[House Hearing, 107 Congress] [From the U.S. Government Publishing Office] PREVENTING IDENTITY THEFT BY TERRORISTS AND CRIMINALS ======================================================================= JOINT HEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS OF THE COMMITTEE ON FINANCIAL SERVICES AND THE SUBCOMMITTEE ON SOCIAL SECURITY OF THE COMMITTEE ON WAYS AND MEANS OF THE U.S. HOUSE OF REPRESENTATIVES ONE HUNDRED SEVENTH CONGRESS FIRST SESSION __________ NOVEMBER 8, 2001 __________ Printed for the use of the Committee on Financial Services and the Committee on Ways and Means Serial No. 107-50 (Committee on Financial Services) Serial No. 107-51 (Committee on Ways and Means) U.S. GOVERNMENT PRINTING OFFICE WASHINGTON : 2002 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 HOUSE COMMITTEE ON FINANCIAL SERVICES MICHAEL G. OXLEY, Ohio, Chairman JAMES A. LEACH, Iowa JOHN J. LaFALCE, New York MARGE ROUKEMA, New Jersey, Vice BARNEY FRANK, Massachusetts Chair PAUL E. KANJORSKI, Pennsylvania DOUG BEREUTER, Nebraska MAXINE WATERS, California RICHARD H. BAKER, Louisiana CAROLYN B. MALONEY, New York SPENCER BACHUS, Alabama LUIS V. GUTIERREZ, Illinois MICHAEL N. CASTLE, Delaware NYDIA M. VELAZQUEZ, New York PETER T. KING, New York MELVIN L. WATT, North Carolina EDWARD R. ROYCE, California GARY L. ACKERMAN, New York FRANK D. LUCAS, Oklahoma KEN BENTSEN, Texas ROBERT W. NEY, Texas JAMES H. MALONEY, Connecticut BOB BARR, Georgia DARLENE HOOLEY, Oregon SUE W. KELLY, New York JULIA CARSON, Indiana RON PAUL, Texas BRAD SHERMAN, California PAUL E. GILLMOR, Ohio MAX SANDLIN, Texas CHRISTOPHER COX, California GREGORY W. MEEKS, New York DAVE WELDON, Florida BARBARA LEE, California JIM RYUN, Kansas FRANK MASCARA, Pennsylvania BOB RILEY, Alabama JAY INSLEE, Washington STEVEN C. LaTOURETTE, Ohio JANICE D. SCHAKOWSKY, Illinois DONALD A. MANZULLO, Illinois DENNIS MOORE, Kansas WALTER B. JONES, North Carolina CHARLES A. GONZALEZ, Texas DOUG OSE, California STEPHANIE TUBBS JONES, Ohio JUDY BIGGERT, Illinois MICHAEL E. CAPUANO, Massachusetts MARK GREEN, Wisconsin HAROLD E. FORD Jr., Tennessee PATRICK J. TOOMEY, Pennsylvania RUBEN HINOJOSA, Texas CHRISTOPHER SHAYS, Connecticut KEN LUCAS, Kentucky JOHN B. SHADEGG, Arizona RONNIE SHOWS, Mississippi VITO FOSSELLA, New York JOSEPH CROWLEY, New York GARY G. MILLER, California WILLIAM LACY CLAY, Missouri ERIC CANTOR, Virginia STEVE ISRAEL, New York FELIX J. GRUCCI, Jr., New York MIKE ROSS, Arizona MELISSA A. HART, Pennsylvania SHELLEY MOORE CAPITO, West Virginia BERNARD SANDERS, Vermont MIKE FERGUSON, New Jersey MIKE ROGERS, Michigan PATRICK J. TIBERI, Ohio Terry Haines, Chief Counsel and Staff Director ------ Subcommittee on Oversight and Investigations SUE W. KELLY, New York, Chair RON PAUL, Ohio, Vice Chairman LUIS V. GUTIERREZ, Illinois PETER T. KING, New York KEN BENTSEN, Texas ROBERT W. NEY, Texas JAY INSLEE, Washington CHRISTOPHER COX, California JANICE D. SCHAKOWSKY, Illinois DAVE WELDON, Florida DENNIS MOORE, Kansas WALTER B. JONES, North Carolina MICHAEL CAPUANO, Massachusetts JOHN B. SHADEGG, Arizona RONNIE SHOWS, Mississippi VITO FOSSELLA, New York JOSEPH CROWLEY, New York ERIC CANTOR, Virginia WILLIAM LACY CLAY, Missouri PATRICK J. TIBERI, Ohio HOUSE COMMITTEE ON WAYS AND MEANS BILL THOMAS, California, Chairman PHILIP M. CRANE, Illinois, CHARLES B. RANGEL, New York E. CLAY SHAW, Jr., Florida FORTNEY PETE STARK, California NANCY L. JOHNSON, Connecticut ROBERT T. MATSUI, California AMO HOUGHTON, New York WILLIAM J. COYNE, Pennsylvania WALLY HERGER, California SANDER LEVIN, Michigan JIM McCRERY, Louisiana BENJAMIN L. CARDIN, Maryland DAVE CAMP, Michigan JIM McDERMOTT, Washington JIM RAMSTAD, Minnesota GERALD D. KLECZKA, Wisconsin JIM NUSSLE, Iowa JOHN LEWIS, Georgia SAM JOHNSON, Texas RICHARD E. NEAL, Massachusetts JENNIFER DUNN, Washington MICHAEL R. McNULTY, New York MAC COLLINS, Georgia WILLIAM J. JEFFERSON, Louisiana ROB PORTMAN, Ohio JOHN S. TANNER, Tennessee PHILIP S. ENGLISH, Pennsylvania XAVIER BECERRA, California WES WATKINS, Oklahoma KAREN L. THURMAN, Florida J.D. HAYWORTH, Arizona LLOYD DOGGETT, Texas JERRY WELLER, Illinois EARL POMEROY, North Dakota KENNY HULSHOF, Missouri SCOTT McINNIS, Colorado RON LEWIS, Kentucky MARK FOLEY, Florida KEVIN BRADY, Texas PAUL RYAN, Wisconsin ------ Subcommittee on Social Security E. CLAY SHAW, Jr., Florida, Chairman SAM JOHNSON, Texas ROBERT T. MATSUI, California MAC COLLINS, Georgia LLOYD DOGGETT, Texas J.D. HAYWORTH, Arizona BENJAMIN L. CARDIN, Maryland KENNY HULSHOF, Missouri EARL POMEROY, North Dakota RON LEWIS, Kentucky XAVIER BECERRA, California KEVIN BRADY, Texas PAUL RYAN, Wisconsin C O N T E N T S ---------- Page Hearing held on: November 8, 2001............................................. 1 Appendix: November 8, 2001............................................. 45 WITNESSES Thursday, November 8, 2001 Bond, Hon. Philip J., Under Secretary for Technology, Department of Commerce....................................................... 7 Bovbjerg, Barbara D., Director, Education, Workforce and Income Security Issues, U.S. General Accounting Office................ 13 Dugan, John C., Partner, Covington & Burling, on behalf of the Financial Services Coordinating Council........................ 32 Hillman, Richard J., Director, Financial Markets and Community Investment Issues, U.S. General Accounting Office.............. 13 Hendricks, Evan, Editor and Publisher, Privacy Times............. 36 Huse, Hon. James G., Jr., Inspector General, Social Security Administration................................................. 9 Lehner, Thomas J., Executive Vice President, American Financial Services Association........................................... 28 Pratt, Stuart K., Vice President, Government Relations, Associated Credit Bureaus...................................... 26 Rotenberg, Marc, Executive Director, Electronic Privacy Information Center; Adjunct Professor, Georgetown University Law Center..................................................... 34 Sadaka, Thomas A., Special Counsel for Computer Crime and Identity Theft Prosecutions, Florida Office of Statewide Prosecution.................................................... 30 Streckewald, Fritz, Acting Assistant Deputy Commissioner for Disability and Income Security Programs, Social Security Administration................................................. 11 APPENDIX Prepared statements: Kelly, Hon. Sue W............................................ 47 Shaw, Hon. E. Clay Jr........................................ 49 Oxley, Hon. Michael G........................................ 46 Cardin, Hon. Benjamin L...................................... 51 Gutierrez, Hon. Luis V....................................... 53 Paul, Hon. Ron............................................... 54 Schakowsky, Hon. Janice D.................................... 56 Bond, Hon. Philip J.......................................... 57 Bovbjerg, Barbara D., and Richard J. Hillman, joint statement 87 Dugan, John C................................................ 113 Hendricks, Evan.............................................. 131 Huse, Hon. James G., Jr...................................... 62 Lehner, Thomas J............................................. 107 Pratt, Stuart K.............................................. 100 Rotenberg, Marc.............................................. 126 Sadaka, Thomas A............................................. 110 Streckewald, Fritz........................................... 73 Additional Material Submitted for the Record Bovbjerg, Barbara D., and Richard J. Hillman: Written response to questions from Congressman Gutierrez and the Subcommittee on Social Security............................ 96 Dugan, John C.: Written response to questions from Congressman Gutierrez and the Subcommittee on Social Security............................ 123 Hendricks, Evan: Written response to questions from Congressman Gutierrez and the Subcommittee on Social Security............................ 135 Huse, Hon. James G., Jr.: Written response to questions from Congressman Gutierrez and the Subcommittee on Social Security............................ 67 Streckewald, Fritz: Response to an inquiry from Congresswoman Kelly.............. 82 Response to an inquiry from Congressman Shaw................. 83 Written response to questions from Congressman Gutierrez and the Subcommittee on Social Security............................ 84 Comserv, Inc., prepared statement................................ 137 Erisa Industry Committee, prepared statement..................... 140 National Council on Teacher Retirement, prepared statement....... 142 JOINT HEARING: PREVENTING IDENTITY THEFT BY TERRORISTS AND CRIMINALS ---------- THURSDAY, NOVEMBER 8, 2001 U.S. House of Representatives, Subcommittee on Oversight and Investigations, Committee on Financial Services, and the Subcommittee on Social Security, Committee on Ways and Means, Washington, DC. The subcommittees met, pursuant to call, at 10:10 a.m., in room 2128, Rayburn House Office Building, Hon. Sue W. Kelly, [chairwoman of the Subcommittee on Oversight and Investigations], and E. Clay Shaw, Jr., [chairman of the Subcommittee on Social Security], presiding. Present from Subcommittee on Oversight and Investigations: Chairwoman Kelly; Representatives Weldon, Inslee, Tiberi, Jones, Shows and Clay. Present from Subcommittee on Social Security: Chairman Shaw; Representatives Matsui, Cardin, Becerra, Doggett, Collins, Brady, and Ryan. Also attending was Congresswoman Hooley. Chairwoman Kelly. This joint hearing of the Committee on Financial Services Subcommittee on Oversight and Investigations, and Committee on Ways and Means Subcommittee on Social Security, will now come to order. I welcome today my colleagues, Clay Shaw, and Ben Cardin. I'm delighted that we also have other colleagues here--Darlene Hooley. Thank you very much. I look forward to hearing what the witnesses have to say. We're here this morning to see how we can prevent the awful crime and terrible tragedy of identity theft by terrorists and criminals. Our special intention is to protect the families of the deceased from such theft and financial fraud at their most vulnerable moment--when they are grieving from the shock of their loss. Through the rapid transmittal of the information in the Death Master File from the Social Security Administration to the financial services industry and the immediate use of that information by the industry, we can prevent these crimes and spare the families pain. James Jackson and Derek Cunningham stole hundreds of thousands of dollars in gems and watches from deceased executives of our major corporations before being caught by law enforcement. They stole the identity of the late CEO of Wendy's International within days after his death and were not arrested until about 2 months later. In the past 2 months, we learned that identity theft could be a tool of the hijackers who murdered thousands of our fellow citizens, and of their accomplices as well. Last week, the Inspector General of the Social Security Administration testified that some of the 19 hijackers used phony Social Security numbers to perpetrate their murders. And we know that Lofti Raisi, an Algerian held on suspicion that he trained four of the hijackers how to fly, used the Social Security number of a New Jersey woman who has been dead for 10 years. Even after these events, and after three of us serving on the Financial Services Committee requested the SSA to ensure the rapid transmission of the Death Master File, we've received no commitment from the SSA to take any specific action. The file is still physically shipped to an agency at the Commerce Department, where copies are made and physically shipped to subscribers. In other words, ``snail-mail.'' There has been no reduction for years in the time that it takes for the SSA to officially notify the financial services industry of a death. Identity theft is now part of the first war of the 21st Century, but the Federal Government is still treating it in a 1960s way. That must end. That is why we asked the General Accounting Office to study the matter and report their findings to the committee. That is why we're so pleased that the Ways and Means Subcommittee on Social Security, chaired by my colleague, Representative Clay Shaw, can join us in holding a joint hearing today. We need the Social Security Administration to take bold and immediate action to get the information to the financial services industry. We will hear from the SSA, the Commerce Department, the General Accounting Office, and we expect an innovative and effective solution. We also need the financial services industry to ensure that the information is immediately integrated into databases and available for permanently deactivating Social Security numbers of the deceased. Moreover, with the passage of the USA Patriot Act, there will soon be Treasury Department regulations requiring them to verify the identification of new account-holders and for customers to provide the identification requested by the companies. We know that the SSA and financial institutions can meet this challenge. In the past 3 years, they've already met two difficult challenges--the Y2K conversion and the aftermath of the terrorist attacks. The SSA was a leader among Government agencies in successfully avoiding the Y2K glitch and the financial institutions breezed through the turn of the millennium without a single major problem. As the acting SSA commissioner testified last week before Representative Shaw's subcommittee, the SSA regional offices in the New York and Pennsylvania area reacted with fortitude and compassion to assist the victims and their families, and I want to thank the Social Security Administration for their wonderful assistance to New Yorkers, including the many of those in my district. After the horrendous destruction in New York City interrupted the financial markets and killed many, financial institutions there and across the country picked themselves up, dusted off, and got back to work with an amazing speed and grace, even while mourning their compatriots. And all of them did all of that, the Y2K conversion and the recovery from the attacks, without any specific mandate in Federal law. Surely, we can work together to meet this challenge before us now. I urge all parties to get together and, based on the GAO's findings, leapfrog over the antiquated system now used, and stop identity theft of the deceased. Representative Shaw will chair the hearing for the first panel of witnesses. I will chair the hearing for the second panel. Thank you. [The prepared statement of Hon. Sue W. Kelly can be found on page 47 in the appendix.] Chairman Shaw. Thank you, Ms. Kelly. We appreciate being here in your committee room and being able to join with you in this hearing this morning. Today, our two subcommittees join together to examine ways to prevent identity theft by terrorists and criminals. When Social Security numbers were created 65 years ago, their only purpose was to track a worker's earnings so that Social Security benefits could be calculated. But today, use of the Social Security number is pervasive. Our culture is hooked on Social Security numbers. Businesses and Government use the number as their primary source of identifying individuals. You can't even conduct the most frivolous transaction, like renting a video at your local store, without someone asking you first to render your 9-digit Social Security ID. Interestingly enough, I had a doctor's appointment last Friday. It was a doctor I had never been to before. And I noticed when I was signing in, my Social Security number was required. I mentioned that to him back in the examining room and I told him, I said, the time is going to come when you're not going to be able to get that number. And he said, well, I hope it does, because he had been a victim of identity theft and it took him many years through the various layers of collection agencies to finally show that he was not the one that ran the tremendous debt up on the credit cards. Your Social Security number is a key that unlocks the doors to your identity for any unscrupulous individual who gains access to it. Once the door is unlocked, the criminal or terrorist has at their fingertips all the essential elements needed to carry out whatever dastardly act that they conceive. We now know that some terrorists involved in the September 11th attacks illegally obtained Social Security numbers and used them to steal identities and obtain false documents, thus hiding their true identities and their motives. These unspeakable acts shine an intense spotlight on the need for the Government and the private industry to be vigilant in protecting identities. It also demands that safeguards to prevent identity theft are put in place and put in place now. Earlier this year, I, along with several of my Ways and Means colleagues, introduced H.R. 2036, the Social Security Number Privacy and Identity Theft Prevention Act of 2001. This bipartisan bill represents a balanced approach to protecting the privacy of Social Security numbers, while allowing for their legitimate uses. Because of its broad scope, the bill has also been referred to the Committee on Energy and Commerce and the Committee on Financial Services, in addition to Ways and Means. I urge prompt action by all three committees so that we may bring this important legislation to the floor as quickly as possible. It is a needed part of our Nation's response to terrorism. Sadly, identity theft is a crime not perpetrated just against the living. A Washington Post article on Saturday, September 29th, reported that a man detained in Great Britain and suspected of training the terrorists who hijacked the airliners on September 11th, used the Social Security number of a New Jersey woman who died in 1991. The Associated Press reported on October 31st, that an individual from North Carolina had been indicted on charges he tried to steal the identity of someone killed in the terrorist attack at the World Trade Center. Therefore, today, we will take a hard look at the sharing of death information. The Social Security Administration maintains the most comprehensive file of death information in the Federal Government. How this information is compiled, its accuracy, and the speed with which it is shared with the public will be explored. Because the financial services industry relies fundamentally on Social Security numbers as the common identifier to assemble accurate financial information, they are in a unique position to assist in the prevention of Social Security number fraud and abuse. Their timely receipt of death information and prompt updating of financial data is key in preventing identity theft. In the past, some businesses have not been enthusiastic about further restricting the use of Social Security numbers. It is my hope they will rethink their resistance in light of September 11th. Identity theft is a national security threat involving life and property. Safeguards will be made and I predict sooner rather than later. Mr. Cardin. [The prepared statement of Hon. E. Clay Shaw Jr. can be found on page 49 in the appendix.] Mr. Cardin. Thank you, Mr. Shaw. Let me thank both Chairman Shaw and Chairwoman Kelly for convening this joint hearing today. This is an extremely important subject. We're working in a very bipartisan way to do everything we can to prevent identity theft. The FBI considers identity theft to be one of the fastest- growing crimes in the United States. 