[Senate Hearing 109-1087] [From the U.S. Government Publishing Office] S. Hrg. 109-1087 IDENTITY THEFT AND DATA BROKER SERVICES ======================================================================= HEARING before the COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION UNITED STATES SENATE ONE HUNDRED NINTH CONGRESS FIRST SESSION __________ MAY 10, 2005 __________ Printed for the use of the Committee on Commerce, Science, and Transportation ---------- U.S. GOVERNMENT PRINTING OFFICE 61-787 PDF WASHINGTON : 2010 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION ONE HUNDRED NINTH CONGRESS FIRST SESSION TED STEVENS, Alaska, Chairman JOHN McCAIN, Arizona DANIEL K. INOUYE, Hawaii, Co- CONRAD BURNS, Montana Chairman TRENT LOTT, Mississippi JOHN D. ROCKEFELLER IV, West KAY BAILEY HUTCHISON, Texas Virginia OLYMPIA J. SNOWE, Maine JOHN F. KERRY, Massachusetts GORDON H. SMITH, Oregon BYRON L. DORGAN, North Dakota JOHN ENSIGN, Nevada BARBARA BOXER, California GEORGE ALLEN, Virginia BILL NELSON, Florida JOHN E. SUNUNU, New Hampshire MARIA CANTWELL, Washington JIM DeMINT, South Carolina FRANK R. LAUTENBERG, New Jersey DAVID VITTER, Louisiana E. BENJAMIN NELSON, Nebraska MARK PRYOR, Arkansas Lisa J. Sutherland, Republican Staff Director Christine Drager Kurth, Republican Deputy Staff Director David Russell, Republican Chief Counsel Margaret L. Cummisky, Democratic Staff Director and Chief Counsel Samuel E. Whitehorn, Democratic Deputy Staff Director and General Counsel Lila Harper Helms, Democratic Policy Director C O N T E N T S ---------- Page Hearing held on May 10, 2005..................................... 1 Statement of Senator Dorgan...................................... 25 Statement of Senator Inouye...................................... 1 Prepared statement........................................... 2 Statement of Senator Kerry....................................... 38 Statement of Senator Lautenberg.................................. 3 Prepared statement........................................... 3 Statement of Senator Bill Nelson................................. 2 Statement of Senator Pryor....................................... 27 Statement of Senator Smith....................................... 5 Chart, 2005 Data Security Incidents.......................... 32 Prepared statement of Senator McCain......................... 32 Statement of Senator Stevens..................................... 1 Statement of Senator Vitter...................................... 6 Witnesses Barrett, Jennifer T., Chief Privacy Officer, Acxiom Corporation.. 46 Prepared statement........................................... 48 Curling, Douglas C., President/Chief Operating Officer, ChoicePoint Inc............................................... 12 Prepared statement........................................... 15 Frank, Esq., Mari J., Attorney, Mari J. Frank, Esq. & Associates. 68 Prepared statement........................................... 73 Kurtz, Paul B., Executive Director, Cyber Security Industry Alliance (CSIA)................................................ 53 Prepared statement........................................... 55 Rotenberg, Marc, President/Executive Director, Electronic Privacy Information Center (EPIC)...................................... 58 Prepared statement........................................... 60 Sanford, Kurt P., President/CEO, U.S. Corporate and Federal Government Markets, LexisNexis................................. 6 Prepared statement........................................... 8 Appendix Dempsey, James X., Executive Director, Center for Democracy & Technology, statement before the Senate Committee on the Judiciary, April 13, 2005...................................... 107 Hillebrand, Gail, Senior Attorney, Consumers Union, prepared statement...................................................... 99 Ireland, Oliver I., Attorney, Morrison & Foerster LLP; on behalf of Visa U.S.A. Inc., statement before the Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce, United States House of Representatives, May 11, 2005................................................... 114 Response to written questions submitted by Hon. Daniel K. Inouye to Paul B. Kurtz.................................................. 116 Response to written questions submitted by Hon. Bill Nelson to: Jennifer T. Barrett.......................................... 118 Kurt P. Sanford.............................................. 121 IDENTITY THEFT AND DATA BROKER SERVICES ---------- TUESDAY, MAY 10, 2005 U.S. Senate, Committee on Commerce, Science, and Transportation, Washington, DC. The Committee met, pursuant to notice, at 2:30 p.m. in room SR-253, Russell Senate Office Building, Hon. Ted Stevens, Chairman of the Committee, presiding. OPENING STATEMENT OF HON. TED STEVENS, U.S. SENATOR FROM ALASKA The Chairman. Mr. Sanford, Mr. Curling, let me welcome you, gentlemen. And I thank the witnesses for coming, and appreciate their willingness to appear to discuss the recent data breaches that left exposed the personal information of thousands of consumers. Over the recess, my staff attempted to steal my identity, and I regret to say they were successful. So, they demonstrated to me, when I came back from this recess, just how easy it really is to steal an identity. This is the first of several hearings that our committee is going to conduct to have a better understanding of data brokerage services, as well as how data brokers handle personal consumer information. This hearing is intended to discuss the recent data breaches and what the private industry is doing to mitigate the possibility of future breaches. The Committee will revisit this issue next month as we look to develop legislative solutions that might better protect consumers from future breaches. We believe we must be careful to strike a balance between assuring the security of certain types of personal information, while not inhibiting the legitimate flow of information that is vital to our economy. Now, it's my intention to turn the chair over to Senator Smith when he arrives, Senator. I've got a conflict today. But let me yield to my Co-Chairman, Senator Inouye. STATEMENT OF HON. DANIEL K. INOUYE, U.S. SENATOR FROM HAWAII Senator Inouye. I thank you very much, Mr. Chairman. I agree with your words. And I'd like to point out that, since January, there have been at least 32 major data security incidents potentially affecting 5.2 million Americans. These incidents only came to light because of a California law that requires disclosure of data security breaches. No one knows how many undisclosed breaches may have occurred prior to the implementation of the California law. And equally disturbing is the possibility that the full impact of these breaches may never be known, and millions of Americans remain unaware of their vulnerability to identity theft. So, I look forward to hearing from the witnesses, and I thank them for appearing. And I ask that my full statement be made part of the record. The Chairman. Your statement will be made part of the record, and all the statements that the Senators have. [The prepared statement of Senator Inouye follows:] Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii I thank Chairman Stevens and Chairman Smith for holding a hearing today on this important issue of data brokers. Since January, there have been at least 32 major data security incidents potentially affecting 5.2 million Americans. And those are just the data breaches we know about due to the disclosure law in the State of California. There are many more that have not been made public. The identity theft that results from these data breaches can wreak havoc on the lives of consumers--weathly and poor--for many years. Recognizing the risks of computerizing personal data, Congress, in 1970, passed the Fair Credit Reporting Act. The FCRA requires credit reporting agencies to protect consumer information, and use it only for limited purposes. These agencies also are responsible for vetting their customers. Data brokers are now collecting different sensitive, personal information, yet their operations are not governed by any Federal law, and only one State law. We will hear today from the largest data brokers about the steps they are taking to better secure their data, and to properly vet their customers. We applaud you for taking those steps. But I am worried more about the hundreds of smaller data brokers who have no incentive to change their ways since there is no law governing their behavior. Almost every American--including this Senator--has their personal information stored in these databases whether we like it or not. This committee is responsible for making sure that this sensitive, personal information is not used for identity fraud that can ruin any family's financial future. We look forward to our witnesses helping us reach this goal. The Chairman. Senator, do you have a statement? STATEMENT OF HON. BILL NELSON, U.S. SENATOR FROM FLORIDA Senator Bill Nelson. Yes, sir, I do, Mr. Chairman, because one of the vehicles in front of the Committee is a bill that-- two bills that I have filed, one with Senator Schumer that's more of a comprehensive package. As I have met with identity victims, Mr. Chairman, one of the great parts of frustration for them is, once their identity is stolen, they don't know where to go to get it back. They go to local law enforcement; they send them to somebody at the State. The State sends somebody to the Federal. The reason my two bills have been referred here is that my solution to that is using the FTC as the repository, first of all, to give them some teeth in the law in which to regulate information brokers who heretofore have not been regulated as information brokers, and, second, to have a place where the consumer can go--one place, one-stop shopping--in order to get their identity back. And so, in the legislation, we create the Office of Identity Theft in our legislation, within the FTC, that creates that one-stop shopping. And our legislation would mandate that the companies must reasonably protect this consumer information that is now collected on billions of bits of information on virtually every one of us in America, and, as a result of what we've seen happen thus far, if we don't do something about this, Mr. Chairman, none of us are going to have any identity left. It's going to require the companies--these are the information brokers--to notify consumers when a security breach occurs. And the only reason that we know about this, Mr. Chairman Stevens, is the fact that there is a California State statute that requires just that; otherwise, we wouldn't have known about this. It's going to tighten the commercial usage of Social Security numbers, and it's going to create an Assistant Secretary of Cybersecurity within the Department of Homeland Security. And so, I'm really looking forward to the discussion today about these ideas. Thank you, Mr. Chairman. The Chairman. Senator Lautenberg? STATEMENT OF HON. FRANK R. LAUTENBERG, U.S. SENATOR FROM NEW JERSEY Senator Lautenberg. Yes, Mr. Chairman, I ask consent that my full statement be included in the record. But I do want to say a few things. And before I came here, I was CEO of a company called ADP, and--I was one of the founders of that company--and we were terribly conscious of the records that we had, because, through our company, we pay one out of six workers in the American private-sector labor market. One out of six are paid through the ADP company. And I thought our principal obligation, Mr. Chairman, was the protection of the identity of those people. And there is a treasure trove there that could be sold. We refused to do it, but--that wasn't our business, anyway--but this now has become such a problem, and I congratulate Senator Nelson for his initiative here, to try and get something done. But when you look at the numbers of identity--the people who are affected by identity theft, it's staggering--2002, 404,000 people reported identify-theft complaints; in 2004, just 2 years later, the number climbed by more than 230,000 more people who were exposed to identity theft. So, Mr. Chairman, I congratulate you for moving the agenda here on matters of great importance. [The prepared statement of Senator Lautenberg follows:] Prepared Statement of Hon. Frank R. Lautenberg, U.S. Senator from New Jersey Mr. Chairman, thank you for holding this important hearing on the ``data brokerage'' industry, and the role and responsibilities of firms that compile, store, and sell sensitive, personal information. The recent security breaches at the Nation's largest data brokerage firms have left millions of Americans increasingly vulnerable to identity theft and scams. Overall, some 10 million Americans were victimized by identity thieves last year. Mr. Chairman, before I ran for the Senate, I was a Co-Founder and CEO of a company called ADP, or Automatic Data Processing, which processes payrolls and maintains personnel records, and currently pays one out of every six private-sector workers in the United States. Throughout my years at ADP, we always recognized our obligation to maintain the confidentiality of the information that was entrusted to us. So I am extremely concerned about the security breaches and management failures that have recently exposed sensitive, personal information about millions of Americans. In the wrong hands, this data about an individual can be used to ruin that person's credit rating . . . their finances . . . and even their good name. In the past, personal information on individuals was available, but it was stored in multiple locations and often only on paper. It took significant effort to accumulate the information necessary to damage the credit or identity of a person. Today, however, technology permits faster and consolidated access to personal data in fewer databases. Collecting and selling personal information is a big business--but no matter how big it becomes, it must never overshadow the rights of the American people. Their privacy should never be compromised or neglected. Victims of identity theft often spend years of their precious time, and large amounts of their hard-earned money, to repair their financial records and credit history. In some cases, job opportunities are lost and loans are refused. In 2002, there were just under 404,000 reported identity theft complaints nationwide. In 2004, that number climbed to 635,000. Mr. Chairman, our laws must ensure that companies protect personal information with great care. I look forward to hearing from our two panels today. Thank you, Mr. Chairman. Senator Lautenberg. And, if I may indulge the Committee just one half-minute more, today is the last day for Rudy Brioche, who's been with me for these couple of years. Rudy is leaving me to go work for the FCC. And so, this is his last hearing, and I want to publicly thank him for his wonderful work for all of us. The Chairman. We wish him well. We'll keep him busy. [Laughter.] The Chairman. Let me just say, turning the hearing over to Senator Smith, I was surprised when my staff presented me the information they got from a series of places. For $65, they were told they could get my Social Security number. I don't know if you've done this, but in the report that they got on me, I found my daughter's rental property in California and some of my son's activities. And he's, unfortunately, a junior out in California. I also found that there are probably two or three other people in this community right here that have the same basic name, Theodore F. Stevens; they're not all the same middle name. It's been suggested that I should change my name, and use my middle name now if I want to maintain my own identity. I think this is a very serious thing, and we want to hear from you all. As I said, Senator Smith, this is just the first of a series of hearings. I do think we've got several bills now that have been introduced into Congress to address this, and it's going to be a very difficult thing for us to handle. So, we're not going to handle it on the basis of listening sessions, like this one, because basic information is going to come from people like the witnesses who are where today. Again, I thank them very much for being willing to join us. Senator Smith, it's your Chair. Senator Bill Nelson. Mr. Chairman, could I just add one thing to what Senator Stevens has said? This card that each one of us has, which is Bank of America, and it is the Senate travel card, the records are missing on 60 Senators. I am one of them. Now, we hope that this information is not stolen, but the records of over a million people, of which 60 United States Senators are included within that, those records are missing. If they are in the wrong hands, then, because they have the information on that card, they've got all of our Social Security numbers, and they've got detailed financial information. And this is, increasingly, what we're going to be facing. The Chairman. Well, I'm embarrassed to say, Senator, my staff doesn't trust me with that card. [Laughter.] The Chairman. Senator? Voice: Zero balance. [Laughter.] STATEMENT OF HON. GORDON H. SMITH, U.S. SENATOR FROM OREGON Senator Smith. [presiding] Well, thank you, Mr. Chairman. And I know you have another responsibility at some point, and I'm happy to sit in your stead. But I think this is a very, very important hearing, as all of my colleagues have indicated, and I read, with horror, that the FTC is reporting that over ten million Americans are victimized by identity thieves every year. These numbers translate into losses of over $55 billion per year, averaging over $10,000 stolen per fraudulent incident. In 2005, alone, there were at least 35 known incidents of data breaches potentially affecting over five million individuals. My State of Oregon ranks ninth in the Nation for fraud complaints and identity theft. So, today's hearing will focus on recent data-broker services and their relationship to identity-theft enforcement. Although this hearing will not focus on any particular legislative proposal, the Committee, as the Chairman has noted, will hold subsequent hearings with the FTC to discuss legislative solutions that we need to pursue on identify theft. At this hearing, the Committee will examine data-broker services, the recent data breaches, and the treatment of data brokers under existing Federal privacy laws. Specifically, we will have the chance to better understand the recent security breaches at ChoicePoint and LexisNexis and how the information industry has responded to prevent future breaches. We'll also explore public and private solutions to detect and prevent identity theft and fraud, and ensure that personal information is secure and protected from those who attempt to perpetrate these crimes. Protecting sensitive information is an issue of great importance for all Americans, and this issue does not register Democrat or Republican. Consumers should have confidence, when they share their information with others, that their information will be protected. At the same time, the ability of legitimate companies to access personal information certainly does facilitate commerce and continues to benefit consumers. Data-broker companies perform important commercial and public functions through their ability to quickly and securely access consumer data. Now, we look forward to working with all our colleagues in coming up with legislative solutions to this problem. We need to make sure that this legislation strikes the right balance to ensure the continued existence of critical services while ensuring the security of personal information to prevent its misuse and subsequent breaches. We've been joined by Senator Vitter on this Committee, and, Senator, if you have an opening statement, we'll hear from you before we go to our witnesses. STATEMENT OF HON. DAVID VITTER, U.S. SENATOR FROM LOUISIANA Senator Vitter. Mr. Chairman, I don't have an opening statement. Thank you, Chairman Stevens, for leading this matter. It's, unfortunately, a very legitimate area of growing concern because of these recent breaches and because of the phenomenon across the country. So, thank you for your, Senator Stevens, and others' leadership. Senator Smith. Thank you, Senator Vitter. We will, now hear first from Mr. Kurt Sanford, President and Chief Executive Office of U.S. Corporate and Federal Government Markets, LexisNexis, from Miamisburg, Ohio. Thank you, Mr. Sanford. The mike is yours. STATEMENT OF KURT P. SANFORD, PRESIDENT/CEO, U.S. CORPORATE AND FEDERAL GOVERNMENT MARKETS, LexisNexis Mr. Sanford. Chairman Stevens, Senator Inouye, Senator Smith, and distinguished members of the Committee, good afternoon. My name is Kurt Sanford. I am the President and Chief Executive Officer for Corporate and Federal Markets at LexisNexis. I appreciate the opportunity to be here today to discuss the important issues surrounding identity theft, fraud, and data security. LexisNexis is a leading provider of authoritative legal public records and business information, playing a vital role in supporting government, law enforcement, and business customers who use our information services for important uses, including detecting and preventing identity theft and fraud, locating suspects, and finding missing children. One of the important uses of our products and services provided by LexisNexis is to detect and prevent identity theft and fraud. The FTC has indicated that the total cost of identity fraud for businesses and individuals is approximately $50 billion per year. In 2004, 9.3 million consumers were victimized by identity fraud. Until recently, it was not fully appreciated that identity theft is part of a larger problem of identity fraud. Identity fraud is the use of false identifiers, fraudulent documents, or a stolen identity in the commission of a crime. Both industry and government have asked LexisNexis to develop solutions to help address this evolving problem. Financial institutions, online retailers, and other businesses have turned to LexisNexis to help them detect and prevent identity theft and fraud. With the use of LexisNexis, a major bank-card issuer experienced a 77 percent reduction in the dollar losses due to fraud associated with identity theft. Our products are becoming increasingly necessary to combat identity fraud associated with Internet transactions, where high-dollar merchandise, such as computers and other electronics, are sold via credit card. Lower fraud costs to businesses ultimately mean lower cost and greater efficiencies for consumers. While we work hard to provide our customers with effective products, we also recognize the importance of protecting the privacy of the consumer information in our databases. We have privacy policies, practices, and procedures in place to protect this information. Our Chief Privacy Officer and Privacy Policy Review Board work together to ensure that LexisNexis has strong policies to help safeguard consumer privacy. We also have multilayer security processes and procedures in place to protect our systems and the information contained in our databases. Maintaining security is not a static process; it requires continuously evaluating and adjusting our security procedures to address the new threats we face every day. Even with these safeguards, we discovered, earlier this year, some security incidents at our Seisint business, which we acquired last September. In February 2005, a LexisNexis integration team became aware of some billing irregularities and unusual usage patterns with several customer accounts. Upon further investigation, we discovered that unauthorized persons using IDs and passwords of legitimate Seisint customers may have accessed personally identifying information such as Social security numbers and driver's license numbers. No personal financial, credit, or medical information was involved, since LexisNexis and Seisint do not collect that type of information. In March, we notified approximately 30,000 individuals whose personally identifying information may have been unlawfully accessed. Based on these incidents at Seisint, I ordered an extensive review of data-search activity going back to January 2003 at our Seisint unit and across all LexisNexis databases that contained personally identifying information. We completed that review on April 11th and concluded that unauthorized persons, primarily using IDs and passwords of legitimate Seisint customers, may have accessed personally identifying information on approximately 280,000 additional individuals. At no time was the LexisNexis or Seisint technology infrastructure hacked into or penetrated, no customer data was accessed or compromised. We sincerely regret these incidents and any adverse impact they may have on the individuals whose information may have been accessed. We took quick action to notify those individuals. We are providing all individuals with a consolidated credit report and credit-monitoring services. For those individuals who do become victims of fraud, we will provide counselors to help them clear their credit reports of any information relating to fraudulent activity. We will also provide them with identify-theft insurance to cover expenses associated with restoring their identity and repairing their credit reports. We've learned a great deal from the security incidents at Seisint and are making substantial changes in our business practices and policies across all LexisNexis businesses to help prevent any future incidents. I have included the details of these enhancements in my written statement. I would like to focus the remainder of my time on policy issues being considered to further enhance data security, and address the growing problem of identity theft and fraud. LexisNexis would support the following legislative approaches. First, we support requiring notification in the event of a security breach where there is a significant risk of harm to consumers. In addition, we believe that it's important that any such proposal contain Federal preemption. Second, we would support the adoption of data-security safeguards modeled after the safeguard rules of the Gramm- Leach-Bliley Act. Finally, it's important that any legislation strike the right balance between protecting privacy and ensuring continued access to critically important information. Thank you, again, for the opportunity to be here today to provide the Committee with our company's perspective on these important public-policy issues. We look forward to working with the Committee as it considers these important issues. [The prepared statement of Mr. Sanford follows:] Prepared Statement of Kurt P. Sanford, President/CEO, U.S. Corporate and Federal Government Markets, LexisNexis Introduction Good morning. My name is Kurt Sanford. I am the President and Chief Executive Officer for Corporate and Federal Markets at LexisNexis. I appreciate the opportunity to be here today to discuss the important issues surrounding identity theft and fraud, and data security. LexisNexis is a leading provider of authoritative, legal, public records, and business information. Today, over three million professionals--lawyers, law enforcement officials, government agencies' employees, financial institution representatives, and others--use the LexisNexis services. Government agencies, businesses, researchers, and others rely on information provided by LexisNexis for a variety of important uses. One of the important uses of products and services provided by LexisNexis is to detect and prevent identity theft and fraud. In 2004, 9.3 million consumers were victimized by identity fraud. Credit card companies report $1 billion in losses each year from credit card fraud. Although the insidious effects of identity theft are fairly well known, until recently it was not fully appreciated that identity theft is part of the larger problem of identity fraud. Identity fraud, which encompasses identity theft, is the use of false identifiers, false or fraudulent documents, or a stolen identity in the commission of a crime. It is a component of most major crimes and is felt around the world today. As a result, both industry and government have asked LexisNexis to develop solutions to help address this evolving problem. Financial institutions, online retailers, and others depend on products and services provided by LexisNexis to help prevent identity theft and fraud. With the use of a LexisNexis solution called Fraud Defender, a major bank card issuer experienced a 77 percent reduction in the dollar losses due to fraud associated with identity theft and credit card origination. LexisNexis products are becoming increasingly necessary to combat identity fraud associated with Internet transactions where high-dollar merchandise such as computers and other electronic equipment are sold via credit card. Lower fraud costs ultimately mean lower costs and greater efficiencies for consumers. The following are some other examples of the important ways in which the services of LexisNexis are used by customers: Locating and recovering missing children--Customers like the National Center for Missing and Exploited Children rely on LexisNexis to help them locate missing and abducted children. Since 1984, the Center has assisted law enforcement in recovering more than 85,000 children. Over the past 4 years, information provided by LexisNexis has been instrumental in a number of the Center's successful recovery efforts. Locating suspects and helping make arrests--Many Federal, State and local law enforcement agencies rely on LexisNexis to help them locate criminal suspects, and to identify witnesses to a crime. LexisNexis works closely with Federal, State, and local law enforcement agencies on a variety of criminal investigations. For example, the Beltway Sniper Task Force in Washington, D.C., used information provided by LexisNexis to help locate one of the suspects wanted in connection with that case. In another case, information provided by LexisNexis was recently used to locate and apprehend an individual who threatened a District Court Judge and his family in Louisiana. Preventing money laundering--LexisNexis has partnered with the American Bankers Association to develop a tool used by banks and other financial institutions to verify the identity of new customers to prevent money laundering and other illegal transactions used to fund criminal and terrorist activities. This tool allows banks to meet Patriot Act and safety and soundness regulatory requirements. Supporting homeland security efforts--LexisNexis worked with the Department of Homeland Security Transportation Safety Administration (TSA) in developing the Hazardous Materials Endorsement Screening Gateway System. This system allows TSA to perform background checks on commercial truck drivers who wish to obtain an endorsement to transport hazardous materials. Locating parents delinquent in child support payments--Both public and private agencies rely on LexisNexis to locate parents who are delinquent in child support payments and to locate and attach assets in satisfying court-ordered judgments. The Association for Children for the Enforcement of Support (ACES), a private child-support recovery organization, has had tremendous success in locating non-paying parents using LexisNexis. These are just a few examples of how our information products are used to help consumers by detecting and preventing fraud, strengthening law enforcement's ability to apprehend criminals, protecting homeland security and assisting in locating missing and abducted children. Types of Information Maintained by LexisNexis Risk Solutions The information maintained by LexisNexis falls into the following three general classifications: public record information, publicly available information, and non-public information. Public record information. Public record information is information originally obtained from government records that are available to the public. Land records, court records, and professional licensing records are examples of public record information collected and maintained by the government for public purposes, including dissemination to the public. Publicly available information. Publicly available information is information that is available to the general public from non- governmental sources. Telephone directories are an example of publicly available information. Non-public information. Non-public information is information about an individual that is not obtained directly from public record information or publicly available information. This information comes from proprietary or non-public sources. Non-public data maintained by LexisNexis consists primarily of information obtained from either motor vehicle records or credit header data. Credit header data is the non- financial identifying information located at the top of a credit report, such as name, current and prior address, listed telephone number, Social Security number, and month and year of birth. Privacy LexisNexis is committed to the responsible use of personal identifying information. We have privacy policies in place to protect the consumer information in our databases. Our Chief Privacy Officer and Privacy and Policy Review Board work together to ensure that LexisNexis has strong privacy policies in place to help protect the information contained in our databases. We also undertake regular third-party privacy audits to ensure adherence to our privacy policies. LexisNexis has an established Consumer Access Program that allows consumers to review information on them contained in the LexisNexis system. While the information provided to consumers under this program is comprehensive, it does not include publicly available information such as newspaper and magazine articles, and telephone directories contained in the LexisNexis system. LexisNexis also has a consumer opt-out program that allows individuals to request that information about themselves be suppressed from selected databases under certain circumstances. To opt-out of LexisNexis databases, an individual must provide an explanation of the reason or reasons for the request. Examples of reasons include:You are a State, local or Federal law enforcement office or public official and your position exposes you to a threat of death or serious bodily harm; You are a victim of identity theft; or You are at risk of physical harm. Supporting documentation is required to process the opt-out request. While this opt-out policy applies to all databases maintained by our recently acquired Seisint business, it is limited to the non- public information databases in the LexisNexis service. The policy does not currently apply to public records information databases maintained by LexisNexis. We are currently evaluating what steps we can take to better publicize our opt-out program and extend the program to all public records databases in the LexisNexis service. Security LexisNexis has long recognized the importance of protecting the information in our databases and has multiple programs in place for verification, authorization and IT security. Preventive and detective technologies are deployed to mitigate risk throughout the network and system infrastructure and serve to thwart potentially malicious activities. LexisNexis also has a multi-layer process in place to screen potential customers to ensure that only legitimate customers have access to sensitive information contained in our systems. Our procedures include a detailed authentication process to determine the validity of business licenses, memberships in professional societies and other credentials. We also authenticate the documents provided to us to ensure they have not been tampered with or forged. Only those customers with a permissible purpose under applicable laws are granted access to sensitive data such as driver's license information and Social Security numbers. In addition, customers are required to make express representations and warranties regarding access and use of sensitive information and we limit a customer's access to information in LexisNexis products according to the purposes for which they seek to use the information. Maintaining security is not a static process--it requires continuously evaluating and adjusting our security processes, procedures and policies. High-tech fraudsters are getting more sophisticated in the methods they use to access sensitive information in databases. We continuously adapt our security procedures to address the new threats we face every day from those who seek to unlawfully access our databases. We undertake regular third-party security audits to test the security of systems and identify any potential weaknesses. Even with the multi-layer safeguards in place at LexisNexis, we discovered earlier this year that unauthorized persons primarily using IDs and passwords of legitimate customers may have accessed personal identifying information at our recently acquired Seisint business. In February 2005, a LexisNexis integration team became aware of some billing irregularities and unusual usage patterns with several customer accounts. At that point we contacted the U.S. Secret Service. The Secret Service initially asked us to delay notification so they could conduct their investigation. About a week later, we publicly announced these incidents and within a week sent out notices to approximately 30,000 individuals. The investigation revealed that unauthorized persons, primarily using IDs and passwords of legitimate customers, may have accessed personal-identifying information, such as Social Security numbers (SSNs) and driver's license numbers (DLNs). In the majority of instances, IDs and passwords were stolen from Seisint customers that had legally permissible access to SSNs and DLNs for legitimate purposes, such as verifying identities and preventing and detecting fraud. No personal financial, credit, or medical information was involved since LexisNexis and Seisint do not collect such information. At no time was the LexisNexis or Seisint technology infrastructure hacked into or penetrated nor was any customer data residing within that infrastructure accessed or compromised. Based on the incidents at Seisint, I directed our teams to conduct an extensive review of data-search activity at our Seisint unit, and across all LexisNexis databases that contain personal identifying information. In this review, we analyzed search activity for the past twenty-seven months to determine if there were any other incidents that potentially could have adversely impacted consumers. We completed that review on April 11, 2005. As a result of this in-depth review, we discovered additional incidents where there was some possibility that unauthorized persons may have accessed personal identifying information of approximately 280,000 additional individuals. We deeply regret these incidents and any adverse impact they may have on the individuals whose information may have been accessed. We took quick action to notify the identified individuals. We are providing all individuals with a consolidated credit report and credit monitoring services. For those individuals who do become victims of fraud, we will provide counselors to help them clear their credit reports of any information relating to fraudulent activity. We will also provide them with identity-theft expense insurance coverage up to $20,000 to cover expenses associated with restoring their identity and repairing their credit reports. We have learned a great deal from the security incidents at Seisint and are making substantial changes in our business practices and policies across all LexisNexis businesses to help prevent any future incidents. These include: Changing customer password security processes to require that passwords for both system administrators and users be changed at least every 90 days; Suspending customer passwords of system administrators and users that have been inactive for 90 days; Suspending customer passwords after five unsuccessful login attempts and requiring them to contact Customer Support to ensure security and appropriate reactivation; Further limiting access to the most sensitive data in our databases by truncating SSNs displayed in non-public documents and narrowing access to full SSNs and DLNs to law enforcement clients and a restricted group of legally authorized organizations, such as banks and insurance companies; and Educating our customers on ways they can increase their security. Laws Governing LexisNexis Compilation and Dissemination of Identifiable Information There are a wide range of Federal and State privacy laws to which LexisNexis is subject in the collection and distribution of personal identifying information. These include: The Gramm-Leach-Bliley Act. Social Security numbers are one of the two most sensitive types of information that we maintain in our systems and credit headers are the principal commercial source of Social Security numbers. Credit headers contain the non-financial identifying information located at the top of a credit report, such as name, current and prior address, listed telephone number, Social Security number, and month and year of birth. Credit header data is obtained from consumer reporting agencies.