[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



 
               USE AND MISUSE OF SOCIAL SECURITY NUMBERS

=======================================================================

                                HEARING

                               before the

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                     U.S. HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 10, 2003

                               __________

                           Serial No. 108-35

                               __________

         Printed for the use of the Committee on Ways and Means






                        U.S. GOVERNMENT PRINTING OFFICE

93-570                         WASHINGTON : 2004
_____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800
Fax: (202) 512-2250  Mail: Stop SSOP, Washington, DC  20402-0001






                        COMMITTEE ON WAYS AND MEANS

                   BILL THOMAS, California, Chairman

PHILIP M. CRANE, Illinois            CHARLES B. RANGEL, New York
E. CLAY SHAW, JR., Florida           FORTNEY PETE STARK, California
NANCY L. JOHNSON, Connecticut        ROBERT T. MATSUI, California
AMO HOUGHTON, New York               SANDER M. LEVIN, Michigan
WALLY HERGER, California             BENJAMIN L. CARDIN, Maryland
JIM MCCRERY, Louisiana               JIM MCDERMOTT, Washington
DAVE CAMP, Michigan                  GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. MCNULTY, New York
JENNIFER DUNN, Washington            WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia                 JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio                    XAVIER BECERRA, California
PHIL ENGLISH, Pennsylvania           LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona               EARL POMEROY, North Dakota
JERRY WELLER, Illinois               MAX SANDLIN, Texas
KENNY C. HULSHOF, Missouri           STEPHANIE TUBBS JONES, Ohio
SCOTT MCINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin
ERIC CANTOR, Virginia

                    Allison H. Giles, Chief of Staff

                  Janice Mays, Minority Chief Counsel

                                 ______

                    SUBCOMMITTEE ON SOCIAL SECURITY

                  E. CLAY SHAW, JR., Florida, Chairman

SAM JOHNSON, Texas                   ROBERT T. MATSUI, California
MAC COLLINS, Georgia                 BENJAMIN L. CARDIN, Maryland
J.D. HAYWORTH, Arizona               EARL POMEROY, North Dakota
KENNY C. HULSHOF, Missouri           XAVIER BECERRA, California
RON LEWIS, Kentucky                  STEPHANIE TUBBS JONES, Ohio
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.





                            C O N T E N T S

                               __________

                                                                   Page

Advisories announcing the hearing................................     2

                               WITNESSES

U.S. General Accounting Office, Barbara D. Bovbjerg, Director, 
  Education, Workforce, and Income Security Issues; accompanied 
  by Dan Bertoni, Deputy Director................................     7
Social Security Administration, Hon. James G. Huse, Jr., 
  Inspector General..............................................    18

                                 ______

Electronic Privacy Information Center, Chris Jay Hoofnagle.......    51
Georgia Bureau of Investigations, InfraGard Atlanta Chapter Watch 
  and Warn Committee, Georgia's Stop Identity Theft Network, 
  National White Collar Crime Center, and Financial Crimes 
  Enforcement Network, Steve Edwards.............................    60
Identity Theft Resource Center, Theodore Wern....................    38

                       SUBMISSIONS FOR THE RECORD

American Benefits Council; American Society of Pension Actuaries, 
  Arlington, VA; College and University Professional Association 
  for Human Resources, Knoxville, TN; ERISA Industry Committee; 
  Financial Executives International's Committee on Benefits 
  Finance, Florham Park, NJ; National Association of State 
  Retirement Administrators, Baton Rouge, LA; National Council on 
  Teacher Retirement, Sacramento, CA; National Rural Electric 
  Cooperative Association, Arlington, VA; Profit Sharing/401(k) 
  Council of America, Chicago, IL; joint letter and attachment...    72
Consumer Data Industry Association, Stuart K. Pratt, statement 
  and attachment.................................................    75
Hooley, Hon. Darlene, a Representative in Congress from the State 
  of Oregon, statement...........................................    80
Sandlin, Hon. Max, a Representative in Congress from the State of 
  Texas, statement...............................................    80


               USE AND MISUSE OF SOCIAL SECURITY NUMBERS

                              ----------                              


                        THURSDAY, JULY 10, 2003

             U.S. House of Representatives,
                       Committee on Ways and Means,
                           Subcommittee on Social Security,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 1:18 p.m., in 
room B-318, Rayburn House Office Building, Hon. E. Clay Shaw, 
Jr. (Chairman of the Subcommittee) presiding.
    [The advisory and revised advisory announcing the hearing 
follow:]

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                                CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
July 02, 2003
SS-3

                       Shaw Announces Hearing on

               Use and Misuse of Social Security Numbers

    Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on 
Social Security of the Committee on Ways and Means, today announced 
that the Subcommittee will hold a hearing on both the use and misuse of 
Social Security numbers. The hearing will take place on Thursday, July 
10, 2003, in room B-318 Rayburn House Office Building, beginning at 
10:00 a.m.
      
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Committee and for 
inclusion in the printed record of the hearing.
      

BACKGROUND:

      
    The Social Security number (SSN) was originally created in 1936 to 
track workers' earnings for benefit purposes. Use of the SSN by both 
government agencies and the private sector has exploded over the 
decades as automation of record keeping and other business processes 
encouraged use of this simple, unique number that virtually every 
American possesses. As a result, many have called it a de facto 
national identifier, though it was never intended as such.
      
    Today, even the most routine transactions may involve sharing of 
SSNs. Banks, schools, stores, and other businesses often use SSNs as 
account numbers. The SSN is used to help compile information from many 
different public and private sources for use in everything from 
tracking down criminals to issuing credit. Additionally, SSNs are 
easily found on display to the general public on employee badges, 
licenses, or court documents. In short, SSNs are the key to an 
individual's financial and other personal information, but their 
confidentiality is not well protected.
      
    Use of the SSN as a personal identifier has produced some 
beneficial results for the public, including reduction in government 
waste from program fraud, enhanced collection of child support, and 
better law enforcement. Unfortunately, widespread utilization and 
public exposure of SSNs have also made them an invaluable tool for 
identity thieves. According to the Identity Theft Resource Center, an 
estimated 700,000 people of all ages, races, and economic backgrounds 
were victims of identity theft last year. The harm inflicted can be 
devastating difficulty obtaining credit, harassment by debt collectors, 
or even arrest because of the crimes of the identity thief. Worse yet, 
according to the Federal Bureau of Investigation, terrorists have 
utilized Social Security number fraud and identity theft to obtain 
employment, access secure locations, and finance their activities all 
of which threaten our national security.
      
    The Social Security Administration (SSA) serves as the front line 
of defense in ensuring SSN integrity. It is responsible for accurately 
assigning SSNs and ensuring the wages earned and Social Security 
benefits claimed on that number are only those of the number holder. 
The SSA's Inspector General (IG) has long criticized the agency's 
failure to verify the authenticity of identification documents, and 
last year SSA began verifying supporting immigration records before 
issuing SSN cards. In addition, despite the agencies efforts to reduce 
wage-reporting discrepancies--including outreach to employers 2 to 3 
percent of wage items, equaling about $50 billion, will remain 
unmatched after wage processing is complete, according to the SSA.
      
    In announcing the hearing, Chairman Shaw stated: ``The Social 
Security number was originally intended to ensure American's hard-
earned wages were properly credited to their record, so that they could 
receive their due benefits at retirement. Today, however, use and 
misuse of these numbers is rampant. The Federal Government requires the 
use of Social Security numbers and, therefore, has the responsibility 
to ensure they are assigned accurately, exchanged only when necessary, 
and protected from indiscriminant disclosure. We must stem the tide of 
attacks on Social Security number privacy. As in previous Congresses, I 
remain committed to pursuing bipartisan legislation to protect the 
privacy and integrity of Social Security numbers.''
      

FOCUS OF THE HEARING:

      
    The Subcommittee will examine the widespread use and misuse of the 
SSN in the public and private sectors and the effects of such use and 
misuse, as well as the integrity of the SSA's Social Security number 
issuance and wage crediting process.
      

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

      
    Please Note: Due to the change in House mail policy, any person or 
organization wishing to submit a written statement for the printed 
record of the hearing should send it electronically to 
[email protected], along with a fax copy to 
(202) 225-2610, by the close of business, Thursday, July 24, 2003. 
Those filing written statements who wish to have their statements 
distributed to the press and interested public at the hearing should 
deliver their 200 copies to the Subcommittee on Social Security in room 
B-316 Rayburn House Office Building, in an open and searchable package 
48 hours before the hearing. The U.S. Capitol Police will refuse 
sealed-packaged deliveries to all House Office Buildings.
      

FORMATTING REQUIREMENTS:

      
    Each statement presented for printing to the Committee by a 
witness, any written statement or exhibit submitted for the printed 
record or any written comments in response to a request for written 
comments must conform to the guidelines listed below. Any statement or 
exhibit not in compliance with these guidelines will not be printed, 
but will be maintained in the Committee files for review and use by the 
Committee.
      
    1. Due to the change in House mail policy, all statements and any 
accompanying exhibits for printing must be submitted electronically to 
[email protected], along with a fax copy to 
(202) 225-2610, in WordPerfect or MS Word format and MUST NOT exceed a 
total of 10 pages including attachments. Witnesses are advised that the 
Committee will rely on electronic submissions for printing the official 
hearing record.
      
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
    3. Any statements must include a list of all clients, persons, or 
organizations on whose behalf the witness appears. A supplemental sheet 
must accompany each statement listing the name, company, address, 
telephone and fax numbers of each witness.
      
    Note: All Committee advisories and news releases are available on 
the World Wide Web at http://waysandmeans.house.gov.
      
    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.

                                 

                   * * * NOTICE--CHANGE IN TIME * * *

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                                CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
July 08, 2003
SS-3 Revised

                     Change in Time for Hearing on

               Use and Misuse of Social Security Numbers

    Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on 
Social Security of the Committee on Ways and Means, today announced 
that the Subcommittee hearing on use and misuse of Social Security 
numbers, previously scheduled for Thursday, July 10, 2003, at 10:00 
a.m., in room B-318 Rayburn House Office Building, will now be held at 
1:00 p.m. or immediately following the completion of the full Committee 
informal mark up of the Singapore and Chilean Free Trade Agreements.
      
    All other details for the hearing remain the same. (See 
Subcommittee Advisory No. SS-3, dated July 3, 2003).

                                 

    Chairman SHAW. I am sorry. We are a few minutes late 
starting, but we had a busy morning with our Committee. Good 
afternoon. Today, the Subcommittee will examine the use and 
misuse of Social Security Numbers (SSNs). Using the SSN as a 
personal identifier has proven both a blessing and a curse. On 
one hand, the public is served when governmental agencies can 
use the number in matching information from other sources to 
reduce program waste, fraud and abuse, or when law enforcement 
agencies employ SSNs to help track down criminals or deadbeat 
dads. On the other hand, easy access to these numbers and their 
widespread use has provided a new tool for identity thieves. 
Worse yet, terrorists use SSN fraud and identity theft to 
assimilate themselves into our society, as did those 
responsible for the September 11th attacks. Identity theft 
continues to threaten our national security. Identity theft is 
the fastest growing white collar crime, and no one is immune, 
but the public is increasingly recognizing the vulnerabilities 
of SSNs and is working to protect them. Businesses are taking 
steps on their own to move away from using SSNs and several 
States have passed legislation, including Texas just last week, 
to protect SSNs from public display.
    The Social Security Administration (SSA) serves as the 
front line of defense in ensuring the integrity of SSNs from 
the moment they are issued throughout the number holder's 
lifetime and even after his or her death, a responsibility the 
SSA takes very seriously. It is also responsible for ensuring 
the wages earned and Social Security benefits claimed on that 
number are only those of the number holder. As our witnesses 
will tell us, while the agency has taken steps to improve the 
number assignment process, there is still more to do to prevent 
people from fraudulently obtaining and using SSNs. However, 
protecting the privacy and accuracy of SSNs is not the SSA's 
responsibility alone. Employers and individuals have a 
responsibility for submitting correct information to the SSA or 
correcting erroneous information. The Internal Revenue Service 
(IRS) has responsibility for imposing appropriate penalties on 
employers who submit erroneous wage reports to the SSA. The 
Bureau of Citizenship and Immigration Services must better 
coordinate with the SSA in verifying eligibility for a SSN and 
acting on information regarding earnings reported to nonwork 
numbers. Lastly, every public agency that uses and shares SSNs 
has the responsibility to protect their privacy.
    The Subcommittee has been working on a bipartisan basis to 
protect the privacy of SSNs and prevent identity theft since 
the 106th Congress, when it first approved the Social Security 
Number Privacy and Identity Theft Prevention Act of 2000 (H.R. 
4857). In the 107th Congress I, along with Ranking Member 
Matsui and 80 other Members of Congress, reintroduced a similar 
bill. Mr. Kleczka, of our full Committee, has also been very 
active in this regard. Consideration of this legislation was 
rightly preempted by necessary congressional response to 9/11 
attacks. In coming days, Mr. Matsui and I will again introduce 
bipartisan legislation to restrict the sale and public display 
of SSNs, establish penalties for violations, limit 
dissemination of SSNs by credit reporting agencies, make it 
more difficult for businesses to deny services if a customer 
refuses to provide their SSN, and improve the integrity of the 
SSN assignment process. Congress must act this session to 
protect the very number it requires each of us to obtain and 
use throughout our lifetime. Providing for uses of SSNs that 
benefit the public while protecting these numbers from being 
used by criminals or even terrorists is a complex balancing 
act, as we found out in previous Congresses. We can make 
significant progress toward this goal by ensuring SSNs are 
assigned accurately, exchanged only when necessary, and 
protected from indiscriminate disclosure. I look forward to 
hearing from each of our witnesses, and thank them in advance 
for sharing with us their experiences and their 
recommendations. I understand Mr. Matsui is otherwise engaged 
this afternoon, and he has asked Mr. Cardin to sit in for him. 
The gentleman from Maryland.
    [The opening statement of Chairman Shaw follows:]
 Opening Statement of the Honorable E. Clay Shaw, Jr., Chairman, and a 
          Representative in Congress from the State of Florida
    Good afternoon. Today, the Subcommittee will examine the use and 
misuse of Social Security numbers.
    Using the Social Security number as a personal identifier has 
proved both a blessing and a curse. On one hand, the public is served 
when government agencies can use the number in matching information 
from other sources to reduce program waste, fraud and abuse, or when 
law enforcement agencies employ Social Security numbers to help track 
down criminals or deadbeat dads. On the other hand, easy access to 
these numbers and their widespread use has provided a new tool for 
identity thieves. Worse yet, terrorists use Social Security number 
fraud and identity theft to assimilate themselves into our society, as 
did those responsible for the September 11th attacks. Identity theft 
continues to threaten our national security.
    Identity theft is the fastest growing white collar crime, and no 
one is immune. But the public is increasingly recognizing the 
vulnerabilities of Social Security numbers and is working to protect 
them. Businesses are taking steps on their own to move away from using 
Social Security numbers, and several States have passed legislation, 
including Texas just last week, to protect SSNs from public display.
    The Social Security Administration serves as the front line of 
defense in ensuring the integrity of Social Security numbers from the 
moment they are issued, throughout the number-holder's lifetime, and 
even after his or her death--a responsibility the SSA takes very 
seriously. It is also responsible for ensuring the wages earned and 
Social Security benefits claimed on that number are only those of the 
number-holder. As our witnesses will tell us, while the agency has 
taken steps to improve the number assignment process, there is still 
more to do to prevent people from fraudulently obtaining and using 
Social Security numbers.
    However, protecting the privacy and the accuracy of Social Security 
numbers is not the Social Security Administration's responsibility 
alone. Employers and individuals have a responsibility for submitting 
correct information to the Social Security Administration, or 
correcting erroneous information. The Internal Revenue Service has 
responsibility for imposing appropriate penalties on employers who 
submit erroneous wage reports to the Social Security Administration. 
The Bureau of Citizenship and Immigration Services must better 
coordinate with the Social Security Administration in verifying 
eligibility for a Social Security number and acting on information 
regarding earnings reported to non-work numbers. Lastly, every public 
agency that uses and shares Social Security numbers has the 
responsibility to protect their privacy.
    This Subcommittee has been working on a bipartisan basis to protect 
the privacy of Social Security numbers and prevent identity theft since 
the 106th Congress when it first approved the Social Security Number 
Privacy and Identity Theft Prevention Act of 2000. In the 107th 
Congress, I, along with Ranking Member Matsui and 80 other Members of 
Congress reintroduced a similar bill. Consideration of this legislation 
was rightly preempted by necessary Congressional response to the 
September 11th attacks.
    In coming days, Mr. Matsui and I will again introduce bipartisan 
legislation to restrict the sale and public display of Social Security 
numbers, establish penalties for violations, limit dissemination of 
Social Security numbers by credit reporting agencies, make it more 
difficult for businesses to deny services if a customer refuses to 
provide their Social Security number, and improve the integrity of the 
Social Security number assignment process. Congress must act this 
session to protect the very number it requires each of us to obtain and 
use throughout our lifetime.
    Providing for uses of Social Security numbers that benefit the 
public while protecting these numbers from being used by criminals, or 
even terrorists, is a complex balancing act. We can make significant 
progress toward this goal by ensuring Social Security numbers are 
assigned accurately, exchanged only when necessary, and protected from 
indiscriminant disclosure.
    I look forward to hearing from each of our witnesses, and thank 
them in advance for sharing with us their experiences and their 
recommendations.

                                 

    Mr. CARDIN. Thank you, Chairman Shaw. Let me thank you for 
holding this hearing. I also want to thank you for your 
leadership on this very important issue. I also want to 
acknowledge Mr. Matsui and Mr. Kleczka for the work they have 
done on identity fraud and the use of SSNs. Mr. Chairman, it is 
noteworthy to point out this is our ninth hearing on this 
subject, and it is a commitment that we have to take action in 
this area. As you pointed out, identity theft is considered one 
of the fastest growing crimes in the United States, with an 
average of an estimated 700,000 people being affected last 
year. It can ruin an individual's good name and destroy their 
credit rating. It even has affected the credit ratings of their 
young children. While credit issuers have been willing to 
refund fraudulent charges, victims are still faced with the 
effects of poor credit, the time commitments of restoring their 
ratings with multiple credit bureaus and credit issuers and the 
fear and anxiety associated with knowing someone is using their 
personal information to charge goods and services.
    As a result of identity theft, victims have been turned 
down for jobs, mortgages and other important extensions of 
credit. So, therefore this is a very important subject, and we 
need to take action. As you pointed out, it even goes beyond 
the immediate problems of individuals that have found that the 
criminal elements, including terrorists, have used the identity 
of other people through SSNs in order to carry out their 
activities. We have a dilemma, the SSN is basically a national 
identifier. We have used it. We can't guarantee the 
confidentiality of that number, and therefore it can be used 
for identity theft. I am looking forward to the testimony from 
the U.S. General Accounting Office (GAO) and the Inspector 
General, who have been extremely helpful to us in coming 
forward with suggestions on how we can protect the 
confidentiality or use of the SSNs and how we can protect 
against identity theft. The bottom line is we need to take 
action in this area. The Chairman has indicated that he will be 
filing legislation shortly with Mr. Matsui. I can assure you we 
want to move forward as quickly as possible in a bipartisan way 
in order to try to help our people against this growing element 
of crime. Thank you, Mr. Chairman.
    Chairman SHAW. Thank you, Mr. Cardin. I would like to just 
point out I think that we share jurisdiction with two other 
committees with regard to this legislation. Our Committee has 
moved forward in the past but we need to bring the other 
committees along with us in order to have a complete 
comprehensive bill rather than just picking and choosing the 
small portions of which our Committee has jurisdiction. Any 
other Members have an opening statement? The record will remain 
open. Without objection, they will be included in the 
transcript. On our first panel are two old friends of this 
Committee, Barbara Bovbjerg, who is the Director of Education, 
Workforce, and Income Security Issues from the GAO, and she is 
accompanied by Dan Bertoni, I believe that is the correct 
pronunciation, who is the Deputy Director. From the SSA, we 
have the Honorable James Huse, who is the Inspector General. As 
you all well know, we have your full statement which will be 
made a part of the record. We invite you to summarize as you 
see fit. Ms. Bovbjerg.

    STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR, EDUCATION, 
WORKFORCE, AND INCOME SECURITY ISSUES, U.S. GENERAL ACCOUNTING 
      OFFICE; ACCOMPANIED BY DAN BERTONI, DEPUTY DIRECTOR

