[House Hearing, 107 Congress] [From the U.S. Government Publishing Office] PROTECTING THE PRIVACY OF SOCIAL SECURITY NUMBERS AND PREVENTING IDENTITY THEFT ======================================================================= HEARING before the SUBCOMMITTEE ON SOCIAL SECURITY of the COMMITTEE ON WAYS AND MEANS HOUSE OF REPRESENTATIVES ONE HUNDRED SEVENTH CONGRESS SECOND SESSION __________ APRIL 29, 2002 Lake Worth, Florida __________ Serial No. 107-71 __________ Printed for the use of the Committee on Ways and Means U.S. GOVERNMENT PRINTING OFFICE 80-224 WASHINGTON : 2002 ________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON WAYS AND MEANS BILL THOMAS, California, Chairman PHILIP M. CRANE, Illinois CHARLES B. RANGEL, New York E. CLAY SHAW, Jr., Florida FORTNEY PETE STARK, California NANCY L. JOHNSON, Connecticut ROBERT T. MATSUI, California AMO HOUGHTON, New York WILLIAM J. COYNE, Pennsylvania WALLY HERGER, California SANDER M. LEVIN, Michigan JIM McCRERY, Louisiana BENJAMIN L. CARDIN, Maryland DAVE CAMP, Michigan JIM McDERMOTT, Washington JIM RAMSTAD, Minnesota GERALD D. KLECZKA, Wisconsin JIM NUSSLE, Iowa JOHN LEWIS, Georgia SAM JOHNSON, Texas RICHARD E. NEAL, Massachusetts JENNIFER DUNN, Washington MICHAEL R. McNULTY, New York MAC COLLINS, Georgia WILLIAM J. JEFFERSON, Louisiana ROB PORTMAN, Ohio JOHN S. TANNER, Tennessee PHIL ENGLISH, Pennsylvania XAVIER BECERRA, California WES WATKINS, Oklahoma KAREN L. THURMAN, Florida J.D. HAYWORTH, Arizona LLOYD DOGGETT, Texas JERRY WELLER, Illinois EARL POMEROY, North Dakota KENNY C. HULSHOF, Missouri SCOTT McINNIS, Colorado RON LEWIS, Kentucky MARK FOLEY, Florida KEVIN BRADY, Texas PAUL RYAN, Wisconsin Allison Giles, Chief of Staff Janice Mays, Minority Chief Counsel ______ Subcommittee on Social Security E. CLAY SHAW, Florida, Chairman SAM JOHNSON, Texas ROBERT T. MATSUI, California MAC COLLINS, Georgia LLOYD DOGGETT, Texas J.D. HAYWORTH, Arizona BENJAMIN L. CARDIN, Maryland KENNY C. HULSHOF, Missouri EARL POMEROY, North Dakota RON LEWIS, Kentucky XAVIER BECERRA, California KEVIN BRADY, Texas PAUL RYAN, Wisconsin Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Ways and Means are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined. C O N T E N T S __________ Page Advisories announcing the hearing................................ 2, 4 WITNESSES U.S. General Accounting Office, Barbara D. Bovbjerg, Director, Education, Workforce, and Income Security Issues, accompanied by Kay Brown, Assistant Director............................... 29 Social Security Administration, Atlanta, Georgia, Roland Maye, Special Agent-in-Charge, Atlanta Field Division, Office of Inspector General.............................................. 60 ______ Florida Office of the Attorney General, Cece Dykas............... 14 Florida Office of the Attorney General, 17th Judicial Circuit: Lee Cohen.................................................... 50 Anthangtha Guialdo........................................... 51 Palm Beach County, Florida, Sheriff's Office: Hon. Ed Bieluch.............................................. 55 Paul Rispoli................................................. 56 Tropepe, Lisa, Shalloway, Foy, Rayman & Newell Inc., accompanied by Tim Morell.................................................. 7 United States Marshals Service, Anthony K. Ross.................. 11 SUBMISSIONS FOR THE RECORD Alpert, Maisy, Plantation, FL, letter............................ 66 Palay, David, Las Vegas, NV, statement........................... 66 PROTECTING THE PRIVACY OF SOCIAL SECURITY NUMBERS AND PREVENTING IDENTITY THEFT ---------- MONDAY, APRIL 29, 2002 House of Representatives, Committee on Ways and Means, Subcommittee on Social Security, Lake Worth, Florida. The Subcommittee met, pursuant to notice, at 2:15 p.m., in Commission Chambers, Lake Worth City Hall, Lake Worth, Florida, Hon. E. Clay Shaw, Jr., (Chairman of the Subcommittee) presiding. [The advisory and revised advisory follow:] ADVISORY COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON SOCIAL SECURITY Contact: (202) 225-9263 FOR IMMEDIATE RELEASE April 22, 2002 No. SS-13 Shaw Announces Hearing on Social Security Protecting the Privacy of Social Security Numbers and Preventing Identity Theft Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee will hold a field hearing on protecting the privacy of Social Security numbers (SSNs) and preventing identity theft. The hearing will take place on Monday, April 29, 2002, in the Commission Chambers, Lake Worth City Hall, 7 North Dixie Highway, Lake Worth, Florida, beginning at 1:00 p.m. In view of the limited time available to hear witnesses, oral testimony at this hearing will be from invited witnesses only. However, any individual or organization not scheduled for an oral appearance may submit a written statement for consideration by the Subcommittee and for inclusion in the printed record of the hearing. BACKGROUND: The SSN was created in 1936 for the sole purpose of tracking workers' Social Security earnings records. Today, SSN use has expanded well beyond its original purpose. According to the Social Security Administration (SSA), the SSN is the single-most widely used record identifier in the public and private sectors. Federal law requires the use of SSNs for administration of income taxes, the Food Stamp, Medicaid, and other Federal programs. In the private sector, SSNs are commonly used for record-keeping and data exchange systems, and often businesses require individuals to disclose their SSN as a condition for doing business. Many believe widespread use of the SSN benefits the public by improving access to financial and credit services in a timely manner, reducing administrative costs, and improving record keeping so consumers can be contacted and identified accurately. Others argue the pervasive use of SSNs makes them a primary target for fraud and misuse. Most recently, the events of September 11 have shed new light on the severe consequences of failure to protect the integrity of SSNs, as the ensuing investigations have exposed the methods used by the terrorists who assumed false identities to carry out their activities. In addition to being a gateway to terrorist acts, identity theft causes misery and frustration in the daily lives of tens of thousands of Americans. Identity theft is the number one consumer complaint received by the Federal Trade Commission, amounting to 42 percent of complaints received in 2001. In a recent report, the U. S. General Accounting Office found that identity theft appears to be growing (Identity Theft--Prevalence and Cost Appear to Be Growing: GAO-02-363). Report findings include: (1) the SSA Office of Inspector General has reported a substantial increase in call-ins of identity theft-related allegations to its Fraud Hotline, where allegations involving SSN misuse (81 percent of which relate directly to identity theft) have increased more than fivefold (11,000 to 65,000) in the 4 years ending September 2001; (2) seven-year fraud alerts (warnings to credit grantors to conduct additional identity verification before granting credit) have increased substantially (36 percent and 53 percent respectively) in the last 3 years, according to two consumer reporting agencies; and, (3) in its 2000 annual report, the Postal Service indicated that investigations of identity theft crime increased by 67 percent since the previous year. To increase the privacy of SSNs and better protect the American public from being victimized, Chairman Shaw, along with several Members of the Committee on Ways and Means, introduced bipartisan legislation, H.R. 2036, the ``Social Security Number Privacy and Identity Theft Prevention Act of 2001.'' This legislation prohibits the sale and display of SSNs by Federal, State, and local governments, prohibits the sale of SSNs by the private sector, deters businesses from denying services when someone refuses to provide the SSN, and increases fines and penalties for SSN misuse. In announcing the hearing, Chairman Shaw stated: ``Although never created to be a personal identifier, the use of SSNs is now pervasive throughout our automated society. As highlighted by the September 11 attacks, these numbers are far too easily used by criminals or terrorists to steal identities and obtain false documents. The ravages of SSN misuse are experienced by each and every victim of identity theft and now by our Nation through their role in facilitating terror. We must act to take whatever steps we can to protect the privacy of each and every Americans' SSNs. It's the right thing to do and a necessary step in our Nation's response to terrorism.'' FOCUS OF THE HEARING: The hearing will focus on what victims experience when their identities are stolen, the challenges law enforcement faces as they pursue identity thieves, the use of SSNs by government agencies at the Federal, State, and local levels, practices used to safeguard privacy, and the impact of legislative proposals aimed at combating SSN misuse and protecting privacy. DETAILS FOR SUBMISSIONS OF WRITTEN COMMENTS: Please Note: Due to the change in House mail policy, any person or organization wishing to submit a written statement for the printed record of the hearing should send it electronically to [email protected], along with a fax copy to (202) 225-2610, by the close of business, Monday, May 13, 2002. Those filing written statements who wish to have their statements distributed to the press and interested public at the hearing should deliver 200 copies to the West Palm Beach District Office of Congressman E. Clay Shaw, Jr., 222 Lakeview Avenue, Suite 162, West Palm Beach, Florida 33401, by the close of business, Friday, April 26, 2002. FORMATTING REQUIREMENTS: Each statement presented for printing to the Committee by a witness, any written statement or exhibit submitted for the printed record or any written comments in response to a request for written comments must conform to the guidelines listed below. Any statement or exhibit not in compliance with these guidelines will not be printed, but will be maintained in the Committee files for review and use by the Committee. 1. Due to the change in House mail policy, all statements and any accompanying exhibits for printing must be submitted electronically to [email protected], along with a fax copy to (202) 225-2610, in Word Perfect or MS Word format and MUST NOT exceed a total of 10 pages including attachments. Witnesses are advised that the Committee will rely on electronic submissions for printing the official hearing record. 2. Copies of whole documents submitted as exhibit material will not be accepted for printing. Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material not meeting these specifications will be maintained in the Committee files for review and use by the Committee. 3. Any statements must include a list of all clients, persons, or organizations on whose behalf the witness appears. A supplemental sheet must accompany each statement listing the name, company, address, telephone and fax numbers of each witness. Note: All Committee advisories and news releases are available on the World Wide Web at http://waysandmeans.house.gov/. The Committee seeks to make its facilities accessible to persons with disabilities. If you are in need of special accommodations, please call (202) 225-1721 or (202) 226-3411 TTD/TTY in advance of the event (four business days notice is requested). Questions with regard to special accommodation needs in general (including availability of Committee materials in alternative formats) may be directed to the Committee as noted above.***NOTICE--CHANGE IN TIME*** ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON SOCIAL SECURITY Contact: (202) 225-9263 FOR IMMEDIATE RELEASE April 25, 2002 No. SS-13-Revised Change in Time for Subcommittee Field Hearing on Protecting the Privacy of Social Security Numbers and Preventing Identity Theft Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee field hearing on Protecting the Privacy of Social Security Numbers and Preventing Identity Theft, scheduled for Monday, April 29, 2002, at 1:00 p.m., in the Commission Chambers, Lake Worth City Hall, 7 North Dixie Highway, Lake Worth, Florida, will now be held at 2:00 p.m. All other details for the hearing remain the same. (See Subcommittee Advisory No. SS-13, dated April 22, 2002.) Chairman SHAW. We will call the hearing to order. This is about Social Security Numbers (SSNs), and although they were created solely for the purpose of tracking workers' Social Security earnings, our culture is hooked on Social Security Numbers. Even the most trivial transactions require us to hand over our nine-digit ID before services can be rendered. I phoned in just this weekend to renew my fishing license, and they wanted my Social Security Number, the State of Florida. I said, ``Is it required?'' They said, ``No, but it would be nice if you give it.'' And I said, ``I don't believe I will.'' So they took my driver's license number instead. Our Social Security Number's the key that unlocks the door to your identity for any unscrupulous individual who gains access to it. Once the door is unlocked, the criminal or terrorist has at his fingertips all essential elements needed to carry out whatever dastardly act they can conceive of. Worse, we know that some terrorists involved on the September 11 attack illegally obtained Social Security Numbers and used them to steal identities and obtain false documents, thus enabling them to live within our borders and plan their heinous acts. government and private industry must be vigilant to protect our identities. Safeguards to protect Social Security Numbers and prevent identity theft must be put in place now. As a first step, I, along with several of my Committee on Ways and Means colleagues, including Mark Foley, introduced bipartisan legislation entitled, the Social Security Number Privacy and Identity Theft Prevention Act. The bill prohibits the sale and display of Social Security Numbers by Federal, State and local governments and restricts the sale and display of Social Security Numbers by the private sector and deters business from denying services when someone refuses to provide their number and increase fines and penalties for Social Security Number misuse. Today, we will shine a bright light on the need to quickly bring comprehensive legislation to the House floor to keep Social Security Numbers private and protect citizens from identity theft. The time for action is long overdue. Field hearings allow us the unique opportunity to get out of Washington and hear the real-life experience of our neighbors on the frontlines of these important issues. I sincerely want to thank the City of Lake Worth for allowing us to hold this hearing in the Commission Chambers. [The opening statement of Chairman Shaw follows:] Opening Statement of the Hon. E. Clay Shaw, Jr., a Representative in Congress from the State of Florida, and Chairman, Subcommittee on Social Security Although created solely for the purpose of tracking workers' Social Security earnings, our culture is hooked on Social Security numbers. Even the most trivial transactions require us to hand over our 9-digit ID before services can be rendered. Your Social Security number is the key that unlocks the door to your identity for any unscrupulous individual who gains access to it. Once the door is unlocked, the criminal or terrorist has at their fingertips all the essential elements needed to carry out whatever dastardly act they can conceive. Worse, we know that some terrorists involved in the September 11th attacks illegally obtained Social Security numbers and used them to steal identities and obtain false documents, thus enabling them to live within our borders and plan their heinous crimes. Government and private industry must be vigilant in protecting identities. Safeguards to protect Social Security numbers and prevent identity theft must be put in place now. As a first step, I, along with several of my Ways and Means colleagues introduced bipartisan legislation, the Social Security Number Privacy and Identity Theft Prevention Act. This bill prohibits the sale and display of Social Security numbers by Federal, State and local governments, restricts the sale and display of Social Security numbers by the private sector, deters businesses from denying services when someone refuses to provide their number, and increases fines and penalties for Social Security number misuse. Today we will shine a bright light on the need to quickly bring comprehensive legislation to the House floor to keep Social Security numbers private and protect citizens from identity theft. The time for action is long overdue. Field hearings allow us the unique opportunity to get out of Washington and hear the real life experiences of our neighbors on the front lines of this important issue. I sincerely thank the City of Lake Forth for allowing us to hold this hearing in the Commission Chambers. Today, we welcome a neighbor and a former neighbor, Ms. Tropepe and Mr. Ross, who will share their personal stories about the theft of their identities. In addition, Barbara Bovberg of the General Accounting office will discuss government use of Social Security numbers. We will also hear about the many challenges faced by the law enforcement community as they hunt down identity thieves. We welcome Cece Dykas of the Office of the Attorney General; Lee Cohen of the State Attorney's Office, the Sheriff of Palm Beach County, Sheriff Ed Bieluch; and Roland Maye of the Social Security Administration's Office of Inspector General. Welcome to all. Chairman SHAW. Mark, I believe your political life started right here in this building. Mr. FOLEY. In this very seat. Chairman SHAW. Oh. Today we welcome a neighbor and former neighbor, Mrs. Tropepe and Mr. Ross, who will share their personal stories about the theft of their identities. In addition, Barbara Bovbjerg of the U.S. General Accounting Office will discuss government use of Social Security Numbers. We will also hear about the many challenges faced by law enforcement as they hunt down identity theft. We want to welcome representatives from the Office of the Attorney General, the State's Attorney's Office, we have the Sheriff of Palm Beach County, and we have also Mr. Maye of the Social Security Administration (SSA), Office of the Inspector General (OIG). I want to welcome all of you, and I will, at this time, yield to Mr. Foley for any comments that he might have. Mr. FOLEY. Thank you very much, Clay. And, first, let me thank everybody. It is a delight and honor to be back in this seat, in this city, in the first political office I ever held, and I think longingly of those days when life was easy and we didn't have the problems we have today. I am particularly pleased to see the number of panelists here. And, Lisa, specifically, thank you for joining us. You mentioned to me a few weeks ago the problems you had, and it was interesting because I had relayed a similar problem that I had where somebody took my Social Security Number and applied for credit. I got the first notice from Target Collection Agency that I had somehow charged $780 worth of goods and services. We got a copy of the application for credit. It showed my Social Security Number, said the person worked for the government. The only thing different was they used an address, Powerline Boulevard in Pompano Beach, Florida. So everything else they had on me. Target extended credit. That person walked away with $700-plus merchandise. I spent countless hours trying to reconcile this issue. It was horrific, and I felt if I had to go through so much trouble, imagine someone who may not have a phone that is able to reach during the day, who may not have the tenacity, who may be a single mother having to deal with kids and family all day long and then hustle up to try and see if they can get these collection agencies off their phones and off their backs. I felt violated. I couldn't believe it could occur, but as Congressman Shaw suggested, it is happening far too frequently. I want to thank my colleague, because he had the bill long before I came involved with this, but when I heard the subject matter of the bill, I told him of my own experience and enthusiastically wanted to jump on board to see whatever we could do to eliminate this kind of problem, because it is, it is a sad commentary, it is a tragedy when you have to go through it, and so I joined together with my colleague hopefully getting something done on this issue. And thank you, Clay, for coming to Lake Worth--your district, my old hometown. Chairman SHAW. Thank you, Mark. Our first panel--we will have two panels today. The first panel, Lisa Tropepe, who is the Partner at Shalloway, Foy, Rayman & Newell, Incorporated, West Palm Beach, Florida; accompanied by Tim Morell, attorney, West Palm Beach, Florida; Anthony Ross, who is a Federal Law Enforcement Officer, United States Marshals Service in Brunswick, Georgia; Cece Dykas, who is the Assistant Deputy Attorney General, Florida Office of the Attorney General, Palm Beach County; and Barbara Bovbjerg who is the Director of Education, Work force and Income Security Issues, the U.S. General Accounting Office from Washington. She often appears before us in Washington. And Kay Brown, Assistant Director of Education, Work force and Income Security Issues, the U.S. General Accounting Office, also in Washington. From each one of you we have, I believe for all, if not most of you, your written statements which will be made a part of the record. You may proceed as you see fit. Lisa? STATEMENT OF LISA A. TROPEPE, PARTNER, SHALLOWAY, FOY, RAYMAN & NEWELL, INC., WEST PALM BEACH, FLORIDA, ACCOMPANIED BY TIM MORELL, ATTORNEY Ms. TROPEPE. Thank you. For the record, I just wanted to let you know that Tim Morell is my attorney. My firm and I had to hire him when this was happening to me, and he is here on my behalf. Dear Committee Members, good afternoon. My name is Lisa A. Tropepe, and I have been a victim of identity theft. I am beginning my testimony with a copy of a May 7, 1999, letter to Judge Oftedahl articulating the seriousness of the crimes against me and the importance of penalizing the imposter for all the crimes committed. The letter is dated May 7, 1999. It is in reference to the State of Florida v. Terkesha L. Lane. ``Dear Judge Oftedahl, Assistant State Attorney Chris Jette called to let me know that Terkesha L. Lane is scheduled for arraignment today. The crime against me was that the defendant, while working as a temporary receptionist at my office stole personal information about me and assumed my identity. She cleaned out my personal bank account and opened several credit card accounts where she charged up to thousands of dollars of merchandise. Although I was initially advised by intake officer Brian Brennan, Esq., that the defendant would be charged with multiple counts of grand theft and counts relating to the fraudulent assumption of my identity, I am now advised that only one charge of theft has been made. My employers and I are concerned that the courts may not be well advised as to the personal seriousness and public danger this crime represents. With those thoughts in mind, I feel compelled to write this letter in the hope of informing you of the impact of the crime of identity theft that was perpetrated upon me and, indirectly upon my firm by Ms. Lane. This person stole approximately $20,000 from credit grantors and my personal bank account using my name. She applied and received a valid driver's license with her picture and my name, address, and so forth., on the license. She subsequently applied for credit cards, received temporary credit limits, and spent accordingly. She also entered my bank several times and withdrew $13,900 from my personal bank account. Now I am spending hundreds of frustrating hours dealing by phone and letters with collection companies, banks, credit reporting agencies, governmental agencies, (Division of Highway Safety and Motor Vehicles, Postal authorities, Social Security, etc.) and