[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]

FIFTH IN A SERIES OF HEARINGS ON SOCIAL SECURITY NUMBER HIGH-RISK ISSUES

HEARING before the SUBCOMMITTEE ON SOCIAL SECURITY of the COMMITTEE ON WAYS AND MEANS U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED NINTH CONGRESS SECOND SESSION

MARCH 30, 2006

Serial No. 109-62

Printed for the use of the Committee on Ways and Means

U.S. GOVERNMENT PRINTING OFFICE 30-440 WASHINGTON : 2006

For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON WAYS AND MEANS

BILL THOMAS, California, Chairman

E. CLAY SHAW, JR., Florida CHARLES B. RANGEL, New York NANCY L. JOHNSON, Connecticut FORTNEY PETE STARK, California WALLY HERGER, California SANDER M. LEVIN, Michigan JIM MCCRERY, Louisiana BENJAMIN L. CARDIN, Maryland DAVE CAMP, Michigan JIM MCDERMOTT, Washington JIM RAMSTAD, Minnesota JOHN LEWIS, Georgia JIM NUSSLE, Iowa RICHARD E. NEAL, Massachusetts SAM JOHNSON, Texas MICHAEL R. MCNULTY, New York PHIL ENGLISH, Pennsylvania WILLIAM J. JEFFERSON, Louisiana J.D. HAYWORTH, Arizona JOHN S. TANNER, Tennessee JERRY WELLER, Illinois XAVIER BECERRA, California KENNY C. HULSHOF, Missouri LLOYD DOGGETT, Texas RON LEWIS, Kentucky EARL POMEROY, North Dakota MARK FOLEY, Florida STEPHANIE TUBBS JONES, Ohio KEVIN BRADY, Texas MIKE THOMPSON, California THOMAS M. REYNOLDS, New York JOHN B. LARSON, Connecticut PAUL RYAN, Wisconsin RAHM EMANUEL, Illinois ERIC CANTOR, Virginia JOHN LINDER, Georgia BOB BEAUPREZ, Colorado MELISSA A. HART, Pennsylvania CHRIS CHOCOLA, Indiana DEVIN NUNES, California

Allison H. Giles, Chief of Staff
Janice Mays, Minority Chief Counsel

SUBCOMMITTEE ON SOCIAL SECURITY

JIM MCCRERY, Louisiana, Chairman

E. CLAY SHAW JR., Florida SANDER M. LEVIN, Michigan SAM JOHNSON, Texas EARL POMEROY, North Dakota J.D. HAYWORTH, Arizona XAVIER BECERRA, California KENNY C. HULSHOF, Missouri STEPHANIE TUBBS JONES, Ohio RON LEWIS, Kentucky RICHARD E. NEAL, Massachusetts KEVIN BRADY, Texas PAUL RYAN, Wisconsin

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Ways and Means are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined.

CONTENTS

Advisory of March 23, 2006 announcing the hearing

WITNESSES

The Honorable David Dreier, a Representative in Congress from the State of California
The Honorable Silvestre Reyes, a Representative in Congress from the State of Texas

Federal Trade Commission, Joel Winston, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection
U.S. Government Accountability Office, Cynthia M. Fagnoni, Managing Director, Education, Workforce, and Income Security

BITS Fraud Reduction Steering Committee, Erik Stein
Consumer Data Industry Association, Stuart K. Pratt
Council of State Court Administrators, Mary C. McQueen
Identity Theft Resource Center, Nicole Robinson
National Council of Investigation and Security Services, Bruce Hulme

SUBMISSIONS FOR THE RECORD

Kenney, John P., Corona Del Mar, CA, letter
Sybesma, Jamie, Fishers, IN, statement

FIFTH IN A SERIES OF HEARINGS ON SOCIAL SECURITY NUMBER HIGH-RISK ISSUES

THURSDAY, MARCH 30, 2006

U.S. House of Representatives, Committee on Ways and Means, Subcommittee on Social Security, Washington, DC.

The Subcommittee met, pursuant to notice, at 2:40 p.m., in room B-318, Rayburn House Office Building, Hon. Jim McCrery (Chairman of the Subcommittee) presiding.

[The advisory announcing the hearing follows:]

ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS SUBCOMMITTEE ON SOCIAL SECURITY

CONTACT: (202) 225-9263
FOR IMMEDIATE RELEASE
March 23, 2006
No. SS-14

McCrery Announces Fifth in Series of Subcommittee Hearings on Social Security Number High-Risk Issues

Congressman Jim McCrery, (R-LA), Chairman, Subcommittee on Social Security of the Committee on Ways and Means, today announced that the Subcommittee will hold the fifth in a series of Subcommittee hearings on Social Security number (SSN) high-risk issues. The hearing will examine the role of SSNs in identity theft and options to enhance SSN privacy. The hearing will take place on Thursday, March 30, 2006, in room B-318 Rayburn House Office Building, beginning at 2:00 p.m.

In view of the limited time available to hear witnesses, oral testimony at this hearing will be from invited witnesses only. However, any individual or organization not scheduled for an oral appearance may submit a written statement for consideration by the Subcommittee and for inclusion in the printed record of the hearing.

BACKGROUND: Identity theft is a serious crime in which a victim's personal information may be used to fraudulently obtain credit, goods or services, employment, government documents or benefits, or to commit other crimes. According to a 2006 survey released by the Council of Better Business Bureaus and Javelin Strategy & Research, there are almost 9 million adult victims of identity fraud (about 4 percent of the U.S. adult population). These victims may spend significant amounts of money and time to resolve their problems: on average $422 and 40 hours per victim. Total identity theft costs exceed $50 billion annually. Although SSNs have many important legitimate uses, the Federal Trade Commission (FTC) indicates that they also play a pivotal role in identity theft. According to the FTC, the SSN is integral to many business transactions, and identity thieves use the SSN as a key to unlock access to the financial benefits of their victims. Despite its vital role in our financial system, there is no Federal law that requires comprehensive confidentiality protection for the SSN. An SSN may be on display to the general public on employee badges, in court documents, or on the Internet. However, there are laws that provide limited SSN confidentiality. For example, the Gramm-Leach-Bliley Act (P.L. 106-102) restricts the reuse and redisclosure of certain personal information, including SSNs, by financial institutions. Also, many States have enacted legislation to restrict the use, disclosure, or display of SSNs. Members of Congress, concerned about the magnitude of the problem and its devastating effects on victims, have introduced legislation that would place various restrictions and prohibitions on the use, sale, purchase, or display of SSNs, as well as create new criminal and civil penalties for those who misuse SSNs. 
Also, legislation has been introduced that would require improvements to the process of issuing SSNs or the design of the SSN card to prevent individuals from fraudulently obtaining an SSN or counterfeiting SSN cards. In announcing the hearing, Chairman McCrery stated, ``We must carefully examine all options to keep Social Security numbers, or SSNs, out of the hands of identity thieves. As we do so, we must remember that SSNs play a key role in our society, whether in business transactions, tax administration, public benefits, or the court systems. Through this hearing we will explore how best to achieve the appropriate balance between the need for protecting SSN privacy and allowing their use for legitimate and necessary purposes.''

FOCUS OF THE HEARING: The Subcommittee will examine the role of SSNs in abetting identity theft, and the effects of proposals to prohibit or restrict the use, sale, purchase, or display of SSNs by individuals, businesses, or the government.

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS: Please Note: Any person(s) and/or organization(s) wishing to submit for the hearing record must follow the appropriate link on the hearing page of the Committee website and complete the informational forms. From the Committee homepage, http://waysandmeans.house.gov, select ``109th Congress'' from the menu entitled, ``Hearing Archives'' (http://waysandmeans.house.gov/Hearings.asp?congress=17). Select the hearing for which you would like to submit, and click on the link entitled, ``Click here to provide a submission for the record.'' Once you have followed the online instructions, completing all informational forms and clicking ``submit'' on the final page, an email will be sent to the address which you supply confirming your interest in providing a submission for the record. 
You MUST REPLY to the email and ATTACH your submission as a Word or WordPerfect document, in compliance with the formatting requirements listed below, by close of business Thursday, April 13, 2006. Finally, please note that due to the change in House mail policy, the U.S. Capitol Police will refuse sealed-package deliveries to all House Office Buildings. For questions, or if you encounter technical problems, please call (202) 225-1721. FORMATTING REQUIREMENTS: The Committee relies on electronic submissions for printing the official hearing record. As always, submissions will be included in the record according to the discretion of the Committee. The Committee will not alter the content of your submission, but we reserve the right to format it according to our guidelines. Any submission provided to the Committee by a witness, any supplementary materials submitted for the printed record, and any written comments in response to a request for written comments must conform to the guidelines listed below. Any submission or supplementary item not in compliance with these guidelines will not be printed, but will be maintained in the Committee files for review and use by the Committee. 1. All submissions and supplementary materials must be provided in Word or WordPerfect format and MUST NOT exceed a total of 10 pages, including attachments. Witnesses and submitters are advised that the Committee relies on electronic submissions for printing the official hearing record. 2. Copies of whole documents submitted as exhibit material will not be accepted for printing. Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material not meeting these specifications will be maintained in the Committee files for review and use by the Committee. 3. All submissions must include a list of all clients, persons, and/or organizations on whose behalf the witness appears. 
A supplemental sheet must accompany each submission listing the name, company, address, telephone and fax numbers of each witness. Note: All Committee advisories and news releases are available on the World Wide Web at http://waysandmeans.house.gov. The Committee seeks to make its facilities accessible to persons with disabilities. If you are in need of special accommodations, please call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four business days notice is requested). Questions with regard to special accommodation needs in general (including availability of Committee materials in alternative formats) may be directed to the Committee as noted above.

Chairman MCCRERY. The Subcommittee hearing will come to order. Good afternoon, everybody. Welcome to our fifth in a series of hearings on high-risk issues related to Social Security numbers (SSNs). Today, we will examine the use of SSNs by government agencies, businesses, and others, as well as explore options for improving the confidentiality of SSNs. For many years, this Subcommittee has worked to protect SSN privacy. For example, the Committee on Ways and Means approved bills in the 108th and 106th Congresses that were introduced by my predecessor, Subcommittee Chairman Clay Shaw. Some of the provisions from Mr. Shaw's bill in the 108th Congress have become law, including limits on replacement SSN cards and a prohibition on the display of SSNs on drivers' licenses. The SSN plays a key role in both our government and in our economy. Since the SSN is a unique number for each person and is widely used, it helps link records at all levels. This, in turn, facilitates administration of government services and benefits, business transactions, and fraud prevention. However, once this essential piece of information is in the hands of identity thieves, it opens a Pandora's box of problems. Stolen SSNs can damage lives and businesses' bottom lines. 
Today, we will hear about the current patchwork of Federal and State laws that provide limited and inconsistent confidentiality protection for SSNs. For example, financial institutions are restricted in their ability to release SSN information, but SSNs may appear in any number of publicly available government records, such as court records or property ownership records. Computers and the Internet have enabled unprecedented information sharing, and anyone who collects, uses, or shares SSN information has a responsibility to protect its confidentiality. Today, we will hear about some of the voluntary steps that government agencies, businesses, and others are taking to protect SSNs from unauthorized disclosure. We also will have the opportunity to explore options for improving SSN protections. These options involve complicated trade-offs. In some cases, Federal laws and regulations require the collection of SSNs to achieve certain goals, such as efficient and accurate tax administration, child support enforcement, and identification of money launderers and terrorists. As we examine alternatives for improving SSN privacy to help prevent identity theft, we must consider the potential effect on the attainment of those goals. We must also be mindful of the costs that individuals, businesses, and government agencies may incur as a result. By carefully examining all options to keep SSNs out of the hands of identity thieves and by listening to as many stakeholders as possible, we seek a balance between protecting SSN privacy and allowing its use for legitimate and necessary purposes. Mr. Levin? Mr. LEVIN. Mr. Chairman, since I basically agree with your opening statement and since both of our colleagues here, I would simply ask that my opening statement be placed in the record. Chairman MCCRERY. Without objection. Thank you, Mr. Levin. [The prepared statement of Mr. Levin follows:] Opening Statement of The Honorable Sander M. 
Levin, a Representative in Congress from the State of Michigan The problem of identity theft is serious and growing, claiming almost 9 million victims and costing our economy an estimated $50 billion a year. The issue within our Committee's jurisdiction-- protecting the Social Security Number--is just one piece of a total strategy to address identity theft, but it is an important one. Government agencies and the private sector must both do their part to prevent and detect identity theft. When it comes to the Social Security number, the critical issue is striking the right balance between allowing beneficial uses of the number and protecting privacy for individuals. The rapid advance in technology in recent years has greatly aggravated the problem of identity theft. Identity thieves no longer have to rifle through people's trash in search of private information. They increasingly obtain this information by tapping into computer databases and other high-tech means. Given the evolving nature of the problem, there is a clear need for ongoing oversight. I look forward to hearing more about the issues and options from our witnesses. In the past, our Subcommittee has been able to work to find this balance in a genuinely bipartisan way, with Republicans and Democrats sitting across the table and coming to agreement on the issues. I hope we will be able to continue in that tradition, and work closely together to act on the information we receive today. Chairman MCCRERY. Our first panel today is composed of two distinguished colleagues, Mr. Dreier and Mr. Reyes, each of whom have expressed an interest in the issues that this Subcommittee has been exploring for some time now. They were supposed to be here last time, but we had a series of votes, and in an effort to not prolong the necessity for other witnesses to stay, we asked these two colleagues if they could come today, and they graciously agreed to do that. Welcome, gentlemen. 
We are interested in your views on this subject. We would like for you to try to summarize those views in about 5 minutes, and we will start with my colleague from California, Mr. Dreier. STATEMENT OF DAVID DREIER, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA Mr. DREIER. Thank you very much, Mr. Chairman. Let me begin by expressing my appreciation to you for the hard work that you do in dealing with this issue of Social Security and the specific issue you are tackling right now, and to Mr. Levin and Mr. Johnson and Mr. Brady, I thank all of you for being here. I know we have completed our votes on the floor, but this is a very important issue. Mr. Reyes and I have come together in a bipartisan way to deal with an issue that is getting a great deal of attention. The issue is immigration reform and border security. I don't know if any of you all recall that we dealt with that back in December and our colleagues in the other body are tackling that question right now, as to how they move ahead this week and next on this issue. Virtually everything that we do focuses on the supply side of the immigration problem. On border security, what is it that we did? Well, we talked about building a 700-mile wall. We talked about dramatically increasing the size of the Border Patrol, a lot of things that are designed to stem the flow of people coming into this country illegally. What is it that we really haven't done? We haven't spent much time and effort looking at why it is that they come to the United States of America. That is why Mr. Reyes and I, with the encouragement of T.J. Bonner, who is the President of the National Border Patrol Council, which is the union of Border Patrol agents, said, let us not just look at the supply side. Let us focus on the demand side here. Why is it that people come into this country illegally? They come here, 98 percent of them, for one reason and one reason only. They come here looking for a job. 
They are looking to feed their families. They are looking for economic opportunity. We all know that. Of the 12 million people who are in this country illegally, we know that nearly all of them are here as productive members of society, working, paying taxes, doing things that need to be done in this country. We know that they are here illegally and there is a strong sense that we need to take action. We need to take action to deal with it. Right now, there are 94 different combinations of documents, including that flimsy little Social Security card that was first put into place in 1935, that has not been updated once since 1935, that are used for a potential employee to go to a potential employer and get a job--94 different combinations of documents, including a school ID card, a library card. What Mr. Reyes and I have come together to do is very simply to say, why don't we make an attempt to put into place a smart, counterfeit-proof Social Security card with an algorithm strip on the back of it, an algorithm strip which would simply go in and look at the data that is already there. No new data--the government would not get its hands on any new data at all. This counterfeit-proof card--actually, I carry a counterfeit example of my counterfeit-proof card, this is an old Union 76 credit card and I have just put the Social Security on the top of the card. I used T.J. Bonner's picture, since this was his idea, and his photo is here, and you would have an algorithm strip on the back. Someone is going in, Mr. Chairman, to look for a job. The potential employer decides, I might want to hire this person. They either swipe this card or call an 800 number. They dial the 800 number and it goes into a databank which is simply taking the SSN, linking it with the U.S. Department of Homeland Security (DHS), and the only information that would go out is yea or nay. Is this person a qualified worker or not a qualified worker? 
We put on the bottom of this that this is not a national ID card. I know that from testimony you all have had in the past, from your last hearing, I understood that real concern is raised about if it looks like a duck, walks like a duck, acts like a duck, talks like a duck, it may be a duck. The fact is, this is not a national ID card. Why? The only utilization of this card will be for, number one, Social Security purposes, which are correct, and number two, applying for a new job. Now, as I look around this room, I feel pretty sanguine that everybody here, including Xavier Becerra, will be reelected as they head toward this November election. Mr. BECERRA. Is that an endorsement? Mr. DREIER. You don't want my endorsement, Xavier. [Laughter.] That might jeopardize it, if you had my endorsement. The fact is, only people looking, Mr. Chairman, for a new job would be required to carry this. A senior citizen would never have to have a counterfeit-proof Social Security card. Someone who is a small business man or woman would never have to have a counterfeit-proof Social Security card. What we have got is we have got a situation where the magnet that draws people across the border is jobs, and if the thumbs-down comes from this card from the databank that is already there, we in our legislation increase the penalty dramatically and we increase enforcement dramatically. By 400 percent, we increase the penalty, from $10,000 to $50,000 for hiring, and we have a 5 year prison term, and we also increase by 10,000 the number of enforcement agents. Now, you and I were talking yesterday about this and I know that everyone in this room pays their taxes simply because they are patriotic Americans, but there may be some people out there who realize that the Internal Revenue Service (IRS) is there and that may be the reason that as April 15 approaches, they will be paying their taxes. I know none of us are among those. 
Similarly, if we were to see four or five high-profile arrests due to people who were knowingly hiring those who are here illegally, I am convinced that we would see a great diminution of the number of hirings taking place. I am convinced that we have, if not the panacea, we have the ability to look at what deals with 98 percent of the people who come here illegally to help us address this issue. Mr. Chairman, I think we have got a great opportunity to do something here and I am pleased that Members of the Hispanic Caucus have joined. Again, it is a very, very bipartisan measure. It is my hope that as we look at the issue of immigration reform, we will be able to recognize that this is better for the employer, easier for the businessman or woman who is looking to hire someone, because they don't have to look at 94 different combinations of documents and they are free of responsibility once they have gotten a yea or nay on it. It is going to help us deal with this very serious problem that we have of illegal immigration and finally see the Social Security Administration (SSA) bring that flimsy little paper to which I was referring into the 21st century. Thank you very much. Chairman MCCRERY. Thank you, Mr. Dreier. [The prepared statement of Mr. Dreier follows:] Statement of The Honorable David Dreier, a Representative in Congress from the State of California Chairman McCrery, Ranking Member Levin, Members of the Subcommittee, thank you for providing this opportunity to appear before the Subcommittee's hearing on Social Security high risk issues. Specifically, I would like to discuss the merits of legislation I authored with my friend from El Paso, Mr. Reyes, H.R. 98, the Illegal Immigration Enforcement and Social Security Protection Act, and how it would help to crack down on the hiring of illegal immigrants and curb abuse of the Social Security number and card. 
I have submitted testimony for the record to two of your previous hearings on this matter, so I'll keep my statement somewhat brief. I want to have ample time to answer your questions. As I mentioned in previous written testimony, there are 94 different combinations of documents on the current I-9 form that can be used to establish identity and employment eligibility. The Social Security card is one such document. Because the process by which job seekers prove their employment eligibility is so unwieldy and complicated, it plays right into the hands of illegal immigrants who can obtain or copy Social Security numbers and cards. In fact, easy employment powers the job-magnet that draws people to illegally enter our country. That is why Mr. Reyes and I authored H.R. 98. We need to address the ``demand-side'' of the illegal immigration issue. H.R. 98 makes the Social Security card fraud-proof and provides employers with a tamper-free tool to verify work authorization status. This will come as a great relief to employers who have been forced to act as immigration and document experts. Under the bill, the Social Security Administration (SSA) is required to issue cards that contain a digitized photo of the cardholder, as well as other countermeasures to reduce fraud. This includes replacing the flimsy Social Security banknote paper with a durable plastic or similar material. Also, each card will contain physical security features designed to prevent tampering, counterfeiting or duplication. In addition, this card will have an electronic signature strip that contains an encrypted electronic identification code unique to that individual. Employers could verify worker eligibility via a Department of Homeland Security (DHS) database by swiping the card through an electronic card-reader or simply calling a toll-free number. The employer would know instantaneously whether or not they were permitted to hire the individual in question. 
As my colleagues on the Subcommittee know, the House-approved border control bill directs SSA to study the implementation and feasibility of such a proposal. I understand that privacy concerns have been raised regarding H.R. 98; that the bill would create a national ID card. Let me just say unequivocally that H.R. 98 does not create a national ID card. In fact, section 11 of the bill unconditionally prohibits the use of the Social Security card as a national ID card. Let us not forget that job applicants, under current law, are already required to show documents that establish their identity and employment eligibility. Many, if not most, choose to show their employer the combination of a photo ID and their Social Security card. Eliminating a step by actually placing the photo on the Social Security card itself doesn't take us any further down the road of creating a national ID card. The only time anyone would actually be required to carry the improved Social Security card would either be for Social Security purposes or when they are applying for a new job. H.R. 98 explicitly states that individuals cannot be required to carry the new card, except for these two purposes. And the card itself will contain a disclaimer stating: ``This card not to be used for the purpose of identification.'' Social Security cards had a similar disclaimer from 1946 to 1972. I also understand that concerns have been raised regarding the privacy and security of the employment eligibility database created under H.R. 98. Let me just say that no one is more sensitive to concerns about privacy and data security than I am. But let's remember, I wouldn't be sitting here in front of you today if we were already doing a great job of securing our Social Security and immigration systems. Nonetheless, we have taken great care to ensure the integrity of the Employment Eligibility Database which H.R. 98 creates. 
Specifically, the bill prohibits the use of any information in the database by any DHS employee for any purpose other than administering the database, and it requires DHS to limit access to the database to only those employees who administer the database. We also need to keep in mind that the government already has the information that would be contained on this new Social Security card. An individual's eligibility to work under the law is dependent on whether they are a U.S. citizen, and if not, their immigration status. SSA already maintains citizenship and immigration status files for each worker issued a Social Security card, and our legislation would not require them to gather any additional information than they do currently. The only thing H.R. 98 does is allow the information that SSA already collects to be used for the purpose of verifying a prospective employee's eligibility to work--via the DHS database--and the authenticity of their Social Security card. This streamlines two separate pre-existing government functions: determining a person's eligibility to work and ensuring that employers do not hire anyone ineligible to work. Mr. Chairman, in recent years, we have improved the security of almost every government-issued document, passports, green cards, driver's licenses, save one--the Social Security card. With over five million cards issued annually, we need to realize that it's time to bring the Social Security card into the 21st Century. In the process, we will end the magnet of jobs for illegal immigrants. I believe that H.R. 98 represents an excellent starting point to secure the Social Security card and enhance our efforts to stop the hiring of illegal immigrants. I look forward to working with the Members of the Subcommittee to reach these important goals. Chairman MCCRERY. Now, our colleague from Texas, Mr. Reyes. STATEMENT OF SILVESTRE REYES, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS Mr. REYES. Thank you, Mr. Chairman, Mr. 
Levin, fellow colleagues. I am pleased to be here with my good friend and colleague from California, and I just want to make three points, but before I make those points, I want to tell you that in 1986, when the Immigration Control and Reform Act (P.L. 99-603) (IRCA) was passed, it had a provision for employer sanctions in there. Had Congress provided the resources to INS, Border Patrol back then, we wouldn't be having the debates that we are having today. Fast forward to 2006 and the three points that I want to make are that, as my colleague stated, the technology has gotten to the point where we feel very confident that a Social Security card with biometrics and algorithm and all the other things that have been mentioned were included, it would be safe to say--I always hesitate from the law enforcement background that something is counterfeit-proof, but it would be very hard to replicate with the kind of technology that is available today. You need that card that would, in essence, relieve any employer from the responsibility of having to look at and file as many as nine and ten documents, as the I-9 provision currently requires, with the fraud-proof Social Security card. The second point I want to make is that along with that card, you need a system, a system where an employer, once he is presented with that card, can check and verify whether it is the individual. If there is a question, they can ask somebody to come out and check it out or maybe check it out through the computer. Those systems exist today. They are not cheap, but I would say they are a lot cheaper than all of these other proposals that have been--and not as controversial as the ones that have been proposed in the bill that we passed in December, the wall, taking citizenship, all these things that are very contentious. The third point I want to make is that adequate resources must be provided along with it. No system is good if you don't provide the resources for checks. 
You have got to provide the money. You have got to provide the people. Our bill does that. Those are the three basic points I wanted to make. I have a statement that I would like to include into the record, but now, being respectful of your time, I will yield back the balance of my time, subject to any questions you might have for me or for my colleague.

Chairman MCCRERY. Thank you, Mr. Reyes.

[The prepared statement of Mr. Reyes follows:]

Statement of The Honorable Silvestre Reyes, a Representative in Congress from the State of Texas

Good afternoon. I would like to thank Chairman Jim McCrery and Ranking Member Sander Levin for giving me the opportunity to testify before this Subcommittee today about the role a new, improved Social Security card could play in allowing employers to determine whether prospective employees are authorized to work in the United States and, ultimately, in helping to curb illegal immigration.

I believe I come to this hearing with a somewhat unique perspective on this important issue. My district of El Paso, Texas--along with its sister city, Ciudad Juárez, Mexico--comprise the largest metropolitan area on the United States-Mexico border. Also, prior to coming to Congress, I was in the United States Border Patrol for 26 1/2 years. I served as Chief, first in the McAllen sector and subsequently in the El Paso sector from 1984 until my retirement in 1995. I have also done my share of interior immigration enforcement at work sites where undocumented aliens were employed.

As the only Member of Congress with a background in immigration and experience defending our nation's borders, I have firsthand knowledge of what we need to do to reduce illegal immigration and help keep America safe. I have witnessed the difference that strong enforcement of employment laws can make in discouraging attempted illegal entries into the United States.
Furthermore, I believe that a fraud-proof Social Security card, coupled with a computerized employment eligibility verification system and properly enforced employer sanctions, could be a critical part of that effort.

In 1986, Congress passed the Immigration Reform and Control Act, which included new sanctions against employers who hire illegal immigrants. After that law was enacted, in parts of the country such as the border region where those of us in law enforcement had the resources to enforce those sanctions, we saw a significant decrease in the number of people trying to enter the country unlawfully. Clearly, once word got out that employers would not hire illegal immigrants, a major incentive to enter the United States was greatly reduced and attempted entries dropped off considerably.

I have been pleased to work with my friend and colleague from California, Rep. David Dreier, on H.R. 98, the Illegal Immigration Enforcement and Social Security Protection Act of 2005. The bill would substantially expand and improve on the 1986 provisions by enhancing the security of Social Security cards and allowing employers to instantaneously verify a prospective employee's eligibility to work in the United States. The bill would also increase civil and criminal penalties for employers who hire illegal immigrants or fail to verify their employment eligibility.

If properly funded and with appropriate oversight and privacy protections, H.R. 98 would be an important step toward halting the flow of people seeking to enter the United States illegally in order to find employment. By doing so, our immigration and border security personnel will be able to focus more of their time, effort, and resources on those who may be trying to enter the country to do us harm.
As you continue to hold hearings on important Social Security matters, I encourage this Subcommittee to consider how a next-generation Social Security card and employment eligibility system could help address some of the urgent immigration matters we face in this country. Again, thank you for allowing me to testify today, and I look forward to continuing to work with my colleagues on this important issue.

Chairman MCCRERY. Both of your statements will be included in the record. Your written statements will be included in the record in their entirety. Mr. Dreier, you said the employer would either swipe the card or call an 800 number. Explain that. What 800 number would they call?

Mr. DREIER. Basically, what that would mean is that there would be a databank, the information, again, that the government already has, known information. Is someone an American citizen? Are they here on an H-2A visa, which is basically a farmworker visa, some other kind of work permit? They would simply be told yes or no. This person who is applying for a job to work in your company is, in fact, a qualified worker, and----

Chairman MCCRERY. If you are an employer and you call this 800 number, what do you say?

Mr. DREIER. What you do is you provide the information that is there, the SSN, and obviously the goal would be to have a swipe for people so that they would be able to utilize the algorithm strip. There would be a transition period, clearly, through which they would go that would--obviously, a big challenge----

Mr. REYES. Mr. Chairman, if I can just add to that, if you don't mind----

Chairman MCCRERY. Sure.

Mr. REYES. What happens today when you go into a restaurant or you go into a shop and you pay with a credit card, they put it into the system. They swipe it or they insert it in the machine-readable system.
If there is an issue or a problem that they think it may not be you or some other thing, then the merchant will call an 800 number and they will verify the account and all these other things. That is what we have in mind here. Remember, we are talking about employers, employers that are already used to, by and large, as every American is, in utilizing this kind of a system. It won't be exactly a system like the ATM or the credit card system, but it will be similar, with the card sufficing as proof that it is the individual, that it was presented to the employer, and the employer, in fact, verified it. Any other questions in there about that, there is an 800 number. They pick up the phone, they call and they talk to either a call center or a DHS system that would answer any questions and, again, would relieve the employer of the liability because they have gone and made a good faith effort.

Chairman MCCRERY. I was just trying to get to the question of why the need for a tamper-proof card. If all you need is the number and you can call an 800 number, it seems to me you would need the card----

Mr. DREIER. Well, I think as Mr. Reyes says, it really would be designed as a back-up to deal with----

Chairman MCCRERY. With questions?

Mr. DREIER. --because the goal is to really utilize this algorithm strip that is there that is----

Chairman MCCRERY. Yes.

Mr. DREIER. --again, and I think that Silver is right on target when he says that the notion of saying that something is 100 percent absolutely counterfeit-proof is a bit of a stretch, but there has been no attempt since 1935 to really move the Social Security card itself into the modern era, and I think that we ought to at least engage in the fight, trying to put into place the most technologically advanced mechanism we possibly can to deal with this.

Chairman MCCRERY. Would you put a picture on the----

Mr. DREIER. Yes, it has a photograph on it.

Chairman MCCRERY. It has a photograph on the card, so that would be----

Mr.
DREIER. When a person becomes of working age--I know that some people have raised this question, well, would you put the baby picture on, because people get their Social Security card. It is when in their State they would become of working age that the photo-embedded item would be provided on there.

Chairman MCCRERY. Okay. Mr. Levin?

Mr. LEVIN. I am tempted to ask a question, but I think it involves larger issues. For example, what would happen to the people of working age, the 12 million who are here now illegally?

Mr. DREIER. Well, I am happy to answer that question. I think that part of the goal here is that since we are focusing on this question, if 98 percent of the people who come here illegally are coming to get a job, and with a tamper-proof, smart, counterfeit-proof, whatever you want to call it, Social Security card, they can't get a job, my sense is that many of them might choose to return to a country of origin. I am not saying that absolutely everyone, but I am convinced that would go a long way toward dealing with this overall sweeping problem that we are dealing with of our border security and the problem of illegal immigration.

Mr. LEVIN. I guess my question does open up a larger issue, so we will leave it for another day since the Senate is kind of monopolizing discussion at the moment.

Mr. DREIER. That is why we should weigh in over here a little bit this week on it.

Mr. LEVIN. Okay. Thank you.

Chairman MCCRERY. Well, obviously, if we went to a guest worker program of some sort, then that would facilitate getting something like this----

Mr. DREIER. Oh, absolutely.

Chairman MCCRERY. --that could be used for----

Mr. DREIER. I will say that I believe that as we do this, it is imperative that we have a responsible, non-amnesty-granting temporary worker program that does go hand-in-hand with this so that we can meet the economic demand that exists in this country and then tackle the question that you correctly raise.

Mr. REYES.
If I can just----

Chairman MCCRERY. Please.

Mr. REYES. We come together on offering this as one part of the solution, but I do believe that we have got to have comprehensive immigration reform. We have got to have secure borders. We have got to have a guest worker program, which this would fit in with. Then you have got to take care of, as Congressman Levin said, you have got to take care of those people that have been in this country, paying their taxes, being part of our community. That is what I think would be a realistic way to implement this.

What this does is it becomes part of the mechanism of making sure that we don't have the magnet--I can tell you from personal experience, after IRCA, we saw a dramatic downturn in attempted illegal entries for about 3 years. Some areas of our border--I was chief in McAllen at the time with Border Patrol--some areas of our border saw a decline in attempted entries into this country of as much as 80 percent. The reason for that was the publicity that was generated that, for the first time, there were employer sanctions in place. You would not be able to get a job. The attraction of undergoing that arduous trip through the border and trying to get a job somewhere in this country was gone.