    Ms. BOVBJERG. Thank you, Mr. Chairman, and Members of the 
Subcommittee. I am pleased to be here again today--I don't 
think it has been nine times for me, but it has been a number--
to discuss issues associated with the integrity and use of the 
SSN. Although the SSN was originally created as a means to 
track workers' earnings and their eligibility for Social 
Security benefits, today the number is used for many non-Social 
Security purposes in both the public and private sectors. The 
wide use of SSNs causes concern because these numbers are among 
the personal identifiers most often sought by identity thieves. 
Today, I will present results of our completed and ongoing work 
on a variety of issues associated with the SSN. I would like to 
focus first on public and private sector use of the SSN and 
then, second, on the role of the SSA in preventing the 
proliferation of false identities. My testimony is based on a 
report we did for this Subcommittee on government uses of the 
SSN and on ongoing work that focuses on private sector uses and 
on SSA's role in assigning SSNs and verifying them for others. 
I have so much material today that is relevant to this hearing 
and some visual aids to illustrate my points, I would ask to 
speak longer than the usual 5 minutes. I hope that will be 
acceptable to the Subcommittee. I will try not to prey on your 
good nature for very much longer.
    Let me speak first about public and private uses. We 
reported last year that Federal, State, and county agencies 
rely extensively on the SSN. Although government agencies told 
us of various steps they take to safeguard the SSNs they use, 
we found that key protections are not uniformly in place at any 
level of government. We also found that some Federal agencies 
and many of the State and county agencies we surveyed, 
including courts in all the three levels of government, 
maintain public records that contain SSNs. Public records are 
documents routinely made available to the public for inspection 
such as marriage licenses or property transactions. For 
customer service reasons, some public officials told us they 
were considering making such records available on their 
websites. Because such actions would create new opportunities 
for identity thieves to gather SSNs from public records on a 
broad scale, we are beginning work for this Subcommittee to 
examine the extent to which SSNs in public records are already 
accessible on the Internet. Although we are not far along 
enough in this work to report the results today, I can assure 
you that we have already found SSNs in several public websites.
    With regard to the private sector, we are finding that 
companies too are increasingly using SSNs, often collecting 
them from customers as a condition for providing service. For 
example, consumer reporting agencies (CRAs) build and maintain 
credit histories around an individuals' name, address, and SSN. 
The CRAs obtain SSNs from individuals who seek credit and from 
information resellers and public records. Some businesses 
aggregate information, including SSNs, from various public and 
private sources for resale. They obtain data from public 
records like bankruptcy proceedings, tax liens, and voter 
registration rolls--and from private compilations like 
telephone directories. These businesses combine and resell this 
information to a variety of customers. The ones we contacted 
told us that to comply with current law they generally limit 
their services to customers who establish accounts with them 
and with whom they have contracts that restrict the extent to 
which the data purchased can be redisclosed.
    Despite protections such as these, large databases of 
information still represent a vulnerability for Americans. In 
the course of our work we have identified numerous instances in 
which the public and private databases have been compromised 
and personal data, including SSNs, stolen. Such cases 
illustrate the vulnerability of these databases to criminal 
misuse. Let me turn now to the role of the SSA in preventing 
the proliferation of false identities. This Subcommittee asked 
us to examine two aspects of the SSA role: SSA's assignment of 
new SSNs, a process called enumeration, and SSA's verification 
of SSNs for State driver's licensing agencies. Our review of 
SSA's enumeration process found that SSA has begun to implement 
important new policies and procedures to prevent the 
inappropriate assignment of SSNs to noncitizens. For example, 
SSA has required staff to verify identity information and 
immigration status with the U.S. Department of State and the 
U.S. Department of Homeland Security prior to issuing an SSN. 
The SSA has also begun implementation of a program called 
Enumeration at Entry, where an applicant's information is 
vetted by the Department of Homeland Security and the 
Department of State before the applicants enter the United 
States. In addition, the SSA has created a special center in 
Brooklyn, New York to focus solely on enumeration and 
verification.
    These three initiatives all hold promise of improved 
enumeration accuracy. However, the enumeration process overall 
still has vulnerabilities that could result in fraudulent use 
of Social Security cards and SSNs. I am speaking specifically 
of replacement Social Security cards and policies regarding 
SSNs for children under the age of 1. Let me turn to those now. 
As to replacement cards, SSA policy currently allows 
individuals to obtain up to 52 replacement cards a year. That 
is one a week. Of the 18 million cards SSA issued last year, 
12.4 million, or almost 70 percent, were replacements. While 
SSA requires noncitizens to provide the same identity and 
immigration information that they need to obtain an original 
card when they get a replacement, citizens can use things like 
health insurance cards or church memberships when they apply 
for replacements. The ease of obtaining replacements creates 
the potential that these cards can be accumulated and sold to 
those not eligible for their own cards. This is an obvious 
vulnerability that should be better controlled.
    With regard to enumerating young children, although SSA 
revised its policies to require that field staff obtain 
verification of birth records for most U.S.-born individuals 
applying for enumeration, agency policy requires only visual 
inspection of a birth certificate for children under the age of 
1. Although such visual inspection can identify false 
documents, and indeed we found an instance where an alert 
Social Security field office staff member did identify a false 
birth certificate, we were able ourselves to create false 
documents and enumerate two nonexistent infants; the documents 
we used to do this are shown in the exhibit on your right. It 
is the left board, and I believe you have that in your packets 
in front of you. We have full names and other identifying 
information blacked out for security reasons. To support our 
applications for these cards, we used fake documents that you 
see on the left under the heading, ``counterfeit documents.'' 
We used birth certificates and certificates of baptism for both 
of the applications we made. In one we used an employer 
identification card. In the other we also used a State driver's 
license to provide identification for the so-called parents who 
were applying for this infant's card. We created these 
documents with inexpensive, commercially-available software. 
You see the results on the right. We received one card already, 
and the written assurance below is that the other card is in 
the mail. After receiving these cards for children who do not 
exist we could have passed them to someone who is not eligible 
for a SSN. We wouldn't do that, but it is a clear vulnerability 
that SSA needs to address.
    Let me now move on to SSA's verification of information for 
State driver's licensing agencies. Since driver's licenses are 
a widely accepted form of identification, the agencies that 
issue such licenses can be focal points for identity fraud. The 
SSA has a verification service in place that allows State 
agencies to verify the name, date of birth, and SSN of driver's 
license applicants. In our work for this Subcommittee and the 
House Judiciary Committee, we have found that 25 States have 
used the SSA service, but they have not all used it regularly. 
Most of them use the online verification method, but a few use 
only the batch method, which takes longer but costs less to 
use. States that don't use either verification method told us 
they were concerned about start-up costs and system 
performance. Indeed, there are 10 States awaiting improvement 
to the online verification system's capacity before they can be 
allowed to use it. Others already using the system have scaled 
back their use because of capacity problems.
    In addition to the capacity problems the system has 
experienced, we also identified a key weakness in the batch 
method that exposes States to a higher risk of fraud. Unlike 
the online method, batch does not match verification requests 
against SSA's death records. As a result, the batch method will 
verify the name and SSN of a dead person as an accurate record. 
We observed this ourselves and again we have prepared a visual 
to illustrate--the one on the right. Our undercover 
investigators were able to obtain licenses in two States that 
use the batch verification method. We presented counterfeit 
identity documents that contain the name, data of birth, and 
SSN of a dead person to motor vehicle agencies in these States. 
In one instance, you can see we presented a fake birth 
certificate, a military identification, and a Social Security 
card. In another, we presented only the fake Social Security 
card and a fake driver's license from another State. In both 
instances, we received the driver's licenses you see before you 
on the right. The ease with which our staff were able to obtain 
these licenses suggests that the batch method must change and 
must change immediately to protect the State driver's licensing 
system. Our report on this topic will be issued in September 
and is likely to contain recommendations to improve SSA's 
verification systems, both online and batch.
    In conclusion, let me say that SSNs are used for many 
beneficial purposes, but as we all know SSNs are also used for 
illegal financial gain and for immigration fraud. While most 
uses are for the benefit of the taxpayer and to ease the 
provision of various services such as granting credit, this 
personal information is not always adequately protected. 
Further, those who would live in the United States illegally 
have sought not just stolen SSNs, but their own Social Security 
cards and driver's licenses--fraudulently obtained, of course. 
The SSA has an important role to play both in limiting the 
issuance of SSNs only to those who are eligible to have them 
and to verifying personal information for State driver's 
licensing agencies. While progress is being made on both these 
fronts, we have demonstrated the vulnerabilities that remain. 
We look forward to continuing work with this Subcommittee to 
strengthen needed protections to ensure that false identities 
are not readily available to those who would harm the United 
States and its people. That concludes my statement, Mr. 
Chairman. I really appreciate the extra time, and I am here to 
answer any questions.
    [The prepared statement of Ms. Bovbjerg follows:]
 Statement of Barbara D. Bovbjerg, Director, Education, Workforce, and 
Income Security Issues, U.S. General Accounting Office; accompanied by 
                      Dan Bertoni, Deputy Director
    Mr. Chairman and Members of the Subcommittee:
    I am pleased to be here today to discuss ways to better protect 
Social Security Numbers (SSNs) to help prevent the proliferation of 
false identities whether for financial misuse or for assuming an 
individual's identity. Although the Social Security Administration 
(SSA) originally created SSNs as a means to track worker's earnings and 
eligibility for Social Security benefits, over time the SSN has come to 
be used for a myriad of purposes. As you know, SSNs are a key piece of 
information in creating false identities. Allegations of SSN misuse 
include, for example, incidents where a criminal uses the SSN of 
another individual for the purpose of fraudulently obtaining credit, 
acquiring goods, violating immigration laws, or fleeing the criminal 
justice system.
    Although Congress has passed a number of laws to protect the 
security of personal information, the continued use of and reliance on 
SSNs by private and public sector entities and the potential for misuse 
underscores the importance of identifying areas that can be further 
strengthened. Accordingly, you asked us to talk about the uses of SSNs 
and ways that the integrity of the SSN may be preserved. My remarks 
today will focus on describing (1) public and private sector use and 
display of SSNs, and (2) SSA's role in preventing the proliferation of 
false identities. My testimony is based on a report we did for this 
subcommittee on government uses of the SSN,\1\ ongoing work that 
focuses on private sector SSN uses, and work we are completing on SSA's 
enumeration process and the agency's verification of SSNs for state 
driver licensing.
---------------------------------------------------------------------------
    \1\ U.S. General Accounting Office, Social Security Numbers: 
Government Benefits from SSN Use but Could Provide Better Safeguards, 
GAO-02-352 (Washington D.C.: May 31, 2002).
---------------------------------------------------------------------------
    In summary, public and some private sector entities rely 
extensively on SSNs. We reported last year that federal, state and 
county government agencies rely extensively on the SSN to manage 
records, verify eligibility of benefit applicants, collect outstanding 
debt, and conduct research and program evaluations. SSNs are also 
displayed on a number of public record documents that are routinely 
made available to the public. To improve customer service, some state 
and local government entities are considering placing more public 
records on the Internet. In addition, some private sector entities have 
come to rely on the SSN as an identifier, using it and other 
information to accumulate information about individuals. This is 
particularly true of entities that amass public and private data, 
including SSNs, for resale. Certain laws have helped to restrict the 
use of SSN and other information by these private sector entities to 
specific purposes. However, as a result of the increased use and 
availability of SSN information and other data, more and more personal 
information is being centralized into various corporate and public 
databases. Because SSNs are often the identifier of choice among 
individuals seeking to create false identities, to the extent that 
personal information is aggregated in public and private sector 
databases it becomes vulnerable to misuse.
    As the agency responsible for issuing SSNs and maintaining the 
earnings records and other personal information for millions of SSN 
holders, SSA plays a unique role in helping to prevent the 
proliferation of false identities. Following the events of September 
11, 2001, SSA formed a task force to address weaknesses in the 
enumeration process and developed major new initiatives to prevent the 
inappropriate assignment of SSNs to non-citizens, who represent the 
bulk of new SSNs issued by SSA's 1,300 field offices. For example, SSA 
now requires field staff to independently verify the identity 
information and immigration status of all non-citizen applicants with 
the Department of Homeland Security (DHS), prior to issuing an SSN. 
However, some SSA field staff are relying exclusively on the DHS 
verification system, while neglecting other standard practices for 
visually inspecting documents. SSA's automated system for assigning 
SSNs also does not prevent the issuance of an SSN if staff by-pass 
required verification steps. Other areas remain vulnerable and could be 
targeted by those seeking fraudulent SSNs. These include SSA's process 
for assigning social security numbers for children under age one and 
issuing replacement social security cards. In addition to its 
enumeration process, SSA provides a service to states to verify the 
SSNs of individuals seeking driver's licenses. We found that fewer than 
half the states have used SSA's service and the extent to which they 
regularly use the service varies widely across states. Factors such as 
cost, problems with system reliability, and state priorities and 
policies determine whether or not states use SSA's service. We also 
identified a weakness in SSA's verification service that exposes some 
states to fraud by those who would use the SSN of a deceased 
individual.
BACKGROUND
    The Social Security Act of 1935 authorized the Social Security 
Administration to establish a recordkeeping system to help manage the 
Social Security program, and resulted in the creation of the SSN. 
Through a process known as ``enumeration,'' unique numbers are created 
for every person as a work and retirement benefit record for the Social 
Security program. Today, SSNs are generally issued to most U.S. 
citizens and are also available to, non-citizens lawfully admitted to 
the U.S. with permission to work. Lawfully admitted non-citizens may 
also qualify for a SSN for nonwork purposes when a federal, state, or 
local law requires an SSN to obtain a particular welfare benefit or 
service. SSA is required to verify information from such applicants 
regarding their age, identity, foreign citizenship, and immigration 
status. Most of the agency's enumeration workload involves U.S. 
citizens who generally receive SSNs via SSA's birth registration 
process handled by hospitals. However, individuals seeking SSNs can 
also apply in-person at any of SSA's field locations, through the mail, 
or via the Internet.
    The uniqueness and broad applicability of the SSN have made it the 
identifier of choice for government agencies and private businesses, 
both for compliance with federal requirements and for the agencies' and 
businesses' own purposes. In addition, the boom in computer technology 
over the past decades has prompted private businesses and government 
agencies to rely on SSNs as a way to accumulate and identify 
information for their databases. As such, SSNs are often the identifier 
of choice among individuals seeking to create false identities. Law 
enforcement officials and others consider the proliferation of false 
identities to be one of the fastest growing crimes today. In 2002, the 
Federal Trade Commission received 380,103 consumer fraud and identity 
theft complaints, up from 139,007 in 2000.\2\ In 2002, consumers also 
reported losses from fraud of more than $343 million. In addition, 
identity crime accounts for over 80 percent of social security number 
misuse allegations according to the SSA.
---------------------------------------------------------------------------
    \2\ Identity theft records broken out of consumer fraud totaled per 
year: 31,117 (2000), 86,198 (2001), and 161,819 (2002).
---------------------------------------------------------------------------
PUBLIC AND PRIVATE SECTOR USES AND DISPLAY OF SSNS
    As we reported to you last year, federal, state, and county 
government agencies use SSNs.\3\ When these entities administer 
programs that deliver services and benefits to the public, they rely 
extensively on the SSNs of those receiving the benefits and services. 
Because SSNs are unique identifiers and do not change, the numbers 
provide a convenient and efficient means of managing records. They are 
also particularly useful for data sharing and data matching because 
agencies can use them to check or compare their information quickly and 
accurately with that from other agencies. In so doing, these agencies 
can better ensure that they pay benefits or provide services only to 
eligible individuals and can more readily recover delinquent debts 
individuals may owe. In addition to using SSNs to deliver services or 
benefits, agencies also use or share SSNs to conduct statistical 
research and program evaluations. Moreover, most of the government 
departments or agencies we surveyed use SSNs to varying extents to 
perform some of their responsibilities as employers, such as paying 
their employees and providing health and other insurance benefits.
---------------------------------------------------------------------------
    \3\ U.S. General Accounting Office, Social Security Numbers: 
Government Benefits from SSN Use but Could Provide Better Safeguards, 
GAO-02-352 (Washington D.C.: May 2002).
---------------------------------------------------------------------------
    Many of the government agencies we surveyed in our work last year 
reported maintaining public records that contain SSNs. This is 
particularly true at the state and county level where certain offices 
such as state professional licensing agencies and county recorders' 
offices have traditionally been repositories for public records that 
may contain SSNs. These records chronicle the various life events and 
other activities of individuals as they interact with the government, 
such as birth certificates, professional licenses, and property title 
transfers. Generally, state law governs whether and under what 
circumstances these records are made available to the public, and they 
vary from state to state. They may be made available for a number of 
reasons, including the presumption that citizens need key information 
to ensure that government is accountable to the people. Certain records 
maintained by federal, state, and county courts are also routinely made 
available to the public. In principle, these records are open to aid in 
preserving the integrity of the judicial process and to enhance public 
trust and confidence in the judicial process. At the federal level, 
access to documents generally has its grounding in common law and 
constitutional principles. In some cases, public access is also 
required by statute, as is the case for papers filed in a bankruptcy 
proceeding. As with federal courts, requirements regarding access to 
state and local court records may have a state common law or 
constitutional basis or may be based on state laws.
    Although public records have traditionally been housed in 
government offices and court buildings, to improve customer service, 
some state and local government entities are considering placing more 
public records on the Internet. Because such actions would create new 
opportunities for gathering SSNs from public records on a broad scale, 
we are beginning work for this subcommittee to examine the extent to 
which SSNs in public records are already accessible via the Internet.
    In our current work, we found that some private sector entities 
also rely extensively on the SSN. Businesses often request an 
individual's SSN in exchange for goods or services. For example, some 
businesses use the SSN as a key identifier to assess credit risk, track 
patient care among multiple providers, locate bankruptcy assets, and 
provide background checks on new employees. In some cases, businesses 
require individuals to submit their SSNs to comply with federal laws 
such as the tax code. Currently, there is no law that prohibits 
businesses from requiring a person's SSN as a condition of providing 
goods and services. If an individual refuses to give his or her SSN to 
a company or organization, they can be refused goods and services 
unless the SSN is provided.
    To build on previous work we did to determine certain private 
sector entities use of SSNs, we have focused our initial private sector 
work on information resellers and consumer reporting agencies 
(CRAs).\4\ Some of these entities have come to rely on the SSN as an 
identifier to accumulate information about individuals, which helps 
them determine the identity of an individual for purposes such as 
employment screening, credit information, and criminal histories. This 
is particularly true of entities, known as information resellers, who 
amass personal information, including SSNs. Information resellers often 
compile information from various public and private sources.\5\ These 
entities provide their products and services to a variety of customers, 
although the larger ones generally limit their services to customers 
that establish accounts with them, such as entities like law firms and 
financial institutions. Other information resellers often make their 
information available through the Internet to persons paying a fee to 
access it.
---------------------------------------------------------------------------
    \4\ U.S. General Accounting Office, Social Security: Government and 
Commercial Use of the Social Security Number is Widespread, GAO/HEHS-
99-28 (Washington, D.C.: Feb. 16, 1999.)
    \5\ The information compiled may include public records of 
bankruptcy, tax liens, civil judgments, criminal histories, deaths, 
real estate ownership, driving histories, voter registration, and 
professional licenses. Private data sources include information from 
telephone directories and copyrighted publications.
---------------------------------------------------------------------------
    CRAs are also large private sector users of SSNs. These entities 
often rely on SSNs, as well as individuals' names and addresses to 
build and maintain credit histories. Businesses routinely report 
consumers' financial transactions, such as charges, loans, and credit 
repayments to CRAs. CRAs use SSNs to determine consumers' identities 
and ensure that incoming consumer account data is matched correctly 
with information already on file.
    Certain laws such as the Fair Credit Reporting Act, the Gramm-
Leach-Bliley Act, and the Driver's Privacy Protection Act have helped 
to limit the use of personal information, including SSNs, by 
information resellers and CRAs. These laws limit the disclosure of 
information by these entities to specific circumstances. In our 
discussion with some of the larger information resellers and CRAs, we 
were told that they have to take specific actions to adhere to these 
laws, such as establishing contracts with their clients specifying that 
the information they obtain will be used only for accepted purposes 
under the law.
    The extensive public and private sector uses of SSNs and 
availability of public records and other information, especially via 
the Internet, has allowed individuals' personal information to be 
aggregated into multiple databases or centralized locations. In the 
course of our work, we have identified numerous examples where public 
and private databases have been compromised and personal data, 
including SSNs, has been stolen. In some instances, the display of SSNs 
in public records and easily accessible websites provided the 
opportunity for identity thieves. In other instances, databases not 
readily available to outsiders have had their security breached by 
employees with access to key information. For example, in our current 
work, we identified a case where two individuals obtained the names and 
SSNs of 325 high-ranking United States military officers from a public 
Website, then used those names and identities to apply for instant 
credit at a leading computer company. Although criminals have not 
accessed all public and private databases, such cases illustrate that 
these databases are vulnerable to criminal misuse.
SSA HAS A ROLE IN PREVENTING SSNS FROM BEING USED TO CREATE FALSE 
        IDENTITIES BUT SOME AREAS REMAIN VULNERABLE
    Because SSA is the issuer and custodian of SSN data, SSA has a 
unique role in helping to prevent the proliferation of false 
identities. Following the events of September 11, 2001, SSA began 
taking steps to increase management attention on enumeration and formed 
a task force to address weaknesses in the enumeration process. As a 
result of this effort, SSA has developed major new initiatives to 
prevent the inappropriate assignment of SSNs to non-citizens. However, 
our preliminary findings to date identified some continued 
vulnerabilities in the enumeration process including SSA's process for 
issuing replacement Social Security cards and assigning SSNs to 
children under age one. SSA is also increasingly called upon by states 
to verify the identity of individuals seeking driver licenses. We found 
that fewer than half the states have used SSA's service and the extent 
to which they regularly use the service varies widely. Factors such as 
costs, problems with system reliability, and state priorities have 
affected states use of SSA's verification service. We also identified a 
key weakness in the service that exposes some states to inadvertently 
issuing licenses to individuals using the SSNs of deceased individuals. 
We plan to issue reports on these issues in September that will likely 
contain recommendations to improve SSA's enumeration process and its 
SSN verification service.
SSA's Enumeration Process Helps Prevent the Proliferation of False 
        Identities, but Additional Actions are Needed to Safeguard the 
        Issuance of SSNs
    SSA has increased document verifications and developed new 
initiatives to prevent the inappropriate assignment of Social Security 
numbers (SSNs) to non-citizens who represent the bulk of all initial 
SSNs issued by SSA's 1,300 field offices. However, in some key areas, 
weaknesses remain. SSA has increased document verifications by 
requiring independent verification of the documents and immigration 
status of all non-citizen applicants with the issuing agency--namely 
the Department Homeland Security (DHS) and Department of State (State 
Department) prior to issuing the SSN. However, in our audit work, we 
found that many field offices are relying heavily on DHS's verification 
service, while neglecting standard, in-house practices for visually 
inspecting and verifying identity documents. We also found that while 
SSA has made improvements to its automated system for assigning SSNs, 
the system is not designed to prevent the issuance of an SSN if field 
staff by-pass essential verification steps. SSA also has begun 
requiring foreign students to show proof of their full-time enrollment, 
but does not require field staff to verify with the school the 
students' enrollment or their authorization to work. Consequently, SSNs 
for non-citizen students may still be improperly issued.
    SSA has also undertaken other new initiatives to shift the burden 
of processing non-citizen applications from its field offices. SSA 
recently piloted a specialized center in Brooklyn, New York, which 
focuses exclusively on enumeration and utilizes the expertise of DHS 
document examiners and SSA's OIG investigators. However, the future of 
this pilot project and DHS' participation has not yet been determined. 
Meanwhile, in late 2002, SSA began a phased implementation of a long-
term process to issue SSNs to non-citizens at the point of entry into 
the United States, called ``Enumeration at Entry'' (EAE). EAE offers 
the advantage of using State Department and DHS expertise to 
authenticate information provided by applicants for subsequent 
transmission to SSA who then issues the SSN. Currently, EAE is limited 
to immigrants age 18 and older who have the option of applying for an 
SSN at one of the 127 State posts worldwide that issue immigrant visas. 
SSA has experienced problems with obtaining clean records from both the 
State Department and DHS, but plans to continue expanding the program 
over time to include other non-citizen groups, such as students and 
temporary visitors. The agency also intends to evaluate the initial 
phase of EAE in conjunction with the State Department and DHS. However, 
this evaluation has not yet been planned or scheduled.
    While SSA has embarked on these new initiatives, it has not 
tightened controls in two key areas of its enumeration process that 
could be exploited by individuals seeking fraudulent SSNs. One area is 
the assignment of SSNs to children under age one. Prior work by SSA's 
Inspector General identified the assignment of SSNs to children as an 
area prone to fraud because SSA did not independently verify the 
authenticity of various state birth certificates. Despite the training 
and guidance provided to field office employees, the OIG found that the 
quality of many counterfeit documents was often too good to detect 
simply by visual inspection. Last year, SSA revised its policies to 
require that field staff obtain independent third party verification of 
the birth records for U.S.-born individuals age one and older from the 
state or local bureau of vital statistics prior to issuing an SSN 
card.\6\ However, SSA left in place its policy for children under age 
one and continues to require only a visual inspection of documents, 
such as birth records.
---------------------------------------------------------------------------
    \6\ Most U.S.-born individuals receive a SSN through a process SSA 
refers to as Enumeration-at-Birth (EAB). Under EAE parents can apply 
for a SSN for their newborn child at the hospital as part of the birth 
registration process. Under this process hospitals send birth 
registration information to a state or local bureau of vital statistics 
where it is put into a database. SSA accepts the data captured during 
the birth registration process as evidence of age, identity, and 
citizenship, and assigns the child an SSN without further parental 
involvement. The appropriate bureau of vital statistics forwards SSA 
the required information, usually by electronic means. Once SSA 
receives the required information, it performs edits, assigns the SSN 
and issues the card.
---------------------------------------------------------------------------
    SSA's policies relating to enumerating children under age one 
expose the agency to fraud. During our fieldwork, we found an example 
of a non-citizen who submitted a counterfeit birth certificate in 
support of an SSN application for a fictitious U.S. born child under 
age one. In this case, the SSA field office employee identified the 
counterfeit state birth certificate by comparing it with an authentic 
one. However, SSA staff acknowledged that if a counterfeit out-of-state 
birth certificate had been used, SSA would likely have issued the SSN 
because of staff unfamiliarity with the specific features of the 
numerous state birth certificates. Further, we were able to prove the 
ease with which individuals can obtain SSNs by exploiting SSA's current 
processes. Working in an undercover capacity our investigators were 
able to obtain two SSNs. By posing as parents of newborns, they 
obtained the first SSN by applying in-person at a SSA field office 
using a counterfeit birth certificate and baptismal certificate. Using 
similar documents, a second SSN was obtained by our investigators who 
submitted all material via the mail. In both cases, SSA staff verified 
our counterfeit documents as being valid. SSA officials told us that 
they are re-evaluating their policy for enumerating children under age 
one. However, they noted that parents often need an SSN for their child 
soon after birth for various reasons such as for income tax purposes. 
They acknowledge that a challenge facing the agency is to strike a 
better balance between serving the needs of the public and ensuring SSN 
integrity.
    In addition to the assignment of SSNs to children under the age of 
one, SSA's policy for replacing Social Security cards also increases 
the potential for misuse of SSNs. SSA does not limit the number of 
replacement cards individuals can receive. Of the 18 million cards 
issued by SSA in FY2002, 12.4 million, or 69 percent, were replacement 
cards. More than 1 million of these cards were issued to non-citizens. 
In several of the field offices we visited, replacement cards 
represented 70 percent of the total enumeration workload. While SSA 
requires non-citizens applying for a replacement card to provide the 
same identity and immigration information as if they were applying for 
an original SSN, SSA's evidence requirements for citizens are much less 
stringent. Citizens applying for a replacement card need not prove 
their citizenship; they may use as proof of identity such documents as 
a driver's license, passport, employee identification card, school 
identification card, church membership or confirmation record, life 
insurance policy, or health insurance card. The ability to obtain 
numerous replacement SSN cards with less documentation creates a 
condition for requestors to obtain SSNs for a wide range of illicit 
uses including selling them to non-citizens. These cards can be sold to 
individuals seeking to hide or create a new identity, perhaps for the 
purpose of some illicit activity. SSA told us the agency is considering 
limiting the number of replacement cards with certain exceptions such 
as for name changes, administrative errors, and hardships. However, 
they cautioned that while support exists for this change within the 
agency, some advocacy groups oppose such a limit.
    Field staff we interviewed told us that despite their reservations 
regarding individuals seeking excessive numbers of replacement cards, 
they were required under SSA policy to issue the cards. Many of the 
field office staff and managers we spoke to acknowledged that the 
current policy weakens the integrity of SSA's enumeration process.
SSA's Verification of Driver Licenses Applicants Helps Prevent 
        Fraudulent Documents, but Vulnerabilities Still Exist
    The events of September 11th, 2001 focused attention on the 
importance of identifying people who use false identity information or 
documents, particularly in the driver licensing process. Driver 
licenses are a widely accepted form of identification that individuals 
frequently use to obtain services or benefits from federal and state 
agencies, open a bank account, request credit, board an airplane, and 
carry on other important activities of daily living. For this reason, 
driver licensing agencies are points at which individuals may attempt 
to fraudulently obtain a license using a false name, social security 
number (SSN), or other documents such as birth certificates to secure 
this key credential.
    Given that most states collect SSNs during the licensing process, 
SSA is uniquely positioned to help states verify the identity 
information provided by applicants. To this end, SSA has a verification 
service in place that allows state driver licensing agencies to verify 
the SSN, name, and date of birth of customers with SSA's master file of 
SSN owners. States can transmit requests for SSN verification in two 
ways. One is by sending multiple requests together, called the 
``batch'' method, to which SSA reports it generally responds within 48 
hours. The other way is to send an individual request on-line, to which 
SSA responds immediately.
    Twenty-five states have used the batch or on-line method to verify 
SSNs with SSA and the extent to which they use the service on a regular 
basis varies. About three-fourths of the states that rely on SSA's 
verification service used the on-line method or a combination of the 
on-line and batch method, while the remaining states used the batch 
method exclusively. Over the last several years, batch states estimated 
submitting over 84 million batch requests to SSA compared to 13 million 
requests submitted by on-line users. States' use of SSA's on-line 
service has increased steadily over the last several years. However, 
the extent of use has varied significantly, with 5 states submitting 
over 70 percent of all on-line verification requests and one state 
submitting about one-third of the total.
    Various factors, such as costs, problems with system reliability, 
and state priorities affect states' decisions regarding use of SSA's 
verification service. In addition to the per-transaction fees that SSA 
charges, states may incur additional costs to set up and use SSA's 
service, including the cost for computer programming, equipment, 
staffing, training, and so forth. Moreover, states' decisions about 
whether to use SSA's service, or the extent to which to use it, are 
also driven by internal policies, priorities, and other concerns. For 
example, some of the states we visited have policies requiring their 
driving licensing agencies to verify all customers' SSNs. Other states 
may limit their use of the on-line method to certain targeted 
populations, such as where fraud is suspected or for initial licenses, 
but not for renewals of in-state licenses. The non-verifying states we 
contacted expressed reluctance to use SSA's verification service based 
on performance problems they had heard were encountered by other 
states. Some states cited concerns about frequent outages and slowness 
of the on-line system. Other states mentioned that the extra time to 
verify and resolve SSN problems could increase customer waiting times 
because a driver license would not be issued until verification was 
complete.
    Indeed, weaknesses in SSA's design and management of its SSN on-
line verification services have limited its usefulness and contributed 
to capacity and performance problems. SSA used an available 
infrastructure to set up the system and encountered capacity problems 
that continued and worsened after the pilot phase. The capacity 
problems inherent in the design of the on-line system have affected 
state use of SSA's verification service. Officials in one state told us 
that they have been forced to scale back their use of the system 
because they were told by SSA that their volume of transactions were 
overloading the system. In addition, because of issues related to 
performance and reliability, no new states have used the service since 
the summer of 2002. At the time of our review, 10 states had signed 
agreements with SSA and were waiting to use the on-line system and 17 
states had received funds from Department of Transportation for the 
purpose of verifying SSNs with SSA. It is uncertain how many of the 17 
states will ultimately opt to use SSA's on-line service. However, even 
if they signed agreements with SSA today, they may not be able to use 
the service until the backlog of waiting states is addressed. More 
recently, SSA has made some necessary improvements to increase system 
capacity and to refocus its attention to the day-to-day management of 
the service. However, at the time of our review, the agency still has 
not established goals for the level of service it will provide to 
driver licensing agencies.
    In reviewing SSA's verification service, we identified a key 
weakness that exposes some states to issuing licenses to applicants 
using the personal information of deceased individuals. Unlike the on-
line service, SSA does not match batch requests against its nationwide 
death records. As a result, the batch method will not identify and 
prevent the issuance of a license in cases where an SSN name and date 
of birth of a deceased individual is being used. SSA officials told us 
that they initially developed the batch method several years ago and 
they did not design the system to match SSNs against its death files. 
However, in developing the on-line system for state driver licensing 
agencies, a death match was built into the new process. At the time of 
our review, SSA acknowledged that it had not explicitly informed states 
about the limitation of the batch service.
    Our own analysis of one month of SSN transactions submitted to SSA 
by one state using the batch method identified at least 44 cases in 
which individuals used the SSN, name, and date of birth of persons 
listed as deceased in SSA's records to obtain a license or an 
identification card.\7\ We forwarded this information to state 
investigators who quickly confirmed that licenses and identification 
cards had been issued in 41 cases and were continuing to investigate 
the others. To further assess states' vulnerability in this area, our 
own investigators working in an undercover capacity were able to obtain 
licenses in two batch states using a counterfeit out-of-state license 
and other fraudulent documents and the SSNs of deceased persons. In 
both states, driver licensing employees accepted the documents we 
submitted as valid. Our investigators completed the transaction in one 
state and left with a new valid license.\8\ In the second state, the 
new permanent license arrived by mail within weeks. The ease in which 
they were able to obtain these licenses confirmed the vulnerability of 
states currently using the batch method as a means of SSN verification. 
Moreover, states that have used the batch method in prior years to 
clean up their records and verify the SSNs of millions of driver 
license holders, may have also unwittingly left themselves open to 
identity theft and fraud.
---------------------------------------------------------------------------
    \7\ SSA's death records may contain inaccuracies because SSA 
records all reports of death but only verifies those involving benefit 
payments.
    \8\ This state does not use SSA's batch verification process for 
initial licenses, but only for license renewals. Therefore, the use of 
the deceased person's SSN will not be caught by the system when the 
state ultimately verifies it using the batch method.
---------------------------------------------------------------------------
CONCLUSIONS
    The use of SSNs by both public and sector entities is likely to 
continue given that it is used as the key identifier by most of these 
entities and there is currently no other widely accepted alternative. 
To help control such use, certain laws have helped to safeguard such 
personal information, including SSNs, by limiting disclosure of such 
information to specific purposes. To the extent that personal 
information is aggregated in public and private sector databases, it 
becomes vulnerable to misuse. In addition, to the extent that public 
record information becomes more available in an electronic format, it 
becomes more vulnerable to misuse. The ease of access the Internet 
affords could encourage individuals to engage in information gathering 
from public records on a broader scale than they could before when they 
had to visit a physical location and request or search for information 
on a case-by-case basis.
    SSA has made substantial progress in protecting the integrity of 
the SSN by requiring that the immigration and work status of every non-
citizen applicant be verified before an SSN is issued. However, without 
further system improvements and assurance that field offices will 
comply fully with the new policies and procedures this effort may be 
less effective than it could be. Further, as SSA closes off many 
avenues of unauthorized access to SSNs, perpetrators of fraud will 
likely shift their strategies to less protected areas. In particular, 
SSA's policies for enumerating children and providing unlimited numbers 
of replacement cards may well invite such activity, unless they too are 
modified.
    State driver license agencies face a daunting task in ensuring that 
the identity information of those to whom they issues licenses is 
verified. States effectiveness verifying individual's identities is 
often dependent on several factors, including the receipt of timely and 
accurate identity information from SSA. Unfortunately, design and 
management weaknesses associated with SSA's verification service have 
limited its effectiveness. States that are unable to take full 
advantage of the service and others that are waiting for the 
opportunity to use it remain vulnerable to identity crimes. In 
addition, states that continue to rely primarily or partly on SSA's 
batch verification service still risk issuing licenses to individuals 
using the SSNs and other identity information of deceased individuals. 
This remains a critical flaw in SSA's service and states' efforts to 
strengthen the integrity of the driver license.
    GAO is preparing to publish reports covering the work I have 
summarized within the next several months, which will include 
recommendations aimed at ensuring the integrity of the SSN. We look 
forward to continuing to work with this Subcommittee on these important 
issues. I would be happy to respond to any questions you or other 
members of the Subcommittee may have.
CONTACTS AND ACKNOWLEDGMENTS
    For further information regarding this testimony, please contact 
Barbara D. Bovbjerg, Director, or Dan Bertoni, Assistant Director, 
Education, Workforce, and Income Security at (202) 512-7215. 
Individuals making key contributions to this testimony include Mindy 
Bowman, Alicia Cackley, Tamara Cross, Patrick DiBattista, Melissa 
Hinton, Jason Holsclaw, George Scott, Jacquelyn Stewart, and Tony 
Wysocki.

                                 

    Chairman SHAW. Very good. We appreciate your testimony. Mr. 
Huse.

   STATEMENT OF THE HONORABLE JAMES G. HUSE, JR., INSPECTOR 
            GENERAL, SOCIAL SECURITY ADMINISTRATION

    Mr. HUSE. Thank you, Mr. Chairman, Mr. Matsui, and Members 
of the Subcommittee. As always--and I have probably been here 
nine times--it is a pleasure to be here to assist you in your 
important work involving the SSN and its protection. In the 
interest of brevity and since you have accepted my full written 
testimony, I will summarize the major points that I have in 
that testimony. This Subcommittee and the Office of the 
Inspector General have been fighting SSN misuse and identity 
theft together for quite a few years now, beginning when I was 
Acting Inspector General at Social Security. So, now I am 
pleased to be here today and to see that the Subcommittee's 
continuing and tenacious dedication to stopping and reversing 
what is now a long-standing upward trend in SSN misuse and 
identity theft has never wavered. I come in support of 
legislation to strengthen protection for the SSN, our national 
identifier. We as a government remain ill-equipped to afford it 
the protection it needs and deserves. We need to protect the 
SSN at three stages: upon issuance, during the life of the 
number holder, and following the number holder's death. Perhaps 
the most important step we can take in preventing SSN misuse is 
to limit the SSNs' easy availability. Any meaningful 
legislation designed to protect the SSN must strictly limit the 
number's availability on public documents. The financial 
industry relies on the SSN and no one is suggesting that we 
change the way legitimate business is conducted in the United 
States. The use of the SSN as a student or patient 
identification number, as part of a car rental contract or to 
rent a video must be curtailed.
    Finally, I respect and support the SSA's strict privacy 
regulations. The information SSA stores on each of us is 
personal and is entitled to all of the protections we can 
provide. However, there are times when that privacy must be 
abridged for the greater good. Following September 11th, and 
again during last year's sniper attacks in the Washington, D.C. 
area, it became necessary to share with appropriate law 
enforcement authorities information stored by SSA to permit 
those authorities to conduct their investigations and, more 
importantly, to prevent additional lives from being lost. On 
both occasions, I asked the Commissioner of Social Security to 
use the ad hoc authority vested in the Commissioner by SSA's 
regulations to permit me to share SSA information with our law 
enforcement partners. I now ask this Subcommittee for statutory 
authority that would enable the Inspector General to make such 
disclosures when necessary to protect human lives without prior 
formal authorization from the Commissioner. When lives are at 
stake, we cannot waste precious moments in order to sustain 
some bureaucratic modality.
    Before I close, I would like to emphasize one part of my 
discussion. While the SSN is issued by SSA, the responsibility 
for protecting its integrity reaches far beyond the agency's 
boundaries. The SSA has come very far and is willing to do 
more, yet other Federal, State and local jurisdictions as well 
as the private sector must each also do their part. With 
everyone's participation we can protect the SSN and ultimately 
our homeland. Mr. Chairman, I thank you for your continuing 
commitment to these critical issues. I might add to sharpen all 
of this, that this very morning in California, we, along with 
the Los Angeles Police Department and other local police 
departments, made a raid and have arrested three suspects while 
one suspect remains at large. We also seized computers, 
printers, books of templates of every conceivable kind of 
identification, SSNs, lists of SSNs, birth certificates, 
driver's licenses, the seals to make driver's licenses, 
doctor's certificates, and infant footprints. Now what do you 
think they were going to do with those? This is a serious 
matter. It goes on every day. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Huse follows:]
   Statement of the Honorable James G. Huse, Jr., Inspector General, 
                     Social Security Administration
    Good Morning Mr. Chairman, Mr. Matsui, and members of the 
Subcommittee. As always, it is a pleasure to be here to assist you in 
your important work. We have been fighting Social Security number (SSN) 
misuse and identity theft together for quite a number of years now, 
starting when I was Acting Inspector General of the Social Security 
Administration's (SSA) Office of the Inspector General. On March 30, 
2000, I testified before this Subcommittee about SSA program integrity 
issues in general. On that occasion, I expressed my appreciation that 
the Subcommittee had recognized the importance of confronting SSN 
misuse, and looked forward to separate hearings that you promised to 
hold on the issue.
    Five weeks later, on May 9, 2000, I returned and reported at length 
on the misuse of SSNs in many areas, including identity theft. I 
explained that my office could not possibly investigate every instance 
of identity theft that involved an SSN. I testified that we were 
working vigorously on the audit side to identify and eliminate 
weaknesses in SSA's enumeration process, and just as vigorously on the 
investigative side to stop SSN misuse crimes that had a direct impact 
on SSA's programs and operations.
    In the year that followed, even as we worked to tighten controls 
over the issuance of SSNs and fought to deter and punish SSN misuse, 
identity theft continued to increase. It became apparent that under 
existing law, we could not do enough to stop criminals from obtaining 
SSNs, and did not have sufficient enforcement tools to deter them from 
doing so.
    So on May 22, 2001, I returned to this Subcommittee asking for its 
help. I asked for legislation that would severely restrict the use of 
SSNs in the private and public sector, and that would criminalize the 
sale of SSNs. I asked for an administrative safety net in the form of 
Civil Monetary Penalty authority for those instances of SSN misuse that 
could not be criminally prosecuted. And I pledged my office's 
unwavering support of the Subcommittee's efforts to prevent SSN misuse 
and, by extension, identity theft.
    The Subcommittee's response was swift. H.R. 2036, which provided 
all of the relief I had requested and more, was an important step 
forward. Tragically, before we could take that step forward, we all 
took an enormous step back. September 11, 2001 stopped us all in our 
tracks, and H.R. 2036 understandably took a temporary back seat to more 
pressing Congressional responsibilities.
    But it was a very short time before we collectively realized that 
H.R. 2036 and September 11 shared more common ground than we had ever 
contemplated. We had always seen SSN misuse as a bureaucratic problem 
for the government and a financial problem for the private sector and 
the citizenry. As our investigative offices were besieged with requests 
from the FBI for assistance in the September 11 investigation, we 
quickly came to realize that SSN misuse and identity theft threatened 
not only credit ratings and government records, but lives as well.
    Shortly after the attacks on New York and Washington, I again came 
before this Subcommittee and testified about individuals seeking to 
assimilate themselves into our society for nefarious purposes. The 
assimilation process begins with the use of an SSN whether obtained 
legally or fabricated. Without it, I explained, it would be all but 
impossible to function in our society for any extended period. H.R. 
2036, which had been an important piece of legislation eight weeks 
earlier, had become a critical one. Unfortunately, despite the best 
efforts of this Subcommittee and my office, the 107th Congress 
adjourned before that Bill became law.
    Then just last week, Treasury Secretary John Snow called upon 
Congress to take additional steps to help stem what he correctly terms 
``the growing menace of identity theft.'' While the Secretary's focus 
was on the harm identity theft visits upon consumers, this Subcommittee 
knows the damage is much broader than that.
    So, I am pleased to be here today, and to see that the 
Subcommittee's continuing and tenacious dedication to stopping and 
reversing what is now a long-standing upward trend in SSN misuse and 
identity theft has never wavered. As you well know, the use of the SSN 
in American society has expanded to the breaking point. Created in 1935 
to track workers' earnings and pay them retirement benefits, its use 
has increased so dramatically that it has become a part of more 
government functions and financial transactions than we could ever 
count. It is our national identifier, and while it serves its purpose 
well, we as a government remain ill-equipped to afford it the 
protection it needs and deserves.
    I have previously testified as to the need to protect the SSN at 
three stages: upon issuance, during the life of the number-holder, and 
following the number-holder's death. This three-tiered approach remains 
critical.
    At Stage One, my office is doing more work than ever, working 
closely with this Subcommittee and SSA to strengthen controls over the 
enumeration process, ensure the integrity of identification documents, 
and make it as difficult as possible to obtain an SSN from the Federal 
government fraudulently. If we cannot accomplish this much--ensuring 
that the government is not an unwitting accomplice to identity theft 
and other SSN-related crimes--then we will have failed before we have 
begun. But I can testify today with confidence that this is not the 
case. Together with you and with SSA, we have made important strides in 
reducing enumeration vulnerabilities, and that effort continues. Still, 
legislation is sorely needed to limit the number of replacement Social 
Security cards an individual can obtain, and to require better cross-
verification of records in the enumeration at birth process, to ensure 
that SSNs are not inappropriately issued in this important program. 
Excellent progress has been made in the enumeration arena, and we 
remain dedicated to even further improvements. At present, SSA is 
drafting two regulations to tighten the issuance of SSNs to non-workers 
and foreign students.
    Similarly, Stage Three, following the death of the number-holder, 
is an area in which we are working hard to ensure that, through timely 
reporting, appropriate cross-matching, and better controls, the SSNs of 
deceased individuals are not recycled for inappropriate purposes.
    But it is at Stage Two where we have focused the majority of our 
efforts, and where we have made the most progress. In the last several 
years, we have conducted numerous audits and made sweeping 
recommendations to SSA to improve the SSN misuse problem in the 
earnings reporting process, and most importantly, to improve controls 
over SSN misuse as it pertains specifically to Homeland Security. 
Further, over the last six months, we have led the President's Council 
on Integrity and Efficiency community in conducting an audit in 
assessing their respective Agency's practices in the use of SSNs. The 
final report noted that despite safeguards to prevent improper access, 
as well as disclosure and use of SSNs by external entities, many 
agencies remain at risk.
    As I stated, the SSN was never intended for the uses to which it is 
now put millions of times every day. The Identity Theft and Assumption 
Deterrence Act of 1998 and the Internet False Identification Prevention 
Act of 2000 provided law enforcement with the initial tools necessary 
to punish SSN misuse as it relates to identity theft. But each SSN 
begins and ends at SSA, and true stewardship over that number must 
reside in the Act that created it, the Social Security Act. That 
stewardship must focus not only on punishment and deterrence, but also 
on prevention.
    Perhaps the most important step we can take in preventing SSN 
misuse is to limit the SSN's easy availability. Any meaningful 
legislation designed to protect the SSN must strictly limit the 
number's availability on public documents. As long as criminals can 
walk into the records room of a courthouse or local government building 
and walk out with names and SSNs culled from public records, we can 
never reverse the trend. Any meaningful legislation must also 
specifically prohibit the sale of SSNs--including one's own SSN--on the 
open market. As long as criminals can buy a list of names and SSNs in 
an Internet auction, we will continue to be plagued by the 
consequences. And legislation, if it is to be meaningful, must limit 
the use of the SSN to appropriate and valid transactions.
    The financial industry relies on the SSN, and no one is suggesting 
that we change the way legitimate business is conducted in the United 
States. But the use of the SSN as a student or patient identification 
number, as part of a car rental contract or to rent a video, must be 
curtailed. Secretary Snow commented, ``Secure, reliable information is 
the lifeblood of all financial services, among which consumer credit is 
fundamental. It is not an overstatement to suggest that preserving the 
integrity and availability of consumer credit in this economy is 
preserving prosperity itself.'' This is why I have testified that 
Congress should consider requiring the cross-verification of SSNs 
through both governmental and private sector systems of records to 
identify and address anomalies in SSA's files, and in data bases at 
various levels of government and the financial sector. Only in such a 
way can we combat and limit the spread of false of identification and 
SSN misuse. In fact, SSA has taken initial steps toward implementing 
provisions of the Patriot Act. This Act requires the Treasury 
Department to develop a system for domestic financial institutions to 
verify the identities of foreign nationals seeking to open accounts 
with information held by Government agencies.
    If we can implement these changes, all of which come down to the 
acceptance of the fact that the SSN has become our national identifier 
and the application of common sense, criminals will have a far more 
difficult time obtaining an SSN from SSA or from other sources, and we 
will be able to better focus on enforcement.
    The Identity Theft legislation I discussed earlier provides 
criminal penalties, but those penalties were designed for broader 
crimes involving Social Security cards and/or SSNs, not for SSN misuse 
itself. Meaningful legislation that is focused solely on SSN misuse 
must provide meaningful criminal penalties in the Social Security Act, 
must provide enhanced penalties for those few SSA employees who betray 
the public trust and assist criminals in obtaining SSNs, and must 
provide an administrative safety net in the form of Civil Monetary 
Penalties to allow for some form of relief when criminal prosecution is 
not available for SSN misuse and other Social Security-related crimes.
    Finally, I respect and support SSA's strict privacy regulations. 
The information SSA stores on each of us is personal, and is entitled 
to all of the protections we can afford it. I have learned, however, 
through a series of unfortunate events, that there are times when that 
privacy must be abridged for the greater good. Following September 
11th, and again during last year's sniper attacks in the Washington, 
D.C. area, it became necessary to share with appropriate law 
enforcement authorities information stored by SSA to permit those 
authorities to conduct their investigations and, more importantly, 
prevent additional lives from being lost. On both occasions, I asked 
the Commissioner of Social Security to use the ad hoc authority vested 
in the Commissioner by SSA regulations to permit me to share SSA 
information with our law enforcement partners. I now ask this 
Subcommittee for statutory authority that would enable the Inspector 
General to make such disclosures when necessary to protect human lives 
without prior formal authorization from the Commissioner. When lives 
are at stake, we cannot waste precious moments.
    Before I close, I would like to emphasize one part of my 
discussion. While the SSN is issued by SSA, the responsibility for 
protecting its integrity reaches far beyond this Agency's walls. While 
SSA has come very far and is willing to do more, other Federal, State 
and local jurisdictions, as well as the private sector must each do 
their part. With everyone's participation, we can protect the SSN and 
ultimately our homeland.
    I thank you for your continuing commitment to these critical 
issues, and would be happy to answer any questions.

