[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
USE AND MISUSE OF SOCIAL SECURITY NUMBERS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON SOCIAL SECURITY
of the
COMMITTEE ON WAYS AND MEANS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
JULY 10, 2003
__________
Serial No. 108-35
__________
Printed for the use of the Committee on Ways and Means
U.S. GOVERNMENT PRINTING OFFICE
93-570 WASHINGTON : 2004
_____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON WAYS AND MEANS
BILL THOMAS, California, Chairman
PHILIP M. CRANE, Illinois CHARLES B. RANGEL, New York
E. CLAY SHAW, JR., Florida FORTNEY PETE STARK, California
NANCY L. JOHNSON, Connecticut ROBERT T. MATSUI, California
AMO HOUGHTON, New York SANDER M. LEVIN, Michigan
WALLY HERGER, California BENJAMIN L. CARDIN, Maryland
JIM MCCRERY, Louisiana JIM MCDERMOTT, Washington
DAVE CAMP, Michigan GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota JOHN LEWIS, Georgia
JIM NUSSLE, Iowa RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas MICHAEL R. MCNULTY, New York
JENNIFER DUNN, Washington WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio XAVIER BECERRA, California
PHIL ENGLISH, Pennsylvania LLOYD DOGGETT, Texas
J.D. HAYWORTH, Arizona EARL POMEROY, North Dakota
JERRY WELLER, Illinois MAX SANDLIN, Texas
KENNY C. HULSHOF, Missouri STEPHANIE TUBBS JONES, Ohio
SCOTT MCINNIS, Colorado
RON LEWIS, Kentucky
MARK FOLEY, Florida
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin
ERIC CANTOR, Virginia
Allison H. Giles, Chief of Staff
Janice Mays, Minority Chief Counsel
______
SUBCOMMITTEE ON SOCIAL SECURITY
E. CLAY SHAW, JR., Florida, Chairman
SAM JOHNSON, Texas ROBERT T. MATSUI, California
MAC COLLINS, Georgia BENJAMIN L. CARDIN, Maryland
J.D. HAYWORTH, Arizona EARL POMEROY, North Dakota
KENNY C. HULSHOF, Missouri XAVIER BECERRA, California
RON LEWIS, Kentucky STEPHANIE TUBBS JONES, Ohio
KEVIN BRADY, Texas
PAUL RYAN, Wisconsin
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Ways and Means are also published
in electronic form. The printed hearing record remains the official
version. Because electronic submissions are used to prepare both
printed and electronic versions of the hearing record, the process of
converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.
C O N T E N T S
__________
Page
Advisories announcing the hearing................................ 2
WITNESSES
U.S. General Accounting Office, Barbara D. Bovbjerg, Director,
Education, Workforce, and Income Security Issues; accompanied
by Dan Bertoni, Deputy Director................................ 7
Social Security Administration, Hon. James G. Huse, Jr.,
Inspector General.............................................. 18
______
Electronic Privacy Information Center, Chris Jay Hoofnagle....... 51
Georgia Bureau of Investigations, InfraGard Atlanta Chapter Watch
and Warn Committee, Georgia's Stop Identity Theft Network,
National White Collar Crime Center, and Financial Crimes
Enforcement Network, Steve Edwards............................. 60
Identity Theft Resource Center, Theodore Wern.................... 38
SUBMISSIONS FOR THE RECORD
American Benefits Council; American Society of Pension Actuaries,
Arlington, VA; College and University Professional Association
for Human Resources, Knoxville, TN; ERISA Industry Committee;
Financial Executives International's Committee on Benefits
Finance, Florham Park, NJ; National Association of State
Retirement Administrators, Baton Rouge, LA; National Council on
Teacher Retirement, Sacramento, CA; National Rural Electric
Cooperative Association, Arlington, VA; Profit Sharing/401(k)
Council of America, Chicago, IL; joint letter and attachment... 72
Consumer Data Industry Association, Stuart K. Pratt, statement
and attachment................................................. 75
Hooley, Hon. Darlene, a Representative in Congress from the State
of Oregon, statement........................................... 80
Sandlin, Hon. Max, a Representative in Congress from the State of
Texas, statement............................................... 80
USE AND MISUSE OF SOCIAL SECURITY NUMBERS
----------
THURSDAY, JULY 10, 2003
U.S. House of Representatives,
Committee on Ways and Means,
Subcommittee on Social Security,
Washington, DC.
The Subcommittee met, pursuant to notice, at 1:18 p.m., in
room B-318, Rayburn House Office Building, Hon. E. Clay Shaw,
Jr. (Chairman of the Subcommittee) presiding.
[The advisory and revised advisory announcing the hearing
follow:]
ADVISORY
FROM THE
COMMITTEE
ON WAYS
AND
MEANS
SUBCOMMITTEE ON SOCIAL SECURITY
CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
July 02, 2003
SS-3
Shaw Announces Hearing on
Use and Misuse of Social Security Numbers
Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on
Social Security of the Committee on Ways and Means, today announced
that the Subcommittee will hold a hearing on both the use and misuse of
Social Security numbers. The hearing will take place on Thursday, July
10, 2003, in room B-318 Rayburn House Office Building, beginning at
10:00 a.m.
In view of the limited time available to hear witnesses, oral
testimony at this hearing will be from invited witnesses only. However,
any individual or organization not scheduled for an oral appearance may
submit a written statement for consideration by the Committee and for
inclusion in the printed record of the hearing.
BACKGROUND:
The Social Security number (SSN) was originally created in 1936 to
track workers' earnings for benefit purposes. Use of the SSN by both
government agencies and the private sector has exploded over the
decades as automation of record keeping and other business processes
encouraged use of this simple, unique number that virtually every
American possesses. As a result, many have called it a de facto
national identifier, though it was never intended as such.
Today, even the most routine transactions may involve sharing of
SSNs. Banks, schools, stores, and other businesses often use SSNs as
account numbers. The SSN is used to help compile information from many
different public and private sources for use in everything from
tracking down criminals to issuing credit. Additionally, SSNs are
easily found on display to the general public on employee badges,
licenses, or court documents. In short, SSNs are the key to an
individual's financial and other personal information, but their
confidentiality is not well protected.
Use of the SSN as a personal identifier has produced some
beneficial results for the public, including reduction in government
waste from program fraud, enhanced collection of child support, and
better law enforcement. Unfortunately, widespread utilization and
public exposure of SSNs have also made them an invaluable tool for
identity thieves. According to the Identity Theft Resource Center, an
estimated 700,000 people of all ages, races, and economic backgrounds
were victims of identity theft last year. The harm inflicted can be
devastating difficulty obtaining credit, harassment by debt collectors,
or even arrest because of the crimes of the identity thief. Worse yet,
according to the Federal Bureau of Investigation, terrorists have
utilized Social Security number fraud and identity theft to obtain
employment, access secure locations, and finance their activities all
of which threaten our national security.
The Social Security Administration (SSA) serves as the front line
of defense in ensuring SSN integrity. It is responsible for accurately
assigning SSNs and ensuring the wages earned and Social Security
benefits claimed on that number are only those of the number holder.
The SSA's Inspector General (IG) has long criticized the agency's
failure to verify the authenticity of identification documents, and
last year SSA began verifying supporting immigration records before
issuing SSN cards. In addition, despite the agencies efforts to reduce
wage-reporting discrepancies--including outreach to employers 2 to 3
percent of wage items, equaling about $50 billion, will remain
unmatched after wage processing is complete, according to the SSA.
In announcing the hearing, Chairman Shaw stated: ``The Social
Security number was originally intended to ensure American's hard-
earned wages were properly credited to their record, so that they could
receive their due benefits at retirement. Today, however, use and
misuse of these numbers is rampant. The Federal Government requires the
use of Social Security numbers and, therefore, has the responsibility
to ensure they are assigned accurately, exchanged only when necessary,
and protected from indiscriminant disclosure. We must stem the tide of
attacks on Social Security number privacy. As in previous Congresses, I
remain committed to pursuing bipartisan legislation to protect the
privacy and integrity of Social Security numbers.''
FOCUS OF THE HEARING:
The Subcommittee will examine the widespread use and misuse of the
SSN in the public and private sectors and the effects of such use and
misuse, as well as the integrity of the SSA's Social Security number
issuance and wage crediting process.
DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:
Please Note: Due to the change in House mail policy, any person or
organization wishing to submit a written statement for the printed
record of the hearing should send it electronically to
[email protected], along with a fax copy to
(202) 225-2610, by the close of business, Thursday, July 24, 2003.
Those filing written statements who wish to have their statements
distributed to the press and interested public at the hearing should
deliver their 200 copies to the Subcommittee on Social Security in room
B-316 Rayburn House Office Building, in an open and searchable package
48 hours before the hearing. The U.S. Capitol Police will refuse
sealed-packaged deliveries to all House Office Buildings.
FORMATTING REQUIREMENTS:
Each statement presented for printing to the Committee by a
witness, any written statement or exhibit submitted for the printed
record or any written comments in response to a request for written
comments must conform to the guidelines listed below. Any statement or
exhibit not in compliance with these guidelines will not be printed,
but will be maintained in the Committee files for review and use by the
Committee.
1. Due to the change in House mail policy, all statements and any
accompanying exhibits for printing must be submitted electronically to
[email protected], along with a fax copy to
(202) 225-2610, in WordPerfect or MS Word format and MUST NOT exceed a
total of 10 pages including attachments. Witnesses are advised that the
Committee will rely on electronic submissions for printing the official
hearing record.
2. Copies of whole documents submitted as exhibit material will not
be accepted for printing. Instead, exhibit material should be
referenced and quoted or paraphrased. All exhibit material not meeting
these specifications will be maintained in the Committee files for
review and use by the Committee.
3. Any statements must include a list of all clients, persons, or
organizations on whose behalf the witness appears. A supplemental sheet
must accompany each statement listing the name, company, address,
telephone and fax numbers of each witness.
Note: All Committee advisories and news releases are available on
the World Wide Web at http://waysandmeans.house.gov.
The Committee seeks to make its facilities accessible to persons
with disabilities. If you are in need of special accommodations, please
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four
business days notice is requested). Questions with regard to special
accommodation needs in general (including availability of Committee
materials in alternative formats) may be directed to the Committee as
noted above.
* * * NOTICE--CHANGE IN TIME * * *
ADVISORY
FROM THE
COMMITTEE
ON WAYS
AND
MEANS
SUBCOMMITTEE ON SOCIAL SECURITY
CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
July 08, 2003
SS-3 Revised
Change in Time for Hearing on
Use and Misuse of Social Security Numbers
Congressman E. Clay Shaw, Jr. (R-FL), Chairman, Subcommittee on
Social Security of the Committee on Ways and Means, today announced
that the Subcommittee hearing on use and misuse of Social Security
numbers, previously scheduled for Thursday, July 10, 2003, at 10:00
a.m., in room B-318 Rayburn House Office Building, will now be held at
1:00 p.m. or immediately following the completion of the full Committee
informal mark up of the Singapore and Chilean Free Trade Agreements.
All other details for the hearing remain the same. (See
Subcommittee Advisory No. SS-3, dated July 3, 2003).
Chairman SHAW. I am sorry. We are a few minutes late
starting, but we had a busy morning with our Committee. Good
afternoon. Today, the Subcommittee will examine the use and
misuse of Social Security Numbers (SSNs). Using the SSN as a
personal identifier has proven both a blessing and a curse. On
one hand, the public is served when governmental agencies can
use the number in matching information from other sources to
reduce program waste, fraud and abuse, or when law enforcement
agencies employ SSNs to help track down criminals or deadbeat
dads. On the other hand, easy access to these numbers and their
widespread use has provided a new tool for identity thieves.
Worse yet, terrorists use SSN fraud and identity theft to
assimilate themselves into our society, as did those
responsible for the September 11th attacks. Identity theft
continues to threaten our national security. Identity theft is
the fastest growing white collar crime, and no one is immune,
but the public is increasingly recognizing the vulnerabilities
of SSNs and is working to protect them. Businesses are taking
steps on their own to move away from using SSNs and several
States have passed legislation, including Texas just last week,
to protect SSNs from public display.
The Social Security Administration (SSA) serves as the
front line of defense in ensuring the integrity of SSNs from
the moment they are issued throughout the number holder's
lifetime and even after his or her death, a responsibility the
SSA takes very seriously. It is also responsible for ensuring
the wages earned and Social Security benefits claimed on that
number are only those of the number holder. As our witnesses
will tell us, while the agency has taken steps to improve the
number assignment process, there is still more to do to prevent
people from fraudulently obtaining and using SSNs. However,
protecting the privacy and accuracy of SSNs is not the SSA's
responsibility alone. Employers and individuals have a
responsibility for submitting correct information to the SSA or
correcting erroneous information. The Internal Revenue Service
(IRS) has responsibility for imposing appropriate penalties on
employers who submit erroneous wage reports to the SSA. The
Bureau of Citizenship and Immigration Services must better
coordinate with the SSA in verifying eligibility for a SSN and
acting on information regarding earnings reported to nonwork
numbers. Lastly, every public agency that uses and shares SSNs
has the responsibility to protect their privacy.
The Subcommittee has been working on a bipartisan basis to
protect the privacy of SSNs and prevent identity theft since
the 106th Congress, when it first approved the Social Security
Number Privacy and Identity Theft Prevention Act of 2000 (H.R.
4857). In the 107th Congress I, along with Ranking Member
Matsui and 80 other Members of Congress, reintroduced a similar
bill. Mr. Kleczka, of our full Committee, has also been very
active in this regard. Consideration of this legislation was
rightly preempted by necessary congressional response to 9/11
attacks. In coming days, Mr. Matsui and I will again introduce
bipartisan legislation to restrict the sale and public display
of SSNs, establish penalties for violations, limit
dissemination of SSNs by credit reporting agencies, make it
more difficult for businesses to deny services if a customer
refuses to provide their SSN, and improve the integrity of the
SSN assignment process. Congress must act this session to
protect the very number it requires each of us to obtain and
use throughout our lifetime. Providing for uses of SSNs that
benefit the public while protecting these numbers from being
used by criminals or even terrorists is a complex balancing
act, as we found out in previous Congresses. We can make
significant progress toward this goal by ensuring SSNs are
assigned accurately, exchanged only when necessary, and
protected from indiscriminate disclosure. I look forward to
hearing from each of our witnesses, and thank them in advance
for sharing with us their experiences and their
recommendations. I understand Mr. Matsui is otherwise engaged
this afternoon, and he has asked Mr. Cardin to sit in for him.
The gentleman from Maryland.
[The opening statement of Chairman Shaw follows:]
Opening Statement of the Honorable E. Clay Shaw, Jr., Chairman, and a
Representative in Congress from the State of Florida
Good afternoon. Today, the Subcommittee will examine the use and
misuse of Social Security numbers.
Using the Social Security number as a personal identifier has
proved both a blessing and a curse. On one hand, the public is served
when government agencies can use the number in matching information
from other sources to reduce program waste, fraud and abuse, or when
law enforcement agencies employ Social Security numbers to help track
down criminals or deadbeat dads. On the other hand, easy access to
these numbers and their widespread use has provided a new tool for
identity thieves. Worse yet, terrorists use Social Security number
fraud and identity theft to assimilate themselves into our society, as
did those responsible for the September 11th attacks. Identity theft
continues to threaten our national security.
Identity theft is the fastest growing white collar crime, and no
one is immune. But the public is increasingly recognizing the
vulnerabilities of Social Security numbers and is working to protect
them. Businesses are taking steps on their own to move away from using
Social Security numbers, and several States have passed legislation,
including Texas just last week, to protect SSNs from public display.
The Social Security Administration serves as the front line of
defense in ensuring the integrity of Social Security numbers from the
moment they are issued, throughout the number-holder's lifetime, and
even after his or her death--a responsibility the SSA takes very
seriously. It is also responsible for ensuring the wages earned and
Social Security benefits claimed on that number are only those of the
number-holder. As our witnesses will tell us, while the agency has
taken steps to improve the number assignment process, there is still
more to do to prevent people from fraudulently obtaining and using
Social Security numbers.
However, protecting the privacy and the accuracy of Social Security
numbers is not the Social Security Administration's responsibility
alone. Employers and individuals have a responsibility for submitting
correct information to the Social Security Administration, or
correcting erroneous information. The Internal Revenue Service has
responsibility for imposing appropriate penalties on employers who
submit erroneous wage reports to the Social Security Administration.
The Bureau of Citizenship and Immigration Services must better
coordinate with the Social Security Administration in verifying
eligibility for a Social Security number and acting on information
regarding earnings reported to non-work numbers. Lastly, every public
agency that uses and shares Social Security numbers has the
responsibility to protect their privacy.
This Subcommittee has been working on a bipartisan basis to protect
the privacy of Social Security numbers and prevent identity theft since
the 106th Congress when it first approved the Social Security Number
Privacy and Identity Theft Prevention Act of 2000. In the 107th
Congress, I, along with Ranking Member Matsui and 80 other Members of
Congress reintroduced a similar bill. Consideration of this legislation
was rightly preempted by necessary Congressional response to the
September 11th attacks.
In coming days, Mr. Matsui and I will again introduce bipartisan
legislation to restrict the sale and public display of Social Security
numbers, establish penalties for violations, limit dissemination of
Social Security numbers by credit reporting agencies, make it more
difficult for businesses to deny services if a customer refuses to
provide their Social Security number, and improve the integrity of the
Social Security number assignment process. Congress must act this
session to protect the very number it requires each of us to obtain and
use throughout our lifetime.
Providing for uses of Social Security numbers that benefit the
public while protecting these numbers from being used by criminals, or
even terrorists, is a complex balancing act. We can make significant
progress toward this goal by ensuring Social Security numbers are
assigned accurately, exchanged only when necessary, and protected from
indiscriminant disclosure.
I look forward to hearing from each of our witnesses, and thank
them in advance for sharing with us their experiences and their
recommendations.
Mr. CARDIN. Thank you, Chairman Shaw. Let me thank you for
holding this hearing. I also want to thank you for your
leadership on this very important issue. I also want to
acknowledge Mr. Matsui and Mr. Kleczka for the work they have
done on identity fraud and the use of SSNs. Mr. Chairman, it is
noteworthy to point out this is our ninth hearing on this
subject, and it is a commitment that we have to take action in
this area. As you pointed out, identity theft is considered one
of the fastest growing crimes in the United States, with an
average of an estimated 700,000 people being affected last
year. It can ruin an individual's good name and destroy their
credit rating. It even has affected the credit ratings of their
young children. While credit issuers have been willing to
refund fraudulent charges, victims are still faced with the
effects of poor credit, the time commitments of restoring their
ratings with multiple credit bureaus and credit issuers and the
fear and anxiety associated with knowing someone is using their
personal information to charge goods and services.
As a result of identity theft, victims have been turned
down for jobs, mortgages and other important extensions of
credit. So, therefore this is a very important subject, and we
need to take action. As you pointed out, it even goes beyond
the immediate problems of individuals that have found that the
criminal elements, including terrorists, have used the identity
of other people through SSNs in order to carry out their
activities. We have a dilemma, the SSN is basically a national
identifier. We have used it. We can't guarantee the
confidentiality of that number, and therefore it can be used
for identity theft. I am looking forward to the testimony from
the U.S. General Accounting Office (GAO) and the Inspector
General, who have been extremely helpful to us in coming
forward with suggestions on how we can protect the
confidentiality or use of the SSNs and how we can protect
against identity theft. The bottom line is we need to take
action in this area. The Chairman has indicated that he will be
filing legislation shortly with Mr. Matsui. I can assure you we
want to move forward as quickly as possible in a bipartisan way
in order to try to help our people against this growing element
of crime. Thank you, Mr. Chairman.
Chairman SHAW. Thank you, Mr. Cardin. I would like to just
point out I think that we share jurisdiction with two other
committees with regard to this legislation. Our Committee has
moved forward in the past but we need to bring the other
committees along with us in order to have a complete
comprehensive bill rather than just picking and choosing the
small portions of which our Committee has jurisdiction. Any
other Members have an opening statement? The record will remain
open. Without objection, they will be included in the
transcript. On our first panel are two old friends of this
Committee, Barbara Bovbjerg, who is the Director of Education,
Workforce, and Income Security Issues from the GAO, and she is
accompanied by Dan Bertoni, I believe that is the correct
pronunciation, who is the Deputy Director. From the SSA, we
have the Honorable James Huse, who is the Inspector General. As
you all well know, we have your full statement which will be
made a part of the record. We invite you to summarize as you
see fit. Ms. Bovbjerg.
STATEMENT OF BARBARA D. BOVBJERG, DIRECTOR, EDUCATION,
WORKFORCE, AND INCOME SECURITY ISSUES, U.S. GENERAL ACCOUNTING
OFFICE; ACCOMPANIED BY DAN BERTONI, DEPUTY DIRECTOR
Ms. BOVBJERG. Thank you, Mr. Chairman, and Members of the
Subcommittee. I am pleased to be here again today--I don't
think it has been nine times for me, but it has been a number--
to discuss issues associated with the integrity and use of the
SSN. Although the SSN was originally created as a means to
track workers' earnings and their eligibility for Social
Security benefits, today the number is used for many non-Social
Security purposes in both the public and private sectors. The
wide use of SSNs causes concern because these numbers are among
the personal identifiers most often sought by identity thieves.
Today, I will present results of our completed and ongoing work
on a variety of issues associated with the SSN. I would like to
focus first on public and private sector use of the SSN and
then, second, on the role of the SSA in preventing the
proliferation of false identities. My testimony is based on a
report we did for this Subcommittee on government uses of the
SSN and on ongoing work that focuses on private sector uses and
on SSA's role in assigning SSNs and verifying them for others.
I have so much material today that is relevant to this hearing
and some visual aids to illustrate my points, I would ask to
speak longer than the usual 5 minutes. I hope that will be
acceptable to the Subcommittee. I will try not to prey on your
good nature for very much longer.
Let me speak first about public and private uses. We
reported last year that Federal, State, and county agencies
rely extensively on the SSN. Although government agencies told
us of various steps they take to safeguard the SSNs they use,
we found that key protections are not uniformly in place at any
level of government. We also found that some Federal agencies
and many of the State and county agencies we surveyed,
including courts in all the three levels of government,
maintain public records that contain SSNs. Public records are
documents routinely made available to the public for inspection
such as marriage licenses or property transactions. For
customer service reasons, some public officials told us they
were considering making such records available on their
websites. Because such actions would create new opportunities
for identity thieves to gather SSNs from public records on a
broad scale, we are beginning work for this Subcommittee to
examine the extent to which SSNs in public records are already
accessible on the Internet. Although we are not far along
enough in this work to report the results today, I can assure
you that we have already found SSNs in several public websites.
With regard to the private sector, we are finding that
companies too are increasingly using SSNs, often collecting
them from customers as a condition for providing service. For
example, consumer reporting agencies (CRAs) build and maintain
credit histories around an individuals' name, address, and SSN.
The CRAs obtain SSNs from individuals who seek credit and from
information resellers and public records. Some businesses
aggregate information, including SSNs, from various public and
private sources for resale. They obtain data from public
records like bankruptcy proceedings, tax liens, and voter
registration rolls--and from private compilations like
telephone directories. These businesses combine and resell this
information to a variety of customers. The ones we contacted
told us that to comply with current law they generally limit
their services to customers who establish accounts with them
and with whom they have contracts that restrict the extent to
which the data purchased can be redisclosed.
Despite protections such as these, large databases of
information still represent a vulnerability for Americans. In
the course of our work we have identified numerous instances in
which the public and private databases have been compromised
and personal data, including SSNs, stolen. Such cases
illustrate the vulnerability of these databases to criminal
misuse. Let me turn now to the role of the SSA in preventing
the proliferation of false identities. This Subcommittee asked
us to examine two aspects of the SSA role: SSA's assignment of
new SSNs, a process called enumeration, and SSA's verification
of SSNs for State driver's licensing agencies. Our review of
SSA's enumeration process found that SSA has begun to implement
important new policies and procedures to prevent the
inappropriate assignment of SSNs to noncitizens. For example,
SSA has required staff to verify identity information and
immigration status with the U.S. Department of State and the
U.S. Department of Homeland Security prior to issuing an SSN.
The SSA has also begun implementation of a program called
Enumeration at Entry, where an applicant's information is
vetted by the Department of Homeland Security and the
Department of State before the applicants enter the United
States. In addition, the SSA has created a special center in
Brooklyn, New York to focus solely on enumeration and
verification.
These three initiatives all hold promise of improved
enumeration accuracy. However, the enumeration process overall
still has vulnerabilities that could result in fraudulent use
of Social Security cards and SSNs. I am speaking specifically
of replacement Social Security cards and policies regarding
SSNs for children under the age of 1. Let me turn to those now.
As to replacement cards, SSA policy currently allows
individuals to obtain up to 52 replacement cards a year. That
is one a week. Of the 18 million cards SSA issued last year,
12.4 million, or almost 70 percent, were replacements. While
SSA requires noncitizens to provide the same identity and
immigration information that they need to obtain an original
card when they get a replacement, citizens can use things like
health insurance cards or church memberships when they apply
for replacements. The ease of obtaining replacements creates
the potential that these cards can be accumulated and sold to
those not eligible for their own cards. This is an obvious
vulnerability that should be better controlled.
With regard to enumerating young children, although SSA
revised its policies to require that field staff obtain
verification of birth records for most U.S.-born individuals
applying for enumeration, agency policy requires only visual
inspection of a birth certificate for children under the age of
1. Although such visual inspection can identify false
documents, and indeed we found an instance where an alert
Social Security field office staff member did identify a false
birth certificate, we were able ourselves to create false
documents and enumerate two nonexistent infants; the documents
we used to do this are shown in the exhibit on your right. It
is the left board, and I believe you have that in your packets
in front of you. We have full names and other identifying
information blacked out for security reasons. To support our
applications for these cards, we used fake documents that you
see on the left under the heading, ``counterfeit documents.''
We used birth certificates and certificates of baptism for both
of the applications we made. In one we used an employer
identification card. In the other we also used a State driver's
license to provide identification for the so-called parents who
were applying for this infant's card. We created these
documents with inexpensive, commercially-available software.
You see the results on the right. We received one card already,
and the written assurance below is that the other card is in
the mail. After receiving these cards for children who do not
exist we could have passed them to someone who is not eligible
for a SSN. We wouldn't do that, but it is a clear vulnerability
that SSA needs to address.
Let me now move on to SSA's verification of information for
State driver's licensing agencies. Since driver's licenses are
a widely accepted form of identification, the agencies that
issue such licenses can be focal points for identity fraud. The
SSA has a verification service in place that allows State
agencies to verify the name, date of birth, and SSN of driver's
license applicants. In our work for this Subcommittee and the
House Judiciary Committee, we have found that 25 States have
used the SSA service, but they have not all used it regularly.
Most of them use the online verification method, but a few use
only the batch method, which takes longer but costs less to
use. States that don't use either verification method told us
they were concerned about start-up costs and system
performance. Indeed, there are 10 States awaiting improvement
to the online verification system's capacity before they can be
allowed to use it. Others already using the system have scaled
back their use because of capacity problems.
In addition to the capacity problems the system has
experienced, we also identified a key weakness in the batch
method that exposes States to a higher risk of fraud. Unlike
the online method, batch does not match verification requests
against SSA's death records. As a result, the batch method will
verify the name and SSN of a dead person as an accurate record.
We observed this ourselves and again we have prepared a visual
to illustrate--the one on the right. Our undercover
investigators were able to obtain licenses in two States that
use the batch verification method. We presented counterfeit
identity documents that contain the name, data of birth, and
SSN of a dead person to motor vehicle agencies in these States.
In one instance, you can see we presented a fake birth
certificate, a military identification, and a Social Security
card. In another, we presented only the fake Social Security
card and a fake driver's license from another State. In both
instances, we received the driver's licenses you see before you
on the right. The ease with which our staff were able to obtain
these licenses suggests that the batch method must change and
must change immediately to protect the State driver's licensing
system. Our report on this topic will be issued in September
and is likely to contain recommendations to improve SSA's
verification systems, both online and batch.
In conclusion, let me say that SSNs are used for many
beneficial purposes, but as we all know SSNs are also used for
illegal financial gain and for immigration fraud. While most
uses are for the benefit of the taxpayer and to ease the
provision of various services such as granting credit, this
personal information is not always adequately protected.
Further, those who would live in the United States illegally
have sought not just stolen SSNs, but their own Social Security
cards and driver's licenses--fraudulently obtained, of course.
The SSA has an important role to play both in limiting the
issuance of SSNs only to those who are eligible to have them
and to verifying personal information for State driver's
licensing agencies. While progress is being made on both these
fronts, we have demonstrated the vulnerabilities that remain.
We look forward to continuing work with this Subcommittee to
strengthen needed protections to ensure that false identities
are not readily available to those who would harm the United
States and its people. That concludes my statement, Mr.
Chairman. I really appreciate the extra time, and I am here to
answer any questions.
[The prepared statement of Ms. Bovbjerg follows:]
Statement of Barbara D. Bovbjerg, Director, Education, Workforce, and
Income Security Issues, U.S. General Accounting Office; accompanied by
Dan Bertoni, Deputy Director
Mr. Chairman and Members of the Subcommittee:
I am pleased to be here today to discuss ways to better protect
Social Security Numbers (SSNs) to help prevent the proliferation of
false identities whether for financial misuse or for assuming an
individual's identity. Although the Social Security Administration
(SSA) originally created SSNs as a means to track worker's earnings and
eligibility for Social Security benefits, over time the SSN has come to
be used for a myriad of purposes. As you know, SSNs are a key piece of
information in creating false identities. Allegations of SSN misuse
include, for example, incidents where a criminal uses the SSN of
another individual for the purpose of fraudulently obtaining credit,
acquiring goods, violating immigration laws, or fleeing the criminal
justice system.
Although Congress has passed a number of laws to protect the
security of personal information, the continued use of and reliance on
SSNs by private and public sector entities and the potential for misuse
underscores the importance of identifying areas that can be further
strengthened. Accordingly, you asked us to talk about the uses of SSNs
and ways that the integrity of the SSN may be preserved. My remarks
today will focus on describing (1) public and private sector use and
display of SSNs, and (2) SSA's role in preventing the proliferation of
false identities. My testimony is based on a report we did for this
subcommittee on government uses of the SSN,\1\ ongoing work that
focuses on private sector SSN uses, and work we are completing on SSA's
enumeration process and the agency's verification of SSNs for state
driver licensing.
---------------------------------------------------------------------------
\1\ U.S. General Accounting Office, Social Security Numbers:
Government Benefits from SSN Use but Could Provide Better Safeguards,
GAO-02-352 (Washington D.C.: May 31, 2002).
---------------------------------------------------------------------------
In summary, public and some private sector entities rely
extensively on SSNs. We reported last year that federal, state and
county government agencies rely extensively on the SSN to manage
records, verify eligibility of benefit applicants, collect outstanding
debt, and conduct research and program evaluations. SSNs are also
displayed on a number of public record documents that are routinely
made available to the public. To improve customer service, some state
and local government entities are considering placing more public
records on the Internet. In addition, some private sector entities have
come to rely on the SSN as an identifier, using it and other
information to accumulate information about individuals. This is
particularly true of entities that amass public and private data,
including SSNs, for resale. Certain laws have helped to restrict the
use of SSN and other information by these private sector entities to
specific purposes. However, as a result of the increased use and
availability of SSN information and other data, more and more personal
information is being centralized into various corporate and public
databases. Because SSNs are often the identifier of choice among
individuals seeking to create false identities, to the extent that
personal information is aggregated in public and private sector
databases it becomes vulnerable to misuse.
As the agency responsible for issuing SSNs and maintaining the
earnings records and other personal information for millions of SSN
holders, SSA plays a unique role in helping to prevent the
proliferation of false identities. Following the events of September
11, 2001, SSA formed a task force to address weaknesses in the
enumeration process and developed major new initiatives to prevent the
inappropriate assignment of SSNs to non-citizens, who represent the
bulk of new SSNs issued by SSA's 1,300 field offices. For example, SSA
now requires field staff to independently verify the identity
information and immigration status of all non-citizen applicants with
the Department of Homeland Security (DHS), prior to issuing an SSN.