\1\ The compilation of credit header data is subject to the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. Sec. Sec. 6801 et seq., and information subject to the GLBA cannot be distributed except for purposes specified by the Congress, such as the prevention of fraud. --------------------------------------------------------------------------- \1\ Consumer reporting agencies are governed by the Fair Credit Reporting Act (``FCRA''), 15 U.S.C. Sec. Sec. 1681 et seq. Some information services, such as Seisint's Securint service and LexisNexis PeopleWise, also are subject to the requirements of the FCRA. --------------------------------------------------------------------------- Driver's Privacy Protection Act. The compilation and distribution of driver's license numbers and other information obtained from driver's licenses are subject to the Driver's Privacy Protection Act (DPPA), 18 U.S.C. Sec. Sec. 2721 et seq., as well as State laws. Information subject to the DPPA cannot be distributed except for purposes specified by the Congress, such as fraud prevention, insurance claim investigation, and the execution of judgments. Telecommunications Act of 1996. Telephone directories and similar publicly available repositories are a major source of name, address, and telephone number information. The dissemination of telephone directory and directory assistance information is subject to the requirements of the Telecommunications Act of 1996, as well as State law. FOIA and other Open Records Laws: Records held by local, State, and Federal governments are another major source of name, address, and other personally identifiable information. The Freedom of Information Act, State open record laws, and judicial rules govern the ability of LexisNexis to access and distribute personally identifiable information obtained from government agencies and entities. See, e.g., 5 U.S.C. Sec. 552. Other Laws Unfair and Deceptive Practice Laws: Section 5 of the Federal Trade Commission Act, and its State counterparts, prohibit companies from making deceptive claims about their privacy and security practices. These laws have served as the basis for enforcement actions by the Federal Trade Commission and state attorneys general for inadequate information security practices. The consent orders settling these enforcement actions typically have required companies to implement information security programs that conform to the standards set forth in the GLBA Safeguards Rule, 16 C.F.R. Part 314. Information Security Laws: A growing body of State law imposes obligations upon information service providers to safeguard the identifiable information they maintain. For example, California has enacted two statutes that require businesses to implement and maintain reasonable security practices and procedures and, in the event of a security breach, to notify individuals whose personal information has been compromised. See California Civil Code Sec. Sec. 1798.81.5, 1798.82-84. Legislative Measures LexisNexis Supports We recognize that additional legislation may be necessary to further enhance data security and address the growing problem of identity theft and fraud. LexisNexis supports the following legislative approaches: Data Security Breach Notification. We support requiring notification in the event of a security breach where there is substantial risk of harm to consumers. It is important that there is an appropriate threshold for when individuals actually would benefit from receiving notification, such as where the breach is likely to result in misuse of customer information. In addition, we believe that it is important that any such legislation contain Federal preemption to insure that companies can quickly and effectively notify individuals and not struggle with complying with multiple, potentially conflicting and inconsistent State laws. Adoption of Data Security Safeguards for Information Service Providers Modeled After the GLBA Safeguards Rule. LexisNexis supports the adoption of data security protections for information service providers modeled after the Safeguards Rule of the GLBA. Increased penalties for identity theft and other cybercrimes and increased resources for law enforcement. LexisNexis strongly encourages legislation that imposes more stringent penalties for identity theft and other cybercrimes. Additionally, consumers and industry alike would benefit from enhanced training for law enforcement and an expansion of the resources available to investigate and prosecute the perpetrators of identity theft and cybercrime. Too many of our law enforcement agencies do not have the resources to neutralize these high-tech criminals. Finally, LexisNexis strongly encourages that any legislation considered strike a balance between protecting privacy and providing legitimate businesses, organizations, and government agencies with access to critical information that enables them to fulfill their important missions. I appreciate the opportunity to be here today to discuss the important issues surrounding identify theft and fraud and data security. I look forward to working with the Members of this Committee as you consider these important public policy issues. Senator Smith. Thank you very much. Our next witness is Mr. Douglas C. Curling, President and Chief Operating Officer of ChoicePoint, of Alpharetta, Georgia. STATEMENT OF DOUGLAS C. CURLING, PRESIDENT/CHIEF OPERATING OFFICER, ChoicePoint INC. Mr. Curling. Thank you. Chairman Stevens, Chairman Smith---- The Chairman. Pull that mike up toward you, please? Thank you. Mr. Curling. Certainly. Better? Chairman Stevens, Chairman Smith, Ranking Member Inouye and Members of the Committee, good morning. I'm Doug Curling, President and Chief Operating Officer of ChoicePoint. ChoicePoint has, on several occasions, provided Congress with testimony about the recent improper data access and the criminals who perpetrated this fraud, the steps we are taking to protect affected consumers, and the measures we're taking to prevent similar violations from occurring in the future. I have provided the Committee with details of these actions in my written testimony. At ChoicePoint, we recognize that in an increasingly risky world, information and technology can be used to help create a safer, more secure society. At the same time, we know, and have been painfully reminded by recent events, that there can be negative consequences to the improper access of personally identifiable data. As a result of these experiences, we've made fundamental changes to our business model and products to prevent this from happening again in the future. I hope you see in ChoicePoint a company that has listened to consumers, to privacy experts, and to government officials, and learned from this experience. Accordingly, we've responded rapidly and in fundamental ways. We've provided benefits to potentially affected consumers that no other information company had done before and several companies have since emulated, including voluntary nationwide notification, dedicated call centers and websites, free three- bureau credit reports, and 1 year of credit monitoring at our cost. Once again, we extend our apology on behalf of our company to those who have been potentially affected. We learned that there are few places for consumers to turn to if their identity is stolen. This, alone, increases the fear and anxiety associated with identity theft. For this reason, we have recently formed a partnership with the Identity Theft Resource Center, a leading and well-respected nonprofit organization dedicated exclusively to assisting identity-theft victims. Most importantly, we have shifted our focus to ensuring our products and services provide a direct benefit to consumers or to society as a whole. While this has meant exiting an entire market, we decided that consumer interest must come first. We have already made broad changes to our products, limiting access to sensitive, personally identifiable information, and more changes are under development. Last year, we helped more than 100 million people obtain fairly priced home and auto insurance. More than seven million Americans get jobs through our pre-employment screening services, and we helped more than one million consumers obtain expedited copies of their own vital records--birth, death, and marriage certificates. These transactions were started by consumers, with their permission, and they provide a clear, direct benefit to them. Not all of our work is as obvious, but the value is. At a time when the news is filled with crimes committed against children, we're helping our Nation's religious institutions and youth-serving organizations protect those in our society who are least able to protect themselves. Our products and services have identified 11,000 undisclosed felons among those seeking to volunteer with children, 1,055 with convictions for crimes against children, 42 of which who were registered sex offenders. Consumers, businesses, and nonprofits are not the only ones that rely on ChoicePoint. In fact, government officials have recently testified to Congress that they could not fulfill their missions of protecting our country and its citizens without the help of ChoicePoint and others in our industry. Last month, ChoicePoint supported the U.S. Marshal Service in Operation Falcon, which served approximately 10,000 warrants in a single day. Mr. Chairman, apart from what we do, I also understand that the Committee is interested in how our business is regulated by Federal legislation, as well as various State regulations. Approximately 60 percent of ChoicePoint's business is driven by consumer-initiated transactions, most of which are regulated by the FCRA. These include pre-employment screening, auto- and home-insurance underwriting services, tenant screening services, and facilitating the delivery of vital records directly to consumers. Nine percent of ChoicePoint's business is related to marketing services, none of which include the distribution of personally identifiable information. Even so, we are regulated by State and Federal Do Not Mail and Do Not Call legislation, and, for some services, the FCRA. Five percent of ChoicePoint's business is related to supporting law enforcement agencies in pursuit of their investigative missions through information and data services. Six percent of our business supports law firms, financial institutions, and general business to help mitigate fraud through data and authentication services. The final 20 percent of our business consists of software and technology services that do not include the distribution of personally identifiable information. Although a majority of our products are already governed by the FCRA, we believe additional regulation will give consumers greater protections while strengthening our business model. I, therefore, want to conclude by stating for the record ChoicePoint's position on future regulation of our industry. We support independent oversight and increased accountability for those who handle personally identifiable information, including public records. This oversight should extend to all entities, including public-sector, academic, and other private-sector organizations that handle such data. We support a preemptive national law that would provide for notification to consumers, ensuring that the burden of notice follows the responsibility for breach. ChoicePoint supports providing consumers with the right to access and question the accuracy of public-record information used to make decisions about them, consistent with the principles of the FCRA. There are technical and logistical issues that will need to be solved, but they are solvable. We've already taken steps to restrict the display of Social Security and driver's license numbers, and would support legislation to restrict the display of Social Security numbers, modeling existing law, including GLB and FCRA. And, finally, we support increased resources for law enforcement efforts to combat identity theft, and stronger penalties for the theft of personally identifiable information. We have all witnessed the significant benefits to society that can come with the proper use of information, but we've been reminded firsthand the damage that can be caused when people with ill intent access sensitive consumer data. As a company, we have re-dedicated our efforts to creating a safer, more secure society. We look forward to participating in continued discussion of these issues. And I would be pleased to answer any questions you may have. [The prepared statement of Mr. Curling follows:] Prepared Statement of Douglas C. Curling, President/Chief Operating Officer, ChoicePoint Inc. Chairman Stevens, Ranking Member Inouye and members of the Committee, Good morning, I am Doug Curling, President and Chief Operating Officer of ChoicePoint. I have been with the company since its inception in 1997. ChoicePoint has on several occasions provided Congress with testimony about the recent improper data access and the criminals who perpetrated this fraud, the steps we are taking to protect affected consumers, and the measures that we are taking to prevent similar violations from occurring in the future. As you know, California has been the only State that requires consumers to be notified of a potential breach of personally identifiable information. We not only followed California law, we built upon it and voluntarily notified consumers who may have been impacted across the country, and we did that before anyone called upon us to do so. We've also taken other steps to help assist and protect the consumers who may have been harmed in this incident--first, we've arranged for a dedicated website and toll-free number for affected consumers where they can access additional information; second, we're providing, free of charge, a three-bureau credit report; and third, we're providing, free of charge, a one year subscription to a credit monitoring service. In addition to helping those affected consumers, we've taken strong remedial action and made fundamental changes to our business and products: ChoicePoint has decided to discontinue the sale of information products that contain personally identifiable information unless those products and services meet one of three tests: 1. The product supports consumer driven transactions such as insurance, employment and tenant screening, or provides consumers with access to their own data; 2. The product provides authentication or fraud prevention tools to large accredited corporate customers where consumers have existing relationships. For example, information tools for identity verification, customer enrollment and insurance claims; or 3. When personally identifiable information is needed to assist Federal, State or local government and criminal justice agencies in their important missions. Additionally, we've strengthened ChoicePoint's customer credentialing process and are re-credentialing broad sections of our customer base. Our new process will require more stringent due diligence such as bank references and site visits before allowing businesses access to personally identifiable information. Third, we've created an independent office of Credentialing, Compliance and Privacy that will ultimately report to our Board of Directors' Privacy Committee. This office is led by Carol DiBattiste, the former Deputy Administrator of the Transportation Security Administration, and a former senior prosecutor in the Department of Justice with extensive experience in the detection and prosecution of financial fraud. Finally, we've appointed Robert McConnell, a 28-year veteran of the Secret Service and former chief of the Federal Government's Nigerian Organized Crime Task Force, to serve as our liaison to law enforcement officials. In this role, he will work aggressively to ensure that criminal activities are investigated and prosecuted to the fullest extent possible. He will also help us ensure that our security and safeguard procedures continue to evolve and improve. Obviously, our investigation as well as those of law enforcement continues and if we identify additional instances of fraud related to personally identifiable information we will provide notice. At ChoicePoint, we recognize that in an increasingly risky world, information and technology can be used to help create a safer, more secure society. At the same time, we know, and have been painfully reminded by recent events, that there can be negative consequences to the improper access to personally identifiable data. As a result of these experiences, we've made fundamental changes to our business model and products to prevent this from happening in the future. I hope you see in ChoicePoint a company that has listened--to consumers, privacy experts and government officials--and learned from this experience. Accordingly, we have responded rapidly and in fundamental ways. We have provided benefits to potentially affected consumers that no other information company had done before and that several companies have since emulated--including voluntary nationwide notification, dedicated call centers and websites, free three-bureau credit reports and one year of credit monitoring at our cost. Once again, we extend our apology on behalf of our company to those who have been potentially affected. We learned that there are few places for consumers to turn for help if their identity is stolen. This alone increases the fear and anxiety associated with identity theft. For this reason, we have recently formed a partnership with the Identity Theft Resource Center--a leading and well respected non-profit organization dedicated exclusively to assisting identity theft victims. Most importantly, we have shifted our focus to ensuring our products and services provide a direct benefit to consumers or to society as a whole. While this has meant exiting an entire market, we decided that consumer interests must come first. We have already made broad changes to our products--limiting access to personally identifiable information--and more changes are under development. Mr. Chairman, before delving into the specifics of various policy proposals, perhaps it would be helpful if I gave Members of the Committee a brief overview of our company, the products we provide and some insight as to how we are currently regulated. The majority of transactions our business supports are initiated by consumers. Last year, we helped more than 100 million people obtain fairly priced home and auto insurance, more than seven million Americans get jobs through our pre-employment screening services, and we helped more than one million consumers obtain expedited copies of their family's vital records--birth, death and marriage certificates. These transactions were started by consumers with their permission, and they provide a clear, direct benefit to consumers. Not all of our other work is as obvious--but the value of it is. At a time when the news is filled with crimes committed against children, we're helping our Nation's religious institutions and youth-serving organizations protect those in our society who are least able to protect themselves. Our products or services have identified 11,000 undisclosed felons among those volunteering or seeking to volunteer with children--1,055 with convictions for crimes against children. Forty-two of those felons were registered sex offenders. In addition, using information and tools supplied by us, the National Center for Missing and Exploited Children has helped return hundreds of children to their loved ones. Consumers, businesses and non-profits are not the only ones that rely on ChoicePoint. In fact, government officials have recently testified to Congress that they could not fulfill their missions of protecting our country and its citizens without the help of ChoicePoint and others in our industry. Last month, ChoicePoint supported the U.S. Marshals Service in Operation Falcon, which served approximately 10,000 warrants in a single day for crimes ranging from murder to white-collar fraud. Mr. Chairman, apart from what we do, I also understand that the Committee is interested in how our business is regulated by Federal legislation, as well as various State regulations, including the Fair Credit Reporting Act (FCRA) and the recently enacted companion FACT Act, the Gramm-Leach-Bliley Act (GLB), and the Driver's Privacy Protection Act (DPPA). Approximately 60 percent of ChoicePoint's business is driven by consumer initiated transactions, most of which are regulated by the FCRA. These include pre-employment screening, auto and home insurance underwriting services, tenant screening services, and facilitating the delivery of vital records to consumers. Nine percent of ChoicePoint's business is related to marketing services, none of which include the distribution of personally identifiable information. Even so, we are regulated by State and Federal ``Do Not Mail'' and ``Do Not Call'' legislation and, for some services, the FCRA. Five percent of ChoicePoint's business is related to supporting law enforcement agencies in pursuit of their investigative missions through information and data services. Six percent of our business supports law firms, financial institutions and general business to help mitigate fraud through data and authentication services. The final 20 percent of our business consists of software and technology services that do not include the distribution of personally identifiable information. Although a majority of our products are already governed by the FCRA and other Federal and State legislation, a small percentage of our business is not subject to the same level of regulation. We believe additional regulation will give consumers greater protections while strengthening our business model. I, therefore, want to state for the record, ChoicePoint's positions on future regulation of our industry. We support independent oversight and increased accountability for those who handle personally identifiable information, including public records. This oversight should extend to all entities including public sector, academic and other private sector organizations that handle such data. We support a preemptive national law that would provide for notification to consumers, ensuring that the burden of notice follows the responsibility for breach and that consumers do not become de-sensitized to such notices. We also support notification to a single law enforcement point of contact when personally identifiable information has fallen into inappropriate hands. ChoicePoint supports providing consumers with the right to access and question the accuracy of public record information used to make decisions about them consistent with the principles of FCRA. There are technical and logistical issues that will need to be solved, but they are solvable. We have already taken steps to restrict the display of full Social Security numbers and would support legislation to restrict the display of full Social Security numbers modeling existing law including GLB and FCRA while extending those principles to public record information. Providing uniformity as to which portion of a Social Security number should be masked would be an important step. Finally, we support increased resources for law enforcement efforts to combat identity theft and stronger penalties for the theft of personally identifiable information. We have all witnessed the significant benefits to society that can come with the proper use of information. But we have been reminded, first-hand, the damage that can be caused when people with ill intent access sensitive consumer data. As a company, we have rededicated our efforts to creating a safer, more secure society. We look forward to participating in continued discussion of these issues and would be pleased to answer any questions you might have. Senator Smith. Thank you very much. For the benefit of my colleagues, the order is, after my questions, Senator Inouye, Senator Nelson, Senator Lautenberg, and Senator Vitter. We've been joined now by Senator Dorgan and Senator Pryor. If that's all right with you, gentlemen, we'll go in that order. Mr. Sanford, I think I heard you say that some 300,000 have had their security breached within your company. I guess my question is, have all these individuals, including, I believe, about 9,000 Oregonians, received a consolidated credit report? And are they getting any credit-monitoring services from you all? Mr. Sanford. Senator, when we announced the security breaches in March, we mailed notice to approximately 30,000 individuals within the same week, modeled our notice after California legislation, provided toll-free numbers for them to call to take advantage of those reports. April 11th, we also made notice of the additional incidents we discovered at our Seisint business. Again, within the week, we mailed notices to all 280,000. About 4 percent of the people that we've mailed notices to have responded. Senator Smith. And can you provide any update as to how many of those individuals actually experienced theft as a result of their identities being discovered? Mr. Sanford. It's a tricky question on what is ``theft,'' because of different state interpretations, but, in terms of financial losses, of the 12,800-or-so people who have notified us, the process is to provide them the credit reports and then a monitoring service. And if there was any indication of any fraud or financial losses that may have occurred, we have a set of counselors, professionals, to do that. We've referred about a dozen people to those counselors. All of those, except for one, have been resolved to show that there was no problem. Sometimes consumers just forget they have a credit card. Law enforcement has advised us of ten individuals that--in their investigation--that there may have been some loss. Seven of those were related to people opening AOL accounts or making credit inquiries under somebody else's identity. Three people may have suffered some financial loss, although law enforcement's not clear whether it's related to the breach in our system. We, personally, contacted, or tried to contact, all ten of those; I think we've reached eight--personally tried to enroll them all into our services; I think half of them actually took us up on that. Senator Smith. Thank you. Mr. Curling, I was encouraged to hear of the technological sorts of steps you have taken to protect Social Security numbers and driver's licenses. Is that something that has not been available until now? And is that a technological fix that you think actually makes less legislation necessary on our part? Mr. Curling. Well, the steps we've taken are a combination of technology changes and product offerings. We've completely changed the types of businesses we sell products to, and the circumstances under which, even if they're allowed to get access to that product under the law, we will choose to sell them products. So, most of the changes we made had to do with withdrawing from markets where there's, in our opinion, difficulty credentialing customers, particularly small businesses that, for a company like ChoicePoint, whose preponderance of revenue is in other markets that are unrelated to these kind of public-record offerings, just isn't in our commercial best interests to pursue. We have, however, taken steps and tried to change the products that we deliver to customers that we continue to serve, restricting access to Social Security numbers and driver's license numbers, just as a business practice, because we think, given the propensity to--of identity theft out there now, it's something everybody needs to step up to and go--we've got to find a way to link data correctly together by limiting the display of that Social Security number or other personal identifier. Senator Smith. Is it the case that the public is aware of all--however many security breaches have occurred at ChoicePoint? Mr. Curling. Well, I don't--I would presume the public is paying attention to this topic, as is everybody else. In the breaches that we've investigated and noticed, we indicated it was about 45 to 50 accounts that had been set up by a group of fraudsters. We noticed all of those folks and offered them the services I provided in my oral and written testimony. Senator Smith. Isn't it true that there was a breach 5 years ago that just became public? Mr. Curling. Yes, we became aware--I, personally, became aware very recently of a breach that took place in the latter part of 2001, where we apparently got a subpoena in a California subsidiary, responded to that subpoena, working with law enforcement, closed an account down, and didn't hear anything else about it again until the latter part of 2004. Back then, going back four or 5 years, I think that the practice of many of us, including our company, was to work with law enforcement to investigate potential crimes, turn over information to them, prosecute the perpetrators, and law enforcement had the responsibility to notify and communicate with victims. Obviously, since the California notice law has gone into place, our practices have changed substantially, and we now spend a lot more time trying to research all kinds of matters to make sure we can comply with that law, and that something like that would be communicated much more rapidly up the organization, going forward. Senator Smith. But when this occurred 5 years ago, were steps taken then to technologically get in the way of theft? Mr. Curling. I don't know, sir. I don't--I don't believe that the breach was communicated outside of the local area that was affected--the local company affected by it. Senator Smith. Thank you. Senator Inouye? Senator Inouye. Thank you, Mr. Chairman. Mr. Sanford, how many companies can be designated as data brokers? Mr. Sanford. I don't know the exact number. I would--in our industry, there are dozens and dozens of businesses. From a competitive intelligence--we tend to focus on about a dozen of them, as primary competitors, but there are many, many businesses in which you could get personally sensitive information on the Internet that I wouldn't consider to actually be in my industry, but have access to the same information. Senator Inouye. Mr. Curling testified that most of your activities, both of you, are covered by the FCRA provisions. Mr. Curling. Most of ours are, yes, sir. Mr. Sanford. Most of mine are not. Senator Inouye. Would you be in favor of having FCRA provisions cover all of the activities, Mr. Sanford? Mr. Sanford. I don't believe the FCRA, and the FACT Act that reauthorized it, is the appropriate framework. I mean, the FCRA, as I understand it, Senator, was intended to cover very specific transactions--the granting of insurance, granting credit. The information services that we provide that are not governed by the FCRA are about identity authentication, finding and locating people. The FCRA has very limited permissive uses. And if we were to extend the FCRA to this industry, there are at least seven or eight major applications for identity theft and fraud-detection purposes that would be eliminated. Senator Inouye. Mr. Curling, would you be in favor of FCRA---- Mr. Curling. Yes, sir. I think, in general, we'd be fine with extending the principles of FCRA to cover these records and products. Senator Inouye. At the present time, if a consumer wants to see his own file in your company, Mr. Sanford, would you let him do it? Mr. Sanford. We do have a consumer-access program in LexisNexis, and today a customer can ask for access to that information. We are not able to--if you recall, Senator, we have a--news and business information, as well, where we list all of the articles in the major newspapers--we're not able to--because we don't have personal identifiers--aren't able to tell that John Smith, who's asking for information, whether or not that's the same John Smith that's--appears in all of the different news articles or in the white pages, other public information. But we certainly would provide access to the information in our public/non-public-record databases. Senator Inouye. Can a consumer have that right in your company, Mr. Curling? Mr. Curling. Yes, sir, they do. We don't maintain dossiers on consumers, but we have information products that have this consumer data, and those products are available for consumers from a single point of entry, either via a website we maintain or a 1-800 number. Senator Inouye. Now, if that consumer finds that there's some incorrect information, is he provided the opportunity to correct it? Mr. Sanford. We have a small part of our business which is governed by the FCRA and there are provisions that indicate exactly how those corrections happen. For the part that's not part of the FCRA, our practice is, if the error in the information is related to the way in which we keyed the data or the way in which we stored the data in the database, we make the correction. If it's an error that the individual is claiming is in the public record, the way in which a mortgage record or tax lien is recorded in a county courthouse, we then point the individual to the county courthouse, because we don't have authority to change a public record, and we can't have a database where our version of the public record is different than what's available in the public record. Senator Inouye. What's the situation in your company, sir? Mr. Curling. The majority of our products are regulated by the FCRA, and, as a result, there's a defined process for consumers to, you know, note the dispute and for us to help them go through and navigate that correction. For the public- record products that we have, our present policy is similar to that of my colleague here, LexisNexis, although there are some things that, if we extend the practices we talked about earlier in this hearing to, we could potentially help consumers not only know which courthouse that record came from and how it was sourced, but we're also looking at ways to put disputes on the file much like the FCRA provides. So, even though it's a correction we cannot make legally on their behalf, we can note the dispute in future searches that we would serve up to our customers. Senator Inouye. Now, if I wanted to buy information from either one of your companies, would you permit me? Mr. Sanford. We have a new-customer authentication verification procedure, Senator, that you would go through, like any other customer, and, depending upon the documentation and records that you provided, depending upon the uses that you claimed in our investigation, you would be able to get access to certain types of databases. It might be our legal news and business information databases. It might be public records. It would unlikely, as a--in your current role, it would be unlikely to qualify you for access to a nonpublic-record information. Senator Inouye. Can I just buy information on a specific person? Mr. Sanford. Again, if you didn't qualify for permissive purposes, you wouldn't have access to that information. Senator Inouye. What is the policy in your company, Mr.