[House Hearing, 109 Congress] [From the U.S. Government Publishing Office] SECURING CONSUMERS' DATA: OPTIONS FOLLOWING SECURITY BREACHES ======================================================================= HEARING before the SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION of the COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS FIRST SESSION __________ MAY 11, 2005 __________ Serial No. 109-14 __________ Printed for the use of the Committee on Energy and Commerce Available via the World Wide Web: http://www.access.gpo.gov/congress/ house ______ U.S. GOVERNMENT PRINTING OFFICE WASHINGTON : 2005 21-635PDF For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON ENERGY AND COMMERCE JOE BARTON, Texas, Chairman RALPH M. HALL, Texas JOHN D. DINGELL, Michigan MICHAEL BILIRAKIS, Florida Ranking Member Vice Chairman HENRY A. WAXMAN, California FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts CLIFF STEARNS, Florida RICK BOUCHER, Virginia PAUL E. GILLMOR, Ohio EDOLPHUS TOWNS, New York NATHAN DEAL, Georgia FRANK PALLONE, Jr., New Jersey ED WHITFIELD, Kentucky SHERROD BROWN, Ohio CHARLIE NORWOOD, Georgia BART GORDON, Tennessee BARBARA CUBIN, Wyoming BOBBY L. RUSH, Illinois JOHN SHIMKUS, Illinois ANNA G. ESHOO, California HEATHER WILSON, New Mexico BART STUPAK, Michigan JOHN B. SHADEGG, Arizona ELIOT L. ENGEL, New York CHARLES W. ``CHIP'' PICKERING, ALBERT R. WYNN, Maryland Mississippi, Vice Chairman GENE GREEN, Texas VITO FOSSELLA, New York TED STRICKLAND, Ohio ROY BLUNT, Missouri DIANA DeGETTE, Colorado STEVE BUYER, Indiana LOIS CAPPS, California GEORGE RADANOVICH, California MIKE DOYLE, Pennsylvania CHARLES F. BASS, New Hampshire TOM ALLEN, Maine JOSEPH R. PITTS, Pennsylvania JIM DAVIS, Florida MARY BONO, California JAN SCHAKOWSKY, Illinois GREG WALDEN, Oregon HILDA L. SOLIS, California LEE TERRY, Nebraska CHARLES A. GONZALEZ, Texas MIKE FERGUSON, New Jersey JAY INSLEE, Washington MIKE ROGERS, Michigan TAMMY BALDWIN, Wisconsin C.L. ``BUTCH'' OTTER, Idaho MIKE ROSS, Arkansas SUE MYRICK, North Carolina JOHN SULLIVAN, Oklahoma TIM MURPHY, Pennsylvania MICHAEL C. BURGESS, Texas MARSHA BLACKBURN, Tennessee Bud Albright, Staff Director David Cavicke, Deputy Staff Director and General Counsel Reid P.F. Stuntz, Minority Staff Director and Chief Counsel ______ Subcommittee on Commerce, Trade, and Consumer Protection CLIFF STEARNS, Florida, Chairman FRED UPTON, Michigan JAN SCHAKOWSKY, Illinois NATHAN DEAL, Georgia Ranking Member BARBARA CUBIN, Wyoming MIKE ROSS, Arkansas GEORGE RADANOVICH, California EDWARD J. MARKEY, Massachusetts CHARLES F. BASS, New Hampshire EDOLPHUS TOWNS, New York JOSEPH R. PITTS, Pennsylvania SHERROD BROWN, Ohio MARY BONO, California BOBBY L. RUSH, Illinois LEE TERRY, Nebraska GENE GREEN, Texas MIKE FERGUSON, New Jersey TED STRICKLAND, Ohio MIKE ROGERS, Michigan DIANA DeGETTE, Colorado C.L. ``BUTCH'' OTTER, Idaho JIM DAVIS, Florida SUE MYRICK, North Carolina CHARLES A. GONZALEZ, Texas TIM MURPHY, Pennsylvania TAMMY BALDWIN, Wisconsin MARSHA BLACKBURN, Tennessee JOHN D. DINGELL, Michigan, JOE BARTON, Texas, (Ex Officio) (Ex Officio) (ii) C O N T E N T S __________ Page Testimony of: Barrett, Jennifer, Chief Privacy Officer, Acxiom Corporation. 12 Buege, Steve, Senior Vice President, Business Information, News and Public Records, North American Legal.............. 18 Burton, Daniel, Vice President of Government Affairs, Entrust, Inc............................................... 25 Ireland, Oliver I., Partner, Financial Services Practice Group, Morrison and Foerster, LLP, on Behalf of Visa USA... 22 Solove, Daniel J., Associate Professor of Law, George Washington University Law School........................... 31 Additional material submitted for the record: ARMA International, prepared statement of.................... 51 Hillebrand, Gail, Senior Attorney, Consumers Union, prepared statement of............................................... 53 (iii) SECURING CONSUMERS' DATA: OPTIONS FOLLOWING SECURITY BREACHES ---------- WEDNESDAY, MAY 11, 2005 House of Representatives, Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection, Washington, DC. The subcommittee met, pursuant to notice, at 11:05 a.m., in room 2123 of the Rayburn House Office Building, Hon. Cliff Stearns (chairman) presiding. Members present: Representatives Stearns, Upton, Cubin, Radanovich, Bass, Pitts, Bono, Terry, Rogers, Myrick, Murphy, Blackburn, Barton (ex officio), Schakowsky, Ross, Markey, and Baldwin. Staff present: David Cavicke, chief counsel; Chris Leahy, policy coordinator; Will Carty, professional staff; Larry Neal, deputy staff director; Billy Harvard, clerk; Kevin Schweers, communications director; Lisa Miller, press secretary; Consuela Washington, minority counsel; Turney Hall, staff assistant; and Alec Gerlach, staff assistant. Mr. Stearns. Good morning. The subcommittee will come to order. My colleagues, today we continue the subcommittee's examination of consumer data security and identity theft. As all of us are keenly aware, our important work is set against the backdrop of almost daily reports of consumer data, security breaches at data brokers, retailers, banks, universities, and the list, of course, goes on. It seems like every corner of our economy has been touched. Understandably, the public is worried. The reported breaches involve everything from elaborate high-tech hacker attacks to simply theft of physical consumer data that had been poorly secured in the first place. The consumer impact of these breaches has been just as varied. Some cases never result in identity theft or financial loss, while others affect significant consumer populations. With some estimates of those affected ballooning past initial numbers as further investigations reveal even larger cracks in the digital infrastructure. And while our initial assessment of the extent of this problem for consumers and businesses is still a bit fuzzy, the cracks and vulnerabilities are becoming more apparent to the committee and to the public. Questions are starting to be raised about the inherent security of a large segment of the commercial marketplace. This should concern all of us. The committee understands this concern, and to address it, there are a number of issues that need careful examination. First, we must ensure that existing Federal law does not leave open ways for certain entities to skirt the objectives of the primary laws governing such areas, including the Fair Credit Reporting Act and the Gramm-Leach-Bliley. Second, if we determine that existing law is inadequate, we need to get a clearer and more accurate assessment of the scope of the problem across all sectors, assess the current legal tools we have to attack it, and weigh the need for additional regulation and other approaches. Other non-regulatory approaches could include applying good old American technological ingenuity to buttress current consumer data security regulations. Throughout this series of hearings, we have heard from a number of experts that data security breaches go hand in hand with identity theft, a phenomenon that keeps getting larger and more insidious. The numbers are sobering. At our March hearing, the FTC testified that over 10 million people were victims of identity theft during the 1-year period of its latest survey. The FTC estimated that this figure translates into loss of nearly $48 billion for businesses, almost $5 billion for consumers, and close to 300 million hours spent by those individuals and businesses trying to resolve the problems just generated by these crimes. We cannot allow our consumer economy to be undermined by these criminals. Consumers, businesses, and the public sector needs to strengthen defenses collectively. The reality is that the bad guys will always be around. It is up to us as consumers, businesses, and public institutions to make sure that our data is locked down and is accounted for. The best offense to combat identity theft is simple prevention coupled with an assurance that entities dealing in consumer data adhere to consistent and comprehensive security standards with a bite. The accessibility and portability of consumer data in an information-driven market has made controlling who has access to what more difficult than ever. Consumer data breaches and as a result in identity theft continues to grow and affect broader commercial activity at all levels, not just a specific industry or a specific sector. Consumer data in our modern markets has become a commodity. It is bought and sold. It is processed and analyzed. And it is now an integral ingredient in disciplines as varied as finance, demographics, research, direct marketing, academic study, and law enforcement. I believe the majority of these activities improve our lives and well-being. They make us more productive, allow a higher standard of living, and afford us better personal and national security, particularly in a post-9/11 world. What it is lacking, my colleagues, however, is a safeguard system in which our personal data is shielded by a robust security no matter where it goes or whoever possesses it. We need to examine approaches that enable robust security measures to surround personal data as it speeds through commerce. I think this is where advanced technology can play a larger role in helping reduce the incidence of identity theft. Technologies like sophisticated encryption techniques, advanced password authentication systems, as well as better and more widespread use of advanced data security software all can play an important role in improving our defenses. Technology can also be used to facilitate more uniform best practices in affected sectors that deal in consumer data. Let me be clear. I do believe that additional measures are necessary, but for those still undecided, this hearing and the proceedings should provide a great deal of information to help everyone make a judgment call here. I think it is a fair thing to say that one thing is certain--criminals cannot be allowed to capitalize on another high-tech nefarious business model to steal and defraud American consumers, businesses, and public institutions. We have seen this happen with spyware and spam. It can't be allowed to happen here. Therefore, our focus needs to be on first, clearly identifying what is not working before we act on a national scale. But with each new breach we are losing more valuable time to put an end to a new breed of professional cyber criminals and the inappropriate and illegal activities that are slowly corroding consumer confidence in the integrity of information-driven commerce and technology. I would like to thank our distinguished panel for being here this morning and for joining us today, and we look forward to your testimony. With that, the ranking member, Ms. Schakowsky. [The prepared statement of Hon. Cliff Stearns follows:] Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on Commerce, Trade, and Consumer Protection Good Morning. Today, we continue the Subcommittee's examination of consumer data security and identity theft. As all of us are keenly aware, our important work is set against the backdrop of almost daily reports of consumer data security breaches at data brokers, retailers, banks, universities--and the list goes on. It seems like every corner of our economy has been touched. Understandably, the public is worried. The reported breaches involve everything from elaborate high-tech hacker attacks to simply theft of physical consumer data that had been poorly secured. The consumer impact of these breaches has been just as varied. Some cases never result in identify theft or financial loss while others affect significant consumer populations, with some estimates of those affected ballooning past initial numbers as further investigation reveals even bigger cracks in the digital infrastructure. And while our initial assessment of the extent of this problem for consumers and businesses is still a bit fuzzy, the cracks and vulnerabilities are becoming more apparent to the Committee and to the public. Questions are starting to be raised about the inherent security of a large segment of the commercial marketplace. This should concern us all. The Committee understands this concern. And to address it, there are a number of issues that need careful examination. First, we must ensure that existing federal law is not leaving open ways for certain entities to skirt the objectives of the primary laws governing this area, including the Fair Credit Reporting Act and Gramm-Leach-Bliley. Second, if we determine that existing law is inadequate, we need to get a clearer and more accurate assessment of the scope of the problem across all sectors, assess the current legal tools we have to attack it, and weigh the need for additional regulation and other approaches. Other non-regulatory approaches could include applying good old American technological ingenuity to buttress current consumer data security regulations. Throughout this series of hearings we have heard from a number of experts that data security breaches go hand in hand with identify theft--a phenomenon that keeps getting bigger and more insidious. The numbers are sobering. At our March hearing, the FTC testified that over 10 million people were victims of identity theft during the one-year period of its latest survey. The FTC estimated that this figure translates into loses of nearly $48 billion for businesses, almost $5 billion for consumers, and close to 300 million hours spent by those individuals and businesses trying to resolve the problems generated by these crimes. We cannot allow our consumer economy to be undermined by these criminals. Consumers, business, and the public sector need to strengthen defenses collectively. The reality is that the bad guys will always be around. It is up to us as consumers, businesses, and public institutions to make sure that our data is locked down and accounted for. The best offense to combat identity theft is simple prevention coupled with an assurance that entities dealing in consumer data adhere to consistent and comprehensive security standards with bite. The accessibility and portability of consumer data in an information-driven market has made controlling who has access to what more difficult than ever. Consumer data breaches and resultant identity theft continues to grow and affect broader commercial activity at all levels, not just a specific industry or sector. Consumer data in our modern markets has become a commodity. It is bought and sold. It is processed and analyzed. And it is now an integral ingredient in disciplines as varied as finance, demographic research, direct marketing, academic study, and law enforcement. I believe that the majority of these activities improve our lives and wellbeing. They make us more productive, allow higher standards of living, and afford us better personal and national security, particularly in a post 9/11 world. What is lacking, however, is a safeguard system in which our personal data is shielded by robust security no matter where it goes or who possess it. We need to examine approaches that enable robust security measures to surround personal data as it speeds through commerce. I think this is where advanced technology can play a larger role in helping reduce the incidence of identity theft. Technologies like sophisticated encryption techniques, advanced password authentication systems, as well as better and more widespread use of advanced data security software all can play an important role in improving our defenses. Technology can also be used to facilitate more uniform best practices in affected sectors that deal in consumer data. Let me be clear, I do believe that additional measures are necessary. But for those still undecided, this hearing and the preceding ones should provide a great deal of information to make a judgment. I think it's fair to say that one thing is certain--criminals cannot be allowed to capitalize on another high-tech, nefarious business model to steal and defraud American consumers, business, and public institutions. We've seen that happen with spyware and spam. It can't be allowed to happen here. Therefore, our focus needs to be on first clearly identifying what is not working before we act on a national scale. But with each new breach, we are losing more valuable time to put an end to a new breed of professional cyber-criminal and the inappropriate and illegal activities that at are slowly corroding consumer confidence in the integrity of information-driven commerce and technology. I would like to thank our distinguished panel of witnesses for joining us today. We look forward to your testimony. Thank you. Ms. Schakowsky. Once again I want to thank you, Chairman Stearns, for holding a hearing on how we can further protect consumers from the stealing of their most personal information. We need to close the canyon-size gaps in the law that are putting consumers and their sensitive, private information at serious risk of invasion--identity theft and other crimes. I look forward to hearing from our witnesses today about their ideas of what we can do, and I look forward to working with you, Chairman Stearns and Chairman Barton and Ranking Member Dingell and Representative Markey and others, on legislation to restore consumers' control of private information. The Privacy Rights Clearinghouse has been keeping an ongoing tally of data breaches revealed since news first broke on the ChoicePoint incident. In the past 3 months alone we have learned that approximately 4,736,400 individuals have had their personally identifiable information compromised. Again, that is in just months. And those are the cases about which we know. The means of access are varied. Computers have been hacked and stolen, backup tapes lost, passwords compromised, information exposed online, and fake businesses established. And it has not just been the data brokers' stockpiles that have been raided. University stores, banks, and government offices have seen their data bases breached and their students, alumni, customers, and constituencies exposed. If there is personal information to be had, there are criminals out to get it from anyplace and in any way they can. From the recent wave of breaches we know data insecurity is endemic, and it is time for us to close whatever loopholes there are in privacy laws to ensure that consumers are not stuck with the short end of the stick as they are now. We need to address privacy and data security with comprehensive legislation governing the handling and use of personal and consumer information. I believe we should explore the possibility of giving consumers the power to lock up their information, making it available only when consumers give affirmative consent. We should also look into giving consumers the opportunity to inspect their information, and if it is not accurate, then a chance to correct it. We should also place a heightened responsibility on record keepers to ensure that they are truthfully representing consumers. And we should give victims of lost or stolen information a place to turn, like an office of an omdetsman in order to help them through repairing whatever damage has been done by their information being compromised. We also need to explore the government's use of information compiled by data brokers to make sure that Big Brother is not handing the binoculars to Big Business in order to skirt the Privacy Act. Inaccuracies can cost people their jobs, insurance, the right to vote, good credit histories, or even their lives. I believe that if consumers have the tools, resources, and the rights to protect their personal information, and if companies were held to a higher standard of accountability, we would not have 4.7 million letters being sent out over 3 months warning consumers that their information could be in the hands of criminals. We need to keep in mind that perhaps the only reason we know about these breaches is because of tough State laws like California's that made sure these breaches were reported. If those companies with security breaches had to comply only with Federal legislation, there is a good chance we would be hearing from more and more identity theft victims and had no idea what was going on to cause the potential upsurge. When we craft the legislation to contend with data insecurity, we need to provide a floor and not a ceiling for how personal information is handled and protected. Let the States pressure us to do better instead of us limiting what they can do. Again, Chairman Stearns, I look forward to working with you and the other members of our committee to do what we can to protect consumers. I thank you. Mr. Stearns. I thank the gentlelady. The gentlelady from California, Ms. Bono. Ms. Bono. Thank you, Mr. Chairman. I just would like to thank you for holding this hearing, but I will waive an opening statement. Mr. Stearns. The gentlelady waives. Mr. Ross, is he here? Ms. Baldwin? No. The gentlelady waives. Mr. Pitts, gentleman-- waive. Mr. Markey? Mr. Markey. Thank you, Mr. Chairman, very much. Mr. Chairman, in ``Bonfire of the Vanities'' the novelist Tom Wolfe wrote about ``the Bororo Indians, a primitive jungle tribe who live along the Vermelho River in the Amazon Jungles of Brazil.'' According to Wolfe, the Bororos believed that ``there is no such thing as a private self.'' Instead, they ``regard the mind as an open cavity, like a cave or a tunnel or an arcade, if you will, in which the entire village dwells and the jungle grows.'' Wolfe compared this to the situation faced by someone in the middle of a public scandal in the last quarter of the 20th century, when he suggested ``one's self--or what one takes to be oneself--is not a mere cavity open to the outside world but has suddenly become an amusement park to which everybody, todo el mundo, tout le monde, comes scampering, skipping and screaming, nerves a-tingle, loins aflame, ready for anything, all you have got, laughs, tears, moans, giddy thrills, gasps, horrors, whatever, the gorier the merrier.'' In the 21st Century, Mr. Chairman, we now face the prospect of a world in which all of us--not just Sherman McCoy's caught in the midst of scandal--will be forced to live without a private self: with the entire ``village'' able to obtain access to some of the most personal aspects of our lives. In the emerging surveillance society of the 21st Century, the Bororo Indians seeking to inhabit our private selves are the data mining and information brokerage firms. These companies are collecting and selling a vast array of personal information about the American public. For a fee, these companies will tell you someone's Social Security number, their address, phone number, driver's license number, driving record, any criminal record information, court records, insurance claims, divorce records, and even credit and financial information. Recent press reports have chronicled the adverse privacy consequences of this phenomenon. As we have seen company after company acknowledging that the security and confidentiality of the personal information it holds about American citizens has been compromised. Each week the list of companies who have suffered data security breaches or acknowledged lax practices with respect to access to sensitive personal data has grown longer and longer. I have introduced three bills aimed at addressing the current threats to personal privacy. My first bill, the Information Protection and Security Act, would subject information brokers to regulation by the Federal Trade Commission, and specifically to a set of new, fair information practice rules that the FTC would be required to issue within 6 months of enactment. The FTC rules would address the security of information held by information brokers, the right of consumers to obtain access to incorrect information held by the broker, the responsibility of the broker to protect the information from unauthorized users or from users seeking the information for impermissible and unlawful purposes. The bill also provides the enforcement of the bill's substantive provisions by the FTC, the State Attorney General, and a private right of action. My second bill would generally restrict the purchase and sale of Social Security numbers. And my third bill would allow consumers to block a company from transferring their personal information to entities located in countries that fail to provide adequate and enforcement privacy protection. In other words, the outsourcing of privacy to countries like India and Pakistan that do not have privacy laws in conformance with the EU or with the United States of America. Our x-rays should not be going to be read in countries that do not have the same privacy laws which we have. Our tax records should not be going there, our financial records should not be going there, our health records should not be going there. These are personal records to go to the very identity of us as Americans and as a people. I thank you, Mr. Chairman, for having this very important hearing. [The prepared statement of Hon. Edward J. Markey follows:] Prepared Statement of Hon. Edward J. Markey, a Representative in Congress from the State of Massachusetts Thank you, Mr. Chairman. In Bonfire of the Vanities, the novelist Tom Wolfe wrote about ``The Bororo Indians, a primitive jungle tribe who live along the Vermelho River in the Amazon Jungles of Brazil.'' According to Wolfe, the Bororos believed that ``there is no such thing as a private self.'' Instead, they ``regard the mind as an open cavity, like a cave or a tunnel or an arcade, if you will, in which the entire village dwells and the jungle grows.'' Wolfe compared this to the situation faced by someone in the middle of a public scandal in the last quarter of the 20th century--when, he suggested: ``. . . one's self--or what one takes to be one's self--is not a mere cavity open to the outside world but has suddenly become an amusement park to which everybody, todo el mundo, tout le monde, comes scampering, skipping and screaming, nerves a- tingle, loins aflame, ready for anything, all you've got, laughs, tears, moans, giddy thrills, gasps, horrors, whatever, the gorier the merrier.'' In the 21st Century, we now face the prospect of a world in which all of us--not just the Sherman McCoy's caught in the midst scandal-- will be forced to live without a private self--with the entire ``village'' able to obtain access to some of the most personal aspects of our lives. In the emerging surveillance society of the 21st Century, the Bororo Indians seeking to inhabit our private selves are the data mining and information brokerage firms. These companies are collecting and selling a vast array of personal information about the American public. For a fee, these companies will tell you someone's Social Security Number, their address, phone number, driver's license number, driving record, any criminal record information, court records, insurance claims, divorce records, and even credit and financial information. Recent press reports have chronicled the adverse privacy consequences of this phenomenon, as we have seen company after company acknowledging that the security and confidentiality of the personal information it holds about American citizens has been compromised. Each week, the list of companies who have suffered data security breaches, or acknowledged lax practices with respect to access to sensitive personal data, has grown longer and longer. I have introduced three bills aimed at addressing the current threats to personal privacy. My first bill, the ``Information Protection and Security Act,'' would subject information brokers to regulation by the Federal Trade Commission, and specifically, to a set of new fair information practice rules that the FTC would be required to issue within 6 months of enactment. The FTC rules would address the security of information held by information brokers, the right of consumers to obtain access to and correct information held by the broker, the responsibility of the broker to protect the information from unauthorized users, or from users seeking the information for impermissible or unlawful purposes. The bill also provides for enforcement of the bill's substantive provisions by the FTC, the State Attorney's General, and a private right of action. My second bill, H.R. 1078, would generally restrict the purchase or sale of Social Security numbers, which has become a ubiquitous personal identifier used by corporations and identity thieves to access sensitive personal information. My third bill, H.R. 1653, would allow consumers to block a company from transferring their personal information to entities located in countries that fail to provide adequate and enforceable privacy protections. All three of these bills have been referred to this Subcommittee, and I look forward to hearing the testimony of the witnesses at this morning's hearing, and to discussing the proposals set forth in these bills with them. Mr. Stearns. I thank my colleague for a very thoughtful opening statement. And we are going to Mr. Terry. Mr. Terry waives. Ms. Cubin. Ms. Cubin. Thank you, Mr. Chairman, and thank you for holding this timely hearing. It is especially timely for me. I also want to thank the witnesses that are here today who have joined us to help us hopefully guide us on shaping future legislation regarding personal data security. Throughout my tenure on this subcommittee we have continuously addressed issues regarding privacy protection and the ability of third parties to access and distribute personally identifiable information. Though there are most certainly valid and necessary uses of personal data collection, recent breaches of seemingly secure data have demonstrated that there are just as many opportunities for criminal use of this information. Identify theft, as we all know, is a whole new realm of crime, and America does not currently have the proper legal tools to prevent it, rectify it, or mitigate it. ID theft can invade people's homes, bank accounts, financial assets, often undetected. This can be devastating to victims and Congress must determine the best course of action to help this from happening. As I said, I think this hearing is timely because just on Monday of this week I was notified that I was one of over 96,000 people in one incident and one of 1.4 million people in another affected by an identity theft incident. According to a letter that I received from the companies to notify me of this breach, stolen personal information included bank account numbers and driver's license numbers and other information that's provided on checks. While I was lucky enough I think--I am not sure at this point--that my Social Security number wasn't stolen and that my address wasn't stolen, millions of Americans aren't that lucky--if you want to call my situation lucky. Financial institutions whose systems have