However, some SSA field staff are relying exclusively on the DHS
verification system, while neglecting other standard practices for
visually inspecting documents. SSA's automated system for assigning
SSNs also does not prevent the issuance of an SSN if staff by-pass
required verification steps. Other areas remain vulnerable and could be
targeted by those seeking fraudulent SSNs. These include SSA's process
for assigning social security numbers for children under age one and
issuing replacement social security cards. In addition to its
enumeration process, SSA provides a service to states to verify the
SSNs of individuals seeking driver's licenses. We found that fewer than
half the states have used SSA's service and the extent to which they
regularly use the service varies widely across states. Factors such as
cost, problems with system reliability, and state priorities and
policies determine whether or not states use SSA's service. We also
identified a weakness in SSA's verification service that exposes some
states to fraud by those who would use the SSN of a deceased
individual.
BACKGROUND
The Social Security Act of 1935 authorized the Social Security
Administration to establish a recordkeeping system to help manage the
Social Security program, and resulted in the creation of the SSN.
Through a process known as ``enumeration,'' unique numbers are created
for every person as a work and retirement benefit record for the Social
Security program. Today, SSNs are generally issued to most U.S.
citizens and are also available to, non-citizens lawfully admitted to
the U.S. with permission to work. Lawfully admitted non-citizens may
also qualify for a SSN for nonwork purposes when a federal, state, or
local law requires an SSN to obtain a particular welfare benefit or
service. SSA is required to verify information from such applicants
regarding their age, identity, foreign citizenship, and immigration
status. Most of the agency's enumeration workload involves U.S.
citizens who generally receive SSNs via SSA's birth registration
process handled by hospitals. However, individuals seeking SSNs can
also apply in-person at any of SSA's field locations, through the mail,
or via the Internet.
The uniqueness and broad applicability of the SSN have made it the
identifier of choice for government agencies and private businesses,
both for compliance with federal requirements and for the agencies' and
businesses' own purposes. In addition, the boom in computer technology
over the past decades has prompted private businesses and government
agencies to rely on SSNs as a way to accumulate and identify
information for their databases. As such, SSNs are often the identifier
of choice among individuals seeking to create false identities. Law
enforcement officials and others consider the proliferation of false
identities to be one of the fastest growing crimes today. In 2002, the
Federal Trade Commission received 380,103 consumer fraud and identity
theft complaints, up from 139,007 in 2000.\2\ In 2002, consumers also
reported losses from fraud of more than $343 million. In addition,
identity crime accounts for over 80 percent of social security number
misuse allegations according to the SSA.
---------------------------------------------------------------------------
\2\ Identity theft records broken out of consumer fraud totaled per
year: 31,117 (2000), 86,198 (2001), and 161,819 (2002).
---------------------------------------------------------------------------
PUBLIC AND PRIVATE SECTOR USES AND DISPLAY OF SSNS
As we reported to you last year, federal, state, and county
government agencies use SSNs.\3\ When these entities administer
programs that deliver services and benefits to the public, they rely
extensively on the SSNs of those receiving the benefits and services.
Because SSNs are unique identifiers and do not change, the numbers
provide a convenient and efficient means of managing records. They are
also particularly useful for data sharing and data matching because
agencies can use them to check or compare their information quickly and
accurately with that from other agencies. In so doing, these agencies
can better ensure that they pay benefits or provide services only to
eligible individuals and can more readily recover delinquent debts
individuals may owe. In addition to using SSNs to deliver services or
benefits, agencies also use or share SSNs to conduct statistical
research and program evaluations. Moreover, most of the government
departments or agencies we surveyed use SSNs to varying extents to
perform some of their responsibilities as employers, such as paying
their employees and providing health and other insurance benefits.
---------------------------------------------------------------------------
\3\ U.S. General Accounting Office, Social Security Numbers:
Government Benefits from SSN Use but Could Provide Better Safeguards,
GAO-02-352 (Washington D.C.: May 2002).
---------------------------------------------------------------------------
Many of the government agencies we surveyed in our work last year
reported maintaining public records that contain SSNs. This is
particularly true at the state and county level where certain offices
such as state professional licensing agencies and county recorders'
offices have traditionally been repositories for public records that
may contain SSNs. These records chronicle the various life events and
other activities of individuals as they interact with the government,
such as birth certificates, professional licenses, and property title
transfers. Generally, state law governs whether and under what
circumstances these records are made available to the public, and they
vary from state to state. They may be made available for a number of
reasons, including the presumption that citizens need key information
to ensure that government is accountable to the people. Certain records
maintained by federal, state, and county courts are also routinely made
available to the public. In principle, these records are open to aid in
preserving the integrity of the judicial process and to enhance public
trust and confidence in the judicial process. At the federal level,
access to documents generally has its grounding in common law and
constitutional principles. In some cases, public access is also
required by statute, as is the case for papers filed in a bankruptcy
proceeding. As with federal courts, requirements regarding access to
state and local court records may have a state common law or
constitutional basis or may be based on state laws.
Although public records have traditionally been housed in
government offices and court buildings, to improve customer service,
some state and local government entities are considering placing more
public records on the Internet. Because such actions would create new
opportunities for gathering SSNs from public records on a broad scale,
we are beginning work for this subcommittee to examine the extent to
which SSNs in public records are already accessible via the Internet.
In our current work, we found that some private sector entities
also rely extensively on the SSN. Businesses often request an
individual's SSN in exchange for goods or services. For example, some
businesses use the SSN as a key identifier to assess credit risk, track
patient care among multiple providers, locate bankruptcy assets, and
provide background checks on new employees. In some cases, businesses
require individuals to submit their SSNs to comply with federal laws
such as the tax code. Currently, there is no law that prohibits
businesses from requiring a person's SSN as a condition of providing
goods and services. If an individual refuses to give his or her SSN to
a company or organization, they can be refused goods and services
unless the SSN is provided.
To build on previous work we did to determine certain private
sector entities use of SSNs, we have focused our initial private sector
work on information resellers and consumer reporting agencies
(CRAs).\4\ Some of these entities have come to rely on the SSN as an
identifier to accumulate information about individuals, which helps
them determine the identity of an individual for purposes such as
employment screening, credit information, and criminal histories. This
is particularly true of entities, known as information resellers, who
amass personal information, including SSNs. Information resellers often
compile information from various public and private sources.\5\ These
entities provide their products and services to a variety of customers,
although the larger ones generally limit their services to customers
that establish accounts with them, such as entities like law firms and
financial institutions. Other information resellers often make their
information available through the Internet to persons paying a fee to
access it.
---------------------------------------------------------------------------
\4\ U.S. General Accounting Office, Social Security: Government and
Commercial Use of the Social Security Number is Widespread, GAO/HEHS-
99-28 (Washington, D.C.: Feb. 16, 1999.)
\5\ The information compiled may include public records of
bankruptcy, tax liens, civil judgments, criminal histories, deaths,
real estate ownership, driving histories, voter registration, and
professional licenses. Private data sources include information from
telephone directories and copyrighted publications.
---------------------------------------------------------------------------
CRAs are also large private sector users of SSNs. These entities
often rely on SSNs, as well as individuals' names and addresses to
build and maintain credit histories. Businesses routinely report
consumers' financial transactions, such as charges, loans, and credit
repayments to CRAs. CRAs use SSNs to determine consumers' identities
and ensure that incoming consumer account data is matched correctly
with information already on file.
Certain laws such as the Fair Credit Reporting Act, the Gramm-
Leach-Bliley Act, and the Driver's Privacy Protection Act have helped
to limit the use of personal information, including SSNs, by
information resellers and CRAs. These laws limit the disclosure of
information by these entities to specific circumstances. In our
discussion with some of the larger information resellers and CRAs, we
were told that they have to take specific actions to adhere to these
laws, such as establishing contracts with their clients specifying that
the information they obtain will be used only for accepted purposes
under the law.
The extensive public and private sector uses of SSNs and
availability of public records and other information, especially via
the Internet, has allowed individuals' personal information to be
aggregated into multiple databases or centralized locations. In the
course of our work, we have identified numerous examples where public
and private databases have been compromised and personal data,
including SSNs, has been stolen. In some instances, the display of SSNs
in public records and easily accessible websites provided the
opportunity for identity thieves. In other instances, databases not
readily available to outsiders have had their security breached by
employees with access to key information. For example, in our current
work, we identified a case where two individuals obtained the names and
SSNs of 325 high-ranking United States military officers from a public
Website, then used those names and identities to apply for instant
credit at a leading computer company. Although criminals have not
accessed all public and private databases, such cases illustrate that
these databases are vulnerable to criminal misuse.
SSA HAS A ROLE IN PREVENTING SSNS FROM BEING USED TO CREATE FALSE
IDENTITIES BUT SOME AREAS REMAIN VULNERABLE
Because SSA is the issuer and custodian of SSN data, SSA has a
unique role in helping to prevent the proliferation of false
identities. Following the events of September 11, 2001, SSA began
taking steps to increase management attention on enumeration and formed
a task force to address weaknesses in the enumeration process. As a
result of this effort, SSA has developed major new initiatives to
prevent the inappropriate assignment of SSNs to non-citizens. However,
our preliminary findings to date identified some continued
vulnerabilities in the enumeration process including SSA's process for
issuing replacement Social Security cards and assigning SSNs to
children under age one. SSA is also increasingly called upon by states
to verify the identity of individuals seeking driver licenses. We found
that fewer than half the states have used SSA's service and the extent
to which they regularly use the service varies widely. Factors such as
costs, problems with system reliability, and state priorities have
affected states use of SSA's verification service. We also identified a
key weakness in the service that exposes some states to inadvertently
issuing licenses to individuals using the SSNs of deceased individuals.
We plan to issue reports on these issues in September that will likely
contain recommendations to improve SSA's enumeration process and its
SSN verification service.
SSA's Enumeration Process Helps Prevent the Proliferation of False
Identities, but Additional Actions are Needed to Safeguard the
Issuance of SSNs
SSA has increased document verifications and developed new
initiatives to prevent the inappropriate assignment of Social Security
numbers (SSNs) to non-citizens who represent the bulk of all initial
SSNs issued by SSA's 1,300 field offices. However, in some key areas,
weaknesses remain. SSA has increased document verifications by
requiring independent verification of the documents and immigration
status of all non-citizen applicants with the issuing agency--namely
the Department Homeland Security (DHS) and Department of State (State
Department) prior to issuing the SSN. However, in our audit work, we
found that many field offices are relying heavily on DHS's verification
service, while neglecting standard, in-house practices for visually
inspecting and verifying identity documents. We also found that while
SSA has made improvements to its automated system for assigning SSNs,
the system is not designed to prevent the issuance of an SSN if field
staff by-pass essential verification steps. SSA also has begun
requiring foreign students to show proof of their full-time enrollment,
but does not require field staff to verify with the school the
students' enrollment or their authorization to work. Consequently, SSNs
for non-citizen students may still be improperly issued.
SSA has also undertaken other new initiatives to shift the burden
of processing non-citizen applications from its field offices. SSA
recently piloted a specialized center in Brooklyn, New York, which
focuses exclusively on enumeration and utilizes the expertise of DHS
document examiners and SSA's OIG investigators. However, the future of
this pilot project and DHS' participation has not yet been determined.
Meanwhile, in late 2002, SSA began a phased implementation of a long-
term process to issue SSNs to non-citizens at the point of entry into
the United States, called ``Enumeration at Entry'' (EAE). EAE offers
the advantage of using State Department and DHS expertise to
authenticate information provided by applicants for subsequent
transmission to SSA who then issues the SSN. Currently, EAE is limited
to immigrants age 18 and older who have the option of applying for an
SSN at one of the 127 State posts worldwide that issue immigrant visas.
SSA has experienced problems with obtaining clean records from both the
State Department and DHS, but plans to continue expanding the program
over time to include other non-citizen groups, such as students and
temporary visitors. The agency also intends to evaluate the initial
phase of EAE in conjunction with the State Department and DHS. However,
this evaluation has not yet been planned or scheduled.
While SSA has embarked on these new initiatives, it has not
tightened controls in two key areas of its enumeration process that
could be exploited by individuals seeking fraudulent SSNs. One area is
the assignment of SSNs to children under age one. Prior work by SSA's
Inspector General identified the assignment of SSNs to children as an
area prone to fraud because SSA did not independently verify the
authenticity of various state birth certificates. Despite the training
and guidance provided to field office employees, the OIG found that the
quality of many counterfeit documents was often too good to detect
simply by visual inspection. Last year, SSA revised its policies to
require that field staff obtain independent third party verification of
the birth records for U.S.-born individuals age one and older from the
state or local bureau of vital statistics prior to issuing an SSN
card.\6\ However, SSA left in place its policy for children under age
one and continues to require only a visual inspection of documents,
such as birth records.
---------------------------------------------------------------------------
\6\ Most U.S.-born individuals receive a SSN through a process SSA
refers to as Enumeration-at-Birth (EAB). Under EAE parents can apply
for a SSN for their newborn child at the hospital as part of the birth
registration process. Under this process hospitals send birth
registration information to a state or local bureau of vital statistics
where it is put into a database. SSA accepts the data captured during
the birth registration process as evidence of age, identity, and
citizenship, and assigns the child an SSN without further parental
involvement. The appropriate bureau of vital statistics forwards SSA
the required information, usually by electronic means. Once SSA
receives the required information, it performs edits, assigns the SSN
and issues the card.
---------------------------------------------------------------------------
SSA's policies relating to enumerating children under age one
expose the agency to fraud. During our fieldwork, we found an example
of a non-citizen who submitted a counterfeit birth certificate in
support of an SSN application for a fictitious U.S. born child under
age one. In this case, the SSA field office employee identified the
counterfeit state birth certificate by comparing it with an authentic
one. However, SSA staff acknowledged that if a counterfeit out-of-state
birth certificate had been used, SSA would likely have issued the SSN
because of staff unfamiliarity with the specific features of the
numerous state birth certificates. Further, we were able to prove the
ease with which individuals can obtain SSNs by exploiting SSA's current
processes. Working in an undercover capacity our investigators were
able to obtain two SSNs. By posing as parents of newborns, they
obtained the first SSN by applying in-person at a SSA field office
using a counterfeit birth certificate and baptismal certificate. Using
similar documents, a second SSN was obtained by our investigators who
submitted all material via the mail. In both cases, SSA staff verified
our counterfeit documents as being valid. SSA officials told us that
they are re-evaluating their policy for enumerating children under age
one. However, they noted that parents often need an SSN for their child
soon after birth for various reasons such as for income tax purposes.
They acknowledge that a challenge facing the agency is to strike a
better balance between serving the needs of the public and ensuring SSN
integrity.
In addition to the assignment of SSNs to children under the age of
one, SSA's policy for replacing Social Security cards also increases
the potential for misuse of SSNs. SSA does not limit the number of
replacement cards individuals can receive. Of the 18 million cards
issued by SSA in FY2002, 12.4 million, or 69 percent, were replacement
cards. More than 1 million of these cards were issued to non-citizens.
In several of the field offices we visited, replacement cards
represented 70 percent of the total enumeration workload. While SSA
requires non-citizens applying for a replacement card to provide the
same identity and immigration information as if they were applying for
an original SSN, SSA's evidence requirements for citizens are much less
stringent. Citizens applying for a replacement card need not prove
their citizenship; they may use as proof of identity such documents as
a driver's license, passport, employee identification card, school
identification card, church membership or confirmation record, life
insurance policy, or health insurance card. The ability to obtain
numerous replacement SSN cards with less documentation creates a
condition for requestors to obtain SSNs for a wide range of illicit
uses including selling them to non-citizens. These cards can be sold to
individuals seeking to hide or create a new identity, perhaps for the
purpose of some illicit activity. SSA told us the agency is considering
limiting the number of replacement cards with certain exceptions such
as for name changes, administrative errors, and hardships. However,
they cautioned that while support exists for this change within the
agency, some advocacy groups oppose such a limit.
Field staff we interviewed told us that despite their reservations
regarding individuals seeking excessive numbers of replacement cards,
they were required under SSA policy to issue the cards. Many of the
field office staff and managers we spoke to acknowledged that the
current policy weakens the integrity of SSA's enumeration process.
SSA's Verification of Driver Licenses Applicants Helps Prevent
Fraudulent Documents, but Vulnerabilities Still Exist
The events of September 11th, 2001 focused attention on the
importance of identifying people who use false identity information or
documents, particularly in the driver licensing process. Driver
licenses are a widely accepted form of identification that individuals
frequently use to obtain services or benefits from federal and state
agencies, open a bank account, request credit, board an airplane, and
carry on other important activities of daily living. For this reason,
driver licensing agencies are points at which individuals may attempt
to fraudulently obtain a license using a false name, social security
number (SSN), or other documents such as birth certificates to secure
this key credential.
Given that most states collect SSNs during the licensing process,
SSA is uniquely positioned to help states verify the identity
information provided by applicants. To this end, SSA has a verification
service in place that allows state driver licensing agencies to verify
the SSN, name, and date of birth of customers with SSA's master file of
SSN owners. States can transmit requests for SSN verification in two
ways. One is by sending multiple requests together, called the
``batch'' method, to which SSA reports it generally responds within 48
hours. The other way is to send an individual request on-line, to which
SSA responds immediately.
Twenty-five states have used the batch or on-line method to verify
SSNs with SSA and the extent to which they use the service on a regular
basis varies. About three-fourths of the states that rely on SSA's
verification service used the on-line method or a combination of the
on-line and batch method, while the remaining states used the batch
method exclusively. Over the last several years, batch states estimated
submitting over 84 million batch requests to SSA compared to 13 million
requests submitted by on-line users. States' use of SSA's on-line
service has increased steadily over the last several years. However,
the extent of use has varied significantly, with 5 states submitting
over 70 percent of all on-line verification requests and one state
submitting about one-third of the total.
Various factors, such as costs, problems with system reliability,
and state priorities affect states' decisions regarding use of SSA's
verification service. In addition to the per-transaction fees that SSA
charges, states may incur additional costs to set up and use SSA's
service, including the cost for computer programming, equipment,
staffing, training, and so forth. Moreover, states' decisions about
whether to use SSA's service, or the extent to which to use it, are
also driven by internal policies, priorities, and other concerns. For
example, some of the states we visited have policies requiring their
driving licensing agencies to verify all customers' SSNs. Other states
may limit their use of the on-line method to certain targeted
populations, such as where fraud is suspected or for initial licenses,
but not for renewals of in-state licenses. The non-verifying states we
contacted expressed reluctance to use SSA's verification service based
on performance problems they had heard were encountered by other
states. Some states cited concerns about frequent outages and slowness
of the on-line system. Other states mentioned that the extra time to
verify and resolve SSN problems could increase customer waiting times
because a driver license would not be issued until verification was
complete.
Indeed, weaknesses in SSA's design and management of its SSN on-
line verification services have limited its usefulness and contributed
to capacity and performance problems. SSA used an available
infrastructure to set up the system and encountered capacity problems
that continued and worsened after the pilot phase. The capacity
problems inherent in the design of the on-line system have affected
state use of SSA's verification service. Officials in one state told us
that they have been forced to scale back their use of the system
because they were told by SSA that their volume of transactions were
overloading the system. In addition, because of issues related to
performance and reliability, no new states have used the service since
the summer of 2002. At the time of our review, 10 states had signed
agreements with SSA and were waiting to use the on-line system and 17
states had received funds from Department of Transportation for the
purpose of verifying SSNs with SSA. It is uncertain how many of the 17
states will ultimately opt to use SSA's on-line service. However, even
if they signed agreements with SSA today, they may not be able to use
the service until the backlog of waiting states is addressed. More
recently, SSA has made some necessary improvements to increase system
capacity and to refocus its attention to the day-to-day management of
the service. However, at the time of our review, the agency still has
not established goals for the level of service it will provide to
driver licensing agencies.
In reviewing SSA's verification service, we identified a key
weakness that exposes some states to issuing licenses to applicants
using the personal information of deceased individuals. Unlike the on-
line service, SSA does not match batch requests against its nationwide
death records. As a result, the batch method will not identify and
prevent the issuance of a license in cases where an SSN name and date
of birth of a deceased individual is being used. SSA officials told us
that they initially developed the batch method several years ago and
they did not design the system to match SSNs against its death files.
However, in developing the on-line system for state driver licensing
agencies, a death match was built into the new process. At the time of
our review, SSA acknowledged that it had not explicitly informed states
about the limitation of the batch service.
Our own analysis of one month of SSN transactions submitted to SSA
by one state using the batch method identified at least 44 cases in
which individuals used the SSN, name, and date of birth of persons
listed as deceased in SSA's records to obtain a license or an
identification card.\7\ We forwarded this information to state
investigators who quickly confirmed that licenses and identification
cards had been issued in 41 cases and were continuing to investigate
the others. To further assess states' vulnerability in this area, our
own investigators working in an undercover capacity were able to obtain
licenses in two batch states using a counterfeit out-of-state license
and other fraudulent documents and the SSNs of deceased persons. In
both states, driver licensing employees accepted the documents we
submitted as valid. Our investigators completed the transaction in one
state and left with a new valid license.\8\ In the second state, the
new permanent license arrived by mail within weeks. The ease in which
they were able to obtain these licenses confirmed the vulnerability of
states currently using the batch method as a means of SSN verification.
Moreover, states that have used the batch method in prior years to
clean up their records and verify the SSNs of millions of driver
license holders, may have also unwittingly left themselves open to
identity theft and fraud.
---------------------------------------------------------------------------
\7\ SSA's death records may contain inaccuracies because SSA
records all reports of death but only verifies those involving benefit
payments.
\8\ This state does not use SSA's batch verification process for
initial licenses, but only for license renewals. Therefore, the use of
the deceased person's SSN will not be caught by the system when the
state ultimately verifies it using the batch method.
---------------------------------------------------------------------------
CONCLUSIONS
The use of SSNs by both public and sector entities is likely to
continue given that it is used as the key identifier by most of these
entities and there is currently no other widely accepted alternative.
To help control such use, certain laws have helped to safeguard such
personal information, including SSNs, by limiting disclosure of such
information to specific purposes. To the extent that personal
information is aggregated in public and private sector databases, it
becomes vulnerable to misuse. In addition, to the extent that public
record information becomes more available in an electronic format, it
becomes more vulnerable to misuse. The ease of access the Internet
affords could encourage individuals to engage in information gathering
from public records on a broader scale than they could before when they
had to visit a physical location and request or search for information
on a case-by-case basis.
SSA has made substantial progress in protecting the integrity of
the SSN by requiring that the immigration and work status of every non-
citizen applicant be verified before an SSN is issued. However, without
further system improvements and assurance that field offices will
comply fully with the new policies and procedures this effort may be
less effective than it could be. Further, as SSA closes off many
avenues of unauthorized access to SSNs, perpetrators of fraud will
likely shift their strategies to less protected areas. In particular,
SSA's policies for enumerating children and providing unlimited numbers
of replacement cards may well invite such activity, unless they too are
modified.
State driver license agencies face a daunting task in ensuring that
the identity information of those to whom they issues licenses is
verified. States effectiveness verifying individual's identities is
often dependent on several factors, including the receipt of timely and
accurate identity information from SSA. Unfortunately, design and
management weaknesses associated with SSA's verification service have
limited its effectiveness. States that are unable to take full
advantage of the service and others that are waiting for the
opportunity to use it remain vulnerable to identity crimes. In
addition, states that continue to rely primarily or partly on SSA's
batch verification service still risk issuing licenses to individuals
using the SSNs and other identity information of deceased individuals.
This remains a critical flaw in SSA's service and states' efforts to
strengthen the integrity of the driver license.
GAO is preparing to publish reports covering the work I have
summarized within the next several months, which will include
recommendations aimed at ensuring the integrity of the SSN. We look
forward to continuing to work with this Subcommittee on these important
issues. I would be happy to respond to any questions you or other
members of the Subcommittee may have.
CONTACTS AND ACKNOWLEDGMENTS
For further information regarding this testimony, please contact
Barbara D. Bovbjerg, Director, or Dan Bertoni, Assistant Director,
Education, Workforce, and Income Security at (202) 512-7215.
Individuals making key contributions to this testimony include Mindy
Bowman, Alicia Cackley, Tamara Cross, Patrick DiBattista, Melissa
Hinton, Jason Holsclaw, George Scott, Jacquelyn Stewart, and Tony
Wysocki.
Chairman SHAW. Very good. We appreciate your testimony. Mr.
Huse.
STATEMENT OF THE HONORABLE JAMES G. HUSE, JR., INSPECTOR
GENERAL, SOCIAL SECURITY ADMINISTRATION
Mr. HUSE. Thank you, Mr. Chairman, Mr. Matsui, and Members
of the Subcommittee. As always--and I have probably been here
nine times--it is a pleasure to be here to assist you in your
important work involving the SSN and its protection. In the
interest of brevity and since you have accepted my full written
testimony, I will summarize the major points that I have in
that testimony. This Subcommittee and the Office of the
Inspector General have been fighting SSN misuse and identity
theft together for quite a few years now, beginning when I was
Acting Inspector General at Social Security. So, now I am
pleased to be here today and to see that the Subcommittee's
continuing and tenacious dedication to stopping and reversing
what is now a long-standing upward trend in SSN misuse and
identity theft has never wavered. I come in support of
legislation to strengthen protection for the SSN, our national
identifier. We as a government remain ill-equipped to afford it
the protection it needs and deserves. We need to protect the
SSN at three stages: upon issuance, during the life of the
number holder, and following the number holder's death. Perhaps
the most important step we can take in preventing SSN misuse is
to limit the SSNs' easy availability. Any meaningful
legislation designed to protect the SSN must strictly limit the
number's availability on public documents. The financial
industry relies on the SSN and no one is suggesting that we
change the way legitimate business is conducted in the United
States. The use of the SSN as a student or patient
identification number, as part of a car rental contract or to
rent a video must be curtailed.
Finally, I respect and support the SSA's strict privacy
regulations. The information SSA stores on each of us is
personal and is entitled to all of the protections we can
provide. However, there are times when that privacy must be
abridged for the greater good. Following September 11th, and
again during last year's sniper attacks in the Washington, D.C.
area, it became necessary to share with appropriate law
enforcement authorities information stored by SSA to permit
those authorities to conduct their investigations and, more
importantly, to prevent additional lives from being lost. On
both occasions, I asked the Commissioner of Social Security to
use the ad hoc authority vested in the Commissioner by SSA's
regulations to permit me to share SSA information with our law
enforcement partners. I now ask this Subcommittee for statutory
authority that would enable the Inspector General to make such
disclosures when necessary to protect human lives without prior
formal authorization from the Commissioner. When lives are at
stake, we cannot waste precious moments in order to sustain
some bureaucratic modality.
Before I close, I would like to emphasize one part of my
discussion. While the SSN is issued by SSA, the responsibility
for protecting its integrity reaches far beyond the agency's
boundaries. The SSA has come very far and is willing to do
more, yet other Federal, State and local jurisdictions as well
as the private sector must each also do their part. With
everyone's participation we can protect the SSN and ultimately
our homeland. Mr. Chairman, I thank you for your continuing
commitment to these critical issues. I might add to sharpen all
of this, that this very morning in California, we, along with
the Los Angeles Police Department and other local police
departments, made a raid and have arrested three suspects while
one suspect remains at large. We also seized computers,
printers, books of templates of every conceivable kind of
identification, SSNs, lists of SSNs, birth certificates,
driver's licenses, the seals to make driver's licenses,
doctor's certificates, and infant footprints. Now what do you
think they were going to do with those? This is a serious
matter. It goes on every day. Thank you, Mr. Chairman.
[The prepared statement of Mr. Huse follows:]
Statement of the Honorable James G. Huse, Jr., Inspector General,
Social Security Administration
Good Morning Mr. Chairman, Mr. Matsui, and members of the
Subcommittee. As always, it is a pleasure to be here to assist you in
your important work. We have been fighting Social Security number (SSN)
misuse and identity theft together for quite a number of years now,
starting when I was Acting Inspector General of the Social Security
Administration's (SSA) Office of the Inspector General. On March 30,
2000, I testified before this Subcommittee about SSA program integrity
issues in general. On that occasion, I expressed my appreciation that
the Subcommittee had recognized the importance of confronting SSN
misuse, and looked forward to separate hearings that you promised to
hold on the issue.
Five weeks later, on May 9, 2000, I returned and reported at length
on the misuse of SSNs in many areas, including identity theft. I
explained that my office could not possibly investigate every instance
of identity theft that involved an SSN. I testified that we were
working vigorously on the audit side to identify and eliminate
weaknesses in SSA's enumeration process, and just as vigorously on the
investigative side to stop SSN misuse crimes that had a direct impact
on SSA's programs and operations.
In the year that followed, even as we worked to tighten controls
over the issuance of SSNs and fought to deter and punish SSN misuse,
identity theft continued to increase. It became apparent that under
existing law, we could not do enough to stop criminals from obtaining
SSNs, and did not have sufficient enforcement tools to deter them from
doing so.
So on May 22, 2001, I returned to this Subcommittee asking for its
help. I asked for legislation that would severely restrict the use of
SSNs in the private and public sector, and that would criminalize the
sale of SSNs. I asked for an administrative safety net in the form of
Civil Monetary Penalty authority for those instances of SSN misuse that
could not be criminally prosecuted. And I pledged my office's
unwavering support of the Subcommittee's efforts to prevent SSN misuse
and, by extension, identity theft.
The Subcommittee's response was swift. H.R. 2036, which provided
all of the relief I had requested and more, was an important step
forward. Tragically, before we could take that step forward, we all
took an enormous step back. September 11, 2001 stopped us all in our
tracks, and H.R. 2036 understandably took a temporary back seat to more
pressing Congressional responsibilities.
But it was a very short time before we collectively realized that
H.R. 2036 and September 11 shared more common ground than we had ever
contemplated. We had always seen SSN misuse as a bureaucratic problem
for the government and a financial problem for the private sector and
the citizenry. As our investigative offices were besieged with requests
from the FBI for assistance in the September 11 investigation, we
quickly came to realize that SSN misuse and identity theft threatened
not only credit ratings and government records, but lives as well.
Shortly after the attacks on New York and Washington, I again came
before this Subcommittee and testified about individuals seeking to
assimilate themselves into our society for nefarious purposes. The
assimilation process begins with the use of an SSN whether obtained
legally or fabricated. Without it, I explained, it would be all but
impossible to function in our society for any extended period. H.R.
2036, which had been an important piece of legislation eight weeks
earlier, had become a critical one. Unfortunately, despite the best
efforts of this Subcommittee and my office, the 107th Congress
adjourned before that Bill became law.
Then just last week, Treasury Secretary John Snow called upon
Congress to take additional steps to help stem what he correctly terms
``the growing menace of identity theft.'' While the Secretary's focus
was on the harm identity theft visits upon consumers, this Subcommittee
knows the damage is much broader than that.
So, I am pleased to be here today, and to see that the
Subcommittee's continuing and tenacious dedication to stopping and
reversing what is now a long-standing upward trend in SSN misuse and
identity theft has never wavered. As you well know, the use of the SSN
in American society has expanded to the breaking point. Created in 1935
to track workers' earnings and pay them retirement benefits, its use
has increased so dramatically that it has become a part of more
government functions and financial transactions than we could ever
count. It is our national identifier, and while it serves its purpose
well, we as a government remain ill-equipped to afford it the
protection it needs and deserves.
I have previously testified as to the need to protect the SSN at
three stages: upon issuance, during the life of the number-holder, and
following the number-holder's death. This three-tiered approach remains
critical.
At Stage One, my office is doing more work than ever, working
closely with this Subcommittee and SSA to strengthen controls over the
enumeration process, ensure the integrity of identification documents,
and make it as difficult as possible to obtain an SSN from the Federal
government fraudulently. If we cannot accomplish this much--ensuring
that the government is not an unwitting accomplice to identity theft
and other SSN-related crimes--then we will have failed before we have
begun. But I can testify today with confidence that this is not the
case. Together with you and with SSA, we have made important strides in
reducing enumeration vulnerabilities, and that effort continues. Still,
legislation is sorely needed to limit the number of replacement Social
Security cards an individual can obtain, and to require better cross-
verification of records in the enumeration at birth process, to ensure
that SSNs are not inappropriately issued in this important program.
Excellent progress has been made in the enumeration arena, and we
remain dedicated to even further improvements. At present, SSA is
drafting two regulations to tighten the issuance of SSNs to non-workers
and foreign students.
Similarly, Stage Three, following the death of the number-holder,
is an area in which we are working hard to ensure that, through timely
reporting, appropriate cross-matching, and better controls, the SSNs of
deceased individuals are not recycled for inappropriate purposes.
But it is at Stage Two where we have focused the majority of our
efforts, and where we have made the most progress. In the last several
years, we have conducted numerous audits and made sweeping
recommendations to SSA to improve the SSN misuse problem in the
earnings reporting process, and most importantly, to improve controls
over SSN misuse as it pertains specifically to Homeland Security.