It wasn't until about 3 years into the program that people started realizing, well, Congress didn't allot the personnel to check, so my uncle or my cousin or my friend said that if you can make it to Denver, you can still get a job. Even though it had the requirements of the I-9, there were no teeth in the law. I think that this on its own probably is not the whole solution, but it gets us part of the way, and then comprehensive immigration reform, I think would take us the rest of the way.

Mr. DREIER. Mr. Chairman, what this really does is, again, as we look at this question, why is it that people come into this country illegally, they come seeking a job.
People use a Social Security card, often a fraudulent one, to get a job and this is the way to end that demand side, the magnet that draws them in, by having a structure in place like this. I agree that, overall, this is not the panacea, but I think that this will go an awful long way toward addressing this issue.

Chairman MCCRERY. Mr. Johnson?

Mr. JOHNSON. Thank you, Mr. Chairman. I am wondering how easy it is to duplicate a card like that.

Mr. DREIER. It is a great question, Sam, and I will tell you that one of the things that we have done is we have said that nothing has been done since 1935.

Mr. JOHNSON. Right.

Mr. DREIER. I believe that with the technological advances that are made, that it would be, I hope, impossible to duplicate it. There are no guarantees, but we should do every single thing within our power to, after these many decades having done nothing, use the technology that we have today to ensure that it is as tamper-proof, as smart, as counterfeit-proof as we possibly can.

Mr. JOHNSON. I couldn't agree with you more. What kind of upgrade are you going to have to have to get--business offices don't have the ability to scan cards, a lot of them.

Mr. DREIER. Well, that is a great question, and obviously this is something that would have to be phased in over a period of time. At the end of the day, I think that it would be easier on businesses because of the fact that they don't have to look at these 94 different combinations of documents, and I am, frankly, offended by a lot of this stuff where you would ask one person whether or not they are an American citizen and not another person based in the way someone might look. I am very offended by that. I think that the existence of this card will go a long way toward helping that. Obviously, we will have to deal with businesses as they look at the challenge of having the equipment----

Mr. JOHNSON. Yes, there is going to be a cost involved.
You are from California, and you have got a lot of agricultural migrant workers out there. How are you going to get them a card?

Mr. DREIER. You know what? The fact----

Mr. JOHNSON. Are we going to--let me rephrase it a little bit.

Mr. DREIER. Sure.

Mr. JOHNSON. Guys that come across legally for migrant work, are we going to give them some kind of an identification?

Mr. DREIER. Well, see, what they would have on this is they would, within the database, it would be stated that they are here, if it is an H-2A visa or any kind of work permit, that would mean that they are a qualified worker by virtue of it. If we do end up with some kind of responsible non-amnesty-granting temporary worker program, someone who is here under that would be able to have this card for those purposes. If someone is here illegally and they don't have a card and they are hired, then that employer would be subjected to a, as I said, a 400-percent increase in the fine, 5 years in prison, and we hire 10,000 enforcement agents to make sure that this is enforced, which gets back to Silver's point, which is a very important one. If you look at IRCA, we coupled amnesty with sanctions and unenforced sanctions is what ended up once again reigniting this flow of people in illegally----

Mr. JOHNSON. Well, that is what I was about to say. If you depend on the employer, they are not going to do it.

Mr. DREIER. Exactly.

Mr. JOHNSON. Thank you, Mr. Chairman.

Mr. DREIER. I will say that I didn't believe that the employer should be turned into a Border Patrol agent.

Mr. JOHNSON. I agree.

Mr. DREIER. That is one of the concerns that I have, and I know we share that. I voted against the--I was here in 1986 and voted against IRCA for that reason.

Mr. JOHNSON. Thank you.

Chairman MCCRERY. Thank you, Mr. Johnson. Mr. Becerra?

Mr. BECERRA. Thank you to the two of you for being here and making your presentation. It is rather interesting.
We are about to have witnesses who will come and give us testimony on the Social Security card, the use of the number, and so forth, and we have had over the course of actually the last few years a number of hearings. Last session, we passed out, without a single ``no'' vote, legislation by Representative Shaw to actually restrict the use of the SSN. It is interesting, because your proposal would make it the universal identifier and we are about to hear from witnesses who are going to tell us why there are problems in allowing the number to be more universally available.

It is a fascinating discussion. We need to figure out a way to be able to identify folks. Right now, the SSA would tell you, if they were here to testify, that just by having a number, we can't tell you, or they can't tell us if that individual is a citizen----

Mr. DREIER. Absolutely.

Mr. BECERRA. --or not. They may or may not be able to tell us whether that person is here legally. You would have to do a lot of work before you could get the SSN to become a national identification number.

Mr. DREIER. Well, we don't want it to be that, though. We don't want it to be a national ID card. In fact, as I said, we actually have on this card that it is not a national ID card and it is used only for Social Security purposes and when applying for a new job.

Mr. BECERRA. Okay, so then, Mr. Chairman, let me ask you this. What are you going to tell all the credit bureaus, the banks, all the folks, all the industries that currently use the SSN--hospitals used to use them publicly as the patient identification number--what do you tell all those industries that are telling us right now, you can't do more to restrict our utilization of the number because that has become our universal identifier within our industry?

Mr. DREIER. You see, that is up to them. What I have said is a national ID card, getting on board an airplane, utilizing it for a Federal purpose, which is really what we are in the business of doing.
The way some private entity or a State or local entity handles the use of this number and card is their business----

Mr. BECERRA. Would you prohibit the use for any other purposes?

Mr. DREIER. Yes, I am not saying--I am not saying that it can't be used, because I don't want to in any way restrict the SSN from being utilized for purposes that we determine are necessary. All I am saying is that I don't want the use of a smart, counterfeit-proof Social Security card to be misinterpreted as some sort of national identification card. That is all I am arguing.

Mr. BECERRA. The thing there, David, is if indeed it is a strong identifier that has good firewalls from abuse, then it is going to become a great identifier for a lot of other folks, as well. If it works well for identifying whether or not you are entitled to work in this country, someone is going to say, well, it is probably going to work well to identify whether or not you have got good credit or whether or not we should offer you this mortgage. I think we have to be very careful. Unless you prohibit its use for other purposes----

Mr. DREIER. I think that is something we might consider looking at, if you want to.

Mr. REYES. If I can say something, currently--I just became a grandfather for the third time. When your baby is born, he or she gets a Social Security card.

Mr. BECERRA. Yes.

Mr. REYES. When you volunteer for the Army or the Navy, the Marine Corps, the Air Force, your Social Security card becomes your identifier. When I was drafted, I was given a number, RN-18746717. You never forget that. Today's service people use that Social Security card for those purposes. I don't know that--and maybe David has given it more thought, but I haven't given it a lot of thought in terms of why you would want to preclude or limit somebody's ability to use the SSN when I know----

Mr. BECERRA.
If you were to stay a little longer, you would hear testimony by someone who actually had her SSN misused for identity purposes----

Mr. REYES. See, even in this system, I think here is what is important about having the system. I made the three points. The system would tell you if somebody else is using the same number, because in today's technology, the availability--if somebody presents--say, for instance, somebody came up with a system of----

Mr. BECERRA. Yes, but by then, it is too late----

Mr. REYES. No----

Mr. BECERRA. --for the person who had his or her identity stolen.

Mr. REYES. The point is, it will raise an alert when that card is presented. It is like--and I don't know how they work currently on use of credit cards, but I know that occasionally when I give a credit card, especially when you travel out of the country, they will ask for identification. My wife will get a call at home and say, this purchase was made in London or whatever. We want to make sure that you or your husband is comfortable that one of you is in London. The technology exists that would be able to tell the system that the SSN that was presented in Peoria, Illinois, all of a sudden a week later was presented in Los Angeles and maybe within 72 hours was presented within Miami, so that tells you that number has been compromised somehow and the system alerts DHS and they would check all three people that presented that card.

Mr. DREIER. Which one of the two of you is making all those purchases, too.

Mr. REYES. Yes.

Mr. BECERRA. Thank you, Mr. Chairman. Thank you, gentlemen.

Chairman MCCRERY. Mr. Brady?

Mr. BRADY. Thank you, Mr. Chairman, and David and Grandpa Reyes, it is good to have you here today. I think Xavier's comment about SSNs, one of the issues we are struggling with is our SSN system already so compromised that we can never really bring integrity to the system.
Your point is that if Social Security is going to be a key employer verification in this whole immigration-Border Security debate, make it counterfeit-proof. Here is the way to do it. I think, in the end, the question of whether we will have a counterfeit or attempt to create a counterfeit Social Security document, it isn't a matter of if we do but when and how we do it, how we structure it, and I know that I supported the House bill on border security that passed earlier, or late last year, but I know that today, if we had to rely on the Social Security system to verify workers in this country, either new or existing, the system would simply crater. It doesn't have the integrity, the resources, the technology to do that, so I just appreciate you bringing a bipartisan idea to the table and I appreciate you, Chairman, letting us hear what some of our Members who are giving this issue some thought a chance to talk to us about that. I don't really have any questions. Thanks for giving this a thoughtful----

Mr. DREIER. Let me just thank you very much for that, Kevin, and say that I believe that we are in a position where this can go a long way toward addressing those identity issues, which Xavier correctly raised, dealing with the question that Sandy raised as to exactly what happens to the people who are here, and tackles this whole issue of the credibility of Social Security and the utilization of the number itself as we head to the future.

I had a conversation yesterday with a number of Senators about this. They are in the midst of their debate on this, and I should say that this provision is actually included in one of the Senate bills that has been introduced. John Cornyn and Jon Kyl have introduced legislation that actually includes H.R. 98 as an important component of it.
It is my hope that we will be able to see this move as expeditiously as possible through so that we can include this as part of a comprehensive package, and I certainly leave it up to you all to demonstrate for us what the best approach is.

Chairman MCCRERY. Thank you, Mr. Brady. Mr. Dreier, Mr. Reyes, thank you very much for being with us----

Mr. DREIER. Thank you very much for having us.

Chairman MCCRERY. --and for showing up today and sharing with us your thoughts.

Mr. DREIER. Thanks, Mr. Chairman.

Chairman MCCRERY. Our next panel is composed of two witnesses, Ms. Cynthia Fagnoni, Managing Director of Education, Workforce, and Income Security, United States GAO, and Joel Winston, the Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission. Your written testimony will be included in the record in its entirety and we would like for you to try to summarize your written testimony in about 5 minutes, and Ms. Fagnoni, we will begin with you. Welcome.

STATEMENT OF CYNTHIA M. FAGNONI, MANAGING DIRECTOR, EDUCATION, WORKFORCE, AND INCOME SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Ms. FAGNONI. Thank you. Thank you, Mr. Chairman, Mr. Levin, and Members of the Subcommittee. I am pleased to be here this afternoon to discuss ways to better protect the SSN. Although the SSN was originally created as a means of tracking workers' earnings and eligibility for Social Security benefits, today, the number is used for many non-Social Security purposes. The wide use of the SSN is significant because once it is obtained fraudulently, it can be used to create false identities for financial misuse, to falsely obtain credit, or to assume another person's identity.

Today, I would like to discuss the use of SSNs by government agencies and certain private sector entities, Federal laws that regulate the use and disclosure of SSNs, and gaps that remain in protecting the SSN and what more could be done.
My testimony is based on reports GAO has issued over the last several years, many of them completed at the request of this Subcommittee.

First, let me begin with the widespread use of SSNs by both the public and private sectors. Federal, State, and county government agencies rely extensively on the SSN to maintain records with unique identifiers and ensure program integrity. Last year, we reported that SSNs are available in a variety of public records held by States, local jurisdictions, and courts, public records or documents routinely made available to the public for inspection, such as marriage licenses and property transactions. We also reported that information resellers, consumer reporting agencies, and health care organizations use SSNs for a variety of purposes, including verifying a person's identity or matching existing records. Earlier this year, we reported that banks, security firms, telecommunications companies, and tax preparation companies routinely obtain SSNs from their customers for authentication and verification purposes and sometimes share SSNs with their contractors for limited purposes, such as identification requirements, debt collection, and data storage.

Regarding the laws, although Federal and State laws have been enacted to restrict the use and disclosure of consumers' personal information, including SSNs, no one law comprehensively regulates the SSN use and protections. Moreover, many of the laws enacted are industry-specific and do not apply broadly. Several States have enacted laws to restrict the use and display of SSNs. California, for example, has enacted such a law. Thirteen other States now have passed laws similar to California's. Four States--California, Georgia, Nevada, and New York--require notification of security breaches, another example. As a result of such State restrictions, some companies now notify customers of security breaches regardless of where they happen in the country.
Although Congress and State legislatures have enacted laws that help to restrict SSN display and protect an individual's personal information, we have found gaps in the protection of SSNs. We have reported that government agencies at all levels lack the uniform approach to ensuring the security of the SSN. In addition, we found that gaps exist in the Federal law and oversight of different industries that share SSNs with their contractors. SSNs also continue to be exposed on government-issued ID cards. Finally, few restrictions are placed on information resellers to obtain and resell SSNs in the course of their business.

GAO has made a number of recommendations in proposed matters for Congressional consideration to address these gaps. We propose that Congress pull together a representative group of Federal, State, and local officials to develop a unified approach to safeguarding SSNs used at all levels of government. We also recommended that OMB advise all levels of government of the applicability of the Privacy Act (P.L. 93-579) and develop a government-wide policy to ensure a consistent approach for displaying SSNs on ID cards. Regarding the private sector, we have recommended that Congress consider possible options for addressing the gaps in the existing Federal requirements for safeguarding SSNs shared with contractors. We continue to focus on SSN issues, identify gaps, and will continue to recommend possible solutions, where appropriate.

Mr. Chairman, this completes my oral statement. I would be happy to answer any questions you or other Members of the Subcommittee may have. Thank you.

[The prepared statement of Ms. Fagnoni follows:]

Statement of Cynthia M. Fagnoni, Managing Director, Education, Workforce, and Income Security, U.S. Government Accountability Office

Mr. Chairman and Members of the Committees:

I am pleased to be here today to discuss ways to better protect the Social Security Number (SSN).
The SSN was created as a means to track workers' earnings and eligibility for Social Security benefits. However, the SSN has evolved beyond its original intended purpose and has become the identifier of choice for public and private sector entities, and is used for numerous non-Social Security purposes. This is significant because SSNs, along with a name and date of birth, are the pieces of information most often sought by identity thieves. Once an SSN is obtained fraudulently, it can then be used to create false identities for financial misuse, assuming another individual's identity, fraudulently obtaining credit, violating immigration laws, or fleeing the criminal justice system.

Recent statistics suggest that the incidence of identity theft is rapidly growing. The Federal Trade Commission (FTC) estimated that over a 1-year period nearly 10 million people--or 4.6 percent of the adult U.S. population--discovered that they were victims of some form of identity theft, translating into estimated losses exceeding $50 billion. FTC also reported that most victims of identity theft do not report the crime, and, therefore, the total number of identity theft incidences is unknown.

Over the last few years Congress and some states have recognized the importance of restricting the use and display of SSNs by both public and private sectors. As a result, federal and state laws have begun to be enacted that to some degree protect individuals' personal information, including SSNs. GAO has issued a number of reports and testified before this Subcommittee about the various aspects of SSN use in both the public and private sectors. (See related GAO products at the end of this testimony.) Accordingly, you asked us to speak about some of our findings regarding SSN use and protections.
My remarks today will focus on (1) the use of SSNs by government agencies and certain private sector entities, (2) the federal laws that regulate the use and disclosure of SSNs, and (3) the gaps that remain in protecting the SSN and what more could be done.

In summary, SSN use is widespread by both the public and private sectors. Agencies at all levels of government frequently collect and use SSNs to administer their programs, verify applicants' eligibility for services and benefits, and perform research and evaluations of their programs. In addition, SSNs are available in a variety of public records held by states, local jurisdictions, and courts, appearing in records that document common life events and transactions, such as marriages and home purchases. Certain private sector entities also use SSNs. Information resellers, credit reporting agencies (CRAs), and health care organizations routinely obtain SSNs from various public and private sources, and use SSNs for various purposes, such as to build tools that verify an individual's identity or match existing records. In addition, private sector entities that engage in third party contracting sometimes share SSNs with their contractors for limited purposes.

There is no one law that comprehensively regulates SSN use and protections. However, certain federal laws have been enacted to restrict the use and disclosure of consumers' personal information, including SSNs, but these laws tend to be industry-specific and do not apply broadly. In addition, certain states had begun to enact their own legislation restricting the use and display of SSNs by public and private sector entities, which has subsequently led other states to start enacting similar regulation. Finally, Congress is currently considering several proposals to restrict SSN use and display, similar to state legislation.

Although some action has been taken at the federal and state level to protect SSNs, more could be done.
In our prior work, we found gaps in the practices for protecting SSNs by government agencies and across industry sectors. As a result, we made recommendations to federal agencies to address the issues we found and proposed matters for Congress to consider. For example, we found that certain measures that could help protect SSNs are not uniformly in place at all levels of government. In addition, there are gaps in the federal law and oversight in different industries that share SSNs with their contractors, and there are few restrictions placed on certain entities' abilities to obtain and use SSNs in the course of their business. Finally, SSNs are widely exposed in a variety of public records and are still subject to exposure on identity cards issued under federal auspices.

To address some of these issues, we made recommendations and proposed matters for congressional consideration. For example, to address gaps in the government uses of SSNs and the exposure of SSNs in public records and on identification cards, we advised Congress to convene a group of government officials to develop a unified approach to safeguarding SSNs. To address the gaps in federal laws that would apply to industries that share SSNs with their contractors, we recommended Congress consider options to restrict the use and display of SSNs to third party contractors.

Background

The Social Security Act of 1935 authorized the Social Security Administration (SSA) to establish a record-keeping system to manage the Social Security program, which resulted in the creation of the SSN.\1\ Through a process known as ``enumeration,'' unique numbers are created for every person as a work and retirement benefit record. Today, SSA issues SSNs to most U.S. citizens, but they are also available to non-citizens lawfully admitted to the United States with permission to work.
Lawfully admitted noncitizens may also qualify for a SSN for nonwork purposes when a federal, state, or local law requires that they have a SSN to obtain a particular welfare benefit or service. SSA staff collect and verify information from such applicants regarding their age, identity, citizenship, and immigration status.

---------------------------------------------------------------------------
\1\ The Social Security Act of 1935 created the Social Security Board, which was renamed the Social Security Administration in 1946.
---------------------------------------------------------------------------

With the enhancement of computer technologies in recent years, private sector businesses are increasingly computerizing their records; as a result, these enhancements have spawned new business activities involving the aggregation of personal information. Information resellers, sometimes referred to as information brokers, are businesses that specialize in amassing consumer information including SSNs for informational services. They may provide their services to a variety of customers, either to specific business clients or through the Internet to anyone willing to pay a fee. Consumer reporting agencies, also known as credit bureaus, are agencies that collect and sell information about the creditworthiness of individuals. CRAs collect information that is considered relevant to a person's credit history, and obtain SSNs from their customers or businesses that furnish data to them, as well as from private and public sources. Organizations that provide health care services also commonly use consumers' SSNs. They obtain SSNs from individuals themselves and companies that offer health care plans.

In recent years, companies have increasingly relied on the use of contractors to perform certain activities and functions related to their business operations. This trend has often been referred to as outsourcing.
However, no commonly recognized definition of outsourcing exists, and there has been confusion over whether it encompasses only activities a company performed in-house or includes any activity a company may contract out. According to outsourcing experts, approximately 90 percent of businesses contract out some activity because they find either it is more economical to do so or other companies are better able to perform these activities. Some of the activities companies outsource will require that contractors be provided personal information about the companies' customers in order to perform those activities; in some cases, this information includes SSNs.

Due to the pervasive use of SSNs, individuals are routinely asked to disclose their SSNs, along with other personal identifying information, for numerous purposes. In some instances where individuals provide their SSNs to government entities, documents containing the SSN are routinely made available to the public for inspection. The widespread disclosure of SSNs in public records has raised concern because it can put individuals at increased risk of identity theft. In addition, given the explosion in Internet use and the ease with which personally identifiable information is accessible, individuals looking to steal someone's identity are increasingly able to do so. According to FTC, it receives roughly 15,000 to 20,000 contacts per week on its hotline and Web site, or through the mail from victims and consumers who want to avoid becoming victims.

Both Government and Private Sector Entities Collect and Use SSNs for a Variety of Purposes

Government entities are generally required by law to collect SSNs to determine individuals' eligibility for services and benefits. SSNs are also widely available in public records maintained by state and local governments and the courts.
Certain private sector entities, such as information resellers, CRAs, and healthcare organizations obtain SSNs from public and private sources, or directly from their customers, and use them for various purposes. In addition, banks, securities firms, telecommunication firms, and tax preparers engage in third party contracting and sometimes share SSNs with their contractors for limited purposes.

Government Entities Are Required by Laws and Regulations to Collect SSNs, and Use Them for Various Purposes

As required by a number of federal laws and regulations, agencies at all levels of government frequently collect and use SSNs to administer their programs, to link data for verifying applicants' eligibility for services and benefits, and to conduct program evaluations.\2\ For example, the Personal Responsibility and Work Opportunity Act of 1996 mandates that, among other things, states have laws in place to require the collection of SSNs on driver's license applications. Such laws and regulations have contributed to the widespread use of SSNs by government agencies, because the SSN serves as a unique identifier.

---------------------------------------------------------------------------
\2\ GAO, Social Security: Government and Commercial Use of the Social Security Number Is Widespread, GAO/HEHS-99-28 (Washington, D.C.: February 16, 1999) and GAO, Social Security Numbers: Government Benefits from SSN Use, but Could Provide Better Safeguards, GAO-02-352 (Washington, D.C.: May 31, 2002).
---------------------------------------------------------------------------

Government agencies use SSNs for a variety of purposes. We have found that agencies typically used SSNs to manage their records and to facilitate data sharing to verify an applicant's eligibility for services and benefits.\3\ For example, agencies use SSNs

    for internal administrative purposes, which included activities such as identifying, retrieving, and updating records;

    to collect debts owed the government and conduct or support research and evaluations as well as using employees' SSNs for activities such as payroll, wage reporting, and providing employee benefits;

    to ensure program integrity, such as matching records with state and local correctional facilities to identify individuals for whom the agency should terminate benefit payments; and

    for statistics, research, and evaluation.\4\

---------------------------------------------------------------------------
\3\ GAO-02-352.
\4\ The Bureau of the Census is authorized by statute to collect a variety of information and is prohibited from making it available, except in certain circumstances.
---------------------------------------------------------------------------

SSNs Are Widely Available in Public Records Held by States, Local Jurisdictions, and Courts, but Many of These Agencies Are Taking Steps to Limit Display

SSNs are publicly available throughout the United States, primarily at the state and local levels of government.\5\ Based on a survey of federal, state, and local governments, we reported in 2004 that state agencies in 41 states and the District of Columbia were displaying SSNs in public records; this was also true in 75 percent of U.S. counties.\6\ We also found that while the number and type of records in which SSNs were displayed varied greatly across states and counties, SSNs were most often found in court and property records.

---------------------------------------------------------------------------
\5\ Not all records held by government or public agents are ``public'' in terms of their availability to any inquiring person. For example, adoption records are generally sealed. Personnel records are often not readily available to the public, although newspapers may publish the salaries of high, elected officials. There is no common definition of public records. However, we define public records as those records generally made available to the public for inspection in their entirety by a federal, state, or local government agency. Such documents are typically accessed in a public reading room, clerk's office, or on the Internet.
\6\ GAO, Social Security Numbers: Governments Could Do More To Reduce Display in Public Records and on Identity Cards, GAO-05-59 (Washington, D.C.: November 9, 2004).
---------------------------------------------------------------------------

Public records displaying SSNs are stored in multiple formats that vary by different levels of government. State government offices tended to store such records electronically, while most local government records were stored on microfiche or microfilm. However, our survey found that public access to such records was often limited to inspection of the individual paper copy or request by mail.\7\

---------------------------------------------------------------------------
\7\ GAO-05-59
---------------------------------------------------------------------------

We found that few state agencies make public records available on the Internet, although some do so. However, few state or local offices reported any plans to significantly expand Internet access to public records that display SSNs. Based on our survey results, only four state agencies indicated plans to make such records available on the Internet, and one agency planned to remove records displaying SSNs from Internet access.

Private Sector Entities Obtain SSNs from Public and Private Sources and Use Them for Various Purposes

Private sector entities such as information resellers, CRAs, and health care organizations generally obtain SSNs from various public and private sources.
Large or well known information resellers have told us they obtain SSNs from various public records, such as records of bankruptcies, tax liens, civil judgments, criminal histories, deaths, real estate transactions, voter registrations, and professional licenses. They also said that they sometimes obtain batch files of electronic copies of jurisdictional public records where available. However, some reseller officials said they are more likely to rely on SSNs obtained directly from their clients, who would voluntarily provide such information for a specific service or product, than those found in public records.\8\

---------------------------------------------------------------------------
\8\ GAO, Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, GAO-04-11 (Washington, D.C.: January 22, 2004).
---------------------------------------------------------------------------

Like information resellers, CRAs also obtain SSNs from public and private sources. CRA officials have told us that they obtained SSNs from public sources, such as bankruptcy records. We also found that these companies obtained SSNs from other information resellers, especially those that specialized in obtaining information from public records. However, CRAs are more likely to obtain SSNs from businesses that subscribe to their services, such as banks, insurance companies, mortgage companies, debt collection agencies, child support enforcement agencies, credit grantors, and employment screening companies. Therefore, individuals who provide these businesses with their SSNs for reasons such as applying for credit would subsequently have their charges and payment transactions, accompanied by the SSN, reported to the CRAs.

Health care organizations, including health care insurance plans and providers, are less likely to obtain SSN data from public sources.
Health care organizations typically obtained SSNs either from individuals themselves or from companies that offer health care plans. For example, subscribers or policyholders enrolled in a health care plan provide their SSN as part of their health care plan application to their company or employer group. In addition to health care plans, health care organizations also included health care providers, such as hospitals. Such entities often collected SSNs as part of the process of obtaining information on insured people. However, health care provider officials told us that, particularly with hospitals, the medical record number is the primary identifier, rather than the SSN. We found that the primary use of the SSN by information resellers, CRAs, and health care organizations alike was to help verify the identity of an individual. Large information resellers said they generally use the SSN as an identity verification tool. They also use it for internal matching purposes of its databases, as a factor in identifying individuals for their product reports, or for conducting investigations for their clients for resident screening or employment screening. CRAs use SSNs as the primary identifier of individuals that enables them to match the information they receive from their business clients with information stored in their databases on individuals. Because these companies have various commercial, financial, and government agencies furnishing data to them, the SSN is the primary factor that ensures that incoming data is matched correctly with an individual's information on file. We found that in some cases CRAs and information resellers can sometimes be the same entity, a fact that blurs the distinction between the two types of businesses but does not affect the use of SSNs by these entities. Finally, health care organizations also use the SSN to help verify the identity of individuals. 
These organizations use SSNs, along with other information such as name, address, and date of birth, as a factor in determining a member's identity.

Private sector companies also share customers' SSNs with their contractors. Banks, investment firms, telecommunication companies, and tax preparation companies we interviewed routinely obtain SSNs from their customers for authentication and identification purposes.\9\ All these companies contracted out various services, such as data processing, administrative, and customer service functions. Although these companies may share consumer information, such as SSNs, with contractors that provide services to their customers, company officials said that they only share such information with their contractors for limited purposes, generally when it is necessary or unavoidable.

---------------------------------------------------------------------------
\9\ GAO, Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs, GAO-06-238 (Washington, D.C.: January 23, 2006).
---------------------------------------------------------------------------

The companies we contacted provided us with standard contract forms they use in contracting with service providers to safeguard customers' personal information, such as SSNs, from misuse.\10\ In general, the types of provisions these companies included in their standard contract forms included electronic and physical data protections, audit rights, data breach notifications, subcontractor restrictions, and data handling and disposal requirements. We found that most of the companies we interviewed had established some type of due diligence or credentialing process to verify the reliability of potential contractors prior to and during contract negotiations. Furthermore, we found that some industry associations have voluntarily developed guidance for their members regarding the sharing of personal information with third parties.

---------------------------------------------------------------------------
\10\ GAO-06-238
---------------------------------------------------------------------------

No Single Law Governs the Use and Disclosure of SSNs Although Various Laws Have Been Enacted That Help Protect SSNs

Although no single law comprehensively governs the use and disclosure of SSNs, certain federal laws restrict the use and disclosure of personal information, including SSNs, by government agencies or private sector entities. These laws, however, tend to be directed at specific industries or governmental agencies and often do not apply broadly across public and private sectors or across private sector industries. For example, the overall use and disclosure of SSNs by the federal government is restricted under the Privacy Act, which, broadly speaking, seeks to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy. The Privacy Act requires that any federal, state, or local government agency, when requesting an SSN from an individual, tell individuals whether disclosing their SSN is mandatory or voluntary, cite the statutory or other authority under which the request is being made, and state what uses it will make of the individual's SSN.

Other federal laws have also placed restrictions on private sector entities' use and disclosure of consumers' personal information, including SSNs. These include the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transaction Act (FACTA), the Gramm-Leach-Bliley Act (GLBA), the Drivers Privacy Protection Act (DPPA), and the Health Insurance Portability and Accountability Act (HIPAA). As shown in table 1, some of these federal laws either restrict certain private sector entities from disclosing personally identifiable information to specific purposes or with whom the information is shared.
In addition, certain industries, such as the financial services industry, are required to protect individuals' personal information to a greater degree than entities in other industries.

Table 1: Aspects of Federal Laws That Affect Private Sector Disclosure of Personal Information

------------------------------------------------------------------------
Federal Laws                          Restrictions
------------------------------------------------------------------------
Fair Credit Reporting Act             Limits access to credit data that
                                      includes SSNs to those who have a
                                      permissible purpose under the law.
------------------------------------------------------------------------
Fair and Accurate Credit              Amends FCRA to allow, among other
Transactions Act                      things, consumers who request a
                                      copy of their credit report to
                                      also request that the first 5
                                      digits of their SSN (or similar
                                      identification number) not be
                                      included in the file; requires
                                      consumer reporting agencies and
                                      any business that use a consumer
                                      report to adopt procedures for
                                      proper disposal.
------------------------------------------------------------------------
Gramm-Leach-Bliley Act                Creates a new definition of
                                      personal information that includes
                                      SSNs and limits when financial
                                      institutions may disclose the
                                      information to nonaffiliated third
                                      parties.
------------------------------------------------------------------------
Health Insurance Portability and      Protects the privacy of health
Accountability Act                    information that identifies an
                                      individual and restricts health
                                      care organizations from disclosing
                                      such information to others without
                                      the patient's consent.
------------------------------------------------------------------------
Source: GAO analysis

Congress has also introduced a federal statute that criminalizes fraud in connection with the unlawful theft and misuse of personal identifiable information. In 1998, Congress enacted the Identity Theft and Assumption Deterrence Act (Identity Theft Act).
The act made it a criminal offense for a person to ``knowingly transfer, possess, or use without lawful authority,'' another person's means of identification ``with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable state or local law.'' Under the act, a name or Social Security number is considered a ``means of identification'' and a number of cases have been prosecuted under this law.

Many states have begun to enact laws to restrict the use and display of SSNs. (See appendix 1 for a listing of state laws previously reported by GAO.) After one state took action, other states followed in enacting similar laws. For example, in 2001, California enacted a law restricting the use and display of SSNs, which generally prohibited companies and persons from engaging in certain activities, such as posting or publicly displaying SSNs, or requiring people to transmit an SSN over the Internet unless the connection is secure or the number is encrypted. In addition, California enacted a law containing notification requirements in the event of a security breach where a business or a California state agency is required to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Subsequently, other states have enacted laws restricting the use and display of SSNs. Specifically, in our prior work, we identified 13 other states--Arizona, Arkansas, Connecticut, Georgia, Illinois, Maryland, Michigan, Minnesota, Missouri, Oklahoma, Texas, Utah, and Virginia--that have each passed laws similar to California's.\11\ While some states, such as Arizona, have enacted virtually identical SSN use and display restrictions, other states have modified the restrictions in various ways.
For example, unlike the California law, which prohibits the use of the full SSN, the Michigan statute prohibits the use of more than four sequential digits of the SSN. The Michigan law also contains a prohibition against the use of SSNs on identification and membership cards, permits, and licenses. Missouri's law includes a prohibition against requiring an individual to use his or her SSN as an employee number. Oklahoma's law is unique in that it only limits the ways in which employers may use their employees' SSNs, and does not apply more generally to other types of transactions and activities.