350,000 cases a year. We can do better. The focus of today's hearing is going to spend a lot of time on the SSA's Death Master File, where it compiles the names and Social Security numbers of those individuals who have recently died. Questions have been raised as to whether those files are as up-to-date as they need to be and whether that information is being shared, particularly with financial institutions, in the most effective way in order to reduce the amount of identity fraud. I think there's a joint responsibility here and when the panel presents their testimony, I hope that they will deal with this. There's clearly a responsibility by SSA to have the information available so that we can prevent identity theft. But there's also responsibility in the private sector, particularly of financial institutions, as to how they deal with identity in the use of fraudulent or false information. Both need to work together in order to accomplish it. The Chairmen have given us examples that should chill all of us. The fact that several of the hijackers had fraudulent SS numbers, that is something that is unacceptable. The fact that a terrorist apprehended in Britain had a Social Security number that was from a deceased person that was 10 years old is unacceptable. We can do better than that. There is now, of course, a ring of thefts involving recently-deceased business executives. Ms. Kelly mentioned the Wendy's executive. We need to be wiser in how we deal with the Social Security numbers and updating the data bank at the public level, sharing with the private sector, to avoid these types of crimes. I think the questions being raised is whether we can update these Death Master Files in a more effective way, would that have prevented some of these ID thefts? But I must at least raise some additional questions here as we go through this hearing. We have the question that the primary purpose, the primary mission of the SSA's use of the Social Security card is to maintain earnings records and pay benefits in the case of death, retirement and disability. I have concern about making the list more up-to-date and easier to use, could compromise individual privacy and have the unintended consequence of making it easier, rather than more difficult, for people to steal and use false SSNs. So there are tradeoffs here. We also have the challenge of joint accounts, where one person dies and you have another person account. If we all of a sudden freeze those assets, in a way, we may be causing unintended problems for our constituents. So these are not easy issues. But the bottom line is we cannot accept the number of thefts that are occurring today through the use of Social Security numbers. We need to do a better job. And we look forward to working with the people who will be here today on our panel and others so that we can effectively combat this criminal activity. Thank you, Mr. Chairman. Chairman Shaw. Thank you. Mr. Weldon, do you have a statement? Mr. Weldon. No, thank you, Mr. Chairman. Chairman Shaw. Mr. Inslee. Mr. Inslee. No statement, Mr. Chairman. Chairman Shaw. Mr. Tiberi. Mr. Tiberi. No, thank you, Mr. Chairman. Chairman Shaw. Ms. Hooley. Ms. Hooley. Thank you, Chairman Shaw, and Chairwoman Kelly. We've heard numerous times today identity theft is an equal opportunity crime. It affects victims of all ages, all incomes, and all ethnic backgrounds. Ms. Kelly told us about Wendy's CEO. But more often than not, identity theft is something that affects the ordinary citizen, the person who is working hard, paying their taxes, and trying to do their best in life. For example, a little over a year ago, a young man from Oregon named Sean Bolden, appeared before the full Banking Committee to testify about his personal nightmare with identity theft. In Sean's case, identity thieves had opened dozens of financial accounts with his Social Security number and, as a result, at age 23, he was unable to obtain any credit whatsoever, including student loans. And then there's the case of the little boy in Salem, Oregon, named Tyler Bales. Tyler was 16 months old when he lost his battle with a rare genetic disease called Hurler's Syndrome. Now there's nothing more tragic than losing a child. Unfortunately, the heartache of Tyler's loss hasn't been eased for his parents. Not only isn't it hard enough losing a 16-month-old child, but last spring, the Bales learned, courtesy of the Internal Revenue Service, that someone claimed Tyler as a dependent on their 2000 income tax return and, as a result, the Bales' income tax return was rejected. As disturbing as that is, it gets worse. Because of Federal disclosure issues, the IRS cannot give out the name of the identity theft to the Salem Police Department, even though identity theft is a felony offense in Oregon. The thief could live right down the street or 3000 miles away. But because of a loophole in the IRS, the Bales and the police department will never know who stole their son's personal information. Mr. Chair, I submit that Tyler Bales and Sean Bolden are more than a name, a date of birth, or a Social Security number, and that's why I've been a strong advocate of stamping out the crime of identity theft. In Tyler's case, I introduced H.R. 2077, the ID Theft Loophole Closure bill. It is in the Ways and Means Committee. It is a very simple bill that says the IRS, in fact, can give out the information to the local police. I know our economy in a large degree depends on the flow of free information. However, it's imperative that we recognize that private information is just that--private--and not a salable commodity or something to be exposed by unscrupulous individuals. Literally, this is the fastest-growing crime there is. The numbers are outrageous. And I could spend some times with numbers, but I don't want to do that. What I want to express today is this is happening more and more frequently. It's happening with people who are committing other crimes. In Salem, the police department has said that in the last 2 years, ID theft has increased by over 38 percent and much of that is related to also methamphetamine abuse, is the motivating factor. We need to close some of these loopholes. We need to do something with identity theft, instead of just talk about it. And I think today's hearing is a good start and I yield back my time. Chairman Shaw. Thank you very much. Now I'd like to introduce our first panel this morning. We first have: The Honorable Philip Bond, who is the Undersecretary of Technology at the United States Department of Commerce; Jim Huse is no stranger to the subcommittees, he is the Inspector General of the Social Security Administration; Fritz Streckewald, Acting Assistant Deputy Commissioner for Disability and Income Security Programs of the Social Security Administration; Barbara Bovbjerg, the Director--Barbara, if I ever fail to mispronounce your name, would you please call me down on it? [Laughter.] Ms. Bovbjerg. It's ``Bo-berg,'' and everyone has trouble with it. Chairman Shaw. And it seems, as long as I've known you, I'd have gotten it right by now. [Laughter.] But you certainly are no stranger to the subcommittees, because you're the Director of Education, Workforce and Income Security of the General Accounting Office. And Richard Hillman, who is the Director of the Financial Markets and Community Investment of the General Accounting Office. Welcome to all the witnesses. We have your full statements and they'll be made a part of the record. You may proceed as you see fit. Mr. Bond. STATEMENT OF HON. PHILIP J. BOND, UNDER SECRETARY FOR TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE Mr. Bond. Thank you, Mr. Chairman, Chairwoman Kelly, Members of both subcommittees. I want to thank you for inviting me here to address an important issue, obviously of combatting fraudulent use of Social Security numbers of decreased individuals. The National Technical Information Service, NTIS, is a component of the Department of Commerce. It's involved in this issue because it makes available to the public the Social Security Administration's Death Master File extract. Let me just say by way of preface that as someone who spent 7 years working in the people's house, sitting back there in the staff row, it's a special and deep honor for me to come back here and work with you in trying to work toward a solution and improvement in the system in this regard. Obviously, September 11th has caused all of us to revisit and reassess what we're doing in every branch of Government, and certainly that is true at the Department of Commerce, where Secretary Evans has us involved deeply in that reassessment. So I want to commend you for holding this hearing, for the leadership, and for bringing some attention to this matter. And I'm confident that as the subcommittees look into this, that they'll find that technology is part of the solution. First, very quickly, a bit about NTIS. For over 50 years, NTIS has collected, organized and permanently preserved most of the research and technical reports of the Federal Government. There are today about 3 million information products in its permanent collection. NTIS, I want to stress, received no appropriated funds. It is self-sustaining, basically on the sale of these largely technical manuals and reports. Many agencies in the Federal Government work with NTIS because they know the agency has the ability to make their information products more widely available, beyond their normal constituency, and in different formats. Clearly, it would be more expensive if all of the agencies tried to replicate this infrastructure. A quick example. The Defense Technical Information Center provides its technical reports directly to the folks in their community. But they turn to the NTIS for the release of unclassified research to the public at large. Similarly, the Social Security Administration distributes the Death Master File to Federal agencies, some State and local agencies, but they turn to the NTIS to make it available to others, in part because SSA does not currently have the capacity or the distribution networks. Very quickly, my principal comments here will address what NTIS does with the files once we receive them and I'll defer to that agency on a description of the preparation of the files, other than to say that, on a quarterly basis, they do the full Master File and then monthly updates beyond that. The Death Master File contains only basic information-- Social Security number, last name, first name, date of death, date of birth, State or county of residence, zip code for the last residence, and last lump-sum payment. Obviously, the Death Master File can be a great help for detecting erroneous or fraudulent payments. Accordingly, SSA makes it available directly to a number of agencies that pay benefits or have other needs for this information, such as preparing statistical studies and to States which use the list to detect fraud or administrative errors, including fraudulent or erroneous food stamp payments, for example. At the same time, SSA makes the Death Master File available to these Federal agencies, they make it available to NTIS for reproduction and distribution to others. We receive this information on a cartridge via overnight mail and copy the information onto magnetic tape or cartridge or CD, depending on what our end-user has requested. And I want to stress that NTIS will of course be pleased to consider other formats. It typically takes 1 to 3 days for NTIS to complete this production process, having received the cartridge and then turning it around. We send the file to more than one hundred subscribers, either via overnight mail or first-class mail, if that is their preference. All formats are sent out at the same time. The turn-around time does depend in part on the size of the file, but it is not generally a function of the fact that NTIS offers it in various formats. That is not the source of delay. We understand that the Social Security Administration is exploring new approaches to making the file available in a more timely technological manner. These include sending the file to NTIS electronically and sending updates on a weekly, rather than monthly, basis. Clearly, electronic transfer would certainly reduce the turn-around time. Subscribers would probably find it easier to obtain just the updates electronically rather than the massive Master File. In any event, we are committed to working with SSA to improve the delivery of this important product. Finally, let me express--I understand there's a desire in the financial community for a web-based search capability. That is an interesting proposal that we will certainly look at. And again, NTIS is pleased to look at that further. If there's anything that we can or should do to expedite the process, we want to do it as soon as possible. Thank you, Mr. Chairman. [The prepared statement of Hon. Philip J. Bond can be found on page 57 in the appendix.] Chairman Shaw. Thank you, Mr. Bond. Mr. Huse. STATEMENT OF HON. JAMES G. HUSE, JR., INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION Mr. Huse. Good morning, Mr. Chairman. Thank you for having me. Chairwoman Kelly. While I have testified on the issue of identity theft before various committees in both the House and Senate, the issues of September 11th lend a renewed urgency to this issue. Identity theft was already a significant problem facing law enforcement, the financial industry, and the American public before September 11th. In the weeks since that terrible day, it has become increasingly apparent that improperly obtained Social Security numbers were a factor in the terrorists' ability to assimilate themselves into our society while they planned their attacks. While this has heightened the urgency of the need for Congress, the Social Security Administration, and my office to take additional steps to protect the integrity of the Social Security number, it has not altered the nature of the steps that must be taken. The Social Security number, no matter how much we avoid labeling it as such, is our national identifier. As such, it is incumbent upon those of us gathered here to do all in our power to protect it and the people to whom it is issued. There are three stages at which protections must be in place: upon issuance, during the life of the number holder, and upon that individual's death. With respect to the issuance of SSNs, or what the Social Security Administration refers to as the enumeration process, our audit and investigative work has revealed a number of vulnerabilities and resulted in a number of recommendations. The most critical of these recommendations centers around the authentication of documents presented by the individual applying for an SSN or a replacement Social Security card. If we are to preserve the integrity of the SSN, birth records, immigration records, and other identification documents presented to SSA must be independently verified as authentic before an SSN is issued. Further, if immigration