recipient's name
and address along with the account number to identify the account for
which the form has been filed. These forms are mailed en masse by
financial institutions at the beginning of the year for use in
requisite income tax filing by the consumer thereby making for a
target-rich environment for obtaining identities through mail theft.
Combating Identity Theft through SSN Verification
For decades, financial institutions have required SSNs and identity
documents to open accounts, make loans and accept transactions by their
customers. However, the industry has been relegated to validation
methods that do not, and cannot, validate the existence of, and their
association with, a consumer's personal identifiers (such as name, date
of birth and gender). For SSNs, financial institutions have relied on
rules that determine if the SSN had been issued (the highest group
issuance list referenced above available from SSA), that the SSN holder
had not been reported deceased (SSA's Death Master File), and that the
holder was not born after the issuance of the SSN by SSA (from
historical highest group issuance lists). The single most important
validation has been unavailable, that the consumer presenting the
number is the holder of record in SSA's database.
The proposed Consent-Based SSN Verification (CBSV) program recently
published for public comment by the SSA is an extension of the
Enumeration Verification System pilot and is a critical effort to allow
financial institutions to verify SSNs. It will allow financial
institutions to verify the SSN holder's name and date of birth against
SSA's database. Establishing a system capable of high volume, low cost,
real time verification direct to financial institutions and lenders
would significantly reduce the incidence of synthetic identities.
``True name'' identity theft would become more difficult with the
validation of date of birth and the optional gender code by financial
institutions utilizing a CBSV program.
BITS' members strongly encourage the Subcommittee to support the
CBSV program.\2\ We also request that the SSA evaluate the removal of
restrictions on the daily volume of submissions by participants, work
towards improving the proposed response times, eliminate requirements
for a standalone consumer authorization allowing incorporation of the
authorization into loan or account documents, and review the cost
structure.
---------------------------------------------------------------------------
\2\ Attached is the BITS/Financial Services Roundtable Comment
Letter on the Social Security Administration's Consent-Based Social
Security Verification Process (February 2006)
---------------------------------------------------------------------------
Consumers would benefit from industry's ability to verify SSN
information by reducing the incidence of fraud and errors. Erroneous
data entry of consumer's SSNs would also be easily determined, reducing
the incidence of erroneous tax reporting on interest earned and
deductible interest expense and reducing the quantity of consumers
required to be subjected to annual solicitation for a corrected SSN due
to mismatches submitted to the IRS and misrepresentation.
Further, the BITS members, due to the high perceived value of CBSV,
would also encourage the consideration of federal legislation to
mandate similar programs related to other governmental identity
documents used in the financial industry to verify consumers including
U.S. passports, alien registration documents (e.g. Non-Resident Alien
card) and state driver's licenses. Financial institutions, while under
obligations to know their customer under the USA Patriot Act, have not
been afforded the tools to ensure the validity of the documents
presented for identity verification. We have had to rely exclusively on
the appearance of legitimacy (e.g. verification of security features,
visual inspections or tests that validate the structure of a driver's
license number but, again, not the name of the true license holder).
Unintended Consequences for Limiting Use of SSNs
The critical roles of SSNs for use in financial institutions,
investigations, public records, lending, account servicing, tax
reporting and much more makes the availability and use of the SSN for
legitimate business uses an imperative. It is important that additional
proposed restrictions on the use, sale and purchase of SSNs be
thoroughly evaluated to ensure that unintended consequences do not
occur. This could include potential increases in fraud; economic
impacts from increased lending costs; and decreased loan approval rates
and other adverse implications to commerce.
Conclusion and Recommendations
In summary, the use of SSNs is critically important to the
financial services industry. They allow financial institutions to meet
various statutory obligations such as knowing who their customers,
employees, and business associates are; reporting earned interest
income and deductible interest payments on mortgages; and satisfying
due diligence expectations as set forth by statutory obligations. All
of these functions are performed to keep our customers and their
financial assets safe, and to ensure the security and reliability of
the economy.
On behalf of BITS and our member financial institutions, we
encourage Congress to:
Continue to allow financial institutions to use SSNs
without additional restrictions and limitations;
Exercise caution if changes are considered, to be
especially alert to unintended consequences such as increased fraud;
Support a verification program capable of high volume,
low cost, real time verification in a manner consistent with customers'
demands; and
Review statutory obligations that require the printing of
SSN's (e.g. 1098, 1099) to determine if the risk of compromise exceeds
the value derived and, if so, enact changes to remove these
obligations.
Thank you for the opportunity to testify before you today. I would
be happy to answer any questions.
______
February 26, 2006
Office of Management and Budget (OMB)
Attn: Desk Officer for SSA
Fax: 202-395-6974
Social Security Administration, DCFAM,
Attn: Reports Clearance Officer
Fax: 410-965-6400
E-mail: [email protected]
Re: Comment to Consent Based Social Security Number Verification (CBSV)
Process
Dear Sirs and Madams:
BITS and The Financial Services Roundtable appreciate the
opportunity to participate in the Social Security Administration's
(SSA) request for comment regarding the Consent Based Social Security
Number Verification (CBSV) Process.
BITS and The Financial Services Roundtable share membership and
represent 100 of the largest integrated financial services companies
providing banking, insurance, and investment products and services to
the American consumer. Member companies participate through the Chief
Executive Officer and other senior executives nominated by the CEO.
BITS works to leverage the intellectual capital of its members,
fostering collaboration to address emerging issues where financial
services, technology, and commerce intersect. The Roundtable promotes
the interests of member companies in legislative, regulatory and
judicial forums. Roundtable member companies provide fuel for America's
economic engine, accounting directly for $40.7 trillion in managed
assets, $960 billion in revenue, and 2.3 million jobs.
Our members have always been a favorite target for perpetrators of
fraud. Institutions have long answered this challenge with reliable
business controls, advanced technology, information sharing, and
cooperative efforts with government and law enforcement agencies. While
our members' foremost concern is to protect their customers and
maintain their trust, they are also mindful of the need to comply with
the regulations set forth by Section 326 of the Patriot Act. This
section requires institutions to verify not only the identity of a
customer, but also the accuracy of the information provided.
In the interest of reducing fraud and complying with Section 326 of
the Patriot Act, BITS members supported the initial pilot, the
Enumeration Verification System (EVS), to allow institutions to
affirmatively verify consumer's name, social security number and date
of birth (DOB). This pilot provided a means to ensure accounts were
opened for the legitimate consumer and not a ``fraudster'' and we
applaud the SSA's efforts to provide enhancements in the form of the
CBSV that would benefit our customers and our industry.
After careful review of the information collection process outlined
in the December 30, 2005 Federal Register, we respectfully offer the
following comments:
``Valid Consent from Number Holders''
There is concern that, since the CBSV is designed to verify a
person's Social Security Number (SSN) to their name (and potentially
DOB), there may be instances where financial institutions are misled
and the consent is not from the true applicant as may be the case in
identity theft or identity manipulation. There should be
acknowledgement that while financial institutions have established a
process for verification, there is still an opportunity for applicants
to provide false information. This verification process is fundamental
to ensuring the name, SSN, and DOB (optionally) match the authorizing
consumer. While we understand the use of ``valid consent from number
holders,'' we want to ensure that there are no consequential impacts to
financial institutions from the fraudulent completion of consent
authorizations.
Inclusion of Gender Code
The public comment details the submission as consisting of a name,
SSN and DOB (if available) and the results provide a match to name,
SSN, date of birth and gender code (which is not part of the
submission). Clarity needs to be provided on whether gender code is
intended to be a submitted/verified field.
Full Name Matching
While SSN, DOB (and possibly gender assuming it is used) are unique
variables, one's name is subject to wide variation. It is suggested
that the full first and full last be used for matching and that a
secondary field be available for each that could include a nickname,
shortened name (Jim vs. James) and last name. The use of a secondary
field for name matching would reduce the incidence of re-running
queries; improve match rates including where Soundex matching is
utilized and the name variation is not conducive to such matching
logic; and would accommodate name changes due to marriage, divorce,
etc. which may not yet have been reported to SSA.
Real-time vs. Batch Submissions
SSA had indicated its intention to continue the practice of EVS in
providing the results of inquiries by Requesting Parties within 48
hours while not guaranteeing such response time. Institutions believe
there is strong value in having real-time capabilities and encourage
the SSA to evaluate methods to provide this verification service in
real-time as soon as feasible. If batch submissions remain exclusively
available, members strongly encourage SSA to provide a response, to
inquiries submitted before midnight, by no later than 5am the following
business morning consistent with other batch jobs run by financial
institutions for fraud detection, verification and posting.
Daily Limitation of Records and Expectation of Volume
While strongly supportive of CBSV, we urge the SSA to reconsider
the daily limitation of 5,000 records. One of the inherent values of an
automated system of SSN verification is its scalability. With
scalability in mind, we recommend the SSA remove the daily limitation.
Should hardware limitations be reached by the overwhelming success
and adoption of CBSV, the SSA should charge registered user businesses
sufficient additional fees to allow the SSA to meet this demand. This
linear scalability should also keep the cost per inquiry low. We
believe that SSA's expectations of demand for CBSV are substantially
below the industry's need for this verification solution. We encourage
the SSA to revise its expectations and lower the cost of entry for
business by reducing the initial fee of $40,288.10. While the basis for
SSA's expectation of only 150 business users for CBSV is not explained
in the publicly available documents, we believe that, with nearly 9,000
FDIC-insured financial institutions alone in the U.S., 5,000 business
users is both reasonable and sustainable. This would lower the initial
cost of entry to $1,208.64. However, to both encourage maximum
participation and guarantee SSA's financial support of the program, we
recommend the initial fee be set at $10,000.