---------------------------------------------------------------------------
\11\ See Arkansas (Ark. Code Ann. 4-86-107 (2005)); Arizona (Ariz. Rev. Stat. 44-1373 (2004)); Connecticut (Conn. Gen. Stat. 42-470 (2003)); Georgia (Ga. Code Ann. 33-24-57.1 (2003)); Illinois (815 Ill. Comp. Stat. 505/2QQ (2004)); Maryland (Md. Code Ann., Com. Law 14-3301 et seq. (2005)); Michigan (Mich. Comp. Laws 445.81 et seq. (2004)); Minnesota (Minn. Stat. 325E.59 (2005)); Missouri (Mo. Rev. Stat. 407.1355 (2003)); Oklahoma (Okla. Stat. tit. 40, 173.1 (2004)); Texas (Tex. Bus. & Com. Code Ann. 35.58 (2003)); Utah (Utah Code Ann. 31A-21-110 (2004)); and Virginia (Va. Code Ann. 59.1-443.2 (2005)).
---------------------------------------------------------------------------

Some states have recently enacted other types of restrictions on the uses of SSNs as well. Arkansas, Colorado, and Wisconsin limit the use of a student's SSN as a student identification number.\12\ New Mexico requires businesses that have acquired consumer SSNs to adopt internal policies to limit access to authorized employees.\13\ Texas recently enacted a law requiring businesses to properly dispose of business records that contain a customer's personal identifying information, which is defined to include SSNs.\14\

---------------------------------------------------------------------------
\12\ Ark. Code Ann. 6-18-208 (2005); Colo. Rev. Stat. 23-5-127 (2003); and Wis. Stat. 36.32 (2001).
\13\ N.M. Stat. Ann. 57-12B-1 et seq. (2003).
\14\ Tex. Bus. & Com. Code Ann. 35.48 (2005).
---------------------------------------------------------------------------

Other recent state legislation includes new restrictions on state and local government agencies. For example, South Dakota law prohibits the display of SSNs on all driver's licenses and nondriver's identification cards,\15\ while Indiana law generally prohibits a state agency from releasing a SSN unless otherwise required by law.\16\ In addition, as of January 1, 2007, a Nevada law will require governmental agencies, except in certain circumstances, to ensure that the SSNs recorded in their books and on their records are maintained in a confidential manner.\17\

---------------------------------------------------------------------------
\15\ S.D. Codified Laws 32-12-17.13 (2005).
\16\ Ind. Code 4-1-10-1 et seq. (2005).
\17\ Nev. Rev. Stat. 239.030 (2005).
---------------------------------------------------------------------------

We also identified four states that have passed legislation containing notification requirements in the event of a security breach. For example, New York recently enacted a law requiring such notifications.\18\ California requires a business or a California state agency to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.\19\ In the last year, this law forced several large companies to notify individuals that their information was compromised because of certain circumstances.
Under a Nevada law, government agencies and certain persons who do business in the state must notify individuals if their personal information is reasonably believed to have been compromised.\20\ Similarly, Georgia requires certain private sector entities to notify their customers if a security breach occurred that compromised their customers' personal information, such as their SSNs.\21\

---------------------------------------------------------------------------
\18\ N.Y. State Tech. Law 208 (2005).
\19\ Cal. Civ. Code 1798.29 (2002); 1798.82 (2002).
\20\ Nev. Rev. Stat. 603A.220 (2005).
\21\ Ga. Code Ann. 10-1-910 et seq. (2005).
---------------------------------------------------------------------------

In addition, we found that some state offices were beginning to take measures to change the way in which they displayed or shared SSNs in public records. For example, we found that many state agencies had restricted access to or redacted--covered or otherwise hidden from view--SSNs from public versions of records. Specific restrictions and other actions state agencies reported taking included blocking or removing SSNs from electronic versions of records, allowing individuals identified in the record to request removing their SSN from the publicly available version, replacing SSNs with alternative identifiers, and restricting access only to individuals identified in the records.

Finally, Congress is currently considering consumer privacy legislation, which in some cases includes SSN restrictions. In 2005, there were more than 20 proposed bills pending before the U.S. House and Senate.\22\ In some cases, the provisions being considered mirrored provisions in enacted state laws. For example, some proposed legislation included prohibitions on the display of SSNs, similar to a Colorado law, while other proposed legislation address the solicitation of SSNs by public and private sector entities.
In addition, some federal privacy legislation also proposed consumer safeguards, such as security freezes and prohibitions on the sale and purchase of SSNs.

---------------------------------------------------------------------------
\22\ GAO, Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps Remain, GAO-05-1016T (Washington, D.C.: September 15, 2005)
---------------------------------------------------------------------------

More Could Be Done To Protect SSNs

Although laws at both state and federal levels have helped to restrict SSN display and protect individuals' personal information, clearly gaps remain. We have issued a number of reports for this Subcommittee that have looked at the collection, use, and protections of SSNs by federal agencies and private sector entities. In some cases where federal action could be taken, we have proposed matters for congressional consideration to explore legislative actions or recommendations to a federal agency to address problems we found. In other cases, mainly those that relate to private sector entities, we have proposed a matter for Congressional consideration. OMB has implemented two of our recommendations and Congress is still considering what actions need to be taken.

Prior Work Found Gaps in the Protections of SSNs

In our review of government uses of SSNs, we reported that certain measures that could provide more assurances that SSNs obtained by government entities are secure are not universally in place at any level of government.\23\ Agencies that deliver services and benefits use SSNs to administer programs and took some steps to safeguard SSNs. However, when federal, state, and county agencies request SSNs, they did not consistently inform the SSN holders of whether they must provide the SSN to receive benefits or services and how the SSN will be used.
In addition, although some agencies took action to limit the display of SSNs on documents that were not intended to be public but may be viewed by others, these actions sometimes took place in a piecemeal manner rather than as a result of a systematic effort.

---------------------------------------------------------------------------
\23\ GAO-02-352
---------------------------------------------------------------------------

In our reviews of private sector entities' collection and use of SSNs, we found gaps in how different industries are covered by federal laws protecting individuals' personal information. In our third party contractors' review, we reported that federal regulation and oversight of SSN sharing varies across four industries we reviewed, revealing gaps in federal law and agency oversight for different industries that share SSNs with their contractors.\24\ For example, federal law and oversight of the sharing of personal information in the financial services industry is very extensive: financial services companies must comply with GLBA requirements for safeguarding customers' personal information, and regulators have an examination process in place that includes determining whether banks and securities firms are safeguarding this information. IRS has regulations and guidance in place to restrict the disclosure of SSNs by tax preparers and their contractors, but does not perform periodic reviews of tax preparers' compliance. FCC does not have regulations covering SSNs and also does not periodically review telecommunications companies to determine whether they are safeguarding such information. Companies in the industries we reviewed relied on accepted industry practices and primarily used the terms of their contracts to safeguard personal information, including SSNs they shared with outside contractors.

---------------------------------------------------------------------------
\24\ GAO-06-238.
---------------------------------------------------------------------------

We also found that there are few restrictions placed on certain entities' abilities such as information resellers to resell SSNs in the course of their business. Although certain federal laws have some restrictions on reselling nonpublic personal information, these laws only apply to certain types of private sector entities, such as financial institutions.

In our review of SSNs in public records, we found that SSNs are widely exposed to view in a variety of public records and are still subject to exposure on identity cards issued under federal auspices.\25\ The number and type of records in which SSNs are displayed varies greatly for both states and counties, and SSNs are available in some federal court records. A number of government agencies and oversight bodies are taking steps to eliminate the open display of SSNs. For example, some actions state agencies reported taking included blocking or removing SSNs from electronic versions of records, and replacing SSNs with alternative identifiers. However, such initiatives to protect the SSN may slow its misuse, but the absence of uniform and comprehensive policy is likely to leave many individuals vulnerable.

---------------------------------------------------------------------------
\25\ GAO-05-59.
---------------------------------------------------------------------------

Finally, although they are not displayed in public records en masse, we found that millions of SSNs are still subject to exposure on individual identity cards issued under federal auspices. We found that in 2004 an estimated 42 million Medicare cards displayed entire 9-digit SSNs, as did approximately 8 million Department of Defense (DOD) insurance cards and 7 million Department of Veterans Affairs (VA) beneficiary cards. Some of these agencies have begun taking action to remove SSNs from identification cards.
For example, VA is eliminating SSNs from 7 million VA identification cards and is replacing cards with SSNs or issuing new cards without SSNs from 2004 through 2009, until all such cards have been replaced. DOD has begun replacing approximately 6 million health insurance cards that display SSNs with cards that do not display the bearer's SSN, but continues to include SSNs on approximately 8 million military identification cards. The Centers for Medicare and Medicaid Services, with the largest number of cards displaying the entire 9-digit SSN, does not plan to remove the SSN from Medicare identification cards. GAO Has Proposed Matters for Congressional Consideration and Recommendations In order to address the issues we found, GAO has proposed matters for congressional consideration and recommended that a federal agency take action. To date, OMB has implemented two of our three recommendations, but Congress is still considering what other actions to take. In order to address the problems we found with how government entities assure the security of SSNs, we proposed that Congress consider convening a representative group of federal, state, and local officials to develop a unified approach to safeguarding SSNs used in all levels of government. The Privacy Act and other federal laws prescribe actions federal departments and agencies must take to assure the security of SSNs and other personal information. However, these requirements may not be uniformly observed. We presented a matter for congressional consideration to facilitate intergovernmental collaboration in strengthening safeguards at the state and local levels. We also made two recommendations to the Office of Management and Budget that it direct federal agencies to review their practices for securing SSNs and providing required information, and advise all federal, state, and local governments of the applicability of the Privacy Act to their uses of SSNs. OMB has implemented both our recommendations. 

In our report on third party contractors' uses of SSNs, we recommended that Congress consider possible options for addressing the gaps in existing federal requirements for safeguarding SSNs shared with contractors. The current gaps do not provide incentives for companies to commit to protecting personal information. Each industry is subject to different federal oversight and is often left to decide what established practices for safeguarding SSNs and other consumer information it wishes to follow. We suggested that one approach Congress could take would be to require industry-specific protections for the sharing of SSNs with contractors where such measures are not already in place. For example, Congress could consider whether the Telecommunications Act of 1996 should be amended to address how that industry shares SSNs with contractors. Alternatively, we suggested that Congress could take a broader approach. For example, in considering proposed legislation that would generally restrict the use and display of SSNs, Congress could also include a provision that would explicitly apply this restriction to third party contractors. We stated that with either approach, Congress would want to establish a mechanism overseeing compliance by contractors and enforcement.

In our report on the display of SSNs on identification cards and in public records, we recommended that OMB identify all those federal activities that require or engage in the display of 9-digit SSNs on health insurance, identification, or any other cards issued to federal government personnel or program beneficiaries, and devise a governmentwide policy to ensure a consistent approach to this type of display. Although SSA has authority to issue policies and procedures over the Social Security cards that it issues, it does not have authority over how other federal agencies use and display SSNs. Rather, it is up to individual government agencies to have their own policies for the cards issued under their authority.
The lack of a broad, uniform policy allows for inconsistent, but persistent exposure of the SSN. OMB has not yet taken action on our recommendation but said at the time we issued our report they would consider it.

With regard to SSN exposure in public records, we again noted that it would be constructive for a representative group of federal, state, and local officials to develop a unified approach to safeguarding SSNs used in all levels of government, particularly those displayed in public records.

Finally, with regard to private sector entities, such as information resellers reselling personal information, including SSNs, we noted that there are few restrictions placed on these entities' ability to obtain, use, and resell SSNs for their businesses. The federal laws that have some restrictions can be interpreted broadly. The broad interpretation combined with the uncertainty about the application of the exceptions suggests that reselling personal information--including SSNs--is likely to continue.

Conclusions

The use of SSNs by both public and private sector entities is likely to continue given that it is used as the key identifier by most of these entities and there is currently no other widely accepted alternative. Given the significance of the SSN in committing fraud or stealing a person's identity, it is imperative that steps be taken to protect it. Without proper safeguards in place, SSNs will remain vulnerable to misuse, thus adding to the growing number of identity theft victims. SSNs are still widely used and publicly available, although becoming less so. State legislatures have begun to place restrictions on SSNs by enacting laws that restrict the use and display of SSNs and prohibit the theft of individuals' personal information. Yet, more could be done to protect SSNs.
As Congress continues to propose and consider legislation to protect individuals' personal information, gaps in protections that have already been identified could help focus the debate on the areas that could be addressed immediately based on our work in order to prevent SSNs and other personal information from being misused. At this Subcommittee's request, we are continuing work on SSNs and the ease with which they can be purchased from Internet information resellers. We look forward to supporting continued congressional consideration of these important policy issues.

That concludes my testimony, and I would be pleased to respond to any questions the subcommittee has.

Appendix I: Selected State SSN Laws Previously Reported by GAO

------------------------------------------------------------------------
Type of Law                             Enacting States
------------------------------------------------------------------------
Imposes Limits on State and Local       Connecticut, Delaware, Florida,
 Governments, including Restrictions     Georgia, Hawaii, Indiana,
 on Public Disclosure                    Minnesota, Nebraska, Nevada,
                                         New Jersey, North Dakota, Oregon,
                                         South Carolina, Tennessee, Texas,
                                         Virginia, West Virginia
------------------------------------------------------------------------
Limits Use and Display of SSNs          Arizona, Arkansas, California,
                                         Connecticut, Georgia, Illinois,
                                         Maryland, Michigan, Minnesota,
                                         Missouri, Oklahoma, Texas, Utah,
                                         Virginia
------------------------------------------------------------------------
Limits Use of SSNs on Drivers'          Indiana, North Dakota,
 Licenses                                South Dakota, West Virginia
------------------------------------------------------------------------
Requires Notification of Security       California, Georgia, Nevada,
 Breaches                                New York
------------------------------------------------------------------------
Prohibits Certain Activities Related    Arizona, Idaho, New York
 to Identity Theft
------------------------------------------------------------------------
Limits or Prohibits Use of SSN as       Arkansas, Colorado, Wisconsin
 Student ID Number
------------------------------------------------------------------------
Authorizes Redaction of SSNs in         California, New Jersey
 Certain Public Records
------------------------------------------------------------------------
Limits Certain Activities of            North Dakota, Vermont
 Financial Institutions
------------------------------------------------------------------------
Prohibits Businesses From Requiring     New Mexico, Rhode Island
 SSNs as a Condition of Doing
 Business
------------------------------------------------------------------------
Requires Development of Employee        New Mexico
 Access Policies
------------------------------------------------------------------------
Requires Business to Properly Dispose   Texas
 of Business Records Containing
 Customers' Personal Information
------------------------------------------------------------------------
Provides Identity Theft Victim          Washington
 Assistance
------------------------------------------------------------------------
Requires that SSNs be Truncated for     Louisiana
 Certain Public Records
------------------------------------------------------------------------
Requires Third Party Contracting        California
 Protections
------------------------------------------------------------------------
Source: GAO Analysis

Related GAO Products

Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs. GAO-06-238. Washington, D.C.: January 23, 2006.

Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps Remain. GAO-05-1016T. Washington, D.C.: September 15, 2005.

Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards. GAO-05-59. Washington, D.C.: November 9, 2004.

Social Security Numbers: Use Is Widespread and Protections Vary in Private and Public Sectors. GAO-04-1099T. Washington, D.C.: September 28, 2004.

Social Security Numbers: Use Is Widespread and Protections Vary. GAO-04-768T.
Washington, D.C.: June 15, 2004.

Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information. GAO-04-11. Washington, D.C.: January 22, 2004.

Social Security Numbers: Ensuring the Integrity of the SSN. GAO-03-941T. Washington, D.C.: July 10, 2003.

Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002.

Social Security: Government and Commercial Use of the Social Security Number is Widespread. GAO/HEHS-99-28. Washington, D.C.: February 16, 1999.

Chairman MCCRERY. Thank you, Ms. Fagnoni. Mr. Winston?

STATEMENT OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

Mr. WINSTON. Mr. Chairman, Mr. Levin, Members of the Subcommittee, I am Joel Winston, Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC). I appreciate the opportunity to testify today about the important issue of SSNs and their relation to identity theft. Although the views expressed in the written testimony represent those of the Commission, my oral presentation and responses to your questions are my own and do not necessarily represent the opinions of the Commission or any individual Commissioner.

Americans today are very concerned about protecting their identities, and with good reason. Identity theft is a pernicious and persistent problem. When a thief steals your identity, the economic and emotional impact can be severe. American businesses pay a heavy price, as well, as much as $50 billion every year. Every time consumers hear about the latest data breach that threatens to expose their personal information, they lose a little more confidence in our commercial system.

Access to SSNs contributes to the worst form of identity theft, having new accounts opened in your name.
The SSN has become an all-purpose identifier because of its convenience, its uniqueness to each individual, and its permanence over time. Many businesses also use the SSN to authenticate that the person presenting it is who he says he is. It is this dual use that makes the SSN so valuable to identity thieves. At the same time, the SSN serves many important functions in our financial system. For example, our credit reporting system hinges on the availability of SSNs to match consumers with their financial information. SSNs also are used to locate lost beneficiaries, collect child support, and detect fraud, among many other things. This presents a challenge, how to find the right balance between permitting beneficial use and disclosure of SSNs while keeping them out of the hands of criminals. The solution must combine a number of approaches. To begin with, public and private entities should use less sensitive identifiers whenever possible and they must do a better job of securing consumer data. This is a fundamental legal responsibility. Under the Federal Trade Commission Act, the Commission can act against firms that misrepresent their security procedures or fail to take reasonable steps to secure sensitive information. The FTC Safeguards Rule requires financial institutions to implement reasonable safeguards to protect consumer information. The FTC Disposal Rule requires businesses that hold certain consumer information to dispose of it in a safe manner. The Commission has acted aggressively to enforce these legal requirements. Our two most recent cases involved massive data breaches that led to numerous instances of identity fraud. In both cases, the Commission alleged that the company failed to have reasonable procedures to safeguard consumer information, including in one of the cases SSNs. In addition to law enforcement, education and outreach are critical weapons in this fight. 
The Commission has targeted its efforts at the three groups best situated to combat identity theft, consumers, industry, and law enforcement. We receive between 15,000 and 20,000 contacts per week from individuals seeking advice on avoiding identity theft or coping with the consequences. We provide information and assistance, including tools to simplify the recovery process. We are working to implement the provisions of the Fair and Accurate Credit Transactions Act of 2003 (P.L. 108-159) (FACT Act), many of which address identity theft. The free annual credit report program, for example, has allowed millions of consumers to obtain and check their credit reports, where the first signs of identity fraud often appear.

The Commission also works with the business community to promote a culture of security. Our outreach efforts encourage and help businesses to maintain only the information that they need and to protect the information that they maintain.

Finally, the Commission assists criminal law enforcement through our operation of the ID Theft Data Clearinghouse, a national database with over a million identity theft complaints. Law enforcers, ranging from the FBI to local sheriffs, use the clearinghouse to aid in their investigation.

In closing, I want to emphasize that identity theft is a multi-faceted problem for which there is no simple solution. The challenge of determining how best to keep SSNs out of the hands of wrongdoers illustrates how difficult this problem is. Still, there is much that we can do to discourage unnecessary use of SSNs, enhance data protection, educate consumers, and assist criminal prosecutors. The Commission will continue to play a central role in the fight against identity theft and we look forward to working with the Congress in this endeavor.

Thank you again for the opportunity to testify today and I would be happy to answer any questions.

[The prepared statement of Mr.
Winston follows:] Statement of Joel Winston, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission I. INTRODUCTION Mr. Chairman, Mr. Levin, and members of the Subcommittee, I am Joel Winston, Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity to present the Commission's views on identity theft and Social Security numbers (``SSNs''). --------------------------------------------------------------------------- \1\ The views expressed in this statement represent the views of the Commission. My oral presentation and responses to questions are my own and do not necessarily represent the views of the Commission or any Commissioner. --------------------------------------------------------------------------- The Commission has a broad mandate to protect consumers generally and to combat identity theft specifically. Controlling identity theft is an issue of critical concern to all consumers--and to the Commission. The FTC serves a key role as the central repository for identity theft complaints, facilitates criminal law enforcement in detecting and prosecuting identity thieves, and provides extensive victim assistance and consumer education. In recognition of the need to protect sensitive consumer information and prevent identity theft, the FTC recently created a new Division of Privacy and Identity Protection. This division--which consists of staff with expertise in privacy, data security, and identity theft--addresses cutting-edge consumer privacy matters through aggressive enforcement, as well as rulemaking, policy development, and outreach to consumers and businesses. 
This testimony describes the ways in which SSNs are collected and used, their relationship to identity theft, current laws that restrict the use or transfer of consumers' personal information, and the Commission's efforts to help consumers avoid identity theft or remediate its consequences.

II. THE IDENTITY THEFT PROBLEM

Identity theft is a pernicious crime that harms both consumers and businesses. Recent surveys estimate that nearly 10 million consumers are victimized by some form of identity theft each year.\2\ The costs of this crime are staggering. The Commission's 2003 survey estimated that identity theft cost businesses approximately $50 billion, and cost consumers an additional $5 billion in out-of-pocket expenses, over the twelve-month period prior to the survey.\3\ The 2003 survey looked at two major categories of identity theft: (1) misuse of existing accounts; and (2) the creation of new accounts in the victim's name. The 2003 survey found that the costs imposed by new account fraud were substantially higher than the misuse of existing accounts.\4\
---------------------------------------------------------------------------
\2\ See Federal Trade Commission--Identity Theft Survey Report (2003), http://www.ftc.gov/os/2003/09/synovatereport.pdf and Rubina Johannes, 2006 Identity Fraud Survey Report (2006), http://www.javelinstrategy.com/research. A free summary of the 2006 Identity Fraud Survey Report is available at http://www.bbb.org/alerts/article.asp?ID=651.
\3\ Federal Trade Commission--Identity Theft Survey Report at 6 (2003), http://www.ftc.gov/os/2003/09/synovatereport.pdf.
\4\ Id.
---------------------------------------------------------------------------

III. USES AND SOURCES OF SOCIAL SECURITY NUMBERS

SSNs today play a vital role in our economy.
With 300 million American consumers, many of whom share the same name,\5\ the unique 9-digit SSN is a key identification tool for businesses, government, and others.\6\ For example, consumer reporting agencies use SSNs to ensure that the data furnished to them is placed in the correct file and that they are providing a credit report on the correct consumer.\7\ Businesses and other entities use these reports to evaluate the risk of providing to individuals services, such as credit, insurance, home rentals, or employment. Timely access to consumer credit, as well as the overall accuracy of credit reporting files, could be compromised if SSNs could not be used to match consumers to their financial information. Additionally, SSNs are used in locator databases to find lost beneficiaries, potential witnesses, and law violators, and to collect child support and other judgments. SSN databases also are used to fight identity fraud--for example, to confirm that an SSN provided by a loan applicant does not, in fact, belong to someone who is deceased.\8\ Without the ability to use SSNs as a personal identifier and fraud prevention tool, the granting of credit and the provision of other financial services would become riskier and more expensive and inconvenient for consumers.
---------------------------------------------------------------------------
\5\ According to the Consumer Data Industry Association, 14 million Americans have one of ten last names, and 58 million men have one of ten first names.
\6\ See General Accounting Office, Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information (GAO 04-01) (2004).
\7\ See Federal Trade Commission--Report to Congress Under Sections 318 and 319 of the Fair and Accurate Credit Transactions Act of 2003 at 38-40 (2004), http://www.ftc.gov/reports/facta/041209factarpt.pdf.
\8\ The federal government also uses the SSN as an identifier, for example, as both an individual's Medicare and taxpayer identification number. It also is used to administer the federal jury system, federal welfare and workmen's compensation programs, and military draft registration. See Social Security Administration, Report to Congress on Options for Enhancing the Social Security Card (Sept. 1997), www.ssa.gov/history/reports/ssnreportc2.html.
---------------------------------------------------------------------------
SSNs are available from both public and private sources. Public records in city and county government offices across the country, including birth and death records, property records, tax lien records, voter registrations, licensing records, and court records, often contain consumers' SSNs.\9\ Increasingly, these records are being placed online where they can be accessed easily and anonymously.\10\ There also are a number of private sources of SSNs, including consumer reporting agencies that include name, address, and SSN as part of the ``credit header'' information on consumer reports. Data brokers also collect personal information, including SSNs, from a variety of sources and compile and resell that data to third parties.\11\
---------------------------------------------------------------------------
\9\ Local and state governments are reducing their reliance on SSNs for many administrative purposes in response to identity theft concerns. For example, only a few states still use SSNs as drivers license numbers. See David A. Lieb, Millions of Motorists Have Social Security Numbers on Licenses, The Boston Globe, Feb. 6, 2006, http://www.boston.com/news/local/massachusetts/articles/2006/02/06/millions_of_motorists_have_social_security_numbers_on_licenses/. In some cases, however, governments still use SSNs as identifiers when it is not essential to do so. See Mark Segraves, Registering to Vote May Lead to Identity Theft, WTOP Radio, Mar.
22, 2006, http://www.wtop.com/?nid=428&sid=733727.
\10\ Improved access to public records has important public policy benefits, but at the same time raises privacy concerns. Some public records offices redact sensitive information such as SSNs, but doing so can be very costly. The Commission has recognized the sensitive nature of SSNs, even when they are contained in publicly available records. For example, in response to a comment on the DSW order, the Commission stated that ``[C]ertain publicly available records, such as court records, contain Social Security numbers and other highly sensitive information that can be used to perpetrate identity theft.'' The Commission response letter is available at http://www.ftc.gov/os/caselist/0523096/0523096DSW LettertoCommenter BankofAmerica.pdf.
\11\ Some data brokers have announced that they are voluntarily restricting the sale of SSNs and other sensitive information to those with a demonstrable and legitimate need. See Social Security Numbers Are for Sale Online, Newsmax.com, Apr. 5, 2005, http://www.newsmax.com/archives/articles/2005/4/4/155759.shtml.
---------------------------------------------------------------------------
The misuse of SSNs, however, can facilitate identity theft. For example, new account fraud--the most serious form of identity theft--is often possible only if the thief obtains the victim's SSN. The challenge is to find the proper balance between the need to keep SSNs out of the hands of identity thieves, while giving businesses and government entities sufficient means to attribute information to the correct person. Restrictions on disclosure of SSNs also could have a broad impact on such important purposes as public health, criminal law enforcement, and anti-fraud and anti-terrorism efforts. Moreover, as referenced above, regulation or restriction of the availability of SSNs in public records poses substantial policy and practical concerns.

IV.
CURRENT LAWS RESTRICTING THE USE OR DISCLOSURE OF SOCIAL SECURITY NUMBERS

There are a variety of specific statutes and regulations that restrict disclosure of certain consumer information, including SSNs, in certain contexts. In addition, under some circumstances, entities are required to have procedures in place to ensure the security and integrity of sensitive consumer information such as SSNs. Three statutes that protect SSNs from improper access fall within the Commission's jurisdiction: Title V of the Gramm-Leach-Bliley Act (``GLBA'');\12\ Section 5 of the Federal Trade Commission Act (``FTC Act'');\13\ and the Fair and Accurate Credit Transactions Act of 2003 (``FACT Act''),\14\ amending the Fair Credit Reporting Act (``FCRA'').\15\
---------------------------------------------------------------------------
\12\ 15 U.S.C. 6801-09.
\13\ 15 U.S.C. 45(a).
\14\ Pub. L. No. 108-159, 117 Stat. 1952.
\15\ 15 U.S.C. 1681-1681x, as amended.
---------------------------------------------------------------------------

A. The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (``GLBA'') imposes privacy and security obligations on ``financial institutions.''\16\ Financial institutions are defined broadly as those entities engaged in ``financial activities'' such as banking, lending, insurance, loan brokering, and credit reporting.\17\
---------------------------------------------------------------------------
\16\ 15 U.S.C. 6809(3)(A).
\17\ 12 C.F.R. 225.28, 225.86.
---------------------------------------------------------------------------
1.
Privacy of Consumer Financial Information

In general, financial institutions are prohibited by Title V of the GLBA\18\ from disclosing nonpublic personal information, including SSNs, to non-affiliated third parties without first providing consumers with notice and the opportunity to opt out of the disclosure.\19\ However, the GLBA includes a number of statutory exceptions under which disclosure is permitted without having to provide notice and an opt-out. These exceptions include consumer reporting (pursuant to the FCRA), fraud prevention, law enforcement and regulatory or self-regulatory purposes, compliance with judicial process, and public safety investigations.\20\ Entities that receive information under an exception to the GLBA are subject to the reuse and redisclosure restrictions of the GLBA Privacy Rule, even if those entities are not themselves financial institutions.\21\ In particular, the recipients may only use and disclose the information ``in the ordinary course of business to carry out the activity covered by the exception under which . . . the information [was received].''\22\
---------------------------------------------------------------------------
\18\ Privacy of Consumer Financial Information, 16 C.F.R. Part 313 (``GLBA Privacy Rule'').
\19\ The GLBA defines ``nonpublic personal information'' as any information that a financial institution collects about an individual in connection with providing a financial product or service to an individual, unless that information is otherwise publicly available. This includes basic identifying information about individuals, such as name, SSN, address, telephone number, mother's maiden name, and prior addresses. See, e.g., 65 Fed. Reg. 33,646, 33,680 (May 24, 2000) (the FTC's Privacy Rule).
\20\ 15 U.S.C. 6802(e).
\21\ 16 C.F.R. 313.11(a).
\22\ Id.
--------------------------------------------------------------------------- Entities can obtain SSNs from consumer reporting agencies, generally from the credit header data on the credit report. However, because credit header data is typically derived from information originally provided by financial institutions, entities that receive this information generally are limited by the GLBA's reuse and redisclosure provision. 2. Required Safeguards for Customer Information The GLBA also requires financial institutions to implement appropriate physical, technical, and procedural safeguards to protect the security and integrity of the information they receive from customers, whether directly or from other financial institutions.\23\ The FTC's Safeguards Rule, which implements these requirements for entities under FTC jurisdiction,\24\ requires financial institutions to develop a written information security plan that describes their procedures to protect customer information. Given the wide variety of entities covered, the Safeguards Rule requires a plan that accounts for each entity's particular circumstances--its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. It also requires covered entities to take certain procedural steps (for example, designating appropriate personnel to oversee the security plan, conducting a risk assessment, and overseeing service providers) in implementing their plans.\25\ --------------------------------------------------------------------------- \23\ 15 U.S.C. 6801(b); Standards for Safeguarding Customer Information, 16 C.F.R. Part 314 (``Safeguards Rule''). 
\24\ The Federal Deposit Insurance Corporation, the National Credit Union Administration (``NCUA''), the Securities and Exchange Commission, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Office of Thrift Supervision, and state insurance authorities have promulgated comparable information safeguards rules, as required by Section 501(b) of the GLBA. 15 U.S.C. 6801(b); see, e.g., Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, 66 Fed. Reg. 8,616-41 (Feb. 1, 2001). The FTC has jurisdiction over entities not subject to the jurisdiction of these agencies.
\25\ The Commission previously has recommended that Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety. Such a requirement could extend the FTC's existing GLBA Safeguards Rule to companies that are not financial institutions. See Statement of Federal Trade Commission Before the Committee on Commerce, Science, and Transportation, U.S. Senate, on Data Breaches and Identity Theft (June 16, 2005) at 7, http://www.ftc.gov/os/2005/06/050616databreaches.pdf.
---------------------------------------------------------------------------