records are to be relied upon, the Immigration and Naturalization Service must be required to authenticate those records. Regrettably, this will subject the enumeration process to delays. But just as we must endure lengthy waits at airports in the name of higher security, so must we now sacrifice a degree of customer service in the name of SSN integrity. H.R.2036, introduced by the Social Security Subcommittee, moves us closer to these protections, the importance of which cannot be overstated. If we cannot stop the improper issuance of SSNs by the Federal Government, then no degree of protection after the fact will have any significant effect. It would merely be closing the barn door after the horse has gone. The second and most difficult stage of protecting the SSN comes during the life of the number-holder. Because the SSN has become so integral a part of our lives, particularly with respect to financial transactions, it is difficult to give the number the degree of privacy it requires, but there are important steps we can take. We can limit the SSN's public availability to the greatest extent practicable, without unduly limiting commerce. We can prohibit the sale of SSNs, prohibit their display on public records, and limit their use to valid transactions. And we can put in place enforcement mechanisms and stiff penalties to further discourage identity theft. Finally, we must do more to protect the SSN after the number-holder's death. The Social Security Administration receives death information from a wide variety of sources and compiles a Death Master File, which is updated monthly and transmitted to various Federal agencies. It is also required to be offered for sale to the public and can be accessed over the internet through a number of sources, as we've already heard. My concern under the current system is with the accuracy of the death information. Accuracy in this area is critical to SSA in the administration of its programs, to the financial services industry, and to the American people. Our audit work has revealed systemic errors in the Death Master File and we have recommended steps that SSA can take to improve the reliability of this critical data. Among these recommendations were matching the Death Master File against auxiliary benefit records to ensure that individuals receiving benefits in one system are not listed as deceased in another, and reconciling 1.3 million deaths recorded in SSA's benefit payment files that do not appear in the Death Master File. We are faced with striking a balance between speed and convenience, on the one hand, and accuracy and security on the other. This is true in the case of the Death Master File, just as it is true in the enumeration process. At all three of these stages of an SSN's existence, improvement is needed. H.R. 2036 addresses many of these concerns. The Social Security Administration, my office, the Congress, and the American people must act together to accord the SSN the protections appropriate to the power it wields. Thank you very much. [The prepared statement of Hon. James G. Huse, Jr. can be found on page 62 in the appendix.] Chairman Shaw. Thank you, Mr. Huse. Mr. Streckewald. STATEMENT OF FRITZ STRECKEWALD, ACTING ASSISTANT DEPUTY COMMISSIONER FOR DISABILITY AND INCOME SECURITY PROGRAMS, SOCIAL SECURITY ADMINISTRATION Mr. Streckewald. Chairman Shaw, Chairwoman Kelly, Members of the subcommittees, thank you for asking me to appear before you today to discuss the Social Security Administration's collection, maintenance and distribution of death information. We use this information for a number of important program purposes and the integrity of this information is of utmost importance to us. SSA's Death Master File was created because of a 1980 Consent Judgement resulting from a lawsuit brought by a private citizen. Under the Freedom of Information Act, we are required to disclose the Death Master File to members of the public. SSA obtains death reports from many sources, with 90 percent of the reports obtained from family members and funeral homes. The remainder of the information comes from States and other Federal agencies through data exchanges and reports from postal authorities and financial institutions. We match death reports of the approximately 2.5 million people who die annually against our payment records and terminate benefits for those individuals who are deceased. We annotate the deaths on our master Social Security and Supplemental Security Income beneficiary records and on the Social Security number record file for beneficiaries and non-beneficiaries. Since studies have shown that death reports from family members and from funeral homes are over 99 percent accurate, we do not verify these reports. For our beneficiaries, we are currently verifying reports from financial institutions and postal authorities after terminating benefits. However, we are changing our policy to verify these reports before taking any action. Reports obtained through data exchange require verification through our field offices before an individual's death is posted to our payment records and their benefit is terminated. This includes death data received from the States. We do not verify death reports on persons who don't receive Social Security benefits, and it would be difficult for us to do so since we do not have addresses or other identifying information on these individuals. The Death Master File is updated daily based upon reports SSA receives and contains approximately 70 million records, including Social Security beneficiaries and non-beneficiaries, with verified and unverified reports of death. If available, the file contains the deceased's SSN, first name, middle name, surname, date of death, date of birth, State, county, zip code of the last address on our records, and the zip code of the lump-sum death payment. The record is also annotated to indicate where the report was verified. Federal agencies, State and local government, and the private sector use the national death data file, and we are reimbursed for the cost of providing this information. Currently, as required by law, SSA shares the full Death Master File with Federal benefit-paying agencies that use the data to conduct matches against their own beneficiary rolls, such as the Department of Defense and the Office of Personnel Management. Under the matching agreement with SSA, these agencies are required to independently verify the fact of death before taking any adverse action. The publicly available Death Master File is provided monthly to the Department of Commerce, National Technical Information Service, or NTIS, which in turn makes it available to the public under the Freedom of Information Act. NTIS distributes it to subscribers by either tape file or CD-ROM version. Some of these private companies, including genealogical publishing companies, create their own files from the Death Master File. Some private websites have these files on line. In response to issues raised by the subcommittee Members, we are exploring electronically transmitting our Death Master File to the NTIS, rather than sending them through Federal Express. We are prepared to do that immediately, as soon as NTIS is ready to receive it. Transmitting the data more frequently is also possible, perhaps on a weekly or bi-weekly basis. SSA also has an electronic data exchange of all States and a large number of Federal agencies. This is an electronic overnight query process that enables requesters to enter a query for any individual. Using this process, State agencies can access our death records so they can ensure that benefits are not paid to deceased individuals. Finally, I'd like to briefly mention recent initiatives to strengthen the enumeration process. In response to the events of September 11th and the indication that some terrorists had Social Security numbers and cards, some of which may have been fraudulently obtained, SSA formed a high-level response team to re-examine the enumeration process. The response team, which includes representatives of SSA's Office of the Inspector General, will help determine what changes need to be made to ensure that we are taking all necessary precautions to prevent those of criminal intent from using Social Security numbers and cards to advance their operations. Thank you again for the opportunity to discuss with your committees how SSA gathers and distributes death information. I will be glad to answer any questions. [The prepared statement of Fritz Streckewald can be found on page 73 in the appendix.] Chairman Shaw. Thank you. Mrs. Bovbjerg. STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR, EDUCATION, WORKFORCE AND INCOME SECURITY ISSUES; AND RICHARD J. HILLMAN, DIRECTOR, FINANCIAL MARKETS AND COMMUNITY INVESTMENT ISSUES, GENERAL ACCOUNTING OFFICE Ms. Bovbjerg. Thank you, Mr. Chairman, Members of the subcommittees. I'm really pleased to be here before the subcommittee again and to meet a new subcommittee to me, with my colleague, Richard Hillman, to discuss the distribution of death information to financial institutions. As we've heard, the Social Security Administration collects and records the names and Social Security numbers of the more than two million Americans who die each year. This information is critical to the integrity of the Federal benefit system. Properly used and distributed, death information can also help prevent the fraudulent use of Social Security numbers to steal identities, to obtain false identification documents, and to commit financial fraud. In light of the recent terrorist attacks, it is more important than ever to safeguard Social Security numbers from criminal use. Accordingly, our testimony today addresses three points. First, how death information is collected and distributed and how long this takes. Second, how the financial services industry uses such information. And third, possible steps to improve timeliness of distribution. Our observations are based on prior GAO work, preliminary work at the SSA and the National Technical Information Service, and our discussions with financial services institutions. First, let me describe the collection and distribution process. As we've heard, SSA receives about 90 percent of its death information from funeral homes and relatives of the deceased, and most of this information reaches SSA within a week of death. SSA takes another week to process the information and add it to individual Social Security records. At the beginning of each month, SSA extracts this death information from its records to the Death Master File, and sends it to the NTIS. NTIS receives this information by the fourth or fifth day of each month and mails it to subscribers on tape or on CD-ROM within another 2 to 4 days. Overall, most death information reaches these subscribers within 1 to 2 months of death, depending on when the death notice first reaches Social Security. The remaining ten percent of death information comes to SSA from other Federal agencies that learn of deaths through data matches or undelivered benefit checks and from State vital statistics bureaus. However, these death reports are less timely than those sent directly from families and funeral directors to SSA, and require verification by SSA before they can be added to the Master File and distributed. Death information may not reach SSA from State reports until 3 to 4 months after the date of death and is not available to private subscribers. Let me now turn to how financial services institutions use this information. Representatives of such institutions told us they did not use a formal process or a central data source to identify deceased customers, although most receive death information either from family members or, in the case of Social Security beneficiaries with direct deposit, from SSA directly. However, most also told us that they subscribe to fraud prevention products or services offered by credit reporting agencies for evaluating new credit applications. All three credit reporting agencies subscribe to the Master File and make this information available to their customers through these proprietary fraud prevention products. Most institutions we contacted expressed an interest in receiving timely death information with frequent updates. Some of these institutions were aware of the Master File, but unfamiliar with the information they provide, or of the ability to subscribe, while others were not aware of it at all. Finally, let me turn to possible steps for improving the distribution and use of death information. As you've heard, SSA is exploring ways to speed up this process and has stated that it would be relatively easy to produce updates on a weekly, rather than a monthly, basis. SSA and NTIS officials have stated that it should also be possible for SSA to transmit updates to NTIS electronically and that NTIS could transmit the information to subscribers electronically as well. SSA is also piloting the electronic death registration system, which would enable States to collect and report deaths electronically to SSA, both streamlining and centralizing the collection reporting of such information. However, existing restrictions on distribution of State- provided data could complicate adoption of such an approach. In conclusion, most death information is available to the public within 2 months and improvements to the collection and transmission processes could make this information more complete and more timely. Educating the financial services industry about the availability and contents of the Master File would also be helpful. Such measures are tangible steps that could act to narrow the window of time in which a criminal can open new accounts using a deceased person's identity and would raise the likelihood that such behavior would be detected. However, improving the use and timeliness of death information will not by itself eliminate identity theft and is not a panacea for addressing the larger issue of criminal misuse of Social Security numbers. That concludes my statement, Madam Chairwoman. Mr. Hillman and I would be happy to answer any questions you have. Chairwoman Kelly. Thank you very much. Mr. Hillman, have you a statement, or is yours the same? It's a joint statement? Mr. Hillman. Yes, Madam Chairwoman. [The prepared joint statement of Barbara D. Bovbjerg and Richard J. Hillman can be found on page 87 in the appendix.] Chairwoman Kelly. All right. Thank you very much. I appreciate you all indulging us up here as some of us are leaving to vote. This way, we can keep the hearing going without keeping you all in your seats for too long a period of time. I'm going to open the questioning. Mr. Streckewald, I have a question for you. Actually, I have a couple of questions for you. On page 6, in your testimony, you describe the State verification and exchange system that allows some States and some Federal agencies to verify a death within one day. Have you considered whether to open it to access by the financial services industry? Mr. Streckewald. We use that for, as you said, the State governments. We have, as far as I know, not looked into using it for financial institutions. We do have the ability for employers to verify Social Security numbers in a batch mode, which is like an overnight type of mode as well. And so, employers can send us batches or individual Social Security numbers, so that we can verify for them. I'm not aware that we have specifically looked at the financial services' access to the information. Chairwoman Kelly. I think that looks like the basis for a system that's needed by the financial institutions, so that they could do rapid verification. Since the Patriot Act requires them to verify the identity of any new account-holder, I don't understand why the SSA can't commit to allowing that system to be used as part of verification procedures. Mr. Streckewald. We can certainly take a look at that and get back to the subcommittees on what we find. [The information referred to can be found on page 82 in the appendix.] Chairwoman Kelly. I wish you would, please. And to that effect, I'm going to send a letter to the Secretary of the Treasury with that recommendation to put into their regulations, because I think that that's a way of rapidly helping our financial institutions. I also wondered if the SSA and the NTIS had ever collaborated on a study to determine a faster means of getting the information to the financial services industry, including this one, and including sending it electronically or even perhaps, that difficult word, contracting out the entire process, from extraction to dissemination. Mr. Streckewald. I think with recent events, we've come to the conclusion with NTIS that we do need to get this information to them quicker and that they need to be able to distribute it quicker. I think what remains to be worked out is just the details of that. It's certainly technologically feasible and as we've heard this morning, it seems like both agencies are willing to move to perhaps a weekly or biweekly update of the information and to transmit electronically rather than through overnight mail. Chairwoman Kelly. That I read in the testimony. My question is, I really want to know how rapidly you're doing that, but also there's another piece of this. There's