[Senate Hearing 106-902] [From the U.S. Government Publishing Office] S. Hrg. 106-902 IDENTITY THEFT: HOW TO PROTECT AND RESTORE YOUR GOOD NAME ======================================================================= HEARING before the SUBCOMMITTEE ON TECHNOLOGY, TERRORISM, AND GOVERNMENT INFORMATION of the COMMITTEE ON THE JUDICIARY UNITED STATES SENATE ONE HUNDRED SIXTH CONGRESS SECOND SESSION on PREVENTING CRIMINALS FROM USING TECHNOLOGY TO PREY UPON SOCIETY, FOCUSING ON IDENTITY THEFT PREVENTION MEASURES AND THE IMPLEMENTATION OF THE IDENTITY THEFT AND ASSUMPTION DETERRENCE ACT (PUB. LAW 105-318) __________ JULY 12, 2000 __________ Serial No. J-106-97 __________ Printed for the use of the Committee on the Judiciary __________ U.S. GOVERNMENT PRINTING OFFICE 69-466 WASHINGTON : 2001 COMMITTEE ON THE JUDICIARY ORRIN G. HATCH, Utah, Chairman STROM THURMOND, South Carolina PATRICK J. LEAHY, Vermont CHARLES E. GRASSLEY, Iowa EDWARD M. KENNEDY, Massachusetts ARLEN SPECTER, Pennsylvania JOSEPH R. BIDEN, Jr., Delaware JON KYL, Arizona HERBERT KOHL, Wisconsin MIKE DeWINE, Ohio DIANNE FEINSTEIN, California JOHN ASHCROFT, Missouri RUSSELL D. FEINGOLD, Wisconsin SPENCER ABRAHAM, Michigan ROBERT G. TORRICELLI, New Jersey JEFF SESSIONS, Alabama CHARLES E. SCHUMER, New York BOB SMITH, New Hampshire Manus Cooney, Chief Counsel and Staff Director Bruce A. Cohen, Minority Chief Counsel ______ Subcommittee on Technology, Terrorism, and Government Information JON KYL, Arizona, Chairman ORRIN G. HATCH, Utah DIANNE FEINSTEIN, California CHARLES E. GRASSLEY, Iowa JOSEPH R. BIDEN, Jr., Delaware MIKE DeWINE, Ohio HERBERT KOHL, Wisconsin Stephen Higgins, Chief Counsel and Staff Director Neil Quinter, Minority Chief Counsel and Staff Director (ii) C O N T E N T S ---------- STATEMENTS OF COMMITTEE MEMBERS Page Kyl, Hon. Jon, U.S. Senator from the State of Arizona............ 1 Feinstein, Hon. Dianne, U.S. Senator from the State of California 3 CHRONOLOGICAL LIST OF WITNESSES Panel consisting of Jodie Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, Washington, DC; and James G. Huse, Jr., Inspector General, Social Security Administration, Baltimore, MD.................................. 6 Panel consisting of Michelle Brown, identity theft victim, Los Angeles, CA; Beth Givens, director, Privacy Rights Clearinghouse, San Diego, CA; Steven M. Emmert, director, Government and Industry Affairs, Reed Elseveir, Inc., and Lexis-Nexis, and president, Individual Reference Service Group, Washington, DC; and Stuart K. Pratt, vice president, Government Relations, Associated Credit Bureaus, Inc., Washington, DC..... 23 ALPHABETICAL LIST AND MATERIAL SUBMITTED Bernstein, Jodie: Testimony.................................................... 6 Prepared statement........................................... 9 Brown Michelle: Testimony.................................................... 23 Prepared statement........................................... 25 Attachment 1............................................. 28 Emmert, Steven M.: Testimony.................................................... 61 Prepared statement........................................... 63 Feinstein, Hon. Dianne: List of Internet Websites Where Personal Information Can Be Purchased................................... 4 Givens, Beth: Testimony.................................................... 30 Prepared statement........................................... 31 A Survey of Identity Theft Victims and Recommendations for Reform............................................. 38 Huse, James E., Jr.: Testimony.................................................... 13 Prepared statement........................................... 15 Pratt, Stuart K.: Testimony.................................................... 69 Prepared statement........................................... 72 News Release: Contact Norm Magnuson, dated March 14, 2000 74 IDENTITY THEFT: HOW TO PROTECT AND RESTORE YOUR GOOD NAME ---------- WEDNESDAY, JULY 12, 2000 U.S. Senate, Subcommittee on Technology, Terrorism, and Government Information, Committee on the Judiciary, Washington, DC. The subcommittee met, pursuant to notice, at 10:03 a.m., in room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl (chairman of the subcommittee) presiding. Also present: Senator Feinstein. OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE STATE OF ARIZONA Senator Kyl. Good morning. This hearing of the Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information will come to order. The subject of our hearing this morning is ``Identity Theft: How to Protect and Restore Your Good Name.'' As chairman of this subcommittee, it has been my goal to prevent criminals from using technology to prey on society. There are few clearer violations of personal privacy than having your identity stolen and used to commit a crime. Criminals often use Social Security numbers and other personal information to assume the identity of law-abiding citizens and take their money. It is high-tech theft. To combat this, I sponsored the Identity Theft and Assumption Deterrence Act, which prohibits the stealing of a person's identity. The aim of the Act, which is now law, is to protect consumers and safeguard people's privacy. Almost 2 years after passage of the Act, identity theft unfortunately continues to grow, particularly as the Internet grows in popularity. Teachers, housewives, doctors and, yes, even U.S. Senators have been recent victims of identity theft. It can happen to anyone. Well, how does it happen? Technology enables new, sophisticated means of identity theft. Using a variety of methods, criminals steal Social Security numbers, credit card numbers, drivers' license numbers, ATM cards, telephone calling cards, and other key pieces of a citizen's identity. Victims are often left with a bad credit report and must spend months and even years regaining their financial wholeness. In the meantime, they have difficulty writing checks, obtaining loans, renting apartments, getting their children financial aid for college, even getting hired. Victims of identity theft need help as they attempt to untangle the web of deception that has allowed another individual person to impersonate them. The key to prevention is businesses establishing responsible information handling practices and for the credit industry to adopt stricter application verification procedures and to put limits on data disclosure. One provision in a bill that Senator Feinstein and I have proposed would require a credit card issuer to confirm any change of address with the cardholder within 10 days. This could prevent the common method of identity fraud where a criminal steals an individual's credit card number and then obtains a duplicate card by informing the credit issuer of a change of address. Credit bureaus would be required to disclose to credit issuers that an address on the application does not match the address on the credit report. Another provision of this legislation would ensure that conspicuous fraud alerts would appear on credit reports, and also it would impose penalties for non-compliance by credit issuers and credit bureaus. Another provision would require the credit issuers and credit bureaus to develop a universally recognized form for reporting identity fraud. Victims could then fill out one form and one affidavit to supply to the numerous companies and entities involved in reporting an identity theft. These legislative changes, and the willingness of many here to adapt to best business practices, will help victims to detect errors on their credit history, report the errors efficiently, and to act quickly to recover their good name. Now, just a couple of statistics before we begin. I think it is interesting that in fiscal year 1999, the Social Security Administration's Office of Inspector General hotline for fraud and abuse reported more than 62,000 instances of misuse of Social Security numbers, something that Senator Feinstein has been working on. Since November 1999, the FTC hotline and website have logged more than 20,000 calls and 1,500 e-mail complaints regarding identity theft. So this is an ongoing, serious, significant problem. Today, our subcommittee will hear from six witnesses about the effect of identity theft and the help that victims of identity theft can expect. On the first panel, we are glad to welcome back Jodie Bernstein, who is the current Director of the Bureau of Consumer Protection of the Federal Trade Commission. She will discuss how the FTC has responded to identity theft in carrying out its duties under the 1998 law. She will also discuss what legislative and non-legislative measures have been taken and what could reduce criminals' access to sensitive data. James G. Huse, the current Inspector General of the Social Security Administration, is our next witness. He will discuss how Social Security numbers are used in the commission of identity theft, what steps can be taken to reduce the role of Social Security numbers in identity theft, why Social Security numbers can be purchased on the Internet for as little as $40, current undercover operations to prevent the sale of Social Security numbers on the Internet, and what is the most common source of Social Security numbers used for identity theft. I will just mention who we will have on the second panel, then call upon Senator Feinstein and our first panel to begin its presentation. Michelle Suzanne Brown will be one of the witnesses on the second panel. She is a victim of identity theft, and she will talk about her case and will share with us the very difficult experience that she has had in clearing her good name through endless telephone calls and correspondence with various credit bureaus, credit card companies, her landlord, property manager, police departments, the courts, and other government officials. She will also discuss her ideas about how to streamline the victim reporting process and how to recover and protect from this crime. Beth Givens, of the Privacy Rights Clearinghouse, will be another witness on our second panel. The Clearinghouse has a new report, called ``Nowhere to Turn,'' which describes common obstacles experienced by identity theft victims and what measures can be taken to reduce criminal access to sensitive personal information, and how to better provide services to identity theft victims. Steve Emmert is the current president of the Individual Reference Services Group, the IRSG, and the director of the information company LEXIS-NEXIS. The IRSG is composed of 14 leading information industry companies that provide data to help identify, verify, or locate individuals. President Emmert will testify how the IRSG members limit the transmission of personal information to prevent criminal misuse, and testify about the progress of self-regulatory efforts, present some statistics on enforcement, compliance, and monitoring of member groups. Finally, Stuart Pratt, executive vice president of Government Relations for the Associated Credit Bureaus, the ACB, will describe the use of fraud alerts within the credit bureau industry, addressing the duration of the alert, how credit card issuers use alerts, and he will testify about the resources of the ACB, what it has available for identity theft victims, and its plans to work with credit card issuers to streamline reporting of identity theft. I want to thank all of our witnesses for being with us today. Before calling on our first panel here, I would like to again thank Senator Feinstein for her leadership in helping to get the identity theft bill passed into law and her continuing interest in seeing that it is enforced properly, and to help determine whether it goes far enough and whether we need to do some additional things now that we have some experience with it to ensure continued protection for consumers. It is always a pleasure to work with her. I would also like to make this brief announcement. They are working on the air conditioning and I hope that we get it fixed before this hearing is over. Senator Feinstein. STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE STATE OF CALIFORNIA Senator Feinstein. Thanks very much, Mr. Chairman, and let me thank you for your leadership. Let me thank the panelists, some of whom have come from California for this hearing. I think it is very important and I am just delighted that you are here. Identity theft really deserves our committee's very close and careful attention. It is, I believe, one of the fastest growing crimes in the Nation. Now, what is identity theft? It occurs when one person uses another person's Social Security number, birth date, driver's license, or other identifying information to obtain credit cards, car loans, phone plans, or other services in the potential victim's name. In other words, you steal someone's identity, credit documents, and then go out and commit fraud against them. Identity thieves get personal information in a myriad of ways. They steal wallets and purses containing identification cards. They use personal information they can buy on the Internet. They steal mail, including pre-approved credit offers and credit statements. They fraudulently obtain another's credit reports, or they get another's personnel records. Every 60 seconds in this country, an American becomes the victim of identity theft. Some estimates of the theft run as high as 700,000 cases a year. The chairman has quoted the Social Security Administration's concerns, but the U.S. Postal Inspection Service also reports that 50,000 people a year have become victims of identity theft since that Service first began collecting information of the crime in the mid-1990's. Treasury estimates that identity theft annually causes $3 billion in credit card losses. Identity theft victims have actually been calling our office with story after story of these crimes, and let me give you a couple of examples. My constituent, Kim Bradbury, of Castro Valley, reported that an identity thief obtained a credit card in her name through the Internet in just 10 seconds. The false application only had her Social Security number and birth date correct. As a matter of fact, my staff has compiled a list of about 12 different Internet websites where personal information can be purchased for as little as $25. Let me read their comments on one website called digdirt.com. Here is one that is not online access, per se, but it will blow your mind as to what they offer. You hire them, they do the work, they get back to you--medical records, phone numbers, assets, et cetera. I am not going to say the names of all these websites, but I would like to enter them into the record, if I might, Mr. Chairman. Senator Kyl. Without objection. [The information referred to follows:] List Submitted by Senator Feinstein An analysis of the services anyone can use on the World Wide Web indicates that many sites sell Social Security numbers. The following is just a short list of example sites that traffic in personal information. (1) www.fastbreakbail.com (2) www.infoseekers.com (3) www.e-backgroundchecks.com (4) www.infotel.net (5) www.docusearch.com (6) www.1800ussearch.com (7) www.locateme.com (8) www.informus.com (9) www.loc8fast.com (10) www.merlindata.com (11) www.digdirt.com Senator Feinstein. Let me give you another example--Lynn Kleinenberg, of Los Angeles. Her husband was an executive at Cedars Sinai Medical Center. He died last December. The identity thief in her case used her husband's obituary to get the maiden name, then went to the Internet, and purchased various identification documents. The thief attempted to charge $200,000 in diamonds against her account. This included a $160,000 wire transfer which she was fortunately able to head off when the bank called her about her request. Another person, Amy Boyer, a 20-year-old dental assistant from Maine, was killed last year by a stalker who bought her Social Security number off the Internet for $45 and used the number to locate her work address. Incidentally, some of these websites provide that you can buy the Social Security number for $25 now. I have two proposals pending before the Congress today, and I hope we can discuss them. The first one prohibits the sale of Social Security numbers. The Administration supports this legislation. I am hopeful we can pass it. It is Senate bill 2699, entitled ``The Social Security Number Protection Act.'' That would restrict the sale and purchase of Social Security numbers. It has some exceptions. I am also right now writing legislation to amend that to provide for the same stipulations to a driver's license, to personal medical information, and personal financial data, and to provide an opt-in. In other words, the Internet site would have to get the permission of the individual before using their Social Security number, their driver's license, their personal medical information, or their personal financial information. Now, this is very controversial, and we have met with many of the companies. They want to put the obligation on the individual. Well, if you put that obligation on me, I really wouldn't know where to turn or how to opt out. I think if somebody is going to make a profit off of my personal financial data, my Social Security number, my driver's license, they ought to ask me, find me and ask me if they can use it. I very deeply believe that, and I believe that enough reputable companies now are beginning to do it, so that it is not something very extreme to do. Senator Kyl, you and I and Senator Grassley have also introduced a bill, S. 2328, entitled ``The Identity Theft Prevention Act.'' This bill is supported by the Federal Trade Commission. It has gone to the Banking Committee. I doubt very much the Banking Committee is going to move the bill, but it is widely supported. The bill's measures aim to prevent identity theft. They give credit card holders written notice at their original address if a new card is requested to be sent to a different address. The bill would impose penalties on credit issuers who ignore fraud alerts on a credit report. That is another problem. People just ignore it, you know, don't go and check. It also directs credit bureaus to notify credit issuers if there are inconsistencies in a credit application. This legislation would also authorize the development of a single reporting form that an identity theft victim could fill out to notify creditors of fraudulent charges in their name, and it would provide an individual with a free annual credit card report. Six States already guarantee free access to these reports. I think there is really nothing so sacred as an individual's good name, and that is one of the reasons why identity theft is so devastating. It robs people of their reputation and their security that they often spent years building, and it can present untold problems. I believe we have one witness today who will tell a story of being detained at the airport, because of a crime committed in her name by the identity thief. She had left the country for vacation, and upon her return, Customs wouldn't let her back into the country. She is an innocent victim. So, Mr. Chairman, the bottom line is I think we need to move and pass these bills, particularly the Social Security number. The Social Security number is our No. 1 personal identifier. It is meant for personal identification. It is not meant as a barter tool to be able to encourage commerce, and I think it is appropriate for the Federal Government to take some action to set some strict restrictions on the use of this national personal identifier. So I would be hopeful that we would see fit, you and I, to move that particular bill. And I hope to introduce tomorrow the one that would add to the Social Security number also the driver's license, personal financial data, and personal health data. There are exceptions which we will put in which I think kind of cover, for example, research that is done without revealing the personal identity of the person. So for bona fide medical purposes, it could be used, or bona fide credit rating purposes it could be used, but not to reveal to the public at a purchase price the individual data. Thank you very much. Senator Kyl. Thank you very much. As we discussed, I agree, and we will try to move, whether we need to do it in the subcommittee and the full committee. We should also talk to the Banking Committee, and we will do that. I really appreciate all of the witnesses being here today. Let's begin with Ms. Bernstein, and then Mr. Huse will follow that. PANEL CONSISTING OF JODIE BERNSTEIN, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION, WASHINGTON, DC; AND JAMES G. HUSE, JR., INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION, BALTIMORE, MD STATEMENT OF JODIE BERNSTEIN Ms. Bernstein. Thank you very much, Mr. Chairman. Thank you for including us. I am pleased to be able to present the Commission's testimony, but I also wanted to let you and Senator Feinstein know just how important your attention on this in terms of holding hearings has been for us. It has focused attention on American consumers so that they can take steps when they can to prevent these occurrences. And, importantly, other parts of the Congress have been supportive of our efforts, and I really do believe it is because of the attention that you have focused on this issue. So thank you for that as well. I thought what I would do today would be to update you on what our complaint data tells us about ID theft and how we can all perhaps do a better job of trying to reduce identity theft and fraud. As Senator Feinstein mentioned, we, the Commission, has supported the legislation that you all have introduced, and we thank you for that as well. We think that will be a great help. So here is what we have been able to do, and I think we have made great strides in victim assistance and in data- sharing. We do have a slide. I have my--I call her my technical guru, but at another hearing she was asked to testify. So perhaps I shouldn't introduce her that way, but she is presenting the slides. We distributed more than 83,000 copies of our popular brochure, ``When Bad Things Happen to Your Good Name.'' Our colleagues at the Social Security Administration distributed 115,000 copies on their own, and our Web version has been viewed by over 110,000 consumers. The ID theft website, www.consumer.gov/idtheft, has received about 110,000 visits. These are very positive trends because we know that informed consumers can protect themselves from some of the harm caused by identity theft. During my testimony in March, I also spoke about our complaint clearinghouse, the central repository of identity theft complaints, pursuant to the legislation passed earlier. We pushed this project forward and we have had really terrific results, I think. First, we made the complaint data a click away for the law enforcement officers that will prosecute the crimes. Law enforcement officers can easily access complaints on Consumer Sentinel, and that is a web-based system linking more than 250 agencies to a single and central body of consumer fraud complaint data. The system now has more than 200,000 consumer fraud complaints and has resulted in hundreds of successful civil and criminal prosecutions. Consumer Sentinel users have to sign a confidentiality agreement and then they have access to the ID theft clearinghouse data. Using a password, law enforcers use a desktop PC to link to a secure website from which they can search for ID theft perpetrators or victims in their backyards and seek out trends and patterns. As you can see from the slide, we have developed different ways to search for the data to enable law enforcement users to customize their searches and to retrieve precisely the data they are looking for. For example, users can also place alerts on certain records, flagging a target as under investigation or as an open file. In addition, FTC investigators and data analysts will be scrutinizing the data and we will refer cases to appropriate agencies. I think what you can see from this is we have been trying to be at least as smart as the ID thieves are in using the new technology, and hopefully we will succeed. We launched the web availability of our system just last week, and already Social Security's Inspector General, Jim Huse, sitting with me, the Postal Inspection Service, the Department of Justice, and State attorneys general are on the system, reviewing and analyzing the data through the website. We are also finalizing an agreement with Social Security--I think we will do it probably very shortly--to transfer their complaint data into the central clearinghouse, which will then enrich the clearinghouse. It will be increasingly valuable as it grows. Since its creation, the launching of the online complaint form, and the establishment of our toll-free consumer complaint line, we have received more than 20,000 telephone calls and 1,500 consumer complaints via our online complaint form. That was a very significant development for people to be able to use the form right on the website. In March, I told you that we have received 400 calls a week to the toll-free number. That number has doubled, to about 800 to 850 calls a week. We expect the rate to continue to climb, and we expect and hope we will be able to manage the new volume of calls. The other clearinghouse news to share is what we have learned from the data, and again we have a slide. Half of the ID theft complaints report credit card fraud; that is, the thief either opened a new account in their name or took over an existing account. Approximately a quarter report that identity theft opened up telephone, cellular, or other utility services in their name. Bank fraud is the third category, and about 16 percent reported that a checking or savings account had been opened in their name, and or that fraudulent checks had been written. Approximately 11 percent reported that identity theft obtained a loan, such as a car loan, in their name. These figures have been consistent across geographic regions in the country, and the top sources of complaints in the Nation, as well as in your States, are also shown on our reports; that is, Senator Feinstein, for example, you can get the complaints that are from the State of California, and we expect to be able to provide that to law enforcement officials in those States. So what about these trends? With credit card fraud appearing in more than half of the complaints, it is time, we think, to take a good hard look at business practices. As you know, the Commission has supported the recent legislative proposals that require credit grantors to take extra steps to verify change of address requests for credit accounts. We also endorse requiring credit bureaus to tell a consumer when a credit application is made in the consumer's name but with a different address. Each of these measures will help cut back on the top category of complaints. Those are account takeovers and fraudulently opened credit accounts. Free annual credit reports may also encourage consumers to review their credit reports and allow them to detect early warnings of fraud. There are additional requirements in 2328 that I won't detail because we have already discussed them. We think they will be very, very helpful. In closing, I would add that there are steps that we at the FTC would like to implement to streamline and simplify the process of reporting and responding to ID theft. We want to implement an electronic notification system so that when a consumer tells us that their identity has been stolen, we can transmit that information to one of the three or all of the three credit reporting agencies and they can enter a prominent fraud alert on that consumer's file, on all three of them. We can only take on this project and others like it by working together with you, with the public, and the private sector groups toward this common goal. We think it would go a long way, and we remain prepared to do that if we receive that cooperation from the industry involved. I would be happy to answer any questions you may have, I presume, following Jim's testimony. Thank you. [The prepared statement of Ms. Bernstein follows:] Prepared Statement of Jodie Bernstein Mr. Chairman Kyl, and members of the Subcommittee, I am Jodie Bernstein, Director of the Bureau of Consumer Protection, Federal Trade Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity to present the Commission's views on the important issue of identity theft, and to describe to you the impressive strides we have made in implementing the Identity Theft and Assumption Deterrence Act.\2\ --------------------------------------------------------------------------- \1\ The views expressed in this statement represent the views of the Commission. My oral presentation and response to questions are my own, and do not necessarily represent the views of the Commission or any Commissioner. \2\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. Sec. 1028). --------------------------------------------------------------------------- The fear of identity theft has gripped the public as few consumer issues have. Consumers fear the potential financial loss from someone's criminal use of their identity to obtain loans or open utility accounts. They also fear the long lasting impact on their lives that results from the denial of a mortgage, employment, credit or an apartment lease when credit reports are littered with the fraudulently incurred debts of an identity thief.