B. Section 5 of the FTC Act

Section 5 of the FTC Act prohibits ``unfair or deceptive acts or practices in or affecting commerce.''\26\ Under the FTC Act, the Commission has broad jurisdiction over a wide variety of entities and individuals operating in commerce. Prohibited practices include making deceptive claims about one's privacy procedures, including claims about the security provided for consumer information.\27\
---------------------------------------------------------------------------
\26\ 15 U.S.C. 45(a).
\27\ Deceptive practices are defined as material representations or omissions that are likely to mislead consumers acting reasonably under the circumstances. Cliffdale Associates, Inc., 103 F.T.C. 110 (1984). --------------------------------------------------------------------------- In addition to deception, the FTC Act prohibits unfair practices. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition.\28\ The Commission has used this authority to challenge a variety of injurious practices, including companies' failure to provide reasonable and appropriate security for sensitive customer data.\29\ The Commission can obtain injunctive relief for violations of Section 5, as well as consumer redress or disgorgement in appropriate cases. --------------------------------------------------------------------------- \28\ 15 U.S.C. 45(n). \29\ Other practices include, for example, allegations of unauthorized charges in connection with ``phishing,'' high-tech scams that use spam or pop-up messages to deceive consumers into disclosing credit card numbers, bank account information, SSNs, passwords, or other sensitive information. See FTC v. Hill, No. H 03-5537 (filed S.D. Tex. Dec. 3, 2003), http://www.ftc.gov/opa/2004/03/phishinghilljoint.htm; FTC v. C.J., No. 03-CV-5275-GHK (RZX) (filed C.D. Cal. July 24, 2003), http://www.ftc.gov/os/2003/07/phishingcomp.pdf. --------------------------------------------------------------------------- C. The Fair and Accurate Credit Transactions Act of 2003 The FACT Act amended the FCRA to include a number of provisions designed to increase the protection of sensitive consumer information, including SSNs. 
One such provision required the banking regulatory agencies, the NCUA, and the Commission to promulgate a coordinated rule designed to prevent unauthorized access to consumer report information by requiring all users of such information to have reasonable procedures to dispose of it properly and safely.\30\ This Disposal Rule, which took effect on June 1, 2005, should help minimize the risk of improper disclosure of SSNs. --------------------------------------------------------------------------- \30\ 16 C.F.R. Part 382 (``Disposal of Consumer Report Information and Record Rule''). --------------------------------------------------------------------------- In addition, the FACT Act requires consumer reporting agencies to truncate the SSN on consumer reports at the consumer's request.\31\ Eliminating the unnecessary display of this information could lessen the risk of it getting into the wrong hands. --------------------------------------------------------------------------- \31\ 15 U.S.C. 1681g(a)(1)(A). The FTC advises consumers of this right through its consumer outreach initiatives. See e.g., the FTC's identity theft prevention and victim recovery guide, Take Charge: Fighting Back Against Identity Theft at 5 (2005), available at http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf. --------------------------------------------------------------------------- D. Other Laws Other federal laws not enforced by the Commission regulate certain other specific classes of information, including SSNs. For example, the Driver's Privacy Protection Act (``DPPA'') \32\ prohibits state motor vehicle departments from disclosing personal information in motor vehicle records, subject to fourteen ``permissible uses,'' including law enforcement, motor vehicle safety, and insurance. 
The Health Information Portability and Accountability Act (``HIPAA'') and its implementing privacy rule prohibit the disclosure to third parties of a consumer's medical information without prior consent, subject to a number of exceptions (such as, for the disclosure of patient records between entities for purposes of routine treatment, insurance, or payment).\33\ Like the GLBA Safeguards Rule, the HIPAA Privacy Rule also requires entities under its jurisdiction to have in place ``appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.'' \34\ --------------------------------------------------------------------------- \32\ 18 U.S.C. 2721-25. \33\ 45 C.F.R. Part 164 (``HIPAA Privacy Rule''). \34\ 45 C.F.R. 164.530(c). --------------------------------------------------------------------------- E. FTC Enforcement Actions Over the past year or so, reports have proliferated about information compromises at U.S. businesses, universities, government agencies, and other organizations that collect and store sensitive consumer information, including SSNs. Some of these incidents reportedly have led to identity theft, confirming that security breaches can cause real and tangible harm to consumers, businesses, and other institutions. Since 2001, the Commission has brought twelve cases challenging businesses that have failed to take reasonable steps to protect sensitive consumer information in their files.\35\ Two of the Commission's most recent law enforcement actions arose from high-profile data breaches that occurred last year. 
In the first case, the Commission alleged that a major data broker, ChoicePoint, Inc., failed to use reasonable procedures to screen prospective subscribers and monitor their access to sensitive consumer data, in violation of the FCRA \36\ and the FTC Act.\37\ The Commission's complaint alleged that ChoicePoint's failures allowed identity thieves to obtain access to the personal information of over 160,000 consumers, including nearly 10,000 consumer reports. In settling the case, ChoicePoint agreed to pay $10 million in civil penalties for the FCRA violations--the highest civil penalty ever levied in a consumer protection case--and $5 million in consumer redress for identity theft victims. The Order also requires ChoicePoint to implement a number of strong data security measures, including bi-annual audits to ensure that these security measures are in place. --------------------------------------------------------------------------- \35\ Documents related to these enforcement actions generally are available at http://www.ftc.gov/privacy/index.html. \36\ 15 U.S.C. 1681-1681x, as amended. The FCRA specifies that consumer reporting agencies may only provide consumer reports for certain ``permissible purposes.'' ChoicePoint allegedly approved as customers individuals whose applications had several indicia of fraud, including false credentials, the use of commercial mail drops as business addresses, and multiple applications faxed from the same public commercial location. The FTC's complaint alleged that ChoicePoint did not have a permissible purpose in providing consumer reports to such individuals and failed to have reasonable procedures to verify prospective subscribers. \37\ United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga. Feb. 15, 2006). 
--------------------------------------------------------------------------- In the second action, the Commission reached a settlement with CardSystems Solutions, Inc., the card processor allegedly responsible for last year's breach of credit and debit card information for Visa and MasterCard, which exposed tens of millions of consumers' credit and debit numbers.\38\ This case addresses the largest known compromise of sensitive financial data to date. As in the ChoicePoint case, the FTC alleged that CardSystems engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer data. These settlements provide important protections for consumers and also provide important lessons for industry about the need to safeguard consumer information. --------------------------------------------------------------------------- \38\ In the Matter of CardSystems Solutions, Inc., FTC File No. 052-3148 (proposed settlement posted for public comment, Feb. 23, 2006). The settlement requires CardSystems and its successor corporation to implement a comprehensive information security program and obtain audits by an independent third-party professional every other year for 20 years. As noted in the FTC's press release, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach. --------------------------------------------------------------------------- V. THE COMMISSION'S EFFORTS TO COMBAT IDENTITY THEFT In addition to our efforts to ensure that businesses take reasonable steps to safeguard sensitive consumer information, the Commission works in many other ways to address the identity theft problem. Pursuant to the 1998 Identity Theft Assumption and Deterrence Act (``the Identity Theft Act''),\39\ the Commission has implemented a program that assists consumers, businesses, and other law enforcers. 
--------------------------------------------------------------------------- \39\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. 1028). --------------------------------------------------------------------------- A. Working with Consumers The Commission hosts a toll-free hotline, 1-877-ID THEFT, and a secure online complaint form on its website, www.consumer.gov/idtheft, for consumers concerned about identity theft. Every week, the Commission receives about 15,000 to 20,000 contacts from victims and consumers seeking information on how to avoid identity theft. The callers to the hotline receive counseling from trained personnel who provide information on steps they can take both to prevent identity theft and to resolve problems resulting from the misuse of their identities. Victims are advised to: (1) obtain copies of their credit reports and have a fraud alert placed on them;\40\ (2) contact each of the creditors or service providers with which the thief has established or accessed an account to request that the account be closed and to dispute any associated charges; and (3) report the theft to the police and, if possible, obtain a police report. The police report is useful in demonstrating to purported creditors and debt collectors that the consumer is a victim of identity theft, and serves as an ``identity theft report'' that can be used for exercising various victims' rights granted by the FACT Act.\41\ The Commission's identity theft website, www.consumer.gov/idtheft, has an online complaint form where victims can enter their complaints into the Clearinghouse. --------------------------------------------------------------------------- \40\ The FACT Act added a requirement that consumer reporting agencies, at the request of a consumer, place a fraud alert on the consumer's credit report. Consumers may obtain an initial alert if they have a good faith suspicion that they have been or are about to become an identity theft victim. 
The initial alert must stay on the file for at least 90 days. Actual victims who submit an identity theft report can obtain an extended alert, which remains in effect for up to seven years. Fraud alerts require users of consumer reports who are extending credit or related services to take certain steps to verify the consumer's identity. See 15 U.S.C. 1681c-1. \41\ These include the right to an extended fraud alert, the right to block fraudulent trade lines on credit reports and to prevent such trade lines from being furnished to a consumer reporting agency, and the ability to obtain copies of fraudulent applications and transaction reports. See 15 U.S.C. 1681 et seq., as amended. --------------------------------------------------------------------------- The Commission also has taken the lead in developing and disseminating identity theft-related consumer education materials, including an identity theft primer, ID Theft: What It's All About, and a victim recovery guide, Take Charge: Fighting Back Against Identity Theft. The Commission alone has distributed more than 2.1 million copies of the Take Charge booklet (formerly known as ID Theft: When Bad Things Happen To Your Good Name) since its release in February 2000 and has recorded more than 2.4 million visits to the Web version. The Commission also maintains the identity theft website, www.consumer.gov/idtheft, which provides publications and links to testimony, reports, press releases, identity theft-related state laws, and other resources. Last fall, the Commission, together with partners from law enforcement, the technology industry, and nonprofits, launched OnGuard Online, an interactive, multi-media resource for information and up-to-the-minute tools on how to recognize Internet fraud, avoid hackers and viruses, shop securely online, and deal with identity theft, spam, phishing, and file-sharing.\42\ --------------------------------------------------------------------------- \42\ See www.onguardonline.gov. 
OnGuard Online is also available in Spanish. See www.AlertaEnLinea.gov. --------------------------------------------------------------------------- In addition, the Commission will launch this spring a major new identity theft education campaign. The campaign will encourage consumers to guard against identity theft by taking steps to reduce their risk, keep a close eye on their personal information, and move quickly to minimize the damage if identity theft occurs. The centerpiece of the campaign will be a turnkey toolkit--a comprehensive how-to guide that will help promote grassroots education about identity theft. The Commission also has developed ways to simplify the recovery process. One example is the ID Theft Affidavit, included in the Take Charge booklet and on the website. This standard form was developed in partnership with industry and consumer advocates for victims to use in resolving identity theft debts. To date, the Commission has distributed more than 293,000 print copies of the Affidavit and has recorded more than 1.1 million hits to the Web version. B. Working with Industry The private sector can play a key role in combating identity theft by reducing its incidence through better security and authentication. The Commission works with institutions to promote a ``culture of security'' by identifying ways to spot risks to the information they maintain and keep it safe. Among other things, the Commission has disseminated advice for businesses on reducing risks to their computer systems\43\ and on compliance with the Safeguards Rule.\44\ Our emphasis is on preventing breaches before they happen by encouraging businesses to make security part of their regular operations and corporate culture. 
The Commission also has published Information Compromise and the Risk of Identity Theft: Guidance for Your Business, a booklet on managing data compromises.\45\ This publication provides guidance on when it would be appropriate for an entity to notify law enforcement and consumers in the event of a breach of personal information. --------------------------------------------------------------------------- \43\ Security Check: Reducing Risks to Your Computer Systems, available at http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm. \44\ Financial Institutions and Customer Data: Complying with the Safeguards Rule, available at http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm. \45\ Information Compromise and the Risk of Identity Theft: Guidance for Your Business, available at http://www.ftc.gov/bcp/conline/pubs/buspubs/idtrespond.pdf. --------------------------------------------------------------------------- In 2003, the Commission held a workshop that explored the challenges consumers and industry face in securing their computers. Titled ``Technologies for Protecting Personal Information: The Consumer and Business Experiences,'' the workshop also examined the role of technology in meeting these challenges.\46\ Workshop participants, including industry leaders, technologists, researchers on human behavior, and representatives from consumer and privacy groups, identified a range of challenges in safeguarding information and proposed possible solutions. --------------------------------------------------------------------------- \46\ See workshop agenda and transcripts available at www.ftc.gov/bcp/workshops/technology. See Staff Report available at http://www.ftc.gov/bcp/workshops/technology/finalreport.pdf. --------------------------------------------------------------------------- C. 
Working with Law Enforcement A primary purpose of the Identity Theft Act was to provide law enforcement with access to a centralized repository of identity theft victim data to support their investigations. The Commission operates this database as a national clearinghouse for complaints received directly from consumers and through numerous state and federal agencies, including the Social Security Administration's Office of Inspector General. With over 1,060,000 complaints, the Clearinghouse provides a detailed snapshot of current identity theft trends as reported by the victims themselves. The Commission publishes data annually showing the prevalence of complaints broken out by state and city.\47\ Since its inception, nearly 1,400 law enforcement agencies have registered for access to the Clearinghouse database. Individual investigators within those agencies can access the system from their desktop computers 24 hours a day, seven days a week. The Clearinghouse also gives access to training resources, and enables users to coordinate their investigations. --------------------------------------------------------------------------- \47\ See Federal Trade Commission--National and State Trends in Fraud & Identity Theft (Jan. 2006), available at http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf. The Commission also conducts national surveys to learn how identity theft impacts the general public. The FTC conducted the first survey in 2003 and is conducting a second survey this spring. See Federal Trade Commission--Identity Theft Survey Report (Sept. 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf. --------------------------------------------------------------------------- The Commission also encourages use of the Clearinghouse through training seminars offered to law enforcement. In cooperation with the Department of Justice, the U.S. Postal Inspection Service, the U.S. 
Secret Service, and the American Association of Motor Vehicle Administrators, the Commission began organizing full-day identity theft training seminars for state and local law enforcement officers in 2002. To date, this group has held 20 seminars across the country. More than 2,880 officers have attended these seminars, representing over 1,000 different agencies. Future seminars are being planned for additional cities. To further assist law enforcers, the Commission staff developed an identity theft case referral program. The staff creates preliminary investigative reports by examining patterns of identity theft activity in the Clearinghouse, and refers the reports to financial crimes task forces and others for further investigation and possible prosecution. In addition, analysts from the FBI, U.S. Secret Service, and Postal Inspection Service work on-site at the FTC, developing leads and supporting ongoing investigations for their agencies. VI. CONCLUSION The crime of identity theft is a scourge, causing enormous damage to businesses and consumers. The unauthorized use of consumers' SSNs is an important tool of identity thieves, especially those seeking to create new accounts in the victim's name. Although current laws place some restrictions on the use or disclosure of SSNs by certain entities under certain circumstances, this information is still otherwise available from both public and private sources, thereby enabling identity thieves to obtain SSNs through legal means as well as illegal means. At the same time, SSNs are an important driver of our market system. Businesses and others rely on SSNs to provide many important benefits for consumers and to fight identity theft. There are a number of things that government, industry, and consumers can do to help stem the tide of identity theft. First, both government and industry need to consider what information they collect and maintain from or about consumers and whether they need to do so. 
Entities that possess sensitive consumer information should continue to enhance their procedures to protect it. The Commission will continue its law enforcement and outreach efforts to encourage and, when necessary, require better protections. Second, industry should continue the development of improved fraud prevention methods to stop identity thieves from misusing the consumer information they have managed to obtain. In this regard, the FACT Act should prove instrumental by requiring the bank regulatory agencies, the NCUA, and the FTC to develop jointly regulations and guidelines for financial institutions and creditors to identify possible risks of identity theft.\48\ --------------------------------------------------------------------------- \48\ 15 U.S.C. 1681m(e). --------------------------------------------------------------------------- Third, the Commission will continue and strengthen its efforts to empower consumers by providing them with the knowledge and tools to protect themselves from identity fraud and to deal with the consequences when it does occur. As discussed above, new consumer rights granted by the FACT Act should help consumers minimize the damage. Finally, the Commission will continue to assist criminal law enforcement in detecting and prosecuting identity thieves. The prospect of serious jail time hopefully will discourage those considering identity theft from perpetrating this crime. The Commission looks forward to continuing to work with Congress to address ways to reduce identity theft. Chairman MCCRERY. Thank you, Mr. Winston. Can you fill us in on what your agency does specifically to try to ensure compliance with the laws that you talked about in your testimony that fall in your jurisdiction? Mr. WINSTON. Well, we go about it in many ways. 
First and foremost, we are a law enforcement agency and we investigate and take action against companies that violate the laws that we enforce, for example, cases against companies that fail to safeguard information that they have. We brought 12 cases to date. We have a number of others under investigation. I think we have sent a pretty clear message to the business community that this is an important requirement. At the same time, we are strong believers in education, both for businesses and consumers. That is always the first line of defense and we work very hard in that regard. Chairman MCCRERY. Ms. Fagnoni, you talked about the fact that many States have enacted laws that restrict the use of SSNs. Can you give us an idea of how those actions by States affect businesses and commerce in those States and maybe even how it affects businesses and commerce across the country? Ms. FAGNONI. The work we did, we had more information about the impacts on different government activities and the ease of getting information. One example of how business and commerce has been affected by these laws is that, particularly when a State like California, a large State such as California enacts a law, for example, the law where any entity where there is a security breach involving information, private information, personal information from somebody who resides in the State of California, the California law is that those individuals have to be notified. Some large companies now have on that basis made it a practice to notify anyone when there is a security breach, regardless of what State they happen to live in, based on, perhaps the pressure and the precedent in having certain laws in place. That is one example where companies have had to adapt and adjust to some of those laws. Having different laws in different States probably can also cause some challenges for people who do business in multiple jurisdictions. 
As I said, a lot of what our studies have shown is that once, whether it is government or private entities become more aware of the ways in which the SSN can be fraudulently used and they start to take actions on their own to better secure the information, they can still continue to use the SSN for the purposes that are very important to commerce. They have a better sense and a clear understanding of the need to protect the exposure of that number beyond the uses for which it is needed. Chairman MCCRERY. Thank you. Would you talk a little bit about the Internet and the availability of SSNs on the Internet? Should we be looking at some new Federal laws regarding public display of SSNs? Ms. FAGNONI. In the work we did looking at government and selected private sector use of SSNs, we did not find a large percentage of entities that were placing the SSNs on the Internet, particularly in the local and State government levels. Most of the information that is publicly available through those entities is on paper or microfiche or microfilm and people actually have to go to a location, such as a courthouse or someplace like that, and actually look for the information. We do have some work ongoing right now where we are looking at the information resellers who are selling information via the Internet and we will have some information to report fairly soon on that. It does raise some questions about how carefully some information sellers are paying attention to who is actually asking for the information and what kinds of safeguards are in place to ensure that the information is being provided only to those where it is an appropriate use. Chairman MCCRERY. Thank you. Mr. Becerra? Mr. BECERRA. Thank you, Mr. Chairman, and thank you to the two of you for your testimony. Let me ask a question and revert back to the testimony of our two colleagues who were just here and talked about using the SSN for purposes of trying to determine one's eligibility to work in this country. 
Any comments on what you heard in the discussion that took place among the Members on that particular proposal? Ms. FAGNONI. We don't really have work that would comment on it directly, but there is a difference. First of all, they were talking about having a card that was tamper-proof, and there are all sorts of issues associated with looking at the different options and what would be appropriate and what the cost would be. There also is an issue which somebody raised about the information on the card which is only going to be as good as the information in the databases in DHS and SSA. We have reported on the fact that to the extent that, for example, information about somebody's visa status, if that is not kept up to date and isn't updated somehow through the encryption, then that is going to limit the usefulness of the database. There is a whole separate issue on the deterrent effect, which I really can't comment on. Mr. BECERRA. Okay. Mr. WINSTON. I found the discussion very interesting and I thought the point that you made actually was the one that I was thinking of, as well, and that is you can have a national number for immigrants or even for citizens, but any time you have a number that is the key to benefits, it is going to potentially be something that is valuable to identity thieves. The trick is to find a way of identifying people and authenticating who they are without having that information get in the hands of the wrongdoers and that is a very difficult task. Mr. BECERRA. As we explore how we can better protect the SSN, is there something that we have learned in these examinations about best practices or what some either public or private sector agencies, enterprises are doing to try to protect the number, anything that you can tell us that can help us with regard to this ongoing examination? Ms. FAGNONI. Keying off Mr. 
Winston's testimony, in the work we did where we looked at four sectors--banking, financial institutions, telecommunications, and tax preparers--it was clear that because of the laws and the regulatory structure surrounding the banking and financial institutions industries, there are a lot more protections in place regarding the protection of personal information, including the SSN. Particularly in telecommunications, there really are no laws that are designed to explicitly ensure that telecommunications companies are protecting SSNs. The companies are relying on individual contracts and things like that. As a matter for the Congress, one option would be to look at regulatory structures in terms of protecting information and consider whether or not those could be more broadly applied, or conversely, to look at some other specific sectors that don't now have laws in place that might warrant them. Mr. BECERRA. Let me ask just one last question, and if you wish to comment on something else, that is fine so long as I have time. I am not sure how to phrase it. Do we need to have one identifier, or should we ask all these various industries to have their own identifiers? The banking industry or financial services, you all keep an identifier that is for your purposes. Credit bureaus, those who are checking status of your demographic, your activities, whether purchasing or doing anything else, you keep your own number. The Federal Government, you keep your own number. State, driver's license and all the rest, you keep your own number. Should we have one, or should we, for purposes of trying to make sure we don't have a number that can be stolen or has that value if it is stolen, should we try to move toward something that says, you all keep your own numbers and that way no one can steal that much value from an individual when they get that identifier? Ms. FAGNONI. 
The reason the SSN is so valuable is because often, and I am sure you will hear this from the next panel, somebody who is trying to check somebody's credit or make sure that the individual they are talking to is the appropriate person and they should be sharing certain information, the only way they can ensure somebody's identity, looking across different kinds of pieces of information, is through that common identifier, the SSN. At the same time, though, we have a lot of examples where more and more kinds of entities are moving away from the display of the SSN. I think there is a difference between needing it and protecting it because it is a very important way to protect against fraud. At the same time, whether it is a driver's license or a health care card or whatever, over the past several years cards that routinely used SSNs now either first voluntarily and then now routinely across the board use other special identifiers unique to that particular entity for display purposes. They still have that SSN, behind the scenes that they need for data matching and things like that. Mr. WINSTON. I would just add very briefly, I agree with that, and there is a lot we can do to convince people to stop using SSNs when they don't need to, but at the same time, we have to look at the back end, and the back end is somebody appears before you with an SSN and wants to take out a loan. How do you make sure that person is who he says he is? It is the fact that the SSN is being used for that purpose, as well as for the identification purpose, that creates the problem. That is the key that unlocks the door to identity theft. The more we can go to systems of passwords, PINs, and get away from using the SSN as the authenticator, I think the better we will be. Mr. BECERRA. Thank you. Thanks very much, Mr. Chairman. Chairman MCCRERY. Mr. Brady? Mr. BRADY. Thank you, Mr. Chairman. A couple of questions, three, really. The first two are fairly direct. Identity theft is such a big issue. 
What percentage, would you guess, of identity thefts start with a stolen SSN? Mr. WINSTON. I can talk about the surveys we have done and that others have done, which indicate that about two-thirds of identity theft is what is called account takeover, and that is where somebody gets your credit card number or your bank card number and gets into your account. Typically, that doesn't require an SSN to do. The other one-third is new account fraud, where they actually go out and open a new account in your name. Typically, although not always, typically, you need an SSN to do that kind of fraud. It is about one-third. Mr. BRADY. That leads right to the second question. What is the most common way of obtaining a stolen SSN? Is it a stolen card? Is it mail theft, computer hacking, information resellers? What is the most common of those, would you guess? Mr. WINSTON. It is a little hard to tell from the surveys because most people don't know how their identity was stolen in the first place. They just know it happened. They don't know who did it. They don't know how it got done. If you look at just the data for people who do know what happened, you find that most of it is done through lost wallets or friends, relatives who get a hold of your information. That is not necessarily representative of half or more of the people who don't know. There are a lot of potential sources. It is really hard to tell what is the biggest. Mr. BRADY. A final question. Part of the, I think, complexity is the issue of information resellers. Even if we are able to sort of contain this issue at the source, as it gets sold, integrity becomes less and loose and things happen. I will ask both of you, who is responsible for ensuring that information resellers and financial institutions and those to whom they sell SSNs only disclose according to the law and who monitors it and what kind of resource do we use to tackle that problem? Ms. FAGNONI. 
Well, quickly, initially, who has authority, if anyone, is dependent on what industry is involved, and that is where we found, at least of the four industries we looked at and other examples we have, it varies. It is based on the laws that regulate that particular industry. In some cases, information resellers, for example, consider themselves to be financial institutions and therefore subject to the different kinds of laws regulating that industry. In other cases, they don't and it is honestly not clear if there is any regulatory framework.

Mr. WINSTON. Just to elaborate on that, generally speaking, resellers get SSNs from credit bureaus. Credit bureaus get it from financial institutions. That is subject to the Gramm-Leach-Bliley Act (P.L. 106-102). There are restrictions on people who buy information from resellers in how they can use--how they can get the information and how they can use it. We are responsible for enforcing that law as to the non-bank entities. The banking agencies are responsible for the banks.

Mr. BRADY. How much resource do you put toward that?

Mr. WINSTON. We have a new division at the FTC, the Division of Privacy and Identity Protection, which is devoted solely to issues of identity theft, consumer privacy, ensuring that consumer information is protected. We have a staff of about 30 people who are looking at these issues and enforcing the law.

Mr. BRADY. For your agency, can you guess or do you know how many businesses have been investigated, information resellers, for example, or businesses using it fraudulently have been investigated and successfully prosecuted?

Mr. WINSTON. There have been a number, but the most recent case against Choice Point is a good example.

Mr. BRADY. Sure.

Mr. WINSTON. Choice Point is one of the largest data brokers in the country and they didn't have procedures in place to ensure that the people who called them up to buy SSNs and other information were legitimate. As a result----

Mr. BRADY.
Thankfully, that got a lot of attention, but are we talking about thousands of businesses across the country are investigated, hundreds are investigated, dozens are investigated?

Mr. WINSTON. Keep going.

[Laughter.]

Mr. BRADY. Getting a little smaller, isn't it.

Mr. WINSTON. We are a small agency. I don't know what the number would be. It is certainly not in the hundreds or thousands. That is all we can--that is all that we have the resources to do.

Mr. BRADY. Thank you, Mr. Chairman, and thank you, both panelists.

Ms. FAGNONI. Thank you.

Chairman MCCRERY. Thank you, Ms. Fagnoni. Thank you, Mr. Winston. Our next panel is Nicole Robinson, North Atlantic Coast Volunteer Coordinator, Identity Theft Resource Center, San Diego, California; Mary McQueen, on behalf of the Council of State Court Administrators, Williamsburg, Virginia; Erik Stein, member of BITS Fraud Reduction Steering Committee; Stuart Pratt, President and CEO of Consumer Data Industry Association; and Bruce Hulme, Legislative Director, National Council of Investigation and Security Services from New York. Welcome, everybody. The same rules apply. Your written statements will be included in the record in their entirety, but we would ask you to summarize those statements in about 5 minutes. We will begin, Ms. Robinson, with you. Thank you for coming. You may begin.

STATEMENT OF NICOLE ROBINSON, NORTH ATLANTIC COAST VOLUNTEER COORDINATOR, IDENTITY THEFT RESOURCE CENTER, SAN DIEGO, CALIFORNIA

Ms. ROBINSON. Good afternoon, Mr. Chairman, Members of the Committee. Thank you for the opportunity to testify on behalf of this very important topic. My name is Nicole Robinson, and besides being the North Atlantic Coast Coordinator for the Identity Theft Resource Center, I am also a victim of identity theft, and I want to start first off to tell you--try to be brief about my identity theft case.
It first started in 2000 and I was notified by a fraud investigator, Kay Jewelers said someone had used my SSN to open an instant credit account. That first night, she bought watches and a ring totaling $2,300. The next night, she came trying to max out the account and they were alerted to it because people don't usually do that with jewelry store accounts. Well, I contacted the three credit reporting agencies on that Monday. It was very difficult to get my credit reports because she had used different addresses in Texas and I couldn't get my own credit reports. I soon came to find out that she had applied for a personal loan at my mortgage lender. She was picked up by the Bear County police getting a personal check in my name. My mortgage lender never contacted me, although they knew they held a mortgage for me in Maryland and she was in Texas. The police let her go that day. She promised that she wouldn't do it again. She cried. She said she didn't know what she was doing was wrong and they let her go home. After that, since she knew I had a mortgage, she applied for a mortgage several days later. She continued to apply for credit, even though she had been picked up by the police. She, in a 3 month period, got $36,000 in goods and services. She had a Geico car insurance policy in my name and Geico would not give me the VIN number off the vehicle so I could track back to the dealership that sold it because they said they had to protect her privacy. As time went on, she was eventually indicted and she pled guilty to two counts of misusing my identifying information. She served no time in jail. She was ordered to pay restitution. I have only seen a small portion of the restitution thus far. As time has gone, I have borne the burden of her theft of my identity. I continue to get her collection notices at my home in Maryland. 
As recently as last summer, I got a collection notice from a collection agency where Nicole Robinson--and that is her name, her name is Nicole Robinson, as well--she had gone to a dentist in Texas while she was in police custody and had a tooth extracted. Well, of course she didn't pay for it and so the collection agency started to look for her. Instead of finding her in Texas, they sent a collection notice to my home in Maryland. I have continued to get collection notices for bad checks that she has written. I also get preapproved credit card offers at my home in her name, and the only reason why I know it is for her is because we have a different middle initial and they always come with her middle initial. As I started to get my credit reports, in 2004, I got a 54-page credit report. It had 170 accounts on it. A hundred-and-thirty of them were in collections. It had 42 different names and 65 different addresses. I was notified by another credit reporting agency that my SSN resided on five different credit reports. Even as recently as this year, when a mortgage broker ran my credit report, her bad debts, even a judgment from an apartment complex in Texas, is on my credit report, and it is not on the credit reports that the credit reporting agency sends to me, but it is on the credit report that they disclose to the lenders. As a result of me being a victim of identity theft, I do speak to consumer groups about protecting your SSN. The way my SSN was stolen by Nicole Robinson is that she worked for a business called Care Mark, and Care Mark used to provide mail-in pharmaceutical services for a law firm where I used to work. Even though I was no longer an employee of the law firm, she still had access to my information in their databases.
I ultimately found out that she used the SSN of several people named Nicole Robinson and she was able to get cars and jewelry, and when she bought a vacuum cleaner, somebody reported to the police in Texas that she had a warehouse full of stuff that she had stolen. I just want to go over briefly some of the recommendations from the Identity Theft Resource Center on securing data. We realize that businesses do use the SSN. It is so much a part of what a lot of businesses do. We think that businesses should take extra precautions to secure the SSN. In my case, Nicole Robinson had access to my SSN years after I was a member of the health plan that required me to use my SSN as an identifier. She should have never had access to that number because I was no longer a member of that plan. Even if she had access to my records, my SSN should have been redacted in whole or in part. We believe that consumer education is key. A lot of people don't see the risk in carrying their Social Security cards in their wallets and we believe that when you get your annual statement from the SSA, there should be a consumer alert on there about protecting your SSN. We also believe that businesses should assume responsibility for the protection of your SSN. If they require it, they should also protect it. Thank you very much.

[The prepared statement of Ms. Robinson follows:]

Statement of Nicole Robinson, North Atlantic Coast Volunteer Coordinator, Identity Theft Resource Center, San Diego, California

Members of the committee:

Thank you for the opportunity to provide both written and oral testimony for your committee today and for your interest in the topic of identity theft. The oral portion of our testimony will be provided by Nicole Robinson, a survivor of identity theft, and the highest ranking ITRC volunteer on North Atlantic Coast.
The nonprofit Identity Theft Resource Center (ITRC) is passionate about combating identity theft, empowering consumers and victims, assisting law enforcement, reducing business loss due to this crime and helping victims. We also realize that you are in a difficult position of trying to impose laws that may impact consumers, business and government. However, ITRC firmly believes that it is possible to find a balance between the creation of strong identity theft laws to protect consumers and businesses and allowing the business community to flourish and grow. It is critical that all parties be considered in any legislation you pass and in all of your deliberations. After all--In each case of Financial Identity Theft there are at least two sets of victims--the individual whose SSN was used and the business that has lost services, goods or money. We are all victims of this crime and we appreciate your time in addressing this issue. We are honored by your invitation and will continue to make our opinions available upon request to your representatives over the next few months as you grapple with this complex crime and its many issues.

Introduction:

Governmental agencies at all levels, businesses and consumers have for ease and convenience tied and associated many critical elements of daily life to the individual Social Security Number (SSN). The individual number is the primary key to the individual's credit history, work history, education and health information. You must have one to work, gain tenancy, credit and to identify individuals on tax forms. More and more businesses and entities are collecting personal information about each and every one of us. These can range from your bank to the soccer league that your child plays in. Add to that number the schools where you or your child attended, all the job applications you have ever filled out, the Funeral Home that is preplanning your final arrangements and the many health facilities that you have used.
Some veterinarians, self-storage units and even car rental companies ask for SSNs. In some cases there is a valid reason to collect the information and the Identity Theft Resource Center holds that it should be allowed to continue. Our concern lies not in the collection of the Social Security number but in the use, storage, access and misuse of this key information. It must be noted that the crime of identity theft is not a particularly new crime. It is more that in the current environment of electronic credit and business, identity theft has become extremely profitable and safe for the thief. The thief faces little chance of apprehension with minimal penalties for the theft of thousands of dollars. Each day the thieves grow more accomplished at their task. Now it is time for businesses, governmental agencies and consumers to adopt a more proactive position on the value of the Social Security number as a marketable commodity. Consumers need to realize it has value. Businesses and governmental entities need to accept responsibility for this item of value, the Social Security number. We need to create a plan that focuses on all involved parties and not just on the business community. Numerous surveys have proven that consumers do not feel trust for companies or the government proactively protecting their personal identifying information. They believe, with cause, their information is accessible to too many people and handled without protection. In order to increase customer, employee and client trust, new security processes must be implemented as soon as possible.