a victim. I had my credit card stolen. I think there's a lot of people who have had things like that go on. I want to know with regard to the Social Security number what you're doing to help the victims who have their identity stolen, or the families of victims. Mr. Streckewald. We have a series of actions that kick into place when we hear about this type of event. First of all, we refer them to the inspector general hotline because it's perhaps a criminal event that needs to be investigated. But we also work very closely with the person. We give them pamphlets that explain who they can contact. We give them referrals to some of the national financial services organizations so they can clarify and correct their credit ratings. So we do have procedures in place for referrals to hotlines and other services that can help correct the problem. Chairwoman Kelly. It's been my experience in working with those that they are not terribly rapid. It takes a while. And it takes going through several people to get it done. I'm going to ask you this, Mr. Bond, and I would like you both to answer both those questions, the prior question and this one. What's the possibility of allowing people to do this kind of thing, to do it perhaps electronically with something as a follow-up that would be a verification. Mr. Bond. I'm sorry? Just to understand, a verification of the receipt of the information or a verification of falsely secured numbers? Chairwoman Kelly. I'm extending this to the people who are the victims of identity theft from the Social Security Administration numbers. Those people would have to, when you have that happen, if it's in your family, you have to deal with a lot of different people. What's the electronic possibilities of letting people do that electronically, deal with people and do it rapidly, rather than having to make a lot of telephone calls? Mr. Huse. If I may be permitted, Chairwoman Kelly. Chairwoman Kelly. By all means. Mr. Huse. The Federal Trade Commission and our office of the inspector general have a reciprocal information exchange that going forward will only get better. But in the last 2 years, has rapidly improved the transmission of victim information so that it gets to the credit-reporting bureaus better than it used to. Can it be improved? Yes. Like many other things in Government, it is based on this application of resources and we're certainly changing our approach to the amount of resources we apply to this as this crisis has developed over the last 5 years. But that's the way it's done. It's better today, and does use, by the way, e-mail and electronic transmission, if victims have that available to them, to get the information to us. From that clearinghouse, then, this information becomes available to local, county and State law enforcement. Again, I'm not trying to paint a rosy picture here, but at least we have the dots on the paper and we're connecting them a little bit better than we used to. Chairwoman Kelly. What's the timeline on that? Mr. Huse. It all depends on the application of resources. We work in our budget submission process to try and gain those to do this. The technology is already there. It really is a matter of adjusting IT resources and the human capital that you need to make this happen. We're just learning that this is an issue that the people care about a great deal. Mr. Bond. Madam Chairwoman, if I could add to that, too. Technologically, of course, there's no reason you can't expedite things via the internet and secure communications and so forth. It really becomes part of a very fundamental e- government initiative that both the Congress and the Administration have to join hands on. The Administration has sent up an aggressive proposal in that regard and appointed people at OMB to oversee it, to try to really push the agencies more toward quicker, more rapid response for our shared constituents. But it's going to be a very fundamental effort to apply technology to the service of constituents. Chairwoman Kelly. What's your timeline? Mr. Bond. There is a multi-year plan out of OMB which does require some significant funding here on the Hill. And that will be one of the many issues in final appropriations discussions for this year because the request was not fully funded coming out of the two chambers. Chairwoman Kelly. So it's a matter of appropriated funds from Congress. Is that correct? Mr. Bond. Absolutely, to upgrade the IT capabilities in many of the Federal agencies. Mr. Streckewald. If I could, I would reinforce Mr. Bond's comments that the Federal Government as a whole, through the leadership of OMB and through individual agencies' initiatives, is looking at customer-oriented electronic services. In some ways, SSA has been providing this with our online applications. But this particular example that you're using, which is to help people correct identity theft problems, would have to be a broad spectrum of stakeholders, financial services, Government agencies, States, would have to come together and plan this out and construct the communications lines and the procedures for solving this. But it is technologically feasible and OMB is trying to lead us to a more electronically-focused, customer-oriented Government. Chairwoman Kelly. Mr. Huse. Mr. Huse. One more thought on all of this. I think we understand now, with this identity fraud crisis issue and victim assistance as a key part of it, we've learned a lot the last few years that our traditional approaches to this just don't cut it. They don't work. We have advanced a proposal in the budget process for innovative ways to change this model, so that law enforcement, Federal law enforcement integrates itself better with local law enforcement because it's a total issue. It just can't be relegated to the Federal Government or a burden on local governments. And this model means non-traditional approaches. The key to it is rapid and effective information exchange. The work is there and the ideas are there. In fact, some of this is in 2036. Some of the pieces that we need to get this done is in 2036. But I really want to assure you, Madam Chairwoman, that we are committed to trying to do this. But, as I said, as in everything in Government, it is resource-dependent. Chairwoman Kelly. Most people who come before these subcommittees ask for resources. That's not a surprise. Mr. Huse. No. Chairwoman Kelly. But we're essentially in a terrorist war situation. One of the things that America has always had is ingenuity. This may be the time to do more with less. And I'm not saying that you can't get the resources. What I'm simply saying is that we have a limited budget. We all know that. And ingenuity is going to have to be the order of the day for all of us. This may be the time, when you need to have that larger meeting, discuss how it's going to go and do it sooner rather than later, so you can get help from the financial institutions as well as from anyone else who is an interested stakeholder in this. I want to ask the GAO, since there's no one else who has come back from the vote yet, I want to ask you, Barbara, if you don't mind, have you considered whether the Social Security Administration can open the State verification and exchange system to the financial services industry to allow the companies to verify? Is that something that you've thought about? Ms. Bovbjerg. GAO has done a lot of work on data sharing and the importance, on the one hand, of sharing information that allows you to safeguard benefits and safeguard identity and, on the other hand, being concerned about privacy and retention of personal information. The death records are already public information, at least for the most part. What remains to be worked out with the States is this question of State restrictions on information that they provide that is not verified by SSA. That seems to be one of the sticking points. And we do hear about a resource question. I think we have been interested and have asked about the feasibility of doing some sort of online look-up, web-based approach that financial institutions could go to directly. And we're not in a position to make any recommendations. We would have to look at the cost versus benefits. But we thought that that might show promise. Chairwoman Kelly. Perhaps we should ask for a cost/benefit analysis of something like that. Ms. Bovbjerg. Well, may I add something? Chairwoman Kelly. Yes. Ms. Bovbjerg. Excuse me, Ms. Chairwoman. We are doing some work that I wanted to call to your attention for Congressman Johnson on the Social Security Subcommittee that looks at law enforcement and identity theft across governments. And one of the questions that he has us addressing is looking at the lead Federal and State law enforcement agencies with responsibilities in identity theft investigation and looking at how they cooperate across jurisdiction, including across Federal agencies. I'm not sure when that work will be published. That's being done in another team. But I think that that will help get at some of the issues that have been raised this morning. Chairwoman Kelly. Thank you, and thank you for volunteering that. What exposure did you find that financial institutions have? If a name is in the Master File and the institution processes a payment any way? Mr. Hillman, do you want to answer that? Mr. Hillman. I'm not exactly sure what the exposure may be to a financial institution who processes information and maybe provides funds out to an individual of a deceased person. But we could find that out for you and let you know. Chairwoman Kelly. I would appreciate your taking a look at that because that goes to the next question. And that is whether or not--I'm trying to get the acronym here--the FFIEC, the exam procedures, perhaps should take that into account. I don't know if it does or not, but I think it's worth taking a look at. I'm concerned also with the education of financial institutions with regard to what their exposure is and the appropriate usage of the Death Master File. So perhaps you could take a look at look at that also. Mr. Hillman. We'd be happy to do that. We have looked at the examination procedures, as you might expect, that financial Federal regulators follow in looking at the financial services industry. And in general, those examination procedures look to the safety and soundness of those depository institutions to ensure that they have sufficient funds to conduct their businesses. They haven't in all cases looked at other important areas such as concerns with individuals or constituents. And I agree with you that that would be an important topic to further study. Chairwoman Kelly. Thank you very much. Mr. Brady, do you have any questions? Mr. Brady. Thank you, Madam Chairwoman. I'm sorry I missed the last part of the testimony. But, obviously, to solve this problem will take a combination of prevention and enforcement in the process. We need to do all we can in prevention of identity theft. But I think what everyone understands is that, in this open society, it will be difficult to close that barn door completely, in this open, information-based society. So focusing a bit on the enforcement and the punishment side of it, what are the chances someone engaging in identity theft is going to get caught? What are the consequences in real life when they do? Who's the best responsible and available to do that, State or Federal Government? What role can the business community play in catching them? And the bottom line, what would it take to make the consequences harsher to be a real deterrent to people engaging in it? And I'll open it up to anyone who's got an opinion. Mr. Huse. I'll take the first cut at an answer, Mr. Brady. Mr. Brady. All right. Mr. Huse. We don't do a great job from a criminal justice perspective with identity thieves because it's a relatively new crime. We have a mixed result if you look across the Federal judicial system in terms of sentencing on these crimes. We need to do better. One of the outreach efforts I think we need to make now with the post-9/11 consciousness that we have is to educate United States attorneys to the fact that these crimes need to be a priority concern in each of the 94 judicial districts. That may or may not be the case depending upon where you are in the United States. Other trendier crimes get priority. Most States have very vigorous and good identity crime statutes themselves. So we need to cooperate more with local and State law enforcement to prosecute there where we can. Clearly, though, the key to identity fraud because it transcends all boundaries is there has to be a better information-sharing mechanism. And the Congress, when it passed the Identity Theft Deterrence Act several years ago, an Assumption Deterrence Act several years ago, and established the clearing house in the FTC, I assure you that that is working and will only get better as we engage it more. So that's my first try at an answer. Mr. Streckewald. If I could just elaborate a little bit. That particular law that was passed in 1998, which for the first time made it a Federal crime to fraudulently obtain identification, sell identification, or misrepresent yourself on obtaining any type of identification. And for the first time, the Social Security number was included as a means of identification. So that did provide law enforcement with an added tool for enforcement. Mr. Brady. How many prosecutions have there been? Mr. Huse. We can get that for you and follow that up. One thing I want to add, Mr. Brady, is one of the provisions of 2036, if it's passed, gives us some great civil money penalty tools. Also, for those identity crimes that fall maybe under the prosecutorial thresholds in a given judicial district, but still have a fact pattern that supports an offense, we can sting those people with some money penalties, and I think that's a good thing, too. Mr. Brady. In real life, what are the consequences for getting caught? What's an average sentence, punishment, for identity theft? Mr. Huse. Well, with sentencing guidelines, probably for a first offender, it is several years of confinement. It depends on the criminal history involved. Mr. Brady. Sure. Mr. Huse. But it's a 10-year felony, the misuse is a basic Federal felony. Mr. Brady. Is there a feel for what first-time, second-time offenders, what they traditionally get? I'm not pushing. I'm just curious. We all know what guidelines are. We all know what happens in real life. Mr. Huse. As I said, it's confinement for several years. It hasn't reached the point, even though the violation is just as bad, of having, for example, the emotion involved of a bank robbery or something like that. But it's just as pernicious. Mr. Brady. What role--can I keep, while I'm on a roll? Two questions, really. How can Washington help? Is it to create more resources here at the Federal level, or to complement better State prosecution efforts? Second, what role can the business community play in helping us catch and enforce this? Mr. Huse. I'll let Barbara answer that. Ms. Bovbjerg. I'll step into the breech. We have talked in GAO about the need for both prevention and for law enforcement. One of the things that we're doing right now at the request of Chairman Shaw is looking at uses in Government at all levels--Federal agencies, various departments in State government, local government, and the courts, looking at uses of the number and looking at how the number is being safeguarded and developing options that could be considered for safeguarding. So my answer to your question is more in a prevention side and working with SSA as they try to have the balance of making information available, but at the same time safeguarding it. That's always an issue with some of these web-based---- Mr. Brady. And clearly, we need to do both. I'm not discounting either. I was just focusing on that side because I'm not as aware of it. And second, it just seems, when you look at the number of people who have been hurt by identity theft and fraud, the average time it takes to try and clear their name, the costs to them, and then on September 11th, we had people who stole identities and then stole thousands of people's lives as a result of it. So the obvious question is, what can we do to punish them to the fullest extent, or to deter the next person who has that in mind? That was my focus. Ms. Bovbjerg. And then I turn it over to the law enforcement end of the table. Mr. Huse. Well, I just wanted to take the piece of the question, is it all about resources? And that goes to Chairwoman Kelly's earlier comment. It doesn't necessarily just mean resources, although some modest adjustments are needed here and there because you're short some capacity. But basically, the key to this is rethinking this particular crime top to bottom, and rethinking how we focus on this crime. We're trying to apply an old model to this that just doesn't work. If we could just understand how serious it is, that's a big, huge step, and then work with ways to, using the magnificent technology that we have, to communicate better. I think that's really the answer, rather than some new agency or the like. Mr. Brady. Thank you. Thank you all very much. Chairman Shaw. Before I go to Ms. Hooley, I do have a question for you, Mr. Huse. Does