various other companies to convince them of the fraud, and to clean up the disaster affecting my credit and other aspects of my finances. The out-of-pocket costs are substantial. However, far more devastating is learning that someone has invaded every aspect of my life and taken my identity. My credit is ruined, my good reputation is stolen and tarnished, my career and livelihood has been impaired, and I am subjected to possible further invasion in the future. I will briefly outline several aspects of this nightmare. My office and I have spent over 100 hours calling, filling out documentation, writing letters return receipt requested to banks, credit reporting agencies, governmental agencies, companies, utilities, credit grantors, etc., to inform them of the fraud in an attempt to prove my own innocence. The burden is on the victim to prove fraud since there is great suspicion by the credit grantors. In fact, since I put fraud alerts and new passwords on all my accounts, I have experienced extensive questioning and delays in dealing with the various banks and agencies. I am told by the Privacy Rights Clearinghouse and the Federal Trade Commission that my problems may go on for several years. This has been a very frightening and invasive nightmare. I have had great difficulty sleeping and have woken in cold sweats worrying about what else I will find out. The impersonator was a temporary employee at my office. She was our temporary receptionist in charge of outgoing mail and phone messages. When I realized someone had taken my identity and was applying for credit cards in my name, I shared my problem with her. She subsequently hugged me and said everything will be okay. She never wavered in her demeanor. I truly believed that she was concerned. I was shocked to see her caught on tape withdrawing money from my bank account. I have had nightmares seeing the defendant invading my home and hurting me physically. She lives in Riviera Beach, and I live in Palm Beach Shores (Singer Island), which is only 5 minutes away. She knows where I live. Stealing my identity has made me feel very vulnerable and violated. It has been stressful and literally made me ill. I do not like to think of myself as a victim. I am a professional engineer and am responsible for multi-million dollar projects, handling many complex problems related to the health, safety and welfare of the public. Because of this, I thought at first that I could handle this stress without any help. However, I found it so overwhelming that I had to hire an attorney and am in the process of scheduling a meeting with a therapist. I respectfully request that Your Honor consider the serious nature of these crimes. I believe this defendant and other wrongdoers who might see this as an easy crime to commit with potentially big money to steal and no real punishment to face, learn that society will not tolerate this type of insidious crime. For that reason, I strongly urge that she experience jail time, not just a couple of months on probation. I am concerned about of what she will do to me in the future. I trust you take this crime seriously. In that connection, I am also concerned that the charges being brought against this wrongdoer don't include charges for credit card theft and fraud under Florida Statute 817. Thank you for your consideration. Sincerely, Lisa A. Tropepe.'' It has been almost exactly 3 years since I sent the above May 7, 1999, letter to Judge Oftedahl. In 3 years, the following has occurred. One, Turkesha L. Lane never served a day in prison. Turkesha L. Lane still has my Social Security Number, my home address and workplace. If she has not moved, Turkesha L. Lane still lives 5 minutes away from my home. Two, my credit record will never be the same. Perpetual fraud alerts and annual credit bureau inquiries have been, and will be, a part of my life for the rest of my life. Three, a reoccurrence is always in the back of my mind. After 3 years, I still shutter at the thought of someone impersonating me. My summation of this incident can only be described in two words: electronic rape. A part of me wants to thank you for giving me this opportunity to share my experience with all of you. However, a part of me is fearful that my testimony may call attention to other criminals regarding my vulnerability to be impersonated again. As lawmakers, I trust that you will provide the necessary laws needed to stop this awful crime. [The prepared statement of Ms. Tropepe follows:] Statement of Lisa A. Tropepe, Partner, Shalloway, Foy, Rayman & Newell Inc., West Palm Beach, Florida Dear Committee Members: Good Afternoon, my name is Lisa A. Tropepe and I have been a victim of identity theft. I am beginning my testimony with a copy of a May 7, 1999 letter to Judge Oftedahl articulating the seriousness of the crimes against me and the importance of penalizing the imposter for all the crimes committed. ______ May 7, 1999 The Honorable Richard L. Oftedahl, Room 11.2213, Division X Palm Beach County Courthouse, 205 N. Dixie Highway, West Palm Beach, FL 33401 IN RE: State of Florida v. Terkesha L. Lane; PBSO #99-053521; Assigned to Assistant State Attorney Chris Jette, Division X; Arrainment date 5/7/99 Hand Delivered Dear Judge Oftedahl: Assistant State Attorney Chris Jette called to let me know that Terkesha L. Lane is scheduled for arraignment today. The crime against me was that the defendant while working as a temporary receptionist at my office stole personal information about me and assumed my identity. She cleaned out my personal bank account and opened several credit card accounts where she charged up thousands of dollars of merchandise. Although I was initially advised by intake officer Brian Brennan, Esq., that the defendant would be charged with multiple counts of grand theft and counts relating to the fraudulent assumption of my identity, I am now advised that only one charge of theft has been made. My employers and I are concerned that the courts may not be well advised as to the personal seriousness and public danger this crime represents. With those thoughts in mind, I feel compelled to write this letter in the hope of informing you of the impact of the crime of identity theft that was perpetrated upon me and, indirectly upon my firm, by Ms. Lane. This person stole approximately $20,000.00 from credit grantors and my personal bank account using my name. She applied and received a valid driver's license with her picture and my name, address, etc., on the license. She subsequently applied for credit cards, received temporary credit limits, and spent accordingly. She also entered my bank several times and withdrew $13,900.00 from my personal bank account. Now I am spending hundreds of frustrating hours dealing by phone and letters with collection companies, banks, credit reporting agencies, governmental agencies, (Division of Highway Safety and Motor Vehicles, Postal authorities, Social Security, etc.) and various other companies to convince them of the fraud, and to clean up the disaster affecting my credit and other aspects of my finances. The out-of-pocket costs are substantial. However, far more devastating is learning that someone has invaded every aspect of my life and taken my identity. My credit is ruined, my good reputation is stolen and tarnished, my career and livelihood has been impaired, and I am subjected to possible further invasion in the future. I will briefly outline several aspects of this nightmare: My office and I have spent over 100 hours calling, filling out documentation, writing letters return receipt requested to banks, credit reporting agencies, governmental agencies, companies, utilities, credit grantors, etc. to inform them of the fraud in an attempt to prove my own innocence. The burden is on the victim to prove fraud since there is great suspicion by the credit grantors. In fact, since I put fraud alerts and new passwords on all my accounts, I have experienced extensive questioning and delays in dealing with the various banks and agencies. I am told by the Privacy Rights Clearinghouse and the Federal Trade Commission that my problems may go on for several years. See articles attached--including an article from Wednesday's Sun Sentinel which reports a nearly identical case. This has been a very frightening and invasive nightmare. I have had great difficulty sleeping and have awoken in cold sweats worrying about what else I will find out. The impersonator was a temporary employee at my office. She was our temporary receptionist in charge of outgoing mail and phone messages. When I realized someone had taken my identity and was applying for credit cards in my name, I shared my problem with her. She subsequently hugged me and said everything will be okay. She never waivered in her demeanor. I truly believed that she was concerned. I was shocked to see her caught on tape withdrawing money from my account. I have had nightmares seeing the defendant invading my home and hurting me physically. She lives in Riviera Beach and I live in Palm Beach Shores (Singer Island), which is only five minutes away. She knows where I live. Stealing my identity has made me feel very vulnerable and violated. It has been stressful and literally made me ill. I do not like to think of myself as a victim. I am a professional engineer and am responsible for multi-million dollar projects, handling many complex problems related to the health, safety and welfare of the public. Because of this, I thought at first that I could handle this stress without any help. However, I found it so overwhelming that I had to hire an attorney and am in the process of scheduling a meeting with a therapist. I respectfully request that Your Honor consider the serious nature of these crimes. I believe this defendant and other wrongdoers who might see this as an easy crime to commit with potentially big money to steal and no real punishment to face, learn that society will not tolerate this type of insidious crime. For that reason, I strongly urge that she experience jail time, not just a couple months on probation. I am concerned about of what she will do to me in the future. I trust you take this crime seriously. In that connection, I am also concerned that the charges being brought against this wrongdoer don't include charges for credit card theft and fraud under Florida Statute 817. Thank you for your consideration. Sincerely, Lisa A. Tropepe ______ It has been almost exactly three years since I sent the above May 7, 1999 letter to Judge Oftedahl. In the three years the following has occurred: 1. Terkesha L. Lane never served a day in prison. Terkesha L. Lane still has my social security number, my home address and workplace. If she has not moved, Terkesha L. Lane still lives five minutes away from my home. 2. My credit record will never be the same. Perpetual fraud alerts and annual Credit Bureau inquiries have been and will be a part of my life for the rest of my life. 3. A reoccurrence is always in the back of my mind. After 3 years I still shutter at the thought of someone impersonating me. My summation of this incident can only be described in two words--``Electronic Rape''. A part of me wants to thank you for giving me this opportunity to share my experience with all of you. However, a part of me is fearful that my testimonial may call attention to other criminals regarding my vulnerability to be impersonated again. As lawmakers, I trust that you will provide the necessary laws needed to stop this awful crime. Chairman SHAW. Thank you for that testimony. I think we are all vulnerable. Mr. Ross? STATEMENT OF ANTHONY K. ROSS, FEDERAL LAW ENFORCEMENT OFFICER, UNITED STATES MARSHALS SERVICE, BRUNSWICK, GEORGIA Mr. ROSS. Thank you. Good afternoon. My name is Anthony Ross, and I would like to thank the Honorable Clay Shaw, Social Security Subcommittee and the Social Security Administration Office of Inspector General for inviting me to testify to you today. The illegal use of another's identity is a serious problem costing the American taxpayers and businesses billions of dollars. Additionally, it destroys the credit of a very large number of citizens daily. I am one of those citizens and also a Federal Law Enforcement Officer, the United States Marshals Service. In April 2000, I became aware that I was a victim of identity theft when contacted by my banking institution. In a few days time, a person had assumed a false Florida driver's license with my name and information, cashed five checks for $995 each. I went through a few weeks of closing accounts and then finding that my accounts were now frozen and the moneys transferred back to the original accounts. This occurred several times during approximately a 2-week period. Eventually, it was resolved when out of frustration I closed all the accounts and began banking with another institution. Shortly thereafter, I was going to purchase a home subsequent to relocating from Florida to Georgia. The mortgage institution ran a credit check and inquired I had opened more than 25 revolving credit accounts in approximately a month's time. SunTrust was very professional, and they were quick in determining that I was not the cause of these accounts, and the purchase of my home went through without difficulty. However, from that point on it has been a nightmare and that is because my identity was illegally used to obtain in excess of $50,000 worth of credit charges. I have contacted credit bureaus and established flags for being a victim of identity theft. I have contacted numerous credit card companies, spending extended lengths of time just trying to get through the computerized phone systems, and then to a living person and then transferred again to reach a person in the Fraud Investigations Department. I have struggled with trying to read or more likely decipher credit reports; they are not user-friendly. I have contacted numerous creditors and filled out endless forms, filed affidavits, provided copies of driver's license, Social Security card to try to prove my innocence. That is right, the victim has to prove he is innocent. In many cases, I have received letters indicating that I have been cleared and credit bureaus that have been notified. However, and this is after looking up my most recent credit reports, the credit bureaus have not properly disclosed that information on my credit report. In June 2000, I received a Notice of Court appearance to answer for charges regarding failure to redeliver a hired vehicle. Again, my identity information was misused, and now I face the possibility of being arrested. At the least, I was now, as a Law Enforcement Officer, on the wrong end of the judicial system. Again, I had to prove my innocence by providing photographs and fingerprint cards. Metro-Dade Police Identity Unit was very professional and prompt in assisting me with clearing up this situation, as well as the State Attorney's Office. During this ordeal, I attempted to get assistance through several law enforcement agencies. I would call and get transferred, received voice mail, and then when I did speak to a detective I was generally given very little positive indication that anything would be done other than establish a crime report. Some law enforcement indicated they were very overwhelmed with identity theft activity, and I was part of a long list. Due to the abundance of identity theft and limited law enforcement resources, proper attention to my case was initially very poor. And that was until I contacted Special Agent Ray Llorca of the Social Security Administration. Special Agent Llorca promptly scheduled a meeting with me and obtained information and statements from me, and he was permitted to open an investigation. As a result, I testified in a State grand jury in July 2001. I was informed that six people were indicted in this scheme regarding identity theft and credit card/banking fraud. As recently as March 2002, a collection agency provided me an offer to settle an account with a balance of over $4,000, and this was for a substantially reduced amount. They were actually going to let me make two payments for about, oh, $1,200 and change each. What a deal, okay? This was in regards to an account that was illegally opened using my identity. A recent credit report indicates that I have 38 serious delinquency in public record or collections filed, none of which are truly my responsibility, but I must deal with them until they are cleared. The point I am trying to make is that even after crime, the investigation and to some extent the judicial proceedings, we, as victims of identity theft, are still trying to clear our names and restore our credit. Thank you. [The prepared statement of Mr. Ross follows:] Statement of Anthony Ross, Federal Law Enforcement Officer, United States Marshals Service, Brunswick, Georgia Good Afternoon, my name is Anthony Ross. I would like to thank the Honorable Clay Shaw, Social Security Subcommittee and the Social Security Administration Office of Inspector General for inviting me to testify to you today. The illegal use of another's identity is a serious problem costing American taxpayers and businesses billions of dollars. Additionally, it destroys the credit of very large number of citizens daily. I am one of those citizens and also a Federal Law Enforcement Officer with the United States Marshals Service. In April of 2000 I became aware that I was a victim of identity theft when contacted by my banking institution. In a few days time a person assumed a false Florida Drivers License and cashed five checks for $995.00 each. I went through a few weeks of closing accounts and then finding that my accounts were frozen and monies transferred back to the original accounts. This occurred several times in that time period. Eventually it was resolved when out of frustration, I closed all accounts and began business with another banking institution. Shortly thereafter, I was going to purchase a home subsequent to relocating from Florida to Georgia. The mortgage institution ran a credit check and inquired if I had opened more than 25 revolving credit accounts in approximately a month's time. Sun Trust was very professional and quick in determining that I was not the cause of these credit problems. The purchase of the home went through without difficulty. However, from that point on it has been a nightmare. That's because my identity was illegally used to obtain in excess of $50,000.00 worth of credit charges. I have contacted credit bureaus and established flags for being a victim of identity theft. I have contacted numerous credit card companies spending extended lengths of time just trying to get through the computerized phone systems and then to a living person and then transferred again to reach a person in a fraud investigations department. I have struggled with trying to read or more likely decipher credit reports. They are not consumer friendly. I have contacted numerous creditors and have filled out endless forms, filed affidavits, provided copies of Drivers License and Social Security card to try to prove my innocence. That's right, the victim has to prove he is innocent. In many cases, I received letters indicating that I have been cleared and credit bureaus notified. However, In some cases that has not been properly disclosed on my credit report. In June of 2000 I received a Notice of Court appearance to answer for charges regarding Failure to Redeliver a Hired Vehicle. Again, my identity information was misused and now I faced the possibility of being arrested. At the least, I was now seen as a law enforcement officer on the wrong end of the judicial system. Again, I had to prove my innocence by providing photos and fingerprint cards. Metro-Dade Police Identity Unit was very professional and prompt in assisting with clearing up this situation as well as the State Attorney's Office. During this ordeal, I attempted to get assistance through several law enforcement agencies. I would call and get transferred and receive voice mail. When I did speak to a Detective, I was given very little positive indication that anything would be done other than establishing a crime report. Some law enforcement indicated they were overwhelmed with identity theft activity and I was part of a long list. Due to the abundance of identity theft, and limited law enforcement resources, proper attention to my case was initially very poor. That was until I contacted Special Agent Ray Llorca of the Social Security Administration, Office of Inspector General. S/A Llorca promptly scheduled a meeting with me and obtained information and statements and was permitted to open an investigation. As a result, I testified in a State Grand Jury in July 2001 and I was informed that six people were indicted in this scheme regarding identity theft and credit card/ banking fraud. As recently as March 2002, a collection agency provided me an offer to settle an account with a balance of over $4000.00 for a substantially reduced amount. What a deal! This was in regards to an account that was illegally opened using my identity. A recent credit report indicates that I have 38 serious delinquency and public record or collections filed. None of which are truly my responsibilities, but I must deal with them until they are cleared. The point I am trying to make is that even after crime, the investigation, and to some extent, the judicial proceedings, we as victims of identity theft are still trying to clear our names and restore our credit. Thank you. Chairman SHAW. Mr. Dykas? STATEMENT OF CECE DYKAS, ASSISTANT DEPUTY ATTORNEY GENERAL, FLORIDA OFFICE OF THE ATTORNEY GENERAL, PALM BEACH COUNTY OFFICE, FT. LAUDERDALE, FLORIDA Mr. DYKAS. Good afternoon, Chairman, Congressman Foley. My name is Cece Dykas. I am the Assistant Deputy Attorney General for south Florida. Unfortunately, Florida finds itself on the forefront of identity theft issues, but hopefully we will also be on the forefront, along with the Federal Government, in trying to help stop these. In 1999, the Governor requested a Privacy and Technology Task Force. As a result of that task force and the testimony that was generated from that, a State grand jury was empanelled to deal with the variety of issues, including identity theft, along with the theft of driver's licenses. The grand jury that was empanelled recently released their report in January 10, 2002. To date, there have been at least 56 defendants who have been charged with over 470 counts. There is a projected loss for the year 2005 that there will be a theft of $8 billion. They estimate that the average loss per person in an identity theft scheme is $17,000, as the other panelists, just through their own experience, have indicated. The average length of time between a theft occurring and a victim finding out that their identity has been stolen is generally 12.7 months. The average victim spends up to at least 3 months and over $800 of their money to try and clear their name. Your Social Security, as the Chairman indicated when he was getting his fishing license, is on virtually everything. It is doctors' offices, video rentals, school applications. As a result of that, the Florida legislature, in the past several years, have passed Statutory section 817.568, Subsection 8. It allows for the prosecution of identity theft based on the residency of the victim. In many ways, part of the problem in prosecuting identity theft was to be able to determine where the crime had occurred. That statute now allows for the place of resident of the victim to determine jurisdiction. One of the recommendations or several of the recommendations of the task force were that they be established a nationally recognized identity theft prosecution unit within the Office of statewide Prosecution, that there be a devotion of resources for the training of Florida prosecutors and law enforcement officers on issues related to the investigation and prosecution of identity theft, that the legislation appropriation of funds to study and report on design methods and procedures to make the Florida drivers' licenses and identification card more