Findings and Recommendations:

SSN as an identifier on items in wallets

Finding: Too many people carry their Social Security number on their person, in the form of the actual Social Security card, health insurance cards, Military ID cards, employee id cards or Medicare/MediCal cards and driver's license numbers.
Wallets are primary targets by identity thieves, pickpockets and drug addicts who hope to profit from this information.

Recommendation: The Social Security number should not be used as an identifier in any circumstances and should never be on cards carried in the wallet, even on the magnetic strip due to improvements in skimming technology. Randomized numbering systems should be used that match the SSN in a well-protected database when necessary such as for Medicare benefits.

Consumer Education

Recommendation: That all Social Security cards come with an advisory with the original card and that this advisory should also be sent out yearly with the person's work benefit statement. This advisory should include under what circumstances one should give out a SSN, when not to, a telephone number to call with questions or to file complaints, and not to carry a SS card in one's wallet, palm pilot or laptop.

Recommendation: That the SSA work with other governmental and private entities to continue to educate consumers about scams that involve the SSN. A study of the SSA site only included one scam warning as of the beginning of March 2006.

Overcollection/misuse of the SSN

Recommendation: Too many companies are unnecessarily asking for a person's SSN. While it may not be practical to limit the collection of the SSN, a blanket liability should be incurred by all entities that collect this information from an individual or secondary source. It is not unreasonable for any individual to expect basic standards of protection of the information obtained by the entity doing the collection. Federal, state and private right of actions should be included in any bill considered in order for there to be effective encouragement to self-enforce these standards.

Information Security

Finding: The number of publicized security breaches during 2005 clearly indicates a serious problem.
Whereas it is not possible to build an impenetrable security system around data, it is clear that companies and governmental agencies need to have a tighter control on information. This rule cannot just apply to businesses. All governmental agencies need to be held to the same standard and be a leader in this movement.

Recommendation: Companies and all levels of governmental agencies should be required to do an information risk assessment of both paper and electronic documents containing a Social Security number. This assessment should include the ability to follow information from the point of entry to beyond disposal, including the auditing of any person, department or storage space. A written policy should be designed that limits access to the SSN, describes the protection of the information and how information should be destroyed. ITRC strongly recommends a breach notification similar to California's or New Jersey's current laws.

SSN as an identifier for customers or employees

In order to limit access of an individual's SSN, all companies should assign a separate account number and the SSN should never be seen on a call center screen by an employee of the company. There are many other ways, including passwords, to verify a person's identity.

Document Disposal

Finding: A popular spot identified by law enforcement and other investigative entities is the unshredded documents and data recklessly discarded into or near trash cans and dumpsters. Only several states have passed mandatory document disposal laws stating that paper and electronic documents must be rendered unreadable prior to disposal.

Example: A recent situation occurred in Los Angeles when the Department of Social Services had boxes of medical records, application forms and other documents with SSN put in boxes by a trash can. These documents never had been shredded but were being sent whole to China for recycling.
Unfortunately they were also seen blowing in the wind and people went through boxes for information knowing they were out there.

Recommendation: A law that states that all documents, no matter what form they are in, must be rendered unreadable prior to leaving the entity that no longer wishes to store them.

Educational Facilities and SAT testing

Finding: In 2005 more than half of the disclosed breaches were educational facilities, mainly colleges and universities. The University of Colorado had 4 breaches in the last 14 months. After speaking with IT departments and administrators at several of these colleges, it is clear that changes need to be made. Parents send children to colleges to help them on their career paths. One identity theft problem can stop a future before it begins.

Recommendations: First, SSN should never be a student's public identification number, computer access number or publicly used for any other purpose. These steps will significantly limit the number of professors who have lost or had laptops stolen with student numbers and stop rosters with names and SSNs from circulating classrooms.

Second, no one other than a few departments that are involved in payroll, student loans, scholarships and such should have access to the student's SSN. While it is easy to track a student by SSN it is easy to have that information securely stored in a database with limited access so that when a student asks for a transcript or school records they can be found. However, the SSN should never be printed in full on any document sent through the mail.

Third, the ``College Boards,'' the company that does SAT testing must immediately stop asking students for SSN and stop placing them on mailing labels. ITRC has had numerous calls about this activity.
Immigrants who no longer need or wish to have a SSN

Finding: ITRC has heard from a number of people who lived in the United States for a limited period of time or have moved from the United States to live permanently in another country. They would like a way to prevent any possible use of their SSN now that they no longer need it.

Recommendation: The creation of a national credit freeze program would not only help victims of identity theft and businesses from giving cards to thieves but would also solve this problem. However, that only solves the financial side of the problem. Other solutions would have to be found within the SSA so that those numbers would be tagged as inactive for employment or benefit purposes.

SSN of the Deceased

Finding: According to the SSA not all deceased individuals are on the Master Death Registry. It is partially consumer driven (change in benefit status) and partially populated by some states that do report all deaths to the SSA.

Recommendation: All governmental agencies that issue a death certificate should report that death to the SSA either directly or via a state program. Since this Registry is available to the credit reporting agencies and Department of Motor Vehicles this would significantly stop the use of a dead 7 year old's SSN by an adult.

SSNs sent through the mail

Finding: ITRC receives numerous inquiries from parents who never receive their newborns' Social Security cards. Either they have been lost or intercepted by a would-be identity thief.

Recommendation: After talking with the Chief Privacy Officer of the U.S. Postal Service, there are a number of ways that the Post Office and SSA can work together to help insure the delivery of these documents. ITRC recommends that a committee be formed and a new procedure implemented within six months.

Finding: Companies still send information via the U.S. Mail with SSNs on mailing labels or in the body of the letter.
In some cases it would be clear to an identity thief that this envelope contains valuable information.

Recommendation: That mailing labels may never include a SSN and that when a SSN is included in the body of a document that it must be partially truncated.

IRS and selling of information

ITRC would be remiss if it did not comment on the plan being considered by the IRS to allow the sale by tax preparation services of our tax returns or personal tax information. Many people get numerous papers from tax preparers and just sign them. They go unread or may be beyond an individual's reading ability. This proposed plan must not be implemented. It creates another public record that will benefit thieves more than anyone else. If this must be allowed then there can be no allowances for acceptance of any release that is not clear and specific.

Public Records

Recommendation: The SSN should never be published on the Internet by a business or governmental entity including court records. In response to those who state they need that information, it can be specifically requested of the court, with appropriate redaction of unnecessary information that may place the individual in harm's way. This includes witness and victim information, family records during custody and divorce hearings and bankruptcy hearings.

Recommendation: In a court proceeding where information must be exchanged between opposing sides, the SSN should be at least partially redacted in order to protect the sanctity of that number.

New Laws--A Standard and not the Ceiling

The concepts discussed above are intended to benefit business and consumers. While we understand that companies don't want to deal with 50 different laws, it is also important to note that some states want to hold state and local governmental agencies and businesses to a higher standard than the ones recommended above.
Any federal law should be a standard, to cover those citizens in states currently without information protection statutes and not pre-empt stronger state laws.

In Conclusion:

Protecting Social Security numbers from identity thieves needs to be everyone's job--not just the consumers. We need businesses and governmental agencies to work cooperatively with consumers to keep this valuable number out of the hands of those who have no regard for the damage they cause individuals and companies. Businesses cannot afford to continue to lose money to identity thieves. While the numbers discussed in terms of fraud loss may sound like a trickle now, it is going to worsen. Identity thieves are more sophisticated, meth addicts have turned to this crime for money for fixes, and information trafficking is big business. Without required control procedures for the handling of Social Security numbers, this crime will worsen and our economy will suffer. It's going to require the reeducation of consumers, businesses and governmental agencies. It's going to require new behavior patterns, new ways of controlling information in the workplace and strict vigilance against new trends and attacks. The proactive and not reactive protection of the Social Security number is in your hands. This small nine-digit number has the ability to destroy a company or an individual when misused. It is clear that some states have taken great strides to protect consumers. Unfortunately some business groups believe that anything that will benefit consumers will harm them and have fought change. Consumers blame businesses. This is not a time for finger pointing. The blame game must end. We must be on the same team fighting a battle against this Goliath if we are to win. We must realize that we are one people and anything that harms one of us harms us all. Thank you for your time and interest.

Linda Foley
Jay Foley

Chairman MCCRERY. Thank you, Ms. Robinson. Ms. McQueen?

STATEMENT OF MARY C.
McQUEEN, PRESIDENT, NATIONAL CENTER FOR STATE COURTS, ON BEHALF OF THE CONFERENCE OF STATE COURT ADMINISTRATORS

Ms. MCQUEEN. Thank you, Mr. Chairman, Mr. Levin, Members of the Subcommittee. I am Mary McQueen. The Conference of State Court Administrators is pleased to present testimony on today's hearings before this important Committee. Before I begin my remarks, I would like to provide some background about who that group is, and I submit testimony on their behalf. I am a former member of the Conference of State Court Administrators, having served as the Chief Administrative Officer for the court system in the State of Washington for 25 years, and most recently assumed the position as the President for the National Center for State Courts. The National Center operates in coordination with the Conference of State Court Administrators and Chief Justices in a similar way that the Federal Judicial Center operates with the Federal judiciary. The Conference of State Court Administrators and the Conference of Chief Justices represent the top judicial officials and chief administrative officers in the 58 States, Commonwealths, and U.S. Territories, and we work very closely together with the chief justices to develop best practices to improve the administration of justice. You may know that more than 98 percent of all judicial proceedings in the United States are in State courts that consist of over 30,000 judges and over 16,000 courts. Mr. Chairman, let me begin by informing you that the State courts have taken several important steps to protect individual privacy and we share the Committee's concerns. The State courts hope to partner with the Chair and the Members of this Subcommittee in your efforts to increase those privacy steps. A question we are always asked is why do State courts need SSNs? What is the State courts' interest in collecting those numbers, and why do State courts require parties to provide them in litigation?
I would like to just briefly identify five different uses of the SSN in State courts. The first and obvious one to those of you who are members of the bar is to ensure that accurate information is placed before a fact finder. We want to ensure, especially in family law cases, that we have access to the information that is necessary to determine child support, to distribute property, and to determine paternity. Secondly, we also need to identify the parties. Courts often use SSNs to identify criminal defendants that lack fingerprint information. We also use SSNs to enforce judgments in court orders. Courts often order restitution or the repayment of fines as a legal judgment, and SSNs have become the universal commercial identifier for use in monetary penalties. Litigants' SSNs are also necessary for use in State income tax intercept programs, where outstanding monetary judgments are deducted from State income tax returns. Federal law now requires State courts to place a party's SSN in records relating to divorce and child support decrees, and in October 1999, that requirement was extended to require SSNs for all children to whom support is required to be paid. We also need SSNs to create jury pools and to pay jurors. It requires us when we issue a check to jurors that that income is reported, and we are required to have SSNs for those individuals. Finally, we use SSNs to notify the SSA of incarcerated and absconded persons. The SSA cuts off payments to persons incarcerated in all Federal, State, and local prisons or jails who are fugitives from justice and they need to identify those persons. While traditionally that information comes from correctional agencies, the courts initially provide those agencies with that information. As previously mentioned, the Welfare Reform Act (P.L. 
104-193) does require courts to collect SSNs on court orders granting divorces, providing for child support, or determining paternity, and SSNs can appear in many financial records, such as tax returns, which are required to be filed in many court proceedings. We were encouraged by some of the language that accompanied H.R. 2971 in the report dealing with incidental versus non-incidental appearances of SSNs on public records and we would encourage that if you move forward, we would like to work with you on looking at some of those provisions. In drafting Social Security legislation, we respectfully request that you ask members of the court community to participate in those discussions. Finally, in an effort to increase privacy and reduce the possibility of identity theft from court documents, the chief justices and the State court administrators have established a Standing Committee on Court Privacy and Access to Court Records. They have adopted national guidelines and model court rules, and we have identified three best practices. I would draw your attention to our visual aid here. These best practices include creating basically two sets of records. The State of Washington, the States of Michigan, Vermont, and South Dakota have adopted this approach, where basically in the types of records that incorporate sensitive information as well as SSN, there is a special procedure for sealing this information, placing them in a separate file, and when someone comes to the counter and asks to see the court file, those records are removed in the envelope and not provided to the public. We have also identified a best practice that we give an alert to the filing parties and make sure that they know they are responsible for including any SSNs in the documents that are filed and make sure that on all court model forms, that everybody uses, that there is an alert saying your SSN may be available, so please consider not including that.
Also, as part of the two sets of records, several States have identified confidentiality filing forms, where you put that information on one sheet, not incorporate it into the court documents, and that one sheet is sealed. Finally, when requiring SSNs, we have recommended that you only use four digits that would appear in the court record. Mr. Chairman, we recognize the threat of identity theft as real. We commit that the State courts want to do our part in eliminating that opportunity. I have presented several reasons why the courts utilize SSNs as well as the solutions that we are working to implement. Thank you for allowing us to participate in this discussion and I will be happy to answer any questions you may have.

[The prepared statement of Ms. McQueen follows:]

Statement of Mary C. McQueen, on behalf of the Council of State Court Administrators, Williamsburg, Virginia

Mr. Chairman and Members of the Subcommittee,

The Conference of State Court Administrators (COSCA) is pleased to present testimony on today's fifth in a series of hearings on Social Security Number High Risk Issues.

SUMMARY

Mr. Chairman and members of the subcommittee, the state court community has been grappling with the issue of protecting privacy as it relates to court records for the past few years. We are taking a proactive stance in protecting the privacy of individuals and their social security numbers, while at the same time maintaining traditional open court access. Today, we will share examples of what state courts are doing on this via the approval of court rules. In collaboration with the Conference of Chief Justices (CCJ), we established a project entitled ``Public Access to Court Records: CCJ/COSCA Guidelines for Policy Development by State Courts,'' which outlines the issues that a jurisdiction must address in developing its own rules, and provides one approach.
The Guidelines touch on the use of social security numbers (SSNs) in court records as well as other private information. The entire text of the Guidelines can be found online at http://www.courtaccess.org/modelpolicy/18Oct2002FinalReport.pdf. Both CCJ and COSCA adopted a resolution endorsing the Guidelines and urged the states to address them.

Mr. Chairman, SSNs are pervasive in state court documents and procedures. The testimony that follows gives the subcommittee numerous examples of how we use SSNs in day-to-day court proceedings. For example, we use SSNs to ensure that judges have the best evidence available to them. We also use SSNs to collect fines and restitution. In addition, many SSNs appear in the public record in many types of court cases including, but not limited to, bankruptcy, divorce and child support cases. My testimony also details the federal requirements imposed on us to collect SSNs for various reasons, for example, to track parents who are not paying child support.

Mr. Chairman, we stand ready to work with you to craft solutions to address the problem of identity theft. We want to do our part to eliminate it. We are at the same time concerned about the effort to require us to redact or expunge SSNs that appear in public records. We feel that this type of requirement would impose an unfunded mandate on state courts in this country. The cost to fulfill this requirement would be high because many SSNs appear in paper documents as well as other hard-to-redact microfilm/microfiche.

ABOUT COSCA

Before I begin my remarks, I would like to provide some background on our group and our membership. I submit this testimony on behalf of the Conference of State Court Administrators (COSCA). I am a former member of COSCA having served as State Court Administrator of the state of Washington. The National Center for State Courts, of which I am President, serves as secretariat to COSCA.
COSCA was organized in 1955 and is dedicated to the improvement of state court systems. Its membership consists of the principal court administrative officer in each of the fifty states, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, and the Territories of American Samoa, Guam, and the Virgin Islands. A state court administrator implements policy and programs for a statewide judicial system. COSCA is a nonprofit corporation endeavoring to increase the efficiency and fairness of the nation's state court systems. As you know, state courts handle 98% of all judicial proceedings in the country.

The purposes of COSCA are:

    To encourage the formulation of fundamental policies, principles, and standards for state court administration;
    To facilitate cooperation, consultation, and exchange of information by and among national, state, and local offices and organizations directly concerned with court administration;
    To foster the utilization of the principles and techniques of modern management in the field of judicial administration; and
    To improve administrative practices and procedures and to increase the efficiency and effectiveness of all courts.

Although I do not speak for them today, I also would like to tell you about the Conference of Chief Justices (CCJ), a national organization that represents the top judicial officers of the 58 states, commonwealths, and U.S. territories. Founded in 1949, CCJ is the primary voice for state courts before the federal legislative and executive branches and works to promote current legal reforms and improvements in state court administration. COSCA works very closely with CCJ on policy development and administration of justice issues.

STATE COURTS ARE RESPONDING TO PRIVACY CONCERNS

Mr. Chairman, let me begin by informing you of the progress that many state courts are making to protect individual privacy rights, while maintaining the American tradition of open courts.
Through court rules, state court systems are changing their procedures for viewing and accessing court records as they relate to the appearance of social security numbers. Washington State, for example, is establishing a procedure for ``sealing'' family case court records containing privileged information such as social security numbers and financial information. In effect, Washington is creating two sets of records: a public and a private one. Vermont is placing the burden on parties to expunge or redact social security numbers from papers filed with the court. Minnesota is requiring that parties in a divorce case fill out a confidential information sheet, which contains social security numbers, to be kept separate from the official record. South Dakota adopted a rule that protects SSNs and financial account number information by requiring these numbers to be redacted from documents and submitted to the Court on confidential information forms. As an example, I am attaching the South Dakota rule along with their required confidential information sheet to the end of my testimony. In addition to the proactive stance we are taking to this issue, we are also responding to some of the demands placed on our court systems by state legislatures and governors. In 2005, 53 bills were signed into law by governors dealing with social security number privacy. That's 17 more than in 2004; an increase of 46 percent. These bills range from simple prohibition of displays of SSNs on public records to new expansive criminal and civil statutes that punish wrongdoers and those that traffic in social security numbers as a means to steal a person's identity. Activity in this area has not diminished in the current year. In the ongoing 2006 sessions, state legislatures are considering 176 measures dealing with social security numbers and privacy. Again, this number is an increase over the prior year. 
At the direction of the CCJ and COSCA leadership, we established a special subcommittee of the CCJ/COSCA Court Management Committee to explore privacy protection innovations and share them with the Congress and the Administration. This committee meets twice a year at our annual and mid-year meetings. This subcommittee has been researching the issue and is responsible for compiling examples of best practices in this area that I am presenting today.

NATIONAL EFFORT TO CRAFT PUBLIC ACCESS GUIDELINES TO COURT RECORDS

Our project entitled, ``Public Access to Court Records: CCJ/COSCA Guidelines for Policy Development by State Courts'' was a joint effort of CCJ/COSCA and the NCSC to give state court systems and local trial courts assistance in establishing policies and procedures that balance the concerns of personal privacy, public access and public safety. The State Justice Institute (SJI) funded this project in 2001 and it was staffed by the NCSC and the Justice Management Institute. The project received testimony, guidance and comments from a broad-based national committee that included representatives from courts (judges, court administrators, and clerks), law enforcement, privacy advocates, the media, and secondary users of court information. The Guidelines recommend the issues that a jurisdiction must address in developing its own rules governing public access.
The Guidelines are based on the following premises:

    Retention of the traditional policy that court records are presumptively open to public access
    The criteria for access should be the same regardless of the form of the record (paper or electronic), although the manner of access may vary
    The nature of certain information in some court records is such that remote public access to the information in electronic form may be inappropriate, even though public access at the courthouse is maintained
    The nature of the information in some records is such that all public access to the information should be precluded, unless authorized by a judge
    Access policies should be clear, consistently applied, and not subject to interpretation by individual courts or court personnel

The Guidelines Committee examined the use of SSNs in current court practices. They looked at the inclusion of SSNs in bulk distribution of court records, and in other private information that courts traditionally protect, such as addresses, phone numbers, photographs, medical records, family law proceedings, and financial account numbers. Finally, the Committee examined various federal laws and requirements governing SSN display and distribution by state and local entities.

On August 1, 2002, CCJ and COSCA endorsed and commended ``the Guidelines to each state as a starting point and means to assist local officials as they develop policies and procedures for their own jurisdictions.''

STATE COURTS' INTEREST IN COLLECTING AND USING SOCIAL SECURITY NUMBERS

A question we are often asked is why do state courts utilize SSNs? What is the state court interest in collecting SSNs? Why do state courts need to require parties to provide their SSNs in the course of state court litigation? The following are some of the reasons we use them:

Accurate determination of assets/income

Judges need the most accurate information on assets and income when making their decisions, especially in family law cases.
In many instances this involves examining assets by a social security number. There are numerous examples of individuals giving a false social security number to avoid paying child support, for example. The same logic applies in dealing with divorce cases in dividing assets.

Identification of parties

A growing number of court systems are using case management information systems in which an individual's name, address, and telephone number are entered once, regardless of the number of cases in which the person is a party. The advantage of these systems is to be able to update an address or telephone number for all cases in which the person is a party by a single computer entry. SSNs provide a unique identifier by which court personnel can determine whether the current ``John Smith'' is the same person as a previous ``John Smith'' who appeared in an earlier case. Courts have often used SSNs to identify criminal defendants as well as parties to civil cases. In the future, persons accused of crime will be identified by automated fingerprint identification systems (AFIS) which scan fingerprints and classify them electronically. The primary future need for SSNs as a means to identify individuals will therefore be in civil, not criminal, litigation.

Collection of fees, fines and restitution by courts

SSNs are the universal personal identifier for credit references, tax collection, and commercial transactions. When courts give a litigant an opportunity to pay an assessment resulting from a judgment in periodic payments, the court needs to be able to function as a collection agency. Having the convicted person's social security number is necessary for use of state tax intercept programs (in which a debt to the state is deducted from a taxpayer's state income tax refund) and other collection activities.
Some states use additional means to enforce criminal fines and restitution orders, such as denial of motor vehicle registration; SSNs are often used for these purposes as well.

Creation of jury pools and payment of jurors

SSNs are a necessary part of the process by which multiple lists (for instance, registered voters and registered drivers) are merged by computer programs to eliminate duplicate records for individual citizens in the creation of master source lists from which citizens are selected at random for jury duty. Duplicate records double an individual's chance of being called for jury duty and reduce the representativeness of jury panels. Some courts use SSNs to pay jurors as well.

Making payments to vendors

SSNs are used as vendor identification numbers to keep track of individuals providing services to courts and to report their income to state and federal taxing authorities.

Facilitating the collection of judgments by creditors and government agencies

Courts are not the only entities that need to collect judgments. Judgment creditors need SSNs to locate a judgment debtor's assets and levy upon them. Courts often require that the judgment debtor make this information available without requiring separate discovery proceedings that lengthen the collection process and increase its costs. Federal law now requires state courts to place the parties' SSNs in the records relating to divorce decrees, child support orders, and paternity determinations or acknowledgements in order to facilitate the collection of child support. On October 1, 1999, that requirement was extended to include the SSNs of all children to whom support is required to be paid.

Notification to the Social Security Administration of the names of incarcerated and absconded persons

The Social Security Administration cuts off all payments to persons incarcerated in federal, state or local prison or jails, and to persons who are currently fugitives from justice.
The savings to the federal budget from this provision are substantial. To implement this process, Social Security Administration needs to identify persons who have been sentenced to jail or prison and persons for whom warrants have been issued. The agency has traditionally obtained this information from state and local correctional agencies. See 42 USC 402(x)(3) requiring Federal and State agencies to provide names and SSNs of confined persons to the Social Security Administration. The state courts of Maryland are involved in an experimental program to provide such information directly from court records.

The Maryland program has two additional future advantages for state courts. First, the program offers the possibility of obtaining better addresses for many court records; social security and other welfare agencies have the very best address records because of beneficiaries' obvious interest in maintaining their currency. Second, cutting off benefits may provide a useful incentive for persons receiving benefits to clear up outstanding warrants without requiring the expenditure of law enforcement resources to serve them.

Transmitting information to other agencies

In addition to the Social Security Administration, many states provide information from court records to other state agencies. A frequently occurring example is the Motor Vehicle Department, to which courts send records of traffic violations for enforcement of administrative driver's license revocation processes. These transfers of information often rely upon SSNs to ensure that new citations are entered into the correct driver record.

POTENTIAL LEGISLATION

Mr. Chairman, in the past, this subcommittee has considered various pieces of legislation that would, in some form or another, prohibit the display of a person's social security number on a public record. Blanket prohibitions like these will place courts in the position of trying to comply with conflicting public policies.
We submit the following questions for your consideration:

    The Welfare Reform Law requires courts to collect SSNs on court orders granting divorces or child support or determining paternity. State laws contain similar requirements in other types of cases in some states. What steps must a court take to restrict access to these documents, which are matters of public record in most states?

    SSNs appear in many financial documents, such as tax returns, which are required to be filed in court (e.g., for child support determinations) or are appended to official court documents, such as motions for summary judgments. What steps must a court take to restrict access to these documents, which are also matters of public record in most states?

We were encouraged by language in the report accompanying HR 2971 (Rept. 108-685, Part 1, p. 21) in the 108th Congress dealing with incidental vs. non-incidental appearances of SSNs in public records:

    During Social Security Subcommittee hearings on the bill, court and other public records administrators testified they receive numerous documents filed by individuals, businesses, and attorneys that often include SSNs the government did not require to be submitted, and of which they are therefore unaware. They stated redaction of ``incidentally'' included SSNs would create a serious administrative burden, and it would require significant resources to review each document and redact such incidental SSNs--With respect to SSNs submitted in court documents absent the court's requirement to do so, the individual communicating the SSN in the document, not the court, would be held responsible according to Section 108 of the bill. (Emphasis ours)

In drafting social security legislation, we respectfully ask that you expand on the above sentiments in actual legislative language of any future bill.
Courts will have substantial increased labor costs in staff time to redact or strike the appearance of SSNs in paper records or in microfilm/microfiche if a redaction requirement is imposed. In the event you draft legislation dealing with redaction, we urge you to make a distinction between existing court records/documents and future documents. For example, requiring a court to retroactively redact or expunge old records would be a nightmarish task due to the cost in staff time and the actual compiling of said court records.

Finally, in an effort to make courts and court records more open, many courts are now beginning to make available many public records on the internet either as text/character documents or by scanning and placing them online through imaging software (PDF files). While the removal of SSNs in text/character documents may be relatively easy in some computer generated records (XML), other scanned records, such as PDF files, will be harder to change necessitating more staff and an increase in labor costs.

OUR FUTURE COURSE OF ACTION

CCJ and COSCA have recommended that state courts adopt the following policies, unless state law directs them otherwise, to protect citizen privacy while providing service to litigants:

Official court files

State courts should not attempt to expunge or redact SSNs that appear in documents that are public records. As was mentioned earlier, federal law requires state courts to place the parties' SSNs in the records relating to divorce decrees, child support orders, and paternity determinations or acknowledgement in order to facilitate the collection of child support. The purpose of placing that data on judgments is not just to provide it to child support enforcement agencies; it is also to provide it to the parties themselves for their own private enforcement efforts.
Any other interpretation puts the courts in an untenable position--having an affirmative obligation to provide judgments in one form to parties and child support enforcement agencies and in another form to all other persons. This same reasoning applies to income tax returns or other documents containing SSNs filed in court. It would be unreasonable, and expensive, to expect courts to search every document filed for the existence of SSNs. Further, court staff has no authority to alter documents filed in a case; the social security number may have evidentiary value in the case--at the very least to confirm the identity of the purported income tax filer.

Case management information databases

Data in automated information systems raises more privacy concerns than information in paper files. Automated data can be gathered quickly and in bulk, can be manipulated easily, and can be correlated easily with other personal data in electronic form. Data in an automated database can also be protected more easily from unauthorized access than data in paper files. It is feasible to restrict access to individual fields in a database altogether or to limit access to specific persons or to specific categories of persons. Consequently, state courts should take steps to restrict access to SSNs appearing in court databases. They should not be available to public inquirers. Access to them should be restricted to court staff and to other specifically authorized persons (such as child support enforcement agencies) for whose use the information has been gathered.

Staff response to queries from the public

When court automated records include SSNs for purposes of identifying parties, court staff should be trained not to provide those numbers to persons who inquire at the public counter or by telephone.
However, staff may confirm that the party to a case is the person with a particular social security number when the inquirer already has the social security number and provides it to the court staff member. In short, staff may not read aloud a social security number, but may listen to a social security number and confirm that the party in the court's records is the person with that number. This is the same distinction applied to automated data base searches. This distinction is one commonly followed in federal and state courts.

CONCLUSION

Mr. Chairman, we recognize the role of SSNs in the incidence of identity theft cases. The current state of affairs with regards to the treatment of SSNs provides lawbreakers the continued opportunity to exploit the current system at the expense of ordinary Americans. The threat of identity theft is real and we want to do our part to eliminate it. I have presented several ways our courts utilize SSNs. Finding solutions to protect an individual's privacy will be complex and difficult. Many state courts are already taking steps to fashion solutions in response to the problem. I remind you of the earlier mentioned approaches from Washington, Vermont, Minnesota and South Dakota. Other states are experimenting with different approaches.

Thank you for asking for our input on this important matter. The Conference of State Court Administrators stands ready to work collaboratively and cooperatively to craft solutions to this important issue. I will be happy to answer any questions you may have.

______

Example of South Dakota court rule to protect SSNs from public dissemination

UNIFIED JUDICIAL SYSTEM COURT RECORDS RULE
SDCL ch. 15-15A

SDCL 15-15A-1. Purpose of rule of access to court records.
The purpose of this rule is to provide a comprehensive policy on access to court records.
The rule provides for access in a manner that:
(1) Maximizes accessibility to court records,
(2) Supports the role of the judiciary,
(3) Promotes governmental accountability,
(4) Contributes to public safety,
(5) Minimizes risk of injury to individuals,
(6) Protects individual privacy rights and interests,
(7) Protects proprietary business information,
(8) Minimizes reluctance to use the court to resolve disputes,
(9) Makes most effective use of court and clerk of court staff,
(10) Provides excellent customer service, and
(11) Does not unduly burden the ongoing business of the judiciary.
The rule is intended to provide guidance to 1) litigants, 2) those seeking access to court records, and 3) judges, court and clerk of court personnel responding to requests for access.

SDCL 15-15A-2. Who has access to court records under the rule.
Every member of the public has the same access to court records as provided in this rule, except as provided otherwise by statute or rule and except as provided in 15-15A-7.
``Public'' includes:
(1) any person and any business or non-profit entity, organization or association;
(2) any governmental agency for which there is no existing policy, statute or rule defining the agency's access to court records;
(3) media organizations.
``Public'' does not include:
(4) court or clerk of court employees;
(5) people or entities, private or governmental, who assist the court in providing court services;
(6) public agencies whose access to court records is defined by another statute, rule, order, policy or database access agreement with the South Dakota Unified Judicial System;
(7) the parties to a case or their lawyers regarding access to the court record in their case, which may be defined by statute or rule.

SDCL 15-15A-3. Definition of terms.
(1) ``Court record'' includes any document, information, or other thing that is collected, received or maintained by a clerk of court in connection with a judicial proceeding.
``Court record'' does not include other records maintained by the public official who also serves as clerk of court or information gathered, maintained or stored by a governmental agency or other entity to which the court has access but which is not part of the court record as defined in this section.
(2) Information in a court record ``in electronic form'' includes information that exists as:
    (a) electronic representations of text or graphic documents;
    (b) an electronic image, including a video image, of a document, exhibit or other thing; or
    (c) data in the fields or files of an electronic database.
(3) ``Public access'' means that the public may inspect and obtain a copy of the information in a court record unless otherwise prohibited by statute, court rule or a decision by a court of competent jurisdiction. The public may have access to inspect information in a court file upon payment of applicable fees.
(4) ``Remote access'' means the ability to electronically search, inspect, or copy information in a court record without the need to physically visit the court facility where the court record is maintained.

SDCL 15-15A-4. Applicability of rule.
This rule applies to all court records, regardless of the physical form of the court record, the method of recording the information in the court record or the method of storage of the information in the court record.

SDCL 15-15A-5. General access rule.
(1) Information in the court record is accessible to the public except and as prohibited by statute or rule and except as restricted by 15-15A-7 through 15-15A-13.
(2) There shall be a publicly accessible indication of the existence of information in a court record to which access has been restricted, which indication shall not disclose the nature of the information protected, i.e., ``sealed document.''
(3) An individual circuit or a local court may not adopt a more restrictive access policy or otherwise restrict access beyond that provided by statute or in this rule, nor provide greater access than that provided for by statute or in this rule.