\3\ --------------------------------------------------------------------------- \3\ Data from the Identity Theft Clearinghouse, our central repository of identity theft complaints, bear out these fears. See discussion at pp. 7-10. --------------------------------------------------------------------------- The Identity Theft and Assumption Deterrence Act (``the Identity Theft Act'') has raised the public's appreciation for the hardship suffered by identity theft victims. The Identity Theft Act's focus on the individual as the victim--rather than just the financial institutions that often absorb the bulk of the financial loss--has brought focus to business practices that may place consumers at higher risk of having their identities stolen. It has heightened consumers' awareness of the ways they can change their everyday practices to minimize the risk that they will be victimized. The Federal Trade Commission has worked to strengthen these measures through our responsibilities under the Act. In particular, we have expanded our consumer education campaign, encouraged increased use of our toll-free help line, made our Identity Theft Clearinghouse available to law enforcement through a secure website, continued to forge partnerships with other law enforcement offices, and reached out to private industry to help identify ways to establish identity theft prevention best practices. By letter dated June 1, 2000, we also conveyed our support for S. 2328, a bill introduced by Senator Feinstein, Chairman Kyl and Senator Grassley, that seeks to protect consumers by providing them with access to credit-related information that may reveal indicia of identity theft. The bill would also restrict the release of information through the sale of ``credit header'' information, and entitle consumers to free annual credit reports. The Commission's participation in the March Summit on Identity Theft, hosted by the Department of Treasury, marked the beginning of a new dialogue among government, private sector and consumer groups on these critical issues. We continue to look for ways to expand on these efforts. I. MEETING THE GOALS OF THE IDENTITY THEFT ACT In earlier testimony before this Committee, the Commission described the ways in which we have carried out our responsibilities under the 1998 Identity Theft Act.\4\ Since that time, we have built on these achievements. --------------------------------------------------------------------------- \4\ The Commission testified before this subcommittee on March 7, 2000. We also testified before this subcommittee in May 1998 in support of the Act. Following the passage of the Act, the Commission testified again, in April 1999, before the House Subcommittee on Telecommunications, Trade and Consumer Protection and the Subcommittee on Finance and Hazardous Materials of the Commerce Committee. That testimony focused on identity theft in the financial services industry. --------------------------------------------------------------------------- A. Centralized Complaint Handling--877 ID THEFT The Commission established its toll-free telephone number, 1-877-ID THEFT (438-4338) to help consumers avoid or resolve identity theft problems. The Identity Theft Hotline phone counselors also enter information from the consumer complaints into the centralized Identity Theft Data Clearinghouse. In operation since November 1, 1999, the Identity Theft Hotline now receives between 800 and 850 calls per week.\5\ About two thirds of the calls are from victims, the remaining calls coming from consumers who are looking for information on ways to minimize their risk of identity fraud. --------------------------------------------------------------------------- \5\ That figure has doubled since March, when we reported 400 calls a week. To date, the hotline has received more than 20,000 calls. --------------------------------------------------------------------------- The telephone counselors provide victims of identity theft with specific information about how to try to prevent additional harm to their finances and credit histories. The phone counselors advise callers to contact each of the three consumer reporting agencies to obtain copies of their credit reports and request that a fraud alert be placed on their credit report.\6\ Fraud alerts request that the consumer be contacted when new credit is applied for in that consumer's name. We advise consumers to request copies of their credit reports, and explain how to review the information on the reports carefully to detect any additional evidence of identity theft. Because the credit reports of identity theft victims often reflect the fraudulent accounts opened or other misinformation, the counselors inform callers of their rights under the Fair Credit Reporting Act and provide them with the procedures for correcting their credit report.\7\ The counselors advise consumers to contact each of the creditors or service providers where the identity thief has established or accessed an account, and to follow up in writing by certified mail, return receipt requested. Where the identity theft involves ``open end'' credit accounts,\8\ consumers are advised on how to take advantage of their rights under the Fair Credit Billing Act, which, among other things, limits their responsibility for unauthorized charges to fifty dollars in most instances. Consumers who have been contacted by a debt collector trying to collect on debts incurred by the identity thief are advised of their rights under the Fair Debt Collection Practices Act, which limits debt collectors' practices in their collection of debts. --------------------------------------------------------------------------- \6\ The three consumer reporting agencies are Equifax Credit Information Services, Inc., Experian Information Solutions, Inc. and Trans Union, LLC. \7\ In addition to fraudulently acquiring accounts or loans, the identity thieves also may register a change of address in the victim's name, routing bills and other correspondence to a different address. In that way, it may take months for the victim to realize that his/her identity has been hijacked. \8\ The Fair Credit Billing Act generally applies to ``open end'' credit accounts, such as credit cards, revolving charge accounts, and overdraft checking accounts. It does not cover installment contracts such as loans or extensions of credit that are repaid on a fixed schedule. --------------------------------------------------------------------------- In addition, the FTC phone counselors advise consumers to notify their local police departments, both because local law enforcement may be in the best position to catch and bring the perpetrator to justice, and because a police report is among the best means of demonstrating to would-be creditors and debt collectors that they are genuine victims of identity theft. More than half the states have enacted their own identity theft laws, and our counselors, in appropriate circumstances, will refer consumers to other state and local authorities for potential criminal investigation or prosecution. B. Outreach and Consumer Education The FTC also reaches consumers through the Internet. The FTC's identity theft website--www.consumer.gov/idtheft--gives tips on how consumers can guard against identity theft, warns consumers about the latest identity theft schemes and trends, and provides access to consumer education materials on identity theft. This website has received more than 108,000 hits since November, 1999. The site also links to a secure complaint form on which identity theft victims can enter the details of their complaints online, allowing consumers to contact the Commission at all times. After review by FTC staff, these complaints are entered into the Clearinghouse. To date we have received more than 1500 complaints through this electronic form. The Federal Trade Commission continues to distribute the comprehensive consumer guide: ID Theft: When Bad Things Happen to Your Good Name. Developed in consultation with more than a dozen federal agencies,\9\ this booklet provides consumers with practical tips on how best to protect their personal information from identity thieves, summarizes the various federal statutes that protect consumer victims of identity theft, and details the victim assistance mechanisms available. The Federal Trade Commission has distributed more than 83,000 copies of the booklet, and is in the process of revising the booklet for a second, and larger printing. The Social Security Administration has also printed and distributed 115,000 copies of When Bad Things Happen.\10\ --------------------------------------------------------------------------- \9\ These include: Department of Justice; Federal Bureau of Investigation; Federal Communications Commission; Federal Deposit Insurance Corporation; Federal Reserve Board; Internal Revenue Service; National Credit Union Administration; Office of the Comptroller of the Currency; Office of Thrift Supervision; Social Security Administration; United States Postal Inspection Service; United States Secret Service; United States Securities and Exchange Commission; and United States Trustee. \10\ The FTC has provided the booklet on zip disk to other agencies who are interested in printing additional copies. --------------------------------------------------------------------------- C. Identity Theft Clearinghouse--Launched Online The Identity Theft Act authorized the Commission to establish a central repository of consumer complaints about identity theft, and refer appropriate cases to law enforcement for prosecution. The Identity Theft Complaint Database, which was activated in November 1999, provides specific investigative material for law enforcement and larger, trend-based information providing insight to both private and public sector partners on ways to reduce the incidence of identity theft. Currently, the Clearinghouse contains the data from consumers who contact the FTC through the toll free number or website. We are pursuing ways to collect complaint data from other agencies and private sector entities to allow Clearinghouse users from law enforcement agencies to see as much complaint data on identity theft as possible.\11\ --------------------------------------------------------------------------- \11\ Our Consumer Sentinel database, which houses consumer fraud complaints, receives complaint data from Better Business Bureaus, consumer outreach organizations and others. We are looking to replicate this approach with identity theft complaints. --------------------------------------------------------------------------- With a database as rich as we envision the Clearinghouse becoming, we can and do refer cases for potential prosecution. To maximize use of the data, we now provide law enforcement partners with direct access to the Clearinghouse through Consumer Sentinel, our secure website for sharing complaints and other information with consumer protection law enforcers. Starting this month, law enforcement and appropriate regulatory offices can access the Clearinghouse through their desktop personal computers. This access enables them to readily and easily spot identity theft problems in their own backyards, and to coordinate with other law enforcement officers where the database reveals common schemes or perpetrators. The FTC will continue to comb through the data to spot cases for referral, but has also enabled others to use the data to ferret out the bad actors for prosecution. The Identity Theft Act also authorized the Commission to share complaint data with appropriate entities,'' \12\ including specifically the three major consumer reporting agencies and others in the financial services industry.\13\ The Commission does not envision providing access to the complete database for these private sector entities. Unfettered access could interfere with law enforcement efforts. FTC data analysts can, however, identify patterns that reveal a business or business practice that exposes consumers to a high risk of identity theft. We will forward appropriate information about these complaints to the entities involved so they can evaluate and revise those practices.\14\ Similarly, we plan to share limited complaint data with a business if data reveal that that business fails to respond to legitimate consumer complaints about identity theft or frustrates their efforts to correct misinformation on their credit reports. --------------------------------------------------------------------------- \12\ The Identity Theft Assumption and Deterrence Act provides, in pertinent part, ``the Federal Trade Commission shall establish procedures to * * * refer [identity theft] complaints * * * to appropriate entities, which may include referral to * * * the 3 major national consumer reporting agencies.'' 18 U.S.C. Sec. 1028 (note). \13\ The unique role of the consumer reporting agencies in resolving the problems of identity theft victims is discussed below. \14\ S. 2328, introduced by Senator Feinstein, Chairman Kyl and Senator Grassley of this Subcommittee, identifies a set of best practices that would minimize consumers' exposure to identity theft. For example, S. 2328 would require that creditors notify consumers if they receive a change of address notification. --------------------------------------------------------------------------- II. WHAT THE CLEARINGHOUSE TELLS US ABOUT IDENTITY THEFT The Identity Theft Act recognized the importance of creating a single repository for identity theft complaints. Accordingly, the Commission established the Identity Theft Clearinghouse to collect and consolidate these complaints. We are already seeing the fruits of this effort. Our basic complaint data show that the most common forms of identity theft reported during the first seven months of operation were:Credit Card Fraud.--Approximately 54 percent of consumers reported credit card fraud--i.e., a credit card account opened in their name or a ``takeover'' of their existing credit card account; Communications Services.--Approximately 26 percent reported that the identity thief opened up telephone, cellular, or other utility service in their name; Bank Fraud.--Approximately 16 percent reported that a checking or savings account had been opened in their name, and/or that fraudulent checks had been written; and Fraudulent Loans.--Approximately 11 percent reported that the identity thief obtained a loan, such as a car loan, in their name. Not surprisingly, the states with the largest populations account for the largest numbers of complainants and suspects. California, New York, Florida, Texas, and Illinois, in descending order, represent the states with the highest number of complainants.\15\ About 55 percent of victims calling the identity theft hotline report their age. Of these, 40 percent fall between the 30 and 44 years of age. Approximately 26 percent are between age 45 and 64, and another 25 percent are between age 19 and 29. About 7 percent of those reporting their ages are 65 and over; and slightly over 2 percent are age 18 and under. --------------------------------------------------------------------------- \15\ Texas and Illinois had an equal number of complaints. --------------------------------------------------------------------------- The data also reveal information about the perpetrators. Almost 60 percent of the caller-complainants provided some identifying information about the identity thief, such as a name, address, or phone number. More than one quarter of those victims reported that they personally knew the suspect. We also are assessing the data on the monetary impact of this theft. Some complainants provided estimates of the dollar amounts obtained by the thief, because they have received the resulting bills or been notified of the resulting bad debts. The range of dollar amounts reported varies widely, with approximately 34 percent of complainants reporting theft of under $1,000; approximately 35 percent of complainants reporting theft totaling between $1,000 and $5,000, approximately 13 percent of complainants reporting theft totaling between $5,000 and $10,000, and approximately 18 percent of complainants reporting theft of over $10,000. Consumers also report the harm to their reputation or daily life. The most common non-monetary harm reported by consumers is damage to their credit report through derogatory, inaccurate information. The negative credit information leads to the other problems most commonly reported by victims, including loan denials, bounced checks, and rejection of credit cards. Identity theft victims also report repeated contacts by debt collectors for the bad debt incurred by the identity thief. Many consumers report that they have to spend significant amounts of time resolving the problems caused by identity theft. The Clearinghouse data also reveal that consumers are often dissatisfied with the consumer reporting agencies. The leading complaints by identity theft victims against the consumer reporting agencies are that they provide inadequate assistance over the phone, or that they will not reinvestigate or correct an inaccurate entry in the consumer's credit report. In one fairly typical case, a consumer reported that two years after initially notifying the consumer reporting agencies of the identity theft, following up with them numerous times by phone, and sending several copies of documents that they requested, the suspect's address and other inaccurate information continues to appear on her credit report. In another case, although the consumer has sent documents requested by the consumer reporting agency three separate times the consumer reporting agency involved still claims that it has not received the information. Consumers also report problems with the institutions that provided the credit, goods, or services to the identity thief in the consumer's name. These institutions often attempt to collect the bad debt from the victim, or report the bad debt to a consumer reporting agency, even after the consumer believes that he or she has established the illegal fraud. Consumers further complain that these institutions' inadequate or lax security procedures failed to prevent the identity theft in the first place; customer service or fraud departments were not responsive; or the companies refused to close or correct the unauthorized accounts after notification by the consumer. Callers to the hotline are not limited to identity theft victims. Indeed, approximately 36 percent of the callers simply requested information on identity theft. Many felt they were vulnerable to identity theft because, for example, their wallets had recently been lost or stolen (23 percent); someone had attempted to open an account in their name (19 percent); or they had given out their personal information to someone they did not know (7 percent).\16\ --------------------------------------------------------------------------- \16\ Our data analysis covers the period from November 1, 1999 through May 31, 2000. --------------------------------------------------------------------------- III. NEXT STEPS The Commission has made great strides in assisting consumers and law enforcement to combat identity theft, but recognizes that much remains to be done. As mentioned earlier, the Identity Theft Act authorizes the Commission to refer consumer identity theft complaints and information to the three major national consumer reporting agencies and other appropriate entities. The Commission envisions a streamlined process that would decrease the amount of time spent by consumer victims correcting credit report errors. Paramount among these efforts would be the ability of a consumer to make a single call to report him or herself as a victim of identity theft to the FTC or one of the three major national consumer reporting agencies, and to have a fraud alert posted on the credit reports from each of the reporting agencies. Currently, a victim of identity theft must notify each of the three national consumer reporting agencies separately, and then typically make additional calls to the FTC and to all creditors. The Commission looks forward to working with the three major national consumer reporting agencies to develop a complementary process to allow identity theft victims to share the details of their complaints simultaneously with the FTC and the national consumer reporting agencies. Further, the Commission will soon begin sharing certain limited information from its Identity Theft Clearinghouse with businesses whose practices are frequently associated with identity theft complaints. Our goal is to encourage and enable industry and individual companies to develop better fraud prevention practices and consumer assistance techniques. To that end, the Commission, in conjunction with the Department of Treasury and the other federal agencies who participated in the Identity Theft Summit, will convene a workshop for law enforcement and industry on Identity Theft victim assistance and prevention in the fall of 2000. IV. CONCLUSION The Identity Theft Clearinghouse, our toll free number, and the consumer education campaign have helped us begin to address the serious problems associated with identity theft. Heightened awareness by consumers and businesses will also help reduce the occurrences of this fraud. We look forward to continued collaboration and cooperation in these efforts. The FTC also looks forward to working with the Subcommittee to find ways to prevent this crime and to assist its victims. Senator Kyl. Thank you very much, Ms. Bernstein. That is a great update, and it shows both what is happening as a result of our legislation and what more needs to be done, exactly what we are all about here this morning. Mr. Huse, thank you for being here. STATEMENT OF JAMES G. HUSE, JR. Mr. Huse. Thank you, Mr. Chairman, Senator Feinstein. I want to thank you both for holding this hearing which focuses on the victims of identity fraud. While it is the victims for whom the Identity Theft Act was originally passed, and for whom we are all working to stem the tide of identity theft, it is also the victims whose plight is sometimes overlooked in the day-to-day business of enacting and enforcing these laws. We are each faced with a challenge in combatting identity theft and protecting its victims. The challenge facing my office is to reduce the number of victims by preventing these crimes in the first instance, and punishing their perpetrators when they do occur. The challenge facing the Congress is to provide offices such as mine with the necessary tools to do so successfully. The importance of meeting these challenges was evident in a survey reported in the June 13 issue of Investor's Business Daily, in which the Chubb Group of insurance companies found that 44 percent of 1,000 Americans polled had been victims of identity fraud. This is a staggering statistic, but one which is not surprising, as even at its simplest level the use of a Social Security number to commit identity fraud leaves a trail of victims in its wake. Let me tell you about Waverly Burns, a Supplemental Security Income recipient from Milwaukee whose story I have used in the past as a classic identity fraud illustration. Mr. Burns stole another person's SSN and used it to secure employment as a cleaning crew supervisor. By hiding his work behind this new identity, he could continue to draw his SSI benefits under his own Social Security number. He went on to steal over $80,000 in computer equipment from the Wisconsin Supreme Court, obtained a State of Wisconsin identity card using the stolen SSN, opened bank accounts in the name of his victim, and filed fraudulent tax returns. Our special agents arrested Mr. Burns in Chicago. He was sentenced to 21 months in prison and ordered to pay over $62,000 in restitution, including the full amount of benefits fraudulently obtained from SSA. Mr. Burns' case illustrates not only the central role of the SSN in identity theft crimes, but how a single such crime can have multiple victims. In Mr. Burns' case, the victims included the Social Security Administration, the Wisconsin Supreme Court, the financial institutions involved, the Internal Revenue Service, the State of Wisconsin, and the proper owner of the Social Security number. In all likelihood, other ancillary victims included credit reporting agencies and other members of the public, including each of us in this room, who will have to bear the costs of Mr. Burns' misdeeds. Identity theft is a crime in which we are all victims. My office employs an investigative staff of fewer than 300, and our primary responsibility must be to the programs and operations of the Social Security Administration. We alone cannot hope to stem the tide of SSN misuse and identity fraud. We are, however, taking every step we can in that direction. A year ago, our Office of Investigations launched an SSN misuse pilot project in five cities across the Nation, working jointly with Federal and State law enforcement agencies to target perpetrators of identity crimes and SSN misuse. By joining forces with other law enforcement agencies in a task force environment, we were able to pool resources and share information aimed at fighting identity fraud. Some of the accomplishments of those offices and the steps they are taking to aid identity theft victims are discussed in my written testimony, but already the pilot projects have been an unparalleled success. In their first year, 197 investigations have been opened resulting in 61 convictions. U.S. attorneys' offices and outside law enforcement entities have enthusiastically welcomed these pilots and have thanked us for taking the investigative lead. Because of the increased role that the Internet is playing in SSN misuse and identity theft, we have expanded the scope of these pilots to include the sale of Social Security cards over the Internet. Using undercover purchases of Social Security cards, we can determine which vendors actually provide buyers with fraudulent documents and which merely take the money and run. We are very optimistic that we will be able to shut down several important Internet distributors of false identification documents through this initiative. On the other side of e-commerce, we have recently launched another operation targeted not at those who sell false identification documents over the Internet, but at those who buy them. This effort has two goals. First, we can locate and stop those who purchase counterfeit Social Security cards that might be used in identity theft crimes. And, second, it will enable us for the first time to determine both the scope of Internet trafficking in false identification documents and the many ways one can use a false SSN. Our efforts have been considerable and are aimed at maximizing the impact of limited resources through collaborative efforts with other agencies, particularly the Federal Trade Commission. Still, I would be remiss if I did not point out that there still exists a legislative void that to some extent fosters the misuse of SSN's for purposes of identity theft. Senate bill 2328, introduced by Senator Feinstein, together with you, Mr. Chairman, and Senator Grassley; Senate bill 2554, introduced by Senator Gregg, together with Senator Dodd; and Senator Feinstein's amendment to Senate bill 2448, which would prohibit the sale of Social Security numbers, all represent significant steps in the right direction. Together, these bills create front-end limits on the use of Social Security numbers, and authorize criminal and civil sanctions and administrative penalties when violations occur. My staff would be happy to assist you in combining all of this legislation into a comprehensive bill that would enable us to bring the full authority of the U.S. Government to bear against those who would buy, sell, or otherwise misuse SSN's. I welcome your interest in filling this legislative void, one aspect of which was the subject of a recent op ed column by the distinguished New York Times columnist William Safire, in which he expressed shock that no law prohibited compelling an individual to disclose his or her SSN. I am no less concerned than Mr. Safire that this and other acts, such as the sale, purchase, and public display of SSN's, remain legal. My office shares your concern for the victims of identity theft and is committed to providing those victims with the surest form of assistance, ensuring that the crime never occurs in the first place. I welcome the subcommittee's continued support of our efforts and would be happy to answer any questions. [The prepared statement of Mr. Huse follows:] Prepared Statement of James G. Huse, Jr. Good Morning Mr. Chairman and members of the Subcommittee. I want to thank you for holding this hearing on identity theft. Previously our attention concentrated on the challenges we faced in implementing the Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act). Today, we focus on ways to prevent identity theft and how individuals can protect themselves from this crime, or if already victimized, repair the damage that has been done. Too little attention has been paid to the victims of this increasingly prevalent crime and there are other witnesses appearing today who can address the personal aspects of identity theft. My office is committed to ensuring that this type of crime is prevented, and if not prevented, then detected and sent forward for prosecution. SSN misuse and the crime of identity theft are becoming so pervasive in our society, that it has become the subject of polls and an issue in the current presidential campaign. A June 13, 2000 article in Investor's Business Daily reported that an identity theft survey by the Chubb Group of Insurance Companies showed that 44 percent of those polled had been victims of identity theft. In fiscal year 1999, our Fraud Hotline received over 75,000 