Further, over the last six months, we have led the President's Council
on Integrity and Efficiency community in conducting an audit in
assessing their respective Agency's practices in the use of SSNs. The
final report noted that despite safeguards to prevent improper access,
as well as disclosure and use of SSNs by external entities, many
agencies remain at risk.
As I stated, the SSN was never intended for the uses to which it is
now put millions of times every day. The Identity Theft and Assumption
Deterrence Act of 1998 and the Internet False Identification Prevention
Act of 2000 provided law enforcement with the initial tools necessary
to punish SSN misuse as it relates to identity theft. But each SSN
begins and ends at SSA, and true stewardship over that number must
reside in the Act that created it, the Social Security Act. That
stewardship must focus not only on punishment and deterrence, but also
on prevention.
Perhaps the most important step we can take in preventing SSN
misuse is to limit the SSN's easy availability. Any meaningful
legislation designed to protect the SSN must strictly limit the
number's availability on public documents. As long as criminals can
walk into the records room of a courthouse or local government building
and walk out with names and SSNs culled from public records, we can
never reverse the trend. Any meaningful legislation must also
specifically prohibit the sale of SSNs--including one's own SSN--on the
open market. As long as criminals can buy a list of names and SSNs in
an Internet auction, we will continue to be plagued by the
consequences. And legislation, if it is to be meaningful, must limit
the use of the SSN to appropriate and valid transactions.
The financial industry relies on the SSN, and no one is suggesting
that we change the way legitimate business is conducted in the United
States. But the use of the SSN as a student or patient identification
number, as part of a car rental contract or to rent a video, must be
curtailed. Secretary Snow commented, ``Secure, reliable information is
the lifeblood of all financial services, among which consumer credit is
fundamental. It is not an overstatement to suggest that preserving the
integrity and availability of consumer credit in this economy is
preserving prosperity itself.'' This is why I have testified that
Congress should consider requiring the cross-verification of SSNs
through both governmental and private sector systems of records to
identify and address anomalies in SSA's files, and in data bases at
various levels of government and the financial sector. Only in such a
way can we combat and limit the spread of false of identification and
SSN misuse. In fact, SSA has taken initial steps toward implementing
provisions of the Patriot Act. This Act requires the Treasury
Department to develop a system for domestic financial institutions to
verify the identities of foreign nationals seeking to open accounts
with information held by Government agencies.
If we can implement these changes, all of which come down to the
acceptance of the fact that the SSN has become our national identifier
and the application of common sense, criminals will have a far more
difficult time obtaining an SSN from SSA or from other sources, and we
will be able to better focus on enforcement.
The Identity Theft legislation I discussed earlier provides
criminal penalties, but those penalties were designed for broader
crimes involving Social Security cards and/or SSNs, not for SSN misuse
itself. Meaningful legislation that is focused solely on SSN misuse
must provide meaningful criminal penalties in the Social Security Act,
must provide enhanced penalties for those few SSA employees who betray
the public trust and assist criminals in obtaining SSNs, and must
provide an administrative safety net in the form of Civil Monetary
Penalties to allow for some form of relief when criminal prosecution is
not available for SSN misuse and other Social Security-related crimes.
Finally, I respect and support SSA's strict privacy regulations.
The information SSA stores on each of us is personal, and is entitled
to all of the protections we can afford it. I have learned, however,
through a series of unfortunate events, that there are times when that
privacy must be abridged for the greater good. Following September
11th, and again during last year's sniper attacks in the Washington,
D.C. area, it became necessary to share with appropriate law
enforcement authorities information stored by SSA to permit those
authorities to conduct their investigations and, more importantly,
prevent additional lives from being lost. On both occasions, I asked
the Commissioner of Social Security to use the ad hoc authority vested
in the Commissioner by SSA regulations to permit me to share SSA
information with our law enforcement partners. I now ask this
Subcommittee for statutory authority that would enable the Inspector
General to make such disclosures when necessary to protect human lives
without prior formal authorization from the Commissioner. When lives
are at stake, we cannot waste precious moments.
Before I close, I would like to emphasize one part of my
discussion. While the SSN is issued by SSA, the responsibility for
protecting its integrity reaches far beyond this Agency's walls. While
SSA has come very far and is willing to do more, other Federal, State
and local jurisdictions, as well as the private sector must each do
their part. With everyone's participation, we can protect the SSN and
ultimately our homeland.
I thank you for your continuing commitment to these critical
issues, and would be happy to answer any questions.
Chairman SHAW. Thank you, Mr. Huse. What is the criminal
penalty for supplying fraudulent documents in order to obtain a
Social Security card--SSN? Or is there State law that you are
familiar with that would do the same thing with regard to
getting a driver's license that you are aware of?
Mr. HUSE. The answer to your question is, there are Federal
statutes that cover those crimes, and State statutes also.
There is a strong law enforcement remedy for all of this
criminal activity. What there isn't, though, is an elastic
enough charge or felony charge for Social Security misuse in
and of itself, which oftentimes is the common denominator
through all of these levels of government and the crimes that
have been established. If we had a strong, simple Social
Security misuse felony, it would cut through a lot of this
criminal justice activity.
Chairman SHAW. Let's take the examples that are up on the
board. If one were to go in to the Social Security office and
give them a birth certificate, a baptismal certificate and some
other type of picture identification such as the one you use up
there with the United Airlines employee type of identification,
in order to obtain a SSN--these documents are fraudulent--what
would be the criminal penalty that this person is liable for?
Mr. HUSE. There is a Federal criminal statute that covers
this type of criminal activity. However, if I sold my SSN to
Barbara to use illegally, there is no crime for the actual
sale. I can't be charged for that. So, these are some of the
aspects of this that we are trying to get in a specific SSN
misuse felony.
Chairman SHAW. I am just talking about the individual who
goes in and tries.
Mr. HUSE. It is a crime, and we can charge them.
Chairman SHAW. Is it a felony?
Mr. HUSE. It is a felony crime.
Chairman SHAW. Five years?
Mr. HUSE. Five to 10.
Chairman SHAW. Five to 10. Thank you.
Mr. HUSE. I would also add that in the Federal system there
are also the sentencing guidelines.
Chairman SHAW. Are the prosecutors prosecuting these cases?
Many of our courts I know in south Florida, are overworked so
much, and the question of whether you are going to be
prosecuted even for a felony can depend upon the severity of
the felony because of short-handedness within the prosecutor's
offices themselves, the right to speedy trial, overcrowded
dockets, those type of things. Are these cases being
prosecuted?
Mr. HUSE. Some of them are. I think the prosecutors try to
do the right thing. They triage cases just like everybody else.
There are those cases, as you just pointed out, that are not
prosecuted, perhaps because the dollar amount is minimal, or
the urgency, or there is no terrorism nexus, or what have you.
Those cases usually fall out. That is why we are asking for
this civil money penalty, a provision that would allow us to
sanction those people who aren't prosecuted. They would still
have to pay a substantial fine, and in that way perhaps we can
do something about the proliferation of this crime.
Chairman SHAW. Mr. Cardin.
Mr. CARDIN. Thank you, Mr. Chairman. Let me again thank our
witnesses for their testimony. The SSN is supposed to be the
identification number for the Federal Government for Social
Security purposes. Yet it is used as an identification number
by a lot of different organizations and groups. I have my
health insurance card, which my membership number is identical
to my SSN. I am sure that is not unusual. Until 2 or 3 years
ago, our U.S. House of Representatives identification cards
included, mandatorily, our SSNs. So, I guess my question is,
how important is it for us to try to protect the
confidentiality of an individual SSN? You point out that you
can go on the Internet and probably find the SSNs of most of us
in some documents that are probably public today. If you
couldn't find it there you, probably with a little effort,
could find out our SSNs. How much is that a contributing factor
to identity theft? Should we be much more vigilant about
protecting the use of the SSN as a way to protect against
identity theft? How major is this? How much effort should we
put behind keeping these numbers confidential or for use only
by the SSA?
Ms. BOVBJERG. It couldn't hurt to quit giving people your
SSN when you don't know what they are going to do with it. The
Privacy Act (P.L. 93-579) requires all levels of government,
not just the Federal Government, when they ask for your SSN, to
tell you whether you are required to give it, and for what
purpose it is to be used. This is not a provision of the
Privacy Act that is followed very routinely. We have made a
recommendation to the Office of Management and Budget to take
some action to inform government agencies, particularly State
and local governments, that this provision applies to them. I
think as an individual it is probably also important to ask why
Blockbuster Video or someone like that is asking you for your
SSN and how it will be used, or to simply not give it to them.
You are really also asking to put the genie back in the bottle.
Mr. CARDIN. I don't think people think about this. If they
are asked to give their SSN they give their SSN because it is
there, it is on the form. They don't think twice about it.
Unless we develop policy nationally that prevents the use of
the SSN for non-governmental purposes or provide additional
protection for the individual to make that judgment, it seems
to me it is not going to happen.
Mr. HUSE. I agree with everything our distinguished witness
from the GAO said, but I would add that that is 50 percent of
the issue. The other 50 percent is for those numbers that are
already out there. I believe there is also a governmental
obligation to ensure that there is due diligence on the data
that is stored by all of these entities in matching those
records with the true records of government at all of the
levels, but including the Federal level--to ensure that there
is an attempt to make positive identification occur. I think
that is the other half of the identity theft problem. I think
we are doing a lot of work on the front end in trying to get
the integrity in the system that issues numbers, but we are not
doing enough on the back end to verify that data and to make
sure that anomalies in it are rooted out and given to
appropriate law enforcement authorities at the local, State,
county and Federal level to deal with. This is a universal
problem, it is way beyond just the SSA.
Mr. CARDIN. I agree with your point. I guess my point is,
how do you put this all together? Would it make it a lot easier
if these numbers weren't so readily available? I guess the
answer is, it wouldn't hurt and certainly it would make it more
difficult for identity theft. Unless we are prepared also to be
very aggressive on the use of identity, and the verification of
identity, and all the other issues there would still be a
significant problem out there?
Mr. HUSE. I think you are at a point where, as Barbara
said, you can't put it back in the bottle. I think we have to
accept the status quo.
Mr. CARDIN. Why? I am not sure I agree with that. Unless we
are willing to take action on who can use SSNs, and how they
are to release and protect them, I agree with you. I guess my
point is, that is one area that we could control here from
Washington. It may cause disruptions and maybe it is not worth
all the disruptions it causes, but I am trying to get a sense
as to how important it would be to restrict the availability of
SSNs. What I am getting from you is, that would certainly help
us in reducing the amount of identity theft.
Mr. HUSE. The answer is yes.
Ms. BOVBJERG. If I could just add briefly, you have already
done things that have helped. Certainly the Drivers Protection
Act of 1993 (P.L. 103-322) helped enormously to prevent motor
vehicle records that had SSNs on them from being sold in bulk.
There are other things that have occurred over the last 10
years that have made the SSN, particularly in government, more
secure. So, I think there are things that you already have done
that have helped.
Mr. CARDIN. Why should my health insurance company require
to use my SSN?
Ms. BOVBJERG. They want to know that you are you. It is a
unique identifier. They want to distinguish you.
Mr. CARDIN. Well.
Mr. HUSE. From another person with a similar name.
Mr. CARDIN. Is that a responsibility of government, or the
private insurance industry?
Ms. BOVBJERG. The government did not provide it to the
insurance company.
Mr. CARDIN. No, but we provide the SSN. Thank you, Mr.
Chairman.
Chairman SHAW. Mr. Collins.
Mr. COLLINS. No questions.
Chairman SHAW. Mr. Brady.
Mr. BRADY. Thank you, Mr. Chairman, for holding this
hearing. Thank you to the witnesses for being here. It is very
helpful. Reading the testimony in advance, I wanted to focus on
defining the problem a little better. It seems like there are
widely varying estimates of how big a problem identity theft
is. I am wondering between thefts used for financial fraud that
are--sometimes we identify them because of complaints, those
used for illegal immigration purposes, those used for national
security access. Do you think we really know how big the
problem of identity theft is in America right now?
Mr. HUSE. I don't think we do. The numbers that come to us
from the financial sector are those that they choose to share
with us. All of the credit card entities have huge insurance
bonds that mask a lot of the activity. By this I mean that they
assume a lot of this is risk. In the context of the national
security dimension, I think we do get good information, and it
has really been emerging since 9/11, as to how important it is
for someone that comes into this country to do ill, to be able
to get underneath our radar by obtaining whatever requisite
identification we need--principally the driver's license
because that is the one that allows you to move around as
someone who has some kind of status. I think, to use a
metaphor, this is the tip of the iceberg. We just see the top
from the hysteria that we hear and the reporting. I think the
problem is far bigger than we even know.
Mr. BRADY. Thank you. Ms. Bovbjerg.
Ms. BOVBJERG. I agree, we don't know. We have reported to
Mr. Johnson in the past, that it is difficult to get statistics
on this. I have brought Federal Trade Commission (FTC)
statistics that said in calendar-year 2002, 380,000 consumer
fraud and identity theft complaints came to their hotline. How
many of those are SSN-related is unclear. They certainly don't
get at the point that Mr. Huse made about the criminal
immigration fraud, the terrorism side of identity theft. They
also reported losses of more than $340 million. We know that
not all of these losses get reported, so indeed this figure is
lower than actual losses.
Mr. BRADY. Those aren't the answers I wanted to hear, but I
think it is what we all know in the room--that it is the tip of
the iceberg on this issue, and leads to the follow-up question,
how successful are we in catching and prosecuting those who
steal identities for various reasons? Do we have any numbers on
how many prosecutions occur each year, and if I steal someone's
identity for whatever reason, what are the chances that I will
get caught--other than being a Member of Congress, we are
likely to get caught--but still in the most part, how
successful are we?
Mr. HUSE. I would say we are as successful there as we are
with a number of issues when we talk about the criminal justice
system. We know what we know. We have statistics, and I don't
have them at my finger tips but we will supply them to you
later, from what we do and the rest of Federal law enforcement.
The U.S. Department of Justice garners the statistics from
across the country. I don't think we really get at the universe
of identity fraud through the criminal justice system. I think
we probably, to use my metaphor from before, I think we are
just getting at the surface of it. It is one of those crimes
that has become provocative enough to warrant our attention. A
lot of it goes on unnoticed. Some of it is because a victim has
to discover that they have been violated. That is the part we
don't really know yet.
[The information follows:]
Social Security Administration
Baltimore, Maryland 21235
May 5, 2004
The Honorable Kevin Brady
House of Representatives
Washington, D.C. 20515
Dear Mr. Brady:
During the Ways and Means Social Security Subcommittee hearing on
July 10, 2003, you asked then Inspector General James Huse some
questions related to the prosecution of identity theft cases. I would
like to take the opportunity to respond to each of your questions in
turn.
First, you asked how successful we are in catching and prosecuting
those who steal identities for various reasons. It is important to note
that the Social Security Administration (SSA) Office of the Inspector
General (OIG) is responsible for investigating and referring for
prosecution a small portion of the overall universe of identity theft
cases--those that relate to Social Security disability benefits,
earnings or other fraud issues that concern SSA programs generally.
With regard to these cases, the SSA OIG has been instrumental in
successfully apprehending and referring violators for prosecution.
Second, you asked whether we have any numbers on how many identity
theft prosecutions occur each year. As previously stated, the SSA OIG
has statistics on the number of identity theft prosecutions relating to
Social Security fraud, but not the number of identity theft
prosecutions that occur nationwide as the result of investigations
conducted by other federal, state and local entities. Between FY 2001
and FY 2003, the SSA OIG investigated over 1800 allegations of identity
theft related to SSA's programs. These cases resulted in over 1100
convictions.
Finally, you asked how likely it is that someone will get caught
for stealing an identity. Identity theft is often referred to as a
crime that entails minimal risk. According to the Federal Trade
Commission, the incidence of identity theft continues to rise. Through
its investigations of Social Security-related identity theft
allegations, and its referral process, the SSA OIG is making a
significant contribution to the fight against identity theft. It is
clear that more work needs to be done. We look forward to working
cooperatively with other agencies and the Social Security Subcommittee
in furtherance of this effort.
Sincerely,
Patrick P. O'Carroll, Jr.
Acting Inspector General
Mr. BRADY. Sure. Ms. Bovbjerg.
Ms. BOVBJERG. I am leaving the criminal justice statistics
up to Mr. Huse.
Mr. HUSE. I didn't even answer them.
Mr. BRADY. I think really you did. I think the point you
made earlier about more flexible criminal justice penalties and
charges I think are real important. Mr. Chairman, I conclude
with that. I think your bill on Social Security theft and
response is an excellent approach. Perhaps we ought to find a
way to better define this problem as well as better identify
how successful we are because then we can at least start
measuring our improvement against that. I yield back the
balance of my time. Thank you.
Chairman SHAW. Mr. Pomeroy.
Mr. POMEROY. Mr. Chairman, I want to commend you for not
just this hearing, but your long-standing work on this
important issue. I would ask Ms. Bovbjerg whether there are
some systems' investments that we need to make at SSA that will
address some of the concerns your report notes. How do we get
to where we need to go in terms of bringing a greater measure
of security in the areas that you cite? Obviously the
replacement cards, I suppose, if you don't issue--you don't
allow 52 in a year would be a good start perhaps, but more
specifically what recommendations you might have in that area,
and the children's cards, the batch systems, what specifically
do you think we ought to--how should we respond?
Ms. BOVBJERG. We are still thinking about recommendations
in those areas. We will be issuing a report to the Subcommittee
in September. We have been discussing these things with the
SSA, and I know they have a concern about replacement cards and
reducing the number permitted, thinking that, maybe 52 is too
many, and certainly I think 52 is too many. The SSA raises the
point about the homeless person who comes in regularly for his
card, he needs it for benefits. The SSA doesn't want to cut
that person off from his benefits. On the other hand, perhaps
that person needs something more than a replacement card if he
is coming in to SSA offices that often. We are thinking about
what would be a reasonable approach to fixing that problem. I
think we have thought, particularly with regard to verification
for enumeration that there might be some things that ought to
be done, perhaps having SSA's staff have a means to acknowledge
in the SSA system that they have done the third party
verification. That is, the new SSN number could be issued.
Things like that. These are recommendations that we are still
thinking about, that we are discussing with the SSA. We don't
want to recommend something that is not feasible. I think there
are some things that can be done to strengthen the verification
process.
Mr. POMEROY. Is your investigation also evaluating what
legitimate private uses are occurring with SSNs as a national
identifier in trying to find ways that put in place protections
but on the other hand don't unduly disrupt existing systems
that depend upon this identifier?
Ms. BOVBJERG. We are trying to look at that balance. In the
work that we are doing for this Subcommittee on the private
sector, we are asking certain parts of the private sector how
they are using the number, how do they obtain it, what
safeguards they have, because some companies have really
thought about this a lot and are attempting to grapple with the
safeguard issue. We will be reporting back in the fall on this.
We are still in the middle of our work.
Mr. POMEROY. Mr. Huse.
Mr. HUSE. I just wanted to say that I think I can speak for
Commissioner Barnhart here, too, that her interest in this is
as strong as my own. The SSA does have a regulation moving
through the vetting process now that will restrict the number
of replacement cards available to an individual during the
course of the year. It markedly reduces the number down from 52
to 2 in a given year, and 10 over the course of a lifetime,
which I think is far more reasonable. That is going through the
vetting process in the executive branch before it is issued as
a regulation. So, it is there. I only answered that so that you
understand that the SSA is not static on this issue. It is just
a question of the process.
Ms. BOVBJERG. Your office too?
Mr. HUSE. My office too.
Mr. POMEROY. Do you have a feel for as we move to address
identity theft it is going to significantly curtail commercial
use of SSNs?
Mr. HUSE. I think it will. It will probably also spur the
private sector to look to the promise in new technology for
identification that takes us away from the number and its
universal use now to biometrics and other more facile uses of
identification. I think by drawing the line now, we are saying,
that the continued use of the SSN will become too expensive for
you, it would be better to try another way. The information
technology will require this in any case.
Mr. POMEROY. Thank you. Thank you, Mr. Chairman.
Chairman SHAW. Mr. Johnson.
Mr. JOHNSON. Thank you, Mr. Chairman. Mr. Huse, I asked you
a question I think before on one of your nine appearances. I
wonder if you could give me an update on where we are with the
regulatory process on the issuance of SSNs for nonwork purposes
and for foreign students as well as those who are issued to
foreigners. I have got a question along those lines. I believe
you testified before with reference to the illegals that were
allowed to have work permits in Dallas, that if they were
issued a work permit they were allowed to get a SSN. What kind
of documentation do they use to get that, one; and two, you
said it was for life, good for life. Is that still true?
Mr. HUSE. Once a number is issued, it is valid for life.
Mr. JOHNSON. Well, then, what is this deal about you all
issuing different kinds of SSNs for temporary work permits or
students or people who are in the country temporarily from
foreign countries? Is there such a thing? You were talking
about different colors, I think.
Mr. HUSE. I never understood how complex this was until I
took this office.
Mr. JOHNSON. It is, but you know the currency was
counterfeited all over the world and we came up with coloration
to take care of that. It isn't working, but it is still--well,
it isn't. They keep changing it. It is an effort to stop the
counterfeit process. I wonder why we don't do that with the
Social Security card?
Mr. HUSE. The nonwork card, for example, was required as a
means to provide legitimate visitors to this country with the
ability to get a driver's license and be insured and to----
Mr. JOHNSON. They don't have to have a Social Security card
to get a driver's license.
Mr. HUSE. Well, in some States you do need an SSN to get a
driver's license. It is the underpinning of the driver's
license system.
Mr. JOHNSON. That is not the purpose of the number. So, we
are misusing it when we use it that way.
Mr. HUSE. The nonwork number, because there were these
requirements, the SSA came up with this as a service. Now that
was curtailed after September 11th. Commissioner Barnhart
notified the governors of our States that the SSA would no
longer do that. There were court challenges to that decision
and the SSA has gone back to it temporarily, but it is under
scrutiny now.
Mr. JOHNSON. So, what you are saying is the States use the
SSN as verification to get a driver's license?
Mr. HUSE. They do. It is the underpinning of our driver's
license system. That is why I used to use the term de facto
national identifier for the SSN. If you notice over the time I
have been here I have dropped that ``de facto.'' If this is
truly the case, that the number is underneath even the driver's
license, we can't call it a de facto number, it is the national
identifier until something changes.
Mr. JOHNSON. Do we legislate against that? I see driver's
licenses being used as fake identification, too.
Mr. HUSE. The driver's license is probably the most
counterfeited identification we have. In any case there is a
lot of scrutiny on the uses of the nonwork number. There are
foreign visitors to this country, students that obtain the
appropriate visas that are in this country to be educated that
for Citizenship and Immigration Services, if I got this right.
Mr. JOHNSON. I know what you are talking about. When you
issue a SSN are you verifying it by one document or several
documents? It seems to me if there is a fraudulent effort out
there to obtain them, I don't know where they get them all
from. Do they just make up the numbers or are they buying them
or what?
Mr. HUSE. Thieves steal genuine numbers, thieves make up
counterfeit numbers out of thin air and then create a myriad of
identification from that. Between the two, all of this migrates
into databases, and that is why I suggest that verification of
these records is a way to root out SSN misuse.
Mr. JOHNSON. The IRS is your primary enforcement agency
right now?
Mr. HUSE. It is.
Mr. JOHNSON. It seems to me that--how are they verifying
the authenticity of the SSN? I know there is a lot of
mismatches. How are we fixing that and are your computers being
updated as we speak?
Mr. HUSE. There are efforts to do that. Our work and the
work of the GAO have suggested system fixes to Social Security,
and they have those in their queue to do along with their own
systems enhancements. Those are under way. Are they done yet?
No, they are not finished.
Mr. JOHNSON. We talked about this at least 2 years ago.
Where are we with reference to that issue?
Mr. HUSE. We are moving toward the goal line, but it is not
done yet.
Mr. JOHNSON. Can you see the goal line?
Mr. HUSE. Well, some things you take on faith.
Mr. JOHNSON. More than 100 yards away. Thank you very much.
Thank you, Mr. Chairman.
Chairman SHAW. Mr. Becerra.
Mr. BECERRA. Thank you, Mr. Chairman. Before I begin my
questions, I want to thank the Chairman for continuing to press
on this issue. I know he has had legislation in the past, and I
hope we are able to move something. I am sure it is going to be
a bipartisan piece of legislation. I thank the Chairman for his
efforts on this particular subject. To our witnesses, thank you
again for being here. A couple of questions. First, with regard
to the maintenance or the integrity of the SSN itself, the war
on terrorism, the need for more security, it is becoming more
and more important now that we check and verify. Now, I recall
before 9/11, the SSA was already having problems trying to find
the resources to take care of this massive work. Can you tell
us what kind of monies you have post-9/11, or let's just focus
on this year's budget, what kind of moneys you have in addition
to what you already had to try to deal with this issue of
identity theft.
Mr. HUSE. First of all, we do have built into our 2004
budget request appropriate funding to do some more significant
work with----
Mr. BECERRA. How much are you asking for?
Mr. HUSE. Let me look back and get a dollar. The total
appropriation we have asked for is $90 million, but in there,
there is about an $8 million increase over current
appropriations. We were looking to build out this SSN misuse
capacity.
Mr. BECERRA. Let me make sure. Of the $90 million that you
are asking for, $8 million of it would focus on the identity
theft issue or all $90 million would focus on the identity
theft issue?
Mr. HUSE. The $90 million covers all of our
responsibilities, which is beyond just this particular mission.
What we were looking for in the $90 million is $2 million, a
modest amount to develop what we call SSN misuse teams that we
have. The teams will include auditors, investigators and----
Mr. BECERRA. That is $2 million. Keep going.
Mr. HUSE. That is the only growth we asked for.
Mr. BECERRA. That's $2 million for a country the size of
the United States?
Mr. HUSE. Well, we----
Mr. BECERRA. I suspect the folks that are forging these
documents could give you more than $2 million off their profits
just of what they have made.
Mr. HUSE. Now, I need to be careful here, because my role
in relation to all of this is the integrity to the SSN business
process itself. The whole issue that you speak to is a massive
universe that involves----
Mr. BECERRA. That is very true.
Mr. HUSE. The whole government.
Mr. BECERRA. Outline for us what moneys you are getting for
your particular role within the Inspector General's office, and
perhaps we could ask, Mr. Chairman, for the SSA to break down
the monies it is requesting to deal specifically with the
identity theft issue so we have a sense. I am almost positive
what we will find is that you all need more resources, and we
should know that now so that when you come back and testify for
the 10th or 11th time, we won't be asking why you haven't made
more progress along the yardage markers to get closer to the
goal line. Another question for you. Do government
administrators or employees today at any level of government,
whether Federal, State, local, or any business employees that
you are aware of, undergo any training for identification
verification to know when a document is real or fraudulent?
Mr. HUSE. They do. Even Social Security field employees get
training in the identification of----
Mr. BECERRA. Without going further, because I want to make
sure I get all my questions in, if you could provide us or
provide my office with the literature, whatever you have in
writing that says what the training is----
Mr. HUSE. I would be glad to.
Mr. BECERRA. If you know what other State or local
governments do as well, because I guess one of the problems is
we have a lot of folks who aren't trying or doing much of an
effort to figure out if these are authentic documents or
identification cards or not.
Mr. HUSE. Sure.
Mr. BECERRA. If someone asks for a replacement Social
Security card--I lost my card, I write to the SSA and say I
need to get another one, I can get one; right?
Mr. HUSE. Right away.
Mr. BECERRA. If a year later I write back and say, you know
what, I lost it again.
Mr. HUSE. You would get it again.
Mr. BECERRA. If I say, you know what, I ripped it up. I
lost it. Can I get another one?
Mr. HUSE. You can, and that goes on and on and on.
Mr. BECERRA. Does that trigger within SSA any thought that
perhaps this individual is misusing the SSN?
Mr. HUSE. It does now, because we analyze the enumeration
process, and where there are clusters of these, some are
referred to us for an investigative look, where there is
suspicion, which can't be----
Mr. BECERRA. So, we are doing something?
Mr. HUSE. Yes. Yes, we are.
Mr. BECERRA. Thank you, Mr. Chairman.
Chairman SHAW. The replacement card has the same number,
doesn't it?
Mr. HUSE. Yes.
Chairman SHAW. Your concern with the replacement card is
they are just handing them off to their buddies.
Mr. HUSE. Correct. We have, in some instances, where people
get hundreds of these in a year, or almost 100 in a year.
Now, some people may be generationally used to the fact
that they think they have to have this card at all times. Some
of us get older, and we forget, misplace them and we think we
have to get another one, and that is a service. That is a
service some people believe they have to have, so a lot of
these really aren't criminal, but when you see 80 or 90 a year,
you begin to wonder, and those we are now----
Mr. BECERRA. I'd think you would begin to wonder before 80
or 90.
Chairman SHAW. Mr. Collins.
Mr. COLLINS. Maybe we ought to flag those and send them to
them in bulk. I was just looking at some information the
Subcommittee provided for us on mismatched records to see where
the Social Security matches information with the IRS weekly
about, and that is W-E-E-K-L-Y, not W-E-A-K-L-Y, about
discrepancies. Interesting figures that no match letters were
sent out to employers for employers to actually verify the
employee, that it went from 110,000 to 950,000 letters last
year, representing 10 million mismatches. Now, to go back to
what Mr. Johnson was talking about, the immigration bill, and
you talked about earlier, the raid that you all were successful
with this morning in California where you apprehended three and
one is on the loose. A lot of the cards or the material they
had there to create cards will be part or a large part of this
mismatch?
Mr. HUSE. There is absolutely no doubt that there is a
demand for counterfeit identification documents brought on by
our undocumented worker population in this country. That is
fact.
Mr. COLLINS. A driver's license or most any kind of
identification that has a SSN on it also has a photo on it. Any
thoughts toward a photo? You get a SSN as an infant, but once
you reach legal age, some age----
Mr. HUSE. There is no plan to do that. In fact, at the
present time the SSA does not require a photograph for any of
Social Security's services, including any of the insurance
programs. Your number is the key that unlocks those benefits.
In addition, there is not any biometrics involved.
Mr. COLLINS. It is also becoming a key to a lot of other
folks too, using it in a wrong pattern. What can an
individual--what has the Administration done to assist an
individual in how to be more responsible or protective of their
SSN?
Mr. HUSE. I can speak to what we, at SSA, and what I know
from the FTC, and they have done extensive outreach work and
activity in their communications arena to apprise people of the
issues involved and the personal responsibility to protect your
number, what to do when something happens to you, when you
detect someone else has used your number and what remedies to
take, and those are very understandable brochures and mailings.
We have a fraud hotline at SSA that provides these answers to
hundreds of people that call in with these problems. The FTC
does the same thing. We also tell people in the process of
getting their statement on Social Security every year, which is
very important, that is a critical document, just like your
monthly credit card statements, that you should review it
carefully to be sure that the wages and earnings that are
posted on it track with your recollection of your earnings
history, because if there are differences there, that is almost
a sure sign there has been a compromise of your identity. The
other thing that SSA has advised people for some time now is to
cease the practice of putting your SSN on private checks, and
that is just not necessary. You shouldn't put your phone number
either. This is just a desire by businesses to gather some data
on folks that they don't really need to have.
Mr. COLLINS. Thank you. Thank you, Mr. Chairman.
Chairman SHAW. You had a follow-up on--go ahead and then we
will go to Ms. Tubbs Jones.
Mr. JOHNSON. Thank you. I would just like to ask, in the
military, they ask you for your SSN. That is why we used to put
them on the checks. I don't anymore.
Mr. HUSE. I remember, too.
Mr. JOHNSON. That, and phone number. That as well.
Mr. HUSE. So, they could get your officer's club bill to
you.
Mr. JOHNSON. That is so you would pay them. That's right. I
would like to ask a question real quick. Kids that get--when
you give a baby a SSN, he isn't going to work. Why does he need
one? The IRS asks you to do that, didn't they?
Mr. HUSE. They did.
Mr. JOHNSON. They use it, and it is if that is where how
much of the fraud do you know what percentage of the fraud is
in young kids?
Mr. HUSE. Well, the fraud that happens with the young
children is when parents of young children get earned income
credits for the purpose for----
Mr. JOHNSON. Kids get earned income credits?
Mr. HUSE. No. The parents do for the number of children
they have, depending upon the level of the parent's income.
That is a type of fraud. We can get you some information on
that.
Mr. JOHNSON. Well, why isn't it possible to give a child a
number that is not a SSN, that the IRS can use until they get
of working age? We have child labor laws too. They are not
supposed to work under a certain age.