---- Mr. Curling. You could not buy sensitive, personal identifiable information from ChoicePoint under our customer credentialing procedures. There are some information products you could buy. You can buy records--professional license records on your doctor and healthcare providers. You can buy your own vital records on behalf of your family. You can buy basic public records like real-estate records and directory searches, et cetera. But you wouldn't be able to gain--to set up an account to gain access to any products that contained sensitive, personal identifiable information. Senator Inouye. Thank you very much. Thank you, Mr. Chairman. Senator Smith. Thank you, Senator Inouye. Senator Nelson? Senator Bill Nelson. Thank you, Mr. Chairman. Mr. Sanford, does your company compile, store, and sell this information only, or does it also provide analysis of this information to your customers? Mr. Sanford. We compile data, and we have data analytics that link data. And then when a customer does a query, we, hopefully, give them the answer back which is the most correct answer available on the analysis. But you'd have to perhaps give me an example, Senator, of what you mean, ``beyond the analysis,'' so I make sure I'm responding to your question. Senator Bill Nelson. Well, what kind of analysis would you provide, for example, to law enforcement? Mr. Sanford. Law enforcement can do a specific query. If they're looking for a particular individual, they could do a query on that, and they might say, ``I'm looking for John Smith, who has the following type of vehicle, whose last known address was the following,'' and they could do a query, and we could then provide information of other known addresses for that same individual, or associates of that particular individual. Senator Bill Nelson. So, there is some analysis--instead of just giving them information, you would compile material, and there would be some analysis of this information. Mr. Sanford. In that way that you defined it, yes, Senator. Senator Bill Nelson. Other than law enforcement, who else would you provide analysis to? Give me an example, as a customer. Mr. Sanford. Financial institutions might want to be ensuring, or a bank, when they're opening an account, that the person who's there to open the account is who they purport to be. They might want to use an ID product that would allow them to ask the individual some qualifying questions to make sure they really are who they purport to be. Again, they would then be able to access to the broader databases to see unrelated information that might be in different repositories. Senator Bill Nelson. In following up to Senator Inouye, I think it's absolutely critical, for the protection of the consumer, that they have access to this data, so that if, in fact, it's wrong, they can correct it. And I, further, think that it's essential that the consumer should have access to the information of who is collecting that data, other than someone like a client of yours such as law enforcement. So, would you, for the record, state again what is the position of your company with regard to providing the consumer with information that is contained within your records? Mr. Sanford. If the question, Senator, is about--if I collected the information, should I provide notice to the consumer about its purposes and uses--I want to make sure you understand this--we don't collect that kind of information, I would have to say. I'm not really clear on whether there should be legislation on that. If the question is--once I collect information from public and nonpublic sources--I have white- page phone information, I have public-record documents--I would not be supportive of sending a notice to a consumer each and every time a query might have gone on a database that touched their name. We'd be talking about sending millions and millions of notices---- Senator Bill Nelson. No, that's not the question. The question is, If the consumer asks you for access to see what kind of information is being contained on that consumer---- Mr. Sanford. I'm sorry, Senator, I misunderstood. I thought there were two questions. I thought--one was access, and I thought I had previously indicated I was supportive of that-- and I thought the second part was, Should I send them a notice---- Senator Bill Nelson. No, I didn't ask about notice. Mr. Sanford. I misunderstood. Senator Bill Nelson. No. Notice is already what you're required to do in the State of California, which is--and that's something that I think this committee will be examining--once that information is breached and it has been withdrawn from the possession that you have, then, under California law, you're required to notify. What we're going to consider is that-- should that be nationally, other than just the State? So, your testimony is that, with regard to giving the consumer access to the information that you contain, that you would be willing to do that. Mr. Sanford. We do that today in our LexisNexis business. Senator Bill Nelson. Well, then that's very helpful. Now, tell us something about what is the procedure for becoming a LexisNexis client. When somebody becomes a client, does the client have access to all of LexisNexis's databases, for any purpose? For example, if an attorney became your client to help locate a witness, can that attorney also use your database for personal and other reasons? Mr. Sanford. The customers go through an authentication and credentialing process--applications, records. We do searches on various databases to verify their identity. Part of the application is, they have to indicate the permissive uses if they want to access personally identifying information and nonpublic record databases. Generally, lawyers do not qualify for access to that information. We call that, in our business, 5A access. Senator Bill Nelson. So, they have to qualify in order to be able to use the other parts of the database. Mr. Sanford. We have case law. We have news and business articles. This is not the kind of thing that goes through a special credentialing process. But access to, say, driver's license number data or credit header information, nonpublic information, there's a special credentialing process. Senator Bill Nelson. How do you monitor that? Mr. Sanford. Customers in each and every search session have to indicate what their permissive use is. We do have detection software. Under DPPA, I believe, each time you use a search where you access a driver's license, you make a statement subject to criminal sanctions. It's against the law to have an impermissive use under DPPA. We've instituted some recent procedures to do recredentialing, on a periodic basis, for customers when contracts are up for renewal. We're enhancing procedures all the time. We're looking at having systems administrators recertify on a monthly basis, or a 60-day basis. We're working with our customers to figure out how we do that. Because we are in a mobile society, and people do have employees that come and go from their business, we want to make sure that the people who have the passwords and IDs are still, you know, legitimate users in those businesses. Senator Bill Nelson. Mr. Chairman, I see my time is up. I will have some more questions in the next round. Senator Smith. We'll have another round. Senator Bill Nelson. Thank you. Senator Smith. Senator Lautenberg? Senator Lautenberg. Thanks, Mr. Chairman. Just curious about the material that's accessible when someone becomes a client of your firm, either one of you. Now, if--are most of these people likely to be looking for lists for mailing solicitations? Mr. Sanford. In LexisNexis, we don't have a marketing business, except for a--there's a very, very small business that helps people in bankruptcy, doesn't have personally identifying information or driver's license numbers. But 99 percent of what we do has nothing to do with marketing. We don't have financial---- Senator Lautenberg. How about ChoicePoint? Mr. Curling. We have a collection of businesses, one of which is purely direct marketing, but those--all of our customers are credentialed and have access to separate product platforms. There is no common ChoicePoint access or single database with all the information in it. The information is kept separate by product. So, for example, in direct marketing, the customers would have access to no sensitive, personal identifiable information. As I indicated in my testimony, it's about 9 percent of ChoicePoint's revenue. Senator Lautenberg. Yes, so if someone was a United States Senator, and they wanted to compile a mailing list for campaign solicitation, could they have that list, sorted out by--a list sorted out by income levels? Mr. Curling. Well, that's not a market we serve, so I can't answer that, but if it was in a market that I do serve--well, we're principally serving financial institutions and insurance companies. The preponderance of our revenue is in the insurance market. So, for insurance companies what they're typically trying to do is look at the people they have insured today for auto and home policies and try and find more---- Senator Lautenberg. So it would have to be specific---- Mr. Curling. Typically, they're going after a particular product. Senator Lautenberg. And when they sign up for your services, do they have to identify those lists that--or the area of listing that they might want to access? Mr. Curling. Yes. As a part of our credentialing--in marketing, as a part of that process, we would understand what products they wanted to buy---- Senator Lautenberg. So, they're limited. They can't---- Mr. Curling. They're completely separate from other products. Senator Lautenberg. What--when people have--are expected-- or suspected to be a substantial risk for identity and fraud, is it in the consumer's best interest for the company to make that call or to inform consumers when there's any breach at all? How do you anticipate that someone might be an easy target for identity theft? Do you? Mr. Sanford. Well, it's very much the process we went through beginning in February. We have a chief security officer in the business. We investigate security issues. No company is immune to the constant attempts at hacking and penetration of their services. And what we did in our situation was, we looked at security breaches where a customer had said, ``This is not my billing activity.'' And when we could see that that was an employee who left the company, who went across the street, say, figuratively, to work at the collection company across the street, and continued to conduct searches in the normal course of their business, that doesn't present a risk of harm to the consumer. When a employee in a business is searching celebrities on a database, that doesn't suggest a risk of harm to consumers. And so, what we looked for was anything in a search that we couldn't authenticate, where there was some suggestion of risk of harm to a consumer. So, for example if the IP address of where that search emanated from came from a foreign country, and this was a domestic business, that was suggestive of a problem, given the body of literature on this issue. If people were using anonymiers, or if there was a virus or spyware inside of a customer's environment, we said there's some risk of harm. And the real challenge, Senator, is this trigger--is, When do you make notice? Because if there's any risk of harm, or no risk of harm, I think you do run the risk of this over- notification. This is a very serious matter. But the facts, so far in our notices, have indicated, you know, next to no financial harm, at least, for those individuals. It's very discomfiting to them, it's a very serious matter, but I think we do have to wrestle with, What is it that's going to trigger notice? Because the intent of notice, I hope, is to help someone protect themselves, not to make them immune to the notices they get so they don't protect themselves that one time when they should. Senator Lautenberg. If someone--if a company is interested in debt collection, is that information fairly discernible in any of the groups that you have? Mr. Sanford. Debt collectors, credit departments, financial institutions, and collection organizations are a part of our business, and what they're looking for is authentication and location of the individual; so they may collect the debt from the correct person. Again, there are many, many John Smiths, and they're trying to find out which John Smith is the right John Smith for this particular debt. Senator Lautenberg. Thanks, Mr. Chairman. Senator Smith. Thank you, Senator Lautenberg. Senator Dorgan? STATEMENT OF HON. BYRON L. DORGAN, U.S. SENATOR FROM NORTH DAKOTA Senator Dorgan. Mr. Chairman, thank you. And thanks to the witnesses. This is a complicated set of issues for those of us who don't work in the business. And my understanding is that there is no Federal law prohibiting the use and sale of Social Security numbers. Would that be correct? Mr. Sanford. I think there are a number of laws. The most-- GLBA would be most applicable, where it talks about the use of---- Senator Dorgan. GLBA? Mr. Sanford. Gramm-Leach-Bliley Act. Senator Dorgan. OK. Mr. Sanford. Excuse me, Senator--where it talks about our business, for example, as a recipient of information from a financial institution. Our use of that credit-header information, which includes the Social Security number, is restricted. Senator Dorgan. Do both of you do business in Europe and the United States? Mr. Sanford. Yes. Senator Dorgan. And can we go---- Mr. Curling. We do, principally, business in the United States. Senator Dorgan. Do you do business in Europe? Mr. Curling. We do very, very small amounts of business in Europe, there are a few financial institutions that buy data for customer enrollment purposes, Patriot Act compliance, but very little; 99-plus percent of our revenue is domestic. Senator Dorgan. Mr. Sanford, can you describe for us the difference that exists with respect to the European approach protecting confidentiality, versus the U.S. approach at this point, given current law? Mr. Sanford. I'm not an expert on the European privacy issues. I can speak to the U.S. I'd be happy to give you the information. Our business in Europe is principally a legal news and business information service, as it is in Asia, Pacific, and Latin America. Our risk-management business focusing on public records is principally a U.S. business. Senator Dorgan. But if you--because you do business in Europe, you are required to comply with the--I believe it's called the Data Protection Directive in Europe? Mr. Curling. We don't collect public-record information or data from--on European citizens. Senator Dorgan. Well, the reason I was asking that--I was going to ask you your assessment of the approach the Europeans take, versus the approach that we take, under present law. And that, I think, goes to the heart of what we might ought to consider. Should we consider doing something that is much more restrictive, much more protective? And I believe that the Europeans do that. As I understand it, they require companies to provide consumers with notice, the ability to opt out with respect to nonsensitive commercial marketing of personal information, opt in with respect to sensitive, personal information, the right of access to personal information collected, reasonable security protections for the information, and so on, which I think is different than now exists in this country. Is that right? Mr. Sanford. I think some of them are the same, and some of them are different. It depends, again, if we're talking about FCRA applications, where I think you'd see opt-in--or, excuse me, opt-out, you would see notice and correction. Senator Dorgan. Tell me about, if you would--I expect neither of your companies are involved in this, but I think my colleague, Senator Inouye, was getting to it--if you, Mr. Sanford, go to the Internet today and decide you want to know about Senator Bill Nelson--you want to learn about him, you want to know everything there is to know about him, you want-- you'd like to get his Social Security number, you want to find out about his driving record, you want to know everything about him. And my guess is there are many options for you on the Internet to pay $100, $50, or $150 to gather information about Senator Nelson. Is that correct? Mr. Sanford. I believe there are. Senator Dorgan. And what kinds of companies are they that, on the Internet, are marketing that information? Do you know? It's obviously---- Mr. Sanford. Yes, I wouldn't want to speculate as to the business purposes. You wouldn't be able to do that on our service. Senator Dorgan. I understand that. Mr. Sanford. You'd be able to access news articles and public information that might be otherwise in a blog or, you know, in a Google-type search. Senator Dorgan. I understand that. And I'm not making a comparison that either of you are involved in that. I'm just saying that that's another type of data collection. Somebody is collecting information about Senator Nelson, and, for $150 or so, we can go find out what information they've collected, which I assume would probably almost always include his Social Security number and a whole range of issues relating to his life. And that is also part of this data-collection industry, albeit smaller companies, likely, companies that aren't operating within the guidelines that you operate within. But as we consider all of these issues, you, of course, will always have to bear the burden of others in this industry that are marketing information in different ways. How do you feel about that? Mr. Sanford. We have policies and practices which are more restrictive than some of the existing laws. I would certainly welcome enforcement of existing laws on my competitors. It is a competitive disadvantage for us, where we comply with laws, but people find ways to gain access to information that they shouldn't. Senator Dorgan. Is Social Security the critical identifier with respect to personal information? Mr. Sanford. The Social Security number would probably be the most commonly agreed item. California statute also suggested driver's license numbers. If you think about identity theft and getting a photo ID with a driver's license number, I would include that as a sensitive piece of data, as well. Senator Dorgan. Is identity theft a crisis or a very serious problem in this country, or is it overblown, in your judgment? Mr. Sanford. I think it's a very serious problem, but I think it's been a very serious problem for a long, long, long time. I've learned quite a bit from the research and--I mean, identity thefts's been going on, and fraud associated with identity theft's been going on for decades and decades. Technology, while it's very powerful, has facilitated it more recently. And that's--you know, again, without downplaying the seriousness of us having very strong security safeguards, the reality is--is that the bad guys now have technology tools available to them to go out and commit all kinds of fraud. And part of the solution has to be to create tools to stop them. Restricting access to data is certainly, in some people's minds, a way to do that. I think if the restriction goes too far, we will, in fact, enable the bad guys to do even more than they're doing now. Senator Dorgan. Mr. Chairman, first of all, I think it's a service for you to hold this hearing. And I know the work that Senator Nelson has done, and others, is very important. You know, I think, frankly, most people would be aghast--most of our citizens would be aghast at the information that's being collected with respect to their personal lives. And I think, as we dig into this issue and mine this issue a bit to understand it better, we have a lot of interesting choices to make about how to protect American citizens with respect to the gathering of their personal information by other companies. Senator Smith. I think you're right, Senator. Thank you. Next, Senator Pryor. And we have been joined by Senator Nelson--we'll go to your questions after that, Senator Ben Nelson. And then back to Senator Bill Nelson for round two. STATEMENT OF HON. MARK PRYOR, U.S. SENATOR FROM ARKANSAS Senator Pryor. Thank you, Mr. Chairman. Let me ask both of you a question, because, as I understand, what we're talking about here today is, the two entities you represent have very different business models, right? You all have different business models from one another. And they're--and I think what it shows is, there's kind of a diversity within the information-providers sector of our economy, if you will. What implications does the fact that you all have different business models--what implications does that have on possible legislation? In other words, when I see something like what you're talking about today, I'm concerned that a one-size-fits-all solution probably won't work. So, could you discuss a little bit, if you can do it fairly briefly, about, you know, how you're different and how you think we need to--as we look at legislation, how we should be careful to craft that to meet those differences? Mr. Sanford. Well, we're both alike, to the extent that if we have an FCRA solution, we're governed by the FCRA and the FACT Act. We're both alike to the extent that if we're dealing with information from financial institutions, we're governed by the privacy provisions of the Gramm-Leach-Bliley Act. We're different in our product mix. And that's our distinction. Now, our business practices may be different, and our policies, but, from a legislative standpoint, we are covered by the same laws; we just happen to have different concentrations. Senator Pryor. Do you agree with that, Mr. Curling? Mr. Curling. Well, I think, generally, that's probably an accurate characterization. I mean, we--our product mix is principally consumer-driven transactions that are regulated by FCRA or software and services. So, the segment of public-record sales that are non-FCRA, that are nongovernmental, it's a very small business for ChoicePoint. I think that the--some of the legislative proposals that have been put forth do deal with things, though, that all businesses and all enterprises should agree on. I think that, you know, identity theft is a crime that doesn't stay inside state borders. I think it's a crime that doesn't contain itself to a particular industry. You know, the breaches that were mentioned by the Committee members earlier in the meeting happened to universities, nonprofits, government agencies, commercial enterprises. So, I think that some of the topics under discussion, you know, notice, you know, how we're going to help affect the consumers. The things that we all need to do to try and provide more support for law enforcement to drive fraud and identity theft out of our society are things we all agree on, regardless of the industry we're in. And I think there is legislation there that everyone would agree on, and it would fit under one tent. Senator Pryor. Let me follow up on that, if I can, Mr. Curling, because there has been security breaches that have happened in a wide variety of companies and, as you said, some nonprofits, some--even some government entities. Should a security safeguards rule be applied only to information--only to information-service providers, or should it be broader than that and cover all businesses and even nonprofits and government agencies? Mr. Curling. We believe that consumers' interests are going to be best protected when, you know, it applies to all entities, regardless of the type of organization or structure of that company. As I indicated, you know, if you collect, assemble, maintain, transfer, or manage sensitive data, a breach is a breach, and, whether that took place in a commercial enterprise or a nonprofit organization, consumers need to be noticed. Senator Pryor. Mr. Sanford, you said, in your written testimony, that you acknowledge that maintaining security is not a static process. In other words, you have to continually evaluate new or--new types of security breaches. And, obviously, I know you have your hands full there. Do you think it is possible for a small company data-broker to maintain database security as diligently as they need to in order to prevent identity theft? It seems to me they might be at a disadvantage. Mr. Sanford. There are certainly high fixed costs for security. I mean, having credentialing programs, having detection software, monitoring, having resources to investigate certainly would be a disadvantage to a small business. Senator Pryor. What about third-party security audits? Do you use those in your company, right? Mr. Sanford. We do use them. Senator Pryor. And has that been a successful approach for you? Mr. Sanford. The third-party tends to be objective, has no loyalties, points it out to you, makes suggestions on things that are now available in the industry, state-of-the-art technology, different practices and procedures. Senator Pryor. Do you know how widespread third-party security audits are in the industry? I mean, do the smaller companies use them? Do we know? Mr. Sanford. I don't know, Senator. Senator Pryor. OK. Well, it looks like I'm just about out of time, so let me ask my last question here. Do you think that a consumer should have the ability to see his own file with your company? Mr. Sanford. In our non-FCRA businesses, we don't maintain consumer files or consumer reports, but we do have the ability for them to get access to the information, running a search to see what information's there. Senator Pryor. Is that available to them now? Mr. Sanford. Yes. Senator Pryor. And is that free? Mr. Sanford. No. There's a fee for that. I've asked the team to look at, you know, what that fee should be. Unlike a-- in a credit transaction, where data is pushed to you to assemble credit reports, we incur extraordinary cost to go collect and maintain all this information. We're not making a profit on giving them the reports. We have to authenticate the--I'm sorry, Senator---- Senator Pryor. Yes. Mr. Sanford.--we have to authenticate the individual to make sure who they are when they call up. We're not just going to turn that information over to somebody over the phone. Then we have to prepare the report, and we mail it out to them. Senator Pryor. And, just as a very brief follow-up to that, because we're out of time, is--should the consumer have the ability to correct information in your file? Mr. Sanford. If the information has an error, is related to work we've done with it--let's say we transposed data inadvertently when we were loading the file--we would certainly correct that. If it's a public-record file, or a non-public- record file, like a credit header, we need--we generally point them right back to the source and say, ``This is where we got this file from, let's get the public-record source collected so that we have the correct public-record information.'' Senator Smith. Thanks, Senator Pryor. Senator Nelson? Senator Ben Nelson. Thank you, Mr. Chairman. Mr. Curling, you mentioned that if information is breached--security is breached, information is now out--that there's a notice that should be sent out to the parties. Should that security breach also be a violation of the specific law? Should there be strict liability for anything that comes from the misuse or the access of that information? Mr. Curling. Well, as we indicated, I think, Senator, we do agree that, you know, if there is a breach, we should send notice. And we would prefer the legislature draw a bright line as to what that notice criteria should be, because we don't feel like we're in a position to judge whether or not that breach posed a significant risk. In the event there is a notice, you know, we do have obligations and responsibilities that we need to fulfill. The first is, we help those consumers that are affected, you know, try and do what they can to understand the breach, understand the significance of the effect on them, and give them access to information products that would help them monitor whether or not they're going to be a victim of identity theft. And we believe we've done that. Senator Ben Nelson. What about strict liability? In other words, if you have--if you have control over the information, and it gets accessed, should you have strict liability for anything that occurs that is damaging to the name whose identity theft has occurred? Mr. Curling. Well, I'm not a lawyer, I don't know that I'm prepared to understand---- Senator Ben Nelson. Well, no, I'm not necessarily saying you should you know right now, but do you think, as a matter of law, if you're not strictly liable now, that that might be the kind of imposition of responsibility that would be appropriate? Mr. Curling. Well, there are certainly penalties and fines already in place for breaches like this. I think that the primary, you know, view that ChoicePoint would have, as a commercial enterprise, is, we have market forces at play, as well, that already put, you know, tremendous pressure on companies to not only do the right thing, but maintain the appropriate safeguards. And I think that the, you know, primary liability is with the criminals. And I think what we want to try and support is law enforcement, getting the fraudsters out of our system. Senator Ben Nelson. Well, if you were faced with the question we're faced with--How does this get resolved?--what would be the first thing you would suggest we do? Mr. Curling. Well, I think there are many good proposals in place. You know, I previously testified in the Judiciary Committee that the proposal by Senator Schumer and Senator Nelson has a lot of good principles that we agree with. We believe in notice. We think notice is an important thing. You need to give a consumer a notice that a breach has occurred, and give them an opportunity to take the steps necessary to protect themselves. We believe that there need to be standards. And I think all of us, you know, would like to have a level playing field, whether that's for us to better understand the expectations that various constituencies place on us so we can feel like we're honoring and acting responsibly in our obligations, but also from a competitive and marketplace standard to understand what it is the rules should be. In my case, most of our products, as I indicated, that contain personally identifiable information, are already regulated by the FCRA, which, as you well know, has been a tried and true kind of 30-year standard for how this kind of information should be managed and what you should do if there is a breach or if there is some kind of dispute. We think that's a good model. Senator Ben Nelson. Mr. Sanford? Mr. Sanford. Senator, I would recommend that the three most important things that this committee could consider, if the ambitioning goal is to make a dent in the amount of fraud associated with identity theft, is, one, look at what the penalties are for the identity thieves, and make it a crime that nobody wants to commit. It's a very hard crime to prove. Sometimes the value of the theft is difficult to prove, and the penalties sometimes makes these misdemeanors, while the harm to society and the harm to the individuals and the financial institutions, the banking industry, is in the billions. So, that's one. Second, I do think a national notification standard is in order. California does have a law. Many, many states are considering, as we are here today, different notification bills across the United States, and I think having a national notification standard that has Federal preemption will ensure that when someone gets a notice, no matter where they live-- because, remember, our people in this country move around quite a bit--they'll understand what that notice means, and it won't depend upon which State it came from. And, third, I think insisting--as Mr. Curling pointed out earlier, insisting on data-security safeguards, regardless of where that data repository is, would make sense--not just for commercial organizations like us--so that we make it harder to get that information. And I--as indicated in my testimony, I believe that the Safeguard Rules, if they're modeled after what's in GLBA, would be a good start. I think that this framework needs to be flexible, because every company's business is a bit different, technologies are different, the size of the business is different, and the threats are evolving. I think proscribing specific security-- within a year or 18 months, we would have companies that might be in compliance with that, but would have ineffective security safeguards in place. Senator Ben Nelson. What about the--my question about strict liability for any kind of damages that the victim of identity theft might get as a result of information you held that was accessed by an identity thief? Mr. Sanford. It's not something that I've previously considered. I'd be glad to give it some thought. I, top of mind, wonder if it wouldn't provide some incentive for companies not to make notice--who were worried about the penalties--but it's something I'd be glad to work with your-- you and your staff on and consider. Senator Ben Nelson. Thank you. Thanks to both of you. Thank you, Mr. Chairman. Senator Smith. Thank you very much, Senator Nelson. As we go to a second round, I know Senator Inouye has expressed an interest, but if there is no objection, Senator McCain, a Member of this Committee, has asked that we include in the record his statement. It relates to the leadership, tragically, of Arizona on this issue, and it's an issue about which he is very concerned. Is there objection? [No response.] Senator Smith. We'll include it. [The prepared statement of Senator McCain follows:] Prepared Statement of Hon. John McCain, U.S. Senator from Arizona Our Nation--along with the rest of the world--is experiencing a data revolution. Thanks to information technology, innovative business models, and globalization, data is flowing faster, more widely, and more freely than ever before. This current of information is helping our economy grow, but like many other revolutions, this one has not been bloodless. The dark side of our Nation's information-based economy is that the wider availability of data--including personal identifiable information--has contributed to the theft of millions of American identities. Unfortunately, identity theft is especially common in my home State. Federal Trade Commission data indicates that there were more reported cases of identity theft per capita in Arizona than in any other state in 2004. In addition, the FTC reports that the Phoenix area leads other U.S. metropolitan areas in the incidence of the crime. This has led one Arizona newspaper to christen my home State the ``identity theft capital of the Nation,'' a distinction that no Arizonan is proud of and that I will continue working to shed. Today's hearing touches on yet another chapter in this country's battle against identity theft. And, though I'm extremely concerned about the security breaches at companies like ChoicePoint and LexisNexis, I am not surprised by the news. ChoicePoint, for example, has compiled 19 billion records covering virtually every American adult according to press reports. Targets do not get bigger and more predictable than that, and I have to say that I am disappointed to know that a company that should have had better security measures in place did not. I look forward to hearing what ChoicePoint and LexisNexis are doing to restore integrity to their businesses. I trust that this will be the first of many hearings that the Committee will have on the issues of information security and privacy, and that the Committee will build on the work it has done in the past by taking a broad look at security and privacy issues during this Congress. Our purpose in doing so should be to protect consumers while maintaining the integrity and viability of our information economy. I, for one, believe that those goals are not mutually exclusive. I thank Chairman Stevens for holding this important hearing and the witnesses for coming before the Committee. Senator Smith. Also, I'll include in the record the data security incidents in 2005 relating to public institutions, primarily universities, and the tremendous levels of identity theft that has occurred at some of the major universities of our Nation. [The information previously referred to follows:] Data Security Incidents--2005 (As of 5/9, at least 35 incidents have been disclosed, potentially affecting more than 5.2 million individuals) ------------------------------------------------------------------------ Date Entity Affected ------------------------------------------------------------------------ 01/03/05 George Mason University.............. 30,000 --Officials discover that hackers had accessed private information and Social Security numbers on students and staff.. 01/06/05 University of Kansas................. 1,400 --Administrators send letters to individuals whose personal information, including Social Security numbers, passport numbers, countries of origin, and birthdates, might have been compromised when a hacker accessed a server in November 2004.. 01/18/05 University of California, San Diego.. 3,500 --Officials reveal a mid-November breach may have compromised names and SSNs of students and alumni.. 01/25/05 Science Applications International Unknown (SAIC). --Desktop computers were stolen from the offices of Science Applications International Corp., an online payroll services company, compromising personal information of current and past stockholders. 01/27/05 Purdue University.................... 1,200 --An unknown person or group accessed a computer in the College of Liberal Arts' Theatre Division containing names and SSNs of faculty, staff, students, alumni and business affiliates.. 02/02/05 Indiana University................... Unknown --Officials reveal that the F.B.I. and campus police are investigating a computer security breach that left employees' personal information vulnerable. It is unknown at this point how many have been affected.. 02/14/05 ChoicePoint.......................... 145,000 --Company confirms it was victimized by a customer fraud in which public records information about approximately 30,000 consumers may have been compromised; number of potentially affected consumers later increased to 145,000.. 02/20/05 T-Mobile............................. 400 --Mobile phone accounts of Paris Hilton and 400 T-Mobile customers compromised by hackers. 02/24/05 Westlaw.............................. ``Millions'' --Accused by U.S. Sen. Charles Schumer of having ``egregious loopholes'' in one of its Internet data services that would allow thieves to harvest SSNs and financial identities of millions of people.. 02/25/05 Bank of America...................... 1.2 million --Announced it had lost computer data tapes containing personal information on Federal employees, including some members of the U.S. Senate.. 02/05 PayMaxx.............................. 25,000 --Flaws in the online W-2 service of PayMaxx exposed customers' payroll records.. 03/08/05 DSW Shoes............................ 1.4 million --Announced that credit card information from customers of more than 100 DSW Shoe Warehouse stores was stolen from a company computer's database. The company announces on April 18, the number of affected consumers could be 1.4 million.. 03/08/05 Harvard University................... 200 --Intruder gains access to its admission systems and helped applicants log on to learn whether they had been successful weeks before they were to find out.. 03/09/05 Reed Elsevier, Seisint Unit 310,000 (LexisNexis). --Announced that hackers gained access to sensitive, personal information of about 32,000 U.S. citizens on databases owned by Reed Elsevier. The company in April updates the actual number of potentially affected consumers to 310,000.. 03/11/05 Boston College....................... 120,000 --Announced that hackers had accessed personal information of alumni in a computer system used for fund- raising.. 03/11/05 University of California-Berkeley.... 100,000 --Laptop computer stolen from a graduate division office contained the names and Social Security numbers of 98,369 individuals.. 03/11/05 Nevada Department of Motor Vehicles.. 8,900+ --Personal information compromised when thieves stole a computer from a Nevada DMV office.. 03/14/05 California State University, Chico... 59,000 --Hackers broke into a housing and food service computer system, which contained names and SSNs of current, former and prospective students, as well as faculty and staff.. 03/18/05 University of Nevada, Las Vegas...... 5,000 --Administrators reveal that a hacker had been accessing the personal information of international students.. 03/23/05 Mutual funds......................... Unknown --Wall Street Journal reveals numerous mutual funds reported data security breaches, including Armada Funds; Pimco, a unit of German insurance giant Allianz AG; The Dreyfus unit of Mellon Financial Corp.; Bank of America Corp.'s Columbia Funds unit; Nuveen Investments; The First American Funds unit of U.S. Bancorp; AmSouth Bancorp's fund unit; CNI Charter fund unit of City National Bank of Los Angeles.. 03/25/05 Northwestern University.............. 21,000 --Hackers broke into a graduate school server, exposing the Social Security numbers of students, faculty, and alumni.. 03/28/05 San Jose Medical Group............... 185,000 --Someone stole two computers that contained patient billing information, including names, addresses, Social Security numbers and confidential medical information.. 03/28/05 University of Chicago Hospital....... Unknown --Announced an employee had been selling patient records.. 04/08/05 Eastern National (vendor for National 15,000 Park Service). --Hacker infiltrated its ``eParks.com'' computer system and may have gained access to customer names, credit card numbers and billing addresses.. 04/10/05 Christus St. Joseph Hospital, 16,000 Houston, Texas. --Published reports on 4/26 said the hospital had sent letters to 16,000 patients saying their medical records and SSNs were comprised due to the theft of a computer in a January burglary.. 04/10/05 Carnegie Mellon University, 5,000 Pittsburgh. --Published reports on 4/21 said the university had sent letters to more than 5,000 students, employees and graduates that their SSNs and other personal information was comprised in a breach of the school's computer network that was discovered on 4/10.. 04/12/05 Tufts University..................... 106,000 --Announced it was sending letters to 106,000 alumni, warning of ``abnormal activity'' on a computer that contained names, addresses, phone numbers, and, in some cases, Social Security and credit card numbers.. 04/13/05 HSBC North America................... 180,000 --Credit card issuer sending letters to consumers who used General Motors- branded MasterCards to make purchases at Polo Ralph Lauren, stating that criminals may have obtained access to their credit-card information.. 04/19/05 Ameritrade........................... 200,000 --Online discount broker reported it has notified current and former customers that it has lost a backup computer tape containing their personal information.. 