allegations with about 62,000 of these involving SSN misuse. Specifically, 32,000 had SSN misuse implications involving SSA programs and an additional 30,000 represented SSN misuse with no direct program implications. I am sure you will agree that these are alarming statistics. THE EVOLUTION OF THE SSN INTO A TOOL FOR IDENTITY FRAUD The Social Security number (SSN) is frequently the starting point for identity theft crimes. The SSN was created 65 years ago for the sole purpose of tracking the earnings of working Americans in order to implement and maintain the new Social Security system. The SSN was never intended to be the de facto national identifier that it has slowly become. For example, it was not until 1967 that the Department of Defense adopted the SSN in lieu of a military service number for identifying Armed Forces personnel. The SSN quickly became an integral part of enrolling in school, receiving financial assistance, applying for drivers' licenses; opening bank accounts, applying for credit, and myriad other activities. Today, Americans are asked for their Social Security number as a part of any number of transactions in both the public and private sectors. The SSN has grown to become one of the most critical pieces of personal information. REASONS BEHIND THE INCREASE IN SSN MISUSE Perhaps the most obvious reason for the increase in SSN misuse is because people come from all over the world to take advantage of our free enterprise system. There are no realistic numbers available on how many tourists, students, and migrants remain in this country after their visas expire and work under a false SSN. The popularity and availability of the Internet in this day and age provides for an international marketplace for the sale of SSN's and if one is enterprising a new identity. CRIMES COMMITTED WITH FRAUDULENT SSN'S We have only begun to scratch the service in discovering the innovative ways in which the SSN is used to commit identity theft crimes. The most obvious example is the assumption of another person's name and SSN for purposes of committing simple financial crimes-- today's version of the wild west bank robberies. For example, our Special Agents, working as part of the Delaware Financial Crimes task force, investigated Zaid Gbolahan Jinadu as he schemed to defraud several federally insured financial institutions. He solicited the assistance of bank employees to obtain SSN's and other identifying data to open fraudulent credit card and bank accounts. These compromised employees also helped him to take over current accounts, make fraudulent wire transfers, receive cash advances, and negotiate numerous checks. Mr. Jinadu was indicted by a Federal grand jury in the District of Delaware on October 26, 1999 on four counts: one of bank fraud, one of identity theft, one of fraud in connection with access devices, and one of SSN misuse. On December 20, 1999, Mr. Jinadu and his co-defendants entered a guilty plea to the bank fraud and identity theft counts. Mr. Jinadu is responsible for fraud losses totaling approximately $281,122. The total known losses to financial institutions due to the actions of Mr. Jinadu and his claimed associates over the past 4 years exceeds $4 million. The use of SSN's to commit identity theft can have a direct impact on SSA programs. Waverly Burns, a Supplemental Security Income (SSI) recipient in Milwaukee, stole another person's SSN and used it to secure employment as a cleaning crew supervisor. By taking on a new identity, he continued to draw SSI payments based on disability while also drawing a salary which would disqualify him as a benefit recipient. Under his new identity, Mr. Burns stole over $80,000 in computer equipment from the offices of the Wisconsin Supreme Court, used the stolen SSN to obtain a State of Wisconsin identity card, to open bank accounts in the victim's name, and filed fraudulent tax returns. Office of the Inspector General (OIG) Special Agents arrested Mr. Burns in Chicago. He was sentenced to 21 months in prison and ordered to pay over $62,000, including the full amount of benefits fraudulently obtained from SSA. Mr. Burns' case illustrates how identity theft through the use of SSN's can have many victims--in his case SSA, the Wisconsin Supreme Court, the financial institutions, the Internal Revenue Service, the State of Wisconsin, and the proper owner of the SSN were all victims. In all likelihood, other ancillary victims included credit reporting bureaus and other members of the public who will have to bear the cost of Mr. Burns' misdeeds. Identity Theft is a crime in which we are all victims. These examples show how the SSN is at the core of assuming the identity of another or establishing wholly fictitious identities. Unscrupulous individuals can hide behind either while committing a broad range of crimes. I would like to inform you of the initiatives this office has taken and how we expect to keep pace, if not a step ahead, of this escalating problem. EXISTING AND FUTURE INITIATIVES The OIG's efforts in combating the use of SSN's to commit identity theft crimes is widespread, but our small investigative staff, whose primary responsibility must be to the programs and operations of the Social Security Administration, cannot hope to stem the tide. This is not to say, however, that we are not taking all available steps in that direction. A year ago, our Office of Investigations launched an SSN misuse pilot project in five cities across the Nation, working jointly with Federal and State law enforcement agencies to target perpetrators of identity crimes and SSN misuse. By joining forces with other law enforcement agencies in a task force environment, we are able to pool resources and share information aimed at fighting identity fraud. In St. Louis, we have entered into a Memorandum of Understanding with the United States Attorney's Office, under which a Federal prosecutor has been assigned to our task force, facilitating additional prosecutions. In Cleveland, in addition to its investigatory function, the task force is developing a letter to inform individuals whose identities have been compromised of actions they can take to minimize the effects of the crime. And in Milwaukee, the task force is making presentations to local law enforcement agencies, educating and sensitizing them to the array of identity theft crimes. Pilot projects are in the early stages in two additional cities, and further expansion is planned. Already, the pilot projects have been an unparalleled success; in the first year we have opened 197 investigations which have already resulted in 61 convictions. United States Attorneys' Offices and outside law enforcement entities have enthusiastically welcomed such pilots and have thanked our office for taking the investigative lead. Because of the increasing role that the Internet is playing in SSN misuse and identity theft, we have expanded the scope of these pilots to initiate programs in this area. Specifically they are investigating the sale of Social Security cards over the Internet. Using undercover purchases of Social Security cards, we can determine which vendors actually provide the documents and which ones take the money and run. Under either scenario, working with Federal, State and local authorities allows us to take action that extends beyond our stated mission of SSA program fraud and will prevent the conduct of identity theft crimes. We are very optimistic that we will be able to shut down several important Internet distributors of false identification documents. On the other side of e-commerce, we started another operation targeted not at those who sell false identification documents over the Internet, but at those who buy them. This effort has two goals. First, we can locate and stop those who purchase counterfeit Social Security cards that might be used in identity theft crimes. Second, it will enable us, for the first time, to determine both the scope of Internet trafficking in false identification documents and the many ways one can use a false SSN. THE NEED FOR LEGISLATION While our efforts have been considerable, and are aimed at maximizing the impact of limited resources through collaborative efforts with other agencies, I would be remiss if I did not point out that there still exists a legislative void that, to some extent, fosters the misuse of SSN's for purposes of Identity Theft. Senate Bill 2328, introduced by Senator Feinstein, together with Senators Kyl and Grassley, Senate Bill 2554, introduced by Senator Gregg, together with Senator Dodd, and Senator Feinstein's amendment to Senate Bill 2448, which would prohibit the sale of Social Security numbers, all represent significant steps in the right direction. Together, these Bills create front-end limits on the use of Social Security numbers and authorize criminal and civil sanctions and administrative penalties when violations occur. My staff would be happy to assist you in combining all of this legislation into a comprehensive Bill that would enable us to bring the full authority of the United States Government to bear against those who would buy, sell, or otherwise misuse SSN's. Until there are criminal statutes, civil sanctions, and administrative penalties available to combat the many forms of SSN misuse that we see on a daily basis, we are ill equipped to bring this epidemic under control. In a recent Op/Ed piece in the New York Times, columnist William Safire expressed surprise that Federal law does not currently prohibit the compelled disclosure of SSN's. We should be no less surprised. CONCLUSION Because the SSN is instrumental in perpetrating identity theft crimes this office, by virtue of its congressional mandate, must be a key player in the fight to control these crimes. The task is made all the more difficult by the broad range of crimes that fall within the identity theft category, the new role of the Internet in perpetrating identity theft, and the difficulty inherent even in determining where the crime begins, what course it takes, and who is the primary victim. Nevertheless, we have put in place, and continue to implement, strategies aimed at both better understanding and combating the use of SSN's to commit identity fraud crimes. I thank the Subcommittee for inviting me here today, and for its concern of this very real threat to every American. Senator Kyl. Thank you very much, Mr. Huse. Just with respect to the last point you were making about the monitoring of the sale and purchase over the Internet of Social Security numbers, what are the current prohibitions on purchase, as well as sale, of someone else's Social Security number? Mr. Huse. There are no current prohibitions on the sale or purchase of someone's Social Security number at all, and that is the alarming issue here. Senator Kyl. And what are the prohibitions on the use of the Internet to therefore fraudulently sell or purchase somebody else's Social Security number? Mr. Huse. Again, Mr. Chairman, there are none. Senator Kyl. And, finally, a point that I think you just made, what is the current prohibition on forcing someone to tell you what their Social Security number is, other than IRS or Social Security? Mr. Huse. There are no prohibitions there either. Senator Kyl. Well, we could say case closed and get to work on the legislation, but I think that illustrates a very, very important point, and I appreciate your making that point very clearly. Ms. Bernstein, in your testimony, and also before, you mentioned the practice of skimming, in which identity thieves use sophisticated devices to intercept personal information on credit cards and ATM cards. What is being done to combat this practice, and what could we do to help combat that? Ms. Bernstein. To the extent that we are able to get information about those practices--that is, consumers who have been victimized--and put it in our data base, we are trying to compile it to get to the appropriate law enforcers in order to try to make that a part of the criminal conduct; that is, it would be part of identity theft. It would be one way in which the thief could obtain the necessary information to pursue the identity. There is no specific prohibition that I know of in the criminal laws that makes that a specific crime, and it perhaps could be addressed in legislation to make it more specific. Senator Kyl. Right. Could you describe the practice specifically for those who hadn't heard your previous testimony? Ms. Bernstein. Well, at least from our anecdotal evidence that we have gathered from the complaint data, they have techniques of observing when you use your credit card to enter the ATM or to use your other information that may be observable by a thief. For example, your telephone credit card has been used very widely to begin the process of reconstructing your identity by someone looking over your shoulder in an airport lounge, for example. It was widely used until people became aware of it. It still is an entry point for people because, from that number, often through other data bases you can begin to compile all the additional information that you need in order to be ``Senator Kyl'' and enter either your other credit or your bank account. Senator Kyl. Just as an aside, I serve on the Intelligence Committee and it is amazing to me how completely information about someone or something can be reconstructed starting with just one number, a telephone number, a Social Security number, a birth certificate, whatever it might be. There are so many different entities in the country that have access to different kinds of data, now that we have the Internet, that it can be done literally with a click, as you point out. That is why we are trying to identify the different kinds of entry points, the places where there could be a crime committed, especially where it is not yet a crime and we may need to consider making it such. So, that is another area, in addition to those that I talked to Mr. Huse about. Just one more thing, you have talked about novelty Social Security cards. Talk a little bit about that and just explain the phenomenon to the subcommittee, if you would. Mr. Huse. Well, Mr. Chairman, on the Internet there are many companies that sell false identification documents. They call them novelties. There is a disclaimer, if you purchase these, when they arrive at your home. They could be anything. There is nothing that can't be counterfeited today. With the State of the art in terms of desktop publishing and computer graphics, you can counterfeit anything. So they can replicate any kind of a document, certificate, diploma. It makes no difference. These arrive at your home, if you purchase them over these sites, with little pull-off stickers. The stickers, of course, say ``this is a novelty, not to be used for identification.'' That, of course, covers the entity that is selling these, but there is a plethora of these on the Net. I mean, you can become anything you want today. Senator Kyl. Well, obviously, we will have to look into how to try to define around those kinds of techniques of avoiding a criminal situation, and we will have to work with you very carefully on doing that, I am sure. Senator Feinstein. Senator Feinstein. Mr. Chairman, when I introduced the Social Security bill, and it was S. 2699, it went to Finance, where it has sat. Then I introduced the amendment to 2448 that Mr. Huse spoke about. That is an amendment to the Hatch Cyber Crime bill, and the Social Security bill was redrafted to involve Justice so that it could come to this committee. I am trying to think of a way to at least control the Social Security number as kind of a first step because that is so much in the Federal domain. I would be interested in any of your views in that regard. I think maybe just to stay with the amendment to the Hatch Cyber Crime bill, put that on the Hatch bill, if he will have us. Senator Kyl. He will have us, I am sure. Yes, we will work together to make this happen. Senator Feinstein. All right, good. That is great. Let me ask this question. With respect to the Internet, do either one of you have any views on the opt-in versus opt-out issue? Every time I discuss this, at least, with Silicon Valley people, it always comes down to opt-in versus opt-out. Ms. Bernstein. I could just offer a little bit of experience we have had, Senator, with what I call the Kids Act, COPA, the Children's Online Protection Act, which the Congress passed 18 months ago and we have implemented through rulemaking. It is now in effect. There is a requirement for verifiable consent for parents before an operator can obtain any information about an under-age consumer. Senator Feinstein. So that is an opt-in? Ms. Bernstein. It is opt-in, and we had a considerable discussion both before the Act was passed and in the rulemaking context, and I think have worked out methods by which the consent can be obtained from parents, and I think it has worked quite well to date. We are trying to encourage them, and there have been some efforts to really develop technology that would make it easier to go opt-in instead of opt-out, because I think in the end that is probably the only real impediment, is how do you get it done. So we have had a positive experience in that area and it has really worked quite well. So I don't believe that it would shut down the Internet if you have opt-in for certain kinds of use or misuse of very sensitive information. Medical/financial, of course, are generally considered by most Americans as very sensitive. In other words, you could make some discreet differences, considering what kind of information was being obtained or used. Mr. Huse. I endorse everything that Jodie said, but I would just like to take it from another tangent. We all know that the Social Security number has become our own personal identifier and, in fact, it is the national identifier. We all know it was never intended to be that, but de facto it has become that. Since it is synonymous with our name and our own reputations, I personally believe that the biggest weakness we have is this consent piece. If we build that in, all the rest of legitimate commerce can go on. But I think every one of us should have a personal right to decide whether and how our financial information that is under the tent of this number, and all the other uses of the SSN--we should have the right to yes or no. And I think that is the piece that we really need to work on. If we could fix that, the rest will follow. So I agree, opt-in is really the way to go. Senator Feinstein. So you are saying that the most important part is the Social Security number. Now, with respect to the Social Security number, at least in the legislation I have submitted, there is no opt-in/opt-out. You are prohibited from using it for commercial purposes---- Mr. Huse. Unless there is opt-in. Senator Feinstein [continuing]. With certain exceptions, and the exceptions are very carefully crafted. Mr. Huse. Right, and I think that is the right way to go. Senator Feinstein. You think that is the right way to go? Mr. Huse. I do, because I think that that forces a positive act on the part of anybody who wants to engage in commerce to get your permission. I think that part of the victim violation here is that none of us have any control over this. Senator Feinstein. In the legislation as it is drafted, and I believe this is correct, permission isn't part of it with respect to the Social Security number. Mr. Huse. No. Senator Feinstein. It is, with consent. I beg your pardon. Mr. Huse. That was my understanding. Senator Feinstein. You were right. I was wrong. Mr. Huse. That is OK. You are there and I am here. [Laughter.] Senator Kyl. If they only knew how frequently we were wrong. [Laughter.] I think they do know. Senator Feinstein. I think they do, too. Ms. Bernstein. Your secret is safe with us, Senator. Senator Kyl. Us and C-SPAN, right? Ms. Bernstein. Yes. Senator Feinstein. In any event, with Senator Kyl's enormous help, we may just be able to move that legislation. Mr. Huse. I think it is really important, I do. It would be a tremendous step forward. Senator Kyl. Can I interrupt? Senator Feinstein. Yes, please. Senator Kyl. I have also been curious, though, about the need. If we are going to do this, which seems to me a very big step in the right direction, as you point out, don't we also need to make the Social Security card itself as counterfeit- proof as possible, and what is your view with respect to that? Obviously, if you protect against one type of theft but it is very easy to steal it in another way, then you simply move the people from type A to type B crime. Mr. Huse. The Senate has been focused on the Social Security card itself for some time, and the Social Security Administration has done an extensive study. There are implications, of course, of improving the current card to a point where it is more counterfeit-proof, and then we stray into an area of actually, again, de facto adding more underpinning to the use of the Social Security number as a national identifier. That has policy implications that, you know, is a greater dialog than what we are talking about here. Senator Feinstein. Such as, for example? Mr. Huse. Well, if it becomes a national identifier, then we have a national identity card and---- Senator Feinstein. But all he was saying is making it counterfeit-proof. All Senator Kyl was saying--we weren't getting into anything other than that. I mean, my Social Security number is on a little piece of cardboard, you know. Mr. Huse. Sure. But probably the folks who get a card today have--there have been improvements to that card over time. But as you add in more security features, then we need to add in a better business process underpinning that type of a card. There are tremendous costs involved to shift from the system we have now to one--would you add a photograph? I mean, there are all kinds of implications embedded in this that are a broader discussion. I think it is a dilemma because we are crossing a line until this time we have never had to deal with in this country. But some of it is being driven by technology and it certainly is worthy of debate, but I don't have the answer right here. Senator Feinstein. I guess what I understand him saying is when you go into making it counterfeit-proof, you go into what you use to make it counterfeit-proof, which ergo expands its application into a more formal identifier than it is now. I mean, the number is effectively our national identifier. Mr. Huse. Right. It is the number, not the card. Senator Feinstein. But we don't have a national identification card, per se. Mr. Huse. No, but by adding this strengthened number to a better card, we are adding in the ingredients for something I don't know that you want, or maybe you do. We are right on the precipice here of an entirely different issue, and that is the conundrum. Senator Kyl. But we are there. I am not taking a position one way or the other, because we had this debate with regard to the Immigration Act and the possibility of a prototype. We had a couple of demonstration projects for the purpose for which Social Security is intended, namely indicating that you have a number and therefore you are permitted to work in this country. And even that raised huge questions. But when we talk about opt-in and opt-out, what are we talking about? We are talking about opt-in and opt-out of allowing your number to be used for commercial purposes, OK? We are there, and so the fact that you make the card tamper-proof or fraud-proof doesn't force you to use it for commerce. It may make it easier to use for commerce, but that is again only if you agree that it be used in commerce, and you are already being asked whether you will agree to allow your number to be used in commerce. So we are there. But, again, that is a subject with much larger implications than we intended to cover in this hearing. I appreciate your point about that, and I just asked the question for information purposes and I think at some point maybe it would be worth exploring further. Mr. Huse. Adding any kind of security features to the card, of course, makes it a better--we are in a better place enforcing the law. I mean, I can give you a simple answer to that, too. Senator Kyl. It doesn't, of necessity, take you into commercial uses. It simply makes it a better product for commercial use. Is that correct? Mr. Huse. Yes, Mr. Chairman. Senator Kyl. Anything else for this panel? Senator Feinstein. No, Mr. Chairman. Senator Kyl. I know we need to move on to the next panel, so I want to thank both of you again. You have been tremendously helpful. We really appreciate your testimony. Mr. Huse. Thank you. Senator Kyl. I was just trying to determine here a proper order, and I think just for ease of doing it, if we would start with Ms. Michelle Suzanne Brown and just move down the table this way, Beth Givens next, Steve Emmert, and then Stuart Pratt, that will make an easy transition from one to the other. I want to thank each of you for being here today as well. We really appreciate your willingness to share your experiences with us and we look forward to your testimony. Michelle Suzanne Brown, why don't you begin? PANEL CONSISTING OF MICHELLE BROWN, IDENTITY THEFT VICTIM, LOS ANGELES, CA; BETH GIVENS, DIRECTOR, PRIVACY RIGHTS CLEARINGHOUSE, SAN DIEGO, CA; STEVEN M. EMMERT, DIRECTOR, GOVERNMENT AND INDUSTRY AFFAIRS, REED ELSEVIER, INC., AND LEXIS-NEXIS, AND PRESIDENT, INDIVIDUAL REFERENCE SERVICE GROUP, WASHINGTON, DC; AND STUART K. PRATT, VICE PRESIDENT, GOVERNMENT RELATIONS, ASSOCIATED CREDIT BUREAUS, INC., WASHINGTON, DC STATEMENT OF MICHELLE BROWN Ms. Brown. Thank you, Senator Kyl, Senator Feinstein. If I could ask one thing before I speak, I have one request. If we could redact my middle name from anything of record, is that a possibility? Senator Kyl. Absolutely. Ms. Brown. I don't know where that came from, but I appreciate that to be suppressed. I am pleased to be in your presence today, and I genuinely thank you for the opportunity to elevate the invasive crime known as identity theft. This is a topic, unfortunately, that I am intimately familiar with. My name is Michelle Brown. I am 29 years old and have been working in the international banking field for the last 7 years. I am an ambitious and hard-working individual. I am certain that I much like any of your cousins, your nieces, your daughters, your sisters. I believe that I strongly represent any average, respectable citizen of the United States. However, there is one clear-cut issue that separates me from nearly the rest of the population. I have lived and breathed the nightmare of identity theft. I will tell you firsthand this is a devastation beyond any outsider's comprehension, a nearly unbearable burden that no one should ever have to suffer. Imagine establishing credit at age 17 and building a perfect credit profile over the next 11 years. Imagine working consistently since age 15 and helping to finance your education at an accredited university to advance your future success in life. Imagine never having been in trouble with the law. Now, imagine the violation you would internalize as you realize some vile individual you have never met nor wronged has taken everything you have built up from scratch to grossly use and abuse your good name and unblemished credit profile. That is precisely what happened to me. I discovered this new, blackened reality on January 12, 1999, when a Bank of America representative called me inquiring about the first payment on a brand new truck which had been purchased just the previous month. I immediately placed fraud alerts on my credit reports, canceled all credit cards, and even placed a fraud alert on my driver's license number. From that day forward, I unearthed the trail of this menace's impersonation, and attempted to work with a current faulty system to protect myself from any further abuse. The system clearly failed me. To summarize, over a year-and-a-half, from January 1998 through July 1999, one individual impersonated me to procure over $50,000 worth of goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected. She engaged in drug trafficking. This crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually a prison record, when she was booked under my name as an inmate in a Chicago Federal prison. The impersonation began with the perpetrator's theft of my rental application from my landlord's property management office in January 1998. Immediately, she set up cellular telephone service, followed by residential telephone and other utility services, and attempted to obtain time-share financing and department store credit cards. She was successful in purchasing a $32,000 truck, had nearly $5,000 worth of lyposuction performed to her body, and even rented properties in my name, including signing a year lease. Not only did this person defraud the Department of Motor Vehicles by obtaining a driver's license with my name and number in October 1998, but she even presented herself as me with this identification to the DEA and before a Federal judge when she was caught trafficking 3,000 pounds of marijuana in May 1999. She remained a fugitive for almost 6 months while still assuming my name, and was finally turned in by an acquaintance in July 1999. Months later, after she was already in prison, in September 1999, I was stopped at LAX Customs after returning from a vacation in Mexico. While I explained my innocence to several agents in a stream of tears, and as I attempted to clearly distinguish this Michelle Brown from the other Michelle Brown with a criminal record, I was blatantly treated with strong suspicion. I was, as is typical