SDCL 15-15A-6. Court records that are only publicly available at a court facility.
A request to limit public access to information in a court record to a court facility in the jurisdiction may be made by any party to a case, an individual identified in the court record, or on the court's own motion. For good cause, the court will limit the manner of public access. In limiting the manner of access, the court will use the least restrictive means that achieves the purposes of this access rule and the needs of the requestor.

SDCL 15-15A-7. Court records excluded from public access.
The following information in a court record is not accessible to the public:
(1) Information that is not to be accessible to the public pursuant to federal law;
(2) Information that is not to be accessible to the public pursuant to state law, court rule or case law as follows;
(3) Examples of such state laws, court rules, or case law follow. Note this may not be a complete listing and the public and court staff are directed to consult state law, court rules or case law. Note also that additional documents are listed below that may not be within court records but are related to the court system; the public and court staff should be aware of access rules relating to these documents.
    (a) Abortion records (closed); 34-23A-7.1
    (b) Abuse and neglect files and records (closed, with statutory exceptions); 26-8A-13
    (c) Adoption files and adoption court records (closed, with statutory exceptions); 25-6-15 through 25-6-15.3
    (d) Affidavit filed in support of search warrant (sealed if so ordered by court, see statutory directives); 23A-35-4.1
    (e) Attorney discipline records (closed until formal complaint has been filed with Supreme Court by the State Bar Association's Disciplinary Board or Attorney General, accused attorney requests matter be public, or investigation is premised on accused attorney's conviction of a crime); 16-19-99
    (f) Civil case filing statements (closed); 15-6-5(h)
    (g) Coroner's inquest (closed until after arrest directed if inquisition finds criminal involvement with death); 23-14-12
    (h) Custody or visitation dispute mediation proceedings pursuant to 25-4-60 (closed, inadmissible into evidence)
    (i) Discovery material (closed unless admitted into evidence by court) 15-6-26(c); 15-6-5(g)
    (j) Domestic abuse victim's location (closed, with statutory exception); 25-10-39
    (k) Employment examination or performance appraisal records maintained by Bureau of Personnel (closed); 1-27-1
    (l) Grand jury proceedings (closed with statutory exceptions); 23A-5-16
    (m) Guardianships and conservatorships (closed with statutory exceptions); 29A-5-311
    (n) Involuntary commitment for alcohol and drug abuse (petition, application, report to circuit court and court's protective custody order sealed; law enforcement or prosecutor may petition the court to examine these documents for limited purpose); 34-20A-70.2
    (o) Judicial disciplinary proceedings (closed until Judicial Qualifications Commission files its recommendation to Supreme Court, accused judge requests matter be public, or investigation is premised on accused judge's conviction of either a felony crime or one involving moral turpitude); ch. 16-1A, Appx. III(1)
    (p) Juvenile court records and court proceedings (closed with statutory exception); 26-7A-36 through -38; 26-7A-113 through -116
    (q) Mental illness court proceedings and court records (closed); 27A-12-25; 27A-12-25.1 through -32
    (r) Pardons (statutory exceptions, see 24-14-11)
    (s) Presentence investigation reports (closed); 23A-27-5 through -10; 23A-27-47
    (t) Probationer under suspended imposition of sentence (record sealed upon successful completion of probation conditions and discharge); 23A-27-13.1; 23A-27-17
    (u) Records prepared or maintained by court services officer (closed except by specific order of court); 23A-27-47
    (v) Trade secrets (closed); 15-6-26(c)(7)
    (w) Trusts (sealed upon petition with statutory exceptions); 21-22-28
    (x) Voluntary termination of parental rights proceedings and records (closed except by order of court); 25-5A-20
    (y) Wills (closed with statutory exceptions); 29A-2-515
    (z) Written communication between attorney and client; attorney work product (closed unless such privilege is waived); ch. 16-18, Appx. Rule 1.6
    (aa) Information filed with the court pending in camera review (closed)
    (bb) Any other record declared to be confidential by law; 1-27-3.

SDCL 15-15A-8. Confidential numbers and financial documents excluded from public access.
The following information in a court record is not accessible to the public.
(1) Social security numbers, employer or taxpayer identification numbers, and financial account numbers of a party or party's child.
(2) Financial documents such as income tax returns, W-2's and schedules, wage stubs, credit card statements, financial institution statements, credit card account statements, check registers, and other financial information.

SDCL 15-15A-9. Filing confidential numbers and financial documents in court records.
(1) Social security numbers, employer or taxpayer identification numbers, and financial account numbers of a party or party's child, where required to be filed with the court shall be submitted on a separate Confidential Information Form, appended to these rules, and filed with the pleading or other document required to be filed. The Confidential Information Form is not accessible to the public.
(2) Financial documents named in 15-15A-8(2) that are required to be filed with the court shall be submitted as a sealed document and designated as such to the clerk upon filing. The Sealed Financial Documents Information Form appended to these rules shall be attached to financial documents being filed with the court. The Sealed Financial Documents Information Form is confidential and is not accessible to the public. The sealed financial documents will not be publicly accessible, even if admitted as a trial or hearing exhibit, unless the court permits access pursuant to 15-15A-10. The court may, on its own motion, seal financial documents that have been submitted without the Sealed Financial Documents Information Form.
(3) Parties with cases filed prior to the effective date of this rule, or the court on its own, may, by motion, protect the privacy of confidential information as defined in 15-15A-8. Parties filing this motion will submit a completed Confidential Information Form or Sealed Financial Documents Information Form as appropriate.

SDCL 15-15A-10. Procedure for requesting access to sealed financial documents.
(1) Any person may file a motion, supported by affidavit showing good cause, for access to sealed financial documents. Written notice of the motion shall be required.
(2) If the person seeking access cannot locate a party to provide the notice required under this rule, after making good faith reasonable effort to provide such notice as required by applicable court rules, an affidavit may be filed with the court setting forth the efforts to locate the party and requesting waiver of the notice provisions of this rule. The court may waive the notice requirement of this rule if the court finds that further good faith efforts to locate the party are not likely to be successful.
(3) The court shall allow access to sealed financial documents, or relevant portions of the documents, if the court finds that the public interest in granting access or the personal interest of the person seeking access outweighs the privacy interests of the parties or dependent children. In granting access the court may impose conditions necessary to balance the interests consistent with this rule.

SDCL 15-15A-11. Requests for bulk distribution of court records.

Dissemination of bulk information for resale is prohibited pursuant to 1-27-1. Any other bulk dissemination is prohibited except as authorized by the State Court Administrator or the Chief Justice of the Supreme Court.

SDCL 15-15A-12. Access to compiled information from court records.

(1) Compiled information is defined as information that is derived from the selection, aggregation or reformulation by the Supreme Court of some of the information from more than one individual court record.
(2) Any member of the public may request compiled information that consists solely of information that is publicly accessible and that is not already available in an existing report. The Supreme Court may compile and provide the information if it determines, in its discretion, that providing the information meets criteria established by the Court, that the resources are available to compile the information and that it is an appropriate use of public resources.
The State Court Administrator's Office will make the initial determination as to whether to provide the compiled information.
(a) Compiled information that includes information to which public access has been restricted may be requested by any member of the public only for scholarly, journalistic, political, governmental, research, evaluation, or statistical purposes.
(b) The request shall a) identify what information is sought; b) describe the purpose for requesting the information and explain how the information will benefit the public interest or public education, and c) explain provisions for the secure protection of any information requested to which public access is restricted or prohibited.
(c) The Supreme Court may grant the request and compile the information if it determines that doing so meets criteria established by the Court, is consistent with the purposes of the access rules, that the resources are available to compile the information, and that it is an appropriate use of public resources.
(d) If the request is granted, the Supreme Court may require the requestor to sign a declaration that:
(i) The data will not be sold or otherwise distributed directly or indirectly, to third parties, except for journalistic purposes;
(ii) The information will not be used directly or indirectly to sell a product or service to an individual or the general public, except for journalistic purposes; and
(iii) There will be no copying or duplication of information or data provided other than for the stated scholarly, journalistic, political, governmental, research, evaluation, or statistical purpose.
The Supreme Court may make such additional orders as may be needed to protect information to which access has been restricted or prohibited.

SDCL 15-15A-13. Requests to prohibit public access to information in court records.
A request to prohibit public access to information in a court record may be made by any party to a case, the individual about whom information is present in the court record, or on the court's own motion. Notice of the request must be provided to all parties in the case and the court may order notice be provided to others with an interest in the matter. The court shall hear any objections from other interested parties to the request to prohibit public access to information in the court record. The court must decide whether there are sufficient grounds to prohibit access according to applicable constitutional, statutory and common law. In deciding this the court should consider the purpose of this rule as set forth in 15-15A-1. In restricting access, the court will use the least restrictive means that will achieve the purposes of this access rule and the needs of the requestor.

SDCL 15-15A-14. When court records may be accessed.

(1) Court records will be available where available for public access in the courthouse during hours established by the court. Court records in electronic form to which the court allows remote access under this rule will be available for access at least during the hours established by the court for courthouse access, subject to unexpected technical failures or normal system maintenance announced in advance.
(2) Upon receiving a request for access to information the court will respond within a reasonable time regarding the availability of the information and provide the information within a reasonable time.

SDCL 15-15A-15. Fees for accessing court records.

The Supreme Court may charge a fee for access to and copies of court records in electronic form, for remote access or compiled information. The fee shall be reasonable and may include costs for labor, materials and supplies. Fees for record searches are set forth in 16-2-29.5.
Some entities, and other entities under certain conditions, are exempt from paying a record search fee pursuant to 16-2-29. Copying and certification fees shall be charged as determined by statute or Supreme Court Rule.

CONFIDENTIAL INFORMATION FORM
(Required by SDCL 15-15A-9)

_________________________ Case No. ________
Plaintiff / Petitioner
_________________________
Defendant / Respondent

The information on this form is confidential and shall not be placed in a publicly accessible portion of a court record.

NAME ____________________________________
SOCIAL SECURITY NUMBER ________________________
EMPLOYER IDENTIFICATION NUMBER ___________________
TAXPAYER IDENTIFICATION NUMBER ___________________
FINANCIAL ACCOUNT NUMBERS: ______________________

Plaintiff / Petitioner ______________________________ ______________________________
1. ____________ ____________ ____________
2. ____________ ____________ ____________
3. ____________ ____________ ____________

Defendant / Respondent ___________________________ ___________________________
1. ____________ ____________ ____________
2. ____________ ____________ ____________
3. ____________ ____________ ____________

Other Parties (including minor children) ___________________ ___________________
1. ____________ ____________ ____________
2. ____________ ____________ ____________
3. ____________ ____________ ____________
4. ____________ ____________ ____________

Information supplied by: ___________________________
Signed: ____________________________________
Firm: ____________________________________
Address: ___________________________________
________________________________________
Date: _____________________________________

SEALED FINANCIAL DOCUMENTS INFORMATION FORM
(Required by SDCL 15-15A-9)

_________________________ Case No. ________
Plaintiff / Petitioner
_________________________
Defendant / Respondent

The information on this form is confidential and shall not be placed in a publicly accessible portion of a court record.

__________ Income Tax Records Period Covered:
__________ Financial Account Statements Period Covered:
__________ Wage Stubs Period Covered:
__________ Credit Card Account Statements Period Covered:
__________ Other

Information supplied by: ___________________________
Signed: ____________________________________
Firm: ____________________________________
Address: ___________________________________
________________________________________
Date: _____________________________________

Chairman MCCRERY. Thank you, Ms. McQueen. Mr. Stein?

STATEMENT OF ERIK STEIN, EXECUTIVE VICE PRESIDENT AND DIRECTOR, FRAUD RISK MANAGEMENT, COUNTRYWIDE FINANCIAL CORPORATION, ON BEHALF OF BITS FRAUD REDUCTION STEERING COMMITTEE

Mr. STEIN. Thank you. Good afternoon, Chairman McCrery and Members of the Subcommittee. My name is Erik Stein. I am Executive Vice President and Director of Fraud Risk Management at Countrywide, America's largest residential mortgage lender and servicer, currently responsible for preventing, detecting, investigating, mitigating, and reporting on criminal conduct by, through, or within Countrywide Financial Corporation and its member family of companies. I am pleased to appear before you today on behalf of BITS and the Financial Services Roundtable to discuss the role of SSNs in identity theft and SSN privacy. I have submitted a more detailed written statement for the record, but would like to highlight five key points in my oral statement.

First, SSNs have evolved, regardless of their original intent, to become the de facto unique identifier that today accompanies most consumers from cradle to grave. SSNs provide the link to associate consumers to their financial accounts, credit reports, public records, and a host of other critical relationships.
SSNs are essential to financial institutions to meet various statutory obligations, such as knowing their customers, report tax-related activity, conduct financial crimes investigations, screen prospective employees, and more. All of these functions help keep our customers and their financial assets safe and ensure the security and reliability of the economy. Second, SSNs play a pivotal role in the accurate determination of an individual. With millions of citizens in America, the SSN is the single unique identifier common to them all. However, it is important to note that the verification of the SSN is not the same as the verification of identity. Verification of identity is accomplished through the use of other government-issued documentation, including drivers' licenses and passports, which financial institutions require to open accounts and make loans. However, financial institutions have not been afforded the tools to ensure the validity of SSNs and these other documents presented for identity verification even though the institutions are required by the USA PATRIOT Act (P.L. 107-56) to know their customers. That brings me to my third point, which is the proposed consent-based SSN verification, or CBSV program recently established by the SSA, is a critical first step in facilitating identity verification. The program allows verification of the SSN along with the corresponding name and date of birth provided by consumers to SSA's database. I and other fraud reduction professionals strongly encourage the Subcommittee to actively support the CBSV program and we urge the SSA to remove restrictions on the daily submission volume by participants, work to improve the proposed response times, eliminate the requirements for a stand-alone consumer authorization, allowing the authorization to be incorporated into loan or account documents, and review the cost structure. 
These changes would allow participants to consistently use CBSV on every new relationship, reducing fraud, identifying errors, and lowering costs. Fourth, criminals know the intrinsic value of SSNs in committing identity theft and other crimes. The sad reality is that criminals in search of identities with which to commit identity theft can readily obtain them through many means. For example, all a criminal need do is steal mail in January, when millions of 1099s and 1098s are distributed to taxpayers. These forms are required by statute to display the SSN and for mailing purposes must have the recipients' name and address. We recommend that Congress review statutory obligations that require the printing of SSNs on any documents to determine if the risk of compromise exceeds the value derived, and if so, enact changes to remove these obligations. My final point is that we should be mindful of the unintended consequences that could result from restricting the use of SSNs among legitimate businesses. Decreasing financial institutions' abilities to use SSNs could potentially lead to increased fraud, increased lending costs, decreased loan approval rates, and a myriad of other unforeseen results. It is important for Congress, the SSA, and other agencies to thoroughly consider the potential consequences and adverse impact such restrictions could have on commerce. In closing, it is important to note that through BITS, the financial services industry has been aggressive in efforts to mitigate identity theft, reduce fraud, and strengthen cyber security by working together to share information, analyze threats, and implement best practices. We need essential tools such as the CBSV program to continue these efforts. Thank you for the opportunity to testify before you today. I would be happy to answer any questions. [The prepared statement of Mr. 
Stein follows:]

Statement of Erik Stein, Member, BITS Fraud Reduction Steering Committee

Introduction

Good afternoon Chairman McCrery and members of the Subcommittee. My name is Erik Stein. I am Executive Vice President and Director of Fraud Risk Management at Countrywide Financial Corporation, America's largest residential mortgage lender and servicer. I have over 25 years of banking, credit card, mortgage lending and dot com experience and am currently responsible for preventing, detecting, investigating, mitigating and reporting on criminal conduct by, through or within Countrywide and its family of companies. I am pleased to appear before you today on behalf of BITS and its Fraud Reduction Steering Committee (FRSC) to discuss the role of Social Security Numbers (SSNs) in identity theft and enhancing SSN privacy.

BITS is a nonprofit industry consortium of 100 of the largest financial institutions in the U.S. BITS is the non-lobbying division of The Financial Services Roundtable. BITS' mission is to serve the financial services industry's needs at the interface between commerce, technology and financial services. BITS' member companies provide fuel for America's economic engine, accounting directly for $40.7 trillion in managed assets, $960 billion in revenue, and 2.3 million jobs. BITS works as a strategic brain trust to provide intellectual capital and address emerging issues where financial services, technology and commerce intersect. BITS focuses on key issues where industry cooperation serves the public good, such as critical infrastructure protection, fraud prevention, and the safety of financial services. BITS' activities are driven by the CEOs and their direct reports--CIOs, CTOs, Vice Chairmen and Executive Vice President-level executives of the businesses.
Especially relevant to today's testimony, the mission of the BITS Fraud Reduction Steering Committee (FRSC) is to identify fraudulent trend activity, reduce fraud losses, and foster new opportunities to reduce the impact of fraud on the financial services industry and our customers. Participants in the BITS Fraud Reduction Steering Committee include representatives from financial institutions, industry associations and the Federal Reserve.

BITS works with government organizations including the U.S. Department of Homeland Security, U.S. Department of the Treasury, federal financial regulators, Federal Reserve, technology associations, and major third-party service providers to achieve its mission. BITS is also a founding and active member of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). The mission of the FSSCC is to:

Foster and facilitate the coordination of financial services sector-wide voluntary activities and initiatives designed to improve Critical Infrastructure Protection and Homeland Security
Identify voluntary efforts where improvements in coordination can foster sector preparedness
Identify barriers and recommend initiatives to improve sector-wide knowledge sharing and timely dissemination of critical information among all sector constituents
Promote public trust and confidence in the financial services sector's ability to withstand and recover from terrorist attacks, cybercrime, and natural disasters.

The financial services industry has been aggressive in its efforts to strengthen cyber security, reduce fraud, and mitigate identity theft. Members of BITS are sharing information, analyzing threats, creating best practices, urging the software and technology industries to do more to provide more secure products and services, and combating fraud and ID theft.
As just one example of these efforts, the Identity Theft Assistance Center (ITAC), which BITS and the Financial Services Roundtable established in 2004, recently announced that it had helped over 5,000 individuals in restoring their financial identity.

SSNs: A Unique Identifier

SSNs have evolved, regardless of original intent, to become the de facto unique identifier for consumers. This number is the only unique identifier that today accompanies most consumers from cradle to grave. SSNs remain a constant in an ever-changing world of name change from marriage and divorce, shifting addresses, and driver's license re-issuance as consumers move from one state to another. SSNs are used in efforts to ensure the accurate association of financial accounts, credit reports, public records, medical records and a host of other critical relationships and services to a consumer.

Critical Role of SSNs for Financial Institutions

The use of SSNs by financial institutions is essential to satisfy a variety of statutory obligations such as to report earned interest income and deductible interest payments on mortgages for millions of American consumers.
In addition, SSNs facilitate practical realities such as accessing credit reports to determine creditworthiness, performing due diligence on business partners and correspondent banks and, as required by the USA Patriot Act, performing enhanced due diligence on politically-exposed persons (PEP).\1\
---------------------------------------------------------------------------
\1\ The Federal Financial Institutions Examination Council's (FFIEC) Bank Secrecy Act Anti-Money Laundering Examination Manual defines a PEP as ``a person identified in the course of normal account opening, maintenance or compliance procedures to be a `senior foreign political figure,' any member of a senior foreign political figure's `immediate family,' and any `close associate' of a senior foreign political figure.''
---------------------------------------------------------------------------

Under the USA Patriot Act, financial institutions are obligated to ``know their customer,'' and to take steps to verify the identity of account holders. In addition, financial institutions perform due diligence on business partners and vendors. One of the integral parts of compliance with these obligations often involves the use of public records which are searched by use of the SSN, or, in the case of business, EIN, to ensure that the results returned are unique to the subject of the due diligence.

After the customer's identity has been verified and the relationship has been established, many financial institutions utilize the SSN internally to track the customer's relationship with the financial institution across multiple accounts and for a variety of legitimate internal business reasons. This legitimate, internal business use should remain exempt from additional limitations.

Criminal investigations initiated by financial institutions are facilitated by the availability of SSNs both in the financial institution's database and in public records.
Public records are frequently used by financial institutions' staff during the investigation of potential criminal conduct. During the investigation, the SSN is the single most reliable method of identification, correlation and association of the perpetrators to their public records, which often provide critical details imperative to solving the crime and locating the suspect(s). The loss of this valuable tool would jeopardize the effective investigation of financial crimes.

Financial institutions and other businesses routinely screen prospective employees to verify identity, validate applicant employment and education history, and check for criminal conduct prior to extending job offers. These background checks, particularly in high-risk occupations or vulnerable industries, can reduce the incidence of criminal infiltration, potential workplace violence and security risks, including customer data security and privacy risks. The SSN is critical in verifying a potential employee's background and allows for the ongoing monitoring of employees in high-risk positions. Without the use of a SSN, financial institutions would find it very difficult to adhere to a ``know your employee'' standard.

SSN Verification: A Key Tool for Successful Identity Determination of Customers

SSNs play a pivotal role in identity determination: the establishment and verification of the identity of unique persons with whom financial institutions, and others, conduct business. With millions of John Smiths in America, the identity determinate of which John Smith with whom a financial institution is dealing is made by the single unique identifier common to all Americans, his SSN. Importantly, financial institutions realize that the ability to successfully verify John's SSN is not the same as successfully determining his identity.
A financial institution must do this through the use of identification documents such as driver's license, passport and other, typically government-issued, identity documents containing a picture, signature, expiration date, security features, a physical description, etc.

It should be noted that SSNs have not been used for identity verification due to the lack of a highly secure SSN card, tamper-proof signature, picture and expiration. The SSN card contains few security features making it easy to counterfeit and reducing or eliminating any value in its use for identity verification. The SSN is thus only a tool, albeit an invaluable one, in the process of determining the identity of an individual. It is clear, however, that verification is a key tool for achieving positive identity determination.

Value of the SSN to Criminals

The critical role of SSNs is the fundamental reason for their intrinsic value to criminals intent on committing crimes. Criminals utilize SSNs in the commission of identity theft. Identity Theft may be divided into ``true name'' fraud where the perpetrator uses the ``true'' identity of a consumer, or identity fraud where combinations of consumers' identities are pieced together or even fabricated to create a synthetic identity, a new person.

It is important to recognize that criminals committing identity fraud don't need to steal or purchase SSNs to commit their crime. The structure of the SSN is common knowledge to anyone who has ever had, or seen, one or checked the Social Security Administration's (SSA) website (i.e. http://policy.ssa.gov/poms.nsf/lnx/0100201030?opendocument.) Valid SSNs can be determined by checking the SSA's website for the highest group issuance http://www.socialsecurity.gov/employer/highgroup.txt. By selecting a recently issued SSN, and applying for credit, a criminal creates an identity with the Credit Reporting Bureaus (for which there will be no conflicting SSN information since the valid SSN holder is an infant).
Since financial institutions and lenders don't have the ability to verify the SSN, name and date of birth combinations (other than the current Enumeration Verification System pilot in the mortgage industry which is not a robust, enterprise-strength, low cost, timely verification process and therefore narrowly used), the identity thief is unlikely to be caught. Restrictions on the sale and purchase of SSNs would do little to prevent this type of fraud. The fraud also doesn't rely on the theft of SSNs from their legitimate owner.

BITS members would encourage the Subcommittee to remove the highest group issuance list from the public domain and make it available to financial institutions and others with a legitimate business need on a subscription basis as is currently done with SSA's Death Master File. While this list is an essential tool today to validate SSNs provided to financial institutions, its potential use by criminals is inconsistent with its availability to the general public.

Another area of risk is that criminals in search of identities for committing true name fraud can readily obtain name, address, SSN and account number combinations by mail theft during January each year when millions of account holders and borrowers receive their 1099's or 1098. By statute, these tax forms are required to display the account holder's SSN, and, for mailing purposes, must have the recipient's name and address along with the account number to identify the account for which the form has been filed. These forms are mailed en masse by financial institutions at the beginning of the year for use in requisite income tax filing by the consumer thereby making for a target-rich environment for obtaining identities through mail theft.

Combating Identity Theft through SSN Verification

For decades, financial institutions have required SSNs and identity documents to open accounts, make loans and accept transactions by their customers.
However, the industry has been relegated to validation methods that do not, and cannot, validate the existence of, and their association with, a consumer's personal identifiers (such as name, date of birth and gender). For SSNs, financial institutions have relied on rules that determine if the SSN had been issued (the highest group issuance list referenced above available from SSA), that the SSN holder had not been reported deceased (SSA's Death Master File), and that the holder was not born after the issuance of the SSN by SSA (from historical highest group issuance lists). The single most important validation has been unavailable, that the consumer presenting the number is the holder of record in SSA's database. The proposed Consent-Based SSN Verification (CBSV) program recently published for public comment by the SSA is an extension of the Enumeration Verification System pilot and is a critical effort to allow financial institutions to verify SSNs. It will allow financial institutions to verify the SSN holder's name and date of birth against SSA's database. Establishing a system capable of high volume, low cost, real time verification direct to financial institutions and lenders would significantly reduce the incidence of synthetic identities. ``True name'' identity theft would become more difficult with the validation of date of birth and the optional gender code by financial institutions utilizing a CBSV program. BITS' members strongly encourage the Subcommittee to support the CBSV program.\2\ We also request that the SSA evaluate the removal of restrictions on the daily volume of submissions by participants, work towards improving the proposed response times, eliminate requirements for a standalone consumer authorization allowing incorporation of the authorization into loan or account documents, and review the cost structure. 
---------------------------------------------------------------------------
\2\ Attached is the BITS/Financial Services Roundtable Comment Letter on the Social Security Administration's Consent-Based Social Security Verification Process (February 2006)
---------------------------------------------------------------------------

Consumers would benefit from industry's ability to verify SSN information by reducing the incidence of fraud and errors. Erroneous data entry of consumer's SSNs would also be easily determined, reducing the incidence of erroneous tax reporting on interest earned and deductible interest expense and reducing the quantity of consumers required to be subjected to annual solicitation for a corrected SSN due to mismatches submitted to the IRS and misrepresentation.

Further, the BITS members, due to the high perceived value of CBSV, would also encourage the consideration of federal legislation to mandate similar programs related to other governmental identity documents used in the financial industry to verify consumers including U.S. passports, alien registration documents (e.g. Non-Resident Alien card) and state driver's licenses. Financial institutions, while under obligations to know their customer under the USA Patriot Act, have not been afforded the tools to ensure the validity of the documents presented for identity verification. We have had to rely exclusively on the appearance of legitimacy (e.g. verification of security features, visual inspections or tests that validate the structure of a driver's license number but, again, not the name of the true license holder).

Unintended Consequences for Limiting Use of SSNs

The critical roles of SSNs for use in financial institutions, investigations, public records, lending, account servicing, tax reporting and much more makes the availability and use of the SSN for legitimate business uses an imperative.
It is important that additional proposed restrictions on the use, sale and purchase of SSNs be thoroughly evaluated to ensure that unintended consequences do not occur. This could include potential increases in fraud; economic impacts from increased lending costs; and decreased loan approval rates and other adverse implications to commerce.

Conclusion and Recommendations

In summary, the use of SSNs is critically important to the financial services industry. They allow financial institutions to meet various statutory obligations such as knowing who their customers, employees, and business associates are; reporting earned interest income and deductible interest payments on mortgages; and satisfying due diligence expectations as set forth by statutory obligations. All of these functions are performed to keep our customers and their financial assets safe, and to ensure the security and reliability of the economy.

On behalf of BITS and our member financial institutions, we encourage Congress to:

Continue to allow financial institutions to use SSNs without additional restrictions and limitations;
Exercise caution if changes are considered, to be especially alert to unintended consequences such as increased fraud;
Support a verification program capable of high volume, low cost, real time verification in a manner consistent with customers' demands; and
Review statutory obligations that require the printing of SSN's (e.g. 1098, 1099) to determine if the risk of compromise exceeds the value derived and, if so, enact changes to remove these obligations.

Thank you for the opportunity to testify before you today. I would be happy to answer any questions.
______

February 26, 2006

Office of Management and Budget (OMB)
Attn: Desk Officer for SSA
Fax: 202-395-6974

Social Security Administration, DCFAM,
Attn: Reports Clearance Officer
Fax: 410-965-6400
E-mail: [email protected]

Re: Comment to Consent Based Social Security Number Verification (CBSV) Process

Dear Sirs and Madams:

BITS and The Financial Services Roundtable appreciate the opportunity to participate in the Social Security Administration's (SSA) request for comment regarding the Consent Based Social Security Number Verification (CBSV) Process.

BITS and The Financial Services Roundtable share membership and represent 100 of the largest integrated financial services companies providing banking, insurance, and investment products and services to the American consumer. Member companies participate through the Chief Executive Officer and other senior executives nominated by the CEO. BITS works to leverage the intellectual capital of its members, fostering collaboration to address emerging issues where financial services, technology, and commerce intersect. The Roundtable promotes the interests of member companies in legislative, regulatory and judicial forums. Roundtable member companies provide fuel for America's economic engine, accounting directly for $40.7 trillion in managed assets, $960 billion in revenue, and 2.3 million jobs.

Our members have always been a favorite target for perpetrators of fraud. Institutions have long answered this challenge with reliable business controls, advanced technology, information sharing, and cooperative efforts with government and law enforcement agencies. While our members' foremost concern is to protect their customers and maintain their trust, they are also mindful of the need to comply with the regulations set forth by Section 326 of the Patriot Act. This section requires institutions to verify not only the identity of a customer, but also the accuracy of the information provided.
In the interest of reducing fraud and complying with Section 326 of the Patriot Act, BITS members supported the initial pilot, the Enumeration Verification System (EVS), to allow institutions to affirmatively verify consumer's name, social security number and date of birth (DOB). This pilot provided a means to ensure accounts were opened for the legitimate consumer and not a ``fraudster'' and we applaud the SSA's efforts to provide enhancements in the form of the CBSV that would benefit our customers and our industry.

After careful review of the information collection process outlined in the December 30, 2005 Federal Register, we respectfully offer the following comments:

``Valid Consent from Number Holders''

There is concern that, since the CBSV is designed to verify a person's Social Security Number (SSN) to their name (and potentially DOB), there may be instances where financial institutions are misled and the consent is not from the true applicant as may be the case in identity theft or identity manipulation. There should be acknowledgement that while financial institutions have established a process for verification, there is still an opportunity for applicants to provide false information. This verification process is fundamental to ensuring the name, SSN, and DOB (optionally) match the authorizing consumer. While we understand the use of ``valid consent from number holders,'' we want to ensure that there are no consequential impacts to financial institutions from the fraudulent completion of consent authorizations.

Inclusion of Gender Code

The public comment details the submission as consisting of a name, SSN and DOB (if available) and the results provide a match to name, SSN, date of birth and gender code (which is not part of the submission). Clarity needs to be provided on whether gender code is intended to be a submitted/verified field.
Full Name Matching

While SSN, DOB (and possibly gender assuming it is used) are unique variables, one's name is subject to wide variation. It is suggested that the full first and full last be used for matching and that a secondary field be available for each that could include a nickname, shortened name (Jim vs. James) and last name. The use of a secondary field for name matching would reduce the incidence of re-running queries; improve match rates including where Soundex matching is utilized and the name variation is not conducive to such matching logic; and would accommodate name changes due to marriage, divorce, etc. which may not yet have been reported to SSA.

Real-time vs. Batch Submissions

SSA had indicated its intention to continue the practice of EVS in providing the results of inquiries by Requesting Parties within 48 hours while not guaranteeing such response time. Institutions believe there is strong value in having real-time capabilities and encourage the SSA to evaluate methods to provide this verification service in real-time as soon as feasible. If batch submissions remain exclusively available, members strongly encourage SSA to provide a response, to inquiries submitted before midnight, by no later than 5am the following business morning consistent with other batch jobs run by financial institutions for fraud detection, verification and posting.

Daily Limitation of Records and Expectation of Volume

While strongly supportive of CBSV, we urge the SSA to reconsider the daily limitation of 5,000 records. One of the inherent values of an automated system of SSN verification is its scalability. With scalability in mind, we recommend the SSA remove the daily limitation. Should hardware limitations be reached by the overwhelming success and adoption of CBSV, the SSA should charge registered user businesses sufficient additional fees to allow the SSA to meet this demand. This linear scalability should also keep the cost per inquiry low.
We believe that SSA's expectations of demand for CBSV are substantially below the industry's need for this verification solution. We encourage the SSA to revise its expectations and lower the cost of entry for business by reducing the initial fee of $40,288.10. While the basis for SSA's expectation of only 150 business users for CBSV is not explained in the publicly available documents, we believe that, with nearly 9,000 FDIC-insured financial institutions alone in the U.S., 5,000 business users is both reasonable and sustainable. This would lower the initial cost of entry to $1,208.64. However, to both encourage maximum participation and guarantee SSA's financial support of the program, we recommend the initial fee be set at $10,000.