been breached have an immediate responsibility to notify victims as well as to provide an explanation of the breach of the security system, which did happen with me. Once again I thank--I hope that I was notified of everything. I am hopeful that today's hearing will outline what other further steps must be taken to assist us in identifying victims and rectifying fraudulent bank transactions and correcting inaccurate file information for future dissemination. I hope this subcommittee will continue to examine this issue in the light of the need for harsher punishment for both data thieves and commercial entities who forfeit personal information, albeit unintentionally. I thank the chairman and I yield back the balance of my time. [The prepared statement of Hon. Barbara Cubin follows:] Prepared Statement of Hon. Barbara Cubin, a Representative in Congress from the State of Wyoming Thank you, Mr. Chairman, for holding this timely hearing. I would also like to thank the witnesses who have joined us here today. As we found during the previous hearing, the current laws governing data security are very complex. I anticipate an open dialogue with the panel of witnesses to help guide Members of the Subcommittee in shaping future legislation regarding personal data security. Throughout my tenure on this subcommittee, we have continuously addressed issues relating to privacy protection and the ability of third parties to access and distribute personally identifiable information. Though there are most certainly valid and necessary uses of personal data collection, recent breaches of seemingly secure data have demonstrated that there are just as many opportunities for criminal use of this information. Identity theft is a whole new realm of crime, and America does not currently have the proper legal tools to prevent, rectify or mitigate it. ID theft can invade people's homes, bank accounts, and financial assets, often undetected. This can be devastating to victims, and Congress must determine the best course of action to halt this crime. I myself have just recently been notified that I was a one of over 1.4 million people affected by the DSW identity theft incident. According to the letter DSW sent to notify me of this breach, stolen personal information included bank account and drivers license numbers provided on checks. While the stolen information did not include names, addresses, or Social Security numbers, millions of Americans affected in other data theft incidents have not been so lucky. It is crucial we call attention to the need for consumers to have proper recourse. Financial institutions whose systems have been breached have an immediate responsibility to notify victims, as well as provide an explanation of the nature of the system's breach. I am hopeful today's hearing will outline what further steps must be taken to assist identity theft victims in rectifying fraudulent bank transactions and correcting inaccurate file information for future dissemination. I hope the subcommittee will continue to examine this issue in light of the need for harsher punishment for both data thieves and the commercial entities who forfeit personal information, albeit unintentionally. I thank the chairman, and I yield back the balance of my time. Mr. Stearns. I thank the gentlelady, and it is very appropriate that you bring to our attention that letter. And I thank you very much, and I think that lends credence to why we are attempting to grapple with this problem to come up with a solution. Mr. Radanovich? The gentleman waives. Ms. Myrick? Ms. Myrick. I waive also. Mr. Stearns. Okay. I think everybody has completed their opportunity for an opening statement. We move now to our witness list. And we welcome them. Before I start, Mr. Ross would like to make an introduction. Mr. Ross. Mr. Ross. Thank you, Mr. Chairman and Ranking Member Schakowsky for having this important hearing today to address the issue of protecting consumers' data. I am pleased that we have Jennifer Barrett to testify from Acxiom, which is located in my home State of Arkansas. Since it was founded in 1969, Acxiom has used technology and consumer data to help some of the largest, most respected companies in the world improve their business results. Acxiom is based in Little Rock, Arkansas and employs more than 6,300 people in eight countries with an annual revenue of about $1.2 billion. Jennifer Barrett is the chief privacy officer of Acxiom Corporation and is one of the world's leading authorities on information practices and policies and their impact on consumers, commerce, and the global economy. Jennifer has been with Acxiom almost since its inception after earning a degree in computer science and mathematics from the University of Texas, which those of us in Arkansas do not hold against her. She has worked at almost every facet of the company. In the early 1990's she became one of the first executives in any industry to become what is now commonly referred to as a chief privacy officer, assigned to help her company and its clients achieve the critical balance of protecting consumer privacy while preserving the benefits of this new information age. Jennifer is now sought out by leading companies, international business leaders, lawmakers, regulators, and many others for her counsel and views on the responsible uses of data. She has appeared many times before committees and forums here in Washington, and we appreciate her again offering her insights to us today. So I would like to thank you, and I look forward to the testimony from Mrs. Barrett as well as the other witnesses on the panel today and the questions from the members here as well. Mr. Stearns. I thank my colleague. [Additional statements submitted for the record follow:] Prepared Statement of Hon. George Radanovich, a Representative in Congress from the State of California Mr. Chairman, I would like to thank you for holding this important hearing today on securing consumers' data. With recent reports from the Federal Trade Commission's study survey indicating that over 10 million people were victims of identity theft during a one year period and estimates that translate into $48 billion loss for businesses and $5 billion loss for consumers, I believe it is evident that the time is right for Congress to determine what needs to be done to protect our constituents from these thieves. I am happy to report that California has been one of the most active state governments in regulation data security. In 2002 California passed a consumer security breach notification law that requires any state agency, or any person or business that owns or licenses computerized data that includes personal information to disclose any breach of security of the data to any resident of that state whose unencrypted information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to California I would like to commend the states of Georgia, Texas and Illinois who are considering similar legislation. As we hear from our witnesses today it is important to determine if the current federal laws are sufficient to protect the data security of consumer's and if technologies exist that could aid in protecting sensitive consumer data and prevent unauthorized access to computerized databases. Recent reports of data security breaches by data brokers, financial institutions, and retailers have raised questions about the sufficiency of current laws to protect consumer information from identity theft. During the Subcommittee's March hearing on issues related to the Choicepoint breach, the FTC testified that the results of a recent FTC study indicated that over 10 million people were victims of identity theft during the one year period the study's survey covered. The FTC estimates that the losses translate into $48 billion for businesses and $5 billion to consumers. While there are Federal laws that provide standards for disclosure of consumer information and require certain entities to take steps to safeguard consumer information, there is NO comprehensive Federal law dealing with data security that governs ALL uses of consumer data. There are two main bodies of Federal law that deal with privacy and data security related to certain types of entities and certain uses of information: The Fair Credit Reporting Act and the Gramm-leach Bliley Act; however the universe of entities to which these bodies of law apply is limited. Several other states have passed or are considering similar legislation, including GA, TX, and Il. A number of federal bills introduced in this Congress are modeled after the CA statute. The social security number was created to identify each U.S. citizen for the sole purpose of tracking employment and benefits however, over time our social security number has been used by both public and private entities for purposes both related and unrelated to the social security program. The usage of this unique identifier has benefited both businesses and consumers, but unfortunately it has led to misuse and most importantly identity theft. The FTC has reported that over 10 million people were victims of identity theft in one year and they estimate that this translates into upwards of a $48 billion loss for businesses and $5 billion loss for consumers, but a price tag can not be put on the loss of one's identity. I look for to hearing our witness' testimony today. Hopefully this will help us determine if our current laws are adequate enough to protect the integrity of our social security numbers and if not, what we need to do to protect them. ______ Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy and Commerce Thank you Mr. Chairman for holding this hearing today. I have spent considerable time focusing on information security issues such as the spyware legislation that this Committee passed unanimously. I'm confident that that bill will be received favorably by the full House as well. Our Committee's work on these issues will continue in earnest, particularly in light of the alarming and ever-growing list of data security breaches recently. Nothing seems safe. In recent months, we have learned about the loss of personally identifiable information--even including Social Security numbers--from ChoicePoint, LexisNexis, Blockbuster, as well as a company called RuffaloCODY that manages information systems for a number of colleges and universities. Most recently, data tapes belonging to Time Warner were stolen from a storage company called Iron Mountain--a company, I might add, that also stores some sensitive information for the Congress. I suspect that there are more thefts of this nature about which we have not yet learned. This is simply unacceptable. In the Internet age, personal information can be accessed in any number of ways and from any number of outlets. To not guard it closely is to open the door to thieves. Sensitive personal information must be secure, and companies that legally gather and distribute this information need to be held accountable if they do not take reasonable steps to ensure that security. The recent breaches have focused our attention on ``data brokers''' who compile public and non-public information in ways that seem downright Orwellian. They can share it, rent it, and sell it. Constraints on these companies and their practices are few and thin. Some of these companies provide an important service for individuals trying to protect their families or investments, as well as for the government trying to protect us all. It is essential that only those who have an appropriate, legitimate reason for having access to such information are allowed to view it. Those who provide this access must be responsible for verifying both the legitimacy of the business or person inquiring, as well as the appropriateness of their reason for doing so. Of course, other entities such as credit card companies, department stores--even the video store, as I mentioned--have sensitive information as well. They must be similarly responsible with the data, and take vigorous steps to protect it. Congress has not laid out a comprehensive framework for data security and data brokers, and it is clear that we need to act. This Committee must take the lead in developing appropriate safeguards for consumer information, and we will proceed to that end on a bipartisan basis. I am glad that Chairman Stearns has put together a diverse panel to discuss this topic, and to explore options for how we as policymakers can help address the concerns of the American public. With that, I would like to welcome the witnesses and thank them for their participation. I am very interested to hear what these companies and their industries are doing to help prevent identity theft, and the misuse of personal information in general. Thank you, and I yield back the balance of my time. ______ Prepared Statement of Hon. Ed Towns, a Representative in Congress from the State of New York Thank you Mr. Chairman for holding this important hearing. Since we last met, the privacy of our constituents has been compromised further and their worries have increased ten-fold. I was encouraged by the feedback that we received in our hearing this past March, but there is much more work to be done. I was pleased to learn that banks and credit card companies are detecting fraud at a quicker rate and successfully shutting down information-sharing websites before identity theft becomes more rampant and uncontrollable. While I understand that stolen or lost credit cards still account for the largest losses to consumers, the danger these on- line thieves pose must be confronted and dealt with. According to an article in Monday's Wall Street Journal, the Anti- Phishing Working Group says 2,870 active phishing sites were reported in March alone, and that since last July such sites have increased 28% a month. The article goes on to state that about 980,000 American consumers had encountered identity-theft fraud via phishing in the prior year, costing banks and credit card issuers more than $1.2 billion in direct losses. I have had a long-standing interest in protecting consumers' privacy. I first began advocating for safeguarding medical records when I found my own records in a public trash bin following a doctor's appointment. In response, I introduced a bill protecting the privacy rights of insurance claimants, which became part of HIPPA. Since last Congress, I have been working with my colleague, Congresswoman Mary Bono to protect consumers' privacy on the internet from Spyware. Our committee passed this bill last week and I am hopeful that we can send it to the President's desk before the end of this year. I look forward to hearing from our witnesses about what went wrong in these recent cases and how we can better protect consumers. Thank you Mr. Chairman. I yield back the balance of my time. Mr. Stearns. We want to welcome Ms. Barrett of Acxiom Corporation; also Mr. Steve Buege, Senior Vice President of Business Information, News and Public Records, North American Legal; Thomson West; Mr. Oliver Ireland, Partner, Financial Services Practice Group, Morrison and Foerster; on behalf of Visa U.S.A., Mr. Daniel Burton, Vice President of Government Affairs, Entrust, Incorporated, McLean, Virginia; and Mr. Daniel Solove, Associate Professor of Law at George Washington University Law School. I thank all of you for attending this morning. And, Ms. Barrett, we will start with you for your opening statement. STATEMENTS OF JENNIFER BARRETT, CHIEF PRIVACY OFFICER, ACXIOM CORPORATION; STEVE BUEGE, SENIOR VICE PRESIDENT, BUSINESS INFORMATION, NEWS AND PUBLIC RECORDS, NORTH AMERICAN LEGAL; OLIVER I. IRELAND, PARTNER, FINANCIAL SERVICES PRACTICE GROUP, MORRISON AND FOERSTER, LLP, ON BEHALF OF VISA USA; DANIEL BURTON, VICE PRESIDENT OF GOVERNMENT AFFAIRS, ENTRUST, INC.; AND DANIEL J. SOLOVE, ASSOCIATE PROFESSOR OF LAW, GEORGE WASHINGTON UNIVERSITY LAW SCHOOL Ms. Barrett. Thank you, Chairman Stearns, Ranking Member Schakowsky, Congressman Ross, and distinguished members of this committee. I thank you for the opportunity for Acxiom to participate in this hearing, and I ask for unanimous consent that my written statement be entered in the record. Mr. Stearns. By unanimous consent, so ordered. Ms. Barrett. Mr. Chairman, let me be blunt. The bad guys are smart and they are getting better organized in using their skills to intelligently but illegally and fraudulently access personal information. Acxiom must therefore remain more vigilant and innovative by constantly improving, auditing, and testing our systems, and yes, even learning from the security breaches in the marketplace. Information is an integral part of the American economy, and Acxiom recognizes its responsibility to safeguard the personal information it collects and brings to the market. As FTC Chairman Majoras recently stated in her testimony both before the Senate and the House, ``There is no such thing as perfect security.'' And breaches can happen even when a company has taken every reasonable precaution. Although we believe this to be true, no one has a greater interest than Acxiom in protecting its information because our very existence depends on it. Acxiom's U.S. business includes two distinct components: our customized computer services and a line of information products. Our computer services, which represent more than 80 percent of the company's business, help businesses, not-for- profit organizations, political parties, and government manage their own information. Less than 20 percent of our business comes from our four lines of products involving information-- our fraud management products, our background screening products, our directory products, and our marketing products. Our fraud management and background screening products are the only Acxiom products containing sensitive information, and they represent less than 10 percent of our business. Acxiom would like to take this opportunity to set the record straight in response to a couple of misunderstandings that have developed about the company. First, Acxiom does not maintain one big data base containing dossiers on anyone. Instead, we build and maintain discrete, segregated data bases for each and every product. Second, Acxiom does not co-mingle client information that comes from the services we provide to our clients with their information products, which we are responsible for. Such activity would constitute a violation of our contracts and consumer privacy. Third, Acxiom's fraud management products are sold only to a handful of large companies and government agencies who have a legitimate need for them. The information utilized in these products is covered under the safeguards and use rules of the Gramm-Leach-Bliley Act and both State and Federal driver privacy protection laws. Fourth, Acxiom's fraud management verification services only validate information already in our client's possession. Access to additional information is available only to law enforcement and the internal fraud departments of large financial institutions and insurance companies. Fifth, our background screening products are covered under the Fair Credit Reporting Act, and we do not pre-aggregate information provided in these services. Beyond these protections, the following additional safeguards exist: first, because public record information is blended with regulated information in both our fraud management and our background screening products, Acxiom voluntarily applies the more stringent security standards to all such blended data, even though not required to by law. Since 1997 Acxiom has posted a privacy policy on our website describing both our online and all our offline practices, thus voluntarily subjecting the company to the FTC rules governing unfair or deceptive practices. Third, the company has imposed our own internal, more restrictive guidelines for use of sensitive information such as Social Security numbers. And fourth, all of Acxiom's information products and practices have been audited on an annual basis since 1997, and our security policies are regularly audited both by ourselves, as well as by many of our clients. Two years ago Acxiom experienced a security breach on one of the external file transfer servers used to transfer information back and forth between Acxiom and our clients. Fortunately, the vast majority of the information involved was of a non-sensitive nature, and law enforcement was able to apprehend the suspects and ascertain that none of the information was used to commit identity fraud. Since then, Acxiom has put in place even greater protections for the benefit of both consumers and our clients. In conclusion, I would like to say that ongoing privacy concerns indicate the adoption of additional legislation may be appropriate. Acxiom supports efforts to pass federally preemptive legislation requiring notice to consumers in the event of a security breach, which places the consumer at risk of identity fraud. Acxiom also supports the recent proposal from FTC Chairman Majoras for the extension of the GLBA Safeguards Rule. Mr. Chairman, on behalf of Acxiom I want to express our gratitude for the opportunity to participate, and we will be happy to answer any questions the committee may have. [The prepared statement of Jennifer Barrett follows:] Prepared Statement of Jennifer Barrett, Chief Privacy Officer, Acxiom Corporation introduction Chairman Stearns, Ranking Member Schakowsky and distinguished Members of the Committee, thank you taking the time to hold this hearing on consumer data and options following security breaches. Acxiom appreciates the opportunity to participate in today's hearing. Acxiom has an inherent responsibility to safeguard the personal information we collect and bring to the market, and we have focused on assuring the appropriate use of these products and providing a safe environment for this information since 1991 when the company brought its first information products to market. It is important that we all recognize that information has become an ever growing and ever more integral part of the American economy. Information is the facilitator of convenience, competition and provides the tools that reduce fraud and terrorism. As such, we believe that it is Acxiom's obligation to provide effective safeguards to protect the information we bring to market regardless of the difficulties encountered in doing so. Let me be blunt. The bad guys are smart and getting more organized. They will use all of the skills available to them to try to find ways to obtain the information they need to commit fraud. Acxiom must therefore remain vigilant and innovative, and that is why we employ a world-class information security staff to help us fend off criminals who attempt to access Acxiom's data. Acxiom is constantly improving, auditing and testing its systems. Yes, Acxiom is even learning from security breaches when they occur, and we are certain that other responsible companies are doing so as well. As Chairman Deborah Majoras of the Federal Trade Commission recently stated in her testimony before the Senate, ``[T]here is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution.'' Even though we believe that this is true, no one has a greater interest than Acxiom in protecting information because the company's very existence depends on securing personal information pertaining to consumers. In order to enjoy the benefits provided by a robust information- based economy and also to keep our citizens safe from fraudulent activity, there are no quick fixes or easy solutions. We believe that it is necessary that cooperation exists among policy makers, information service providers, Acxiom's clients, law enforcement and consumers. We applaud your interest in exploring these issues and we very much want to be a resource in helping you achieve the proper legislative balance we all seek. about acxiom corporation Founded in 1969, Acxiom is headquartered in Little Rock, Arkansas, with operations throughout the United States, and with processing centers in Arkansas, Illinois, Arizona, Ohio and California. The company also has offices in nine other countries across Europe and Asia. From a small company in Arkansas, Acxiom Corporation has grown into a publicly traded corporation with more than 6,000 employees worldwide Acxiom's U.S. business includes two distinct components: customized computer services and a line of information products. Acxiom's computer services represent the vast majority of the company's business and they include a wide array of leading technologies and specialized computer services focused on helping clients manage their own customer information. These services are offered exclusively to large businesses, not-for-profit organizations, political parties and candidates, and government agencies. Acxiom's private sector computer services clients represent a ``who's who'' of America's leading companies. Acxiom helps these clients improve the loyalty of their customers and increase their market share, while reducing risk and assisting them with their compliance responsibilities under state and federal law. Finally, Acxiom helps government agencies improve the accuracy of the personal information they currently hold. The balance of Acxiom's business comes from information products that are comprised of four categories: fraud management products, background screening products, directory products and marketing products. These four product lines represent less than 20 percent of the company's total business and the fraud management and background screening products represent less than 10 percent. While each product plays a unique role, all of Acxiom's information products help fill an important gap in today's business-to-consumer relationship. To understand the critical role Acxiom plays in facilitating the nation's economy and safeguarding consumers, it is important to understand what the company does not do. Over the years, a number of myths have developed about Acxiom that require clarification. Please allow us to set the record straight: Acxiom does not maintain one big database that contains detailed information about all individuals. Instead, the company safeguards discrete databases developed and tailored to meet the specific needs of Acxiom's clients--entities that are appropriately screened and with whom Acxiom has legally enforceable contractual commitments. I cannot call up from the company's databases a detailed dossier on myself or any individual. Acxiom does not provide information on particular individuals to the public, with the exception of Acxiom's telephone directory products. These products, which are available on several Internet search engines, contain information already available to the public. The other information Acxiom processes is provided only to legitimate businesses for specific legitimate business purposes. Acxiom's does not have any information in either its directory or marketing products which could be used to commit identity fraud. Acxiom also does not include detailed or specific transaction-related information, such as what purchases an individual made on the Internet or what websites they visited. The company's directory products include only name, address and telephone information. The company's marketing products include only information that is general in nature and not specific to an individual purchase or transaction. Acxiom does not commingle client information that the company processes in its computer services business with any of our information products. Such activity would constitute a violation of the company's services contracts with those clients and a violation of consumer privacy. A client for whom the company performs services may have a different agreement with us as a data contributor, but these two relationships are kept entirely separate. Acxiom's fraud management products are sold exclusively to a handful of large companies and government agencies--they are not sold to individuals. The company's verification services only validate that the information our client has obtained from the consumer is correct. Only law enforcement, government agencies and the internal fraud departments of large financial institutions and insurance companies have access to additional information. Acxiom's background screening products provide employment and tenant screening services which utilize field researchers who do in- person, real-time research against public records and make calls to past employers to verify the information provided by the consumer. Where permitted by law, a pre-employment credit report can also be obtained. Acxiom does not pre-aggregate information for these products. Acxiom's directory information products contain only contact information on consumers such as name, address and telephone number. They are collected so businesses and consumers can locate other businesses or consumers. They are compiled from the white and yellow pages of published U.S. and Canadian telephone directories and from information available from the various directory assistance services provided by the telephone companies. Acxiom's marketing information products provide demographic, lifestyle and interest information to companies to reach prospective new customers who are most likely to have an interest in their products and to better understand and serve the needs of existing customers. They are compiled from pubic records, surveys and summarized customer information primarily from publishers and catalogers. respecting and protecting consumers' privacy Acxiom has a longstanding tradition and engrained culture of protecting and respecting consumer interests in our business. The company is today, and always has been, a leader in developing self- regulatory guidelines and in establishing security policies and privacy practices. There are, as explained below, numerous laws and regulations that govern our business. Ultimately, however, Acxiom's own comprehensive approach to information use and security goes far beyond what is required by either law or self-regulation. Safeguards Applicable to Products Involving the Transfer of Sensitive Information Only Acxiom's fraud management and background screening products involve the transfer of sensitive information. These products, therefore, are subject to law, regulations and our own company policies that help protect against identity fraud. These legal protections and additional safeguards are addressed below: GLBA, DPPAs, and FTC: Our fraud management products utilize information covered under the Gramm-Leach-Bliley Act (GLBA), and driver's license information covered under both state and federal driver's privacy protection acts (DPPAs). These obligations include honoring GLBA and DPPA notice and choice related to sharing and use of the information, the GLBA Safeguard Rules and FTC Privacy Rule and Interagency Guidelines. Any uses of data must fall within