for an identity fraud victim, guilty until proven innocent. I was finally let go after an hour, after the police were called to vouch for me. This situation reinforced my fear that I may be wrongly identified as the criminal, which could end with my arrest or, worse yet, being taken into custody and serving time in jail. After having seen so many inefficiencies and blatant errors in the system, I feel no assurance, nor can I receive any concrete evidence from authorities that this type of insane mix-up would never happen again. It was tormenting to know someone was, in essence, living the good life at my expense, and I was left with the taxing chore of proving my innocence. The restoration of my credit and my good name was a seemingly never-ending process. I was forced to make literally thousands of phone calls, fill out various forms, submit all sorts of documents, and have many documents notarized. Without a doubt, I was entirely consumed with the whole pain- staking process. I gained nothing from putting over 500 hours into the chore of restoration. All in all, it was an exhausting waste of a good person's time and a massive drain on my life and energy. At one point, I even feared for my safety after I learned that the perpetrator had been linked with a convicted murderer. The whole identity fraud experience was by far the darkest, most challenging and terrifying chapter of my life. I faced many difficulties in clearing my name, and I still face the fear that I will forever be linked with her criminal record. I have encountered widespread inefficiency and general insensitivity at nearly every turn. I know that there are most definitely not enough dedicated resources and governmental authorities to assist victims and to simplify the burdens on the innocent's life. Clearly, changes need to be made. The Government not only needs to promote initiatives to shorten and simplify restoration of one's name and credit, but also to facilitate early detection and termination of an abused person's name, and most importantly to deter criminals from the allure of such an easy crime by enforcing swift and severe punishment. I think that Senator Feinstein's Identity Theft Prevention Act of 2000 is definitely a positive initiative and will put the legislation in the right direction to fight this crime. I support the two corresponding bills and recommend the enforcement of such initiatives. I came here today because I feel responsible to limit the abuse of other victims' names. I know how terribly tormenting it is to be a victim. I am living proof that identity theft is a very real crime with very real victims and true life-altering consequences. It is astounding that my life-long discipline to be a law-abiding citizen and to have the diligence to establish perfect credit was reversed so easily, so quickly, simply because I represent the perfect victim in another's eyes. This crime is clearly on the rise, and no one at this time is completely protected from becoming the next victim. I realize the scenario of becoming an identity fraud victim seems entirely far-fetched and implausible to many of you. I know the feeling; I was once in your shoes. I thank you for your time and for the opportunity to present my story and views today. I hope it is clear now that many changes need to be effected to the current system to combat this crime and protect victims. This fact is crystal clear in my mind. Thank you. Senator Kyl. Ms. Brown, thank you very, very much for your testimony. It is compelling and we appreciate it very much. It is precisely the kind of sacrifice that you have made to come here that will help us to prevent this happening to other people, and you are to be commended for it. Thank you. Ms. Brown. Thank you. [The prepared statement of Ms. Brown follows:] Prepared Statement of Michelle Brown Mr. Chairman and Members of the Committee, it is my pleasure to submit testimony to your committee today and hope that my presence will shed some light on the invasive crime known as Identity Theft. My name is Michelle Brown, I am 29 years old, and currently reside in a respectable community in the surrounding area of Los Angeles, California. I have been gainfully employed in international banking for the last 7 years since my graduation from a University in California. I am much like most other hard-working, conscientious individuals, eager to get ahead in life and to make a respectable living; however, one thing clearly sets me apart from the rest of the crowd. I have endured the trying chores of realizing that I have become, and subsequently, have been painstakingly trying to break free from being, an identity fraud victim. It was a scenario I had only previously known through unbelievable stories painted in Hollywood: someone becomes you, erases your life, and through their destructive behaviors, complicates your own existence to an extreme level where you no longer know how to just live day after day. Your life becomes the life consumed by unraveling the unthinkable acts that your perpetrator has done in your perceived skin. I discovered on January 12, 1999, the existence of this shadow identity that I have been anxiously trying to expel from my life ever since. To be truthful, I don't think I will ever be able to close the books entirely on this menace's activities. I dearly wish I could, but what I know now translates to the fact that I will always be dealing with this alter reality I am plagued with. Over the course of a year and a half, my name, personal identifiers and records were grossly misused to obtain over $50,000 in goods and services, to rent properties, and to engage in federal criminal activities--namely drug trafficking. During the course of 1999, I spent countless sleepless nights and seemingly endless days, dedicating my valuable time, energy, peace of mind, and what should have been a normal life, trying to restore my credit and my life. I filed various statements and affidavits, had documents notarized, made thousands of phone calls to creditors, governmental authorities, etc., and continually set in motion the next level of protection for further follow up and monitoring. I alerted all the proper authorities, filed all the right papers, made the right phone calls, and diligently remained actively adamant to restore my perfect credit and my good name. I would estimate that the time lost toward clearing my credit, attempting to clear my criminal record, and to sever myself free from this menacing being, amounted to somewhere in excess of 500 hours of my time. At the time, the burden seemed like it cost me a lifetime. In the course of restoring my credit and my name, I realized that I was victimized by someone without conscience. This person was not a normal, socially responsible individual and would stop at nothing. In restoring my name, I discovered the following about her and her fraudulent activities: The perpetrator: Heddi Larae Ille, is currently 33 years old, and thankfully, is serving both state (2 years) and federal (73 months) prison time for illegal acts she performed while assuming my name. She is a Caucasian female, standing at about 5 foot 7 inches, weighing about 200 pounds, brown hair, and brown eyes. I am Caucasian, height 5 foot 9 inches, weight 125 pounds, brown hair, hazel eyes. I believe we look nothing alike in physical appearance. January 1998: Just after I filed an application to rent a property, the perpetrator stole my rental application from my landlord's property management office. She apparently was at one time an acquaintance of my landlord's; to this day, I still have never met her and do not know her in any fashion. February 1998: Heddi set up a wireless telephone service at my then current address, and quickly switched the address within less than a week. After 3 weeks, Pacific Bell deemed this account as fraud and disconnected the service. Due to their fraud determination, this account was never alerted to me. March 1998: Heddi set up residential telephone service at a property in L.A., which remained on for about 4 months; $1,443 remained late and unpaid, therefore the service was finally shut off. This account eventually hit my credit report in the form of a credit inquiry through a credit bureau. [Of note, I simultaneously had telephone service in my name for years non-stop through the same provider (GTE); even though Heddi established the service through the same provider, with my name, Driver's License Number, and Social Security Number, I was never alerted of this new account, nor was this account cross- referred to mine, even as it was in serious delinquency.] July 1998: Heddi attempted to obtain timeshare financing. The application was never activated, and when I spoke to the timeshare financing company, they did not have a ``Fraud'' division set up and could not tell me what happened with the application. I was later informed that she was required to serve 45 days in jail (on a separate fraud charge) shortly after the application was filed; likely this is the reason nothing had been pursued. July 1998: Heddi attempted to get a credit card through Target (a ``home/everything'' type store); the application was denied. August and September 1998: Heddi served 45 days in jail. October 1998: Heddi got a duplicate drivers license at a Fullerton, CA Department of Motor Vehicles, in my name, my drivers' license number, but an alternate address, and with her picture. The DMV issued the duplicate, even though at the time, she weighed 40 pounds more than me and was two inches shorter, and completely different in physical appearance. The requirement of her fingerprint enabled the authorities to clearly distinguish our different identities and made things much easier for me to clear my credit, and to clearly establish the fact that I was the victim of identity fraud and impersonation. October 1998: Heddi rented a property in San Diego, CA, in my name, set up utilities, and shortly thereafter vacated. October 1998: Heddi signed a year lease at another property in San Diego, in my name. December 1998: Heddi filed applications for and received the following: a $32,000 2000 Quad Cab D2500 Dodge Ram Pick-Up (zero down lease), and $4,800 worth of liposuction in Long Beach, CA (she paid $1,400; the rest was financed through a line of credit established in my name). January 12, 1999: I received a message at home from a Bank of America representative inquiring about the new Dodge pick up. I returned the call to tell them they had the wrong person and I knew nothing of the truck. They explained they must have the wrong Michelle Brown, all the numbers listed on the application were not working, and a previous address was listed in my city; so they reached me via my 411 listing. I asked them for the SSN to ensure it wasn't mine, they couldn't release it; I gave them mine and they told me that was in fact the one used on the application. January 12, 1999: I instantly put fraud alerts on all credit reporting agencies, filed a police report, cancelled all of my credit cards, put heightened security on all bank accounts, called the DMV to find out if a duplicate drivers license was issued (it had been) and subsequently put a ``pink flag'' fraud alert on my License number. Subsequently filed another local police report, called the Postmaster, Social Security Agency, U.S. Passport Agency, etc., and the nightmare continued with each and every passing day. Mid-January 1999: The Police Detective I was working with gets her pager number, pages her, and has a conversation with her. After she identifies herself as me when she returned the page, he tells her he knows that she really is Heddi Ille, and to turn herself in the next day. She agrees. Two subsequent times in the next week, she requests more time to turn herself in. Within the next week, the Detective issues a warrant out for her arrest and attaches required bond set at $750,000. May 1999: Heddi is arrested in Texas for smuggling 3,000 pounds of marijuana, she identifies herself as me to the DEA and to a federal magistrate. The arrest is recorded in my name, ``I'' am subsequently named in the criminal complaint, and listed as the DEA's informant. She was somehow set free even though my name and Drivers' License number was flagged with fraud since January 1999. I know nothing of her criminal activities at this time. June 1999: Through my landlord's property manager, I was told that they heard through one of Heddi's acquaintances that there was a warrant out for my arrest somewhere in Texas. Since I was going out of the country on vacation within 2 weeks, I asked the detective to write a letter explaining the circumstances and my innocence. I also had the police run my information in databases to tell what city/county the warrant was in, and tell me how to clear it prior to my vacation. No positive responses were found; I assumed it was a local county warrant--it was a federal felony warrant as I found out in July when she was arrested. July 1999: Heddi called an acquaintance of hers while she was in a suicidal state, and they turned her in. She identified herself as me even still as the police came to her hotel door. She was found with drugs in her possession, credit cards that had been melded down and re- imprinted with my name, and her CDL in my name. She was brought in on 13 criminal counts. September 1999: Returning from a trip to Cabo San Lucas, I was held at LAX's Customs and Immigration for an hour while I explained the circumstances of my erroneous link with her criminal record (after my passport was swiped in the computer). As I presented endless documentation of court records, police filings, etc., and explained my situation in a stream of tears, I knew then that I had become erroneously linked with Heddi's criminal record. The agents questioned my story and documentation, and treated me very suspiciously--like I was the criminal. After the Police Detective was called and vouched for me, I was allowed to leave. I feared being arrested or being taken into custody. I found out later that, even though Heddi had already been in police custody at a jail since July, the DEA posted a lookout for ``me'' in the system. They neglected to let me know that I might want to be prepared for this type of confusion at any time. September 1999: Heddi is convicted of 3 felony counts (perjury, grand theft, and possession of stolen property) at the state level at 2 years each, which she is serving simultaneously. Note that the specific charge for identity theft/impersonation was not a charge that she was actually convicted of. October/November 1999: Heddi is transferred to the Chicago Federal Prison and they book her as an inmate in my name. She even addressed outgoing letters from the Federal Prison using my name in the return address. Needless to say, I was furious. When I called the DA, they told me they would have this corrected. I was told subsequently that it was corrected; however, they could never provide me proof of this in writing as I requested. June 2000: Heddi is sentenced to 73 months in federal prison for possession with intent to distribute 3,000 pounds of marijuana, with an enhanced sentence for lying to a federal magistrate. She received a reduced sentence from the pre-determined 110 months because she provided assistance to the government. [I believe she was tied to a major drug smuggling ring. Even though my name was used, I was never privy to details of her crime; however, I was informed that there were several defendants in this case.] Through the course of uncovering her trail and waiting for her to be caught, I honestly believed that the victimization would never end, that I would never become whole again as the true ``Michelle Brown.'' My world had become a living nightmare. I personally was affected extremely: I was significantly distracted at a job that I had just started three weeks prior to the day of discovery, I suffered from a nearly non-existent appetite, very little sleep, and was consumed with the ferocious chore of restoring my name and attempting to quell any future abuse. I lost identification with the person I really was inside and shut myself out of social functions because of the negativity this caused on my life. I know that a very meaningful 3 year relationship with my then boyfriend suffered dearly because of the affect this traumatic chapter of my life had on me--the relationship ended about 4 months later. No words will ever be strong enough to completely convince others what this period was like, filled with terror, aggravation, unceasing anger and frustration as I woke every day (since my discovery of the identity fraud in January 1999) with emotionally charged, livid angst. I unceasingly was forced to view life through a clouded reality, one seriously altered by a horrendous individual who committed a series of unforgivable acts in my name. The existence of Heddi has robbed me of the normal life I have strived for and entirely deserve. My life should be one in which I, and I only, should be the only one being held responsible and accountable for my personal credit history and what should be, a lack of a criminal history. For me, the most personally frightening moment was dealing with LAX's Customs and fearing an erroneous arrest. Because of this situation, I purposely have NOT gone out of the country for fear of some mishap, confusion, language barrier, that may land me in prison for some unknown period of time. I do not deserve to be in this predicament and do not deserve to feel imprisoned by the U.S. Borders. I still fear what might happen as I cross the U.S. Border and I cannot get assurance from any governmental agency that this situation will never happen again. Identity fraud (especially those cases escalated to a criminal level) leaves a very dark and filthy cloud around the victim. Although I am the free Michelle Brown, living what may on the surface seem to be a normal life with freedom on the streets, I have never deserved less than that: a normal life, one free of the ill effects of a heinous individual who deliberately and unabashedly used and abused my world that I had always been so careful to create and maintain. I am a law- abiding, good natured and caring individual, contributing through legitimate business and upstanding citizenship, who never deserved to be haunted with this naggingly irritating air Heddi has shadowed me with. Clearly many preventive measures and protective procedures need to be enforced to prevent such a horrendous crime from being so easy and attractive for a perpetrator to facilitate. Below I've attached a list of items highlighting some of the weaknesses I see with the current system. I thank you for your time and consideration and hope that my case can provide you with the awareness that this is truly a real crime, with real victims, and dire life-altering consequences attached. ______ Attachment 1 During the course of the restoration of my credit and my personal records, including criminal associations, I can identify the following faults in the current system: There should be a better system to clearly verify the innocent's residency for the past.--Creditors and the credit reporting agencies require various statements to prove residency over the course of time (when services were actually established). The types of documents they require as proof(s) of residency were rarely consistent with each other. Additionally, most people do not keep old statements. How is one to prepare for the occasion that you would have to prove residency for any time period? I happen to keep all of my old credit card statements, some utility bills, and most phone bills which allowed me to provide sufficient documentation. I doubt the common citizen retains the same level of credit card statements, utility bills, etc. There should be a standardized form that would suffice to send to all parties that were victims of extending credit, extending identification/documentation of identity (Department of Motor Vehicles for licenses, passport agencies), and reporting on these items (credit reporting agencies).--To clear fraudulent items, I was asked to fill out various forms from one creditor to the next, which is very time consuming. Credit restoration (at the credit reporting agencies) is rarely timely, efficient, or effective.--Even though the fraudulent accounts were erased from my credit reports, some items mysteriously resurfaced months later. Also, several fraudulent inquiries still remain on my Trans Union report despite repetitive efforts with both the creditors and the credit reporting agency to clear these items. Credit Monitoring Services should be provided free to victims of identity fraud for several years.--I still need to monitor my credit even though the perpetrator is in prison (she could use it again or could have sold it off, etc). I continually call to ensure that neither new inquiries nor accounts have been opened fraudulently. I also need to ensure that my fraud statement remains attached to each credit report. Many victims are re-victimized after the fraud alert expires on their credit reports. This will always be a necessity despite the appearance of a fraud alert tagged to each of the three credit reporting agencies' reports, especially in the event a merchant does not comply with the fraud instructions to contact the victim telephonically. Identity fraud victims should always be able to speak to a live person at the credit reporting agencies.--As the attachment of a fraud alert if the first level of prevention once someone has learned of their victimization, it is a necessity to attach this as soon as possible. This was the first means of comfort to me that I could take this measure and discuss my situation with someone more familiar with the situation. However, in subsequent calls to the credit reporting agencies, I had discovered that often the call went straight to an automated call receipt system with inadequate options. It would have been quite unnerving if my first call to alert them of fraud had been funneled to an answering machine where you are asked to leave your name, number, social security number, etc., rather than speaking to a live individual who can better instruct you and understand your crisis. Authorities are not always sensitive to this type of crime.--When I spoke to an LAPD, I was told blatantly not to file a report in their office because they didn't want such an enormous case on their hands. The DMV was also not sensitive to my case and was in fact accusatory: they suggested that I was lying about someone getting a duplicate CDL in my name, despite the fact that I had just spoken with another employee who verified this for me. I was guilty until proven innocent-- like most identity fraud victims are treated time and time again. In each Police Department, there should be an established Task Force to which calls of Identity Fraud nature should be referred, where expertise in this arena and sensitivity to the victim would be highly appreciated.--On filing my first police report, I was told to file a report in the county where the crime was committed. The first thing I was alerted to was the truck purchase, which took place somewhere over 100 miles away from me in San Diego. Additionally, the officer I initially spoke to in San Diego mistakenly thought that I should collect all of the necessary paperwork and bring it to the San Diego Police Department. Not only would this have been a major inconvenience, but legally, I did not even have access to this ``proof:'' the application for the $32,000 loan, copies of the perpetrators' drivers license, etc. My feeling is that Law Enforcement Officers are not trained to handle these types of calls and do not know the procedures. The fraud alert posted on my driver's license in January 1999 obviously was not effective: either the various systems should be able to share this information across the state borders, or the DMV should be more careful about what they are telling victims.--What I understood created a false sense of security for me. Had this fraud alert worked, I would not be linked with: the perpetrator's arrest record, the criminal complaint, the warrant out for her arrest, nor would I have been detained at LAX's Customs and Immigration. There are neither enough resources nor expertise dedicated to this crime in general, and government information sharing across state lines is poor.--I was highly frustrated by the length of time it took to finally catch Heddi; when she was finally taken into custody, it was not because of the diligence of the police, it was because she was turned in. Also, it amazes me that she was actually arrested in Texas in my name, taken into custody, and released even though California records were flagged to show that someone was using my name and to be on the look out. Clearly the current system and procedures failed horribly and are not adequate at this time. There need to be clear cut procedures and evidence provided to the victim to break a victim free of an impersonator's crimes.--Authorities cannot provide assurance that I am now cleared of hassles with the law, Customs/Immigration, etc. In fact, I am told that I will always be linked with Heddi's criminal record because I'm her A.K.A, meaning that I will likely be questioned any time that my name and identifiers are run in government systems. This is an enormous, haunting burden on a victim, who has clearly already suffered enough. I believe the government does not have solid procedures on how to de-link a victim from its perpetrator, and they are uncertain of the flow of information. I feel like I'm testing the system as if I'm walking through a minefield. Finally, there should be severe consequences to the perpetrator of such crime.--Although my perpetrator is currently serving prison time, she was never convicted of the identity fraud felony count. Her other crimes carried more weight over the one most personally offensive and life altering to me. I would recommend to impose a $5,000 fine to anyone who steals another's identity, and require that this be paid to the victim within 2 years of conviction. Additional recommendations, while not directly applicable to my case, would help prevent the extent of fraudulent activities: Social security numbers should be treated as confidential information, and therefore should not be required to be part of passwords, medical identification numbers (this is usually clearly stated of medical cards which should be carried at all times by the insured), etc. Additionally, there are NO situations in which SSN's should be sold. Credit issuers: all duplicate card requests should be verified by a mailer to the previous credit card address, or verified via telephone. Credit issuers: change of address requests should be followed up with a level of verification. Possibly there could be a better communication system between the Postmaster, and credit reporting agencies and creditors, to verify that authentic address changes have been made. Credit issuers: many unauthorized charges to a credit card holder are facilitated by shipping goods to an alternate address.--Any items billed to a credit card and shipped to another address should be subject to the same verification/authentication requirements as if the creditor were discussing private account information with the card holder. Further, as the shipment is requested, the credit card holder should be informed in writing of the shipment, including the address to which the item was billed. Credit reports should be offered free to individuals at least once a year, at their request. Unusual inquiry/account opening behavior should be flagged at the credit reporting agencies and further investigated.