Document Requirements
SSA-89--Authorization for the Social Security Administration (SSA) To
Release Social Security Number (SSN) Verification
Evidence of consumer authorization to verify their SSN is clearly
both an obligation of the Requesting Party and a necessary privacy
safeguard. However, the requirement for a standalone SSA-89 evidencing
said authorization provides no additional safeguard over an obligation
for equivalent language, approved by the SSA prior to usage,
incorporated into account or loan documents. In addition, this document
(SSA-89) cannot be incorporated into loan documents, account signature
cards or any other documents. For efficiency and enhancement purposes,
institutions must be able to incorporate the authorization language
into existing documents that allows them to run the SSN which can then
be retained for six years from the authorization date.
The existing retention of these underlying documents already, in
most cases, meets or exceeds the SSA minimum retention requirement.
Where the existing document retention is shorter than SSA-89's
retention requirement, Requesting Parties will voluntarily comply with
modification of their retention schedules to achieve the efficiencies
afforded by merging these documents with the CBSV authorization. The
SSA should consider inclusion of specific authorization of the SSN
owner for electronic signature in accordance with the Electronic
Signatures in Global and National Commerce Act (ESIGN). SSA's existing
allowance of storage of the SSA-89 electronically would be consistent
with the use of ESIGN for electronification of the authorization
process with inherent increased efficiency.
SSA-89 cannot be modified by the Requesting Party. The defined term
can be modified by agreement as specified in the User Agreement, by
agreement of the parties executing the Authorization and documented
therein. These two statements are mutually exclusive. We recommend SSA
clearly delineate the method by which Authorization term extension is
to be documented so the Requesting Party can ensure compliance with
SSA's requirements.
SSA-88--Pre-Approval Form for CBSV
The Requesting Party has a contractual obligation to protect the
integrity of SSA's systems, utilize information requested only for
authorized purposes, and to be authorized by the Requesting Party in
accordance with their internal approval policies. The need for
completion of form SSA-88 for each employee in a large company that has
access to the results of the inquiry is overly burdensome and
inefficient. We strongly encourage the SSA to make user administration
for Requesting Parties an obligation of authorized employees of the
Requesting Party and managed through a user interface in Business
Services Online (BSO). All service providers to the financial services
industry allow the participant to manage their employees' access. The
BSO administrative user interface can be designed so as to require the
data elements mandated by SSA (e.g. name, SSN, phone number, and email
address of each employee) with appropriate electronic attestation by
the authorized admin user during new user setup. Maintenance (e.g.
changes to the existing information as a result of job status changes,
phone or email changes) and deletion (e.g. termination of the employee
or job status changes no longer requiring access) can likewise be
accomplished through the BSO administrative user interface by the
authorized employee of the Requesting Party. This process is much more
conducive to large scale employers who may have thousands of employees
authorized to access the information from SSA during the processing of
accounts or loans.
SSA-1235--Agreement Covering Reimbursable Services
SSA-1235 is ``effective upon signature of both parties and shall
remain in effect until one or more of the following events occur. . .
.'' While the Agreement is continuously in effect (barring one of the
events listed), SSA requires an annual resubmission of the Agreement.
The resubmission appears inconsistent with an Agreement with no defined
term. We recommend the SSA eliminate the annual submission requirement
for form SSA-1235. The provision of the annual fee as defined by SSA
each year should be sufficient evidence of the Requesting Party's
intent to continue the Agreement. The Conditions of Agreement,
paragraph 6, stipulates that the Authorization ``must be presented
within 60 days after its execution,'' however the Authorization itself
indicates it ``is valid only for 90 days from the date signed. . . .''
These statements are incongruous and we recommend the SSA reconcile
these documents to a consistent period of 90 days. The Conditions of
Agreement, paragraph 8, stipulates the Agreement may be terminated ``by
giving a 60 day advance written notice.'' However, Section XI. Duration
of Agreement, Suspension of Services, Annual SSA-1235 of the User
Agreement specifies ``the Agreement shall terminate 30 days after the
date of the notice or at a later date specified in the notice.'' We
recommend the SSA reconcile this discrepancy by establishing a
consistent 30 day written notice requirement for termination.
Submission of Requests
The CBSV User Guide establishes the file format for submission of
requests by the Requesting Party to SSA. The file format contains a
field for a ``Multiple Request Sequence Number''; however, the SSA
limits the number of file submissions by a Requesting Party to one.
Since only one file can be submitted daily, there would never be a need
for this field. If the field is anticipated for future use when
Requesting Parties may be allowed multiple daily file submissions, we
suggest ``Future Use'' indicated in the description for this field to
remove ambiguity.
If you have any further questions or comments on this matter,
please do not hesitate to contact us or Heather Wyson at (202) 289-
4322.
Sincerely,
Catherine A. Allen
CEO, BITS
Richard M. Whiting
Executive Director and General Counsel
Chairman MCCRERY. Thank you, Mr. Stein. Mr. Pratt?
STATEMENT OF STUART K. PRATT, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION
Mr. PRATT. Mr. Chairman and Members of the Committee, thank
you for this opportunity to appear before you today to discuss
the importance of SSNs. For the record, my name is Stuart Pratt
and I am President and CEO of the Consumer Data Industry
Association.
We applaud this Committee for the thoughtful and open
dialog regarding how SSNs are used and to identify risks
associated with such use. Before I discuss how our members'
systems make use of the SSN, let us just consider how
demographics in our society really explain why the SSN is so
important.
First, identifiers in everyday life do change and do so
more often than we might think. Over 40 million addresses
change every year in this country. More than three million last
names change due to marriage and divorce. We use our
identifiers inconsistently. We don't do so purposefully, but a
simple example is our choice to use a nickname in some
transactions but to use our full name in others. Our name is
not as unique as we might think. There are millions and
millions of Smiths and Joneses in this country, and, in fact,
more than 13 million consumers have only one of ten very common
last names. Another 57 million males have only one of ten
common first names.
We provide other examples of how personal information
changes in our written testimony, and by taking into account
all of these facts, it really does become very apparent why the
SSN is the key to stabilizing consumers' identifying
information in the context of databases. The SSN is truly a
unique identifier.
Let us discuss how the use of the SSN works within our
members' systems. Our members design products for
determinations of a consumer's eligibility for a product or
service, to prevent fraud, and to aid in the location of
consumers for a variety of reasons. These products bring great
value to us as consumers every day. Eligibility products, such
as a credit or employment report, for example, lead to
definitive decisions.
These reports are regulated under the Fair Credit Reporting
Act (P.L. 91-508). The FCRA imposes a duty that consumer
reporting agencies employ reasonable procedures to ensure the
maximum possible accuracy of the information in the report, and
the SSN plays a vital role in helping our members to achieve
this maximum possible accuracy standard. Absent the use of the
SSN as a key identifier, consumers would be harmed in many ways
through the exclusion or inclusion of information.
Our members also produce products regulated under other
laws, such as the Gramm-Leach-Bliley Act. Fraud prevention
systems, for example, employ a diversity of strategies. The SSN
plays an important role. In 2004 alone, businesses conducted
more than 2.6 billion searches to check for fraud. The largest
users of fraud detection systems are, in fact, financial
services companies, accounting for about 78 percent of the
transactions, but there were others users. 5.5 million location
searches were conducted by child support enforcement agencies,
378 million searches to enforce contracts to pay, tens of
millions of searches were used by pension funds, blood donor
organizations, and by organizations focused on missing and
exploited children. The availability and permitted use of the
SSN remains vital across this entire spectrum of consumer data
products.
Consumers and media often assume that the SSN is fully
unregulated and, of course, this is not the case. As we have
discussed, laws such as the FCRA and the Gramm-Leach-Bliley Act
do regulate our members' products. However, we recognize that
similar protections don't exist for all, and the SSN is
sensitive personal information that must be protected. We
believe that a national uniform system to establish information
safeguards should be enacted so that anyone possessing
sensitive personal information, such as an SSN in combination
with my name and address, that they would be obligated to
protect that information. There are a number of House and
Senate committees that are looking at proposals.
I think standards like this would cause more American
businesses to move to encrypt such information, which we think
is the right direction. I think other businesses would decide
whether or not they really should be gathering it in the first
place. We think that is another good result, as well. Our
members want to protect that information. We think every
company and every business in this country that is going to
gather that information should do the same.
Public records also contain SSNs, and it is encouraging to
hear the State court organizations discussing strategies to
protect them. We support this effort unequivocally. However,
CDIA does believe that the disclosure of the SSN to the general
public, while it must be addressed, we also believe that public
records must be made available, including SSNs, to those with
appropriate needs. Public records play a vital role in our
society and they bring value to consumer data industry products
and services. Bankruptcy records, for example, and tax liens as
well as judgments are used by lenders. Records of eviction are
critical to a landlord, and these are just a few examples.
The public sector agencies are taking actions and we are
encouraged by SSA's efforts to explore the viability of a
system by which a party may verify a particular SSN is
associated with another. However, the system is cumbersome. It
does not allow for real-time automated processing of SSN
verification and it will render it very ineffective, in fact,
in assisting victims of identity theft. We hope the SSA will
move toward a more effective system in the future.
In conclusion, we believe that enacting law that imposes
national uniform information security regulations on all who
possess the SSN is the right step to take and this is the right
year in which to do it. In contrast, laws that overreach and
attempt to limit the SSN's use are likely to merely take fraud
prevention tools off the table and out of the hands of
legitimate businesses and expose--and ultimately at the expense
of consumers. We believe consumers expect us to protect the
SSN. We also know consumers expect us to maintain accurate
databases. Thank you, Mr. Chairman.
[The prepared statement of Mr. Pratt follows:]
Statement of Stuart K. Pratt, President and Chief Executive Officer,
Consumer Data Industry Association
Chairmen McCrery, Ranking Member Levin and members of the
committee, thank you for this opportunity to appear before you today to
discuss the importance of Social Security Numbers to our members'
consumer data systems. For the record, my name is Stuart Pratt and I am
president and CEO of the Consumer Data Industry Association.\1\ Our
members applaud this committee for the thoughtful and open dialogue it
has sought regarding how Social Security Numbers are used and to
identify risks associated with such use.