resistant to tampering and counterfeiting. There is also a request for a formation for a multi-disciplined focus group to study security features of the Florida driver's license and identification card to make it one of the most secure driver's licenses and ID cards in the country. This past session, or should I say current session, that is going on in Tallahassee, has several bills before it dealing specifically with the issue of identity theft. Senate bill 140 criminalizes the use of any public record to commit a further crime. House bill 1673 makes Social Security Numbers in the hands of State agencies exempt from disclosure under chapter 119. House bill 1675 exempts bank account numbers or credit card charge or debit account numbers in the hands of State agencies from disclosure under chapter 119. House bill 1679 sets up a study commission on how the State treats personal ID information in public hands, whether excessive or unnecessary information is collected. The impact of advanced technologies on full access to public records, whether to treat the public access to physical documents differently than public access to electronic documents and other issues that underline the balance between the two. Senate bill 1020, and the bill makes a non-criminal violation for merchants who accept payment by electronic payment cards to leave more than the last five digits of the customer's account number showing on any receipt. And, finally, Senate bill 520, which provides an infrastructure and raises the standards for issuance of driver's license. It provides that a breeder document, those used to prove the identify of the applicant, be preserved by the Department, makes reciprocity and accepting out-of-State driver's licenses contingent on the other State having adopted standards as stringent as Florida's and provides that any driver's licenses used to a foreign national will not be valid for longer than a 2-year period of time. Presently, those bills are before the legislature and have bipartisan support, so hopefully those will be passed this session. Thank you very much. [The prepared statement of Mr. Dykas follows:] Statement of Cece Dykas, Assistant Deputy Attorney General, Florida Office of the Attorney General, Palm Beach County Office, Ft. Lauderdale, Florida [GRAPHIC] [TIFF OMITTED] T0224A.001 ------ [GRAPHIC] [TIFF OMITTED] T0224B.002 ------ [GRAPHIC] [TIFF OMITTED] T0224C.003 ------ [GRAPHIC] [TIFF OMITTED] T0224D.004 ------ [GRAPHIC] [TIFF OMITTED] T0224E.005 ------ [GRAPHIC] [TIFF OMITTED] T0224F.006 ------ [GRAPHIC] [TIFF OMITTED] T0224G.007 ------ [GRAPHIC] [TIFF OMITTED] T0224H.008 ------ [GRAPHIC] [TIFF OMITTED] T0224I.009 ------ [GRAPHIC] [TIFF OMITTED] T0224J.010 ------ [GRAPHIC] [TIFF OMITTED] T0224K.011 ------ [GRAPHIC] [TIFF OMITTED] T0224L.012 ------ [GRAPHIC] [TIFF OMITTED] T0224M.013 ------ [GRAPHIC] [TIFF OMITTED] T0224N.014 ------ [GRAPHIC] [TIFF OMITTED] T0224O.015 ------ [GRAPHIC] [TIFF OMITTED] T0224P.016 ------ [GRAPHIC] [TIFF OMITTED] T0224Q.017 ------ [GRAPHIC] [TIFF OMITTED] T0224R.018 ------ [GRAPHIC] [TIFF OMITTED] T0224S.019 ------ [GRAPHIC] [TIFF OMITTED] T0224T.020 ------ [GRAPHIC] [TIFF OMITTED] T0224U.021 ------ [GRAPHIC] [TIFF OMITTED] T0224V.022 ------ [GRAPHIC] [TIFF OMITTED] T0224W.023 ------ [GRAPHIC] [TIFF OMITTED] T0224X.024 ------ [GRAPHIC] [TIFF OMITTED] T0224Y.025 ------ [GRAPHIC] [TIFF OMITTED] T0224Z.026 Chairman SHAW. Thank you. Ms. Bovbjerg? STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR, EDUCATION, WORKFORCE, AND INCOME SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE, ACCOMPANIED BY KAY BROWN, ASSISTANT DIRECTOR Ms. BOVBJERG. Thank you. Mr. Chairman, Mr. Foley, thank you very much for inviting me once again before the Subcommittee, and I am especially appreciative that you have chosen to meet in the beautiful Sunshine State. It is very nice to get away from Washington. You have heard people talking about identity theft and the role of the Social Security Number in particular. And you have invited me today to discuss specifically government uses and protections of Social Security Numbers and the results of our ongoing work. I would like to focus first on uses and protections in the course of providing government benefits and services and then, second, on uses and protections in public records. My testimony is based on surveys and site visits we conducted at Federal, State, and county government agencies in the past year. We are conducting this work at your request, Mr. Chairman, and we plan to issue our report next month. Let me speak first about government uses in benefit and service provision. Federal, State and county agencies rely extensively on the Social Security Number, because SSNs provide a quick and efficient means of managing records and maintaining program integrity. The numbers are particularly useful when agencies share information with others to verify benefit eligibility or to collect outstanding debt. Most of this data sharing occurs between government agencies, but a significant percentage of agencies we surveyed told us they also share with other entities, such as contractors, credit bureaus, and insurance companies. governments also use SSNs in their role as employers for wage reporting and benefit administration. Although government agencies told us of various steps they take to safeguard the SSNs they use for these purposes, we found that certain key protections are not uniformly in place at any level of government. For example, when requesting SSNs, government agencies told us that they are not consistently providing individuals with key information mandated by Federal law. The Privacy Act requires that any Federal, State or local government agencies tell individuals who are asked to provide their SSNs whether the compliance is voluntary or mandatory and how the SSN will be used. This notification helps an individual make an informed decision and represents the first line of defense against improper use. We also found that many government agencies occasionally display SSNs on documents that may be viewed by others who don't need this information. These documents include things like payroll and benefit checks, child care vouchers and official letters to program participants. In addition, some governments display employees' SSNs on employee badges and identification cards. Responses to our surveys also showed potential weaknesses in information security. We asked agencies about eight practices commonly used in information security programs. Although many government agencies reported adopting some of the practices, none of the eight practices were uniformly adopted at any level of government. Let me turn now to the topic of SSNs in public records. When I say public records, I mean records or documents routinely made available to the public for inspection, such as marriage licenses or property transactions. Some Federal agencies and many of the State and county agencies we surveyed, including courts at all three levels of government, told us they maintain public records that contain SSNs. Officials who maintain these records told us it is their responsibility to preserve the integrity of the record and to make it publicly available rather than to protect the privacy of the individual SSN holder. Nonetheless, we found examples of government entities trying innovative approaches to protect the SSNs in such records, including developing new forms that shield SSNs from public view by maintaining them separately or on the back of the rest of the record. These changes are most effective when the government agency prepares the documents itself, but they don't protect information on documents prepared and submitted by someone else nor do they limit the availability of SSNs on records filed prior to the change in form. As a practical matter, as long as access to public records remains an in-person process, access will be somewhat limited. Where those wishing to view public records must visit a physical location and request information on a case-by-case basis, there is a measure of protection against widespread collection of personal information, like the SSN. However, several officials told us that thanks to the growth of electronic recordkeeping, they were considering making such records available on their Web sites. Such actions would create new opportunities for gathering SSNs from public records on a broad scale. In conclusion, governments use SSNs for many beneficial purposes but they do not always ensure that this personal information is protected. Although it is unclear whether these gaps in protection lead directly to identity theft, they represent a potential for SSN misuse. It will be important for governments at all levels to consider how best to protect SSNs and to take appropriate actions to improve the security of this information. Thank you, Mr. Chairman. [The prepared statement of Ms. Bovbjerg follows:] Statement of Barara D. Bovbjerg, Director, Education, Workforce, and Income Security Issues, U.S. General Accounting Office Chairman Shaw and members of the Subcommittee: Thank you for inviting me here today to discuss government use of Social Security Numbers (SSNs). Although the SSN was originally created in 1936 as a means to track workers' earnings and eligibility for Social Security benefits, today the number is used for myriad non- Social Security purposes in both the private and public sectors. Consequently, the public is concerned with how their personal SSNs are being used and protected. Further, the growth in electronic record keeping and the explosion of the availability of information over the Internet, combined with the rise in reports of identity theft, have heightened this concern. We have previously reported that SSNs play an important role in public and private sectors' ability to deliver services or conduct business.1 Today, I will focus on how federal, state, and local governments use SSNs. Specifically, I will discuss (1) the extent and nature of government agencies' use of SSNs as they administer programs to provide benefits and services and the actions government agencies take to safeguard these SSNs from improper disclosure and (2) the extent and nature of governments' use of SSNs when they are contained in public records and the options available to better safeguard SSNs that are traditionally found in these public records.2 My testimony is based on our ongoing work conducted at your request and that of the Subcommittee on Technology, Terrorism and Government Information, Senate Committee on the Judiciary. To address these issues, we mailed surveys to programs in 18 federal agencies and those departments that typically use SSNs in all 50 states, the District of Columbia, and the 90 most populous counties.3 We also conducted site visits and in-depth interviews at six selected federal programs, three states, and three counties. We met with officials responsible for programs, agencies, or departments (hereinafter referred to generically as agencies) and courts that make frequent use of SSNs. We conducted our work between February 2001 and March 2002 in accordance with generally accepted government auditing standards. --------------------------------------------------------------------------- \1\ U.S. General Accounting Office, Social Security: Government and Commercial Use of the Social Security Number is Widespread, GAO/HEHS- 99-28 (Washington, D.C.: Feb. 16, 1999). \2\ We found no commonly accepted definition of public records. For the purposes of this statement, when we use the term public record, we are referring to a record or document that is routinely made available to the public for inspection either by a federal, state, or local government agency or a court, such as those readily available at a public reading room, clerk's office, or on the Internet. \3\ We did not survey state Departments of Motor Vehicles or state agencies that administer state tax programs, because we have reported on these activities separately. See U.S. General Accounting Office, Child Support Enforcement: Most States Collect Drivers' SSNs and Use Them to Enforce Child Support, GAO-02-239 (Washington, D.C.: Feb. 15, 2002) and Taxpayer Confidentiality: Federal, State, and Local Agencies Receiving Taxpayer Information, GAO-GGD-99-164 (Washington, D.C.: Aug. 30, 1999). --------------------------------------------------------------------------- In summary, in delivering services and benefits to the public, federal, state, and county government agencies use SSNs to manage records, verify the eligibility of benefit applicants, collect outstanding debts and conduct research and program evaluation. Using SSNs for these purposes can save the government and taxpayers hundreds of millions of dollars each year. As they make use of SSNs for these purposes, government agencies are taking some steps to safeguard the numbers. However, agencies are not consistently following federal laws regarding the collection of personal information, implementing safeguards to protect SSNs from improper disclosure, or limiting the display of SSN on documents not intended for the public. Moreover, courts at all three levels of government and certain offices at the state and county level maintain records that contain SSNs for the purpose of making them available to the public. Recognizing that these SSNs may be misused by others, some government entities have taken steps to protect the SSNs from public display. For example, some have modified forms so that they can collect SSNs but keep them in a file separate from the public portion of the record. Nonetheless, although public records have traditionally been housed in government offices and court buildings, to improve customer service some government entities are considering placing more public records on the Internet. The ease of access the Internet affords could encourage individuals to engage in information gathering from public records on a broader scale than possible previously. In conclusion, we will be reporting in more detail on these issues at the end of this month and look forward to exploring additional options to better protect SSNs with you as we complete our work. Background The use of SSNs by government and the private sector has grown over time, in part because of federal requirements. In addition, the growth in computerized records has further increased reliance on SSNs. This growth in use and availability of the SSN is important because SSNs are often one of the ``identifiers'' of choice among identity thieves. Although no single federal law regulates the use and disclosure of SSNs by governments, when federal government agencies use them, several federal laws limit the use and disclosure of the number.4 Also, state laws may impose restrictions on SSN use and disclosure, and they vary from state to state. Moreover, some records that contain SSNs are considered part of the public record and, as such, are routinely made available to the public for review. --------------------------------------------------------------------------- \4\ In this review, we do not include criminal provisions that might apply to the improper use of SSNs. --------------------------------------------------------------------------- SSN Use Has Grown, in Part Because of Federal Requirements Since the creation of the SSN, the number of federal agencies and others that rely on it has grown beyond the original intended purpose. In 1936, the Social Security Administration (SSA) created a numbering system designed to provide a unique identifier, the SSN, to each individual. The agency uses SSNs to track workers' earnings and eligibility for Social Security benefits, and as of December 1998, SSA had issued 391 million SSNs. Since the creation of the SSN, other entities in both the public and private sectors have begun using SSNs, in part because of federal requirements. The number of federal agencies and others relying on the SSN as a primary identifier escalated dramatically, in part, because a number of federal laws were passed that authorized or required its use for specific activities. (See appendix I for examples of federal laws that authorize or mandate the collection and use of SSNs.) In addition, private businesses, such as financial institutions and health care service providers, also rely on individuals SSNs. In some cases, they require the SSN to comply with federal laws but, at other times, they routinely choose to use the SSNs to conduct business. In addition, the advent of computerized records further increased reliance on SSNs. Government entities are beginning to make their records electronically available over the Internet. Moreover, the Government Paperwork Elimination Act of 1998 requires that, where practicable, federal agencies provide by 2003 for the option of the electronic maintenance, submission, or disclosure of information. State government agencies have also initiated Web sites to address electronic government initiatives. Moreover, continuing advances in computer technology and the ready availability of computerized data have spurred the growth of new business activities that involve the compilation of vast amounts of personal information about members of the public, including SSNs, that businesses sell. Identity Thieves Often Use SSNs The overall growth in the use of SSNs is important to individual SSN holders because these numbers, along with names and birth certificates, are among the three personal identifiers most often sought by identity thieves.5 Identity theft is a crime that can affect all Americans. It occurs when an individual steals another individual's personal identifying information and uses it fraudulently. For example, SSNs and other personal information are used to fraudulently obtain credit cards, open utility accounts, access existing financial accounts, commit bank fraud, file false tax returns, and falsely obtain employment and government benefits. SSNs play an important role in identity theft because they are used as breeder information to create additional false identification documents, such as drivers licenses. --------------------------------------------------------------------------- \5\ United States Sentencing Commission, Identity Theft Final Alert (Washington, D.C.: Dec. 15, 1999). --------------------------------------------------------------------------- Recent statistics collected by federal and consumer reporting agencies indicate that the incidence of identity theft appears to be growing.6 The Federal Trade Commission (FTC), the agency responsible for tracking identity theft, reports that complaint calls from possible victims of identity theft grew from about 445 calls per week in November 1999, when it began collecting this information, to about 3,000 calls per week by December 2001. However, FTC noted that this increase in calls might also, in part, reflect enhanced consumer awareness. In addition, SSA's Office of the Inspector General, which operates a fraud hotline, reports that allegations of SSN misuse increased from about 11,000 in fiscal year 1998 to more than 65,200 in fiscal year 2001. However, some of the reported increase may be a result of a growth in the number of staff SSA assigned to field calls to the Fraud Hotline during this period. SSA staff increased from 11 to over 50 during this period, which allowed personnel to answer more calls. Also, officials from two of the three national consumer reporting agencies report an increase in the number of 7 year fraud alerts placed on consumer credit files, which they consider to be reliable indicators of the incidence of identity theft.7 Finally, it is difficult to determine how many individuals are prosecuted for identity theft because law enforcement entities report that identity theft is almost always a component of other crimes, such as bank fraud or credit card fraud, and may be prosecuted under the statutes covering those crimes. --------------------------------------------------------------------------- \6\ U.S. General Accounting Office, Identity Theft: Prevalence and Cost Appear to be Growing, GAO-02-363 (Washington, D.C.: Mar. 1, 2002). \7\ A fraud alert is a warning that someone may be using the consumer's personal information to fraudulently obtain credit. When a fraud alert is placed on a consumer's credit card file, it advises credit grantors to conduct additional identity verification before granting credit. The third consumer reporting office offers fraud alerts that can vary from 2 to 7 years at the discretion of the individual. --------------------------------------------------------------------------- Most often, identity thieves use SSNs belonging to real people rather than making one up; however, on the basis of a review of identify theft reports, victims usually (75 percent of the time) did not know where or how the thieves got their personal information.8 In the 25 percent of the time when the source was known, the personal information, including SSNs, usually was obtained illegally. In these cases, identity thieves most often gained access to this personal information by taking advantage of an existing relationship with the victim. The next most common means of gaining access were by stealing information from purses, wallets, or the mail. In addition, individuals can also obtain SSNs from their workplace and use them themselves or sell them to others. Finally, SSNs and other identifying information can be obtained legally through Internet sites maintained by both the public and private sectors and from records routinely made available to the public by government entities and courts. Because the sources of identity theft cannot be more accurately pinpointed, it is not possible at this time to determine the extent to which the government's use of SSNs contributes to this problem as compared to use of SSNs by the private sector. --------------------------------------------------------------------------- \8\ This information is based on a review of 39 cases involving SSN theft drawn from the Federal Trade Commission's fiscal year 1998 datafiles. --------------------------------------------------------------------------- In Some Instances, SSNs Are to Be Protected from Public Disclosure No single federal law regulates the overall use or restricts the disclosure of SSNs by governments; however, a number of laws limit SSN use in specific circumstances. Generally, the federal government's overall use and disclosure of SSNs are restricted under the Freedom of Information Act and the Privacy Act. The Freedom of Information Act presumes federal government records are available upon formal request, but exempts certain personal information, such as SSNs. The purpose of the Privacy Act, broadly speaking, is to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy by federal agencies. Also, the Social Security Act Amendments of 1990 provide some limits on disclosure, and these limits apply to state and local governments as well. In addition, a number of federal statutes impose certain restrictions on SSN use and disclosure for specific programs or activities.9 At the state and county level, each state may have its own statutes addressing the public's access to government records and privacy matters; therefore, states may vary in terms of the restrictions they impose on SSN use and disclosure. --------------------------------------------------------------------------- \9\ For example, the Internal Revenue Code, which requires the use of SSNs for certain purposes, declares tax return information, including SSNs, to be confidential, limits access to specific organizations, and prescribes both civil and criminal penalties for unauthorized disclosure. For more information, see GAO-GGD-99-164. Also, the Personal Responsibility and Work Opportunity Act of 1996 explicitly restricts the use of SSNs to purposes set out in the Act, such as locating absentee parents to collect child support payments. --------------------------------------------------------------------------- In addition, a number of laws provide protection for sensitive information, such as SSNs, when maintained