--The bureaus should take more responsibility for unusual activity as they are the first ones to be alerted of consolidated fraud on one individual's record. Fraud alerts should be CLEARLY POSTED on the first page of victims' credit reports. Further there should be fines imposed to merchants who do not properly act on these statements and fail to verify the authenticity of an application. Senator Kyl. Beth Givens. STATEMENT OF BETH GIVENS Ms. Givens. Chairman Kyl, Senator Feinstein, thank you for the opportunity to testify today. I am Beth Givens, director of the Privacy Rights Clearinghouse, a non-profit consumer group in San Diego. We have been assisting victims since 1993 and we have witnessed the ravages of this crime on the victims and their families, and I commend you today for focusing on victims and on prevention. In May, the Privacy Rights Clearinghouse and CALPIRG, another non-profit, released a survey on identity theft victims who had contacted us for help in the past, and here is what we learned. On average, it took them 2 years to clean up their credit report and to regain their financial health. Many were still dealing with it after 4 years. Victims found that they spent an average of 175 hours to resolve the problem. That is the equivalent of 4 working weeks, and many were spending over 500 hours. When victims are asked what would have prevented their identities from being stolen, most, including those we surveyed, said take the Social Security number out of circulation so it can't be obtained by criminals. It certainly should not be used as an ID for insurance companies, by universities and others, and it certainly should be not for sale on the Net. I am pleased that 2328 and 2699 have been introduced because I think they address the prohibition of the sale of the Social Security number. Victims also State that the credit issuers need to be more effective in weeding out fraudulent applications, especially in instant credit situations. Half of the victims in our survey told us that the fraud recurred after they put a fraud alert on their credit report, and I am also pleased that 2328 addresses that. Victims have also stressed that early detection of fraud would have greatly shortened the time needed to regain their financial health. Our survey found that the average time it took them before they even learned they were a victim was 14 months after the fraud had begun. What about victim assistance? It is now much improved since the Federal Trade Commission has opened its identity theft clearinghouse, thanks to the bill that was passed last year, your bill, Senator Kyl. But the credit bureaus and credit issuers must improve their victim assistance tremendously. This includes providing live staff members rather than voice mail and long waits, and also the industry must develop fool-proof methods to prevent fraud from recurring once a fraud alert has been established. The Associated Credit Bureaus' efforts, I think, are moving the industry in the right direction. In closing, I want to bring to your attention to what I call the worst case scenario of identity theft, and that is when the imposter commits crimes using the victim's identity, like we heard from Michelle, giving that person a criminal record. These records are extraordinarily difficult to clear up. Victims may be unable to find work. They live with the constant fear of being arrested at any moment. Many of them have been jailed. They must carry with them a document from either law enforcement or the courts, and they must carry it all times, that is if they are fortunate to even get such a document. This would be a letter of clearance. They face a lifetime of being burdened with someone else's criminal record. Now, with that, I close. I do wish to present the committee with our identity theft survey, also with a documentary about some California identity theft victims that was made by a victim herself. [The documentary will be retained in committee files.] I thank you again for the opportunity to testify on behalf of consumers and on behalf of the identity theft victims. Senator Kyl. Thank you very much for your important work, and we will be very pleased to accept that material for the record of the hearing and try to promote its viewing by others as well. [The prepared statement and information referred to of Ms. Givens follow:] Prepared Statement of Beth Givens The Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy program based in San Diego, California. The PRC was established in 1992. We have been assisting victims of identity theft since 1993, when we first started learning about this crime. Our guides for identity theft victims can be found on our web site at www.privacyrights.org. I estimate that I have assisted at least 4,000 victims of this crime, and that others on our staff have assisted many thousands more over the years. I appreciate the ability to provide written and oral testimony on the skyrocketing crime of identity theft, its impact on victims, and possible solutions. And I commend you and the Subcommittee members for addressing this issue. My written testimony is in four parts. Topic number one is the crime itself--what is identity theft, how much of it is going on, and why is it happening in epidemic proportions. Second, I will discuss the many ways in which identity thieves obtain the bits and pieces of information they need to impersonate others--mainly Social Security numbers (SSN) and credit card account numbers. Third, I will explain some of the impacts on victims. And fourth, I will recommend legislative and industry measures to prevent identity theft and to expedite the ability of victims to regain their financial health. First, what is identity theft? There are numerous variations of this crime. Essentially, it occurs when someone uses bits and pieces of information about an individual--usually the Social Security number--to represent him or herself as that person for fraudulent purposes. Examples are obtaining credit cards and loans in someone else's name and then not paying the bills, opening utility accounts, renting an apartment, getting a cellular phone, purchasing a car or a home, and so on. Another type of identity theft--what I call the worst case scenario--is when the perpetrator commits crimes in the victim's name and gives that person a criminal record. Victims are not liable for the bills accumulated up by the imposters, thanks to federal law. But they do have the anxiety and frustration of spending months, even years, regaining their financial health and restoring their good credit history. How many victims of this crime are there? We don't have accurate statistics. But I estimate that there are 500,000 to 700,000 victims this year. A 1998 report by the U.S. General Accounting Office tracked identity theft statistics from 1992 to 1997, based on figures provided by the Trans Union credit reporting agency (CRA). A graph on page 40 shows a dramatic 16-fold increase in the volume of calls from individuals to Trans Union's Fraud Department during the six-year period from 1992 to 1997. Trans Union now receives well over 2,000 calls a day from victims of identity theft. [U.S. General Accounting Office, www.gao.gov, ``Identity Fraud,'' Report No. GGD-98-100BR, 1998, p. 40] Why are these figures significant? When individuals learn they are a victim of this crime, the first step they should take is to contact the three bureaus and place a fraud alert on their file. The CRA's are Trans Union, Equifax, and Experian (formerly TRW). Therefore, the number of calls received by the CRA's fraud departments is a good indicator of the volume of this crime. Why is this crime so rampant today? It is very easy for the criminals to obtain the information needed--in particular, Social Security numbers. Non-Social Security Administration uses of the SSN have not been prohibited by law, at least not to date. As a result, SSN's are used as identification and account numbers by many entities-- insurance companies, universities, cable television companies, military identification, banks, securities brokerage companies, and the like. In about a dozen states, the SSN is used as the driver's license number. Identity thieves can obtain SSN's by stealing mail where those numbers are included. They sift through the trash outside of businesses and residences in hopes of finding unshredded documents containing SSN's and other data. Dishonest employees can obtain SSN's in the workplace by obtaining access to personnel files or accessing credit reporting data bases (commonly available in auto dealerships, realtors' offices, banks and other businesses that approve loans). Another reason identity theft is rampant is because of credit industry practices. Credit grantors make it all too easy to obtain credit. Many credit issuers do not adequately check the identities of applicants before granting credit. Instant credit opportunities are especially popular with identity thieves for this reason. Credit grantors are all too eager, in their competitive zeal, to obtain new customers. It is not uncommon for households to receive several pre- approved offers of credit per week. In fact, a Los Angeles Times news story reported that credit issuers mailed 3.4 billion pre-approved offers of credit to consumers in 1998. (``Charges are flying over credit card pitches,'' by Edmund Sanders, Los Angeles Times, June 15, 1999, p. D-1. www.latimes.com). Another reason identity theft is skyrocketing is that it does not yet get the attention of law enforcement that more violent crimes receive--like breaking and entering, mugging, robbery by gunpoint, and bank thefts. Many violent criminals and organized crime rings are moving to identity theft because they know that law enforcement resources are not yet sufficient to investigate the majority of such crimes. Identity thieves are rarely apprehended and sentenced. If they are, penalties are minimal and rarely include jail time. Community service and parole are the usual sentences. My second topic is the methods used by identity thieves to obtain identifying information about their victims. Typically, they obtain the Social Security number and name. That's often all that is needed to apply for credit (called ``application fraud''). They also might obtain credit card numbers and hijack existing accounts (called ``account takeover). Other pieces of information useful to identity thieves are dates of birth, mother's maiden name, and driver's license numbers. One such method is the old fashioned way--by stealing a wallet or purse. The thief either uses the information obtained or provides the contents to a crime ring. Even if the individual does not carry the Social Security card in the wallet (and we recommend that they do not), he or she might have an insurance card or student ID with that number on it. Another strategy is to fish credit card slips and loan or credit applications from the trash. Unfortunately many businesses, banks, mortgage companies, and restaurants do not shred these documents. We are seeing an increase in the ``inside job'' in the workplace--dishonest employees with access to computer terminals connected to one of the credit reporting agencies. They might look for names similar to theirs, or just someone with good credit. Obviously what goes hand in hand with this type of access is the negligence of the company which is permitting such uses in an unmonitored environment. ``Insiders'' have also used their access to personnel records to obtain Social Security numbers of identity theft victims. In a recent case in San Diego, a dishonest employee had unfettered access to a storage room where past payroll information was filed. She obtained SSN's of over 100 current and former employees and used them to obtain credit in their names. We learned of a case where a member of a Nigerian crime ring was employed temporarily at a very large corporation. He downloaded the employee list containing SSN's and then one by one the employees' identities were used for fraudulent purchases. The employees didn't know about it until they started sharing stories and learned that many of them had been hit. It wasn't until much later that the human resources department confessed that they had known about the theft, but they didn't want to tell the employees and cause them to panic. Sadly, some identity theft is perpetrated by relatives or friends, roommates, household workers like health care givers, and spouses going through a divorce who have a grudge. These individuals obtain Social Security numbers, driver's license numbers, and credit card numbers by having access to their personal effects. Mail theft is another way of obtaining identifying information, as mentioned above. We urge people not to leave their paid bills out at the mailbox for the carrier to pick up. It's better to drop them off at the Post Office. There's also insider mail theft, where credit card mall is stolen from the mail processing areas by postal employees. Then there's the change of address routine. The thief fills out a change of address card so the victim's mail is diverted to the thief's drop box. The thief obtains bank statements and credit card bills, monthly investments reports, and pre- approved offers of credit containing the information necessary to impersonate the victim. The Postal Service has recently initiated changes to make this more difficult. Application fraud is another method. The imposter fills out a credit application--perhaps a pre-approved offer of credit retrieved from the trash--with the victim's name and identifying information and has the credit card mailed to another address. The major credit card issuers say they are now more wary of changes of address, but their efforts are not foolproof. The Internet is becoming a more popular resource for identity thieves. Yes, there are web sites that sell individuals' Social Security numbers. Visit www.infoseekers.com and www.fastbreakbail.com for example. Social Security numbers can be purchased for as little as $20. They are found in records called ``credit headers'' that are sold by credit reporting agencies to information brokers. Credit headers include name and name variations, current and former addresses, telephone numbers (including unlisted numbers), year and month of birth, and SSN. At this time, there are no restrictions on the sale of credit headers to information brokers. Consumers have no way to ``opt-out'' of the sale of their credit header data. The information broker industry adopted a voluntary privacy policy in 1997, but it has been ineffective in restricting the sale of sensitive personal information to the general public. (See the Individual Reference Services Group guidelines at www.irsg.org.) There are many more schemes. Most victims with whom we have spoken haven't a clue as to how their identifying information was obtained by the imposter. My third topic is what happens to the victims of these crimes? Even though each identity fraud case is different, what happens to the victims is, sadly, all too similar. They get little to no help from the authorities who issued the identifying information to them in the first place. Law enforcement doesn't investigate many such crimes. There's just too much identity fraud occurring for them to handle all such cases, although the financial fraud departments of many police departments are being expanded. Many police and sheriff's departments refuse to issue a police report to the victims. They claim that the banks and credit card companies are the real victims because they suffer the financial losses. Many victims find they need the police report to prove their innocence to the credit card companies and the check guarantee services. Many victims report they do not get effective help from the credit grantors, banks, and the CRA's. They describe difficulty in reaching the credit reporting agencies, and tell how they are treated disbelievingly by some creditors. Victims also report that flagging their credit report for fraud doesn't always stop the imposter from obtaining more credit. Victims must also deal with abusive collection agencies. They are threatened with law suits, garnished wages, and having their homes taken away from them. Another common experience of victims is that they must spend a great deal of time cleaning up the mess. I've talked to many who are taking the day or the week off work so they can make the necessary phone calls, write the letters, and get affidavits notarized. This costs them money as well. Many victims are saddled with this situation for years. In a recent survey we conducted with CALPIRG, we found the average amount of time spent by victims to regain their financial health was 175 hours. And those cases had dragged on for an average of two years, with many cases taking more than four years to be resolved. (``Nowhere to Turn: Victims Speak Out on Identity Theft.'' May 2000. www.privacyrights.org/ar/idtheft2000.htm). Victims are often scarred emotionally. They feel violated and helpless--and very angry. I've heard people use the word ``rape'' to describe how they feel. I've talked to many who are crying or close to it because they cannot stop what is happening to them, and no one else will either. I've talked with elderly people who are terrified of losing their life savings and their homes. It's little wonder that victims feel violated, helpless and angry. They are unable to rent an apartment, get a job, qualify for a mortgage, buy a car, all because someone else's bad credit history is recorded on their credit report. Essentially the entire burden of this crime is placed on the shoulders of the victims. The worst-case scenario is when the thief commits crimes in the victim's name. We learned of a case where the imposter was a major drug dealer, using the identity of a high-tech company president. This man travels out of the country often and has to carry a letter from law enforcement which explains he is not the drug dealer, because he gets pulled into secondary inspection every time he comes back to the U.S. Recently law enforcement from another state, who had not read the entry on the FBI's NCIC crime data base completely, entered his bedroom in the early morning hours and tried to arrest him at gunpoint. He was able to convince them they were seeking the wrong person. Another case that came to our hotline was an Hispanic man, a U.S. citizen, who was visiting relatives in Tijuana, Mexico, across the border from San Diego. He was taken into secondary inspection by U.S. Customs on his return trip to San Diego. A search of his SSN showed he was wanted for a crime in the Bay Area. He was transported from San Diego to San Francisco and put in jail. It took him 10 days before one of the officers believed him, took his fingerprints as he had requested all along, and realized they had the wrong person. Another worst-case scenario is when the imposter is working under the victim's name and SSN, and the earnings show on the victim's Social Security Administration record. We learned of one such a case that had been going on for 10 years. The imposter obtained the victim's birth certificate, a public record in California. And even when the victim acquired a new SSN, the impersonator was able to obtain it shortly thereafter. Victims of employment fraud often must deal with the Internal Revenue Service because IRS records show they are under- reporting their wages. Finally, in order for victims to extricate themselves from the identity theft mess they find themselves in, they have to be fairly savvy consumers. They must be assertive with the credit card, banking and credit reporting industries. They must be assertive with all kinds of other officials as well. I have talked with many consumers who are not equipped to deal with the challenges that this crime brings to them--individuals whose first language is not English, or those whose English language skills are such that they cannot communicate at the level of complexity that this problem requires. Those who are semi- literate or illiterate cannot write the necessary letters. Unfortunately, there are not enough consumer assistance offices to help these people. My fourth and final topic is legislative and industry solutions to the crime of identity theft. The awareness of identity theft among consumers has skyrocketed in the past year--primarily because of media coverage. I think consumers are becoming much more wary of disclosing personal information and having it given out without their consent, especially on the Internet. These outcries by members of the public have resulted in some legislative attention brought to the issue, both on the federal level and in the states. In 1998 Congress passed and the President signed the Identity Theft and Assumption Deterrence Act (18 U.S.C. 1028). It makes identity theft a federal felony when someone knowingly uses the identification of another person with the intention to commit any unlawful activity under federal and state law. Violations of this Act are investigated by federal agencies like the U.S. Secret Service, the FBI, and the U.S. Postal Inspection Service. Such crimes are prosecuted by the U.S. Department of Justice. This new law allows for restitution for victims. It established an identity theft clearinghouse within the Federal Trade Commission. The FTC now offers a toll-free number for consumers to call, 877-IDTHEFT, as well as a web site, www.consumer.gov/idtheft. In recent years nearly 40 states have criminalized identity theft. Most of them have made it a felony. A list of those states can be found on the FTC's web site at www.consumer.gov/idtheft/statelaw.htm. On the one hand, I'm pleased that this crime has been criminalized by these new laws. But I believe that in order to make a dent in identity theft, the practices of the credit industry must change dramatically. Until laws create incentives for the credit industry to change how they do business, the crime of identity theft will continue to climb at epidemic proportions. I am encouraged by the introduction of Senate Bill 2328 by Senators Feinstein, Kyl, and Grassley, titled the ``Identity Theft Prevention Act of 2000.'' It places the emphasis on prevention where it rightfully belongs. The points that follow include discussion of the key provisions of S. 2328 (http://thomas.loc.gov). Here are some suggestions for making credit industry practices more fraud-proof: A change of address is often an indicator of fraud. Simple steps by both credit grantors and reporting agencies in verifying address changes would greatly reduce fraud incidents. S. 2328 requires that if the card issuer receives a change of address notification, it must send a confirmation notice to both the new and former addresses. Further, if a card issuer receives a request for an additional credit card within 30 days of receiving a change of address, it must also notify the cardholder at the old and new addresses. Credit reporting agencies must notify credit issuers when it becomes aware that a credit application bears an address for the consumer that is different from the address they have on file. A penalty should be assessed whenever a credit grantor extends credit to an imposter after the victim has placed a fraud alert on the credit file (a provision of S. 2328). All consumers should be able to receive one free copy of their credit report annually (a provision of S. 2328). With more consumers checking their credit reports frequently, identity theft will be detected earlier and the impact will be minimized. Six states have passed such laws: Colorado, Georgia, Massachusetts, Maryland, New Jersey, and Vermont. Consumers should be able to notify the credit bureaus to put a ``freeze'' on their credit report--to prevent their credit report from being furnished without specifically authorizing the release. A Vermont law requires that users of credit reports obtain permission from the consumer prior to obtaining the credit report (Title 9 sec. 2480e at www.state.vt.us. Click on ``Statutes Online''). In California, state Senator Debra Bowen's SB 1767 would adopt the Vermont ``opt-in'' model. Another important piece of legislation that needs to be enacted is a provision that takes the Social Security number out of circulation. A separate bill introduced by Senator Dianne Feinstein would prohibit the commercial sale of SSN's (Social Security Privacy Act of 2000). This measure would also limit uses of the SSN by private sector entities. Government agencies could not display the SSN on mailing labels and documents available to the public. In California, a bill introduced by state Senator Debra Bowen during the 2000 session would prohibit the use of the SSN as an account or member number by such entities as insurance companies and universities. (SB 1767 can be found at www.leginfo.ca.gov. Click on ``Bill Information.'') Credit grantors should be required to verify at least four pieces of information--name, address, date of birth, SSN, driver's license number, and place of employment--with information on the credit report. This is especially important in instant credit situations. If the consumer is applying in person, the credit grantor must inspect a photo ID. As discussed earlier in this testimony, we consider the worst-case scenario of identity theft to be when the victim is burdened with a wrongful criminal record because of the activities of the imposter. This usually occurs when the imposter is arrested and released, perhaps for a traffic violation or shoplifting, and then does not appear in court. This results in a warrant for the arrest of the identity theft victim. Victims of criminal record identity theft can find it impossible to obtain employment. Many have been jailed. It is common for such victims to be detained by U.S. Customs when entering the country after traveling abroad. They must carry a letter with them from law enforcement or the courts at all times in order to prevent wrongful detention. Such victims are faced with having their identity associated with a criminal record for the rest of their lives. It is critical that legislation address the plight of such identity theft victims. There must be a way for them to learn that they have a wrongful criminal record. S. 2328 includes an excellent provision enabling individuals to obtain the content of information about them that is compiled by an information broker, employment background check service, or individual reference service. If erroneous information is compiled in a background check for employment or other purposes, it is essential that the subjects of those investigations know the exact information that has been disclosed and the source from which the information was obtained. Individuals who have wrongful criminal records must also be able to clear such records through an expedited process involving the law enforcement agency that made the arrest, the court system where the warrant was issued, and the official criminal records data bases at the state and federal levels. At present, there is no such process easily available to victims of criminal records identity theft. You might want to read about such a measure currently being considered in the California legislature, Assemblymember Susan Davis's AB 1897. Victims of criminal record identity theft must also be able to locate all the information brokers that have obtained the erroneous information so they can have those records cleared as well. One solution would be to develop a national registry of individuals who are victims of criminal record identity theft and require all entities who conduct criminal records background checks to access that data base before reporting the criminal records information. In California, Assemblymember Tom Torlakson's AB 1862 would call for the development of such a data base within the California Department of Justice. Legislation is not the entire answer to the vexing problem of identity theft. The credit granting and reporting industries must step up their efforts to assist consumers in preventing fraud altogether and in recovering from identity theft. The Associated Credit Bureaus announced an identity theft initiative in March 2000 that would streamline fraud-handling by the credit reporting industry (www.acb- credit.com). The ultimate goal of this endeavor should be ``one-stop shopping'' for fraud victims--a single phone call to launch the fraud clean-up process. Both creditors and the CRA's should increase the use of artificial intelligence computer programs to identify patterns of fraud and to quickly notify consumers of suspected fraud activity. The May 2000 identity theft victims survey conducted by the Privacy Rights Clearinghouse and CALPIRG found that the average amount of time that had transpired before individuals learned they were victims of identity theft was 14 months. (www.privacyrights.org/AR/idtheft2000.htm). Yet, evidence of fraudulent activity can often be easy to detect--numerous inquiries on the credit report in a short period of time, changes of address, monthly credit account bills that are much higher than usual, many late payments when the individual had none previously, and so on. Before closing, I want to briefly discuss the role of law enforcement in investigating identity theft crimes and assisting victims. Three-fourths (76 percent) of the respondents to the PRC/ CALPIRG identity theft survey reported that the police whom they contacted were unhelpful. Detectives were assigned to their cases less than half of the time. And one-fourth of the victims were not able to obtain a police report. It is clear that the crime of identity theft calls for some new approaches by law enforcement. One approach that is being explored in California is the development of a single unit within the police department that specialize in identity theft. The Los Angeles Sheriff's Department has established such a unit. Assemblymember Robert Hertzberg has introduced AB 1949 to fund three pilot projects in the state to establish such specialized units. Additional suggestions for addressing the multi-faceted crime of identity theft can be found in the PRC/CALPIRG identity theft survey, a copy of which has been provided to the Subcommittee. Thank you for the opportunity to testify about the crime of identity theft. Please feel free to contact the Privacy Rights Clearinghouse if you seek additional information or assistance. [GRAPHIC] [TIFF OMITTED] T9466.001 [GRAPHIC] [TIFF OMITTED] T9466.002 [GRAPHIC] [TIFF OMITTED] T9466.003 [GRAPHIC] [TIFF OMITTED] T9466.004 [GRAPHIC] [TIFF OMITTED] T9466.005 [GRAPHIC] [TIFF OMITTED] T9466.006 [GRAPHIC] [TIFF OMITTED] T9466.007 [GRAPHIC] [TIFF OMITTED] T9466.008 [GRAPHIC] [TIFF OMITTED] T9466.009 [GRAPHIC] [TIFF OMITTED] T9466.010 [GRAPHIC] [TIFF OMITTED] T9466.011 [GRAPHIC] [TIFF OMITTED] T9466.012 [GRAPHIC] [TIFF OMITTED] T9466.013 [GRAPHIC] [TIFF OMITTED] T9466.014 [GRAPHIC] [TIFF OMITTED] T9466.015 [GRAPHIC] [TIFF OMITTED] T9466.016 [GRAPHIC] [TIFF OMITTED] T9466.017 [GRAPHIC] [TIFF OMITTED] T9466.018 [GRAPHIC] [TIFF OMITTED] T9466.019 [GRAPHIC] [TIFF OMITTED] T9466.020 [GRAPHIC] [TIFF OMITTED] T9466.021 [GRAPHIC] [TIFF OMITTED] T9466.022 [GRAPHIC] [TIFF OMITTED] T9466.023 Senator Kyl. Steve Emmert. STATEMENT OF STEVEN M. EMMERT Mr. Emmert. Thank you, Chairman Kyl, Senator Feinstein. I appreciate the opportunity to testify before the subcommittee today about the information practices of our company, LEXIS- NEXIS, and the industry's leadership efforts to balance privacy protections with legitimate, socially beneficial information needs. Among the services that LEXIS-NEXIS offers are people- finder