---------------------------------------------------------------------------
\1\ CDIA, as we are commonly known, is the international trade
association representing over 300 consumer data companies that provide
fraud prevention and risk management products, credit and mortgage
reports, tenant and employment screening services, check fraud and
verification services, systems for insurance underwriting and also
collection services. As we will discuss below, the secure and protected
use of the social security number (SSN) is an important key to the
effectiveness of these systems and services.
---------------------------------------------------------------------------
OVERVIEW
Before I discuss how our members' systems make use of the social
security number, it is important to take into account key demographics
about our society that help explain why the SSN so important.
Personal identifiers change:
While it probably doesn't occur to most of us, the identifiers we
use in everyday life do change and more often than most might think.
For example, data from the U.S. Postal Service and the U.S. Census
confirm that over 40 million addresses change every year. More than
three million last names change due to marriage and divorce. While
trends in naming conventions are changing, this fact is still far more
often true for women than men.
We use our identifiers inconsistently:
It is a fact that we use our identifiers inconsistently for a wide
variety of reasons. First, many citizens choose to use nicknames rather
than a given name However, there are times where, in some official
transactions, a full name is required, Some consumers, when hurried,
use an initial coupled with a last name, rather than their full name or
nickname. Consumers are also inconsistent in the use of generational
designations (e.g., III, or Sr.). Finally, there are times where
consumers themselves do make mistakes when completing applications.
Thus, a consumer's identifiers may be presented in different ways in
different databases and, in some cases, the data may be partially
incorrect.
Personal identifiers are not always unique:
We think of our names as a very personal part of who we are.
However, our names are less common and unique than we might think. For
example, families carry forward family naming conventions leading to
some consumers sharing entirely the same name. Further, U.S. Census
data shows that both first and last names are, in some cases amazingly
common. Fully 2.5 million consumers share the last name Smith. Another
3 million share the name Jones and more than thirteen million consumers
have one of ten common last names. First names are also used very
commonly leading to common naming combinations. Eight million males
have either the name James or John and a total of 57 million males have
one of ten common first names. An additional 26 million females have
one of ten common first names. Common naming conventions make it more
difficult and in some cases impossible to depend on name alone to
properly match consumer data.
Identifiers are shared:
Our birthday is a unique day in our lives, but it is, nonetheless,
a date shared with hundreds of thousands of others. Date of birth alone
is not an effective identifier. Family members who live together end up
sharing addresses and per our discussion above, where consumers share
the same name due to family traditions and the address at which they
live, distinguishing one consumer from another is complex.
Data entry errors do happen:
Hundreds of millions of applications for credit, insurance,
cellular phone services, and more are processed every year. There is no
doubt that in the process of entering a consumer's identifying
information errors can be made which carry forward into databases and
into the reporting of data to consumer reporting agencies.
By taking into account all of these facts about our identifying
information, it becomes far more apparent why the SSN is key in
stabilizing a consumer's identifying information in the context of
databases. The SSN is a truly unique identifier.
USE OF THE SSN BY CDIA MEMBERS
CDIA's members produce a range of critical consumer data products
which bring great value to individual consumers, to society and the
nation's economy. Our members design products used for determinations
of a consumer's eligibility for a product or service, to prevent fraud
and to aid in the location of consumers for a variety of reasons.
Consumer Data Products Used for Eligibility Decisions
Many CDIA-member products are focused on helping consumers to gain
access to the goods and services for which they apply. These
transactions focus on a consumer's eligibility and, as such, the
consumer data products used are regulated under the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.) as ``consumer reports.''
Eligibility determinations include applications for any type of credit
including unsecured credit, home purchases, auto financing, home equity
loans, as well as for insurance of all types, employment, government
benefits, apartment rentals, and for other business transactions
initiated by the consumer.
The FCRA, enacted in 1970, has been the focus of careful oversight
by the Congress resulting in significant changes in both 1996 and again
in 2003. There is no other law that is so current in ensuring consumer
rights and protections are adequate.
Of particular importance to our discussion here today, is the FCRA-
imposed duty on consumer reporting agencies by the FCRA (and similar
state laws) that reasonable procedures be used to ensure the maximum
possible accuracy of the information contained in all types of consumer
reports. This duty is established for the protection of consumers. The
SSN plays a vital role in helping our members to achieve the ``maximum
possible accuracy'' standard.
Absent use of the SSN as a key identifier, consumers would be
harmed in many ways. Consider the following illustrative examples:
Incomplete data harms consumers: There would be a likely
increase in the inability of consumer reporting agencies to properly
match incoming information to the correct consumer about whom the
information relates. Think about the consequence to consumers of having
a consumer ``credit'' report that does not contain all of the accounts
that they pay on time and which makes them eligible for the lowest cost
loans.
Incomplete data harms our banking system: The absence of
the SSN would also put at risk the safety and soundness of lending
decisions due to less information being included in consumer ``credit''
reports due to data matching problems.
Incomplete data prevents consumer access to goods and
services: Think about the consequence for consumers when a consumer
reporting agency cannot locate the proper file on a consumer and thus a
lender, insurer or other service provider wanting to do business with
the consumer has to deny the application.
There is no doubt that consumer reporting agencies of all types
provide tremendous benefits to consumers directly and to the nation's
economy and the use of the SSN in the context of our members' systems
helps bring forward these benefits. Consider the following:
Access to home ownership: Every homeowner benefits from a
credit reporting system that reduces the costs of all mortgage loans by
a full two percentage points, thus putting literally thousands of
dollars in disposable income into their pockets.\2\ Homeownership is no
longer a luxury of the well-to-do, but is a truly democratized American
dream enjoyed by nearly seventy percent of the population.\3\
---------------------------------------------------------------------------
\2\ Kitchenman, Walter., U.S. Credit Reporting: Perceived Benefits
Outweigh Privacy Concerns., Pp. 5 (1998).
\3\ Turner, Michael., The Fair Credit Reporting Act: Access,
Efficiency & Opportunity. Pp. 8 (2003).
---------------------------------------------------------------------------
Check fraud prevention: Check fraud is reduced thanks to
CDIA members' systems. It is estimated that more than 1.2 million
worthless checks enter the payment system every day in the United
States. This number speaks to the risks, but also the success of our
members' systems which service as many as 40 billion check transactions
a year.
Tenant screening services: Tenant screening services help
all landlords to make informed decisions, as well. Consider the
circumstances of a retiree who owns a rental property on which he or
she depends for income. A tenant screening service mitigates risks for
literally millions of such individuals in a country where the majority
of units for lease are owned by individuals and not by corporations.
Employment/security screening: SSNs serve as vital links
among disparate records that help businesses verify prospective
employees' identities and conduct thorough, accurate background checks
to ensure workplace safety and business security. Our members' systems
and services help to ensure that hardened criminals and sex offenders
do not end up working at daycare centers, schools, nuclear power
plants, or secure-ID areas of airports.
Small business B-to-B transactions: An SSN is the key
business entity identifier to virtually all sole proprietorships or
partnerships. As a result, SSNs are required to facilitate business-to-
business transactions between small businesses.
Securitized credit markets: Confidence in the U.S.
securities market is made possible by accurate financial histories
compiled using the SSN as a key identifier. Restricting use of the SSN
could undermine confidence in these securities, resulting in
substantially higher consumer costs for credit, including mortgages and
auto loans.
Investigative services and insurance fraud: SSN access is
an important tool for investigative services and insurance fraud
investigation. Insurance fraud losses are estimated to exceed $79
billion a year--$900 per family--in the U.S. Prohibiting use of SSNs
for investigative purposes could drive those costs even higher.
Consumer data products used for fraud prevention and location
Not all CDIA member products are used for an eligibility
determination, but products regulated under other laws such as the
Gramm-Leach-Bliley Act (Pub. L. 106-102, title V) are used in critical
ways for the benefit of all consumers. CDIA's members represent the
leading companies in the field of consumer identity verification, fraud
prevention and location services.
Fraud prevention systems:
Fraud prevention systems deploy a diversity of strategies, but
clearly the SSN plays an important role. In fact, in 2004 alone,
businesses conducted more than 2.6 billion searches to check for
fraudulent transactions. As the fraud problem has grown, industry has
been forced to increase the complexity and sophistication of the fraud
detection tools they use. As the importance of fraud detection tools
increases, the potentially negative consequences of allowing ``access
and correction'' to these databases must be considered in order to
protect the accuracy of the included data, and thus the overall
integrity of these tools.
How do Fraud Detection Tools Work?
Fraud detection tools are also known as Reference, Verification and
Information services or RVI services. RVI services are used not only to
identify fraud, but also to locate and verify information for public
and private sector uses. While fraud detection tools may differ, there
are four key models used.
Fraud databases--check for possible suspicious elements
of customer information. These databases include past identities and
records that have been used in known frauds or are on terrorist watch
lists, suspect phone numbers or addresses, and records of inconsistent
issue dates of SSNs and the given birth years.
Identity verification products--crosscheck for
consistency in identifying information supplied by the consumer by
utilizing other sources of known data about the consumer. Identity
thieves must change pieces of information in their victim's files to
avoid alerting others of their presence. Inconsistencies in name,
address, or SSN associated with a name raise suspicions of possible
fraud.
Quantitative fraud prediction models--calculate fraud
scores that predict the likelihood an application or proposed
transaction is fraudulent. The power of these models is their ability
to assess the cumulative significance of small inconsistencies or
problems that may appear insignificant in isolation.
Identity element approaches--use the analysis of pooled
applications and other data to detect anomalies in typical business
activity to identify potential fraudulent activity. These tools
generally use anonymous consumer information to create macro-models of
applications or credit card usage that deviates from normal information
or spending patterns, as well as a series of applications with a common
work number or address but under different names, or even the
identification and further attention to geographical areas where there
are spikes in what may be fraudulent activity.
Who uses Fraud Detection Tools?
The largest users of fraud detection tools are financial
businesses, accounting for approximately 78 percent of all users.