in computer systems and other government records. Most recently, the Government Information Security Reform provisions of the Fiscal Year 2001 Defense Authorization Act require that federal agencies take specific measures to safeguard computer systems that may contain SSNs.10 For example, federal agencies must develop an agency-wide information security management program. These laws do not apply to state and local governments; however, in some cases state and local governments have developed their own statutes or put requirements in place to similarly safeguard sensitive information, including SSNs, kept in their computer systems. --------------------------------------------------------------------------- \10\ These provisions supplement information security requirements established in the federal Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger-Cohen Act of 1996, and Office of Management and Budget guidance. --------------------------------------------------------------------------- SSNs Are Found in Some Public Records In addition to the SSNs used by program agencies to provide benefits or services, some records that contain SSNs are considered part of the public record and, as such, are routinely made available to the public for review. This is particularly true at the state and county level. Generally, state law governs whether and under what circumstances these records are made available to the public, and they vary from state to state. They may be made available for a number of reasons. These include the presumption that citizens need government information to assist in oversight and ensure that government is accountable to the people. Certain records maintained by federal, state, and county courts are also routinely made available to the public. In principle, these records are open to aid in preserving the integrity of the judicial process and to enhance the public trust and confidence in the judicial process. At the federal level, access to court documents generally has its grounding in common law and constitutional principles. In some cases, public access is also required by statute, as is the case for papers filed in a bankruptcy proceeding. As with federal courts, requirements regarding access to state and local court records may have a state common law or constitutional basis or may be based on state laws. LSSNs Are Widely Used by Program Agencies at All Levels of Government, but Could Be Better Protected by Them When federal, state, and county government agencies administer programs that deliver services and benefits to the public, they rely extensively on the SSNs of those receiving the benefits and services. SSNs provide a quick and efficient means of managing records and are used to conduct research and program evaluation. In addition, they are particularly useful when agencies share information with others to verify the eligibility of benefit applicants or to collect outstanding debts. Using SSNs for these purposes can save the government and taxpayers hundreds of millions of dollars each year. As they make this wide use of SSNs, government agencies are taking some steps to safeguard the numbers; however, certain key measures that could help protect SSNs are not uniformly in place at any level of government. First, when requesting SSNs, government agencies are not consistently providing individuals with key information mandated by federal law, such as whether individuals are required to provide their SSNs. Second, although agencies that use SSNs to provide benefits and services are taking steps to safeguard them from improper disclosure, our survey identified potential weaknesses in the security of information systems at all levels of government. Similarly, sometimes government agencies display SSNs on documents not intended for the public, and we found numerous examples of actions taken to limit the presence of SSNs on documents. However, these changes are not systematic and many government agencies continue to display SSNs on a variety of documents. All Levels of Government Use SSNs Extensively for a Wide Range of Purposes Most of the agencies we surveyed at all levels of government reported using SSNs extensively to administer their programs.11 As shown in table 1, more agencies reported using SSNs for internal administrative purposes, such as using SSNs to identify, retrieve, and update their records, than for any other purpose. SSNs are so widely used for this purpose, in part, because each number is unique to an individual and does not change, unlike some other personal identifying information, such as names and addresses. --------------------------------------------------------------------------- \11\ Of the respondents to our survey, 14 state program departments and 13 county program departments reported that they do not obtain, receive, or use the SSN of program participants, service recipients, or individual members of the public. We did not verify this information. Table 1: Percentage of Program Agencies Using SSNs for Each Reason Listed ------------------------------------------------------------------------ Federal State County Purpose of SSN Use (N=55) a (N=244) (N=197) Percent Percent Percent ------------------------------------------------------------------------ Internal administrative purposes 82 90 89 ------------------------------------------------------------------------ Sharing ------------------------------------------------------------------------ Verify applicants' eligibility; monitor 73 83 82 accuracy of information individuals provide ------------------------------------------------------------------------ Collect debts individuals owe agency/ 40 34 25 government ------------------------------------------------------------------------ Research and Evaluation ------------------------------------------------------------------------ Conduct internal research or program 53 44 26 evaluation ------------------------------------------------------------------------ Provide data to outside researchers 4 18 7 ------------------------------------------------------------------------ a Total number of possible respondents Source: GAO surveys of federal, state, and county departments and agencies. Table includes departments and agencies that administer programs and excludes courts, county clerks and recorders, and state licensing agencies. It excludes state departments of motor vehicles and tax administration. Many agencies also use SSNs to share information with other entities to bolster the integrity of the programs they administer. For example, the majority of agencies at all three levels of government reported sharing information containing SSNs for the purpose of verifying an applicant's eligibility for services or benefits. Agencies use applicants' SSNs to match the information they provide with information in other data bases, such as other federal benefit paying agencies, state unemployment agencies, the Internal Revenue Service, or employers. As unique identifiers, SSNs help ensure that the agency is matching information on the correct person. Also, some agencies at each level of government reported sharing data containing SSNs to collect debts owed them. Using SSNs for these purposes can save the government and taxpayers hundreds of millions of dollars, such as when SSA matched its data on Supplemental Security Income recipients with state and local correctional facilities to identify prisoners who were no longer eligible for benefits.12 Doing so helped identify more than $150 million in Supplemental Security Income overpayments and prevented improper payments of more than $170 million over an 8-month period. Finally, SSNs along with other program data, are sometimes used for statistical programs, research, and evaluation, in part because they provide government agencies and others with an effective mechanism for linking data on program participation with data from other sources.13 --------------------------------------------------------------------------- \12\ SSI provides cash assistance to needy individuals who are aged, blind, or disabled. \13\ In some cases, records containing SSNs are sometimes matched across multiple agency or program databases. The statistical and research communities refer to the process of matching records containing SSNs for statistical or research purposes as ``record linkage.'' See U.S. General Accounting Office, Record Linkage and Privacy: Issues in Creating New Federal Research and Statistical Information, GAO-01-126SP (Washington, D.C.: Apr. 2001). --------------------------------------------------------------------------- When government agencies that administer programs share records containing individuals' SSNs with other entities, they are most likely to share them with other government agencies.14 After that, the largest percentage of federal and state program agencies report sharing SSNs with contractors (54 and 39 percent respectively), and a relatively large percentage of county program agencies report sharing with contractors as well (28 percent). Agencies across all levels of government use contractors to help them fulfill their program responsibilities, such as determining eligibility for services and conducting data processing activities. In addition to sharing SSNs with contractors, government agencies also share SSNs with private businesses, such as credit bureaus and insurance companies, as well as debt collection agencies, researchers, and, to a lesser extent, with private investigators. --------------------------------------------------------------------------- \14\ On the federal level, data sharing often involves computerized record matching. The Computer Matching and Privacy Protection Act of 1988, which amended the Privacy Act, specifies procedural safeguards affecting agencies' use of Privacy Act records in performing certain types of computerized matching programs, including due process rights for individuals whose records are being matched. These due process rights were further clarified in the Computer Matching and Privacy Protection Amendments of 1990. --------------------------------------------------------------------------- In addition, all government personnel departments we surveyed reported using their employees' SSNs to fulfill at least some of their responsibilities as employers. Aside from requiring that employers report on their employees' wages to SSA, federal law also requires that states maintain employers' reports of newly hired employees identified by SSN. The national database is used by state child support agencies to locate parents who are delinquent in child support payments. In addition, employers responding to our survey said they use SSNs to help them maintain internal records and provide employee benefits. To provide these benefits, employers often share data on employees with other entities, such as health care providers or pension plan administrators. Many Government Entities Collect SSNs without Providing Required Information When a government agency requests an individual's SSN, the individual needs certain information to make an informed decision about whether to provide their SSN to the government agency or not. Accordingly, section 7 of the Privacy Act requires that any federal, state, or local government agency, when requesting an SSN from an individual, provide that individual with three key pieces of information.15 Government entities must --------------------------------------------------------------------------- \15\ Section 7 of the Privacy Act is not codified with the rest of the act, but rather is found in the note section to 5 U.S.C. 552a. 0 Ltell individuals whether disclosing their SSNs is mandatory or voluntary; Lcite the statutory or other authority under which the request is being made; and Lstate what uses government will make of the individual's SSN. This information, which helps the individual make an informed decision, is the first line of defense against improper use. Although nearly all government entities we surveyed collect and use SSNs for a variety of reasons, many of these entities reported they do not provide individuals the information required under section 7 of the Privacy Act when requesting their SSNs. Federal agencies were more likely to report that they provided the required information to individuals when requesting their SSNs than were states or local government agencies. Even so, federal agencies did not consistently provide this required information; 32 percent did not inform individuals of the statutory authority for requesting the SSN and 21 percent of federal agencies reported that they did not inform individuals of how their SSNs would be used. At the state level, about half of the respondents reported providing individuals with the required information, and at the county level, about 40 percent of the respondents reported doing so. LMany Agencies Using SSNs to Administer Programs Do Not Have Uniform Information Security Controls in Place When government agencies collect and use SSNs as an essential component of their operations, they need to take steps to mitigate the risk of individuals gaining unauthorized access to SSNs or making improper disclosure or use of SSNs. Over 90 percent of our survey respondents reported using both hard copy and electronic records containing SSNs when conducting their program activities. When using electronic media, many employ personal computers linked to computer networks to store and process the information they collect. This extensive use of SSNs, as well as the various ways in which SSNs are stored and accessed or shared, increase the risks to individuals' privacy and make it both important and challenging for agencies to take steps to safeguard these SSNs. No uniform guidelines specify what actions governments should take to safeguard personal information that includes SSNs. However, to gain a better understanding of whether agencies had measures in place to safeguard SSNs, we selected eight commonly used practices found in information security programs, and we surveyed the federal, state, and county programs and agencies on their use of these eight practices. Responses to our survey indicate that agencies that administer programs at all levels of government are taking some steps to safeguard SSNs; however, potential weaknesses exist at all levels. Many survey respondents reported adopting some of the practices; however, none of the eight practices were uniformly adopted at any level of government. In general, when compared to state and county government agencies, a higher percentage of federal agencies reported using most of the eight practices. However, despite the federal government's self-reported more frequent use of these practices relative to the state and counties, it is important to note that since 1996 we have consistently identified significant information security weaknesses across the federal government. We are not aware of a comparable comprehensive assessments of information security for either state or county government. (For additional information on the eight practices we selected and how they fit into the federal framework for an information security program, see appendix II.) Further, when SSNs are passed from a government agency to another entity, agencies need to take additional steps to continue protections for sensitive personal information that includes SSNs, such as imposing restrictions on the entities to help ensure that the SSNs are safeguarded.16 Responses to our survey indicate that, when sharing such sensitive information, most agencies reported requiring those receiving personal data to restrict access to and disclosure of records containing SSNs to authorized persons and to keep records in secured locations. However, fewer agencies reported having provisions in place to oversee or enforce compliance with these requirements. --------------------------------------------------------------------------- \16\ In some cases, where federal agencies administer programs that provide federal funds to states and counties, the federal agency has spelled out program-specific requirements for information security that state and county government agencies are expected to follow when they use federal funds to operate these programs. --------------------------------------------------------------------------- Government Agencies Display SSNs on Documents Not Intended for the Public In the course of delivering their services or benefits, many government agencies occasionally display SSNs on documents that may be viewed by others, some of whom may not have a need for this personal information. These documents include payroll checks, vouchers for tax credits for childcare, travel orders, and authorization for training outside of the agency. Also, some personnel departments reported displaying employees' SSNs on their employee badges (27 percent of federal respondents, 5 percent of state, and 9 percent of county). Notably, the Department of Defense (DOD), which has over 2.9 million military and civilian personnel, displays SSNs on its military and civilian identification cards. On the state level, the Department of Criminal Justice in one state, which has about 40,000 employees, displays SSNs on all employee identification cards. According to department officials, some of their employees have taken actions such as taping over their SSNs so that prison inmates and others cannot view this personal information. SSNs are also displayed on documents that are not employee-related. For example, some benefit programs display the SSN on the benefit checks and eligibility cards, and over one-third of federal respondents reported including the SSN on official letters mailed to participants. Further, some state institutions of higher education display students' SSNs on identification cards. Finally, SSNs are sometimes displayed on business permits that must be posted in public view at an individual's place of business. In addition to these examples of SSN display, we also identified a number of instances where the Congress or governmental entities have taken or are considering action to reduce the presence of SSNs on documents that may be viewed by others. For example, the DOD commissary stopped requiring SSNs on checks written by members because of concerns about improper use of the SSNs and identity theft.17 Also, a state comptroller's office changed its procedures so that it now offers vendors the option of not displaying SSNs on their business permits. Finally, some states have passed laws prohibiting the use of SSNs as a student identification number. --------------------------------------------------------------------------- \17\ As of March 2002, the Navy Commissary still requires SSNs on checks. Officials told us they hope to implement a system similar to the DOD Commissary by the end of 2002. --------------------------------------------------------------------------- These efforts to reduce display suggest a growing awareness that SSNs are private information, and the risk to the individual of placing an SSN on a document that others can see may be greater than the benefit to the agency of using the SSN in this manner. However, despite this growing awareness and the actions cited above, many government agencies continue to display SSNs on a variety of documents that can be seen by others. LOpen Nature of Certain Government Records Results in Wide Access to SSNs but Alternatives Exist Regarding public records, many of the state and county agencies responding to our survey reported maintaining records that contain SSNs; however federal program agencies maintain public records less frequently. At the state and county levels, certain offices, such as state licensing agencies and county recorders' offices, have traditionally been repositories for public records that may contain SSNs. In addition, courts at all three levels of government maintain public records that may contain SSNs. Officials who maintain these records told us their responsibility is to preserve the integrity of the record rather than protect the privacy of the individual SSN holder. However, we found examples of some government entities that are trying innovative approaches to protect the SSNs in such records from public display. Moreover, the general public has traditionally gained access to public records by visiting the office that maintains the records, an inconvenience that represents a practical limitation on the volume of SSNs any one person can collect. However, the growth of electronic record-keeping places new pressures on agencies to provide their data to the pubic on the Internet. Although few entities report currently making public records containing SSNs available on the Internet, several officials told us they are considering expanding the volume and type of such records available on their Web site. This would create new opportunities for gathering SSNs on a broader scale. Again, some entities are considering alternatives to making SSNs available on such a wide scale, while others are not. Many State and County Public Records Contain SSNs As shown in table 2, more than two-thirds of the courts, county recorders, and state licensing agencies that reported maintaining public records reported that these records contained SSNs.18 In addition, some program agencies also reported maintaining public records that contain SSNs. --------------------------------------------------------------------------- \18\ Of the respondents to our survey, 20 county recorders and courts and 5 state courts reported that they do not obtain, receive, or use the SSN of program participants, service recipients, or individual members of the public. We did not verify this information. Table 2: Of Courts, County Recorders, and State Licensing Agencies, and of Program Agencies That Maintain Public Records, Percentage That Maintain Public Records That Contain SSNs ---------------------------------------------------------------------------------------------------------------- Federal State County ----------------------------------------------------------- Frequency Percent Frequency Percent Frequency Percent ---------------------------------------------------------------------------------------------------------------- Courts, recorders, and licensing agencies that 3/3 100 21/31 68 73/95 77 maintain public records with SSNs ---------------------------------------------------------------------------------------------------------------- Program agencies that maintain public records with 4/22 23 54/189 29 46/140 33 SSNs ---------------------------------------------------------------------------------------------------------------- Source: Data from GAO survey of federal, state, and county departments and agencies. It excludes state departments of motor vehicles and tax administration. County clerks or recorders (hereinafter referred to as recorders) and certain state agencies often maintain records that contain SSNs because these offices have traditionally been the repository for key information that, among other things, chronicles various life events and other activities of individuals as they interact with government.19 SSNs appear in these public records for a number of reasons. They may already be a part of a document that is submitted to a recorder for official preservation. For example, military veterans are encouraged to file their discharge papers, which contain SSNs, with their local recorder's office to establish a readily available record of their military service.20 Also, documents that record financial transactions, such as tax liens and property settlements, contain SSNs to help identify the correct individual. In other cases, government officials are required by law to collect SSNs. For example, to aid in locating non-custodial parents who are delinquent in their child support payments, the federal Personal Responsibility and Work Opportunity Reconciliation Act of 1996 requires that states have laws in effect to collect SSNs on applications for marriage, professional, and occupational licenses. Moreover, some