or individual reference services that customers use to locate individuals and to verify identities. Individual reference service products contain only basic identifying information, such as name and address, not financial information. LEXIS-NEXIS is a founding member of the IRSG, which represents leading information industry companies, including the three major credit reporting agencies. We provide commercial information services to help verify the identity of or to locate individuals. Customers use individual reference services for a variety of purposes, including finding witnesses, heirs, pension beneficiaries, and hidden assets. In fact, there are a number of Federal regulations that require the use of location services for these very purposes. They are also used to track down missing and exploited children; locate deadbeat dads, parents; to locate bone, blood and organ donors; and to verify identities of contributors to political campaigns. Each of the companies who belong to the IRSG has adopted self-regulatory principles governing the dissemination and use of personal data. The IRSG developed these principles in 1997 in conjunction with the Federal Trade Commission. As part of these principles, companies commit, among other things, to restrict their distribution of non-public information through appropriate safeguards. One such safeguard prohibits the display of Social Security numbers and dates of birth in individual reference service products distributed to the general public, the types of websites that Senator Feinstein referred to at the beginning of the hearing; also, for products distributed to professional and commercial users, a prohibition on the display of such information in a less truncated and appropriate manner. The example of that would be to mask the last four digits of the number so that you can use the initial numbers to identify the place of issuance and the year of issuance. This principle has helped reduce the availability of Social Security numbers for sale on the Internet. I have summarized in my written testimony the other key safeguards contained in the IRSG principles. Given the subcommittee's focus on identity theft today, I know you are interested in the substantial use that is made of these services in the fight against identity theft where verifying an individual's identity is crucial. Banks, credit card companies, and other types of credit institutions, as well as gas, electric and telephone utility companies and government entities, distributing public entitlement programs are all becoming increasingly plagued by frauds who use existing persons' identity to illegally extract products, services and money. Individual reference service products are also an important tool for other types of fraud prevention efforts by businesses. The insurance industry, for example, relies on individual reference service products to investigate fraudulent claims. Credit card companies and department stores use them to detect and limit credit card fraud. Banks use them to detect and report credit card fraud, insider abuse, and money laundering. Many businesses use them to minimize the risk of financial fraud when they receive an unusual order for the delivery of merchandise. Since the victims of identity theft are not only the businesses that lose billions to various forms of identity theft per year, but also the consumers whose credit is often ruined by this insidious act, everybody directly benefits by this application of personal identifying information provided by individual reference services. My point is that the availability of individual reference services helps to reduce identity theft. Although some have alleged that the availability of identifying information from individual reference services contributes to identity theft, two Federal agencies, the Federal Reserve Board and the Federal Trade Commission, have studied this question, and neither agency was able to find any support for this proposition. With respect to S. 2328, our concern is that if enacted in its current form, it would jeopardize the usefulness of such services. Specifically, we believe it goes too far in sections 7 and 8. Section 7 would have the effect of cutting off identifying information that we use to index and organize disparate information, distinguishing between John Smiths that live in the same town. I actually checked this morning. Currently, there are 34,516 entries for ``John Smith'' on a nationwide basis. Trying to determine which John Smith you are looking for is a little bit of a trick sometimes. When we have the availability of prior addresses, age, and Social Security information, we can make those distinctions. These indexing and verification uses are critical to ensure that the products that we and other IRSG members offer to professional and government agencies contain accurate and complete information. Section 8 would mandate that individual reference service companies enter a very different market than they ever sought to enter, the consumer market for public record information, as a condition of selling public record information to lawyers, law enforcement officials, journalists, and other professionals. We do not object to providing an individual with non-public information contained in an individual reference service product that specifically identifies him or her. The IRSG principles already require this. Nor do we object to advising an individual about the nature of public record information that an individual reference service makes available in its products, if reasonably available, where you can obtain a correction and where a correction request can be directed. The IRSG principles also require this. We do object, however, to having to undertake the enormous burden associated with retrieving potentially relevant information from a large number of data bases of public records and verifying that it pertains to the individual making the request. In addition to being burdensome, it would be ineffective for the consumer. To be effective, any correction of errors must be made with the government entities where the sources of the information originate. The task of individual reference services in this regard is to reflect reliably the data made available by the originating public record source. Again, I would like to thank you for the opportunity to testify this morning and welcome any questions you may have. [The prepared statement of Mr. Emmert follows:] Prepared Statement of Steven M. Emmert I. INTRODUCTION I am the Director of Government and Industry Affairs for Reed Elsevier Inc. and LEXIS-NEXIS, a wholly owned division of Reed Elsevier. On behalf of both LEXIS-NEXIS and the Individual Reference Services Group, I very much appreciate the opportunity to testify before your Committee about the information practices of my company, our efforts in the area of acquisition, security, and use of personally identifiable information from non-public sources, and industry's leadership efforts to balance privacy protections with legitimate, socially beneficial information needs. LEXIS-NEXIS leads the information industry with the largest one- stop, dial-up information service, the LEXIS-NEXIS service for legal, business, and government professionals. The LEXIS-NEXIS service contains more than 2.2 trillion characters and approximately 2.5 billion documents in more than 10,200 data bases. It adds 14.7 million documents each week. Today, two million professionals worldwide--lawyers, accountants, financial analysts, journalists, law enforcement officials, and information specialists--subscribe to the LEXIS-NEXIS services. They perform more than 400,000 searches per day. The combined services contain more than 24,800 sources: 18,800 news and business sources and 6,000 legal sources. The NEXIS service is the largest news and business online information service, with not only news, but company, country, financial, and demographic information, as well as market research and industry reports. The NEXIS service is unmatched in depth and breadth of information. In fact, 120,000 new articles are added each day from worldwide newspapers, magazines, news wires and trade journals. Although the overwhelming majority of the information sources on the LEXIS and NEXIS services are public in nature, all of which are available to the general public through their public libraries, the local news stand or bookstore, or from government offices, a handful of the data sources that contribute to our services are not available to the general public. These data sources include consumer credit reporting files but contain only basic identifying information (e.g, name, address) that is used by customers of LEXIS and NEXIS to locate specific individuals. LEXIS-NEXIS also is a founding member of the Individual Reference Services Group (IRSG), which represents leading information industry companies, including the three major credit reporting agencies, that provide commercial information services to help verify the identity of or locate individuals. Each of the member companies has adopted self- regulatory principles governing the dissemination and use of personal data, principles which the IRSG developed in 1997 in conjunction with the Federal Trade Commission. While I will concentrate on LEXIS-NEXIS' practices, we believe that these are typical of the practices of members of the IRSG. Our company and the other members of the IRSG are committed to the responsible acquisition and use of personally identifiable information, and share the Subcommittee's concern about the potential misuse of data for identity theft and other harmful purposes. Indeed, in the fight against identity theft, where verifying an individual's identity is crucial, individual reference service products are absolutely essential. My remarks today will focus on three areas. First, because most people know relatively little about our industry and may confuse the sort of services that are the topic of this hearing with the mainstream of the industry, I will explain the customer base and socially beneficial uses for individual reference information. For example, law enforcement agencies and fraud investigators are major users of these services, and at a 1997 FTC workshop on data base privacy the Secret Service, the Treasury Department's Financial Crimes Enforcement Network (``FINCEN''), American Bankers Association, and National Retail Federation all testified to the importance of these services for their work preventing and pursuing fraud. Second, I will provide some background about the IRSG principles and their enforcement mechanisms. I also will illustrate some of the IRSG principles by explaining how LEXIS-NEXIS implements them. Finally, I will make some observations about the impact of sections 7 and 8 of S. 2328 upon LEXIS-NEXIS and other individual reference services. II. USES OF INDIVIDUAL REFERENCE SERVICE INFORMATION Individual reference services are companies that furnish timely and reliable information to identify and locate individuals. The information is used by governmental, private sector, and non-profit entities for a wide range of beneficial purposes. Individual reference services, such as those provided by LEXIS- NEXIS, are often the only way that individuals with limited resources, through the assistance of a professional who has access to these services, can obtain critical information. LEXIS-NEXIS' customers are professionals, primarily in the fields of law, business, journalism, and law enforcement. For example, law enforcement agencies use these services to locate criminals and witnesses to crimes, and to confirm identities. In fact, individual reference services play an important role in combating the very sorts of fraud that flow from personal financial information falling into the wrong hands. At the June 1997 FTC workshop examining reference services, witnesses from both FINCEN and the Financial Crimes Section of the U.S. Secret Service testified to the value and importance of these services for their work. In the fight against identity theft, where verifying an individual's identity is crucial, individual reference service products are absolutely essential. Banks, credit card companies, and other types of credit institutions, as well as gas, electric, and telephone companies and governmental entities distributing public entitlement programs, are all becoming increasingly plagued by fraudsters who use an existing person's identity to illegally obtain products, services and money. The best, and perhaps only, means of preventing this type of fraud is to crosscheck through the use of personal identifying data, often provided by individual reference services. Since the victims of identity theft are not only the businesses that lose billions to various forms of identity theft per year, but also the consumers whose credit is often ruined by this insidious act, everyone directly benefits by this application of the personal identifying information provided by individual reference services. Individual reference service products also are an important tool for other types of fraud prevention efforts by businesses. The insurance industry, for example, relies on individual reference service products to investigate fraudulent claims. Credit card companies and department stores use them to detect and limit credit card fraud. Banks use them to detect and report credit card fraud, insider abuse, and money laundering. Many businesses use them to minimize the risk of financial fraud when they receive an unusual order for delivery of merchandise. Other businesses use them when performing due diligence before engaging in a business venture with a little-known corporation in the increasingly mobile world economy. The Insurance Information Institute reports that special investigation units save their companies about $10 for every dollar invested in them. Reference services help people in many other ways. One of the most compelling is child support enforcement. Whereas government-compiled child support data bases have encountered difficulties in some instances, individual reference services have proven to be invaluable in tracking down parents who are delinquent in these obligations. In this way, these services advance personal responsibility, give much- needed income to divorced parents and their children, help free families from welfare dependency, and provide an additional source of revenue to state welfare programs. Individual reference services can locate non-custodial parents--quickly and inexpensively, even in circumstances where they move to a different state or begin using a different name. The Association for Children for Enforcement of Support (``ACES''), the leading child support advocacy organization, uses LEXIS-NEXIS' P-TRAK service to assist families--approximately 80 percent of whom are on welfare--in locating parents who have failed to meet legal child support obligations. ACES has reported tremendous success with the service, locating more than 75 percent of the ``deadbeat'' parents they sought, and helping families receive much- needed support. Among the many other important uses of individual reference services are: finding long-lost family members, locating heirs to estates who have moved or changed their names through marriage, locating pension fund beneficiaries who have left a company, locating victims of fraud schemes or environmental hazards, protecting consumers from unlicensed professionals and sham businesses, locating blood, organ and bone marrow donors, promoting the transparency of the political process by providing easy-to-search information on individuals' campaign donations, locating witnesses, and providing citizens with efficient, ready access to Federal, state, and local government information. From these examples, I hope the Subcommittee will appreciate the value of individual reference services. III. THE IRSG APPROACH Privacy Protection Rapid advances in technology, a highly mobile society, the need to prevent fraud, and other market demands for information have spurred increased reliance upon information services provided by companies like LEXIS-NEXIS. These changes in society and technology also have resulted in a heightened interest in the privacy considerations implicated by such services. At LEXIS-NEXIS we are attuned to these issues and have strongly committed to taking a leadership role in effectively addressing them. Privacy protection in the United States has evolved in a way that offers individuals effective protections while, at the same time, not limiting the benefits of technological advances. The ability to preserve both of these important interests results from a network of different policies. These policies are tailored to provide protections in specific circumstances in order to prevent actual or potential abuses of personal information. This sectoral approach is preferable to an omnibus or ``one-size-fits-all'' privacy policy that would govern all industries. Addressing privacy issues within specific industry sectors has proven very effective in evolving and responding to changes in industry and society. The IRSG Principles The importance of defining privacy practices tailored to specific types of information is demonstrated in the IRSG principles. In September 1996, in the closing hours of the 104th Congress, the Federal Trade Commission proposed a broad prohibition on the use of credit header information--non-financial identifying information obtained from a consumer reporting agency's data base. Members of the individual reference service industry and those who rely on credit header information alerted Congress that such a prohibition would severely limit important uses of this information. As a result of arguments made by industry, regulatory efforts were postponed until a further study of the issues could be conducted. This gave LEXIS-NEXIS the opportunity to join together with 13 other companies in the individual reference services industry to form the IRSG. The companies that comprise the IRSG are the leaders in providing information and assisting users in identifying and locating individuals. In close consultation with the Federal Trade Commission, the IRSG developed a comprehensive set of self-regulatory principles backed by third-party assessments and government enforcement that these companies follow. These principles focus on non-public information, that is, information about an individual that is of a private nature and neither available to the general public nor obtained from a public record. For example, the principles govern information obtained from credit headers, such as social security numbers and addresses and telephone numbers. Companies that sign on to the IRSG principles commit--among other things--to: acquire individually identifiable information only from sources known as reputable, restrict their distribution of non-public information through appropriate safeguards, educate the public about their data base services, and furnish individuals with a copy of the information contained in services and products that specifically identifies them, unless the information is publicly available. One of the safeguards on the distribution of non-public information is a prohibition on the display of social security numbers and dates of birth in individual reference service products distributed to the general public and, for products distributed to professional or commercial users, a prohibition on the display of such information unless truncated in an appropriate manner (e.g., masking of the last four or more digits of social security numbers). This IRSG principle has helped reduce the availability of social security numbers for sale on the Internet. Self-Regulation with ``Teeth'' Third-party assessments backed by government enforcement provide real ``teeth'' for enforcing these principles. Enforcement rests on the following three pillars: Legal sanctions--Any company that holds itself out to the public as following the principles may be responsible under existing Federal and state law if the company fails to live up to them. Both the Federal Trade Commission and state attorneys general can bring charges under Section 5 of the Federal Trade Commission Act and similar state laws against member companies that fail to adhere the principles. Cut-off of data supply--Signatories to these principles require by contract that all companies buying non-public data from them for resale abide by the principles. Non-complying companies risk losing access to the data they need for their products or services. This is particularly significant in that it is estimated that IRSG signatories control 90 percent of all non-public information obtained from credit headers. Independent assurance reviews--Every IRSG company must undergo a third-party assessment to verify compliance with the principles. I will describe this in more detail below. Information Practices In the spirit of openness, the principles require individual reference services to have an information practices policy statement available to the public upon request. These statements describe: the types of information included, the types of sources from which that information is obtained, the nature of how the information is collected, the type of entities to whom the information may be disclosed, and the type of uses to which the information may be put. This openness enables individuals to understand the reference service's use of the information it possesses. Individual reference services also inform individuals, upon request, of the choices available to limit access to or use of information about them contained in a company's products and services. Further, the principles require an individual reference service to provide information about the nature of public record and publicly available information that it makes available in its products and services and the sources of such information. Third-Party Assessments To help ensure that member companies do not make unsubstantiated assertions of compliance, the IRSG principles require that independent professional services conduct annual third-party assessments of their compliance. These independent professional services can be accounting firms, law firms, or security consultants who use the criteria developed by PriceWaterhouseCoopers for the IRSG. When the principles were adopted in December 1997, these companies agreed that the assurance reviews would be completed within 15 months. I am pleased to report that this is the second consecutive year in which the companies that offer products that fall within the scope of the IRSG principles and subscribe to the principles have successfully undergone these assessments. As this milestone attests, the IRSG has made great strides through self-regulation to secure the benefits of information service resources and ensure effective protection of consumer privacy. IV. LEXIS-NEXIS' PRACTICES: THE IRSG PRINCIPLES AT WORK In addition to the IRSG principles, LEXIS-NEXIS maintains its own code of fair information practices. While these practices are based upon LEXIS-NEXIS' policies, they also provide an example of how the IRSG principles are implemented. A. LEXIS-NEXIS Acquires Information Only From Reputable Sources Section II of the IRSG principles requires that information be acquired ``from only sources known as reputable in the government and private sectors.'' IRSG members are specifically required ``to understand an information source's data collection practices and policies before accepting information from that source.'' The majority of the information contained in LEXIS-NEXIS data bases is public record information. Moreover, a significant portion of the information we provide comes from publicly available information such as news reports. A few of our many data bases contain some information from non-public sources, such as credit header information (the non- financial, individual identifying information derived from the top of a credit report). At present, we do not provide individually identifiable financial information from non-public sources. However, as discussed above, the IRSG principles are sufficiently broad to encompass, and would apply to, any member company's provision of this sort of non-public information. Because most of our services offer public records, in many cases LEXIS-NEXIS obtains information directly from the government entity that originated it. In addition to governmental sources, the information gathered for our data bases is collected from a wide variety of other sources, some of which are large, well-known companies and smaller, lesser-known businesses. Regardless of the size of the source, in our acquisition of information, we must be confident that all of the information we obtain is owned by the sources and possessed in a legal manner. We review the data collection practices and policies of our sources before accepting information from them to determine whether the data they propose to furnish to us was compiled in a lawful and ethical manner. Furthermore, in order to continue to ensure the accuracy and acceptable origin of information in our data bases, we also engage in occasional site visits to evaluate directly the information practices of the source. In addition, Section III of the IRSG principles requires that ``[r]easonable steps be taken to help assure the accuracy of information in individual reference services.'' LEXIS-NEXIS has embraced this as one of our core policies for many years and through the IRSG we have reaffirmed our commitment to this important principle. LEXIS-NEXIS strives to obtain or create exact reproductions of the machine-readable versions of public records as copied and maintained by the official custodian of the records. We enter into written contracts with all of our sources that contain provisions attesting to the accuracy of the information the source provides LEXIS-NEXIS. These provisions instill confidence that our information is accurate by providing both a deterrent against providing us with inaccurate information, as well as recourse against sources that may violate these provisions. LEXIS-NEXIS' commitment to accuracy, however, does not end with the contractual commitment from the source. We also engage in original source checks to verify that the source is in compliance with our agreement. From time to time LEXIS-NEXIS will go to the original jurisdiction where information is generated and compare samples of information obtained from the jurisdiction with the information provided to LEXIS by its source. This procedure allows us to measure the level of accuracy of our suppliers. B. Security Section VI of the IRSG principles requires signatories to maintain facilities and systems to protect information from unauthorized access and from persons who may exceed their authorization. LEXIS-NEXIS employs a wide array of measures to protect at all times the security of our products and the information obtained from our suppliers. Our security measures are deployed both within our computer systems and within our physical plant. To establish security within our data base system, we employ the most effective security programming available. We constantly evaluate our system looking for weaknesses in order to eliminate them and upgrade security. Our physical plant also uses the most effective security available, including state-of-the-art surveillance systems. Access to the various sections of our facilities is limited to authorized employees. This is done through the use of a ``swipe-in''/``swipe-out'' card system that allows us to account for individuals who are working in certain areas and the times that they are in these areas. Security guards, surveillance cameras, and other surveillance techniques also are employed. Our security system provides the highest level of accountability, and has proved extremely successful in eliminating unauthorized use of information. Additionally, all LEXIS-NEXIS employees are required to sign a non-disclosure agreement stating that they will not disclose confidential information to which they have access as part of their job responsibilities. C. Selective and Limited Distribution Section V of the IRSG principles addresses distribution of non- public information. Section V.A requires that individual reference services distribute non-public information only to qualified subscribers and sets out a lengthy set of conditions that determine these qualifications, as well as recordkeeping requirements concerning subscribers. All of our subscribers enter into formal agreements with LEXIS- NEXIS that define the limits and appropriate uses of information obtained from our data bases. For example, in its customer agreements, LEXIS-NEXIS requires customers to agree contractually not to use information obtained from the data bases for purposes that would violate the Fair Credit Reporting Act. In addition, a warning about FCRA restrictions is prominently visible to LEXIS-NEXIS customers before they access many of the data bases contained in the public record library, as well as files containing non-public information. This warning states: The Fair Credit Reporting Act (15 U.S.C. Sec. 1681) prohibits use of information from this file to determine a consumer's eligibility for credit or insurance for personal, family or household purposes, employment or a government license or benefit. To become a LEXIS-NEXIS subscriber, the prospective customer must furnish information including company/organization name, address, contact person and telephone number. We do not respond to anonymous requests for information, and we thus would be able to assist authorities in the event that subscribers were ever to misuse information. V. ADVERSE IMPACT OF SECTIONS 7 AND 8 OF S. 2328 S. 2328 would directly affect individual reference services in two ways. First, section 7 would cut off the supply of the type of identifying information we obtain from consumer reporting agencies and use to help ensure accuracy in indexing and compiling disparate information. Second, section 8 would mandate that individual reference service companies enter a very different market than they ever sought to enter--the consumer market for public record information--as a condition of selling public record information to lawyers, law enforcement officials, journalists, and other professionals. These proposals are, at best, burdensome and unnecessary and, at worst, unconstitutional and harmful to consumers. Section 7--Cutting Off the Supply of Identifying Information In prohibiting consumer reporting agencies from supplying anything other than a consumer's name and current address without a ``permissible purpose,'' as defined by the Fair Credit Reporting Act, section 7 would have the effect of cutting off identifying information that we use to index and organize disparate information. Distinguishing between ``John Smiths'' who live in the same town is far more effective when we have available to us prior addresses, age, and social security number information. These indexing and verification uses are critical to ensuring that the products we, and other IRSG members, offer to professional and government agencies contain accurate and complete information. The use of social security number information for indexing and verification purposes is different than the display of such information in individual reference service products. As noted earlier, the IRSG principles prohibit the display of social security numbers and dates of birth in individual reference service products distributed to the general public and, for products distributed to professional or commercial users, prohibit the display of such information unless truncated in an appropriate manner.