                                 

    Chairman SHAW. Thank you, Mr. Huse. What is the criminal 
penalty for supplying fraudulent documents in order to obtain a 
Social Security card--SSN? Or is there State law that you are 
familiar with that would do the same thing with regard to 
getting a driver's license that you are aware of?
    Mr. HUSE. The answer to your question is, there are Federal 
statutes that cover those crimes, and State statutes also. 
There is a strong law enforcement remedy for all of this 
criminal activity. What there isn't, though, is an elastic 
enough charge or felony charge for Social Security misuse in 
and of itself, which oftentimes is the common denominator 
through all of these levels of government and the crimes that 
have been established. If we had a strong, simple Social 
Security misuse felony, it would cut through a lot of this 
criminal justice activity.
    Chairman SHAW. Let's take the examples that are up on the 
board. If one were to go in to the Social Security office and 
give them a birth certificate, a baptismal certificate and some 
other type of picture identification such as the one you use up 
there with the United Airlines employee type of identification, 
in order to obtain a SSN--these documents are fraudulent--what 
would be the criminal penalty that this person is liable for?
    Mr. HUSE. There is a Federal criminal statute that covers 
this type of criminal activity. However, if I sold my SSN to 
Barbara to use illegally, there is no crime for the actual 
sale. I can't be charged for that. So, these are some of the 
aspects of this that we are trying to get in a specific SSN 
misuse felony.
    Chairman SHAW. I am just talking about the individual who 
goes in and tries.
    Mr. HUSE. It is a crime, and we can charge them.
    Chairman SHAW. Is it a felony?
    Mr. HUSE. It is a felony crime.
    Chairman SHAW. Five years?
    Mr. HUSE. Five to 10.
    Chairman SHAW. Five to 10. Thank you.
    Mr. HUSE. I would also add that in the Federal system there 
are also the sentencing guidelines.
    Chairman SHAW. Are the prosecutors prosecuting these cases? 
Many of our courts I know in south Florida, are overworked so 
much, and the question of whether you are going to be 
prosecuted even for a felony can depend upon the severity of 
the felony because of short-handedness within the prosecutor's 
offices themselves, the right to speedy trial, overcrowded 
dockets, those type of things. Are these cases being 
prosecuted?
    Mr. HUSE. Some of them are. I think the prosecutors try to 
do the right thing. They triage cases just like everybody else. 
There are those cases, as you just pointed out, that are not 
prosecuted, perhaps because the dollar amount is minimal, or 
the urgency, or there is no terrorism nexus, or what have you. 
Those cases usually fall out. That is why we are asking for 
this civil money penalty, a provision that would allow us to 
sanction those people who aren't prosecuted. They would still 
have to pay a substantial fine, and in that way perhaps we can 
do something about the proliferation of this crime.
    Chairman SHAW. Mr. Cardin.
    Mr. CARDIN. Thank you, Mr. Chairman. Let me again thank our 
witnesses for their testimony. The SSN is supposed to be the 
identification number for the Federal Government for Social 
Security purposes. Yet it is used as an identification number 
by a lot of different organizations and groups. I have my 
health insurance card, which my membership number is identical 
to my SSN. I am sure that is not unusual. Until 2 or 3 years 
ago, our U.S. House of Representatives identification cards 
included, mandatorily, our SSNs. So, I guess my question is, 
how important is it for us to try to protect the 
confidentiality of an individual SSN? You point out that you 
can go on the Internet and probably find the SSNs of most of us 
in some documents that are probably public today. If you 
couldn't find it there you, probably with a little effort, 
could find out our SSNs. How much is that a contributing factor 
to identity theft? Should we be much more vigilant about 
protecting the use of the SSN as a way to protect against 
identity theft? How major is this? How much effort should we 
put behind keeping these numbers confidential or for use only 
by the SSA?
    Ms. BOVBJERG. It couldn't hurt to quit giving people your 
SSN when you don't know what they are going to do with it. The 
Privacy Act (P.L. 93-579) requires all levels of government, 
not just the Federal Government, when they ask for your SSN, to 
tell you whether you are required to give it, and for what 
purpose it is to be used. This is not a provision of the 
Privacy Act that is followed very routinely. We have made a 
recommendation to the Office of Management and Budget to take 
some action to inform government agencies, particularly State 
and local governments, that this provision applies to them. I 
think as an individual it is probably also important to ask why 
Blockbuster Video or someone like that is asking you for your 
SSN and how it will be used, or to simply not give it to them. 
You are really also asking to put the genie back in the bottle.
    Mr. CARDIN. I don't think people think about this. If they 
are asked to give their SSN they give their SSN because it is 
there, it is on the form. They don't think twice about it. 
Unless we develop policy nationally that prevents the use of 
the SSN for non-governmental purposes or provide additional 
protection for the individual to make that judgment, it seems 
to me it is not going to happen.
    Mr. HUSE. I agree with everything our distinguished witness 
from the GAO said, but I would add that that is 50 percent of 
the issue. The other 50 percent is for those numbers that are 
already out there. I believe there is also a governmental 
obligation to ensure that there is due diligence on the data 
that is stored by all of these entities in matching those 
records with the true records of government at all of the 
levels, but including the Federal level--to ensure that there 
is an attempt to make positive identification occur. I think 
that is the other half of the identity theft problem. I think 
we are doing a lot of work on the front end in trying to get 
the integrity in the system that issues numbers, but we are not 
doing enough on the back end to verify that data and to make 
sure that anomalies in it are rooted out and given to 
appropriate law enforcement authorities at the local, State, 
county and Federal level to deal with. This is a universal 
problem, it is way beyond just the SSA.
    Mr. CARDIN. I agree with your point. I guess my point is, 
how do you put this all together? Would it make it a lot easier 
if these numbers weren't so readily available? I guess the 
answer is, it wouldn't hurt and certainly it would make it more 
difficult for identity theft. Unless we are prepared also to be 
very aggressive on the use of identity, and the verification of 
identity, and all the other issues there would still be a 
significant problem out there?
    Mr. HUSE. I think you are at a point where, as Barbara 
said, you can't put it back in the bottle. I think we have to 
accept the status quo.
    Mr. CARDIN. Why? I am not sure I agree with that. Unless we 
are willing to take action on who can use SSNs, and how they 
are to release and protect them, I agree with you. I guess my 
point is, that is one area that we could control here from 
Washington. It may cause disruptions and maybe it is not worth 
all the disruptions it causes, but I am trying to get a sense 
as to how important it would be to restrict the availability of 
SSNs. What I am getting from you is, that would certainly help 
us in reducing the amount of identity theft.
    Mr. HUSE. The answer is yes.
    Ms. BOVBJERG. If I could just add briefly, you have already 
done things that have helped. Certainly the Drivers Protection 
Act of 1993 (P.L. 103-322) helped enormously to prevent motor 
vehicle records that had SSNs on them from being sold in bulk. 
There are other things that have occurred over the last 10 
years that have made the SSN, particularly in government, more 
secure. So, I think there are things that you already have done 
that have helped.
    Mr. CARDIN. Why should my health insurance company require 
to use my SSN?
    Ms. BOVBJERG. They want to know that you are you. It is a 
unique identifier. They want to distinguish you.
    Mr. CARDIN. Well.
    Mr. HUSE. From another person with a similar name.
    Mr. CARDIN. Is that a responsibility of government, or the 
private insurance industry?
    Ms. BOVBJERG. The government did not provide it to the 
insurance company.
    Mr. CARDIN. No, but we provide the SSN. Thank you, Mr. 
Chairman.
    Chairman SHAW. Mr. Collins.
    Mr. COLLINS. No questions.
    Chairman SHAW. Mr. Brady.
    Mr. BRADY. Thank you, Mr. Chairman, for holding this 
hearing. Thank you to the witnesses for being here. It is very 
helpful. Reading the testimony in advance, I wanted to focus on 
defining the problem a little better. It seems like there are 
widely varying estimates of how big a problem identity theft 
is. I am wondering between thefts used for financial fraud that 
are--sometimes we identify them because of complaints, those 
used for illegal immigration purposes, those used for national 
security access. Do you think we really know how big the 
problem of identity theft is in America right now?
    Mr. HUSE. I don't think we do. The numbers that come to us 
from the financial sector are those that they choose to share 
with us. All of the credit card entities have huge insurance 
bonds that mask a lot of the activity. By this I mean that they 
assume a lot of this is risk. In the context of the national 
security dimension, I think we do get good information, and it 
has really been emerging since 9/11, as to how important it is 
for someone that comes into this country to do ill, to be able 
to get underneath our radar by obtaining whatever requisite 
identification we need--principally the driver's license 
because that is the one that allows you to move around as 
someone who has some kind of status. I think, to use a 
metaphor, this is the tip of the iceberg. We just see the top 
from the hysteria that we hear and the reporting. I think the 
problem is far bigger than we even know.
    Mr. BRADY. Thank you. Ms. Bovbjerg.
    Ms. BOVBJERG. I agree, we don't know. We have reported to 
Mr. Johnson in the past, that it is difficult to get statistics 
on this. I have brought Federal Trade Commission (FTC) 
statistics that said in calendar-year 2002, 380,000 consumer 
fraud and identity theft complaints came to their hotline. How 
many of those are SSN-related is unclear. They certainly don't 
get at the point that Mr. Huse made about the criminal 
immigration fraud, the terrorism side of identity theft. They 
also reported losses of more than $340 million. We know that 
not all of these losses get reported, so indeed this figure is 
lower than actual losses.
    Mr. BRADY. Those aren't the answers I wanted to hear, but I 
think it is what we all know in the room--that it is the tip of 
the iceberg on this issue, and leads to the follow-up question, 
how successful are we in catching and prosecuting those who 
steal identities for various reasons? Do we have any numbers on 
how many prosecutions occur each year, and if I steal someone's 
identity for whatever reason, what are the chances that I will 
get caught--other than being a Member of Congress, we are 
likely to get caught--but still in the most part, how 
successful are we?
    Mr. HUSE. I would say we are as successful there as we are 
with a number of issues when we talk about the criminal justice 
system. We know what we know. We have statistics, and I don't 
have them at my finger tips but we will supply them to you 
later, from what we do and the rest of Federal law enforcement. 
The U.S. Department of Justice garners the statistics from 
across the country. I don't think we really get at the universe 
of identity fraud through the criminal justice system. I think 
we probably, to use my metaphor from before, I think we are 
just getting at the surface of it. It is one of those crimes 
that has become provocative enough to warrant our attention. A 
lot of it goes on unnoticed. Some of it is because a victim has 
to discover that they have been violated. That is the part we 
don't really know yet.
    [The information follows:]

                                     Social Security Administration
                                          Baltimore, Maryland 21235
                                                        May 5, 2004

The Honorable Kevin Brady
House of Representatives
Washington, D.C. 20515

Dear Mr. Brady:

    During the Ways and Means Social Security Subcommittee hearing on 
July 10, 2003, you asked then Inspector General James Huse some 
questions related to the prosecution of identity theft cases. I would 
like to take the opportunity to respond to each of your questions in 
turn.
    First, you asked how successful we are in catching and prosecuting 
those who steal identities for various reasons. It is important to note 
that the Social Security Administration (SSA) Office of the Inspector 
General (OIG) is responsible for investigating and referring for 
prosecution a small portion of the overall universe of identity theft 
cases--those that relate to Social Security disability benefits, 
earnings or other fraud issues that concern SSA programs generally. 
With regard to these cases, the SSA OIG has been instrumental in 
successfully apprehending and referring violators for prosecution.
    Second, you asked whether we have any numbers on how many identity 
theft prosecutions occur each year. As previously stated, the SSA OIG 
has statistics on the number of identity theft prosecutions relating to 
Social Security fraud, but not the number of identity theft 
prosecutions that occur nationwide as the result of investigations 
conducted by other federal, state and local entities. Between FY 2001 
and FY 2003, the SSA OIG investigated over 1800 allegations of identity 
theft related to SSA's programs. These cases resulted in over 1100 
convictions.
    Finally, you asked how likely it is that someone will get caught 
for stealing an identity. Identity theft is often referred to as a 
crime that entails minimal risk. According to the Federal Trade 
Commission, the incidence of identity theft continues to rise. Through 
its investigations of Social Security-related identity theft 
allegations, and its referral process, the SSA OIG is making a 
significant contribution to the fight against identity theft. It is 
clear that more work needs to be done. We look forward to working 
cooperatively with other agencies and the Social Security Subcommittee 
in furtherance of this effort.

            Sincerely,
                                          Patrick P. O'Carroll, Jr.
                                           Acting Inspector General

                                 

    Mr. BRADY. Sure. Ms. Bovbjerg.
    Ms. BOVBJERG. I am leaving the criminal justice statistics 
up to Mr. Huse.
    Mr. HUSE. I didn't even answer them.
    Mr. BRADY. I think really you did. I think the point you 
made earlier about more flexible criminal justice penalties and 
charges I think are real important. Mr. Chairman, I conclude 
with that. I think your bill on Social Security theft and 
response is an excellent approach. Perhaps we ought to find a 
way to better define this problem as well as better identify 
how successful we are because then we can at least start 
measuring our improvement against that. I yield back the 
balance of my time. Thank you.
    Chairman SHAW. Mr. Pomeroy.
    Mr. POMEROY. Mr. Chairman, I want to commend you for not 
just this hearing, but your long-standing work on this 
important issue. I would ask Ms. Bovbjerg whether there are 
some systems' investments that we need to make at SSA that will 
address some of the concerns your report notes. How do we get 
to where we need to go in terms of bringing a greater measure 
of security in the areas that you cite? Obviously the 
replacement cards, I suppose, if you don't issue--you don't 
allow 52 in a year would be a good start perhaps, but more 
specifically what recommendations you might have in that area, 
and the children's cards, the batch systems, what specifically 
do you think we ought to--how should we respond?
    Ms. BOVBJERG. We are still thinking about recommendations 
in those areas. We will be issuing a report to the Subcommittee 
in September. We have been discussing these things with the 
SSA, and I know they have a concern about replacement cards and 
reducing the number permitted, thinking that, maybe 52 is too 
many, and certainly I think 52 is too many. The SSA raises the 
point about the homeless person who comes in regularly for his 
card, he needs it for benefits. The SSA doesn't want to cut 
that person off from his benefits. On the other hand, perhaps 
that person needs something more than a replacement card if he 
is coming in to SSA offices that often. We are thinking about 
what would be a reasonable approach to fixing that problem. I 
think we have thought, particularly with regard to verification 
for enumeration that there might be some things that ought to 
be done, perhaps having SSA's staff have a means to acknowledge 
in the SSA system that they have done the third party 
verification. That is, the new SSN number could be issued. 
Things like that. These are recommendations that we are still 
thinking about, that we are discussing with the SSA. We don't 
want to recommend something that is not feasible. I think there 
are some things that can be done to strengthen the verification 
process.
    Mr. POMEROY. Is your investigation also evaluating what 
legitimate private uses are occurring with SSNs as a national 
identifier in trying to find ways that put in place protections 
but on the other hand don't unduly disrupt existing systems 
that depend upon this identifier?
    Ms. BOVBJERG. We are trying to look at that balance. In the 
work that we are doing for this Subcommittee on the private 
sector, we are asking certain parts of the private sector how 
they are using the number, how do they obtain it, what 
safeguards they have, because some companies have really 
thought about this a lot and are attempting to grapple with the 
safeguard issue. We will be reporting back in the fall on this. 
We are still in the middle of our work.
    Mr. POMEROY. Mr. Huse.
    Mr. HUSE. I just wanted to say that I think I can speak for 
Commissioner Barnhart here, too, that her interest in this is 
as strong as my own. The SSA does have a regulation moving 
through the vetting process now that will restrict the number 
of replacement cards available to an individual during the 
course of the year. It markedly reduces the number down from 52 
to 2 in a given year, and 10 over the course of a lifetime, 
which I think is far more reasonable. That is going through the 
vetting process in the executive branch before it is issued as 
a regulation. So, it is there. I only answered that so that you 
understand that the SSA is not static on this issue. It is just 
a question of the process.
    Ms. BOVBJERG. Your office too?
    Mr. HUSE. My office too.
    Mr. POMEROY. Do you have a feel for as we move to address 
identity theft it is going to significantly curtail commercial 
use of SSNs?
    Mr. HUSE. I think it will. It will probably also spur the 
private sector to look to the promise in new technology for 
identification that takes us away from the number and its 
universal use now to biometrics and other more facile uses of 
identification. I think by drawing the line now, we are saying, 
that the continued use of the SSN will become too expensive for 
you, it would be better to try another way. The information 
technology will require this in any case.
    Mr. POMEROY. Thank you. Thank you, Mr. Chairman.
    Chairman SHAW. Mr. Johnson.
    Mr. JOHNSON. Thank you, Mr. Chairman. Mr. Huse, I asked you 
a question I think before on one of your nine appearances. I 
wonder if you could give me an update on where we are with the 
regulatory process on the issuance of SSNs for nonwork purposes 
and for foreign students as well as those who are issued to 
foreigners. I have got a question along those lines. I believe 
you testified before with reference to the illegals that were 
allowed to have work permits in Dallas, that if they were 
issued a work permit they were allowed to get a SSN. What kind 
of documentation do they use to get that, one; and two, you 
said it was for life, good for life. Is that still true?
    Mr. HUSE. Once a number is issued, it is valid for life.
    Mr. JOHNSON. Well, then, what is this deal about you all 
issuing different kinds of SSNs for temporary work permits or 
students or people who are in the country temporarily from 
foreign countries? Is there such a thing? You were talking 
about different colors, I think.
    Mr. HUSE. I never understood how complex this was until I 
took this office.
    Mr. JOHNSON. It is, but you know the currency was 
counterfeited all over the world and we came up with coloration 
to take care of that. It isn't working, but it is still--well, 
it isn't. They keep changing it. It is an effort to stop the 
counterfeit process. I wonder why we don't do that with the 
Social Security card?
    Mr. HUSE. The nonwork card, for example, was required as a 
means to provide legitimate visitors to this country with the 
ability to get a driver's license and be insured and to----
    Mr. JOHNSON. They don't have to have a Social Security card 
to get a driver's license.
    Mr. HUSE. Well, in some States you do need an SSN to get a 
driver's license. It is the underpinning of the driver's 
license system.
    Mr. JOHNSON. That is not the purpose of the number. So, we 
are misusing it when we use it that way.
    Mr. HUSE. The nonwork number, because there were these 
requirements, the SSA came up with this as a service. Now that 
was curtailed after September 11th. Commissioner Barnhart 
notified the governors of our States that the SSA would no 
longer do that. There were court challenges to that decision 
and the SSA has gone back to it temporarily, but it is under 
scrutiny now.
    Mr. JOHNSON. So, what you are saying is the States use the 
SSN as verification to get a driver's license?
    Mr. HUSE. They do. It is the underpinning of our driver's 
license system. That is why I used to use the term de facto 
national identifier for the SSN. If you notice over the time I 
have been here I have dropped that ``de facto.'' If this is 
truly the case, that the number is underneath even the driver's 
license, we can't call it a de facto number, it is the national 
identifier until something changes.
    Mr. JOHNSON. Do we legislate against that? I see driver's 
licenses being used as fake identification, too.
    Mr. HUSE. The driver's license is probably the most 
counterfeited identification we have. In any case there is a 
lot of scrutiny on the uses of the nonwork number. There are 
foreign visitors to this country, students that obtain the 
appropriate visas that are in this country to be educated that 
for Citizenship and Immigration Services, if I got this right.
    Mr. JOHNSON. I know what you are talking about. When you 
issue a SSN are you verifying it by one document or several 
documents? It seems to me if there is a fraudulent effort out 
there to obtain them, I don't know where they get them all 
from. Do they just make up the numbers or are they buying them 
or what?
    Mr. HUSE. Thieves steal genuine numbers, thieves make up 
counterfeit numbers out of thin air and then create a myriad of 
identification from that. Between the two, all of this migrates 
into databases, and that is why I suggest that verification of 
these records is a way to root out SSN misuse.
    Mr. JOHNSON. The IRS is your primary enforcement agency 
right now?
    Mr. HUSE. It is.
    Mr. JOHNSON. It seems to me that--how are they verifying 
the authenticity of the SSN? I know there is a lot of 
mismatches. How are we fixing that and are your computers being 
updated as we speak?
    Mr. HUSE. There are efforts to do that. Our work and the 
work of the GAO have suggested system fixes to Social Security, 
and they have those in their queue to do along with their own 
systems enhancements. Those are under way. Are they done yet? 
No, they are not finished.
    Mr. JOHNSON. We talked about this at least 2 years ago. 
Where are we with reference to that issue?
    Mr. HUSE. We are moving toward the goal line, but it is not 
done yet.
    Mr. JOHNSON. Can you see the goal line?
    Mr. HUSE. Well, some things you take on faith.
    Mr. JOHNSON. More than 100 yards away. Thank you very much. 
Thank you, Mr. Chairman.
    Chairman SHAW. Mr. Becerra.
    Mr. BECERRA. Thank you, Mr. Chairman. Before I begin my 
questions, I want to thank the Chairman for continuing to press 
on this issue. I know he has had legislation in the past, and I 
hope we are able to move something. I am sure it is going to be 
a bipartisan piece of legislation. I thank the Chairman for his 
efforts on this particular subject. To our witnesses, thank you 
again for being here. A couple of questions. First, with regard 
to the maintenance or the integrity of the SSN itself, the war 
on terrorism, the need for more security, it is becoming more 
and more important now that we check and verify. Now, I recall 
before 9/11, the SSA was already having problems trying to find 
the resources to take care of this massive work. Can you tell 
us what kind of monies you have post-9/11, or let's just focus 
on this year's budget, what kind of moneys you have in addition 
to what you already had to try to deal with this issue of 
identity theft.
    Mr. HUSE. First of all, we do have built into our 2004 
budget request appropriate funding to do some more significant 
work with----
    Mr. BECERRA. How much are you asking for?
    Mr. HUSE. Let me look back and get a dollar. The total 
appropriation we have asked for is $90 million, but in there, 
there is about an $8 million increase over current 
appropriations. We were looking to build out this SSN misuse 
capacity.
    Mr. BECERRA. Let me make sure. Of the $90 million that you 
are asking for, $8 million of it would focus on the identity 
theft issue or all $90 million would focus on the identity 
theft issue?
    Mr. HUSE. The $90 million covers all of our 
responsibilities, which is beyond just this particular mission. 
What we were looking for in the $90 million is $2 million, a 
modest amount to develop what we call SSN misuse teams that we 
have. The teams will include auditors, investigators and----
    Mr. BECERRA. That is $2 million. Keep going.
    Mr. HUSE. That is the only growth we asked for.
    Mr. BECERRA. That's $2 million for a country the size of 
the United States?
    Mr. HUSE. Well, we----
    Mr. BECERRA. I suspect the folks that are forging these 
documents could give you more than $2 million off their profits 
just of what they have made.
    Mr. HUSE. Now, I need to be careful here, because my role 
in relation to all of this is the integrity to the SSN business 
process itself. The whole issue that you speak to is a massive 
universe that involves----
    Mr. BECERRA. That is very true.
    Mr. HUSE. The whole government.
    Mr. BECERRA. Outline for us what moneys you are getting for 
your particular role within the Inspector General's office, and 
perhaps we could ask, Mr. Chairman, for the SSA to break down 
the monies it is requesting to deal specifically with the 
identity theft issue so we have a sense. I am almost positive 
what we will find is that you all need more resources, and we 
should know that now so that when you come back and testify for 
the 10th or 11th time, we won't be asking why you haven't made 
more progress along the yardage markers to get closer to the 
goal line. Another question for you. Do government 
administrators or employees today at any level of government, 
whether Federal, State, local, or any business employees that 
you are aware of, undergo any training for identification 
verification to know when a document is real or fraudulent?
    Mr. HUSE. They do. Even Social Security field employees get 
training in the identification of----
    Mr. BECERRA. Without going further, because I want to make 
sure I get all my questions in, if you could provide us or 
provide my office with the literature, whatever you have in 
writing that says what the training is----
    Mr. HUSE. I would be glad to.
    Mr. BECERRA. If you know what other State or local 
governments do as well, because I guess one of the problems is 
we have a lot of folks who aren't trying or doing much of an 
effort to figure out if these are authentic documents or 
identification cards or not.
    Mr. HUSE. Sure.
    Mr. BECERRA. If someone asks for a replacement Social 
Security card--I lost my card, I write to the SSA and say I 
need to get another one, I can get one; right?
    Mr. HUSE. Right away.
    Mr. BECERRA. If a year later I write back and say, you know 
what, I lost it again.
    Mr. HUSE. You would get it again.
    Mr. BECERRA. If I say, you know what, I ripped it up. I 
lost it. Can I get another one?
    Mr. HUSE. You can, and that goes on and on and on.
    Mr. BECERRA. Does that trigger within SSA any thought that 
perhaps this individual is misusing the SSN?
    Mr. HUSE. It does now, because we analyze the enumeration 
process, and where there are clusters of these, some are 
referred to us for an investigative look, where there is 
suspicion, which can't be----
    Mr. BECERRA. So, we are doing something?
    Mr. HUSE. Yes. Yes, we are.
    Mr. BECERRA. Thank you, Mr. Chairman.
    Chairman SHAW. The replacement card has the same number, 
doesn't it?
    Mr. HUSE. Yes.
    Chairman SHAW. Your concern with the replacement card is 
they are just handing them off to their buddies.
    Mr. HUSE. Correct. We have, in some instances, where people 
get hundreds of these in a year, or almost 100 in a year.
    Now, some people may be generationally used to the fact 
that they think they have to have this card at all times. Some 
of us get older, and we forget, misplace them and we think we 
have to get another one, and that is a service. That is a 
service some people believe they have to have, so a lot of 
these really aren't criminal, but when you see 80 or 90 a year, 
you begin to wonder, and those we are now----
    Mr. BECERRA. I'd think you would begin to wonder before 80 
or 90.
    Chairman SHAW. Mr. Collins.
    Mr. COLLINS. Maybe we ought to flag those and send them to 
them in bulk. I was just looking at some information the 
Subcommittee provided for us on mismatched records to see where 
the Social Security matches information with the IRS weekly 
about, and that is W-E-E-K-L-Y, not W-E-A-K-L-Y, about 
discrepancies. Interesting figures that no match letters were 
sent out to employers for employers to actually verify the 
employee, that it went from 110,000 to 950,000 letters last 
year, representing 10 million mismatches. Now, to go back to 
what Mr. Johnson was talking about, the immigration bill, and 
you talked about earlier, the raid that you all were successful 
with this morning in California where you apprehended three and 
one is on the loose. A lot of the cards or the material they 
had there to create cards will be part or a large part of this 
mismatch?
    Mr. HUSE. There is absolutely no doubt that there is a 
demand for counterfeit identification documents brought on by 
our undocumented worker population in this country. That is 
fact.
    Mr. COLLINS. A driver's license or most any kind of 
identification that has a SSN on it also has a photo on it. Any 
thoughts toward a photo? You get a SSN as an infant, but once 
you reach legal age, some age----
    Mr. HUSE. There is no plan to do that. In fact, at the 
present time the SSA does not require a photograph for any of 
Social Security's services, including any of the insurance 
programs. Your number is the key that unlocks those benefits. 
In addition, there is not any biometrics involved.
    Mr. COLLINS. It is also becoming a key to a lot of other 
folks too, using it in a wrong pattern. What can an 
individual--what has the Administration done to assist an 
individual in how to be more responsible or protective of their 
SSN?
    Mr. HUSE. I can speak to what we, at SSA, and what I know 
from the FTC, and they have done extensive outreach work and 
activity in their communications arena to apprise people of the 
issues involved and the personal responsibility to protect your 
number, what to do when something happens to you, when you 
detect someone else has used your number and what remedies to 
take, and those are very understandable brochures and mailings. 
We have a fraud hotline at SSA that provides these answers to 
hundreds of people that call in with these problems. The FTC 
does the same thing. We also tell people in the process of 
getting their statement on Social Security every year, which is 
very important, that is a critical document, just like your 
monthly credit card statements, that you should review it 
carefully to be sure that the wages and earnings that are 
posted on it track with your recollection of your earnings 
history, because if there are differences there, that is almost 
a sure sign there has been a compromise of your identity. The 
other thing that SSA has advised people for some time now is to 
cease the practice of putting your SSN on private checks, and 
that is just not necessary. You shouldn't put your phone number 
either. This is just a desire by businesses to gather some data 
on folks that they don't really need to have.
    Mr. COLLINS. Thank you. Thank you, Mr. Chairman.
    Chairman SHAW. You had a follow-up on--go ahead and then we 
will go to Ms. Tubbs Jones.
    Mr. JOHNSON. Thank you. I would just like to ask, in the 
military, they ask you for your SSN. That is why we used to put 
them on the checks. I don't anymore.
    Mr. HUSE. I remember, too.
    Mr. JOHNSON. That, and phone number. That as well.
    Mr. HUSE. So, they could get your officer's club bill to 
you.
    Mr. JOHNSON. That is so you would pay them. That's right. I 
would like to ask a question real quick. Kids that get--when 
you give a baby a SSN, he isn't going to work. Why does he need 
one? The IRS asks you to do that, didn't they?
    Mr. HUSE. They did.
    Mr. JOHNSON. They use it, and it is if that is where how 
much of the fraud do you know what percentage of the fraud is 
in young kids?
    Mr. HUSE. Well, the fraud that happens with the young 
children is when parents of young children get earned income 
credits for the purpose for----
    Mr. JOHNSON. Kids get earned income credits?
    Mr. HUSE. No. The parents do for the number of children 
they have, depending upon the level of the parent's income. 
That is a type of fraud. We can get you some information on 
that.
    Mr. JOHNSON. Well, why isn't it possible to give a child a 
number that is not a SSN, that the IRS can use until they get 
of working age? We have child labor laws too. They are not 
supposed to work under a certain age.
    Mr. HUSE. Like many things in government, this was a 
process that emerged out of a need to prevent fraud in filing 
income tax returns, where people claimed----
    Mr. JOHNSON. It has turned around on us and we are having 
fraud develop in the Social Security regime. Then we maybe need 
to look at that again.
    Mr. HUSE. That could be a possible area for adjustment. I 
know of the time in my youth you didn't get a number until you 
went to work.
    Mr. JOHNSON. That's right. Thank you. Thank you, Mr. 
Chairman.
    Mr. COLLINS. That may be part of the problem with the $10 
billion of fraud that we have with the earned income tax credit 
each year.
Chairman SHAW. Ms. Tubbs Jones.
    Ms. TUBBS JONES. Thank you. Do you have any indication that 
there is more abuse by earned income tax credit people filing 
than there is abuse of fraud in businesses across the country?
    Mr. HUSE. No.
    Ms. TUBBS JONES. Thank you. Let me go on. I heard you 
earlier raise the question that or say that there is no way you 
could prosecute Ms.--I don't know how to pronounce your name.
    Ms. BOVBJERG. Bovbjerg.
    Ms. TUBBS JONES. Thank you--for selling her SSN to you.
    Mr. HUSE. You could prosecute her, but you couldn't 
prosecute me if I sold my number to her.
    Ms. TUBBS JONES. Why not?
    Mr. HUSE. There is no penalty for me to sell my genuine 
SSN.
    Ms. TUBBS JONES. Oh, absolutely. There is a penalty for 
theft and deception and fraud.
    Mr. HUSE. I meant in the Social Security Act (1935, 49 
Stat. 620).
    Ms. TUBBS JONES. I want you to be clear on that, because 
there is a law that covers that conduct.
    Mr. HUSE. I believe there is a law on the books for just 
about every particular aspect of this, but it is sorting 
through those to get to the right penalty that makes it very 
difficult.
    Ms. TUBBS JONES. Let me tell you the reason I raise the 
question with you, sir, is I am a former judge and a former 
prosecutor, prosecuted cases for Cuyahoga County for 8 years 
with 300 and some assistants, and the thing I worry about is us 
always trying to create another crime to prosecute conduct that 
can be prosecuted under existing law, and I just wanted the 
record to be clear that there is a law that you can be 
prosecuted for engaging in that conduct.
    Mr. HUSE. I am sure.
    Ms. TUBBS JONES. Let me ask you also. You said that you 
have been here nine times. My first time meeting you, it is 
nice to meet you. Have you, in the nine times that you have 
been here, requested sufficient dollars to be able to do the 
type of work that the SSA needs to do to adequately protect the 
people of the United States and their numbers?
    Mr. HUSE. Yes, I think I have done that.
    Ms. TUBBS JONES. So, the $2 million you asked for is 
sufficient to cover the needs of the SSA to help deal with this 
issue?
    Mr. HUSE. To clarify, that was to add to what we already 
have received through the support of this Subcommittee and the 
House Committee on Appropriations over time. We have come some 
distance in the last 8 years from a very small organization to 
a very respected law enforcement organization. Most of which 
has occurred through the good will of this Subcommittee, and 
the Committee on Appropriations.
    Ms. TUBBS JONES. I think you are being generous to the 
Subcommittee, and to yourself, to say that you have asked for 
enough money, because if you had asked for enough money, 
hopefully we would be further along than we are; and I don't 
mean to be accusatory, but I am just suggesting to you that 
prosecuting white-collar crime costs much more money. It costs 
many more law enforcement folks. It costs a lot more time than 
prosecuting a robbery or a burglary, and so the reality is that 
in order to be able to do some of the things that you really 
need to do to protect the people of the United States and their 
SSNs, you probably haven't asked for enough money, and you may 
be thinking that, well, they are probably not going to give it 
to me anyway, so I am not going to ask for it, but I would 
suggest to you that perhaps that might be, you might ratchet up 
that request so that if all of us, as Members of Congress, are 
sincere about trying to alleviate this problem for the people 
of the United States, we would put our money where our mouth 
is. That is all I am saying to you.
    Mr. HUSE. I would say thank you, then. I will take your 
counsel.
    Ms. TUBBS JONES. I appreciate it. Let me also, just one 
more area, Mr. Chairman. Commissioner, you say on page 5 that I 
asked the Commissioner of Social Security to use the ad hoc 
authority vested in the Commissioner by SSA regulations to 
permit me to share SSA information with our law enforcement 
partners. Can you tell me what that ad hoc authority is, 
please, sir?
    Mr. HUSE. Well, it is authority that allows the 
Commissioner to disclose SSA information if not prohibited by 
Federal law.
    Ms. TUBBS JONES. Why then, if you have that extraordinary 
authority under the ad hoc authority vested in the Social 
Security administrator, do you need statutory authority to 
enable the Inspector General to make such disclosures when 
necessary to protect human lives without formal authorization 
from the Commissioner?
    Mr. HUSE. Well, this authority, because it is 
extraordinary, is a special and time-consuming process. Often 
the emergency is very time-restricted, where even seconds 
count, and that is the reason for this proposal in a simple 
statement.
    Ms. TUBBS JONES. Under that authorization, what would be 
the circumstances upon which you would want this legislation to 
authorize the Commissioner to receive the--to be able to give 
up my SSN?
    Mr. HUSE. It is actually the data that is in, they would be 
extremely limited to those, and it would be based--it is a 
discretionary authority. It would be based on my judgment, 
which I would have to answer for, as I do now to the 
Commissioner.
    Ms. TUBBS JONES. So, if you can do it already, I guess my 
problem is in the name of terrorism, we have caused so many of 
the rights of the people of the United States to be abridged, 
and I am all for going after the terrorists and I am all for 
law enforcement having what they need to do their job and just 
for background, I am a former judge and I used to issue search 
warrants all of the time. I just fear the process of enlarging 
opportunities to give away a number that we are worried about 
giving away and we can't control government, so forth and so 
on, in the name of saving lives, per se. I would just suggest 
that it would be a good idea when we go through this process 
that we are real clear if we give away that authority that if 
he already has it in an ad hoc authority, maybe we might change 
the process but not expand it.
    Mr. HUSE. That is what we seek in this legislation. The 
same restrictions would apply. We are merely moving the process 
from the Commissioner to the Inspector General, who, like the 
Commissioner, is Presidentially appointed and confirmed by the 
Senate. This proposal would just move the process into the law 
enforcement function in Social Security. The same rules would 
apply.
    Ms. TUBBS JONES. There may be some advantage of having some 
oversight. That is why the law enforcement has to go to the 
judges to get search warrants, but I don't want to argue with 
you about it. What I would like to see, though, is the proposal 
that you have for the change in that authority. I thank you 
very much for your time, sir.
    Mr. HUSE. Thank you.
    Ms. BOVBJERG. Could I add something to that, please? Ms. 
Tubbs Jones, the Chairman has asked GAO to look at Social 
Security's policy with regard to sharing information with law 
enforcement. We are comparing it to the terms of the Privacy 
Act and to the policies of other Federal agencies. In this 
work, we are really looking at the balance between the privacy 
associated with the personal data that the SSA maintains and 
the needs of law enforcement, and of course we have been 
working with Mr. Huse and his office on that. We will be 
reporting out in September.
    Ms. TUBBS JONES. I would be interested in hearing from you 
as well, and I would say the same thing to you, to you and 
anyone else looking at that area, that in the name of 
terrorism, we have abridged a whole bunch of rights. Let's 
think about it before we--especially to an area that has given 
us so much dilemma so far. Thank you, Mr. Chairman.
    Chairman SHAW. Mr. Becerra asked for another follow-up 
question.
    Mr. BECERRA. Thank you, Mr. Chairman. Quickly, if either of 
you, any of the three of you could respond to this, the breeder 
documents, I think at the end of the day we all recognize that 
as much integrity as we may put into the SSA's process for 
issuing cards, if the breeder documents that are used to obtain 
the SSN and card are fraudulent, that are very good fraudulent 
numbers or cards, identifiers, then we are still in the same 
place we were before. So, how--what can we do? Is there a 
carrot-or-stick approach that we can use to get the underlying 
State or local authorities who issue identifiers that are used 
often to obtain a SSN or any other private sector industries or 
businesses that issue identifies that are also used, health 
care, health insurance card, for example, which is often used 
or accepted by some as an identification card. How can we make 
sure that those breeder cards or identity cards can be made 
more authentic? How can we provide the integrity in that 
process?
    Ms. BOVBJERG. Well, third-party verification is really 
important. What we observed in the case of the driver's 
licenses, was that the third-party verification wasn't looking 
in the right place, so it was incomplete. In the other case, 
the SSN they weren't checking. There wasn't a verification of 
the birth record to see that the child didn't exist.
    Mr. BECERRA. On that point, say the two faulty Social 
Security cards you got were verified by the SSA, so even if you 
take a State driver's license from whatever State and ask the 
State administrator, can you verify if this is a true 
identifier for you, is it an authentic State driver's license, 
someone might say, yeah, because it is such a great fake, 
forged document. So, how do you stop the process of creating 
what are clearly very good forgeries?
    Mr. BERTONI. I will take a shot at that. We have criss-
crossed the country looking at the processes for driver's 
license as well as SSNs, and I reiterate what Barbara says. We 
really need a system where we can have some independent third-
party verification. So, if I am coming to the table with 
documents that look really good, even with training, and other 
tools that a driver's license clerk is given, or an SSA person 
is given, the documents are often just too good to catch. You 
really need to corroborate this information with third-party 
sources. In the case of the SSN, if I were to bring a birth 
certificate, SSA staff should bump that against State Bureau of 
Vital Statistics information from the issuing State. There are 
a number of other data sources that SSA could use to 
corroborate the name, date of birth, Social Security, and other 
elements. If the data comes back matching and you have other 
documents that corroborate the rest of the story, then you have 
a comfort level and you can issue the document. The same is 
true for driver's licenses. If you are a State using SSA's 
online process, you are going to get the full, I guess, the 
plate of services from SSA, including the death match. States 
that use a batch process, are not getting that match and if 
persons come to the table with a name, date of birth and SSN of 
a dead person and it is on the documents, SSA could do that 
check. I am sorry. The Department of Motor Vehicles could check 
with SSA, and it would still come back verified.
    So, again, it goes back to what third-party verification 
are States doing, and what is the quality of that third-party 
verification. Another aspect is that if not SSA, or another 
government agency, some States use private vendors to perform 
data mining, and data cross-matching across the public and 
private sector sources to give the person that is verifying 
your identity documents greater comfort level that you are who 
you say you are. This brings me to the issue of how extensive 
identity theft is, and I will use the driver's license example. 
We took 1 month of transactions from 1 State and matched that 
data against SSA's master death file and got initially 160 
instances where it looked like someone had used the identity 
documents of a deceased individual. We immediately forwarded 44 
good ones to the State of issuance, because these folks were 
dead 10, 15, or 20 years, and it looked like identity theft was 
likely. We got a quick response back from the State that they 
had issued a license or identification card to 41 of 44 of 
these people. So, one State, 1 month of data show that this is 
a problem. There are a lot of States out there, and identity 
information is being used over and over and over again. I think 
there are driver's licenses out there that are issued to folks 
who shouldn't have them, and I think the problem is bigger than 
we all think it is, at least in the driver's license area.
    Mr. HUSE. That is why, to sum this up, I think there are so 
many benefits to the cross-verification of data. Some privacy, 
of course, will be abridged, but anomalies will be reduced that 
everybody, whatever sector they are from, government, 
commercial, financial, will have to deal with these anomalies. 
These people were dead people that basically were used to 
produce this, we need to get a control over, it is not just 
government's problem. It is a universal problem. It will never, 
ever be perfect. That is a fact. There is nothing that can't be 
counterfeited. One day, though, all of this will lead us to a 
place where we will go to biometrics. We have to. That is not 
my role to suggest that. I just know that that is the ultimate 
answer.
    Mr. BECERRA. It sounds like what you are saying is, if it 
is going to gain better protection of our privacy, we may have 
to give up a little bit of privacy----
    Mr. HUSE. We may have to give up a little. It is this 
willingness to have our records cross-checked against----
    Mr. BECERRA. This cross-checking isn't cheap. It is----
    Mr. HUSE. No. It is expensive.
    Mr. BECERRA. Mr. Chairman, thanks for the time.
    Chairman SHAW. I think also by limiting the use of SSNs, we 
are actually going the other way. We are pulling back and we 
are increasing the right of privacy, which is something that we 
seem to be losing a little bit, as Ms. Tubbs Jones was pointing 
out, because of 9/11. I cannot remember a single time that I 
have been asked, somebody has asked to see my Social Security 
card. I am constantly asked for a SSN, and I have gotten to be, 
whether it is an application or something like that, I will 
just leave that blank, and usually nobody ever follows up to 
ask for it. This is something we have certainly got to do 
something about. When you think about the number one identifier 
in this country today is a card with a name and a number on it, 
period, no description, no date of birth, nothing else involved 
in it and this is being used as a prime identifier, there is 
something wrong with that picture and something we need to work 
on. We are just so vulnerable with regard to the use of those, 
and those numbers really have to be protected. Someone was--I 
think Mr. Johnson brought up the question that and you can see 
on that board to the right where the military identification 
uses the same numbers as Social Security.
    Mr. HUSE. Exactly.
    Chairman SHAW. Rank, name, and serial number. I used to kid 
Mr. Johnson. I would say, when you were in prison in Vietnam, 
the Vietnamese have your SSN, because that is the serial 
number, and when you go to many of the PXs on Army bases or any 
military base, you try to give them a check and not put your 
serial number on it, they won't take it, and that means that 
they are getting the SSN, and we had testimony a few years ago, 
I think it was a colonel whose credit was absolutely destroyed 
because of, because somebody somewhere in the chain from the PX 
to the bank had picked up his SSN and just used that as the 
jumping off spot in order to assume his identity. We have, at 
this point, a vote on the floor. I think it is a point of 
order, and I assume that----
    Ms. TUBBS JONES. Mr. Chairman, since we have a vote, can I 
ask just one other question, real short?
    Chairman SHAW. Your questions go on for a long time.
    Ms. TUBBS JONES. I know.
    Chairman SHAW. I have got the gavel. You are----
    Ms. TUBBS JONES. Okay. I won't have any problem. Just gavel 
me. By the time someone realizes that there is an identity 
theft problem and they go to law enforcement, the track is 
pretty cold, isn't it?
    Mr. HUSE. Very often, yes.
    Ms. TUBBS JONES. See. I am done, Mr. Chairman, and you 
didn't even know it.
    Chairman SHAW. Very good. That is a record. I am a little 
confused about exactly how long we are going to be gone, but we 
will be coming back and go into the second panel immediately 
upon our return. So, I appreciate your patience in dealing with 
the schedule that we have. We will be in recess until 
approximately 10 minutes after the next vote.
    [Recess.]
    Chairman SHAW. We are going to go ahead and start. One of 
our witnesses has not returned as yet, but the vote has been 
over for a few moments and Mr. Collins is coming in now. So, we 
are going to go ahead and start with the next panel. We have 
Theodore Wern who is the Chicago, Illinois Regional 
Coordinator, the Identity Theft Resource Center in Chicago. 
Chris Hoofnagle, who is the Deputy Counsel, Electronic Privacy 
Information Center. We have an additional witness from Georgia, 
whom Mr. Collins will introduce when he returns. Mr. Wern.