the law distinguish in the case of identity theft between a living person's identity who has been stolen or a deceased person? Mr. Huse. I don't believe it does. I think the law deals with the identity theft. I do know that a deceased person has no rights because they're not here to have them. But in terms of the identity theft, it still stays the same under the law. Again, my staff---- Mr. Bond. I want to add, my understanding on that is that an individual under law is considered to be a living individual. And so the rights do not extend to the deceased. So when you talk about privacy laws, those are applied to living individuals and that is a fine point that I think some of the Executive agency lawyers would want to talk to the committee staff about in doing forward on your legislation. Chairman Shaw. OK. If that answer needs sharpening up, let us know. Mr. Bond. OK. Chairman Shaw. Ms. Hooley. Ms. Hooley. Thank you, Mr. Chair. In the case of Tyler Bales, you could not give the information to local law enforcement agencies, even though identity theft is a crime in Oregon. So I want to know, do we need to as a body fix that? Mr. Huse. Congresswoman, when you were speaking, I jotted down on a card that case and I passed it back to our chief investigator and I said, we should look at this case. I don't know why under the IRS rules they didn't disclose. And that may be some arcane rule. I mean, they're governed by rules. We are at Social Security. But, usually, I'd like to see if there wasn't a way that the Social Security Administration might not be able to work with that case and take it forward. And I'm not criticizing IRS. I'm just not sure. Ms. Hooley. What I'm looking for is if we can do that, in the case of Oregon where identity theft is a crime. Mr. Huse. Right. Ms. Hooley. And I'm just trying to figure out, do we need to fix it or if it's some rule that can be fixed. Mr. Huse. That's why I'd like to look at that. Ms. Hooley. OK. Mr. Huse. And we'd be glad to talk to your staff about that and look into that case and then get back to you, if that's OK. Ms. Hooley. OK. I have a couple of other questions. The Death Master File, it contains everything that a thief would need to get up and running. It's now being transmitted, I understand, to 104 customers, up from about 51 in 1999. Is that correct? Mr. Bond. Yes, that's about right. Ms. Hooley. And all of the customers are paying for the information. Mr. Bond. Correct. Ms. Hooley. And do they use it for the purpose to flag financial holdings of the deceased individuals or is the information being used for other purposes? And if so, what are the other purposes? Mr. Bond. It is a wide variety of purposes, from security to checking for fraud, obviously. I'm just flipping through here to try to see, because I had asked that question myself. Having just been sworn in on October 30th, I'm trying to find out everything I can quickly. Ms. Hooley. I think sort of the irony of this thing is---- Mr. Bond. There are a couple of things that you need to know about. One is just the private genealogy sites that people talked about. That is one that is used, that you can go to. I did my own search and found that the Jasper County Public Library in Indiana has got the full Death Master File available there. So there's a variety of uses out there. But the private sector is checking mostly for fraud in financial transactions. Ms. Hooley. I guess sort of for me the irony is that the Internal Revenue Service can't pass the information on to law enforcement, but they can sell it to other organizations to be used. And I just have a bit of a problem with that. Should I? Mr. Huse. I don't think any of us here are tax experts. We won't even go near there. Mr. Bond. All I can add is that by the time it gets to NTIS, it is, as was explained, considered subject to the FOIA laws, and so it's out there. Mr. Streckewald. I have a little more information on the uses of that, at least in terms of the customers. About 20 percent of the purchasers of the Death Master File are public sector groups. Some colleges use it, perhaps for research or checking against their databases of students. In addition, several private insurance companies use it extensively, along with a few banks. But there are not a lot of financial institutions on the list. Mr. Bond. Here's the actual breakdown from NTIS, Congresswoman. It's 20 percent State and local, 20 percent information brokers, 15 percent insurance companies. Medical and cancer research organizations make up 15 percent. Security providers, five. Marketing companies, around five percent. Credit reporting bureaus and agencies, five percent. Pension funds, five percent. Banks and financial institutions, three. And genealogy, three. Ms. Hooley. Thank you. Thank you and I yield back my time. Chairman Shaw. Thank you. I want to pursue the question of Ms. Hooley. I want to know, those death files, when they're put out, the Social Security numbers are on them. And I guess they're readily obtainable. We know from experience and testimony before these subcommittees that they still have value to those that would attempt identity theft. At the hearing that we had last week, we found that those numbers do survive the decedent and have a real purpose in State tax returns and things of this nature as an identifier. And we also found that the numbers stay exactly the same. There's no D for decedent or something put after the number. So those numbers are still out there and for the layman looking at it, wouldn't know whether that was a decedent or somebody who was very much alive. What is the suggestion--and I open this to any member of the panel, that any of you might have--with how we could safeguard those numbers and yet, release them for legitimate purposes? Obviously, insurance companies need them and some public officials need them--public agencies need them, rather. Are there any thoughts on that? Mr. Streckewald. Yes. Let me see if I can give a couple thoughts on that. I think it goes to the whole purpose of the Death Master File. Originally, it was a court settlement that required us to do this under the Freedom of Information Act law. But we sell the Death Master File for commercial purposes through NTIS, so that those with a reason to know individuals' Social Security numbers will know which numbers belong to deceased individuals. If a number comes through their system and it matches up with a number on the Death Master File, there's a problem. So, in fact, the number is flagged. It is annotated when you compare it against our Death Master File. If the Death Master File is not used extensively, then, of course, people won't have awareness of it. So, on the one hand, if it's out there, anybody can use it and try to take a number from it and create an identity or use it to apply for a credit card. But if the financial services and insurance companies and others make greater use of the Death Master File, then they'll know which numbers belong to deceased individuals. Chairman Shaw. How can we safeguard that, those lists being misused? We have to assume that if they're out there, they're being marketed, that they are available to the bad guys. Mr. Streckewald. From Social Security's perspective, if a person uses a Social Security fraudulently to work--sometimes numbers are used fraudulently for working--if earnings are reported on that number the year after the real number-holder dies, then we automatically investigate because we know that number belongs to a person who is shown as deceased on our records. We issue an alert to the field office and they call the employer and ask who is this person that's giving these wages under this number. On our records, it shows that the number belongs to deceased individuals. So, again, from the original purposes, earnings recordation, we do track back and see if it belongs to a dead person and if so, why are earnings being recorded. Chairman Shaw. It takes a year. You know the person is dead, money is coming in, it is going into his account. Why wouldn't it be kicked out in the first---- Mr. Streckewald. Well, if a person works in January, February and dies in March, those earnings are reported to us after the end of the year. So we know that we haven't heard from the IRS yet until the year is over. The next year, if we receive earnings from that person, that's suspicious and that triggers an alert. Chairman Shaw. Yes, that would be suspicious. How do we handle death in foreign countries? Someone has retired in a foreign country, their money is being electronically transferred to a bank down in Mexico. How is that dealt with? Mr. Streckewald. I believe that we receive from embassies lists of deceased beneficiaries in foreign countries--they have Social Security numbers--so we would annotate our records and we would terminate their benefits. Chairman Shaw. How do the embassies accumulate that? Now here, the funeral home turns them in. The death record is required on that. So where is it in countries that don't have that process in place? Mr. Huse. To get to a bottom line here, it's not a perfect system and it's totally dependent on cooperation in those countries to give that information back to the benefit officers that we have in foreign stations. So what happens is, periodically, the agency does send out a survey team based on ages of beneficiaries--I think they set the number in the 1990s, but they're take a look to see if those people are still alive in the foreign population areas. And those are done on a cycle basis by the international operations. Mr. Streckewald. It's the international operations. And in fact, for countries that are considered to be high risk, such as Yemen, they send a team out there. Not only do they look at the elderly people, they ask to see in person every beneficiary in Yemen. That's one example. But we also go to the Philippines regularly and other countries. Chairman Shaw. Would it help if we actually sent checks to foreign countries that required signatures, or is the expense of doing that more than the savings on electronic transfer? Mr. Streckewald. I think we'd have to take a look at that and get back to you. I'm not sure. It certainly would be an issue. [The information referred to can be found on page 83 in the appendix.] Chairman Shaw. And actually ask for an endorsement on the check. I think people would be a little less likely to endorse or forge somebody's name than they would be to just simply let the thing slide and let the money continue to accumulate in the bank account. That's my off-hand opinion. Anyway, any further questions? The gentleman from Wisconsin? Mr. Ryan. No questions. Chairman Shaw. OK. Well, at this point, I turn the gavel over to Ms. Kelly, who will preside over the next panel. Chairwoman Kelly. Let me make the introductions of the second panel. We have: Mr. Stuart Pratt, Vice President for Government Relations, Associated Credit Bureaus; Tom Lehner, Executive Vice President for Government Affairs, American Financial Services Association; Tom Sadaka, Special Counsel, Office of Statewide Prosecution, Orlando, Florida. We welcome you, Mr. Sadaka. Am I pronouncing that correctly? Mr. Sadaka. Sadaka. Chairwoman Kelly. John Dugan, Covington & Burling, representing the Financial Services Coordinating Council. Mark Rotenberg, Executive Director, Electronic Privacy Information Center. And Evan Hendricks, Editor and Publisher of Privacy Times. We welcome you all. We look forward to your testimony. And I'd like to advise all Members and witnesses, I intend to keep to the 5-minute rule. So I'm going to remind witnesses when they have a minute remaining. Please check the clock. I will also ask unanimous consent that all Members' questions be included in the record. I'd like to begin with you, Mr. Pratt. STATEMENT OF STUART K. PRATT, VICE PRESIDENT FOR GOVERNMENT RELATIONS, ASSOCIATED CREDIT BUREAUS, INC. Mr. Pratt. Thank you both very much for this opportunity to appear before this joint hearing today. For the record, my name is Stuart Pratt and I am the Vice President of Government Relations for the Associated Credit Bureaus. By way of background, the ACB, as we're commonly known, represents more than 500 consumer information companies and produce a wide range of products, including fraud prevention, risk management, credit reports, mortgage reports, tenant employment screening services, check fraud, and verification services. And so the subject matter here today is obviously very relevant to us and all of our members. I think it's clear, perhaps more than ever before, that how we authenticate, how we verify, and how we ensure the authenticity of information in various types of applications is an essential need in this country. Unfortunately, I think we've learned that for all of the wrong reasons. But at the core of this need is also the availability of information to be used and deployed in the authentication of application processes. And at the core of all of that, in many cases still, is the need for the availability of the Social Security number, which plays a particularly important role in our ability and our members' ability to build authentication and fraud prevention products, which then in turn allow us to mediate disparate sets of information and bring them back together in order to partner with our financial services customer bases, insurance and so on, in ensuring that they are, in fact, opening up lines of credit, depository accounts and so on, for legitimate individuals and for legitimate purposes. I want to applaud your subcommittee, of course, and the Congress as a whole for the enactment of the USA Patriot Act and the very fact that this Act itself recognizes the need to have a robust system of authentication, and in turn specifically directs the Secretary of the Treasury to establish minimum standards for financial institutions to verify account applicant information. I think, further, Chairman Shaw, in your hearing last week, we heard additional challenges in terms of even the enumeration process, how do we authenticate and verify information about individuals who are making applications for Social Security numbers. And in fact, I think we heard information in your hearing last week about the challenges even the States will face on a go-forward basis in authenticating and verifying individuals who make applications for something as simple, but as consequential, as a driver's license. So it's a changed world in which we live. The ACB was asked to address some questions or some areas in our testimony and I thought I would attempt to do that very quickly. And then of course we can amplify on that in questions and answers that you may have. You first asked how we, as consumer-reporting agencies, use the Social Security Administration's Death Master File. And let me start by discussing something about the scope of the industry that we represent. Our three major credit reporting system members--Equifax, Experian, and TransUnion--each maintain databases of approximately 200 million files on credit-active consumers in this country. In addition to that, members such as E-funds and Dole & Media, maintain Nationwide systems as well that help prevent checking account fraud and check fraud at the point of sale and further. In fact, we estimate, easily, that more than a billion consumer reports are sold every year in this country. And those consumer reports can carry forward and do carry forward in most cases a notification where there is a Death Master File record that we have been able to obtain. There are many members within our association who are, in fact, on that subscriber list. And I thought I would clarify one point that I think was lost perhaps in the previous round of testimony. And that is that, when we say there were not many financial institutions on that listing of subscribers, that's in part, because the channel of distribution through which the DMF data is made available to a majority of the financial institution market place is through companies like the ones that we represent here with the ACB. You've asked about technical problems with the current system and I think a lot of that has been covered in previous testimony. I think our members are also encouraged by the fact that there may be new and different technologies that could be brought to bear. There could be greater efficiencies achieved. And I think those are the right questions and I think we'll have to work toward achieving the right answers. Regarding other means of obtaining information, really, the only other way that the Associated Credit Bureau's members would be aware of an individual having died is through notifications that come through the systems directly from credit lenders. When a credit lender is notified through a trustee of an estate, they in turn will notify through coding back to us the fact that that consumer's credit account is now associated with a deceased individual. And that would be a code that would then be included in a statement that would be included and referenced on that account in subsequent credit reports issued on that individual. You've asked about outlining ways in which sources of information can be better integrated. And let me just say that today, integration is something that we achieve through