Mr. HUSE. Like many things in government, this was a
process that emerged out of a need to prevent fraud in filing
income tax returns, where people claimed----
Mr. JOHNSON. It has turned around on us and we are having
fraud develop in the Social Security regime. Then we maybe need
to look at that again.
Mr. HUSE. That could be a possible area for adjustment. I
know of the time in my youth you didn't get a number until you
went to work.
Mr. JOHNSON. That's right. Thank you. Thank you, Mr.
Chairman.
Mr. COLLINS. That may be part of the problem with the $10
billion of fraud that we have with the earned income tax credit
each year.
Chairman SHAW. Ms. Tubbs Jones.
Ms. TUBBS JONES. Thank you. Do you have any indication that
there is more abuse by earned income tax credit people filing
than there is abuse of fraud in businesses across the country?
Mr. HUSE. No.
Ms. TUBBS JONES. Thank you. Let me go on. I heard you
earlier raise the question that or say that there is no way you
could prosecute Ms.--I don't know how to pronounce your name.
Ms. BOVBJERG. Bovbjerg.
Ms. TUBBS JONES. Thank you--for selling her SSN to you.
Mr. HUSE. You could prosecute her, but you couldn't
prosecute me if I sold my number to her.
Ms. TUBBS JONES. Why not?
Mr. HUSE. There is no penalty for me to sell my genuine
SSN.
Ms. TUBBS JONES. Oh, absolutely. There is a penalty for
theft and deception and fraud.
Mr. HUSE. I meant in the Social Security Act (1935, 49
Stat. 620).
Ms. TUBBS JONES. I want you to be clear on that, because
there is a law that covers that conduct.
Mr. HUSE. I believe there is a law on the books for just
about every particular aspect of this, but it is sorting
through those to get to the right penalty that makes it very
difficult.
Ms. TUBBS JONES. Let me tell you the reason I raise the
question with you, sir, is I am a former judge and a former
prosecutor, prosecuted cases for Cuyahoga County for 8 years
with 300 and some assistants, and the thing I worry about is us
always trying to create another crime to prosecute conduct that
can be prosecuted under existing law, and I just wanted the
record to be clear that there is a law that you can be
prosecuted for engaging in that conduct.
Mr. HUSE. I am sure.
Ms. TUBBS JONES. Let me ask you also. You said that you
have been here nine times. My first time meeting you, it is
nice to meet you. Have you, in the nine times that you have
been here, requested sufficient dollars to be able to do the
type of work that the SSA needs to do to adequately protect the
people of the United States and their numbers?
Mr. HUSE. Yes, I think I have done that.
Ms. TUBBS JONES. So, the $2 million you asked for is
sufficient to cover the needs of the SSA to help deal with this
issue?
Mr. HUSE. To clarify, that was to add to what we already
have received through the support of this Subcommittee and the
House Committee on Appropriations over time. We have come some
distance in the last 8 years from a very small organization to
a very respected law enforcement organization. Most of which
has occurred through the good will of this Subcommittee, and
the Committee on Appropriations.
Ms. TUBBS JONES. I think you are being generous to the
Subcommittee, and to yourself, to say that you have asked for
enough money, because if you had asked for enough money,
hopefully we would be further along than we are; and I don't
mean to be accusatory, but I am just suggesting to you that
prosecuting white-collar crime costs much more money. It costs
many more law enforcement folks. It costs a lot more time than
prosecuting a robbery or a burglary, and so the reality is that
in order to be able to do some of the things that you really
need to do to protect the people of the United States and their
SSNs, you probably haven't asked for enough money, and you may
be thinking that, well, they are probably not going to give it
to me anyway, so I am not going to ask for it, but I would
suggest to you that perhaps that might be, you might ratchet up
that request so that if all of us, as Members of Congress, are
sincere about trying to alleviate this problem for the people
of the United States, we would put our money where our mouth
is. That is all I am saying to you.
Mr. HUSE. I would say thank you, then. I will take your
counsel.
Ms. TUBBS JONES. I appreciate it. Let me also, just one
more area, Mr. Chairman. Commissioner, you say on page 5 that I
asked the Commissioner of Social Security to use the ad hoc
authority vested in the Commissioner by SSA regulations to
permit me to share SSA information with our law enforcement
partners. Can you tell me what that ad hoc authority is,
please, sir?
Mr. HUSE. Well, it is authority that allows the
Commissioner to disclose SSA information if not prohibited by
Federal law.
Ms. TUBBS JONES. Why then, if you have that extraordinary
authority under the ad hoc authority vested in the Social
Security administrator, do you need statutory authority to
enable the Inspector General to make such disclosures when
necessary to protect human lives without formal authorization
from the Commissioner?
Mr. HUSE. Well, this authority, because it is
extraordinary, is a special and time-consuming process. Often
the emergency is very time-restricted, where even seconds
count, and that is the reason for this proposal in a simple
statement.
Ms. TUBBS JONES. Under that authorization, what would be
the circumstances upon which you would want this legislation to
authorize the Commissioner to receive the--to be able to give
up my SSN?
Mr. HUSE. It is actually the data that is in, they would be
extremely limited to those, and it would be based--it is a
discretionary authority. It would be based on my judgment,
which I would have to answer for, as I do now to the
Commissioner.
Ms. TUBBS JONES. So, if you can do it already, I guess my
problem is in the name of terrorism, we have caused so many of
the rights of the people of the United States to be abridged,
and I am all for going after the terrorists and I am all for
law enforcement having what they need to do their job and just
for background, I am a former judge and I used to issue search
warrants all of the time. I just fear the process of enlarging
opportunities to give away a number that we are worried about
giving away and we can't control government, so forth and so
on, in the name of saving lives, per se. I would just suggest
that it would be a good idea when we go through this process
that we are real clear if we give away that authority that if
he already has it in an ad hoc authority, maybe we might change
the process but not expand it.
Mr. HUSE. That is what we seek in this legislation. The
same restrictions would apply. We are merely moving the process
from the Commissioner to the Inspector General, who, like the
Commissioner, is Presidentially appointed and confirmed by the
Senate. This proposal would just move the process into the law
enforcement function in Social Security. The same rules would
apply.
Ms. TUBBS JONES. There may be some advantage of having some
oversight. That is why the law enforcement has to go to the
judges to get search warrants, but I don't want to argue with
you about it. What I would like to see, though, is the proposal
that you have for the change in that authority. I thank you
very much for your time, sir.
Mr. HUSE. Thank you.
Ms. BOVBJERG. Could I add something to that, please? Ms.
Tubbs Jones, the Chairman has asked GAO to look at Social
Security's policy with regard to sharing information with law
enforcement. We are comparing it to the terms of the Privacy
Act and to the policies of other Federal agencies. In this
work, we are really looking at the balance between the privacy
associated with the personal data that the SSA maintains and
the needs of law enforcement, and of course we have been
working with Mr. Huse and his office on that. We will be
reporting out in September.
Ms. TUBBS JONES. I would be interested in hearing from you
as well, and I would say the same thing to you, to you and
anyone else looking at that area, that in the name of
terrorism, we have abridged a whole bunch of rights. Let's
think about it before we--especially to an area that has given
us so much dilemma so far. Thank you, Mr. Chairman.
Chairman SHAW. Mr. Becerra asked for another follow-up
question.
Mr. BECERRA. Thank you, Mr. Chairman. Quickly, if either of
you, any of the three of you could respond to this, the breeder
documents, I think at the end of the day we all recognize that
as much integrity as we may put into the SSA's process for
issuing cards, if the breeder documents that are used to obtain
the SSN and card are fraudulent, that are very good fraudulent
numbers or cards, identifiers, then we are still in the same
place we were before. So, how--what can we do? Is there a
carrot-or-stick approach that we can use to get the underlying
State or local authorities who issue identifiers that are used
often to obtain a SSN or any other private sector industries or
businesses that issue identifies that are also used, health
care, health insurance card, for example, which is often used
or accepted by some as an identification card. How can we make
sure that those breeder cards or identity cards can be made
more authentic? How can we provide the integrity in that
process?
Ms. BOVBJERG. Well, third-party verification is really
important. What we observed in the case of the driver's
licenses, was that the third-party verification wasn't looking
in the right place, so it was incomplete. In the other case,
the SSN they weren't checking. There wasn't a verification of
the birth record to see that the child didn't exist.
Mr. BECERRA. On that point, say the two faulty Social
Security cards you got were verified by the SSA, so even if you
take a State driver's license from whatever State and ask the
State administrator, can you verify if this is a true
identifier for you, is it an authentic State driver's license,
someone might say, yeah, because it is such a great fake,
forged document. So, how do you stop the process of creating
what are clearly very good forgeries?
Mr. BERTONI. I will take a shot at that. We have criss-
crossed the country looking at the processes for driver's
license as well as SSNs, and I reiterate what Barbara says. We
really need a system where we can have some independent third-
party verification. So, if I am coming to the table with
documents that look really good, even with training, and other
tools that a driver's license clerk is given, or an SSA person
is given, the documents are often just too good to catch. You
really need to corroborate this information with third-party
sources. In the case of the SSN, if I were to bring a birth
certificate, SSA staff should bump that against State Bureau of
Vital Statistics information from the issuing State. There are
a number of other data sources that SSA could use to
corroborate the name, date of birth, Social Security, and other
elements. If the data comes back matching and you have other
documents that corroborate the rest of the story, then you have
a comfort level and you can issue the document. The same is
true for driver's licenses. If you are a State using SSA's
online process, you are going to get the full, I guess, the
plate of services from SSA, including the death match. States
that use a batch process, are not getting that match and if
persons come to the table with a name, date of birth and SSN of
a dead person and it is on the documents, SSA could do that
check. I am sorry. The Department of Motor Vehicles could check
with SSA, and it would still come back verified.
So, again, it goes back to what third-party verification
are States doing, and what is the quality of that third-party
verification. Another aspect is that if not SSA, or another
government agency, some States use private vendors to perform
data mining, and data cross-matching across the public and
private sector sources to give the person that is verifying
your identity documents greater comfort level that you are who
you say you are. This brings me to the issue of how extensive
identity theft is, and I will use the driver's license example.
We took 1 month of transactions from 1 State and matched that
data against SSA's master death file and got initially 160
instances where it looked like someone had used the identity
documents of a deceased individual. We immediately forwarded 44
good ones to the State of issuance, because these folks were
dead 10, 15, or 20 years, and it looked like identity theft was
likely. We got a quick response back from the State that they
had issued a license or identification card to 41 of 44 of
these people. So, one State, 1 month of data show that this is
a problem. There are a lot of States out there, and identity
information is being used over and over and over again. I think
there are driver's licenses out there that are issued to folks
who shouldn't have them, and I think the problem is bigger than
we all think it is, at least in the driver's license area.
Mr. HUSE. That is why, to sum this up, I think there are so
many benefits to the cross-verification of data. Some privacy,
of course, will be abridged, but anomalies will be reduced that
everybody, whatever sector they are from, government,
commercial, financial, will have to deal with these anomalies.
These people were dead people that basically were used to
produce this, we need to get a control over, it is not just
government's problem. It is a universal problem. It will never,
ever be perfect. That is a fact. There is nothing that can't be
counterfeited. One day, though, all of this will lead us to a
place where we will go to biometrics. We have to. That is not
my role to suggest that. I just know that that is the ultimate
answer.
Mr. BECERRA. It sounds like what you are saying is, if it
is going to gain better protection of our privacy, we may have
to give up a little bit of privacy----
Mr. HUSE. We may have to give up a little. It is this
willingness to have our records cross-checked against----
Mr. BECERRA. This cross-checking isn't cheap. It is----
Mr. HUSE. No. It is expensive.
Mr. BECERRA. Mr. Chairman, thanks for the time.
Chairman SHAW. I think also by limiting the use of SSNs, we
are actually going the other way. We are pulling back and we
are increasing the right of privacy, which is something that we
seem to be losing a little bit, as Ms. Tubbs Jones was pointing
out, because of 9/11. I cannot remember a single time that I
have been asked, somebody has asked to see my Social Security
card. I am constantly asked for a SSN, and I have gotten to be,
whether it is an application or something like that, I will
just leave that blank, and usually nobody ever follows up to
ask for it. This is something we have certainly got to do
something about. When you think about the number one identifier
in this country today is a card with a name and a number on it,
period, no description, no date of birth, nothing else involved
in it and this is being used as a prime identifier, there is
something wrong with that picture and something we need to work
on. We are just so vulnerable with regard to the use of those,
and those numbers really have to be protected. Someone was--I
think Mr. Johnson brought up the question that and you can see
on that board to the right where the military identification
uses the same numbers as Social Security.
Mr. HUSE. Exactly.
Chairman SHAW. Rank, name, and serial number. I used to kid
Mr. Johnson. I would say, when you were in prison in Vietnam,
the Vietnamese have your SSN, because that is the serial
number, and when you go to many of the PXs on Army bases or any
military base, you try to give them a check and not put your
serial number on it, they won't take it, and that means that
they are getting the SSN, and we had testimony a few years ago,
I think it was a colonel whose credit was absolutely destroyed
because of, because somebody somewhere in the chain from the PX
to the bank had picked up his SSN and just used that as the
jumping off spot in order to assume his identity. We have, at
this point, a vote on the floor. I think it is a point of
order, and I assume that----
Ms. TUBBS JONES. Mr. Chairman, since we have a vote, can I
ask just one other question, real short?
Chairman SHAW. Your questions go on for a long time.
Ms. TUBBS JONES. I know.
Chairman SHAW. I have got the gavel. You are----
Ms. TUBBS JONES. Okay. I won't have any problem. Just gavel
me. By the time someone realizes that there is an identity
theft problem and they go to law enforcement, the track is
pretty cold, isn't it?
Mr. HUSE. Very often, yes.
Ms. TUBBS JONES. See. I am done, Mr. Chairman, and you
didn't even know it.
Chairman SHAW. Very good. That is a record. I am a little
confused about exactly how long we are going to be gone, but we
will be coming back and go into the second panel immediately
upon our return. So, I appreciate your patience in dealing with
the schedule that we have. We will be in recess until
approximately 10 minutes after the next vote.
[Recess.]
Chairman SHAW. We are going to go ahead and start. One of
our witnesses has not returned as yet, but the vote has been
over for a few moments and Mr. Collins is coming in now. So, we
are going to go ahead and start with the next panel. We have
Theodore Wern who is the Chicago, Illinois Regional
Coordinator, the Identity Theft Resource Center in Chicago.
Chris Hoofnagle, who is the Deputy Counsel, Electronic Privacy
Information Center. We have an additional witness from Georgia,
whom Mr. Collins will introduce when he returns. Mr. Wern.
STATEMENT OF THEODORE WERN, CHICAGO AND ILLINOIS REGIONAL
COORDINATOR, IDENTITY THEFT RESOURCE CENTER, SAN DIEGO,
CALIFORNIA
Mr. WERN. Thank you. Good afternoon. My name is Ted Wern,
and I am the Midwest Regional Coordinator for the Identity
Theft Resource Center. I am also an attorney in private
practice in Chicago, Illinois. I began my work with the
Resource Center after I recovered from my own personal identity
theft problems. My battle lasted about 3 years, and from that
process, I learned what millions of Americans have learned--
that identity theft can truly wreak havoc on a person's life.
What I have also learned as an attorney and as an educator to
corporations in this area is that identity theft can result in
some very significant liabilities for corporations. Therefore,
my role both as an attorney, and as a volunteer for the
Resource Center is to ensure responsible information handling,
both for the benefit of potential individual victims as well as
for the benefit of institutions which face potential liability
in this area. Next I would like to provide a real-life
perspective on the problem of identity theft by talking about a
small sample of cases that the Identity Theft Resource Center
has handled in the past, keeping in mind that they handle
thousands of cases each year, and these are just a few that
seem particularly relevant to this hearing.
The first case involves a widow of the September 11th
attacks. Approximately a year after her husband died in those
attacks, she found out that her deceased husband's SSN was
being used by an illegal immigrant for both fraudulent credit
purposes and employment purposes. We don't know exactly how
that person got the SSN, but public death records, which often
display SSNs, are probably a very good guess. We also handle
numerous cases involving the theft of children's identities.
Mr. Johnson had a concern about this, and in response to that,
children are becoming a new target of identity thieves. Here is
why. Basically, a child's SSN and personal information can be
stolen when the child is young, 6, 7, or 8 years old, by either
a family member or stranger. By the time the child finds out,
i.e., when the child is 18 or 19, or after adult age, to apply
for credit or sign a landlord lease, by that time the thief has
had 15 or 12 years to use that information to his or her
advantage. So, the reason the children are such a hot target is
because there is this lengthy discovery period for the crime.
The other group of cases to talk about, and one stands out
in particular, involves military personnel. I would like to
highlight a case that was the centerpiece of the Parade
Magazine issue that comes in your Sunday newspapers. It was
issued just this past Sunday. It involved a man named John
Harrison who was a retired Army captain. His name and SSN and
other personal information were stolen and used by a man who
was able to buy, for example, a Harley Davidson, who was able
to rent an apartment, was able to buy a timeshare, and the list
goes on and on, all with Mr. Harrison's name. The importance of
this article, and the story is that within hours of this
article hitting the news stands, the Resource Center was
flooded with calls and e-mails from citizens who were concerned
about their identities, and the vast majority of those citizens
were elderly persons, military personnel, and people who were
concerned about their SSN appearing or being displayed on their
military identification cards, which is a common practice,
Medicare identification cards and of course, health
identification cards as Mr. Cardin showed us a few moments ago.
The common thread from all of these cases is the fact that
the SSN is at use in all of them. Without the SSN being
available to criminals, none of these cases would have been
possible. I would love to give you hard data about how many
thieves extract their SSN from particular sources, whether they
be death records or government records, but the data just isn't
available, because, one, thieves rarely get caught; and two,
when they are caught, their stories about where they got the
information are hardly credible. What I can tell you, however,
is that the SSN is the golden piece of data for identity
thieves. A thief can only go so far with a date of birth or
with an address. The SSN rounds out the crime, and with it,
along with other information, getting fraudulent credit is as
easy as picking up the phone or signing up on the Internet. So,
even though we don't know exactly how the thieves are getting
the information, what we do know is that the number itself is
worthy of any protections, any confidentiality restrictions
that the government or the private industry can impose on it.
Let me point out that our goal here is not to create an
undo burden on industry. We have looked at this bill, and we
believe that, as Chairman Shaw indicated earlier, that it is a
balancing act. You have to look at the potential benefits of
the bill weighed against the burdens. In this case, we believe
after careful study that the benefits of this bill far outweigh
the potential burdens. With regard to that balancing, first of
all, the SSN has no intrinsic value to governments or private
industry. What I mean by that is that you don't use a SSN to
dial up a person at home. You don't send marketing materials to
a SSN. It is a random number, the only significance of which is
to identify the particular person. There is no intrinsic value
in the number itself. So, as Mr. Cardin raised before, why is
his number and my number on our health identification cards? So
that our doctor can have an emergency response number to call
us or so that our medical records can be sent to that number?
No. It is a random number, and there are plenty of other random
numbers that could replace that number. So, especially in the
area of publicly displaying these numbers on identification
cards, unless it is for a legitimate IRS purposes or some of
the exceptions that you have laid out in your bill, but for
general commercial purposes like this, it just makes no sense.
It is a random number. Why not get it out of circulation?
Also, with regard to balancing, it is important to point
out that this is not a bill that imposes huge financial or
administrative burdens on the industries or the government
agencies that are subjected to it. We are not talking about
huge capital expenditures here. We are not talking about
complete overhauls to data systems. There are simple practical
solutions of taking this number off the market, basically
removing it from circulation. Furthermore, with regard to costs
and benefits, there is an economic benefit for corporations and
government agencies to not having that number out there for two
reasons. One, there is a serious source of liability for
corporations and government agencies who are responsible for
information getting out into the public and identity thieves
grabbing it. For example, when you have a large identity theft
situation and outbreak, there is enormous class action
potential in that situation, and these sorts of cases are
growing exponentially in the marketplace today. So, this bill,
in fact, is doing what exactly some of my clients, when we give
our corporate workshops, are asking us to help them do, and
that is help them to remove sensitive information from public
display within their organizations, because they are very
concerned about this source of liability. Finally, very
obviously, as you reduce identity theft, you reduce direct
losses to merchants, to banks, to credit card companies, and
the losses in the last year we estimated at $17 billion. We
took the average direct loss of an identity theft victim,
losses that are borne by credit card companies and other
creditors, multiplied it by the number of estimated victims
which are between 700,000 and a million last year. Those are
real numbers. So, not only do you have--if you can prevent
identity theft, a prevention of liability. You also have a
prevention of direct losses. So, with these points in mind, I
think the balancing act strongly favors this bill.
[The prepared statement of Mr. Wern follows:]
Statement of Theodore Wern, Chicago and Illinois Regional Coordinator,
Identity Theft Resource Center, San Diego, California
``Identity Theft and the Social Security Number''
Members of the committee: Thank you for the opportunity to provide
both written and oral testimony for your committee today and for your
interest in the topic of identity theft.
The Identity Theft Resource Center (ITRC) is passionate about
combating identity theft, empowering consumers and victims, assisting
law enforcement, reducing business loss due to this crime and helping
victims. Our organization is honored by your invitation and will
continue to make its opinions available upon request to your
representatives over the next few months as you grapple with this
complex crime. The following testimony was written along with ITRC's
executive directors, Linda and Jay Foley, and I have their permission
to represent ITRC today at this hearing.
About ITRC and the experts testifying:
ITRC's mission is to research, analyze and distribute information
about the growing crime of identity theft. It serves as a resource and
advisory center for consumers, victims, law enforcement, legislators,
businesses, media and governmental agencies.
In late 1999, ITRC Executive Director Linda Foley founded this San
Diego-based nonprofit program after becoming a victim of identity
theft. In her case, the perpetrator was her employer. Co-Executive
Director Jay Foley has spent hundreds of hours speaking and
corresponding with thousands victims while assisting in their recovery,
listening as they discuss their revictimization by ``a system that
doesn't care, understand or listen.''
ITRC also works with credit grantors, representatives from the
credit reporting agencies (CRAs), law enforcement officers,
governmental agencies and private businesses to prevent and resolve
identity theft problems.
As one of the few groups that deal with a victim at all stages of
the recovery process, we have a unique perspective on the crime. ITRC's
information does not arise only from moment of discovery statistics.
Its information comes at the cost of minutes, hours, days, weeks,
months and years of a victim's life.
I (Theodore Wern) was an identity theft victim and serve as the
ITRC Chicago and Illinois Regional Coordinator and victim advocate. My
own case was complicated and required me to go to the extreme measure
of changing my Social Security Number (SSN) in order to stop the crime
from continuing. Because of my experiences, I am one of ITRC's
designated specialists in severe cases. Since I work with others who
must also change their SSN (only recommended in extreme situations), I
serve as one of ITRC's representatives on a taskforce with the Social
Security Administration (SSA) on defining and smoothing the procedures
for changing one's SSN in extreme cases of ID theft. My expertise as a
corporate attorney also gives me added insight into the business
implications of using the SSN as an identifier, as well as liability
issues surrounding this subject.
The ITRC has worked for a number of years to make changes in laws,
policies, business practices and trends to combat this crime. As a
result ITRC has composed a list of recommendations that we feel will
make a difference both in crime prevention (keeping the information
from the hands of criminals and preventing the issuance of fraudulent
credit) and in victim recovery.
ITRC's Testimony: ITRC has been asked to address the following
points:
The problem of identity theft including its impact on
victims
Issues surrounding the use and abuse of the SSN
Recommendations for new laws regarding the SSN, including
those listed in the Social Security Number Privacy and Identity Theft
Prevention Act of 2001 (H.R. 2036).
Part One: Summary of the Problem
H.R. 2036 succinctly summarizes the history of the creation of the
SSN and how this Pandora's box was opened. Unfortunately, in 1943,
President Roosevelt could not have predicted the impact of the
information age and the role computer technology would play in our
lives. He could not have foreseen how it would change business
practices or expose United States citizens to a harsh crime--that of
financial identity theft.
Identity theft is not a new crime. The crimes of criminal identity
theft and identity cloning (the use of another person's name instead of
your own) can be traced back to biblical times. Credit card fraud and
checking account fraud began soon after the advent of those financial
transactions.
As stated in Mr. Shaw's summary, the Federal Government requires
virtually every individual in the United States to obtain and maintain
a Social Security account number in order to pay taxes, to qualify for
Social Security benefits, or to seek employment. The use of this number
as an identifier has grown tremendously and it is now common practice
to use the SSN for purposes that have nothing to do with the extension
of credit or governmental purposes. This extensive use of the SSN
provides criminals with easy access to fresh credit and a new identity.
To an identity thief, a victim's name, date of birth and address can be
valuable, but such data alone is often not sufficient to commit
identity theft. A thief generally needs a SSN as well. Because the SSN
is ``golden data'' to the identity thief, it should be given the
greatest privacy protections.
As pointed out in Mr. Shaw's summary:
An individual's Social Security account number may be
sold or transferred without the individual's knowledge or permission.
Today, the Social Security account number is generally
regarded as the single-most widely used record identifier by both
government and private sectors within the United States.
No one should seek to profit from the sale of Social
Security account numbers in circumstances that create a substantial
risk of physical, emotional, or financial harm to the individuals to
whom those numbers are assigned.
The prevalence of the use of the Social Security account
number and the ease by which individuals can obtain another person's
Social Security account number have raised serious concerns over
privacy and opportunities for fraud.
Social Security cards may be counterfeited for illegal
aliens and individuals use false Social Security account number
information to improperly apply for and receive benefits under Federal
and State programs.
Misuse of the Social Security account number is a central
component of identity theft, considered the fastest growing financial
crime in the country as well as welfare and Social Security fraud.
Growing concern over fraud and privacy and the absence of
a comprehensive Federal law regulating the use of Social Security
account numbers prompt the need for the Congress to act.
ITRC does not believe it will be possible to completely eliminate
this crime but we certainly hope to do the following:
Make it extremely difficult for criminals to obtain SSN
and other information that can be used to commit financial identity
theft by severely cutting back on the exchange of such information.
Tighten the procedures used by the issuers of credit so
that criminals have a more difficult time in using ill-gotten
information.
Assist in victim recovery and shorten the time and duress
suffered by its victims.
Because the federal government, through the SSA, created and
maintains SSNs, it is appropriate for the federal government to take
steps to stem the abuse of SSNs both in private industry and by
governmental agencies. It will be far more efficient for the federal
government to pass regulations about the use and misuse of the SSN than
to rely on state regulations. California has come a long way in
addressing the abuse of the SSN but to do this in 49 more states would
be a daunting task.
Part Two: Victim Impact
Identity theft is a dual crime and no one is immune, from birth to
beyond death. Who are these victims? It could be you, unknown to you at
this very moment. I'd like to introduce you to some of ITRC's clients/
victims who have turned to us for assistance. Many of these cases are
taken directly from emails ITRC has received from victims. We present
them to you so that you can see what we work with on a daily basis.
Personal identifiers have been changed to protect each victim's privacy
and some grammar/spelling corrections have been made.
Case 1: Child ID theft
The victim, Jose, owes about $65,000, $4,700 in child arrears and
has 3 DUI warrants in his name. One problem: Jose is only 6 years old
now and those arrears are to himself. The perpetrator is his father,
now divorced from Jose's mother, an illegal immigrant who is subject to
deportation when found.
Case 2: Identity theft of the deceased
Perhaps one of the most poignant stories we have heard (NJ Star
Ledger reported it) is the theft of a man's identity who died in the
World Trade Center attack on Sept. 11th. His widow was notified about
10 months after the event to discuss her husband's recent auto
accident. She went through hours of turmoil only to discover that an
illegal immigrant had created a false driver's license and was living
and working as her deceased husband.
Unfortunately this is only one of more than several dozen cases
that we have worked on involving the deceased. In some cases the
imposter has purchased the information, in others the imposter is a
family member or even a caregiver. Some may ask what is the harm in
using the SSN of the deceased. Not only can identity theft involving a
deceased person affect the estate but also the survivors still dealing
with the grief of losing a loved one. In one other case, a mother has
had to fight collectors trying to collect money from accounts opened in
her daughter's name, a daughter who died several years ago. Each new
call opens up the wound again.
Case 3: Workplace identity theft
T's identity was stolen by her doctor's receptionist. She found out
when applying for her first home loan, her dream home. Months later,
after clearing her records, spending her own time to research how her
thief got her information and used it, and seeing another family move
into her home, she was able to convince authorities to prosecute her
offender. The result--the thief is now living in a halfway house,
driving the car she bought with T's identity and working for another
doctor as a staff member. T was finally able to buy a house almost 2
years later, at a higher purchase cost, with a higher interest rate due
to the multiple accounts that had been opened in her name after the
placement of a fraud alert.
Case 4: Victim recovery issue
Victim owns her own business. For the past 3 years, she has been in
a fight with her bank. They repeatedly open new fraudulent accounts in
her name and grant fraudulent access to her existing accounts, even
generating dual credit cards and sending them to the imposters as well
as herself. At one point she went to the local branch of her bank
regarding the transfer of her account information. With multiple pieces
of identification in her possession she was devastated by the bank
officers who would not acknowledge her right to discuss the accounts in
question or accept her identifying documents including passport,
driver's license, utility bills, business license and SS card. To date
she still has problems with her bank and her accounts. She is currently
talking to an attorney and plans to sue the multiple companies who
continue to torment her and refuse to correct their errors. She
believes that lawsuits are her only option left.
Case 5: Financial ID theft turns into criminal case
Two nights ago, I was arrested as part of a 4-year ongoing theft of
my identity. The arrest was over bad checks written in Lincoln, NE near
where I reside.
The issue, other than the arrest and all that goes with it, is the
fact that J.P.M. was able to open fraudulent accounts because the
Nebraska DMV issued her a license with her picture and my information.
I don't know what documentation she provided them, but we clearly do
not have the same physical features. This should have sent up a red
flag to the DMV. As a result, J.P.M. illegally used my identity to
spend almost $40,000, with new credit cards and with fraudulent checks.
I am doing the best I can to be compensated for the money spent on
bail, loss of work time, personal stress, which all occurred while I
was finishing my undergraduate degree and throughout my master's
degree. Needless to say, this has interfered with my performance in
school because of the time it takes to free myself as a citizen and as
a consumer. The arrest was the last straw, and I've been told that the
statute of limitations to sue the woman who stole my identity has
expired. I am looking for help.
Case 6: SSN used as driver's license number
Victim had car broken just prior to a move from HI to DE. A file
with all of her personal information was stolen in HI including her
driver's license that used her SSN as the identity number. Since then a
fraudulent cell phone account was setup with Voicestream generating a
bill for $10,000.00. The victim has made some payments during the
course of the account dispute due to the bullying action of collectors
threatening to attach to possessions. Because of that payment,
Voicestream refuses to acknowledge the account is fraudulent.
Case 7: Security breach
Victim was referred to ITRC by the FBI Victim/Witness Coordinator.
The victim is a 72 year old retired Air Force Major. His dentist told
him his identifying information might have been stolen. The dentist had
befriended a man who saw the victim's dental records. This man then
copied and used all of victim's info. The dentist found out when he saw
files out of place. This befriended man/handyman was the only person
who had access. The imposter purchased a condo, a BMW, and used the
victim's HMO for medical services. The victim's HMO paid for this. Upon
arrest, it was discovered that the imposter had a prior record of
fraud. The imposter is now in jail on non-related charges.
Case 8: Identity Cloning
Victim lives in San Diego and is receiving disability benefits. The
imposter is living and working in IL. Fraud is impacting her disability
benefits. The IRS and SSA have been contacted. Victim is fearful of
losing housing and being unable to cover living expenses due to the
lengthy time of recovering her good name and clearing the records.
Case 9: Co-Worker ID theft
The victim recently found out of the identity theft. In 1999, a co-
worker stole her credit card. The victim went through all the necessary
procedures with her credit card company to remove the charges including
filing a police report. In January 2002, the victim applied for a loan
with a small finance company. The victim was told her social security
number had already been used to apply for a loan with this company. The
victim retrieved the application and found it was used back in 1999 by
the same woman who stole her credit card. The victim had never been
contacted by this company. The company's reply was that they denied the
application. Unfortunately, in doing so, they did not indicate that it
was denial due to fraud but due to not enough income.