one of the permitted uses or exceptions specified in these laws. FCRA and FACTA: Our background screening products are covered by all of the regulations and consumer protections established by the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). These protections include: the requirement that a consumer authorize the creation of employment reports; notice of adverse actions taken based on such report; and the right of consumers to obtain a copy of such reports and to dispute inaccuracies. Finally, such regulations require that re-verification or correction of disputed information be performed in a timely manner. Safeguarding Public Record Information: Public records are used in both Acxiom's fraud management and background screening products. Although a heightened level of protection is not mandated for such public record information, by virtue of the fact that such public information is blended with regulated information, Acxiom voluntarily chooses to apply the more stringent standards of the above-mentioned regulations to the resulting products. Safeguards Applicable to Other Products Although Acxiom's directory and marketing products do not contain any sensitive information that could put a consumer at risk for identity fraud, Acxiom is still subject to the following critical safeguards: various industry guidelines, compliance with all requirements in the original notice to consumers at the time the data was collected, and voluntary compliance with those laws to which our clients themselves are subject. Telephone Directory Safeguards: Acxiom's directory products comply with all applicable policies regarding unpublished and unlisted telephone numbers and addresses. In addition, because Acxiom recognizes that consumers may object to published listings being available on the Internet, Acxiom itself offers an opt- out from such use. Further, Acxiom voluntarily suppresses all telephone numbers found on the Federal Trade Commission's Do- Not-Call Registry and the eleven other state Do-Not-Call registries, when providing phone numbers for targeted telemarketing purposes. Marketing Product Safeguards: Acxiom's marketing products comply with all the self-regulatory guidelines issued by the Direct Marketing Association. These requirements include notice and the opportunity to opt-out. Consumers have the ability to opt- out from Acxiom's marketing products by calling the company's toll-free Consumer Hotline, accessing its Website, or by writing to the company. Since Acxiom does not have a customer relationship with individual consumers, Acxiom coordinates with its industry clients to research and resolve consumer inquiries. Additional Safeguards Acxiom takes seriously its responsibility to assure that all the information we bring to market is appropriate for the use to which it is intended and to provide adequate safeguards specifically aimed at protecting against unauthorized use. Privacy Policy/FTC Jurisdiction: Since 1997, long before it was a common practice, Acxiom has posted its privacy policy on the company's website. The privacy policy describes both Acxiom's online and offline consumer information products. The policy further describes: what data Acxiom collects for these products; how such data is used; the types of clients to which such data is licensed; as well as the choices available to consumers as to how such data is used. By making these extensive disclosures, Acxiom has voluntarily subjected itself to Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive conduct in the course of trade or commerce, as well as various state statutes governing unfair and deceptive acts and practices. Consumer Care Department/Consumer Hotline: Acxiom maintains a Consumer Care Department led by a Consumer Advocate whose team interacted with more than 50,000 consumers in the past 12 months by way of answering questions, resolving issues, processing opt-outs, and handling requests for access to Acxiom's fraud management, background screening, directory and marketing products. Acxiom provides consumers who contact the company (through the company website, or by calling a toll-free Consumer Hotline or by writing to the company) the options of: opting-out of all of Acxiom's marketing products; receiving an information report from the company's fraud management and directory products; or receiving a consumer report as specified in the FCRA from the company's background screening products. Acxiom encourages consumers to notify the company if the information in any of these reports is inaccurate and it is the company's policy either to correct the information, to delete it or to refer the consumer to the appropriate source to obtain the requested correction, such as a county or state agency. Certification and Compliance with Federal and State Law: Acxiom's privacy policy is designed to adhere to all Federal, State, and local laws and regulations on the use of personal information. The company is also certified under the Department of Commerce's European Union Safe Harbor and the Better Business Bureau's Online Seal. Consumer Education: Acxiom believes that consumers should be educated about how businesses use information. To that end, Acxiom publishes a booklet, entitled ``Protecting Your Privacy in the Information Age--What Every Consumer Should Know About the Use of Individual Information,'' which is available for free both on the company's website and upon written or telephone request. Voluntary Acxiom Policies: Above and beyond the industry-accepted guidelines with which Acxiom complies, Acxiom also has established its own internal guidelines, which are more restrictive than industry standards. For example, Acxiom only collects the specific information required to meet its clients' information needs, and the company properly disposes of the remaining data, when information is compiled from public records. Acxiom has also implemented specific guidelines regarding the use and protection of information that could be involved in identity fraud, such as Social Security numbers. Information Practice and Security Audits: Acxiom has had a longstanding focus on the appropriate use of information in developing and delivering its information products. While the creation of strong information use policies is a business imperative, assuring these policies are followed is equally important. To this end, all of Acxiom's information products and practices have been internally and externally audited on an annual basis since 1997. Since many of Acxiom's computer service clients are financial institutions and insurance agencies, Acxiom has been regularly audited for many years by these clients. Furthermore, Acxiom must honor the safeguards and security policies of the company's clients. Since Acxiom's security program is enterprise-wide, it is the company's policy to institute these high levels of protection across all lines of business. These client audits, along with Acxiom's own internal security audits, provide Acxiom with regular and valuable feedback on ways to stay ahead of hackers and fraudsters who may attempt to gain unauthorized access to Acxiom's systems. Lessons Learned Two years ago, Acxiom experienced a security breach on one of the company's external file transfer servers. The hackers were employees of an Acxiom client and a client's contractor. As users with legitimate access to the server, the hackers had received authority to transfer and receive their own files. The hackers did not penetrate the firewalls to Acxiom's main system. They did, however, exceed their authority when they accessed an encrypted password file on the server and successfully unencrypted about 10 percent of the passwords, which allowed them to gain access to other client files on the server. Fortunately, the vast majority of the information involved in this incident was of a non-sensitive nature. Upon learning of the initial breach from law enforcement, Acxiom immediately notified all affected clients and, upon further forensic investigation, the company informed law enforcement regarding a second suspected security incident. Fortunately, in both instances, law enforcement was able to apprehend the suspects, recover the affected information and ascertain that none of the information was used to commit identity fraud. One of the hackers pled guilty and was recently sentenced to 48 months in federal prison. The other is currently awaiting trial. As a result of the breach, Acxiom cooperated with audits conducted by dozens of its clients, and both the Federal Trade Commission and the Office of the Comptroller of the Currency examined Acxiom's processes to ensure that the company was in compliance with all applicable laws and its own stated policies. This experience taught Acxiom additional valuable lessons regarding the protection of information. For example, Acxiom now requires the use of more secure passwords on the affected server. The process for transferring files has been changed, specifically by keeping information on the server for much shorter periods of time. And while it was always a recommended internal policy, Acxiom now requires that all sensitive information passed across such servers be encrypted. In addition, while Acxiom has had in place a Security Oversight Committee for many years, the company has also now appointed a Chief Security Officer with more than 20 years of IT experience. In short, Acxiom's systems are more secure today as a result of the company's experience and dedication to the privacy of consumers. The Need For Additional Legislative Safeguards There has been much discussion, especially in recent weeks, about whether existing federal law sufficiently protects consumers from harm. In this regard, Acxiom does believe that additional, appropriately tailored legislation would assist Acxiom, the rest of the information services industry and businesses in general in ensuring that consumers are protected from fraud and identity theft. But, as FTC Chairman Majoras has said, even the best security systems imaginable and the strongest laws possible can nonetheless be circumvented by inventive criminals' intent on committing fraud. Breach Notification: Acxiom supports efforts to pass federal preemptive legislation requiring notice to consumers in the event of a security breach, where such breach places consumers at risk of identity theft or fraud. California implemented similar legislation several years ago, and over thirty other states are involved in passing similar laws. The bottom line is that consumers deserve a nationwide mandate that requires that they be notified when they are at risk of identity theft, so they can take appropriate steps to protect themselves. Extension of the GLBA Safeguards Rule: Currently, Acxiom voluntarily subjects itself to the GLBA Safeguards Rule with respect to the company's computer services and information products. Acxiom also complies with the California safeguards law (AB 1950). FTC Chairman Majoras recently has proposed an extension of the GLBA Safeguards Rule to the information services industry as a whole. Acxiom supports her recommendation. Mr. Chairman, Acxiom appreciates the opportunity to participate in this hearing and to assist Congress in identifying how best to safeguard the nation's information and data. Acxiom is available to provide any additional information the Committee may request. Mr. Stearns. I thank you. Our next witness is Mr. Buege. Welcome. STATEMENT OF STEVEN BUEGE Mr. Buege. Chairman Stearns, Congresswoman Schakowsky, members of this distinguished committee, thank you for allowing West to present testimony before this hearing of the Subcommittee on Commerce, Trade, and Consumer Protection. I commend you for continuing its tradition of ardent and principled investigation and legislative oversight of so many of the issues that touch each of us every day. My name is Steve Buege. I am senior vice president of Business Information, News, and Public Records for West. I oversee this content on Westlaw. I have worked for West nearly 20 years, most recently as head of operations, and prior to that as chief technology officer. I am proud to be associated with West and of West's record in the data privacy arena. West has served the same niche customer base, legal and government professionals, for over 125 years and throughout our transformation from being a traditional law book publisher to a leader in information technology. In 1975 West introduced its first online legal research service, Westlaw, and we have been a pioneer in e-commerce ever since. According to our research, the total U.S. public records market represents about $7 billion annually. Of that, $1 billion is focused on the crime, law enforcement, prosecution area. About $160 million of that is in the legal market. For our business, data bases with full SSNs account for only a fraction of 1 percent of our revenue. West's customers work in law firms, courts, government, and corporate legal departments. Much of the information they need to do their jobs is, by its very nature, sensitive. We are acutely aware of this and consider ourselves stewards of data privacy. Given the attention this issue has recently received in Washington and in the media, we have carefully reviewed and further tightened our policies. Throughout this process, our ultimate test was to do the right thing. Our record proves that we are on the right track. Since February, West has removed access to full SSNs from about 85 percent of the accounts that had it, and blocked this access entirely to all non-government accounts. Today, the only customers who can access full SSNs are government agencies involved in crime prevention, prosecution, and homeland security. Primarily, the Federal courts, Department of Justice, and IRS. We also have some smaller government accounts all in the areas of law enforcement and homeland security as well with access to full SSNs. All of these accounts are carefully vetted. It is important to note that we have never granted ad hoc access to full SSNs and that West serves a specialized B to B market of legal and government professionals, not a consumer- oriented market. West's policies go well beyond what is required under various privacy laws, yet we recognize the need for more clarity and regulatory guidance. We welcome the opportunity to work with you on a variety of approaches, including establishing a uniform notification system to inform citizens whose data may have been compromised, charging a government agency with regulatory oversight of public data providers similar to the FTC's role with financial institutions, requiring senior management in data companies that deal with SSNs to sign off on their companies' security and privacy arrangements, and legislation that would establish a consistent method for masking SSNs--for example, always obscuring the last four digits. Thank you for your interest and your hard work and for allowing West to be part of this discussion. I look forward to continuing to work with you on this important matter. [The prepared statement of Steve Buege follows:] Prepared Statement of Steve Buege, Senior Vice President, Business Information News and Public Records, on Behalf of West introduction Chairman Stearns, Congresswoman Schakowsky, Members of this distinguished Committee: Thank you very much for allowing West the opportunity to present testimony before this hearing of the Energy and Commerce Committee's Subcommittee on Commerce, Trade, and Consumer Protection. I commend you for continuing the Committee's tradition of ardent and principled investigation and legislative oversight of so many of the issues that touch each of us every day. My name is Steve Buege. I'm senior vice president of Business Information News and Public Records. In that role for West, I oversee our news, business information and public records content on Westlaw, and together with the president and CEO of West, I oversee the policies governing procurement of and access to that information. Prior to this, I was vice president of Operations for West, where Customer Experience, Technology and Content Operations reported into me. Prior to that, I was Chief Technology Officer for four years. In my work with the company, spanning now some 20 years, I've participated in some of its most important transformations. I have intimate knowledge of its technology, its business and its values. And I am proud of my association with the business. about west and our customers West has been serving the same niche customer base--exclusively legal and government professionals--for more than 125 years. Our company founder, John B. West, started West Publishing in 1872 as a regional book and office supply seller for attorneys in the Midwest. Eventually, West covered judicial opinions from every state, circuit and appellate court and the U.S. Supreme Court. Our core market has remained legal and government customers for more than a century. West maintained this focus on the B2B market while transitioning from a traditional legal book publisher to a leader in the information technology revolution. In 1975, West introduced its first online legal research service, Westlaw. We've been a pioneer in e-commerce ever since. We embraced the Internet, and electronic publishing is at the heart of our business today. The West name--from West Publishing to Westlaw--has long been known as an authoritative, trustworthy source for the U.S. bench and bar. This market recognizes Westlaw as the premier online legal research service; it offers the world's largest databases of legal research materials, statutes, case law, legal treatises and business information. West has been acutely focused on security and privacy issues, especially in the last 10 years as access to electronic information has increased significantly. We consider ourselves stewards of data privacy. West was a founding member of the Individual Reference Services Group (IRSG). The 1997 IRSG Principles defined a balance between personal privacy and the important societal benefits of reference services. West used these principles to establish procedures for qualifying its users, with only government agencies and a very small number of professional users receiving qualified access to full Social Security numbers. Today, West still refers to the IRSG Principles for guidance about our collection and distribution of information. For example, although the Gramm-Leach-Bliley Act's privacy rule permits distribution of information--including full Social Security numbers--to any entity that fits within the exception to the rule, West limits distribution of full Social Security numbers to specific government agencies--going beyond the requirements of GLBA. overview of the public records market According to our research, the U.S. public records market represents about $7 billion dollars annually. Within this space, $1 billion is focused on the crime/law enforcement/prosecution area; approximately $160 million of that space is focused on usage within the legal market. Of this $160 million, only a fraction relates to records with full Social Security numbers. For our legal businesses, databases with full Social Security numbers only account for a fraction of 1 percent of our revenues. It's important to note that only vetted government customers who deal with law enforcement, investigatory or homeland security issues have access to full Social Security numbers. None of our corporate clients have this access. our privacy policies West's customers work in law firms, the courts, government and corporate legal departments. Much of the information our customers need to do their jobs and serve our legal justice system is, by its very nature, sensitive. West has always been a good steward of this sensitive information, and we are deeply committed to ensuring that we achieve the proper balance between making information available for legitimate business and governmental purposes and respecting people's expectations of privacy. Given the attention this issue has received in Washington and in the media during the past few months, we have carefully reviewed our policies and made significant changes concerning access. Throughout this process, our ultimate test was to do the right thing. Our record proves that we're on the right track. Since February, West has reviewed the very small number of customers who had access to full Social Security numbers and further restricted which customers are allowed such access. We removed access to full Social Security numbers for about 85 percent of the accounts who had it, and blocked this type of access to all non-government accounts. Today, most customers who can access full Social Security numbers are government agencies involved in crime prevention, prosecution and homeland security--primarily the Federal Courts, the Department of Justice and the IRS. We also have some smaller accounts-- all in the areas of law enforcement and homeland security as well--with access to full Social Security numbers. All these accounts are carefully vetted. It's important to note that we have never granted ad hoc access to full Social Security numbers and that West serves a specialized market of legal and government professionals--not a consumer-oriented market. Opt-in policy In the past few months, West has worked with our government customers to fully institute an opt-in policy; that is, a policy that assumes a government account will not have full access to Social Security numbers. Under this new policy, accounts that need access to full Social Security numbers will be granted access only to specified and qualified individuals. Moving forward, all new contracts West enters with government agencies will be opt-in only. Enhanced usage tracking and Westlaw reminders West also has introduced new procedures to monitor databases that contain Social Security numbers for unusual use patterns, and on a go- forward basis, customers permitted to view full Social Security numbers on Westlaw will see a special notification message--any time--they-- access--these databases.--This message will remind the user that he or she is among a--limited--number of people given privileged access to this information, and that it must be used only for appropriate purposes and in compliance with the law and the privacy terms West imposes. This will ensure that individual users are aware of their responsibility in accessing Social Security numbers as well as their unique privilege to use this information. West's policy goes well beyond what's required under--various privacy--laws. We are committed to working with this Committee to fully explore this complex issue. We also hope to work with you, federal agencies and the industry to ensure that the public is protected from fraud and that those committed to fighting and prosecuting these crimes will have the information they need to do their important work. privacy guidelines and regulations And that is why I'm here today. West recognizes the need for guidelines, and we would welcome the opportunity to work with you to advance a variety of approaches. From our business perspective, here are some areas where we welcome clarity and guidance: Establishing a uniform notification system that informs customers whose data may have been compromised Allowing a government agency to have an appropriate regulatory role over public data providers, similar to the regulatory role the Federal Trade Commission currently has regarding data matters in financial institutions Requiring senior management in data companies that deal with Social Security numbers to sign off on a business's security and privacy arrangements Also, you may want to consider the following ideas that haven't been as widely discussed: Legislation that would establish a universally applied method for masking Social Security numbers. (Now there are several common ways that entities mask Social Security numbers. Some mask the first five digits and others truncate the last four. This might allow someone to determine a full Social Security number by using two differently masked numbers.) Encouraging each business in this space to find an alternative technology solution--instead of Social Security numbers--to create a unique locator that distinguishes one individual with the same name from another. This approach would be specific to each business; it wouldn't be uniform across the industry. conclusion Thank you for your interest, your hard work and allowing West to be part of your discussion. I look forward to continuing to work with you on this important matter as we balance individuals' rights to privacy with the national concern for justice and homeland security. Mr. Stearns. I thank the gentleman. Mr. Ireland, well, welcome. STATEMENT OF OLIVER I. IRELAND Mr. Ireland. Good morning, Chairman Stearns---- Mr. Stearns. I just need you to---- Mr. Ireland. [continuing] Ranking Member Schakowsky, and members of the subcommittee. My name is Oliver Ireland. I am a partner in the Washington, DC office of Morrison and Foerster, and I am pleased to be here today on behalf of Visa U.S.A. to address the issue of consumer information security. Visa has long recognized the importance of protecting cardholder information. The Visa system provides for zero liability for cardholders for unauthorized transactions. Therefore, Visa members, card issuers incur the costs of fraudulent transactions that may result from unauthorized access to cardholder information and have a strong interest in protecting that information. Further, existing Federal law obligates financial institutions to protect their customers' information. Under Section 501(b) of the Gramm-Leach-Bliley Act, the Federal banking agencies and the Federal Trade Commission have established information security standards for the financial institution subject to their jurisdiction. But many holders of sensitive personal information, including, for example, employers and retail merchants, are not financial institutions subject to the 501(b) rule. In part, to address this gap, Visa is implementing a comprehensive Cardholder Information Security Plan or CISP. CISP requires all holders of cardholder information, including merchants, to comply with the ``Visa Digital Dozen,'' 12 basic requirements for safeguarding customer information. Visa also uses sophisticated neural networks to detect and block transactions where fraud is suspected. These networks, coupled with CISP and Visa's zero liability policy provide a high degree of protection from fraudulent credit card transactions to cardholders. Nevertheless, Visa believes that all businesses that maintain sensitive personal information should be subject to uniform national requirements to protect that sensitive information. Closely related to the issue of information security is the question of what to do if a security breach occurs. Visa believes that where the breach creates a substantial risk of harm to consumers, that the consumers can take action to prevent, the consumers should be notified so that they can take the appropriate action. Both Federal and California law already address this issue. For example, the California law currently requires notice to individuals of a breach of security involving their computerized personal information. Other States have enacted or are considering security breach notification laws. However, the details of these laws differ. The Federal banking agencies have also issued guidance that requires banking institutions that experience a breach of security involving sensitive customer information to notify customers where misuse of the information has occurred or is reasonably possible. The fact that States are not addressing notification in a uniform way creates a critical need for a single, national standard for notification. A single standard will avoid confusion among consumers as to the meaning of notices that they receive and among holders of consumer information as to their notification responsibilities. Further, any legislation on security breach notification should recognize compliance with the banking agency guidance that is already in place as compliance with any Federal notification requirement. Further, such notification requirements should be risk-based to avoid inundating consumers with notices where no action by consumers is required. As FTC Chair Majoras has testified, notices should be sent only if there is a significant risk of harm. Thank you again for the opportunity to be here today. I would be happy to answer any questions from the members of this committee. [The prepared statement of Oliver I. Ireland follows:] Prepared Statement of Oliver I. Ireland on Behalf of Visa U.S.A. Inc. Good morning Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee. I am a partner in the law firm of Morrison & Foerster LLP, and practice in the firm's Washington, D.C. office. I am pleased to appear before the Subcommittee on behalf of the Visa, U.S.A. Inc., to discuss the important issue of consumer information security. The Visa Payment System, of which Visa U.S.A. is a part, is the largest consumer payment system, and the leading consumer e-commerce payment system, in the world, with more volume than all other major payment cards combined. Visa plays a pivotal role in advancing new payment products and technologies, including technology initiatives for protecting personal information and preventing identity theft and other fraud. Visa commends the Subcommittee for focusing on the important issue of information security. As the leading consumer electronic commerce payment system in the world, Visa considers it a top priority to remain a leader in developing and implementing technology, products, and services that protect consumers from the effects of information security breaches. As a result, Visa has long recognized the importance of strict internal procedures to protect Visa's members' cardholder information, thereby to protect the integrity of the Visa system. Visa has substantial incentives to maintain strong security measures to protect cardholder information. The Visa system provides for zero liability to cardholders for unauthorized transactions. Cardholders are not responsible for unauthorized use of their cards. The Visa Zero Liability policy guarantees maximum protection for Visa cardholders against fraud due to information security breaches. Because the financial institutions that are Visa members do not impose the losses for fraudulent transactions on their cardholder customers, these institutions incur costs from fraudulent transactions. These costs are in the form of direct dollar losses from credit that will not be repaid, and also can be in the form of indirect costs attributable to the harm and inconvenience that might be felt by cardholders or merchants. Accordingly, Visa aggressively protects the cardholder information of its members. existing