04/23/05 Georgia Southern University, ``Thousands' Statesboro, GA. ' --Associated Press reports on 4/28 that hackers broke into a GSU server that contained thousands of credit card and Social Security numbers collected over more than three years.. 04/26/05 Foster Wheeler, Clinton, NJ.......... (est.) 6,700 --Engineering/construction company writes to employees, retirees, advising them that a hacker broke into the company's computer system in February and might have stolen personal data, including SSNs and bank deposit information.. 04/28/05 Banks in New Jersey.................. 500,000 --NBC reports scheme by bank managers and employees who sold personal data of about 500,000 holders of accounts of Bank of America, Wachovia, and Commerce Bank branches in New Jersey.. 04/28/05 Oklahoma State University............ Unknown --University begins notifying students and alumni about the theft of a laptop computer from the career services office that contained Social Security numbers, genders, ethnicities, class levels and e-mail addresses of most Stillwater and Tulsa campus students and recent alumni.. 04/29/05 Florida International University..... Unknown --Sun-Sentinel newspaper in Orlando reports on a ``recent computer break- in'' potentially compromising personal data of students, professors and staffers. A school official told the newspaper that electronic intruders apparently dialed into FIU's computers from Europe.. 05/02/05 Time Warner.......................... 600,000 --Company announces that data on current and former employees stored on computer back-up tapes was lost by an outside storage company.. ------------------------------------------------------------------------ Total--At least 35 incidents, potentially affecting more than 5,244,300 individuals. Senator Smith. Senator Inouye? Senator Inouye. Thank you very much. On the present laws and rules and regulations, I can have my telephone number unlisted to protect my privacy. I can also demand that spam callers be prohibited from using my number. Can I call upon your companies and say to take my name off your list? Mr. Sanford. We have a opt-out program that has restrictions on it. You could make a request to opt out of our non-public-record information databases if were a victim of identity theft, if you were a law enforcement official who has had some threat of risk of harm, or we have a general other category which says any other threat of risk of harm that you would show us. And that might be, say, for example, a domestic- abuse victim. Senator Inouye. In other words, you have the final say as to whether I can or cannot take it out? Mr. Sanford. That's correct, Senator. Senator Inouye. Mr. Curling? Mr. Curling. Many of our products already are opt-in products driven by the FCRA. There are products that we offer that do have opt-out provisions--the direct-marketing products, et cetera. Some of our products, though, the ones, in particular, I think, the subject of this hearing, the public- record products, are products that there is not an opt-out on, except for a law enforcement or a government official opt-out. Those are generally not records that are, you know, unique to ChoicePoint. They are records that society has determined to be open public records, and people typically turn to ChoicePoint merely to--for cost effectiveness and convenience to acquire that record. Those are records that we don't source. We didn't originate them. We merely extract them from where--government repositories and courthouses around the country, and we don't have an opt-out provision for those. Senator Inouye. Thank you very much. Senator Smith. Thank you, Senator Inouye. Senator Bill Nelson? Senator Bill Nelson. Thank you, Mr. Chairman. And, before I forget it, I would like--because I'm not going to ask all the questions here--to submit a number of questions in writing, as did Senator McCain. Senator Smith. We will include those questions and ask for their answer. Senator Bill Nelson. Thank you. And thank you, Mr. Curling, for your response to the other Nelson with regard to this Nelson's legislation that is before this committee saying that, generally, the concept of it, that you would support it. And I want to go over those six items, things like creating a government industry working group to help develop best practices for safeguarding information, and creating an Assistant Secretary of Cybersecurity within the Department of Homeland Security, and tightening commercial usage of Social Security numbers. Those are things that certainly could be embraced. Is that accurate? Mr. Curling. Generally speaking, yes, Senator. Senator Bill Nelson. All right. How about requiring all of the information-broker companies to notify consumers when a security breach occurs? You've already answered that in relation to other questions, and you generally support that concept. Mr. Curling. Yes. Senator Bill Nelson. How about mandates in the law that all companies must reasonably protect sensitive consumer information? Mr. Curling. Yes, Senator. Senator Bill Nelson. And then having a one-stop shop? Whatever the regulatory agency--my suggestion is that it is the Federal Trade Commission, but this would be an Office of Identity Theft, where a consumer could get help to restore their identity. Mr. Curling. We would agree with the one-stop shop, and we agree with enhancing the FTC's oversight. Senator Bill Nelson. All right. Now, that's pretty much the comprehensive bill that Senator Schumer and I have filed. What do you think about that, Mr. Sanford? Mr. Sanford. Senator, it's a--it is a very comprehensive bill. I believe the intent, in terms of helping consumers and stopping identity theft and fraud, is certainly welcome. I think the parts of the legislation that strike me as the most relevant, that I would encourage this Committee, is the national notification standard for consumers. I would encourage Federal preemption so that we don't have competing notification standards in the market. I think data safeguards definitely modeled after GLBA, that flexible framework, I think, is the appropriate measure---- Senator Bill Nelson. For information brokers? Mr. Sanford. Well, I think--as I mentioned earlier, I think the--if you have personally identifying information, which, if it got in the wrong hands--and we could agree on what personally identifying information is--and that posed a risk of harm to individuals, then I would say if you are maintaining that database, and you have a breach, then notice--you should give notice to individuals when you have that breach. Senator Bill Nelson. But a law that would mandate that the companies must reasonably protect this sensitive consumer information? Mr. Sanford. I agree, Senator, that the safeguards that I have mentioned, in GLBA, I believe are the right--is the right framework. I think that would go a long way in protecting data for, not just us, but other people who maintain personally identifying information. Senator Bill Nelson. What do you think about the one-stop shopping? Mr. Sanford. I'm not sure anybody could argue with additional help in oversight and funding for the Federal Trade Commission to help in identity theft. I know that Chairman Majoras testifies how many thousands of calls a week they get, and I'm sure that that would just be something that would be very helpful. Senator Bill Nelson. I've talked to her personally about it, and she is--without endorsing it, she is clearly very positively inclined. Let me ask Mr. Curling, because, my previous round, I had the chance to talk to Mr. Sanford. ChoicePoint has described itself as a ``private intelligence service.'' ChoicePoint markets itself as ``selling actionable intelligence.'' Could you explain what this means for your company to be in the intelligence business, and explain how consumers would feel comfortable with that? Mr. Curling. Sure. I'm not sure that we characterized ourselves as a private intelligence agency. I believe that was an author of a book that characterized that. But we do--we do use---- Senator Bill Nelson. One of your staff yesterday told my staff attorney that it had been characterized that way. Mr. Curling. Well, I'll have to have a conversation with my staff. But we are a company that provides identification and credential verification solutions to principally commercial enterprises. And what we try and do is help them understand and manage the risks that they face. So, what we want to give them--as you're aware, data is expensive to acquire and time- consuming to analyze--what we want to give them is just the right information at the right time. So, our services are all oriented around things like helping an insurance company understand how to evaluate and price the risk of an applicant for auto insurance, so that consumer gets the insurance policy that they want at a price that's fair for them; how to help a commercial employer do a background check on a prospective employee, so that that employee is able to get the job that they want, but the employer is able to effectively manage the risk that the society puts on them to know who's engaged in their work force. That's the kind of actionable intelligence that ChoicePoint products offer. Senator Bill Nelson. You have a product named AutoTrackXP, and it's not subject to the Fair Credit Reporting Act, and it appears to contain some of the sensitive consumer information that is in other products that you admit are regulated, as are detailed and full credit reports. Explain to the Committee why ChoicePoint believes that the AutoTrackXP is not regulated under the Fair Credit Reporting Act. Mr. Curling. Well, that's a search engine, not really a report, but that product is used for investigative purposes. The largest customer set is law enforcement. But, again, as you've heard today in the testimony, there are other markets, like fraud prevention for insurance fraud research, as well as investigative research by commercial financial enterprises, that run searches to try and get information back. For those customers, that search does contain sensitive, personally identifiable information. Since we've made the business changes to our business, we don't offer that product with personally identifiable information in it to any segments other than law enforcement, large financial institutions, and insurance companies. Senator Bill Nelson. So, the theft that occurred by the Nigerians faking the identity could not have occurred in that sensitive information. Mr. Curling. No, it did, in fact, occur in that sensitive information, but, as a result of that fraud, we have changed our product, and won't offer--and do not offer that product to those parts of the market. Senator Bill Nelson. All right. And, if I may, just this last question. ChoicePoint has estimated that identity thieves obtained sensitive, personal information on about 145,000 people. I believe---- Mr. Curling. That's correct. Senator Bill Nelson.--I believe that's what you've stated. Mr. Curling. Yes. Senator Bill Nelson. Now, the L.A. Sheriff's Department estimates that figure to be four million. Can you explain why those figures are so different? Mr. Curling. Sure. I think that the quoted number of four million was a very early estimate by the L.A. Sheriff's Department, going back to September or October of last year. That was long before the investigation had actually gone through the searches that had been done, anybody had determined how many potentially affected consumers were affected by that. We've appointed Robert McConnell, a 28-year veteran of the Secret Service and, for the last 5 years of his career, the head of the Federal Government's Interagency Nigerian Organized Crime Task Force. I spoke with Robert yesterday. He has confirmed to me that L.A. Sheriff's Department now believes that our estimate is accurate. Senator Bill Nelson. Gentlemen, I look forward to working with you on this legislation. Senator Smith. Thanks, Senator Nelson. We're pleased to be joined by Senator Kerry. We've completed a second round of questions, Senator. If you have an opening statement or questions for this first panel, we'll be happy to---- STATEMENT OF HON. JOHN F. KERRY, U.S. SENATOR FROM MASSACHUSETTS Senator Kerry. Thank you, Mr. Chairman. No, I apologize for being late, but we had competing meetings, as is always the case here. I apologize to the witnesses. I've tried to get an update as fast as possible so I'm not overly repetitive here. And I know a lot of questions, good questions, have been asked. Obviously, from the participation here today, you can get a sense of the importance. But you already knew that before you came here, because of the outcry, publicly, and the concerns that people are expressing. And the moving, sort of, model statewide, beginning with California, of regulation is, obviously, an indication of people's desire to do something. I understand your business models, and I understand that the information you provide is, obviously, often used for very valid purposes, but, as we move forward, the question of how to protect this is, needless to say, critical. During the campaign last year, and I think it came to fruition yesterday or today, President Bush and I both talked about e-medical records and the need to try to reduce costs in the medical system. And, obviously, that's critical. And I just wonder if you could share with us a little bit, sort of, first of all, what types of personal information currently do your--do you maintain in your product lines, including information based on biometrics, DNA, and medical records? Mr. Curling? Mr. Curling. We don't maintain any data on biometrics, DNA, or medical data. The data---- Senator Kerry. Might you, as this opens up now with a certain amount of money? I mean, is this not a lucrative business prospect? Mr. Curling. I don't know whether it's a lucrative business prospect or not, but it's not an area where we have a lot of expertise or traction. We do have a DNA laboratory that supports our law enforcement initiatives, but that laboratory, Bode Labs, merely takes specimens on behalf of law enforcement agencies, processes the DNA, maintains chain of custody, and turns that back over to them for forensic purposes. Our scientists have been to the--Thailand to work on the tsunami. We identified the victims of the World Trade Center tragedy through that laboratory. But it's a forensic-science laboratory that's really an extension of the services we do to support law enforcement, not a business--part of our business model that we necessarily embrace. I think it is possible that the identifiers that we all begin to see used more in our society are perhaps biometric identifiers you're seeing today, technological solutions beginning to be deployed. They use authentications exceeding User IDs and passwords, and incorporating things like biometrics. But that's not something that, in the industry that I'm in, is in heavy use today. Senator Kerry. Mr. Sanford? Mr. Sanford. We don't collect medical information, Senator, or biometrics, or DNA, either. Senator Kerry. What about that information, Mr. Curling, that you do collect, in terms of the forensic chain-of- custody--is there any intrusive link in there that should be of concern? Mr. Curling. No, sir. That data doesn't get--the data repositories in ChoicePoint are generally housed at the product level. None of the information in Bode Laboratories, which is in Springfield, Virginia, goes out of the laboratory into other places in ChoicePoint. Senator Kerry. When you say you changed your business model, and essentially have tightened procedures, what loopholes did you tighten? Mr. Curling. Well, I don't know that I would say we tightened loopholes. We made business decisions that we thought were in the best interest of our company, given the experiences that we've had, and they were basically twofold. One, there are businesses that are hard to credential. Those are small businesses. And, given that the preponderance of our revenue is in large, either government contracts, or government--or commercial enterprises, small businesses are simply something that's awful hard for us to adequately credential and ensure that we know exactly who, on the other end, is buying the information products. We chose to exit the market of selling sensitive, personal information to those businesses, even though they have legitimate business interests to get at. And, you know, certainly small businesses face many of the challenges that big businesses do. Second, there are products that we sell that, while legal, don't have direct consumer benefit. And so, we chose to not sell to certain segments of the marketplace, sensitive, personal data that they're legally entitled to get, but they don't fit our business model. Senator Kerry. Was that small-business change specifically in response to the Nigerian---- Mr. Curling. Yes, it was. Senator Kerry. It was, OK. Is it your judgment now that those two problems were the only two problems? Or are you taking further steps that we should be aware of? Mr. Curling. Well, our investigations, and those of law enforcement, continue. There's--you know, we tend to think of security risks in five different categories--you know, basic physical-possession risk, which you can think of as common burglary or the--just loss of data; second, the hacking potential--and we have, like most in our industry, you know, monitoring software and extensive tools to try and monitor and track, and preventing hacking attempts; you have properly credentialed customers that have an employee that does a search they're not permitted to do, you know, the typical scenario of doing a background check on somebody's girlfriend or neighbor; you have properly credentialed customers that lose track of passwords and User IDs, which you've already heard of-- testimony today; and then, last, you have, you know, customers that get past credentialing procedures that simply should not have been credentialed as customers, and that's the experience we most recently had, where the notices were driven by. Senator Kerry. With respect to the law enforcement agencies, I gather you sell information to about 7,000 agencies. Is that correct? Mr. Curling. We serve 7,000 agencies. A lot of those don't buy data. They're buying software or tools from us. Senator Kerry. So, is there any limitation on the sale of that information to law enforcement? Mr. Curling. Well, we're limited by the type of information we're able to legally obtain from the repositories. The States have laws, as does the Federal Government, about what data can be sold and under what conditions it can be used. Senator Kerry. So, that's established by the States. Mr. Curling. And by Federal Government. But, Senator, largely--and, as I testified earlier today, largely the Federal agencies are turning to us to buy otherwise readily available public-record information. They're merely turning to us for convenience and cost-effectiveness. Senator Kerry. And which law enforcement agencies do you currently sell this--what I assume can be termed sensitive consumer information? Mr. Curling. We sell to a wide variety of Federal--we serve most of the Federal law enforcement agencies, and many State and local law enforcement agencies. Senator Kerry. Is there any standard of probable cause? Mr. Curling. There are--we have circumstances under which they inform us they want to buy data for investigations, but we're not privy, nor would you want us to be, to the actual investigations those law enforcement agents are conducting. Senator Kerry. So, it's an automatic affirmative response for information. Mr. Curling. In most cases, yes, sir. Senator Kerry. No matter what. A few years ago, you acquired VitalChek, which is a company responsible for handling vital records--birth, death, marriage, divorce--in all 50 states. How is that information shared with ChoicePoint? Mr. Curling. It's not. That's an ordering and payment platform where a consumer orders a vital record directly from a vital-records office. We provide a technology infrastructure to those vital-records offices. They receive the customer order, they pull the vital record, and they deliver it through secured carrier, directly back to the consumer. The records never come through ChoicePoint. Senator Kerry. So, there's no transfer of any of that information outside of VitalChek, itself. Mr. Curling. No, sir. Senator Kerry. Do both of you accept the premise that I think has been bouncing around here today that reasonable security standards ought to apply universally to any custodian of sensitive, personal information? Mr. Sanford. Yes, Senator. Senator Kerry. And Mr. Curling? Mr. Curling. Yes. Senator Kerry. Well, I think most of the other questions were touched on. Let me just ask you, for my own edification, How do you collect and maintain, store, and protect the information? What's the process by which you do that, if you could go through that? Mr. Curling? How do you collect the information and maintain it and store it? How do you go about that? Mr. Curling. It varies widely by market. In the largest market we serve, which is the insurance market, we gateway directly to states to get motor-vehicle records and driver's- license records, in most cases, and we deliver those back directly to our insurance customers an application at a time. So an application comes in, we break that application down against some decision rules the insurance company has given us, and then we begin to buy information products. Sometimes we-- their products that we database and warehouse, sometimes we go gateway to them. Senator Kerry. Do you gateway to credit-check companies, credit companies? Mr. Curling. We do. Senator Kerry. Do you see any distinction between the information that you use and sell, and the information that's on somebody's credit record? Mr. Curling. In many cases, from a regulatory standpoint, there's not a difference. We are a consumer reporting agency governed by the FCRA in many of the information products we have. The insurance products would be FCRA products. We would be treated similar to a credit-reporting company. The same is true for our pre-employment workplace solutions products and our tenant screening products. Senator Kerry. Do you think, from a legal point of view, that any individual in America, as a citizen, has a proprietary interest in their own information? Mr. Curling. I think citizens are obviously very concerned about the data---- Senator Kerry. Proprietary information, proprietary interest. In other words, should you be trafficking in their information, and they have no participation in the process? Mr. Curling. Again, the majority of our transactions that contain sensitive consumer information are initiated directly by consumers, so the transaction would not happen if a consumer hadn't initiated it. Senator Kerry. But, of course, that depends on knowledge, right? The knowledge standard. I mean, the opt-in---- Mr. Curling. Well, they---- Senator Kerry.--or out, whether they know or don't know---- Mr. Curling. Well, they applied for an automobile insurance policy, and, on the application---- Senator Kerry. But they didn't apply to have their information go to you to be winning you a profit for the transfer of whatever their life is, did they? Mr. Curling. I wouldn't know, Senator. Senator Kerry. Mr. Sanford? Mr. Sanford. I don't believe that a proprietary standard is workable. We use public-record information to provide very vital services that---- Senator Kerry. Is---- Mr. Sanford.--actually help consumers---- Senator Kerry.--is the information of a credit company public record, or is it private---- Mr. Sanford. We are not---- Senator Kerry.--privately held---- Mr. Sanford.--we don't collect---- Senator Kerry.--on a specific kind of contract relationship, the contract between the individual and that particular entity? Mr. Sanford. Yes. We do not collect financial or credit information on individuals, so we're not in that business. Senator Kerry. Mr. Curling, what about that? Is it specifically---- Mr. Curling. I'm not an expert in the Fair Credit Reporting Act, but I believe that a consumer--a credit-reporting agency has opt-in and opt-out, both provisions, on it with respect to certain uses of their products. And, in many cases, our products are regulated by the FTC under FCRA, just as they are. Senator Kerry. Well, I think one of the things, Mr. Chairman, we're going to have to think through very carefully as we go forward is, sort of, what is the level of knowledge and options available to anybody as to how far and how wide their information goes. I think that's central to this. And I thank you. Senator Smith. Thank you, Senator Kerry. We do need to go to our second panel, but Senator Nelson has one final brief, burning question. Senator Bill Nelson. Yes. And I think this will illustrate the extent to which information can be covered. Both of you have indicated that you don't collect and store medical records. Isn't that correct? Mr. Curling. That's correct. Mr. Sanford. That's correct, Senator. Senator Bill Nelson. Well, for example, Mr. Curling, you said you specifically represent, as clients, insurance companies. Mr. Curling. We do. Senator Bill Nelson. So, some of those are life-insurance companies. Mr. Curling. No. Mostly property and casualty, sir. I should have been more specific. Auto and home insurance. Senator Bill Nelson. No life insurance companies. Mr. Curling. No, sir. We have--may have some life-insurance customers in the marketing business, but we don't do underwriting of life-insurance products. Senator Bill Nelson. Well, if you represent life-insurance companies--and you're saying you don't--they have the medical records---- Mr. Curling. That is not---- Senator Bill Nelson.--for someone getting a life-insurance policy that they require a physical exam. How about you, Mr. Sanford? Do you represent any life- insurance companies? Mr. Sanford. We have life-insurance companies who are customers, but not in the medical-records business. For example, the legal departments of insurance corporations. But we don't collect medical records, we don't underwrite insurance, we don't have a business that does that. Senator Bill Nelson. You said, last October, that you bought a Florida company, in Boca Raton, named Seisint. Seisint has a program called Matrix. It's one of the most extensive tools that is used by law enforcement. As a matter of fact, the officials of that company told me, within a few days after September 11, that they could determine who were the hijackers, who were the perpetrators of September 11. That information, how do you protect that information? Mr. Sanford. The Matrix program was a federally funded pilot, which has ceased. I believe it stopped last month, actually. Matrix is a--was a search engine that allowed law enforcement to search our services for public-record information, and they could also, at the same time, search their own databases. We did not maintain or manage that. That was managed, I believe, by the Florida Department of Law Enforcement on behalf of the other States that participated in that. Senator Bill Nelson. And so, that system wouldn't have any biometric information, no DNA information, no medical information? Mr. Sanford. Again, the Matrix program, our participation in it, is to share our technology and access to our data. What the State law enforcement organizations are searching, I believe, are things like sexual offender databases, correction records, arrest records when they're trying to locate a suspect. I'm not aware--I'll be glad to check with my staff and get back to you if there was any medical information, access to that. I don't believe there was. Senator Bill Nelson. Blood types, diseases, scars, identification marks, et cetera, et cetera. Mr. Sanford. I'll have to get back to you, Senator. Senator Bill Nelson. I would appreciate it very much. Senator Bill Nelson. Mr. Chairman, I think you see the concern welling up here of the extent of which if these folks, which, thankfully, you all are very, very accommodating here to want to help us develop this legislation, but if we are not successful, you can see that no one in America is going to have any privacy left if people can invade your databases. You say you want to present--prevent that. That's what we're trying to do. Thank you very much. Senator Kerry. Could I just have one quick follow-up? Senator Smith. You bet, absolutely. Senator Kerry. Would either of you sell to a political committee? Mr. Sanford. I think you--Senator, we have legal research business, news and business information services. There's nothing that would stop them from having access. I don't think they would qualify for a permissive use under GLBA or the DPPA, though. I mean, those are around fraud detection and prevention and law enforcement type of permissive uses. Senator Kerry. But is there anything to stop a committee from--have you sold anything to a political---- Mr. Curling. Not that I'm aware of, no, Senator. Senator Kerry. But could they buy it? Mr. Curling. I don't believe that's a customer segment we serve. Senator Kerry. But could they? Mr. Curling. I don't believe they would get credentialed. But I can find out. I'm not--It's not a question I've heard before. But I don't believe--I've never heard--I've been around with the company---- Senator Kerry. Well, do you have a---- Mr. Curling.--since its inception, and---- Senator Kerry.--do you have a means of checking, sort of, the---- Mr. Curling. We have a business-purpose criteria upon which we'll enroll people as customers. I don't believe political committees meet the business purpose; therefore, I don't believe we would set up a customer---- Senator Kerry. What about a---- Mr. Curling.--account for them. Senator Kerry.--political consultant who's doing sophisticated political analysis---- Mr. Curling. We don't---- Senator Kerry.--polling analysis? Mr. Curling. I don't believe they're customers of ours, nor do I believe we'd serve them. Senator Kerry. You don't believe. But there's no set of guidelines with respect to---- Mr. Curling. I'm trying to be very specific. There are very specific guidelines about who we serve as customers. I've never heard of this customer segment being anybody we serve. The preponderance of our customers are large insurance companies, large financial institutions trying to process transactions so a consumer can get some kind of benefit--an insurance policy, a job--large retailers or large customers of ours. We don't have very many customers that aren't in the large commercial space or government enterprises. Senator Bill Nelson. May I ask a follow-up on that? But if one of your large commercial customers asked for this information, and you had some reason to know that they were going to use it for political purposes---- Mr. Curling. Our customers, by and large, have to send us-- they're asking questions an application at a time, so I'm not sure how they'd come in and ask that question, anyway. The most likely way they could present themselves is through the direct marketing business, where we don't sell sensitive, personal identifiable information anyway. But, again, I'll be happy to get back to the Senator and the Committee on that. I'm not aware this is a market we have any interest or any services to. Senator Smith. Like I said at the--earlier in the hearing, Senator, this was a question that didn't register Republican or Democrat, but maybe both sides are pretty interested now. [Laughter.] Senator Smith. But I think you raise---- Senator Kerry. Well, I've seen some pretty sophisticated analysis based on those things. [Laughter.] Senator Smith. Yes. But in all seriousness, I think your point is well taken, and I think both sides do have an interest in making sure that people's rights and privacy are protected. And so, we appreciate very much, gentlemen, your being here today and for the contribution you've made to our understanding of this issue and the kind of problem we're trying to wrestle with and get some results for the American people. So, we thank you. And we'll now call forward our second panel. It will consist of Ms. Jennifer T. Barrett, Chief Privacy Officer of Acxiom Corporation, in Little Rock, Arkansas; Mr. Paul Kurtz, Executive Director of the Cyber Security Industry Alliance, Arlington, Virginia; Mr. Marc Rotenberg, President and Executive Director, Electronic Privacy Information Center, in Washington, D.C.; and Ms. Mari Frank, of Mari J. Frank, Esquire, & Associates, of Laguna Niguel, California. Senator Pryor will introduce Ms. Barrett. Thank you all for being here. Senator Pryor. Thank you, Mr. Chairman. It's really an honor for me to introduce to the Committee today Jennifer Barrett. She's the Chief Privacy Officer at Acxiom Corporation. And I think that title is very significant, because, as I understand it, Ms. Barrett was one of the first chief privacy officers anywhere in the Nation, and I think it underscores a commitment that this particular company has, of trying to find that balance between privacy issues and also the burgeoning information age and the needs that we have there. So, Acxiom is a company that was founded in 1969. I think she's been with the company for a number of years--maybe not since the very beginning, but from the early days, at least. And it is based in Arkansas. And it employs more than 6,300 people in eight countries, with an annual revenue of $1.2 billion. So, we're fortunate in our State to have, really, the industry leader there, and we look forward to hearing her insights on this subject matter today. Senator Smith. Ms. Barrett, why don't we start with you? STATEMENT OF JENNIFER T. BARRETT, CHIEF PRIVACY OFFICER, ACXIOM CORPORATION Ms. Barrett. Thank you, Senator Smith and Senator Pryor. And thank you for allowing Acxiom the opportunity to participate in this important hearing. I ask that my written statement be inserted in the record. Senator Smith. Without objection. Ms. Barrett. Mr. Chairman, let me be blunt. The bad guys are smart, and they're getting better organized and using their skills to illegally and fraudulently access information. Acxiom must, therefore, remain vigilant and innovative by constantly improving, auditing, and testing our systems--and, yes, even learning from security breaches in the marketplace. Information is an integral part of the American economy, and Acxiom recognizes its responsibility to safeguard the personal information it collects and brings to market. As FTC Chairman Majoras recently stated in her testimony both before the Senate and the House, there's no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution. Although we believe this is true, no one has a greater interest than Acxiom in protecting the information we have, because our very existence depends on it and how well we do that. Acxiom's U.S. business includes two distinct components, our computer services and a line of information products. Our computer services, which represent more than 80 percent of the company's business, helps businesses, not-for-profit organizations, political parties, and government manage their own information. Less than 20 percent of Acxiom's business comes from its four information product lines--a fraud- management product line, background screening products, directory products, and marketing products. Our fraud management and background screening products are the only Acxiom products containing sensitive information, and they represent less than 10 percent of our business. Acxiom would like to take this opportunity to set the record straight in a number of misunderstandings that have developed about the company: First, Acxiom does not maintain one big database containing dossiers on anyone. Instead, we maintain discreet, segregated databases for each product. Second, Acxiom does not commingle our clients' information from our computer services business with our information products. Such activity would constitute a violation of our contracts and of consumer privacy. Third, Acxiom's fraud-management products are sold only to a handful of large companies and government agencies who have a legitimate need for them. The information utilized in these products is covered under the Safeguards Rules and Use Rules of Gramm-Leach-Bliley, and both State and Federal driver privacy protection laws. Fourth, Acxiom's fraud-management verification services only validate information already in the client's possession. Access to additional information is available only to law enforcement and the internal fraud departments of large financial institutions and insurance companies. Fifth, our background screening products are covered under the Fair Credit Reporting Act, and we do not pre-aggregate any of the information provided. Beyond these protections, there are additional safeguards that exist: First, because public information is blended with regulated information in both our fraud-management and background screening products, Acxiom voluntarily applies the more stringent security standard to all such blended data, even though not required to by law. Second, since 1997, Acxiom has posted its privacy policy on our website, describing our online and offline practices; thus, voluntarily subjecting the company to FTC rules governing unfair or deceptive conduct. Third, the company has imposed our own internal, more restrictive guidelines for the use of sensitive information such as Social Security numbers. Fourth, all of Acxiom's information products and practices have been audited on an annual basis since 1997, and our security policies are regularly audited, both internally and by many of our clients. Two years ago, Acxiom experienced a security breach on one of our external file-transfer servers. Fortunately, the vast majority of information involved was of a nonsensitive nature, and law enforcement was able to apprehend the suspects and ascertained that none of the information was used to commit identity fraud. Since then, Acxiom has put in place even greater protections for the benefit of both consumers and our clients. In conclusion, ongoing privacy concerns indicate that the adoption of additional legislation may be appropriate. Acxiom supports efforts to pass federally preemptive legislation requiring notice to the consumers in the event of a security breach which places consumers at risk of identity fraud. Acxiom also supports the recent proposal from FTC Chairman Majoras for extension of the Gramm-Leach-Bliley Safeguards Rules. Senator Smith, on behalf of Acxiom, I want to express my gratitude for the opportunity to participate in this hearing. I'll be happy to answer any questions the Committee may have. [The prepared statement of Ms. Barrett follows:] Prepared Statement of Jennifer T. Barrett, Chief Privacy Officer, Acxiom Corporation Summary Acxiom has an inherent responsibility to safeguard the personal information we collect and bring to the market, and we have focused on assuring the appropriate use of these products and providing a safe environment for this information since 1991 when the company brought its first information products to market. Information has become an ever growing and ever more integral part of the American economy. Information is the facilitator of convenience and competition, and it provides the tools that reduce fraud and terrorism. As such, we believe that it is Acxiom's obligation to provide effective safeguards to protect the information we bring to market regardless of the difficulties encountered in doing so. Only Acxiom's fraud management and background screening products involve the transfer of sensitive information. These products, therefore, are subject to law, regulations and our own company policies that help protect against misuse. GLBA and DPPA: Our fraud management products utilize information covered under the Gramm-Leach-Bliley Act (GLBA), and driver's license information covered under both State and Federal driver's privacy protection acts (DPPAs). FCRA and