   STATEMENT OF THEODORE WERN, CHICAGO AND ILLINOIS REGIONAL 
    COORDINATOR, IDENTITY THEFT RESOURCE CENTER, SAN DIEGO, 
                           CALIFORNIA

    Mr. WERN. Thank you. Good afternoon. My name is Ted Wern, 
and I am the Midwest Regional Coordinator for the Identity 
Theft Resource Center. I am also an attorney in private 
practice in Chicago, Illinois. I began my work with the 
Resource Center after I recovered from my own personal identity 
theft problems. My battle lasted about 3 years, and from that 
process, I learned what millions of Americans have learned--
that identity theft can truly wreak havoc on a person's life. 
What I have also learned as an attorney and as an educator to 
corporations in this area is that identity theft can result in 
some very significant liabilities for corporations. Therefore, 
my role both as an attorney, and as a volunteer for the 
Resource Center is to ensure responsible information handling, 
both for the benefit of potential individual victims as well as 
for the benefit of institutions which face potential liability 
in this area. Next I would like to provide a real-life 
perspective on the problem of identity theft by talking about a 
small sample of cases that the Identity Theft Resource Center 
has handled in the past, keeping in mind that they handle 
thousands of cases each year, and these are just a few that 
seem particularly relevant to this hearing.
    The first case involves a widow of the September 11th 
attacks. Approximately a year after her husband died in those 
attacks, she found out that her deceased husband's SSN was 
being used by an illegal immigrant for both fraudulent credit 
purposes and employment purposes. We don't know exactly how 
that person got the SSN, but public death records, which often 
display SSNs, are probably a very good guess. We also handle 
numerous cases involving the theft of children's identities. 
Mr. Johnson had a concern about this, and in response to that, 
children are becoming a new target of identity thieves. Here is 
why. Basically, a child's SSN and personal information can be 
stolen when the child is young, 6, 7, or 8 years old, by either 
a family member or stranger. By the time the child finds out, 
i.e., when the child is 18 or 19, or after adult age, to apply 
for credit or sign a landlord lease, by that time the thief has 
had 15 or 12 years to use that information to his or her 
advantage. So, the reason the children are such a hot target is 
because there is this lengthy discovery period for the crime.
    The other group of cases to talk about, and one stands out 
in particular, involves military personnel. I would like to 
highlight a case that was the centerpiece of the Parade 
Magazine issue that comes in your Sunday newspapers. It was 
issued just this past Sunday. It involved a man named John 
Harrison who was a retired Army captain. His name and SSN and 
other personal information were stolen and used by a man who 
was able to buy, for example, a Harley Davidson, who was able 
to rent an apartment, was able to buy a timeshare, and the list 
goes on and on, all with Mr. Harrison's name. The importance of 
this article, and the story is that within hours of this 
article hitting the news stands, the Resource Center was 
flooded with calls and e-mails from citizens who were concerned 
about their identities, and the vast majority of those citizens 
were elderly persons, military personnel, and people who were 
concerned about their SSN appearing or being displayed on their 
military identification cards, which is a common practice, 
Medicare identification cards and of course, health 
identification cards as Mr. Cardin showed us a few moments ago.
    The common thread from all of these cases is the fact that 
the SSN is at use in all of them. Without the SSN being 
available to criminals, none of these cases would have been 
possible. I would love to give you hard data about how many 
thieves extract their SSN from particular sources, whether they 
be death records or government records, but the data just isn't 
available, because, one, thieves rarely get caught; and two, 
when they are caught, their stories about where they got the 
information are hardly credible. What I can tell you, however, 
is that the SSN is the golden piece of data for identity 
thieves. A thief can only go so far with a date of birth or 
with an address. The SSN rounds out the crime, and with it, 
along with other information, getting fraudulent credit is as 
easy as picking up the phone or signing up on the Internet. So, 
even though we don't know exactly how the thieves are getting 
the information, what we do know is that the number itself is 
worthy of any protections, any confidentiality restrictions 
that the government or the private industry can impose on it.
    Let me point out that our goal here is not to create an 
undo burden on industry. We have looked at this bill, and we 
believe that, as Chairman Shaw indicated earlier, that it is a 
balancing act. You have to look at the potential benefits of 
the bill weighed against the burdens. In this case, we believe 
after careful study that the benefits of this bill far outweigh 
the potential burdens. With regard to that balancing, first of 
all, the SSN has no intrinsic value to governments or private 
industry. What I mean by that is that you don't use a SSN to 
dial up a person at home. You don't send marketing materials to 
a SSN. It is a random number, the only significance of which is 
to identify the particular person. There is no intrinsic value 
in the number itself. So, as Mr. Cardin raised before, why is 
his number and my number on our health identification cards? So 
that our doctor can have an emergency response number to call 
us or so that our medical records can be sent to that number? 
No. It is a random number, and there are plenty of other random 
numbers that could replace that number. So, especially in the 
area of publicly displaying these numbers on identification 
cards, unless it is for a legitimate IRS purposes or some of 
the exceptions that you have laid out in your bill, but for 
general commercial purposes like this, it just makes no sense. 
It is a random number. Why not get it out of circulation?
    Also, with regard to balancing, it is important to point 
out that this is not a bill that imposes huge financial or 
administrative burdens on the industries or the government 
agencies that are subjected to it. We are not talking about 
huge capital expenditures here. We are not talking about 
complete overhauls to data systems. There are simple practical 
solutions of taking this number off the market, basically 
removing it from circulation. Furthermore, with regard to costs 
and benefits, there is an economic benefit for corporations and 
government agencies to not having that number out there for two 
reasons. One, there is a serious source of liability for 
corporations and government agencies who are responsible for 
information getting out into the public and identity thieves 
grabbing it. For example, when you have a large identity theft 
situation and outbreak, there is enormous class action 
potential in that situation, and these sorts of cases are 
growing exponentially in the marketplace today. So, this bill, 
in fact, is doing what exactly some of my clients, when we give 
our corporate workshops, are asking us to help them do, and 
that is help them to remove sensitive information from public 
display within their organizations, because they are very 
concerned about this source of liability. Finally, very 
obviously, as you reduce identity theft, you reduce direct 
losses to merchants, to banks, to credit card companies, and 
the losses in the last year we estimated at $17 billion. We 
took the average direct loss of an identity theft victim, 
losses that are borne by credit card companies and other 
creditors, multiplied it by the number of estimated victims 
which are between 700,000 and a million last year. Those are 
real numbers. So, not only do you have--if you can prevent 
identity theft, a prevention of liability. You also have a 
prevention of direct losses. So, with these points in mind, I 
think the balancing act strongly favors this bill.
    [The prepared statement of Mr. Wern follows:]
Statement of Theodore Wern, Chicago and Illinois Regional Coordinator, 
         Identity Theft Resource Center, San Diego, California
           ``Identity Theft and the Social Security Number''
    Members of the committee: Thank you for the opportunity to provide 
both written and oral testimony for your committee today and for your 
interest in the topic of identity theft.
    The Identity Theft Resource Center (ITRC) is passionate about 
combating identity theft, empowering consumers and victims, assisting 
law enforcement, reducing business loss due to this crime and helping 
victims. Our organization is honored by your invitation and will 
continue to make its opinions available upon request to your 
representatives over the next few months as you grapple with this 
complex crime. The following testimony was written along with ITRC's 
executive directors, Linda and Jay Foley, and I have their permission 
to represent ITRC today at this hearing.
About ITRC and the experts testifying:
    ITRC's mission is to research, analyze and distribute information 
about the growing crime of identity theft. It serves as a resource and 
advisory center for consumers, victims, law enforcement, legislators, 
businesses, media and governmental agencies.
    In late 1999, ITRC Executive Director Linda Foley founded this San 
Diego-based nonprofit program after becoming a victim of identity 
theft. In her case, the perpetrator was her employer. Co-Executive 
Director Jay Foley has spent hundreds of hours speaking and 
corresponding with thousands victims while assisting in their recovery, 
listening as they discuss their revictimization by ``a system that 
doesn't care, understand or listen.''
    ITRC also works with credit grantors, representatives from the 
credit reporting agencies (CRAs), law enforcement officers, 
governmental agencies and private businesses to prevent and resolve 
identity theft problems.
    As one of the few groups that deal with a victim at all stages of 
the recovery process, we have a unique perspective on the crime. ITRC's 
information does not arise only from moment of discovery statistics. 
Its information comes at the cost of minutes, hours, days, weeks, 
months and years of a victim's life.
    I (Theodore Wern) was an identity theft victim and serve as the 
ITRC Chicago and Illinois Regional Coordinator and victim advocate. My 
own case was complicated and required me to go to the extreme measure 
of changing my Social Security Number (SSN) in order to stop the crime 
from continuing. Because of my experiences, I am one of ITRC's 
designated specialists in severe cases. Since I work with others who 
must also change their SSN (only recommended in extreme situations), I 
serve as one of ITRC's representatives on a taskforce with the Social 
Security Administration (SSA) on defining and smoothing the procedures 
for changing one's SSN in extreme cases of ID theft. My expertise as a 
corporate attorney also gives me added insight into the business 
implications of using the SSN as an identifier, as well as liability 
issues surrounding this subject.
    The ITRC has worked for a number of years to make changes in laws, 
policies, business practices and trends to combat this crime. As a 
result ITRC has composed a list of recommendations that we feel will 
make a difference both in crime prevention (keeping the information 
from the hands of criminals and preventing the issuance of fraudulent 
credit) and in victim recovery.
    ITRC's Testimony: ITRC has been asked to address the following 
points:

      The problem of identity theft including its impact on 
victims
      Issues surrounding the use and abuse of the SSN
      Recommendations for new laws regarding the SSN, including 
those listed in the Social Security Number Privacy and Identity Theft 
Prevention Act of 2001 (H.R. 2036).
Part One: Summary of the Problem
    H.R. 2036 succinctly summarizes the history of the creation of the 
SSN and how this Pandora's box was opened. Unfortunately, in 1943, 
President Roosevelt could not have predicted the impact of the 
information age and the role computer technology would play in our 
lives. He could not have foreseen how it would change business 
practices or expose United States citizens to a harsh crime--that of 
financial identity theft.
    Identity theft is not a new crime. The crimes of criminal identity 
theft and identity cloning (the use of another person's name instead of 
your own) can be traced back to biblical times. Credit card fraud and 
checking account fraud began soon after the advent of those financial 
transactions.
    As stated in Mr. Shaw's summary, the Federal Government requires 
virtually every individual in the United States to obtain and maintain 
a Social Security account number in order to pay taxes, to qualify for 
Social Security benefits, or to seek employment. The use of this number 
as an identifier has grown tremendously and it is now common practice 
to use the SSN for purposes that have nothing to do with the extension 
of credit or governmental purposes. This extensive use of the SSN 
provides criminals with easy access to fresh credit and a new identity. 
To an identity thief, a victim's name, date of birth and address can be 
valuable, but such data alone is often not sufficient to commit 
identity theft. A thief generally needs a SSN as well. Because the SSN 
is ``golden data'' to the identity thief, it should be given the 
greatest privacy protections.
    As pointed out in Mr. Shaw's summary:

      An individual's Social Security account number may be 
sold or transferred without the individual's knowledge or permission.
      Today, the Social Security account number is generally 
regarded as the single-most widely used record identifier by both 
government and private sectors within the United States.
      No one should seek to profit from the sale of Social 
Security account numbers in circumstances that create a substantial 
risk of physical, emotional, or financial harm to the individuals to 
whom those numbers are assigned.
      The prevalence of the use of the Social Security account 
number and the ease by which individuals can obtain another person's 
Social Security account number have raised serious concerns over 
privacy and opportunities for fraud.
      Social Security cards may be counterfeited for illegal 
aliens and individuals use false Social Security account number 
information to improperly apply for and receive benefits under Federal 
and State programs.
      Misuse of the Social Security account number is a central 
component of identity theft, considered the fastest growing financial 
crime in the country as well as welfare and Social Security fraud.
      Growing concern over fraud and privacy and the absence of 
a comprehensive Federal law regulating the use of Social Security 
account numbers prompt the need for the Congress to act.

    ITRC does not believe it will be possible to completely eliminate 
this crime but we certainly hope to do the following:

      Make it extremely difficult for criminals to obtain SSN 
and other information that can be used to commit financial identity 
theft by severely cutting back on the exchange of such information.
      Tighten the procedures used by the issuers of credit so 
that criminals have a more difficult time in using ill-gotten 
information.
      Assist in victim recovery and shorten the time and duress 
suffered by its victims.

    Because the federal government, through the SSA, created and 
maintains SSNs, it is appropriate for the federal government to take 
steps to stem the abuse of SSNs both in private industry and by 
governmental agencies. It will be far more efficient for the federal 
government to pass regulations about the use and misuse of the SSN than 
to rely on state regulations. California has come a long way in 
addressing the abuse of the SSN but to do this in 49 more states would 
be a daunting task.
Part Two: Victim Impact
    Identity theft is a dual crime and no one is immune, from birth to 
beyond death. Who are these victims? It could be you, unknown to you at 
this very moment. I'd like to introduce you to some of ITRC's clients/
victims who have turned to us for assistance. Many of these cases are 
taken directly from emails ITRC has received from victims. We present 
them to you so that you can see what we work with on a daily basis. 
Personal identifiers have been changed to protect each victim's privacy 
and some grammar/spelling corrections have been made.

Case 1: Child ID theft

    The victim, Jose, owes about $65,000, $4,700 in child arrears and 
has 3 DUI warrants in his name. One problem: Jose is only 6 years old 
now and those arrears are to himself. The perpetrator is his father, 
now divorced from Jose's mother, an illegal immigrant who is subject to 
deportation when found.

Case 2: Identity theft of the deceased

    Perhaps one of the most poignant stories we have heard (NJ Star 
Ledger reported it) is the theft of a man's identity who died in the 
World Trade Center attack on Sept. 11th. His widow was notified about 
10 months after the event to discuss her husband's recent auto 
accident. She went through hours of turmoil only to discover that an 
illegal immigrant had created a false driver's license and was living 
and working as her deceased husband.
    Unfortunately this is only one of more than several dozen cases 
that we have worked on involving the deceased. In some cases the 
imposter has purchased the information, in others the imposter is a 
family member or even a caregiver. Some may ask what is the harm in 
using the SSN of the deceased. Not only can identity theft involving a 
deceased person affect the estate but also the survivors still dealing 
with the grief of losing a loved one. In one other case, a mother has 
had to fight collectors trying to collect money from accounts opened in 
her daughter's name, a daughter who died several years ago. Each new 
call opens up the wound again.

Case 3: Workplace identity theft

    T's identity was stolen by her doctor's receptionist. She found out 
when applying for her first home loan, her dream home. Months later, 
after clearing her records, spending her own time to research how her 
thief got her information and used it, and seeing another family move 
into her home, she was able to convince authorities to prosecute her 
offender. The result--the thief is now living in a halfway house, 
driving the car she bought with T's identity and working for another 
doctor as a staff member. T was finally able to buy a house almost 2 
years later, at a higher purchase cost, with a higher interest rate due 
to the multiple accounts that had been opened in her name after the 
placement of a fraud alert.

Case 4: Victim recovery issue

    Victim owns her own business. For the past 3 years, she has been in 
a fight with her bank. They repeatedly open new fraudulent accounts in 
her name and grant fraudulent access to her existing accounts, even 
generating dual credit cards and sending them to the imposters as well 
as herself. At one point she went to the local branch of her bank 
regarding the transfer of her account information. With multiple pieces 
of identification in her possession she was devastated by the bank 
officers who would not acknowledge her right to discuss the accounts in 
question or accept her identifying documents including passport, 
driver's license, utility bills, business license and SS card. To date 
she still has problems with her bank and her accounts. She is currently 
talking to an attorney and plans to sue the multiple companies who 
continue to torment her and refuse to correct their errors. She 
believes that lawsuits are her only option left.

Case 5: Financial ID theft turns into criminal case

    Two nights ago, I was arrested as part of a 4-year ongoing theft of 
my identity. The arrest was over bad checks written in Lincoln, NE near 
where I reside.
    The issue, other than the arrest and all that goes with it, is the 
fact that J.P.M. was able to open fraudulent accounts because the 
Nebraska DMV issued her a license with her picture and my information. 
I don't know what documentation she provided them, but we clearly do 
not have the same physical features. This should have sent up a red 
flag to the DMV. As a result, J.P.M. illegally used my identity to 
spend almost $40,000, with new credit cards and with fraudulent checks.
    I am doing the best I can to be compensated for the money spent on 
bail, loss of work time, personal stress, which all occurred while I 
was finishing my undergraduate degree and throughout my master's 
degree. Needless to say, this has interfered with my performance in 
school because of the time it takes to free myself as a citizen and as 
a consumer. The arrest was the last straw, and I've been told that the 
statute of limitations to sue the woman who stole my identity has 
expired. I am looking for help.

Case 6: SSN used as driver's license number

    Victim had car broken just prior to a move from HI to DE. A file 
with all of her personal information was stolen in HI including her 
driver's license that used her SSN as the identity number. Since then a 
fraudulent cell phone account was setup with Voicestream generating a 
bill for $10,000.00. The victim has made some payments during the 
course of the account dispute due to the bullying action of collectors 
threatening to attach to possessions. Because of that payment, 
Voicestream refuses to acknowledge the account is fraudulent.

Case 7: Security breach

    Victim was referred to ITRC by the FBI Victim/Witness Coordinator. 
The victim is a 72 year old retired Air Force Major. His dentist told 
him his identifying information might have been stolen. The dentist had 
befriended a man who saw the victim's dental records. This man then 
copied and used all of victim's info. The dentist found out when he saw 
files out of place. This befriended man/handyman was the only person 
who had access. The imposter purchased a condo, a BMW, and used the 
victim's HMO for medical services. The victim's HMO paid for this. Upon 
arrest, it was discovered that the imposter had a prior record of 
fraud. The imposter is now in jail on non-related charges.

Case 8: Identity Cloning

    Victim lives in San Diego and is receiving disability benefits. The 
imposter is living and working in IL. Fraud is impacting her disability 
benefits. The IRS and SSA have been contacted. Victim is fearful of 
losing housing and being unable to cover living expenses due to the 
lengthy time of recovering her good name and clearing the records.

Case 9: Co-Worker ID theft

    The victim recently found out of the identity theft. In 1999, a co-
worker stole her credit card. The victim went through all the necessary 
procedures with her credit card company to remove the charges including 
filing a police report. In January 2002, the victim applied for a loan 
with a small finance company. The victim was told her social security 
number had already been used to apply for a loan with this company. The 
victim retrieved the application and found it was used back in 1999 by 
the same woman who stole her credit card. The victim had never been 
contacted by this company. The company's reply was that they denied the 
application. Unfortunately, in doing so, they did not indicate that it 
was denial due to fraud but due to not enough income.
    Victim did speak to the finance company about this and even spoke 
with the Vice President in South Carolina who was not helpful. Victim 
still has not received a copy of her credit report so she is not sure 
if the imposter has done any real damage or not. Victim is certain that 
she used her social security number and she is not sure how else she 
can file a report if the police are not helpful.

Case 10: Extreme identity theft case

    Victim's identity was stolen by a co-worker 10 years ago. She knows 
who the imposter is and he has been questioned but released by police 
(refusal to take action due to ``extenuating family circumstances''). 
In the meantime, the victim has been unable to stop the imposter from 
opening credit and checking accounts, fraudulently applying for 
welfare, etc. She has had to change her SSN, driver's license number 
and name, essentially recreating herself in order to separate and 
protect her from the actions of the imposter.