federal laws and rules for information security Existing federal laws and regulations also obligate financial institutions to protect the personal information of their customers. Rules adopted under section 501(b) of the Gramm-Leach-Bliley Act of 1999 by the federal banking agencies and the Federal Trade Commission (``FTC'') (``GLBA 501(b) Rules'') establish information security standards for the financial institutions subject to the jurisdiction of these agencies. Under the GLBA 501(b) Rules, financial institutions must establish and maintain comprehensive information security programs to identify and assess the risks to customer information and then control these potential risks by adopting appropriate security measures. Each financial institution's program for information security must be risk-based. Every institution must tailor its program to the specific characteristics of its business, customer information and information systems, and must continuously assess the threats to its customer information and systems. As those threats change, the institution must appropriately adjust and upgrade its security measures to respond to those threats. However, the scope of the GLBA 501(b) Rules is limited. Many holders of sensitive personal information are not financial institutions covered by the GLBA 501(b) Rules. For example, employers and most retail merchants are not covered by the GLBA 501(b) Rules, even though they may possess sensitive information about consumers. visa's cardholder information security plan Because of its concerns about the adequacy of the security of information about Visa cardholders, Visa has developed and is implementing a comprehensive and aggressive customer information security program known as the Cardholder Information Security Plan (``CISP''). CISP applies to all entities, including merchants, that store, process, transmit, or hold Visa cardholder data, and covers enterprises operating through brick-and-mortar stores, mail and telephone order centers, or the Internet. CISP was developed to ensure that the cardholder information of Visa's members is kept protected and confidential. CISP includes not only data security standards but also provisions for monitoring compliance with CISP and sanctions for failure to comply. As a part of CISP, Visa requires all participating entities to comply with the ``Visa Digital Dozen''--twelve basic requirements for safeguarding accounts. These include: (1) install and maintain a working network firewall to protect data; (2) do not use vendor- supplied defaults for system passwords and security parameters; (3) protect stored data; (4) encrypt data sent across public networks; (5) use and regularly update anti-virus software; (6) develop and maintain secure systems and applications; (7) restrict access to data on a ``need-to-know'' basis; (8) assign a unique ID to each person with computer access; (9) restrict physical access to data; (10) track all access to network resources and data; (11) regularly test security systems and processes; and (12) implement and maintain an overall information security policy. payment card industry data security standard Visa is not the only credit card organization that has developed security standards. In order to avoid the potential for imposing conflicting requirements on merchants and others, in December of 2004, Visa, MasterCard, American Express, Discover, and Diners Club collaborated to align their respective data security requirements for merchants and third parties. Visa found that the differences between these security programs were more procedural than substantive. Therefore, Visa has been able to integrate CISP into a common set of data security requirements without diluting the substantive measures for information security already developed in CISP. Visa supports this new, common set of data security requirements, which is known as the Payment Card Industry Data Security Standard (``PCI Standard''). neural networks to detect fraud and block potentially unauthorized transactions In addition to the CISP program, which helps to prevent the use of cardholder information for fraudulent purposes, Visa uses sophisticated neural networks that flag unusual spending patterns for fraud and block the authorization of transactions where fraud is suspected. When cardholder information is compromised, Visa notifies the issuing financial institution and puts the affected card numbers on a special monitoring status. If Visa detects any unusual activity in that group of cards, Visa again notifies the issuing institutions, which begin a process of investigation and card re-issuance. These networks, coupled with CISP and Visa's Zero Liability, provide a high degree of protection from fraudulent credit card transactions to cardholders. expansion of existing requirements Current protections notwithstanding, Visa believes that an obligation to protect sensitive personal information, similar to the GLBA 501(b) Rules, should apply broadly so that all businesses that maintain sensitive personal information will establish information security programs. Because consumer information knows no boundaries, it is critical that this obligation be uniform across all institutions in all jurisdictions. security breach notification Closely related to the issue of information security is the question of what to do if a breach of that security occurs. Visa believes that where the breach creates a substantial risk of harm to consumers that the consumers can take action to prevent, the consumers should be notified about the breach so that they can take appropriate action to protect themselves. Both federal and California law already address this issue. California law currently requires notice to individuals of a breach of security involving their computerized personal information. The California law focuses on discrete types of information that are deemed to be sensitive personal information. The statute defines sensitive personal information as an individual's name plus any of the following: Social Security Number, driver's license number, California identification card number, or a financial account number, credit or debit card account number, in combination with any code that would permit access to the account. The California law includes an exception to the notification requirement when this personal information has been encrypted. The California law only requires notice to be provided when personal information is ``acquired by an unauthorized person.'' Other states recently have enacted or are considering security breach notification laws; however, the details of some of the laws differ. In March, the federal banking agencies issued final interagency guidance on response programs for unauthorized access to customer information and customer notice (``Guidance''). The Guidance applies to all financial institutions that are subject to banking agency GLBA 501(b) Rules and requires every covered institution that experiences a breach of security involving sensitive customer information to: (1) notify the institution's primary federal regulator; (2) notify appropriate law enforcement authorities consistent with existing suspicious activity report rules; and (3) notify its affected customers where misuse of the information has occurred or is reasonably possible. The keen interest that states have shown to legislate on the issue of security breach notification emphasizes the need for a single national standard for security breach notification in order to avoid confusion among consumers as to the significance of notices that they receive and among holders of information about consumers as to their notification responsibilities. In addition, any legislation on security breach notification should recognize compliance with the Guidance as compliance with any notification requirements. Visa believes that a workable notification law that would require entities that maintain computerized sensitive personal information to notify individuals upon discovering a significant breach of security of that data should be risk-based to avoid inundating consumers with notices where no action by consumers is required. As FTC Chairwoman Majoras recently testified to Congress, notices should be sent only if there is a ``significant risk of harm,'' because notices sent when there is not a significant risk of harm actually can cause individuals to overlook those notices that really are important. Thank you, again, for the opportunity to present this testimony today. I would be happy to answer any questions. Mr. Stearns. I thank the gentleman. Mr. Burton, welcome. STATEMENT OF DANIEL BURTON Mr. Burton. Thank you, Chairman Stearns, Ranking Member Schakowsky, distinguished members of the subcommittee. I appreciate your holding this hearing and giving me the opportunity to testify. My name is Daniel Burton. I am vice president of government affairs for Entrust, Inc. Entrust is a world leader in securing digital identities and information. As a security software company, we are in the business of protecting our customers, and by extension, your constituents, with proven technology solutions. Over 1,200 enterprises and government agencies in more than 50 countries rely on Entrust software, including the U.S. Department of Treasury, the Department of Justice, and several nuclear laboratories. So we have a lot of experience in this field. I would first like to note with great appreciate this subcommittee's longstanding interest in online privacy. You have followed this issue closely for several years and built up considerable expertise. As a result, this committee is very well-positioned to play a leadership role in this debate. The privacy issues we are facing today are very different than they were a few years ago. Then, much of the debate revolved around limited opt-in and opt-out provisions. Today, with the rampant theft of confidential personal information, the Internet privacy debate is focused squarely on security. This shift in emphasis represents a sea of change for public policy. For years we have enjoyed the productivity improvements that network computing afforded and tolerated the nuisances that came with it. Today, these nuisances are overshadowed by a much more sinister problem, organized crime. Just like companies and governments, criminals have realized that the Internet is a powerful business tool. For criminals, gaining access to computerized credit card information, Social Security numbers, and other identifiers is a gateway to ready cash. Computer hackers no longer fit the profile of pimply faced teenagers who lose interest as soon as they get a girlfriend. Increasingly, they are skilled criminals who have a sophisticated business plan, mount wholesale attacks, move quickly around the world, and cover their tracks. Identify theft is not limited to data brokers. The breaches at ChoicePoint and Lexis-Nexis may have sparked public outrage, but the problem goes much deeper. Discount Shoe Warehouse, the San Jose Medical Group, George Mason University, SAIC, Time Warner, none of these are data brokers, yet all have suffered breaches of highly sensitive personal information. Focusing remedies exclusively on data brokers is like protecting your home from burglars by locking your doors but leaving your windows wide open. It may make you feel better, but it won't prevent a robbery. Similarly, passing a law that requires only data brokers to issue notifications when their systems are breached will do nothing to safeguard the reams of personal information that are held by other organizations. It is for this reason that the recent State breach notification laws cover anyone that owns or licenses computerized data that includes personal information. As you know, several States have already passed such bills, and many more are considering them. There is a very real possibility that by this summer we could see over a dozen competing State breach notification laws in effect. Given the reality of cyber crime, breaches, and State legislation, Congress needs to act. Entrust believes the Federal legislation could help and recommends the following measures for consideration: No. 1, establish a uniform national breach notification policy for unauthorized access to unencrypted personal information. If personal data is appropriately encrypted, notification should not be required. That is because even if the data is stolen, it will show up as random characters that won't make any sense to thieves unless they have the proper access codes. Since not all encryption is reliable, however, Congress should insist that it meets standards developed by the National Institute of Standards and Technology. No. 2, require second factor authentication for access to sensitive personal information. The FDIC said it best in its report ``Putting an End to Account-Hijacking Identify Theft.'' Its lead recommendation, upgrading existing password-based, single factor customer authentication systems to two factor authentication. Simple user name and passwords are too easily breached. They must be backed up with physical tokens containing secret access codes the legitimate users keep in their possession. No. 3, encourage enterprises that hold sensitive personal information to use technological and other means to assure compliance with their privacy policies. Since the majority of breaches come from insiders, organizations can significantly improve data security by deploying automated tools that screen email for privacy violations. The fourth recommendation is to extend security requirements similar to the Gramm-Leach-Bliley Act safeguards to all entities that retain sensitive personal information. In conclusion, this subcommittee has a vital role to play in the effort to security computerized personal information. Entrust is doing its best to help organizations implement strong technology safeguards and looks forward to working with you to see that they are complemented with effective public policy. [The prepared statement of Daniel Burton follows:] Prepared Statement of Daniel Burton, Vice President of Government Affairs, Entrust, Inc. Good Morning. Chairman Stearns and distinguished Members of the Subcommittee, thank you for holding this hearing and giving me the opportunity to provide testimony on this important subject. My name is Daniel Burton, and I am Vice President of Government Affairs for Entrust, Inc. In my testimony today, I will discuss the impact of security breaches and what we can do about them. Entrust is a world leader in securing digital identities and information. As a security software company, we are in the business of protecting our customers--and by extension your constituents--with proven technology solutions that secure digital information. Over 1,200 enterprises and government agencies in more than 50 countries, including the US Department of Treasury, the Department of Justice and numerous nuclear laboratories, rely on Entrust software, so we have a lot of experience in this field. Entrust provides software solutions that protect your digital identity through authentication, enforce policy through advanced content scanning, and protect your information assets through encryption. Our mission is to work with customers to put in place the technologies, policies, and procedures necessary to protect digital identities and information. I would like to note with appreciation this committee's longstanding interest in on-line privacy. As a company that is on the front lines of the daily battle to protect sensitive information, Entrust applauds your activities and encourages your continued leadership in this area. You have followed this issue closely for several years and built up considerable expertise. As a result, you are well positioned to play a critical role in protecting the privacy of individuals, companies and governments. The privacy issues we are facing today are very different than they were a few years ago. Then, much of the debate revolved around limited ``opt-in'' and ``opt-out'' provisions that determined what kind of consent was necessary to share personal information for marketing purposes. Today, with rampant theft of confidential personal information a reality, the Internet privacy debate is focused on squarely on security. crime on the net This shift in emphasis--from nuisance to outright crime--represents a sea change for public policy. For years we have enjoyed the productivity improvements that networked computing afforded and learned to live with the nuisances that came with it. We may have been concerned about hacking for ``honor'' and other pranks, but like early version of spam, viruses and unsolicited marketing campaigns, we tolerated them as a small price to pay for the extraordinary dividends the Internet provided. Today, these nuisances are overshadowed by a much more sinister problem--organized crime. Just like companies and governments, criminals have come to realize that the Internet is a powerful business tool. As mountains of sensitive personal, corporate and government information have moved onto the net, crime has too. For criminals, gaining access to names, addresses, credit card information, social security numbers and other identifiers is a gateway to ready cash. As a result, computer hackers no longer fit the profile of pimply faced teenagers who lose interest as soon as they get a girlfriend. Increasingly, they are skilled criminals who have a sophisticated business plan, mount wholesale attacks, move quickly around the globe and cover their tracks. Our understanding of these crimes and the role of law enforcement is still evolving, but the stakes are high. If Internet crime causes American consumers to retreat from online transactions, U.S. business and government will suffer huge productivity reversals that could cripple not only e-commerce, but also the economy at large. The statistics are staggering. The Federal Trade Commission estimates that 9-10 million Americans are victims of identity theft per year. Total cost to business and consumers is approaching $50 billion. Almost 2 million US adult Internet users had their identities stolen in 2004. Almost 12% of the fraud is online. As a result, the public temperature is rising. A January 2005 IDC Survey showed that close to 60% of US consumers are concerned about identity theft, and almost 6% have taken the remarkable step of switching banks as a result. A survey that Entrust conducted reaffirmed this concern. It found that 80% of individuals are worried about someone stealing their on-line identity and using it to access their on-line bank accounts. The underlying question of this hearing is whether we are doing enough to protect confidential information. The answer, unfortunately, is that as a nation we are not prepared to deal with the reality of cybercrime. The necessary legal framework to safeguard consumers and companies is still incomplete; enforcement efforts and resources are inadequate; and much of the private sector is still in denial. bigger than banks, hospitals and data brokers The identity theft crisis extends well beyond regulated industries like banking and healthcare that many people view as guardians of their sensitive information. It's even bigger than data brokers, despite all the attention they have received lately. The breaches at Bank of America, Choicepoint and Lexis-Nexis may have sparked public outrage about identity theft, but you only have to look at the kinds of organizations that have announced breaches in recent months to understand that the problem goes much deeper. Discount Shoe Warehouse, Paymaxx, the San Jose Medical Group, the University of California at Berkeley, George Mason University, SAIC, Time Warner--none of these are data brokers, yet they all suffered breaches of highly sensitive personal information. The scope of these breaches demonstrates that the universe of organizations holding sensitive personal information is quite large. Focusing remedies exclusively on data brokers is like protecting your home from burglars by locking the front door and leaving all the windows wide open. It may make you feel better, but it won't do much to prevent a robbery. Similarly, passing a law that requires only data brokers to issue notifications when their systems are breached will do nothing to safeguard the mountains of personal information that are held by other organizations. True success lies in a much broader approach. It is for this reason that the recent state breach notification laws we see around the country are not limited to banks, healthcare providers and data brokers. It may interest you to know that many of the most proactive states in this arena are represented by members of this Committee. For example, California was the first state to pass such a bill (H.B. 1386). It took effect on July 1, 2003 and requires a state agency, person or business that conducts business in California, and that owns or licenses computerized data that includes personal information to disclose breaches of unencrypted personal information to California residents. Arkansas has also passed a disclosure law (Senate Bill 1167) that covers ``individuals, businesses and state agencies that acquire, own or license personal information about the citizens of the State of Arkansas . . .'' Florida has a bill (H.B. 481) awaiting the Governor's signature that covers ``Any person who conducts business in this state and maintains computerized data in a system that includes personal information . . .'' In all, over twenty states have introduced such legislation, and there is a possibility that we could have over a dozen competing and conflicting state breach notification laws in effect by this summer. Given this backdrop of crime, systematic breaches and proliferating state legislation, Congress needs to act. technology and public policy In trying to determine what role Congress should play, it is important to understand some of the key technologies underlying information security. I will focus on two: confidentiality and authentication. Confidentiality means assuring that information is not disclosed to unauthorized persons. E oding or scrambling of information so that it can only be decoded and read by someone with the correct decoding key--is the technology often associated with confidentiality. Encryption comes in different strengths. Many of the state breach notification bills make specific reference to it. Data in transit, such as e-mail, presents different encryption challenges than stored data. And since stored data is held in a variety of repositories, from mainframes to laptops, and in different ways, such as data bases and directories, it presents unique encryption challenges of its own. Software applications and data bases are typically built for speed, not security, so the issue is not just whether to encrypt them, but how and where to apply it. Not all data must be encrypted, but there is an increasing demand to encrypt sensitive personal data, even if it affects performance. Authentication means corroborating that a user is who they claim to be. It is often linked closely with authorization, which means that you have the right to access the information in question. Authentication technologies include user name and password (referred to as first factor since they relate to something you know) and physical tokens with secret codes (referred to as second factor since they are something you have). An even stronger form of authentication technology is the digital certificate, which is an electronic identifier that establishes your credentials. Digital certificates are issued by a certification authority. They contain your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Using public key cryptography and digital certificates, the sender can assure that only the intended recipient can--open the message, and the recipient knows that only the authorized sender could have sent the message. Much of the public policy debate about identity theft has focused on the need to authenticate consumer identities. Just as important, however, is the need to authenticate employer and supplier identities at both ends of a transaction. Since many breaches are internal, proper authentication of the employees, customers and partners who have privileged access to information is critical to preventing identity theft. the need for additional legislative safeguards There has been a lot of discussion about whether existing law is sufficient to prevent identity theft. Although industry at large has traditionally opposed federal legislation in this area, rampant identity theft, the proliferation of security breaches, and the passage of state breach notification laws have caused many companies to change their view. Entrust believes that additional Federal legislation could assist holders of sensitive personal information in their efforts to prevent consumer fraud and identity theft. Specifically, we believe that the following measures deserve consideration. 1. Establish a uniform national breach notification policy for unauthorized access to unencrypted personal information. Breach notification laws are necessary to inform consumers when their sensitive personal information has been compromised so that they can guard themselves against identity crimes. As mentioned above, several states have passed breach notification laws and many more have introduced this legislation. A uniform national notification standard is needed to preempt conflicting state laws and establish consistent requirements. In weighing such a provision, Congress should keep in mind two important criteria that are enshrined in state law. First, the notification requirement should apply to all entities that hold sensitive personal information. Confidential information is held by a wide variety of institutions, including employers, retailers, lawyers and government agencies. If the Federal notification requirement is limited to data brokers and regulated industries like banking and health-care, none of these other organizations will be covered. If this were the case, organizations like SAIC, Time Warner, George Mason University and Discount Shoe Warehouse--all of whom have suffered breaches and sent out notifications in recent months--would not be required by Federal law to notify those people whose identities had been compromised. Second, and just as important, if the personal information is appropriately encrypted, notification should not be required. The reason for this provision is that unauthorized access to encrypted data reveals only scrambled code that is meaningless. For example, if the personal information of the 600,000 current and former employees of Time Warner had been encrypted on the tapes that were lost, there would have been very little risk of identity theft because the information would have been unintelligible to anyone without the proper access. There are several different kinds of encryption, however, not all of which are reliable. To insure that the encryption is adequate, Congress should insist on the encryption standards developed by the National Institute of Standards and Technology. Organizations that suffer breaches should not have to issue notifications if their data, whether in storage or in transit, is encrypted with a NIST approved encryption algorithm, uses NIST approved key management techniques and has cryptographic operations performed within a FIPS 140 validated cryptographic module. 2. Require second factor authentication for access to sensitive personal information. The Federal Deposit Insurance Corporation (FDIC) issued a thorough study of identity theft in its December 2004 report, Putting an End to Account-Hijacking Identity Theft. The FDIC's lead recommendation is ``Upgrading existing password-based single-factor customer authentication systems to two-factor authentication.'' Industry analysts have confirmed this view. Jonathan Penn, an analyst at Forrester, has written that ``In response to consumers' rising concerns about fraud and identity theft, many organizations are evaluating strong authentication solutions . . .'' And John Pescatore, an analyst with Gartner, has written ``When you get to the core issue of most identity theft attacks, it really falls back to needing stronger authentication . . .'' The problem with two-factor authentication is that, until recently, it was difficult to administer and prohibitively expensive to implement on a large scale. Fortunately, new technology breakthroughs by Entrust and others have substantially reduced the cost and complexity associated with two factor authentication. These breakthroughs should facilitate the broader use of this technology to organizations that must safeguard large quantities of digital identities. 