FACTA: Our background screening products are covered by all of the regulations and consumer protections established by the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). Safeguarding Public Record Information: Although a heightened level of protection is not mandated for public record information, by virtue of the fact that such public information is blended with regulated information, Acxiom voluntarily chooses to apply the more stringent standards of the above- mentioned regulations to the resulting products. Although Acxiom's directory and marketing products do not contain any sensitive information that could put a consumer at risk for identity fraud, Acxiom is still subject to the following critical safeguards: various industry guidelines, compliance with all requirements in the original notice to consumers at the time the data was collected, and voluntary compliance with those laws to which our clients themselves are subject. There has been much discussion, especially in recent weeks, about whether existing Federal law sufficiently protects consumers from harm. In this regard, Acxiom does believe that additional, appropriately tailored measures, such as Federal preemptive legislation requiring notice to consumers in the event of a security breach, would assist Acxiom, the rest of the information services industry and businesses in general in ensuring that consumers are protected from fraud and identity theft. But, as FTC Chairman Majoras has said, even the best security systems imaginable and the strongest laws possible can nonetheless be circumvented by inventive criminals' intent on committing fraud. Introduction Chairman Stevens, Senator Inouye, and distinguished members of the Committee, thank you for holding this hearing to explore the treatment of data broker services under existing State and Federal laws as well as possible solutions to the crime of identity theft. Acxiom appreciates the opportunity to participate in today's hearing. Acxiom has an inherent responsibility to safeguard the personal information we collect and bring to the market, and we have focused on assuring the appropriate use of these products and providing a safe environment for this information since 1991 when the company brought its first information products to market. It is important that we all recognize that information has become an ever growing and ever more integral part of the American economy. Information is the facilitator of convenience, competition and provides the tools that reduce fraud and terrorism. As such, we believe that it is Acxiom's obligation to provide effective safeguards to protect the information we bring to market regardless of the difficulties encountered in doing so. Let me be blunt. The bad guys are smart and getting more organized. They will use all of the skills available to them to try to find ways to obtain the information they need to commit fraud. Acxiom must therefore remain vigilant and innovative, and that is why we employ a world-class information security staff to help us fend off criminals who attempt to access Acxiom's data. Acxiom is constantly improving, auditing and testing its systems. Yes, Acxiom is even learning from security breaches when they occur, and we are certain that other responsible companies are doing so as well. As Chairman Deborah Majoras of the Federal Trade Commission recently stated in her testimony before the Senate, ``[T]here is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution.'' Even though we believe that this is true, no one has a greater interest than Acxiom in protecting information because the company's very existence depends on securing personal information pertaining to consumers. In order to enjoy the benefits provided by a robust information- based economy and also to keep our citizens safe from fraudulent activity, there are no quick fixes or easy solutions. We believe that it is necessary that cooperation exists among policy makers, information service providers, Acxiom's clients, law enforcement and consumers. We applaud your interest in exploring these issues and we very much want to be a resource in helping you achieve the proper legislative balance we all seek. About Acxiom Corporation Founded in 1969, Acxiom is headquartered in Little Rock, Arkansas, with operations throughout the United States, and with processing centers in Arkansas, Illinois, Arizona, Ohio and California. The company also has offices in nine other countries across Europe and Asia. From a small company in Arkansas, Acxiom Corporation has grown into a publicly traded corporation with more than 6,000 employees worldwide Acxiom's U.S. business includes two distinct components: customized computer services and a line of information products. Acxiom's computer services represent the vast majority of the company's business and they include a wide array of leading technologies and specialized computer services focused on helping clients manage their own customer information. These services are offered exclusively to large businesses, not-for-profit organizations, political parties and candidates, and government agencies. Acxiom's private sector computer services clients represent a ``who's who'' of America's leading companies. Acxiom helps these clients improve the loyalty of their customers and increase their market share, while reducing risk and assisting them with their compliance responsibilities under State and Federal law. Finally, Acxiom helps government agencies improve the accuracy of the personal information they currently hold. The balance of Acxiom's business comes from information products that are comprised of four categories: fraud management products, background screening products, directory products and marketing products. These four product lines represent less than 20 percent of the company's total business and the fraud management and background screening products represent less than 10 percent. While each product plays a unique role, all of Acxiom's information products help fill an important gap in today's business-to-consumer relationship. To understand the critical role Acxiom plays in facilitating the Nation's economy and safeguarding consumers, it is important to understand what the company does not do. Over the years, a number of myths have developed about Acxiom that require clarification. Please allow us to set the record straight: Acxiom does not maintain one big database that contains detailed information about all individuals. Instead, the company safeguards discrete databases developed and tailored to meet the specific needs of Acxiom's clients--entities that are appropriately screened and with whom Acxiom has legally enforceable contractual commitments. I cannot call up from the company's databases a detailed dossier on myself or any individual. Acxiom does not provide information on particular individuals to the public, with the exception of Acxiom's telephone directory products. These products, which are available on several Internet search engines, contain information already available to the public. The other information Acxiom processes is provided only to legitimate businesses for specific, legitimate business purposes. Acxiom's does not have any information in either its directory or marketing products which could be used to commit identity fraud. Acxiom also does not include detailed or specific transaction-related information, such as what purchases an individual made on the Internet or what websites they visited. The company's directory products include only name, address, and telephone information. The company's marketing products include only information that is general in nature and not specific to an individual purchase or transaction. Acxiom does not commingle client information that the company processes in its computer services business with any of our information products. Such activity would constitute a violation of the company's services contracts with those clients and a violation of consumer privacy. A client for whom the company performs services may have a different agreement with us as a data contributor, but these two relationships are kept entirely separate. Acxiom's fraud management products are sold exclusively to a handful of large companies and government agencies--they are not sold to individuals. The company's verification services only validate that the information our client has obtained from the consumer is correct. Only law enforcement, government agencies and the internal fraud departments of large financial institutions and insurance companies have access to additional information. Acxiom's background screening products provide employment and tenant screening services which utilize field researchers who do in- person, real-time research against public records and make calls to past employers to verify the information provided by the consumer. Where permitted by law, a pre-employment credit report can also be obtained. Acxiom does not pre-aggregate information for these products. Acxiom's directory information products contain only contact information on consumers such as name, address and telephone number. They are collected so businesses and consumers can locate other businesses or consumers. They are compiled from the white and yellow pages of published U.S. and Canadian telephone directories and from information available from the various directory assistance services provided by the telephone companies. Acxiom's marketing information products provide demographic, lifestyle and interest information to companies to reach prospective new customers who are most likely to have an interest in their products and to better understand and serve the needs of existing customers. They are compiled from pubic records, surveys and summarized customer information primarily from publishers and catalogers. Respecting and Protecting Consumers' Privacy Acxiom has a longstanding tradition and engrained culture of protecting and respecting consumer interests in our business. The company is today, and always has been, a leader in developing self- regulatory guidelines and in establishing security policies and privacy practices. There are, as explained below, numerous laws and regulations that govern our business. Ultimately, however, Acxiom's own comprehensive approach to information use and security goes far beyond what is required by either law or self-regulation. Safeguards Applicable to Products Involving the Transfer of Sensitive Information Only Acxiom's fraud management and background screening products involve the transfer of sensitive information. These products, therefore, are subject to law, regulations and our own company policies that help protect against identity fraud. These legal protections and additional safeguards are addressed below: GLBA, DPPAs, and FTC: Our fraud management products utilize information covered under the Gramm-Leach-Bliley Act (GLBA), and driver's license information covered under both State and Federal driver's privacy protection acts (DPPAs). These obligations include honoring GLBA and DPPA notice and choice related to sharing and use of the information, the GLBA Safeguard Rules and FTC Privacy Rule and Interagency Guidelines. Any uses of data must fall within one of the permitted uses or exceptions specified in these laws. FCRA and FACTA: Our background screening products are covered by all of the regulations and consumer protections established by the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). These protections include: the requirement that a consumer authorize the creation of employment reports; notice of adverse actions taken based on such report; and the right of consumers to obtain a copy of such reports and to dispute inaccuracies. Finally, such regulations require that re-verification or correction of disputed information be performed in a timely manner. Safeguarding Public Record Information: Public records are used in both Acxiom's fraud management and background screening products. Although a heightened level of protection is not mandated for such public record information, by virtue of the fact that such public information is blended with regulated information, Acxiom voluntarily chooses to apply the more stringent standards of the above-mentioned regulations to the resulting products. Safeguards Applicable to Other Products Although Acxiom's directory and marketing products do not contain any sensitive information that could put a consumer at risk for identity fraud, Acxiom is still subject to the following critical safeguards: various industry guidelines, compliance with all requirements in the original notice to consumers at the time the data was collected, and voluntary compliance with those laws to which our clients themselves are subject. Telephone Directory Safeguards: Acxiom's directory products comply with all applicable policies regarding unpublished and unlisted telephone numbers and addresses. In addition, because Acxiom recognizes that consumers may object to published listings being available on the Internet, Acxiom itself offers an opt-out from such use. Further, Acxiom voluntarily suppresses all telephone numbers found on the Federal Trade Commission's Do-Not-Call Registry and the eleven other State Do-Not-Call registries, when providing phone numbers for targeted telemarketing purposes. Marketing Product Safeguards: Acxiom's marketing products comply with all the self-regulatory guidelines issued by the Direct Marketing Association. These requirements include notice and the opportunity to opt-out. Consumers have the ability to opt-out from Acxiom's marketing products by calling the company's toll-free Consumer Hotline, accessing its website, or by writing to the company. Since Acxiom does not have a customer relationship with individual consumers, Acxiom coordinates with its industry clients to research and resolve consumer inquiries. Additional Safeguards Acxiom takes seriously its responsibility to assure that all the information we bring to market is appropriate for the use to which it is intended and to provide adequate safeguards specifically aimed at protecting against unauthorized use. Privacy Policy/FTC Jurisdiction: Since 1997, long before it was a common practice, Acxiom has posted its privacy policy on the company's website. The privacy policy describes both Acxiom's online and offline consumer information products. The policy further describes: what data Acxiom collects for these products; how such data is used; the types of clients to which such data is licensed; as well as the choices available to consumers as to how such data is used. By making these extensive disclosures, Acxiom has voluntarily subjected itself to Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive conduct in the course of trade or commerce, as well as various State statutes governing unfair and deceptive acts and practices. Consumer Care Department/Consumer Hotline: Acxiom maintains a Consumer Care Department led by a Consumer Advocate whose team interacted with more than 50,000 consumers in the past 12 months by way of answering questions, resolving issues, processing opt-outs, and handling requests for access to Acxiom's fraud management, background screening, directory and marketing products. Acxiom provides consumers who contact the company (through the company website, or by calling a toll-free Consumer Hotline or by writing to the company) the options of: opting-out of all of Acxiom's marketing products; receiving an information report from the company's fraud management and directory products; or receiving a consumer report as specified in the FCRA from the company's background screening products. Acxiom encourages consumers to notify the company if the information in any of these reports is inaccurate and it is the company's policy either to correct the information, to delete it or to refer the consumer to the appropriate source to obtain the requested correction, such as a county or State agency. Certification and Compliance with Federal and State Law: Acxiom's privacy policy is designed to adhere to all Federal, State, and local laws and regulations on the use of personal information. The company is also certified under the Department of Commerce's European Union Safe Harbor and the Better Business Bureau's Online Seal. Consumer Education: Acxiom believes that consumers should be educated about how businesses use information. To that end, Acxiom publishes a booklet, entitled ``Protecting Your Privacy in the Information Age--What Every Consumer Should Know About the Use of Individual Information,'' which is available for free both on the company's website and upon written or telephone request. Voluntary Acxiom Policies: Above and beyond the industry- accepted guidelines with which Acxiom complies, Acxiom also has established its own internal guidelines, which are more restrictive than industry standards. For example, Acxiom only collects the specific information required to meet its clients' information needs, and the company properly disposes of the remaining data, when information is compiled from public records. Acxiom has also implemented specific guidelines regarding the use and protection of information that could be involved in identity fraud, such as Social Security numbers. Information Practice and Security Audits: Acxiom has had a longstanding focus on the appropriate use of information in developing and delivering its information products. While the creation of strong information use policies is a business imperative, assuring these policies are followed is equally important. To this end, all of Acxiom's information products and practices have been internally and externally audited on an annual basis since 1997. Since many of Acxiom's computer service clients are financial institutions and insurance agencies, Acxiom has been regularly audited for many years by these clients. Furthermore, Acxiom must honor the safeguards and security policies of the company's clients. Since Acxiom's security program is enterprise-wide, it is the company's policy to institute these high levels of protection across all lines of business. These client audits, along with Acxiom's own internal security audits, provide Acxiom with regular and valuable feedback on ways to stay ahead of hackers and fraudsters who may attempt to gain unauthorized access to Acxiom's systems. Lessons Learned Two years ago, Acxiom experienced a security breach on one of the company's external file transfer servers. The hackers were employees of an Acxiom client and a client's contractor. As users with legitimate access to the server, the hackers had received authority to transfer and receive their own files. The hackers did not penetrate the firewalls to Acxiom's main system. They did, however, exceed their authority when they accessed an encrypted password file on the server and successfully unencrypted about 10 percent of the passwords, which allowed them to gain access to other client files on the server. Fortunately, the vast majority of the information involved in this incident was of a non-sensitive nature. Upon learning of the initial breach from law enforcement, Acxiom immediately notified all affected clients and, upon further forensic investigation, the company informed law enforcement regarding a second suspected security incident. Fortunately, in both instances, law enforcement was able to apprehend the suspects, recover the affected information and ascertain that none of the information was used to commit identity fraud. One of the hackers pled guilty and was recently sentenced to 48 months in Federal prison. The other is currently awaiting trial. As a result of the breach, Acxiom cooperated with audits conducted by dozens of its clients, and both the Federal Trade Commission and the Office of the Comptroller of the Currency examined Acxiom's processes to ensure that the company was in compliance with all applicable laws and its own stated policies. This experience taught Acxiom additional valuable lessons regarding the protection of information. For example, Acxiom now requires the use of more secure passwords on the affected server. The process for transferring files has been changed, specifically by keeping information on the server for much shorter periods of time. And while it was always a recommended internal policy, Acxiom now requires that all sensitive information passed across such servers be encrypted. In addition, while Acxiom has had in place a Security Oversight Committee for many years, the company has also now appointed a Chief Security Officer with more than 20 years of IT experience. In short, Acxiom's systems are more secure today as a result of the company's experience and dedication to the privacy of consumers. The Need For Additional Legislative Safeguards There has been much discussion, especially in recent weeks, about whether existing Federal law sufficiently protects consumers from harm. In this regard, Acxiom does believe that additional, appropriately tailored legislation would assist Acxiom, the rest of the information services industry and businesses in general in ensuring that consumers are protected from fraud and identity theft. But, as FTC Chairman Majoras has said, even the best security systems imaginable and the strongest laws possible can nonetheless be circumvented by inventive criminals' intent on committing fraud. Breach Notification: Acxiom supports efforts to pass Federal preemptive legislation requiring notice to consumers in the event of a security breach, where such breach places consumers at risk of identity theft or fraud. California implemented similar legislation several years ago, and over thirty other states are involved in passing similar laws. The bottom line is that consumers deserve a nationwide mandate that requires that they be notified when they are at risk of identity theft, so they can take appropriate steps to protect themselves. Extension of the GLBA Safeguards Rule: Currently, Acxiom voluntarily subjects itself to the GLBA Safeguards Rule with respect to the company's computer services and information products. Acxiom also complies with the California safeguards law (AB 1950). FTC Chairman Majoras recently has proposed an extension of the GLBA Safeguards Rule to the information services industry as a whole. Acxiom supports her recommendation. Mr. Chairman, Acxiom appreciates the opportunity to participate in this hearing and to assist Congress in identifying how best to safeguard the Nation's information and data. Acxiom is available to provide any additional information the Committee may request. Senator Smith. Thank you, Ms. Barrett. Mr. Kurtz? STATEMENT OF PAUL B. KURTZ, EXECUTIVE DIRECTOR, CYBER SECURITY INDUSTRY ALLIANCE (CSIA) Mr. Kurtz. Thank you, Senator Smith. It's a pleasure to be here today. Thank you for inviting the Cyber Security Industry Alliance to testify before this Committee. As Executive Director of CSIA, I'm pleased to speak about the importance of securing personal identity information. Prior to leading CSIA, I served for 16 years in the Federal Government, 12 years at the State Department and 4 years at the White House, where I served on the National Security Council and the Homeland Security Council, working on counterterrorism and critical infrastructure protection. CSIA is an organization of 15 CEOs consisting of the world's top security providers who offer the technical expertise and depth of focus and encourage a better understanding of cybersecurity policy issues. We believe ensuring the security, the integrity, and the availability of global information systems is fundamental to economic and national security. We need, simply, to come to terms with our reliance on information systems and the vast amount of personal information in storage and in transit in such systems. Our information systems must be secure and reliable--in particular, protecting personal information from unauthorized disclosure. We need a strategic approach that is more preventative or preemptive in nature, rather than largely reactive and defensive, as a recent CRS study on cybersecurity indicates. Every electronic breach of personal information is another reason for consumers to lose trust in our information systems. A recent survey conducted by the Poneman Institute revealed that 57 percent of consumers with high trust in their primary banks say they would cease all online services with their current bank in the event of a single security breach. The loss of trust or confidence in our information systems inhibits economic growth, the security of our citizens and Nation. CSIA believes the right approach to securing consumers' personal data requires a blend of appropriate policies, technical expertise, and security technologies. Let me be clear, we are not mandating specific technology solutions. A key question before this Committee is defining the government's role, whether directly or indirectly, in fostering the protection of personal information on information systems owned and operated by the private sector. This Committee, rightfully, will also examine where the marketplace is succeeding at protecting personal information, and where it is failing. At this critical time of technology development and innovation, the United States, as an economic force and a global technology leader, must carefully chart a public-policy approach to information security that continues to encourage innovation while also providing protection. There is no silver-bullet approach solution. There are two fundamental areas requiring protection: the storage of personal information, such as names, addresses, and Social Security numbers, and the movement of the data. Movement of the data amplifies the challenge of security, because it creates weak points, if you will, in the system. The movement of data makes it difficult to define the set of users who should take action to secure the personal information. So, what is the solution set? It involves a combination of technologies, policies, and expertise. Key policies and technologies include vetting employees, establishing and enforcing corporate security policies, encryption, auditing, monitoring, anti-virus, intrusion detection, and firewalls, strong authentication and access controls. These technologies, in particular, are critical, as passwords are inherently weak and easily compromised. Market adoption of security technologies, however, is mixed. Some enterprises, however, are beginning to see security as a means to differentiate themselves from their competition. Congress should examine the protection of personal information more broadly than just the data brokers, as other organizations possess significant amounts of personal data. We have seen evidence of those breaches in recent days. In this context, CSIA recommends Congress consider the following: Take a holistic approach to understanding what cybersecurity problems are, such as spyware, phishing, data- warehouse security. They are, in fact, all related. In each case, the target is personal information in order to commit electronic fraud. Two, harmonize any legislation with existing legislation at the Federal level, filling gaps rather than duplicating requirements already contained in existing law. Use existing standards wherever possible, rather than creating new ones. Preempt State law, where appropriate, in order to avoid a patchwork quilt of regulations relating to the security of personal information. Encourage the broader use of security technologies without mandating such solutions. California, the Data base Protection Act, 1386, which went into effect in July 2003, encourages the encryption of personal information without mandating it. Investigate incentives, including safe harbors, tax benefits, third-party or self-certification, insurance, and adoption of best practices. Increase penalties for identity theft and cybercrimes, and ensure appropriate resources are available. Ratify the Council of Europe's Convention on Cybercrime, which will create a global framework for prosecuting and investigating cybercriminals. We need to see this in a global fashion. We need, also, to have leadership on the part of Federal Government, the formation of--or, excuse me, an Assistant Secretary at DHS focus on cybersecurity will be helpful. And we also can't forget R&D. Let me close by noting, again, the recent CRS study on cybersecurity. The study states there is currently no unified national framework for improving cybersecurity, and there are several areas of weaknesses where such a framework could be useful in generating improvements, and several means of leverage exist that could be used in the development or implementation of such a framework. We believe the points noted above offer, if you will, guideposts for the government's role in creating such a framework. I appreciate the opportunity to testify today. Thank you very much. [The prepared statement of Mr. Kurtz follows:] Prepared Statement of Paul B. Kurtz, Executive Director, Cyber Security Industry Alliance (CSIA) Thank you Chairman Stevens and Co-Chairman Inouye for inviting the Cyber Security Industry Alliance (CSIA) to testify before this committee on Identity Theft/Data Broker Services. As Executive Director of CSIA, I am pleased to speak about the importance of securing personal identifying information. The Federal Trade Commission estimates that 27 million Americans were victims of some kind of ID theft in the past five years. Other studies suggest 1 in 20 U.S. citizens have been hit by electronic fraud. The numbers are staggering. Every electronic breach of personal information is another reason for consumers to lose trust in our information systems. A recent survey conducted by the Poneman Institute revealed that 57 percent of consumers with high trust in their primary bank say they would cease all online services with their current bank in the event of a single privacy breach. The loss of trust or confidence in our information systems inhibits economic growth, our security as citizens as well as a nation. CSIA believes the right approach to securing consumers' personal data requires a blend of appropriate policies, technical expertise and security technologies. A central question before this Committee today is defining the government's role--whether directly or indirectly--in protecting personal information residing on information systems owned and operated by the private sector. This Committee, rightfully, will also look at where the marketplace is succeeding at protecting personal information and where it is failing. At this critical time of technology development and innovation, the United States, as an economic force and a global technology leader, must carefully chart a public policy approach to information security that continues to encourage innovation while also providing protections. In my testimony today, I will cover four areas. A brief introduction to CSIA; Security challenges in securing electronic data; Solutions and market activity; and Recommendations for Congress' consideration in securing electronic data. Introduction to CSIA CSIA is dedicated to enhancing cybersecurity through public policy initiatives, public sector partnerships, corporate outreach, academic programs, alignment behind emerging industry technology standards and public education. CSIA is led by CEOs from the world's top security providers, who offer the technical expertise, depth and focus to encourage a better understanding of cyber security policy issues. We believe that ensuring the security, integrity and availability of global information systems is fundamental to economic and national security. We are committed to working with the public sector to research, create and implement effective agendas related to national and international compliance, privacy, cybercrime, and economic and national security. We work closely with other associations representing vendors, critical infrastructure owners and operators, as well as consumers. CSIA's initiatives range from examining the cybersecurity implications of Sarbanes-Oxley to the security and reliability of Internet telephony, also known as Voice over IP, to advocating more government leadership in identifying and protecting critical information infrastructure. CSIA understands that the private sector bears a significant burden for improving cyber security. CSIA embraces the concept of sharing that responsibility between information technology suppliers and operators to improve cyber security. Cyber security also requires bi-partisan government leadership. Members of the CSIA include BindView Corp.; Check Point Software Technologies Ltd.; Citadel Security Software Inc.; Citrix Systems, Inc.; Computer Associates International, Inc.; Entrust, Inc.; Internet Security Systems Inc.; iPass Inc.; Juniper Networks, Inc.; McAfee, Inc; PGP Corporation; Qualys, Inc.; RSA Security Inc.; Secure Computing Corporation; Symantec Corporation and TechGuard Security, LLC. Challenges in Securing Electronic Data Many large organizations, from corporations to universities and health care systems, are conducting more of their business using network technology such as the Internet. Therefore, customers, employees, students and patients are having their personally identifiable information gathered into vast electronic data storage repositories. Some industries already have requirements to protect personally identifiable information, such as the banking and health communities. Laws and regulations are being created at various levels to address security and privacy because the criminal activity related to stealing these electronic data is increasing exponentially. Multiple laws requiring potentially different requirements will quickly make compliance an overly complex task. The problem of ensuring security and confidentiality of electronic data is complex. There are two fundamental areas requiring protection. The first is protecting the storage of personal information in data warehouses such as names, addresses and Social Security numbers. The second is protecting the movement of these data to and from the data warehouse. Technical security safeguards are used to address both the storage and movement issues. Policy is also crucial for it governs implementation of the technical safeguards and access to the data. Movement of the data amplifies the challenge of security because it creates weak points in the system. Those points are often outside the direct control of security administrators overseeing data warehouses. The movement of data makes it difficult to define the set of users who should take action to ensure the security of personal information by a select group. Therefore, policy and best practices play a pivotal role in shoring up weak points. The core information technology application of large data holders is a ``data warehouse.'' It accumulates disparate records then analyzes, stores and distributes a vast amalgamation of information-- billions of records about hundreds of millions of Americans. Many elements of the technology require special provisioning for security, including applications, systems and networks. A secure solution requires security provisions at the original source of data, at the data holder, at service providers, and at each customer location accessing the warehouse. The holder's control of security diminishes as information passes over external networks. Control vanishes once information is injected into the customer's internal applications. The data warehouse's database management system handles security and access control. Securing the warehouse is mostly a function of establishing, granting and updating access control permissions and rights--a configuration process based on policy. Security requirements extend to appropriate configuration of access controls and permissions for software applications feeding information into the data warehouse. Data warehouse technology operates on a networked system of servers. The servers may physically exist on premise at the data holder or at an external hosting service provider. Other systems for the data warehouse include access devices such as PCs, laptops, handheld computing devices, and telephones. Primary security for all systems is mostly a function of their operating systems. Proper installation, configuration and patching of bugs in the operating system software are crucial for secure systems. Solutions and Market Activity Before considering steps the government should take to facilitate securing electronic data, it is appropriate to discuss solutions and market activity. There is no ``silver bullet'' technical or policy solution to secure data warehouses. A variety of technologies and policies are required. Key technologies and policies include: Policy Management: Enforces security rules and regulations. Provides guidance to management on who should access what, when and where. Vulnerability Management: Remediate vulnerabilities through scanning devices that identify and patch vulnerabilities, as well mitigate misconfigurations, unnecessary services, unsecured accounts, and malicious code. Addressing major classes of network and desktop vulnerability improves IT enterprise and operational stability. Intrusion Detection/Prevention: Technologies that monitor content of network traffic for infections and block traffic carrying infected files or programs. Reducing incoming sick traffic closes another window for criminals to access these data. Authentication: A critical first step to ensuring only appropriate users may access the data is using digital certificates and multiple factor authentication. This is a way to confirm legitimate customers and control internal end-user access. Strong authentication also mitigates the problem of passwords, which are inherently weak, from being hacked or otherwise compromised. Access Controls: Ensure that authenticated users and applications can access only that data and information which they have been granted authority to use. Access controls may be based on a number of factors, including an individual's role in an organization. They are particularly important to prevent insider attacks and as a deterrent to inappropriate browsing of sensitive data. Audit Files: Detailed and protected records of computer and network traffic and transactions that can help ensure policy compliance and assist in forensic investigations of computer crime. Encryption: Transforms data into password (key)-protected packets that prevent reading by unauthorized users. Secure communication enables data warehouse vendors to safely and efficiently serve their customers. Anti-Virus: Software automatically checks new files for infection. Inoculates PCs and applications from diseased software code attempting to cause harm. Firewall: Blocks unauthorized traffic from entering PCs and servers from the Internet. Protects end-users from unwanted activity on their PCs. Some enterprises are beginning to see security as a means to differentiate themselves from their competition. For example, a well known e-trading firm is working with a CSIA member to use two factor authentication to improve the security of customer accounts. Some Internet Service Providers (ISPs) are differentiating themselves from others by highlighting the steps they are taking to protect personal information. Other CSIA member firms are providing managed security services, encryption technologies, intrusion prevention, vulnerability management services to a variety of owners and operators of infrastructure. Policy Considerations for Securing Electronic Data The security of data warehouses will require a blend of appropriate policies, technical expertise, and security technologies. Technical provisions for security are aimed to thwart unauthorized access to personally identifiable information--whether by electronic hackers who break in by securing a legitimate password (e.g. NexisLexis), or by in- person fraud (e.g. ChoicePoint). Technical provisions are only as strong as the security policy which implements them. Security breaches of data warehouses can adversely affect the life of any American so it is appropriate for Congress to establish national policies in conjunction with the private sector for the protection and privacy of personal information. While Congress is largely focused on data brokers, the protection of personal information is also critical in other businesses where data warehouse technology is used and where similar risks exist. Congress should examine the issue more broadly as it contemplates the need for legislation. In this context, CSIA recommends Congress to consider the following: Take a holistic approach to addressing cyber security. Currently, Congress is considering cyber security problems such as spyware, phishing, and data warehouse security on an individual basis. In fact, each of these problems has at least one issue in common: the attacker is seeking an individual's personal information in order to commit financial fraud. We can anticipate similar exploits in the future. Harmonize any new legislation with existing legislation at the Federal level, filling gaps rather than duplicating requirements already contained in existing law, such as Gramm- Leach-Bliley Act (GLBA), the Health Insurance Portability and Accounting Act (HIPAA), and the Fair Credit Reporting Act (FCRA). Use existing security standards wherever possible, rather than creating new ones. This approach would provide a framework for identifying areas of risk, as well as encouraging industry best practices. A piecemeal approach by Congress, in conjunction with the numerous laws states are passing will present consumers and businesses with a ``patchwork'' quilt of confusing laws and complicated compliance issues. Already states are stepping into the void and creating a confusing patchwork of legislation on the issue. Legislation regulating spyware has been introduced in 24 State legislatures this year, with approaches ranging from studies to changes in criminal code. Anti-phishing legislation is sitting on the Governor's desk in Hawaii, and pending in states including Texas and Florida. And there are more than 300 bills pending on identity theft in our Nation's State legislatures. A Federal preemption of the many laws recently passed or currently contemplated at the State level related to spyware, phishing, and data broker security would alleviate much of the concern and consternation within the private sector as a whole. However, any preemptive Federal law should maintain, at the minimum, the security standards already put in place by corresponding state legislation. Encourage broader use of security technologies without mandating specific technology solutions. Urge adoption of the approach utilized in CA 1386 which calls for disclosure of a breach involving unencrypted data. To encourage stronger cyber security, Congress should investigate incentives, including ``safe harbors'', tax benefits, third-party or self certification, insurance and the adoption of best practices, without mandating specific technology solutions. Dictating a specific technology is counterproductive as it stifles innovation and discourages creativity. Congress should increase penalties for identity theft and other cyber crimes as well as ensure appropriate resources are available to law enforcement authorities. The Senate should swiftly ratify the Council of Europe's Convention on Cybercrime which would create a global framework for investigating and prosecuting cyber criminals. Congress should also take a long-term view of information security. There is no coherent cyber security R&D agenda. Significant Federal funding is closeted in classified programs. While our national security needs must be met, we must anticipate that privately owned and operated networks will be attacked as well. We need to develop resilient, fault tolerant networks which degrade gracefully under attack. Leadership in information technology is a constantly moving target. As the technology changes and improves, so must its security. Likewise, as the need for public protection evolves, so must our public policy. We call on Congress and the Administration to work with the private sector to develop a holistic approach to protecting our Nation's personal information. Senator Smith. Thank you very much. Mr. Rotenberg? STATEMENT OF MARC ROTENBERG, PRESIDENT/EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER (EPIC) Mr. Rotenberg. Senator Smith, Senator Nelson, Senator Pryor, thank you for the opportunity to testify today. My name is Marc Rotenberg. I'm an Executive Director at the Electronic Privacy Information Center. EPIC is a nonpartisan research organization, and we focus our work on emerging civil- liberties and privacy issues. We'd like to thank you for holding this hearing today on identity theft and data brokers. We have a particular interest in this topic. Over the last several months, you, many of your constituents, and the American public have read quite a bit about the massive data disclosures taking place across the United States. But it was actually last year that EPIC wrote to the Federal Trade Commission and urged the FTC to begin an investigation of ChoicePoint and other companies in the data-broker industry. And we expressed particular concern about the products that were not covered under the Fair Credit Reporting Act. Our view was that these products contained much of the same sensitive information that would otherwise be regulated under Federal law. And, because this information wasn't covered under Federal law, we explained to the FTC, there was heightened risk of the loss of privacy of American consumers, of data breaches. And, in fact, many of the problems that we wrote about last year to the FTC came to pass over the last several months. So, we're very pleased that you're holding this hearing today. I'm going to focus my testimony this afternoon on the legislative proposals that have been put forward, because I think it's very important to understand the need to pass legislation at this point in time. Now, I will say, also, that, clearly, the companies have taken important steps, since the breaches have occurred, to try to improve their business practices and reduce the likelihood that future problems will arise, and they should be applauded for this. Senator Smith. But those steps, in your view, are not sufficient. Mr. Rotenberg. No, I don't think they are sufficient, sir. Senator Smith. So legislation is necessary. Mr. Rotenberg. I think legislation is part of the solution. Now, just to put this in context, this is not unlike the situation that the Congress faced when it first considered the Fair Credit Reporting Act. People understood that information about American consumers would be important for credit determinations and for loans. But it was also the case that that information had to be accurate and used only for appropriate purposes. So, Congress was able to pass the FCRA, improve the accuracy and reliability of the information for the businesses that had an appropriate reason to use it, and, at the same time, safeguard the privacy of American consumers. And what I'm suggesting today is that I think a similar approach should be taken with the information-broker industry. Now, you've heard quite a bit so far about industry's support for a notification bill. And we think this is also a good starting point. Certainly, the notification law in California made it possible for people to learn when this breach occurred, and to protect themselves so that they could minimize the risk resulting from the improper use of their personal information. And I think that approach will likely be adopted across the United States. But I don't think notification is adequate. And it is the two bills that are pending before this Committee, S. 500 and S. 768, that I think point us in the direction of how we reduce the likelihood that future problems will occur. S. 500, for example, will give the FTC the authority to establish basic regulations to ensure that companies in the information-broker industry--make sure that the information is accurate and reliable, and establish privacy safeguards. But I think the better approach, and the one that I know Senator Nelson has spent a great deal of time on, is S. 768. This legislation really gets to the key problems today in the United States, not only ensuring the accuracy of this information, but dealing directly with the problem if the misuse of the Social Security number, which is clearly contributing to the problem of identity theft--limiting the circumstances under which personal information may be sold, giving individuals a private right-of-action, and ensuring that the types of safeguards are established, that international cooperation is made possible, and that the FTC reports to you on an annual basis about how their work is progressing to limit the problem of identity theft. I think also the establishment of an identity theft center within the FTC would come as an enormous benefit to American consumers. As you may know, identity theft is now the number one crime in the United States. The FTC puts the figure at over $50 billion. It's one out of 20 adults in this country. I think S. 768 provides the type of framework, the type of comprehensive solution, consistent with the approach that was taken with the FCRA for the credit-reporting industry 30 years ago, that the American public needs today. So, I thank you, again, for holding this hearing, and I hope the Committee will be able to take action on that bill. [The prepared statement of Mr. Rotenberg follows:] Prepared Statement of Marc Rotenberg, President/Executive Director, Electronic Privacy Information Center (EPIC) Mr. Chairman, and members of the Committee, thank you for the opportunity to appear before you today. My name is Marc Rotenberg and I am Executive Director and President of the Electronic Privacy Information Center in Washington, DC. EPIC is a non-partisan public interest research organization established in 1994 to focus public attention on emerging civil liberties issues. We are very pleased that you have convened this hearing today on Identity Theft and Data Broker Services. The main point of my testimony today is to make clear the extraordinary urgency of addressing the unregulated sale of personal information in the United States and how the data broker industry is contributing to the growing risk of identity theft in the United States. There is every indication that this problem is getting worse. Whatever your views may be on the best general approach to privacy protection, I urge you to take aggressive steps to regulate the information-broker industry and to protect the privacy and security of Americans. The Significance of the ChoicePoint Matter With all the news reporting of the last few months, it has often been difficult to tell exactly how a criminal ring engaged in identity theft obtained the records of at least 145,000 Americans. According to some reports, there was a computer ``break-in.'' Others described it as ``theft.'' \1\ In fact, ChoicePoint simply sold the information.\2\ This is ChoicePoint's business and it is the business of other companies that are based primarily on the collection and sale of detailed information on American consumers. In this most recent case, the consequences of the sale were severe. According to California police, at least 750 people have already suffered financial harm.\3\ Investigators believe data on at least 400,000 individuals may have been compromised.\4\ Significantly, this was not an isolated incident. Although ChoicePoint CEO Derek Smith said that the recent sale was the first of its kind, subsequent reports revealed that ChoicePoint also sold similar information on 7,000 people to identity thieves in 2002 with losses over $1 million.\5\ And no doubt, there may have been many disclosures before the California notification law went into effect as well as more recent disclosures of which we are not yet aware. The consumer harm that results from the wrongful disclosure of personal information is very clear. According to the Federal Trade Commission, last year 10 million Americans were affected by identity theft. Identity theft is the number one crime in the country. For the fifth year in a row, identity theft topped the list of complaints, accounting for 39 percent of the 635,173 consumer fraud complaints filed with the agency last year.\6\ And there is every indication that the level of this crime is increasing. ChoicePoint is not the only company that has improperly disclosed personal information on Americans. Bank of America misplaced back-up tapes containing detailed financial information on 1.2 million employees in the Federal Government, including many Members of Congress.\7\ Lexis-Nexis originally reported that it made available records from its Seisint division on 32,000 Americans to a criminal ring that exploited passwords of legitimate account holders.\8\ That number was later revised to 310,000.\9\ DSW, a shoe company, announced that 103 of its 175 stores had customers' credit and debit card information improperly accessed.\10\ Last week, Time Warner revealed that it lost track of detailed data concerning 600,000 current and previous employees. Legislation in this area is long overdue. Regrettably, ChoicePoint and other information brokers have spent a great deal of time and money trying to block effective privacy legislation in Congress. According to disclosure forms filed with the U.S. House and Senate, obtained by the Wall Street Journal, ChoicePoint and six of the country's other largest sellers of private consumer data spent at least $2.4 million last year to lobby Members of Congress and a variety of Federal agencies. The Journal reports that, ``ChoicePoint was the biggest spender, with $970,000 either paid to outside lobbyists or spent directly by the company.'' \11\ But the real cost for these activities is borne by Americans, all across the country. This improper disclosure and use of personal information is contributing to identity theft, which is today the number one crime in the United States. According to a 2003 survey by the Federal Trade Commission, over a one-year period nearly 5 percent of the adult populations were victims of some form of identity theft.\12\ Growing Dependence on the Information Broker Industry Mr. Chairman, the representatives of the information-broker industry will testify this morning that the American economy and even our national security are becoming increasingly dependent on this industry. In many respects, this is true. These companies have become the true invisible hand of the information economy. Their ability to determine the opportunities for American workers, consumers, and voters is without parallel. If a ChoicePoint record says you were late on a rent payment, whether or not that's true, you may lose a chance for a new apartment or a job. If one of these companies wrongfully removes registered voters from the voting roles, those people are denied their Constitutional right to vote. The stakes becomes even higher with homeland security. Axciom, for example, may play a central role in the identity verification procedures for Secure Flight, the new airline passenger pre-screening system. According to the Wall Street Journal, a Virginia company named Eagle Force has tested sample passenger information against commercial databases supplied by Arkansas-based Acxiom Corp.\13\ Acxiom is the same company that stirred controversy after it shared information about JetBlue Airways' passengers, without their knowledge, with a defense contractor in 2002.\14\ Even as we become more reliant on these firms, the reports of problems in the industry and the skyrocketing problem of identity theft have made clear that Congress must step in. There are simply no market mechanisms that protect privacy, ensure accuracy, or limit security breaches where there is no direct obligation to the person whose personal information is at risk. EPIC's Efforts To Bring Public Attention to the Problems With ChoicePoint Well before the recent news of the ChoicePoint debacle became public, EPIC had been pursuing the company and had written to the FTC to express deep concern about its business practices and its ability to flout the law. On December 16, 2004, EPIC urged the Federal Trade Commission to investigate ChoicePoint and other data brokers for compliance with the Fair Credit Reporting Act (FCRA), the Federal privacy law that helps insure that personal financial information is not used improperly.\15\ The EPIC letter said that ChoicePoint and its clients had performed an end-run around the FCRA and was selling personal information to law enforcement agencies, private investigators, and businesses without adequate privacy protection. ChoicePoint wrote back to us to say, in effect, that there was no problem. The company claimed to comply fully with FCRA and that the question of whether FCRA, or other Federal privacy laws, should apply to all of its products as simply a policy judgment. It made this claim at the same time it was spending several million dollars over the last few years to block the further expansion of the FCRA. Mr. Chairman, hindsight may be 20-20, but it is remarkable to us that ChoicePoint had the audacity to write such a letter when it already knew that State investigators had uncovered the fact that the company had sold information on American consumers to an identity theft ring. They were accusing us of inaccuracy at the same time that State and Federal prosecutors knew that ChoicePoint, a company that offered services for business credentialing, had exposed more than a hundred thousand Americans to a heightened risk of identity theft because it sold data to crooks. But the problems with ChoicePoint long preceded this recent episode. Thanks to Freedom of Information Act requests relentlessly pursued by EPIC's Senior Counsel Chris Hoofnagle, we have obtained over the last several years extraordinary documentation of ChoicePoint's growing ties to Federal agencies and the increasing concerns about the accuracy and legality of these products.\16\ So far, EPIC has obtained FOIA documents from nine different agencies concerning ChoicePoint. One document from the Department of Justice, dated December 13, 2002, discusses a ``Report of Investigation and Misconduct Allegations . . . Concerning Unauthorized Disclosure of Information.'' \17\ There are documents from the IRS that describe how the agency would mirror huge amounts of personal information on IRS computers so that ChoicePoint could perform investigations.\18\ Several documents describe ChoicePoint's sole source contracts with such agencies as the United States Marshals Service and the FBI.\19\ Among the most significant documents obtained by EPIC were those from the Department of State, which revealed the growing conflicts between the United States and foreign governments that resulted from the efforts of ChoicePoint to buy data on citizens across Latin America for use by the U.S. Federal law enforcement agencies.\20\ One document lists news articles that were collected by the agency to track outrage in Mexico and other countries over the sale of personal information by ChoicePoint.\21\ A second document contains a cable from the American Embassy in Mexico to several different government agencies warning that a ``potential firestorm may be brewing as a result of the sale of personal information by ChoicePoint.\22\ A third set of documents describes public relations strategies for the American Embassy to counter public anger surrounding the release of personal information of Latin Americans to ChoicePoint.\23\ Lessons of ChoicePoint The ChoicePoint incident proves many important lessons for the Congress as it considers how best to safeguard consumer privacy in the information age. First, it should be clear now that privacy harms have real financial consequences. In considering privacy legislation in the past, Congress has often been reluctant to recognize the actual economic harm that consumers suffer when their personal information is misused, when inaccurate information leads to the loss of a loan, a job, or insurance. Consumers suffer harms both from information that is used for fraud and inaccurate information that leads to lost opportunities through no fault of the individual. A clear example of how the company has contributed to the growing problem of identity theft may be found in ChoicePoint's subscriber agreement for access to AutoTrackXP, a detailed dossier of individuals' personal information. A sample AutoTrackXP report on the ChoicePoint website shows that it contains Social Security Numbers; driver license numbers; address history; phone numbers; property ownership and transfer records; vehicle, boat, and plane registrations; UCC filings; financial information such as bankruptcies, liens, and judgments; professional licenses; business affiliations; ``other people who have used the same address of the subject,'' ``possible licensed drivers at the subject's address,'' and information about the data subject's relatives and neighbors.\24\ This sensitive information is available to a wide array of companies that do not need to articulate a specific need for personal information each time a report is purchased. ChoicePoint's subscriber agreement shows that the company allows access to the following businesses: attorneys, law offices, investigations, banking, financial, retail, wholesale, insurance, human resources, security companies, process servers, news media, bail bonds, and if that isn't enough, ChoicePoint also includes ``other.'' Second, it should be clear that market-based solutions fail utterly when there is no direct relationship between the consumer and the company that proposed to collect and sell information on the consumer. While we continue to believe that privacy legislation is also appropriate for routine business transactions, it should be obvious to even those that favor market-based solutions that this approach simply does not work where the consumer exercises no market control over the collection and use of their personal information. As computer security expert Bruce Schneier has noted, ``ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security.'' \25\ This argues strongly for regulation of the information-broker industry. Third, there are clearly problems with both the adequacy of protection under current Federal law and the fact that many information products escape any kind privacy rules. ChoicePoint has done a remarkable job of creating detailed profiles on American consumers that they believe are not subject to Federal law. Products such as AutoTrackXP are as detailed as credit reports and have as much impact on opportunities in the marketplace for consumers as credit reports, yet ChoicePoint has argued that they should not be subject to FCRA. Even their recent proposal to withdraw the sale of this information is not reassuring. They have left a significant loophole that will allow them to sell the data if they believe there is a consumer benefit.\26\ But even where legal coverage exists, there is insufficient enforcement, consumers find it difficult to exercise their rights, and the auditing is non-existent. According to EPIC's research, while ChoicePoint claims to monitor their subscribers for wrongdoing, there is no public evidence that the company has referred a subscriber to authorities for violating individuals' privacy. In other words, in the case where a legitimate company obtains personal information, there is no publicly available evidence that ChoicePoint has any interest in whether that information is subsequently used for illegitimate purposes. Law enforcement, which has developed increasingly close ties to information brokers such as ChoicePoint, seems to fall entirely outside of any auditing procedures. This is particularly troubling since even those reports that recommend greater law enforcement use of private sector databases for public safety recognize the importance of auditing to prevent abuse.\27\ And of course there are ongoing concerns about the broad permissible purposes under the FCRA, the use of credit header information to build detailed profiles, and the difficulty that consumers continue to face in trying to obtain free credit reports that they are entitled to under the FACTA. Fourth, we believe this episode also demonstrates the failure of the FTC to aggressively pursue privacy protection. We have repeatedly urged the FTC to look into these matters. On some occasions, the FTC has acted.\28\ But too often the Commission has ignored privacy problems that are impacting consumer privacy and producing a loss of trust and confidence in the electronic marketplace. In the late 1990s, the FTC promoted self-regulation for the information-broker industry and allowed a weak set of principles promulgated as the Individual References Service Group to take the place of effective legislation. It may well be that the ChoicePoint fiasco could have been avoided if the Commission chose a different path when it considered the practices of the information-broker industry. The FTC has also failed to pursue claims that it could under section 5 of the FTC Act, which prohibits unfair practices. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumer nor offset by countervailing benefits to consumers and competition.\29\ It may be that the unfairness doctrine could be applied in cases where there is no direct relationship between the consumer and the company, but to date the FTC has failed to do this.\30\ Fifth, we believe the ChoicePoint episode makes clear the importance of state-based approaches to privacy protection. Congress simply should not pass laws that tie the hands of State legislators and prevent the development of innovative solutions that respond to emerging privacy concerns. Many states are today seeking to establish strong notification procedures to ensure that their residents are entitled to at least the same level of protection as was provided by California.\31\ In this particular case, the California notification statute helped ensure that consumers would at least be notified that they are at risk of heightened identity theft. This idea makes so much sense that 38 attorneys general wrote to ChoicePoint to say that their residents should also be notified if their personal information was wrongly disclosed.\32\ ChoicePoint could not object. It was an obvious solution. Recommendations Clearly, there is a need for Congress to act. Although ChoicePoint has taken some steps to address public concerns, it continues to take the position that it is free to sell personal information on American consumers to whomever it wishes where ChoicePoint, and not the consumer, believes there is a ``consumer-driven benefit or transaction.'' \33\ Moreover, the industry remains free to change its policies at some point in the future, and the steps taken to date do not address the larger concerns across the information-broker industry. Modest proposals such as the extension of the Gramm-Leach-Bliley Act's Security Safeguards Rule are unlikely to prevent future debacles. The Safeguards Rule merely requires that financial institutions have reasonable policies and procedures to ensure the security and confidentiality of customer information. Recall that the disclosure by ChoicePoint did not result from a ``hack'' or a ``theft'' but from a routine sale. Moreover, the Security Safeguards Rule will do nothing to give consumers greater control over the transfer of their personal information to third parties or to promote record accuracy. Extending notification statutes such as the California bill would be a sensible step, but this is only a partial answer. Notification only addresses the problem once the disclosure has occurred. The goal should be to minimize the likelihood of future disclosures. It is also important to ensure that any Federal notification bill is at least as good as the California state bill and leaves the states the freedom to develop stronger and more effective measures. What happens for example, when at some point in the future, we must contend with the extraordinary privacy problems that will result from the disclosure of personal information contained in a database built on biometric identifiers? There are several proposals pending in the Senate to address the growing problem of identity theft. In particular, the Notification of Risk to Personal Data Act, S. 751, and the Comprehensive Identity Theft Prevention Act, S. 768, provide strong complimentary safeguards. The Committee should act quickly to ensure their passage. Notification of Risk to Personal Data Act, S. 751 One of the lessons of the recent disclosures about the information- broker industry is that we could not understand the scope of the problem without information about actual security breaches. Imagine trying to legislate airline safety or the reliability of medical products without even basic information about the extent of the problem or the number of people affected. That is where the information security problem was before the passage of the California notification law. That critical State law ensured, for the first time, that those whose personal information had been wrongfully disclosed would be notified of the breach and given the opportunity to take additional measures. Not surprisingly, once the problem became known, other states urged ChoicePoint to provide notification to their residents. Thirty- eight State attorneys general wrote to the head of ChoicePoint. Many State legislatures are now considering bills that would establish similar notification obligations. Given this experience, Senator Feinstein's bill, the Notification of Risk to Personal Data Act, is an obvious first step in the effort to help ensure that Americans can protect themselves when security breaches occur. The bill would require Federal agencies and private sector businesses that engage in interstate commerce to provide notification when personal information is acquired by unauthorized persons. The bill recognizes that there may be delayed notification where this is necessary to aid a law enforcement investigation. The bill also provides certain exceptions for national security and law enforcement, though sensibly does not allow these exceptions to be used to hide violations of law or to protect poor administration. There are a number of alternatives for notification that recognize that there may be more efficient and less costly ways to notify individuals in certain circumstances. While this is a good measure, we are concerned that the bill will preempt stronger State laws that may be developed to address the problem of notification where risks to personal data arise. We understand the interest in a single national standard, but this is an area where the states should retain the freedom to innovate and explore new solutions to this far-reaching problem. We urge the Committee to remove Section 5 of the Act, which would preempt State law. We also caution against any effort to limit the circumstances under which notification might occur. As a matter of fairness, it should be the individual's right to know when his or her personal information has been improperly obtained. And it should be equally obvious that given the choice businesses will choose not to provide notice unless they are required to do so. Comprehensive Identity Theft Prevention Act, S. 768 Improved notification will play an important role in assisting consumers where security breaches occur, but clearly the long-term goal must be to reduce the risk of these disclosures and to minimize harm when these breaches occur. This is not a new problem. Congress has worked for more than thirty years to provide privacy safeguards and to protect against the risks associated with the automation of personal information. A good privacy bill works for both consumers and businesses. The Fair Credit Reporting Act, for example, was a benefit to both consumers and the credit reporting industry because it established privacy safeguards and helped ensure greater accuracy in the information that was made available to credit grantors. The problem today is that information brokers are operating outside of any comprehensive regulatory scheme. Moreover, they have no direct relationship with the individuals whose personal information they routinely sell to others. So, there are inadequate incentives to protect privacy or to ensure accuracy. There is a clear need to establish comprehensive protections for the information-broker industry. The Comprehensive Identity Theft Prevention Act, S. 768, provides an excellent framework for privacy protection in the information-broker industry. Building on the general approach of the FCRA and other privacy statutes, the bill aims to ensure that when personal information is collected, it will be used for appropriate purposes, and that when problems arise there will be meaningful remedies. The Act requires the Federal Trade Commission to establish rules for information brokers and for the protection of personal information. The rules cover data accuracy, confidentiality, user authentication, and detection of unauthorized use. Significantly, the Act also gives individuals the opportunity to review the information about them held by data brokers. This helps ensure accuracy and accountability and is similar to provisions currently found in the Fair Credit Reporting Act. The Information Protection and Security Act also provides meaningful enforcement by ensuring that the states are able to pursue investigations and prosecution, after appropriate notice to the FTC and the attorneys general. The Act also gives individuals, who of course are the ones that suffer the actual harm, to pursue a private right-of- action. Additional Safeguards Furthermore, to the extent that information brokers, such as ChoicePoint, routinely sell data to law enforcement and other Federal agencies, they should be subject to the Federal Privacy Act. A ``privatized intelligence service,'' as Washington Post reporter Robert O'Harrow has aptly described the company, ChoicePoint should not be permitted to flout the legal rules that help ensure accuracy, accountability, and due process in the use of personal information by Federal agencies.\34\ It would be appropriate to consider legislation that would establish safeguards for the use of commercial information by government agencies.\35\ Also, Professor Daniel Solove and EPIC's Chris Hoofnagle have put a very good framework forward.\36\ This approach is similar to other frameworks that attempt to articulate Fair Information Practices in the collection and use of personal information. But Solove and Hoofnagle make a further point that is particularly important in the context of this hearing today on ChoicePoint. Increasingly, the personal information made available through public records to enable oversight of government records has been transformed into a privatized commodity that does little to further government oversight, but does much to undermine the freedom of Americans. While EPIC continues to favor strong, open government laws, it is clearly the case that open government interests are not served when the government compels the production of personal information, sells the information to private data vendors, who then make detailed profiles available to strangers. This is a perversion of the purpose of public records. Looking ahead, there is a very real risk that the consequences of improper data use and data disclosure are likely to accelerate in the years ahead. One has only to look at the sharp increase in identity theft documented by the Federal Trade Commission, the extraordinary rate of data aggregation in new digital environments, and the enormous efforts of the Federal Government to build ever more elaborate databases to realize that the risk to personal privacy is increasing rapidly. Congress can continue to deal with these challenges in piecemeal fashion, but it seems that the time has come to establish a formal government commission charged with the development of long-terms solutions to the threats associated with the loss of privacy. Such a commission should be established with the clear goal of making specific proposals. It should include a wide range of experts and advocates. And it should not merely be tasked with trying to develop privacy safeguards to counter many of the government new surveillance proposals. Instead, it should focus squarely on the problem of safeguarding privacy. Congress needs to establish a comprehensive framework to ensure the right of privacy in the twenty-first century. With identity theft already the number one crime, and the recent spate of disclosures, any further delay could come at enormous cost to American consumers and the American economy. The REAL ID Act Finally, Mr. Chairman, I would like to say a few words about the REAL ID Act, a sweeping proposal for a new Federal identification system, that may be taken up tonight as part of the supplemental appropriation for the troops in Iraq. As you know, this bill, which was rejected in the last Congress, has gone forward in this Congress without even a hearing. It would require State agencies to collect sensitive, personal information on every American citizen who drives a car. It would put the State DMVs in the position of enforcing the country's immigration laws. It would give the Federal Government broad authority to regulate a traditional State function. Whatever one's views may be about the merits of the legislation, it should concern all sides that this proposal could pass in the Senate without a hearing or even debate. I make this point today in this hearing on identity theft because the State DMV record systems have actually become the target of identity thieves. In recent months, three State DMVs have been attacked by identity thieves. In March, burglars rammed a vehicle through a back wall at a DMV near Las Vegas and drove off with files, including Social Security numbers, on about 9,000 people. Recently, Florida police arrested 52 people, including 3 DMV examiners, in a scheme that sold more than 2,000 fake driver's licenses. Two weeks ago, Maryland police arrested three people, including a DMV worker, in a plot to sell about 150 fake licenses. It is obviously the case that the establishment of new identification requirements in the United States, the dramatic expansion of the authority of the Department of Homeland Security, and the requirement that we all now deposit with State agencies the very documents that establish our proof of identity will have a profound impact on the issues under consideration today.\37\ Under any reasonable policy process, there would be an opportunity to examine these issues in more detail and to assess the risks that will surely result from the implementation of this legislation. Before there is a vote on this proposal, there should be a hearing in this Congress on this bill.