Victim did speak to the finance company about this and even spoke
with the Vice President in South Carolina who was not helpful. Victim
still has not received a copy of her credit report so she is not sure
if the imposter has done any real damage or not. Victim is certain that
she used her social security number and she is not sure how else she
can file a report if the police are not helpful.
Case 10: Extreme identity theft case
Victim's identity was stolen by a co-worker 10 years ago. She knows
who the imposter is and he has been questioned but released by police
(refusal to take action due to ``extenuating family circumstances'').
In the meantime, the victim has been unable to stop the imposter from
opening credit and checking accounts, fraudulently applying for
welfare, etc. She has had to change her SSN, driver's license number
and name, essentially recreating herself in order to separate and
protect her from the actions of the imposter.
Case 11: Reoccurring identity theft
My wife was a victim of identity theft in 1999. After many letters,
a police report and an affidavit of forgery, we thought everything was
settling. We were reassured that the loan and credit that was taken out
in our name was removed from our reports and that our credit was
restored. We asked several times for correspondence that this was taken
care of but no one returned a letter. As time passed and we received no
bills and we forgot about it. That is until we received an Equifax
report on 6-2-02 showing that the fraud was still on the report. I
tried to contact the office that I communicated with before but no one
would return my call.
The date reported was after we had notified Equifax of the dispute.
Are they in violation of the (FCRA)? Please advise or direct.
Case 12: Family ID theft
Victim's relative used victim's identity to clear out victim's bank
accounts. This relative has victim's SSN and stolen checks. Victim has
filed a police report and is in contact with the managers at her bank.
Law enforcement is not investing a great deal of time on case, usually
claiming that this is a family dispute.
Family identity theft is one of the most difficult crimes we work
on, in part due to lack of police action and in part due to the
emotional impact of this crime. How does one turn one's own mother in
to the police? Unfortunately, we receive about 3-5 of these types of
cases each week.
Case 13: Domestic abuse and harassment
The victim was divorced in 1987. She now lives in Florida. The ex-
husband is operating in San Diego. Due to the actions of her ex, the
victim is having IRS and SSA problems and is dealing with 3 accounts
opened in her name. Unfortunately ID theft is the perfect tool to
harass another person and to perpetuate domestic abuse after a divorce
or separation.
Case 14: Stolen wallet
I live in TX. On June 2, 2002 my wallet was stolen in New York
City. On June 6, 2002 a woman began using my identity from the wallet
including drivers license, social security number from a medical
insurance card, place of employment and stolen cards to establish
instant credit at 9 different stores in 3 different states. I have
placed a fraud alert on my credit report with the three credit
reporting agencies but there has already been theft totaling in excess
of $16,000 dollars. I am now having difficulty getting anyone to follow
through with a police report and also changing my drivers license
number. Because the theft occurred out of my home state, I have to
follow up on the phone and not getting much response or help.
Case 15: Military spouse
I have had the frustrating and humiliating experience of somebody
taking my maiden name and social security number in order to open
numerous fraudulent utility accounts leaving my credit reports a mess.
I am also a military wife who is required to show my social security
number on my ID card, which is used for everything.
Case 16: Enable credit granting behavior
I was a victim of credit fraud/ID theft beginning in November of
2001, and continuing until approximately April of 2002. All of the many
fraudulent credit applications using my name and identifying
information were done in the Los Angeles area. Somehow, my personal
identifying information (SSN, name, birth date, etc.) were obtained and
used to apply for instant store credit at Radio Shack, Gateway
Computers, and approximately a dozen other merchants. Additionally, my
personal credit card was ``taken over'' by these criminals. By calling
Visa and posing as me, they changed my billing address, and claimed
that they had lost the credit card. They then received my new Visa card
in the mail at the fraudulent address. They applied for many credit
cards under my name and were even successful at getting a few, then
charging the cards up to the maximum very quickly.
Case 17: Mail theft by an acquaintance
I just found out on June 14, 2002 that I am the victim of identity
theft by my housekeeper/babysitter. Since she had access to my mail it
was easy. She opened the first account in April 2001. She has charged
over 10,000.00 that I am aware of and I have jewelry etc. missing from
my home.
This is so recent that I don't even know what I'm up against yet--
what I do know is that this has hurt my eleven year old daughter very
badly. My daughter sang in the housekeeper's wedding last May, I wonder
now if the wedding was all charged to me!
I would be happy to talk to anyone about this. I live in a small
town of 12,000 people right now I know 4 people personally that this
has happened to including the president of one of the banks here in
town. Something must be done!! She is having trouble getting creditors
off her back.
Case 18: Domestic abuse, insurance fraud
My ex-husband and his employer used my Social Security number to
file medical claims on my health insurance. My ex has not been covered
on my insurance since 1999, and I have changed employers and insurance
carriers since that time. However, claims for February 2002 through May
2002 have been filed on my current insurance. He has obtained the
information without my knowledge. I found out about the claims after
receiving Explanation of Benefit forms from my insurance provider. The
claims have been denied, so the insurance provider states that they are
doing their job. The insurer will not file a report with the police.
Case 19: IRS complications
Someone has stolen my social security number and from that caused
me to have false credit bureau claims and a warning from the IRS that I
had underreported my income. Creditors have harassed me and required me
to go to extraordinary lengths to prove that I could not have incurred
the debt in question. The IRS has required extensive documentation as
well. Right now the activity has settled down, but anytime the next
shoe could fall.
Even though there is a certain person I suspect of engaging in this
identity theft, law enforcement authorities turn a deaf ear. I really
don't blame them; it's not a high priority crime to them. To me, it is
a major theft and close akin to rape.
This whole situation has been aided by the use of computers and the
overuse of the social security number. I understand that the original
law establishing the issuance of social security numbers stated that
that number should only be used for social security, but indeed that
has not been the case.
Case 20: Victim frustration--complex case
I became a victim of identity theft in March 2001. I found out when
the person who had my social security number tried to open a credit
card with a bank that I already had a card with. The woman was not able
to give my correct birthday. They contacted me but they gave me a hard
time saying that it was my daughter. They suggested that I contact the
credit agencies about a fraud alert. That is when I found out that the
person had many credit cards and a cell phone and they even bought a
computer from Dell. Since I found out early I was able to stop almost
everything before it was way out of hand. I filed a report with the
Dallas police department and talked to a detective on a regular basis;
only to find out they would do nothing. They had the address to which
the credit cards and computer were sent but they would not go there.
They even had another address where the person used a credit card in my
name to buy a pizza. It took many months to clear everything up and I
still have the fraud alert on my report for seven years. This is a
crime that is to easy for someone to do and they get away with it
because our laws are too easy and the officers are not trained on this
type of crime. I feel I am luckier then most because I found out early
and was able to clear up the damage within a year.
While you know my story, that only tells part of the picture. What
I discovered disturbed me greatly:
1. Fraud alerts only help a little. Most places do not even honor
them. So I'm not sure they help very much.
2. After I put the fraud alert on, they still opened a few more
credit cards. All of the accounts they opened were done on the
Internet.
3. I found that the credit card companies did not care much, they
just closed the accounts. But before they will close the accounts you
have to prove to them it was not you who opened the account.
4. They also made you wait on the phone a long time and you are
transferred to many people before you found one that could help you.
Most of the people I talked with acted like they were not educated
enough on the subject.
5. They treat you like it was your fault and most of them need
more training on this issue.
6. The police are no help at all.
7. The credit agencies take forever to remove the fraud accounts
from your file.
8. The victim spends hundreds of hours writing letters and phone
calls trying to remove the damage the thief caused while they are free
to go to the next victim.
9. The Laws should help the victims, but you are alone when it
comes to identify theft.
Case 21: Child ID theft
(Address, email and phone of victim will be provided to the members
of the committee upon request. Copy and paste with permission of
victim)
I am a mother of a thirteen-year-old son. I share joint legal
custody with his father, who lives in a different county. Although my
two boys primarily live with their father in ###, California, they
visit frequently and spend all of their summers and vacations with my
new husband and me.
About two years ago, my mother and I were in the process of setting
up college fund accounts for my two sons. We were informed by our
investor that my oldest son's social security number had several active
accounts and recommended that we research this matter further before
proceeding to open any financial accounts under his name and social
security number. Unfortunately for my son, the thief is his own father.
They both share the same base name and physical address. Therefore, the
theft of my son's social security number was an easy accomplishment by
his father.
In going through this case of Identity Theft, I have encountered
various problems along the way. First being that the local law
enforcement agency in the county in which my son resides with his
father, refused to take an identity theft report because their county
does not have a department that handles such matters. Because of this
and the fact that my son is a minor, it took several months, almost the
remainder of the year to obtain a copy of my sons credit report. The
three credit reporting agencies refused to issue any information
because he was a minor. Instead of investigating the matter further,
they sent a standard ``refusal to issue information letter'' based on
the fact that he was under the age of 18 and that they do not issue
reports for minors. Without this report, it has been nearly impossible
to get any response from creditors as well as getting a credit issuer
to take me seriously. The report was subsequently acquired, through
diligence and perseverance.
I have also attempted to write letters to each lender and attach a
copy of his credit report as proof of an existing account, I have had
to send follow up letter as well, and have yet to hear a reply as they
are not required to respond or assist with fraudulent accounts.
As a mother of a victim of Identity Theft, I would highly recommend
that all state and local law enforcement agencies be required to
generate a report on identity theft complaints in the jurisdiction
where the victim lives and to provide a copy of the report to the
victim, regardless of their subsequent decision on whether or not the
agency will investigate the case. If by chance, there had already been
laws in effect, it would clearly have been easier to obtain credit
reports for a minor with parental documentation. It would also have
directly influenced the ability to stop further debit from occurring.
As you might imagine the recourse for this action can lead in
several directions. Although I do not wish to amend this crime out of
vengeance towards my son's father. I am deeply worried that as my son
approaches adulthood and tries to obtain college grants, scholarships,
etcetera, he will be denied due to his already existing debt. To this
day, his father has acquired over $250,000.00 in debt under our son's
social security number. I cannot begin to imagine the long-term affect
that this amount of debt will have on my son's future.
Knowing my son as I do, it has been a difficult decision to keep
this information from him. As he has already suffered emotionally from
the divorce, I deeply fear that this will emotionally tear him apart
and sever all bonds he has created with his father. I also fear that
the impact of knowing that his father was the criminal will have a
psychological scaring on him for the remainder of his life.
Finally, in trying to rectify this matter with the social security
administration, and in conjunction with my family law attorney, this
entire matter must be handled with diligence and on an efficient
manner. Because of the fact that I share joint custody with my ex
husband, I have an incredible fear, based on past actions, that if and
when his father is confronted with the truth of his crimes, he will
then take matters to extreme action and kidnap my son, making it
impossible for me to have any further contact with him. This also
presents the problem of obtaining a new social security number. Because
our son is still a minor, the new number will have to be disclosed to
his father for medical and scholastic purposes. An even greater fear is
that his father will continue to abuse his son in this manner. Based on
passed history of his fathers actions of first destroying his own
credit, and now destroying his son's credit, what will prevent him from
committing the crime once again. Unfortunately, I do not see this cycle
ending without laws to protect victims of fraud as well as minors.
Part Three: Issues to be discussed
It is clear that a list of commonalities can be derived from ITRC's
victim accounts set forth above. Categories where the SSN has been an
instrument to create havoc include:
Use of the SSN for as a driver's license number
ID theft of the Deceased
Child identity theft
Failure of governmental agencies to find alternate ways
to protect identifying numbers used by the government: military ID
number, Medicare/state health insurance number (could be done by random
number matching to SSN in a closed, secure database)
Employer use of the SSN as an individual employee
(private or governmental) ID number, including public display of the
SSN, e.g., timecards, badges
The use of the SSN as an identifier by a business group,
printed on a card carried by the person on a regular basis
Mail theft--where the SSN is printed (unnecessarily) on
the document being mailed and is intercepted by another person
Theft of SSN given in good faith to or displayed or sold
by a business which required the information to complete a transaction
or activity--e.g., to obtain health care benefits.
Collection of information not needed for the necessary
task or program
Failure to protect collected information--e.g., disposed
of inadequately
Database or information breach--failure to provide proper
security
Database or information breach--due to the actions of an
individual who had access to the information that never should have
been collected in the first place
Domestic abuse, harassment of an ex--due to extensive use
of the SSN as an identifier
Restrictions on sale of SSN and credit info to third
parties by governmental agencies or private entities
Unrestricted ability to print SSN of individuals on web
sites, e.g. Ancestry.com
Failure to truncate parts of SSN on documents available
to the public--electronic court records, birth and death certificates,
etc., unless the requesting party has a legitimate reason for such
information
Part Four: Recommendations for Laws
ITRC likes to use a Finding/Recommendation format to advise on new
legislation. In this testimony, ITRC will limit its findings with the
belief that this esteemed committee has studied this subject at length
and does not need substantial background information.
This list is a preliminary discussion and ITRC's directors would be
honored to continue to work with the committee as they explore this
topic and prepare legislation that will protect all of us from SSN
abuse.
1. Use of the SSN as the driver's license number
Finding: At this time, individuals have a choice in those remaining
states that continue to use the SSN as the driver's license number.
This practice means that each check written includes one's SSN and that
individuals with social security numbers on their license suffer
greater loss due to lost/stolen wallets.
Recommendation: Due to lack of consumer education, ITRC believes
that states MUST be required to adopt a random number system and
replace the SSN on all drivers' licenses within 1 year of the passage
of this legislation.
2. Identity theft and the Deceased
Finding: Despite a person's death, a SSN continues to be active and
may be used for the extension of credit. The Master Death Registry
controlled by the SSA does not include the names of all deceased.
Information is added to this list in a variety of methods, some of
which are only consumer generated. Too many stories have been printed
and too many cases have occurred where a deceased individual's SSN has
been used to get credit.
Example: Florida Department of Law Enforcement agents arrested
William Troy Herman and Ronnie J. Skipper for fraud. Agents say the duo
used the personal information of seven deceased individuals to obtain
credit cards in the victims' names.
This causes problems for the estate and additional stress on the
bereaved. The letters we receive from them are painful and their
distress is evident.
Recommendation: ITRC's executive directors are currently working
with Senator Corzine and U.S. House Representative Gutierrez on
legislation to correct this issue. It would make sure that all deaths
are recorded on the death register, forwarded to the repositories that
will then mark all of those SSNs as ``Deceased, do not issue credit.''
This list must be designated as not to be sold, distributed or used for
any purpose other than the one itemized above.
3. Identity Theft of Children
Finding: There are several types of child identity theft scenarios
that ITRC typically sees:
It's a split family. One of the parents finds out that
the other parent (or the ``friend'' of the parent) has begun to use the
child's identity to gain credit or a driver's license. This is usually
because they have already ruined their own credit or driving record.
They plan on ``fixing'' everything before that child reaches 18. They
even swear they were planning on paying all the bills accrued under the
child's SSN. The reality is that they eventually will ruin the child's
credit just as they ruined their own.
Upon reaching 16, the child applies for a driver's
license. They are denied because someone already has a driver's license
using that SSN.
Upon reaching 17 and applying for a college loan, the
teen finds out he or she cannot qualify due to a poor credit rating.
This has sometimes resulted in a one-year delay in starting college.
Upon reaching 18, the now adult child is denied credit,
unable to gain employment or rent an apartment due to a poor credit
rating. They find out that someone has used their info for the past 10
years and they are $15,000 in debt. Before their true adult life has
begun, it is tainted and may take years to clear up.
Now an adult and in the workplace, the victim finds it
difficult but not impossible to get credit. Perhaps they think it is
because of their youth and that the first card they did get they
mishandled and perhaps had to pay off over time. They have never
checked their credit reports until one day a collection notice reaches
them--perhaps at the age of 25 or even 30. Once checking their credit
reports, they find out that for the last 15 years someone else has been
opening up accounts in their name.
Their imposters often are family members, parents or guardians, or
may be illegal aliens who purchased the information from traffickers
who purposely sell information that belongs to children due to the
lengthy time prior to crime discovery.
Recommendation: Elderly and children are deserving of additional
protection under the law. No one disagrees with that. We must assume
the role of caregivers and make sure that those individuals are not
abused--physically or financially. ITRC's recommendation is that the
SSA creates a list using birth records of all SSN and birthdates. This
list would be given to the repositories that may not sell, distribute
or use it for other than the intended purpose. Should a credit
application be submitted with the SSN of an individual (child) on the
list, then that application must be further investigated and such
investigation well documented. When a child reaches the age of
majority, their information would be deleted from the list. ITRC would
also like to see any person who commits child identity theft receive an
enhanced penalty for this crime.
4. The need to find alternate ways to protect identifying numbers used
by the government: military ID number, Medicare/MediCal number, etc.
Finding: On July 6, 2003, Parade Magazine's (in the Sunday paper)
centerpiece discussed identity theft. More than 70% of the emails ITRC
received were from people either concerned about lost and stolen wallet
issues or from people who are angry at either governmental agencies
(SSA, military) or health providers that place the SSN on a card they
must carry on a daily basis. Those many concerns must not go unheard.
Lost and stolen wallets are a prime way for thieves to gather
information. Unfortunately, the federal government as well as state
governments (and health providers) also use SSN as employee or member
numbers: military, elders and Medicare, etc. These numbers are seen by
dozens of people through the course of daily activities. Colleges and
universities must also be included in this list since NY is the only
state that prohibits the use of the SSN as the student identifier and
almost all college students we have spoken with have told us that it is
being used as their student ID number--often written down on rosters,
papers passed around classrooms, posted on bulletin boards, placed on
college transcripts, etc.
Recommendation: If the SSN must be in the database, then we must
find a way to assign a random number that will be on the card that is
carried and put on the multiple forms that are filled out by the
individual. Right now, college students, seniors and military are our
most vulnerable population groups due to the fact that their SSN is so
widely known and used. That number can be linked in a database if
necessary, at a high level of security. If the federal government
expects the business community to change systems, it must lead by
example.
5. Overuse of the SSN
Findings: The following categories demonstrate the problem of the
overuse of the SSN.
Employer use of SSN as individual employee (private or
governmental) ID number, including public display of such, e.g.,
timecards, timesheets, cash register use number, badges, etc.
The use of the SSN as an identifier by a business group,
printed on a card carried by the person on a regular basis.
Mail theft--where the SSN is printed unnecessarily on the
document being mailed and is intercepted by another person.
Theft of SSN given in good faith to a business who
required the information to complete a transaction or activity--e.g.,
get health care benefits.
Domestic abuse, harassment of an ex--due to extensive use
of the SSN as an identifier. Most of us know the SSN of our spouses,
ex-lovers, etc. This crime is a perfect tool to harm another.
Recommendations: Private entities may not use the SSN other than
for tax purposes or other purposes so designated by either state or
federal governmental agencies. They may not publicly display, use, sell
or share the information. Language for a bill may be found in
California's SSN Confidentiality bills, many written by CA Senator
Debra Bowen.
6. SSN Protection
Findings: It is critical that any entity, whether private or
governmental, safeguard identifying information properly. The following
categories are just some of the areas that must be included in any
legislation considered.
Need to render all sensitive information unreadable prior
to disposal, electronic or in paper format
Restrict collection of information not needed for the
necessary task or program
Need to require adequate database and paper information
storage
Need to require notification of any database or
information breach
Recommendations: It is critical that minimum standards be set for
acquiring, access, disposal, storage and breach of information fields
that include the SSN as well as other sensitive information. This
includes what information may be requested by a company and when. For
example, no one is hired on the basis of a job application. That is a
screening device and hundreds may be collected for a single job. Yet
each one asks for your SSN. Why? All they need to do at that stage is
ask if you have a SSN and would be willing to provide it upon request.
That information can be exchanged when an employer is narrowed the
field and is serious about a new hire. This protects consumers from
overextension and viewing of the SSN (think of the many applications a
job seeker fills out) and limits the company's liability in terms of
acquiring and storage of sensitive information. Language for some of
these bills can be found in some new California laws as well as in some
of the bills now under consideration at the federal level.
7. Restrictions on sale of SSN and credit info
Finding: The less people with access to SSNs, the less opportunity
there is for leakage to identity thieves.
Recommendation: Federal restrictions on the sale, exchange or
transfer of SSN and credit info to third parties by governmental
agencies or private entities.
8. Restriction on public posting of SSN
Finding: This problem falls into two categories: websites and
public records. Both allow unlimited viewing by both criminals and
people with legitimate purposes.
Recommendations:
Federal restrictions regarding the publication of SSNs of
individuals, alive or dead, on web sites, e.g., Ancestry.com.
Federal requirements to truncate parts of SSN and other
sensitive information (to be decided by committee) on documents
available to the public, e.g., electronic court records, birth and
death certificates, etc., unless the requesting party has a legitimate
reason for such information.
IN CONCLUSION:
The crime of identity theft, like any other thing in our society
grows, evolves and constantly changes along with the changes in our
society. In 1970, the writers of the FCRA could not have predicted the
credit trends and practices of the year 2003. They created the FCRA
when all business was conducted in person, in communities where people
were known and applications could be verified.
When FDR expanded the use of the SSN as an identifier, he could not
have anticipated the Pandora's box that he would open. It was
impossible to predict the impact of the information age and how
computer technology would allow a crime like identity theft to
flourish.
In 2000, the FTC held a hearing on ID theft in which ITRC
participated. The FTC has continued to monitor this crime through its
databases and through victim panels. The information has not changed,
nor have the laws. In fact, members of ITRC's staff has attended
hearings and provided information for years now to federal legislators
and governmental agencies about changes that need to be made, but few
if any bills have been passed. The most recent was passed because of
its link to Homeland Security. It imposes higher penalties for all
those criminals who are not caught in the first place.
Now it has come down to the final question. Can you meet the
challenge to create and pass the much-needed bills in a timely manner,
prior to the end of this year? If you cannot, then all this action and
activity is nothing more than talk. If you are serious about identity
theft and feel you can address it sufficiently on a national basis,
this is your opportunity to prove it. But keep in mind--we (consumer,
victims, advocates and the business community who care about combating
this crime) have high standards for the laws that you pass. We will not
accept weak laws that either do little to help the situation or weaken
existing laws that have a proven track history. State legislators will
take action where the Federal government fails to.
ITRC's sole purpose is to combat this crime and to help victims.
Its fear is that the public will be promised strong laws that allow for
expansion and redirection as this crime evolves, but such laws will
never materialize.
ITRC believes it is the time for some action. We need the subjects
covered by this testimony to be addressed and signed into law. The
greatest leaders throughout history have led by example. They never
asked of others what they were not willing to do themselves. The
federal government must also change their practices by protecting SSNs
for military personnel, our seniors and governmental employees.
Otherwise, they do not have the right to ask the business community to
comply. This administration and this Congress must take the lead and
set the standard for the rest of the country. It is up to you to show
us that this crime is being taken seriously by one and all.
Thank you for your time and consideration.
Chairman SHAW. Mr. Hoofnagle.
STATEMENT OF CHRIS JAY HOOFNAGLE, DEPUTY COUNSEL, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. HOOFNAGLE. Thank you, Chairman Shaw, and Members of the
Subcommittee. My name is Chris Hoofnagle, and I am Deputy
Counsel with the Electronic Privacy Information Center. We
appreciate the opportunity to testify on this very important
matter today. In our written testimony, we detailed the
development of the SSN and historical attempts to regulate the
identifier. As you are well aware, today the SSN plays an
unparalleled role in the identification, authentication and
tracking of Americans, but I would like to focus my comments
today on several recent developments--developments that include
large-scale theft of identity cases, the continued use of a SSN
by private sector actors, including colleges and universities
and the role of States in passing Social Security legislation.
I believe these developments continue to institute more
evidence that a national framework for privacy protection for
the SSN is necessary. Accordingly, I am here to make only one
recommendation today, and that is to ask the Committee to
reintroduce H.R. 2036 from the 107th Congress. That is an
excellent measure. Many of its provisions will allow us to put
the SSN genie back into the bottle. Often in the privacy
debate, people say it is too late, that your privacy is already
gone, but as we have seen with telemarketing, it is possible to
assign rights and responsibilities and personal data and help
put our private information back into the bottle and safeguard
individual rights.
Again, I think there are three recent trends that are worth
highlighting. The first, of course, is that the SSN continues
to be the key to identity theft, as Mr. Wern testified. In our
written testimony, we identify several cases where identity
thieves or computer crackers have targeted databases that
contain the SSN. In a New York case SSNs were stolen from a
State insurance fund, a college and several private businesses.
Another involved a computer help desk employee who using access
codes for Ford Motor Credit was able to obtain tens of
thousands of credit card reports with SSNs from Experian. Yet
another involved employees who took advantage of a patient
identification system that used the SSN to commit identity
theft. Researchers at Michigan State University recently
studied over 1,000 identity theft cases and found that victims
in 50 percent of the cases specifically reported that the theft
was committed by an employee of the company that maintained
their personal information. There is very little an individual
can do about these identity theft cases that are insider jobs
or cases where personal information is stolen from a database,
and this is one of the reasons why we think we need to get the
SSN out of circulation, to stop reliance on the identifier,
because in most cases, you can't prevent its theft.
Another trend illustrated in our written testimony is that
many public and private sector entities continue to use the SSN
for identification. As we have testified before, in most cases,
it is wholly unnecessary for a business to collect your SSN.
The Blue Cross/Blue Shield insurance cards that Representative
Cardin and Mr. Wern held up contain their SSN, and there is
absolutely no reason for them to do that. They could assign a
random identifier, and the only case where they actually need
to collect the SSN is when your health costs actually have a
tax consequence. Nevertheless, recent news reports indicate
that major companies, including Blockbuster Video, Sam's Club,
and Costco continue to demand a SSN for membership. A related
problem is that many colleges and universities in the country
continue to use a SSN as the primary student identifier. In a
recent study done by the American Association of Collegiate
Registrars of 1,300 institutions, half of those polled claim
that they still use a SSN as a primary identifier. It is
actually on the card, the student identity card, or in the
record database.
These trends involving use and misuse of the SSN and
identity theft have actuated State leaders to create new
protections for personal information. In the college and
university context, about six States have passed laws saying
that schools can't use the SSN as the identifier. In Florida,
there was a special grand jury report that recommended that
SSNs be scrubbed from public records and from private
institutions. They noted specifically that one of the major
problems about the SSN was that local governments were asking
for it, and then the local government would place it in the
public record. In California, Senate bill S. 1386 went into
effect just a couple weeks ago, and that legislation requires
people who maintain databases that have SSNs in it, to give
notice to individuals if their SSN is stolen out of the
database. So, assigning a responsibility to people who actually
collect the SSN or maintain it can often create new
protections. I see that my red light is on, so let me just come
to our recommendation, and that is that we do hope that
Chairman and other Members will reintroduce H.R. 2036, and we
have ideas for substantive improvements to it that we are happy
to share with you, many of which are included in our written
testimony. Thank you for the opportunity to testify today.
[The prepared statement of Mr. Hoofnagle follows:]
Statement of Chris Jay Hoofnagle, Deputy Counsel, Electronic Privacy
Information Center
Chairman Shaw, Ranking Member Matsui, and Members of the
Subcommittee, thank you for extending the opportunity to testify on use
and misuse of Social Security Numbers.
My name is Chris Hoofnagle and I am deputy counsel with the
Electronic Privacy Information Center (EPIC), a not-for-profit research
organization based in Washington, D.C. Founded in 1994, EPIC has
participated in cases involving the privacy of the Social Security
Number (SSN) before federal courts and, most recently, before the
Supreme Court of New Hampshire.\1\ EPIC has also taken a leading role
in campaigns against the use of globally unique identifiers (GUIDs)
involving the Intel Processor Serial Number and the Microsoft
Corporation's Passport identification and authentication system. EPIC
maintains an archive of information about the SSN online at http://
www.epic.org/privacy/ssn/.
---------------------------------------------------------------------------
\1\ Estate of Helen Remsburg v. Docusearch, Inc., et al, C-00-211-B
(N.H. 2002). In Remsburg, the ``Amy Boyer'' case, Liam Youens was able
to locate and eventually murder Amy Boyer through hiring private
investigators who tracked her by her date of birth, Social Security
Number, and by pretexting. EPIC maintains information about the Amy
Boyer case online at
http://www.epic.org/privacy/boyer/.
---------------------------------------------------------------------------
I appreciate the opportunity to testify today. In the testimony
below, we will first review historical and recent attempts to regulate
the use of the SSN. This section demonstrates that there is ample
legislative and judicial support for limitations on the collection and
use of the SSN.
The second section describes trends involving the SSN. These
include:
A statistical rise in identity theft complaints to
federal authorities.
The occurrence of several large-scale identity theft
cases, many of which involved ``insiders'' or other trusted persons who
had access to SSNs.
Colleges, universities, and other schools continue to
identify students by the SSN.
Health providers and insurance companies continue to
identify individuals by the SSN.
Companies continue to condition access to products and
services on disclosure of the SSN.
Litigation has provided more privacy for SSNs in some
cases.
Privacy advocates and other activists have posted public
officials' SSNs to protest government activity.
A number of states are innovating solutions to the SSN
problem.
Finally, in the last section we recommend that the Committee
revisit 107 H.R. 2036, The Social Security Number Privacy and Identity
Theft Protection Act of 2001. That bill, which enjoyed wide bipartisan
support in the last Congress, should be reintroduced and passed by this
Congress. Alternatively, we recommend that the Committee consider 108
H.R. 1931, the Personal Information Privacy Act of 2003. That bill
would establish important protections for the SSN, including moving the
SSN ``below the line'' on the credit report.
I. Historical Regulation of the Collection and Use of the SSN
The Social Security Number (SSN) was created in 1936 as a nine-
digit account number assigned by the Secretary of Health and Human
Services for the purpose of administering the Social Security laws.
SSNs were first intended for use exclusively by the federal government
as a means of tracking earnings to determine the amount of Social
Security taxes to credit to each worker's account. Over time, however,
SSNs were permitted to be used for purposes unrelated to the
administration of the Social Security system. For example, in 1961
Congress authorized the Internal Revenue Service to use SSNs as
taxpayer identification numbers.
A major government report on privacy in 1973 outlined many of the
risks with the use and misuse of the Social Security Number. Although
the term ``identify theft'' was not yet in use, Records Computers and
the Rights of Citizens described the risks of a ``Standard Universal
Identifier,'' how the number was promoting invasive profiling, and that
many of the uses were clearly inconsistent with the original purpose of
the 1936 Act. The report recommended several limitations on the use of
the SSN and specifically said that legislation should be adopted
``prohibiting use of an SSN, or any number represented as an SSN for
promotional or commercial purposes.'' \2\
---------------------------------------------------------------------------
\2\ Department of Health, Education, and Welfare, Records,
Computers, and the Rights of Citizens 108-35 (MIT 1973) (Social
Security Number as a Standard Universal Identifier and Recommendations
Regarding Use of Social Security Number).
---------------------------------------------------------------------------
In response to growing risks over the accumulation of massive
amounts of personal information and the recommendations contained in
the 1973 report, Congress passed the Privacy Act of 1974.\3\ Among
other things, this Act makes it unlawful for a governmental agency to
deny a right, benefit, or privilege merely because the individual
refuses to disclose his SSN. This is a critical principle to keep in
mind today because consumers in the commercial sphere often face the
choice of giving up their privacy, their SSN, to obtain a service or
product. The drafters of the 1974 law tried to prevent citizens from
facing such unfair choices, particularly in the context of government
services. But there is no reason that this principle could not apply
equally to the private sector, and that was clearly the intent of the
authors of the 1973 report.
---------------------------------------------------------------------------
\3\ 5 U.S.C. � 552a.
---------------------------------------------------------------------------
Section 7 of the Privacy Act further provides that any agency
requesting an individual to disclose his SSN must ``inform that
individual whether that disclosure is mandatory or voluntary, by what
statutory authority such number is solicited, and what uses will be
made of it.'' At the time of its enactment, Congress recognized the
dangers of widespread use of SSNs as universal identifiers. In its
report supporting the adoption of this provision, the Senate Committee
stated that the widespread use of SSNs as universal identifiers in the
public and private sectors is ``one of the most serious manifestations
of privacy concerns in the Nation.'' Short of prohibiting the use of
the SSN outright, the provision in the Privacy Act attempts to limit
the use of the number to only those purposes where there is clear legal
authority to collect the SSN. It was hoped that citizens, fully
informed where the disclosure was not required by law and facing no
loss of opportunity in failing to provide the SSN, would be unlikely to
provide an SSN and institutions would not pursue the SSN as a form of
identification.
It is certainly true that the use of the SSN has expanded
significantly since the provision was adopted in 1974. This is
particularly clear in the financial services sector. In an effort to
learn and share financial information about Americans, companies
trading in financial information are the largest private-sector users
of SSNs, and it is these companies that are among the strongest
opponents of SSN restrictions.