state laws allow government entities to collect SSNs on voter registries to help avoid duplicate registrations. Although the law requires public entities to collect the SSN as part of these activities, this does not necessarily mean that the SSNs always must be placed on the document that becomes part of the public record. --------------------------------------------------------------------------- \19\ It differs from state-to-state as to whether certain records, such as marriage licenses and birth certificates, are maintained in county or state offices. Certain documents, however, such as land and title transfers, are almost always maintained at the local, or county, level. \20\ Veterans are advised that these are important documents which can be registered/recorded in most states or localities for a nominal fee making retrieval easy. In October 2001, DOD added a cautionary statement that recording these documents could subject them to public access in some states or localities. --------------------------------------------------------------------------- Courts at all three levels of government also collect and maintain records that are routinely made available to the public. Court records overall are presumed to be public; however, each court may have its own rules or practices governing the release of information.21 As with recorders, SSNs appear in court documents for a variety of reasons. In many cases, SSNs are already a part of documents that are submitted by attorneys or individuals. These documents could be submitted as part of the evidence for a proceeding or could be included in documents, such as a petition for an action, a judgment or a divorce decree. In other cases, courts include SSNs on documents they and other government officials create, such as criminal summonses, arrest warrants, and judgments, to increase the likelihood that the correct individual is affected (i.e. to avoid arresting the wrong John Smith). In some cases federal law requires that SSNs be placed in certain records that courts maintain, such as records pertaining to child support orders, divorce decrees, and paternity determinations. Again, this assists child support enforcement agencies in efforts to help parents collect money that is owed to them. These documents may also be maintained at county clerk or recorders' offices. --------------------------------------------------------------------------- \21\ In some states, for example, adoption records, grand jury records, and juvenile court records are not part of the public record. In addition, some court documents pertinent to the cases may or may not be in the public record, depending on local court practice. Finally, the judge can choose to explicitly seal a record to protect the information it contains from public review. --------------------------------------------------------------------------- When federal, state, or county entities, including courts, maintain public records, they are generally prohibited from altering the formal documents. Officials told us that their primary and mandated interest is in preserving the integrity of the record rather than protecting the privacy of the individual named in the record. Officials told us they believe they have no choice but to accept the documents with the SSNs and fulfill the responsibility of their office by making them available to the general public. Alternatives to Displaying SSNs in Public Records Exist When creating public documents or records, such as marriage licenses, some government agencies are trying new innovative approaches that protect SSNs from public display. For example, some have developed alternative types of forms to keep SSNs and other personal information separate from the portion of a document that is accessible to the general public.22 Changing how the information is captured on the form itself can help solve the dilemma of many county recorders who, because they are the official record keepers of the county, are usually not allowed to alter an original document after it is officially filed in their office. For example, a county recorder told us that Virginia recently changed its marriage license application so that the form is now in triplicate, and the copy that is available to the general public does not contain the SSN. However, an official told us even this seemingly simple change in the format of a document can be challenging because, in some cases, the forms used for certain transactions are prescribed by the state. In addition to these efforts at recorders offices, some courts have made efforts to protect SSNs in documents that the general public can access through court clerk offices. For example, one state court offers the option of filing a separate form containing the SSN that is kept separate from the part of the record that is available for public inspection. --------------------------------------------------------------------------- \22\ In some cases, however, the law requires that the SSN appear on the document itself, as on death certificates. --------------------------------------------------------------------------- These solutions, however, are most effective when the recorder's office, state agencies, and courts prepare the documents themselves. In those many instances where others file the documents, such as individuals, attorneys, or financial institutions, the receiving agency has less control over what is contained in the document and, in many cases, must accept it as submitted. Officials told us that, in these cases, educating the individuals who submit the documents for the record may help to reduce the appearance of SSNs. This would include individuals, financial institutions, title companies, and attorneys, who could begin by considering whether SSNs are required on the documents they submit. It may be possible to limit the display of SSNs on some of these documents or, where SSNs are deemed necessary to help identify the subject of the documents, it may be possible to truncate the SSN to the last four digits. While the above options are available for public records created after an office institutes changes, fewer options exist to limit the availability of SSNs in records that have already been officially filed or created. One option is redacting or removing SSNs from documents before they are made available to the general public. In our fieldwork, we found instances where departments redact SSNs from copies of documents that are made available to the general public, but these tended to be situations where the volume of records and number of requests were minimal, such as in a small county. Most other officials told us redaction was not a practical alternative for public records their offices maintain. Although redaction would reduce the likelihood of SSNs being released to the general public, we were told it is time- consuming, labor intensive, difficult, and in some cases would require change in law. In documents filed by others outside of the office, SSNs do not appear in a uniform place and could appear many times throughout a document. In these cases, it is a particularly lengthy and labor- intensive process to find and redact SSNs. Moreover, redaction would be less effective in those offices where members of the general public can inspect and copy large numbers of documents without supervision from office staff. In these situations, officials told us that they could change their procedures for documents that they collect in the future, but it would be extremely difficult and expensive to redact SSNs on documents that have already been collected and filed. LTraditional Access to Public Records Has Practical Limitations That Would Not Exist if the Records Were Placed on the Internet Traditionally, the public has been able to gain access to SSNs contained in public records by visiting the recorder's office, state office, or court house; however, the requirement to visit a physical location and request or search for information on a case-by-case basis offers some measure of protection against the widespread collection and use of others' SSNs from public records.23 Yet, this limited access to information in public records is not always the case. We found examples where members of the public can obtain easy access to larger volumes of documents containing SSNs. Some offices that maintain public records offer computer terminals on site where individuals can look up electronic files from a site-specific database. In one of the offices we visited, documents containing SSNs that were otherwise accessible to the public were also made available in bulk to certain groups. When asked about sharing information containing SSNs with other entities, a higher percentage of county recorders reported sharing information containing SSNs with marketing companies, collection agencies, credit bureaus, private investigators, and outside researchers. --------------------------------------------------------------------------- \23\ Some jurisdictions also permit citizens to request public records through the mail. --------------------------------------------------------------------------- Finally, few agencies reported that they place records containing SSNs on their Internet sites; however, this practice may be growing. Of those agencies that reported having public records containing SSNs, only 3 percent of the state respondents and 9 percent of the county respondents reported that the public can access these documents on their Web site. In some cases, such as the federal courts, documents containing SSNs are available on the Internet only to paid subscribers. However, increasing numbers of departments are moving toward placing more information on the Internet. We spoke with several officials that described their goals for having records available electronically within the next few years. Providing this easy access of records potentially could increase the opportunity to obtain records that contain SSNs that otherwise would not have been obtained by visiting the government agency. While planning to place more information on the Internet, some courts and government agencies are examining their policies to decide whether SSNs should be made available on documents on their Web sites. In our fieldwork, we heard many discussions of this issue, which is particularly problematic for courts and recorders, who have a responsibility to make large volumes of documents accessible to the general public. On the one hand, officials told us placing their records on the Internet would simply facilitate the general public's ability to access the information. On the other hand, officials expressed concern that placing documents on the Internet would remove the natural deterrent of having to travel to the courthouse or recorder's office to obtain personal information on individuals. Again, we found examples where government entities are searching for ways to strike a balance. For example, the Judicial Conference of the United States recently released a statement on electronic case file availability and Internet use in federal courts. They recommended that documents in civil cases and bankruptcy cases should be made available electronically, but SSNs contained in the documents should be truncated to the last four digits. Also, we spoke to one county recorder's office that had recently put many of its documents on their Web site, but had decided not to include categories of documents that were known to contain SSNs. In addition, some states are taking action to limit the display of SSNs on the Internet. Given the likely growth of public information on the Internet, the time is right for some kind of forethought about the inherent risk posed by making SSNs and other personal information available through this venue. Concluding Observations SSNs are widely used in all levels of government and play a central role in how government entities conduct their business. As unique identifiers, SSNs are used to help make record-keeping more efficient and are most useful when government entities share information about individuals with others outside their organization. The various benefits from sharing data help ensure that government agencies fulfill their mission and meet their obligation to the taxpayer by, for example, making sure that the programs serve only those eligible for services. However, the gaps in safeguarding SSNs that we have identified create the potential for SSN misuse. Although the extent to which the government's broad use of SSNs contributes to identity theft is not clear, measures to encourage governments to better secure and reduce the display of SSNs could at least help minimize the risk of SSN misuse. It is important to focus on ways to accomplish this. We will be reporting in more detail on these issues at the end of this month and look forward to exploring additional options to better protect SSNs with you as we complete our work. Contacts and Acknowledgments For further information regarding this testimony, please contact Barbara D. Bovbjerg, Director, or Kay E. Brown, Assistant Director, Education, Workforce, and Income Security at (202) 512-7215. Individuals making key contributions to this testimony include Lindsay Bach, Jeff Bernstein, Richard Burkard, Jacqueline Harpp, Daniel Hoy, Raun Lazier, Vernette Shaw, Jacquelyn Stewart, and Anne Welch. ------ Appendix I: Examples of Federal Statutes That Authorize or Mandate the Collection and Use of Social Security Numbers ------------------------------------------------------------------------ Government General purpose entity and Federal statute for collecting or authorized or using SSN required use ------------------------------------------------------------------------ Tax Reform Act of 1976 General public Authorizes assistance states to 42 U.S.C. 405(c)(2)(c)(i) programs, tax collect and use administration, SSNs in driver's administering license, motor any tax, vehicle general public registration assistance, driver's license, or motor vehicle registration law ------------------------------------------------------------------------ Food Stamp Act of 1977 Food Stamp Mandates the Program secretary of 7 U.S.C. 2025(e)(1) agriculture and state agencies to require SSNs for program participation ------------------------------------------------------------------------ Deficit Reduction Act of 1984 Eligibility Requires that, benefits under as a condition 42 U.S.C. 1320b-7(1) the Medicaid of eligibility program for Medicaid benefits, applicants for and recipients of these benefits furnish their SSNs to the state administering program ------------------------------------------------------------------------ Housing and Community Eligibility for Authorizes the Development Act of 1987 HUD programs secretary of the Department 42 U.S.C. 3543(a) of Housing and Urban Development to require applicants and participants in HUD programs to submit their SSNs as a condition of eligibility ------------------------------------------------------------------------ Family Support Act of 1988 Issuance of birth Requires states certificates to obtain 42 U.S.C. 405(c)(2)(C)(ii) parents' SSNs before issuing a birth certificate unless there is good cause for not requiring the number ------------------------------------------------------------------------ Technical and Miscellaneous Revenue Blood donation Authorizes Act of 1988 states and political 42 U.S.C. 405(c)(2)(D)(i) subdivisions to require that blood donors provide their SSNs ------------------------------------------------------------------------ Food, Agriculture, Conservation, Retail and Authorizes the and Trade Act of 1990 wholesale secretary of businesses agriculture to 42 U.S.C. 405(c)(2)(C) participation in require the food stamp SSNs of program officers or owners of retail and wholesale food concerns that accept and redeem food stamps ------------------------------------------------------------------------ Omnibus Budget Reconciliation Act Eligibility for Requires of 1990 Veterans Affairs individuals to compensation or provide their 38 U.S.C. 510(c) pension benefits SSNs to be programs eligible for Department of Veterans Affairs' compensation or pension benefits programs ------------------------------------------------------------------------ Social Security Independence and Eligibility of Authorizes Program Improvements Act of 1994 potential jurors states and political 42 U.S.C. 405(c)(2)(E) subdivisions of states to use SSNs to determine eligibility of potential jurors ------------------------------------------------------------------------ Personal Responsibility and Work Various license Mandates that Opportunity Reconciliation Act of applications; states have 1996 divorce and laws in effect child support that require 42 U.S.C. 666(a)(13) documents; death collection of certificates SSNs on applications for driver's licenses and other licenses; requires placement in the pertinent records of the SSN of the person subject to a divorce decree, child support order, paternity determination; requires SSNs on death certificates; creates national database for child support enforcement purposes ------------------------------------------------------------------------ Debt Collection Improvement Act of Persons doing Requires those 1996 business with a doing business federal agency with a federal 31 U.S.C. 7701(c) agency, i.e., lenders in a federal guaranteed loan program; applicants for federal licenses, permits, right- of-ways, grants, or benefit payments; contractors of an agency and others to furnish SSNs to the agency ------------------------------------------------------------------------ Higher Education Act Amendments of Financial Authorizes the 1998 assistance secretary of education to 20 U.S.C. 1090(a)(7) include the SSNs of parents of dependent students on certain financial assistance forms ------------------------------------------------------------------------ Internal Revenue Code Tax returns Authorizes the commissioner of (various amendments) the Internal 26 U.S.C. 6109 Revenue Service to require that taxpayers include their SSNs on tax returns ------------------------------------------------------------------------ Source: GAO review of applicable federal laws ______ Appendix II: Our Eight Practices and How They Fit Into the Federal Framework for an Information Security Program Certain federal laws lay out a framework for federal agencies to follow when establishing information security programs to protect sensitive personal information, such as SSNs.24 The federal framework is consistent with strategies used by private and public organizations that we previously reported have strong information security programs.25 This framework includes four principles that are important to an overall information security program. These are to periodically assess risk, implement policies and controls to mitigate risks, promote awareness of risks for information security, and to continually monitor and evaluate information security practices. To gain a better understanding of whether agencies had in place measures to safeguard SSNs that are consistent with the federal framework, we selected eight commonly used practices found in information security programs--two for each principle. Use of these eight practices could give an indication that an agency has an information security program that follows the federal framework.26 We surveyed the federal, state, and county programs and agencies on their use of these eight practices: --------------------------------------------------------------------------- \24\ See federal Government Information Security Reform provisions of the fiscal year 2001 Defense Authorization Act, the federal Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Clinger- Cohen Act of 1996, and Office of Management and Budget guidance. \25\ U.S. General Accounting Office, Executive Guide: Information Security Management, Learning From Leading Organizations, GAO/AIMD-98-8 (Washington, D.C.: May 1998) reported on strategies used by private and public organizations--a financial services corporation, a regional utility, a state university, a retailer, a state agency, a nonbank financial institution, a computer vendor, and an equipment manufacturer--that were recognized as having strong information security programs. The information security strategies discussed in the report were only a part of the organizations' broader information management strategies. \26\ States may also require any number of the eight practices, but the requirements would vary from state to state. --------------------------------------------------------------------------- Periodically assess risk LConduct risk assessments for computer systems that contain SSNs LDevelop written security plan for computer systems that contain SSNs Implement policies and controls to mitigate risks LDevelop written policies for handling records with SSNs LControl access to computerized records that contain SSNs, such as assigning different levels of access and using methods to identify employees (e.g., use ID cards, PINS, or passwords) Promote awareness of risks for information security LProvide employees training or written materials on responsibilities for safeguarding records LTake disciplinary actions against employees for noncompliance with policies, such as placing employees on probation, terminating employment, or referring to law enforcement Continually monitor and evaluate information security practices LMonitor employees' access to computerized records with SSNs, such as tracking browsing and unusual transactions LHave computer systems independently audited Chairman SHAW. Thank you. Ms. Brown? Ms. BROWN. I am here to answer---- Chairman SHAW. You are with Barbara Bovbjerg. Ms. BROWN. Yes. Ms. BOVBJERG. I brought reinforcements today. Chairman SHAW. Good for you. We are delighted to have in you in Florida. Ms. BOVBJERG. Thank you for inviting me. Chairman SHAW. Lisa, you told a very compelling story with regard to your 3-year struggle. Has the defendant been adjudicated guilty or what has happened to the case? Ms. TROPEPE. She received 4 months of in-house arrest, probation time, and community service. Chairman SHAW. How about restitution? Ms. TROPEPE. She surrendered the $10,000 cashier's checks that she got from my bank account, and the balance of the moneys were never--there was no restitution, none that I am aware of. Mr. MORELL. I can give you a little bit of a backup on this, and we can-- Chairman SHAW. Excuse me, for the record, this is Mr. Tim Morell. Mr. MORELL. Tim Morell, right. I am also the current co- Vice Chairman of the Computer Law Committee of the Florida bar, and we have been actively supporting and helping to get publicity for your bill, as you know from a year or two ago when I was in Del Ray helping out and trying to find out some information on this. We were unable to get much of the prosecution at the State court level. It turned out that the only thing we could do was go to U.S. Attorney's Office. We were told that the amount of money involved, unless it was more than $100,000, wasn't going to get anybody's interest, so we ended up going to the media. We went to Channel 12, and we went to the Palm Beach Post. Once that was exposed, then the U.S. Attorney's Office took the case, and I have a copy of a Palm Beach Post summary that we can put into the record of what actually ended up happening. And I will read it if you would like to have that into the record. Chairman SHAW. Without objection, I will place the entire Palm Beach Post article that you are holding into the record. [The article follows:] Palm Beach Post West Palm Beach, Florida WEST PALM BEACH--A temporary worker who stole the identity of a woman in her office, took $13,000 from her bank account and ran up $5,000 in credit card charges in her name was sentenced Friday to 4 years' probation and 150 hours of community service. Terkesha Lane 21, of Riviera Beach, faced up to 3 years in prison, a $25,000 fine and restitution. U.S. District Court Judge Daniel T.K. Hurley took note of Lane's age, her clean record and that she has a 2-year-old