Document Requirements

SSA-89--Authorization for the Social Security Administration (SSA) To Release Social Security Number (SSN) Verification

Evidence of consumer authorization to verify their SSN is clearly both an obligation of the Requesting Party and a necessary privacy safeguard. However, the requirement for a standalone SSA-89 evidencing said authorization provides no additional safeguard over an obligation for equivalent language, approved by the SSA prior to usage, incorporated into account or loan documents. In addition, this document (SSA-89) cannot be incorporated into loan documents, account signature cards or any other documents. For efficiency and enhancement purposes, institutions must be able to incorporate the authorization language into existing documents that allows them to run the SSN which can then be retained for six years from the authorization date. The existing retention of these underlying documents already, in most cases, meets or exceeds the SSA minimum retention requirement.
Where the existing document retention is shorter than SSA-89's retention requirement, Requesting Parties will voluntarily comply with modification of their retention schedules to achieve the efficiencies afforded by merging these documents with the CBSV authorization.

The SSA should consider inclusion of specific authorization of the SSN owner for electronic signature in accordance with the Electronic Signatures in Global and National Commerce Act (ESIGN). SSA's existing allowance of storage of the SSA-89 electronically would be consistent with the use of ESIGN for electronification of the authorization process with inherent increased efficiency.

SSA-89 cannot be modified by the Requesting Party. The defined term can be modified by agreement as specified in the User Agreement, by agreement of the parties executing the Authorization and documented therein. These two statements are mutually exclusive. We recommend SSA clearly delineate the method by which Authorization term extension is to be documented so the Requesting Party can ensure compliance with SSA's requirements.

SSA-88--Pre-Approval Form for CBSV

The Requesting Party has a contractual obligation to protect the integrity of SSA's systems, utilize information requested only for authorized purposes, and to be authorized by the Requesting Party in accordance with their internal approval policies. The need for completion of form SSA-88 for each employee in a large company that has access to the results of the inquiry is overly burdensome and inefficient. We strongly encourage the SSA to make user administration for Requesting Parties an obligation of authorized employees of the Requesting Party and managed through a user interface in Business Services Online (BSO). All service providers to the financial services industry allow the participant to manage their employees' access. The BSO administrative user interface can be designed so as to require the data elements mandated by SSA (e.g.
name, SSN, phone number, and email address of each employee) with appropriate electronic attestation by the authorized admin user during new user setup. Maintenance (e.g. changes to the existing information as a result of job status changes, phone or email changes) and deletion (e.g. termination of the employee or job status changes no longer requiring access) can likewise be accomplished through the BSO administrative user interface by the authorized employee of the Requesting Party. This process is much more conducive to large scale employers who may have thousands of employees authorized to access the information from SSA during the processing of accounts or loans.

SSA-1235--Agreement Covering Reimbursable Services

SSA-1235 is ``effective upon signature of both parties and shall remain in effect until one or more of the following events occur. . . .'' While the Agreement is continuously in effect (barring one of the events listed), SSA requires an annual resubmission of the Agreement. The resubmission appears inconsistent with an Agreement with no defined term. We recommend the SSA eliminate the annual submission requirement for form SSA-1235. The provision of the annual fee as defined by SSA each year should be sufficient evidence of the Requesting Party's intent to continue the Agreement.

The Conditions of Agreement, paragraph 6, stipulates that the Authorization ``must be presented within 60 days after its execution,'' however the Authorization itself indicates it ``is valid only for 90 days from the date signed. . . .'' These statements are incongruous and we recommend the SSA reconcile these documents to a consistent period of 90 days.

The Conditions of Agreement, paragraph 8, stipulates the Agreement may be terminated ``by giving a 60 day advance written notice.'' However, Section XI.
Duration of Agreement, Suspension of Services, Annual SSA-1235 of the User Agreement specifies ``the Agreement shall terminate 30 days after the date of the notice or at a later date specified in the notice.'' We recommend the SSA reconcile this discrepancy by establishing a consistent 30 day written notice requirement for termination.

Submission of Requests

The CBSV User Guide establishes the file format for submission of requests by the Requesting Party to SSA. The file format contains a field for a ``Multiple Request Sequence Number''; however, the SSA limits the number of file submissions by a Requesting Party to one. Since only one file can be submitted daily, there would never be a need for this field. If the field is anticipated for future use when Requesting Parties may be allowed multiple daily file submissions, we suggest ``Future Use'' indicated in the description for this field to remove ambiguity.

If you have any further questions or comments on this matter, please do not hesitate to contact us or Heather Wyson at (202) 289-4322.

Sincerely,

Catherine A. Allen
CEO, BITS

Richard M. Whiting
Executive Director and General Counsel

Chairman MCCRERY. Thank you, Mr. Stein. Mr. Pratt?

STATEMENT OF STUART K. PRATT, PRESIDENT AND CHIEF EXECUTIVE OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION

Mr. PRATT. Mr. Chairman and Members of the Committee, thank you for this opportunity to appear before you today to discuss the importance of SSNs. For the record, my name is Stuart Pratt and I am President and CEO of the Consumer Data Industry Association. We applaud this Committee for the thoughtful and open dialog regarding how SSNs are used and to identify risks associated with such use.

Before I discuss how our members' systems make use of the SSN, let us just consider how demographics in our society really explain why the SSN is so important. First, identifiers in everyday life do change and do so more often than we might think.
Over 40 million addresses change every year in this country. More than three million last names change due to marriage and divorce. We use our identifiers inconsistently. We don't do so purposefully, but a simple example is our choice to use a nickname in some transactions but to use our full name in others. Our name is not as unique as we might think. There are millions and millions of Smiths and Joneses in this country, and, in fact, more than 13 million consumers have only one of ten very common last names. Another 57 million males have only one of ten common first names.

We provide other examples of how personal information changes in our written testimony, and by taking into account all of these facts, it really does become very apparent why the SSN is the key to stabilizing consumers' identifying information in the context of databases. The SSN is truly a unique identifier.

Let us discuss how the use of the SSN works within our members' systems. Our members design products for determinations of a consumer's eligibility for a product or service, to prevent fraud, and to aid in the location of consumers for a variety of reasons. These products bring great value to us as consumers every day.

Eligibility products, such as a credit or employment report, for example, lead to definitive decisions. These reports are regulated under the Fair Credit Reporting Act (P.L. 91-508). The FCRA imposes a duty that consumer reporting agencies employ reasonable procedures to ensure the maximum possible accuracy of the information in the report, and the SSN plays a vital role in helping our members to achieve this maximum possible accuracy standard. Absent the use of the SSN as a key identifier, consumers would be harmed in many ways through the exclusion or inclusion of information.

Our members also produce products regulated under other laws, such as the Gramm-Leach-Bliley Act. Fraud prevention systems, for example, employ a diversity of strategies.
The SSN plays an important role. In 2004 alone, businesses conducted more than 2.6 billion searches to check for fraud. The largest users of fraud detection systems are, in fact, financial services companies, accounting for about 78 percent of the transactions, but there were other users. 5.5 million location searches were conducted by child support enforcement agencies, 378 million searches to enforce contracts to pay, tens of millions of searches were used by pension funds, blood donor organizations, and by organizations focused on missing and exploited children. The availability and permitted use of the SSN remains vital across this entire spectrum of consumer data products.

Consumers and media often assume that the SSN is fully unregulated and, of course, this is not the case. As we have discussed, laws such as the FCRA and the Gramm-Leach-Bliley Act do regulate our members' products. However, we recognize that similar protections don't exist for all, and the SSN is sensitive personal information that must be protected.

We believe that a national uniform system to establish information safeguards should be enacted so that anyone possessing sensitive personal information, such as an SSN in combination with my name and address, that they would be obligated to protect that information. There are a number of House and Senate committees that are looking at proposals. I think standards like this would cause more American businesses to move to encrypt such information, which we think is the right direction. I think other businesses would decide whether or not they really should be gathering it in the first place. We think that is another good result, as well. Our members want to protect that information. We think every company and every business in this country that is going to gather that information should do the same.

Public records also contain SSNs, and it is encouraging to hear the State court organizations discussing strategies to protect them.
We support this effort unequivocally. However, CDIA does believe that the disclosure of the SSN to the general public, while it must be addressed, we also believe that public records must be made available, including SSNs, to those with appropriate needs. Public records play a vital role in our society and they bring value to consumer data industry products and services. Bankruptcy records, for example, and tax liens as well as judgments are used by lenders. Records of eviction are critical to a landlord, and these are just a few examples.

The public sector agencies are taking actions and we are encouraged by SSA's efforts to explore the viability of a system by which a party may verify a particular SSN is associated with another. However, the system is cumbersome. It does not allow for real-time automated processing of SSN verification and it will render it very ineffective, in fact, in assisting victims of identity theft. We hope the SSA will move toward a more effective system in the future.

In conclusion, we believe that enacting law that imposes national uniform information security regulations on all who possess the SSN is the right step to take and this is the right year in which to do it. In contrast, laws that overreach and attempt to limit the SSN's use are likely to merely take fraud prevention tools off the table and out of the hands of legitimate businesses and expose--and ultimately at the expense of consumers. We believe consumers expect us to protect the SSN. We also know consumers expect us to maintain accurate databases.

Thank you, Mr. Chairman.

[The prepared statement of Mr. Pratt follows:]

Statement of Stuart K. Pratt, President and Chief Executive Officer, Consumer Data Industry Association

Chairman McCrery, Ranking Member Levin and members of the committee, thank you for this opportunity to appear before you today to discuss the importance of Social Security Numbers to our members' consumer data systems.
For the record, my name is Stuart Pratt and I am president and CEO of the Consumer Data Industry Association.\1\ Our members applaud this committee for the thoughtful and open dialogue it has sought regarding how Social Security Numbers are used and to identify risks associated with such use.

---------------------------------------------------------------------------
\1\ CDIA, as we are commonly known, is the international trade association representing over 300 consumer data companies that provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services, systems for insurance underwriting and also collection services. As we will discuss below, the secure and protected use of the social security number (SSN) is an important key to the effectiveness of these systems and services.
---------------------------------------------------------------------------

OVERVIEW

Before I discuss how our members' systems make use of the social security number, it is important to take into account key demographics about our society that help explain why the SSN is so important.

Personal identifiers change: While it probably doesn't occur to most of us, the identifiers we use in everyday life do change and more often than most might think. For example, data from the U.S. Postal Service and the U.S. Census confirm that over 40 million addresses change every year. More than three million last names change due to marriage and divorce. While trends in naming conventions are changing, this fact is still far more often true for women than men.

We use our identifiers inconsistently: It is a fact that we use our identifiers inconsistently for a wide variety of reasons.
First, many citizens choose to use nicknames rather than a given name. However, there are times where, in some official transactions, a full name is required. Some consumers, when hurried, use an initial coupled with a last name, rather than their full name or nickname. Consumers are also inconsistent in the use of generational designations (e.g., III, or Sr.). Finally, there are times where consumers themselves do make mistakes when completing applications. Thus, a consumer's identifiers may be presented in different ways in different databases and, in some cases, the data may be partially incorrect.

Personal identifiers are not always unique: We think of our names as a very personal part of who we are. However, our names are less common and unique than we might think. For example, families carry forward family naming conventions leading to some consumers sharing entirely the same name. Further, U.S. Census data shows that both first and last names are, in some cases, amazingly common. Fully 2.5 million consumers share the last name Smith. Another 3 million share the name Jones and more than thirteen million consumers have one of ten common last names. First names are also used very commonly leading to common naming combinations. Eight million males have either the name James or John and a total of 57 million males have one of ten common first names. An additional 26 million females have one of ten common first names. Common naming conventions make it more difficult and in some cases impossible to depend on name alone to properly match consumer data.

Identifiers are shared: Our birthday is a unique day in our lives, but it is, nonetheless, a date shared with hundreds of thousands of others. Date of birth alone is not an effective identifier.
Family members who live together end up sharing addresses and per our discussion above, where consumers share the same name due to family traditions and the address at which they live, distinguishing one consumer from another is complex.

Data entry errors do happen: Hundreds of millions of applications for credit, insurance, cellular phone services, and more are processed every year. There is no doubt that in the process of entering a consumer's identifying information errors can be made which carry forward into databases and into the reporting of data to consumer reporting agencies.

By taking into account all of these facts about our identifying information, it becomes far more apparent why the SSN is key in stabilizing a consumer's identifying information in the context of databases. The SSN is a truly unique identifier.

USE OF THE SSN BY CDIA MEMBERS

CDIA's members produce a range of critical consumer data products which bring great value to individual consumers, to society and the nation's economy. Our members design products used for determinations of a consumer's eligibility for a product or service, to prevent fraud and to aid in the location of consumers for a variety of reasons.

Consumer Data Products Used for Eligibility Decisions

Many CDIA-member products are focused on helping consumers to gain access to the goods and services for which they apply. These transactions focus on a consumer's eligibility and, as such, the consumer data products used are regulated under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) as ``consumer reports.'' Eligibility determinations include applications for any type of credit including unsecured credit, home purchases, auto financing, home equity loans, as well as for insurance of all types, employment, government benefits, apartment rentals, and for other business transactions initiated by the consumer.
The FCRA, enacted in 1970, has been the focus of careful oversight by the Congress resulting in significant changes in both 1996 and again in 2003. There is no other law that is so current in ensuring consumer rights and protections are adequate.

Of particular importance to our discussion here today, is the FCRA-imposed duty on consumer reporting agencies by the FCRA (and similar state laws) that reasonable procedures be used to ensure the maximum possible accuracy of the information contained in all types of consumer reports. This duty is established for the protection of consumers.

The SSN plays a vital role in helping our members to achieve the ``maximum possible accuracy'' standard. Absent use of the SSN as a key identifier, consumers would be harmed in many ways. Consider the following illustrative examples:

Incomplete data harms consumers: There would be a likely increase in the inability of consumer reporting agencies to properly match incoming information to the correct consumer about whom the information relates. Think about the consequence to consumers of having a consumer ``credit'' report that does not contain all of the accounts that they pay on time and which makes them eligible for the lowest cost loans.

Incomplete data harms our banking system: The absence of the SSN would also put at risk the safety and soundness of lending decisions due to less information being included in consumer ``credit'' reports due to data matching problems.

Incomplete data prevents consumer access to goods and services: Think about the consequence for consumers when a consumer reporting agency cannot locate the proper file on a consumer and thus a lender, insurer or other service provider wanting to do business with the consumer has to deny the application.
There is no doubt that consumer reporting agencies of all types provide tremendous benefits to consumers directly and to the nation's economy and the use of the SSN in the context of our members' systems helps bring forward these benefits. Consider the following:

Access to home ownership: Every homeowner benefits from a credit reporting system that reduces the costs of all mortgage loans by a full two percentage points, thus putting literally thousands of dollars in disposable income into their pockets.\2\ Homeownership is no longer a luxury of the well-to-do, but is a truly democratized American dream enjoyed by nearly seventy percent of the population.\3\

---------------------------------------------------------------------------
\2\ Kitchenman, Walter., U.S. Credit Reporting: Perceived Benefits Outweigh Privacy Concerns., Pp. 5 (1998).
\3\ Turner, Michael., The Fair Credit Reporting Act: Access, Efficiency & Opportunity. Pp. 8 (2003).
---------------------------------------------------------------------------

Check fraud prevention: Check fraud is reduced thanks to CDIA members' systems. It is estimated that more than 1.2 million worthless checks enter the payment system every day in the United States. This number speaks to the risks, but also the success of our members' systems which service as many as 40 billion check transactions a year.

Tenant screening services: Tenant screening services help all landlords to make informed decisions, as well. Consider the circumstances of a retiree who owns a rental property on which he or she depends for income. A tenant screening service mitigates risks for literally millions of such individuals in a country where the majority of units for lease are owned by individuals and not by corporations.
Employment/security screening: SSNs serve as vital links among disparate records that help businesses verify prospective employees' identities and conduct thorough, accurate background checks to ensure workplace safety and business security. Our members' systems and services help to ensure that hardened criminals and sex offenders do not end up working at daycare centers, schools, nuclear power plants, or secure-ID areas of airports.

Small business B-to-B transactions: An SSN is the key business entity identifier to virtually all sole proprietorships or partnerships. As a result, SSNs are required to facilitate business-to-business transactions between small businesses.

Securitized credit markets: Confidence in the U.S. securities market is made possible by accurate financial histories compiled using the SSN as a key identifier. Restricting use of the SSN could undermine confidence in these securities, resulting in substantially higher consumer costs for credit, including mortgages and auto loans.

Investigative services and insurance fraud: SSN access is an important tool for investigative services and insurance fraud investigation. Insurance fraud losses are estimated to exceed $79 billion a year--$900 per family--in the U.S. Prohibiting use of SSNs for investigative purposes could drive those costs even higher.

Consumer data products used for fraud prevention and location

Not all CDIA member products are used for an eligibility determination, but products regulated under other laws such as the Gramm-Leach-Bliley Act (Pub. L. 106-102, title V) are used in critical ways for the benefit of all consumers. CDIA's members represent the leading companies in the field of consumer identity verification, fraud prevention and location services.

Fraud prevention systems: Fraud prevention systems deploy a diversity of strategies, but clearly the SSN plays an important role.
In fact, in 2004 alone, businesses conducted more than 2.6 billion searches to check for fraudulent transactions. As the fraud problem has grown, industry has been forced to increase the complexity and sophistication of the fraud detection tools they use. As the importance of fraud detection tools increases, the potentially negative consequences of allowing ``access and correction'' to these databases must be considered in order to protect the accuracy of the included data, and thus the overall integrity of these tools.

How do Fraud Detection Tools Work?

Fraud detection tools are also known as Reference, Verification and Information services or RVI services. RVI services are used not only to identify fraud, but also to locate and verify information for public and private sector uses. While fraud detection tools may differ, there are four key models used.

Fraud databases--check for possible suspicious elements of customer information. These databases include past identities and records that have been used in known frauds or are on terrorist watch lists, suspect phone numbers or addresses, and records of inconsistent issue dates of SSNs and the given birth years.

Identity verification products--crosscheck for consistency in identifying information supplied by the consumer by utilizing other sources of known data about the consumer. Identity thieves must change pieces of information in their victim's files to avoid alerting others of their presence. Inconsistencies in name, address, or SSN associated with a name raise suspicions of possible fraud.

Quantitative fraud prediction models--calculate fraud scores that predict the likelihood an application or proposed transaction is fraudulent. The power of these models is their ability to assess the cumulative significance of small inconsistencies or problems that may appear insignificant in isolation.
Identity element approaches--use the analysis of pooled applications and other data to detect anomalies in typical business activity to identify potential fraudulent activity. These tools generally use anonymous consumer information to create macro-models of applications or credit card usage that deviates from normal information or spending patterns, as well as a series of applications with a common work number or address but under different names, or even the identification and further attention to geographical areas where there are spikes in what may be fraudulent activity.

Who uses Fraud Detection Tools?

The largest users of fraud detection tools are financial businesses, accounting for approximately 78 percent of all users. However, there are many non-financial business uses for fraud detection tools. Users include:

Governmental agencies--Fraud detection tools are used by the IRS to locate assets of tax evaders, state agencies to find individuals who owe child support, law enforcement to assist in investigations, and by various federal and state agencies for employment background checks.

Private use--Journalists use fraud detection services to locate sources, attorneys to find witnesses, and individuals use them to do background checks on childcare providers.

Location services and products

CDIA's members are also the leading location services providers in the United States. These services, which help locate individuals, are a key business-to-business tool that creates great value for consumers and business alike. Locator services depend on a variety of matching elements, but again, a key is the SSN. Consider the following examples of location service uses:

There were 5.5 million location searches conducted by child support enforcement agencies to enforce court orders. Access to SSNs dramatically increases the ability of child support enforcement agencies to locate non-custodial, delinquent parents (often reported in the news with the moniker ``deadbeat dads'').
For example, the Financial Institution Data Match program required by the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (PL 104-193) led to the location of 700,000 delinquent individuals being linked to accounts worth nearly $2.5 billion. There were 378 million location searches used to enforce contractual obligations to pay debts. Tens of millions of searches were conducted by pension funds (location of beneficiaries), lawyers (witness location), blood donors organizations, as well as by organizations focused on missing and exploited children. Clearly location services bring great benefit to consumers and to businesses of all sizes. Availability and permitted use of the SSN remains vital to the effective operation of these services for both private and public sector purposes.

INFORMATION SECURITY AND THE SSN

Because of recent media coverage regarding security breaches of sensitive personal information and also general concerns about identity theft, some consumers may well feel that data about them presents risks that outweigh benefits. But in reality as we have discussed above, there is clear and convincing value in the uses of such data, including the SSN, that bring direct value to consumers and our nation's economy, which must be preserved. Consumers and media often assume that use of the SSN is wholly unregulated and this is not the case. As we've discussed, the FCRA regulates SSNs in the context of consumer reports and our members' use of the SSN is also regulated under the restrictions of the GLB. Other laws such as the Fair Debt Collection Practices Act (15 U.S.C. 1601 et seq.), the Health Insurance Portability and Accountability Act (Pub. L. 104-191), and the Drivers Privacy Protection Act (18 U.S.C. 2721 et seq.), also impose protections on sensitive information about consumers which in turn protects the SSN.
However, CDIA's members recognize that the laws which cover them may not extend to all and clearly the SSN is sensitive personal information which must be protected. The following statement delivered during our testimony before the Senate Banking Committee on September 22, 2005 continues to reflect our position on protecting sensitive data about consumers, including the SSN: ``The discussion of safeguarding sensitive personal information and notifying consumers when there is a substantial risk of identity theft has expanded beyond the boundaries of financial institutions. It is our view that rational and effective national standards should be enacted both for information security and consumer notification as it applies to sensitive personal information, regardless of whether the person is a `financial institution.' '' As this committee knows, there are a number of House and Senate committees that are focused on developing uniform national standards for ensuring the protection of sensitive personal information. We believe that enactment of national standards will ensure that the SSN is protected by all who possess it. New nationwide safeguards regulations authored by the Federal Trade Commission will compel all to deploy physical and technical strategies for the protection of sensitive information about consumers. Further they will likely cause American businesses to move to encrypt such information and finally some will question why they gather the SSN in the first place. Further, information safeguards rules would effectively bring into question the business model of operating publicly available websites that sell a consumer's SSN to virtually anyone who is willing to pay the price. Ultimately national standards for the safeguarding of the SSN and other sensitive personal information will address consumer concerns and perceptions. 
These are all good public policy results and CDIA remains committed to a constructive dialogue as various bills move through the House and Senate.

PUBLIC RECORDS AND THE SSN

The historical debate about the presence of the SSN in public records has suggested a binary proposition of either providing everyone with access to all of a record, including the SSN, or to deny all access to the record with an SSN. We think that this paradigm is dated and today encouraging trends in the technologies used to make public records available to all citizens, particularly via the internet, are allowing state and federal agencies to employ far more sophistication in how and when an SSN will be disclosed. It is also encouraging to hear state court organizations discussing strategies for protecting SSNs and CDIA will continue to engage in these dialogues. However, while CDIA believes that disclosure of the SSN to the general public must be addressed, we also believe that public records must be made available, including SSNs, to those with an appropriate need. States are seeking out dialogue with the private sector about future access to public records which shows promise. Consider the following excerpt from CDIA's April 18, 2002 letter to the National Center for State Courts: ``. . . consider the example of the Maryland court access project that tried to create a limitation on bulk access to court records. The concerns raised at a public hearing in December 2000 `prompted [Chief] Judge Bell to appoint an expanded, more representative task force.' \4\ The expanded task force recently issued a final report and noted that requestors of bulk data sell that information `with value added' to their customers. The report also noted that registration agreements between the court and the bulk data requestors `can provide a vehicle for reasonable safeguards concerning released data.'
'' \5\
---------------------------------------------------------------------------
\4\ Maryland Judiciary Website (visited March 20, 2002).
\5\ Report of the Maryland Court of Appeals Committee on Access to Court Records 10 (Feb. 2002).
---------------------------------------------------------------------------
Public records play a vital role in our society and bring value to the consumer data industry's members. Bankruptcy records, tax liens and judgments are part of consumer ``credit'' reports used by lenders to make decisions that implicate safety and soundness. Records of eviction are critical to landlords who must themselves pay the bills and attempt to lease properties to consumers who will do the same. Validating professional licenses for employment screening agencies is yet another use of public records, as is accessing criminal histories. Through the development of nationwide databases of public record information, our members have solved the problems inherent in having to search through tens of thousands of federal and state court houses and agency databases. In this way, the SSN is as important an identifier in a public document as it is in a private-sector database. It is a critical identifier for all of the data management reasons we discuss above. Without an SSN, a consumer can simply alter a few items of information, such as moving to a new address, or even changing a name and thus separate himself/herself from a bankruptcy record, a tax lien, a record of eviction and even a criminal history, in some cases. Clearly this is not a positive outcome for consumers or for American businesses which are on the front lines of making, for example, fair and accurate risk-based lending and employment decisions, while at the same time fighting identity theft and fraud. Some federal proposals have suggested that state agencies must limit access to the SSN.
The concern of the CDIA's members is that this apparent unfunded mandate will drive under-funded state agencies to either stop requesting the SSN when processing vital records, or to simply deny all access to the SSN for a variety of reasons including the fact that they cannot fund a bifurcated system of access to the SSN for some but not for others. Additionally, because some state public access laws appear to prohibit a bifurcated approach. Ultimately, dialogue with state and federal agencies coupled with the advancement of technologies will address concerns about public records which contain SSNs. An unfunded mandate will destabilize the system of public records which is so important to our democracy. In the context of discussing governmental agencies and the SSN, we do want to acknowledge and are encouraged by the Social Security Administration's efforts to explore the viability of a system by which a party may verify that a particular SSN is associated with a particular name. A discussion of this system can be found in the December 30, 2005 edition of the Federal Register, Vol. 70, No. 250. Entitled ``Consent Based Social Security Number Verification Process,'' the service will be available starting June 2006 and only a limited number of parties are allowed to enroll. As it currently stands, this system is very cumbersome and does not allow for a real-time automated process of SSN verification which will render it very ineffective for assisting victims of identity theft and also preventing the crime. We hope that the SSA will move towards a truly automated system that meets the broader needs of the data industry.

CONCLUSION

In conclusion, you can see that the underlying theme in the discussion of SSN uses is that of balance and ultimately ensuring the security of the number.
Law that imposes national uniform information security regulations on all who possess the SSN in combination with a person's name and address is the most responsible and constructive focus for Congress. In contrast, law that overreaches in attempting to limit use of the SSN is likely to merely take fraud prevention tools out of the hands of legitimate businesses at the expense of consumers. Ironically, to prevent fraud you must be able to crosscheck information. To maintain accurate databases, you must be able to maintain a range of identifying elements. Absent the availability of the SSN, we will be less able to build accurate data bases, to accurately identify records and to help prevent identity theft through the development of fraud prevention and authentication tools. Ultimately consumers expect us all to accomplish the goals of protecting and securing the SSN, and also ensuring the accuracy and effectiveness of databases which contain information about them. Thank you for this opportunity to testify.

Chairman MCCRERY. Thank you, Mr. Pratt. Mr. Hulme?

STATEMENT OF BRUCE H. HULME, PRESIDENT, SPECIAL INVESTIGATIONS, INC., AND LEGISLATIVE DIRECTOR, NATIONAL COUNCIL OF INVESTIGATION AND SECURITY SERVICES, NEW YORK, NEW YORK