However, there are many non-financial business uses for fraud detection
tools. Users include:
Governmental agencies--Fraud detection tools are used by
the IRS to locate assets of tax evaders, state agencies to find
individuals who owe child support, law enforcement to assist in
investigations, and by various federal and state agencies for
employment background checks.
Private use--Journalists use fraud detection services to
locate sources, attorneys to find witnesses, and individuals use them
to do background checks on childcare providers.
Location services and products
CDIA's members are also the leading location services providers in
the United States. These services, which help locate individuals, are a
key business-to-business tool that creates great value for consumers
and business alike. Locator services depend on a variety of matching
elements, but again, a key is the SSN. Consider the following examples
of location service uses:
There were 5.5 million location searches conducted by
child support enforcement agencies to enforce court orders. Access to
SSNs dramatically increases the ability of child support enforcement
agencies to locate non-custodial, delinquent parents (often reported in
the news with the moniker ``deadbeat dads''). For example, the
Financial Institution Data Match program required by the Personal
Responsibility and Work Opportunity Reconciliation Act of 1996 (PL 104-
193) led to the location of 700,000 delinquent individuals being linked
to accounts worth nearly $2.5 billion.
There were 378 million location searches used to enforce
contractual obligations to pay debts.
Tens of millions of searches were conducted by pension
funds (location of beneficiaries), lawyers (witness location), blood
donors organizations, as well as by organizations focused on missing
and exploited children.
Clearly location services bring great benefit to consumers and to
businesses of all sizes. Availability and permitted use of the SSN
remains vital to the effective operation of these services for both
private and public sector purposes.
INFORMATION SECURITY AND THE SSN
Because of recent media coverage regarding security breaches of
sensitive personal information and also general concerns about identity
theft, some consumers may well feel that data about them presents risks
that outweigh benefits. But in reality as we have discussed above,
there is clear and convincing value in the uses of such data, including
the SSN, that bring direct value to consumers and our nation's economy,
which must be preserved.
Consumers and media often assume that use of the SSN is wholly
unregulated and this is not the case. As we've discussed, the FCRA
regulates SSNs in the context of consumer reports and our members' use
of the SSN is also regulated under the restrictions of the GLB. Other
laws such as the Fair Debt Collection Practices Act (15 U.S.C. 1601 et
seq.), the Health Insurance Portability and Accountability Act (Pub. L.
104-191), and the Drivers Privacy Protection Act (18 U.S.C. 2721 et
seq.), also impose protections on sensitive information about consumers
which in turn protects the SSN.
However, CDIA's members recognize that the laws which cover them
may not extend to all and clearly the SSN is sensitive personal
information which must be protected. The following statement delivered
during our testimony before the Senate Banking Committee on September
22, 2005 continues to reflect our position on protecting sensitive data
about consumers, including the SSN:
``The discussion of safeguarding sensitive personal information and
notifying consumers when there is a substantial risk of identity theft
has expanded beyond the boundaries of financial institutions. It is our
view that rational and effective national standards should be enacted
both for information security and consumer notification as it applies
to sensitive personal information, regardless of whether the person is
a `financial institution.' ''
As this committee knows, there are a number of House and Senate
committees that are focused on developing uniform national standards
for ensuring the protection of sensitive personal information. We
believe that enactment of national standards will ensure that the SSN
is protected by all who possess it. New nationwide safeguards
regulations authored by the Federal Trade Commission will compel all to
deploy physical and technical strategies for the protection of
sensitive information about consumers. Further they will likely cause
American businesses to move to encrypt such information and finally
some will question why they gather the SSN in the first place. Further,
information safeguards rules would effectively bring into question the
business model of operating publicly available websites that sell a
consumer's SSN to virtually anyone who is willing to pay the price.
Ultimately national standards for the safeguarding of the SSN and
other sensitive personal information will address consumer concerns and
perceptions. These are all good public policy results and CDIA remains
committed to a constructive dialogue as various bills move through the
House and Senate.
PUBLIC RECORDS AND THE SSN
The historical debate about the presence of the SSN in public
records has suggested a binary proposition of either providing everyone
with access to all of a record, including the SSN, or to deny all
access to the record with an SSN. We think that this paradigm is dated
and today encouraging trends in the technologies used to make public
records available to all citizens, particularly via the internet, are
allowing state and federal agencies to employ far more sophistication
in how and when an SSN will be disclosed.
It is also encouraging to hear state court organizations discussing
strategies for protecting SSNs and CDIA will continue to engage in
these dialogues. However, while CDIA believes that disclosure of the
SSN to the general public must be addressed, we also believe that
public records must be made available, including SSNs, to those with an
appropriate need. States are seeking out dialogue with the private
sector about future access to public records which shows promise.
Consider the following excerpt from CDIA's April 18, 2002 letter to the
National Center for State Courts:
``. . . consider the example of the Maryland court access project
that tried to create a limitation on bulk access to court records. The
concerns raised at a public hearing in December 2000 `prompted [Chief]
Judge Bell to appoint an expanded, more representative task force.' \4\
The expanded task force recently issued a final report and noted that
requestors of bulk data sell that information `with value added' to
their customers. The report also noted that registration agreements
between the court and the bulk data requestors 1can provide a vehicle
for reasonable safeguards concerning released data.' '' \5\
---------------------------------------------------------------------------
\4\ Maryland Judiciary Website (visited March 20, 2002).
\5\ Report of the Maryland Court of Appeals Committee on Access to
Court Records 10 (Feb. 2002).
---------------------------------------------------------------------------
Public records play a vital in our society and bring value to the
consumer data industry's members. Bankruptcy records, tax liens and
judgments are part of consumer ``credit'' reports used by lenders to
make decisions that implicate safety and soundness. Records of eviction
are critical to landlords who must themselves pay the bills and attempt
to lease properties to consumers who will do the same. Validating
professional licenses for employment screening agencies is yet another
use of public records, as is accessing criminal histories.
Through the development of nationwide databases of public record
information, our members have solved the problems inherent in having to
search through tens of thousands of federal and state court houses and
agency databases. In this way, the SSN is as important an identifier in
a public document as it is in a private-sector database. It is a
critical identifier for all of the data management reasons we discuss
above. Without an SSN, a consumer can simply alter a few items of
information, such as moving to a new address, or even changing a name
and thus separate himself/herself from a bankruptcy record, a tax lien,
a record of eviction and even a criminal history, in some cases.
Clearly this is not a positive outcome for consumers or for American
businesses which are on the front lines of making, for example, fair
and accurate risk-based lending and employment decisions, while at the
same time fighting identity theft and fraud.
Some federal proposals have suggested that state agencies must
limit access to the SSN. The concern of the CDIA's members is that this
apparent unfunded mandate will drive under-funded state agencies to
either stop requesting the SSN when processing vital records, or to
simply deny all access to the SSN for a variety of reasons including
the fact that they cannot fund a bifurcated system of access to the SSN
for some but not for others. Additionally, because some state public
access laws appear to prohibit a bifurcated approach.
Ultimately, dialogue with state and federal agencies coupled with
the advancement of technologies will address concerns about public
records which contain SSNs. An unfunded mandate will destabilize the
system of public records which is so important to our democracy.
In the context of discussing governmental agencies and the SSN, we
do want to acknowledge and are encouraged by the Social Security
Administration's efforts to explore the viability of a system by which
a party may verify that a particular SSN is associated with a
particular name. A discussion of this system can be found in the
December 30, 2005 edition of the Federal Register, Vol. 70, No. 250.
Entitled ``Consent Based Social Security Number Verification Process,''
the service will be available starting June 2006 and only a limited
number of parties are allowed to enroll. As it currently stands, this
system is very cumbersome and does not allow for a real-time automated
process of SSN verification which will render it very ineffective for
assisting victims of identity theft and also preventing the crime. We
hope that the SSA will move towards a truly automated, system that
meets the broader needs of the data industry.
CONCLUSION
In conclusion, you can see that the underlying theme in the
discussion of SSN uses is that of balance and ultimately ensuring the
security of the number. Law that that imposes national uniform
information security regulations on all who possesses the SSN in
combination with a person's name and address, is the most responsible
and constructive focus for Congress. In contrast, law that overreaches
in attempting to limit use of the SSN is likely to merely take fraud
prevention tools out of the hands of legitimate businesses at the
expense of consumers. Ironically, to prevent fraud you must be able to
crosscheck information. To maintain accurate databases, you must be
able to maintain a range of identifying elements. Absent the
availability of the SSN, we will be less able to build accurate data
bases, to accurately identify records and to help prevent identity
theft through the development of fraud prevention and authentication
tools. Ultimately consumers expect us all to accomplish the goals of
protecting and securing the SSN, and also ensuring the accuracy and
effectiveness of databases which contain information about them.
Thank you for this opportunity to testify.
Chairman MCCRERY. Thank you, Mr. Pratt. Mr. Hulme?
STATEMENT OF BRUCE H. HULME, PRESIDENT, SPECIAL INVESTIGATIONS,
INC., AND LEGISLATIVE DIRECTOR, NATIONAL COUNCIL OF
INVESTIGATION AND SECURITY SERVICES, NEW YORK, NEW YORK
Mr. HULME. Good afternoon, Mr. Chairman and Members of the
Committee. My name is Bruce Hulme. I represent the National
Council of Investigation and Security Services. I am a New York
State licensed private investigator, having been so for 42
years. My company is Special Investigations, Inc.
As a profession that has been helping victims through the
identity theft maze for years, our experience is that such
thefts result from purloining of documents, files, charge
slips, credit cards, and wallets, and according to the Javelin
Strategy and Research survey, 47 percent of such theft is
perpetrated by friends, neighbors, and employees.
We agree that additional measures can be taken to further
reduce incidents of theft. Our concern is that some measures,
unless amended, will have unintended consequences that would
help create a safe haven for criminals and do substantial
damage to the judicial system. We support Congressional efforts
to protect data breaches. We favor limiting the use of the SSN
on government documents, student IDs, and health cards.