child. She also helped authorities track down a $10,000 cashier's check. ``I think you earned this by everything else you have done in your life,'' the judge said. Lane who will be on home detention for the first 4 months of the probation and pay $100, apologized for the elaborate scheme in which she managed to obtain a driver's license in the name of Lisa Tropepe, withdrew money from Tropepe's bank account and ran up credit card charges in Tropepe's name. The bank reimbursed Tropepe and she restored her credit after hiring a lawyer. Mr. MORELL. She was given, in summary, just 4 years probation and 150 hours of community service. There were some other monetary amounts here that we don't think will ever be collectable, but we will put this into evidence. Chairman SHAW. Thank you. Mr. Ross, we will make available to you and Ms. Tropepe a transcript of this particular hearing that you can go in and show your creditors. Mr. ROSS. Thank you. Chairman SHAW. That you have appeared before a congressional Committee who is studying the tragedy of identity theft. Mark? Mr. FOLEY. Well, I think this illuminates the problem. In addition to having to go through hours, now we have got a lawyer and an engineer, both professionals who have both competence and ability to probably pursue this. Think about a poor person who is just struggling? Ms. TROPEPE. That is right. Mr. FOLEY. And this is outrageous. And 4 years probation to steal how much, $40,000? Ms. TROPEPE. Over $20,000. Mr. FOLEY. Plus, plus. Ms. TROPEPE. Plus, plus. Mr. FOLEY. I mean with credit damage and all. Ms. TROPEPE. That is not including the cost to the firm, myself, the cost to hire Tim Morell to clear my name. It is not including all that. Chairman SHAW. But the bank they made good on your account, didn't they? Ms. TROPEPE. The bank made good on the account, and the credit cards that she received or the instant credit that she received, the credit companies, they paid for that as well. So there was no out-of-pocket money, but all the other--the attorney and the time and the grief that it has caused my office. I was in the process of becoming a partner, and checking my billable time was slowly declining every day, and I just wasn't functioning right. And then we finally hired an attorney that helped alleviate that, but I can tell you that there isn't a day that doesn't go by that I don't think about the fact that there is somebody around that is right up the street from me that can do it again. And if she doesn't do it, she has the information still to this day to give it to somebody else. It just doesn't seem to me--the punishment, without a doubt, does not fit the crime. Mr. FOLEY. That is where I see we have two problems. We have, one, punishment, because if you can get away with the kind of larceny that has occurred with that minimal sentence, it encourages people to go ahead and try. Secondly, if you can't protect the Social Security Numbers, it is a catch-22. Ms. TROPEPE. Right. Mr. FOLEY. So you are around and around in circles on this issue. Mr. MORELL. This file represents a lot of effort here to try to keep Lisa's credit in decent shape. She continues to have--a lot of the times we try to keep this so that it doesn't bother her, but as recently as 6 months ago her identity was compromised in, what was it, Ireland or somewhere in the British Isles. Somebody had compromised her identity mostly because once it happens once and you are out there, then there is almost like the reasonable doubt, it would be hard to prove who the criminal was after that. And so they go for you. And that was one of the reasons why we were very nervous about even coming here today. The thing keeps coming back, and the nature of computers is such that once the record is out there somebody inadvertently enters it again or it comes back up in 6 months, and it is all right back like it never left. And it has been a constant struggle to try to keep after those credit bureaus, to keep telling them Lisa is not the perpetrator. Mr. FOLEY. The other problem is the credit reporting. When you go now to a store you--and I probably can't take advantage of these instant credit opportunities---- Ms. TROPEPE. Never again. Mr. FOLEY. Because we will always be---- Ms. TROPEPE. Right. Mr. FOLEY. On somebody's list that they have to flag, that they have to check, that they have to make sure you are who you are for our safeguard, but nonetheless it inconveniences us. Ms. TROPEPE. Right. Well, there is a fraud alert on my name, so I will never be able to get instant credit again. I will have to go through the longer process in order to obtain a credit card for the rest of my life. And this all started with her getting my Social Security Number on the Internet. Chairman SHAW. Did she get it out of the payroll records of the company or---- Ms. TROPEPE. No. She told me that her cousin in Miami helped her get it off the computer. Chairman SHAW. Oh, you talked to her about it since she was charged. Ms. TROPEPE. Well, I am the one who solved the crime. I went to my ATM machine and sometimes you can't tell when a couple dollars are missing, okay? But it was $13,000 subtracted out of my account, which alerted me that night. So the very next day I called up First Union and said, ``What is happening to my account?'' Meanwhile, I am getting every day credit card bills in the mail on a daily basis that I knew nothing about. They told me that I withdrew a $10,000 cashier's check 2 days prior at the Okeechobee Boulevard branch in West Palm Beach, and I said I have never been to the Okeechobee Boulevard branch in West Palm Beach. I drove over there and they replayed the tapes from the bank, and I identified her on those bank tapes. If she had not gone to the bank and started withdrawing cash from my account, I would have never found out who the perpetrator was. And then after that she said to me that she also did--you know, you kind of figure that, okay, since she has taken money out of my account she is probably doing the credit cards too. And I asked her and she said, ``Yes, I did that too.'' ``And how did you do it?'' ``I got your Social Security Number from my cousin in Miami who looked it up on the Internet.'' Chairman SHAW. What site? Ms. TROPEPE. So that is how it started. And then once she had that, she had my home address because she was our receptionist. She took those two pieces of information to DMV, the Division of Motor Vehicles, received a driver's license with my name, address, and information and her picture. Mr. MORELL. That is what I wanted to follow up with. By having the Social Security Number, she was able to get a duplicate driver's license, although our system in Florida has a picture ID. They could have clearly seen the woman who impersonated her looks nothing like Lisa, nothing at all physically. But they had her picture there, but it didn't matter what the picture was. Because the woman had Lisa's Social Security, they gave this woman a driver's license and that became the key to everything. Ms. TROPEPE. And the Division of Motor Vehicles did have my picture on file because, as you both probably know, I was a Broward County resident until about 4 years ago. I went to the Division of Motor Vehicles, got a new driver's license, so my picture was on file in Palm Beach County. They just never bothered to look at my picture when they gave her the duplicate driver's license. Mr. FOLEY. Anthony, why don't you tell us about some of the late night calls during these periods after your credit has been run up. Mr. ROSS. Late night calls? Mr. FOLEY. Collection agencies, people. I mean this is the other side of it you don't realize. Mr. ROSS. Well, as a Federal Law Enforcement Officer and I teach at the Federal Law Enforcement Training Center in Brunswick, Georgia, and we are on a 6-day work week right now. And that and family obligations and just trying to live on that extra day I get off and deal with these has just been a nightmare. And what happens is you receive--if you send in the proper paperwork to try to get this cleared with a creditor, they have a certain number of days that they are looking to have you respond in. And that is not always necessarily possible, especially traveling and other things that do occur within the job. So then you get another letter saying, ``Well, it appears since you have not sent the paperwork in that you no longer want to pursue this and that you are the person that has made these charges, and now this bill is yours, basically.'' Now you have to go back and call, ``I do want to pursue this. I am just not able to do it in your time requirements, and now we are starting all over again.'' Or I have had instances where they have closed it out and I will say, ``I haven't received anything more on this.'' ``Well, we didn't get that back in time.'' Or I have had situations where you may have certain stores that use one banking institution or credit company that supplies credit for all of them. Now you have three different--in this case, I have three different fraudulent accounts, but it was backed by one creditor. Rather than them combining that as one fraudulent account, I had to submit documents individually for each one, and then they assigned them to three different fraud investigators within this one company. So instead of dealing with it one time, I had to deal with it multiple times. One of the other problems that I came into, and this is a situation within the prison system is that the actual main person involved in this case that was orchestrating the fraud was already in custody, and he was using other family members and giving them the information on how to proceed along the fraud. Mr. FOLEY. So he is inside working outside. Mr. ROSS. Right. Chairman SHAW. Absolutely amazing. I will share with you a story that we had in Washington. One of the Members of the Committee on Way and Means, Sam Johnson, who was a prisoner of war for, I think, 7 or 8 years at the Hanoi Hilton in Vietnam, and I had to tell him that--I said, ``Your serial number and rank and those things that you give as a prisoner of war, your serial number is your Social Security Number, and we are trying to get away from that.'' I said, ``All those people that were looking over you in prison have your Social Security Number.'' But I think our military is backing away from that too, and we have got to be terribly careful. And then we had a colonel who testified before us, and he was cashing a check at the PX, and he had to put his ID number on it and that was his Social Security Number, and that is where they picked his up. But you, you were quite correct to say that if you know how to find it, you can find it on a computer and people are--there is trafficking in these numbers. And that is what we have got to--that is what we have really got to stop. It is not all together when you think that the logic of this thing is to get rid of it, but there is a number of organizations that are not in favor of this type of legislation, who deal in identities, whether they be private detectives or whatever, but the type of legislation that we are trying to develop is one that preserves the legitimate government use of the Social Security Number. It was never meant to be a national ID number, but it has sort of risen to that, and it is done without adequate protection. And this is what you people have run into. And I am quite impressed with what the State of Florida has done in this regard. We are trying to move this legislation through several Committees. We moved it through the Committee on Ways and Means in the last Congress but it got stuck in a couple of other Committees with jurisdiction. We are trying to go back and maybe just work the bill so it is the jurisdiction of the Committee on Ways and Means so we can go ahead and pass it and then if they want to go forward with another bill, that they can do that or they can get moving and get the thing done on--get it done on their own Committee because this is terribly important that people like you go through this just because we, the people who issue the numbers, haven't put the proper safeguards in place in order to protect you from identity theft, when you have no choice but to go with a Social Security Number. Also, as you did with the driver's license, we need to also put some type of a code as to someone's nationality. You come here as a citizen of another country, even if you don't have a work permit, if you have a bank account or if you are a student here on a student visa, you have to have a Social Security Number before you even open a bank account. Well, we need to put some identifier on that so that the Social Security Number that is given out will indicate that this person is not a citizen and this person is here on a certain kind of visa. And you can do it simply by just adding a letter from the alphabet on that, and that is another matter that we are looking into. Anything further, Mark? Mr. FOLEY. I just wanted to thank Ms. Dykas for many things, obviously being here today and for your help on Good Sams St. Mary's for leading that effort and as well as Manora Gardens. What is the State doing that you find successful as a mode for other States, and what do you think the Federal government should do to help with this effort of identity theft? Mr. DYKAS. I think that the State being on the forefront, unfortunately, of having probably one of the highest rates of identity theft and certainly post-September 11 issues empanelled a grand jury, as I indicated, that that grand jury was in place for well over 6 months and was able to take testimony similar to the panel today and get very real life experiences as well as talk with experts in terms of crafting some type of resolution. And the grand jury report that came out on January 10, if you split it in two categories, dealt largely with recommendations to Florida Department of Highway Safety and Motor Vehicle in terms of the driver's licenses, certainly being a port State that we have a large influx of people from other countries, and dealing with those issues that may be more unique to a Florida, California, Texas. It is an issue that I think everybody recognizes is a problem. But if you identify what issues you can deal with, those issues that how do we help the victims after it has occurred, and I think the focus now with regard to the legislation is how do we prevent it from happening? And I think it is particularly tricky with all of the clerk's offices, for instance. Many of the lawyers that deal with them are all going to electronic filing, electronic posting, me being a State of Florida employee, all of my information is public record, including my Social Security Number. So they are working on getting those issues exempted out as well. Mr. FOLEY. Thank you. Chairman SHAW. You just said something that rings an alarm in my head that what can we do, the Federal government, after you have been victimized to see that you don't go through this. The issuing new Social Security Numbers really isn't the answer, because that goes back and then some will have trouble with all the earnings that they have had. But that is something that we need to take up with the Social Security Administration--what do you do once someone has been victimized? Because, Lisa, you are quite right, you are more vulnerable because you have been already violated, and it is important, I think, that we look into this and see what can be done. Ms. Bovbjerg just made a note, so that must mean I said something that she is going to look into, I hope. Mr. DYKAS. Well, I will give you one. Having been in the Economic Crime Section here, it is very tough sometimes to get a second Social Security Number, because frequently that is what credit repair scams do. They suggest that you get a new Social Security Number if you were actually the one who truly did have a bad credit as a way to avoid any type of proper credit reporting. So you bump up against issues all along the way. And one last comment I would suggest to this panel as well is we have heard individual stories but part of what was submitted from our office was also the cost to businesses, banking entities as well. Two items briefly: Visa, in 1997, had a total of $490 million in losses; Master Card, in 1997, had $407 million in losses. So it affects everyone. Chairman SHAW. That was from identity theft? Mr. DYKAS. Yes. Chairman SHAW. Wow. Mr. DYKAS. Yes. Chairman SHAW. They are getting half a billion dollars. Thank you all. Thank this panel very much, and we very much appreciate you taking the time to come down here and share your experience with us. Lee Cohen, the Assistant State Attorney in Charge, Misdemeanor Trial Unit, State Attorney's Office, 17th Judicial Circuit of Florida, Broward County, Florida. We have---- Ms. GUIALDO. Anthanagtha Guialdo. Chairman SHAW. Thank you. Say it again for me, please. Ms. GUIALDO. Anthanagtha Guialdo. Chairman SHAW. Anthanagtha. Ms. GUIALDO. Guialdo. Chairman SHAW. Guialdo. Legal Assistant in Charge of Identity Theft Unit, the State Attorney's Office, also with the 17th Judicial District of Florida from Broward County; the Honorable Ed Bieluch, who is Sheriff with Palm Beach County, West Palm Beach, Florida; and Paul Rispoli, who is the Sergeant of Palm Beach County Sheriff's Office in West Palm Beach; and Roland Maye, Special Agent-in-Charge, Atlanta Field Division, the Office of Inspector General, the Social Security Administration in Atlanta, Georgia. I want to thank all of you for being here. We have your written testimony. It has been submitted, it will be made a part of the record, and you may proceed as you see fit. Mr. Cohen. STATEMENT OF LEE COHEN, ASSISTANT STATE ATTORNEY IN CHARGE, MISDEMEANOR DIVISION, STATE ATTORNEY'S OFFICE, 17TH JUDICIAL CIRCUIT OF FLORIDA, BROWARD COUNTY, FLORIDA Mr. Cohen. Good afternoon, Mr. Chairman, Congressman Foley. On behalf of Michael J. Satz, State Attorney, Broward County, I would like to thank you for inviting us to be here. I am the Assistant State Attorney in Charge of the Misdemeanor Division, and I have the pleasure of also supervising Ms. Guialdo, who is our Identity Theft Unit Legal Aide there in that unit. I would like to bring a little bit different perspective to your proceedings, because I am sure you have been inundated with stories, as we have heard today, about financial losses, economic fraud, identity theft, credit card scams and the like. In our unit, we handle things--we have a little bit different twist on what happens with identity theft involving Social Security Numbers. Just a little background. Before I came to my current position, which I have had for about 5 years, I was a Prosecutor in our Elder Abuse and Exploitation Unit. And there I was charged with dealing with crimes against the elderly and the senior citizens of Broward County involving fraud and exploitation. Most of the cases I dealt with were care giver type of relationships, between care givers and the seniors they were supposed to be caring for. It was very common at that time for me to have cases where credit card applications were redirected or intercepted by the care givers. And I think that puts them in a key position for this type of identity theft above and beyond your normal relationship or normal mail situation. Most people do get their mail. The seniors that are being cared for by the care givers are having their mail intercepted. So I was having cases where the care giver would get the application, fill out the application, get the credit cards or add their names to other people's credit cards, and continue on this type of fraud on and on for a very long period of time without detection because the senior citizen was not getting their mail. It wasn't until years later sometimes where family Members got involved where this was detected. So I would like you to consider in your deliberations the effect that the elderly have because of their having to rely on others for their mail which is their main line of communication. One of the recommendations I had at various hearings and meetings with different participants from the security agencies of the financial institutions was to advocate and strengthen the fraud alerts on the accounts as well as putting certain restrictions on the accounts where you can call the bank and say, ``I do not want anybody adding their name to my account. I do not want any changes to the account without a personal contact to me over the telephone with certain information provided.'' I think that would be helpful, and I always advocate that the victims I dealt with were citizens that I spoke to to do such a thing. And I think also any--obviously, I know that restricting the mailing out of applications and offers is a controversial issue, but I think that whatever can be done I that would be helpful. The Identity Theft Unit that we have in the County Court Division is a very unique but, believe it or not, longstanding division that Mr. Satz has had since approximately 1978. There we have a unit that is devoted to what we used to call, or still called by many, the ``not me'' cases, where somebody is charged with a crime or a person is charged with a crime, a name is charged with a crime. The person comes to court and they say to the judge or they say to their attorney or they say to the prosecutor, ``That wasn't me.'' And of course the response is, ``Yes, sure. Tell it to the judge or tell it to the lawyer.'' But these are not cases of mistaken identity like, ``I was at home eating mashed potatoes with my wife.'' These are cases where this is not the person that the police intended to arrest or intended to bring into the system. Somebody else has used their name during an encounter with law enforcement which has caused the innocent person to now be charged with a crime or dealing with the criminal justice system. And Ms. Guialdo is here to tell you a little bit about how she deals with those cases. She deals with a large number of those cases per year, most of the time dealing with driver's license and driving offenses. Thank you. STATEMENT OF ANTHANAGTHA GUIALDO, LEGAL ASSISTANT, IDENTITY THEFT UNIT, COUNTY COURT DIVISION, STATE ATTORNEY'S OFFICE, 17TH JUDICIAL CIRCUIT OF FLORIDA, BROWARD COUNTY, FLORIDA Ms. GUIALDO. Hello, Mr. Chairman, Mr. Foley, nice to meet you. My name is Ann Guialdo. I am a Legal Assistant with the 17th Judicial Circuit, the Identity Theft Unit. As Mr. Cohen stated again, our unit deals basically with an accused victim who may or may not have been arrested but an original arrest was made by somebody using their names or they were booked using that person's name but the accused was arrested. So my job is to go back within the file and check the original arrest, fingerprints if there are any, booking photos if there are any, and clear up the accused's name. Most of the time it is a notice to appear where John Brown gives Tom Brown's name and says Tom Brown's Social Security. He might know it from speaking with Tom Brown is related to Tom Brown. So there that Social Security problem comes in where we have to go in and clean up Tom Brown's Social Security and personal information from John Brown's name. So it becomes a big issue all the time, because when someone is arrested their Social Security automatically is put on the probably cause affidavit. So we always come into that Social Security problem used as an identifier. My duties include determining whether this office charges the right person by initiating an investigation into prosecuting those who unlawfully use the identities of others. The most prevalent cases I deal with are driving offenses wherein a suspect comes to the unit claiming that they hadn't received a citation but that somebody else did. It is our job to look into it, be it by signatures or identifiers from a driver's license that doesn't match that of the accused and find out really who did it. We also have felony cases where somebody is incarcerated under my name. It is my job now, because this person is already in the prison systems, to correct that information so by the time this person gets paroled that he will come