the systems that we have. Unfortunately, I do want to state that the FTC's rules under GLB restrain us significantly in terms of building fraud prevention products outside of the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act. And let me close by making just a couple of announcements. I see I'm slowly losing time here. Chairwoman Kelly. Mr. Pratt, you've lost time. [Laughter.] So if you could sum up, that would be great. Mr. Pratt. Two announcements. Number one, we've asked all of our DMF subscriber members of the Associated Credit Bureaus to convert to monthly receipt. All members will convert to monthly subscriptions with the DMF Master File, which I think will help escalate and help make information available. And number two, our members have established and will work with a task force to work with the Social Security Administration in working through technology and legal issues that might be associated with escalating availability of information from the Administration. [The prepared statement of Stuart K. Pratt can be found on page 100 in the appendix.] Chairwoman Kelly. Thank you very much, Mr. Pratt. We move now to Mr. Lehner. STATEMENT OF THOMAS J. LEHNER, EXECUTIVE VICE PRESIDENT FOR GOVERNMENT AFFAIRS, AMERICAN FINANCIAL SERVICES ASSOCIATION Mr. Lehner. Thank you, Chairwoman Kelly, Chairman Shaw, Members of the subcommittees. Thank you for inviting me to testify today. I'm Tom Lehner. I'm the executive vice president of the American Financial Services Association. AFSA is the leading trade association for market-funded financial services companies. Our 400 member companies include consumer and commercial finance companies, auto finance/leasing companies, mortgage lenders, credit card issuers, and industry suppliers. I'm here to address the issue of identify theft using Social Security numbers and, specifically, the industry's use of the Social Security Administration's Death Master File. Social Security numbers are the most unique identifier of individuals in the United States. The financial services industry uses these identifiers for a variety of reasons, such as customer verification, credit checks, bankruptcy filings, and monetary judgments such as tax liens. The use of Social Security numbers is not generally secure. They are readily available and, indeed, used by companies, State and local governments, motor vehicle departments, colleges, and even by consumers who willingly print the numbers on the face of their checks. Thieves often steal Social Security numbers and ultimately the identity of individuals, both living and dead. Financial institutions such as credit card companies and banks have also incurred significant losses resulting from misuse of Social Security numbers. Consumers have also experienced monetary losses, impaired credit and legal problems because others have amassed debts using their identities. Financial firms have an obvious interest in making sure that individuals who open accounts are who they say they are. Companies rely on the Social Security Death Master File to protect against theft. In most cases, firms do not directly subscribe to the Death Master File, but access it indirectly through credit reporting agencies or other vendors who do subscribe to it. This is both more efficient and less costly to the consumer. For example, bank issuers of credit cards routinely obtain consumer reports on card applicants from credit reporting agencies. Because the credit bureaus periodically update their files by comparing information to the Death Master File, the credit report will contain an indicator if the individual has been reported as deceased. And the bank can use this information to decline the application or investigate the circumstances. Other financial firms such as securities broker/dealers also access the Death Master File as part of the account- opening process. This screening is typically done by third- party vendors who utilize Death Master File information. Consumer lenders regularly use information from credit- reporting agencies to review and adjust the status of existing accounts as well. It also helps to verify customers seeking to refinance existing mortgages or those who are interested in other services offered by the financial institution. Naturally, financial firms have other sources of information that might indicate that a customer has died and that access to the account should be frozen or terminated. The principal source is family members who called to notify the institution of the death of the customer and may request changes in the name on the account or the address where statements are sent. Lawyers and estate executors are another source of this information. Whether financial institutions obtain information about deceased individuals directly from the Death Master File or indirectly from other subscribers, they have an interest in obtaining information and data that is accurate and current. Delays between the date on which an individual dies and the date on which this information is made available to the public through the Death Master File increases the opportunity for identity thieves to defraud survivors, beneficiaries and financial institutions. One of the disadvantages of the current Social Security numbering system is that the agency is not always immediately notified upon the death of an individual. There appears to be no requirement for local officials to notify the Social Security Administration when someone dies. Despite their best intentions, having incomplete and incorrect information makes it very difficult for the Social Security Administration to issue an accurate Death Master File. Many companies have established internal processes that deal with fraud and identity theft. In addition, companies work with customers who are victims of identity theft and they also work with prosecutors to pursue those responsible. AFSA supports the efforts to encourage the Social Security Administration to obtain death information promptly and report it more frequently. We also support the continued dialogue between credit-reporting agencies and financial institutions to facilitate the flow of the Death Master File information and bureau files. For example, there may need to be a change in procedures so that when creditors report account status information to credit-reporting agencies, and this information is placed in a file of a customer about whom the bureau has received death information, the creditor is made aware of this fact on a timely basis. We believe that more financial institutions would consider subscribing to the data directly if the information provided was in real time and more accurate. Whether financial institutions obtain information about deceased individuals directly from the DMF or indirectly from other subscribers, it's in our interest and that of the consumer that we obtain correct information. We've hopeful that the Social Security Administration will make both the procedural and policy changes necessary to ensure the security of our individual unique identifiers, our Social Security numbers. Thank you. [The prepared statement of Thomas J. Lehner can be found on page 107 in the appendix.] Chairwoman Kelly. Thank you very much and thank you for limiting your testimony to the time. We now move to Mr. Thomas Sadaka. STATEMENT OF THOMAS A. SADAKA, SPECIAL COUNSEL, OFFICE OF STATEWIDE PROSECUTION, ORLANDO, FL Mr. Sadaka. Chairwoman Kelly, Chairman Shaw, I truly thank you for the opportunity to be here today. For the record, my name is Thomas Sadaka and I am Special Counsel to the Statewide Prosecutor of Florida for computer crime and identity theft prosecutions. As the only representative of State government, as well as State law enforcement, I think a bit of a background is in order. Florida ranks third in the Nation currently in identity theft complaints, according to the FTC. As such, we have embarked on a rather strenuous effort to combat and to curb the epidemic of identity theft. At the request of Gov. Bush and as a result of the Privacy Technology Task Force, which addressed issues of Social Security abuse, public records abuse, and identity theft in general, we have impaneled a State-wide grand jury and have partnered with the Florida Department of Law Enforcement to focus specifically on identity theft cases as well as what Florida can do to minimize the effects of identity theft and the victimization of her citizens. As such, the use of the Social Security number and the use of other public records information has become apparent. It is the constant in all of the crimes that we have currently investigated. The State of Florida, through my office, was instrumental in passing an identity theft statute. In 1999, the statute went into effect, and at that time, we were one of only three States in the Nation to actually criminalize identity theft on the local level. That is improving. State law enforcement and legislatures are quick to enact these laws and are quick to operate on them. As such, the investigation and the prosecution of these cases is moving along slowly. So while we've addressed the after-the-fact dealings of identity theft, we now need to turn to the issues of prevention of identity theft. The use of the Social Security number and the use of other public records information is vitally important to the identity thief, as well as to the terrorists and others who want to shelter from society who they truly are. From the law enforcement encounter with the individual on the street to the airport security checker who is relying on the State-issued identification card, identity theft has a very broad base, both public safety concern as well as financial industry concern. Our public safety issues are much more in the forefront now since September 11th. But we've been addressing these issues over the past year to try to develop fraud-proof identification as well as uniform identifiers throughout the country so that we can rely on information that's provided from other States. State driver's license offices rely heavily on the Social Security number. Every State requires a Social Security number to be provided. Yet, the States don't avail themselves of the information available from the Social Security Administration, nor the other required information that would be available. Several of the States do check the Master Death File. The Florida legislature commissioned us in July to conduct a study on developing a fraud-proof Florida DL. So as part of that, I have been researching what other States do in the issuance process of identification cards. Of those that do some type of independent verification, only a select number of them interact with the death index on a real-time basis. And although the Social Security Administration has made limited availability for online data verification of Social Security, name and geographical region, there are no States currently that avail themselves of that ability. The State of Florida is currently looking into the ability to expand their infrastructure such that they can rely on the information from the Social Security Administration. There are two issues that face Congress. One is, the Social Security number has become basically our de facto national identifier. There are two subissues to that. Do we want that to be the case? And if the Congress' decision is that, yes, that is to be the case, then there need to be laws and initiatives in place that can basically back up the integrity of that number. There needs to be the ability of both the financial industry as well as State and local governments to verify that the Social Security number that's provided by the citizen or by the customer is truly that individual's Social Security number. We need to confirm that the identify of that person is their true identity. We rely heavily on breeder documents. There are currently 262 different birth certificates in circulation in the United States. Those linked with Social Security numbers and passports and documents that are available from other countries create an daunting task on the part of the administrator, who is issuing this identification card. The Social Security Administration has within its grasp and within the other agencies of the Federal Government all of the information that is necessary to both the State and local governments, as well as the financial industry, to confirm the identity of the person who is before them. That information needs to be streamlined in its distribution and needs to be made available. If the other alternative is to not allow the Social Security number to be used for that purpose, then we face another undaunting task of developing some other unique identifier, such that all of our citizens can be comfortable that the information that is represented to financial industries and to State and local governments is correct and accurate information. Again, I want to thank you very much for the opportunity to be here today and I'd be more than willing to answer any questions at the close of the testimony. [The prepared statement of Thomas A. Sadaka can be found on page 110 in the appendix.] Chairwoman Kelly. Thank you very much. We now move to Mr. Dugan. STATEMENT OF JOHN C. DUGAN, PARTNER, COVINGTON & BURLING, ON BEHALF OF THE FINANCIAL SERVICES COORDINATING COUNCIL Mr. Dugan. Thank you very much, Madam Chairwoman, Mr. Chairman. It's a pleasure to be here today. I'm testifying today on behalf of the Financial Services Coordinating Council, or FSCC, whose members are the American Bankers Association, the American Council of Life Insurers, the American Insurance Association, the Investment Company Institute, and the Securities Industry Association. The FSCC represents the largest and most diverse group of financial institutions in the country, consisting of thousands of large and small banks, insurance companies, investment companies, and securities firms. Together, these financial institutions provide financial services to virtually very household in the United States. The FSCC continues to believe that the Social Security number plays a central role in deterring and detecting fraud and identity theft because Social Security numbers are the best unique identifier that financial institutions can use to determine whether an individual really is who he or she says he or she is. To that end, the FSCC welcomes the attention the subcommittees are giving to the misuse of Social Security numbers of deceased individuals. My testimony today makes three fundamental points. First, Social Security numbers are key unique identifiers that are essential to guard against identity theft. Second, the SSA's Death Master File is a comprehensive record of deceased individuals' Social Security numbers, but delays in updating and disseminating this list can create opportunities for fraud and identity theft. Third, because financial institutions ultimately rely, usually indirectly, almost exclusively on the Death Master File to determine whether a Social Security number belongs to a deceased individual, the more frequently the DMF is updated and disseminated and the more accessible that information is, then the more effective the list will be as a tool to detect and deter fraud and identity theft. On the first fundamental point, following the lead of the Federal Government, the financial services industry has used the Social Security number for many decades as a unique identifier for a broad range of responsible purposes. For example, our Nation's remarkably efficient credit- reporting system relies fundamentally on the Social Security number as a common identifier to compile disparate information from many different sources into a reliable credit report. The banking, insurance and securities industries each use SSNs as unique identifiers for a variety of important regulatory and business transactions, primarily to ensure again that the person with whom the financial institution is dealing really is that person. It's that essential need to verify a person's identity using a common unique identifier--the Social Security number-- that leads financial institutions to rely on the reporting of deceased individual's SSNs to guard against identity theft. We believe there are two keys to preventing the misuse of Social Security numbers of deceased individuals. First, the list of such numbers must be kept current. Second, the current list must be widely accessible and easy to search and cross-hatch against a given Social Security number. Unfortunately, while the current DMF is used to accomplish both these goals, there's clearly room for improvement. On the first point, with respect to the currency of information in the DMF, there can be significant delays in updating the list. These are delays caused by the time taken for deaths to be reported to the SSA, delays caused by the entry of inaccurate information, and delays caused by the fact that the SSA releases comprehensive updates on only a monthly basis. On the second point, the DMF is not provided in a form that is readily searchable. As a result, because it contains such a large amount of information, the most practical way to use the list, at least for financial institutions, is through intermediaries that convert the DMF into a searchable database that can be used by financial