Mr. HULME. Good afternoon, Mr. Chairman and Members of the Committee. My name is Bruce Hulme. I represent the National Council of Investigation and Security Services. I am a New York State licensed private investigator, having been so for 42 years. My company is Special Investigations, Inc. As a profession that has been helping victims through the identity theft maze for years, our experience is that such thefts result from purloining of documents, files, charge slips, credit cards, and wallets, and according to the Javelin Strategy and Research survey, 47 percent of such theft is perpetrated by friends, neighbors, and employees. We agree that additional measures can be taken to further reduce incidents of theft.
Our concern is that some measures, unless amended, will have unintended consequences that would help create a safe haven for criminals and do substantial damage to the judicial system. We support Congressional efforts to protect data breaches. We favor limiting the use of the SSN on government documents, student IDs, and health cards. Certainly we do not believe that such information should be sold over the Internet to anybody willing to pay a fee. However, we do have strong concerns with some provisions of H.R. 1745 and a Senate measure that would have direct and harmful effects on how our profession conducts lawful investigations by banning the sale of SSNs. The result would be that databases would not have accurate information about individuals and private investigators would be hampered in our efforts to locate individuals and perform many functions essential to the judicial system. There are 46,000 American men named Bill Jones. Many of them have the same or similar dates of birth. Private investigators and others, of course, need to be able to differentiate between subjects for many purposes, including evidence in court proceedings. One critical and effective tool used by private investigators is what is referred to as the credit header, that portion of a credit report that includes location and identifying information but discloses no credit data. That search is by far the most important one used by investigators when locating female witnesses. Women often change their names due to marriage and divorce, and it also helps to locate other individuals, particularly transients. Pending legislation provides exceptions for law enforcement. This creates an obvious issue of due process because prosecutors with the full resources of the State will always have use of this tool while the accused would not. Database searches led directly to a witness or witnesses who recanted testimony and helped free a man wrongly imprisoned for 20 years. 
The same situation holds true in civil matters. Privacy legislation restricting the use of SSNs generally provides an exception for insurance companies, thereby creating an imbalance between insurance defense and plaintiffs' bars. Investigators do not have access to a central criminal history database, as does law enforcement, so it is essential to develop address information when seeking information about prior convictions so that we know what courthouses to go check out. In both civil and criminal trials, attorneys need to know the backgrounds of witnesses. We urge Congress that any restriction on the sale of SSN information include an exception to enable licensed private investigators and other State-regulated persons to conduct lawful investigations, including but not limited to identifying or locating missing or abducted persons, witnesses, criminals and fugitives, parties to litigation, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs. Here are four quick examples of how we use SSNs. I was retained by the New York courts in a guardianship proceeding to recover $300,000 in assets stolen from a 97-year-old retired Army officer. It was a successful result. The suspect pled guilty, was sentenced 3 to 9 years in State prison and ordered to pay $360,000 in restitution and we got all the money back. In San Francisco, a businessowner started getting statements in the mail saying he owed tens of thousands of dollars on computers and other equipment he never purchased. Someone had hijacked his identity, opened credit cards, store accounts in his name, set up a similar-type website in his name and his company's name. The police said they would only take a report, they wouldn't investigate. They passed it off to the Secret Service. His loss was $80,000. The Secret Service said at that point, they had a $100,000 threshold.
A private investigator came into the case and with the use of credit header information found that an ex-employee, checking things out, had been using three names or several different SSNs and birthdates. One of our association members reported a case that involved a woman who was left a sizeable inheritance by her uncle in the form of a trust. The investigator was able to eventually determine that she was recently married and living in Utah somewhere destitute, out of a pickup truck. That had a successful result. A former president of our council testified just several years ago, I think, about a similar case before this Committee regarding a custodial parent whose child had been abducted 2 years prior. Her mother spent 2 years having a run-around with the police and politicians trying to get somebody to do the job. She went to this private investigator. Within basically minutes, running a credit header, determined enough leads as to where the husband might be, turned the information over to the police. They went there, got in, and the child was reunited with its mother. As detailed in our statement, the association of regulators which regulates our profession, they support granting an exception for our industry in this, and we stand ready to assist the Committee in any way we can and thank you for this opportunity, Mr. Chairman. [The prepared statement of Mr. Hulme follows:] Statement of Bruce Hulme, Legislative Director, National Council of Investigation and Security Services, New York, New York Good afternoon Mr. Chairman and members of the subcommittee. My name is Bruce H. Hulme and I am appearing today on behalf of the National Council of Investigation and Security Services (NCISS) where I serve as Legislative Director. I am past president and chairman of the Council and serve as a member of the Board of Directors. I have been a licensed private investigator in New York for more than forty years and am president of Special Investigations, Inc. 
We appreciate the opportunity to discuss how Social Security numbers can be used by perpetrators of identity theft, what Congress can do to mitigate the risk of such fraud, and the impact of pending legislation. Social Security numbers (SSN's) have become the de facto identifier in the United States. The Social Security number is the single best way to distinguish among people of similar or identical names. That is why businesses have used SSN's on identity cards and customer records. It is also why SSN's are sought by those who wish to commit fraud, so they may attempt to establish an identity. When Congress created the Social Security System nearly three-quarters of a century ago, it was not intended that the numbers issued to nearly every American would become the universal identifier for modern times. But that is what has occurred. An entire system of commerce is predicated on citizens being able to identify themselves based on this identifier. Unless each person has a viable substitute such as a password to take the place of the SSN, Congress should be very circumspect about eliminating the use of the SSN as an identifier. Just as most commerce uses the SSN, the civil and criminal justice systems also require a means of identifying parties and witnesses in lawsuits and the commonality of dates of birth makes the SSN a necessary tool to be sure the courts have positive identification. It is true that some abuses have occurred by the misuse of the SSN, but the percentage of misuses pales in comparison to the number of positive uses applied every day in our economic and justice systems. As a profession that has been trying to help victims through the identity theft maze for years, we applaud Congress' efforts to put additional laws on the books that will bring victims some relief. Recently enacted legislation should be of some assistance.
The Fair and Accurate Credit Transactions Act included several identity theft provisions, and the 108th Congress adopted the Identity Theft Penalty Enhancement Act to increase sentences of convicted fraudsters. We were appalled to read recently that two caretakers who committed such fraud against their elderly patients received suspended sentences. Until the courts take the crime seriously, it will be difficult to deter such thieves. Although a percentage of identity thieves no doubt gather their victims' identities from the Internet, our experience is that most such thefts result from the purloining of documents, files, charge slips, credit cards, and wallets from restaurants, stores, trash bins, the mails and private property. In fact, according to the Javelin Strategy and Research survey 47 percent of such theft is perpetrated by friends, neighbors or employees. But we agree that additional measures can be taken to further reduce incidents of theft. Our concern is that some measures, unless amended, would have unintended consequences that could help create a safe haven for criminals and do substantial damage to the judicial system. Publicity over data breaches for the past year has led to numerous bills in Congress and state legislatures to require that sensitive personal information, including Social Security numbers, be protected by those who hold it. Such breaches have occurred not only from data providers, but universities, banks and other institutions. Breaches have also occurred at every level of government. These breaches have been caused by lost computers, hacking, misplaced files and other means. We support efforts to protect such sensitive personal data. Consumers should be informed when such data are divulged and should be provided assistance in order to protect themselves. And, businesses and other institutions holding such data have a responsibility to protect it.
With regard to Social Security numbers, we support limiting their use on government documents, student id's, health cards and other means of identification that could fall into the wrong hands. And we certainly don't believe that such information should be sold on the Internet to anyone willing to pay a fee. Many of these provisions are found in HR 1745, the Social Security Number Privacy and Identity Theft Protection Act. We do, however, have strong concerns with provisions of HR 1745 and other measures that would have a direct and harmful effect on how our profession conducts lawful investigations. The Senate Committee on Commerce, Science and Transportation, for example, amended S 1408, the Identity Theft Protection Act, to effectively prohibit the sale of Social Security numbers with few exceptions. The result would be that databases would not have accurate information and private investigators would be hampered in our efforts to locate individuals and perform many of the functions essential to the judicial system. How Private Investigators Use SSNs As indicated earlier, the Social Security number is critical for determining identity. In past hearings, Lexis-Nexis has testified that there are 46,000 men in America named Bill Jones. Many of them have the same or similar dates of birth. Licensed private investigators need to be able to positively differentiate between subjects when rendering reports which will be used for many purposes including evidence in court proceedings. Behind any civil or criminal court case of consequence, you will usually find a licensed private investigator assisting the attorneys involved in such cases. The investigators are also then bound by the attorney-client privilege which adds a further measure of security to the information developed on individuals during the course of an investigation. Contrary to popular belief, most investigators work for law firms, insurance companies and corporations, not the general public. 
One critical and effective tool used by private investigators is the ``credit header,'' that portion of a credit report that includes location and identifying information but discloses no credit data. That search is by far the most important one currently used by investigators when locating female witnesses. Since women often change surnames over the course of their lives due to marriage or divorce, it makes it even more critical to be able to identify them by their SSN. The SSN does not change and allows us to locate these otherwise difficult to find witnesses. In California recently, database searches led directly to witnesses who recanted testimony and helped free a man wrongly imprisoned for twenty years. In both civil and criminal trials, justice is served best by all parties getting access to all possible witnesses. Access to a fair trial is a fundamental right of American citizens. Without the ability to identify and locate all witnesses, that right is threatened. The address information is used routinely to locate witnesses, particularly when they may be transient. Legislation restricting the use of Social Security numbers always provides exceptions for law enforcement. This creates an obvious issue of due process because prosecutors, with the full resources of the state, would have use of this tool while the accused would not. The criminal justice system needs balance. . . . the private investigator provides a counterpoint to the investigators in the public sector. The same situation holds true in civil matters. Privacy legislation generally provides an exception for insurance companies, thereby creating an imbalance between the insurance defense and plaintiffs' bars in obtaining evidence in civil trials. Investigators do not have access to the central criminal history database that law enforcement officials do, so it is essential to have addresses when seeking information about prior convictions. 
With prior address data, investigators know which courthouse records to search. This information is important for more than pre-employment purposes. In both civil and criminal trials, attorneys need to know the backgrounds of witnesses and potential witnesses. Address information is valuable in locating stolen assets. I was retained by the New York courts in a guardianship proceeding to recover over $300,000 in assets stolen from a 97-year-old retired Army officer by a neighbor caregiver. Through the use of credit headers I was immediately able to determine the identities and locations of the wrongdoer's relatives, properties and eventually their assets that had been taken from the victim. It was the initial header check on the suspect that uncovered an address in Myrtle Beach, South Carolina. That information developed leads that the victim's assets had been used to purchase expensive automobiles, real property in South Carolina and increased the bank account balances of the suspect. All under the guise that the 97-year-old victim, who was suffering from dementia, had given his life savings as gifts to the suspect. The suspect eventually pled guilty and was sentenced to three to nine years in state prison for second-degree grand larceny and ordered to pay $360,000 in restitution to the estate of the victim, who, regrettably, died a month before sentencing of the defendant. In numerous cases, such data have led to recovery of funds from persons not meeting their child support obligations. And missing persons, including abducted children, have been located with leads generated from credit headers. It is no secret that law enforcement does not have the resources to respond effectively to most victims of identity theft. The crime is difficult to solve, and often involves several jurisdictions. So victims turn to private investigators for assistance. 
Congress must consider that many licensed private investigators are former law enforcement officers and can assist the overwhelmed public law enforcement sector in fraud and identity theft related cases. Law enforcement is often under-manned and ill-equipped to deal with identity theft and usually violent crime cases take precedence. The victims then must turn to investigators in the private sector to assist them in determining the extent of the fraud and the identity of the perpetrators. Investigators must have access to the necessary tools such as the credit header SSN search. Without access to this important investigative tool, it will become easier for criminals to shield themselves from discovery. They are fully aware of the limitations facing law enforcement. Here is how SSN information helped solve one case: In San Francisco, an investigator reports working a case for a successful business owner who started getting statements in the mail saying he owed tens of thousands of dollars on computers and other purchases, none of which he knew anything about. He found someone had hijacked his identity, opened credit card and store accounts in his name and had even opened a web page mirroring his web page and had an e-mail address similar to his. The San Francisco Police said they would take a report, but would not investigate and suggested he go to the Secret Service. Although losses approached $80,000, the Secret Service declined to take a report because losses had not reached a $100,000 threshold. The victim hired a private agency. Using credit header information, they learned that the suspect was an ex-employee with three aliases, three or four social security numbers, and three different dates of birth. The suspect was apprehended and prosecuted. Such information is also valuable for locating lost heirs. One of our association members reported a case that involved a woman who was left a sizeable inheritance by her uncle in the form of a trust.
The family had not had any contact with her for a number of years, so the attorney handling the trust asked for assistance. By using header information, the investigator was able to eventually determine that she was recently married and was living someplace in Utah. He was able to locate her husband's relatives and learned that she and her husband were destitute and living out of a pick-up truck in Oregon. He sent the requisite documentation to her in care of her husband's relatives and she rightfully obtained her substantial inheritance. Without access to header information, the investigator would not have been able to locate her. A former president of our Council--NCISS--helped a custodial parent whose child had been abducted two years prior. The mother had spent those two years unsuccessfully trying to keep the police interested and writing various public officials seeking help. A credit header search revealed an address in Palm Beach, Florida, where the estranged husband had recently applied for credit. The police apprehended the husband and reunited the child with his mother. One of our Texas members reports using a Social Security number ``trace'' to locate a female in need of assistance. A charitable fund had been set up to assist her with prenatal care and her childbirth. The credit header was an efficient means for the licensed investigator to quickly locate a needy person for charitable purposes at low cost. Last year, NCISS met with members of the Federal Trade Commission to apprise them of the many ways private investigators rely on the SSN. We presented a dozen actual case examples of the sixty we had brought with us to that meeting. 
We urge Congress to provide that any restriction on the sale of Social Security information include an exception to enable licensed private investigators and other state regulated persons to conduct lawful investigations, including, but not limited to, identifying or locating missing or abducted persons, witnesses, criminals and fugitives, parties to litigation, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries and missing heirs. It is ironic that the end result of such well-intentioned legislation would be to make it more difficult to assist victims of identity theft and other frauds. It would make it less likely that the courts would hear from all relevant witnesses in both civil and criminal trials and less likely that stolen funds are recovered. In conclusion, I would like to share with this committee the position of the International Association of Security and Investigative Regulators with respect to this issue. IASIR is an association of state and province regulatory agencies in the United States and Canada, having jurisdiction over a large part of the security industry and investigative profession. At their annual meeting last fall they passed the following motion: IASIR acknowledges that regulated investigators are an integral part of the effective administration of justice, civil as well as criminal.
In addition, state licensed investigators provide an essential service to the public, to businesses and government, and to the legal community for the purpose of preventing or investigating fraud including identity theft; reducing business losses such as embezzlement, robberies, burglaries, thefts, fires and other casualty claims; investigating workplace allegations including harassment, discrimination and other workplace risks; locating missing and abducted persons, witnesses, heirs, and deadbeat parents; as well as assisting in uncovering significant misrepresentations or critical non-disclosures in conducting due diligence. Since access to personally identifiable information is crucial to the welfare of many and often concerns not only individual physical safety but the protections of homeland security, IASIR recognizes and supports the necessity of those investigators, who are licensed and monitored by regulatory agencies, to maintain access to personal identifying information including but not limited to, social security numbers, dates of birth and driver's license numbers to assist in their important investigative mission.

NCISS stands ready to assist the Committee in its endeavor to protect consumer privacy without causing unintended consequences.

Chairman MCCRERY. Thank you, Mr. Hulme. Ms. Robinson, I am curious about one thing that we have discovered. According to the FTC, 61 percent of identity theft victims never contact the police department to report their identity theft. Do you have any idea why that is?

Ms. ROBINSON. Well, from my experience in working with victims, victims feel like the police don't care, and like the gentleman just said, the police will only take a report. They won't actively investigate the crime. They won't actively pursue the perpetrator.

Chairman MCCRERY. Does anybody else have a thought on that? Mr. Hulme?

Mr. HULME. Well, it is multiple jurisdictions that present problems.
Law enforcement basically is just now starting to come up to speed. I can tell you from testimony I heard on the first panel that I probably investigated more ID thefts than the two government agencies. I know many of our members certainly have. I think it is a question of passing the buck, but it is definitely a major problem that has to be addressed.
Chairman MCCRERY. Thank you. Mr. Stein, you mentioned how financial institutions use SSNs as a tool to help verify the identity of their customers. Could you explain how, for example, a bank's customer identification program might work? What information do you request in addition to the SSN?
Mr. STEIN. Identity documents are always requested to prove up identity. The SSN helps as a determinant of an individual. As my esteemed colleagues have all represented about the Smiths, the Jones, and so forth, the SSN serves to identify the specific Jones or Smith that you are dealing with and to be able to tie those relationships, for example, together within a financial institution, to ensure that when you pull credit reports to determine creditworthiness for a loan, a mortgage, a credit card, you are actually receiving the information about the specific applicant who has applied to you so that you can make that credit worthiness decision appropriately. Those are a number of ways in which that number is used. It is not used to verify identity per se. It is used to ensure that you are the Smith with whom we are dealing, and then we use your identity documents, typically a driver's license in today's society, and perhaps other pieces of identification, whether it be a passport, credit card, whatever, to confirm your identity. 
The SSN itself doesn't confirm your identity in the absence of a CBSV or its predecessor, the Enumeration Verification System, where we have the ability to actually go out to SSA's database and pull back or confirm the SSN, name, date of birth combination so that we know, in fact, we are dealing with the same person. In the absence of that, the number itself simply allows us to tie together disparate people using our disparate accounts that are using that same number as an identifier.
Chairman MCCRERY. Let us take Ms. Robinson's case, for example. Another Ms. Robinson stole her SSN, or got it, started using it, and applied for loans, evidently, and got them. Why couldn't that financial institution have just done a couple of extra things that might have raised flags and made them question the person sitting before them? She probably had a driver's license, that had her name which was almost the same, and it may have left out her middle initial, and that is not unusual, and so the person at the bank or the financial institution said, okay. Maybe then he should have looked at the address on the driver's license, and then surely the financial institution did a credit check. Maybe they should have compared the address on the driver's license to the address on her credit report, and when those are not the same, a flag goes up and you just either ask her there at the desk or call her back and say, there is a discrepancy in the address in your credit report. What is the deal?
Mr. STEIN. I have----
Chairman MCCRERY. Just a couple things. Why shouldn't you do that?
Mr. STEIN. I have two answers to that. 
The first one is, again, going back to the CBSV and the EVS system, had that been commercially available so that the financial institution could have verified the consumer's name along with the SSN and along with the date of birth, and assuming that the person who was misrepresenting her didn't have all three of those correct and documentation to support all three of those correct, the financial institution could have had an opportunity right there to have caught that. Number one, I would promote that the ability to verify that information is a key step in this entire process. Now, not knowing exactly what the financial institution saw, and so I am--you have sort of asked me to second-guess what they did or didn't do here--but with respect to the credit reports that would be pulled based on the SSN and the name, I think that Mr. Pratt here has indicated the volume of address changes that happen in a year and the information tends to lag what gets into the credit reports, and so it wouldn't necessarily in and of itself as the sole trigger. The fact that the address wasn't in that credit report that represented the person in front of them wouldn't necessarily by itself have been a key indicator. I also think that in a high-volume environment as card issuers deal with, it may also be difficult for them to find those really fine nuances between two people of the same name with the same SSN. I will tell you that had they been using a different name with her SSN, there would have been a warning that would have appeared on the credit report that would have indicated there is another name in the Bureau that is used sharing that same SSN. One of the problems is the very close similarity between the two names in this particular instance.
Chairman MCCRERY. Okay. Mr. Hulme, you have stated that your organization agrees that additional measures can be taken to reduce identity theft. You undoubtedly have a lot of experience in dealing with information resellers. 
Do you have any recommendations as to how they can improve their protection of SSNs, these resellers?
Mr. HULME. First of all, if there was a manner of getting a lot of the resellers--and I am not referring to the major ones, but two levels down or a level down--from selling this--pull this off the Internet and eliminate sales to the general public and you will eliminate 95 percent of the problems, in my opinion.
Chairman MCCRERY. Say that again?
Mr. HULME. I think one will eliminate 95 percent of the problems if sales of----
Mr. BECERRA. Could you repeat the whole answer? Pull it from the Internet----
Mr. HULME. Sure. Don't allow the sale of the SSN and personally identifiable information to be sold to the general public over the Internet. That would be my--I think that would be my first, strongest suggestion, and I heard one of the speakers earlier today say there were studies that maybe showed that. I can tell you that anecdotal information, and if you talk to most investigators and certainly our association, we think that if you pull down the sale of these items of personal information direct to the general public over the Internet, you will eliminate an awful lot of identity theft.
Chairman MCCRERY. Thank you. Mr. Levin?
Mr. LEVIN. Just one question. To sum up, how easy is it to steal identity?
Mr. HULME. Well, I am not a thief, but I would say---- [Laughter.]
Mr. LEVIN. I said how easy, not how.
Mr. HULME. Well, I think in some cases, the door is being left open. In some situations, I think there is the availability to get this information and it is being displayed often in areas where it shouldn't be displayed. The information obviously has to come off a lot of government documents, more than are necessary. 
The tons of mail that we get that get sometimes sent to the wrong place, even when it comes back to the Post Office, just check with the postal inspectors and you will find that they are now investigating quite a few crimes regarding what has been done with the mail that has been returned.
Mr. LEVIN. You are saying it is easy?
Mr. HULME. Yes.
Mr. LEVIN. Does anybody disagree with that?
Mr. PRATT. I don't think we disagree with that. I just want to emphasize, though, the point that has already been made, but just to drive it home, that fraud prevention systems are moving past the simple question of do you have a Social and a name that match up together. We discuss in our testimony different fraud prevention strategies that are being used today, and they really do have to do with bringing together disparate sets of information and attempting to foil the dilemma of having information which is far too openly sold out on the Internet, for example, by, for example, asking additional questions of the consumer that would probably not--that the ID thief would not necessarily know. In an online environment, it might be to ask consumers additional questions that the thief probably wouldn't even know even if he or she had stolen a wallet. Fraud prevention systems have clearly moved past the simple, do you have a set of data and have you matched it, yes or no, and we, too, agree that the SSA concept of matching information is a good one, but I suspect we would all agree that it is not the sum total of how you ultimately validate a consumer's identity. You may be able to validate that you have a real SSN, but then you are going to raise yellow flags. What about that address? The Fair Credit Reporting Act, by the way, was amended in 2003 to obligate all lenders to have a system by which they will compare the old address or the address on the application with the address that you find in the credit report. What about fraud alerts? 
The Fair Credit Reporting Act was amended in 2003 to obligate a lender to pay attention to the fraud alert, to make sure that it was actually processed, so that if one was placed on the file, that there would be additional contact measures taken to further authenticate the identity of the individual and attempt to foil the criminal from opening up new accounts. I think those kinds of steps have been taken and that is why the world is a little different than even the last time I appeared before this Committee, when we talked about SSNs and the availability of them. Those are good steps along the continuum and the challenge is thieves become more clever and so, too, do the fraud prevention systems that have to stop them.
Mr. LEVIN. Thank you.
Chairman MCCRERY. Mr. Johnson?
Mr. JOHNSON. Thank you, Mr. Chairman. Mr. Pratt and Mr. Stein, I guess, you all haven't talked about how some companies will use the last four digits and some of them the first five, maybe, to identify people. Does that have any validity at all?
Mr. PRATT. From our perspective, again, Congressman, the Fair Credit Reporting Act stipulated that consumers could truncate SSNs when they order their credit report so that they could look at their credit report. For example, some laws attempt to do that. Yes, there can be some strategies where I suppose truncation works. There are risks any time you start to truncate the number. For example, we actually have run data to show that even with the last four digits of an SSN, you can match up as many as 90 different Joneses in this country. You have to be careful. You have to be careful about when and where to employ a truncation strategy. In some kinds of database management systems, that is good. In some, that might not be so good.
Mr. STEIN. I think that one of the reasons that we use truncated SSNs is a layered approach for role-based access. If you segment a need around Social Security within a financial institution, there are three sets of needs. 
There are those people who don't ever need to see an SSN. You may have employees who, by virtue of their job role, have no need to ever see a customer's SSN, and by virtue of that role-based access, when they pull up information on the customer to respond to a question or whatever, they shouldn't see the customer's SSN at all. There may be others within the organization who have a need to verify that as a component of the identity verification process, but they have no need for the full SSN. They don't need to know the whole thing for that consumer. A customer service center, for example, gets a phone call from Mr. Jones and one of the ways they may verify Mr. Jones in a remote environment is by having Mr. Jones tell them, or alternatively key into a voice response unit the last four digits of their SSN as a means to uniquely identify that Mr. Jones is the one for whom I am going to pull their account records. Again they have no need to see the full thing. Then there are other employees within the organization who have clearly a need to work with the entire SSN, and that is a much, much smaller population. We are reducing the risk throughout that whole thing by taking it from the old world of financial institutions, where every employee saw every SSN, to a very small number who see a full SSN.
Mr. JOHNSON. Now, we tried at one time to get the military to change their procedure, but all of them use the SSN as an ID and it is on their ID card. Not only that, but my wife's ID card has both our numbers on it, not just one. Have you got any suggestions about how we can fix that problem, because that is an easy theft, I think.
Mr. PRATT. Congressman, all I can say is I think the world has changed enough that it is time to ask that question again of the military to see if they are willing to alter that system now.
Mr. JOHNSON. Okay. We can make them do it, I guess. [Laughter.]
Mr. PRATT. 
It is true that every time the SSN is used on a medical identification card, when it is used on all the different places that it can occur, those are all risks that I think my colleague to the left has expressed are potential risks.
Mr. JOHNSON. Mr. Hulme, you are talking about people stealing your identity. I got stopped at the airport because they said I was a terrorist. Sam Johnson--there are a lot of them around. [Laughter.] They didn't have to have an SSN to verify who I was. They used other means. I think there is a way to get around that if we really want to and you all are probably doing as good a job as anybody. Have you got any suggestions on that?
Mr. HULME. No. All I can say is that some people definitely need to have access to that SSN. Along the same line, in fairness, it doesn't need to be laid out for the world to have.
Mr. JOHNSON. Yes. You are right. Thank you. Thank you, Mr. Chairman.
Chairman MCCRERY. Mr. Becerra?
Mr. BECERRA. Thank you all for your testimony. It is enlightening and also very disturbing. Ms. Robinson, let me ask you something. Have you cleared up your credit record yet?
Ms. ROBINSON. No, sir. As a result of Nicole Robinson using my data, one of the credit reporting agencies is still reporting her bad debt as mine.
Mr. BECERRA. Okay, stop. Mr. Pratt, you represent the credit bureaus.
Mr. PRATT. I do.
Mr. BECERRA. You hear Ms. Robinson saying that she has been going through this for years. Is there any reason why, if we contact you pretty soon, you can't tell us that the credit bureaus haven't taken care of Ms. Robinson's credit record?
Mr. PRATT. None whatsoever.
Mr. BECERRA. Okay. We will make sure that you get Mr. Pratt's phone number---- [Laughter.]
Mr. BECERRA. --and you will have----
Ms. ROBINSON. 
May I also add, though, that I have been dealing with that particular credit reporting agency for the last 4 years over the same problem, and it prevented me from getting a mortgage last year because they were reporting $35,000 in bad debt that belonged to her.
Mr. BECERRA. Stop. Mr. Pratt said that you won't worry about that.
Ms. ROBINSON. Okay.
Mr. BECERRA. We will be in touch, and certainly you will be in touch with----
Ms. ROBINSON. Yes, I will be in touch.
Mr. BECERRA. Thank you, and Mr. Pratt, thank you for that. Mr. Stein, let me ask a question. What does Countrywide do with customers who, for whatever reason, close their accounts and their relationship with Countrywide. What do you do, what does Countrywide do with that personal private data that it has for that individual?
Mr. STEIN. There may be continuing obligations we have even after a relationship is closed, and let me speak more broadly for the financial industry in general because I think it is true whether lenders or financial institutions. There may be continuing obligations we may have with respect to that information that keeps it within the organization. That having been said, again, we talked about this role-based access and restricting the access to the information to those who have a true need so that you see only really that information which you have need by virtue of your job.
Mr. BECERRA. I have a mortgage through Countrywide. I pay it off. I no longer owe Countrywide any money. You have my SSN through the fact that I took out a mortgage with you. I no longer have any banking activity with you. You still maintain a file with my SSN?
Mr. STEIN. For our retention period, yes.
Mr. BECERRA. Which is how long?
Mr. STEIN. I believe it is probably either 5 or 7 years. Offhand, I don't----
Mr. BECERRA. Who has access to that?
Mr. STEIN. 
Again, it would depend on the specific job functions within an organization, but it would be those people who have, by virtue of their job function, a need to access it. For example----
Mr. BECERRA. Let me, because I am going to run out of time, so I don't want to do that, but let me ask you this. Would it be feasible economically for a company, an industry, to try to do more to shut down access to that personal data sooner than 5 to 7 years or make it much more restricted in terms of access to that information, once there is no need to have an ongoing review of that information because the accounts, in essence, have been closed?
Mr. STEIN. Right, and I don't want to imply that once you close your relationship, the same people who have had access to that information when your relationship was open necessarily have it when your relationship is closed.
Mr. BECERRA. Okay.
Mr. STEIN. There is some population that does continue to have it, because you may call up a year later or 2 years later and have some question about your closed relationship that someone now needs to get access to.
Mr. BECERRA. Well, let me ask you this. If I were to call your toll-free number to check on the status of my mortgage 2 years after I have already finished and I punch in on the phone my old mortgage account number and I have some questions I need to have answered so I get an actual voice on the phone, would that person be able to pull up the information that would include the SSN?
Mr. STEIN. The answer is, it depends.
Mr. BECERRA. Okay. Don't go any further, because I will run out of time. If you can guide us on this, I think what we have heard is that we have got to try to limit the access as much as possible, but we also have to recognize that a lot of commerce depends on this information. Let us know what you are doing. What are the best practices that you are using to make sure that once you don't need it, you are not using it, and once you don't need it, others can't access it. 
It would be helpful to know who is doing a good job of making sure that we are closing the door on that information the quicker we can.
Mr. STEIN. Right.
Mr. BECERRA. That would be helpful. A hypothetical here. Social Security says, tomorrow, we are going to scrap the current SSN and the system that we have used. We are going to reinstate something totally different. Maybe it is with a number, but it is different. Everyone in America who has an SSN, you will be issued something else. At the same time, we pass a law saying we prohibit the use of this new Social Security identifier for anything other than Social Security. What do your industries, your agencies, what do you do?
Mr. PRATT. Beyond panic, I guess, would be the question. [Laughter.]
Mr. PRATT. I think there are several parts to that answer. One, clearly, biometrics are being used in certain contexts and so, yes, there are even today--again, it is very important to distinguish between how the number is used to create an accurate database to say, I have data associated with this number and with this name together, versus how I am going to identify you and make sure that you are 100 percent who you say you are. Even today, consumers' acceptance of concepts like biometrics is much greater than it was perhaps a decade ago. I think you would always find some sort of substitutes effect. I think the question is at what level of disruption in the system overall, between the time that you were to close off the system completely and then try to reinstate something else. There would be, by the way, a legacy effect. All the data that was currently mediated by SSNs would remain. Court records would remain associated with the SSN. You are really talking almost generationally, anyway. You are talking about very, very long periods of time as you move away. 
It does get into discussions of cards and whether cards will have algorithms on them and whether cards will store additional information and whether they are used for limited purposes or more extended purposes. These are very complicated issues that certainly go well beyond the pale of our industry or, I suspect, any of us here at the table.
Mr. BECERRA. One way or the other, you will find some type of universal identifier that can help you keep tabs of the population.
Mr. PRATT. Well, I would say two things could happen. Number one, you could have less data mediated, which means, for example, consumers today who already are unhappy when we don't have a certain account that they have been paying on time for many, many years that Countrywide wants to use to approve a loan, when it is not in their credit report, they are also unhappy with us, just as they are unhappy when there might be data in their credit report that they say is not theirs. What you do have with the removal of an identifying system or a single unique identifier like the SSN is potential disintermediating and disconnecting data which can be mediated and which can be used for good things, such as me getting the car loan on the weekend or getting the student loan for my kids and so on and so forth. There are effects like that that we probably can't entirely predict today. Even the FTC was asked to look at how SSNs interplayed with credit reports, and that was a study that was done during the 2003 FACT Act, and they concluded that, really, you move away from a binary, good or bad, proposition and you are on a continuum, move one direction, and maybe there is less SSNs and so maybe certain types of risks are reduced, but maybe you have disintermediated data. It was all about do you move toward more inclusivity or do you move toward more exclusion or separation? That is the kind of database continuum our members tend to operate on. Which way do I go?
Mr. BECERRA. Thank you.
Mr. STEIN. 
If I may just take one moment, when you talk about things like biometrics and other kinds of identifiers to uniquely identify an individual and you compare it to the SSN issue, the one thing to keep in mind is that the SSN is a national unique identifier. In the absence of having a national registry of fingerprints, retinal scans, facial recognition, hand geometry, whatever you want it to be, there is no way to take those disparate pieces and put them all together into a credit report. In the absence of that, it is probably more likely rather than less likely that the Nicole Robinsons of the world get joined with someone who really isn't them. In this case, the person used her SSN with her same name. In other circumstances, you are going to have people, a whole bunch of Nicole Robinsons that may get joined together because there is not that unique identifier that puts them together.
Mr. BECERRA. Thank you. Thank you, Mr. Chairman.
Chairman MCCRERY. Thank you very much, gentlemen and ladies. We appreciate your testimony and your responses to our questions. That concludes today's hearing. The Subcommittee is adjourned.
[Whereupon, at 4:40 p.m., the Subcommittee was adjourned.]
[Submissions for the record follow:]
Corona Del Mar, California
March 27, 2006
Dear Members of the Subcommittee and Participants of this series of Hearings:
My name is John Patrick Kenney. I earn my living as a real estate developer and I am licensed as a real estate broker in California. I am a former recipient of Long Term Social Security of Disability Benefits. I am a recent recipient of the National Republican Congressional Committee Ronald Reagan Medal and 2005 Businessman of the year Award. I am also the plaintiff in a Federal District Court Lawsuit against the commissioner of Social Security, currently awaiting a decision in case #SACV 05-00426 (MAN). John P. Kenney Vrs. Commissioner of Social Security. 
The agency misused my Social Security Number, identifying me as the recipient of a mistaken overpayment decision. This resulted in damages similar to those incurred in identity theft and was a violation of the bill of rights in the constitution of the United States. As I expect to win this case, actual damages today are approximately 12.5 million dollars and increasing at a rate of about $30,000.00 per calendar day.
Patrick O'Carroll, the SSA Inspector General has recently in this series and through reports, informed you, that the SSA may have made: 600,000 errors of overpayments and underpayments of the Social Security Benefits, has put you on notice of this, I'm sorry to say, error prone agency. The problem is that you, the congress, have backed this error prone agency with police powers to collect erroneous debts with minimal if any oversight. For example, the Federal Trade Commission is not permitted to enforce fair credit reporting or fair debt collection laws you enacted for our protection against the SSA. The president's management agenda is I believe correct . . . get our money out of the hands of this poorly managed bureaucracy.
So, as a consequence of the above I legitimately expect a ``Social Security'' check soon between $12,000,000.00 and $20,000,000.00 depending on how long this agency wants to fight by withholding evidence, slandering my character in the public court record, appealing to the 9th circuit or whatever failure prone tactic they may want to attempt. So . . . this error prone agency should not of and by itself and without real oversight possess the police powers you have given it. I expect to prevail in my case and expect some public notice in the media to precipitate many an angry or scared taxpayer to contact you. What would happen to the general fund if 600,000 individuals had the opportunity, the inclination, the resources to sue the Social Security Administration for violating the privacy act as I have done? 
Please call on me if you need some help, even though I've missed meals and been forced by the above to try to relocate my business out of the country. I'm willing to help this subcommittee any way I am able.
John P. Kenney
Statement of J. Michelle Sybesma, Fishers, Indiana
You may find it hard to believe that once upon a time I carried an affidavit from the United States Postal Inspection Service verifying I was indeed who I professed to be. From the looks of my photo, you might find it amusing to read my most recent state registered identification had said that I was not only Male, but of a Latin American heritage, 2 inches shorter, and about 15 lbs heavier than when I stood in front of you. The truth was, before I figured out what happened I had a house in the low-income projects in Danville, IL and another just outside my hometown in Indianapolis, IN. Someone was utilizing my personal information and morphing it into someone that was in no way aligned with the principles of good ethics. This was over ten years ago. I now know better than most what it takes to establish a new social security number and have to spend years fighting to reclaim your identity. However, I am no victim. I am inclined to believe things happen for a reason and this happened to me so I might teach others how to prevent it. The experience left me smarter, credit wiser and fighting mad to make sure it does not happen to others.
The most recent Federal Trade Commission statistics show that 12.7% of individuals surveyed have been personally touched by some sort of credit card fraud or identity theft. As a consultant and professional speaker who covers topic to teach groups the importance of proper precautions to risk factors of Identity theft, I can tell you a more accurate statistic never stood. If requested to testify, I can tell you a great deal about the inherent risk in business using our SSNs as a primary identifier. 
Most people do not understand the long term impact this can have on the rise of this epidemic. Please consider contacting me to speak for your subcommittee. Not since the Fair Credit Reporting Act of 1996 has there been a piece of potential legislation that had such impact on that of Identity Theft.
Thank you.