Certainly we do not believe that such information should be
sold over the Internet to anybody willing to pay a fee.
However, we do have strong concerns with some provisions of
H.R. 1745 and a Senate measure that would have direct and
harmful effects on how our profession conducts lawful
investigations by banning the sale of SSNs. The result would be
that databases would not have accurate information about
individuals and private investigators would be hampered in our
efforts to locate individuals and perform many functions
essential to the judicial system.
There are 46,000 American men named Bill Jones. Many of
them have the same or similar dates of birth. Private
investigators and others, of course, need to be able to
differentiate between subjects for many purposes, including
evidence in court proceedings.
One critical and effective tool used by private
investigators is what is referred to as the credit header, that
portion of a credit report that includes location and
identifying information but discloses no credit data. That
search is by far the most important one used by investigators
when locating female witnesses. Women often change their names
due to marriage and divorce, and it also helps to locate other
individuals, particularly transients.
Pending legislation provides exceptions for law
enforcement. This creates an obvious issue of due process
because prosecutors with the full resources of the State will
always have use of this tool while the accused would not.
Database searches led directly to a witness or witnesses who
recanted testimony and helped free a man wrongly imprisoned for
20 years. The same situation holds true in civil matters.
Privacy legislation restricting the use of SSNs generally
provides an exception for insurance companies, thereby creating
an imbalance between insurance defense and plaintiffs' bars.
Investigators do not have access to a central criminal
history database, as does law enforcement, so it is essential
to develop address information when seeking information about
prior convictions so that we know what courthouses to go check
out. In both civil and criminal trials, attorneys need to know
the backgrounds of witnesses. We urge Congress that any
restriction on the sale of SSN information include an exception
to enable licensed private investigators and other State-
regulated persons to conduct lawful investigations, including
but not limited to identifying or locating missing or abducted
persons, witnesses, criminals and fugitives, parties to
litigation, parents delinquent in child support payments, organ
and bone marrow donors, pension fund beneficiaries, and missing
heirs.
Here are four quick examples of how we use SSNs. I was
retained by the New York courts in a guardianship proceeding to
recover $300,000 in assets stolen from a 97-year-old retired
Army officer. It was a successful result. The suspect pled
guilty, was sentenced 3 to 9 years in State prison and ordered
to pay $360,000 in restitution and we got all the money back.
In San Francisco, a businessowner started getting
statements in the mail saying he owed tens of thousands of
dollars on computers and other equipment he never purchased.
Someone had hijacked his identity, opened credit cards, store
accounts in his name, set up a similar-type website in his name
and his company's name. The police said they would only take a
report, they wouldn't investigate. They passed it off to the
Secret Service. His loss was $80,000. The Secret Service said
at that point, they had a $100,000 threshold. A private
investigator came into the case and with the use of credit
header information found that an ex-employee, checking things
out, had been using three names or several different SSNs and
birthdates.
One of our association members reported a case that
involved a woman who was left a sizeable inheritance by her
uncle in the form of a trust. The investigator was able to
eventually determine that she was recently married and living
in Utah somewhere destitute, out of a pickup truck. That had a
successful result.
A former president of our council testified just several
years ago, I think, about a similar case before this Committee
regarding a custodial parent whose child had been abducted 2
years prior. Her mother spent 2 years having a run-around with
the police and politicians trying to get somebody to do the
job. She went to this private investigator. Within basically
minutes, running a credit header, determined enough leads as to
where the husband might be, turned the information over to the
police. They went there, got in, and the child was reunited
with its mother.
As detailed in our statement, the association of regulators
which regulates our profession, they support granting an
exception for our industry in this, and we stand ready to
assist the Committee in any way we can and thank you for this
opportunity, Mr. Chairman.
[The prepared statement of Mr. Hulme follows:]
Statement of Bruce Hulme, Legislative Director, National Council of
Investigation and Security Services, New York, New York
Good afternoon Mr. Chairman and members of the subcommittee. My
name is Bruce H. Hulme and I am appearing today on behalf of the
National Council of Investigation and Security Services (NCISS) where I
serve as Legislative Director. I am past president and chairman of the
Council and serve as a member of the Board of Directors. I have been a
licensed private investigator in New York for more than forty years and
am president of Special Investigations, Inc.
We appreciate the opportunity to discuss how Social Security
numbers can be used by perpetrators of identity theft, what Congress
can do to mitigate the risk of such fraud, and the impact of pending
legislation.
Social Security numbers (SSN's) have become the de facto identifier
in the United States. The Social Security number is the single best way
to distinguish among people of similar or identical names. That is why
businesses have used SSN's on identity cards and customer records. It
is also why SSN's are sought by those who wish to commit fraud, so they
may attempt to establish an identity.
When Congress created the Social Security System nearly three-
quarters of a century ago, it was not intended that the numbers issued
to nearly every American would become the universal identifier for
modern times. But that is what has occurred. An entire system of
commerce is predicated on citizens being able to identify themselves
based on this identifier. Unless each person has a viable substitute
such as a password to take the place of the SSN, Congress should be
very circumspect about eliminating the use of the SSN as an identifier.
Just as most commerce uses the SSN, the civil and criminal justice
systems also require a means of identifying parties and witnesses in
lawsuits and the commonality of dates of birth makes the SSN a
necessary tool to be sure the courts have positive identification. It
is true that some abuses have occurred by the misuse of the SSN, but
the percentage of misuses pale in comparison to the number of positive
uses applied every day in our economic and justice systems.
As a profession that has been trying to help victims through the
identity theft maze for years, we applaud Congress' efforts to put
additional laws on the books that will bring victims some relief.
Recently enacted legislation should be of some assistance. The Fair and
Accurate Credit Transactions Act included several identity theft
provisions, and the 108th Congress adopted the Identity Theft Penalty
Enhancement Act to increase sentences of convicted fraudsters. We were
appalled to read recently that two caretakers who committed such fraud
against their elderly patients received suspended sentences. Until the
courts take the crime seriously, it will be difficult to deter such
thieves.
Although a percentage of identity thieves no doubt gather their
victims' identities from the Internet, our experience is that most such
thefts result from the purloining of documents, files, charge slips,
credit cards, and wallets from restaurants, stores, trash bins, the
mails and private property. In fact, according to the Javelin Strategy
and Research survey 47 percent of such theft is perpetrated by friends,
neighbors or employees.
But we agree that additional measures can be taken to further
reduce incidents of theft. Our concern is that some measures, unless
amended, would have unintended consequences that could help create a
safe haven for criminals and do substantial damage to the judicial
system.
Publicity over data breaches for the past year have led to numerous
bills in Congress and state legislatures to require that sensitive
personal information, including Social Security numbers, be protected
by those who hold it. Such breaches have occurred not only from data
providers, but universities, banks and other institutions. Breaches
have also occurred at every level of government. These breaches have
been caused by lost computers, hacking, misplaced files and other
means.
We support efforts to protect such sensitive personal data.
Consumers should be informed when such data are divulged and should be
provided assistance in order to protect themselves. And, businesses and
other institutions holding such data have a responsibility to protect
it.
With regard to Social Security numbers, we support limiting their
use on government documents, student id's, health cards and other means
of identification that could fall into the wrong hands. And we
certainly don't believe that such information should be sold on the
Internet to anyone willing to pay a fee. Many of these provisions are
found in HR 1745, the Social Security Number Privacy and Identity Theft
Protection Act.
We do, however, have strong concerns with provisions of HR 1745 and
other measures that would have a direct and harmful effect on how our
profession conducts lawful investigations. The Senate Committee on
Commerce, Science and Transportation, for example, amended S 1408, the
Identity Theft Protection Act, to effectively prohibit the sale of
Social Security numbers with few exceptions. The result would be that
databases would not have accurate information and private investigators
would be hampered in our efforts to locate individuals and perform many
of the functions essential to the judicial system.
How Private Investigators Use SSNs
As indicated earlier, the Social Security number is critical for
determining identity. In past hearings, Lexis-Nexis has testified that
there are 46,000 men in America named Bill Jones. Many of them have the
same or similar dates of birth. Licensed private investigators need to
be able to positively differentiate between subjects when rendering
reports which will be used for many purposes including evidence in
court proceedings. Behind any civil or criminal court case of
consequence, you will usually find a licensed private investigator
assisting the attorneys involved in such cases. The investigators are
also then bound by the attorney-client privilege which adds a further
measure of security to the information developed on individuals during
the course of an investigation. Contrary to popular belief, most
investigators work for law firms, insurance companies and corporations,
not the general public.
One critical and effective tool used by private investigators is
the ``credit header,'' that portion of a credit report that includes
location and identifying information but discloses no credit data. That
search is by far the most important one currently used by investigators
when locating female witnesses. Since women often change surnames over
the course of their lives due to marriage or divorce, it makes it even
more critical to be able to identify them by their SSN. The SSN does
not change and allows us to locate these otherwise difficult to find
witnesses. In California recently, database searches led directly to
witnesses who recanted testimony and helped free a man wrongly
imprisoned for twenty years.
In both civil and criminal trials, justice is served best by all
parties getting access to all possible witnesses. Access to a fair
trial is a fundamental right of American citizens. Without the ability
to identify and locate all witnesses, that right is threatened.
The address information is used routinely to locate witnesses,
particularly when they may be transient. Legislation restricting the
use of Social Security numbers always provides exceptions for law
enforcement. This creates an obvious issue of due process because
prosecutors, with the full resources of the state, would have use of
this tool while the accused would not. The criminal justice system
needs balance. . . . the private investigator provides a counterpoint
to the investigators in the public sector.
The same situation holds true in civil matters. Privacy legislation
generally provides an exception for insurance companies, thereby
creating an imbalance between the insurance defense and plaintiffs'
bars in obtaining evidence in civil trials.