Case 11: Reoccurring identity theft

    My wife was a victim of identity theft in 1999. After many letters, 
a police report and an affidavit of forgery, we thought everything was 
settling. We were reassured that the loan and credit that was taken out 
in our name was removed from our reports and that our credit was 
restored. We asked several times for correspondence that this was taken 
care of but no one returned a letter. As time passed and we received no 
bills and we forgot about it. That is until we received an Equifax 
report on 6-2-02 showing that the fraud was still on the report. I 
tried to contact the office that I communicated with before but no one 
would return my call.
    The date reported was after we had notified Equifax of the dispute. 
Are they in violation of the (FCRA)? Please advise or direct.

Case 12: Family ID theft

    Victim's relative used victim's identity to clear out victim's bank 
accounts. This relative has victim's SSN and stolen checks. Victim has 
filed a police report and is in contact with the managers at her bank. 
Law enforcement is not investing a great deal of time on case, usually 
claiming that this is a family dispute.
    Family identity theft is one of the most difficult crimes we work 
on, in part due to lack of police action and in part due to the 
emotional impact of this crime. How does one turn one's own mother in 
to the police? Unfortunately, we receive about 3-5 of these types of 
cases each week.

Case 13: Domestic abuse and harassment

    The victim was divorced in 1987. She now lives in Florida. The ex-
husband is operating in San Diego. Due to the actions of her ex, the 
victim is having IRS and SSA problems and is dealing with 3 accounts 
opened in her name. Unfortunately ID theft is the perfect tool to 
harass another person and to perpetuate domestic abuse after a divorce 
or separation.

Case 14: Stolen wallet

    I live in TX. On June 2, 2002 my wallet was stolen in New York 
City. On June 6, 2002 a woman began using my identity from the wallet 
including drivers license, social security number from a medical 
insurance card, place of employment and stolen cards to establish 
instant credit at 9 different stores in 3 different states. I have 
placed a fraud alert on my credit report with the three credit 
reporting agencies but there has already been theft totaling in excess 
of $16,000 dollars. I am now having difficulty getting anyone to follow 
through with a police report and also changing my drivers license 
number. Because the theft occurred out of my home state, I have to 
follow up on the phone and not getting much response or help.

Case 15: Military spouse

    I have had the frustrating and humiliating experience of somebody 
taking my maiden name and social security number in order to open 
numerous fraudulent utility accounts leaving my credit reports a mess. 
I am also a military wife who is required to show my social security 
number on my ID card, which is used for everything.

Case 16: Enable credit granting behavior

    I was a victim of credit fraud/ID theft beginning in November of 
2001, and continuing until approximately April of 2002. All of the many 
fraudulent credit applications using my name and identifying 
information were done in the Los Angeles area. Somehow, my personal 
identifying information (SSN, name, birth date, etc.) were obtained and 
used to apply for instant store credit at Radio Shack, Gateway 
Computers, and approximately a dozen other merchants. Additionally, my 
personal credit card was ``taken over'' by these criminals. By calling 
Visa and posing as me, they changed my billing address, and claimed 
that they had lost the credit card. They then received my new Visa card 
in the mail at the fraudulent address. They applied for many credit 
cards under my name and were even successful at getting a few, then 
charging the cards up to the maximum very quickly.

Case 17: Mail theft by an acquaintance

    I just found out on June 14, 2002 that I am the victim of identity 
theft by my housekeeper/babysitter. Since she had access to my mail it 
was easy. She opened the first account in April 2001. She has charged 
over 10,000.00 that I am aware of and I have jewelry etc. missing from 
my home.
    This is so recent that I don't even know what I'm up against yet--
what I do know is that this has hurt my eleven year old daughter very 
badly. My daughter sang in the housekeeper's wedding last May, I wonder 
now if the wedding was all charged to me!
    I would be happy to talk to anyone about this. I live in a small 
town of 12,000 people right now I know 4 people personally that this 
has happened to including the president of one of the banks here in 
town. Something must be done!! She is having trouble getting creditors 
off her back.

Case 18: Domestic abuse, insurance fraud

    My ex-husband and his employer used my Social Security number to 
file medical claims on my health insurance. My ex has not been covered 
on my insurance since 1999, and I have changed employers and insurance 
carriers since that time. However, claims for February 2002 through May 
2002 have been filed on my current insurance. He has obtained the 
information without my knowledge. I found out about the claims after 
receiving Explanation of Benefit forms from my insurance provider. The 
claims have been denied, so the insurance provider states that they are 
doing their job. The insurer will not file a report with the police.

Case 19: IRS complications

    Someone has stolen my social security number and from that caused 
me to have false credit bureau claims and a warning from the IRS that I 
had underreported my income. Creditors have harassed me and required me 
to go to extraordinary lengths to prove that I could not have incurred 
the debt in question. The IRS has required extensive documentation as 
well. Right now the activity has settled down, but anytime the next 
shoe could fall.
    Even though there is a certain person I suspect of engaging in this 
identity theft, law enforcement authorities turn a deaf ear. I really 
don't blame them; it's not a high priority crime to them. To me, it is 
a major theft and close akin to rape.
    This whole situation has been aided by the use of computers and the 
overuse of the social security number. I understand that the original 
law establishing the issuance of social security numbers stated that 
that number should only be used for social security, but indeed that 
has not been the case.

Case 20: Victim frustration--complex case

    I became a victim of identity theft in March 2001. I found out when 
the person who had my social security number tried to open a credit 
card with a bank that I already had a card with. The woman was not able 
to give my correct birthday. They contacted me but they gave me a hard 
time saying that it was my daughter. They suggested that I contact the 
credit agencies about a fraud alert. That is when I found out that the 
person had many credit cards and a cell phone and they even bought a 
computer from Dell. Since I found out early I was able to stop almost 
everything before it was way out of hand. I filed a report with the 
Dallas police department and talked to a detective on a regular basis; 
only to find out they would do nothing. They had the address to which 
the credit cards and computer were sent but they would not go there. 
They even had another address where the person used a credit card in my 
name to buy a pizza. It took many months to clear everything up and I 
still have the fraud alert on my report for seven years. This is a 
crime that is to easy for someone to do and they get away with it 
because our laws are too easy and the officers are not trained on this 
type of crime. I feel I am luckier then most because I found out early 
and was able to clear up the damage within a year.
    While you know my story, that only tells part of the picture. What 
I discovered disturbed me greatly:

    1.  Fraud alerts only help a little. Most places do not even honor 
them. So I'm not sure they help very much.
    2.  After I put the fraud alert on, they still opened a few more 
credit cards. All of the accounts they opened were done on the 
Internet.
    3.  I found that the credit card companies did not care much, they 
just closed the accounts. But before they will close the accounts you 
have to prove to them it was not you who opened the account.
    4.  They also made you wait on the phone a long time and you are 
transferred to many people before you found one that could help you. 
Most of the people I talked with acted like they were not educated 
enough on the subject.
    5.  They treat you like it was your fault and most of them need 
more training on this issue.
    6.  The police are no help at all.
    7.  The credit agencies take forever to remove the fraud accounts 
from your file.
    8.  The victim spends hundreds of hours writing letters and phone 
calls trying to remove the damage the thief caused while they are free 
to go to the next victim.
    9.  The Laws should help the victims, but you are alone when it 
comes to identify theft.

Case 21: Child ID theft

    (Address, email and phone of victim will be provided to the members 
of the committee upon request. Copy and paste with permission of 
victim)

    I am a mother of a thirteen-year-old son. I share joint legal 
custody with his father, who lives in a different county. Although my 
two boys primarily live with their father in ###, California, they 
visit frequently and spend all of their summers and vacations with my 
new husband and me.
    About two years ago, my mother and I were in the process of setting 
up college fund accounts for my two sons. We were informed by our 
investor that my oldest son's social security number had several active 
accounts and recommended that we research this matter further before 
proceeding to open any financial accounts under his name and social 
security number. Unfortunately for my son, the thief is his own father. 
They both share the same base name and physical address. Therefore, the 
theft of my son's social security number was an easy accomplishment by 
his father.
    In going through this case of Identity Theft, I have encountered 
various problems along the way. First being that the local law 
enforcement agency in the county in which my son resides with his 
father, refused to take an identity theft report because their county 
does not have a department that handles such matters. Because of this 
and the fact that my son is a minor, it took several months, almost the 
remainder of the year to obtain a copy of my sons credit report. The 
three credit reporting agencies refused to issue any information 
because he was a minor. Instead of investigating the matter further, 
they sent a standard ``refusal to issue information letter'' based on 
the fact that he was under the age of 18 and that they do not issue 
reports for minors. Without this report, it has been nearly impossible 
to get any response from creditors as well as getting a credit issuer 
to take me seriously. The report was subsequently acquired, through 
diligence and perseverance.
    I have also attempted to write letters to each lender and attach a 
copy of his credit report as proof of an existing account, I have had 
to send follow up letter as well, and have yet to hear a reply as they 
are not required to respond or assist with fraudulent accounts.
    As a mother of a victim of Identity Theft, I would highly recommend 
that all state and local law enforcement agencies be required to 
generate a report on identity theft complaints in the jurisdiction 
where the victim lives and to provide a copy of the report to the 
victim, regardless of their subsequent decision on whether or not the 
agency will investigate the case. If by chance, there had already been 
laws in effect, it would clearly have been easier to obtain credit 
reports for a minor with parental documentation. It would also have 
directly influenced the ability to stop further debit from occurring.
    As you might imagine the recourse for this action can lead in 
several directions. Although I do not wish to amend this crime out of 
vengeance towards my son's father. I am deeply worried that as my son 
approaches adulthood and tries to obtain college grants, scholarships, 
etcetera, he will be denied due to his already existing debt. To this 
day, his father has acquired over $250,000.00 in debt under our son's 
social security number. I cannot begin to imagine the long-term affect 
that this amount of debt will have on my son's future.
    Knowing my son as I do, it has been a difficult decision to keep 
this information from him. As he has already suffered emotionally from 
the divorce, I deeply fear that this will emotionally tear him apart 
and sever all bonds he has created with his father. I also fear that 
the impact of knowing that his father was the criminal will have a 
psychological scaring on him for the remainder of his life.
    Finally, in trying to rectify this matter with the social security 
administration, and in conjunction with my family law attorney, this 
entire matter must be handled with diligence and on an efficient 
manner. Because of the fact that I share joint custody with my ex 
husband, I have an incredible fear, based on past actions, that if and 
when his father is confronted with the truth of his crimes, he will 
then take matters to extreme action and kidnap my son, making it 
impossible for me to have any further contact with him. This also 
presents the problem of obtaining a new social security number. Because 
our son is still a minor, the new number will have to be disclosed to 
his father for medical and scholastic purposes. An even greater fear is 
that his father will continue to abuse his son in this manner. Based on 
passed history of his fathers actions of first destroying his own 
credit, and now destroying his son's credit, what will prevent him from 
committing the crime once again. Unfortunately, I do not see this cycle 
ending without laws to protect victims of fraud as well as minors.
Part Three: Issues to be discussed
    It is clear that a list of commonalities can be derived from ITRC's 
victim accounts set forth above. Categories where the SSN has been an 
instrument to create havoc include:

      Use of the SSN for as a driver's license number
      ID theft of the Deceased
      Child identity theft
      Failure of governmental agencies to find alternate ways 
to protect identifying numbers used by the government: military ID 
number, Medicare/state health insurance number (could be done by random 
number matching to SSN in a closed, secure database)
      Employer use of the SSN as an individual employee 
(private or governmental) ID number, including public display of the 
SSN, e.g., timecards, badges
      The use of the SSN as an identifier by a business group, 
printed on a card carried by the person on a regular basis
      Mail theft--where the SSN is printed (unnecessarily) on 
the document being mailed and is intercepted by another person
      Theft of SSN given in good faith to or displayed or sold 
by a business which required the information to complete a transaction 
or activity--e.g., to obtain health care benefits.
      Collection of information not needed for the necessary 
task or program
      Failure to protect collected information--e.g., disposed 
of inadequately
      Database or information breach--failure to provide proper 
security
      Database or information breach--due to the actions of an 
individual who had access to the information that never should have 
been collected in the first place
      Domestic abuse, harassment of an ex--due to extensive use 
of the SSN as an identifier
      Restrictions on sale of SSN and credit info to third 
parties by governmental agencies or private entities
      Unrestricted ability to print SSN of individuals on web 
sites, e.g. Ancestry.com
      Failure to truncate parts of SSN on documents available 
to the public--electronic court records, birth and death certificates, 
etc., unless the requesting party has a legitimate reason for such 
information

Part Four: Recommendations for Laws
    ITRC likes to use a Finding/Recommendation format to advise on new 
legislation. In this testimony, ITRC will limit its findings with the 
belief that this esteemed committee has studied this subject at length 
and does not need substantial background information.
    This list is a preliminary discussion and ITRC's directors would be 
honored to continue to work with the committee as they explore this 
topic and prepare legislation that will protect all of us from SSN 
abuse.

1.  Use of the SSN as the driver's license number

    Finding: At this time, individuals have a choice in those remaining 
states that continue to use the SSN as the driver's license number. 
This practice means that each check written includes one's SSN and that 
individuals with social security numbers on their license suffer 
greater loss due to lost/stolen wallets.

    Recommendation: Due to lack of consumer education, ITRC believes 
that states MUST be required to adopt a random number system and 
replace the SSN on all drivers' licenses within 1 year of the passage 
of this legislation.

2.  Identity theft and the Deceased

    Finding: Despite a person's death, a SSN continues to be active and 
may be used for the extension of credit. The Master Death Registry 
controlled by the SSA does not include the names of all deceased. 
Information is added to this list in a variety of methods, some of 
which are only consumer generated. Too many stories have been printed 
and too many cases have occurred where a deceased individual's SSN has 
been used to get credit.

    Example: Florida Department of Law Enforcement agents arrested 
William Troy Herman and Ronnie J. Skipper for fraud. Agents say the duo 
used the personal information of seven deceased individuals to obtain 
credit cards in the victims' names.

    This causes problems for the estate and additional stress on the 
bereaved. The letters we receive from them are painful and their 
distress is evident.

    Recommendation: ITRC's executive directors are currently working 
with Senator Corzine and U.S. House Representative Gutierrez on 
legislation to correct this issue. It would make sure that all deaths 
are recorded on the death register, forwarded to the repositories that 
will then mark all of those SSNs as ``Deceased, do not issue credit.'' 
This list must be designated as not to be sold, distributed or used for 
any purpose other than the one itemized above.

3.  Identity Theft of Children

    Finding: There are several types of child identity theft scenarios 
that ITRC typically sees:

      It's a split family. One of the parents finds out that 
the other parent (or the ``friend'' of the parent) has begun to use the 
child's identity to gain credit or a driver's license. This is usually 
because they have already ruined their own credit or driving record. 
They plan on ``fixing'' everything before that child reaches 18. They 
even swear they were planning on paying all the bills accrued under the 
child's SSN. The reality is that they eventually will ruin the child's 
credit just as they ruined their own.
      Upon reaching 16, the child applies for a driver's 
license. They are denied because someone already has a driver's license 
using that SSN.
      Upon reaching 17 and applying for a college loan, the 
teen finds out he or she cannot qualify due to a poor credit rating. 
This has sometimes resulted in a one-year delay in starting college.
      Upon reaching 18, the now adult child is denied credit, 
unable to gain employment or rent an apartment due to a poor credit 
rating. They find out that someone has used their info for the past 10 
years and they are $15,000 in debt. Before their true adult life has 
begun, it is tainted and may take years to clear up.
      Now an adult and in the workplace, the victim finds it 
difficult but not impossible to get credit. Perhaps they think it is 
because of their youth and that the first card they did get they 
mishandled and perhaps had to pay off over time. They have never 
checked their credit reports until one day a collection notice reaches 
them--perhaps at the age of 25 or even 30. Once checking their credit 
reports, they find out that for the last 15 years someone else has been 
opening up accounts in their name.

    Their imposters often are family members, parents or guardians, or 
may be illegal aliens who purchased the information from traffickers 
who purposely sell information that belongs to children due to the 
lengthy time prior to crime discovery.

    Recommendation: Elderly and children are deserving of additional 
protection under the law. No one disagrees with that. We must assume 
the role of caregivers and make sure that those individuals are not 
abused--physically or financially. ITRC's recommendation is that the 
SSA creates a list using birth records of all SSN and birthdates. This 
list would be given to the repositories that may not sell, distribute 
or use it for other than the intended purpose. Should a credit 
application be submitted with the SSN of an individual (child) on the 
list, then that application must be further investigated and such 
investigation well documented. When a child reaches the age of 
majority, their information would be deleted from the list. ITRC would 
also like to see any person who commits child identity theft receive an 
enhanced penalty for this crime.

4.  The need to find alternate ways to protect identifying numbers used 
by the government: military ID number, Medicare/MediCal number, etc.

    Finding: On July 6, 2003, Parade Magazine's (in the Sunday paper) 
centerpiece discussed identity theft. More than 70% of the emails ITRC 
received were from people either concerned about lost and stolen wallet 
issues or from people who are angry at either governmental agencies 
(SSA, military) or health providers that place the SSN on a card they 
must carry on a daily basis. Those many concerns must not go unheard.
    Lost and stolen wallets are a prime way for thieves to gather 
information. Unfortunately, the federal government as well as state 
governments (and health providers) also use SSN as employee or member 
numbers: military, elders and Medicare, etc. These numbers are seen by 
dozens of people through the course of daily activities. Colleges and 
universities must also be included in this list since NY is the only 
state that prohibits the use of the SSN as the student identifier and 
almost all college students we have spoken with have told us that it is 
being used as their student ID number--often written down on rosters, 
papers passed around classrooms, posted on bulletin boards, placed on 
college transcripts, etc.

    Recommendation: If the SSN must be in the database, then we must 
find a way to assign a random number that will be on the card that is 
carried and put on the multiple forms that are filled out by the 
individual. Right now, college students, seniors and military are our 
most vulnerable population groups due to the fact that their SSN is so 
widely known and used. That number can be linked in a database if 
necessary, at a high level of security. If the federal government 
expects the business community to change systems, it must lead by 
example.

5.  Overuse of the SSN

    Findings: The following categories demonstrate the problem of the 
overuse of the SSN.

      Employer use of SSN as individual employee (private or 
governmental) ID number, including public display of such, e.g., 
timecards, timesheets, cash register use number, badges, etc.
      The use of the SSN as an identifier by a business group, 
printed on a card carried by the person on a regular basis.
      Mail theft--where the SSN is printed unnecessarily on the 
document being mailed and is intercepted by another person.
      Theft of SSN given in good faith to a business who 
required the information to complete a transaction or activity--e.g., 
get health care benefits.
      Domestic abuse, harassment of an ex--due to extensive use 
of the SSN as an identifier. Most of us know the SSN of our spouses, 
ex-lovers, etc. This crime is a perfect tool to harm another.

    Recommendations: Private entities may not use the SSN other than 
for tax purposes or other purposes so designated by either state or 
federal governmental agencies. They may not publicly display, use, sell 
or share the information. Language for a bill may be found in 
California's SSN Confidentiality bills, many written by CA Senator 
Debra Bowen.

6.  SSN Protection

    Findings: It is critical that any entity, whether private or 
governmental, safeguard identifying information properly. The following 
categories are just some of the areas that must be included in any 
legislation considered.

      Need to render all sensitive information unreadable prior 
to disposal, electronic or in paper format
      Restrict collection of information not needed for the 
necessary task or program
      Need to require adequate database and paper information 
storage
      Need to require notification of any database or 
information breach

    Recommendations: It is critical that minimum standards be set for 
acquiring, access, disposal, storage and breach of information fields 
that include the SSN as well as other sensitive information. This 
includes what information may be requested by a company and when. For 
example, no one is hired on the basis of a job application. That is a 
screening device and hundreds may be collected for a single job. Yet 
each one asks for your SSN. Why? All they need to do at that stage is 
ask if you have a SSN and would be willing to provide it upon request. 
That information can be exchanged when an employer is narrowed the 
field and is serious about a new hire. This protects consumers from 
overextension and viewing of the SSN (think of the many applications a 
job seeker fills out) and limits the company's liability in terms of 
acquiring and storage of sensitive information. Language for some of 
these bills can be found in some new California laws as well as in some 
of the bills now under consideration at the federal level.

7.  Restrictions on sale of SSN and credit info

    Finding: The less people with access to SSNs, the less opportunity 
there is for leakage to identity thieves.

    Recommendation: Federal restrictions on the sale, exchange or 
transfer of SSN and credit info to third parties by governmental 
agencies or private entities.

8.  Restriction on public posting of SSN

    Finding: This problem falls into two categories: websites and 
public records. Both allow unlimited viewing by both criminals and 
people with legitimate purposes.

    Recommendations:

      Federal restrictions regarding the publication of SSNs of 
individuals, alive or dead, on web sites, e.g., Ancestry.com.
      Federal requirements to truncate parts of SSN and other 
sensitive information (to be decided by committee) on documents 
available to the public, e.g., electronic court records, birth and 
death certificates, etc., unless the requesting party has a legitimate 
reason for such information.

IN CONCLUSION:
    The crime of identity theft, like any other thing in our society 
grows, evolves and constantly changes along with the changes in our 
society. In 1970, the writers of the FCRA could not have predicted the 
credit trends and practices of the year 2003. They created the FCRA 
when all business was conducted in person, in communities where people 
were known and applications could be verified.
    When FDR expanded the use of the SSN as an identifier, he could not 
have anticipated the Pandora's box that he would open. It was 
impossible to predict the impact of the information age and how 
computer technology would allow a crime like identity theft to 
flourish.
    In 2000, the FTC held a hearing on ID theft in which ITRC 
participated. The FTC has continued to monitor this crime through its 
databases and through victim panels. The information has not changed, 
nor have the laws. In fact, members of ITRC's staff has attended 
hearings and provided information for years now to federal legislators 
and governmental agencies about changes that need to be made, but few 
if any bills have been passed. The most recent was passed because of 
its link to Homeland Security. It imposes higher penalties for all 
those criminals who are not caught in the first place.
    Now it has come down to the final question. Can you meet the 
challenge to create and pass the much-needed bills in a timely manner, 
prior to the end of this year? If you cannot, then all this action and 
activity is nothing more than talk. If you are serious about identity 
theft and feel you can address it sufficiently on a national basis, 
this is your opportunity to prove it. But keep in mind--we (consumer, 
victims, advocates and the business community who care about combating 
this crime) have high standards for the laws that you pass. We will not 
accept weak laws that either do little to help the situation or weaken 
existing laws that have a proven track history. State legislators will 
take action where the Federal government fails to.
    ITRC's sole purpose is to combat this crime and to help victims. 
Its fear is that the public will be promised strong laws that allow for 
expansion and redirection as this crime evolves, but such laws will 
never materialize.
    ITRC believes it is the time for some action. We need the subjects 
covered by this testimony to be addressed and signed into law. The 
greatest leaders throughout history have led by example. They never 
asked of others what they were not willing to do themselves. The 
federal government must also change their practices by protecting SSNs 
for military personnel, our seniors and governmental employees. 
Otherwise, they do not have the right to ask the business community to 
comply. This administration and this Congress must take the lead and 
set the standard for the rest of the country. It is up to you to show 
us that this crime is being taken seriously by one and all.
    Thank you for your time and consideration.

                                 

    Chairman SHAW. Mr. Hoofnagle.

 STATEMENT OF CHRIS JAY HOOFNAGLE, DEPUTY COUNSEL, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. HOOFNAGLE. Thank you, Chairman Shaw, and Members of the 
Subcommittee. My name is Chris Hoofnagle, and I am Deputy 
Counsel with the Electronic Privacy Information Center. We 
appreciate the opportunity to testify on this very important 
matter today. In our written testimony, we detailed the 
development of the SSN and historical attempts to regulate the 
identifier. As you are well aware, today the SSN plays an 
unparalleled role in the identification, authentication and 
tracking of Americans, but I would like to focus my comments 
today on several recent developments--developments that include 
large-scale theft of identity cases, the continued use of a SSN 
by private sector actors, including colleges and universities 
and the role of States in passing Social Security legislation. 
I believe these developments continue to institute more 
evidence that a national framework for privacy protection for 
the SSN is necessary. Accordingly, I am here to make only one 
recommendation today, and that is to ask the Committee to 
reintroduce H.R. 2036 from the 107th Congress. That is an 
excellent measure. Many of its provisions will allow us to put 
the SSN genie back into the bottle. Often in the privacy 
debate, people say it is too late, that your privacy is already 
gone, but as we have seen with telemarketing, it is possible to 
assign rights and responsibilities and personal data and help 
put our private information back into the bottle and safeguard 
individual rights.
    Again, I think there are three recent trends that are worth 
highlighting. The first, of course, is that the SSN continues 
to be the key to identity theft, as Mr. Wern testified. In our 
written testimony, we identify several cases where identity 
thieves or computer crackers have targeted databases that 
contain the SSN. In a New York case SSNs were stolen from a 
State insurance fund, a college and several private businesses. 
Another involved a computer help desk employee who using access 
codes for Ford Motor Credit was able to obtain tens of 
thousands of credit card reports with SSNs from Experian. Yet 
another involved employees who took advantage of a patient 
identification system that used the SSN to commit identity 
theft. Researchers at Michigan State University recently 
studied over 1,000 identity theft cases and found that victims 
in 50 percent of the cases specifically reported that the theft 
was committed by an employee of the company that maintained 
their personal information. There is very little an individual 
can do about these identity theft cases that are insider jobs 
or cases where personal information is stolen from a database, 
and this is one of the reasons why we think we need to get the 
SSN out of circulation, to stop reliance on the identifier, 
because in most cases, you can't prevent its theft.
    Another trend illustrated in our written testimony is that 
many public and private sector entities continue to use the SSN 
for identification. As we have testified before, in most cases, 
it is wholly unnecessary for a business to collect your SSN. 
The Blue Cross/Blue Shield insurance cards that Representative 
Cardin and Mr. Wern held up contain their SSN, and there is 
absolutely no reason for them to do that. They could assign a 
random identifier, and the only case where they actually need 
to collect the SSN is when your health costs actually have a 
tax consequence. Nevertheless, recent news reports indicate 
that major companies, including Blockbuster Video, Sam's Club, 
and Costco continue to demand a SSN for membership. A related 
problem is that many colleges and universities in the country 
continue to use a SSN as the primary student identifier. In a 
recent study done by the American Association of Collegiate 
Registrars of 1,300 institutions, half of those polled claim 
that they still use a SSN as a primary identifier. It is 
actually on the card, the student identity card, or in the 
record database.
    These trends involving use and misuse of the SSN and 
identity theft have actuated State leaders to create new 
protections for personal information. In the college and 
university context, about six States have passed laws saying 
that schools can't use the SSN as the identifier. In Florida, 
there was a special grand jury report that recommended that 
SSNs be scrubbed from public records and from private 
institutions. They noted specifically that one of the major 
problems about the SSN was that local governments were asking 
for it, and then the local government would place it in the 
public record. In California, Senate bill S. 1386 went into 
effect just a couple weeks ago, and that legislation requires 
people who maintain databases that have SSNs in it, to give 
notice to individuals if their SSN is stolen out of the 
database. So, assigning a responsibility to people who actually 
collect the SSN or maintain it can often create new 
protections. I see that my red light is on, so let me just come 
to our recommendation, and that is that we do hope that 
Chairman and other Members will reintroduce H.R. 2036, and we 
have ideas for substantive improvements to it that we are happy 
to share with you, many of which are included in our written 
testimony. Thank you for the opportunity to testify today.
    [The prepared statement of Mr. Hoofnagle follows:]
 Statement of Chris Jay Hoofnagle, Deputy Counsel, Electronic Privacy 
                           Information Center
    Chairman Shaw, Ranking Member Matsui, and Members of the 
Subcommittee, thank you for extending the opportunity to testify on use 
and misuse of Social Security Numbers.
    My name is Chris Hoofnagle and I am deputy counsel with the 
Electronic Privacy Information Center (EPIC), a not-for-profit research 
organization based in Washington, D.C. Founded in 1994, EPIC has 
participated in cases involving the privacy of the Social Security 
Number (SSN) before federal courts and, most recently, before the 
Supreme Court of New Hampshire.\1\ EPIC has also taken a leading role 
in campaigns against the use of globally unique identifiers (GUIDs) 
involving the Intel Processor Serial Number and the Microsoft 
Corporation's Passport identification and authentication system. EPIC 
maintains an archive of information about the SSN online at http://
www.epic.org/privacy/ssn/.
---------------------------------------------------------------------------
    \1\ Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00-211-B 
(N.H. 2002). In Remsburg, the ``Amy Boyer'' case, Liam Youens was able 
to locate and eventually murder Amy Boyer through hiring private 
investigators who tracked her by her date of birth, Social Security 
Number, and by pretexting. EPIC maintains information about the Amy 
Boyer case online at 
http://www.epic.org/privacy/boyer/.
---------------------------------------------------------------------------
    I appreciate the opportunity to testify today. In the testimony 
below, we will first review historical and recent attempts to regulate 
the use of the SSN. This section demonstrates that there is ample 
legislative and judicial support for limitations on the collection and 
use of the SSN.
    The second section describes trends involving the SSN. These 
include:

      A statistical rise in identity theft complaints to 
federal authorities.
      The occurrence of several large-scale identity theft 
cases, many of which involved ``insiders'' or other trusted persons who 
had access to SSNs.
      Colleges, universities, and other schools continue to 
identify students by the SSN.
      Health providers and insurance companies continue to 
identify individuals by the SSN.
      Companies continue to condition access to products and 
services on disclosure of the SSN.
      Litigation has provided more privacy for SSNs in some 
cases.
      Privacy advocates and other activists have posted public 
officials' SSNs to protest government activity.
      A number of states are innovating solutions to the SSN 
problem.

    Finally, in the last section we recommend that the Committee 
revisit 107 H.R. 2036, The Social Security Number Privacy and Identity 
Theft Protection Act of 2001. That bill, which enjoyed wide bipartisan 
support in the last Congress, should be reintroduced and passed by this 
Congress. Alternatively, we recommend that the Committee consider 108 
H.R. 1931, the Personal Information Privacy Act of 2003. That bill 
would establish important protections for the SSN, including moving the 
SSN ``below the line'' on the credit report.
I. Historical Regulation of the Collection and Use of the SSN
    The Social Security Number (SSN) was created in 1936 as a nine-
digit account number assigned by the Secretary of Health and Human 
Services for the purpose of administering the Social Security laws. 
SSNs were first intended for use exclusively by the federal government 
as a means of tracking earnings to determine the amount of Social 
Security taxes to credit to each worker's account. Over time, however, 
SSNs were permitted to be used for purposes unrelated to the 
administration of the Social Security system. For example, in 1961 
Congress authorized the Internal Revenue Service to use SSNs as 
taxpayer identification numbers.
    A major government report on privacy in 1973 outlined many of the 
risks with the use and misuse of the Social Security Number. Although 
the term ``identify theft'' was not yet in use, Records Computers and 
the Rights of Citizens described the risks of a ``Standard Universal 
Identifier,'' how the number was promoting invasive profiling, and that 
many of the uses were clearly inconsistent with the original purpose of 
the 1936 Act. The report recommended several limitations on the use of 
the SSN and specifically said that legislation should be adopted 
``prohibiting use of an SSN, or any number represented as an SSN for 
promotional or commercial purposes.'' \2\
---------------------------------------------------------------------------
    \2\ Department of Health, Education, and Welfare, Records, 
Computers, and the Rights of Citizens 108-35 (MIT 1973) (Social 
Security Number as a Standard Universal Identifier and Recommendations 
Regarding Use of Social Security Number).
---------------------------------------------------------------------------
    In response to growing risks over the accumulation of massive 
amounts of personal information and the recommendations contained in 
the 1973 report, Congress passed the Privacy Act of 1974.\3\ Among 
other things, this Act makes it unlawful for a governmental agency to 
deny a right, benefit, or privilege merely because the individual 
refuses to disclose his SSN. This is a critical principle to keep in 
mind today because consumers in the commercial sphere often face the 
choice of giving up their privacy, their SSN, to obtain a service or 
product. The drafters of the 1974 law tried to prevent citizens from 
facing such unfair choices, particularly in the context of government 
services. But there is no reason that this principle could not apply 
equally to the private sector, and that was clearly the intent of the 
authors of the 1973 report.
---------------------------------------------------------------------------
    \3\ 5 U.S.C.  552a.
---------------------------------------------------------------------------
    Section 7 of the Privacy Act further provides that any agency 
requesting an individual to disclose his SSN must ``inform that 
individual whether that disclosure is mandatory or voluntary, by what 
statutory authority such number is solicited, and what uses will be 
made of it.'' At the time of its enactment, Congress recognized the 
dangers of widespread use of SSNs as universal identifiers. In its 
report supporting the adoption of this provision, the Senate Committee 
stated that the widespread use of SSNs as universal identifiers in the 
public and private sectors is ``one of the most serious manifestations 
of privacy concerns in the Nation.'' Short of prohibiting the use of 
the SSN outright, the provision in the Privacy Act attempts to limit 
the use of the number to only those purposes where there is clear legal 
authority to collect the SSN. It was hoped that citizens, fully 
informed where the disclosure was not required by law and facing no 
loss of opportunity in failing to provide the SSN, would be unlikely to 
provide an SSN and institutions would not pursue the SSN as a form of 
identification.
    It is certainly true that the use of the SSN has expanded 
significantly since the provision was adopted in 1974. This is 
particularly clear in the financial services sector. In an effort to 
learn and share financial information about Americans, companies 
trading in financial information are the largest private-sector users 
of SSNs, and it is these companies that are among the strongest 
opponents of SSN restrictions.
    Outside the financial services sector, many companies require the 
SSN instead of assigning an alternative identifier. These requirements 
appear in a myriad of commercial interchanges, many of which absolutely 
do not require the SSN. For instance, Golden Tee, a popular golf video 
game, requires players to enter their SSN in order to engage in 
``tournament play.'' \4\ The company could assign its own identifier 
for players, but instead relies upon the SSN, which puts players at 
risk by requiring them to further circulate personal information.
---------------------------------------------------------------------------
    \4\ Official ITS Rules, at http://www.itsgames.com/ITS/
its_rules.htm.
---------------------------------------------------------------------------
    It is critical to understand that the legal protection to limit the 
collection and use of the SSN is still present in the Privacy Act and 
can be found also in recent court decisions that recognize that there 
is a constitutional basis to limit the collection and use of the SSN. 
When a Federal Appeals court was asked to consider whether the state of 
Virginia could compel a voter to disclose an SSN that would 
subsequently be published in the public voting rolls, the Court noted 
the growing concern about the use and misuse of the SSN, particularly 
with regard to financial services.\5\ The Fourth Circuit said:
---------------------------------------------------------------------------
    \5\ Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993).