3. Encourage enterprises that hold sensitive personal information to use technological and other means to assure compliance with their privacy policies. Since the majority of breaches come from insiders, one way to limit them is for organizations to screen communications for privacy violations. The FDIC has already highlighted this imperative in its safeguards guidance to financial institutions, recommending that they establish controls to prevent employees from providing customer information to unauthorized individuals. Since banks are not the only ones holding sensitive personal information, these controls should be extended to non-financial institutions as well. Because the majority of electronic data is at some point associated with e-mail, controls that assure outgoing e-mail communications and attachments comply with privacy policies can help reduce identity theft. To the extent that organizations monitor e-mail traffic at all, however, many rely on a manual review of only a small sample of e-mail traffic. Fortunately, technology now exists that has automated compliance controls capable of blocking, archiving, redirecting or securing e-mail communications in real-time. Enterprises that are in the business of holding sensitive personal information should be encouraged to consider adopting it. 4. Extend security requirements similar to the Gramm-Leach-Bliley Act safeguards for financial institutions to all entities that retain sensitive personal information. This Subcommittee should consider extending the risk management, reporting and accountability requirements documented in FDIC and FTC safeguards guidance to all enterprises that hold sensitive personal information. Title V of the Gramm-Leach-Bliley Act (GLBA) states that financial institutions must establish safeguards for customer records and information. In her testimony before this Subcommittee on March 15, 2005, the Chair of the Federal Trade Commission, Deborah Majoras, noted that to the extent that data brokers fall within the GLBA definition of financial institutions they must abide by these safeguards. As discussed earlier, however, limiting the extension of the GLBA safeguards only to data brokers would overlook the vast numbers of other organizations that hold sensitive personal information and do little to stem the tide of identity theft. Since any discussion of security safeguards raises questions about technology mandates, it is important to emphasize that the regulatory guidance for implementing the GLBA safeguards addresses such issues as the need to develop a written security plan, to designate appropriate personnel to oversee it, and to conduct a risk assessment. None of these is a technology requirement. Instead, they relate to sound management practices. The National Cyber Security Summit Task Force on Information Security Governance that Entrust CEO Bill Conner co-chaired took a similar approach. In its April 2004 report, Information Security Governance: A Call to Action, it concluded that ``The best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of Boards and CEOs.'' It recommended that CEOs have an annual information security evaluation conducted, review the evaluation results with staff, and report on performance to their board of directors. In addition, it emphasized the need for organizations to establish a security management structure to assign explicit individual roles, responsibility, authority and accountability. conclusion This Subcommittee has an important role to play in the effort to secure personal data. The goal is clear. We should do everything we can to encourage holders of sensitive information to secure it from unauthorized access and, in the event of a breach, to notify individuals so that they can protect themselves. The reality of rampant identity theft is proof that we have no time to waste. The fact that sensitive personal information is held by a wide variety of organizations demonstrates that a narrow solution will be insufficient. Information security is not only a technical issue, but also a governance challenge. Technology solutions, like encryption, strong authentication and automated e-mail compliance with privacy policies, can do a lot to prevent unauthorized access to personal information. But they must be grounded in the risk management, reporting and accountability that can only be implemented with the active engagement of executive management. Mr. Stearns. I thank the gentleman. We are on a vote, but I think we--Mr. Solove, I think we can get your opening statement, and then we will recess and come right back. So go ahead. Welcome. STATEMENT OF DANIEL J. SOLOVE Mr. Solove. Mr. Chairman, Congresswoman Schakowsky, members of the committee, thank you for inviting me to appear before you and provide testimony. My name is Daniel Solove, and I am an associate professor of law at George Washington University Law School. I have published over a dozen articles as well as two books about information privacy. My most recent book, ``The Digital Person,'' discusses the issues at this hearing in depth. It was published in December 2004. The litany of data leaks and improper access to personal data are the symptoms of a significant problem that Congress must address. It is important to understand the nature of the problem, and I think this extends beyond just a security issue. We are increasingly living with digital dossiers about our lives. These repositories of personal data can affect whether we get a loan, a license, or a job. The central problem that we face today, the central problem is that it is caused by a lack of individual participation and empowerment when it comes to the collection and use of personal data and a lack of accountability among the companies that handle that data. Today, people lack much participation in how their data is used and disseminated. Identify theft is difficult for victims to detect because they have little knowledge about the information being circulated about them. Therefore, solutions to the problem must provide individuals with greater knowledge and control about how their data is used. People must be provided meaningful remedies when their data is leaked and misused. Without meaningful remedies, mere notice of a leak is akin to a company saying we just had a toxic spill in your backyard. It might cause you harm, so you might want to have periodic medical checkups. Because people have so little participation and power over their information, it is very hard for them to clean up their records in the event of an identity theft. Congress should ensure that victims of identity theft have appropriate tools to repair the damage quickly. The harm to victims in an identity theft is facilitated by Social Security numbers, birth dates, and other pieces of personal data being used by companies as passwords to obtain access to accounts or to sign up for a credit card. If the practice of using Social Security numbers as passwords were halted, the leakage of Social Security numbers would not be so dangerous and damaging to individuals. The Gramm-Leach-Bliley Act requires security safeguards for personal data maintained by financial institutions. Despite these safeguards, many financial institutions continue to use Social Security numbers as passwords. Why doesn't the FTC enforce these security standards to halt this practice? Well, I can postulate a number of reasons, and I think one of the primary reasons is that these security standards are incredibly vague and they haven't provided adequate guidance. I think to be effective in crafting security standards, they must apply widely and they must be specific without being overly constraining. Beyond identity theft, people lack the ability to easily locate and fix errors in their records that may cause them harm. People's dossiers are often riddled with inaccuracies. The Fair Credit Reporting Act requires consumer reporting agencies to maintain procedures to ensure maximum possible accuracy. However, many data brokers have data bases they claim fall outside of the Fair Credit Reporting Act. And little is done more systemically to ensure the accuracy of records systems used for background checks and other decisions about people's lives. I believe that the security breaches that we are facing today are part of a larger problem, one involving information privacy. Information today is protected in a piecemeal fashion based on who holds it. The same piece of data might be protected if it is held by a video rental store but completely unprotected in the hands of data brokers like ChoicePoint. The current regulation of information has tremendous gaps and loopholes. We have a system that does not provide adequate accountability among the users of personal information. We have a system that, to a large extent, leaves people out in the cold who are victimized by identity theft or harmed by an erroneous report. Congress must put individuals back in control of their data and ensure that companies are accountable for the way that they handle and use that data. Thank you very much. [The prepared statement of Daniel J. Solove follows:] Prepared Statement of Daniel J. Solove, Associate Professor of Law, George Washington University Law School i. introduction Mr. Chairman, members of the Committee, thank you for inviting me to appear before you and provide testimony. My name is Daniel Solove and I am an associate professor of law at the George Washington University Law School. I write extensively about information privacy law issues and have published well over a dozen law review articles as well as two books, The Digital Person: Technology and Privacy in the Information Age (NYU Press December 2004) and Information Privacy Law (Aspen 2003) (with Marc Rotenberg). The announcement of recent data breaches at a variety of companies and institutions have affected millions of people. As one article notes: In breaches reported publicly since February, more than 2.5 million records may have been exposed to thieves at data broker ChoicePoint, retailer DSW, news and information broker LexisNexis, the University of California at Berkeley and elsewhere.1 --------------------------------------------------------------------------- \1\ Jon Swartz, Time Warner's Personal Data on 600,000 Missing, USA Today (May 3, 2005). --------------------------------------------------------------------------- I will not discuss the series of data breaches that have lead to this hearing, as I am sure that you are all familiar with them. Instead, I will focus my comments on what can be done to address the problems and how we can better protect information privacy. My remarks will focus on two points. First, I will explain why the problem is larger than just a security problem. Security is one dimension of a larger set of issues involving information privacy. Beyond securing data, the law must ensure that when there is a leak or improper access, the harmful effects are minimized. Doing this requires empowering individuals with tools to better manage their data. Moreover, making companies more accountable for their activities will promote better security, as well as better accuracy, in record systems. Second, I will discuss why the innovative role of the states should be preserved. Federal legislation must allow room for states to experiment with new approaches and solutions to the problem. Many current federal protections, as well as many of the ideas currently proposed to address the problem, are drawn from state laws. There are many more specific measures that can be taken to address the problems we are encountering today. Chris Hoofnagle of the Electronic Privacy Information Center and I have written a short essay called A Model Regime of Privacy Protection, where we set forward succinctly a series of sixteen legislative proposals. We explain why these proposals are necessary and respond directly to the criticisms of our proposals by a wide array of individuals (some from the industries we propose regulating). The paper is currently available for free at: Daniel J. Solove & Christopher Hoofnagle, A Model Regime of Privacy Protection http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701 I will avoid repeating the content of this paper, but I recommend that you read it as it may be helpful in crafting specific legislative solutions. ii. beyond security: a problem of many dimensions The litany of data leaks and improper access to personal data are the symptoms of a significant problem that Congress should address. It is important to understand the nature of the problem, as it extends far beyond just a security issue. In my recent book, The Digital Person: Technology and Privacy in the Information Age (NYU Press, December 2004), I observed that the central problem we face is caused by a lack of individual participation and empowerment when it comes to the collection and use of personal information as well as a lack of accountability among the companies that handle the data. In my book, I argued: We are increasingly living with digital dossiers about our lives, and these dossiers are not controlled by us but by various entities, such as private-sector companies and the government. These dossiers play a profound role in our existence in modern society.2 --------------------------------------------------------------------------- \2\ Daniel J. Solove, The Digital Person; Technology and Privacy in the Information Age 115 (2004). --------------------------------------------------------------------------- These repositories of personal information are used in ways that affect key aspects of our lives: whether we get a loan, a license, or a job. However, despite these high stakes: At present, the collectors and users of our data are often not accountable to us. A company can collect a person's data without ever contacting that person, without that person ever finding out about it. The relationship is akin to the relationship between strangers--with one very important difference: One of the strangers knows a lot about the other and often has the power to use this information to affect the other's life.3 --------------------------------------------------------------------------- \3\ Id. at 102. --------------------------------------------------------------------------- The problem is not that companies dealing with personal information are a bunch of evil-doers bent on harming people. The collection and use of personal information can have many benefits, and the goal of an effective protection of privacy is not to stop information flow, but to empower individuals with greater control over their data and to make companies more accountable for their uses of personal data. A. Individual Participation People lack much participation in how their data is used or disseminated. Personal data is readily collected and disseminated without people's knowledge and consent, thus increasing people's vulnerability to identity theft, stalking, and other crimes. Identity theft is rising at an staggering rate. In an identity theft, the thief uses a victim's personal information to improperly access accounts, obtain credit in the victim's name, or impersonate the victim for other purposes. In 2003, the FTC estimated that ``almost 10 million Americans have discovered that they were the victim of some form of ID Theft within the past year.'' 4 --------------------------------------------------------------------------- \4\ Federal Trade Commission, Identity Theft Survey Report 4, 6 (Sept. 2003). For an excellent account of the rise of identity theft, see Bob Sullivan, Your Evil Twin: Behind the Identity Theft Epidemic (2004). --------------------------------------------------------------------------- The law has attempted to deal with identity theft by enhancing criminal penalties, but this alone has been a dismal failure. The problem is that identity thieves are hard to catch. Gartner, Inc. estimates that only 1 in 700 thieves is successfully prosecuted.5 A report by the U.S. General Accounting Office describes in great detail the difficulties with criminal investigation and prosecution of identity theft cases.6 --------------------------------------------------------------------------- \5\ Stephen Mihm, Dumpster Diving for Your Identity, N.Y. Times Magazine, Dec. 21, 2003. \6\ U.S. General Accounting Office, Report to the Honorable Sam Johnson, House of Representatives, Identity Theft: Greater Awareness and Use of Existing Data Are Needed 17-18 (June 2002). --------------------------------------------------------------------------- In contrast, I noted in my book that: The identity thief's ability to so easily access and use our personal data stems from an architecture that does not provide adequate security to our personal information and that does not afford us with a sufficient degree of participation in its collection, dissemination, and use. Consequently, it is difficult for the victim to figure out what is going on and how to remedy the situation.7 --------------------------------------------------------------------------- \7\ Daniel J. Solove, The Digital Person; Technology and Privacy in the Information Age 115 (2004). --------------------------------------------------------------------------- The problem is that the law does not afford people sufficient participation in the way that their information is managed. Identity theft is difficult for victims to detect because they have little knowledge about the information being circulated about them or how that data is being used. The victim's lack of awareness is exploited by the identity thief, who can go on a spree of fraud in the victim's name without the victim finding out about it. Therefore, solutions to the problem must provide individuals with greater knowledge and control about how their data is used. B. Remedies for Harmed Individuals People must be provided meaningful remedies when their data is leaked or misused. Without meaningful remedies, mere notice of a leak would be akin to a company saying: ``We just had a toxic spill in your backyard. It might cause you harm, and so you might want to have periodic medical checkups.'' The letter from ChoicePoint to the victims of its data breach began: I'm writing to inform you of a recent crime committed against ChoicePoint that MAY have resulted in your name, address, and Social Security number being viewed by businesses that are not allowed to access such information. We have reason to believe that your personal information may have been obtained by unauthorized third parties, and we deeply regret any inconvenience this event may cause you.8 --------------------------------------------------------------------------- \8\ Letter from ChoicePoint to Californians Regarding the Data Breach (Feb. 9, 2005). --------------------------------------------------------------------------- The letter recommended that people review their credit reports, and continue to check them for unusual activity. In other words, ``we've had a spill, now you go and protect yourself.'' Certainly, requiring disclosure of security leaks is a good first step, but merely sending people a scary letter without providing them with sufficient rights and abilities to address the problems will not suffice. Identity theft, according to estimates, results in victims spending on average 200 hours and thousands of dollars fixing the damage.9 Becoming victimized by identity theft is akin to contracting a chronic protracted disease. Because people have so little participation and power over their information, it is very hard for them to cure themselves and clean up their records. Identity theft can be financially and emotionally crippling, and the law does little to help people who have been victimized. States, such as California, have adopted some effective measures to assist victims in dealing with identity theft.10 I believe that Congress should look to California's measures as it crafts a federal law addressing these issues. --------------------------------------------------------------------------- \9\ Janine Benner, Beth Givens, & Ed Mierzwinski, Nowhere To Turn: Victims Speak Out on Identity Theft: A CALPRIG/Privacy Rights Clearinghouse Report (May 2000), at http://privacyrights.org/ar/ idtheft2000.htm. \10\ The California Office of Privacy Protection maintains a comprehensive summary of California's privacy statutes: http:// www.privacy.ca.gov/lawenforcement/laws.htm. --------------------------------------------------------------------------- C. Deactivating Dangerous Data The data leaks that have occurred recently are made more harmful because of another type of security issue. SSNs, birth dates, and other pieces of personal data are used by other companies as passwords to obtain access to accounts or to sign up for a credit card. It would take great imagination to design a poorer security mechanism than the use of SSNs. This is akin to using a password that anyone can readily obtain in an instant. Companies routinely sell people's SSNs, as it is not illegal to do so. SSNs are also available in many public records.11 This ``password'' can then unlock virtually any account or be used to sign up for credit cards. And it is very difficult to change it. As I argued in my book ``the SSN functions as a magic key that can unlock vast stores of records as well as financial accounts, making it the identity thief's best tool. . . . [T]he government has created an identification number without affording adequate precautions against its misuse.'' 12 --------------------------------------------------------------------------- \11\ Solove, Digital Person, supra, at 115-17. \12\ Solove, Digital Person, supra, at 116. --------------------------------------------------------------------------- If the practice of using SSNs as passwords were halted, the leakage of SSNs would not be as dangerous and damaging to individuals. In our paper, A Model Regime of Privacy Protection, Chris Hoofnagle and I propose: Companies shall develop methods of identification which (1) are not based on publicly available personal information or data that can readily be purchased from a data broker; and (2) can be easily changed if they fall into the wrong hands. Whereas Social Security Numbers cannot be changed without significant hassle, and dates of birth and mother's maiden names cannot be changed, identifiers such as passwords can be changed with ease. Furthermore, they are not universal, and thus a thief with a password cannot access all of a victim's accounts--only those with that password. Biometric identifiers present problems because they are impossible to change, and if they fall into the wrong hands could prove devastating for victims as well as present ongoing risks to national security. Therefore, passwords are a cheap and effective way to limit much identity theft and minimize the problems victims face in clearing up the damage caused by identity theft.13 --------------------------------------------------------------------------- \13\ Daniel J. Solove & Christopher Hoofnagle, A Model Regime of Privacy Protection, at http://papers.ssrn.com/sol3/ papers.cfm?abstract_id=699701 --------------------------------------------------------------------------- If businesses and other private sector organization were restricted from using SSNs as passwords, improper access to people's SSNs would not put people in such peril of identity theft and fraud. The Gramm-Leach-Bliley (GLB) Act of 1999 requires agencies that regulate financial institutions to promulgate ``administrative, technical, and physical safeguards for personal information.'' 14 Despite the fact that FTC regulations under the Gramm- Leach-Bliley Act establish security standards for financial institutions to ``[p]rotect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer,'' 15 many financial institutions continue to allow easy access to records by using SSNs as passwords. In an article entitled, Identity Theft, Privacy, and the Architecture of Vulnerability,16 I argued: --------------------------------------------------------------------------- \14\ 15 U.S.C. 6801(b) (requiring agencies to promulgate ``administrative, technical, and physical safeguards for personal information.''). \15\ 16 C.F.R. 314.3(b) (2002). \16\ Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings L.J. 1227 (2003). --------------------------------------------------------------------------- The GLB Act requires a number of agencies that regulate financial institutions to promulgate ``administrative, technical, and physical safeguards for personal information.'' On February 1, 2001, several agencies including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision issued standards for safeguarding customer information. On May 23, 2002, the FTC issued similar security standards. Pursuant to the FTC regulations, financial institutions ``shall develop, implement, and maintain a comprehensive information security program'' that is appropriate to the ``size and complexity'' of the institution, the ``nature and scope'' of the institution's activities, and the ``sensitivity of any customer information at issue.'' An information security program consists of ``the administrative, technical, or physical safeguards [institutions] use to access, collect, distribute, process, store, use, transmit, dispose of, or otherwise handle customer information.'' The regulations set forth three objectives that a security program should achieve: (1) Insure the security and confidentiality of customer information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. The GLB Act is on the right track in its focus on information security . . . However, the regulations under the GLB Act remain rather vague as to the specific level of security that is required or what types of measures should be taken. The regulations require institutions to designate personnel to ``coordinate'' the information security program; and to ``[i]dentify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.'' These regulations establish rather broad obvious guidelines; they virtually ignore specifics. Of course, a rule that is too detailed in the standards it required could end up being ineffective as well . . . [S]uch regulations, if too specific, can quickly become obsolete, discourage innovation, and be costly and inefficient. However, rules that are too open-ended and vague can end up being toothless. Although security standards must not be overly specific, they must contain meaningful minimum requirements. Ultimately, the strength of the GLB Act's security protections will depend upon how they are enforced. . . . Despite these new security provisions, companies continue to maintain lax security procedures for the access of financial accounts and other personal data. Thus far, the FTC's efforts have been somewhat anemic. With vigorous enforcement, security practices can change. But it remains uncertain whether the FTC and other agencies will undertake such a vigorous enforcement effort.17 --------------------------------------------------------------------------- \17\ Id. at 45-46. The article is available online at: http:// papers.ssrn.com/sol3/papers.cfm?abstract_id=416740 --------------------------------------------------------------------------- The FTC has not used the GLB Act to crack down on security, as the spate of security breaches in the news these days have occurred in spite of these regulations. The FTC could have concluded, for example, that the use of SSNs as passwords by so many financial institutions was an insufficient security procedure under the GLB standards. But it did not. Why hasn't the FTC vigorously enforced these security standards? I can postulate two reasons. First, the security standards only apply to financial institutions rather than all the entities that process significant amounts of personal data. Second, they are rather vague, and as a result, they have not provided adequate guidance. To be effective, security standards must apply widely, not in a piecemeal fashion, and they must be more specific in nature (without being overly constraining). D. Accuracy Beyond identity theft, people lack the ability to easily locate and fix errors in their records that can cause them harm. Decisions are being made based on people's dossiers which are often riddled with inaccuracies. Although a recent Wall St. Journal article noted that ChoicePoint says that only .0008% of its 7.3 million background checks in 2004 had incorrect data, the authors had no difficulty finding a number of instances of people harmed by errors in ChoicePoint databases.18 In one study, 90% of ChoicePoint's reports obtained had at least one error.19 And there are numerous anecdotal stories reported in the media of significant errors in people's reports.20 --------------------------------------------------------------------------- \18\ Evan Perez & Rick Brooks, File Sharing: For Big Vendor of Personal Data, A Theft Lays Bare the Downside, Wall St. J., May 3, 2005, at A1. \19\ After the Breach: How Secure and Accurate is Consumer Information Held by ChoicePoint and Other Data Aggregators?, Before the California Senate Banking Committee, Mar. 30, 2005 (testimony of Pam Dixon, Executive Director, World Privacy Forum). \20\ Id. (testimony of Elizabeth Rosen, Registered Nurse) (noting that the report wrongly reported that she owned a deli store); Bob Sullivan, ChoicePoint Files Found Riddled With Errors, MSNBC, Mar 8, 2005, available at http://www.msnbc.msn.com/id/7118767/ (noting that Deborah Pierce's ChoicePoint report wrongly indicated a ``possible Texas criminal history''). --------------------------------------------------------------------------- The issue of accuracy demonstrates a central problem--the companies maintaining personal data are often not accountable to the people to whom the data pertains. Because of this lack of accountability, there are insufficient incentives for data brokers to maintain their records accurately. The Fair Credit Reporting Act (FCRA) requires consumer reporting agencies to maintain procedures to ensure ``maximum possible accuracy.'' 21 However, many data brokers have databases that they claim fall outside of FCRA. And they gather data from various public record systems, which themselves might have errors. An error can infect various databases because of the fluidity by which personal information is transferred. Moreover, because people are so out of the loop when it comes to the way their data is collected and used, they might not even discover the error. Little is done more systemically to ensure the accuracy of record systems used for background checks and other decisions about people's lives. --------------------------------------------------------------------------- \21\ 15 U.S.C. 1681e(b). --------------------------------------------------------------------------- E. Closing the Gaps The security breaches we are facing today are part of a larger problem, one involving information privacy. This is not a problem that can be solved with what I call the ``little more care and little more notice'' approach. Certainly setting minimum security standards and providing notice to consumers of security breaches are two important steps. But the larger problem is one of information privacy. In some contexts, personal information is widely collected, used, and disseminated without much control or limitation. Information today is protected in a piecemeal fashion based on who holds it. The same piece of data might be protected if held by a video rental store but completely unprotected in the hands of data brokers such as ChoicePoint or LexisNexis.22 The current state of regulation of information is very porous, with tremendous gaps and loopholes. The result is that we have, in many respects, lost control over the way personal information is collected, managed, and used. We have a system that does not promote accountability among the users of personal information. We have a system that to a large extent leaves people out in the cold if victimized by identity theft or if harmed by an erroneous report. We have a system that thrusts on consumers the tremendous responsibility of guarding their digital dossiers, a difficult task when so many companies maintain data about them and when people have little knowledge that this is going on. Congress must put individuals back in control of their data and ensure that companies are accountable for the way they handle and use that data. --------------------------------------------------------------------------- \22\ Video Privacy Protection Act of 1998, Pub. L. No. 100-618, 18 U.S.C. 2710-11. --------------------------------------------------------------------------- iii. the problem with preemption In any solution that Congress takes, the innovative role of the states must be preserved. Thus, Congress should avoid preempting state laws when crafting federal legislation. Many of the ideas for reforming the information system in this country emerge from state laws. Justice Brandeis said it well: ``It is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.'' 