\38\ That power still remains with the Senate. I urge you to exercise it. Conclusion For many years, privacy laws came up either because of the efforts of a forward-looking Congress or the tragic experience of a few individuals. Now we are entering a new era. Privacy is no longer theoretical. It is no longer about the video records of a Federal judge or the driver registry information of a young actress. Today privacy violations affect hundreds of thousands of Americans all across the country. The harm is real and the consequences are devastating. Whatever one's view may be of the best general approach to privacy protection, there is no meaningful way that market-based solutions can protect the privacy of American consumers when consumers have no direct dealings with the companies that collect and sell their personal information. There is too much secrecy, too little accountability, and too much risk of far-reaching economic damage. There are two important bills now before the Committee. The Notification of Risk to Personal Data Act, S. 751, would provide meaningful notice to individuals when their personal information is wrongfully disclosed. The Comprehensive Identity Theft Prevention Act, S. 768, would help reduce the likelihood of future breaches. I hope the Committee will be able to act quickly on these proposals. I appreciate the opportunity to be here today. I will be pleased to answer your questions. References EPIC ChoicePoint Page, available at http://www.epic.org/privacy/ choicepoint/. ENDNOTES \1\ Associated Press, ``ChoicePoint hacking attack may have affected 400,000,'' Feb. 17, 2005, available at http://www.ledger- enquirer.com/mld/ledgerenquirer/news/local/10920220.htm. \2\ Robert O'Harrow Jr., ``ID Theft Scam Hits D.C. Area Residents,'' Washington Post, Feb. 21, 2005, at A01. \3\ Bob Sullivan, ``Data theft affects 145,000 nationwide,'' MSNBC, Feb. 18, 2005, available at http://www.msnbc.msn.com/id/6979897/. \4\ Associated Press, ``ChoicePoint hacking attack may have affected 400,000,'' Feb. 17, 2005, available at http://www.ledger- enquirer.com/mld/ledgerenquirer/news/local/10920220.htm. \5\ David Colker and Joseph Menn, ``ChoicePoint CEO Had Denied Any Previous Breach of Database,'' Los Angeles Times, March 3, 2005, at A01. \6\ Federal Trade Commission, ``FTC Releases Top 10 Consumer Complaint Categories for 2004,'' (Feb. 1, 2005), available at http:// www.ftc.gov/opa/2005/02/top102005.htm. \7\ Robert Lemos, ``Bank of America loses a million customer records,'' CNet News.com, Feb. 25, 2005, available at http:// earthlink.com.com/Bank+of+America+ loses+a+million+customer+records/2100-1029_3- 5590989.html?tag=st.rc.targ_mb. \8\ Jonathan Krim and Robert O'Harrow, Jr., ``LexisNexis Reports Theft of Personal Data,'' Washingtonpost.com, March 9, 2005, available at http://www.washingtonpost .com/ac2/wp-dyn/A19982-2005Mar9?language=printer. \9\ LexisNexis Data on 310,000 People Feared Stolen, New York Times, Apr. 12, 2005, available at http://www.nytimes.com/reuters/ technology/tech-media-lexis nexis.html?. \10\ Associated Press, ``Credit Information Stolen From DSW Stores,'' March 9, 2005, available at http://abcnews.go.com/Business/ wireStory?id=563932&CMP=OTC- RSSFeeds0312. \11\ Evan Perez and Rick Brooks, ``Data Providers Lobby to Block More Oversight,'' Wall Street Journal, March 4, 2005, at B1. \12\ Federal Trade Commission, ``Identity Theft Survey Report'' (Sept. 2003), available at http://www.ftc.gov/os/2003/09/ synovatereport.pdf. \13\ ``US To Require Airline Passengers' Full Names, Birth Dates,'' Wall Street Journal, May 4, 2005, available at http://online.wsj.com/ article/0,BT_CO_20050504 _012176,00.html. \14\ EPIC pursued a complaint against JetBlue and Axcio at the Federal Trade Commission, arguing that ``JetBlue Airways Corporation and Acxiom Corporation have engaged in deceptive trade practices affecting commerce by disclosing consumer personal information to Torch Concepts Inc., an information mining company with its principal place of business in Huntsville, Alabama, in violation of 15 U.S.C. Sec. 45(a)(1).'' Although the FTC chose not to take action in response to the complaint, it continues to be our position that when a company represents that it will not disclose the personal information of its customers to a third party and subsequently does so, it has engaged in an unfair and deceptive trade practice. \15\ Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and Daniel J. Solove, Associate Professor, George Washington University Law School, to Federal Trade Commission, Dec. 16, 2004, available at http:/ /www.epic.org/privacy/choicepoint/fcraltr12.16.04.html. \16\ EPIC v. Dep't of Justice et al., No. 1:02cv0063 (D.D.C. 2002). \17\ Available at http://www.epic.org/privacy/choicepoint/ default.html. \18\ Id. \19\ Id. \20\ Id. \21\ Id. \22\ Id. \23\ Id. \24\ ChoicePoint, AutoTrackXP Report, http://www.choicepoint.com/ sample_rpts/AutoTrackXP.pdf. \25\ ``Schneier on Security: ChoicePoint'' available at http:// www.schneier.com/blog/archives/2005/02/choicepoint.html. \26\ Aleksandra Todorova, ``ChoicePoint to Restrict Sale of Personal Data,'' Smartmoney.com, March 4, 2005, available at http:// www.smartmoney.com/bn/index.cfm?story=20050304015004. \27\ See Chris J. Hoofnagle, ``Big Brother's Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement,'' University of North Carolina Journal of International Law & Commercial Regulation (Summer 2004), available at http://ssrn.com/abstract=582302. \28\ See FTC's investigation into Microsoft's Passport program. Documentation available at http://www.epic.org/privacy/consumer/ microsoft/passport.html. \29\ 15 U.S.C. Sec. 45(n); Letter from Michael Pertschuk, FTC Chairman, and Paul Rand Dixon, FTC Commissioner, to Wendell H. Ford, Chairman, Senate Consumer Subcommittee, Committee on Commerce, Science, and Transportation (Dec. 17, 1980), available at http://www.ftc.gov/ bcp/policystmt/ad-unfair.htm. \30\ In FTC v. Rapp, the ``Touch Tone'' case, the FTC pursued private investigators engaged in ``pretexting,'' a practice where an individual requests personal information about others under false pretenses. No. 99-WM-783 (D. Colo. 2000), 2000 U.S. Dist. LEXIS 20627. In a typical scheme, the investigator will call a bank with another's Social Security Number, claim that he has forgotten his bank balances, and requests that the information be given over the phone. The FTC alleged that this practice of the defendants, was deceptive and unfair. It was deceptive because the defendants deceived the bank in providing the personal information of another. The practice was unfair in that it occurs without the knowledge or consent of the individual, and it is unreasonably difficult to avoid being victimized by the practice. \31\ ``ChoicePoint Incident Prompts State Lawmakers to Offer Data Notification Bills,'' 10 BNA Electronic Commerce & Law Report 217-18 (March 9, 2005). \32\ Associated Press, ``38 AGs send open letter to ChoicePoint,'' Feb. 18. 2005, available at http://www.usatoday.com/tech/news/ computersecurity/infotheft/2005-02-19-ag-letter-to-choicepoint_x.htm. \33\ ``ChoicePoint Halts Sale of Sensitive Information, as Agencies Launch Probes,'' 10 BNA Electronic Commerce & Law Report 219 (March 9, 2005). \34\ Robert O'Harrow, No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society (Free Press 2005). \35\ See, e.g., Center for American Progress, ``Protecting Privacy in the Digital Age,'' May 4, 2005, available at http:// www.americanprogress.org/site/pp.asp?c=biJRJ8 OVF&b=651807. \36\ Daniel Solove and Chris Jay Hoofnagle, ``A Model Regime of Privacy Protection,'' March 8, 2005, available at http:// papers.ssrn.com/sol3/papers.cfm? abstract_id=681902. \37\ See EPIC, ``National ID Cards and REAL ID Act,'' available at http://epic.org/privacy/id_cards/. \38\ See letter from Senators Sam Brownback, R-Kan., Joe Lieberman, D-Conn., and 10 other Senators to Senate Majority Leader Bill Frist, Apr. 11, 2005 (``Because of its magnitude, this legislation should be referred to the Senate Judiciary Committee on a schedule that provides adequate time for full and careful consideration. Legislating in such a complex area without the benefit of hearings and expert testimony is a dubious exercise and one that subverts the Senate's deliberative process.''), available at http://www.senate.gov/&7Egov_affairs/ index.cfm?FuseAction =PressReleases.Detail&Affiliation=R&PressReleaseg_id=953&Month=4&Year=20 05. Senator Smith. Mr. Rotenberg, it is a fact that--I think one of my colleagues--Senator Kerry was asking--if you sign up to buy insurance on your property, you're not signing up to have your information shared, necessarily. Or are there, in most of these transactions, opt-in and opt-out factors or provisions? Mr. Rotenberg. Well, this is a very important point, Senator. In most of these transactions, the individual actually has no direct relationship with the information broker. In other words---- Senator Smith. Are they even aware? Mr. Rotenberg. They don't know who these companies are. They don't deal directly with them. If you have a privacy problem with a bank, for example, you might decide not to do business with that bank, and you would have the opportunity in the marketplace to find another bank to do business with. But, you see, these companies are very similar to the credit- reporting companies, in that they provide information that affects the ability of consumers to participate in the marketplace, to get jobs, to rent apartments, to obtain insurance, but consumers have no direct relationship with them. And that's why we think regulation in this area is so important. Senator Smith. But if we had--if this were at all possible, would you recommend, in the legislation, they have a means for opting-in to some of this identity--identification---- Mr. Rotenberg. Yes. Senator Smith. Yes. Mr. Rotenberg. Yes. Under circumstances where the consumer believes---- Senator Smith. They want---- Mr. Rotenberg.--there's a benefit. Senator Smith.--they want it known. Mr. Rotenberg. Absolutely. In fact, that's one of the approaches, we think, for credit reports, for example, consumers certainly would want to make their credit reports available if they're seeking a loan. And I don't think any legislation should stop them from doing that. We're concerned about the circumstances where their credit reports are made available that they haven't made that choice. Senator Smith. Thank you. Ms. Frank? STATEMENT OF MARI J. FRANK, ESQ., ATTORNEY, MARI J. FRANK, ESQ. & ASSOCIATES Ms. Frank. Hi. Thank you, presiding-Senator Smith and honorable Committee members, invited guests. And I want to especially thank Senator Nelson for S. 500, which I wholeheartedly support. And I will be happy to help you on S. 768, because I think there are a lot of great things in that, as well. I'm an attorney. My name is Mari, by the way--people call me everything, but it is Mari--my name is Mari Frank, and I'm an attorney and privacy---- Senator Smith. We're called a lot of things, too. [Laughter.] Ms. Frank. I know. I know. [Laughter.] Ms. Frank. I'm an attorney and privacy consultant from Orange County, California. I've assisted thousands of identity- theft victims, and I also sit as an advisor to the State of California Office of Privacy Protection. In 1996, my identity was stolen by an imposter who paraded as me, robbing not only my personal life, but my professional identity. She took over $50,000 in credit, purchased a red convertible, rented a car and crashed it, and I was sued by the rental agency. I learned that, while working as a temporary secretary in an office 4 hours from my home, my evil twin downloaded my consumer report from an information broker. Because there is no law requiring a data broker to inform me of the purchase, I couldn't do anything to prevent this heist. Most victims are not negligent with their personal information, and nothing will protect them from fraud if their information is acquired from a security breach or by faulty information practices of data aggregators. Your personal information is worth more than currency itself. A fraudster can do anything you can do with your identification, and, even worse, they can do things like you-- that you would not do, such as commit crimes, seek revenge, or even engage in terrorist activities. Here are some examples of the main types of identity theft: The first one is financial gain. These are examples of people who have personally contacted me. George had a great job in the financial industry. When he was up for promotion, he permitted a background check, which showed that he had several very expensive properties, luxury cars, and even a boat. Also, it showed a problem with his CPA license. He learned that there were many credit accounts also that did not belong to him. He was flabbergasted, since this was not true, none of these things were true. Needless to say, he lost the promotion. Second use, avoiding prosecution or avoiding arrest. Lori-- and, by the way, Lori is here with me today. I have been helping her since last December, and Lori drove 4 hours to meet me and come to this hearing. She's with me today. Lori, a disabled vet who--and a single mom with a set of 6-year-old twins, was attending school to get her B.A. degree when the police showed up at her door. She was arrested and convicted for a crime that was committed by her imposter. Neither her fingerprints nor her physical description matched the impersonator. She's hoping that we'll get a new trial for her, but, more worrisome than that, she's fearful that, even when we get this cleaned up--which I'm sure we will--that the incorrect data will be resold. And here's the reason why I'm thinking this will happen. Scott Lewis is another client of mine who wanted to drive from Ohio today, but I think he sent the Senators a note. Scott was laid off from a high-paying job. He had great recommendations and felt sure that he would be rehired. For 2 years, he was denied employment. After hiring a private investigator, he saw his file from a data broker. Included in it were two driving-- three DUIs and an arrest for murder, none of which belonged to him. After the databases were finally cleaned up, after a tremendous amount of time and effort, he still couldn't get a job. So, again, we pulled his consumer background check. And, what did we find? The data broker was continuing to sell the erroneous information to all the prospective employers. Scott spent hundreds of hours living the nightmare of identity theft, and we did get him on Dateline and finally we were able to get him a job. Revenge. This is another reason someone does this. A radio talk-show host called me. He was shocked to learn that his own identity was stolen by a disgruntled listener who bought his dossier from an online information broker. Aside from calling him at home and bullying him, he obtained access to his e-mail and sent embarrassing e-mails to the station, pretending to be the talk-show host. And, finally, the last, but scariest, is terrorism and the threat to homeland security. The 9/11 terrorists had opened over 14 accounts at a Florida bank, using the false Social Security numbers and other documents. They also received thousands of dollars worth of credit. Not only did they do this for financial gain, but over half of them had names that were known as suspected terrorists. So they committed total identity-theft takeover. And, worse, they used these false identities to get revenge against our country. Recently, at a meeting that I attended with Senator Feinstein in California, law enforcement reported to her that suspected terrorists have been apprehended with many false documents in California so that they could hide under the radar screen and come over across our borders. Your identity is especially vulnerable with regard to the mega-databases held by information brokers who are selling huge amounts of your sensitive information in all-inclusive profiles without any governmental oversight. The very essence of the data-broker business is selling a broad range of very private and highly sensitive information, which, if acquired by a person with a criminal intent, provides a complete comprehensive package ready for identity takeover. These databases contain your personal, professional, social, possibly criminal--true or not--and financial existence. Tapping into your data profile is a fraudster's dream come true. In my written testimony, I attached Exhibit I, which has the ChoicePoint AutoTrack, which will show you the kinds of information--it's a sample--it's not a real person, by the way; it's just a sample. It will shock you, as it did me. When I recently attended the State Bar of California annual meeting, a data broker in the exhibit hall pulled my background after I gave him just my name. I was horrified--not only because I felt violated by all that it revealed, but, worse, by the tremendous number of errors. I was told that there was no way to correct the egregious mistakes. I was stunned by the prospect that aspects of that report may have resulted from my imposter's actions. Also, I was reminded of the Amy Boyer case, where Liam Youens used information broker Docusearch to obtain Amy's Social Security number and work address to kill her and then himself. Police later found a message on his computer that said, ``It's actually obscene what you can find out about people on the Internet.'' Data brokers are invisible to most citizens. Everyone in this room who has a birth certificate, a driver's license--or if there's any public record about you at all, you are in those secret files. And there's much more about you from the data aggregation. Every Senator and everyone watching this hearing is in those profiles. Have you seen your dossier? Do you know what fact or fiction is being sold about you? As the law stands now, you don't have the right to know what is in these files, nor do you have the right to correct the many errors, nor do you have the right to know who has had access to these sensitive files, nor can you limit the sale. Actually, none of us here, except maybe the data brokers, have control over anything in those files. These companies have operated in the shadows and have sold this often erroneous information to myriad companies, the government, and even to fraudsters. Most Americans don't even know who these companies are or what they do. This is America, the home of freedom and liberty. This is not a communist country or a Nazi regime where secret files are kept on citizens and shared with various entities and governmental agencies. Don't law-abiding citizens have a right to at least see the dossiers and make sure that the information is correct? Although the credit-reporting agencies are considered data brokers, they're regulated by the FCRA, the Fair Credit Reporting Act. And that law gives us the right to see our data, review it, dispute it, correct it, find out who has had access to it, and we can even limit the sale. What is the impact of security breaches of the data brokers that are here today? Those impacted may not yet be victims of identity theft, yet they are victims of a Federal crime. The Identity Theft and Assumption Deterrence Act of 1998, which I testified for back then, 18 U.S.C. 1028, makes it a Federal crime when anyone knowingly transfers or uses without lawful authority a means of identification of another person with the intent to commit or aid or abet any unlawful activity that constitutes a Federal--a violation of Federal law or that constitutes a felony under applicable State or local law. I have personally spoken with victims of many of these security breaches. The victims feel very violated, frightened, and helpless. It is well known that criminals steal the information, but may not use it for months, or even years, afterwards. Additionally, the victims have not been notified of exactly what was stolen. They haven't seen these dossiers. So they feel entirely defenseless and don't even know what to protect. All right. So, what needs to be done? I'm going to go quickly. I really appreciate everything in S. 500, and I have a lot more, 25 pages, in my written testimony, but I'm going to just do a quick sweep here. Senator Smith. We'll include it all in the record. Ms. Frank. Right, OK. So, you can all see it. And I would really like you to look at my attachments, as well. I think they're very important. Number one, what do we need? We need transparency. That means we need to see what they have available, in front of us, for inspection. We need to define the uses of this information. Number two, we need consent and notice. Consumers should be able to give their consent to disclosure of their information prior to disclosure. The consumer should be able to know when it's sold. And the consumer should receive a free copy once a year, like we do under FCRA. The consumer should also have access and inspection and the ability to correct. There should also be quality controls and timely correction, so that if I contact an agency and I see-- for example, what happened to me, I would like to correct what's in that file, yet I--at this point, I can't. And I want to know that I can correct it. And if it's a public record, I need to know where to go to correct it. There must be strict security controls against risk of loss. We know this from what recently happened. We need enforcement. Unfortunately, what I have seen, in the past 9 years since I have been a victim, is that the Federal Trade Commission is overwhelmed. I also now am also a sheriff reserve in Orange County, and I know that--and California is one of the top states for identity theft--about one in ten cases are investigated; and, of those one in ten cases, about one in ten are prosecuted. So, enforcement is really important. And the Federal Trade Commission doesn't take many cases on this. So---- Senator Smith. What do they find? Do they lead to a few people, or to many? Ms. Frank. Depends. It depends on the circumstance. They usually won't take the case unless it's of very high jurisdictional value or if they think it's a fraud ring, because they just have to prioritize. They just have limited resources. Enforcement should be by private right-of-action. It should also be by attorneys general and the Federal Trade Commission. And it's very important that we preserve State rights. I'm from a State that has been very proactive. We have the best privacy legislation, we are the only State with an Office of Privacy Protection. And it's our laws--in fact, we were the second State to have an identity-theft statute. We have the best identity-theft statutes, as far as penal codes, in the country. We have the security-breach law. We also allow security freezes to lock up your credit report, so, if you're a victim or even a consumer, you--no one can steal your credit identity. So---- Senator Smith. Are those laws working? Ms. Frank. Yes. And--well, we know that the security-breach law is working, because in July of 2003, our law became effective. Prior to July 2003, we know that LexisNexis and ChoicePoint both had security breaches that they admitted in a hearing before the U.S. Senate. And they did not reveal it to anyone--I mean, to law enforcement, yes--but they did not reveal to potential victims. After 2003, we have seen a tremendous amount of disclosure because of our security-breach law. If it had not been for California, you would not even be here today to know about all this. So, that and the security-freeze laws, if we did not lock up the credit reports--right now, there are four states that allow you to close up your credit report for your credit freeze, and they are California, Texas, Vermont, and Louisiana. And I know there are 19 states that have introduced such legislation. So, if you tie the hands of State legislators, you're going to find that there is going to be a huge amount of problems for victims who cannot get some regulation to help them. And a lot of your bills, even the bills that were introduced by Senator Feinstein with regard to Social Security are based on California law. I understand about Federal preemption, that companies don't want to have to speak to all of the various states and deal with that--it's expensive--but I think we need to have a floor, not a ceiling. And I'll be happy to help this committee in any way I can. Thank you. [The prepared statement of Ms. Frank follows:] Prepared Statement of Mari J. Frank, Esq., Attorney, Mari J. Frank, Esq. & Associates Good morning, Chairman Stevens, Co-Chairman Inouye, Presiding Senator Smith, Honorable Committee Members, and invited guests. Thank you very much for the opportunity to address you today regarding concerns about identity theft and data broker services. I am grateful that Congress is studying this issue to craft strong measures to prevent identity theft in our society. Your desire to shine the light on these problems and make needed changes deserves commendation. I also thank this panel of witnesses who will educate us about these issues from all perspectives and help to create solutions so that we may better protect our personal and confidential information and reduce this insidious crime. Additionally I thank Senator Bill Nelson for introducing S. 500, The Information Protection and Security Act, which I support because it addresses the need for responsible and reasonable oversight over the data broker services industry while providing fair information principles. I will be happy to assist this Committee with other legislative proposals such as S. 768 and others. Since this issue affects each one of us, I encourage a bi-partisan collaborative approach to protect ourselves from identity theft. My name is Mari Frank. I am an attorney, privacy consultant, and author of several books on identity theft from Laguna Niguel, California. (My two newest books are Safeguard Your Identity: Protect Yourself with a Personal Privacy Audit (Porpoise Press, 2005 and From Victim To Victor: A Step By Step Guide For Ending the Nightmare of Identity Theft 2nd Edition with CD, Porpoise Press, 2005) www.identitytheft.org.) I serve as a volunteer Sheriff Reserve for the Orange County, California Sheriff Department, and sit on the Advisory Board of the State of California Office of Privacy Protection which focuses on privacy and identity theft safeguards for California citizens. Additionally, I am a member of the State of California's Department of Motor Vehicle's Task Force on Privacy and Identity Theft, I've served on the Los Angeles District Attorney's Office Task Force on Identity Theft, and I am an advisory board member to the nonprofit Identity Theft Resource Center. I have personally assisted myriad victims across the country with my personal time and educational materials, and have donated hundreds of pro-bono hours to assist victims. I have had the privilege of testifying before several legislative bodies and four U.S. Congressional Committees, and have consulted with national corporations on how to protect their clients, customers, vendors, employees, and their businesses from the challenges of identity theft and other privacy concerns. I am a certified trainer for Continuing Legal Education of the State Bar of California, a former law professor, and I presently teach Conflict Management at the University of California, Irvine. My own identity was stolen (in 1996) by an impostor who paraded as me--stealing my personal as well as my professional lawyer identity. While wrecking my credit, she also destroyed my sense of security and peace of mind. My impersonator obtained over $50,000 using my name, purchased a red convertible Mustang, and even caused me to be threatened with a lawsuit by a rental car company for the auto that she damaged in an accident. It took me almost a year and over 500 hours to clear my records and regain my credit and my life. I accumulated five banker boxes of correspondence, and lived in fear of how else this invisible person might harm me and my children. I finally learned that while working as a temporary secretary in a law office four hours from my own office, my evil twin (who I never met) was able to access my credit history (as well as the profile of other lawyers) from an information broker who had a contract with that office. My impostor did not need to prove who she was or establish that she had a permissible purpose to download the profile, so it was instantly faxed to her. From that report, she obtained my Social Security number and other personal and financial facts to become my identity-clone. When that data broker, situated across the country, electronically transferred my consumer profile to a criminal in a city 4 hours from my home, it was beyond my control to do anything to prevent the fraud. From that arduous nightmare, I gained great insight into the tribulations that victims endure--I became an expert by necessity. After speaking with several thousand victims, I have learned that most victims are not negligent with their personal information, and that no amount of ``consumer education'' or vigilance will protect them from identity theft if their information is acquired in a security breach by an unscrupulous employee, or by faulty information handling practices of entities that maintain their data. Consumer-privacy education is important to minimize your risk and keep you informed as to barriers to erect, but it won't guarantee that your identity won't be stolen by a data breach. Your esteemed Committee has invited me to focus on the concerns and problems experienced by victims of identity theft and security breaches. I will concentrate my testimony on answering the following questions: I. What Are the Motivating Factors for Stealing Your Sensitive Information? II. How Does Identity Theft Occur, and What Are the Unique Issues as to Data Brokers? III. What Are Real Life Examples of Identity Theft as They Relate to Information Brokers? IV. What Is the Impact of Security Breaches on Citizens Whose Information Is Stolen? V. What Needs to Be Done with Regard to Minimizing the Risks of Identity Theft With Regard to Information Brokers? VI. What Else Is Needed To Prevent and Resolve Identity Theft? I. What Are the Motivating Factors for Stealing Your Sensitive Information? In our data-driven society your personal information is readily transferred across the world in a nano-second through networks and on the Internet (whether or not you are a computer user). Your personal information, worth more than currency itself, can be used to apply for credit cards, credit lines, mortgages, cell phones, insurance, utilities, products and services, etc., all without your knowledge. A fraudster can do anything you can do with your identifying information--and worse--even do things you wouldn't do such as commit crimes, seek revenge, or engage in terrorist activities. A. What Is Identity Theft and How Is It Used? Identity theft occurs when your personal (or business) identifying information such as your name, Social Security number, address, birth date, unique passwords, business name or logo, or even biometric information, is used or transferred with the intent to use it for an unlawful purpose. Below are the main motivations of fraudsters: 1. Financial Gain This includes credit, loans, new accounts, mortgages, employment, health care, insurance, welfare, citizenship, and other governmental and corporate benefits--anything that has a dollar value. The fraud may take place in multiple jurisdictions, and purchases and transfers can be made by phone, fax, online or in person. Usually, the perpetrator can buy or ``legally'' obtain a driver's license, create checks on a computer with the victim's name, obtain, buy, or create other identity documents including medical cards, credit cards, passports, etc. 2. Avoiding Arrest or Prosecution A criminal commits crimes in the real world or virtual electronic world, or terrorist acts using the name and identifying information of another person. Often the perpetrator also commits financial fraud as well to supplement her income. In a recent meeting I attended with Senator Feinstein and law enforcement, detectives and district attorneys in California (and also in Washington) reported that that 80- 90 percent of identity thieves who are caught also have a pending or prior methamphetamine charge against them as well. In my own case, my impersonator was a ``meth'' addict who stole the identity of several lawyers to obtain credit and funds to feed her drug habit. 3. Revenge One can remain ``invisible'' by stealing an identity to hurt another person. This type of fraud may occur between ex-spouses, former business partners, ex-employees, disgruntled staff or angry customers. We also see this type of fraud committed in businesses where one business owner will want to ruin the reputation of another. It can occur offline or online. I've been contacted by employees, and business owners who learned that their e-mail address was used to discredit them. 4. Terrorism (Breaching Homeland Security) The September 11, 2001 terrorists had opened 14 accounts at a Florida bank, using false Social Security numbers and other documents. They obtained credit cards, apartment units, leased cars, and fraudulently charged airline tickets. They not only did this for financial gain, but also over half of them likely suspected that their true names were in FBI files as suspected terrorists, so they committed total identity take-over to avoid arrest. And worse, they used false identities to get revenge against our country. In Senator Feinstein's meeting with law enforcement in California on March 29, 2005, law enforcement reported that suspected terrorist cells have been apprehended with false documents in California. It is well known that foreign nationals have covertly crossed our borders and have easily obtained stolen identity documents to hide under the ``radar screen.'' II. How Does Identity Theft Occur, and What Are the Unique Issues as to Data Brokers? A. Ways That Your Personal Information Is Stolen The scope and extent of the problem of identity theft is rampant. In 2003 the FTC conducted a survey found almost 10 million new victims that year, and 27.3 million victims in the previous five years, with a cost to consumers of $5 billion and a loss to financial institutions of $48 billion. (www.consumer.gov/idtheft) According to the Identity Theft Resource Center, victims paid an average of $1,400 in out-of-pocket costs (not including attorney fees) and spent an average of 600 hours to regain their credit and identity. (www.idtheftcenter.org) The monetary costs are miniscule compared to the devastation, stress and violation one feels when they are denied a job, unable to get an car or apartment, lose the opportunity for a home, lose insurance health benefits, or find out there is a warrant for their arrest--or worse yet, when they are convicted of a crime committed by their impostor. Victims have a great burden to ``prove'' their innocence, beg for an identity theft report, and spend hundreds of hours calling and writing various agencies and companies to get their life back. The epidemic of identity theft is growing because sensitive, personal information is acquired very easily, and the issuers of credit are often less than careful in verifying and authenticating the true identity of the applicant. There are many ways that fraudsters obtain data about us--it may be appropriated by, stolen mail, dumpster-diving, lost or stolen wallets, shoulder surfing, burglary, friends, relatives (only about 9 percent), unscrupulous employees, phone fraud, Internet fraud (phishing and pharming), spyware, hackers, unprotected wireless networks, unethical use of public documents that contain personal information, needless display of the Social Security numbers on government documents (such as; military and Medicare identification cards); the transfer sale and sharing of Social Security numbers and other data among financial institutions, credit reporting agencies and data brokers. B. Data Brokers Files Provide Massive, Broad-Based Information When Accessed by Fraudsters Although an identity thief has a choice of simple easy ways to steal your good name, as listed above, your identity is especially vulnerable with regard to the mega-databases held by information brokers who are collecting, storing, sharing, buying, transferring and selling huge amounts of personal and sensitive information in all inclusive profiles without any governmental oversight. (For example, it is reported that ChoicePoint has 19 billion files on citizens.) Although the credit bureaus also hold vast financial and personal data--and if accessed also reek havoc for victims, (like what happened to me) at least these credit reporting agencies are regulated by the Fair Credit Reporting Act, and there was a way for me to correct my file. The very essence of the data broker business is selling a broad range of very private and highly sensitive information which if acquired by a person with criminal intent, provides a complete comprehensive package ready made for total identity-takeover. These databases contain your personal, professional, social, (possibly criminal) and financial existence. Tapping into your data profile is a fraudster's dream come true. The huge, lengthy dossiers provide far more than just a Social Security number or the limited information that could be accessed from stealing a bank account, your mail, or even your un-shredded trash. Many of these companies have various products for sale which will tell the recipient of the report far more about you than your family or friends know. Most of us have seen our credit reports and know how all embracing they are with regard to our financial profile, but few of us have seen our complete dossier stored and sold by the data aggregators. To give you an example of one type of product, I have attached as Exhibit I, a sample AutoTrack report sold by ChoicePoint for you to see how much information may be revealed about you, which also includes the persons in your home, and surrounding neighborhood. It should startle you. C. Viewing Your Vast Profile When I attended the State Bar Annual Meeting last fall, I visited the exhibit hall and was summoned by one of the data brokers to view my profile to see if I wished to purchase this data information service in my law office. All I provided was my name, and instantly 30 pages of private information (including my Social Security number) appeared on the computer screen. I was shocked and horrified, not only because I felt very violated by all it revealed, but worse yet, by the numerous errors! I asked the salesperson how I could correct the information and was told that I could not correct any information in the file; that this information was not subject to the Fair Credit Reporting Act. Please review this attached sample profile and consider how each category heading is labeled, i.e.: ``Possible Social Security Numbers Associated With This Subject; Possible Deeds Transferred; Possible Felony/Probation/Parole.'' As a recovered identity theft victim, I was stunned by the prospect that some of those items in my report could have been reported as a result of my impostor's actions, and I was fearful of what could happen to me and my family if this information were to be acquired by someone who wished to do harm. I was reminded of the Amy Boyer case a few years ago in which a young man, Liam Youens used an on-line information broker--Docusearch to obtain Amy's Social Security number, phone number, and work address in order to find her. He then appeared at her office and killed her and then committed suicide. Later in his computer, police found a message he had written about data broker services--``It's actually obscene what you can find out about people on the Internet.'' D. Data Brokers Are Operating Under the Radar Screen and Are Invisible to Most Citizens Even with all the publicity about data brokers and recent security breaches, when I have spoken to large audiences in the last month about identity theft, most people still didn't know these companies by name or what they do, or how they gather data or what's in their databases. There is no transparency. In fact, most people tell me that if they had received a security breach letter from ChoicePoint or LexisNexis, they probably would have thrown it out as ``junk mail'' since they hadn't heard of the company and do not have a business relationship. Many potential victims who received security breach letters have not taken advantage of LexisNexis' offer for a year of credit monitoring (for example) because they didn't even open the envelope, or if they did, they didn't know what to worry about since they didn't know what was revealed from their files to cause alarm. None of the breach letters that I have seen contained a copy of the profile, or a detailed list of the data that was stolen. E. Everyone in This Room and Reading This Testimony Has a Profile in the Data Broker Files Do You Know What Information About You Is Being Sold? Everyone in this room who has a birth certificate, a driver's license, if you've been married, divorced, have auto or homeowner's insurance, if you have ever worked, if you have a residence, if you have any government approved license, if you've been issued a speeding ticket--YOU ARE IN THOSE SECRET FILES. Every Senator in this room--and every one watching this hearing has a profile in those files. Have you seen your dossier? Do you know what fact or fiction is being sold about you? As the law stands now--you don't have the right to know what is in those files, nor do you have the right to correct the many errors, nor do you have the right to know who has had access to those sensitive files, nor can you limit their sale--actually none of us here (except perhaps the data broker persons) have control over anything in those files. These companies have operated in the shadows and have sold this often erroneous information to myriad companies, journalists and governmental agencies. Yet most Americans don't even know who these companies are or what they do. This is America--the home of freedom and liberty, this is not a communist country or Nazi regime where secret files are kept on citizens--and shared with various entities and governmental agencies. The FBI and other law enforcement agencies are purchasing this information from data brokers, so are employers, insurers, landlords, attorneys, private investigators, and others-- shouldn't law abiding citizens have a right to at least see the dossiers and make sure that the information is correct? Although the credit reporting agencies are also considered data brokers, they are regulated by the Fair Credit Reporting Act and that law gives us the right to see our data, review it, dispute it, correct it, find out who has accessed it, limit its sale and review, and give us the right to enforce our rights. Unfortunately, the information service industry only acknowledges that a small portion of its products apply to the FCRA (i.e., reports made for insurance, employment history, landlord tenant history, medical insurance). Why shouldn't the data brokers be subject to the same fair information principles? III. What Are Some Real Life Examples of Identity Theft as They Relate to Information Brokers? A. Examples of Financial Identity Theft 1. John is a recent widower. After his wife died of cancer at age 35, (leaving him with three young children), he began receiving collection calls from credit card companies, a computer manufacturer, and a cell phone company for the items and services allegedly purchased by his deceased wife after her funeral. He suspects that the imposter got the information from the death certificate which has the Social Security number and birth date on the document. This could have been obtained in the funeral home, from public records offline or online, through the Social Security Administration, or from any information broker. Many public records including birth certificates, death certificates, marriages, pilot and captain licenses, etc. contain the Social Security number--which is the key to the kingdom of identity theft. The data brokers sell public records to almost anyone. John became a victim prior to July 2003 when the California Security Breach disclosure law became effective. If he were a victim of a security breach after July 2003, he hopefully would have been notified, and would have had a chance to put up barriers to protect his deceased wife's good name and his finances. 