institutions and others. This service by third-party vendors is valuable, but it can be costly, and cost can thus be a deterrent to the widespread use of the DMF. Obviously, if a centralized, searchable database containing the DMF were widely available at a reasonable price, it's likely that the DMF would be used more routinely for a wider variety of authentication checks. Let me now conclude by talking about financial institutions' use of the Death Master File. Although the main purpose of the DMF is to inform the SSA that an individual has died, it's also purchased by private information vendors. Financial institutions ultimately rely on these vendors for accurate information about the status of individuals' SSNs. Therefore, while the accuracy of the DMF is crucial to saving the SSA money, it's equally crucial to financial institutions who seek to prevent fraud and identity theft. For example, many large banks contract with information vendors to compare the bank's list of individuals who have been approved for credit cards against the DMF. Similarly, banks, securities broker/dealers, mutual fund transfer agents, and insurance companies frequently use these information vendors to conduct the same kind of search with new account openings, changes in parties on accounts, to determine whether to allow a client to maintain a margin account, to locate lost shareholders, and for other purposes. Simply put, the more current the DMF is, then the more current the vendor's data is, and the better financial institutions can be at uncovering identity theft and other fraud. And with that, I would conclude. We certainly welcome suggestions for achieving both of the goals I've outlined in the testimony and we'd be happy to work with the subcommittees and their staffs to facilitate these efforts. Thank you very much. [The prepared statement of John C. Dugan can be found on page 113 in the appendix.] Chairwoman Kelly. Thank you, Mr. Dugan. We move next to Mr. Rotenberg. Mr. Rotenberg, I'm sorry I did not have your testimony before we had this hearing. Usually, I like to have a chance to read it before. But I'm going to be very interested in what you have to say today. STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER; ADJUNCT PROFESSOR, GEORGETOWN UNIVERSITY LAW CENTER Mr. Rotenberg. Well, thank you, Chairwoman Kelly, and Chairman Shaw. I would ask that my statement be entered into the record and I will briefly summarize the points that I'm going to make this morning. I appreciate the opportunity to be here. I'm the Director of the Electronic Privacy Information Center. We are a public interest research group in Washington concerned with privacy issues relating to American consumers. I have also been on the faculty at Georgetown for more than 10 years, where I teach the law of information privacy. I think it's critical to make clear at the outset for the purposes of this hearing that there's a long-standing effort by Congress and by the courts to protect the privacy of the Social Security number in law. And this has been done from the outset out of recognition that the particular status of this number, which can be used in so many different contexts, is ripe for misuse and abuse and, as we've seen in the last few years, the growing crime of identity theft. So, for example, Section 7 of the Privacy Act of 1974 makes very clear in the collection and use of the SSN that Federal agencies may only use the number for certain statutory purposes. And I'd like to say at the outset that the efforts of Chairman Shaw and other Members of the subcommittees to move forward legislation, H.R. 2036, which would extend similar protections to the private sector and strengthen as well the protections in the public sector, is a very important measure that I hope you will move quickly in this session. Now the second part of the problem to understand is that the ID theft problem results from the growing dependence of the Social Security number as a general form of identification unrelated to the original purpose, which was of course the management of SSA benefits. And if I may, Chairwoman Kelly, to pick up on your opening statement, I'd like to make a brief observation about this case involving Lahfti Raisi, who is the Algerian who may be responsible, in fact, for training the hijackers in the great tragedy of September 11th. Now it has been reported that Raisi took advantage of the Social Security number of a deceased person in the State of New Jersey, presumably to obtain access to facilities in other places that he would not otherwise be able to go. But it's not clear, at least from the reports that we have reviewed, that Raisi sought the Social Security number of a deceased person. In other words, this may have just been a nine-digit number pulled from the air that turned out, in fact, to be the number of a person who was deceased. And I make this point because it's critical to understand that in the area of identity theft, there are many ways to create Social Security numbers that are not one's own that don't require access to a deceased's SSN. You can spoof SSNs in a number of different ways. I can look at a Social Security number and probably determine whether it's accurate--in fact, a real Social Security number, computer programs and financial institutions do this on a regular basis. But my point here is I think we need to understand that it is the growing dependence on the use of the Social Security number and whether that number comes from a person who's deceased or whether it's simply made up, is going to be an ongoing problem in systems of identification going forward. Now this then relates to my third point about the expanded use of the Death Master File. And I fully appreciate the interest of the financial institutions in having more timely, more accurate information on an ongoing basis. So that when they are making these determinations about whether or not an SSN is the SSN of the person who represents it, they have better information on which to make that decision. But in expanding the use of the DMF, I'm concerned also that it will create new opportunities for misuse and abuse by others, who will use that information for other purposes. Because, of course, now you will have access to a very convenient file in electronic format that will give the public a great deal of detailed personal information. And so I think an assessment needs to be done. How do you ensure that that information will be used only by the financial institutions for the appropriate purpose and not by others for ill-intended purpose? I'd like to conclude, then, with three recommendations. The first recommendation, having worked on this issue now for more than 10 years, is to urge you once again to think about systems of identification that are not solely dependent on the Social Security number. It is the SSN that contributes to ID theft and our growing use of the SSN leads to more ID theft. Second, as I suggested at the outset, I think the legislation before the subcommittees is excellent. And finally, if you do go forward with the proposal to make the DMF readily available in electronic format, I urge you to create some mechanism of oversight, some way to evaluate, maybe a year out, how that information is being used, because it could well be the case that that file will become a new source of identity theft, and that could simply compound the tragedy. Thank you. [The prepared statement of Marc Rotenberg can be found on page 126 in the appendix.] Chairwoman Kelly. Thank you very much. We now move to Mr. Hendricks. STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, PRIVACY TIMES Mr. Hendricks. Thank you, Madam Chairwoman, and Mr. Chairman. My name is Evan Hendricks, Editor and Publisher of Privacy Times. I've been qualified as an expert in identity theft cases by the Federal courts and I realize I'm the last witness between not only you and lunch, but the lunch of my son, Daniel, who has accompanied me here today. Chairwoman Kelly. We welcome your son. Mr. Hendricks. Yes, thank you. Chairwoman Kelly. Welcome, Daniel. Mr. Hendricks. Thank you. This is an important issue. I'm grateful to follow my colleague, Marc Rotenberg, because I concur in his remarks and incorporate them. What we've seen in this terrible tragedy is that not only has identity theft figured in the use for passport and visa purposes, but also the terrorists supported themselves by committing identity theft and credit fraud. We followed this in my newsletter, Privacy Times, which is in its 21st year; there is an excellent article in the November 4th, Chicago Tribune which summarizes many of the activities they did, including skimming, which is using a machine to swipe a card and steal all the information and then make a counterfeit card out of it. There are two things that fraudsters want in this day and age: either a Social Security number so that they can do identity theft, or a credit card number and an expiration date. We also know that the fraudsters are using stolen credit card numbers to buy people's Social Security numbers so that then they can commit more identity theft. So it's becoming a vicious circle. When the World Trade Center tragedy hit, unfortunately, it became somewhat like when there's a black-out in New York: the thieves know they can break into buildings because there's no electronic burglar alarms any more. And unfortunately, one of the World Trade victim's friends took her credit card and went on a credit joyride, and I'm told by my friends at the Privacy Rights Clearinghouse and the Identity Theft Resource Center that a plane crash victim was going to be picked up by a limo driver who had all his information and then went on to commit identity theft. As indicated by Congresswoman Hooley's opening remarks, there are some really sick people out there and a lot of them are now gravitating toward identity theft. I come here to say that, like Mr. Rotenberg, the goal of privacy laws is to give people control over their personal information. And some of the gaps and the weaknesses in our current privacy laws help the fraudsters get control over other people's information. One of the fundamental principles of privacy laws is the information collected for one purpose should not be used for another purpose without your knowledge and consent. And this is at the heart of the Fair Credit Reporting Act, which is one of the first privacy laws enacted in 1971, amended by Congress in 1996. It's a good law and it recognizes in practice that there are other purposes. And so, the Fair Credit Reporting Act defines permissible purposes. And it also gives people remedies, private right of action, penalties. And I think even my colleague down the table, Mr. Pratt, will agree, this privacy law has made the credit-reporting industry a better industry. They do a better job handling data. They have to be more responsive. And if things go wrong, people have a remedy. And so I'm also here to dispel the myth because there is really not much of a conflict between privacy law and security: all of our existing privacy laws make exceptions for law enforcement, for health and safety, and for intelligence purposes. I think if you get into an honest discussion with the investigators, you'll see that the privacy law has not impeded the investigations here. But that's why we look for solutions, as Mr. Rotenberg said, we need to take advantage of information technology. We need automated exchanges of data. Just as the Fair Credit Reporting Act defines purposes and gives people a degree of confidence that data will be used for permissible purposes, so we need to expand that concept to our larger society, including automating any sort of a Master Death File that will be shared with the banks on an instant basis, or with the credit-reporting agencies, too. I also want to agree with Mr. Rotenberg that we need to have a national oversight office. Every other western country has an independent privacy commissioner that answers to the legislative branch. We need one, too. In terms of three practical solutions, the first is that, conceptually, people need to be plugged into their credit report. The technology allows for it today, and actually, we're gravitating toward this and we need to accelerate it. So if there's activity on your credit report, you should receive some sort of electronic alert. This is not that difficult to set up and it would be one of the best ways to guard against identity theft. Second of all, though the credit reporting agencies sell a service where they can do a trace on SSNs, it's not clear to me that they do an audit of their own systems to see how many names and addresses are associated with one SSN. And if they did that simple audit function, they would guard against some real problems and help clean up the integrity of their databases. The final thing I'd like to mention is something that's called single-use credit card numbers. And Ms. Chairwoman, I heard that you had your credit card number stolen. I don't know if it was by skimming or through a database. One company that I work with, called Privasys, has developed these prototype cards. You punch your pin number into the credit card so it can issue you a single-use number that is only good for one purchase. So if later that number is stolen, it's worthless. And so, there are solutions that we need in law, in organizational practice, and in technology. Thanks very much. I'd be happy to answer any questions. [The prepared statement of Evan Hendricks can be found on page 131 in the appendix.] Chairwoman Kelly. Thank you, Mr. Hendricks. I'm going to ask just a couple of questions. Mr. Rotenberg, on page 2 of your statement, I have to say, I was multi-tasking up here and reading it at the same time. I find this a fascinating statement. It is the financial services industry's misplaced reliance on the SSN, lacks verification procedures and aggressive marketing, that are responsible for the financial consequences of identity theft. I want you to enlarge on that. Mr. Rotenberg. Well, my point, Chairwoman, is simply that the SSN has been moved from the realm of processing Social Security benefits within the Federal Government and the purpose of tax identification when it become recognized by Congress for that purpose in 1961, to a generalized identifier across the financial services sector. Chairwoman Kelly. Yes, sir, I do understand that. My question is why you are blaming--it appears you're blaming the financial service industry's use and reliance on that Social Security number for some of the fraud. As a matter of fact, that integrates with a comment by Mr. Pratt when he talks about the Gramm-Leach-Bliley effect on the FTC rules. I'm wondering if the two of you can tell me--if what my interpretation is is a correct one. Are you saying that the Gramm-Leach-Bliley bill has had an effect on the use of the SSN by the financial services industry that would increase the ability for fraud to exist? Mr. Pratt. If I may, from our perspective, the point we wanted to make in the testimony was simply that the Gramm- Leach-Bliley Act did take into account that there would be a series of exceptions to a consumer's choice for how non-public personal information could be transferred. And one of those exceptions was for purposes under the Fair Credit Reporting Act. But the FTC's interpretation appears to foreclose on a consumer reporting agency's ability once they have that information to then build fraud prevention products that might apply to other exceptions within the GLB 502[e] exceptions. And clearly, to foreclose on our ability to build a fraud prevention or a verification product which would use identifying information outside of GLB and outside of the Fair Credit Reporting Act. So, in that case, the law seems to have tightened down the screws a little too tightly on some information that we might be able to use. Chairwoman Kelly. Do you agree with that, Mr. Rotenberg? Anyone is welcome to join in, but I want to ask that specifically of Mr. Rotenberg. Mr. Rotenberg. Well, I don't agree that one of the consequences of GLB was to make the Social Security number more widely available to financial institutions. I understand the point that it in some ways may restrict certain verification procedures. But I do want to be clear about the point in my statement here. Clearly, the theft itself is not committed by the institutions. That's not what I said. What I said, that the use of the SSN to link financial records across institutions means that when the theft has occurred, the damages are amplified. And so, when I said earlier that we need to think about systems of identification that are not so dependent on the SSN, it is very much based on the experience that victims of ID theft have had. When their Social Security numbers get out, then they lose control of their bank account, their credit account, and the other accounts that they may have with financial institutions. Mr. Hendricks. Madam Chairwoman, can I respond to that? Chairwoman Kelly. Mr. Hendricks. Mr. Hendricks. I'll give you one example. Identity thieves are in the business of getting credit fraudulently. They're able to do that because they apply for credit in somebody else's name and Social Security number. The first problem