23 This is especially important in such a rapidly changing field such as information privacy. Not all approaches work, and we need a way to test innovative solutions. Indeed, the law that required ChoicePoint to disclose its security breach was a California law. What if there were federal preemption and such a law never existed? Would we ever have found about the security breach? --------------------------------------------------------------------------- \23\ New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting). --------------------------------------------------------------------------- Federal legislation that preempts state law will not only shut down the real engines of innovation in the field, but it will have very detrimental long-term effects on federal legislation as well. The grist for federal legislation in privacy is often state regulatory ideas that have worked. The majority of privacy legislation has been enacted at the state level.24 Many of the federal laws addressing privacy have adopted measures tried-and-tested in the states. The states first tried out the idea of telemarketing do-not-call lists. Many of the reforms in the 2003 federal Fair and Accurate Credit Transactions Act were based on prior state laws.25 If Congress were to shut down this tremendous source of ideas, federal legislation will lose one of its primary developmental tools. Federal legislation in the future would suffer severely as a result. --------------------------------------------------------------------------- \24\ Robert Ellis Smith, Compilation of State and Federal Privacy Laws (Privacy Journal 2002). \25\ Edmund Mierzwinski, Preemption of State Consumer Laws: Federal Interference Is A Market Failure, Government, Law and Policy Journal of the New York State Bar Association, Spring 2004 (Vol. 6, No. 1, pgs. 6- 12). --------------------------------------------------------------------------- I have often heard companies say that it is too onerous complying with so many differing laws in all 50 states. Yet if the federal legislation sets a strong floor of protection, there will be little incentive for the states to do more. In other words, if the federal legislation solves the problems, then there will not be a need for the states to act. Additionally, historically, stronger protections have only been enacted by a handful of states, not all 50. So the reality is not 50 different standards, but a floor of protection for 90% of the states with the remaining 10% adopting a slightly more protective standards. Moreover, other industries have long dealt with differing state protections, such as the auto industry and the insurance industry. Why are the burdens on data brokers any greater? What strikes me as most remarkable is that companies that manage billions of records of data and claim to be able to do so with remarkable depth, precision, and detail say that they cannot comply with a handful of states that have stronger protections. Most federal privacy laws have not preempted stronger state protections: the Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver's Privacy Protection Act, and the Gramm-Leach-Bliley Act.26 In all these instances, companies have been able to comply with state laws. --------------------------------------------------------------------------- \26\ Respectively at 18 U.S.C. 2510 et. seq., 12 U.S.C 3401, 47 USC 551(g), 18 USC 2710(f), 29 USC 2009, 47 USC 227(e), 18 U.S.C. 2721, and Pub. L. No. 106-102, 507, 524 (1999). --------------------------------------------------------------------------- iv. conclusion I am very encouraged that so many in Congress are interested in addressing the problems of data security and information privacy. My recommendations today are: (1) to focus on the larger problem by empowering individuals and making the users of data more accountable; and (2) to avoid preempting the states, as this will retard the development of privacy law for years to come. Mr. Stearns. I thank the gentleman. We are going to take a recess. We will quickly vote and we will be right back with the questions from the Members of Congress. So thank you for your patience. [Brief recess.] Chairman Barton. The Chair would recognize himself for 5 minutes. I want to apologize for calling you back from your break, but I have got three meetings going on right now and so this would be my only chance to ask questions. This is not a Visa card; it is a MasterCard card, but I have got--it says Joe Barton, Campaign, Joe Barton. There is only one of these cards. I hardly ever use it. Five, six times a year maybe, once a month. I got a phone call Monday; somebody in Orlando, Florida had charged $3,500 at two different Wal- Marts on this card. Now, I have been in Wal-Mart; I have been in Orlando to Disneyworld back in January, but I never went to a Wal-Mart. And the people that use--they actually had a card, not just the number, they had the card. And they went in on two different occasions, charged around $3,500. So I got a phone call, and the lady on the phone said had I been to Orlando, Florida? I said yes. She said were you there over the weekend? And I said no. And so we determined that somebody else had used this card. Now, the gentleman from--I think Mr. Ireland is representing Visa. According to your testimony, there is a very sophisticated system to detect misappropriation or misuse of these cards, so I would assume that that is what happened with me, that it kicked in because it was two large transactions and in an area that I showed almost no use, no geographic use. Is that correct? Mr. Ireland. That is correct. The financial institution-- bank that issued that card and probably in combination with MasterCard has a system to track authorizations on the card to see whether they fit your pattern and to see whether they fit known fraud patterns. And so they spotted a transaction that they didn't think was you---- Chairman Barton. Now, who ends up paying for those charges? Does Wal-Mart pay for them? Does the institution that issued this card pay for them? Mr. Ireland. Typically, in a card-present transaction, the institution that issued the card will pay for it. Chairman Barton. Now what, if anything, will they do to try to actually track down the person who used this card fraudulently? Mr. Ireland. Well, typically, the card issuers will work with law enforcement based on the information they get to see if there is any way they can do it. We are talking in this case about the creation of counterfeit cards, which---- Chairman Barton. They actually had a card. It wasn't just the number. Mr. Ireland. Exactly. Which has been a problem in the past and the credit card issuers have worked to develop security features in the card and other ways to combat card counterfeiting. But they have regular programs that are designed to prevent those kinds of fraud and to try to track them down---- Chairman Barton. Well, how would whoever got a fraudulent card--because I just almost never use this card. How would they have actually gotten the information, obtained the information to create the fraudulent card? Mr. Ireland. I obviously can't answer that in this specific case. But it is possible to create fraudulent cards based on information that may be collected at the point of sale. I believe the Visa rules discourage or prevent the collection of that information, but sometimes enough information is collected at point of sale to create a fraudulent card, No. 1. No. 2, plain old theft may be involved. Somebody may have been able to get a hold of the card, steal it for a period of time and replace it. Chairman Barton. I--now what? [Brief recess.] Mr. Stearns. If members are here, we are going to continue to go on. We have another full committee markup that we have to do in this room, and I think we have three out of the five, and we have the chairman here who is in the middle of his questions. So if the witnesses will please take their seats, and we shall continue. And with that, I recognize the chairman of the full committee, Mr. Barton. Chairman Barton. And, Mr. Chairman, I had about 2 minutes left on my clock, so if you want to---- Mr. Stearns. Well---- Chairman Barton. [continuing] reset the clock---- Mr. Stearns. [continuing] we will give you whatever you want, sir. Chairman Barton. Well, we just want to be fair. I was asking a series of questions based on my personal campaign credit card being stolen over--the number stolen and used down in Florida, what the safeguards are about that. But I want to go to the next line of questions. I want to ask Mrs. Barrett, I would like to outlaw the use of Social Security numbers for any purpose except governmental purposes. What is your reaction to that? Ms. Barrett. Well, I think that the Social Security number has become an identifier in many, many aspects of our lives. From a standpoint of Acxiom's business, we limit its use to a very, very small number of instances. So the direct impact on something like--back to us would not be significant. But I am aware of instances where it would create huge problems for either our clients or other businesses. And I---- Chairman Barton. Well, just this calendar year, we have had I think three instances of people breaking into data systems and stealing hundreds of thousands of records that had Social Security numbers attached to them with quite a bit of personal privacy information. You know, I understand how ubiquitous the Social Security number is, and it is one of the few things that almost every American citizen has and even some non-citizens if they are working in the country. But wouldn't it be possible to create each data base its own identifier so we don't have to use the Social Security number? Ms. Barrett. In many cases Acxiom does help our clients, who have the records on these consumers, create their unique customer identifiers. Social Security number, however, has become a key element in identifying someone's identity when you are trying to establish who that person is up front so that---- Chairman Barton. But you could do it without it. We have had banks a lot longer than we have had the Social Security system. Ms. Barrett. You could. I think we need to look carefully at whether it is government uses or other specific uses should be carved out and preserved because of the importance of it---- Chairman Barton. Mr. Burton---- Ms. Barrett. [continuing] restricting general uses. Chairman Barton. Mr. Burton, do you have a comment on that? Mr. Burton. No, I don't. I think our view is if you are keeping any sort of data, Social Security numbers, any sensitive data, it should be encrypted so that even if it is pilfered, it doesn't mean anything to the thieves. Chairman Barton. Okay. What about the gentleman, Mr. MacCarthy, who is representing Visa now. Mr. MacCarthy. Our sense is that the Social Security number is a key identifier in a lot of the data bases that are important for people who are issuing credit cards, when they are trying to determine whether someone who is applying for credit has a good history. The Social Security number is, in the current systems, a very important way of identifying that person and seeing whether that person has a good credit history. It is not impossible over time to move to a new system, but the legacy systems, the ones that exist now, the ones that help us fight identity theft and fraud all make heavy use of the Social Security number. And a government rule that said you simply can't use that starting tomorrow would create havoc with those systems. So we would ask you to look carefully at the idea of restricting Social Security numbers to just government use. We think right now they are---- Chairman Barton. Well, I know that you---- Mr. MacCarthy. [continuing] legitimate commercial uses. Chairman Barton. I know that you are not trying to be argumentative and that you had a legitimate business point, but at what point do we say an individual's privacy trumps that? Do we just say it is okay for these Social Security numbers to be stolen and used for all kinds of purposes for which they are not intended because of these legacy systems and all of the valid, legitimate business reasons why it would be inconvenient to do something differently? Mr. MacCarthy. Two things: one is very often a way to fight identity theft and fraud, which hurts consumers, is through the effective use of Social Security numbers. So if you take that weapon away from us, it might actually hurt in protecting people against identity theft and fraud. The second is there are some uses of Social Security that probably should be restricted. You know, the idea that a Social Security number can be simply published on the Internet or made available for non-business uses, we think that that is the kind of thing that Congress may want to look upon and restrict. In terms of business practices, it is the current practice and maybe it should begin to be phased out--it is the current practice for Social Security numbers to be used as access numbers to gain access to accounts and other--and that may be something that should, over time, go away as well. The fact that that number is so readily available makes it very, very risky to use as an access device. Chairman Barton. And my time is about to expire, but as we get more and more information and more and more centralized, we have to do something. I mean we just have to. You cannot have an individual or a family that their whole financial records, their medical records, all kinds of consumer data is just out there without their permission. And the Social Security number ties that all together and it is so easy for the criminal elements--we have had testimony that organized crime is moving in to identity theft. And so I know there are legitimate business reasons why it is done, but I think the time has come to tip the balance in the favor of the individual privacy and find another way to help businesses determine the identity of people they want to give credit to. With that, Mr. Chairman, I yield back. I thank the witnesses for the inconvenience. Mr. Stearns. Just following up with what the chairman said, there is some talk about a second factor ID authentication, and they gave me this card, Mr. Chairman, where, instead of putting your Social Security number, what you would do is put your name and then they would ask you, based upon the permutations in this card, you would give them a number off a card. And rather than--I think that is what you talked about a little bit, Mr. Burton. You might tell the chairman here just before he goes what this second factor ID authentication would do which possibly could replace Social Security. Mr. Burton. Yes, well, second factor authentication is an access card and a way to identify a user. I think what it would not do is identify a user in a data base, which I think is what a lot of Social Security numbers do. But what a lot of security experts are saying, we have got to have, for everyone holding sensitive information, says the FDIC recommendation, is to use second factor authentication. And that means not only something that you know, which are passwords which you give you access to an account, but something that you physically have. So even if your password is compromised, the thieves still can't get access. The problem with this technology to date is that it is quite expensive. It can run $40, $50 per year per user. And so for mass applications, it is simply not feasible. And the solution that Chairman Stearns and I were discussing is called Identity Guard. Entrust just released it about 4 months ago. And what you do is you enter your user name and password in your account; you then have a card with a unique scrambled set of numbers and letters unique to you, and much like bingo, you are prompted to say, well, what is in column A-1, B-3, C-4, and then you fill in the numbers from this unique card and get access to your account. What is interesting about this is that that prompt changes every time you log in. So it is not that there is one pin number, there is one password that someone has to steal to get access to your account. Very inexpensive, very easy to deploy, mass market application, and I think these are the kinds of technologies that the private sector is starting to come up with to address questions of access to sensitive information. Mr. Stearns. Thank you. You know, listening to your opening statements I sort of put together I think about seven different things that would possibly be in a bill. And I am not sure we would all agree upon these factors. But I thought I would take each one and ask you if you agree or disagree. The first I heard was uniform national notification standards for consumers in the event of a breach. Does anybody not agree with that being part of the bill? Okay. So---- Mr. Burton. Just a---- Mr. Stearns. Yes. Mr. Burton. [continuing] point of clarification for breach of unencrypted personal information. I think that is how most of the State laws read---- Mr. Stearns. Okay---- Mr. Burton. [continuing] so that if there is a breach and the data is encrypted, no one can read it, and so there shouldn't be a notification requirement. Mr. Stearns. Okay. Mr. MacCarthy. Mr. Chairman---- Mr. Stearns. Yes, sir. Mr. MacCarthy. The one thing we would add to that is compliance with the guidelines that have been put in place by the Federal banking regulators should count as compliance with the national standard that is put in place in the legislation. Mr. Stearns. Okay. Good point. The second is Federal preemption with all the States. Anybody disagree with that? Okay. The third is establish an official agency role over public data providers. This was mentioned. Sort of a government agency having broad powers, something like the SEC, dealing with privacy. Does anybody disagree with that or not? It is a little more controversial. And, Ms. Barrett, I think you sort of might have some objection to that. Ms. Barrett. Well, I don't know that I have objection. I think that information providers have a responsibility to safeguard the information and use it for responsible purposes. And if there are enough bad actors out there that are using information irresponsibly, we want those out of the marketplace. And if it takes a regulating agency to do it, then we will support that. Mr. Stearns. Okay, so that is--yes. This is pretty important now. What you are saying is a government regulating agency should be put in place to help and control, and, you know, you have got to be careful what you ask for here. Mr. MacCarthy. The only point I would ask is that the committee recognize the important role that the Federal banking regulators already play in that area---- Mr. Stearns. Okay. Mr. MacCarthy. [continuing] their privacy requirements and their security requirements, notification requirements that are already administered by the banking agencies and by the Federal Trade Commission. And I don't think it would be a good idea to move enforcement from those agencies to a new agency. Mr. Stearns. Okay. So maybe the existing Federal Trade Commission or the existing whatever---- Mr. MacCarthy. Yes. Mr. Stearns. [continuing] Gramm-Leach-Bliley where---- Mr. MacCarthy. Yes, that would work. Mr. Stearns. Yes. Opportunity for consumers to inspect and correct any information that is in their data base. Yes? Ms. Barrett. Today, we offer the consumer the right to do that. I think that it is--when it comes to correction, it is a complicated environment, so we need to explore how a correction takes place very carefully. But the concept that the information needs to be accurate, and when it is inaccurate, we need to figure out ways to deal with it is one we support. Mr. Stearns. The idea is for your consumer credit you can get access to see if it is correct. And so the theory is then why can't you inspect incorrect data that has been collected to see if it is correct too? Ms. Barrett. We actually offer the same inspection---- Mr. Stearns. Okay. Ms. Barrett. [continuing] of information in our fraud management systems. Mr. Stearns. I am not sure---- Ms. Barrett. And our---- Mr. Stearns. [continuing] everybody does though. Ms. Barrett. No. I don't believe---- Mr. Stearns. And so the question, should the Federal Government step in and mandate that all data collection agencies have to provide access to consumers so they can see if the information is correct? That is a little sensitive because there is a lot there that deals with marketing and deals with-- -- Ms. Barrett. I was just about to say there are different categories of data. Mr. Stearns. Right, different categories. Ms. Barrett. And so I think it is important to understand that when we want to put a standard of accuracy in and correction in and access in, that we need to do it in a way where the accuracy of the information is important to the decisionmaking process. We offer access today to all of our what we call reference products where decisions are being made, identities are being verified with that information. We actually do not today offer access to our marketing products. We offer an opportunity to see what kind of data we might have about you and then the chance to opt out of that. But since you can't opt out of identity systems like you can't opt out of your credit report---- Mr. Stearns. Yes. Ms. Barrett. [continuing] the inspection process becomes more important. Mr. Stearns. Yes, it is a little more nuanced. Someone mentioned to possibly have the security officer sign to corroborate the security at the agency that collects this information. Does anybody disagree with that? It is a little bit like Tosarbi and Zoshley in which the CEO has to sign the accounting--the P and L statement. So it sounds like you might accept that. The other idea is standard credentialing practices for customers desiring sensitive consumer data. Anybody object to that? Ms. Barrett. Let me just comment on that---- Mr. Stearns. Yes. Ms. Barrett. [continuing] I think that credentialing is extremely important. I would caution the committee in terms of how it defines credentialing because the tools we have for credentialing today will not be the same tools that we have in 5 or 10 years---- Mr. Stearns. Yes. Ms. Barrett. [continuing] and so if we do it in a way that allows the evolution of technology and other aspects to be accommodated within the requirement, it may be a good requirement. For instance, I think the Gramm-Leach-Bliley safeguards rule really actually has an implication on credentialing because it says you must have physical, procedural, system, and so on, processes in place to keep the data protected from unauthorized use. And to me credentialing becomes a part of that. So I would just urge that the committee not consider too prescriptive an approach to accommodate wherever we go with technology in the future. Mr. Stearns. My time is up. I think the last one I had was to encourage, perhaps through legislation, a technical solution for--well, let me--you know, instead of using your Social Security ID, to try and encourage some other way, work out so that you could access the information without using your Social Security ID. And that is sort of what we talked about in the Chairman Barton talk. So my time has expired. And with that, I recognize the ranking member. Ms. Schakowsky. Thank you, Mr. Chairman. Mr. Ireland, you, in your testimony, talked about significant risk of harm, and you went back to FTC chairwoman saying notices should be sent only if there is a significant risk of harm. How are we going to define significant risk of harm? Mr. Ireland. Well, I think there is obviously a drafting issue here as to precisely the verbiage you use in how you ensure that it doesn't essentially gut the requirement. But there are numerous circumstances where identification information that could otherwise be used for identity theft, upon investigation you find out that it is clearly not going to be used for that purpose. One thing we have seen is what might be called competitive espionage where one company manages to get a hold of the other company's customer list, and it includes identification information that might be used to open an account. But you know they have no intention of doing that. What they want to do is solicit the company's customers. And a notice in those circumstances to the customer might serve some privacy interest, but there is no real reason for the customer to go put a fraud alert on their account, for example---- Ms. Schakowsky. Well, who says that it is not of interest to the consumer in that even being solicited might, in their view--harm may not be the correct word, but you heard my colleague, Ms. Cubin, talk about being notified about some breaches which, she said, thankfully are not going to result, she believes, in any illegitimate use. But she, it seems to me, is glad to know that this information has been shared at the very least. And I can't quote you exactly the source, but at one of the many hearings on privacy, apparently a data broker has testified that the unauthorized access of information by a former employee does not constitute a significant risk. I am just a little concerned that the owners of this information are deciding for me what I might consider to be significant harm and then choosing to not provide the information to me, that there has been a breach. Mr. Ireland. Well, I would agree with you. I think there is a terminology and a drafting challenge there because you don't want the owners to have unlimited discretion to make that decision. Currently, under the banking agency guidance, for example, banks are required to notify the banking agency about the breach, regardless of risk. And then they are supposed to notify based on risk standard, and that is going to be worked out between the banks and the banking agencies. There are issues where information is disclosed that have implications for privacy. There are issues where information is disclosed that have implication for credit card fraud. And there are issues where information is disclosed that have implications for identity theft in the form of opening accounts in somebody's name that are fraudulent. And the actions that a consumer would want to take on the basis of those different classes of breaches are different. If you find that you are giving notices to consumers in all of those classes, you may find that the one where they really need to take action by putting a fraud alert, for example, on their file at a consumer reporting agency under the Fact Act, as passed by Congress in 2003, gets lost among other notices that are simply addressing potential privacy issues. So I think the---- Ms. Schakowsky. You know, I mean---- Mr. Ireland. [continuing] judgment needs to made---- Ms. Schakowsky. [continuing] let us not get too---- Mr. Ireland. [continuing] here---- Ms. Schakowsky. [continuing] patronizing though about what consumers can really handle. I mean, we may want to deal with how we communicate that and prioritize a sense of urgency. But isn't it also true that financial institutions regulatory guidance doesn't cover breaches of data about business customers, even small business customers who have business accounts? Mr. MacCarthy said in your absence that we should import that standard. And, you know, we are not covering all--I guess the guidance doesn't cover all consumers but only customers. You know, we just need to make sure that--I think that we-- privacy is a huge deal to people. And I think it varies in its implications, but people don't even like the idea of people just picking through it. And with that, I just want to ask the question--I realize I am running out of time. How do I determine which data brokers have my information? I mean, does your company have information about me? How do we even know? We know about credit reports, we know how to check them, we can even get them free once a year now. But who has my information? How do I know if I want to know? Maybe each of you could quickly tell me how I know if you have got info on me? Ms. Barrett. Well, there are a couple ways if Acxiom had info on you that you might know about it. If you have a question about a client or about a business relationship and you ask them where did that information come from? They might well refer you to Acxiom if we provided the information for whatever that process---- Ms. Schakowsky. But they might not. Ms. Barrett. Well, we actually encourage our clients to do that. And so that is one avenue. Ms. Schakowsky. They don't have to. Ms. Barrett. It becomes a customer service issue I think for them to---- Ms. Schakowsky. Okay. Ms. Barrett. [continuing] deal with--in terms of you--your relationship with them since they are the business that you have a relationship with. Ms. Schakowsky. Okay. Ms. Barrett. On our website you can request, as I was talking earlier, a copy of the report of the information that we have since we do allow consumers to have access. Our web address is fairly well-known. While I don't think all consumers know it, many, many do, and you can easily get to it from privacy websites and a number of other places. Those would be the two most common ways. Ms. Schakowsky. If we knew about Acxiom we could do that, but, you know, most consumers haven't got a clue of who is even controlling their information. Do you know what I am saying? Is there a website I could go to to say well, here is a whole list of data brokers? Here is a whole list of people--I mean, I know who my credit card companies are, so I can go there. But these other businesses that may have my information and are in the business of information are really not very well-known to people. Ms. Barrett. I think that is accurate. And we have actually talked about whether or not there should be a directory if you will or a website where consumers could go and learn who we are. We are certainly not trying to stay in the dark. Ms. Schakowsky. Thank you. Mr. Buege. In our case at West we really don't originate any of this information. We obtain it from the credit bureaus and other aggregators. So in our case if you were to ask us what we have, we would certainly happily and do happily share that with consumers even though, again, we don't serve consumer markets directly. And the answer is it all comes from upstream, so what we end up doing is referring you to the source of the data to have it corrected, removed, whatever. Mr. Ireland. The only information we would have would be derivative of the Visa card that you have with your bank. And we act as a servicer to your bank in processing some of that information, as do other servicers. And the place to start to know where that information is is with your bank if it gave you the Visa card. Mr. Burton. Entrust is a security software company so we are not a data broker, and we help banks and data