out in his own name and not that of the accused. So we have a big process in investigating that with fingerprints, Florida Department of Law Enforcement (FDLE), the Federal Bureau of Investigation, and the prison system in just trying to correct identifiers. A lot of times we have cases where I go in for a background check and because somebody used my name or somehow the Social Security Number the imposter gave was wrong, it becomes my problem because it was my Social Security Number. And my name is now on their criminal history. So it becomes a problem trying to clear all of that off and putting it on the right person. I had placed into evidence exhibits, so those are basically the things--it is a process. We have walk-in complaints, phone calls and mail from all over the country. My, not really recommendation, but fingerprints and Social Security should kind of go hand in hand as identifiers. There should be a way where a fingerprint could match a Social Security Number or something, because, you know, criminals are out there, and they do it every day. I had a lady call in, I was trying to help her. She came in, filled out her paperwork and everything, and she called the imposter's job, said she was me, and the only way to distinguish that it wasn't me is you can notice my name, and she couldn't spell it. Chairman SHAW. I couldn't pronounce it. [Laughter.] Ms. GUIALDO. It is hard. So, you know, it becomes a problem for everybody. Lately, I have been having a lot of Social Security calls. Mothers call up and say, ``My son is going to go to school in September. I need to get a Social Security Number. Well, I went to the Social Security Administration, they told me he already has a Social Security Number.'' And they do a printout and here it is. Well, the father is using the Social Security--received a Social Security Number in the child's name. So now she has to do whatever to try to straighten that out. Chairman SHAW. Yes, but I think you have to do it in the hospitals now. Ms. GUIALDO. Right. So the father is using it, so it becomes a whole problem for this child. It is very difficult. I have had--my brother's name is similar to mine, we are a number off, so that becomes a problem also, because when law enforcement is putting it in their system, somebody is manually putting them in. A number is off. It automatically becomes my problem. So it a catch-22 issue. Thank you. [The prepared statement of Ms. Guialdo follows:] Statement of Anthangtha Guialdo, Legal Assistant, Identity Theft Unit, County Court Division, State Attorney's Office, 17th Judicial Circuit of Florida, Broward County, Florida My name is Anthangtha Guialdo and I am a Legal Assistant assigned to the Identity Theft Unit within the County Court Division of the Office of the State Attorney, 17th Judicial Circuit in Broward County. Assistant State Attorney In Charge Lee G. Cohen and I have been asked by State Attorney Michael J. Satz to represent this office at this hearing. The Identity Theft Unit, originally referred to as the ``Not Me'' Unit, was created by Mr. Satz in 1978 to assist those whose identities have been misused in criminal cases. I have been working in this unit for 5 years. This unit processes approximately 2400 cases each year. A majority of the cases presented to me are done so by the accused (currently named defendant) wherein they are claiming that they have been mistakenly accused of a crime when in fact law enforcement or the Office of the State Attorney intended to charge someone else (often referred to as a ``Not Me'' case). This is due to the true perpetrator using the name or otherwise identifying him or herself as the accused. The perpetrators are usually family members or acquaintances of the accused or strangers who have gained access to personal information of the accused. I have even had my identity stolen by one of the accused that I was trying to help but as you can imagine, she had difficulty in determining the correct spelling of my name. My duties include determining whether this office charges the right person as well as initiating investigations into prosecuting those who have unlawfully used the identities of others. The most prevalent type of cases I deal with are driving offenses wherein a suspect comes to this unit claiming that they received a citation for a criminal or civil traffic offense in their name and that in fact, they were never stopped for such offense. Other misdemeanor and felony cases are also presented where the currently charged defendant claims ``Not Me.'' When a defendant begins to claim that there has been a mistaken identity as to who committed the crime or poses an alibi (i.e. ``It was me who they arrested but I didn't do it''), that defendant is immediately referred to his or her lawyer for further legal advice. When processing a case in this unit, I will interview the suspect and obtain as much personal documentary information I can including fingerprints, signatures, and copies of driver's license. I will then obtain records and photographs from several agencies including the Department of Highway Safety and Motor Vehicles and the local police agencies as well as have fingerprint comparisons made. Occasionally officers or witnesses will be asked to come to the office to see if identifications can be made in order to determine true identities. If I determine that the wrong person is accused then recommendations are made to the Assistant State Attorneys for the charges to be dismissed. If the identity of the true perpetrator is determined, orders and corrected charging documents will be drafted reflecting the correct person's identity as well as the charging of additional criminal charges pursuant to F.S.S. 817.568 for Criminal Use of Personal Identification Information, F.S.S. 843.02 Resisting/Obstructing Officer without Violence and F.S.S. 831.01/831.02 Forgery. (See ``Exhibit A'') In processing my cases, I rely heavily on the validity of Social Security numbers. For example, when checks are made through the National Criminal Information Services and the Florida Criminal Information Services the Social Security number is linked to the master (true) name as an identifier, as well as listing all alias names, dates of birth and Social Security numbers. (See ``Exhibit B'') Additionally, during the booking process, and more importantly for me (due to no fingerprinting of photographing of the suspect), during the issuing of a Notice to Appear/Citation in place of booking, the suspect is often inquired as to his or her Social Security number, which can later be used to verify or distinguish identity. (See ``Exhibit C'') The Social Security number is also used to verify the accuracy of the transposition of names from person to document and document to document, as well as being used to distinguish between persons with common names. (See ``Exhibit D'') Our Information (charging documents) even lists the Social Security number on the top for identification purposes. (See ``Exhibit E'') State Attorney Michael J. Satz conveys his appreciation for requesting input from this office in this matter. Anything that can be done to insure the validity of Social Security numbers will assist in this unit's goal to ensure that only the correct de- fendants are charged with crimes and to assist those victims of the system who are mistakenly charged due to the criminal acts of others. Chairman SHAW. Thank you. Sheriff? STATEMENT OF HON. ED BIELUCH, SHERIFF, PALM BEACH COUNTY, WEST PALM BEACH, FLORIDA Mr. BIELUCH. Good afternoon. Let me preface this by saying that I am not an expert in identity theft; however, it has been around longer than I have been in law enforcement, as Ms. Guialdo stated, particularly with drivers' licenses, and we have had to deal with that over the years many, many, many times, and what we do is if we have someone that is driving with no identification, then we take a thumbprint on a special piece of paper and attach it to the citation so that they can be identified later in court should somebody show up and say, ``It wasn't me.'' It seems like that would be impractical in dealing with a Social Security card unless there was some type of electronic reader that could do the reading and compare them, which I suppose there is. I mean there is all kinds of identifiers out there--iris identifiers and that type of thing--which will probably help at some point when we get to that technology. I mean technology is kind of the catalyst here. Technology has allowed identity theft to really, really grow, and it is probably going to be the way that we have to solve it. Couple points I will make on what Mr. Morell said earlier, that the amount of money seeming to stymie the investigation, and I think that is very true, that $20,000 in the overall scheme of things isn't a lot of money but really it is. And, you know, we look at these at property crimes as opposed to person crimes where somebody is injured, but in many cases I believe that these are almost life threatening because some people just can't afford to lose $20,000. I mean to some people it is a drop in the bucket, but others that is their life, and that is their college money, that is their retirement money, it is whatever they have been saving up for for dozens and dozens of years. And it is almost a life threatening crime to them, and I think we need to approach it on a more serious level regardless of the amount. And one of the other problems is when we talk about trying to get people back on track and get back in the system, and it seems like a lot of red tape, and I am sure it is, but there are thousands, millions of people out there who are genuine bad guys. They are ripping off stores with credit cards and that type of thing, so I mean the other side of the coin is that that is what they are up against when they go to have their credit restored is the fact that there are lots of bad people out there and they just don't believe their story. But I am going to let Sergeant Rispoli talk because he is our expert on identity theft. STATEMENT OF PAUL RISPOLI, SERGEANT, PALM BEACH COUNTY SHERIFF'S OFFICE, FINANCIAL CRIMES UNIT, WEST PALM BEACH, FLORIDA Mr. RISPOLI. Good afternoon, Mr. Chairman, Mr. Foley. On behalf of Sheriff Bieluch and the entire Palm Beach County Sheriff's Office Financial Crime Unit, I want to thank you for inviting us today. My name is Sergeant Paul Rispoli. I am currently in charge of the Palm Beach County Sheriff's Office Financial Crime Unit. Also here with me today is my Captain, Captain Simon Barnes from the Detective Bureau, along with two detectives from the unit: Detective Alice Gold and Pete Palenzuela. Any questions I can't answer they will be able to answer. Detectives in the Financial Crime---- Chairman SHAW. But they are sitting in the back and said you are on your own. [Laughter.] Mr. RISPOLI. I didn't see the door shut, so I know they are still here. Detectives in the unit are responsible for the investigation of white collar crimes, specifically responsible for investigating exploitation of the elderly, corporate embezzlement, identity theft, credit card fraud, counterfeiting and computer Internet fraud. This six-person unit shares a combined 100 years experience in law enforcement. During this time, we have been assigned to road patrol, different units within the Detective Bureau, along with money laundering. Of all the crimes I have investigated personally, identity theft cases are one of the most difficult. They are difficult in identifying the suspects, difficult to get financial institutions to cooperate, difficult to prosecute and difficult to have the guilty parties receive sentences that would deter committing identity theft again. Over the past 5 years, there has been a significant increase in crimes where criminals compromise personal identification data of victims in order to commit identity theft. The information falling into criminal hands includes name, date of birth, Social Security Number, banking account numbers, and other financial information. The victims of identity theft, like other crimes, are made to feel personally responsible. This is especially true in light of the vicious cycle of events following the circumstances of the crime. Imagine for a moment, which Mr. Foley has already run into, you go to a car dealer to buy a new car only to be denied because of a negative payment on your credit report--information that you had no knowledge of. The trauma this type of fraud causes its innocent victims is inconceivable, as victims are usually left to fix the problem. I will explain some of the difficult areas involved with investigating identity theft. Identifying the suspect. Technology, as the Sheriff has said, has improved a thief's chances of getting away with crime. A thief doesn't need a gun or a mask to commit a crime. Today's gun is a keyboard and the mask is a computer with Internet access. You can apply for loans, credit cards, bank accounts online. You can purchase items with a click of a button and have them shipped all over the world. The thief is never seen. The credit cards and the merchandise is delivered to an empty apartment in the thief's building or neighborhood or a post office box under the victim's name. Most financial institutions and credit card companies fail to check or question why the applicant's address is different than the address listed in the credit report. Most of our complaints come from victims who are local and the thief is in another country, State, or county. Florida has a statute dealing with this crime. The statute allows for a venue for the prosecution and trial of violations to be commenced and maintained in any county in which an element of the offense occurred, including the county where the victim generally resides. The local law enforcement agency where the victim resides does not normally have the ability and resources to investigate the offense when it occurs in another county or State. Financial institutions' and credit card companies' cooperation--most financial institutions and credit card companies are reluctant to cooperate during an investigation, because it generate negative publicity, and the loss amount on one case is usually not enough to begin an investigation. It costs more to investigate the case than write off the loss. That is what I have been told. Prosecution and sentencing. Even when a thief is identified and there is probable cause for arrest, some prosecutors tend to plead a case out prior to trial. This plea agreement is usually probation and restitution. When criminals have been found guilty in court, they rarely see any jail time. Most are sentenced to probation and restitution anyway, so there is no deterrence to committing this crime. Financial and white collar crime has always been viewed as a lesser threat than a burglary or a robbery. Common consensus is no one is hurt. Ask a victim of identity theft is they feel any less violated than a robbery victim or a burglary victim. Victims have been refused employment, loans, some victims have actually been arrested for crimes that the identity thief has committed. Victim lives have been destroyed in this crime. In light of the events of September 11, 2001, one should be aware that identity theft in Florida played an important role in a terrorist being able to carry out their objectives. Identity theft does hurt people. Some recommendations suggested by the Palm Beach County Sheriff's Office Financial Crime Unit: An increase in public education about identity theft, which this is part of, the media is all gone now but at least they were here; increased law enforcement education and interagency cooperation. Victims should not be turned away; a report must be taken. The current identity theft statute needs to be updated with enhanced penalties for this crime. This will make the crime less attractive for a thief. Credit cards and financial institutions should be held responsible for indiscriminate issuing of credit to unauthorized persons, i.e, mass mailing pre-approved credit applications. Credit bureaus must take a more active role in ensuring security of one's credit. This may involve notifying a person that their credit has been checked. Also, I heard, I am not sure which panelist it was, said about the fraud alert. That doesn't live with you the rest of your life unless you keep on calling. After a certain amount of time, each credit bureau can shut that off. Require any web-based company or company taking credit applications over the Internet to maintain detailed records of their transactions. Posting of Social Security Numbers on the Internet should be prohibited. Entities having access to a consumer's personal identifying information should be strictly accountable as to whom they provide such information to and the purpose the information is being provided for. We believe if there were an enhancement to the penalties for identity theft, the criminal element would less likely attempt to commit this crime. In closing, we would like to thank you, Congressman Shaw and Mr. Foley, for giving law enforcement an opportunity to offer input into this matter. Additionally, we would ask that this Committee consider the massive impact identity theft has had on our society. Thank you. [The prepared statement of Mr. Rispoli follows:] Statement of Paul Rispoli, Sergeant, Palm Beach County Sheriff's Office, Financial Crimes Unit, West Palm Beach, Florida Good Afternoon, Mr. Chairman and members of the Subcommittee. On behalf of Sheriff Ed Bieluch, we would like to thank you for the opportunity to appear before you today to discuss this very important subject. My name is Sgt Paul Rispoli. I am currently in charge of the Palm Beach County Sheriff's Office Financial Crimes Unit Seated next to me is the Sheriff of Palm Beach County Ed Bieluch, Captain Simon Barnes and Detectives Pete Palenzuela and Alice Gold. We are currently assigned to the Financial Crimes Unit. Detectives in the Financial Crimes Unit are responsible for the investigation of white-collar crimes, specifically responsible for investigating exploitation of the elderly, corporate embezzlement, identity theft, credit card fraud, counterfeiting and computer Internet fraud. This six-person unit shares a combined 100 years experience in law enforcement. During this time, we have been assigned to road patrol, different units within the detective bureau itself and money laundering. Of all the crimes I have investigated, identity theft cases are the most difficult. LDifficult in identifying the suspect(s), LDifficult to get financial institutions to cooperate, LDifficult to prosecute, and LDifficult to have the guilty parties receive sentences that would deter committing identity theft. Over the past five years, there has been a significant increase in crimes where criminals compromise personal identification data of victims, in order to commit identity theft. The information falling into criminal hands includes: LName, LDate of birth, LSocial Security Number, LBanking account number, and other personal and financial information. Victims of identity theft, like other crimes, are made to feel personally responsible. This is especially true in light of the vicious cycle of events following the circumstances of this crime. Imagine for a moment, you go to a car dealer to buy a new car, only to be denied because of a negative payment history reflected in a credit report-- information that you knew nothing about. The trauma this type of fraud causes its innocent victims is inconceivable, as victims are usually left to fix the problem. I will explain some of the difficult areas involved with investigating Identity Theft---- Identifying the syspect: Technology has improved a thief's chances of getting away with crime. A thief doesn't need a gun or a mask to commit crimes. Today's gun is a keyboard and the mask is a computer with Internet access. You can apply for loans, credit cards, and bank accounts online. You can purchase items with the click of a button and have them shipped all over the world. The thief is never seen. The credit cards and merchandise is delivered to an empty apartment in the thief's building or neighborhood or a post office box under the victim's name. Most Financial institutions/Credit Card companies fail to check or question why the applicant's address is different than the address listed in the credit report. Most of our complaints come from victims, who are local and the thief is in another county, state, or country. Florida has a statute dealing with this crime. The statute allows venue for the prosecution and trial of violations to be commenced and maintained in any county in which an element of the offense occurred, including the county where the victim generally resides. The local law enforcement agency where the victim resides does not normally have the ability and resources to investigate the offense when it occurs in another county or state. Financial institutions and Credit Card Companies cooperation: Most financial institutions/credit card companies are reluctant to cooperate during an investigation because it can generate negative publicity. The loss amount on one case is usually not enough to begin an investigation. It costs more to investigate the case than to write off the loss. Prosecution and Sentencing: Even when a thief is identified and there is probable cause for an arrest some prosecutors tend to plea a case out prior to trial. This plea agreement is usually probation and restitution. When criminals have been found guilty in court they rarely see any real jail time. Most are sentenced to probation and restitution anyway, so there is no deterrence to committing this crime. LFinancial (white collar) Crime has always been viewed as a lesser threat than a burglary or a robbery. Common consensus is ``No one is hurt''. Ask a victim of identity theft if they feel any less violated. LVictims have refused employment, loans, and some victims have actually been arrested for crimies the identity thief has committed. Victim's lives have been destroyed by this crime. In light of the events of September 11, 2001, one should be aware that identity theft in Florida played an important role in the terrorist being able to carry out their objectives. LIdentity Theft does hurt people in many ways. Some Recommendations suggested by the Palm Beach County Sheriff's Office Financial Crimes Unit: LIncrease Public education about Identity Theft. LIncrease Law Enforcement education and interagency cooperation. Victims should not be turned away--a report must be taken. LThe current Identity Theft statute needs to be updated with enhanced penalties for this crime. This will make the crime less attractive for a thief. LCredit card companies and Financial Institutions should be held responsible for indiscriminate issuing of credit to unauthorized persons. (Mass mailing pre-approved credit cards to the public) LCredit Bureaus must take a more active role in ensuring security of ones credit. This may include notifying a person that their credit has been checked. LRequire any web-based company or company taking credit applications over the Internet to maintain detailed records of their transactions. LPosting of Social Security Numbers on the Internet should be prohibited. LEntities having access to a consumer's personal identifying information should be strictly accountable as to whom they provide such information to and the purpose the information is being provided for. LWe believe if there were an enhancement in the penalties for identity theft, the criminal element would less likely attempt to commit this crime. In closing, we would like to thank Congressman Shaw for giving Law Enforcement an opportunity to offer input in this matter. Additionally we would ask this committee to consider the massive impact identity theft has had on our society. Chairman SHAW. Thank you. Mr. Maye? STATEMENT OF ROLAND MAYE, SPECIAL AGENT-IN-CHARGE, ATLANTA FIELD DIVISION, OFFICE OF THE INSPECTOR GENERAL, SOCIAL SECURITY ADMINISTRATION, ATLANTA, GEORGIA Mr. MAYE. Good afternoon, Congressman Shaw and Congressman