          Since the passage of the Privacy Act, an individual's concern 
        over his SSN's confidentiality and misuse has become 
        significantly more compelling. For example, armed with one's 
        SSN, an unscrupulous individual could obtain a person's welfare 
        benefits or Social Security benefits, order new checks at a new 
        address on that person's checking account, obtain credit cards, 
        or even obtain the person's paycheck. . . . Succinctly stated, 
        the harm that can be inflicted from the disclosure of a SSN to 
        an unscrupulous individual is alarming and potentially 
        financially ruinous.\6\
---------------------------------------------------------------------------
    \6\ Id.

---------------------------------------------------------------------------
    The Court said that:

          The statutes at issue compel a would-be voter in Virginia to 
        consent to the possibility of a profound invasion of privacy 
        when exercising the fundamental right to vote. As illustrated 
        by the examples of the potential harm that the dissemination of 
        an individual's SSN can inflict, Greidinger's decision not to 
        provide his SSN is eminently reasonable. In other words, 
        Greidinger's fundamental right to vote is substantially 
        burdened to the extent the statutes at issue permit the public 
        disclosure of his SSN.\7\
---------------------------------------------------------------------------
    \7\ Id.

    The Court concluded that to the extent the Virginia voting laws, 
``permit the public disclosure of Greidinger's SSN as a condition of 
his right to vote, it creates an intolerable burden on that right as 
protected by the First and Fourteenth Amendments.'' \8\
---------------------------------------------------------------------------
    \8\ Id.
---------------------------------------------------------------------------
    In a second case, testing whether a state could be required to 
disclose the SSNs of state employees under a state open record law 
where there was a strong presumption in favor of disclosure, the Ohio 
Supreme Court held that there were privacy limitations in the federal 
Constitution that weighed against disclosure of the SSN.\9\ The court 
concluded that:
---------------------------------------------------------------------------
    \9\ Beacon Journal v. City of Akron, 70 Ohio St. 3d 605 (Ohio 
1994).
---------------------------------------------------------------------------
    We find today that the high potential for fraud and victimization 
caused by the unchecked release of city employee SSNs outweighs the 
minimal information about governmental processes gained through the 
release of the SSNs. Our holding is not intended to interfere with 
meritorious investigations conducted by the press, but instead is 
intended to preserve one of the fundamental principles of American 
constitutional law--ours is a government of limited power. We conclude 
that the United States Constitution forbids disclosure under the 
circumstances of this case. Therefore, reconciling federal 
constitutional law with Ohio's Public Records Act, we conclude that 
[the provision] does not mandate that the city of Akron discloses the 
SSNs of all of its employees upon demand.\10\
---------------------------------------------------------------------------
    \10\ Id.
---------------------------------------------------------------------------
    In an important recent case from the U.S. Court of Appeals for the 
D.C. Circuit, a Court upheld the Federal Trade Commission's 
determination that SSNs are nonpublic personal information under the 
Gramm-Leach-Bliley Act.\11\ The Court rejected First and Fifth 
Amendment challenges to regulations that restricted the use of the SSN 
without giving the individual notice and opportunity to opt-out. 
Additionally, the Court upheld regulations that prohibited the reuse of 
SSNs that are furnished to credit reporting agencies.\12\
---------------------------------------------------------------------------
    \11\ Trans Union L.L.C. v. Fed. Trade Comm'n, No. 01-5202, 295 F.3d 
42 (D.C. Cir. 2002), at http://pacer.cadc.uscourts.gov/common/opinions/
200207/01-5202a.txt.
    \12\ Id. In another recent case, the D.C. Circuit rejected a First 
Amendment challenge to the use of credit reports for marketing 
purposes. Trans Union v. FTC, 245 F.3d 809 (D.C. Cir. 2001), cert. 
denied, 536 U.S. 915 (2002).
---------------------------------------------------------------------------
    While it is true that many companies and government agencies today 
use the Social Security Number indiscriminately as a form of 
identification and authentication, it is also clear from the 1936 Act, 
the 1974 Privacy Act, and these three cases--Greidinger v. Davis, 
Beacon Journal v. City of Akron, and Trans Union v. FTC--that there is 
plenty of legislative and judicial support for limitations on the 
collection and use of the SSN. The question is therefore squarely 
presented whether the Congress will at this point in time follow in 
this tradition, respond to growing public concern, and establish the 
safeguards that are necessary to ensure that the problems associated 
with the use of the SSN do not increase.
II. Recent SSN Trends
    Just in the last eighteen months, there have been a number of 
important SSN developments. These developments, which range from large-
scale incidents of identity theft to continued reliance on the SSN in 
the private sector, underscore the continued need for a national 
framework of protections for the SSN.
Identity Theft Complaints Increase
    The FTC reported on January 22, 2003 a large increase in the number 
of fraud complaints and a doubling of the dollar loss attributable to 
fraudulent activities directed at US Consumers.\13\ The agency noted 
that the number of fraud complaints rose from 220,000 in 2001 to 
380,000 in 2002 and the loss to consumers grew from $160 million in 
2001 to $343 million in 2002. The report revealed that identity theft 
topped the list, accounting for 43% of the complaints lodged in the 
Consumer Sentinel database.
---------------------------------------------------------------------------
    \13\ Fraud Charges Jump in 2002 on Consumer Complaints, ID Thefts, 
Electronic Commerce & Law Report, Vol 8(4), Jan. 29, 2003, 88.
---------------------------------------------------------------------------
The SSN Continues to be the Key to Identity Theft
    On January 10, 2002, a special Florida grand jury commissioned to 
investigate identity theft recommended stronger legal protections for 
personal data, including SSNs, held by business and State agencies.\14\ 
It called for laws that would prohibit the credit industry from selling 
personal data without consumer consent, and would stop State agencies 
from disseminating personal information under the open records law 
without individual consent, court order, or the articulation of a 
compelling need. The panel charged 33 individuals with criminal use of 
personal identifying information, fraud, grand theft, and money 
laundering. The grand jury estimated that the current $2.5 billion 
nationwide cost of identity theft is expected to grow to $8 billion by 
2005. It cited health clubs and video rental stores requiring SSNs on 
applications and local governments asking for SSNs on routine 
transactions.
---------------------------------------------------------------------------
    \14\ Identity Theft in Florida, Sixteenth Statewide Grand Jury 
Report, SC 01-1095, Supreme Court of Florida, Jan. 10, 2002, at http://
www.idtheftcenter.org/attach/FL_idtheft_gj.pdf;see also Florida ID 
Theft Panel Backs More Safeguards for Government and Corporate Data, 
Privacy Times, Vol 22(3), Jan. 30, 2002, 3-4.
---------------------------------------------------------------------------
    In August 2002, New York Attorney General Eliot Spitzer reported 
that law enforcement authorities had broken ``a massive identity theft 
ring.'' \15\ The information involved included SSNs, credit card 
numbers, and bank account information stolen from the NY State 
Insurance Fund, Social Security Administration, Empire State College, 
WNYC radio, Hollywood video, Worldcom Wireless, and American Express. 
The indictment alleges that this personal information was stolen 
between 1998 and 2002, and used to purchase computer equipment, cell 
phones, and other merchandise.
---------------------------------------------------------------------------
    \15\ New York Authorities Say They've Cracked `Massive' Identity 
Theft Ring, Four Indicted, Electronic Commerce & Law Report, Vol 7(31), 
Aug. 7, 2002, p. 794.
---------------------------------------------------------------------------
    In November 2002, it was discovered that a former computer help 
desk employee had obtained 30,000 credit reports directly from a credit 
reporting agency. The former employee sold the reports to others for 
between $30-60 each.\16\ The information was used for credit fraud.
---------------------------------------------------------------------------
    \16\ Huge ID-theft ring broken; 30,000 consumers at risk, Seattle 
Times, Nov. 26, 2002.
---------------------------------------------------------------------------
    In December 2002, personal health care information, including SSNs, 
of more than 500,000 military personnel, retirees and family members in 
16 Midwestern and western States were stolen from a military 
contractor. Also stolen were some active-duty service members' claims 
processing information, which include their names, SSN, and list of 
medical procedures and diagnosis codes for medical care already 
performed.\17\ TriWest stated that it attempted to notify beneficiaries 
by sending them letters and by posting notices on its web site. The 
database was not encrypted and TriWest relied on the SSN as an 
identifier.
---------------------------------------------------------------------------
    \17\ Patient Data, 500,000 SSNs Stolen From DOD System, Privacy 
Times, Vol 23(1), Jan. 2, 2003, 2.
---------------------------------------------------------------------------
    In February 2003, two former employees of health facilities and six 
others were charged with stealing patient SSNs that were used to open 
fraudulent credit card and phone accounts.\18\ The suspects stole 
$78,000 in goods and services. One of the facilities involved has now 
implemented a new patient information system that doesn't label 
patients by the SSN.
---------------------------------------------------------------------------
    \18\ Margaret Zack, Eight charged with stealing patient IDs for 
credit cards, Star Tribune, Feb. 21, 2003, p. 1B.
---------------------------------------------------------------------------
    Because of these and other developments, the Wall Street Journal, 
in its 2003 ``to not do list,'' advised individuals not to give out 
their SSN: ``Don't give out your Social Security number unless you have 
to: With identity theft a growing problem, you should be extremely 
cautious about giving out that information. Many organizations ask for 
it, from volunteer groups to retail stores to Web sites, but not all of 
them require you to provide it.'' \19\
---------------------------------------------------------------------------
    \19\ A To-Don't List For the New Year, Hot to Fix Your Life in 
2003, Wall Street Journal, Dec. 31, 2002.
---------------------------------------------------------------------------
    But as the cases listed above illustrate, many identity theft cases 
are ``insider jobs,'' committed by employees who obtain access and 
misuse individuals' personal information stored in their employers' 
databanks. Researchers at Michigan State University recently studied 
over 1000 identity theft cases and found that victims in 50% of the 
cases specifically reported that the theft was committed by an employee 
of a company compiling personal information on individuals.\20\ There 
is very little that an individual can do to prevent insider jobs, or 
cases where the SSN is stolen from a database.
---------------------------------------------------------------------------
    \20\ Study forthcoming; results provided in email from Judith M. 
Collins, Ph.D., Associate Professor, Leadership and Management Program 
in Security School of Criminal Justice, Michigan State University to 
EPIC (Apr. 22, 2003, 18:13:35 EST) (on file with EPIC).
---------------------------------------------------------------------------
The SSN is Still Being Used as a Student Identifier
    Although privacy protections are important to students, student 
development, and to principles of academic freedom, schools have not 
always been sensitive to student informational privacy issues. A 
handful of states, including Arizona,\21\ New York,\22\ Rhode 
Island,\23\ and Wisconsin \24\ have enacted laws to regulate college 
and university use of the SSN. Nevertheless, in a survey of 1,300 
institutions polled by the American Association of Collegiate 
Registrars and Admissions Offers, half reported that they use the SSN 
as the primary student identifier.\25\
---------------------------------------------------------------------------
    \21\ Ariz. Rev. Stat.  15-1823.
    \22\ N.Y. Educ. Code  52-b.
    \23\  42-72.5-2(6);  16-38-5.1.
    \24\ Wisc. Stat. Ann.  118.169.
    \25\ Kristen Gerencher, Social Security numbers up for grabs. 
Companies, government lax in preventing identity theft, CBS 
MarketWatch, May 7, 2002, at http://cbs.marketwatch.com/news/ 
story.asp?guid=%7B9A569387%2DE7FD%2D44AB%2D8F5F%2D112D25915DA5% 
7D&siteid=mktw
---------------------------------------------------------------------------
    In August 2002, it was revealed that a Princeton admissions officer 
used the SSNs of applicants to his school to view the Yale University's 
web site for admissions. The unauthorized entry allowed Princeton to 
learn whether Yale had accepted students who had applied to both 
schools. Cracking the system was easy: Anyone who knew an applicant's 
birth date and SSN could log on.\26\
---------------------------------------------------------------------------
    \26\ John Schwartz, Privacy vs. Security on Campus, The New York 
Times, Aug. 4, 2002, p. 3.
---------------------------------------------------------------------------
    In March 2003, federal prosecutors charged a University of Texas 
student with breaking into a school database and stealing more than 
55,000 student, faculty, and staff names and SSNs. The student was 
charged with violating the Computer Fraud and Abuse Act of 1986 and the 
Identity Theft and Assumption Deterrence Act of 1998. This occurrence 
led to a new Texas law protecting against identity theft.\27\
---------------------------------------------------------------------------
    \27\ Univ. of Texas SSN, Privacy Times, Vol 23(6), Mar. 17, 2003, 
11.
---------------------------------------------------------------------------
    Also in March 2003, it was reported that the California State 
University's $662 million computer system contains a security flaw that 
gives users access to student and employee SSNs and other confidential 
data. The problem was known for years, and university officials had 
told state auditors they were not going to fix the vulnerability, 
citing cost and time concerns.\28\
---------------------------------------------------------------------------
    \28\ Terri Hardy, CSU computer flaw allows access to confidential 
data, The San Diego Union Tribune, Mar. 22, 2003, p. A-13.
---------------------------------------------------------------------------
    In May 2003, a 17-year-old student of a Chino, CA high school 
allegedly cracked the school's computer system, changing his and a 
classmate's grades and also tapping into confidential student 
information, including the SSN.\29\ Apparently, 1,744 students had 
their SSNs in the database.
---------------------------------------------------------------------------
    \29\ Kristina Sauerweine, Youth Hacked Into Database, Los Angeles 
Times, May 21, 2003, p. 5.
---------------------------------------------------------------------------
    For model approaches to the transition to an alternative student 
identifier, I would look to the leadership of Virginia Rezmierski, 
Professor at the Gerald R. Ford School of Public Policy at the 
University of Michigan.\30\ Additionally, officials at the University 
of Illinois have established a procedure to reduce reliance on the 
SSN.\31\ The University of Pennsylvania is addressing the issue as 
well. That institution appointed Lauren Steinfeld, a former privacy 
expert at the Office of Management and Budget, to address SSN issues.
---------------------------------------------------------------------------
    \30\ See also Privacy and the Handling of Student Information in 
the Electronic Networked Environments of Colleges and Universities, 
EDUCAUSE White Paper, Apr. 1997, at http://www.educause.edu/ir/library/
pdf/pub3102.pdf.
    \31\ Carol Livingstone, Mike Corn & Lisa Huson, University of 
Illinois Social Security Number Policy Implementation, Jan. 10, 2001, 
at http://www.ssn.uillinois.edu/assets/applets/
UIUC_SSN_Presentation_1_10_2002.pdf; Andrea L. Foster, U. of Illinois 
May Be a Model in Protecting Privacy, Chronicle of Higher Education, 
Aug. 2, 2002.
---------------------------------------------------------------------------
The SSN Has Become a Default Health Identifier
    Many medical providers are using the SSN as a patient identifier. 
As David Miller noted in testimony before the National Committee on 
Vital Health Statistics:
    ``It should be noted that the 1993 WEDI [Workgroup for Electronic 
Data Interchange] Report, Appendix 4, Unique Identifiers for the Health 
Care Industry, Addendum 4 indicated 71% of the payers responding to the 
survey based the individual identifier on the Member's Social Security 
Number. However 89% requested the insured's Social Security Number for 
application of insurance. Clearly the Social Security Number is the 
current de facto identifier. . . .'' \32\
---------------------------------------------------------------------------
    \32\ Testimony of David S. Miller, Director, Health System 
Services, UHC, on the Unique Patient Identification Number at the 
National Committee on Vital Health Statistics hearing in Chicago, Jul. 
21, 1998, at http://www.cchconline.org/privacy/uhc.php3.
---------------------------------------------------------------------------
    But individuals and companies are resisting such use of the SSN. 
Acting on employees' suggestions, I.B.M. has requested that health 
companies stop using the SSN on insurance cards. According to IBM, 
fifteen insurers, which cover about 30,000 of the company's 500,000 
employees worldwide have either not responded or indicated that they 
will not comply with the request.\33\
---------------------------------------------------------------------------
    \33\ Marc Ferris, IBM asks providers to drop SSNs, New York Times, 
Feb. 23, 2003, p. 3.
---------------------------------------------------------------------------
SSN Required for Access to Products, Services
    Major companies, including Blockbuster, Sam's Club and Costco 
continue to demand the SSN and other unnecessary information on their 
applications for access to products and services.\34\
---------------------------------------------------------------------------
    \34\ A dubious privilege, Chicago Tribune, Feb. 23, 2003, p. 2.
---------------------------------------------------------------------------
SSN Litigation Has Yielded Mixed Results for Privacy Protection
    In February 2002, the New Hampshire Supreme Court ruled for the 
first time that New Hampshire State residents can sue companies that 
sell their personal data or SSN, or obtain their work address through 
the use of pretextual phone calls.\35\ The Court found that the sale of 
such data was actionable if it subjected a person to foreseeable harm. 
It also ruled that people have a reasonable expectation of privacy in 
their SSNs, even though SSNs must be disclosed in certain 
circumstances. The ruling clears the way for a trial against 
Docusearch, the information broker who sold the SSN, home and work 
address of Amy Boyer to the man who stalked and murdered her.
---------------------------------------------------------------------------
    \35\ Helen Remsburg, Admin of the Estate of Amy Boyer v. 
DocuSearch, Inc., et al 2002 U.S. Dist. LEXIS 7952, NH Supreme Court 
No. 2002-255, Feb. 18, 2002; N.H. Supreme Court Backs Privacy for SSNs, 
Personal Data, Privacy Times, Vol 23(4), Feb. 18, 2003, 3-4.
---------------------------------------------------------------------------
    In September 2002, the Fourth Circuit held that individuals cannot 
recover damages under the Privacy Act without a showing of actual 
harm.\36\ This ruling is in conflict with the law in several other 
circuits, and the Supreme Court has granted certiorari in the case. In 
Doe v. Chao, the Department of Labor used individuals' SSNs to identify 
their compensation claims. As a result, the SSNs were cited in public 
records and are now widely available. Although the plaintiff was 
embarrassed and placed at risk as a result of the disclosure, the 
Fourth Circuit held that one needs other manifestations of emotional 
distress in order to prove that harm occurred. We believe that the 
Fourth Circuit improperly interpreted the damages section of the 
Privacy Act, and we plan to file an amicus brief with the Supreme Court 
in support of the plaintiff.
---------------------------------------------------------------------------
    \36\ Doe v. Chao, 306 F.3d 170 (4th Cir. 2002).
---------------------------------------------------------------------------
    In June 2003, a federal judge in Detroit ruled that the Privacy Act 
creates a private right of action for violating procedural rules 
relating to SSNs, but only as they apply to federal agencies, not 
states or municipalities.\37\ Judge Anna Taylor dismissed a suit 
seeking Privacy Act damages from the City of Detroit after its 
contractor mailed tax forms to residents with their SSNs printed on the 
mailing label. The Judge stated that plaintiff Daniel Schmitt failed to 
show that he was adversely affected or that Detroit acted willfully or 
intentionally because like the IRS, most local and State tax 
authorities request SSN for taxpayer identification purposes. The City 
vowed to keep SSNs off labels and attach a disclosure statement to the 
tax forms about SSNs, as required by the Privacy Act.\38\
---------------------------------------------------------------------------
    \37\ Schmitt v. City of Detroit, et al. 2003 U.S. Dist. LEXIS 
10246, (E.D. Mich. 2003).
    \38\ Privacy Act Permits Suits Over SSNs, but Not Against Cities, 
Privacy Times, Vol 23(13), Jul. 1, 2003, 6.
---------------------------------------------------------------------------
SSNs Are Being Used for Political Protest
    California-based Foundation for Taxpayer and Consumer Rights posted 
partial SSNs of state legislators who voted in opposition of privacy 
legislation.\39\ The group purchased the SSNs online for $26, 
demonstrating that access to sensitive information is convenient and 
inexpensive.
---------------------------------------------------------------------------
    \39\ Christian Berthelsen, Extreme lobbying upsets Assembly, 
Lawmakers mad at response to killing privacy bill, San Francisco 
Chronicle, Jun. 19, 2003, at http://www.sfgate.com/cgi-bin/ 
article.cgi?file=/c/a/2003/06/19/ MN127207.DTL.
---------------------------------------------------------------------------
    In June 2003, the Attorney General of Washington State decided not 
to defend a law designed to prohibit a web site that posts the names, 
addresses and home-phone numbers of police in Western Washington. As a 
result, Bill Sheehan III of Mill Creek is free to continue publishing 
his web site, www.justicefiles.org, which includes names and salaries 
of many Western Washington police officers and in some cases their 
SSNs, birth dates, home addresses and phone numbers. Sheehan claims 
that publishing such information is the best way to hold law-
enforcement officers accountable to the public.\40\
---------------------------------------------------------------------------
    \40\ State won't defend law to shut down Web site that publishes 
police data, Seattle Times, Jun. 24, 2003, p. B3.
---------------------------------------------------------------------------
States Innovating Solutions
    California's Senate Bill 1386 went into effect on July 1, 2003.\41\ 
That legislation requires companies that maintain SSNs and other 
personal information to notify individuals when they experience a 
security breach. The bill came in response to an April 2002 incident in 
which the records of over 200,000 state employees were accessed by a 
computer cracker. The California legislation exceeds federal 
protections, as there is no national requirement for notice to 
individuals when personal information is accessed without 
authorization.
---------------------------------------------------------------------------
    \41\ http://www.leginfo.ca.gov/cgi-bin/
postquery?bill_number=sb_1386&sess=PREV&house= B&author=peace
---------------------------------------------------------------------------
    More specifically, the legislation creates a notice requirement 
where there has been an unauthorized acquisition of an individual's 
name along with a Social Security Number, a driver's license number, or 
an account number and corresponding access code. The notice requirement 
is also triggered when there is a reasonable belief that a security 
breach occurred. Notice must be given ``in the most expedient time,'' 
but may be delayed where it would impede a criminal investigation.
    Although this state law does not directly regulate collection or 
use of the SSN, it is likely to provide more privacy for Californians. 
The legislation places new responsibilities on those who collect the 
SSN, as a result, businesses are more likely to avoid collecting the 
SSN.
III. Recommendations
    107 H.R. 2036, The Social Security Number Privacy and Identity 
Theft Protection Act of 2001, was a good proposal. This Congress should 
revisit and pass this important bill.
    We recommend that the Committee visit the Social Security Number 
Privacy and Identity Theft Protection Act of 2001, 107 H.R. 2036, as a 
guide to limiting the use of the SSN. The measure was sponsored by 
Representative Clay Shaw (R-FL). In the 107th Congress, the bill 
enjoyed bi-partisan sponsorship of over 70 Members. The measure 
contained a comprehensive set of rights to protect individuals from 
identity theft.
    Title I of the bill would have established important protections 
against public-sector sale or display of SSNs. These provisions will 
prohibit the display of the SSN on checks and government-issued 
employment cards. The bill would have prohibited disclosure of the SSN 
to inmates, and appearance of the SSN in public records. Increasingly, 
public records are a source for the collection of personal identifiers 
that then can be reused for any purpose.
    The bill would have also prohibited ``coercive disclosure'' of the 
SSN--the practice of denying a product or service when an individual 
refuses to give a SSN. Additionally, Section 203 of that bill would 
have placed the SSN ``below the line'' on credit reports. This is an 
important and much needed protection that would stem trafficking in 
SSNs.
    Alternatively, we recommend that the Committee consider 108 H.R. 
1931, the Personal Information Privacy Act of 2003. That bill was 
introduced by Representative Kleczka (D-WI) in May and referred to the 
Committee on Ways and Means. H.R. 1931 would establish important 
protections for the SSN, including moving the SSN ``below the line'' on 
the credit report. The bill would also limit the use of ``transaction 
and experience'' information, and require opt-in consent before credit 
or insurance prescreening letters are sent. Such letters are a major 
source of the identity theft problem. Under the bill, aggrieved 
individuals have a private right of action against violators.
IV. Conclusion
    Without a framework of restrictions on the collection and use of 
the SSN and other personal identifiers, identity theft will continue to 
increase, endangering individuals' privacy and perhaps the security of 
the nation. The best legislative strategy is one that discourages the 
collection and dissemination of the SSN and that encourages 
organizations to develop alternative systems of record identification 
and verification. It is particularly important that such legislation 
not force consumers to make unfair or unreasonable choices that 
essentially require trading the privacy interest in the SSN for some 
benefit or opportunity.
    It is important to emphasize the unique status of the SSN in the 
world of privacy. There is no other form of individual identification 
that plays a more significant role in record-linkage and no other form 
of personal identification that poses a greater risk to personal 
privacy. Given the unique status of the SSN, its entirely inappropriate 
use as a national identifier for which it is also inherently 
unsuitable, and the clear history in federal statute and case law 
supporting restrictions, it is fully appropriate for Congress to pass 
legislation.
    I am grateful for the opportunity to testify this afternoon and 
would be pleased to answer your questions.

                                 

    Chairman SHAW. We have your written testimony. It will be 
made part of the record, and it will be examined closely. Mr. 
Collins, will you introduce Mr. Edwards, please.
    Mr. COLLINS. It is my pleasure, Mr. Chairman, to introduce 
to you a fellow Georgian, Mr. Steve Edwards. Mr. Edwards joined 
the Georgia Bureau of Investigation in 1973. For the last 15 
years, his work has focused specifically on financial 
investigations, health care fraud, and computer crime 
investigations. He has been on the National White Collar Crime 
Center Board since 1997, and now he is Vice Chairman, which 
represents southeast region States--West Virginia, Virginia, 
Kentucky, Tennessee, North and South Carolina, Georgia, and 
Florida, as well as Puerto Rico and the Virgin Islands. For his 
next trip to the Virgin Islands, he plans to take one of the 
Congressman from Georgia. He also served as a negotiator for 
Georgia Special Weapons and Tactics (SWAT) team. He is a 
coordinator of the U.S. Department of the Treasury's Financial 
Crimes Enforcement Network, and he has just done a super job 
for Georgia, working in the Georgia Bureau of Investigation. 
Welcome, Mr. Edwards.

STATEMENT OF STEVE EDWARDS, STATE COORDINATOR, FINANCIAL CRIMES 
    ENFORCEMENT NETWORK, VICE CHAIRMAN, BOARD OF DIRECTORS, 
NATIONAL WHITE COLLAR CRIME CENTER, RICHMOND, VIRGINIA, MEMBER, 
GEORGIA'S STOP IDENTITY THEFT NETWORK, CHAIR, INFRAGARD ATLANTA 
CHAPTER WATCH AND WARN COMMITTEE, AND SPECIAL AGENT IN CHARGE, 
       FINANCIAL INVESTIGATIONS UNIT, GEORGIA BUREAU OF 
                INVESTIGATIONS, DECATUR, GEORGIA

    Mr. EDWARDS. Thank you, Mr. Collins. It is a pleasure to be 
here, and I am a little overwhelmed by that introduction. I 
don't deserve that, but thank you very much. Thank you, too, 
Chairman Shaw, for the opportunity to address the Subcommittee 
concerning identity theft. What I would like to talk about or 
take the opportunity to discuss is the Georgia Stop Identity 
Theft Network, and some of the reasons that we formed that 
network. A primary complaint of victims of identity theft is 
that they are unable to get satisfaction. They are often unable 
to find an agency or an organization that is willing to assume 
responsibility for helping them to deal with the crime they 
have experienced. Victims of identity theft also have 
difficulties with legal jurisdiction. For example, if a victim 
who resides in Georgia is confronted with identity theft that 
occurred in California, local law enforcement in Georgia may 
tell them that they do not have jurisdiction or they are not a 
victim. To address this problem, Georgia and some other States, 
a few other States, require that a police report be generated 
for all reported cases of identity theft. This police report is 
a useful tool for the victim when reporting a violation to 
other organizations. In essence, a primary need for victims of 
identity theft is a one-stop shop, whether physical or online. 
The Stop Identity Theft Network in October 2002 actually 
developed and created and put online a complaint program. Since 
that program has been in existence, we have had 233 complaints 
processed through it.
    The way it works is after the victim files a complaint, the 
network submits the complaint to the cities, counties, and 
State law enforcement having jurisdiction or venue. Not only in 
the State of Georgia, but across the country. Along with the 
complaint is a letter explaining to the agency what it means 
and the other agencies that have received the same complaints 
so they can coordinate their efforts. In the past 30 years, I 
have been a Georgia Bureau of Investigation agent. I have seen 
no other crime directly affect more friends, associates, and 
family members than identity theft. Since 2000, when I became 
actively involved in the development of the Stop Identity Theft 
Network, I have received an average of two or three telephone 
calls per month from someone I know who has been a victim of 
identity theft. The illegal use of SSNs is key to laying the 
groundwork to take over someone's identity. Containment of 
widespread use of SSNs could have a substantial impact in the 
prevention of identity theft. This containment is important not 
only in areas of government, but the use of SSNs as individual 
identifiers within the private sector as well. Examples of 
current broad use of SSNs--and this has already been discussed, 
but I will say it again--driver's license, student records, 
bank accounts, utility services, insurance policies, credit 
bureau records, cash checking services, medical services, 
apartment rental, employment, membership, and even in some 
areas library access.
    While it may not be feasible to restrict the use of SSNs to 
administer Social Security taxation, it is recommended that 
SSNs be restricted for other uses. The development of these 
restrictions is appropriately the responsibility of Congress 
and consistent with other privacy measures, particularly in the 
absence of uniform aggressive action among State and local 
governments, as well as the private industry, to reduce 
opportunities for identity theft. In those instances where SSNs 
are deemed suitable for recording their existent need to create 
statutory incentives for organizations to safeguard this 
information. While few States have some form of accountability 
already on the books, there is no uniformity. In addition, 
creating a statutory category of liability would serve both to 
increase the victim's chances in civil court and to put the 
organizations on notice to change their behavior. It has been 
recognized that no Federal law currently limits use or 
disclosure of SSNs among private entities. The SSA cannot 
control how private entities keep use or distribute SSNs. Thus 
leaving the burden on the consumers who have no real power. 
Many bills responding to the problem of identity theft have 
been introduced in recent Congresses, and several are again 
pending. These bills, such as H.R. 2036 which you sponsored in 
the 107th Congress, Mr. Chairman, would enhance privacy 
protection and otherwise help prevent fraudulent misuse of 
SSNs. As you know, other measures are pending in the Congress 
to protect personal identifiers. While we are not necessarily 
endorsing every aspect of these various measures, we certainly 
commend them to your careful consideration as Congress acts 
along with the States to better enable effective responses and 
efforts to prevent identity theft. Thank you, and thank you Mr. 
Collins, for the opportunity to testify before you today; I am 
eager to answer any questions you or other Members of the 
Subcommittee have. Thank you all.
    [The prepared statement of Mr. Edwards follows:]
    Statement of Steve Edwards, State Coordinator, Financial Crimes 
Enforcement Network, Vice Chairman, Board of Directors, National White 
    Collar Crime Center, Richmond, Virginia, Member, Georgia's Stop 
Identity Theft Network, Chair, Infragard Atlanta Chapter Watch and Warn 
Committee, and Special Agent in Charge, Financial Investigations Unit, 
           Georgia Bureau of Investigations, Decatur, Georgia
    Chairman Shaw and members of the subcommittee, thank you for this 
opportunity to address this subcommittee concerning the subject of 
identity theft.

Introduction

    My name is Steve Edwards, and I am Special Agent in Charge of the 
Financial Investigations Unit of the Georgia Bureau of Investigations 
(GBI), State Coordinator to the U.S. Treasury's Financial Crimes 
Enforcement Network (FinCEN), and Vice Chairman on the Board of 
Directors of the National White Collar Crime Center (NW3C). In 
addition, I am a committee member on the State of Georgia's STOP 
IDENTITY THEFT Network and serve as chair on the FBI's InfraGard 
Atlanta Chapter Watch and Warn Committee.
    GBI is an independent, state-wide agency that provides assistance 
to Georgia's criminal justice system in the areas of criminal 
investigations, forensic laboratory services and computerized criminal 
justice information.
    NW3C is a non-profit corporation that provides a national support 
network for law enforcement agencies, state regulatory bodies, state 
and local prosecution offices, and other organizations involved in the 
prevention, investigation, and prosecution of high-tech and economic 
crime.