Outside the financial services sector, many companies require the
SSN instead of assigning an alternative identifier. These requirements
appear in a myriad of commercial interchanges, many of which absolutely
do not require the SSN. For instance, Golden Tee, a popular golf video
game, requires players to enter their SSN in order to engage in
``tournament play.'' \4\ The company could assign its own identifier
for players, but instead relies upon the SSN, which puts players at
risk by requiring them to further circulate personal information.
---------------------------------------------------------------------------
\4\ Official ITS Rules, at http://www.itsgames.com/ITS/
its_rules.htm.
---------------------------------------------------------------------------
It is critical to understand that the legal protection to limit the
collection and use of the SSN is still present in the Privacy Act and
can be found also in recent court decisions that recognize that there
is a constitutional basis to limit the collection and use of the SSN.
When a Federal Appeals court was asked to consider whether the state of
Virginia could compel a voter to disclose an SSN that would
subsequently be published in the public voting rolls, the Court noted
the growing concern about the use and misuse of the SSN, particularly
with regard to financial services.\5\ The Fourth Circuit said:
---------------------------------------------------------------------------
\5\ Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993).
Since the passage of the Privacy Act, an individual's concern
over his SSN's confidentiality and misuse has become
significantly more compelling. For example, armed with one's
SSN, an unscrupulous individual could obtain a person's welfare
benefits or Social Security benefits, order new checks at a new
address on that person's checking account, obtain credit cards,
or even obtain the person's paycheck. . . . Succinctly stated,
the harm that can be inflicted from the disclosure of a SSN to
an unscrupulous individual is alarming and potentially
financially ruinous.\6\
---------------------------------------------------------------------------
\6\ Id.
---------------------------------------------------------------------------
The Court said that:
The statutes at issue compel a would-be voter in Virginia to
consent to the possibility of a profound invasion of privacy
when exercising the fundamental right to vote. As illustrated
by the examples of the potential harm that the dissemination of
an individual's SSN can inflict, Greidinger's decision not to
provide his SSN is eminently reasonable. In other words,
Greidinger's fundamental right to vote is substantially
burdened to the extent the statutes at issue permit the public
disclosure of his SSN.\7\
---------------------------------------------------------------------------
\7\ Id.
The Court concluded that to the extent the Virginia voting laws,
``permit the public disclosure of Greidinger's SSN as a condition of
his right to vote, it creates an intolerable burden on that right as
protected by the First and Fourteenth Amendments.'' \8\
---------------------------------------------------------------------------
\8\ Id.
---------------------------------------------------------------------------
In a second case, testing whether a state could be required to
disclose the SSNs of state employees under a state open record law
where there was a strong presumption in favor of disclosure, the Ohio
Supreme Court held that there were privacy limitations in the federal
Constitution that weighed against disclosure of the SSN.\9\ The court
concluded that:
---------------------------------------------------------------------------
\9\ Beacon Journal v. City of Akron, 70 Ohio St. 3d 605 (Ohio
1994).
---------------------------------------------------------------------------
We find today that the high potential for fraud and victimization
caused by the unchecked release of city employee SSNs outweighs the
minimal information about governmental processes gained through the
release of the SSNs. Our holding is not intended to interfere with
meritorious investigations conducted by the press, but instead is
intended to preserve one of the fundamental principles of American
constitutional law--ours is a government of limited power. We conclude
that the United States Constitution forbids disclosure under the
circumstances of this case. Therefore, reconciling federal
constitutional law with Ohio's Public Records Act, we conclude that
[the provision] does not mandate that the city of Akron discloses the
SSNs of all of its employees upon demand.\10\
---------------------------------------------------------------------------
\10\ Id.
---------------------------------------------------------------------------
In an important recent case from the U.S. Court of Appeals for the
D.C. Circuit, a Court upheld the Federal Trade Commission's
determination that SSNs are nonpublic personal information under the
Gramm-Leach-Bliley Act.\11\ The Court rejected First and Fifth
Amendment challenges to regulations that restricted the use of the SSN
without giving the individual notice and opportunity to opt-out.
Additionally, the Court upheld regulations that prohibited the reuse of
SSNs that are furnished to credit reporting agencies.\12\
---------------------------------------------------------------------------
\11\ Trans Union L.L.C. v. Fed. Trade Comm'n, No. 01-5202, 295 F.3d
42 (D.C. Cir. 2002), at http://pacer.cadc.uscourts.gov/common/opinions/
200207/01-5202a.txt.
\12\ Id. In another recent case, the D.C. Circuit rejected a First
Amendment challenge to the use of credit reports for marketing
purposes. Trans Union v. FTC, 245 F.3d 809 (D.C. Cir. 2001), cert.
denied, 536 U.S. 915 (2002).
---------------------------------------------------------------------------
While it is true that many companies and government agencies today
use the Social Security Number indiscriminately as a form of
identification and authentication, it is also clear from the 1936 Act,
the 1974 Privacy Act, and these three cases--Greidinger v. Davis,
Beacon Journal v. City of Akron, and Trans Union v. FTC--that there is
plenty of legislative and judicial support for limitations on the
collection and use of the SSN. The question is therefore squarely
presented whether the Congress will at this point in time follow in
this tradition, respond to growing public concern, and establish the
safeguards that are necessary to ensure that the problems associated
with the use of the SSN do not increase.
II. Recent SSN Trends
Just in the last eighteen months, there have been a number of
important SSN developments. These developments, which range from large-
scale incidents of identity theft to continued reliance on the SSN in
the private sector, underscore the continued need for a national
framework of protections for the SSN.
Identity Theft Complaints Increase
The FTC reported on January 22, 2003 a large increase in the number
of fraud complaints and a doubling of the dollar loss attributable to
fraudulent activities directed at US Consumers.\13\ The agency noted
that the number of fraud complaints rose from 220,000 in 2001 to
380,000 in 2002 and the loss to consumers grew from $160 million in
2001 to $343 million in 2002. The report revealed that identity theft
topped the list, accounting for 43% of the complaints lodged in the
Consumer Sentinel database.
---------------------------------------------------------------------------
\13\ Fraud Charges Jump in 2002 on Consumer Complaints, ID Thefts,
Electronic Commerce & Law Report, Vol 8(4), Jan. 29, 2003, 88.
---------------------------------------------------------------------------
The SSN Continues to be the Key to Identity Theft
On January 10, 2002, a special Florida grand jury commissioned to
investigate identity theft recommended stronger legal protections for
personal data, including SSNs, held by business and State agencies.\14\
It called for laws that would prohibit the credit industry from selling
personal data without consumer consent, and would stop State agencies
from disseminating personal information under the open records law
without individual consent, court order, or the articulation of a
compelling need. The panel charged 33 individuals with criminal use of
personal identifying information, fraud, grand theft, and money
laundering. The grand jury estimated that the current $2.5 billion
nationwide cost of identity theft is expected to grow to $8 billion by
2005. It cited health clubs and video rental stores requiring SSNs on
applications and local governments asking for SSNs on routine
transactions.
---------------------------------------------------------------------------
\14\ Identity Theft in Florida, Sixteenth Statewide Grand Jury
Report, SC 01-1095, Supreme Court of Florida, Jan. 10, 2002, at http://
www.idtheftcenter.org/attach/FL_idtheft_gj.pdf;see also Florida ID
Theft Panel Backs More Safeguards for Government and Corporate Data,
Privacy Times, Vol 22(3), Jan. 30, 2002, 3-4.
---------------------------------------------------------------------------
In August 2002, New York Attorney General Eliot Spitzer reported
that law enforcement authorities had broken ``a massive identity theft
ring.'' \15\ The information involved included SSNs, credit card
numbers, and bank account information stolen from the NY State
Insurance Fund, Social Security Administration, Empire State College,
WNYC radio, Hollywood video, Worldcom Wireless, and American Express.
The indictment alleges that this personal information was stolen
between 1998 and 2002, and used to purchase computer equipment, cell
phones, and other merchandise.
---------------------------------------------------------------------------
\15\ New York Authorities Say They've Cracked `Massive' Identity
Theft Ring, Four Indicted, Electronic Commerce & Law Report, Vol 7(31),
Aug. 7, 2002, p. 794.
---------------------------------------------------------------------------
In November 2002, it was discovered that a former computer help
desk employee had obtained 30,000 credit reports directly from a credit
reporting agency. The former employee sold the reports to others for
between $30-60 each.\16\ The information was used for credit fraud.
---------------------------------------------------------------------------
\16\ Huge ID-theft ring broken; 30,000 consumers at risk, Seattle
Times, Nov. 26, 2002.
---------------------------------------------------------------------------
In December 2002, personal health care information, including SSNs,
of more than 500,000 military personnel, retirees and family members in
16 Midwestern and western States were stolen from a military
contractor. Also stolen were some active-duty service members' claims
processing information, which include their names, SSN, and list of
medical procedures and diagnosis codes for medical care already
performed.\17\ TriWest stated that it attempted to notify beneficiaries
by sending them letters and by posting notices on its web site. The
database was not encrypted and TriWest relied on the SSN as an
identifier.
---------------------------------------------------------------------------
\17\ Patient Data, 500,000 SSNs Stolen From DOD System, Privacy
Times, Vol 23(1), Jan. 2, 2003, 2.
---------------------------------------------------------------------------
In February 2003, two former employees of health facilities and six
others were charged with stealing patient SSNs that were used to open
fraudulent credit card and phone accounts.\18\ The suspects stole
$78,000 in goods and services. One of the facilities involved has now
implemented a new patient information system that doesn't label
patients by the SSN.
---------------------------------------------------------------------------
\18\ Margaret Zack, Eight charged with stealing patient IDs for
credit cards, Star Tribune, Feb. 21, 2003, p. 1B.
---------------------------------------------------------------------------
Because of these and other developments, the Wall Street Journal,
in its 2003 ``to not do list,'' advised individuals not to give out
their SSN: ``Don't give out your Social Security number unless you have
to: With identity theft a growing problem, you should be extremely
cautious about giving out that information. Many organizations ask for
it, from volunteer groups to retail stores to Web sites, but not all of
them require you to provide it.'' \19\
---------------------------------------------------------------------------
\19\ A To-Don't List For the New Year, Hot to Fix Your Life in
2003, Wall Street Journal, Dec. 31, 2002.
---------------------------------------------------------------------------
But as the cases listed above illustrate, many identity theft cases
are ``insider jobs,'' committed by employees who obtain access and
misuse individuals' personal information stored in their employers'
databanks. Researchers at Michigan State University recently studied
over 1000 identity theft cases and found that victims in 50% of the
cases specifically reported that the theft was committed by an employee
of a company compiling personal information on individuals.\20\ There
is very little that an individual can do to prevent insider jobs, or
cases where the SSN is stolen from a database.
---------------------------------------------------------------------------
\20\ Study forthcoming; results provided in email from Judith M.
Collins, Ph.D., Associate Professor, Leadership and Management Program
in Security School of Criminal Justice, Michigan State University to
EPIC (Apr. 22, 2003, 18:13:35 EST) (on file with EPIC).
---------------------------------------------------------------------------
The SSN is Still Being Used as a Student Identifier
Although privacy protections are important to students, student
development, and to principles of academic freedom, schools have not
always been sensitive to student informational privacy issues. A
handful of states, including Arizona,\21\ New York,\22\ Rhode
Island,\23\ and Wisconsin \24\ have enacted laws to regulate college
and university use of the SSN. Nevertheless, in a survey of 1,300
institutions polled by the American Association of Collegiate
Registrars and Admissions Offers, half reported that they use the SSN
as the primary student identifier.\25\
---------------------------------------------------------------------------
\21\ Ariz. Rev. Stat. � 15-1823.
\22\ N.Y. Educ. Code � 52-b.
\23\ � 42-72.5-2(6); � 16-38-5.1.
\24\ Wisc. Stat. Ann. � 118.169.
\25\ Kristen Gerencher, Social Security numbers up for grabs.
Companies, government lax in preventing identity theft, CBS
MarketWatch, May 7, 2002, at http://cbs.marketwatch.com/news/
story.asp?guid=%7B9A569387%2DE7FD%2D44AB%2D8F5F%2D112D25915DA5%
7D&siteid=mktw
---------------------------------------------------------------------------
In August 2002, it was revealed that a Princeton admissions officer
used the SSNs of applicants to his school to view the Yale University's
web site for admissions. The unauthorized entry allowed Princeton to
learn whether Yale had accepted students who had applied to both
schools. Cracking the system was easy: Anyone who knew an applicant's
birth date and SSN could log on.\26\
---------------------------------------------------------------------------
\26\ John Schwartz, Privacy vs. Security on Campus, The New York
Times, Aug. 4, 2002, p. 3.
---------------------------------------------------------------------------
In March 2003, federal prosecutors charged a University of Texas
student with breaking into a school database and stealing more than
55,000 student, faculty, and staff names and SSNs. The student was
charged with violating the Computer Fraud and Abuse Act of 1986 and the
Identity Theft and Assumption Deterrence Act of 1998. This occurrence
led to a new Texas law protecting against identity theft.\27\
---------------------------------------------------------------------------
\27\ Univ. of Texas SSN, Privacy Times, Vol 23(6), Mar. 17, 2003,
11.
---------------------------------------------------------------------------
Also in March 2003, it was reported that the California State
University's $662 million computer system contains a security flaw that
gives users access to student and employee SSNs and other confidential
data. The problem was known for years, and university officials had
told state auditors they were not going to fix the vulnerability,
citing cost and time concerns.\28\
---------------------------------------------------------------------------
\28\ Terri Hardy, CSU computer flaw allows access to confidential
data, The San Diego Union Tribune, Mar. 22, 2003, p. A-13.
---------------------------------------------------------------------------
In May 2003, a 17-year-old student of a Chino, CA high school
allegedly cracked the school's computer system, changing his and a
classmate's grades and also tapping into confidential student
information, including the SSN.\29\ Apparently, 1,744 students had
their SSNs in the database.
---------------------------------------------------------------------------
\29\ Kristina Sauerweine, Youth Hacked Into Database, Los Angeles
Times, May 21, 2003, p. 5.
---------------------------------------------------------------------------
For model approaches to the transition to an alternative student
identifier, I would look to the leadership of Virginia Rezmierski,
Professor at the Gerald R. Ford School of Public Policy at the
University of Michigan.\30\ Additionally, officials at the University
of Illinois have established a procedure to reduce reliance on the
SSN.\31\ The University of Pennsylvania is addressing the issue as
well. That institution appointed Lauren Steinfeld, a former privacy
expert at the Office of Management and Budget, to address SSN issues.
---------------------------------------------------------------------------
\30\ See also Privacy and the Handling of Student Information in
the Electronic Networked Environments of Colleges and Universities,
EDUCAUSE White Paper, Apr. 1997, at http://www.educause.edu/ir/library/
pdf/pub3102.pdf.
\31\ Carol Livingstone, Mike Corn & Lisa Huson, University of
Illinois Social Security Number Policy Implementation, Jan. 10, 2001,
at http://www.ssn.uillinois.edu/assets/applets/
UIUC_SSN_Presentation_1_10_2002.pdf; Andrea L. Foster, U. of Illinois
May Be a Model in Protecting Privacy, Chronicle of Higher Education,
Aug. 2, 2002.
---------------------------------------------------------------------------
The SSN Has Become a Default Health Identifier
Many medical providers are using the SSN as a patient identifier.
As David Miller noted in testimony before the National Committee on
Vital Health Statistics:
``It should be noted that the 1993 WEDI [Workgroup for Electronic
Data Interchange] Report, Appendix 4, Unique Identifiers for the Health
Care Industry, Addendum 4 indicated 71% of the payers responding to the
survey based the individual identifier on the Member's Social Security
Number. However 89% requested the insured's Social Security Number for
application of insurance. Clearly the Social Security Number is the
current de facto identifier. . . .'' \32\
---------------------------------------------------------------------------
\32\ Testimony of David S. Miller, Director, Health System
Services, UHC, on the Unique Patient Identification Number at the
National Committee on Vital Health Statistics hearing in Chicago, Jul.
21, 1998, at http://www.cchconline.org/privacy/uhc.php3.
---------------------------------------------------------------------------
But individuals and companies are resisting such use of the SSN.
Acting on employees' suggestions, I.B.M. has requested that health
companies stop using the SSN on insurance cards. According to IBM,
fifteen insurers, which cover about 30,000 of the company's 500,000
employees worldwide have either not responded or indicated that they
will not comply with the request.\33\
---------------------------------------------------------------------------
\33\ Marc Ferris, IBM asks providers to drop SSNs, New York Times,
Feb. 23, 2003, p. 3.
---------------------------------------------------------------------------
SSN Required for Access to Products, Services
Major companies, including Blockbuster, Sam's Club and Costco
continue to demand the SSN and other unnecessary information on their
applications for access to products and services.\34\
---------------------------------------------------------------------------
\34\ A dubious privilege, Chicago Tribune, Feb. 23, 2003, p. 2.
---------------------------------------------------------------------------
SSN Litigation Has Yielded Mixed Results for Privacy Protection
In February 2002, the New Hampshire Supreme Court ruled for the
first time that New Hampshire State residents can sue companies that
sell their personal data or SSN, or obtain their work address through
the use of pretextual phone calls.\35\ The Court found that the sale of
such data was actionable if it subjected a person to foreseeable harm.
It also ruled that people have a reasonable expectation of privacy in
their SSNs, even though SSNs must be disclosed in certain
circumstances. The ruling clears the way for a trial against
Docusearch, the information broker who sold the SSN, home and work
address of Amy Boyer to the man who stalked and murdered her.
---------------------------------------------------------------------------
\35\ Helen Remsburg, Admin of the Estate of Amy Boyer v.
DocuSearch, Inc., et al 2002 U.S. Dist. LEXIS 7952, NH Supreme Court
No. 2002-255, Feb. 18, 2002; N.H. Supreme Court Backs Privacy for SSNs,
Personal Data, Privacy Times, Vol 23(4), Feb. 18, 2003, 3-4.
---------------------------------------------------------------------------
In September 2002, the Fourth Circuit held that individuals cannot
recover damages under the Privacy Act without a showing of actual
harm.\36\ This ruling is in conflict with the law in several other
circuits, and the Supreme Court has granted certiorari in the case. In
Doe v. Chao, the Department of Labor used individuals' SSNs to identify
their compensation claims. As a result, the SSNs were cited in public
records and are now widely available. Although the plaintiff was
embarrassed and placed at risk as a result of the disclosure, the
Fourth Circuit held that one needs other manifestations of emotional
distress in order to prove that harm occurred. We believe that the
Fourth Circuit improperly interpreted the damages section of the
Privacy Act, and we plan to file an amicus brief with the Supreme Court
in support of the plaintiff.
---------------------------------------------------------------------------
\36\ Doe v. Chao, 306 F.3d 170 (4th Cir. 2002).
---------------------------------------------------------------------------
In June 2003, a federal judge in Detroit ruled that the Privacy Act
creates a private right of action for violating procedural rules
relating to SSNs, but only as they apply to federal agencies, not
states or municipalities.\37\ Judge Anna Taylor dismissed a suit
seeking Privacy Act damages from the City of Detroit after its
contractor mailed tax forms to residents with their SSNs printed on the
mailing label. The Judge stated that plaintiff Daniel Schmitt failed to
show that he was adversely affected or that Detroit acted willfully or
intentionally because like the IRS, most local and State tax
authorities request SSN for taxpayer identification purposes. The City
vowed to keep SSNs off labels and attach a disclosure statement to the
tax forms about SSNs, as required by the Privacy Act.\38\
---------------------------------------------------------------------------
\37\ Schmitt v. City of Detroit, et al. 2003 U.S. Dist. LEXIS
10246, (E.D. Mich. 2003).
\38\ Privacy Act Permits Suits Over SSNs, but Not Against Cities,
Privacy Times, Vol 23(13), Jul. 1, 2003, 6.
---------------------------------------------------------------------------
SSNs Are Being Used for Political Protest
California-based Foundation for Taxpayer and Consumer Rights posted
partial SSNs of state legislators who voted in opposition of privacy
legislation.\39\ The group purchased the SSNs online for $26,
demonstrating that access to sensitive information is convenient and
inexpensive.
---------------------------------------------------------------------------
\39\ Christian Berthelsen, Extreme lobbying upsets Assembly,
Lawmakers mad at response to killing privacy bill, San Francisco
Chronicle, Jun. 19, 2003, at http://www.sfgate.com/cgi-bin/
article.cgi?file=/c/a/2003/06/19/ MN127207.DTL.
---------------------------------------------------------------------------
In June 2003, the Attorney General of Washington State decided not
to defend a law designed to prohibit a web site that posts the names,
addresses and home-phone numbers of police in Western Washington. As a
result, Bill Sheehan III of Mill Creek is free to continue publishing
his web site, www.justicefiles.org, which includes names and salaries
of many Western Washington police officers and in some cases their
SSNs, birth dates, home addresses and phone numbers. Sheehan claims
that publishing such information is the best way to hold law-
enforcement officers accountable to the public.\40\
---------------------------------------------------------------------------
\40\ State won't defend law to shut down Web site that publishes
police data, Seattle Times, Jun. 24, 2003, p. B3.
---------------------------------------------------------------------------
States Innovating Solutions
California's Senate Bill 1386 went into effect on July 1, 2003.\41\
That legislation requires companies that maintain SSNs and other
personal information to notify individuals when they experience a
security breach. The bill came in response to an April 2002 incident in
which the records of over 200,000 state employees were accessed by a
computer cracker. The California legislation exceeds federal
protections, as there is no national requirement for notice to
individuals when personal information is accessed without
authorization.
---------------------------------------------------------------------------
\41\ http://www.leginfo.ca.gov/cgi-bin/
postquery?bill_number=sb_1386&sess=PREV&house= B&author=peace
---------------------------------------------------------------------------
More specifically, the legislation creates a notice requirement
where there has been an unauthorized acquisition of an individual's
name along with a Social Security Number, a driver's license number, or
an account number and corresponding access code. The notice requirement
is also triggered when there is a reasonable belief that a security
breach occurred. Notice must be given ``in the most expedient time,''
but may be delayed where it would impede a criminal investigation.
Although this state law does not directly regulate collection or
use of the SSN, it is likely to provide more privacy for Californians.
The legislation places new responsibilities on those who collect the
SSN, as a result, businesses are more likely to avoid collecting the
SSN.
III. Recommendations
107 H.R. 2036, The Social Security Number Privacy and Identity
Theft Protection Act of 2001, was a good proposal. This Congress should
revisit and pass this important bill.
We recommend that the Committee visit the Social Security Number
Privacy and Identity Theft Protection Act of 2001, 107 H.R. 2036, as a
guide to limiting the use of the SSN. The measure was sponsored by
Representative Clay Shaw (R-FL). In the 107th Congress, the bill
enjoyed bi-partisan sponsorship of over 70 Members. The measure
contained a comprehensive set of rights to protect individuals from
identity theft.
Title I of the bill would have established important protections
against public-sector sale or display of SSNs. These provisions will
prohibit the display of the SSN on checks and government-issued
employment cards. The bill would have prohibited disclosure of the SSN
to inmates, and appearance of the SSN in public records. Increasingly,
public records are a source for the collection of personal identifiers
that then can be reused for any purpose.
The bill would have also prohibited ``coercive disclosure'' of the
SSN--the practice of denying a product or service when an individual
refuses to give a SSN. Additionally, Section 203 of that bill would
have placed the SSN ``below the line'' on credit reports. This is an
important and much needed protection that would stem trafficking in
SSNs.
Alternatively, we recommend that the Committee consider 108 H.R.
1931, the Personal Information Privacy Act of 2003. That bill was
introduced by Representative Kleczka (D-WI) in May and referred to the
Committee on Ways and Means. H.R. 1931 would establish important
protections for the SSN, including moving the SSN ``below the line'' on
the credit report. The bill would also limit the use of ``transaction
and experience'' information, and require opt-in consent before credit
or insurance prescreening letters are sent. Such letters are a major
source of the identity theft problem. Under the bill, aggrieved
individuals have a private right of action against violators.
IV. Conclusion
Without a framework of restrictions on the collection and use of
the SSN and other personal identifiers, identity theft will continue to
increase, endangering individuals' privacy and perhaps the security of
the nation. The best legislative strategy is one that discourages the
collection and dissemination of the SSN and that encourages
organizations to develop alternative systems of record identification
and verification. It is particularly important that such legislation
not force consumers to make unfair or unreasonable choices that
essentially require trading the privacy interest in the SSN for some
benefit or opportunity.
It is important to emphasize the unique status of the SSN in the
world of privacy. There is no other form of individual identification
that plays a more significant role in record-linkage and no other form
of personal identification that poses a greater risk to personal
privacy. Given the unique status of the SSN, its entirely inappropriate
use as a national identifier for which it is also inherently
unsuitable, and the clear history in federal statute and case law
supporting restrictions, it is fully appropriate for Congress to pass
legislation.
I am grateful for the opportunity to testify this afternoon and
would be pleased to answer your questions.
Chairman SHAW. We have your written testimony. It will be
made part of the record, and it will be examined closely. Mr.
Collins, will you introduce Mr. Edwards, please.
Mr. COLLINS. It is my pleasure, Mr. Chairman, to introduce
to you a fellow Georgian, Mr. Steve Edwards. Mr. Edwards joined
the Georgia Bureau of Investigation in 1973. For the last 15
years, his work has focused specifically on financial
investigations, health care fraud, and computer crime
investigations. He has been on the National White Collar Crime
Center Board since 1997, and now he is Vice Chairman, which
represents southeast region States--West Virginia, Virginia,
Kentucky, Tennessee, North and South Carolina, Georgia, and
Florida, as well as Puerto Rico and the Virgin Islands. For his
next trip to the Virgin Islands, he plans to take one of the
Congressman from Georgia. He also served as a negotiator for
Georgia Special Weapons and Tactics (SWAT) team. He is a
coordinator of the U.S. Department of the Treasury's Financial
Crimes Enforcement Network, and he has just done a super job
for Georgia, working in the Georgia Bureau of Investigation.
Welcome, Mr. Edwards.
STATEMENT OF STEVE EDWARDS, STATE COORDINATOR, FINANCIAL CRIMES
ENFORCEMENT NETWORK, VICE CHAIRMAN, BOARD OF DIRECTORS,
NATIONAL WHITE COLLAR CRIME CENTER, RICHMOND, VIRGINIA, MEMBER,
GEORGIA'S STOP IDENTITY THEFT NETWORK, CHAIR, INFRAGARD ATLANTA
CHAPTER WATCH AND WARN COMMITTEE, AND SPECIAL AGENT IN CHARGE,
FINANCIAL INVESTIGATIONS UNIT, GEORGIA BUREAU OF
INVESTIGATIONS, DECATUR, GEORGIA
Mr. EDWARDS. Thank you, Mr. Collins. It is a pleasure to be
here, and I am a little overwhelmed by that introduction. I
don't deserve that, but thank you very much. Thank you, too,
Chairman Shaw, for the opportunity to address the Subcommittee
concerning identity theft. What I would like to talk about or
take the opportunity to discuss is the Georgia Stop Identity
Theft Network, and some of the reasons that we formed that
network. A primary complaint of victims of identity theft is
that they are unable to get satisfaction. They are often unable
to find an agency or an organization that is willing to assume
responsibility for helping them to deal with the crime they
have experienced. Victims of identity theft also have
difficulties with legal jurisdiction. For example, if a victim
who resides in Georgia is confronted with identity theft that
occurred in California, local law enforcement in Georgia may
tell them that they do not have jurisdiction or they are not a
victim. To address this problem, Georgia and some other States,
a few other States, require that a police report be generated
for all reported cases of identity theft. This police report is
a useful tool for the victim when reporting a violation to
other organizations. In essence, a primary need for victims of
identity theft is a one-stop shop, whether physical or online.
The Stop Identity Theft Network in October 2002 actually
developed and created and put online a complaint program. Since
that program has been in existence, we have had 233 complaints
processed through it.
The way it works is after the victim files a complaint, the
network submits the complaint to the cities, counties, and
State law enforcement having jurisdiction or venue. Not only in
the State of Georgia, but across the country. Along with the
complaint is a letter explaining to the agency what it means
and the other agencies that have received the same complaints
so they can coordinate their efforts. In the past 30 years, I
have been a Georgia Bureau of Investigation agent. I have seen
no other crime directly affect more friends, associates, and
family members than identity theft. Since 2000, when I became
actively involved in the development of the Stop Identity Theft
Network, I have received an average of two or three telephone
calls per month from someone I know who has been a victim of
identity theft. The illegal use of SSNs is key to laying the
groundwork to take over someone's identity. Containment of
widespread use of SSNs could have a substantial impact in the
prevention of identity theft. This containment is important not
only in areas of government, but the use of SSNs as individual
identifiers within the private sector as well. Examples of
current broad use of SSNs--and this has already been discussed,
but I will say it again--driver's license, student records,
bank accounts, utility services, insurance policies, credit
bureau records, cash checking services, medical services,
apartment rental, employment, membership, and even in some
areas library access.
While it may not be feasible to restrict the use of SSNs to
administer Social Security taxation, it is recommended that
SSNs be restricted for other uses. The development of these
restrictions is appropriately the responsibility of Congress
and consistent with other privacy measures, particularly in the
absence of uniform aggressive action among State and local
governments, as well as the private industry, to reduce
opportunities for identity theft. In those instances where SSNs
are deemed suitable for recording their existent need to create
statutory incentives for organizations to safeguard this
information. While few States have some form of accountability
already on the books, there is no uniformity. In addition,
creating a statutory category of liability would serve both to
increase the victim's chances in civil court and to put the
organizations on notice to change their behavior. It has been
recognized that no Federal law currently limits use or
disclosure of SSNs among private entities. The SSA cannot
control how private entities keep use or distribute SSNs. Thus
leaving the burden on the consumers who have no real power.
Many bills responding to the problem of identity theft have
been introduced in recent Congresses, and several are again
pending. These bills, such as H.R. 2036 which you sponsored in
the 107th Congress, Mr. Chairman, would enhance privacy
protection and otherwise help prevent fraudulent misuse of
SSNs. As you know, other measures are pending in the Congress
to protect personal identifiers. While we are not necessarily
endorsing every aspect of these various measures, we certainly
commend them to your careful consideration as Congress acts
along with the States to better enable effective responses and
efforts to prevent identity theft. Thank you, and thank you Mr.
Collins, for the opportunity to testify before you today; I am
eager to answer any questions you or other Members of the
Subcommittee have. Thank you all.
[The prepared statement of Mr. Edwards follows:]
Statement of Steve Edwards, State Coordinator, Financial Crimes
Enforcement Network, Vice Chairman, Board of Directors, National White
Collar Crime Center, Richmond, Virginia, Member, Georgia's Stop
Identity Theft Network, Chair, Infragard Atlanta Chapter Watch and Warn
Committee, and Special Agent in Charge, Financial Investigations Unit,
Georgia Bureau of Investigations, Decatur, Georgia
Chairman Shaw and members of the subcommittee, thank you for this
opportunity to address this subcommittee concerning the subject of
identity theft.
Introduction
My name is Steve Edwards, and I am Special Agent in Charge of the
Financial Investigations Unit of the Georgia Bureau of Investigations
(GBI), State Coordinator to the U.S. Treasury's Financial Crimes
Enforcement Network (FinCEN), and Vice Chairman on the Board of
Directors of the National White Collar Crime Center (NW3C). In
addition, I am a committee member on the State of Georgia's STOP
IDENTITY THEFT Network and serve as chair on the FBI's InfraGard
Atlanta Chapter Watch and Warn Committee.
GBI is an independent, state-wide agency that provides assistance
to Georgia's criminal justice system in the areas of criminal
investigations, forensic laboratory services and computerized criminal
justice information.
NW3C is a non-profit corporation that provides a national support
network for law enforcement agencies, state regulatory bodies, state
and local prosecution offices, and other organizations involved in the
prevention, investigation, and prosecution of high-tech and economic
crime.
Overview of the Problem: On-the-ground Perspective
I would like to take this opportunity to briefly discuss Georgia's
STOP IDENTITY THEFT (STOP I.T.) Network and some of the reasons for its
formation. A primary complaint of victims of identity theft is, in my
experience, that they are unable to ``get satisfaction.'' By this I
mean that they are often unable to find an agency or organization that
is willing to assume responsibility for helping them to deal with the
crime they have experienced. As a result, victims needlessly contact
one organization after another in an effort to handle the violation,
and may, in the end, receive no assistance at all. In many cases, for
example, local law enforcement tell victims of identity theft, ``you
are not a victim''--particularly if the victim has suffered no direct
financial loss. Their advice is often that the victim should contact
the organization that was used for the perpetration. The organization
involved, in turn, refers the victim to local law enforcement.