brokers protect information, but we don't hold any ourselves. Ms. Schakowsky. Thank you all. Mr. Stearns. I thank the gentlelady. The gentlelady from Tennessee. Okay. Okay. I think what we are going to do is a second round here. We appreciate having this expertise here. Mr. Ireland, your testimony states that Visa believes that all holders of sensitive information about consumers should be subject to the same rules. Why shouldn't different types of information be treated differently? Should data security laws differentiate between companies that maintain customer data and those that handle non-customer data? Mr. Ireland. Well, the current banking rules, for example, differentiate--well, depending on whether or not you are the customer or the bank. But Visa adopted the CISP program, for example, because it saw gaps in the banking agency 501(b) and the FTC 501(b) guidance and standards like that. There was some discussion earlier about whether the banking agency standard or the FTC standard is precisely the right standard. And there is no standard that can't be improved in my mind. But standards like that ought to apply, we believe, to classes of information that would be considered sensitive. And obviously other classes, more sophisticated information systems such as credit reporting agencies are already subject to the Fair Credit Reporting Act. But a basic security standard in our view ought to be adopted for a level of information. And it is characterized in my testimony as sensitive, and you have to sort out what that is. One of the problems with current State legislation is that different States are defining sensitive information differently. And what you consider sensitive information depends in part on the dialog I had with Ms. Schakowsky about what you are trying to protect. If you are trying to protect against identity theft, the information is the type of information that would enable somebody to open an account with a financial institution, which is information specified in rules under Section 326 of the U.S.A. Patriot Act for example. If you were talking about credit card account information, that is a somewhat different set of information. If you are talking about privacy interests, you are covering a still broader set of information, but you are still not probably covering information that is not personally identifiable. So as you go about that task I think yes, you have to differentiate between classes of information. But for the same class of information, the same rules ought to apply, regardless of who has that information I would think. Mr. Stearns. If you could waive a wand, do you think Gramm- Leach-Bliley needs to be changed at all? Mr. Ireland. I think Gramm-Leach-Bliley has done a very good job of doing what it set out to do, which was to have financial institutions get control of their uses of personal information and give consumers an opportunity to opt out of certain uses of that information. And that has happened. And I think you have a very high level of compliance with that statute. But obviously there is personal information that is outside the scope of that statute, and the unauthorized use and access to that information creates risks to consumers and we think ought to be addressed by security standards. Mr. Burton. Mr. Chairman---- Mr. Stearns. Yes---- Mr. Burton. [continuing] if I could just comment---- Mr. Stearns. Go ahead. Sure, Mr. Burton. Mr. Burton. [continuing] on Gramm-Leach-Bliley, because I think actually the security safeguards in Gramm-Leach-Bliley are extremely interesting, and I think that we may need to do more. But if you look at what they talk about in terms of what organizations should do to protect security, they don't talk about technology, they don't talk about mandates. They really talk about sound business practices like having a risk assessment for your personal data, making sure there is a security officer in charge of it, making sure that there is regular audits. And I think these kinds of activities are ultimately what is going to drive greater security. And in the work that Entrust has done, including a Department of Homeland Security Committee we co-chaired, we focused really on information security as a corporate governance issue. And so to the extent that you get CEOs and Boards of Directors focused on this and with regular ports going to them about the state of the security in their organizations, suddenly you will see big progress in the way that data is protected and secured. Mr. Stearns. Mr. Buege, we haven't talked about in the event that there are violations and penalties. And do you think monetary penalties are appropriate for entities that disregard basic data base security due to, you know, lack of preparation, due diligence, not following good industry practices? And if so when should a data broker be sanctioned with a fine? Mr. Buege. I think I would say yes, that if a data broker is not exercising appropriate diligence in terms of safeguarding the information, in terms of securing access to it appropriately, that sanctions would be an appropriate remedy. I am not sure I can speculate on, you know, what sorts of sanctions or the magnitude of those but---- Mr. Stearns. Do you think it should be monetary or---- Mr. Buege. Why not? I mean, I wouldn't object to some measures like that in place. I mean, I think if that is what it takes to motivate companies to properly protect this information and to act responsibly in terms of access and systems integrity, I would have no objection to it. Mr. Stearns. Anybody else--I mean, that is another area we haven't talked about in the event that we do find somebody who is negligent. What kind of penalty should be enforced or is there, you know, a warning or what? I mean, depending upon obviously the offense, but if you have any feel on that, anybody else? Ms. Barrett. I would agree. Mr. Stearns. Okay, all right. Well, my time has expired on that, so the gentlelady from Tennessee. Ms. Blackburn. Thank you, Mr. Chairman. And I want to thank each of you for your indulgence. I had just arrived when we had to depart. So I thank you for this. And I think it does, Mr. Chairman, point out the importance of testimony being submitted early because it does allow us to read through that and to prepare and to be ready to come into the hearings. Ms. Barrett, I think want to begin with you if I may, please, ma'am. And I want to thank all of you for what you are doing and being with us here today. I represent an area in Tennessee that goes from Memphis to Nashville, and we have a lot of individuals that live in this district that are concerned with piracy, intellectual property theft, and, of course, a component of that is identity theft. And so we are pretty focused on this. The banking interests, the insurance interests that are in my district, the healthcare interests that are there, the identity theft comes up repeatedly. So we thank you for this. And, Ms. Barrett, in your testimony you explained an occurrence of a client illegally obtaining information from your server and how you went about handling that. And my question for you is based on--it was a July 1904 article that was in ``U.S.A. Today'' that referenced an occurrence of hacking into your server by an individual who ran snipermail.com. So was Snipermail the client that you were referring to? Ms. Barrett. Yes, it is. Ms. Blackburn. It is, okay. All right. So they were a client and not just an outside intruder. And so would you explain the vetting process that you went through before agreeing to do business with Snipermail? Ms. Barrett. Yes, and let me clarify--let me describe the situation. That---- Ms. Blackburn. Okay. Ms. Barrett. [continuing] might answer this plus other questions. We have a file transfer server that our clients use when they want to send us a file of data to be processed. They would send that file to this server, and then we would reach outside of our main system, pick it up, and bring it inside our firewall. It was used---- Ms. Blackburn. Hold on just one moment. So that transfer server is outside your normal firewall system? Ms. Barrett. Yes, it---- Ms. Blackburn. Okay. Ms. Barrett. [continuing] was password-protected with passwords that each client was assigned. Sometimes the files were coming to us for processing, and then when we finished with that, sometimes we would put the file back on that server to be sent back to the client. In many cases the downstream use of that file was actually by a vender of our clients. And in the case of Snipermail, there were actually two different breaches--or two different individuals that breached the server in the same way in 2003. One of them was from a client operation. The other one was from a vendor of a client. And we posted files on that server, and the client actually gave the vendor access to the server to come and pick up the files for subsequent processing. Ms. Blackburn. If I may follow up with you on that, then. So in your vetting process with your clients, are you including or requiring some type of vetting process for their vendors with which they plan to share that information? Ms. Barrett. We have talked about it since that incident. Since the client--this is client data, not Acxiom data, not part of our information products. We actually rely on our client to do the vetting of their own vendors. Ms. Blackburn. And what is your accountability process with your clients regarding those vendor clients of theirs--the vendors of theirs? Because in essence the client is acting on the behalf of the vendor if you will. So therefore, you still have a contingent liability in that issue. Ms. Barrett. And what we have done since that incident is change rather dramatically the processes we use to distribute files to both clients and their vendors, tighten that process up. There are much stricter passwords that are required for that server. It is not a two-way server. There is a server for distribution and a server for receipt. The passwords are changed and verified far more frequently than they were before. And we expect a credentialing process if you will to go on between our client and their vendor. Ms. Blackburn. Okay. Have you sold information on American consumers to foreign companies or foreign governments? Ms. Barrett. No. Ms. Blackburn. You have not. Okay, great. All right. I think my time is about out. Mr. Chairman, thank you. Mr. Stearns. I thank you. I thank you for coming. We are through with our questions so we are going to adjourn the subcommittee, but I want to thank you for the patience you had during the evacuation here. It is very unusual, but we appreciate you taking the time to come back. We lost the GWU law professor, but we are going to submit questions to him to fulfill everything. But I think you have given us a good idea of what we should do. So your coming here today has helped sort of firm up some of the ideas we had on this bill, and we are hoping, I think, in due time here to get a bill. And so any other things that you might suggest--I have given you the outline, probably 7 or 8 of the things we are thinking about, some of them not as forcibly as the others, but you never know what can happen once you move out of the subcommittee to the full committee. But I am hoping we can mark this up in perhaps the next 30 days. So thank you very much for coming, and the subcommittee is adjourned. [Whereupon, at 1:37 p.m., the subcommittee was adjourned.] [Additional material submitted for the record follows:] Prepared Statement of ARMA International about arma international Established in 1956, ARMA International (ARMA) is the non-profit membership organization for the records and information management profession. The 10,000 members of ARMA include records and information managers, imaging specialists, archivists, technologists, legal administrators, librarians, and educators. Our mission includes providing education, research, and networking opportunities to information management professionals, as well as serving as a resource to public policy makers on matters related to the integrity and importance of records and information. ARMA also serves as a recognized standards developer for the American National Standards Institute (ANSI), participating and contributing toward the development of standards for records and information management.1 ARMA is also a charter member of the information and documentation subcommittee of the International Organization for Standardization (ISO), aiding in the development of its records management standard.2 --------------------------------------------------------------------------- \1\ ``Managing Recorded Information Assets and Resources: Retention and Disposition Program'' may be viewed at http://www.arma.org/ standards/public/document_review.cfm?DocID=22. \2\ ``Information and documentation--Records management--Part 1: General'' (ISO 15489-1:2001) (hereafter ``ISO 15489-1''). ARMA fully supports ISO 15489-1. ARMA is currently developing additional records management standards beyond ISO 15489. --------------------------------------------------------------------------- Because of the essential role of effective and appropriate information management in today's economy, ARMA International has a strong interest in issues pertaining to safeguarding consumer information and other personally identifiable information possessed by business and government. Records and information management plays an important role in the private sector. In this new century, the most valuable commodity of business is information, often in the form of data bases of essential information required by the service sectors of our economy. The greatest responsibility for organizations will be managing and maintaining the integrity of an ever-growing flow of information, including the establishment of appropriate safeguards for sensitive information and in establishing retention schedules complaint with regulatory and statutory requirements. Issues such as what information has intrinsic value and what information will be shared and with whom are critical to the future success of 21st century organizations. These challenges call for increased recognition of the role of managing critical information and providing appropriate protections for personally identifiable information. Organizations that embrace information management as being strategic and mission critical will ensure their competitive advantage and remain appropriate stewards of information that contains personal and private records. data security initiatives need to be sensitive to a wide variety of factors Americans demand security and privacy of their personally identifiable information. Identity theft complaints continue to rise.3 The establishment of new systems that allow easy access and transference of personally identifiable data between parties should to be sensitive to personal privacy and grant assurance to Americans that their data will not be misused or end up in the wrong hands. ARMA believes that these systems must incorporate the best practices of records and information management. --------------------------------------------------------------------------- \3\ The Federal Trade Commission reported over 400,000 complaints of identity theft logged into its ID Theft Clearinghouse as of December 2003. See prepared statement of the Federal Trade Commission on Identity Theft: Prevention and Victim Assistance, presented by Betsy Broder, Assistant Director, Division of Planning and Information, Bureau of Consumer Protection, before the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce (December 15, 2003). http://www.ftc.gov/os/2003/12/031215idthefttestimony.pdf. --------------------------------------------------------------------------- Concerns have also begun to emerge with health care providers, financial institutions, and other users of consumer information sending personally identifiable information overseas for processing. This practice, known as ``information offshoring'' is becoming more and more common as organizations seek to curb costs by sending data to countries such as India, Pakistan, and Bangladesh for processing. Unfortunately, these nations lack any statutory controls for the protection personally identifiable information and it remains unclear whether existing U.S. laws, such as HIPAA, apply.4 --------------------------------------------------------------------------- \4\ In a response to a letter from Representative Edward J. Markey asking whether HIPAA covers personally identifiable information sent overseas for processing, Health and Human Services Secretary Tommy Thompson indicated it did not. See letter from Secretary Thompson to Representative Markey dated June 14, 2004 at http://www.house.gov/ markey/Issues/iss_ health_resp040614.pdf. --------------------------------------------------------------------------- Of primary importance from a records and information management perspective is ensuring the privacy and security of the information. Whatever information management systems are in place must ensure protection of the records and information in these two critical areas. Public sector agencies and private sector entities should not have access to personally identifiable information unless the information is essential to the organization's work. It is important that public and private sector entities identify what information is actually mission critical, who within their organizations should have access to the information, and then ensuring that the information cannot be accessed by unauthorized parties. Established records and information management policies that follow best practices concerning retention, disposition, categorization, maintenance, or disposal may apply to aggregated data just as they apply to records in other formats.5 The requirements for protecting records during their use cannot simply be ``added on'' at the end of a technology implementation. These requirements are integral to the functioning of any system which stores, retrieves and protects information, and therefore must be considered during each phase from design to final implementation and system maintenance. --------------------------------------------------------------------------- \5\ See ``Managing Electronic Messages as Records (formerly: Guideline for Managing E-mail)'' (ANSI/ARMA-9-200x). --------------------------------------------------------------------------- why records retention and destruction policies are important for data security Information is among the most valuable commodities of any organization. In the case of organizations that possess, process, and use sensitive consumer information, this information is a part of the organization's strategic business model. As such, these organizations have a significant responsibility to manage and maintain the integrity and security of this information, including the implementation of appropriate safeguards against unauthorized use and the proper disposal of the information. ARMA notes that a significant risk of identity theft occurs at a point when a given record should be destroyed--and the best practices of records and information management and a record's retention schedule would require not only appropriate measures to ensure destruction, but also the documentation of the destruction or final disposition action. Within the context of managing the life cycle of any information, assuring that records and information are destroyed appropriately--at the time and in the manner anticipated by the organization's retention and disposition program, and in compliance with any applicable law or regulation--is as important and deserves the same level of attention and stewardship as assuring that the information is properly maintained--both for the use of an organization in pursuit of its business purposes as well as for safeguarding the information from improper use during the useful life of the information. The appropriate destruction of a record at the end of its life cycle will assist with efforts to curb identity theft, such as the growing problem of ``dumpster diving.'' The same best practices will safeguard the misappropriation of records stored in electronic format. Safeguards and proper disposal are essential elements of an organization's information retention and disposition program. ARMA believes that any safeguard regime for personally identifiable information must include the formal endorsement by senior management of a written records and information management program. This would include the appropriate investment in personnel, training and organization-wide communications. It would also ensure that third party relationships endorse the same safeguards with appropriate means of ensuring compliance. In today's distributed work environments, a wide variety of individuals create records and must therefore take responsibility to ensure those records are captured, identified and preserved. It is no longer enough to train administrative staff and assume they will make sure the records end up in the records management program. All members of management, employees, contractors, volunteers and other individuals share the responsibility for capturing records so they can be properly managed throughout the length of their required retention period. ARMA's comments are informed by recognized practices of documenting the disposal of information and records. ISO 15489-1 Clause 8.3.7, ``Retention and disposition 6'' provides: ``Records systems should be capable of facilitating and implementing decisions on the retention and disposition of records. It should be possible for these decisions to be made at any time in the existence of records, including during the design stage of records systems. It should also be possible, where appropriate, for disposition to be activated automatically. Systems should provide audit trails or other methods to track completed disposition actions.'' --------------------------------------------------------------------------- \6\ ISO 15489-1 Clause 3.9 defines ``disposition'' to mean ``range of processes associated with implementing records retention, destruction or transfer decisions which are documented in disposition authorities or other instruments''. ISO 15489-1 Clause 3.8 defines ``destruction'' to mean ``process of eliminating or deleting records, beyond any possible reconstruction''. Similarly, Draft Standard, Section 3, ``Definitions,'' defines ``disposition'' to mean ``a range of processes associated with implementing records retention, destruction, or transfer decisions that are documented in the records retention and disposition schedule or other authorities. Draft Standard, Section 3 defines ``destruction'' to mean ``the process of eliminating or deleting records beyond any possible reconstruction.'' --------------------------------------------------------------------------- ISO 15489-1 Clause 9.9, ``Implementing disposition'' provides in part: ``The following principles should govern the physical destruction of records-- 1) Destruction should always be authorized. 2) Records pertaining to pending or actual litigation or investigation should not be destroyed. 3) Records destruction should be carried out in a way that preserves the confidentiality of any information they contain. 4) All copies of records that are authorized for destruction, including security copies, preservation copies and backup copies, should be destroyed.'' The Fair and Accurate Credit Transactions Act of 2003 (FACT Act), approved by this Committee, contains a provision requiring the Federal Trade Commission and the various banking regulators to develop a disposal rule for sensitive customer information. This rule may provide a model for businesses in other industry sectors for the appropriate disposal of personally identifiable information. In its comments to the disposal rules proposed by the Commission and the various banking regulators, ARMA strongly recommended that an orgnization's safeguards include a formal, written records and information management program, consistent with ISO 15489. conclusion ARMA International applauds the leadership of Chairman Stearns and Ranking Member Schakowsky for examining the data security issue. ARMA recommends to the Subcommittee the best practices of records and information management as an effective element for any data security or safeguards initiatives or policies. ______ Prepared Statement of Gail Hillebrand, Senior Attorney, Consumers Union summary Consumers Union,1 the non-profit, independent publisher of Consumer Reports, believes that the recent announcements by ChoicePoint, Lexis-Nexis, and many others about the lack of security of our most personal information underscores the need for Congress and the states to act to protect consumers from identity theft. --------------------------------------------------------------------------- \1\ Consumers Union is a non-profit membership organization chartered in 1936 under the laws of the state of New York to provide consumers with information, education and counsel about goods, services, health and personal finance, and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. Consumers Union's income is solely derived from the sale of Consumer Reports, its other publications and from noncommercial contributions, grants and fees. In addition to reports on Consumers Union's own product testing, Consumer Reports with more than four million paid circulation, regularly, carries articles on health, product safety, marketplace economics and legislative, judicial and regulatory actions which affect consumer welfare. Consumers Union's publications carry no advertising and receive no commercial support. --------------------------------------------------------------------------- Identity theft is a serious crime that has become more common in recent years as we have delved further into the ``information age.'' According to the Federal Trade commission, 27.3 million Americans have been victims of identity theft in the past five years, costing businesses and financial institutions $48 billion and consumers $5 billion. Victims pay an average of $1,400 (not including attorney fees) and spend an average of 600 hours to clear their credit reports. The personal costs can also be devastating; identity theft can create unimaginable family stress when victims are turned down for mortgages, student loans, and even jobs. And as ongoing scandals involving ChoicePoint, Lexis-Nexis, and others point to, American consumers cannot fully protect themselves against identity theft on their own. Even consumers who do ``everything right,'' such as paying their bills on time and holding tight to personal information such as Social Security numbers and dates of birth, can become victim through no fault of their own because the companies who profit from this information have lax security standards. Therefore, Congress and the states must enact new obligations grounded in Fair Information Practices 2 on those who hold, use, sell, or profit from private information about consumers. In this context, Fair Information Practices would reduce the collection of unnecessary information, restrict the use of information to the purpose for which it was initially provided, require that information be kept secure, require rigorous screening of the purposes asserted by persons attempting to gain access to that information, and provide for full access to and correction of information held. --------------------------------------------------------------------------- \2\ The Code of Fair Information Practices was developed by the Health, Education, and Welfare Advisory Committee on Automated Data Systems, in a report released two decades ago. The Electronic Privacy Information Center has described the Code as based on these five principles: 1. There must be no personal data record-keeping systems whose very existence is secret. 2. There must be a way for a person to find out what information about the person is in a record and how it is used. 3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent. 4. There must be a way for a person to correct or amend a record of identifiable information about the person. 