Foley, and thank you for inviting the Office of the Inspector General, the Social Security Administration to testify today. My name is Roland Maye, and I am the Special Agent-in-Charge of the Criminal Investigative Activities for this region. As you noted in your opening remarks, the misuse of Social Security Numbers plays an increasingly large role in two issues currently plaguing American society. Identity theft victimizes thousands of Americans every year, and the number of identity theft crimes continues to grow. This crime begins, in many cases, with the misuse of a Social Security Number. And Homeland Security has become an even greater focus for all Americans. We have learned over the past 7 months that protecting a Social Security Number and preventing identity fraud is not only a criminal justice issue, but a Homeland Security challenge. On behalf of the Inspector General, who could not be here today, I would like to touch briefly on each of these issues, starting with identity theft. As you know, the Social Security Number was never intended to be a national identification number, but we can longer pretend otherwise. A vital part of commercial transactions of every kind, the SSN is as much a part of our identity as our own name. Indeed, the SSN is a more unique identifier--many people share common names, but an SSN is issued only once. For this reason, a valid SSN is an almost priceless tool for identity thieves. With an SSN in hand, unscrupulous individuals can apply for credit cards, open bank accounts, take out loans, apply for government benefits, obtain jobs, and do the many things all of us do every day, but these unscrupulous individuals do so fraudulently under an assumed identity. In fiscal year 2000, more than half of the 92,000 allegations received by our fraud hotline were allegations of SSN misuse. The victims of identity crimes face situations similar to those described by the witnesses here today-- feelings of violation and helplessness, and a long, difficult road to financial recovery. We have made some progress. Certainly the public is more aware of identity theft, and of the importance of protecting their SSN and other personal information than, they have ever been. And the Social Security Administration, which has adopted some of the recommendations made in our audit report, has taken important steps in tightening the process by which Social Security Numbers are issued and used. On the investigative side, we see more and more indictments and convictions for identity theft crimes around the country. Right here in Florida, agents from my office, working with the Florida Department of Law Enforcement, brought the very first case indicted by Governor Bush's 16th statewide Grand Jury for the Purpose of Investigating Identity Theft, resulting in the indictment of six individuals with multiple counts of identity theft. Around the country, similar efforts have ensured that while identity theft may not be a difficult crime to commit, the prosecution of those who commit identity theft is now more of a priority for law enforcement agencies. As great a challenge as identity theft has become, the true severity of the larger SSN misuse problem became horribly apparent after the attack of September 11. We have come to learn in the 7= months since that day just how critical it is that we protect the integrity of the Social Security Number. We knew that our credit rating depended on it; we know now that our lives may depend on it. There is no greater issue in the Homeland Security arena than protecting the integrity of the Social Security Number. It is virtually impossible to operate in the United States without a Social Security Number. It stands to reason, then, that any enemy of the United States that wants to infiltrate our borders and live among us would need a Social Security Number in order to do so. The challenge before us is to find a way to allow legitimate commerce to continue using the SSN for legitimate purposes while making it less simple for both identity thieves and even more dangerous individuals to misuse SSNs. Part of that solution lies with SSA and its OIG. Many of the recommendations we have made to improve the enumeration process are already in place or in the process of being implemented. For example, SSA's practice of issuing ``non- work'' SSNs to visitors to our country so that they may obtain drivers licenses has been discontinued. Development of a meaningful process for SSA to verify immigration documents with the Immigration and Naturalization before issuing an SSN has been expedited. And SSA appreciates the need to do all it can under current law and within the position of budgetary constraints to protect the SSN upon its issuance during the life of the number-holder, and upon the number-holder's death. In OIG, we have worked around the clock since September 11, both in support of the investigation into the events of that day, and in furtherance of Federal efforts to prevent future acts. An example is our participation in Operation Tarmac in 12 major airports around the country. The most recent of these was in the Washington, DC, area, where last week, together with other Federal authorities, we arrested some 105 individuals suspected of providing false information--including SSNs--to obtain work in secure areas of Reagan National Airport, Dulles International Airport, and Baltimore-Washington International Airport. Again, working within the limitation of existing laws--laws which were written for a time before identity theft and Homeland Security became the overarching issues they are today--we have taken significant steps. But we need the help of this Subcommittee and the Congress as a whole. Legislations must be enacted to close the gaps in the laws that govern the use of SSNs. Legislation like H.R. 2036, the Social Security Number Privacy and Identity Theft Protection Act of 2001, introduced by this Subcommittee, places meaningful restrictions on the use, display and sale of SSNs and provides new and important enforcement mechanisms for offenders. Such legislation represents an important step to reducing identity theft and making the SSN unavailable as a tool to those who commit or support acts of terror against the United States. The Inspector General looks forward to working with this Subcommittee to ensure that we are doing all we can to stem the tide of SSN misuse. Thank you. [The prepared statement of Ms. Maye follows:] Statement of Roland Maye, Special Agent-in-Charge, Atlanta Field Division, Office of the Inspector General, Social Security Administration, Atlanta, Georgia Good morning, Chairman Shaw, and thank you for inviting the Office of the Inspector General (OIG), Social Security Administration (SSA), to testify today. My name is Roland Maye and I am the Special Agent-in- Charge of the criminal investigative activities in this region. As you noted in your opening remarks, the misuse of Social Security numbers (SSNs) plays an increasingly large role in two issues currently plaguing American society. Identity theft victimizes thousands of Americans every year, and the number of Identity Theft crimes continues to grow. This crime begins, in many cases, with the misuse of an SSN. And Homeland Security has become an even greater focus for all Americans. We have learned over the past 7 months that protecting the SSN and preventing Identity fraud is not only a criminal justice issue, but a Homeland Security challenge. On behalf of the Inspector General, who could not be here today, I would like to touch briefly on each of these issues, starting with Identity Theft. As you know, the SSN was never intended to be a national identification number, but we can no longer pretend otherwise. A vital part of commercial transactions of every kind, the SSN is as much a part of our identity as our own name. Indeed, the SSN is a more unique identifier--many people share common names, but an SSN is issued only once. For this reason, a valid SSN is an almost priceless tool for identity thieves. With an SSN in hand, unscrupulous individuals can apply for credit cards, open bank accounts, take out loans, apply for government benefits, obtain jobs, and do the many things all of us do every day. In Fiscal Year 2000, more than half of the 92,000 allegations received by our fraud hotline were allegations of SSN misuse. The victims of Identity crimes face situations similar to those described by the witnesses here today--feelings of violation and helplessness, and a long, difficult road to financial recovery. We have made some progress. Certainly the public is more aware of Identity Theft, and of the importance of protecting their SSN and other personal information, than they have ever been. And SSA, which has adopted some of the recommendations made in our audit reports, has taken important steps in tightening the process by which SSNs are issued and used. On the investigative side, we see more and more indictments and convictions for Identity Theft crimes around the country. Right here in Florida, agents from my office, working with the Florida Department of Law Enforcement, brought the very first case indicted by Governor Bush's 16th Statewide Grand Jury for the Purpose of Investigating Identity Theft, resulting in the indictment of six individuals with multiple counts of Identity Theft. Around the country, similar efforts have ensured that while Identity Theft may not be a difficult crime to commit, the prosecution of those who commit Identity Theft is now more of a priority for law enforcement agencies. As great a challenge as Identity Theft has become, the true severity of the larger SSN misuse problem became horribly apparent after the attacks of September 11th. We have come to learn in the 7 months since that day just how critical it is that we protect the integrity of the SSN. We knew that our credit ratings depended on it; we know now that our lives may depend on it. There is no greater issue in the Homeland Security arena than protecting the integrity of the SSN. It is virtually impossible to operate in the United States without an SSN. It stands to reason, then, that any enemy of the United States that wants to infiltrate our borders and live among us would need an SSN in order to do so. The challenge before us is to find a way to allow legitimate commerce to continue using the SSN for legitimate purposes, while making it less simple for both Identity Thieves and even more dangerous individuals to misuse SSNs. Part of that solution lies with SSA and its OIG. Many of the recommendations we have made to improve the enumeration process are already in place or in the process of being implemented. For example, SSA's practice of issuing ``non-work'' SSNs to visitors to our country so that they can obtain drivers licenses has been discontinued. Development of a meaningful process for SSA to verify immigration documents with the Immigration and Naturalization Service before issuing an SSN has been expedited. And SSA appreciates the need to do all it can under current law and within existing budgetary constraints to protect the SSN upon its issuance, during the life of the number- holder, and upon the number-holder's death. In OIG, we have worked around the clock since September 11th, both in support of the investigation into the events of that day, and in furtherance of Federal efforts to prevent future acts. An example is our participation in Operation Tarmac in 12 major airports around the country. The most recent of these was in the Washington, DC area, where last week, together with other Federal authorities, we arrested some 105 individuals suspected of providing false information--including SSNs--to obtain work in secure areas of Reagan National Airport, Dulles International Airport, and Baltimore-Washington International Airport. Again, working within the limitations of existing laws--laws which were written for a time before Identity Theft and Homeland Security became the overarching issues they are today--we have taken significant steps. But we need the help of this Subcommittee and the Congress as a whole. Legislation must be enacted to close the gaps in the laws that govern the use of SSNs. Legislation like H.R. 2036, The Social Security Number Privacy and Identity Theft Protection Act of 2001, introduced by this Subcommittee, places meaningful restrictions on the use, display, and sale of SSNs and provides new and important enforcement mechanisms for offenders. Such legislation represents an important step toward reducing Identity Theft and making the SSN unavailable as a tool to those who commit or support acts of terror against the United States. The Inspector General looks forward to working with this Subcommittee to ensure that we are doing all we can to stem the tide of SSN misuse. Thank you and I'd be happy to answer any questions. Chairman SHAW. Thank you. I would like to address this to anyone on the panel who has information, the question of repeat offenders. Ms. GUIALDO. They are very common. It is every week the same person. It is a constant issue. Right now I have cases where a perpetrator used one person's name. We cleared that person's name. Well, he is also on two other person's cases. Chairman SHAW. Has he been apprehended? Ms. GUIALDO. We refiled charges against him, but the police department does not actively go out and pick you up. If he gets stopped using his own name, he will be apprehended for the new crimes. But if he is not, it doesn't happen. Chairman SHAW. Is that the case up here, Sheriff? Are you talking about misdemeanors? Ms. GUIALDO. Yes. Mr. Cohen. Usually, they are misdemeanors. Usually just the plain using somebody else's name, unless it results in specified harm, it is a misdemeanor. If there is a certain harm---- Chairman SHAW. Well, if it is grand theft to--identity theft, yes, the felony, I mean the felony they will go get them, won't they? Mr. Cohen. That is probably a statewide problem is basically the arrest on these warrants. I mean the police departments prioritize, you know, different degrees. They put different efforts into the fugitive squads of the different police departments. That is a constant resource issue, the apprehension of outstanding felons or outstanding fugitives. Chairman SHAW. Sheriff? Mr. BIELUCH. We probably have right now some 50 to 60,000 warrants just in our Palm Beach County database, and we don't actively go out after misdemeanants; however, perhaps we should in this case. I have made a note of it, and this obviously has the potential to become a serious felony. As we said, stated over and over again, because nobody gets hurt, because it is not a crime against person, these things tend not to be investigated as thoroughly. And when the warrants come out, sometimes they probably don't go pick them up as quickly as they could. But I am going to take note of that, and we definitely will be going after the misdemeanor identity theft cases. Chairman SHAW. We heard two felony cases today---- Mr. BIELUCH. Right. Chairman SHAW. From our witnesses. Also, you are quite right as to what a growing problem it is. This is the fastest growing crime in the United States today. Still what we are looking at today is probably a drop in the bucket compared to what it is going to be, and unless we start getting some vigorous law enforcement and some arrest, it will go even faster. Mr. BIELUCH. Yes, I agree. But, you know, all criminals have MOs, and this is just the MO of the people that do identity theft. And burglars get out of jail, and they don't suddenly become car thieves. They go back to being burglars because that is kind of their trade, and the punishment is nil. Mr. Cohen. But it is not just a crime. It really--it is not just the crime, it is the means to a crime. It really is. And a lot of people say identity theft is a crime. I think that it really is--it is just part of your grand theft, it is part of your credit card fraud, it is part of your forgeries. And that is all it is, is a tool. Instead of pushing them down and grabbing their purse and then using their credit card, they are just applying in the mail for one. Mr. FOLEY. Identity theft is the getaway car, just one issue. Sergeant Rispoli, I appreciate, and all of your testimony I appreciate specifically, but you did a nice job of outlining what are good areas for us to look into: education, enhanced penalty, the companies themselves--not a day goes by that I don't end up with something in my mailbox for a free teaser ad, get 1.5-percent interest rate for the next 30 hours, and then it goes to 19 percent. Mr. RISPOLI. If you get to the mailbox first. Mr. FOLEY. Right, exactly. And that is the problem. People are going into your mailbox and gaining some of this information. The web postings, these are all interesting suggestions. Mr. Maye, as well, with the Social Security Administration, thank you for illuminating some of the problems we are facing relative to immigration. It is a whole other--I talked to a person the other day, because I asked--I know their status is illegal, I asked, ``How you are able to work here?'' They said, ``Oh, five or six of us use the same person's Social Security Number.'' I said, ``Five or six? Doesn't Social Security ever check how he has five or six jobs?'' He said, ``Oh, no. It has never happened to him yet.'' But I mean these things are going on, and so people are either using numbers collectively or gaining them illegally, and so it is a frightening aspect, because we all, again, feel very, very vulnerable. Mr. MAYE. In some cases this is true, especially in the agricultural areas, the person employing the workers are the ones who don't do the necessary checks to ensure that each worker has a valid number. They are more concerned with gathering their crops, so they might look the other way. We have had several cases on some major producers that hired individuals without valid SSNs because they didn't do the proper checks to ensure that each individual they hired had a valid SSN. Mr. FOLEY. No, but it is interesting, and I fault government a lot, and whether we fail to live up to technology we have to look at the problem. I mean I can use an ATM card in Europe. I can put it in a machine, it reads my bank account in the United States, determines if I have a balance and in about 15 seconds it sends me back cash in the denomination of the country I am in. Now Social Security, you would think, if somebody was an employer, they could call up and verify within 15 seconds whether the person presenting themselves had a valid Social Security Number and maybe some outliers, like they ask my grandmother's maiden name. If there was an ability to do that, then I would shoulder the responsibility mostly on the employer community. But I don't know who they call today, and I don't know how long it would take. Mr. MAYE. Social Security has such a system in place. Mr. FOLEY. Is it? Mr. MAYE. An employer can call and verify an SSN with SSA. Mr. FOLEY. Quickly? Mr. MAYE. Yes, expeditiously. Mr. FOLEY. Well, then, God bless, we have gotten something going on, because that is a big concern. Mr. MAYE. It is just a matter of getting employees oriented to contacting Social Security and verifying the employee's SSN. Mr. FOLEY. Well, then we will work on that aspect of it. Because it was one of the concerns that I had that we didn't have enough means in which to determine. And then fraudulent documents are a problem as well for employers. There is a lot of things that go on. Thank you. Chairman SHAW. I would like to thank you all. I think we always learn something from a field hearing, and this has been very helpful to us to see the frustrations of prosecution and law enforcement and trying to get these things done. The bill that we have filed that we are working on would have penalties up to 5 years in jail for people that were trapped in these numbers. So the identity theft would become-- would also become a felony, not just a misdemeanor under what we are proposing. So we still have some work to do, but we will look into it, and I think we will be able to use your experience in developing this legislation as we see it through. I am hopeful that we can get the bill passed in short order to get this thing moving. What happens over in the Senate, which is the graveyard of legislation, I have no idea, but we will do our part. Thank you all for being here. Say hello to Mike for me. We go back 30-some years. Thank you. [Whereupon, at 3:45 p.m., the hearing was adjourned.] [Submissions for the record follow:] Plantation, Florida 33322 May 10, 2002 The Honorable E. Clay Shaw, Jr. Chair, Subcommittee on Social Security Committee on Ways and Means U.S. House of Representatives Dear Representative Shaw, Chair, and Committee Members: This letter is in reference to protecting the privacy of social security numbers and preventing identity theft. In coming across information regarding the already held Subcommittee Hearing in Lake Worth through the Congressional website, there was also details for submission of written comments by May 13, 2002. I am a concerned private citizen wishing to submit comments on this subject. Increasingly, more articles are released by the media highlighting the pervasive misuse of social security numbers (SSNs) by criminals and terrorists. It is now known that a majority of the September 11th terrorists fraudulently obtained false SSNs to carry out their activities and this has exemplified the severe consequences of the failure to protect the integrity of SSNs. I commend Congress for taking steps to protect the privacy of every Americans' SSN and, as you have indicated, it is an appropriate action in the Nation's response to terrorism. There appear to be many issues related to the fraudulent use of SSNs, ranging from law enforcement issues to the ease of accessibility to target victims with identity theft, on account of the widespread use of SSNs as an identification method by businesses, government, medical, and educational institutions. There is a strong need for preventative measures and legal protections to be put in place for U.S. citizens. Public and private entities routinely request the surrender of an individual's SSN as a course of business. As a result, it gets harder for an individual to control access to their own SSN leaving them exposed as victims to potential criminal activity. A serious concern of mine relates to the routine request for SSN by medical practices and health insurances. Not only do many health insurances have practices such as issuing cards announcing an individual's SSN to all parties but also many hospitals, doctors, and others in the medical industry make releasing a SSN a condition to receiving medical attention. Denial of business services due to refusing to submit SSN may currently be an option for those providing consumer goods and services but should not be permitted for medical and insurance providers for its potential serious repercussions and unfair access to medical care. All these industries may have a legitimate need for individual identifiers, including obtaining payment for services, products and insurance, but not by contributing to the exposure of SSNs to potential fraud and the peril of its customers. It is my hope that such concerns be addressed to reduce the common use of SSNs. I would like to be kept informed on the progress of the legislation being considered. Thank you for your attention to the matter. Sincerely, Maisy Alpert Statement of David Palay, Las Vegas, Nevada I urge all members of the Committee to DISREGARD the complaints of industry about limitations on the use of Social Security Numbers and take steps to prohibit all use except for income tax purposes as originally intended and as promised by former President Roosevelt originally. Consider an unseen computer, selling personal information to anyone with the price of access. That is what the system has become. Is not one's name and identification personal property? Please make it so. (Don't worry about placing the nuke repository at Yucca Mountain. Its the right place for these materials) -