\1\ --------------------------------------------------------------------------- \1\ This IRSG principle has helped reduce the availability of social security numbers for sale on the Internet. The most common sources of such information today are Web sites operated by private investigators and Web sites selling ``stale'' information they obtained prior to the implementation of the IRSG principles. --------------------------------------------------------------------------- Cutting off the availability of social security numbers and similar identifying information for indexing and verification purposes is particularly ironic in light of the requirement in section 8, discussed below, that individual reference service companies provide consumers with copies of ``their files,'' who in turn will probably review the information for accuracy and completeness. Section 8--Consumer Review of Public Record Information in their ``Files'' Requiring individual reference service providers, upon request, to disclose to a consumer ``the nature, content, and substance of all information in the file maintained by the provider,'' is unnecessary, burdensome, and unwise. Section 8's requirement is unnecessary insofar as the IRSG's access principle already requires an individual reference service to provide an individual with ``non-public information contained in'' its look-up products that specifically identifies him or her. (Two types of information are exempted from this requirement: information obtained on a limited use basis from a governmental agency and information whose disclosure is limited by law or legally recognized privilege.) For public record information (and publicly available information) contained in an individual reference service's products, the IRSG principles require a company, upon request, to advise an individual about the nature of such information that it makes available in its products and the sources of such information. Public record information is information about or related to an individual that has been obtained originally from the records of a Federal, state, or local government entity that are open for public inspection. Examples of public records include titles to real property, real property tax assessor records, bankruptcies, judgments, liens, state professional licenses, and death records. When contacted by an individual concerning an alleged inaccuracy about that individual in its public record information, the IRSG principles further require an individual reference service company to inform the individual of the source of the information and, if reasonably available, where a request for correction may be directed. To be effective, any correction of errors must be made with the government entities that are the sources of this information. The task of individual reference services in this regard is to reflect reliably the data made available by the originating public record source. Moreover, neither inaccuracies nor consumer harm are a significant issue in connection with individual reference services. Technological developments and quality assurance measures yield information that reliably mirrors the original public records. Furthermore, the FTC acknowledged in its 1997 Report to Congress on Individual Reference Services that ``neither workshop participants nor commentators identified concrete evidence of harm linked directly to inaccurate records offered by look-up services.'' Nor has any evidence to the contrary emerged since 1997. In addition, statutory safeguards do exist for individuals in the vast majority of circumstances in which the distribution of inaccurate public record information might cause them real harm. For example, the Fair Credit Reporting Act already regulates extensively the use of public record information in connection with decisions about a consumer's eligibility for employment, credit, or insurance. Weighed against this dearth of evidence of inaccuracies or consumer harm is the enormous potential burden associated with retrieving potentially relevant information from the large number of data bases of public records and verifying that it pertains to the individual making the request. This is necessary because many individual reference services, unlike consumer reporting agencies, do not maintain ``files'' in connection with specific individuals. For example, individual reference services leave to their customers the tasks of formulating their search inquiries, of personally reviewing the search results to determine whether the search might have been under-inclusive and, where the search inquiry is over-inclusive, of personally reviewing the search results to determine what records may be relevant. To meet the bill's demands, however, individual reference services would need to hire teams of customer service representatives, train them, and assume the risk of error in formulating search inquiries and making associated decisions. In short, it would force individual reference services to assume risks they long ago shifted to their customers. Finally, section 8 would require that, as a condition of selling public record information to lawyers, law enforcement officials, journalists, and other professionals, individual reference services enter the consumer market for public record information. This is a very different market than most individual reference services ever sought to enter. Moreover, imposing this condition would run afoul of the First Amendment because it would unduly burden the publication of information already in the public domain. See, e.g., The Florida Star v. B.J.F., 491 U.S. 524 (1989) (striking down statute that imposed civil liability upon a newspaper for publishing the name of a rape victim which it had obtained from a publicly released police report); Smith v. Daily Mail Publishing Co., 443 U.S. 97 (1979) (finding unconstitutional the indictment of two newspapers for violating a state statute forbidding newspapers to publish the name of any youth charged as a juvenile offender). VI. CONCLUSION Our company and the IRSG are committed to the responsible acquisition and use of personally identifiable information, and share the Subcommittee's concern about the potential misuse of data for identity theft and other harmful purposes. Nevertheless, individual reference service products are absolutely essential in the fight against identity theft, and the Congress should not take any steps that would jeopardize the usefulness of such services. Senator Kyl. Thank you. Mr. Pratt. STATEMENT OF STUART K. PRATT Mr. Pratt. Chairman Kyl and Senator Feinstein, let me join with the others who have testified already and thank you very much for holding this hearing. It is important to us, as the Associated Credit Bureaus, because we represent 500 or so companies out in the marketplace who, in fact, are the information companies who ultimately have their data bases polluted by the crime of identity theft. Mr. Chairman, in particular, we thank you for your thoughtful leadership on the enactment of the Identity Theft Assumption and Deterrence Act of 1998. It was the right step, it was the right time. In fact, at several hearings that I have attended--and one of the reasons we go to these hearings is that it isn't just a matter of telling you what we think. It is a matter of hearing what else is said. Each time I hear a victim, it gives me a chance to go back to our own industry and make it more real to our chief executives, to encourage them to be more efficient, to make sure that they understand that we all have personal lives. I have two children and they go to swim team and they do other things, and if I am spending most of my time unraveling a problem, I am not spending my time on what I guess I would think of as higher priorities in our personal lives. In fact, that is really what drove the Associated Credit Bureaus to establish an identity theft task force that consisted of the chief executive officers. It was a longitudinal process. We actually hired a former attorney general to work with us and we have launched our first series of initiatives. They were announced March 14 and were a part of the identity theft summit that was hosted by the Department of the Treasury earlier this year. We are not finished in terms of our work. I think it is time for industry to be progressive. It is time for industry to look at what we can do. I remember Jim Bauer a number of years ago testifying, in fact, to a Senate Banking Committee subcommittee encouraging industry to step forward and take its responsibility seriously in terms of how this crime affects consumers. It is invasive, it is longitudinal. There is a snarl of problems that result from this, and I think each one of us has our role in trying to solve that problem. We are unhappy, again, with that data that is in our file that is inaccurate that causes a legitimate consumer to not have access to the benefits and the services that they would like to have in this society today. So with that, let me just focus a few comments on the types of initiatives that we have undertaken so far, at least some of which are consistent with some of the ideas we have heard discussed already. We think it is very important that we do what we can to improve both the use of and the effectiveness of the security alerts that we add to the credit files. You have heard testimony today saying are these effective. We want them to be effective, obviously. So, in fact, just this past month we have decided to standardize both the literal statement as well as the coding of what goes into a security alert to ensure that our customers across any technology platform can look for and identify that security alert to make sure that they can then take the actions that they feel are appropriate. We also think that consumers, when they are calling three different consumer reporting agencies for credit fraud, for example, need an even experience. We interviewed victims who said, you know, it is hard for me if you are asking for this data, but you are asking for this data; you ask me to jump through this hoop, but you ask me to jump through this hoop. So can we harmonize, can we standardize some of that experience? We are moving to standardize the advice we give consumers. We are moving to standardize the communications that we give to consumers. We are moving, in fact, to standardize what steps we take first in the process for consumers. Another step was, in fact, even on a weekend where a consumer would get an automated voice attendant potentially rather than get live personnel. One of the keys is to assure that consumers have confidence in what is being done. I think I heard testimony today, and I have heard this before: I am still not sure I feel good, I am not sure I am safe. We want to create a safer world, and so in our case we will add a security alert automatically even if you just leave a message--no verification, no authentication, no hoops. So, that is going to be a change that we are making this year. We will also take you out of all pre-screened offers of credit automatically, no verification, no efforts to check further, but just do it. And we will also issue your file within 3 business days and get that out into the mail so that you can look at that file, and then you will have access to an 800 number and live personnel where you can continue the process of working through this. We will escalate communications to credit grantors even where we do not yet see credit on the file. This is a change in our practices, so that we will communicate electronically through a network that we have established and funded through the 1990's which allows us to communicate with a majority of our data furnishers so that even where there is just what we call an inquiry on the file, and if a consumer says I don't recognize doing business with that bank, and we don't see an account yet on the file, but we wonder what is happening, is there something in the pipeline, that is part of the longitudinal effect. You see what is on the file. It is a snapshot, but there may be more that is cycling in, and this is the experience that consumers have. It seems to go on and on and on. One of the most important steps I think we have taken is that we are going to build new software technologies that will be available within 7 months of that announcement we made earlier this year. We are going to monitor the file, and I think this is going to help solve one of the problems. One of the problems is that consumer says, ``You know, it is on my shoulders to check the file, and to check it again and check again and make sure I am still OK.'' Well, we are going to trigger communications to consumers where we see unusual file activity. We are actually going to mail or communicate with that consumer and say we have seen something happen to your file that doesn't look right, can you call us again on the 800 number, free of charge, and escalate our linkage with the consumer who has been victimized. Again, I think it makes good business sense, by the way, to keep the file clean once we have gotten it cleaned back up again. But we can't be confident that all of the credit problems out there have been cleaned up as well. So we have to try to keep it clean by staying in touch with that consumer. So, that is a sampling of the efforts that we are undertaking, and we have more on the way, actually. I have a conference call next week with another segment of our industry to further refine and take some additional steps to try and build these efficiencies into the system. So I am happy to be here today. We are happy to answer your questions and we appreciate the opportunity you are taking to learn and get the big picture of what is happening on this issue of identity theft. [The prepared statement of Mr. Pratt follows:] Prepared Statement of Stuart K. Pratt Mr. Chairman and Members of the Subcommittee, my name is Stuart Pratt and I am vice president of government relations for the Associated Credit Bureaus, headquartered here in Washington, D.C. ACB, as we are commonly known, is the international trade association representing over 500 consumer information companies that provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services, and collection services to hundreds of thousands of customers across the United States and the globe. Our members are the information infrastructure that contributes to the safety and soundness of our banking and retail credit systems; which: allows for the efficiencies of a secondary mortgage securities marketplace that saves consumers an average of 2 percentage points on the cost of a mortgage. helps e-commerce and bricks-and-mortar businesses authenticate applicant data, thus reducing the incidence of fraud. gives child support enforcement agencies the information tools necessary to accomplish their mission. allows states to reduce the incidence of many forms of entitlement fraud. On behalf of ACB, I want to commend you for holding this hearing on the issue of identity theft and for your efforts in the previous Congress, leading to the enactment of the Identity Theft Assumption and Deterrence Act of 1998. Identity theft is an equal-opportunity crime that can affect any of us in this hearing at any time. It is a particularly invasive form of fraud where consumers, consumer reporting agencies and creditors must untangle the snarl of fraudulent accounts and information resulting from a criminal's actions. This task is often frustrating and time-consuming for all concerned. Before I specifically address how our industry has responded to the needs of creditors and victims of identity theft, I have found it helpful to provide a short review of what a consumer reporting agency is, what is contained in a consumer report, and the law that governs our industry. CONSUMER REPORTING AGENCIES AND CONSUMER REPORTS Consumer reporting agencies maintain information on individual consumer payment patterns associated with various types of credit obligations.\1\ The data compiled by these agencies is used by creditors and others permitted under the strict prescription of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) to review the consumer's file. --------------------------------------------------------------------------- \1\ Our members estimate that there are approximately 180 million credit active consumers. Since our members operate in competition with each other, these consumers are likely to have more than one credit history maintained. --------------------------------------------------------------------------- Consumer credit histories are derived from, among other sources, the voluntary provision of information about consumer payments on various types of credit accounts or other debts by thousands of data furnishers such as credit grantors, student loan guarantee and child support enforcement agencies. A consumer's file may also include public record items such as a bankruptcy filing, judgment or lien. Note that these types of data sources often contain SSN's as well. For purposes of data accuracy and proper identification, generally our members maintain information such as a consumer's full name, current and previous addresses, Social Security Number (when voluntarily provided by consumers), date of birth or age, and sometimes places of employment. This data is loaded into the system on a regular basis to enhance the completeness and accuracy of data.\2\ --------------------------------------------------------------------------- \2\ Note that there are in fact a number of major credit reporting systems in this country. Within ACB's membership the three most often recognized systems are Equifax, Atlanta, GA; Experian, Orange, CA; and Trans Union, Chicago, IL. These systems not only manage their own data but also provide data processing services for the over 400 local, independently-owned, automated credit bureaus in the Association's membership. --------------------------------------------------------------------------- It is important to note that the vast majority of data in our members' systems simply confirms what you would expect: that most consumers pay their bills on time and are responsible, good credit risks. This contrasts with the majority of systems maintained in other countries, such as Japan, Australia, or Italy, which store only negative data and do not give consumers recognition for the responsible management of their finances. As important as knowing what we have in our files is also knowing what types of information our members do not maintain in files used to produce consumer reports. Our members do not know what consumers have purchased using credit (e.g., a refrigerator, clothing, etc.) or where they used a particular bank card (e.g., which stores a consumer frequents). They also do not have a record of when consumers have been declined for credit or other benefit based on the use of a consumer report. Medical treatment data is not a part of the data bases, and no bank account balance information is available in a consumer report. THE FAIR CREDIT REPORTING ACT (FCRA) In addition to our general discussion of the industry, we believe it is important for your Subcommittee to have a baseline understanding of the law that regulates our industry. Enacted in 1970, the Fair Credit Reporting Act was significantly amended in the 104th Congress with the passage of the Credit Reporting Reform Act.\3\ --------------------------------------------------------------------------- \3\ Public Law 104-208, Subtitle D, Chapter 1. --------------------------------------------------------------------------- Congress, our Association's members, creditors and consumer groups spent over 6 years working to modernize what was the first privacy law enacted in this country (1970). This amendatory process resulted in a complete, current and forward-looking statute. The FCRA serves as an example of successfully balancing the rights of the individual with the economic benefits of maintaining a competitive consumer reporting system so necessary to the efficient operation and growth of a market- oriented economy. The FCRA is an effective privacy statute, protecting the consumer by narrowly limiting the appropriate uses of a consumer report (often we call this a credit report) under Section 604 (15 U.S.C. 1681b), entitled ``Permissible Purposes of Reports.'' Some of the more common uses of a consumer's file are in the issuance of credit, subsequent account review and collection processes. Reports are also, for example, permitted to be used by child support enforcement agencies when establishing levels of support. Beyond protecting the privacy of the information contained in consumer reports, the FCRA also provides consumers with certain rights such as the right of access; the right to dispute any inaccurate information and have it corrected or removed; and the right to prosecute any person who accesses their information for an impermissible purpose. The law also includes a shared liability for data accuracy between consumer reporting agencies and furnishers of information to the system. FRAUD PREVENTION AND IDENTITY THEFT Let me now turn to our industry's efforts with regard to fraud. Our industry has a history of bringing forward initiatives to address fraud. These efforts focus on use of new technologies, better procedures and education. Consider the following efforts undertaken during this past decade: ACB formed a Fraud and Security Task Force in 1993. A ``membership alert form'' was developed for use in notifying other ACB credit bureau members of customers who were committing fraud through the misuse of data. Implemented in 1994. A ``Universal Fraud Information Form'' was developed for use by creditors when communicating the incidence of fraud to national consumer reporting systems. The credit reporting industry developed a comprehensive presentation on ACB fraud and security initiatives for delivery to customer segments during 1995. Minimum standards for data access equipment and software were announced to industry suppliers in March 1995. ACB members have implemented company-specific limitations on the availability of account numbers, and truncation of Social Security Numbers on consumer reports sold to certain customer segments. Experian, Equifax and Trans Union voluntarily formed special fraud units with toll-free number service and consumer relations personnel specially trained to work with fraud victims. A hardware and software certification program has been created by the industry and administered by a third-party certification authority for those access products, which have implemented industry security standards. Over 150,000 copies of a new customer educational brochure entitled ``We Need Everyone's Help to Protect Consumer Privacy and Reduce Fraud'' have been distributed since its first printing in 4th Q. 1997. An education program was also developed for use by ACB members in presenting the information found in the brochure. 2nd Q. 1998. On March 14, 2000, the ACB announced new voluntary initiatives to assist consumers who have been victimized by identity theft. Following is a description of each initiative and also attached is our press release. Advocate the use and improve the effectiveness of security alerts through the use of codes transmitted to creditors. These alerts and codes can help creditors avoid opening additional fraudulent accounts. Implement victim-assistance best practices to provide a more uniform experience for victims when working with personnel from multiple fraud units. Assist identity theft victims by sending a notice to creditors and other report users when the victim does not recognize a recent inquiry on the victim's file. Execute a three-step uniform response for victims who call automated telephone systems: automatically adding security alerts to files, opting the victim out of prescreened credit offers, and sending a copy of his or her file within three business days. Launch new software systems that will monitor the victim's corrected file for 3 months, notify the consumer of any activity, and provide fraud unit contact information. Fund, through ACB, the development of a series of consumer education initiatives through ACB to help consumers understand how to prevent identity theft and also what steps to take if they are victims. CONCLUSION In conclusion, you can see by our actions that our members have a history of combating fraud of all types including identity theft. We were the first industry trade association to form a task force to consider how best to address the plight of victims who through no fault of their own are left with, as we said at the beginning of this testimony, a snarl of fraudulent accounts to deal with. Along with our progress, there are a few cautionary thoughts that I would like to leave with each of you. It is difficult for laws to prescribe procedures and practices that actually prevent crime. Crime is a moving target and, thus, our fraud prevention strategies must be as agile as the tactics of the criminals. Information is a key economic growth factor in this country. Laws that limit legitimate and beneficial information use are most likely to take fraud prevention tools out of the hands of legitimate industry. Ironically, to prevent fraud, we must be able to crosscheck information. Absent this ability to authenticate identifying information, we will be less able to prevent the very crime we are discussing here today. I think the initiatives I have discussed here today provide ample evidence that our industry is serious about doing its part in reducing the crime of identity theft and fraud and in helping consumers restore their good name and an accurate credit file. Just as it is to consumers, the integrity, accuracy and reliability of the credit files our members maintain is vitally important. Thank you for this opportunity to testify. ______ News Release [Norm Magnuson] CREDIT REPORTING INDUSTRY ANNOUNCES IDENTITY THEFT INITIATIVES Associated Credit Bureaus, the international trade association for the consumer reporting industry, announced today a commitment on behalf of the nation's leading credit reporting agencies to voluntarily implement a comprehensive series of initiatives to assist victims of identity theft in a more timely and effective manner. ``While there is no evidence to show that the credit report is a source for identity theft, our industry has always taken an active role in assisting consumers who are fraud victims. Our members have taken this responsibility seriously, and we're very proud of these initiatives that help consumers who are victims of identity theft or fraud,'' noted D. Barry Connelly, president of Associated Credit Bureaus. ``Designing and implementing these initiatives is a significant milestone in the ongoing efforts of our industry to help address the problem of identity theft. As long as there are criminals who prey on innocent consumers, we will continue to seek even better ways to serve consumers and work with law enforcement and our industry's customers to address this threat.'' Connelly outlined the industry's six-point program to improve identity theft victim assistance: Advocate the use and improve the effectiveness of security alerts through the use of codes transmitted to creditors. These alerts and codes can help creditors avoid opening additional fraudulent accounts. Implement victim-assistance best practices to provide a more uniform experience for victims when working with personnel from multiple fraud units. Assist identity theft victims by sending a notice to creditors and other report users when the victim does