5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data. Electronic Privacy Information Center, http://www.epic.org/privacy/ consumer/code_fair_ info.html. --------------------------------------------------------------------------- Consumers Union recommends that lawmakers do the following: Require notice of all security breaches: Impose requirements on businesses, nonprofits, and government entities to notify consumers when an unauthorized person has gained access to sensitive information pertaining to them. Consumers Union supports S. 751, by Senator Dianne Feinstein, which would put these requirements in place. We also believe that S. 768, introduced by Senator Charles Schumer and Senator Bill Nelson, will make an excellent notice of breach law. Require and monitor security: Impose strong requirements on information brokers to protect the information they hold and to screen and monitor the persons to whom they make that information available. S. 768, as well as S. 500 and H.R. 1080, introduced by Senator Bill Nelson and Representative Ed Markey, respectively, would direct the Federal Trade Commission to develop such standards and oversee compliance with them. Give consumers access to and a right to correct information: Give individuals rights to see, dispute, and correct information held by information brokers. This is also addressed in the Schumer/Nelson and Nelson/Markey bills. Protect SSNs: Restrict the sale, collection, use, sharing, posting, display, and secondary use of Social Security numbers. Require more care from creditors: Require creditors to take additional steps to verify the identity of an applicant when there is an indicator of possible ID theft. Grant individuals control over their sensitive information: Give individuals rights to control who collects--and who sees-- sensitive information about them. Restrict secondary use of sensitive information: Restrict the use of sensitive personal information for purposes other than the purposes for which it was collected or other uses to which the consumer affirmatively consents. Fix FACTA: A consumer should be able to access more of his or her Fair and Accurate Credit Transactions Act (FACTA) rights, such as the extended fraud alert, before becoming an ID theft victim. Further, one of the key FACTA rights is tied to a police report, which victims still report difficulty in getting and using. Create strong and broadly-based enforcement: Authorize federal, state, local, and private enforcement of all of these obligations. Recognize the role of states: States have pioneered responses to new forms of identity crime and risks to personal privacy. Congress should not inhibit states from putting in place additional identity theft and privacy safeguards. Provide resources and tools for law enforcement: Provide funding for law enforcement to pursue multi-jurisdictional crimes promptly and effectively. Law enforcement also may need new tools to promote prompt cooperation from the Social Security Administration and private creditors in connection with identity theft investigations. After a very brief discussion of the problem of identity theft, each recommendation is discussed. The problem of identity theft is large and growing Current law simply has not protected consumers from identity theft. The numbers tell part of the story: According to the Federal Trade Commission, 27.3 million Americans have been victims of identity theft in the last five years, costing businesses and financial institutions $48 billion, plus another $5 billion in costs to consumers. Commentator Bob Sullivan has estimated that information concerning two million consumers is involved in the security breaches announced over just the six weeks ending April 6, 2005. Is Your Personal Data Next?: Rash of Data Heists Points to Fundamental ID Theft Problem, http://msnbc.msn.com/id/7358558 Based on a report to the FTC in 2003 which concluded that there were nearly 10 million identity theft victims each year, Consumers Union estimates that every minute 19 more Americans become victims of ID theft. These numbers can't begin to describe the stress, financial uncertainty, lost work-time productivity and lost family time identity theft victims experience. Even financially responsible people who routinely pay their bills on time can find themselves in a land of debt collector calls, ruined credit and lost opportunities for jobs, apartments, and prime credit. With more and more scandals coming out every week, the time has come for Congress to act to protect the security of our personal information. Recommendations Notification: Notice of security breaches of information, whether held in computerized or paper form, are the beginning, not the end, of a series of steps needed to begin to resolve the fundamental conundrum of the U.S. information U.S. society: collecting information generates revenues or efficiencies for the holder of the information but can pose a risk of harm to the persons whose economic and personal lives are described by that information. The first principle of Fair Information Practices is that there be no collection of data about individuals whose very existence is a secret from those individuals. A corollary of this must be that when the security of a collection of data containing sensitive information about an individual is breached, that breach cannot be kept secret from the individual. Recognizing the breadth of the information that business, government, and others hold about individuals, Consumers Union recommends a notice of breach requirement that is strong yet covers only ``sensitive'' personal information, including account numbers, numbers commonly used as identifiers for credit and similar purposes, biometric information, and similar information. This sensitive information could open the door to future identity theft, so it is vital that people know when this information has been breached. Consumers Union supports a notice-of-breach law which does the following: Covers paper and computerized data Covers government and privately-held information Does not except encrypted data Does not except regulated entities Has no loopholes, sometimes called ``safe harbors'' Is triggered by the acquisition of information by an unauthorized person Requires that any law enforcement waiting period must be requested in writing and be based on a serious impediment to the investigation Gives consumers who receive a notice of breach access to the federal right to place an extended fraud alert. Consumers Union supports S. 751, which contains these elements. S. 768 contains most, but not all, of these elements and in certain other respects provides additional protections. Three of these elements are of special importance: covering all breaches without exceptions or special weaker rules for particular industries, covering data contained on paper as well as on computer, and covering data whether or not it is encrypted. First, a ``one rule for all breaches'' is the only way to ensure that the notice is sufficiently timely to be useful by the consumer for prevention of harm. ``One rule for all'' is also the only rule that can avoid a factual morass which could make it impossible to determine if a breach notice should have been given. By contrast, a weak notice recommendation such as the one contained in the guidance issued by the bank regulatory agencies 3 cannot create a strong marketplace incentive to invest the time, money, and top-level executive attention to reduce or eliminate, future breaches. --------------------------------------------------------------------------- \3\ That weak recommendation allows a financial institution to decide whether or not its customers need to know about a breach, and the explanatory material even states that it can reach a conclusion that notice is unnecessary without making a full investigation. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12 CFR Part 30, 12 CFR Parts 208 and 225, 12 CFR Part 364, 12 CFR Parts 568 and 570. Other reasons why those guidelines are insufficient to substitute for a statutory requirement to give notice include that they do not apply to non- customers about whom the financial institution has sensitive data, that there is no direct or express penalty for violation of the guideline, and that their case-by-case approach will make it extremely hard to determine in which circumstances the guidance actually recommends notice to consumers, complicating the process of showing that an obligation was unmet. --------------------------------------------------------------------------- Second, unauthorized access to paper records, such as hospital charts or employee personnel files, are just as likely to expose an individual to a risk of identity theft as theft of computer files. Third, encryption doesn't protect information from insider theft, and the forms of encryption vary widely in their effectiveness. Further, even the most effective form of encryption can quickly become worthless if it is not adapted to keep up with changes in technology and with new tools developed by criminals. A requirement to give notice of a security breach elevates the issue of information security inside a company. A requirement for swift, no-exemption notice of security breaches should create reputational and other marketplace incentives for those who hold sensitive consumer information to improve their internal security practices. For example, California's security breach law has led to improved data security in at least two cases. According to news reports, after giving its third notice of security breach in fifteen months, Wells Fargo Bank ordered a comprehensive review of all its information handling practices. The column quoted a memo from Wells Fargo's CEO stating in part: ``The results have been enlightening and demonstrate a need for additional study, remediation and oversight . . . Approximately 70 percent of our remote data has some measure of security exposure as stored and managed today.'' 4 --------------------------------------------------------------------------- \4\ D. Lazarus, ``Wells Boss Frets Over Security,'' S.F. Chronicle, Feb. 23, 2005. http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/02/ 23/BUGBHBFCR11.DTL --------------------------------------------------------------------------- In another example, UC Berkeley Chancellor Robert Bigeneau announced plans to hire an outside auditor to examine data gathering, retention, and security, telling employees: ``I insist that we safeguard the personal information we are given as if it were our own.'' 5 This announcement followed the second announced breach of the security of data held by the University in six months, this one involving 100,000 people.6 --------------------------------------------------------------------------- \5\ ``Cal Laptop Security Put Under Microscope,'' April 6, 2005, Inside Bay Area, http://www.insidebayarea.com/searchresults/ci_2642564. \6\ Opinion Page, Oakland Tribune, April 5, 2005. --------------------------------------------------------------------------- In the Sarbanes-Oxley Act, Congress recognized the importance of the ``tone at the top,'' and for that reason took steps to require the corporate boards and CEOs work to improve the quality and accuracy of audited financial statements. A strong, clear notice of security breach law, without exceptions, could similarly focus the attention of top management on information security--creating an incentive for a ``tone at the top'' to take steps to minimize or eliminate security breaches. Security: Consumers Union supports S. 500 and H.R. 1080, introduced by Senator Bill Nelson and Representative Ed Markey, respectively. These measures would direct the Federal Trade Commission (FTC)to promulgate strong standards for information security and a strong obligation to screen customers, both initially and with respect to how those customers further protect the information from unauthorized use. They also provide for ongoing compliance monitoring by the FTC. S. 768, the Schumer/Nelson bill, contains similar provisions. If Congress wanted to take even stronger steps with respect to information brokers, it could require information brokers to undergo annual audits, paid for by the broker and performed by an independent auditor retained by the FTC, with specific authority in the FTC to require corrective action for security and customer screening weaknesses identified in the audit, as well as allowing the FTC to specify particular aspects of information security that should be included in each such audit. Any federal information broker law must require strong protections in specific aspects of information security, as well as imposing a broad requirement that security in fact be effective and be monitored for ongoing effectiveness. Congress must determine the balance between the public interest in the protection of data and the business interest in the business of information brokering. Security breaches and the effects on consumers of the ongoing maintenance of files on most Americans by information brokers are issues too important to be delegated in full to any regulatory agency. Access and Correction: Two of the basic Fair Information Practices are the right to see and the right to correct information held about the consumer. S. 768, S. 500, and H.R. 1080 all address these issues. While the Fair Credit Reporting Act (FCRA) allows consumers to see and correct their credit reports, as defined by FCRA, consumers currently have no legal right to see the whole file held on them by an information broker such as ChoicePoint and Lexis-Nexis, even though the information in that file may have a profound effect on the consumer. There is also lack of clarity about what a consumer will be able to see even under the FCRA if the information broker has not yet made a report to a potential employer or landlord about that consumer.7 --------------------------------------------------------------------------- \7\ Testimony of Evan Hendricks, Editor/Publisher, Privacy Times before the Senate Banking Committee, March 15, 2005, http:// banking.senate.gov/files/hendricks.pdf. --------------------------------------------------------------------------- Because the uses of information held by data brokers continue to grow and change, affecting consumers in myriad ways, consumers must be given the legal right to see all of the information data brokers hold on them, and to seek and win prompt correction of that information if it is in error. Protection for SSNs: The Social Security number (SSN) has become a de facto national identifier in a number of U.S. industries dealing with consumers. Some proposals for reform have emphasized consent to the use, sale, sharing or posting of Social Security numbers. Consumers Union believes that a consent approach will be less effective than a set of rules designed to reduce the collection and use of sensitive consumer information. Take, for example, an analogy from the recycling mantra: ``Reduce, reuse, recycle.'' Just as public policy to promote recycling first starts with ``reducing'' the use of materials that could end up in a landfill, so protection of sensitive personal information should begin with reduction in the collection and use of such information. Restrictions on the use of the Social Security number must begin with restricting the initial collection of this number to only those transactions where the Social Security number is not only necessary, but also essential to facilitating the transaction requested by the consumer. The same is true for other identifying numbers or information that may be called upon as Social Security numbers are relied upon less. Consumers Union endorses these basic principles for an approach to Social Security numbers: Ban collection and use of SSNs by private entities or by government except where necessary to a transaction and there is no alternative identifier which will suffice. Ban sale, posting, or display of SSNs, including no sale of credit header information containing SSNs. There is no legitimate reason to post or display individuals' Social Security numbers to the public. Ban sharing of SSNs, including between affiliates. Ban secondary use of SSNs, including within the company which collected them. Out of the envelope: ban printing or encoding of SSNs on government and private checks, statements, and the like Out of the wallet: ban use of the SSN for government or private identifier, except for Social Security purposes. This includes banning the use of the SSN, or a variation or part of it, for government and private programs such as Medicare, health insurance, driver's licenses or driver's records, and military, student, or employee identification. Any provision banning the printing of SSNs on identifying cards should also prohibit encoding the same information on the card. Public records containing SSNs must be redacted before posting. There should be no exceptions for regulated entities. There should be No exception for business-to-business use of SSNs. Congress should also consider whether to impose the same type of ``responsibility requirements'' on the collection, sale, use, sharing, display and posting of other information that could easily evolve into a substitute ``national identifier,'' including drivers license number, state non-driver information number, biometric information and cell phone numbers. Creditor identity theft prevention obligations: Information is stolen because it is valuable. A key part of that value is the ability to use the information to gain credit in someone else's name. That value exists only because credit granting institutions do not check the identity of applicants carefully enough to discover identity thieves before credit is granted. Financial institutions and other users of consumer credit reports and credit scores should be obligated to take affirmative steps to establish contact with the consumer before giving credit or allowing access to an account when there is an indicator of possible false application, account takeover or unauthorized use. The news reports of the credit card issued to Clifford J. Dawg, while humorous, illustrate a real problem--creditor eagerness to issue credit spurs inadequate review of the identity of the applicant.8 When the applicant is a dog, this might seem funny, but when the applicant is a thief, there are serious consequences for the integrity of the credit reporting system and for the consumer whose good name is being ruined. --------------------------------------------------------------------------- \8\ Both the news stories about Clifford J. Dawg and a thoughtful analysis of the larger problem of too lax identification standards applied by creditors is found in C. Hoofnagle, Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors, in Securing Privacy in the Information Age (forthcoming from Stanford University Press), http://papers.ssrn.com/sol3/ papers.cfm?abstract_id=650162. --------------------------------------------------------------------------- As new identifiers evolve, criminals will seek to gain access to and use those new identifiers. Thus, any approach to attacking identity theft must also impose obligations on those who make that theft possible--those who grant credit, goods, or services to imposters without taking careful steps to determine with whom they are dealing. At minimum, creditors should be required to actually contact the applicant to verify that he or she is the true source of an application for credit when certain triggering events occur. The triggering events should include any of the following circumstances: Incomplete match on Social Security number Address mismatch between application and credit file Erroneous or missing date of birth in application Misspellings of name or other material information in application Other indicators as practices change Under FACTA, the FTC and the federal financial institution regulators are charged with developing a set of red flag ``guidelines'' to ``identify possible risks'' to customers or to the financial institution. However, FACTA stops with the identification of risks. It does not require that financial institutions do anything to address those risks once identified through the not-yet-released guidelines. The presence of a factor identified in the guidelines does not trigger a statutory obligation to take more care in determining the true identity of the applicant before granting credit. Congress should impose a plain, enforceable obligation for creditors to contact the consumer to verify that he or she has in fact sought credit when certain indicators of potential identity theft are present. Control for consumers over affiliate-sharing, use of information, use of credit reports and credit scores: Consumers are caught between the growth in the collection and secondary use of information about them on the one hand and the increasing sophistication of criminals in exploiting weaknesses in how that information is stored, transported, sold by brokers, shared between affiliates, and used to access credit files and credit scores. Identity theft has been fueled in part by information-sharing between and within companies, the existence of databases that consumers don't know about and can't stop their information from being part of, the secondary use of information, and the granting of credit based on a check of the consumer credit file or credit score without efforts to verify the identity of the applicant.9 Consumers Union has consistently supported federal and state efforts to give consumers the legal right to stop the sharing of their sensitive personal information among affiliates. Finally, it is essential to stopping the spread of numbers that serve as consumer identifiers that Congress and the states impose strong restrictions on the use of sensitive personal information for purposes other than the purpose for which the consumer originally provided that information. --------------------------------------------------------------------------- \9\ Secondary use is use for a purpose other than the purpose for which the consumer gave the information. --------------------------------------------------------------------------- Fix FACTA: FACTA has made some things more difficult for identity theft victims, according to information provided to Consumers Union by nonprofits and professionals who assist identity theft victims. Moreover, FACTA gives only limited rights to those who have not yet become victims of identity theft, and FACTA fails to offer a pure prevention tool for all consumers. A consumer who asserts in good faith that he or she is about to become a victim of identity theft gets one right under FACTA--the right to place, or renew, a 90 day fraud alert. However, this type of alert places lower obligations on the potential creditor than the extended alert, which is restricted only to identity theft victims. A consumer should be able to access more of his or her FACTA rights, such as the extended fraud alert, before becoming an identity theft victim. One key FACTA right is tied to a police report, which victims still report difficulty in getting and using. Here are some key ways to make FACTA work for victims: Initial fraud alert should be one year, not 90 days Extended alert and other victims' rights, other than blocking of information, should be available to all identity theft victims who fill out the FTC ID theft affidavit under penalty of perjury Business records should be available to any consumer who fills out the FTC ID theft affidavit under penalty of perjury Consumers who receive a notice of security breach should be entitled to place an extended fraud alert Consumers who place a fraud alert have the right under FACTA to a free credit report, but this should be made automatic. There is also work to do outside of FACTA, including work to develop a police report that could be given to victims that is sufficiently similar, if not uniform, across jurisdictions, so that the victim does not find creditors or businesses in another jurisdiction refusing to accept a police report from the victim's home jurisdiction. Congress must encourage the states to continue to pioneer prompt responses to identity crime: Virtually every idea on the table today in the national debate about stemming identity theft and protecting consumer privacy comes from legislation already enacted by a state. Congress must not cut off this source of progress and innovation. Instead, any identity theft and consumer privacy legislation in Congress should expressly permit states to continue to enact new rights, obligations, and remedies in connection with identity theft and consumer privacy to the full extent that the state requirements are not inconsistent with the specific requirements of federal law. Criminals will always be more fast-acting, and fast-adapting, than the federal government. An important response to this reality is to permit, and indeed encourage, state legislatures to continue to act in the areas of identity theft and consumer privacy. Fast-acting states can respond to emerging practices that can harm consumers while those practices are still regional, before they spread nationwide. For example, California enacted its notice of security breach law and other significant identity theft protections because identity theft was a significant problem in California well before it became, or at least was recognized as, a national crime wave. Identity theft illustrates how much quicker states act on consumer issues than Congress. According to numbers released by the FTC, there were 9.9 million annual U.S. victims of identity theft in the year before Congress adopted the relatively modest rights for identity theft victims found in FACTA. The identity theft provisions adopted by Congress in FACTA were modeled on laws already enacted in states such as California, Connecticut, Louisiana, Texas, and Virginia.10 --------------------------------------------------------------------------- \10\ See California Civil Code 1785.11.1, 1785.11.2, 1785,16.1; Conn. SB 688 9(d), (e), Conn. Gen. Stats. 36a-699; IL Re. Stat. Ch. 505 2MM; LA Rev. Stat. 9:3568B.1, 9:3568C, 9:3568D, 9:3571.1 (H)- (L); Tex. Bus. & Comm. Code 20.01(7), 20.031, 20.034-039, 20.04; VA Code 18.2-186.31:E. The role of the states has also been important in financial issues unrelated to identity theft. Here are two examples. In 1986, California required that specific information be included in credit card solicitations with enactment of the then-titled Areias-Robbins Credit Card Full Disclosure Act of 1986. That statute required that every credit card solicitation to contain a chart showing the interest rate, grace period, and annual fee. 1986 Cal. Stats., Ch. 1397, codified at California Civil Code 1748.11. Two years later, Congress chose to adopt the same concept in the Federal Fair Credit and Charge Card Disclosure Act (FCCCDA), setting standards for credit card solicitations, applications and renewals. P. L. 100-583, 102 Stat. 2960 (Nov. 1, 1988), codified in part at 15 U.S.C. 1637(c) and 1610(e). The implementing changes to federal Regulation Z included a model form for the federal disclosure box which is quite similar to the form required under the pioneering California statute. 54 Fed. Reg. 13855, Appendix G. --------------------------------------------------------------------------- Strong and broadly-based enforcement: Consumers need effective enforcement of those obligations and restrictions Congress imposes in response to the increasing threats to consumer privacy, and of the growth of identity theft. A diversity of approaches strengthens enforcement. Each statutory obligation imposed by Congress should be enforceable by federal agencies, the federal law enforcement structure with the Attorney General and U.S. Attorneys, and State Attorneys General. Where a state is structured so that part of the job of protecting the public devolves to a local entity, such as a District Attorney or City Attorney, those local entities also should be empowered to enforce anti-identity theft and privacy measures in local civil or, where appropriate, criminal courts. There is also a role for a private right of action. It is an unfortunate reality in identity theft is that law enforcement resources are slim relative to the size of the problem. This makes it particularly important that individuals be given a private right of action to enforce the obligations owed to them by others who hold their information. A private right of action is an important part of any enforcement matrix. Money and tools for law enforcement: Even if all the recommended steps are taken, U.S. consumers will still need vigorous, well-funded law enforcement. At a meeting convened by Senator Feinstein which included some twenty representatives of law enforcement, including police departments, sheriffs, and District Attorneys, law enforcement uniformly proposed that they be given tools to more effectively investigate identity theft. Law enforcement costs money, and the law enforcers noted that the multi-jurisdictional nature of identify theft increases the costs and time, it takes to investigate these crimes. Law enforcers in California and Oregon have noted a strong link between identity theft crime and methamphetamine. The Riverside County Sheriff noted at a March 29, 2005 event that when drug officers close a methamphetamine lab, they often find boxes of fake identification ready for use in identity theft. The drug team has closed the lab; without funding for training and ongoing officer time, there may be no investigation of those boxes of identities. To prove a charge of attempted identity theft, a prosecutor may need to prove that the real person holding a particular driver's license number, credit or debit card number, or Social Security number is different from the holder of the fake ID. Doing this may require the cooperation of a state Department of Motor Vehicles, a financial institution, or the Social Security Administration. The public meetings of the California High Tech Crimes Advisory Committee have including discussion of the difficulties and time delays law enforcement investigators encounter in trying to obtain this cooperation. Congress should work with law enforcement and groups representing interest in civil liberties to craft a solution to verifying victim identity that will facilitate investigation of identity theft without infringing on the individual privacy of identity theft victims and other individuals. Law enforcement may have more specific proposals to enhance their effectiveness in fighting identity theft. Consumers Union generally supports: Funding for regional identity theft law enforcement task forces in highest areas of concentration of victims, and of identity thieves Funding for investigation and prosecution An obligation on creditors, financial institutions, and the Social Security Administration to provide information about suspected theft-related accounts or numbers to local, state, and federal law enforcement after a simple, well designed, request process Consumers Union believes that the time has come for both Congress and state legislatures to act to stem identity theft through strong and meaningful requirements to tell consumers of security breaches; strong and detailed security standards and oversight for information brokers, reining in the use of Social Security numbers, increased control for consumers over the uses of their information, and obligations on creditors to end their role in facilitating identity theft through lack of care in credit granting. This should be done without infringing on the role of the states, with attention to the need to fund law enforcement to fight identity theft, and with attention to the need for private enforcement by consumers. We look forward to working with the Chair and members of the Committee, and others in Congress, to accomplish these changes for U.S. consumers. These recommendations by Consumers Union have been informed by the work of victim assistance groups, privacy advocates, and others.11 ------------ 11 Many law enforcers, victim assistance workers, and consumer and privacy advocates were engaged in the issue of identity theft prevention long before the most recent ChoicePoint security breach came to light. Consumers Union has worked closely for many years on efforts to fight identity theft and protect consumer financial privacy with other national groups, and with consumer privacy and anti- identity theft advocates and victim assistance groups based in California. Our views and recommendations are strongly informed by the experiences of consumers reported to us by the nonprofit Privacy Rights Clearinghouse, the nonprofit Identity Theft Resource Center, and others who work directly with identity theft victims. These groups have worked to develop the state laws that are the basis for many of the proposals now being introduced in Congress. Consumers Union is grateful for the leadership of the Privacy Rights Clearinghouse in consumer privacy policy work, the work of the state PIRGs and U.S.PIRG on consumer identity theft rights which includes the preparation of a model state identity theft statute in cooperation with Consumers Union, for the work for consumers on the accuracy of consumer credit reporting issues done over the past decade by the Consumer Federation of America and U.S. PIRG, and for the contributions to the policy debate of organizations such as the Electronic Privacy Information Center, Privacy Times, and others too numerous to mention.