Victims of identity theft also have difficulties with the matter of
legal jurisdiction. For example, if a victim who resides in Georgia is
confronted with identity theft that has resulted in a violation in
California, local law enforcement in Georgia may state that they do not
have jurisdiction. To address this problem, Georgia, and other states,
require that a police report be generated for all reported cases of
identity theft. This police report is a useful tool for the victim when
reporting the violation to other organizations, such as a credit
bureau. Unfortunately, other factors--including lack of resources--
often prevent local law enforcement from taking action beyond the
generation of a report.
In essence, a primary need for victims of identity theft is a
``one-stop-shop,'' or a single ``location''--whether physical or
online--where victims can receive information about identity fraud
prevention, file a complaint, and receive guidance concerning recovery
from identity theft violations. In 2000, Georgia's STOP I.T. Network
was conceived as such a location. In October 2002, STOP I.T. went
online for the first time, and since then 233 complaints have been
received and processed.
After receiving a complaint from a victim, STOP I.T. serves as an
intermediary between the victim and a number of agencies. For example,
a complaint from a victim in Georgia is forwarded by STOP I.T. to city,
county and state law enforcement appropriate to the complaint; to local
and state law enforcement in any state where the victim identifies
activity associated with the identity theft; to the FTC; and to the
Internet Fraud Complaint Center. In addition, STOP I.T. sends to each
organization a letter of explanation that includes a list of every
other organization that has received the complaint. Finally, victims
receive information to assist them in protecting against the continued
fraudulent use of their personal information and in recovering
financial and other losses that have resulted from the violation.
In the 30 years that I have been involved in financial crime, I
have seen no other crime directly affect more friends, associates, and
family members than identity theft. Since 2000, when I became actively
involved in the development of STOP I.T., I have received an average of
2 or 3 telephone calls per month from someone I know who has been a
victim of identity theft. Data collected across the nation--to the
extent that data on identity theft exist--also indicate that identity
theft is a crime that is pervasive and expanding rapidly.
Overview of the Problem: Broad Perspective
Identity theft--or the use of ``another person's personal
information in some way that involves fraud or deception'' \1\--is
currently one of the fastest growing crimes in the United States.\2\
Two of the most common forms of identity theft include ``true name
fraud'' and ``account takeover fraud.'' \3\ True name fraud occurs when
someone uses an individual's personal information to open a new
account, and account takeover involves illegal access to an
individual's existing account for the purpose of making fraudulent
charges against the account. Identity theft is also used to facilitate
other crimes--including money laundering, bankruptcy fraud, computer
crimes, and acts of terrorism--by providing a means of concealing the
identity of the criminal and accessing funds or privileges available to
the victim. It is important to note, however, that financial loss is
not a necessary component of identity theft. ``Criminal identity
theft,'' for example, occurs when a victim's personal information is
used by a criminal and subsequently associated with records of criminal
violations, outstanding arrest warrants, or other public information
without the knowledge of the victim.
The Federal Bureau of Investigation (FBI) and other law enforcement
agencies have estimated that between 700,000 and 1.8 million Americans
are victimized by identity theft each year--a figure that has increased
substantially in recent years. In addition, recent surveys (conducted
by Star Systems, a national electronic payments network) indicate that
about 1 in 20 adults in the United States, or about 12 million
Americans, have been victimized by identity theft at least once.\4\
In 2002, the number of identity theft cases reported to the Federal
Trade Commission (FTC) rose to 161,819--almost twice the number
reported in 2001.\5\ Other cases were reported directly to local law
enforcement; reported to other federal agencies, including the FBI,
Secret Service, Internal Revenue Service, and Postal Inspection
Service; or never reported at all.
The cost of identity theft to businesses has been estimated to be
more than $11.9 billion each year.\6\ The costs to victims of this
crime include loss of credit, harm to reputation, and loss of wages, in
addition to the direct loss of money, attorney fees and other recovery
expenses. Despite these losses, and the considerable attention that has
been paid to the problem in recent years, the average arrest rate for
all identity theft cases reported by victims remains around 5
percent.\7\
Identity Theft and the Use of Social Security Numbers
Since the illegal use of social security numbers (SSNs) ``is key to
laying the groundwork to take over someone's identity,'' \7\
containment of the wide-spread use of SSNs could have a substantial
impact on the prevalence of identity theft in the future. This
containment is important not only in areas of government that use SSNs
as individual identifiers, but also in private organizations, which are
increasingly including SSNs on personal records and distributing this
information for a variety of purposes. Examples of the current broad
use of SSNs include
Driver's Licenses: As many as eleven states and the
District of Columbia currently display the SSN on the face of their
drivers' licenses. Several other states require a SSN for the issuance
of a driver's license but do not display the number on its face.
Student Records: Half of colleges and universities use
SSNs to identify students, and 79% include them in official
transcripts, according to a March 2002 survey by the American
Association of Collegiate Registrars and Admissions Officers.
Other Records: A SSN is often required or requested for
services such as bank accounts, utility services, insurance policies,
check cashing services, medical services, apartment rental, extension
of credit, employment, memberships, and library access. SSNs are also
used as reference numbers for credit bureau reports, which are widely
distributed, often without the knowledge of the credit holder.
While it may not be feasible to restrict the use of SSNs to the
administration of Social Security taxation, for which it was originally
designed, it may be feasible to restrict the use of SSNs to a set of
identified purposes for which there is a legitimate legal reason to
collect a SSN. In addition, government agencies and businesses that
collect SSNs can be required to restrict access to SSNs--by employees
and other organizations--and to dispose of records that include SSNs
using specified procedures, e.g., encrypting personal information on
databases and shredding paper documents containing personal
information.
The development of these restrictions is appropriately the
responsibility of Congress, and consistent with other privacy measures
recently passed, particularly in the absence of uniform, aggressive
action among state governments, local governments, and private industry
to reduce opportunities for identity theft. In addition, the increasing
number of cases being pursued by law enforcement throughout the country
evidence the immediate importance of developing these restrictions. For
example,
July 1 and 2, 2003, Consuelo Onate-Banzon and Rony Razon,
and four other individuals, were arrested on charges of identification
and social security fraud. According to the FBI, Onate-Banzon and Razon
worked for the Virginia Department of Motor Vehicles (DMV) and
allegedly produced and sold as many as 1,000 fraudulent Virginia
driver's licenses, with the help of co-conspirators.\8\
On May 8, 2003, Dorian Thomas, age 27, was indicted on
charges of conspiracy, bank fraud, and identity theft. Thomas, an
employee of a financial institution in California, had ``obtained the
confidential member profile information of account holders through
financial institution computers and provided it to others,'' \9\ who
then completed more than $100,000 in fraudulent bank transactions.\10\
Charmaine Northern, age 23, ``pled guilty on March 10,
2003, to obtaining confidential customer account information from the
computer at the financial institution where she was working and using
it to open credit card accounts and incur unauthorized charges
estimated to be approximately $50,000.'' \13\
Kimberly Smart, age 27, was sentenced on December 5,
2002, ``in connection with using her financial institution position to
obtain customer account information from the financial institution
computer and provide it to others.'' \11\ The losses incurred in this
case were approximately $121,146.63.
Philip Cummings, a 33-year-old former ``help desk''
employee of Teledata Communications, Inc., faced charges on November
26, 2002, of accessing credit bureau databases, selling confidential
information, and participating in a fraud scheme that resulted in a
loss of more than $2.7 million to 30,000 victims.\12\
Ivy Johnson, a former employee of H & R Block in White
Plains, New York, was charged in January 2003, for obtaining customers'
personal information, and using the information to divert tax checks,
open new credit card accounts, and making ATM withdrawals in victims'
names.\13\
All of these cases involved access to and use of SSNs. Future cases
of similar violations may be reduced if requirements for specific
safeguards are mandated and enforced by federal statute. In addition to
legislative restrictions, education and training is also important for
the reduction of identity fraud in the future. This education and
training should include
Educating individuals to take active steps to protect
their personal information;
Training state and local law enforcement to identify and
effectively handle identity theft cases, since these cases are often
first reported to state and local rather than federal law enforcement
agencies; and
Educating businesses, including banks and credit bureaus,
to guard against and detect identity theft.
``Best Practices'' to Combat Identity Theft
The following is an analysis of best practices either currently in
place in the states or needed to fulfill assistance functions for
victims of identity theft. These conclusions were generated through a
synthesis of published commentaries and critiques of existing
legislation, peer-reviewed academic articles, and analysis of pending
legislation.
First, it is important to use a broad definition that explains the
substance of the sort of information that should be considered
``identifying information.'' This definition should be broad enough to
include account numbers, scanned or re-encoded credit or account access
cards, and SSNs. Following the establishment of a working definition of
the problem, the research of NW3C has indicated that there are numerous
opportunities to help victims of identity theft.
Practice 1: Explicit recognition of identity theft as a crime committed
against the
individual.
States have taken a variety of approaches to dealing with identity
theft victims. Chief among the issues that create inconsistencies among
states is the nature of victimization in identity theft cases. For
example, victims in states that do not recognize identity theft as a
crime must often seek assistance through civil suits or ancillary
charges. While the place of the civil suit is to rectify injustices
that escape the criminal justice system, it is an arduous task least
likely to be pursued by most people. Such circumstances exemplify a
need for legislation that explicitly criminalizes the dissemination and
misuse of identifying information such as SSNs rather than just the
theft facilitated by information misuse. Specifically, statutory
frameworks should explicitly criminalize identity theft in a manner
that clearly underscores the method of information obtainment, as well
as monetary damages.
Practice 2: Eligibility of identity theft victims for victims' rights
assistance.
The foremost need expressed by victims in recent NW3C research is
for notification of victimization. Indeed, the most comprehensive
framework for protecting the rights of victims and restoring them to
their pre-victimized state is of little use if victims do not know that
a crime has been committed. This is especially true in the instance of
a SSN that is stolen from medical or business documents without the
knowledge of the victim.
In states that do recognize the individual whose identity has been
stolen as an injured party, the degree of victimization is often deemed
to be trivial in comparison to other offences, especially violent ones.
In some states, victims' assistance and, in some cases basic
notification and participation rights, are denied to victims of
property crime and only afforded to those who can demonstrate some form
of physical injury. In other states, victims of non-violent crimes are
only given full protection if the predation is judged to be a felony
offence. It is therefore of great importance that those statutes that
exist to aid crime victims recognize the victims of identity theft as
targets of a serious crime who may require assistance in pulling their
lives back together.
Practice 3: Phasing out use of private identifying information on non-
secure
documents.
While many states no longer use SSNs as identifiers on drivers'
licenses, these numbers are still widely used on non-secure public
documents. For example, many schools that use SSNs as student
identification numbers include these numbers on a variety of forms and
correspondence, and order forms and applications often solicit personal
information. Consequently, a Nexis public records search can reveal
SSNs and dates of birth in seconds. Additionally, organizations that
accumulate personal information apply varying levels of security.
Ultimately, it is unhelpful for a dozen organizations to strictly
protect personal information if only one organization makes that
information publicly available. This issue is associated with the idea
of liability for breaching a duty of confidentiality, but it is also a
change in focus that requires unique legislative attention. In other
words, it is important not only to protect personal information but
also to establish safeguards for handling those forms that document
personal information. What is required is legislation that mandates
strict controls on the circumstances under which the recording of
personal information is justified.
Practice 4: Eligibility for compensation and financial assistance.
Financial assistance is typically reserved for victims of violent
crimes where the perpetrator has not been ordered to provide
restitution or does not have the means to provide effective
restitution. Such practices can also be helpful in identity theft cases
that result from privacy breaches. Financial assistance, unlike
restitution, is able to provide for and compensate immediate financial
outlays without concern for the offender's ability to pay. As the
Privacy Rights Clearinghouse has demonstrated, a victim of identity
theft typically spends as much as $1,200 out-of-pocket to correct the
damage caused by the crime. Thus, just as victims of violent crimes
have a need for funds to cover immediate emergency expenses, so do
victims of identity theft. Therefore, legislation may be needed to
assure that victims of identity theft can qualify for federal victim
assistance funds.
Practice 5: Aid to identity theft victims in clearing their names.
Regardless of the efficiency of the legal system in prosecuting
identity theft cases, victims often face many difficulties in removing
fraudulent information that is associated with their names.
Consequently, victims of identity theft remain vulnerable to future
victimization through the continued use of their SSN on government
documents, most of which require the use of the SSN as a personal
identifier. A great need exists for aid in purging erroneous records
maintained by credit bureaus, police departments, and other
organizations that result from the crime of identity theft. Often, the
mechanism for such corrections is complex, creating barriers for
citizens of limited means or comprehension. Therefore, legislative
guidance for aid to victims of identity theft would be helpful.
Examples of policies that have been enacted by statute (nearly all from
California) to address this problem are
Providing public agency aides to assist victims by making
phone calls, preparing forms, or taking other steps on behalf of the
victims;
Requiring that court records reflect that the person
whose identity was falsely used to commit a crime did not commit that
crime (Cal. Penal Code 530.5(c)); and
Allowing the victim to petition the court for an
expedited determination of factual innocence (Cal. Penal Code 530.6).
Legislative Treatment of Social Security Information
In those instances when SSNs are deemed suitable for recording,
there exists a need to create statutory incentives for companies
(especially, but not limited to, credit card companies) to safeguard
this information. While a few states have some form of accountability
already on the books (California's Information Practices Act and
Delaware's concept of reckless disclosure of information stand out),
none have gone so far as to explicitly create an actionable duty of
care for all entities that collect private identifying information to
protect said information to at least the level to which a reasonable
person would have protected it. Delaware is the only state to even
mention the reckless or negligent disclosure of personal information in
their identity theft legislation.
While civil actions are always available to punish such
disclosures, they do not possess the desired deterrent effect unless
they are easily factored into a rational analysis of policy options. As
it stands, one can only assume that the current rate of identity theft
and credit card fraud are an acceptable cost of business for the
corporations that currently treat with social security numbers and
other private identifying information in an unsafe way. Creating a
statutory category of liability would serve both to increase the
victim's chances in court and to alter the equation for those
corporations, putting them on notice to change their behavior lest it
eat into their profit margin.
California is one state that has imposed liability on entities that
handle personal data. Cal Civ Code � 1798.29 (2003), for example,
requires any agency that ``owns or licenses computerized data that
includes personal information'' to report security breaches to the
people whose personal information may have been compromised. Cal Civ
Code � 1798.82 (2003) extends similar requirements to people and
businesses doing business in California. This approach is proposed for
Federal law in S. 1350, the Notification of Risk to Personal Data Act,
recently filed by Senator Feinstein.
Of course, regardless of how rigorously SSNs are protected, there
will be instances in which they are abused. On this matter, the
following recommendations are proposed:
Make possession of fraudulent social documents either
illegal in and of itself or allow it to create a permissible inference
of forgery. There is already a provision in many forgery and credit
card fraud statutes that states that the ownership of some small number
of forged or unauthorized instruments is enough to create an inference
of a guilty motive without the necessity of proving a definite intent.
Additional measures can be taken to address unauthorized possession of
identifying documents or information. Some states have already adopted
various measures of this type. Alabama and Kentucky lead the way in
this regard, and set the required number of identity documents (a term
that would include social security cards) in one's possession that are
not one's own to create an inference of identity trafficking at five.
When SSNs are abused, they are often abused for long
periods of time. While a victim of a burglary may change their locks, a
victim who was targeted through their SSN has little ability to prevent
this means of victimization in the future. Unless SSNs are easily
changed, the victims of these crimes have little protection against
repeat predation, especially as the SSN is passed to other unscrupulous
types. To address this problem, some sort of repository for compromised
SSNs, which could flag SSNs that have been the target criminal abuse,
could be established.
Current Legislative Issues
It has been recognized that no federal law currently limits use or
disclosure of SSNs among private entities, leaving them free to deny
credit or services without SSNs; and that the Social Security
Administration (SSA) cannot control how private entities keep, use or
distribute SSNs, thus leaving the burden on consumers who have no real
power.\14\
Many bills, taking a variety of approaches to preventing or
enhancing responses to identity theft, have been introduced in recent
Congresses, and several are again pending in this, the 108th Congress.
Some of these legislative measures propose enhancements in the
penalties under the federal ID Theft statute in the interest of
increasing the deterrent effects, or would make modifications aimed at
facilitating investigations or prosecutions. Others go more directly to
the topic at hand today: augmenting the protections against disclosure
and misuse of certain information, including SSNs.
These bills, such as H.R. 2036 which you sponsored in the 107th
Congress, Mr. Chairman, would enhance privacy protections and otherwise
help prevent ``fraudulent misuse'' of SSNs by restricting display or
use of SSNs, restricting dissemination of SSNs or any derivative or
their use as PINs without an individual's consent, and providing for
regulation and criminal punishment of sales and purchases of SSNs. As
you know, measures are also pending to protect other personal
identifying information by, for example, prohibiting sale and
disclosure of personally identifiable information by commercial
entities to non-affiliated third parties absent prescribed procedures
for notice and opportunity to restrict such disclosures.
Specifically,
H.R. 70, the Social Security On-line Privacy Protection
Act, would prohibit an interactive computer service from disclosing to
a third party an individual's SSN or related personally identifiable
information without the individual's prior informed written consent.
H.R. 220, the Identity Theft Prevention Act of 2003
pending before this subcommittee, would, among other things, amend the
Social Security Act and Internal Revenue Code to protect the integrity
and confidentiality of SSNs, prohibiting their use or disclosure except
for specified social security and tax purposes.
H.R. 637, the Social Security Number Misuse Prevention
Act, and the companion bill, S. 228, would, among other things,
prohibit display, sale, or purchase of SSNs without affirmative,
express consent of the persons to whom they belong; prohibit use of
SSNs on government-issued checks, the appearance of SSNs on driver's
licenses or motor vehicle registrations, and inmate access to SSNs;
prohibit commercial entities from requiring individuals to provide SSNs
when making purchases or from denying such purchases if the persons
refuse to provide such numbers; and establish civil and criminal
penalties for misuse of SSNs. (Similar provisions are included within
other, broader bills, including but not limited to S. 745, the Privacy
Act of 2003.)
H.R. 1931, the Personal Information Privacy Act of 2003,
would, in part, prohibit commercial acquisition or distribution of
SSNs, or derivatives, as well as their use as personal identification
numbers, without written consent.
Two other bills very recently filed in the House of Representatives
and pending before the Ways and Means Committee, H.R. 2617, the
Consumer Identity and Information Security Act of 2003, and H.R. 2633,
the Identity Theft Protection and Information Blackout Act of 2003,
include (but are not limited to) provisions that would similarly place
prohibitions or restrictions on certain uses of SSNs.
While we are not necessarily endorsing every aspect of these
various measures, we certainly commend them to your careful
consideration as Congress acts, along with the states, to better enable
effective responses and efforts to prevent identity theft.
Conclusion
Thank you for the opportunity to testify before you today. Mr.
Chairman, I am eager to answer any questions you or other members of
the subcommittee may wish to direct to me.
References
1. U.S. Department of Justice. (2003, July 27). Fraud. Retrieved
July 7, 2003, from http://www.usdoj.gov/fraud.htm
2. U.S. Department of Justice. (n.d.). Identity theft: Prosecution
and protection. Retrieved July 2, 2003, from http://www.usdoj.gov/usao/
txs/releases/May%202002/020502-identitysheet.htm
3. Benner, J., Givens, B. & Mierzwinski, E. (2000). Nowhere to
Turn: Victims speak out on identity theft: A CALPIRG/Privacy Rights
Clearinghouse report. Privacy Rights Clearinghouse. Retrieved June 13,
2002, from http://www.privacyrights.org/ar/idtheft2000.htm
4. Star Systems (STARsm). (2003, April 16). Americans want action
on identity theft. [Press Release]. Retrieved July 7, 2003, from http:/
/www.star-systems.com/cfm/news-press.cfm?id=81
5. Federal Trade Commission. (2003, January 22). National and
state trends in fraud and identity theft: January-December 2002.
Retrieved July 1, 2003, from http://www.consumer.gov/sentinel/pubs/
Top10Fraud_2002.pdf
6. Identity Theft Resource Center. (2003, February). Facts and
statistics. Retrieved July 2, 2002, from http://www.idtheftcenter.org/
facts.shtml
7. Identity Theft Resource Center. (2003, February). Facts and
statistics. Retrieved July 2, 2002, from http://www.idtheftcenter.org/
facts.shtml
8. Federal Bureau of Investigation. (2003, July 7). Operation easy
rider: FBI puts stop to driver's license fraud. Retrieved July 7, 2003,
from http://www.fbi.gov/homepage.htm
9. U.S. Department of Justice. (2003, May 12). Three indicted on
conspiracy to commit bank fraud and identity theft. [Press Release].
Retrieved July 3, 2003, from http://www.cybercrime.gov/thomasIndict.htm
10. Sanchez, E. (2003, May 13). Scam alert: Insider help giving a
new look to bank robberies. The Sacramento Bee. Retrieved July 3, 2003,
from http://www.sacbee.com/content/news/scam_alert/v-print/story/
6657347p-7609218c.html
11. U.S. Department of Justice. (2003, May 12). Three indicted on
conspiracy to commit bank fraud and identity theft. [Press Release].
Retrieved July 3, 2003, from http://www.cybercrime.gov/thomasIndict.htm
12. Masters, B.A. (2002, November 26). Huge ID-theft ring broken;
30,000 customers at risk. The Washington Post. Retrieved July 3, 2003,
from http://seattletimes.nwsource.com/html/consumeraffairs/
134584039_idtheft26.html
13. O'Connor, T. (2003, January 2). Four charged in ID-theft scam.
The Journal News. Retrieved July 3, 2003, from http://
www.nyjournalnews.com/newsroom/010203/A102idtheft.html
14. Harry A. Valetk, Identity Theft: What It Is and How to Protect
Against It, originally published on GigaLaw.com and found November 22,
2002, at http://www.wiredpatrol.org/idtheft/whatisit.html
Chairman SHAW. Mr. Collins.
Mr. COLLINS. Thank you. Mr. Edwards, there has been talk
about the Inspector General, the SSA having statutory authority
to share information with law enforcement. How often have you
requested information from SSA to pursue a criminal?
Mr. EDWARDS. On several occasions, Mr. Collins, but in each
case it was denied to me.
Mr. COLLINS. What was the reason given?
Mr. EDWARDS. At the time, and this is not in the most
recent past, but at the time I was told that they could not
provide that information. Basically, the information I have
been able to obtain from Social Security over the years is, I
can give them a number and they will tell me if it is a valid
number or not. They will not tell me who the number belongs to
or whether it is being used by the correct person.
Mr. COLLINS. How long ago has it been since your last
request? Do you know?
Mr. EDWARDS. Within the last couple of years? Yes, sir. It
has not been in the recent past; quite frankly, because of the
frustration, unless I just need a verification of a SSN, I
rarely call them.
Mr. COLLINS. The Inspector General stated in its testimony
that we need criminal penalties for Social Security misuse
itself, as well as civil monetaries. You mentioned that
possession of fraudulent documents should be illegal in and of
itself. Describe some cases where such law would have been
helpful in investigating or prosecuting an identity theft.
Mr. EDWARDS. Identity theft covers a lot of different
crimes, and there is a lot of crimes that are predicate acts to
identity theft. So, we have used all kinds of charges,
including false writings to the State for driver's license. We
have used it in cases where an individual has actually
falsified a signature to obtain a credit card or some kind of
bank loan or something along that line. So, all of these
different tools that exist out there are very useful to us. We
have an identity theft statute in the State of Georgia, and
where it has helped our victims, and that is who it really
helps, is giving them a vehicle for when. Particularly, like
the scenario I gave where the identity was compromised in
California, under Georgia law we can indict that individual and
extradite them back, and there doesn't have to be a financial
loss, just the virtue that an individual went around portraying
that they were someone else using that individual's identifiers
in the State of Georgia is a crime now and it is a felony. It
carries 5 years, and we are just starting to test that. It went
into law a year ago, July, and we are just now starting to test
that law in the courts. We have had a couple of cases that have
been successful.
Mr. COLLINS. How many other States have that?
Mr. EDWARDS. I am not familiar, Mr. Collins. Quite frankly,
maybe two or three. If that many.
Mr. COLLINS. Thank you, Mr. Edwards.
Mr. EDWARDS. Thank you, sir.
Chairman SHAW. If I could direct a question to Mr. Wern and
Mr. Hoofnagle with regard to, we have been hearing today a lot,
people have been referring to the identifier as putting the
genie back into the bottle. Obviously, the numbers are out
there now, and they will remain out there no matter what we do.
We can certainly stop the distribution, or certainly retard the
distribution through criminal statutes, but a lot of that
information is already in the public domain. I know in Florida,
with the total access that everybody has to public records, it
is going to be very difficult to go back and take those numbers
off of the public records. Whether you are talking about death
certificates or probate files or it goes on and on, probably
divorce files, I would assume they are probably in there
somewhere, it is going to be very, very difficult. It occurs to
me that if you simply prohibit the use of SSN as an
identification for nongovernmental purposes, that it would make
that number somewhat useless for other purposes. Now, quite
obviously if we were looking at this as an identifier, we would
require very stringent requirements as to photographs or
counterfeit proofing. You would have an address and date of
birth and other pertinent information on the card itself, you
would be sure to keep absolutely current with all of that, all
of that information, and you would have had tremendous
safeguards around it and everything else, which obviously the
crooks have picked this up as something that was never
anticipated by those who wrote the statutes.
I understand, Mr. Edwards, that we are looking into the
area that you and Mr. Collins were just discussing with regard
to the access law enforcement has, at least to the name, they
are governed under the Internal Revenue Code, there are
restrictions on giving any information, but I think it is more
based toward wages and things of this nature. We are going to
look into it and see if it prohibits their giving the name of
whomever, whatever number you have; or at least you should be
able to say, I have got John Doe and he has got X-Y-Z number,
is this his number? They should be able to say yes or no to
that. So, we need to work on that. We use that number for so
many number purposes. Tracking deadbeat dads. That was
something I had a lot to do with in welfare reform when we
reformed the welfare system in this country. We don't want to
make it more difficult to track deadbeat dads so they can
fulfill their parental responsibilities. We do need, we
desperately need to stop the distribution of these numbers as
an identifier and as the golden, I think you, Mr. Hoofnagle,
referred to it as the golden key or something of that nature,
to stealing identification. Mr. Wern, you mentioned that you
were victimized and you went through this for about 3 years. I
understand from people who have been in your place, that they
are being warned that it may not be over, that this nightmare
may recur. You have recurring nightmares in this area. How did
they get your number, and was it the SSN that was the key to
the identity theft that you suffered?
Mr. WERN. We don't know for absolute sure how the
perpetrator got the number. He was caught and interrogated, but
his story just didn't make a whole lot of sense. My best guess,
probably 80 percent sure, is that it was on a dental record
that was stolen from my mail. I had some mail stolen, and one
of the things that I know for a fact was stolen was a dental
report or a bill that I know also had that SSN on it. My SSN
was the key to that crime simply because it was sort of the
final piece of information he needed. It was easy enough to get
my address. He knew where I lived, he took my mail. It was easy
enough to get my name and date of birth as well from other
public records. Once he had the SSN, he used it and damaged to
the point, to the point where I actually had to change the SSN,
which is an extreme measure that we don't recommend people
doing. It carries a lot of problems with it, but when you get
to a situation where another person is essentially cloning you,
you don't have a choice.
Chairman SHAW. Several things in the law that I want this
Committee--that we will be looking at, is use of a counterfeit
SSN. You have an illegal alien who is in this country, working.
He gets a counterfeit Social Security card and number, the
identification, and he can go to work. Then it is under a false
number. Later he is legally admitted into the United States and
gets a green card and gets a work permit. He can actually go
back and claim the money that was paid into Social Security
under that false number on his behalf, which to me is somewhat
bizarre that somebody can go back and claim the fruits of their
crime after they are entitled to work under the laws that we
have. These are there are so many things that just don't make a
whole lot of sense, and the more you look into this whole use
of SSNs and how they are used and abused, it becomes more and
more apparent that we definitely need to at least neuter the
use of this number as an identifier so that if somebody does
get hold of it, it will be sort of a, ``so what.'' One of the
ways to do it is to just stop the nongovernment use of this
number, period. Mr. Cardin, do you have any questions for these
witnesses?
Mr. CARDIN. First, let me thank you all for being here. I
apologize I was not here during your entire testimony. As more
and more we talk about this, I am wondering, Mr. Chairman, how
difficult would it be to restrict the use of SSNs to
governmental purposes and not in the private sector. It would
require a lot of changes, the habits of the private sector. So,
your comment was that the missing ingredient, that was the one
bit of information that allowed the identity theft to be
effective obtaining your SSN probably from a medical record
that there was no need for it to be on. So, there is clearly an
abuse in the private sector on the use of SSNs. It is
convenient for them, it is a reliable number, it is set up by
their government. I understand all those arguments as to why it
is convenient to use the SSN for identification by the private
sector, but that is not its intent. The other question about
trying to verify who you are. The fact that you know someone's
SSN is no guarantee at all that that is who you are. So, I am
just wondering, Mr. Chairman, what is the trade-off here, how
difficult it would be for the private sector if we in fact
restricted those numbers? I don't have any specific questions
for any of the witnesses. Again, I thank them for being here.
Chairman SHAW. Well, I thank all of you for being here
today. The first panel as well, which I neglected to thank as
we ran out the door to make the last vote. I think it has been
a very interesting discussion here, and the three of you
certainly have added considerably to the store of knowledge
that we are trying to build up. I am very hopeful that we will
not only be able to get a bill out of this Committee, which I
don't think is going to be a great deal of trouble, I think we
can do it, we have done it before but that we can work with the
other committees to see that they move it. I think it is the
Committee on the Judiciary and the Committee on Financial
Services that have a piece of this legislation. There may be
another jurisdiction involved, but everybody guards their turf
up here on Capitol Hill, particularly this Committee. We really
guard ours. We want to be sure that the other committees either
waive jurisdiction or that they pass on the provisions of the
bill within their jurisdiction. It is the fastest growing type
of white collar crime that we have, and it may be the fastest
growing crime, period. We know the conditions are getting worse
and worse. Mr. Wern, we don't want to see more people go
through the agony that you went through. Credit is so important
in this country. We certainly appreciate the three of you
coming forward. We are about ready to adjourn. Did you have
anything?
Ms. TUBBS JONES. Thank you gentlemen for coming. I am sorry
I couldn't be here, but you know what life is like on the Hill.
Thank you, Mr. Chairman.
Chairman SHAW. I was a judge too, Ms. Tubbs Jones. One time
I came in late, in fact I came late a lot of times, and the
bailiff looked over and he said, judge, you are late. I said,
oh, did you start without me? So, I think once you have been a
judge, you kind of get used to your own time clock, and you do
what you have to do. Well, thank you all very much. It has been
a very beneficial hearing. We are now adjourned.
[Whereupon, at 3:43 p.m., the hearing was adjourned.]
[Submissions for the record follow:]
July 24, 2003
The Honorable E. Clay Shaw, Jr.
Chairman
Subcommittee on Social Security
B-316 Rayburn House Office Bldg.
Washington, DC 20515
The Honorable Robert Matsui
Ranking Democratic Member
Subcommittee on Social Security
1106 Longworth House Office Bldg.
Washington, DC 20515
Dear Chairman Shaw and Ranking Member Matsui:
The undersigned organizations applaud your efforts over the past
several years to craft legislation that will ensure the integrity of
the social security number (SSN) in the years ahead. We are extremely
concerned about the proliferation of identity theft and other financial
crimes that exploit individual SSNs, and believe strong legislation
should be enacted to combat such nefarious acts. We eagerly await your
introduction of legislation to address these issues during this session
of the 108th Congress.
As public and private employee benefit plan sponsors, however, we
are concerned that such legislation could unintentionally hinder the
delivery of benefits from, and the efficient administration of, public
and private employee benefit plans.
In your bipartisan legislation introduced during the 107th
Congress, the ``Social Security Number Privacy and Identity Theft
Prevention Act of 2001,'' (H.R. 2036), the definitions and provisions
relating to the ``sale,'' ``purchase'' or ``display'' of a person's SSN
could make it more difficult to deliver comprehensive health and
retirement benefits to public and private employees alike. Indeed, the
language could place plan administrators in jeopardy of, on the one
hand, violating the strict fiduciary requirements applicable to
retirement plans and, on the other hand, exposing themselves to
criminal penalties under the bill. It is unreasonable to put plan
administrators of a voluntary employee benefit system in this position.