Overview of the Problem: On-the-ground Perspective

    I would like to take this opportunity to briefly discuss Georgia's 
STOP IDENTITY THEFT (STOP I.T.) Network and some of the reasons for its 
formation. A primary complaint of victims of identity theft is, in my 
experience, that they are unable to ``get satisfaction.'' By this I 
mean that they are often unable to find an agency or organization that 
is willing to assume responsibility for helping them to deal with the 
crime they have experienced. As a result, victims needlessly contact 
one organization after another in an effort to handle the violation, 
and may, in the end, receive no assistance at all. In many cases, for 
example, local law enforcement tell victims of identity theft, ``you 
are not a victim''--particularly if the victim has suffered no direct 
financial loss. Their advice is often that the victim should contact 
the organization that was used for the perpetration. The organization 
involved, in turn, refers the victim to local law enforcement.
    Victims of identity theft also have difficulties with the matter of 
legal jurisdiction. For example, if a victim who resides in Georgia is 
confronted with identity theft that has resulted in a violation in 
California, local law enforcement in Georgia may state that they do not 
have jurisdiction. To address this problem, Georgia, and other states, 
require that a police report be generated for all reported cases of 
identity theft. This police report is a useful tool for the victim when 
reporting the violation to other organizations, such as a credit 
bureau. Unfortunately, other factors--including lack of resources--
often prevent local law enforcement from taking action beyond the 
generation of a report.
    In essence, a primary need for victims of identity theft is a 
``one-stop-shop,'' or a single ``location''--whether physical or 
online--where victims can receive information about identity fraud 
prevention, file a complaint, and receive guidance concerning recovery 
from identity theft violations. In 2000, Georgia's STOP I.T. Network 
was conceived as such a location. In October 2002, STOP I.T. went 
online for the first time, and since then 233 complaints have been 
received and processed.
    After receiving a complaint from a victim, STOP I.T. serves as an 
intermediary between the victim and a number of agencies. For example, 
a complaint from a victim in Georgia is forwarded by STOP I.T. to city, 
county and state law enforcement appropriate to the complaint; to local 
and state law enforcement in any state where the victim identifies 
activity associated with the identity theft; to the FTC; and to the 
Internet Fraud Complaint Center. In addition, STOP I.T. sends to each 
organization a letter of explanation that includes a list of every 
other organization that has received the complaint. Finally, victims 
receive information to assist them in protecting against the continued 
fraudulent use of their personal information and in recovering 
financial and other losses that have resulted from the violation.
    In the 30 years that I have been involved in financial crime, I 
have seen no other crime directly affect more friends, associates, and 
family members than identity theft. Since 2000, when I became actively 
involved in the development of STOP I.T., I have received an average of 
2 or 3 telephone calls per month from someone I know who has been a 
victim of identity theft. Data collected across the nation--to the 
extent that data on identity theft exist--also indicate that identity 
theft is a crime that is pervasive and expanding rapidly.

Overview of the Problem: Broad Perspective

    Identity theft--or the use of ``another person's personal 
information in some way that involves fraud or deception'' \1\--is 
currently one of the fastest growing crimes in the United States.\2\ 
Two of the most common forms of identity theft include ``true name 
fraud'' and ``account takeover fraud.'' \3\ True name fraud occurs when 
someone uses an individual's personal information to open a new 
account, and account takeover involves illegal access to an 
individual's existing account for the purpose of making fraudulent 
charges against the account. Identity theft is also used to facilitate 
other crimes--including money laundering, bankruptcy fraud, computer 
crimes, and acts of terrorism--by providing a means of concealing the 
identity of the criminal and accessing funds or privileges available to 
the victim. It is important to note, however, that financial loss is 
not a necessary component of identity theft. ``Criminal identity 
theft,'' for example, occurs when a victim's personal information is 
used by a criminal and subsequently associated with records of criminal 
violations, outstanding arrest warrants, or other public information 
without the knowledge of the victim.
    The Federal Bureau of Investigation (FBI) and other law enforcement 
agencies have estimated that between 700,000 and 1.8 million Americans 
are victimized by identity theft each year--a figure that has increased 
substantially in recent years. In addition, recent surveys (conducted 
by Star Systems, a national electronic payments network) indicate that 
about 1 in 20 adults in the United States, or about 12 million 
Americans, have been victimized by identity theft at least once.\4\
    In 2002, the number of identity theft cases reported to the Federal 
Trade Commission (FTC) rose to 161,819--almost twice the number 
reported in 2001.\5\ Other cases were reported directly to local law 
enforcement; reported to other federal agencies, including the FBI, 
Secret Service, Internal Revenue Service, and Postal Inspection 
Service; or never reported at all.
    The cost of identity theft to businesses has been estimated to be 
more than $11.9 billion each year.\6\ The costs to victims of this 
crime include loss of credit, harm to reputation, and loss of wages, in 
addition to the direct loss of money, attorney fees and other recovery 
expenses. Despite these losses, and the considerable attention that has 
been paid to the problem in recent years, the average arrest rate for 
all identity theft cases reported by victims remains around 5 
percent.\7\

Identity Theft and the Use of Social Security Numbers

    Since the illegal use of social security numbers (SSNs) ``is key to 
laying the groundwork to take over someone's identity,'' \7\ 
containment of the wide-spread use of SSNs could have a substantial 
impact on the prevalence of identity theft in the future. This 
containment is important not only in areas of government that use SSNs 
as individual identifiers, but also in private organizations, which are 
increasingly including SSNs on personal records and distributing this 
information for a variety of purposes. Examples of the current broad 
use of SSNs include

      Driver's Licenses: As many as eleven states and the 
District of Columbia currently display the SSN on the face of their 
drivers' licenses. Several other states require a SSN for the issuance 
of a driver's license but do not display the number on its face.
      Student Records: Half of colleges and universities use 
SSNs to identify students, and 79% include them in official 
transcripts, according to a March 2002 survey by the American 
Association of Collegiate Registrars and Admissions Officers.
      Other Records: A SSN is often required or requested for 
services such as bank accounts, utility services, insurance policies, 
check cashing services, medical services, apartment rental, extension 
of credit, employment, memberships, and library access. SSNs are also 
used as reference numbers for credit bureau reports, which are widely 
distributed, often without the knowledge of the credit holder.

    While it may not be feasible to restrict the use of SSNs to the 
administration of Social Security taxation, for which it was originally 
designed, it may be feasible to restrict the use of SSNs to a set of 
identified purposes for which there is a legitimate legal reason to 
collect a SSN. In addition, government agencies and businesses that 
collect SSNs can be required to restrict access to SSNs--by employees 
and other organizations--and to dispose of records that include SSNs 
using specified procedures, e.g., encrypting personal information on 
databases and shredding paper documents containing personal 
information.
    The development of these restrictions is appropriately the 
responsibility of Congress, and consistent with other privacy measures 
recently passed, particularly in the absence of uniform, aggressive 
action among state governments, local governments, and private industry 
to reduce opportunities for identity theft. In addition, the increasing 
number of cases being pursued by law enforcement throughout the country 
evidence the immediate importance of developing these restrictions. For 
example,

      July 1 and 2, 2003, Consuelo Onate-Banzon and Rony Razon, 
and four other individuals, were arrested on charges of identification 
and social security fraud. According to the FBI, Onate-Banzon and Razon 
worked for the Virginia Department of Motor Vehicles (DMV) and 
allegedly produced and sold as many as 1,000 fraudulent Virginia 
driver's licenses, with the help of co-conspirators.\8\
      On May 8, 2003, Dorian Thomas, age 27, was indicted on 
charges of conspiracy, bank fraud, and identity theft. Thomas, an 
employee of a financial institution in California, had ``obtained the 
confidential member profile information of account holders through 
financial institution computers and provided it to others,'' \9\ who 
then completed more than $100,000 in fraudulent bank transactions.\10\
      Charmaine Northern, age 23, ``pled guilty on March 10, 
2003, to obtaining confidential customer account information from the 
computer at the financial institution where she was working and using 
it to open credit card accounts and incur unauthorized charges 
estimated to be approximately $50,000.'' \13\
      Kimberly Smart, age 27, was sentenced on December 5, 
2002, ``in connection with using her financial institution position to 
obtain customer account information from the financial institution 
computer and provide it to others.'' \11\ The losses incurred in this 
case were approximately $121,146.63.
      Philip Cummings, a 33-year-old former ``help desk'' 
employee of Teledata Communications, Inc., faced charges on November 
26, 2002, of accessing credit bureau databases, selling confidential 
information, and participating in a fraud scheme that resulted in a 
loss of more than $2.7 million to 30,000 victims.\12\
      Ivy Johnson, a former employee of H & R Block in White 
Plains, New York, was charged in January 2003, for obtaining customers' 
personal information, and using the information to divert tax checks, 
open new credit card accounts, and making ATM withdrawals in victims' 
names.\13\

    All of these cases involved access to and use of SSNs. Future cases 
of similar violations may be reduced if requirements for specific 
safeguards are mandated and enforced by federal statute. In addition to 
legislative restrictions, education and training is also important for 
the reduction of identity fraud in the future. This education and 
training should include

      Educating individuals to take active steps to protect 
their personal information;
      Training state and local law enforcement to identify and 
effectively handle identity theft cases, since these cases are often 
first reported to state and local rather than federal law enforcement 
agencies; and
      Educating businesses, including banks and credit bureaus, 
to guard against and detect identity theft.

``Best Practices'' to Combat Identity Theft

    The following is an analysis of best practices either currently in 
place in the states or needed to fulfill assistance functions for 
victims of identity theft. These conclusions were generated through a 
synthesis of published commentaries and critiques of existing 
legislation, peer-reviewed academic articles, and analysis of pending 
legislation.
    First, it is important to use a broad definition that explains the 
substance of the sort of information that should be considered 
``identifying information.'' This definition should be broad enough to 
include account numbers, scanned or re-encoded credit or account access 
cards, and SSNs. Following the establishment of a working definition of 
the problem, the research of NW3C has indicated that there are numerous 
opportunities to help victims of identity theft.

Practice 1: Explicit recognition of identity theft as a crime committed 
        against the
individual.

    States have taken a variety of approaches to dealing with identity 
theft victims. Chief among the issues that create inconsistencies among 
states is the nature of victimization in identity theft cases. For 
example, victims in states that do not recognize identity theft as a 
crime must often seek assistance through civil suits or ancillary 
charges. While the place of the civil suit is to rectify injustices 
that escape the criminal justice system, it is an arduous task least 
likely to be pursued by most people. Such circumstances exemplify a 
need for legislation that explicitly criminalizes the dissemination and 
misuse of identifying information such as SSNs rather than just the 
theft facilitated by information misuse. Specifically, statutory 
frameworks should explicitly criminalize identity theft in a manner 
that clearly underscores the method of information obtainment, as well 
as monetary damages.

Practice 2: Eligibility of identity theft victims for victims' rights 
        assistance.

    The foremost need expressed by victims in recent NW3C research is 
for notification of victimization. Indeed, the most comprehensive 
framework for protecting the rights of victims and restoring them to 
their pre-victimized state is of little use if victims do not know that 
a crime has been committed. This is especially true in the instance of 
a SSN that is stolen from medical or business documents without the 
knowledge of the victim.
    In states that do recognize the individual whose identity has been 
stolen as an injured party, the degree of victimization is often deemed 
to be trivial in comparison to other offences, especially violent ones. 
In some states, victims' assistance and, in some cases basic 
notification and participation rights, are denied to victims of 
property crime and only afforded to those who can demonstrate some form 
of physical injury. In other states, victims of non-violent crimes are 
only given full protection if the predation is judged to be a felony 
offence. It is therefore of great importance that those statutes that 
exist to aid crime victims recognize the victims of identity theft as 
targets of a serious crime who may require assistance in pulling their 
lives back together.

Practice 3: Phasing out use of private identifying information on non-
        secure
documents.

    While many states no longer use SSNs as identifiers on drivers' 
licenses, these numbers are still widely used on non-secure public 
documents. For example, many schools that use SSNs as student 
identification numbers include these numbers on a variety of forms and 
correspondence, and order forms and applications often solicit personal 
information. Consequently, a Nexis public records search can reveal 
SSNs and dates of birth in seconds. Additionally, organizations that 
accumulate personal information apply varying levels of security. 
Ultimately, it is unhelpful for a dozen organizations to strictly 
protect personal information if only one organization makes that 
information publicly available. This issue is associated with the idea 
of liability for breaching a duty of confidentiality, but it is also a 
change in focus that requires unique legislative attention. In other 
words, it is important not only to protect personal information but 
also to establish safeguards for handling those forms that document 
personal information. What is required is legislation that mandates 
strict controls on the circumstances under which the recording of 
personal information is justified.

Practice 4: Eligibility for compensation and financial assistance.

    Financial assistance is typically reserved for victims of violent 
crimes where the perpetrator has not been ordered to provide 
restitution or does not have the means to provide effective 
restitution. Such practices can also be helpful in identity theft cases 
that result from privacy breaches. Financial assistance, unlike 
restitution, is able to provide for and compensate immediate financial 
outlays without concern for the offender's ability to pay. As the 
Privacy Rights Clearinghouse has demonstrated, a victim of identity 
theft typically spends as much as $1,200 out-of-pocket to correct the 
damage caused by the crime. Thus, just as victims of violent crimes 
have a need for funds to cover immediate emergency expenses, so do 
victims of identity theft. Therefore, legislation may be needed to 
assure that victims of identity theft can qualify for federal victim 
assistance funds.

Practice 5: Aid to identity theft victims in clearing their names.

    Regardless of the efficiency of the legal system in prosecuting 
identity theft cases, victims often face many difficulties in removing 
fraudulent information that is associated with their names. 
Consequently, victims of identity theft remain vulnerable to future 
victimization through the continued use of their SSN on government 
documents, most of which require the use of the SSN as a personal 
identifier. A great need exists for aid in purging erroneous records 
maintained by credit bureaus, police departments, and other 
organizations that result from the crime of identity theft. Often, the 
mechanism for such corrections is complex, creating barriers for 
citizens of limited means or comprehension. Therefore, legislative 
guidance for aid to victims of identity theft would be helpful. 
Examples of policies that have been enacted by statute (nearly all from 
California) to address this problem are

      Providing public agency aides to assist victims by making 
phone calls, preparing forms, or taking other steps on behalf of the 
victims;
      Requiring that court records reflect that the person 
whose identity was falsely used to commit a crime did not commit that 
crime (Cal. Penal Code 530.5(c)); and
      Allowing the victim to petition the court for an 
expedited determination of factual innocence (Cal. Penal Code 530.6).

Legislative Treatment of Social Security Information

    In those instances when SSNs are deemed suitable for recording, 
there exists a need to create statutory incentives for companies 
(especially, but not limited to, credit card companies) to safeguard 
this information. While a few states have some form of accountability 
already on the books (California's Information Practices Act and 
Delaware's concept of reckless disclosure of information stand out), 
none have gone so far as to explicitly create an actionable duty of 
care for all entities that collect private identifying information to 
protect said information to at least the level to which a reasonable 
person would have protected it. Delaware is the only state to even 
mention the reckless or negligent disclosure of personal information in 
their identity theft legislation.
    While civil actions are always available to punish such 
disclosures, they do not possess the desired deterrent effect unless 
they are easily factored into a rational analysis of policy options. As 
it stands, one can only assume that the current rate of identity theft 
and credit card fraud are an acceptable cost of business for the 
corporations that currently treat with social security numbers and 
other private identifying information in an unsafe way. Creating a 
statutory category of liability would serve both to increase the 
victim's chances in court and to alter the equation for those 
corporations, putting them on notice to change their behavior lest it 
eat into their profit margin.
    California is one state that has imposed liability on entities that 
handle personal data. Cal Civ Code  1798.29 (2003), for example, 
requires any agency that ``owns or licenses computerized data that 
includes personal information'' to report security breaches to the 
people whose personal information may have been compromised. Cal Civ 
Code  1798.82 (2003) extends similar requirements to people and 
businesses doing business in California. This approach is proposed for 
Federal law in S. 1350, the Notification of Risk to Personal Data Act, 
recently filed by Senator Feinstein.
    Of course, regardless of how rigorously SSNs are protected, there 
will be instances in which they are abused. On this matter, the 
following recommendations are proposed:

      Make possession of fraudulent social documents either 
illegal in and of itself or allow it to create a permissible inference 
of forgery. There is already a provision in many forgery and credit 
card fraud statutes that states that the ownership of some small number 
of forged or unauthorized instruments is enough to create an inference 
of a guilty motive without the necessity of proving a definite intent. 
Additional measures can be taken to address unauthorized possession of 
identifying documents or information. Some states have already adopted 
various measures of this type. Alabama and Kentucky lead the way in 
this regard, and set the required number of identity documents (a term 
that would include social security cards) in one's possession that are 
not one's own to create an inference of identity trafficking at five.
      When SSNs are abused, they are often abused for long 
periods of time. While a victim of a burglary may change their locks, a 
victim who was targeted through their SSN has little ability to prevent 
this means of victimization in the future. Unless SSNs are easily 
changed, the victims of these crimes have little protection against 
repeat predation, especially as the SSN is passed to other unscrupulous 
types. To address this problem, some sort of repository for compromised 
SSNs, which could flag SSNs that have been the target criminal abuse, 
could be established.

Current Legislative Issues

    It has been recognized that no federal law currently limits use or 
disclosure of SSNs among private entities, leaving them free to deny 
credit or services without SSNs; and that the Social Security 
Administration (SSA) cannot control how private entities keep, use or 
distribute SSNs, thus leaving the burden on consumers who have no real 
power.\14\
    Many bills, taking a variety of approaches to preventing or 
enhancing responses to identity theft, have been introduced in recent 
Congresses, and several are again pending in this, the 108th Congress. 
Some of these legislative measures propose enhancements in the 
penalties under the federal ID Theft statute in the interest of 
increasing the deterrent effects, or would make modifications aimed at 
facilitating investigations or prosecutions. Others go more directly to 
the topic at hand today: augmenting the protections against disclosure 
and misuse of certain information, including SSNs.
    These bills, such as H.R. 2036 which you sponsored in the 107th 
Congress, Mr. Chairman, would enhance privacy protections and otherwise 
help prevent ``fraudulent misuse'' of SSNs by restricting display or 
use of SSNs, restricting dissemination of SSNs or any derivative or 
their use as PINs without an individual's consent, and providing for 
regulation and criminal punishment of sales and purchases of SSNs. As 
you know, measures are also pending to protect other personal 
identifying information by, for example, prohibiting sale and 
disclosure of personally identifiable information by commercial 
entities to non-affiliated third parties absent prescribed procedures 
for notice and opportunity to restrict such disclosures.
    Specifically,

      H.R. 70, the Social Security On-line Privacy Protection 
Act, would prohibit an interactive computer service from disclosing to 
a third party an individual's SSN or related personally identifiable 
information without the individual's prior informed written consent.
      H.R. 220, the Identity Theft Prevention Act of 2003 
pending before this subcommittee, would, among other things, amend the 
Social Security Act and Internal Revenue Code to protect the integrity 
and confidentiality of SSNs, prohibiting their use or disclosure except 
for specified social security and tax purposes.
      H.R. 637, the Social Security Number Misuse Prevention 
Act, and the companion bill, S. 228, would, among other things, 
prohibit display, sale, or purchase of SSNs without affirmative, 
express consent of the persons to whom they belong; prohibit use of 
SSNs on government-issued checks, the appearance of SSNs on driver's 
licenses or motor vehicle registrations, and inmate access to SSNs; 
prohibit commercial entities from requiring individuals to provide SSNs 
when making purchases or from denying such purchases if the persons 
refuse to provide such numbers; and establish civil and criminal 
penalties for misuse of SSNs. (Similar provisions are included within 
other, broader bills, including but not limited to S. 745, the Privacy 
Act of 2003.)
      H.R. 1931, the Personal Information Privacy Act of 2003, 
would, in part, prohibit commercial acquisition or distribution of 
SSNs, or derivatives, as well as their use as personal identification 
numbers, without written consent.

    Two other bills very recently filed in the House of Representatives 
and pending before the Ways and Means Committee, H.R. 2617, the 
Consumer Identity and Information Security Act of 2003, and H.R. 2633, 
the Identity Theft Protection and Information Blackout Act of 2003, 
include (but are not limited to) provisions that would similarly place 
prohibitions or restrictions on certain uses of SSNs.
    While we are not necessarily endorsing every aspect of these 
various measures, we certainly commend them to your careful 
consideration as Congress acts, along with the states, to better enable 
effective responses and efforts to prevent identity theft.

Conclusion

    Thank you for the opportunity to testify before you today. Mr. 
Chairman, I am eager to answer any questions you or other members of 
the subcommittee may wish to direct to me.

References

     1. U.S. Department of Justice. (2003, July 27). Fraud. Retrieved 
July 7, 2003, from http://www.usdoj.gov/fraud.htm
     2. U.S. Department of Justice. (n.d.). Identity theft: Prosecution 
and protection. Retrieved July 2, 2003, from http://www.usdoj.gov/usao/
txs/releases/May%202002/020502-identitysheet.htm
     3. Benner, J., Givens, B. & Mierzwinski, E. (2000). Nowhere to 
Turn: Victims speak out on identity theft: A CALPIRG/Privacy Rights 
Clearinghouse report. Privacy Rights Clearinghouse. Retrieved June 13, 
2002, from http://www.privacyrights.org/ar/idtheft2000.htm
     4. Star Systems (STARsm). (2003, April 16). Americans want action 
on identity theft. [Press Release]. Retrieved July 7, 2003, from http:/
/www.star-systems.com/cfm/news-press.cfm?id=81
     5. Federal Trade Commission. (2003, January 22). National and 
state trends in fraud and identity theft: January-December 2002. 
Retrieved July 1, 2003, from http://www.consumer.gov/sentinel/pubs/
Top10Fraud_2002.pdf
     6. Identity Theft Resource Center. (2003, February). Facts and 
statistics. Retrieved July 2, 2002, from http://www.idtheftcenter.org/
facts.shtml
     7. Identity Theft Resource Center. (2003, February). Facts and 
statistics. Retrieved July 2, 2002, from http://www.idtheftcenter.org/
facts.shtml
     8. Federal Bureau of Investigation. (2003, July 7). Operation easy 
rider: FBI puts stop to driver's license fraud. Retrieved July 7, 2003, 
from http://www.fbi.gov/homepage.htm
     9. U.S. Department of Justice. (2003, May 12). Three indicted on 
conspiracy to commit bank fraud and identity theft. [Press Release]. 
Retrieved July 3, 2003, from http://www.cybercrime.gov/thomasIndict.htm
    10. Sanchez, E. (2003, May 13). Scam alert: Insider help giving a 
new look to bank robberies. The Sacramento Bee. Retrieved July 3, 2003, 
from http://www.sacbee.com/content/news/scam_alert/v-print/story/
6657347p-7609218c.html
    11. U.S. Department of Justice. (2003, May 12). Three indicted on 
conspiracy to commit bank fraud and identity theft. [Press Release]. 
Retrieved July 3, 2003, from http://www.cybercrime.gov/thomasIndict.htm
    12. Masters, B.A. (2002, November 26). Huge ID-theft ring broken; 
30,000 customers at risk. The Washington Post. Retrieved July 3, 2003, 
from http://seattletimes.nwsource.com/html/consumeraffairs/
134584039_idtheft26.html
    13. O'Connor, T. (2003, January 2). Four charged in ID-theft scam. 
The Journal News. Retrieved July 3, 2003, from http://
www.nyjournalnews.com/newsroom/010203/A102idtheft.html
    14. Harry A. Valetk, Identity Theft: What It Is and How to Protect 
Against It, originally published on GigaLaw.com and found November 22, 
2002, at http://www.wiredpatrol.org/idtheft/whatisit.html

                                 

    Chairman SHAW. Mr. Collins.
    Mr. COLLINS. Thank you. Mr. Edwards, there has been talk 
about the Inspector General, the SSA having statutory authority 
to share information with law enforcement. How often have you 
requested information from SSA to pursue a criminal?
    Mr. EDWARDS. On several occasions, Mr. Collins, but in each 
case it was denied to me.
    Mr. COLLINS. What was the reason given?
    Mr. EDWARDS. At the time, and this is not in the most 
recent past, but at the time I was told that they could not 
provide that information. Basically, the information I have 
been able to obtain from Social Security over the years is, I 
can give them a number and they will tell me if it is a valid 
number or not. They will not tell me who the number belongs to 
or whether it is being used by the correct person.
    Mr. COLLINS. How long ago has it been since your last 
request? Do you know?
    Mr. EDWARDS. Within the last couple of years? Yes, sir. It 
has not been in the recent past; quite frankly, because of the 
frustration, unless I just need a verification of a SSN, I 
rarely call them.
    Mr. COLLINS. The Inspector General stated in its testimony 
that we need criminal penalties for Social Security misuse 
itself, as well as civil monetaries. You mentioned that 
possession of fraudulent documents should be illegal in and of 
itself. Describe some cases where such law would have been 
helpful in investigating or prosecuting an identity theft.
    Mr. EDWARDS. Identity theft covers a lot of different 
crimes, and there is a lot of crimes that are predicate acts to 
identity theft. So, we have used all kinds of charges, 
including false writings to the State for driver's license. We 
have used it in cases where an individual has actually 
falsified a signature to obtain a credit card or some kind of 
bank loan or something along that line. So, all of these 
different tools that exist out there are very useful to us. We 
have an identity theft statute in the State of Georgia, and 
where it has helped our victims, and that is who it really 
helps, is giving them a vehicle for when. Particularly, like 
the scenario I gave where the identity was compromised in 
California, under Georgia law we can indict that individual and 
extradite them back, and there doesn't have to be a financial 
loss, just the virtue that an individual went around portraying 
that they were someone else using that individual's identifiers 
in the State of Georgia is a crime now and it is a felony. It 
carries 5 years, and we are just starting to test that. It went 
into law a year ago, July, and we are just now starting to test 
that law in the courts. We have had a couple of cases that have 
been successful.
    Mr. COLLINS. How many other States have that?
    Mr. EDWARDS. I am not familiar, Mr. Collins. Quite frankly, 
maybe two or three. If that many.
    Mr. COLLINS. Thank you, Mr. Edwards.
    Mr. EDWARDS. Thank you, sir.
    Chairman SHAW. If I could direct a question to Mr. Wern and 
Mr. Hoofnagle with regard to, we have been hearing today a lot, 
people have been referring to the identifier as putting the 
genie back into the bottle. Obviously, the numbers are out 
there now, and they will remain out there no matter what we do. 
We can certainly stop the distribution, or certainly retard the 
distribution through criminal statutes, but a lot of that 
information is already in the public domain. I know in Florida, 
with the total access that everybody has to public records, it 
is going to be very difficult to go back and take those numbers 
off of the public records. Whether you are talking about death 
certificates or probate files or it goes on and on, probably 
divorce files, I would assume they are probably in there 
somewhere, it is going to be very, very difficult. It occurs to 
me that if you simply prohibit the use of SSN as an 
identification for nongovernmental purposes, that it would make 
that number somewhat useless for other purposes. Now, quite 
obviously if we were looking at this as an identifier, we would 
require very stringent requirements as to photographs or 
counterfeit proofing. You would have an address and date of 
birth and other pertinent information on the card itself, you 
would be sure to keep absolutely current with all of that, all 
of that information, and you would have had tremendous 
safeguards around it and everything else, which obviously the 
crooks have picked this up as something that was never 
anticipated by those who wrote the statutes.
    I understand, Mr. Edwards, that we are looking into the 
area that you and Mr. Collins were just discussing with regard 
to the access law enforcement has, at least to the name, they 
are governed under the Internal Revenue Code, there are 
restrictions on giving any information, but I think it is more 
based toward wages and things of this nature. We are going to 
look into it and see if it prohibits their giving the name of 
whomever, whatever number you have; or at least you should be 
able to say, I have got John Doe and he has got X-Y-Z number, 
is this his number? They should be able to say yes or no to 
that. So, we need to work on that. We use that number for so 
many number purposes. Tracking deadbeat dads. That was 
something I had a lot to do with in welfare reform when we 
reformed the welfare system in this country. We don't want to 
make it more difficult to track deadbeat dads so they can 
fulfill their parental responsibilities. We do need, we 
desperately need to stop the distribution of these numbers as 
an identifier and as the golden, I think you, Mr. Hoofnagle, 
referred to it as the golden key or something of that nature, 
to stealing identification. Mr. Wern, you mentioned that you 
were victimized and you went through this for about 3 years. I 
understand from people who have been in your place, that they 
are being warned that it may not be over, that this nightmare 
may recur. You have recurring nightmares in this area. How did 
they get your number, and was it the SSN that was the key to 
the identity theft that you suffered?
    Mr. WERN. We don't know for absolute sure how the 
perpetrator got the number. He was caught and interrogated, but 
his story just didn't make a whole lot of sense. My best guess, 
probably 80 percent sure, is that it was on a dental record 
that was stolen from my mail. I had some mail stolen, and one 
of the things that I know for a fact was stolen was a dental 
report or a bill that I know also had that SSN on it. My SSN 
was the key to that crime simply because it was sort of the 
final piece of information he needed. It was easy enough to get 
my address. He knew where I lived, he took my mail. It was easy 
enough to get my name and date of birth as well from other 
public records. Once he had the SSN, he used it and damaged to 
the point, to the point where I actually had to change the SSN, 
which is an extreme measure that we don't recommend people 
doing. It carries a lot of problems with it, but when you get 
to a situation where another person is essentially cloning you, 
you don't have a choice.
    Chairman SHAW. Several things in the law that I want this 
Committee--that we will be looking at, is use of a counterfeit 
SSN. You have an illegal alien who is in this country, working. 
He gets a counterfeit Social Security card and number, the 
identification, and he can go to work. Then it is under a false 
number. Later he is legally admitted into the United States and 
gets a green card and gets a work permit. He can actually go 
back and claim the money that was paid into Social Security 
under that false number on his behalf, which to me is somewhat 
bizarre that somebody can go back and claim the fruits of their 
crime after they are entitled to work under the laws that we 
have. These are there are so many things that just don't make a 
whole lot of sense, and the more you look into this whole use 
of SSNs and how they are used and abused, it becomes more and 
more apparent that we definitely need to at least neuter the 
use of this number as an identifier so that if somebody does 
get hold of it, it will be sort of a, ``so what.'' One of the 
ways to do it is to just stop the nongovernment use of this 
number, period. Mr. Cardin, do you have any questions for these 
witnesses?
    Mr. CARDIN. First, let me thank you all for being here. I 
apologize I was not here during your entire testimony. As more 
and more we talk about this, I am wondering, Mr. Chairman, how 
difficult would it be to restrict the use of SSNs to 
governmental purposes and not in the private sector. It would 
require a lot of changes, the habits of the private sector. So, 
your comment was that the missing ingredient, that was the one 
bit of information that allowed the identity theft to be 
effective obtaining your SSN probably from a medical record 
that there was no need for it to be on. So, there is clearly an 
abuse in the private sector on the use of SSNs. It is 
convenient for them, it is a reliable number, it is set up by 
their government. I understand all those arguments as to why it 
is convenient to use the SSN for identification by the private 
sector, but that is not its intent. The other question about 
trying to verify who you are. The fact that you know someone's 
SSN is no guarantee at all that that is who you are. So, I am 
just wondering, Mr. Chairman, what is the trade-off here, how 
difficult it would be for the private sector if we in fact 
restricted those numbers? I don't have any specific questions 
for any of the witnesses. Again, I thank them for being here.
    Chairman SHAW. Well, I thank all of you for being here 
today. The first panel as well, which I neglected to thank as 
we ran out the door to make the last vote. I think it has been 
a very interesting discussion here, and the three of you 
certainly have added considerably to the store of knowledge 
that we are trying to build up. I am very hopeful that we will 
not only be able to get a bill out of this Committee, which I 
don't think is going to be a great deal of trouble, I think we 
can do it, we have done it before but that we can work with the 
other committees to see that they move it. I think it is the 
Committee on the Judiciary and the Committee on Financial 
Services that have a piece of this legislation. There may be 
another jurisdiction involved, but everybody guards their turf 
up here on Capitol Hill, particularly this Committee. We really 
guard ours. We want to be sure that the other committees either 
waive jurisdiction or that they pass on the provisions of the 
bill within their jurisdiction. It is the fastest growing type 
of white collar crime that we have, and it may be the fastest 
growing crime, period. We know the conditions are getting worse 
and worse. Mr. Wern, we don't want to see more people go 
through the agony that you went through. Credit is so important 
in this country. We certainly appreciate the three of you 
coming forward. We are about ready to adjourn. Did you have 
anything?
    Ms. TUBBS JONES. Thank you gentlemen for coming. I am sorry 
I couldn't be here, but you know what life is like on the Hill. 
Thank you, Mr. Chairman.
    Chairman SHAW. I was a judge too, Ms. Tubbs Jones. One time 
I came in late, in fact I came late a lot of times, and the 
bailiff looked over and he said, judge, you are late. I said, 
oh, did you start without me? So, I think once you have been a 
judge, you kind of get used to your own time clock, and you do 
what you have to do. Well, thank you all very much. It has been 
a very beneficial hearing. We are now adjourned.
    [Whereupon, at 3:43 p.m., the hearing was adjourned.]
    [Submissions for the record follow:]

                                                      July 24, 2003

The Honorable E. Clay Shaw, Jr.
Chairman
Subcommittee on Social Security
B-316 Rayburn House Office Bldg.
Washington, DC 20515

The Honorable Robert Matsui
Ranking Democratic Member
Subcommittee on Social Security
1106 Longworth House Office Bldg.
Washington, DC 20515

Dear Chairman Shaw and Ranking Member Matsui:

    The undersigned organizations applaud your efforts over the past 
several years to craft legislation that will ensure the integrity of 
the social security number (SSN) in the years ahead. We are extremely 
concerned about the proliferation of identity theft and other financial 
crimes that exploit individual SSNs, and believe strong legislation 
should be enacted to combat such nefarious acts. We eagerly await your 
introduction of legislation to address these issues during this session 
of the 108th Congress.
    As public and private employee benefit plan sponsors, however, we 
are concerned that such legislation could unintentionally hinder the 
delivery of benefits from, and the efficient administration of, public 
and private employee benefit plans.
    In your bipartisan legislation introduced during the 107th 
Congress, the ``Social Security Number Privacy and Identity Theft 
Prevention Act of 2001,'' (H.R. 2036), the definitions and provisions 
relating to the ``sale,'' ``purchase'' or ``display'' of a person's SSN 
could make it more difficult to deliver comprehensive health and 
retirement benefits to public and private employees alike. Indeed, the 
language could place plan administrators in jeopardy of, on the one 
hand, violating the strict fiduciary requirements applicable to 
retirement plans and, on the other hand, exposing themselves to 
criminal penalties under the bill. It is unreasonable to put plan 
administrators of a voluntary employee benefit system in this position.
    In general, public and private employee benefit plans use SSNs 
because they enable the accurate and timely administration of benefits 
for a highly mobile workforce, and because use of the number is 
mandated for tax reporting requirements. Plan administrators take 
seriously the responsibility that the use of SSNs requires, and they 
use the utmost caution and security when SSNs are used in plan 
administration and communications.
    Public and private sector defined benefit and defined contribution 
pension and savings plans, like 401(k), 403(b), and 457 plans, use SSNs 
to identify plan participants, account for employee contributions, 
implement the employee's investment directions, track ``rollovers'' 
from other plans, and allow employees to view their account activity or 
benefit accrual online (typically in conjunction with a secure 
``PIN''). The broad prohibitions of H.R. 2036 could impede, for 
example, an individual's ability to stay current on the accumulation of 
benefits for his or her retirement.
    SSNs are also used as the primary identifier in many medical and 
health benefit and prescription drug plans to coordinate communications 
between the doctor, the medical service provider, and the plan. H.R. 
2036's broad prohibitions could, for example, hinder the delivery of 
medications to the individual.
    H.R. 2036 allowed the nonabusive legitimate uses of social security 
numbers for national security, law enforcement, public health and 
advancing public knowledge purposes in proposed new section 208A(c) 
(section 201(a) of H.R. 2036). An ``Employment Exception'' could be 
included as well. It would be substantially similar to that in S. 228, 
which exempts any interaction between businesses, governments, or 
business and government. The exemption appears in Section 3(a) of S. 
228, creating Section 1028A in Chapter 47, Title 18, United States 
Code. Senators Feinstein, Gregg, and Leahy introduced S. 228 on January 
28, 2003.
    We firmly believe your legislation should permit the use of an 
individual's SSN for any employment or employment-related purpose (such 
as the administration of an employee benefit plan) and for any 
recordkeeping purpose related to an investment made by the individual. 
In H.R. 2036, you recognized the importance of this issue by 
specifically excluding application for government benefits or programs 
from the definition of ``sale'' or ``purchase.'' We believe our 
proposed ``Employment Exception'' would follow your intent to not 
hinder the administration of employee programs and delivery of benefits 
in the public and private sector employment arena as well.
    An ``Employment Exception'' could be included in the new section 
208A(c) of the bill. Alternatively, the definitions of ``sale,'' 
``purchase'' and ``display'' as drafted in new section 208A(a) (section 
201(a) of H.R. 2036) could be modified and text in Section 202(b) of 
the bill could be slightly revised. We have attached proposed 
legislative language that is designed to enable the bill to achieve 
your objective of limiting the misuse of social security numbers 
without interfering with the efficient and effective administration of 
public and private employee compensation and benefit plans.
    We look forward to continuing to work with staff and with the 
Committee to effectively address the problem of identity theft without 
creating unintentional barriers to the provision of public and private 
pension, health and other benefits to employees. Please do not hesitate 
to contact us should you require additional information or wish to 
discuss this issue in more detail.