Investigators do not have access to the central criminal history
database that law enforcement officials do, so it is essential to have
addresses when seeking information about prior convictions. With prior
address data, investigators know which courthouse records to search.
This information is important for more than pre-employment purposes. In
both civil and criminal trials, attorneys need to know the backgrounds
of witnesses and potential witnesses.
Address information is valuable in locating stolen assets. I was
retained by the New York courts in a guardianship proceeding to recover
over $300,000 in assets stolen from a 97-year-old retired Army officer
by a neighbor caregiver. Through the use of credit headers I was
immediately able to determine the identities and locations of the
wrongdoer's relatives, properties and eventually their assets that had
been taken from the victim. It was the initial header check on the
suspect that uncovered an address in Myrtle Beach, South Carolina. That
information developed leads that the victim's assets had been used to
purchase expensive automobiles, real property in South Carolina and
increased the bank account balances of the suspect. All under the guise
that the 97-year-old victim, who was suffering from dementia, had given
his life savings as gifts to the suspect. The suspect eventually pled
guilty and was sentenced to three to nine years in state prison for
second-degree grand larceny and ordered to pay $360,000 in restitution
to the estate of the victim, who, regrettably, died a month before
sentencing of the defendant.
In numerous cases, such data have led to recovery of funds from
persons not meeting their child support obligations. And missing
persons, including abducted children, have been located with leads
generated from credit headers.
It is no secret that law enforcement does not have the resources to
respond effectively to most victims of identity theft. The crime is
difficult to solve, and often involves several jurisdictions. So
victims turn to private investigators for assistance.
Congress must consider that many licensed private investigators are
former law enforcement officers and can assist the overwhelmed public
law enforcement sector in fraud and identity theft related cases. Law
enforcement is often under-manned and ill--equipped to deal with
identity theft and usually violent crime cases take precedence. The
victims then must turn to investigators in the private sector to assist
them in determining the extent of the fraud and the identity of the
perpetrators. Investigators must have access to the necessary tools
such as the credit header SSN search. Without access to this important
investigative tool, it will become easier for criminals to shield
themselves from discovery. They are fully aware of the limitations
facing law enforcement.
Here is how SSN information helped solve one case: In San
Francisco, an investigator reports working a case for a successful
business owner who started getting statements in the mail saying he
owed tens of thousands of dollars on computers and other purchases,
none of which he knew anything about. He found someone had hijacked his
identity, opened credit card and store accounts in his name and had
even opened a web page mirroring his web page and had an e-mail address
similar to his. The San Francisco Police said they would take a report,
but would not investigate and suggested he go to the Secret Service.
Although losses approached $80,000, the Secret Service declined to take
a report because losses had not reached a $100,000 threshhold. The
victim hired a private agency. Using credit header information, they
learned that the suspect, was an ex-employee with three aliases, three
or four social security numbers, and three different dates of birth.
The suspect was apprehended and prosecuted.
Such information is also valuable for locating lost heirs. One of
our association members reported a case that involved a woman who was
left a sizeable inheritance by her uncle in the form of a trust. The
family had not had any contact with her for a number of years, so the
attorney handling the trust asked for assistance. By using header
information, the investigator was able to eventually determine that she
was recently married and was living someplace in Utah. He was able to
locate her husband's relatives and learned that she and her husband
were destitute and living out of a pick-up truck in Oregon. He sent the
requisite documentation to her in care of her husband's relatives and
she rightfully obtained her substantial inheritance. Without access to
header information, the investigator would not have been able to locate
her.
A former president of our Council--NCISS--helped a custodial parent
whose child had been abducted two years prior. The mother had spent
those two years unsuccessfully trying to keep the police interested and
writing various public officials seeking help. A credit header search
revealed an address in Palm Beach, Florida, where the estranged husband
had recently applied for credit. The police apprehended the husband and
reunited the child with his mother.
One of our Texas members reports using a Social Security number
``trace'' to locate a female in need of assistance. A charitable fund
had been set up to assist her with prenatal care and her childbirth.
The credit header was an efficient means for the licensed investigator
to quickly locate a needy person for charitable purposes at low cost.
Last year, NCISS met with members of the Federal Trade Commission
to apprise them of the many ways private investigators rely on the SSN.
We presented a dozen actual case examples of the sixty we had brought
with us to that meeting.
We urge Congress to provide that any restriction on the sale of
Social Security information include an exception to enable licensed
private investigators and other state regulated persons to conduct
lawful investigations, including, but not be limited to, identifying or
locating missing or abducted persons, witnesses, criminals and
fugitives, parties to litigation, parents delinquent in child support
payments, organ and bone marrow donors, pension fund beneficiaries and
missing heirs.
It is ironic that the end result of such well-intentioned
legislation would be to make it more difficult to assist victims of
identity theft and other frauds. It would make it less likely that the
courts would hear from all relevant witnesses in both civil and
criminal trials and less likely that stolen funds are recovered.
In conclusion, I would like to share with this committee the
position of the International Association of Security and Investigative
Regulators with respect to this issue. IASIR is an association of state
and province regulatory agencies in the United States and Canada,
having jurisdiction over a large part of the security industry and
investigative profession. At their annual meeting last fall they passed
the following motion:
IASIR acknowledges that regulated investigators are an integral
part of the effective administration of justice, civil as well as
criminal. In addition, state licensed investigators provide an
essential service to the public, to businesses and government, and to
the legal community for the purpose of preventing or investigating
fraud including identity theft; reducing business losses such as
embezzlement, robberies, burglaries, thefts, fires and other casualty
claims; investigating workplace allegations including harassment,
discrimination and other workplace risks; locating missing and abducted
persons, witnesses, heirs, and deadbeat parents; as well as assisting
in uncovering significant misrepresentations or critical non-
disclosures in conducting due diligence.
Since access to personally identifiable information is crucial to
the welfare of many and often concerns not only individual physical
safety but the protections of homeland security, IASIR recognizes and
supports the necessity of those investigators, who are licensed and
monitored by regulatory agencies, to maintain access to personal
identifying information including but not limited to, social security
numbers, dates of birth and driver's license numbers to assist in their
important investigative mission.
NCISS stands ready to assist the Committee in its endeavor to
protect consumer privacy without causing unintended consequences.
Chairman MCCRERY. Thank you, Mr. Hulme. Ms. Robinson, I am
curious about one thing that we have discovered. According to
the FTC, 61 percent of identity theft victims never contact the
police department to report their identity theft. Do you have
any idea why that is?
Ms. ROBINSON. Well, from my experience in working with
victims, victims feel like the police don't care, and like the
gentleman just said, the police will only take a report. They
won't actively investigate the crime. They won't actively
pursue the perpetrator.
Chairman MCCRERY. Does anybody else have a thought on that?
Mr. Hulme?
Mr. HULME. Well, it is multiple jurisdictions that present
problems. Law enforcement basically is just now starting to
come up to speed. I can tell you from testimony I heard on the
first panel that I probably investigated more ID thefts than
the two government agencies. I know many of our members
certainly have. I think it is a question of passing the buck,
but it is definitely a major problem that has to be addressed.
Chairman MCCRERY. Thank you. Mr. Stein, you mentioned how
financial institutions use SSNs as a tool to help verify the
identity of their customers. Could you explain how, for
example, a bank's customer identification program might work?
What information do you request in addition to the SSN?
Mr. STEIN. Identity documents are always requested to prove
up identity. The SSN helps as a determinant of an individual.
As my esteemed colleagues have all represented about the
Smiths, the Jones, and so forth, the SSN serves to identify the
specific Jones or Smith that you are dealing with and to be
able to tie those relationships, for example, together within a
financial institution, to ensure that when you pull credit
reports to determine creditworthiness for a loan, a mortgage, a
credit card, you are actually receiving the information about
the specific applicant who has applied to you so that you can
make that credit worthiness decision appropriately.
Those are a number of ways in which that number is used. It
is not used to verify identity per se. It is used to ensure
that you are the Smith with whom we are dealing, and then we
use your identity documents, typically a driver's license in
today's society, and perhaps other pieces of identification,
whether it be a passport, credit card, whatever, to confirm
your identity.
The SSN itself doesn't confirm your identity in the absence
of a CBSV or its predecessor, the Enumeration Verification
System, where we have the ability to actually go out to SSA's
database and pull back or confirm the SSN, name, date of birth
combination so that we know, in fact, we are dealing with the
same person. In the absence of that, the number itself simply
allows us to tie together disparate people using our disparate
accounts that are using that same number as an identifier.
Chairman MCCRERY. Let us take Ms. Robinson's case, for
example. Another Ms. Robinson stole her SSN, or got it, started
using it, and applied for loans, evidently, and got them. Why
couldn't that financial institution have just done a couple of
extra things that might have raised flags and made them
question the person sitting before them? She probably had a
driver's license, that had her name which was almost the same,
and it may have left out her middle initial, and that is not
unusual, and so the person at the bank or the financial
institution said, okay. Maybe then he should have looked at the
address on the driver's license, and then surely the financial
institution did a credit check. Maybe they should have compared
the address on the driver's license to the address on her
credit report, and when those are not the same, a flag goes up
and you just either ask her there at the desk or call her back
and say, there is a discrepancy in the address in your credit
report. What is the deal?
Mr. STEIN. I have----
Chairman MCCRERY. Just a couple things. Why shouldn't you
do that?
Mr. STEIN. I have two answers to that. The first one is,
again, going back to the CBSV and the EVS system, had that been
commercially available so that the financial institution could
have verified the consumer's name along with the SSN and along
with the date of birth, and assuming that the person who was
misrepresenting her didn't have all three of those correct and
documentation to support all three of those correct, the
financial institution could have had an opportunity right there
to have caught that. Number one, I would promote that the
ability to verify that information is a key step in this entire
process.