In general, public and private employee benefit plans use SSNs
because they enable the accurate and timely administration of benefits
for a highly mobile workforce, and because use of the number is
mandated for tax reporting requirements. Plan administrators take
seriously the responsibility that the use of SSNs requires, and they
use the utmost caution and security when SSNs are used in plan
administration and communications.
Public and private sector defined benefit and defined contribution
pension and savings plans, like 401(k), 403(b), and 457 plans, use SSNs
to identify plan participants, account for employee contributions,
implement the employee's investment directions, track ``rollovers''
from other plans, and allow employees to view their account activity or
benefit accrual online (typically in conjunction with a secure
``PIN''). The broad prohibitions of H.R. 2036 could impede, for
example, an individual's ability to stay current on the accumulation of
benefits for his or her retirement.
SSNs are also used as the primary identifier in many medical and
health benefit and prescription drug plans to coordinate communications
between the doctor, the medical service provider, and the plan. H.R.
2036's broad prohibitions could, for example, hinder the delivery of
medications to the individual.
H.R. 2036 allowed the nonabusive legitimate uses of social security
numbers for national security, law enforcement, public health and
advancing public knowledge purposes in proposed new section 208A(c)
(section 201(a) of H.R. 2036). An ``Employment Exception'' could be
included as well. It would be substantially similar to that in S. 228,
which exempts any interaction between businesses, governments, or
business and government. The exemption appears in Section 3(a) of S.
228, creating Section 1028A in Chapter 47, Title 18, United States
Code. Senators Feinstein, Gregg, and Leahy introduced S. 228 on January
28, 2003.
We firmly believe your legislation should permit the use of an
individual's SSN for any employment or employment-related purpose (such
as the administration of an employee benefit plan) and for any
recordkeeping purpose related to an investment made by the individual.
In H.R. 2036, you recognized the importance of this issue by
specifically excluding application for government benefits or programs
from the definition of ``sale'' or ``purchase.'' We believe our
proposed ``Employment Exception'' would follow your intent to not
hinder the administration of employee programs and delivery of benefits
in the public and private sector employment arena as well.
An ``Employment Exception'' could be included in the new section
208A(c) of the bill. Alternatively, the definitions of ``sale,''
``purchase'' and ``display'' as drafted in new section 208A(a) (section
201(a) of H.R. 2036) could be modified and text in Section 202(b) of
the bill could be slightly revised. We have attached proposed
legislative language that is designed to enable the bill to achieve
your objective of limiting the misuse of social security numbers
without interfering with the efficient and effective administration of
public and private employee compensation and benefit plans.
We look forward to continuing to work with staff and with the
Committee to effectively address the problem of identity theft without
creating unintentional barriers to the provision of public and private
pension, health and other benefits to employees. Please do not hesitate
to contact us should you require additional information or wish to
discuss this issue in more detail.
Sincerely,
American Benefits Council
American Society of Pension Actuaries
College and University Professional Association for Human Resources
ERISA Industry Committee
Financial Executives International's Committee on Benefits Finance
National Association of State Retirement Administrators
National Council on Teacher Retirement
National Rural Electric Cooperative Association
Profit Sharing/401(k) Council of America
__________
Proposed Amendments
The undersigned organizations propose the following be included in
the upcoming legislation to be introduced by House Ways and Means
Social Security Subcommittee Chairman E. Clay Shaw, Jr., and Ranking
Member Robert T. Matsui, which is designed to ensure the integrity of
the social security number (SSN) in the years ahead. Our proposed
amendments, which are based on the ``Social Security Number Privacy and
Identity Theft Prevention Act of 2001,'' (H.R. 2036) introduced in the
107th Congress, are designed to enable the bill to achieve its
sponsors' objective of limiting the misuse of SSNs without interfering
with the efficient and effective administration of public and private
employee compensation and benefit plans. In each instance, new text is
underscored, and deletions are [bracketed].
Option 1--Employment Exception
Strike ``and'' after ``;'' on Page 18, line 25.
Replace ``.'' with ``; and,'' on page 19, line 8.
Insert at page 19, line 9:
`(8) if the display, sale, or purchase of such a number is for a
use occurring as a result of an employment-related interaction between
employers and employees of businesses or government (regardless of
which party initiates the interaction), for any purpose mandated or
permissible under Title 26 or Title 29 on the United States Code;'
Option 2--Clarify Language to Prevent Unfair Treatment of
Employee Benefit Plans
PROPOSED AMENDMENTS TO SECTION 201: These amendments clarify that
the prohibitions contained in Section 201 of the bill will not apply to
public and private employer-sponsored plan uses of SSNs. These
amendments also clarify that ``government benefit or program'' includes
benefits related to employment with such governments.
1. AMENDMENT DEFINING ``SALE'': This amendment clarifies that an
SSN is not sold when it is provided in connection with an employment-
related transaction that has a bona fide purpose unrelated to the use
of the SSN, such as the administration of an employee benefit or
compensation plan.
Amend Section 208A(a)(2) (section 201(a) of H.R. 2036 defining
``sale'') to read as follows:
``(2) SALE--The term `sell' in connection with a social security
account number means to obtain, directly or indirectly, anything of
value in exchange for such number. Such term does not include the
submission of such number as part of the process for applying for any
type of Government benefits or programs (such as grants or loans or
welfare or other public assistance programs) or any activity necessary
to effect an employment-related transaction that has a bona fide
purpose unrelated to the use of the social security number.''
2. AMENDMENT DEFINING ``PURCHASE'': This amendment clarifies that
an SSN is not purchased when it is obtained in connection with an
employment-related transaction that has a bona fide purpose unrelated
to the use of the SSN, such as the administration of an employee
benefit or compensation plan.
Amend section 208A(a)(3) (section 201(a) of H.R. 2036 defining
``purchase'') to read as follows:
``(3) PURCHASE--The term `purchase' in connection with a social
security account number means to provide, directly or indirectly,
anything of value in exchange for such number. Such term does not
include the submission of such number as part of the process for
applying for any type of Government benefit or programs (such as grant
or loan applications or welfare or other public assistance programs),
or any activity necessary to effect an employment-related transaction
that has a bona fide purpose unrelated to the use of the social
security number.''
3. AMENDMENT DEFINING ``DISPLAY'': This amendment clarifies that
an SSN is not displayed to the general public when it is placed in a
viewable manner in connection with an employment-related transaction
that has a bona fide purpose unrelated to the use of the SSN, such as
the administration of an employee benefit or compensation plan.
Amend section 208A(a)(4) (section 201(a) of H.R. 2036 defining
``display'') to read as follows:
``(4) DISPLAY--The term `display' means, in connection with a
social security account number, the intentional placing of such number,
or a derivative thereof, in a viewable manner on an Internet site that
is available to the general public or in any other manner intended to
provide access to such number or derivative by the general public. As
used in this section, the term `general public' does not mean any
person connected with any activity that is necessary to effect
employment-related transactions that has a bona fide purpose unrelated
to the use of the social security number.
PROPOSED AMENDMENTS TO SECTION 202: This amendment clarifies that
an employee is not considered a consumer for purposes of this section
and that section 202 of H.R. 2036 would not apply in the context of the
employer-employee relationship, such as the administration of an
employee compensation or benefit plan.
Amend section 202(b) as follows:
``(b) EXCEPTION--Subsection (a) shall not apply to any person in
any case in which such person is required under Federal law, in
connection with doing business with an individual, to submit to the
Federal Government such individual's Social Security account number;
or, in connection with employment of the individual, including the
provision of compensation or benefits thereof.''
Rationale for Specific Changes in Option 2
Section 201(c) unwisely subjects public and private employee
benefit plans to regulations promulgated by a federal agency with no
expertise in employee benefit plans. Section 201(c) grants the Attorney
General authority to promulgate regulations to carry out the
prohibitions against sale, purchase, and display of SSNs, and provides
the Attorney General complete discretion over whether or not to consult
with an agency that has expertise over employee benefit plans.
Regulations that require the amendment of hundreds of thousands of
public and private employee benefit plans should not be promulgated by
an agency with no expertise or jurisdiction over the laws governing
those plans.
Section 202 could unintentionally restrict access to employee
benefit plans. Section 202 prevents any ``individual, partnership,
corporation, trust, estate, cooperative, association, or any other
entity'' from refusing to ``do business'' with an individual who does
not provide them with an SSN. Without clarifying that section 202(a)
does not apply to public and private employee benefit plans, plan
sponsors might be prevented from obtaining an individual's SSN for plan
enrollment, benefit payments, and other legally mandated and routine
plan administrative functions. The exemption in section 202(b) to this
prohibition, while helpful, does not go far enough.
Statement of Stuart K. Pratt, Consumer Data Industry Association
The Consumer Data Industry Association (CDIA) is pleased to submit
written testimony in connection with a hearing on the misuse of Social
Security numbers and we thank Chairman Shaw for holding this hearing.
CDIA has appeared in person before this subcommittee before and we hope
our testimony will be helpful to you.\1\
---------------------------------------------------------------------------
\1\ Preventing Identity Theft by Terrorists: Hearing before the
House Comm. on Financial Services Subcomm. on Oversight and
Investigations and the House Comm. on Ways and Means Subcomm. on Social
Security, 107th Cong. (Nov. 8, 2001) (testimony of Stuart K. Pratt,
Vice President, Vice President, Associated Credit Bureaus); Use and
Misuse of Social Security Numbers: Hearing before the House Comm. on
Ways and Means Subcomm. on Social Security, 106th Cong. (May 11, 2000)
(testimony of Stuart K. Pratt, Vice President, Vice President,
Associated Credit Bureaus).
---------------------------------------------------------------------------
Founded in 1906, the Consumer Data Industry Association (CDIA),
formerly known as Associated Credit Bureaus, is the international trade
association that represents more than 500 consumer data companies. CDIA
members represent the nation's leading institutions in credit
reporting, mortgage reporting, check verification, fraud prevention,
risk management, employment reporting, tenant screening and collection
services.
Consumer reporting agencies are careful stewards of personal
information and they adhere to strict procedures outlined in federal
and state laws.\2\ The information infrastructure of the consumer
reporting system is the backbone of the consumer credit economy.\3\
---------------------------------------------------------------------------
\2\ All consumer reporting agencies are bound by the Fair Credit
Reporting Act (FCRA), 15 U.S.C. � 1681 et seq. and numerous state
credit reporting laws. Among other things, the FCRA requires consumer
reporting agencies to maintain reasonable procedures to assure maximum
possible accuracy, 15 U.S.C. � 1681e(b) and prohibits data furnishers
from furnishing data to consumer reporting agencies if they know the
information has an error, � 1681s-2(a). In addition, a consumer
reporting agency is prohibited from furnishing a consumer report to
anyone without a ``permissible purpose''--a narrow and statutorily
limited list of permitted uses. � 1681b.
\3\ For example, it was recently noted that
Maintaining a reliable and robust national credit reporting
system is essential to ensure the continued availability of consumer
credit at reasonable costs * * * The ready availability of accurate,
up-to-date credit information from consumer reporting agencies benefits
both creditors and consumers. Information from consumer reports gives
creditors the ability to make credit decisions quickly and in a fair,
safe and sound, and cost-effective manner. Consumers benefit from
access to credit information from different sources, vigorous
competition among creditors, quick decisions on credit applications,
and reasonable costs for credit.
Fair Credit Reporting Act: How it Functions for Consumers and the
Economy: Hearing before the House Comm. on Financial Services Subcomm.
on Financial Institutions and Consumer Credit, 108th Cong. (June 4,
2003) (statement of Dolores S. Smith, Director, Division of Consumer
and Community Affairs, Board of Governors of the Federal Reserve
System).
---------------------------------------------------------------------------
Our members have a strong interest in the legitimate and lawful use
of all information, including Social Security numbers. Used properly,
SSNs play a substantial role in reducing fraud, enhancing workplace
security, promoting public safety, supporting homeland defense,
reducing state and federal entitlement fraud, enhancing child support
enforcement, and facilitating commerce to a diverse, mobile electronic
society.
Before I specifically address how the SSN is used by our industry
and the importance of this number, I have found it helpful to provide a
short review of what a consumer reporting agency is, what is contained
in a consumer report, and the law that governs our industry.
CONSUMER REPORTING AGENCIES AND CONSUMER REPORTS
Consumer reporting agencies maintain information on individual
consumer payment patterns associated with various types of credit
obligations on approximately 190 million Americans. The data compiled
by these agencies is used by creditors and others permitted under the
strict prescriptions of the FCRA.
Consumer credit histories are derived from, among other sources,
the voluntary provision of information about consumer payments on
various types of credit accounts or other debts from thousands of data
furnishers such as credit grantors, student loan guarantee and child
support enforcement agencies. A consumer's file may also include public
record items such as a bankruptcy filing, judgment or lien. Note that
these types of data sources often contain SSNs, as well.
For purposes of data accuracy and proper identification, generally
our members maintain information such as a consumer's full name,
current and previous addresses, Social Security Number (when
voluntarily provided by consumers) and places of employment. This data
is loaded into the system on a regular basis to ensure the completeness
and accuracy of data.\4\
---------------------------------------------------------------------------
\4\ Note that there are in fact a number of major credit reporting
systems in this country. Within CDIA's membership the three most often
recognized systems would be Equifax, Atlanta, Georgia; Experian, Costa
Mesa, California; and TransUnion, Chicago, Illinois. These systems not
only manage their own data, but provide data processing services for
the hundreds of local independently-owned automated credit bureaus in
the Association's membership.
---------------------------------------------------------------------------
It is interesting to note that the vast majority of data in our
members' systems simply confirms what most of you would expect; that
consumers pay their bills on time and are responsible, good credit
risks. This contrasts with the majority of systems maintained in other
countries, such as Japan or Italy, which store only negative data and
do not give consumers recognition for the responsible management of
their finances.
As important as knowing what we have in our files is also knowing
what types of information our members do not maintain in files used to
produce consumer reports. Our members do not know what consumers have
purchased using credit (e.g., a refrigerator, clothing, etc.) or where
they used a particular bank card (e.g., which stores a consumer
frequents). They also don't have a record of when consumers have been
declined for credit or another benefit based on the use of a consumer
report. Medical treatment data isn't a part of the databases and no
bank account information is available in a consumer report.
THE FAIR CREDIT REPORTING ACT (FCRA)
In addition to our general discussion of the industry, we believe
it is important for your Subcommittee to have a baseline understanding
of the law which regulates our industry.
Enacted in 1970, the Fair Credit Reporting Act was significantly
amended in the 104th Congress with the passage of the Credit Reporting
Reform Act.
Congress, our Association's members, creditors and consumer groups
spent over six years working through the modernization of what was the
first privacy law enacted in this country (1970). This amendatory
process resulted in a complete, current and forwarding-looking statute.
The FCRA serves as an example of successfully balancing the rights of
the individual with the economic benefits of maintaining a competitive
consumer reporting system so necessary to a market-oriented economy.
The FCRA is an effective privacy statute, which protects the
consumer by narrowly limiting the appropriate uses of a consumer report
(often we call this a credit report) under Section 604 (15 U.S.C.
1681b), entitled ``Permissible Purposes of Reports.''
Some of the more common uses of a consumer's file are in the
issuance of credit, subsequent account review and collection processes.
Reports are also, for example, permitted to be used by child support
enforcement agencies when establishing levels of support.
Beyond protecting the privacy of the information contained in
consumer reports, the FCRA also provides consumers with certain rights
such as the right of access; the right to dispute any inaccurate
information and have it corrected or removed; and the right to
prosecute any person who accesses their information for an
impermissible purpose. The law also includes a shared liability for
data accuracy between consumer reporting agencies and furnishers of
information to the system.
SOCIAL SECURITY NUMBER USES
Let me now turn to the question of how our industry uses the SSN.
Under the Fair Credit Reporting Act, our industry has a duty to ``.
. . employ reasonable procedures to ensure the maximum possible
accuracy . . .'' of the consumer report. Further, we must design
systems that accurately allow our customers to extract only the data
requested on a specific individual.
We must accomplish this dual mission of accuracy both in terms of
building databases, but also properly identifying files in our systems
in the context of a highly mobile society. Consider the following:
Approximately 16% of the nation's population moves each
year according to the U.S. Census Bureau, which means many addresses
change each year. (This equates to approximately 42 million Americans)
Based on National Center for Health Statistics, it is
estimated that there are 2.4 million marriages and 1.2 million divorces
annually. This event frequently triggers changes in addresses as well
as last names.
In 1998 there were 6 million homes in the U.S. that are
considered vacation or second homes. Consumers often switch billing
addresses if they stay at such residences for long periods of time and
in some cases maintain billing addresses for both residences with
various creditors. (Source: U.S. Census Bureau House Vacancy Survey as
extrapolated by the National Association of Realtors)
These data clearly speak to the challenge our members face where
identifying data often changes.
In light of the mobility of our society, the Social Security Number
plays a very significant role in ensuring data quality. Our members
process 2 billion data elements a month. These elements are a
combination of credit history data and identifying information.
Consider the following very real example.
Where a consumer has changed a last name due to marriage or divorce
and has moved to a new address, which is common in either case, the SSN
is the most stable identifying element in the file. First, it helps us
to identify the consumer's file with precision during this life
transition where he or she is likely applying for new credit, seeking
approval for utilities, and seeking to rent or purchase a new
residence. The consumer expects that the consumer report will be
available for all of these necessary transactions and the SSN helps our
members to meet this expectation. Second, the consumer expect his or
her file to be accurate and the SSN helps us to maintain the file
accurately even when the consumer is in the midst of updating creditors
with changes in name and address.
The SSN is also a critical element in producing information
products, which are commonly called locator services. These services
are made available, for example, to child support enforcement agencies
for purposes of locating non-custodial parents;\5\ to pension funds
which must locate beneficiaries; to law enforcement for locating
criminals or witnesses; \6\ to healthcare providers that must locate
individuals who have chosen not to pay their bills, to state benefits
agencies to reduce public assistance fraud,\7\ and for other similar
uses.
---------------------------------------------------------------------------
\5\ The U.S. Department of Health and Human Services noted that
``[r]outine transfer of child support payment information to credit
bureaus . . . is essential because these obligations may constitute a
superior lean on a creditor's income.'' A Guide About Child Support
Enforcement for Credit Grantors, U.S. Department of Health and Human
Services, Family Support Administration. November 1988. In addition The
Association for Children for Enforcement of Support reports that public
record information provided through commercial vendors helped locate
over 75 percent of the ``deadbeat parents'' they sought. Information
Privacy Act, Hearings before the Comm. on Banking and Financial
Services, House of Representatives, 105th Cong., 2d Sess. (July 28,
1998) (statement of Robert Glass).
\6\ Then-FBI Director Louis Freeh testified before Congress in 1999
and noted that in 1998, his agency made more than 53,000 inquiries to
commercial on-line databases ``to obtain public source information
regarding individuals, businesses, and organizations that are subjects
of investigations.'' This information, according to Director Freeh,
``assisted in the arrests of 393 fugitives, the identification of more
than $37 million in seizable assets, the locating of 1,966 individuals
wanted by law enforcement, and the locating of 3,209 witnesses wanted
for questioning.'' Hearing before the Senate Comm. on Appropriations
Subcomm. for the Departments of Commerce, Justice, and State, and the
Judiciary and Related Agencies, March 24, 1999 (Statement of Louis J.
Freeh, Director of the Federal Bureau of Investigation).
\7\ Consider the following examples:
``Individuals confined to a correction facility for at
least 1 full month are ineligible to continue receiving federal
Supplemental Security Insurance (SSI) program benefits. . . . Between
January and August 1996, the sharing of prisoner data between SSA and
state and local correction facilities helped SSA identify about $151
million overpayments already made and prevented about $173 million in
additional overpayments to ineligible prisoners.'' General Accounting
Office, Social Security Numbers: Government Benefits from SSN Use but
Could Provide Better Safeguards, GAO-02-352 (May 2002), 15, citing
General Accounting Office, Supplemental Security Income: Incentive
Payments Have Reduced Benefit Overpayments to Prisoners, GAO/HEHS-00-02
(Nov. 22, 1999).
``Applicants for Temporary Assistance for Needy Families
(TANF), a program designed to help low-income families, are required to
provide their SSNs. Some agencies share SSN information to verify
eligibility and identity. Between January and September 1999, New York
State estimated that SSN verification saved about $72 million.''
General Accounting Office, Social Security Numbers, Government Benefits
from SSN Use but Could Provide Better Safeguards, GAO-02-352 (May
2002), 15, citing General Accounting Office, Benefit and Loan Programs:
Improved Data Sharing Could Enhance Program Integrity, GAO-HEHS-00-119
(Sept. 13, 2000).
``The Department of Education uses SSNs to match data on
defaulted education loans with the National Directory of New Hires
(NDNH). . . . As a result of this matching . . . the department
reported collecting $130 million from defaulted student loan borrowers
in 2001.'' General Accounting Office, Social Security Numbers,
Government Benefits from SSN Use but Could Provide Better Safeguards,
GAO-02-352 (May 2002), 16.
Federal agencies that are owned money share that
information with the Treasury Department which matches the debtors'
SSNs with those taxpayers that are owed tax refunds and reduces the
refund by the amount owed. In 2001, the Treasury Department offset tax
refunds by $1 billion. Id.
---------------------------------------------------------------------------
Further, the SSN plays a role in fraud prevention products. Where a
consumer makes application for a product or service, information
products that help the business to ensure that they are doing business
with the right consumer use information products to authenticate or
verify the application information. This is true in both for bricks-
and-mortar business and in e-Commerce.
If applicant data does not match, then the business can take
additional steps to verify the consumer's identity and thus prevent
fraud.
FRAUD PREVENTION AND IDENTITY THEFT
In your press release announcing this hearing, you mention the
potential for misuse of the SSN. Our industry has a history of bringing
forward initiatives to address fraud. These efforts focus on the use of
new technologies, and better procedures and education. CDIA and its
members have a long history of being leading innovators of identity
fraud solutions. The attachment provides a short thumbnail of our
involvement in identity fraud remediation since 1993.\8\
---------------------------------------------------------------------------
\8\ While we agree that identity fraud is a significant problem, we
also hope the committee will consider any legislation in the context of
the most accurate and reliable data on the scope of the problem. One
witness has suggested that the number of identity fraud victims could
be between 700,000-1.8 million per year. Misuse of Social Security
Numbers: Hearing before the House Comm. on Ways and Means Subcomm. on
Social Security, 108th Cong. (July 10, 2003) (statement of Steve
Edwards, Special Agent in Charge, Financial Investigations Unit,
Georgia Bureau of Investigations; State Coordinator, U.S. Department of
the Treasury, Financial Crimes Enforcement Network; and Vice Chairman
of the Board of Directors, National White Collar Crime Center). CDIA
feels that the best review of the level of identity fraud victimization
is closer to 60,000 to 92,000 per year, General Accounting Office,
Identity Theft: Prevalence and Cost Appear to be Growing, GAO-02-363
(March 2002), 4, or 162,000 per year. FTC Reports: Figures and Trends
on Identity Theft, January 2002-December 2002. The GAO figures were
developed based on interviews with three national consumer reporting
agencies. Consumer reporting agencies are probably the best source
understanding the scope of identity fraud victimization as victims are
mostly likely to contact consumer reporting agencies as a first
response.
---------------------------------------------------------------------------
CONCLUSION
In conclusion, you can see by our actions that in large part our
uses of the SSN are governed under the Fair Credit Reporting Act, one
of the most extensive privacy laws in the country. Beyond law, our
members have a history of proactively limiting how SSNs are used
outside of the FCRA. No one particular element of information is the
key to identity theft. The underlying theme in all of this is balance.
Laws that overreach in attempting to limit use of the SSN are
likely to merely take fraud prevention tools out of the hands of
legitimate businesses at the expense of consumers. Ironically, to
prevent fraud you must be able to crosscheck information. To maintain
accurate databases, you must be able to maintain a range of identifying
elements. Absent the availability of the SSN, we will be less able to
build accurate data bases, to accurately identify records and to help
prevent the very crime through the development of fraud prevention and
authentication tools.
Thank you for this opportunity to offer testimony. CDIA is
available to assist your and your committee at any time.
__________
Consumer Reporting Agency Responses to Identity Fraud
1993. Consumer Data Industry Association, then known as
Associated Credit Bureaus, formed a Fraud and Security Task Force.
1998. Creation of True Name Fraud Task Force led by
former Vermont Attorney General M. Jerome Diamond. The work of the task
force included meetings with law enforcement, consumer organizations,
privacy advocates, legislators and staff, victims, and others.
The capstone of the True Name Fraud Task Force was a
series of initiatives announced in March 2000. These initiatives meant
the consumer reporting industry was the first industry to step forward
and not only educate its members about the problems consumers
experienced, but to seek specific changes in business practices. The
initiatives are to:
Advocate the use and improve the effectiveness
of security alerts through the use of codes transmitted to creditors.
These alerts and codes can help creditors avoid opening additional
fraudulent accounts.
Implement victim-assistance best practices to
provide a more uniform experience for victims when working with
personnel from multiple fraud units.
Assist identity theft victims by sending a
notice to creditors and other report users when the victim does not
recognize a recent inquiry on the victim's file.
Execute a three-step uniform response for
victims who call automated telephone systems: automatically adding
security alerts to files, opting the victim out of prescreened credit
offers, and sending a copy of his or her file within three business
days.
Launch new software systems that will monitor
the victim's corrected file for 3 months, notify the consumer of any
activity, and provide fraud unit contact information.
Fund, through CDIA, the development of a series
of consumer education initiatives through CDIA to help consumers
understand how to prevent identity theft and also what steps to take if
they are victims.
2001. CDIA announced a police report initiative so that
when a police report is provided as part of the process of disputing
fraudulent data, Equifax, Experian and TransUnion will block these
disputed items from appearing on subsequent consumer reports regarding
that individual.
``Another collaborative effort with tremendous
promise is your new police report initiative. . . . I appreciate that
certain consumer-based initiatives require you to balance accuracy
issues--knowing that the consumer's report contains all relevant credit
information, including derogatory reports--against customer service.
From my perspective, your police report initiative strikes just the
right balance.'' J. Howard Beales, III, Director of the FTC's Bureau of
Consumer Protection, before the Consumer Data Industry Association.
Jan. 17, 2002.
2002-03. ID Fraud Victim Data Exchange. CDIA and its
members committed in 2002 to start a pilot test in early-2003 so that
when an ID fraud victim calls any one of the participating credit
reporting agencies, the victim will be notified that his or her
identifying information will be shared by the receiving credit
reporting agency with the other two participating credit reporting
agencies and that the following steps will be taken by each recipient
of the victim's information:
A temporary security alert will be added to the
victim's file. This security alert will be transmitted to all
subsequent users (e.g., creditors) which request a copy of the file for
a permissible purpose under the Fair Credit Reporting Act.
The victim will be opted out of all non-
initiated offers of credit or insurance.
The CRA will ensure that a copy of the victim's
file is in the mail within three business days of the victim's request.
Our efforts are paying off.
Most calls are prevention related. CDIA members
report a majority of consumers who contact fraud units are taking
preventative steps and are not reporting a crime.
Victims are learning of the fraud earlier.
According to an FTC report in June 2001, 42% of victims learn about the
crime within 30 days or less, a full 10% less than in the prior report.
CDIA estimates another 35% learn of the crime within one to six months
and 7% learn of the crime in six months to a year.
Victimization of the elderly is dropping. In
2001, the FTC estimated that 6.3% of identity fraud victims were over
65, a 5% decrease from 2000.
About CDIA
Founded in 1906, the Consumer Data Industry Association (CDIA),
formerly known as Associated Credit Bureaus (ACB), is the international
trade association that represents more than 400 consumer data
companies. CDIA members represent the nation's leading institutions in
credit reporting, mortgage reporting, check verification, fraud
prevention, risk management, employment reporting, tenant screening and
collection services.
For more information about CDIA, its members, or identity fraud or
other issues, please visit us at www.cdiaonline.org or contact us at
202-371-0910.
Statement of the Honorable Darlene Hooley, a Representative in Congress
from the State of Oregon
Just last week this very committee heard testimony on the many
problems caused by the misuse of Social Security numbers and the ever
increasing problem of identity theft.
I have become increasingly concerned about the vast quantities of
sensitive, personal information that is now vulnerable to criminal
interception and misuse. Currently, the ease of obtaining the Social
Security number of an individual is shocking. Numbers are sold,
exchanged and printed with an alarming carelessness. With a Social
Security number and a few pieces of other easily obtainable personal
information, fraudulent accounts can be opened and lives can be ruined.
Many individuals work their entire life to build a spotless credit
record, only to have it destroyed by a criminal armed merely with a
Social Security number. The protection of Social Security numbers is a
vital step to slowing the growth of identity theft and protecting
people's lives.
I've been active in trying to prevent further horror stories of
misused Social Security numbers. Two and a half years ago, a young boy
in Salem named Tyler Bales lost his battle with a rare genetic disease
called Hurler syndrome. As if it were not hard enough to lose your
sixteen month old child, Tyler's parents later learned--courtesy of the
IRS--that someone was claiming Tyler as a dependent on their 2000
income tax return.
Because of disclosure issues, the IRS could not give out the
identity of this thief to local law enforcement, even though ID theft
is a felony offense in the state of Oregon. To date, two and one half
years later, the Bales still do not know the identity of this thief.
For this reason, I request that the House Committee on Ways and
Means consider the ``ID Theft Loophole Closure Bill'' as the committee
seeks legislation to prevent the misuse of Social Security numbers.
This legislation simply changes the law to allow the IRS to furnish the
name, Social Security number and address of a suspected identity thief
to state and local law enforcement agencies for the exclusive purpose
of locating the individual.
Identity theft is not a victimless crime. We must cut the red tape
that is preventing thieves from being prosecuted for their crimes, and
I believe this legislation is the right tool for the job.
Statement of the Honorable Max Sandlin, a Representative in Congress
from the State of Texas
Thank you Mr. Chairman and Ranking Member Matsui, for the
opportunity to testify today on the impact of the use and misuse of
Social Security numbers.
I am pleased that my colleagues on the Ways and Means committee
have convened a hearing on how the growing use of Social Security
numbers as a national identifier has resulted in the mounting problem
of identity theft. As you know, while our Social Security numbers were
expressly created to catalogue workers' earnings for benefit purposes,
nearly every branch of our society has co-opted Social Security numbers
as an identification method. Our Social Security numbers can be found
on records kept by schools, banks, businesses, and many states even
list them on people's drivers licenses.
While the use of Social Security numbers is very convenient and
facilitates commerce through easy credit checks, we need to be
cognizant of how the over exposure of Social Security numbers also
easily enables criminals to commit identity theft. Simply by stealing
an individual's purse, a thief may have immediate access to an
individual's name and social security number and use that information
to open new credit cards, establish new bank accounts, and even
initiate new cell phone service, all to ring up charges that their
victims will be left to contest. In the mean time, innocent, hard
working, victims may find their credit destroyed, and may not even know
about the theft until they are turned down for a mortgage or car loan.
Once this occurs they are then forced to embark on an arduous process
to restore their financial standing, while their dreams for a new home
or needed vehicle remain on hold.
The Federal Trade Commission noted that identity theft has
increased over 88% just in the last year, with nationwide complaints
totaling 162,000. In my home state, over 14,000 Texans filed victim
complaint statements last year with the Federal Trade Commission. Their
tragic experiences provided the impetus for our state legislature's
enactment of a law to combat identity theft last month. While we were
only the second state in the nation to do so, seven other states are
actively considering similar legislation.
We must continue to find ways to protect the citizens of this
country from fraud and abuse caused by criminals committing identity
theft. The Social Security Administration, credit bureaus, businesses,
individuals and other federal, state and local government agencies must
all coordinate resources to offer a comprehensive plan of action and
protection. On the federal level, I am pleased to be a co-sponsor of
H.R. 2035. This bill requires consumer reporting agencies to provide
free credit reports annually upon the request of a consumer, as well as
require the truncation of credit card numbers on printed receipts. By
enacting common sense legislation like this, individuals will be able
to detect identity theft at an early stage, before their credit reports
are permanently damaged.
Congress has a responsibility to help the American people, and our
National economy, prosper. Strengthening financial privacy laws and
protecting Social Security numbers will help to achieve these goals.
Thank you for your time.