not recognize a recent inquiry on the victim's file. Execute a three-step uniform response for victims who call automated telephone systems: automatically adding security alerts to files, opting the victim out of prescreened credit offers, and sending a copy of his or her file within three business days. Launch new software systems that will monitor the victim's corrected file for three months, notify the consumer of any activity, and provide fraud unit contact information. Fund, through ACB, the development of a series of consumer education initiatives through ACB to help consumers understand how to prevent identity theft and also what steps to take if they are victims. ACB's initiatives, to be fully implemented within seven months of this announcement, resulted from a task force comprising senior executives from the ACB Board of Directors and former State Attorney General, M. Jerome Diamond. Diamond interviewed consumer victims and law enforcement officials, made onsite visits to credit reporting agency fraud units, and obtained input from privacy advocates. His counsel was an integral part of the decisionmaking process and influenced the final content of the initiatives. Connelly said: ``Identity theft is a crime that is deeply unsettling for the victims. Our initiatives will make it easier for victims to put their financial lives back together.'' Connelly stressed, though, that the crime extends beyond individuals to creditors and ACB members and added, ``We must all work together in the areas of prevention and victim assistance. We supported the enactment of the Identity Theft Assumption and Deterrence Act of 1998 and have worked with more than half of the State legislatures on similar laws. We urge law enforcement to vigorously investigate and prosecute the criminals.'' Associated Credit Bureaus, Inc. is an international trade association representing 500 consumer information companies that provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services, and collection services. Senator Kyl. Thanks very much, and thanks to all of you. Let me ask Senator Feinstein to begin. I will have to step out for just a moment and be right back. Senator Feinstein. Thanks, Mr. Chairman. Mr. Pratt, I was very heartened by your testimony. Let me just thank you for making changes in your system. One of the problems that we have had is that identity theft victims report that they have difficulties getting in touch with a person, as opposed to a recording, when they call a credit bureau to report an incident. And they are frustrated at having to call each of the major main credit bureaus to report identity theft. Is what you are saying that you will have this systematized so that one call will be able to reflect through all credit bureaus? Mr. Pratt. It is a discussion item. I can't tell you yet that that is where we will end up, but I will tell you that what we want to be able to do is make sure that a consumer who calls knows what is going to happen and has confidence in what will happen so that they aren't frustrated, even if it is Sunday night that they are learning about the problem and they are making that phone call on a Sunday. Whether they are calling and getting live personnel or not, either way we want to make sure that experience is fairly standardized. We have other data bases out there, Senator Feinstein, and we are looking at how we can make sure that across a larger spectrum of data bases consumers don't end up making more and more phone calls down the road to help with that efficiency. Senator Feinstein. How many credit bureaus are there? Mr. Pratt. Well, there are three major credit reporting systems that I think we commonly think of. There is a total of 500 members in the Associated Credit Bureaus, some of whom produce mortgage reports, some of whom produce employment screening reports or tenant screening reports of various types. There are check services data bases. One million two hundred thousand fraudulent checks are written a day in this country. Senator Feinstein. Well, let me ask you, if Michelle, for example, wanted to call a credit bureau to say, ``Look, I have got a problem,'' how many calls would she have to make now? Mr. Pratt. I think today she would make three main calls, and with those major calls we would be able to take those steps, making sure that a security alert works, but take those steps that a security alert works and is effective, take the steps that she wants us to take, and so on; three main calls. Senator Feinstein. It would really be helpful, I think, if an individual could make one call, and as a product of that call the word could go out and they wouldn't have to do the rest of it. Mr. Pratt. I think that is an idea that goes far back, and let me just say that, of course, Jodie Bernstein has been a real thought leader and her division has been a real thought leader in the area of identity theft, even as far back as some of the workshops. We still have some of those ideas plugged into the decisionmaking process to take the right steps in the right order. Senator Feinstein. Do you know how much business is actually generated by the sale of marketing lists with Social Security numbers? Mr. Pratt. I really don't. Senator Feinstein. Mr. Emmert, the FTC has made some recommendations to my staff for the improvement of 2328, particularly sections 7 and 8 that you spoke about. I would like to ask that you talk with Tom Oscherwitz of my staff and go over these and see if they satisfy your concerns. I was reading the bill while you were speaking, and I really didn't quite understand what the heart of your concern was. Can you repeat that again? Mr. Emmert. Sure. Thank you, Senator, and we would be very happy to work with you and with Tom on the language. One of the issues that we have is the same comment that Inspector General Huse made, which is you should prohibit the sale of Social Security numbers. I think you should prohibit the sale in the consumer marketplace of Social Security numbers, but there are sales that happen in a more restrictive environment that we believe need to happen that will, in fact, be counterproductive if you stop them. When we obtain a list of names, addresses and Social Security numbers from the credit bureaus, that is a sale. Senator Feinstein. Go over what those are, those instances. Mr. Emmert. Yes. What we will do is we will acquire data in a large set and then we will, in turn, sell it on a limited basis to a very finite group of customers that include government law enforcement agencies, fraud investigation groups within insurance---- Senator Feinstein. Well, now, there is an exception for that in the bill. Keep going. Mr. Emmert. OK. We also need an exception for us so that we can obtain it to begin with. Senator Feinstein. Right. Mr. Emmert. You have insurance companies who have fraud investigations units, many of which are established as mandated by State law. The insurance companies are very big on this. I believe the statistics show that they save $10 for every $1 they spend on fraud investigation. So they are very big on it, but it is private sector-type law enforcement activity. You have similar issues with the securities industry and with the banking industry. We have child support enforcement work. We have work with groups that locate missing children. These are activities that we think that arguably we should support and that we would like to continue to be able to support. We don't try to defend the use of Social Security numbers for marketing or solicitation. It seems unnecessary. I don't need to be able to get my neighbor's Social Security number just because I am curious, and so a website that would make that information available to the general public--I don't want to defend that practice. I think it is reprehensible, and it is a huge feeder for the types of persons who would commit fraud. So, that is not what we are trying to defend. It is the notion of ``no sale'' that is the problem because there are behind- the-scenes types of transactions that need to continue. Senator Feinstein. I think we are prepared to make specific technical exceptions. As you said, the Social Security number is one thing and other data is other things. If you would work with our staffs, perhaps we can work this out. One bill is just the Social Security number. Another one that I am looking at is also the driver's license, personal financial data, and personal health data. Mr. Emmert. All of those are areas that have slightly different issues. The driver's license issues are slightly different from the health data and the financial data. We are not in the market of distributing health or financial data. We don't want to be in that market. We don't want to be disseminating people's medical records or their personal financial records. Again, I would agree there are reasons why you don't want that in the general marketplace, in the public. Driver's license records are an interesting category because, first, they are public records. And, second, they can be used to help with a number of functions. Again, the Drivers Privacy Protection Act has helped to restrict those uses considerably, and I will point out that even under the most restrictive interpretations that have come through on the recent amendments, 96 percent of our current customer base qualifies under the most restrictive amendments because, again, we don't sell for marketing or commercial solicitations or to members of the general public who have curiosity. We are selling to law enforcement, we are selling to the courts, we are selling to attorneys who are working on litigation, things of that nature. And so our concern is that we can protect those uses which we believe are socially beneficial. But we would be more than happy to work with you and your staff on this. Senator Feinstein. Great. I am a big fan of NEXIS-LEXIS. Mr. Emmert. Thank you, Senator. Senator Feinstein. On this personal financial data, I have been told that there are places where I could purchase every mortgage you have ever had, who gives the mortgage, what you have owing on the mortgage, any delay in payment you may have made, where the houses or house or property or whatever it might be is, so that by buying this information, I could actually develop a very good financial profile of you, any weaknesses you might have, any strengths you might have. I find that very dangerous to have out there in the public marketplace. Mr. Emmert. A couple of comments on that. First, my friend Stuart here may, in fact, have that information, but we do not. What we do have is we do have information about real estate titles. As you know, lawyers do title searches. They help you when you go to purchase a house or when you go to sell a house. What we make available are the public records themselves that you get from the county recorder's office. So for a particular parcel of land, we can show who the owner of the record is, where the parcel is situated, and a legal description of the parcel. If there are liens currently in existence against the parcel, the liens would show on the title. That is so when you go to buy a house, you don't pay $200,000 for a house, only to find out that there is also a $150,000 tax lien that you personally are now liable for because nobody found it when you made the purchase and it wasn't settled. And so that basic information is available. Also, you may find things like the assessed tax value of the property. What are the property taxes on the property? What is the assessed value for tax purposes? In terms of the mortgages, I believe the initial mortgage amount is stated on some of the deeds. These are records that we don't create. We don't necessarily dictate what is in these records. We simply report them as they are recorded in the county recorder's office. It would not show the amount of the payment. It would not show the current balance of the mortgage, it would not show prior mortgages, but it may show a second mortgage which would be filed as a matter of record against the property as a lien. Senator Feinstein. Can anyone get this information if they are on some kind of a fishing expedition to find a good victim? Mr. Emmert. Well, anyone can get this information at the county recorder's office today in any county in the country. It has been a public record for as long as we have had land records in this country. So in that sense, the answer is yes. Senator Feinstein. But it is difficult to get. Mr. Emmert. Well, it is, but again you look at the distributions. Certainly, for our company we have a fairly limited distribution. We have a lot of users, but the users tend to be in professional categories in the law enforcement community, in major law firms, and in large corporations. It is not something that we make generally available to the populace at large over the Internet. Legally, that can be done because those records are public. Even if you can't afford a lawyer, even if you are not with a law enforcement agency, you are entitled to go down to the county recorder's office to find out when that tax bill comes in whether your next-door neighbor's property has been assessed at the same basic level as yours is. I just went through that. I bought a new house. I had been in the house less than 6 months and the assessed property value was significantly above what I paid for the property. Well, I am entitled under the law to go over and see how did they assess the other properties on the street. Am I being treated fairly with respect to my neighbors? That is one of the reasons that those records are available to the public. I don't have to hire a lawyer to do it. I can do it myself. So there are some touchy issues here in a free society because we want to protect persons from fraud, from theft, certainly from any scenario of that nature. But it is kind of a fine line between protecting people and allowing people to sort of protect themselves as well in other contexts. Senator Feinstein. Thank you very much. Mr. Pratt, did you have something you wanted to add at one point? Mr. Pratt. I think Steve really covered some of the basic points. We would have mortgage information in a consumer file that might show payment information, but that would be controlled by the Fair Credit Reporting Act. So in that case, a privacy statute is in place which limits distribution. Obviously, that is a great challenge you have going forward, and I know Tom and you and others on your staff are working through that, about what does Graham-Leach-Bliley cover, what does it not cover, what does Fair Credit cover and what does it not, and so on and so forth. So this is the policy issue that we are in today, how to parse through the laws that currently exist and to look for, I guess, the element which might lead to injury somewhere down the road. Certainly, another context for mortgage information being available is the efficiencies for a mortgage lending system today, the fact that we securitize an enormous amount of primary market loans into secondary markets. And in those large automated underwriting contexts, the ability to draw from electronic data bases which create the efficiency--that is, a business-to-business transaction--allows them to do very inexpensive assessments of values of property which allows them, in fact, to approve up to 70, 75 percent of the loans without all of the normal expensive closing costs processes that we have seen in the past. So there are those issues to think about when you are thinking about this larger context of public record and the availability of it, and what are the basic tenets of why it was there in the first place. I have lived in other countries. Land ownership in this country is kind of taken for granted in a lot of ways. We live in a very stable society, comparatively. In a lot of countries, people don't know who owns the land. They don't know why it is being owned. They don't know who controls large swaths of property. That was one of the fundamental tenets behind the idea of making ownership available. Environmental groups today use ownership records of that sort to track down who, in fact, really controls land, who, in fact, controls wetlands, who can build on it, who cannot, that sort of thing. So are these other societal benefits that just have to be weighed in context. Unfortunately, I guess that is the job of U.S. Senators, to try to divine the truth in all of that. Senator Feinstein. Thank you. Thank you, Mr. Chairman. Senator Kyl. The old saying ``knowledge is power'' is really the fundamental of this hearing. That knowledge can be very powerful in a very positive way. That is primarily what has permitted the Internet and this kind of technology to benefit our society in such a significant way. But as we point out in this hearing, it can also be used in a very powerful negative way, and the trick here is to find the proper balance to protect people from the kind of extraordinarily harmful activity that can occur, while not unnecessarily interfering in the free flow of information for positive purposes. I was struck, Senator Feinstein, by the fact that if we could have these four witnesses sit down with us, we could probably craft a very, very good bill, with all of the information that is represented at this table. Incidentally, we may have a vote any minute here, and when that vote is called, we will have about 7 or 8 minutes to conclude the hearing and then we will have to finish, but that perhaps will be enough. Ms. Brown, I was going to ask you what assisted you the most in your efforts to clear your name, and then, second, to what extent did you receive assistance from the FTC. You have given us in writing a lot of great recommendations, some of which are being pursued, some we need to pursue. And if you would like to add anything else there orally, that would be fine, too. Ms. Brown. I would say that the first resource that I found actually was the Privacy Rights Clearinghouse. And I did searches on the Internet for identity fraud that assisted me in certain steps to take to not only report the crime, but also to try to prevent further misuse of my name. Senator Kyl. By the way, did you find that on the Internet? Ms. Brown. On the Internet, yes, rapid information. That is exactly why I went there. I didn't know where else really to turn. If I didn't have access to the Internet, I am sure that it would be a very, very lengthy process to figure out what steps logically--where to go, to call the DMV, to call the Social Security agency. I looked onto, say, FBI sites and Secret Service sites, but generally at that point the initial thing that I knew about was the car loan. That was only $32,000, and to get into something of the FBI and Secret Service, my case did not apply yet. I think maybe down the line, it could have. So I think that those resources from the FTC websites and the Privacy Rights Clearinghouse give great information of how to go about clearing the process. But I didn't receive any further assistance from anybody. It was all just my own diligence and my own persistence in calling the police departments, and so forth. And like I said, there were many times that authorities were not sensitive to my plight. I actually called one time to the LAPD when I found out that something had occurred in the L.A. County, basically, and that is where I was to file a police report. I was told blatantly not to bring the case there because, as the guy was laughing, you know, he did not want a burdensome case like that. So, often, there weren't resources and it was just my persistence in going forward. And from there, it was just logical. When you make a fraud report, they send you documentation, they send you forms to fill out, and you just continue to do that at every step of the way. Senator Kyl. And, of course, one of the things you suggested is much more uniformity in that. Ms. Brown. Absolutely. Senator Kyl. And we have heard here that that is a step that is at least to be pursued. Ms. Brown. Absolutely. Senator Kyl. Did you talk to anybody at the FTC ever, and did they provide any specific help? Ms. Brown. Off the top of my head, I don't recall, but I have extensive notes of every single phone call that I made. Senator Kyl. Did you ever get a letter, a document that you could carry with you, the kind of thing that Ms. Givens talked about? Ms. Brown. When I found out that there was a warrant out for my arrest, then I specifically requested from the police detective that was working on my case--I filed a police report in January 1999. This is June 1999 when I found out I had a warrant out for my arrest. Up until that point, even though I filed a police report, I didn't have anything in my hand, really, aside from a statement that I did file with my local police, because I actually feared for my life and if something happened to me, I wanted some record of that. From that, I had a 1-page sheet that said that I had reported identity theft, basically. But up until that point, no, I had not received anything in my hand to show my innocence. And because I was leaving the country and there was a warrant out, I specifically requested this. But in most cases, I don't think that victims would really be allowed that information. Sometimes, you don't know that there is a clear perpetrator. I knew blatantly because she went to the DMV, and from their records, after they pulled that information, it was clear someone had impersonated me. Senator Kyl. So did you eventually get some kind of a document that you could carry with you? Ms. Brown. From the courts, yes, after she was tried. Senator Kyl. So that was late in the process? Ms. Brown. September 1999. Senator Kyl. And just describe that document briefly. Ms. Brown. Initially, I received a letter from the probation officer saying that she was going to be convicted on such-and-such date; you are allowed to put in a victim statement, and so forth. Senator Kyl. Excuse me. But when you try to come in the country from Mexico, that wouldn't---- Ms. Brown. Exactly. When I came back from Mexico, that is what I had in hand. I also had a letter from the detective. Those were the only things I had in hand--well, not necessarily. I also have certain statements and documentation of filing disputes with credit agencies, and so forth. But the real document came from her conviction in the San Diego court in September 1999, and I specifically requested this out of the court that I wanted them to say this person of such-and-such description, and to provide my description---- Senator Kyl. Alias your name. Ms. Brown. Used my name to perform all of these acts, you know, burglary and what not. Senator Kyl. Let me ask Ms. Givens, you talked about a specific document. And this is one of the things I had in mind when we introduced our original bill and it didn't come out exactly the way I sort of had thought about, but there was at least some reference to it. What would you recommend, understanding that there are different kinds of cases and there are different times in the process here, but to try to respond to the precise problem Ms. Brown had? What kind of document or series of documents could we provide for? And I would think that this could be done, by the way, perhaps without legislation. It doesn't necessarily have to be a Federal law. Ms. Givens. Well, we are working on two bills in California that you might want to look to as models. One would be an expedited court process where you would get a document from the court in the jurisdiction where the arrest or the conviction happened. And, by the way, you have to deal with both arrests and convictions. Michelle's case is horrible, but the one good thing is that the perpetrator was convicted and is in prison. That is a rarity. Most of the time, you are dealing with a nefarious unknown, and you have an arrest warrant and you don't know where they are or what they are doing. So you need to be able to address both arrests and convictions. But perhaps something that you go through your local law enforcement that goes to that court, an official document from the court, but the document must be accepted by U.S. Customs, by the FBI. We have the case of a man who has a document for bad check- writing that he carries with him. He came back into the country and was jailed. U.S. Customs did not accept that document even though it was from the courts in Missouri, and he lives in New York City. And that was for bad check-writing. So there has to be something that is standardized, that is official, that is acceptable to all levels of law enforcement. Senator Kyl. And it seems to me also something that pre- dates an actual conviction like this or arrest. You may have nothing more than the beginning of learning of the event, two or three bad things that you find out about. You report it to, say, the credit bureaus. You are starting the process of clearing your name, but I mean at that point it seems to me there is so much about your life that is now going to be implicated in this that it would be useful to have something from the FTC or somebody that says this person has at least been reporting some really bad anomalies. There would have to be some kind of verification--and we can verify that at least the first one reported was, in fact, an anomaly, and so listen to this person. When she tells you there is something wrong, listen to her. Senator Feinstein. I think we might look at a statement or a letter signed by the chief law enforcement officer of the jurisdiction that she has at least filed a case and that an investigation is going on, and that he or she may well be the unwitting victim of identity theft. The problem is you don't want guilty people to go and get this document as well. Senator Kyl. No. Senator Feinstein. Therefore, it has to be something that has some personal attention given to it. It would seem to me the local law enforcement agency would be the best source because they know whether the complaint, A, is valid or not; B, whether there are really suspicious grounds for it and could give you a clearance on those two bases without waiting for a conviction or an arrest. Senator Kyl. One thing that I need to say here for anybody who might be watching is that by virtue of our legislation a couple of years ago, we made this a crime against the individual as well as the financial institutions and others that might have been defrauded. Up until then, the individual didn't really have standing to force this kind of information and force this kind of action. So we have done that much. We clearly have to try to refine the various bills and amendments that Senator Feinstein has filed and that we have been collaborating with here, and I think we will do that and would like to be able to consult with all of you. And I would suggest, Mr. Pratt, in particular, and Mr. Emmert with the association that you represent, and so on, you ought to hire people like Ms. Brown. I mean, I don't know what she does for a living here, and you don't need to tell us here on the record, but the point is people with real experience like that, as well as, of course, people like Ms. Givens who have a wide survey approach to this based upon their extensive work in the area, to understand each of the kinds of problems that a victim goes through. I think bringing someone like Ms. Brown to some of your meetings and saying, ``All right, listen to all of the different things that have gone on here''--surely, can't we in the marketplace devise ways of dealing with this and not have to rely upon the U.S. Congress to pass some kind of law. For example, I have been reluctant to force the credit reporting agencies to provide a free report. You know, it is an expense. I did want to ask you, are you at the point where you think you can do that, if it is a reasonable kind of requirement, without being too much of a financial burden on the companies, Mr. Pratt? Mr. Pratt. Senator, we really did deal with that question in the many, many years of dialog about the Fair Credit Reporting Act that took place in the decade of the 1990's. By 1996, we had new amendments which were, I think, extensive and material, and changed remarkably the privacy statute originally enacted in 1970. In fact, we agreed at that time there were populations of consumers that needed to have a free report. One of those populations is a consumer who even just thinks they have been a victim of fraud. They don't have to walk in with a police report. So, in fact, we felt that that was a population that deserved access. I lost my wallet, I want a free report. So we agreed with that at the time. We also agreed for welfare recipients, for those who are unemployed seeking employment, any consumer who has ever been denied a benefit. So we provide an enormous volume of free reports per year. We do ask, I guess, for some equity, just as if you want in and got a deed from the local courthouse, you might pay a fee. As long as we can keep that fee reasonable so it doesn't deny access merely by the cost, you give us a chance in those cases to just handle it in the same way. Currently, the law caps that fee at $8 plus the CPI. Senator Kyl. Well, we will continue to work with you on that, too. Because we have this vote, I think we will have to bring the hearing to a close, but I can't thank each of you enough. I mean, you have all provided very important information for us, and I am serious about relying upon your expertise as we move forward with this legislation. Please understand we may be back in touch with you. Thank you all very, very much. Senator Feinstein. May I say ditto. Thank you. Senator Kyl. This hearing will now adjourn. [Whereupon, at 11:50 a.m., the subcommittee was adjourned.]