Now, not knowing exactly what the financial institution
saw, and so I am--you have sort of asked me to second-guess
what they did or didn't do here--but with respect to the credit
reports that would be pulled based on the SSN and the name, I
think that Mr. Pratt here has indicated the volume of address
changes that happen in a year and the information tends to lag
what gets into the credit reports, and so it wouldn't
necessarily in and of itself as the sole trigger. The fact that
the address wasn't in that credit report that represented the
person in front of them wouldn't necessarily by itself have
been a key indicator.
I also think that in a high-volume environment as card
issuers deal with, it may also be difficult for them to find
those really fine nuances between two people of the same name
with the same SSN. I will tell you that had they been using a
different name with her SSN, there would have been a warning
that would have appeared on the credit report that would have
indicated there is another name in the Bureau that is used
sharing that same SSN. One of the problems is the very close
similarity between the two names in this particular instance.
Chairman MCCRERY. Okay. Mr. Hulme, you have stated that
your organization agrees that additional measures can be taken
to reduce identity theft. You undoubtedly have a lot of
experience in dealing with information resellers. Do you have
any recommendations as to how they can improve their protection
of SSNs, these resellers?
Mr. HULME. First of all, if there was a manner of getting a
lot of the resellers--and I am not referring to the major ones,
but two levels down or a level down--from selling this--pull
this off the Internet and eliminate sales to the general public
and you will eliminate 95 percent of the problems, in my
opinion.
Chairman MCCRERY. Say that again?
Mr. HULME. I think one will eliminate 95 percent of the
problems if sales of----
Mr. BECERRA. Could you repeat the whole answer? Pull it
from the Internet----
Mr. HULME. Sure. Don't allow the sale of the SSN and
personally identifiable information to be sold to the general
public over the Internet. That would be my--I think that would
be my first, strongest suggestion, and I heard one of the
speakers earlier today say there were studies that maybe showed
that. I can tell you that anecdotal information, and if you
talk to most investigators and certainly our association, we
think that if you pull down the sale of these items of personal
information direct to the general public over the Internet, you
will eliminate an awful lot of identity theft.
Chairman MCCRERY. Thank you. Mr. Levin?
Mr. LEVIN. Just one question. To sum up, how easy is it to
steal identity?
Mr. HULME. Well, I am not a thief, but I would say----
[Laughter.]
Mr. LEVIN. I said how easy, not how.
Mr. HULME. Well, I think in some cases, the door is being
left open. In some situations, I think there is the
availability to get this information and it is being displayed
often in areas where it shouldn't be displayed. The information
obviously has to come off a lot of government documents, more
than are necessary. The tons of mail that we get that get
sometimes sent to the wrong place, even when it comes back to
the Post Office, just check with the postal inspectors and you
will find that they are now investigating quite a few crimes
regarding what has been done with the mail that has been
returned.
Mr. LEVIN. You are saying it is easy?
Mr. HULME. Yes.
Mr. LEVIN. Does anybody disagree with that?
Mr. PRATT. I don't think we disagree with that. I just want
to emphasize, though, the point that has already been made, but
just to drive it home, that fraud prevention systems are moving
past the simple question of do you have a Social and a name
that match up together. We discuss in our testimony different
fraud prevention strategies that are being used today, and they
really do have to do with bringing together disparate sets of
information and attempting to foil the dilemma of having
information which is far too openly sold out on the Internet,
for example, by, for example, asking additional questions of
the consumer that would probably not--that the ID thief would
not necessarily know. In an online environment, it might be to
ask consumers additional questions that the thief probably
wouldn't even know even if he or she had stolen a wallet.
Fraud prevention systems have clearly moved past the
simple, do you have a set of data and have you matched it, yes
or no, and we, too, agree that the SSA concept of matching
information is a good one, but I suspect we would all agree
that it is not the sum total of how you ultimately validate a
consumer's identity. You may be able to validate that you have
a real SSN, but then you are going to raise yellow flags. What
about that address?
The Fair Credit Reporting Act, by the way, was amended in
2003 to obligate all lenders to have a system by which they
will compare the old address or the address on the application
with the address that you find in the credit report.
What about fraud alerts? The Fair Credit Reporting Act was
amended in 2003 to obligate a lender to pay attention to the
fraud alert, to make sure that it was actually processed, so
that if one was placed on the file, that there would be
additional contact measures taken to further authenticate the
identity of the individual and attempt to foil the criminal
from opening up new accounts.
I think those kinds of steps have been taken and that is
why the world is a little different than even the last time I
appeared before this Committee, when we talked about SSNs and
the availability of them. Those are good steps along the
continuum and the challenge is thieves become more clever and
so, too, do the fraud prevention systems that have to stop
them.
Mr. LEVIN. Thank you.
Chairman MCCRERY. Mr. Johnson?
Mr. JOHNSON. Thank you, Mr. Chairman. Mr. Pratt and Mr.
Stein, I guess, you all haven't talked about how some companies
will use the last four digits and some of them the first five,
maybe, to identify people. Does that have any validity at all?
Mr. PRATT. From our perspective, again, Congressman, the
Fair Credit Reporting Act stipulated that consumers could
truncate SSNs when they order their credit report so that they
could look at their credit report. For example, some laws
attempt to do that.
Yes, there can be some strategies where I suppose
truncation works. There are risks any time you start to
truncate the number. For example, we actually have run data to
show that even with the last four digits of an SSN, you can
match up as many as 90 different Joneses in this country. You
have to be careful. You have to be careful about when and where
to employ a truncation strategy. In some kinds of database
management systems, that is good. In some, that might not be so
good.
Mr. STEIN. I think that one of the reasons that we use
truncated SSNs is a layered approach for role-based access. If
you segment a need around Social Security within a financial
institution, there are three sets of needs. There are those
people who don't ever need to see an SSN. You may have
employees who, by virtue of their job role, have no need to
ever see a customer's SSN, and by virtue of that role-based
access, when they pull up information on the customer to
respond to a question or whatever, they shouldn't see the
customer's SSN at all.
There may be others within the organization who have a need
to verify that as a component of the identity verification
process, but they have no need for the full SSN. They don't
need to know the whole thing for that consumer. A customer
service center, for example, gets a phone call from Mr. Jones
and one of the ways they may verify Mr. Jones in a remote
environment is by having Mr. Jones tell them, or alternatively
key into a voice response unit the last four digits of their
SSN as a means to uniquely identify that Mr. Jones is the one
for whom I am going to pull their account records. Again they
have no need to see the full thing.
Then there are other employees within the organization who
have clearly a need to work with the entire SSN, and that is a
much, much smaller population. We are reducing the risk
throughout that whole thing by taking it from the old world of
financial institutions, where every employee saw every SSN, to
a very small number who see a full SSN.
Mr. JOHNSON. Now, we tried at one time to get the military
to change their procedure, but all of them use the SSN as an ID
and it is on their ID card. Not only that, but my wife's ID
card has both our numbers on it, not just one. Have you got any
suggestions about how we can fix that problem, because that is
an easy theft, I think.
Mr. PRATT. Congressman, all I can say is I think the world
has changed enough that it is time to ask that question again
of the military to see if they are willing to alter that system
now.
Mr. JOHNSON. Okay. We can make them do it, I guess.
[Laughter.]
Mr. PRATT. It is true that every time the SSN is used on a
medical identification card, when it is used on all the
different places that it can occur, those are all risks that I
think my colleague to the left has expressed are potential
risks.
Mr. JOHNSON. Mr. Hulme, you are talking about people
stealing your identity. I got stopped at the airport because
they said I was a terrorist. Sam Johnson--there are a lot of
them around.
[Laughter.]
They didn't have to have an SSN to verify who I was. They
used other means. I think there is a way to get around that if
we really want to and you all are probably doing as good a job
as anybody. Have you got any suggestions on that?
Mr. HULME. No. All I can say is that some people definitely
need to have access to that SSN. Along the same line, in
fairness, it doesn't need to be laid out for the world to have.
Mr. JOHNSON. Yes. You are right. Thank you. Thank you, Mr.
Chairman.
Chairman MCCRERY. Mr. Becerra?
Mr. BECERRA. Thank you all for your testimony. It is
enlightening and also very disturbing. Ms. Robinson, let me ask
you something. Have you cleared up your credit record yet?
Ms. ROBINSON. No, sir. As a result of Nicole Robinson using
my data, one of the credit reporting agencies is still
reporting her bad debt as mine.
Mr. BECERRA. Okay, stop. Mr. Pratt, you represent the
credit bureaus.
Mr. PRATT. I do.
Mr. BECERRA. You hear Ms. Robinson saying that she has been
going through this for years. Is there any reason why, if we
contact you pretty soon, you can't tell us that the credit
bureaus haven't taken care of Ms. Robinson's credit record?
Mr. PRATT. None whatsoever.
Mr. BECERRA. Okay. We will make sure that you get Mr.
Pratt's phone number----
[Laughter.]
Mr. BECERRA. --and you will have----
Ms. ROBINSON. May I also add, though, that I have been
dealing with that particular credit reporting agency for the
last 4 years over the same problem, and it prevented me from
getting a mortgage last year because they were reporting
$35,000 in bad debt that belonged to her.
Mr. BECERRA. Stop. Mr. Pratt said that you won't worry
about that.
Ms. ROBINSON. Okay.
Mr. BECERRA. We will be in touch, and certainly you will be
in touch with----
Ms. ROBINSON. Yes, I will be in touch.
Mr. BECERRA. Thank you, and Mr. Pratt, thank you for that.
Mr. Stein, let me ask a question. What does Countrywide do with
customers who, for whatever reason, close their accounts and
their relationship with Countrywide. What do you do, what does
Countrywide do with that personal private data that it has for
that individual?
Mr. STEIN. There may be continuing obligations we have even
after a relationship is closed, and let me speak more broadly
for the financial industry in general because I think it is
true whether lenders or financial institutions. There may be
continuing obligations we may have with respect to that
information that keeps it within the organization. That having
been said, again, we talked about this role-based access and
restricting the access to the information to those who have a
true need so that you see only really that information which
you have need by virtue of your job.