            Sincerely,
                                          American Benefits Council

                              American Society of Pension Actuaries

College and University Professional Association for Human Resources

                                           ERISA Industry Committee

 Financial Executives International's Committee on Benefits Finance

            National Association of State Retirement Administrators

                             National Council on Teacher Retirement

                    National Rural Electric Cooperative Association

                           Profit Sharing/401(k) Council of America

                               __________

                          Proposed Amendments

    The undersigned organizations propose the following be included in 
the upcoming legislation to be introduced by House Ways and Means 
Social Security Subcommittee Chairman E. Clay Shaw, Jr., and Ranking 
Member Robert T. Matsui, which is designed to ensure the integrity of 
the social security number (SSN) in the years ahead. Our proposed 
amendments, which are based on the ``Social Security Number Privacy and 
Identity Theft Prevention Act of 2001,'' (H.R. 2036) introduced in the 
107th Congress, are designed to enable the bill to achieve its 
sponsors' objective of limiting the misuse of SSNs without interfering 
with the efficient and effective administration of public and private 
employee compensation and benefit plans. In each instance, new text is 
underscored, and deletions are [bracketed].

                     Option 1--Employment Exception

    Strike ``and'' after ``;'' on Page 18, line 25.
    Replace ``.'' with ``; and,'' on page 19, line 8.
    Insert at page 19, line 9:

    `(8) if the display, sale, or purchase of such a number is for a 
use occurring as a result of an employment-related interaction between 
employers and employees of businesses or government (regardless of 
which party initiates the interaction), for any purpose mandated or 
permissible under Title 26 or Title 29 on the United States Code;'

       Option 2--Clarify Language to Prevent Unfair Treatment of

                         Employee Benefit Plans

    PROPOSED AMENDMENTS TO SECTION 201: These amendments clarify that 
the prohibitions contained in Section 201 of the bill will not apply to 
public and private employer-sponsored plan uses of SSNs. These 
amendments also clarify that ``government benefit or program'' includes 
benefits related to employment with such governments.

    1.  AMENDMENT DEFINING ``SALE'': This amendment clarifies that an 
SSN is not sold when it is provided in connection with an employment-
related transaction that has a bona fide purpose unrelated to the use 
of the SSN, such as the administration of an employee benefit or 
compensation plan.
Amend Section 208A(a)(2) (section 201(a) of H.R. 2036 defining 
        ``sale'') to read as follows:

       ``(2) SALE--The term `sell' in connection with a social security 
account number means to obtain, directly or indirectly, anything of 
value in exchange for such number. Such term does not include the 
submission of such number as part of the process for applying for any 
type of Government benefits or programs (such as grants or loans or 
welfare or other public assistance programs) or any activity necessary 
to effect an employment-related transaction that has a bona fide 
purpose unrelated to the use of the social security number.''

    2.  AMENDMENT DEFINING ``PURCHASE'': This amendment clarifies that 
an SSN is not purchased when it is obtained in connection with an 
employment-related transaction that has a bona fide purpose unrelated 
to the use of the SSN, such as the administration of an employee 
benefit or compensation plan.
Amend section 208A(a)(3) (section 201(a) of H.R. 2036 defining 
        ``purchase'') to read as follows:

       ``(3) PURCHASE--The term `purchase' in connection with a social 
security account number means to provide, directly or indirectly, 
anything of value in exchange for such number. Such term does not 
include the submission of such number as part of the process for 
applying for any type of Government benefit or programs (such as grant 
or loan applications or welfare or other public assistance programs), 
or any activity necessary to effect an employment-related transaction 
that has a bona fide purpose unrelated to the use of the social 
security number.''

    3.  AMENDMENT DEFINING ``DISPLAY'': This amendment clarifies that 
an SSN is not displayed to the general public when it is placed in a 
viewable manner in connection with an employment-related transaction 
that has a bona fide purpose unrelated to the use of the SSN, such as 
the administration of an employee benefit or compensation plan.
Amend section 208A(a)(4) (section 201(a) of H.R. 2036 defining 
        ``display'') to read as follows:

       ``(4) DISPLAY--The term `display' means, in connection with a 
social security account number, the intentional placing of such number, 
or a derivative thereof, in a viewable manner on an Internet site that 
is available to the general public or in any other manner intended to 
provide access to such number or derivative by the general public. As 
used in this section, the term `general public' does not mean any 
person connected with any activity that is necessary to effect 
employment-related transactions that has a bona fide purpose unrelated 
to the use of the social security number.

    PROPOSED AMENDMENTS TO SECTION 202: This amendment clarifies that 
an employee is not considered a consumer for purposes of this section 
and that section 202 of H.R. 2036 would not apply in the context of the 
employer-employee relationship, such as the administration of an 
employee compensation or benefit plan.
Amend section 202(b) as follows:

       ``(b) EXCEPTION--Subsection (a) shall not apply to any person in 
any case in which such person is required under Federal law, in 
connection with doing business with an individual, to submit to the 
Federal Government such individual's Social Security account number; 
or, in connection with employment of the individual, including the 
provision of compensation or benefits thereof.''

Rationale for Specific Changes in Option 2

    Section 201(c) unwisely subjects public and private employee 
benefit plans to regulations promulgated by a federal agency with no 
expertise in employee benefit plans. Section 201(c) grants the Attorney 
General authority to promulgate regulations to carry out the 
prohibitions against sale, purchase, and display of SSNs, and provides 
the Attorney General complete discretion over whether or not to consult 
with an agency that has expertise over employee benefit plans. 
Regulations that require the amendment of hundreds of thousands of 
public and private employee benefit plans should not be promulgated by 
an agency with no expertise or jurisdiction over the laws governing 
those plans.

    Section 202 could unintentionally restrict access to employee 
benefit plans. Section 202 prevents any ``individual, partnership, 
corporation, trust, estate, cooperative, association, or any other 
entity'' from refusing to ``do business'' with an individual who does 
not provide them with an SSN. Without clarifying that section 202(a) 
does not apply to public and private employee benefit plans, plan 
sponsors might be prevented from obtaining an individual's SSN for plan 
enrollment, benefit payments, and other legally mandated and routine 
plan administrative functions. The exemption in section 202(b) to this 
prohibition, while helpful, does not go far enough.

                                 
    Statement of Stuart K. Pratt, Consumer Data Industry Association
    The Consumer Data Industry Association (CDIA) is pleased to submit 
written testimony in connection with a hearing on the misuse of Social 
Security numbers and we thank Chairman Shaw for holding this hearing. 
CDIA has appeared in person before this subcommittee before and we hope 
our testimony will be helpful to you.\1\
---------------------------------------------------------------------------
    \1\ Preventing Identity Theft by Terrorists: Hearing before the 
House Comm. on Financial Services Subcomm. on Oversight and 
Investigations and the House Comm. on Ways and Means Subcomm. on Social 
Security, 107th Cong. (Nov. 8, 2001) (testimony of Stuart K. Pratt, 
Vice President, Vice President, Associated Credit Bureaus); Use and 
Misuse of Social Security Numbers: Hearing before the House Comm. on 
Ways and Means Subcomm. on Social Security, 106th Cong. (May 11, 2000) 
(testimony of Stuart K. Pratt, Vice President, Vice President, 
Associated Credit Bureaus).
---------------------------------------------------------------------------
    Founded in 1906, the Consumer Data Industry Association (CDIA), 
formerly known as Associated Credit Bureaus, is the international trade 
association that represents more than 500 consumer data companies. CDIA 
members represent the nation's leading institutions in credit 
reporting, mortgage reporting, check verification, fraud prevention, 
risk management, employment reporting, tenant screening and collection 
services.
    Consumer reporting agencies are careful stewards of personal 
information and they adhere to strict procedures outlined in federal 
and state laws.\2\ The information infrastructure of the consumer 
reporting system is the backbone of the consumer credit economy.\3\
---------------------------------------------------------------------------
    \2\ All consumer reporting agencies are bound by the Fair Credit 
Reporting Act (FCRA), 15 U.S.C.  1681 et seq. and numerous state 
credit reporting laws. Among other things, the FCRA requires consumer 
reporting agencies to maintain reasonable procedures to assure maximum 
possible accuracy, 15 U.S.C.  1681e(b) and prohibits data furnishers 
from furnishing data to consumer reporting agencies if they know the 
information has an error,  1681s-2(a). In addition, a consumer 
reporting agency is prohibited from furnishing a consumer report to 
anyone without a ``permissible purpose''--a narrow and statutorily 
limited list of permitted uses.  1681b.
    \3\ For example, it was recently noted that

       Maintaining a reliable and robust national credit reporting 
system is essential to ensure the continued availability of consumer 
credit at reasonable costs * * * The ready availability of accurate, 
up-to-date credit information from consumer reporting agencies benefits 
both creditors and consumers. Information from consumer reports gives 
creditors the ability to make credit decisions quickly and in a fair, 
safe and sound, and cost-effective manner. Consumers benefit from 
access to credit information from different sources, vigorous 
competition among creditors, quick decisions on credit applications, 
and reasonable costs for credit.

    Fair Credit Reporting Act: How it Functions for Consumers and the 
Economy: Hearing before the House Comm. on Financial Services Subcomm. 
on Financial Institutions and Consumer Credit, 108th Cong. (June 4, 
2003) (statement of Dolores S. Smith, Director, Division of Consumer 
and Community Affairs, Board of Governors of the Federal Reserve 
System).
---------------------------------------------------------------------------
    Our members have a strong interest in the legitimate and lawful use 
of all information, including Social Security numbers. Used properly, 
SSNs play a substantial role in reducing fraud, enhancing workplace 
security, promoting public safety, supporting homeland defense, 
reducing state and federal entitlement fraud, enhancing child support 
enforcement, and facilitating commerce to a diverse, mobile electronic 
society.
    Before I specifically address how the SSN is used by our industry 
and the importance of this number, I have found it helpful to provide a 
short review of what a consumer reporting agency is, what is contained 
in a consumer report, and the law that governs our industry.
CONSUMER REPORTING AGENCIES AND CONSUMER REPORTS
    Consumer reporting agencies maintain information on individual 
consumer payment patterns associated with various types of credit 
obligations on approximately 190 million Americans. The data compiled 
by these agencies is used by creditors and others permitted under the 
strict prescriptions of the FCRA.
    Consumer credit histories are derived from, among other sources, 
the voluntary provision of information about consumer payments on 
various types of credit accounts or other debts from thousands of data 
furnishers such as credit grantors, student loan guarantee and child 
support enforcement agencies. A consumer's file may also include public 
record items such as a bankruptcy filing, judgment or lien. Note that 
these types of data sources often contain SSNs, as well.
    For purposes of data accuracy and proper identification, generally 
our members maintain information such as a consumer's full name, 
current and previous addresses, Social Security Number (when 
voluntarily provided by consumers) and places of employment. This data 
is loaded into the system on a regular basis to ensure the completeness 
and accuracy of data.\4\
---------------------------------------------------------------------------
    \4\ Note that there are in fact a number of major credit reporting 
systems in this country. Within CDIA's membership the three most often 
recognized systems would be Equifax, Atlanta, Georgia; Experian, Costa 
Mesa, California; and TransUnion, Chicago, Illinois. These systems not 
only manage their own data, but provide data processing services for 
the hundreds of local independently-owned automated credit bureaus in 
the Association's membership.
---------------------------------------------------------------------------
    It is interesting to note that the vast majority of data in our 
members' systems simply confirms what most of you would expect; that 
consumers pay their bills on time and are responsible, good credit 
risks. This contrasts with the majority of systems maintained in other 
countries, such as Japan or Italy, which store only negative data and 
do not give consumers recognition for the responsible management of 
their finances.
    As important as knowing what we have in our files is also knowing 
what types of information our members do not maintain in files used to 
produce consumer reports. Our members do not know what consumers have 
purchased using credit (e.g., a refrigerator, clothing, etc.) or where 
they used a particular bank card (e.g., which stores a consumer 
frequents). They also don't have a record of when consumers have been 
declined for credit or another benefit based on the use of a consumer 
report. Medical treatment data isn't a part of the databases and no 
bank account information is available in a consumer report.
THE FAIR CREDIT REPORTING ACT (FCRA)
    In addition to our general discussion of the industry, we believe 
it is important for your Subcommittee to have a baseline understanding 
of the law which regulates our industry.
    Enacted in 1970, the Fair Credit Reporting Act was significantly 
amended in the 104th Congress with the passage of the Credit Reporting 
Reform Act.
    Congress, our Association's members, creditors and consumer groups 
spent over six years working through the modernization of what was the 
first privacy law enacted in this country (1970). This amendatory 
process resulted in a complete, current and forwarding-looking statute. 
The FCRA serves as an example of successfully balancing the rights of 
the individual with the economic benefits of maintaining a competitive 
consumer reporting system so necessary to a market-oriented economy.
    The FCRA is an effective privacy statute, which protects the 
consumer by narrowly limiting the appropriate uses of a consumer report 
(often we call this a credit report) under Section 604 (15 U.S.C. 
1681b), entitled ``Permissible Purposes of Reports.''
    Some of the more common uses of a consumer's file are in the 
issuance of credit, subsequent account review and collection processes. 
Reports are also, for example, permitted to be used by child support 
enforcement agencies when establishing levels of support.
    Beyond protecting the privacy of the information contained in 
consumer reports, the FCRA also provides consumers with certain rights 
such as the right of access; the right to dispute any inaccurate 
information and have it corrected or removed; and the right to 
prosecute any person who accesses their information for an 
impermissible purpose. The law also includes a shared liability for 
data accuracy between consumer reporting agencies and furnishers of 
information to the system.
SOCIAL SECURITY NUMBER USES
    Let me now turn to the question of how our industry uses the SSN.
    Under the Fair Credit Reporting Act, our industry has a duty to ``. 
. . employ reasonable procedures to ensure the maximum possible 
accuracy . . .'' of the consumer report. Further, we must design 
systems that accurately allow our customers to extract only the data 
requested on a specific individual.
    We must accomplish this dual mission of accuracy both in terms of 
building databases, but also properly identifying files in our systems 
in the context of a highly mobile society. Consider the following:

      Approximately 16% of the nation's population moves each 
year according to the U.S. Census Bureau, which means many addresses 
change each year. (This equates to approximately 42 million Americans)
      Based on National Center for Health Statistics, it is 
estimated that there are 2.4 million marriages and 1.2 million divorces 
annually. This event frequently triggers changes in addresses as well 
as last names.
      In 1998 there were 6 million homes in the U.S. that are 
considered vacation or second homes. Consumers often switch billing 
addresses if they stay at such residences for long periods of time and 
in some cases maintain billing addresses for both residences with 
various creditors. (Source: U.S. Census Bureau House Vacancy Survey as 
extrapolated by the National Association of Realtors)

    These data clearly speak to the challenge our members face where 
identifying data often changes.
    In light of the mobility of our society, the Social Security Number 
plays a very significant role in ensuring data quality. Our members 
process 2 billion data elements a month. These elements are a 
combination of credit history data and identifying information. 
Consider the following very real example.
    Where a consumer has changed a last name due to marriage or divorce 
and has moved to a new address, which is common in either case, the SSN 
is the most stable identifying element in the file. First, it helps us 
to identify the consumer's file with precision during this life 
transition where he or she is likely applying for new credit, seeking 
approval for utilities, and seeking to rent or purchase a new 
residence. The consumer expects that the consumer report will be 
available for all of these necessary transactions and the SSN helps our 
members to meet this expectation. Second, the consumer expect his or 
her file to be accurate and the SSN helps us to maintain the file 
accurately even when the consumer is in the midst of updating creditors 
with changes in name and address.
    The SSN is also a critical element in producing information 
products, which are commonly called locator services. These services 
are made available, for example, to child support enforcement agencies 
for purposes of locating non-custodial parents;\5\ to pension funds 
which must locate beneficiaries; to law enforcement for locating 
criminals or witnesses; \6\ to healthcare providers that must locate 
individuals who have chosen not to pay their bills, to state benefits 
agencies to reduce public assistance fraud,\7\ and for other similar 
uses.
---------------------------------------------------------------------------
    \5\ The U.S. Department of Health and Human Services noted that 
``[r]outine transfer of child support payment information to credit 
bureaus . . . is essential because these obligations may constitute a 
superior lean on a creditor's income.'' A Guide About Child Support 
Enforcement for Credit Grantors, U.S. Department of Health and Human 
Services, Family Support Administration. November 1988. In addition The 
Association for Children for Enforcement of Support reports that public 
record information provided through commercial vendors helped locate 
over 75 percent of the ``deadbeat parents'' they sought. Information 
Privacy Act, Hearings before the Comm. on Banking and Financial 
Services, House of Representatives, 105th Cong., 2d Sess. (July 28, 
1998) (statement of Robert Glass).
    \6\ Then-FBI Director Louis Freeh testified before Congress in 1999 
and noted that in 1998, his agency made more than 53,000 inquiries to 
commercial on-line databases ``to obtain public source information 
regarding individuals, businesses, and organizations that are subjects 
of investigations.'' This information, according to Director Freeh, 
``assisted in the arrests of 393 fugitives, the identification of more 
than $37 million in seizable assets, the locating of 1,966 individuals 
wanted by law enforcement, and the locating of 3,209 witnesses wanted 
for questioning.'' Hearing before the Senate Comm. on Appropriations 
Subcomm. for the Departments of Commerce, Justice, and State, and the 
Judiciary and Related Agencies, March 24, 1999 (Statement of Louis J. 
Freeh, Director of the Federal Bureau of Investigation).
    \7\ Consider the following examples:
      ``Individuals confined to a correction facility for at 
least 1 full month are ineligible to continue receiving federal 
Supplemental Security Insurance (SSI) program benefits. . . . Between 
January and August 1996, the sharing of prisoner data between SSA and 
state and local correction facilities helped SSA identify about $151 
million overpayments already made and prevented about $173 million in 
additional overpayments to ineligible prisoners.'' General Accounting 
Office, Social Security Numbers: Government Benefits from SSN Use but 
Could Provide Better Safeguards, GAO-02-352 (May 2002), 15, citing 
General Accounting Office, Supplemental Security Income: Incentive 
Payments Have Reduced Benefit Overpayments to Prisoners, GAO/HEHS-00-02 
(Nov. 22, 1999).
      ``Applicants for Temporary Assistance for Needy Families 
(TANF), a program designed to help low-income families, are required to 
provide their SSNs. Some agencies share SSN information to verify 
eligibility and identity. Between January and September 1999, New York 
State estimated that SSN verification saved about $72 million.'' 
General Accounting Office, Social Security Numbers, Government Benefits 
from SSN Use but Could Provide Better Safeguards, GAO-02-352 (May 
2002), 15, citing General Accounting Office, Benefit and Loan Programs: 
Improved Data Sharing Could Enhance Program Integrity, GAO-HEHS-00-119 
(Sept. 13, 2000).
      ``The Department of Education uses SSNs to match data on 
defaulted education loans with the National Directory of New Hires 
(NDNH). . . . As a result of this matching . . . the department 
reported collecting $130 million from defaulted student loan borrowers 
in 2001.'' General Accounting Office, Social Security Numbers, 
Government Benefits from SSN Use but Could Provide Better Safeguards, 
GAO-02-352 (May 2002), 16.
      Federal agencies that are owned money share that 
information with the Treasury Department which matches the debtors' 
SSNs with those taxpayers that are owed tax refunds and reduces the 
refund by the amount owed. In 2001, the Treasury Department offset tax 
refunds by $1 billion. Id.
---------------------------------------------------------------------------
    Further, the SSN plays a role in fraud prevention products. Where a 
consumer makes application for a product or service, information 
products that help the business to ensure that they are doing business 
with the right consumer use information products to authenticate or 
verify the application information. This is true in both for bricks-
and-mortar business and in e-Commerce.
    If applicant data does not match, then the business can take 
additional steps to verify the consumer's identity and thus prevent 
fraud.
FRAUD PREVENTION AND IDENTITY THEFT
    In your press release announcing this hearing, you mention the 
potential for misuse of the SSN. Our industry has a history of bringing 
forward initiatives to address fraud. These efforts focus on the use of 
new technologies, and better procedures and education. CDIA and its 
members have a long history of being leading innovators of identity 
fraud solutions. The attachment provides a short thumbnail of our 
involvement in identity fraud remediation since 1993.\8\
---------------------------------------------------------------------------
    \8\ While we agree that identity fraud is a significant problem, we 
also hope the committee will consider any legislation in the context of 
the most accurate and reliable data on the scope of the problem. One 
witness has suggested that the number of identity fraud victims could 
be between 700,000-1.8 million per year. Misuse of Social Security 
Numbers: Hearing before the House Comm. on Ways and Means Subcomm. on 
Social Security, 108th Cong. (July 10, 2003) (statement of Steve 
Edwards, Special Agent in Charge, Financial Investigations Unit, 
Georgia Bureau of Investigations; State Coordinator, U.S. Department of 
the Treasury, Financial Crimes Enforcement Network; and Vice Chairman 
of the Board of Directors, National White Collar Crime Center). CDIA 
feels that the best review of the level of identity fraud victimization 
is closer to 60,000 to 92,000 per year, General Accounting Office, 
Identity Theft: Prevalence and Cost Appear to be Growing, GAO-02-363 
(March 2002), 4, or 162,000 per year. FTC Reports: Figures and Trends 
on Identity Theft, January 2002-December 2002. The GAO figures were 
developed based on interviews with three national consumer reporting 
agencies. Consumer reporting agencies are probably the best source 
understanding the scope of identity fraud victimization as victims are 
mostly likely to contact consumer reporting agencies as a first 
response.
---------------------------------------------------------------------------
CONCLUSION
    In conclusion, you can see by our actions that in large part our 
uses of the SSN are governed under the Fair Credit Reporting Act, one 
of the most extensive privacy laws in the country. Beyond law, our 
members have a history of proactively limiting how SSNs are used 
outside of the FCRA. No one particular element of information is the 
key to identity theft. The underlying theme in all of this is balance.
    Laws that overreach in attempting to limit use of the SSN are 
likely to merely take fraud prevention tools out of the hands of 
legitimate businesses at the expense of consumers. Ironically, to 
prevent fraud you must be able to crosscheck information. To maintain 
accurate databases, you must be able to maintain a range of identifying 
elements. Absent the availability of the SSN, we will be less able to 
build accurate data bases, to accurately identify records and to help 
prevent the very crime through the development of fraud prevention and 
authentication tools.
    Thank you for this opportunity to offer testimony. CDIA is 
available to assist your and your committee at any time.

                               __________

         Consumer Reporting Agency Responses to Identity Fraud

      1993. Consumer Data Industry Association, then known as 
Associated Credit Bureaus, formed a Fraud and Security Task Force.
      1998. Creation of True Name Fraud Task Force led by 
former Vermont Attorney General M. Jerome Diamond. The work of the task 
force included meetings with law enforcement, consumer organizations, 
privacy advocates, legislators and staff, victims, and others.
      The capstone of the True Name Fraud Task Force was a 
series of initiatives announced in March 2000. These initiatives meant 
the consumer reporting industry was the first industry to step forward 
and not only educate its members about the problems consumers 
experienced, but to seek specific changes in business practices. The 
initiatives are to:

        Advocate the use and improve the effectiveness 
of security alerts through the use of codes transmitted to creditors. 
These alerts and codes can help creditors avoid opening additional 
fraudulent accounts.
        Implement victim-assistance best practices to 
provide a more uniform experience for victims when working with 
personnel from multiple fraud units.
        Assist identity theft victims by sending a 
notice to creditors and other report users when the victim does not 
recognize a recent inquiry on the victim's file.
        Execute a three-step uniform response for 
victims who call automated telephone systems: automatically adding 
security alerts to files, opting the victim out of prescreened credit 
offers, and sending a copy of his or her file within three business 
days.
        Launch new software systems that will monitor 
the victim's corrected file for 3 months, notify the consumer of any 
activity, and provide fraud unit contact information.
        Fund, through CDIA, the development of a series 
of consumer education initiatives through CDIA to help consumers 
understand how to prevent identity theft and also what steps to take if 
they are victims.

      2001. CDIA announced a police report initiative so that 
when a police report is provided as part of the process of disputing 
fraudulent data, Equifax, Experian and TransUnion will block these 
disputed items from appearing on subsequent consumer reports regarding 
that individual.

        ``Another collaborative effort with tremendous 
promise is your new police report initiative. . . . I appreciate that 
certain consumer-based initiatives require you to balance accuracy 
issues--knowing that the consumer's report contains all relevant credit 
information, including derogatory reports--against customer service. 
From my perspective, your police report initiative strikes just the 
right balance.'' J. Howard Beales, III, Director of the FTC's Bureau of 
Consumer Protection, before the Consumer Data Industry Association. 
Jan. 17, 2002.

      2002-03. ID Fraud Victim Data Exchange. CDIA and its 
members committed in 2002 to start a pilot test in early-2003 so that 
when an ID fraud victim calls any one of the participating credit 
reporting agencies, the victim will be notified that his or her 
identifying information will be shared by the receiving credit 
reporting agency with the other two participating credit reporting 
agencies and that the following steps will be taken by each recipient 
of the victim's information:

        A temporary security alert will be added to the 
victim's file. This security alert will be transmitted to all 
subsequent users (e.g., creditors) which request a copy of the file for 
a permissible purpose under the Fair Credit Reporting Act.
        The victim will be opted out of all non-
initiated offers of credit or insurance.
        The CRA will ensure that a copy of the victim's 
file is in the mail within three business days of the victim's request.

      Our efforts are paying off.

        Most calls are prevention related. CDIA members 
report a majority of consumers who contact fraud units are taking 
preventative steps and are not reporting a crime.
        Victims are learning of the fraud earlier. 
According to an FTC report in June 2001, 42% of victims learn about the 
crime within 30 days or less, a full 10% less than in the prior report. 
CDIA estimates another 35% learn of the crime within one to six months 
and 7% learn of the crime in six months to a year.
        Victimization of the elderly is dropping. In 
2001, the FTC estimated that 6.3% of identity fraud victims were over 
65, a 5% decrease from 2000.

                               About CDIA

    Founded in 1906, the Consumer Data Industry Association (CDIA), 
formerly known as Associated Credit Bureaus (ACB), is the international 
trade association that represents more than 400 consumer data 
companies. CDIA members represent the nation's leading institutions in 
credit reporting, mortgage reporting, check verification, fraud 
prevention, risk management, employment reporting, tenant screening and 
collection services.
    For more information about CDIA, its members, or identity fraud or 
other issues, please visit us at www.cdiaonline.org or contact us at 
202-371-0910.

                                 
Statement of the Honorable Darlene Hooley, a Representative in Congress 
                        from the State of Oregon
    Just last week this very committee heard testimony on the many 
problems caused by the misuse of Social Security numbers and the ever 
increasing problem of identity theft.
    I have become increasingly concerned about the vast quantities of 
sensitive, personal information that is now vulnerable to criminal 
interception and misuse. Currently, the ease of obtaining the Social 
Security number of an individual is shocking. Numbers are sold, 
exchanged and printed with an alarming carelessness. With a Social 
Security number and a few pieces of other easily obtainable personal 
information, fraudulent accounts can be opened and lives can be ruined. 
Many individuals work their entire life to build a spotless credit 
record, only to have it destroyed by a criminal armed merely with a 
Social Security number. The protection of Social Security numbers is a 
vital step to slowing the growth of identity theft and protecting 
people's lives.
    I've been active in trying to prevent further horror stories of 
misused Social Security numbers. Two and a half years ago, a young boy 
in Salem named Tyler Bales lost his battle with a rare genetic disease 
called Hurler syndrome. As if it were not hard enough to lose your 
sixteen month old child, Tyler's parents later learned--courtesy of the 
IRS--that someone was claiming Tyler as a dependent on their 2000 
income tax return.
    Because of disclosure issues, the IRS could not give out the 
identity of this thief to local law enforcement, even though ID theft 
is a felony offense in the state of Oregon. To date, two and one half 
years later, the Bales still do not know the identity of this thief.
    For this reason, I request that the House Committee on Ways and 
Means consider the ``ID Theft Loophole Closure Bill'' as the committee 
seeks legislation to prevent the misuse of Social Security numbers. 
This legislation simply changes the law to allow the IRS to furnish the 
name, Social Security number and address of a suspected identity thief 
to state and local law enforcement agencies for the exclusive purpose 
of locating the individual.
    Identity theft is not a victimless crime. We must cut the red tape 
that is preventing thieves from being prosecuted for their crimes, and 
I believe this legislation is the right tool for the job.

                                 
 Statement of the Honorable Max Sandlin, a Representative in Congress 
                        from the State of Texas
    Thank you Mr. Chairman and Ranking Member Matsui, for the 
opportunity to testify today on the impact of the use and misuse of 
Social Security numbers.
    I am pleased that my colleagues on the Ways and Means committee 
have convened a hearing on how the growing use of Social Security 
numbers as a national identifier has resulted in the mounting problem 
of identity theft. As you know, while our Social Security numbers were 
expressly created to catalogue workers' earnings for benefit purposes, 
nearly every branch of our society has co-opted Social Security numbers 
as an identification method. Our Social Security numbers can be found 
on records kept by schools, banks, businesses, and many states even 
list them on people's drivers licenses.
    While the use of Social Security numbers is very convenient and 
facilitates commerce through easy credit checks, we need to be 
cognizant of how the over exposure of Social Security numbers also 
easily enables criminals to commit identity theft. Simply by stealing 
an individual's purse, a thief may have immediate access to an 
individual's name and social security number and use that information 
to open new credit cards, establish new bank accounts, and even 
initiate new cell phone service, all to ring up charges that their 
victims will be left to contest. In the mean time, innocent, hard 
working, victims may find their credit destroyed, and may not even know 
about the theft until they are turned down for a mortgage or car loan. 
Once this occurs they are then forced to embark on an arduous process 
to restore their financial standing, while their dreams for a new home 
or needed vehicle remain on hold.
    The Federal Trade Commission noted that identity theft has 
increased over 88% just in the last year, with nationwide complaints 
totaling 162,000. In my home state, over 14,000 Texans filed victim 
complaint statements last year with the Federal Trade Commission. Their 
tragic experiences provided the impetus for our state legislature's 
enactment of a law to combat identity theft last month. While we were 
only the second state in the nation to do so, seven other states are 
actively considering similar legislation.
    We must continue to find ways to protect the citizens of this 
country from fraud and abuse caused by criminals committing identity 
theft. The Social Security Administration, credit bureaus, businesses, 
individuals and other federal, state and local government agencies must 
all coordinate resources to offer a comprehensive plan of action and 
protection. On the federal level, I am pleased to be a co-sponsor of 
H.R. 2035. This bill requires consumer reporting agencies to provide 
free credit reports annually upon the request of a consumer, as well as 
require the truncation of credit card numbers on printed receipts. By 
enacting common sense legislation like this, individuals will be able 
to detect identity theft at an early stage, before their credit reports 
are permanently damaged.
    Congress has a responsibility to help the American people, and our 
National economy, prosper. Strengthening financial privacy laws and 
protecting Social Security numbers will help to achieve these goals. 
Thank you for your time.