is the credit-reporting agencies are too liberal in disclosing the innocent victim's credit report in response to an application made by an imposter. In many of these cases, I've seen that the city is different, the address is different, and the spelling is different. Yet, they err on the side of maximum disclosure from the credit-reporting agency to the credit granter, and that's the first problem. The second problem is that, if the imposter simply has your Social Security number, I've seen cases--if you write these two names down--Myra Coleman and Maria Gaten. If you have the same Social Security number, their algorithms work so, since there's an M and an R and another letter in the first name, that it's similar enough to go ahead and disclose the information, even though the names are completely different. So there are some real application problems that were built from earlier days when they were thinking--well, women get married, they change their last name. People move a lot. As opposed to now, where we have a clear threat of identity theft and they need to update their rules for disclosing consumers' credit reports. Mr. Dugan. Madam Chairwoman, I'd just like to make two points. Number one, we think the Gramm-Leach-Bliley Act, in fact, makes the misuse of Social Security numbers much more unlikely because it gives individuals more control over the ability of a financial institution to share that information with any non- affiliated third party, number one. And number two, to the extent that information is provided for permissible purposes under the Gramm-Leach-Bliley Act, like fraud prevention, then the law specifically prohibits the recipient from using it for any other purpose. So we think that that goes to that point particularly. The second point I wanted to make was, it's nice to say that it's easy to steal a Social Security number, and, therefore, it's easy to steal someone's identity. But think what it would be like if you did not have a Social Security number used at all for identification purposes. What Mr. Sadaka was saying earlier, you have to have some way to have a common, unique identifier in many circumstances, which is precisely what financial institutions use it for, to make sure that they know you are the Madam Sue Kelly that comes in the door and not a different Sue Kelly. There have to be ways to link that up. And the use of the Social Security number is the way we do that. Without it, and with improper restrictions on its use, it would increase the occurrence of identity theft, not decrease it. Chairwoman Kelly. Thank you very much. I have just one follow-up for Mr. Pratt. What percent of your membership gets the DMF? Mr. Pratt. I actually don't have a good answer for you, but I'll be happy to follow up. Chairwoman Kelly. I wish you would, please. Mr. Pratt. And I think your question is in terms of the total customer base, how many customers are using the DMF product that our members produce. Is that it? Chairwoman Kelly. I'm going to withhold any of my further questions because I've run out of time, and go to Chairman Shaw. Chairman Shaw. I'd like to direct my question to Mr. Pratt again. Our subcommittee has heard from many victims of identity theft over the last 2 years and there are stories that raise some very troubling issues pertaining to harassment and other matters. First of all, fraudulent accounts were opened using their Social Security numbers, even though all of the information on the application was actually incorrect, including their names, addresses, and even their birthdays. And the Social Security number was the only piece of information that was correct on these applications. A second troubling issue is that credit-reporting agencies verified this incorrect information. Verifications of a name, address, place of employment, age, or spouse's name were not questioned. If the Social Security number matched up, the information was verified and the fraudulent application was approved. First of all, can you explain how these fraudulent applications could have been verified or accepted? Mr. Pratt. Well, let me go to, if I could break out your question into some parts. Chairman Shaw. Maybe you could start just by telling us, what is the process and what are the checkpoints? Mr. Pratt. The checkpoints that we use are the Social Security number, the name, the address, and, when available, we may be also able to cross-check previous address. Those would be the principle cross-checks. Clearly, where we have 3 million consumers each year with last names changing, our cross-checks try to accommodate the fact that marriage and divorce occur and names can change in cycle. Date of birth, some of the other identifying elements that you've indicated might have been on the application are not transmitted to the consumer reporting systems. These may be issues that are addressed today differently than they may have been previously, but the cross-checks we use today are Social Security number, name and address. In terms of why an application was approved, I'm not trying to put the monkey on someone's else back, but of course I can't tell you why the application was approved. We transmit the information. We show the lender what information we believe in our file matches---- Chairman Shaw. Do you have any indication of where the system failed in this event? Mr. Pratt. Well, no, sir, I really don't, because I don't have the facts in front of me specific to those particular situations. I'd have to look at those, I suppose, to better understand where the failure occurred. Chairman Shaw. Let me ask the question of liability because, from your previous answer, it sounds like it's nothing but negligence on the part of whoever is putting this information together. Under the current law, are creditors and credit-reporting agencies accountable when their negligence contributes to identity theft and to other Social Security number misuses? Mr. Pratt. Well, I have to resist the industry being characterized as negligent under the Fair Credit Reporting Act. Chairman Shaw. I'm not characterizing the industry. I'm just saying, in the event of negligence, are they liable? That's a simple, straightforward question. Mr. Pratt. The answer to the question would be, under the Fair Credit Reporting Act, we're liable for being accurate. And therefore, if we're not accurate and a lender in turn is also liable as a user and as a furnisher under the same Fair Credit Reporting Act. Chairman Shaw. So it's your testimony that they would be liable in the cases of negligence. Mr. Pratt. There is negligence, there are willful and negligent standards under the Fair Credit Reporting Act and there are liabilities associated with the accuracy of the information and the use of the information. Chairman Shaw. I'll have to go to the Act and see exactly what it says. What does it say--willful negligence, or do you know? Mr. Pratt. There are two standards of civil liability, for example, and then of course there's administrative enforcement through the Federal Trade Commission and other functional regulators under the Act. But the civil liability standards are willful and negligence. Chairman Shaw. Ordinary negligence. Mr. Pratt. Yes. Chairman Shaw. And that makes them liable. Mr. Pratt. Those are two standards of liability depending on the fact pattern, depending on how the suit is brought, against any one of the parties that is regulated under the Act. Chairman Shaw. Do you think the creditors and credit- reporting agencies should be liable for these kinds of mistakes? Mr. Pratt. Well, I think we're on the same side of this along with you. We don't want these mistakes to happen and we want accurate information in our files, sir, really. Chairman Shaw. If we weren't on the same side, I wouldn't be here listening to you. Mr. Pratt. I appreciate that. Chairman Shaw. We're trying to figure this thing out so that we don't disrupt a system of a national identifier that, for good reason or bad reason, has been in place now for a number of years. But we do know that there's been serious misuse. We do know that this is the fastest-growing crime in the country today. And I personally believe and I think many other people personally believe, and I think Mr. Sadaka would agree with me on this--Mr. Sadaka, I think you agree that failure to do something is going to create a snowball effect and that this thing will be totally out of control after a reasonable period of time. Do you agree with that? Mr. Sadaka. Yes, sir, I do. Chairman Shaw. Thank you. I yield back my time. Chairwoman Kelly. Thank you. We go to Mr. Hooley. Ms. Hooley. Thank you, Just a couple of quick questions. Anyone from the industry side can answer the first question. And that is, I understand the need for the industry to have this master list, so you can flag your files to prevent compromise by an identity thief. What else do you do with the information? I mean, you use it to flag your files. What else do you do with the information? Any one of you. Mr. Lehner. Well, as I mentioned in my testimony, it's oftentimes used to verify information on existing accounts, if people change the status of their account for some of our mortgage lenders. If a customer is refinancing their home, they're changing credit products within a company. Usually, that information is asked as a means to verify that they are who they say they are. Mr. Pratt. Our members as subscribers are using it principally for fraud prevention. Ms. Hooley. That's what I assume, all of you are using it for fraud prevention. Mr. Dugan. There are other reasons to use the information: to track down or locate lost shareholders, or to review loan applications. But principally, it's to make sure that the person is who they say they are. Ms. Hooley. Would you have any opposition to having it in law that the information is solely used to flag the file of a deceased individual or for fraud prevention? Mr. Pratt. Like all good trade associations, I'd have to go back and talk to the members, I guess, and find out whether there's anything out there that I'm just not aware of here today. Ms. Hooley. OK. By the way, Mr. Pratt, thank you very much for clearing up the file of Sean. I really appreciate your doing that. Mr. Pratt. Thank you. Ms. Hooley. For either Evan or Marc Rotenberg, are you aware of any instances where information from the Death Master File has been intercepted by identity thieves? Are you aware of that at all? Mr. Hendricks. No, not per se. The cases that I've heard of, the identity is just doing straight to the local government agency and getting information off death certificates. I've heard about cases like that and I've asked for more documentation of that. Ms. Hooley. Do you think we should use it solely for flagging the files, using the Death Master list solely for flagging the files or for fraud? Mr. Hendricks. Yes. You create an automated information exchange here and you specify what those purposes are and you create penalties for people that violate that and remedies for individuals whose privacy is violated. I think that's the way to go. And I think if you look at the kind of privilege that goes between a lawyer and a client or a doctor and a patient, the privacy privilege is not so people can hide or keep data secret. It's to allow for the open exchange of information for the purposes you need--better health care, better legal advice. And I want to take that concept and expand it to everything in our society. So privacy is protected within certain spheres, but that allows for open data exchange within the approves spheres. Ms. Hooley. Thank you. That's all the questions I have. Chairwoman Kelly. Thank you very much. I have a couple of other questions. One for all of you as panel members. I'd like to know if you can commit to participating on a task force with the SSA to solve this problem. I think that if we put together--if there's a task force of the SSA, the GAO, the Commerce Department, and all of you, we could probably get to the root of the problem and get it solved much more quickly than every agency acting without consulting the others. So I'd like to ask for a commitment from all of you to being a part of that task force. Can you commit to that? Mr. Dugan. Madam Chairwoman, we'd be delighted to commit to do that. Chairwoman Kelly. Am I hearing that from all of you? Mr. Pratt. Our testimony already indicates we support doing that. Mr. Sadaka. Absolutely, yes. Mr. Lehner. Absolutely. Mr. Hendricks. Yes. Mr. Rotenberg. Yes. Mr. Sadaka. We'd be very willing to commit as well. Chairwoman Kelly. I thank you very much. One final thing for you, Mr. Hendricks. Your son is going to have to wait for lunch for one second. You said in your testimony that there was an independent national office to oversee and enforce the privacy law, was a recommendation of the U.S. privacy protection study commission in 1976. I think it's time we consider something like that and I hope that you will consider that within the framework of this task force. That being so, then I would like to, if there's no more questions, the Chair notes that some Members may have additional questions for this panel that they may wish to submit in writing. So without objection, the hearing record is going to remain open for 30 days for Members to submit written questions to these witnesses and to place their responses in the record. On behalf of the subcommittees, I want to thank all of the witnesses for taking the time to be here today. I believe it's been a very productive hearing that has highlighted a problem that can be solved with regards to identity theft. This panel is excused with our appreciation. I want to thank Chairman Shaw and his staff and other Members and all of their assistants, and my staff, for making the hearing possible. The hearing is adjourned. [Whereupon, at 12:25 p.m., the hearing was adjourned.] A P P E N D I X November 8, 2001 [GRAPHIC] [TIFF OMITTED] T6259.001 [GRAPHIC] [TIFF OMITTED] T6259.002 [GRAPHIC] [TIFF OMITTED] T6259.003 [GRAPHIC] [TIFF OMITTED] T6259.004 [GRAPHIC] [TIFF OMITTED] T6259.005 [GRAPHIC] [TIFF OMITTED] T6259.006 [GRAPHIC] [TIFF OMITTED] T6259.007 [GRAPHIC] [TIFF OMITTED] T6259.008 [GRAPHIC] [TIFF OMITTED] T6259.009 [GRAPHIC] [TIFF OMITTED] T6259.010 [GRAPHIC] [TIFF OMITTED] T6259.011 [GRAPHIC] [TIFF OMITTED] T6259.012 [GRAPHIC] [TIFF OMITTED] T6259.013 [GRAPHIC] [TIFF OMITTED] T6259.014 [GRAPHIC] [TIFF OMITTED] T6259.015 [GRAPHIC] [TIFF OMITTED] T6259.016 [GRAPHIC] [TIFF OMITTED] T6259.017 [GRAPHIC] [TIFF OMITTED] T6259.018 [GRAPHIC] [TIFF OMITTED] T6259.019 [GRAPHIC] [TIFF OMITTED] T6259.020 [GRAPHIC] [TIFF OMITTED] T6259.021 [GRAPHIC] [TIFF OMITTED] T6259.022 [GRAPHIC] [TIFF OMITTED] T6259.023 [GRAPHIC] [TIFF OMITTED] T6259.024 [GRAPHIC] [TIFF OMITTED] T6259.025 [GRAPHIC] [TIFF OMITTED] T6259.026 [GRAPHIC] [TIFF OMITTED] T6259.027 [GRAPHIC] [TIFF OMITTED] T6259.028 [GRAPHIC] [TIFF OMITTED] T6259.029 [GRAPHIC] [TIFF OMITTED] T6259.030 [GRAPHIC] [TIFF OMITTED] T6259.031 [GRAPHIC] [TIFF OMITTED] T6259.032 [GRAPHIC] [TIFF OMITTED] T6259.033 [GRAPHIC] [TIFF OMITTED] T6259.034 [GRAPHIC] [TIFF OMITTED] T6259.035 [GRAPHIC] [TIFF OMITTED] T6259.036 [GRAPHIC] [TIFF OMITTED] T6259.037 [GRAPHIC] [TIFF OMITTED] T6259.038 [GRAPHIC] [TIFF OMITTED] T6259.039 [GRAPHIC] [TIFF OMITTED] T6259.040 [GRAPHIC] [TIFF OMITTED] T6259.041 [GRAPHIC] [TIFF OMITTED] T6259.042 [GRAPHIC] [TIFF OMITTED] T6259.043 [GRAPHIC] [TIFF OMITTED] T6259.044 [GRAPHIC] [TIFF OMITTED] T6259.045 [GRAPHIC] [TIFF OMITTED] T6259.046 [GRAPHIC] [TIFF OMITTED] T6259.047 [GRAPHIC] [TIFF OMITTED] T6259.048 [GRAPHIC] [TIFF OMITTED] T6259.049 [GRAPHIC] [TIFF OMITTED] T6259.050 [GRAPHIC] [TIFF OMITTED] T6259.051 [GRAPHIC] [TIFF OMITTED] T6259.052 [GRAPHIC] [TIFF OMITTED] T6259.053 [GRAPHIC] [TIFF OMITTED] T6259.054 [GRAPHIC] [TIFF OMITTED] T6259.055 [GRAPHIC] [TIFF OMITTED] T6259.056 [GRAPHIC] [TIFF OMITTED] T6259.057 [GRAPHIC] [TIFF OMITTED] T6259.058 [GRAPHIC] [TIFF OMITTED] T6259.059 [GRAPHIC] [TIFF OMITTED] T6259.060 [GRAPHIC] [TIFF OMITTED] T6259.061 [GRAPHIC] [TIFF OMITTED] T6259.062 [GRAPHIC] [TIFF OMITTED] T6259.063 [GRAPHIC] [TIFF OMITTED] T6259.064 [GRAPHIC] [TIFF OMITTED] T6259.065 [GRAPHIC] [TIFF OMITTED] T6259.066 [GRAPHIC] [TIFF OMITTED] T6259.067 [GRAPHIC] [TIFF OMITTED] T6259.068 [GRAPHIC] [TIFF OMITTED] T6259.069 [GRAPHIC] [TIFF OMITTED] T6259.070 [GRAPHIC] [TIFF OMITTED] T6259.071 [GRAPHIC] [TIFF OMITTED] T6259.072 [GRAPHIC] [TIFF OMITTED] T6259.073 [GRAPHIC] [TIFF OMITTED] T6259.074 [GRAPHIC] [TIFF OMITTED] T6259.075 [GRAPHIC] [TIFF OMITTED] T6259.076 [GRAPHIC] [TIFF OMITTED] T6259.077 [GRAPHIC] [TIFF OMITTED] T6259.078 [GRAPHIC] [TIFF OMITTED] T6259.079 [GRAPHIC] [TIFF OMITTED] T6259.080 [GRAPHIC] [TIFF OMITTED] T6259.081 [GRAPHIC] [TIFF OMITTED] T6259.082 [GRAPHIC] [TIFF OMITTED] T6259.083 [GRAPHIC] [TIFF OMITTED] T6259.084 [GRAPHIC] [TIFF OMITTED] T6259.085 [GRAPHIC] [TIFF OMITTED] T6259.086 [GRAPHIC] [TIFF OMITTED] T6259.087 [GRAPHIC] [TIFF OMITTED] T6259.088 [GRAPHIC] [TIFF OMITTED] T6259.089 [GRAPHIC] [TIFF OMITTED] T6259.090 [GRAPHIC] [TIFF OMITTED] T6259.091 [GRAPHIC] [TIFF OMITTED] T6259.092 [GRAPHIC] [TIFF OMITTED] T6259.093 [GRAPHIC] [TIFF OMITTED] T6259.094 [GRAPHIC] [TIFF OMITTED] T6259.095 [GRAPHIC] [TIFF OMITTED] T6259.096 [GRAPHIC] [TIFF OMITTED] T6259.097