Mr. BECERRA. I have a mortgage through Countrywide. I pay
it off. I no longer owe Countrywide any money. You have my SSN
through the fact that I took out a mortgage with you. I no
longer have any banking activity with you. You still maintain a
file with my SSN?
Mr. STEIN. For our retention period, yes.
Mr. BECERRA. Which is how long?
Mr. STEIN. I believe it is probably either 5 or 7 years.
Offhand, I don't----
Mr. BECERRA. Who has access to that?
Mr. STEIN. Again, it would depend on the specific job
functions within an organization, but it would be those people
who have, by virtue of their job function, a need to access it.
For example----
Mr. BECERRA. Let me, because I am going to run out of time,
so I don't want to do that, but let me ask you this. Would it
be feasible economically for a company, an industry, to try to
do more to shut down access to that personal data sooner than 5
to 7 years or make it much more restricted in terms of access
to that information, once there is no need to have an ongoing
review of that information because the accounts, in essence,
have been closed?
Mr. STEIN. Right, and I don't want to imply that once you
close your relationship, the same people who have had access to
that information when your relationship was open necessarily
have it when your relationship is closed.
Mr. BECERRA. Okay.
Mr. STEIN. There is some population that does continue to
have it, because you may call up a year later or 2 years later
and have some question about your closed relationship that
someone now needs to get access to.
Mr. BECERRA. Well, let me ask you this. If I were to call
your toll-free number to check on the status of my mortgage 2
years after I have already finished and I punch in on the phone
my old mortgage account number and I have some questions I need
to have answered so I get an actual voice on the phone, would
that person be able to pull up the information that would
include the SSN?
Mr. STEIN. The answer is, it depends.
Mr. BECERRA. Okay. Don't go any further, because I will run
out of time. If you can guide us on this, I think what we have
heard is that we have got to try to limit the access as much as
possible, but we also have to recognize that a lot of commerce
depends on this information. Let us know what you are doing.
What are the best practices that you are using to make sure
that once you don't need it, you are not using it, and once you
don't need it, others can't access it. It would be helpful to
know who is doing a good job of making sure that we are closing
the door on that information the quicker we can.
Mr. STEIN. Right.
Mr. BECERRA. That would be helpful. A hypothetical here.
Social Security says, tomorrow, we are going to scrap the
current SSN and the system that we have used. We are going to
reinstate something totally different. Maybe it is with a
number, but it is different. Everyone in America who has an
SSN, you will be issued something else. At the same time, we
pass a law saying we prohibit the use of this new Social
Security identifier for anything other than Social Security.
What do your industries, your agencies, what do you do?
Mr. PRATT. Beyond panic, I guess, would be the question.
[Laughter.]
Mr. PRATT. I think there are several parts to that answer.
One, clearly, biometrics are being used in certain contexts and
so, yes, there are even today--again, it is very important to
distinguish between how the number is used to create an
accurate database to say, I have data associated with this
number and with this name together, versus how I am going to
identify you and make sure that you are 100 percent who you say
you are. Even today, consumers' acceptance of concepts like
biometrics is much greater than it was perhaps a decade ago.
I think you would always find some sort of substitutes
effect. I think the question is at what level of disruption in
the system overall, between the time that you were to close off
the system completely and then try to reinstate something else.
There would be, by the way, a legacy effect. All the data
that was currently mediated by SSNs would remain. Court records
would remain associated with the SSN. You are really talking
almost generationally, anyway. You are talking about very, very
long periods of time as you move away. It does get into
discussions of cards and whether cards will have algorithms on
them and whether cards will store additional information and
whether they are used for limited purposes or more extended
purposes. These are very complicated issues that certainly go
well beyond the pale of our industry or, I suspect, any of us
here at the table.
Mr. BECERRA. One way or the other, you will find some type
of universal identifier that can help you keep tabs of the
population.
Mr. PRATT. Well, I would say two things could happen.
Number one, you could have less data mediated, which means, for
example, consumers today who already are unhappy when we don't
have a certain account that they have been paying on time for
many, many years that Countrywide wants to use to approve a
loan, when it is not in their credit report, they are also
unhappy with us, just as they are unhappy when there might be
data in their credit report that they say is not theirs. What
you do have with the removal of an identifying system or a
single unique identifier like the SSN is potential
disintermediating and disconnecting data which can be mediated
and which can be used for good things, such as me getting the
car loan on the weekend or getting the student loan for my kids
and so on and so forth. There are effects like that that we
probably can't entirely predict today.
Even the FTC was asked to look at how SSNs interplayed with
credit reports, and that was a study that was done during the
2003 FACT Act, and they concluded that, really, you move away
from a binary, good or bad, proposition and you are on a
continuum, move one direction, and maybe there is less SSNs and
so maybe certain types of risks are reduced, but maybe you have
disintermediated data. It was all about do you move toward more
inclusivity or do you move toward more exclusion or separation?
That is the kind of database continuum our members tend to
operate on. Which way do I go?
Mr. BECERRA. Thank you.
Mr. STEIN. If I may just take one moment, when you talk
about things like biometrics and other kinds of identifiers to
uniquely identify an individual and you compare it to the SSN
issue, the one thing to keep in mind is that the SSN is a
national unique identifier. In the absence of having a national
registry of fingerprints, retinal scans, facial recognition,
hand geometry, whatever you want it to be, there is no way to
take those disparate pieces and put them all together into a
credit report. In the absence of that, it is probably more
likely rather than less likely that the Nicole Robinsons of the
world get joined with someone who really isn't them.
In this case, the person used her SSN with her same name.
In other circumstances, you are going to have people, a whole
bunch of Nicole Robinsons that may get joined together because
there is not that unique identifier that puts them together.
Mr. BECERRA. Thank you. Thank you, Mr. Chairman.
Chairman MCCRERY. Thank you very much, gentlemen and
ladies. We appreciate your testimony and your responses to our
questions.
That concludes today's hearing. The Subcommittee is
adjourned.
[Whereupon, at 4:40 p.m., the Subcommittee was adjourned.]
[Submissions for the record follow:]
Corona Del Mar, California
March 27, 2006
Dear Members of the Subcommittee and Participants of this series of
Hearings:
My name is John Patrick Kenney. I earn my living as a real estate
developer and I am licensed as a real estate broker in California. I am
a former recipient of Long Term Social Security of Disability Benefits.
I am recent recipient of the National Republican Congressional
Committee Ronald Reagan Medal and 2005 Businessman of the year Award. I
am also the plaintiff in a Federal District Court Lawsuit against the
commissioner of Social Security, currently awaiting a decision in case
#SACV 05-00426 (MAN). John P. Kenney Vrs. Commissioner of Social
Security. The agency misused my Social Security Number, identifying me
as the recipient of a mistaken overpayment decision. This resulted in
damages similar to those incurred in identity theft and was a violation
of the bill of rights in the constitution of the United States. As I
expect tot win this case, actual damages today are approximately 12.5
million daollars and increasing at a rate of about $30,000.00 per
calendar day. Patrick O'Carroll, the SSA Inspector General has recently
in this series and through reports, informed you, that the SSA may have
made: 600,000 errors of overpayments and underpayments of the Social
Security Benefits, has put you on notice of this, I'm sorry to say,
error prone agency. The problem is that you, the congress, has backed
this error prone agency with police powers to collect erroneous debts
with minimal if any oversight. For example, the Federal Trade
Commission is not permitted to enforce fair credit reporting or fair
debt collection laws you enacted for our protection against the SSA.
The president's management agenda is I believe correct . . . get our
money out of the hands of this poorly managed bureaucracy. So, as a
consequence of the above I legitimately expect a ``Social Security''
check soon between $12,000,000.00 and $20,000,000.00 depending on how
long this agency wants to fight by withholding evidence, slandering my
character in the public court record, appealing to the 9th circuit or
whatever failure prone tactic they may want to attempt. So . . . this
error prone agency should not of and by itself and without real
oversight possess the police powers have given it. I expect to prevail
in my case and expect some public notice in the media to precipitate
many an angry or scared taxpayer to contact you. What would happen to
the general fund if 600,000 individuals had the opportunity, the
inclination, the resources to sue the Social Security Administration
for violating the privacy act as I have done? Please call on me if you
need some help, even though I've missed meals and been forced by the
above to try to relocate my business out of the country. I'm willing to
help this subcommittee any way I am able.
John P. Kenney
Statement of J. Michelle Sybesma, Fishers, Indiana
You may find it hard to believe that once upon a time I carried an
affidavit from the United States Postal Inspection Service verifying
was indeed who I professed to be. From the looks of my photo, you might
find it amusing to read my most recent state registered identification
had said that I was not only Male, but of a Latin American heritage, 2
inches shorter, and about 15 lbs heavier than when I stood in front on
you.
The truth was, before I figured out what happened I had a house in
the low-income projects in Danville, IL and another just outside my
hometown in Indianapolis, IN. Someone was utilizing my personal
information and morphing it into someone that was in no way aligned
with the principles of good ethics.
This was over ten years ago. I now know better than most what it
takes to establish new social security number and have to spend years
in the fighting to reclaim your identity. However, I am no victim. I am
inclined to believe things happen for a reason and this happened to me
so I might teach others how to prevent it. The experience left me
smarter, credit wiser and fighting mad to make sure it does not happen
to others.
The most recent Federal Trade Commission statistics show that 12.7%
of individuals surveyed have been personally touch by some sort of
credit card fraud or identity theft.
As a consultant and professional speaker who covers topic to teach
groups the importance of proper precautions to risk factors of Identity
theft, I can tell you a more accurate statistic never stood.
If requested to testify, I can tell you a great deal about the
inherent risk in business using our SSNs a primary identifier. Most
people do not understand the long term impact this can have on the rise
of this epidemic. Please consider contacting me to speak for your sub-
committee. Not since the Fair Credit Reporting Act of 1996 has there
been a piece of potential legislation that had such impact on that of
Identity Theft. Thank you.