2. Sidney, a wealthy retired executive learned that his identity was stolen many months after he and his wife purchased a new home. His loan application, with his 3-in-1 credit report attached, revealed his credit score, his checking, savings, and investment accounts, Social Security number, and all necessary information for an impostor to become Sidney. He believes his masquerader had gotten a copy of Sidney's credit report which was on the broker's laptop. The impostor opened new credit card accounts, purchased computers, electronic equipment, furniture, rented an apartment, obtained utilities, etc., stealing almost $100,000, and the couple are overwhelmed. Allowing employees to download credit reports, and maintain loan applications in unencrypted files on laptops, which may be easily stolen outside a secured office, makes customers very vulnerable to identity theft. It is imperative that all companies that collect data and transfer it for use, verify the recipient (that he or she has a lawful, permissible purpose), set up contracts and enforcement for the security of the information. It's critical for victims to get notice immediately of any security breach, so that they may take steps to intervene and stop further fraud activities. 3. Susan, a physician, received a letter from a company that she did business with, that her Social Security number and other information about her had been acquired by unauthorized persons. She was terrified as to what could happen to her finances, and her practice. She put fraud alerts on her credit profile, changed all her passwords, even closed accounts and opened new ones. She felt very violated, angry, frightened and upset. Almost 1\1/2\ years later, she started receiving calls from creditors from accounts she never owned-- including cell phones, credit cards, and loans. She believed the fraud alert would remain on her credit profile--it did not. Even when the fraud alert was on her file, companies seemed to ignore the alert and issue credit. Since she lives in California, she was able to place a security freeze on her profile so no one could see her credit report to issue credit without her providing a password to release her file. Now she has sleepless nights about her impostor parading as a doctor and committing other crimes. She wants to see a full background check from the information brokers. This case shows us why it is so important to receive notice of a security breach. Susan took proactive steps to prevent fraud, and several companies called her and did not issue credit. Some negligent companies ignored the alert. Because she lives in one of the four states (presently California, Texas, Vermont, and Louisiana) that allow victims to ``freeze'' their reports, she was finally able to stop the financial fraud. But the fear of criminal identity theft is now haunting her. She should be able to put a fraud alert on her consumer profile and obtain a complete background check at no cost if she is a victim--just as victims can obtain two free credit reports in the 12 months in which they learned of the fraud. She should also be able to limit the sale of her consumer report and be notified with the name, telephone number and address of a business or governmental entity (other than Homeland Security) to see who is accessing her profile. B. Examples of Criminal Identity Theft 1. George, a disabled veteran living in Colorado was suddenly denied his disability payments, and hit with a large IRS bill for the income that his impostor had earned while working under his name in Tennessee. Upon reporting this fraud to the police, we learned that George's impostor had also established a criminal record in yet another state and there was a warrant for George's arrest. George's information about his impostor's criminal activity and work related fraud would not show up on a credit report (until the IRS reports it), but it would show up on a background check provided by the data brokers who are testifying today. George found out the hard way, when he lost benefits and was arrested. If he had access to his consumer file, he would have found out about the fraud and wouldn't have lost his disability benefits. George's case demonstrates why we must be able to review, dispute and correct our consumer files. We should be able to get our complete dossiers at least once a year at no cost as is our right to get a credit report from each of the three credit reporting agencies under the Fair and Accurate Credit Transactions Act. 2. Lori, a disabled vet from Virginia, and single mom with a set of six-year-old twins was attending school to get her Master's degree in Social Work, when the police showed up at her door. She was arrested for a crime that she didn't commit. The woman who committed the fraud used the name Laura along with Lori's last name. Her fingerprints did not match the prints of the perpetrator, and the description of the fraudster was different from Lori, yet she was convicted. With my help and the help of new counsel, she was sentenced to probation--but the felony record must be corrected with a new trial. Her greatest fear isn't the new trial--it is the information broker databases that may continue to report her as a felon even after the criminal records are cleared. She has reason to fear as you will read in the next case. 3. Scott was laid off from a high-paying job in the medical industry in Ohio. He had great recommendations and felt sure he would be rehired. For two years he was denied employment after several positive interviews and his permission to do a background check. Finally Scott hired a private investigator who showed him his criminal profile from a data broker. It included two DUIs and an arrest for murder. None of which belonged to him. I spent many months helping him to correct the sheriff and FBI databases. But months after we cleared all the law enforcement databases, he applied for employment and was offered the job, but after reviewing his background, he was told that they couldn't hire him. He was in shock when the private investigator pulled his report again and found that a major information broker was still selling this false information to prospective employers without updating their files. Finally after a lawsuit was filed by an Ohio attorney, the information was corrected. But the years of anguish and lack of employment continues to damage his career and his personal life. Scott had no idea why he had trouble getting a job. Although a potential employer is supposed to tell you if you are denied employment due to a consumer report, and let you know how to review the report, it's understandable that an employer may be reticent to tell a ``murderer'' that he is denied employment due to his criminal history. Instead he was told that there were others who were more suitable for the position. If Scott had the right to see his file earlier and had the right to correct it, he would have been able to secure employment and perhaps not have gotten divorced, lost custody of his son, nor become homeless for those years. C. Examples of Identity Theft for Revenge 1. Linda was married to a prominent Chicago lawyer for 25 years. When he decided to divorce her to marry his secretary, he had a friend download Linda's consumer information and give it to a fraudster who applied for numerous credit cards, ordered furniture, and other luxury items. The fraudster also used Linda's name to set up e-mail accounts to send the estranged husband threatening messages. This was done to discredit Linda in court. Obviously, there was no lawful purpose for downloading this report from the data broker. There was no verification of permissive use by the data broker. It clearly was revenge and self-interest. 2. The first cyber stalking case prosecuted in Orange County, California turned out to be identity theft. A computer expert was angry when a woman he liked shunned his advances. He proceeded to go online to a chat room and pretend to be her--stating that she had fantasies of being raped. From a data broker, he was able to find her home phone number and address and shared it in the chatroom. The woman didn't even own a computer. When several men appeared at her door to share her fantasies, she was terrified and called the police. She had an emotional breakdown and the violation has left scars. 3. A radio talk show host was shocked to learn that his own identity was stolen by a disgruntled listener who bought his dossier from an on-line information broker. Aside from calling him at home and bullying him, he obtained access to his e-mail account and sent embarrassing e-mails to the station, pretending to be the talk show host. The above cases demonstrate how identity theft is facilitated by the data broker industry. Unless a victim gets notice of a security breach or unless law enforcement or a private investigator can solve the mystery, most victims don't have a clue how the criminal has gotten his sensitive records. The assaults against these victims caused great anguish, overwhelmed them and negatively impacted every aspect of their lives. The time spent trying to regain their lives, the damage to their reputation, and the out-of-pocket costs were miniscule compared with the tremendous emotional turmoil these people endured. IV. What Is the Impact of Security Breaches on Citizens Whose Information Is Stolen? Persons whose information has been stolen by criminals are victims of a crime. They may not yet be victims of identity theft--yet they are victims of a Federal crime. Not only has their private, sensitive information gotten into the hands of unauthorized persons--but those unauthorized persons have done so with the intent to commit an unlawful act. Under 18 U.S.C. 1028, as stated below the persons committing the act are felons and those who are adversely affected are victims of a Federal felony: The Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act) 18 U.S.C. Sec. 1028) makes it a Federal crime when anyone: knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law. I have personally spoken with victims of security breaches who have received notice letters from entities such LexisNexis, ChoicePoint, Ameritrade, Bank of America, Wells Fargo and several universities, hospitals, and even smaller businesses. The victims of the breach feel very violated, angry, frightened and overwhelmed and helpless. It is well known that criminals steal the information and may often wait months or years to use it--or they sell it in exchange for methamphetamine or money. It may be transferred several times and used for financial gain or to commit other crimes. Because the victims of the breach don't know who the criminals are or their intent, they are anxious. Additionally, the victims are not notified as to exactly what information may have been taken, so they feel defenseless and don't even know what to protect. Although I tell these victims actions to take to put up barriers placing fraud alerts, instituting security freezes, changing passwords, changing mother's maiden name, monitoring credit reports, etc.), victims still feel incapable of insuring that their identity won't be stolen. Many are fearful that their family home or office may be intruded by the perpetrators who may have their addresses, phone numbers, bank account information and perhaps an entire dossier. Below are a couple of e-mails I received from victims of a security breach explaining their strong feelings of victimization. ``My husband and I are very upset and it is overwhelming. We are very anxious and it takes a tremendous amount of time and effort just to get a security freeze. The credit agencies shouldn't make it so difficult. I'm spending so much time monitoring accounts and credit reports--it's exhausting--I feel very vulnerable and frightened that some criminal knows all about me and may wait to use our stuff any time, now or in the future-- what can I do?'' ``I spend sleepless nights wondering when the phone may ring, or I will open a letter from a bill collector. I'm worrying if someone has obtained new identification under my wife's or my name. It is scary to think that I may be pulled over by the police for something I didn't do. What if they drag me or Lord forbid MY WIFE, from the vehicle and handcuff us. My wife and I are losing too much sleep'' The emotional impact on these victims is intense and their fears are real. Why would a criminal steal the information if there was no intent to sell, transfer or use it for an unlawful purpose? V. What Needs To Be Done With Regard to Minimizing the Risks of Identity Theft as to Information Brokers? Data brokers must be regulated by imposing Fair Information Practices as follows: 1. Transparency--The nature of personal data held by these companies should be readily available for inspection by the public. The uses of the information should be clearly defined. 2. Consent and Notice--Consumers should be able to give their consent to the disclosure of their information prior to disclosure, such as the rights with regard to disclosure of credit reports. The exceptions would be for defined categories of law enforcement and Homeland Security. In other words there should be an established, permissible purpose; i.e.--employment background checks, insurance, landlord tenant, etc. When a consumer gives his consent or it is considered a ``permissible purpose,'' the consumer should be entitled to notice of the sale, and the consumer should receive a free copy from the entity that bought the report. 3. Consumer Access and Inspection--Individuals should have the right to one free disclosure per year as they have for credit reports. A central website and toll free numbers should be set up for consumers to get their entire profile--not just a ``Clue Report.'' If a person has become a victim of identity theft, he should be entitled to at least one other free disclosure per year for 24 months after learning of the stolen identity. The inspection report should be the same as would be accessed by a company for a background check--the complete profile. The disclosure should also provide a list of names, addresses and phone numbers of all entities that received a copy of such report in the last 5 years. This would include governmental entities except for specific guidelines of Homeland security or other law enforcement restrictions. Employers or others who order background checks on a consumer should be required to provide a copy to the consumer upon receipt whether or not the consumer report was a factor in hiring or reviewing an employee or prospective employee. 4. Quality Controls and Timely Correction--The information collected should be accurate, complete, updated and relevant to the purpose for which it is to be used. The Data Broker industry should allow individuals to dispute and provide prompt correction of the files within no more than 30 days. The broker should reinvestigate without cost to the consumer and make all appropriate changes if the information cannot be verified. If after the data broker investigates, it finds that the investigation verified the information, the company shall provide the name, address and phone number of the verifying entity so that the consumer can directly dispute the information. 5. Strict Security Controls--There should be safeguards against risk of loss, unauthorized access, alteration, hacking, etc. Audit trails and limited access should be standard, as well as encryption of the sensitive data. Customers should be screened both initially and with respect to how the end-user is safeguarding the information from unlawful use. In the event of a security breach, the data broker must notify all individuals whose information was acquired either on paper or electronically with a letter providing the consumer the nature of the breach, what information was stolen, how to protect themselves with fraud alerts, security freezes and other useful tools. They should also provide a free copy of the report that was accessed. Credit monitoring and a background check monitoring would be needed. (Fraud resolution services may be necessary.) 6. Enforcement--The data broker industry must be held accountable to consumers and victims. Outside audits and training should be mandatory. A private right-of-action is essential to allow enforcement of the provisions of the law. A private right-of-action provides that the cost of the legal system policing against acts of preventable corporate negligence is paid by the guilty parties rather than by increasing taxes or adding to the size of government. We have seen that many provisions of FACTA and the GLB Act have not been enforced because Federal agencies do not have the resources or manpower to take actions against all the violations, and why should our taxes be spent to right the wrongs of companies who violate the law. Individuals should be able to seek redress for their damages without having to rely on the government to intervene, however for large cases, enforcement should be available in state courts by private parties, attorneys general and the FTC. 7. Preserving States Rights--Consumer reforms with regard to identity theft have derived from proactive States that were responsive to the plight of its citizens. Some examples of this are: the right to a free credit report, annually, the right to place a fraud alert, the right of victims to obtain information from businesses and creditors to regain their identity. More recently we have found out about the security breaches of two of the data brokers here today only because of the California Security Breach law. Both ChoicePoint and LexisNexis admitted in a Senate hearing that they both experienced significant breaches prior to July 2003, when the California law became effective, and did not notify any of the victims of the breach. Since February 2005, over 4 million Americans have been victims of various security breaches. (See Exhibit II from the Wall Street Journal)--none of which we would have heard about, but for the California law. Arizona and California, were the first two states to make identity theft a crime-- leading all the states and the Federal Government to establish the consumer as a true victim. Numerous states are instituting security freezes to lock up a consumer's credit so fraud cannot continue. Federal law should serve as a floor, not a ceiling, so that states can, if need be, quickly address the crises of their victims. VI. What Else Is Needed To Prevent and Resolve Identity Theft? 1. Security Breach Notification must extend to all states--All governmental agencies, and private industry, schools, and other entities should be held accountable to quickly notify all persons whose sensitive and personal information (paper and electronic files) were acquired by an unauthorized person. There should be an exception for encryption only if it is robust and if the unauthorized acquisition was not capable of being decrypted by an unscrupulous employee or customer. The standard of providing notice should be triggered by the acquisition of the data rather than the use of it. A bank or other entity who experiences a breach should not be allowed to determine the possibility of the misuse. The only delay of notice would be for law enforcement upon its written request. Allowing the business or entity to make the call as to when there might be a risk of harm is like allowing the wolf to tend the henhouse. There should be enforcement by the FTC, State attorneys general and private individuals. Any preemption should be a floor and not a ceiling so that states can protect their own citizens regarding unique needs. As a member of the advisory board of the California Office Of Privacy Protection, we created a list of ``Recommended Practices on Notification of Security Breaches Involving Personal Information'' as a guide for dealing with security breaches, please visit www.privacy.ca.gov to review those standards. 2. Governmental agencies as well as private industry should limit the use of the Social Security number since it is presently the key to kingdom of financial fraud--Our advisory board to the Office of Privacy Protection in the California Office of Consumer Affairs also had the privilege of developing the ``Recommended Practices for Protecting the Confidentiality of Social Security Numbers'' (www.privacy.ca.gov). This document should be considered by both pubic and private sector entities as a guide to protect all consumers. The Social Security number is used as the identifier for military cards and ``dog-tags,'' Medicare, Medicaid, pilot's licenses, captain's licenses, etc. No entity should be allowed to display, post, or sell the SSN. The SSN in public records should be redacted before posting. There should be no collection of SSNs by private or governmental agencies except where necessary for a transaction and there is no other reasonable alternative. SSNs collected for a specified purpose should not be used for any other purpose. 3. Mandatory Destruction of Confidential Information--Governmental agencies and private industry should be required to completely destroy personal information that they are discarding by shredding, burning or whatever means is necessary to protect the information from dumpster- diving. This should extend to any confidential and sensitive information--not just information derived from consumer reports. 4. Departments of Motor Vehicle Licensing--Bureaus should establish more stringent monitoring and matching of duplicate licensing and new licenses. A photo ID and a fingerprint could be matched. Rather than developing a ``national ID'' with various forms of biometric information, credit cards and other unnecessary information which would complicate the process and invade privacy, this license would help deter interstate identity theft without collecting too much information nor allow it to be accessed or sold to private industry. 5. Need for an Easier Process for Victims--Problems with the Fair and Accurate Credit Transactions Act (which was meant to make things easier for victims)-- a. An Identity Theft Report is needed in order for victims to get an extended fraud alert, block the fraud on their profile, and gain access to records of the fraud--FACTA was meant to streamline and help victims of identity theft. However, the new rules recently released by the FTC with regard to the ``Identity Theft Report'' clearly show the time-consuming maze that a victim must maneuver. Below is an example of the hassle of exerting your victim rights with regard to the FTC rule about the ``Identity Theft Report.'' ``An Identity Theft Report may have two parts: Part One is a copy of a report filed with a local, State, or Federal law enforcement agency, like your local police department, your State attorney general, the FBI, the U.S. Secret Service, the FTC, and the U.S. Postal Inspection Service. There is no Federal law requiring a Federal agency to take a report about identity theft; however, some State laws require local police departments to take reports. When you file a report, provide as much information as you can about the crime, including anything you know about the dates of the identity theft, the fraudulent accounts opened and the alleged identity thief. Note: Knowingly submitting false information could subject you to criminal prosecution for perjury. Part Two of an identity theft report (depends on the policies of the consumer reporting company and the information provider) (the business that sent the information to the consumer reporting company). That is, they may ask you to provide information or documentation in addition to that included in the law enforcement report which is reasonably intended to verify your identity theft. They must make their request within 15 days of receiving your law enforcement report, or, if you already obtained an extended fraud alert on your credit report, the date you submit your request to the credit reporting company for information blocking. The consumer reporting company and information provider then have 15 more days to work with you to make sure your identity theft report contains everything they need. They are entitled to take five days to review any information you give them. For example, if you give them information 11 days after they request it, they do not have to make a final decision until 16 days after they asked you for that information. If you give them any information after the 15-day deadline, they can reject your identity theft report as incomplete; you will have to resubmit your identity theft report with the correct information:'' (FTC Rules) This rule is not only cumbersome it is confusing and allows the credit reporting agencies to delay unnecessarily and it gives victims a run around. I have already heard from many victims who are frustrated, angry, and unable to block the fraud or even extend the fraud alert. b. Law enforcement agencies at the local, State and Federal level should develop a uniform ``identity theft report'' to be compliant with FACTA--and the FTC should determine what satisfies an ``identity theft report''--New provisions of the Fair Credit Reporting Act require a detailed ``identity theft report'' to send to the credit grantors, and the credit reporting agencies. If a proper identity theft report is sent to the credit reporting agencies they are required to do the following: place an extended fraud alert for 7 years, block all the fraud on the profile immediately; notify the creditor that the accounts are blocked. Additionally, if the victim provides a proper, identity theft report to the creditors, they must provide all documentation of the fraud to the victim and to the law enforcement agency within thirty days. Unfortunately, the agencies themselves are deciding what is ``proper'' and many victims contacted us because they are not able to appease the credit reporting agencies nor the credit grantors with the reports. So they cannot exert these rights afforded under the law and there is no private right-of-action to enforce these rights. The FTC should determine what will be acceptable as an identity theft report and facilitate the victim's report. It should be adhered to by law enforcement as well as the financial industry without imposing an arduous task upon the victim. Also, the victim should be able to get a police report in the jurisdiction where she lives even if the impostor is in another state. And, the case should be able to be prosecuted in the jurisdiction where the victim lives or the jurisdiction where the crime takes place. All police should be required to provide a proper identity theft report even if they do not have the resources to investigate the crime. c. Initial Fraud alert should be one year--FACTA allows a victim of a breach or fraud to place a fraud alert on credit profiles for at least 90 days with their first phone call. To extend the alert they must write a letter and provide an ``identity theft report. The initial fraud alert should be changed to at least 1 year especially because victims of a security breach may not be victimized for a long time. d. Free credit report for victim should be available by phone when calling in the fraud alert--Prior to the passage of FACTA, victims could order their free credit report to review their files at the same time they place a fraud alert. Now, the credit reporting agencies (except for TransUnion ``temporarily'') do not give the victim an opportunity to get the free credit reports in the initial phone notification of the fraud. They are later sent a letter notifying them of their right to a free report upon request. This is another delay which allows the impostor more time to do his ``dirty work,'' and this is an added burden for the victim and costlier for the creditor. The victim should be allowed to order the first of his two free reports during the initial fraud alert phone call. e. Victims should be provided a complete report upon disputing the fraud and the victim should be able to see the report that the creditors see--The CRAs are now sending corrections instead of complete corrected reports to victims. This is dangerous since other new fraud may appear on the report. Also--the report that a creditor receives is more comprehensive than the report that the victim sees, so this is not complete disclosure. 6. Funding for law enforcement for identity theft cases should be greatly increased since this is also a Homeland Security issue--All major metropolitan areas should be funded to set up identity theft task forces to include the Secret Service, the Postal Inspector, the Social Security Inspector, the FBI, INS, State attorney general and local law enforcement to collaborate in the investigation and prosecution of these crimes since suspected terrorists will need to utilize stolen identities to attempt their missions. 7. Law enforcement agencies should help victims of criminal identity theft--A Federal law should set forth steps for law enforcement to take (in conjunction with the judicial system), to assist victims of criminal identity theft. So a victim of criminal identity theft in California, whose impostor is in New York, could be declared innocent in New York as well as California. This would entail a national database of the criminal information and fingerprints. It would contain the order of the true person's fingerprints for comparison with the fingerprints of the impostor-criminal in New York. The court would enter a declaration of factual innocence and any warrants for the victim would be dismissed. All databases would be corrected so that background checks would not show the victim as having an arrest or criminal record. (See California law and package for victims to clear their criminal record www.privacy.ca.gov). 8. Set up State and Federal Offices for Privacy Protection--There should be a Federal office of privacy protection as well as State offices. The office of privacy protection should institute an ombudsmen office to assist citizens with identity theft and other serious privacy issues. It should also coordinate and review the various governmental offices of privacy to ensure oversight. 9. Credit Reporting Agencies-- a. Consumers should be able to put a complete freeze on their credit reports in order to prevent identity theft--This would enable the consumer to prevent their credit report from being accessed by a creditor without the specific authorization of release with a password. California, Texas, Vermont and Louisiana have passed such laws. It would be impossible for an impostor to apply for credit if there were a freeze on the file. The consumer would have the right to release the file when he so desires by a password or pin number. Every State should pass this legislation or if it is Federal legislation, then there needs to be a private right-of-action and no Federal preemption. b. Credit reporting agencies should provide to victims a COMPLETE REPORT when providing corrections--All reports should include the names, addresses and phone numbers of the companies who accessed the consumer's credit report, including inquiries with the issuance of a consumer report so that potential victims could verify the permissible purpose. c. Credit reporting agencies should notify a consumer by e-mail when his/her credit report has been accessed--The agency should be allowed to charge a minimal fee for this service--as to actual cost (i.e., $10 per year), d. Credit reporting agencies should set up hotlines with live persons to talk to victims of identity theft--A live employee in the fraud department should be assigned to a particular victim--so the victim doesn't have to re-explain all the problems in numerous letters. 10. Banks and other Creditors should be held accountable for protecting consumers and others from identity theft-- a. Creditors who issue credit to an impostor after a fraud alert is placed on a credit profile, should be held liable and the victim should have a private right-of-action to enforce his rights--Presently if a creditor ignores the fraud alert, only the Federal Trade Commission or other Federal agencies may bring and action and they clearly cannot enforce individual rights nor do they have the resources to deal with most of the violations. There should be a fixed penalty of at least $1000 per occurrence or actual damages, which ever is greater. b. Need for private enforcement of access to business records-- If a fraud victim provides notification of fraud and includes an ``identity theft report'' and an affidavit, under the FCRA, a creditor is required, within 30 days, to provide copies of all billing statements, applications and other documents of fraud to the victim and the designated law enforcement agency. Presently, victims are contacting us that many companies are refusing to provide the information without a subpoena. Victims presently have no private right to force a company to provide this data. Only the FTC, or other Federal agencies, may bring an action--but it cannot help an individual consumer. This must be changed so that there will be enforcement of the provision of the Act. c. Creditors should not be allowed to send ``convenience checks'' without a prior request by the consumer--I was told by a postal inspector that 35 percent of these checks are used fraudulently d. Credit grantors should not be allowed to send pre-approved offers of credit without a PRIOR the request of the consumer. Identity Theft Conclusions Personal, confidential, and financial information is a valued commodity in our society. Data brokers have flourished abundantly while selling and transferring your extensive, aggregated personal profiles which include your income, credit worthiness, buying, spending, traveling habits, heath information, age, gender, race, etc. Facts about our personal and financial lives are shared legally, and illegally, without our knowledge or consent--on-line and off-line everyday. Privacy protection in the age of data collection is really more about limiting access and instituting inspection and correction to our records, rather than keeping the information secret. We have lost control over the dissemination of our sensitive data, and this has led to the enormous epidemic of identity theft. The huge data breaches in recent months have shined the light on the immensity of the problem of identity thieves and the havoc they cause. But it also has enlightened our lawmakers to collaborate to create a new framework for reasonable regulation of the data broker industry. To avert identity theft, the burden is on the data brokers, and the financial industry who are in the unique position on the front end, to take precautions, require verification, and authentication of employees, vendors, business associates and customers, and refuse to sidestep fair information principles. Data brokers, the credit reporting agencies and the financial industry is in a powerful position to prevent the fraud before the impostor can establish a parallel ``shadow profile.'' I am hopeful that as a result of the gigantic breaches of sensitive information, that this Congress will create a regulatory framework for the information brokers that will protect our citizens and enable the Data Broker industry to help society. I encourage you to strongly consider the thoughtful and well reasoned language of S. 500, which implements the Fair Information Principles, yet acknowledges the importance the work that the data industry provides, while safeguarding the identity of every American. Thank you for the opportunity to share these concerns and suggestions with this Honorable Committee. Exhibit I Sample Auto Track Data on Fictitious Person From ChoicePoint National Comprehensive Report Plus Associates Compiled on 01/05/2002 at 3:39PM Reference: 123456 ZACHARY K THUL DOB: JAN 1955 SSN 960-45-XXXX issued in New York between 1968 and 1970 Possible AKA's for Subject THUL, ZACK K SSN: 960-45-XXXX Possible Other Social Security Numbers Associated with Subject THUL, ZACHARY K SSN: 690-45-XXXX THUL, ZACHARY K SSN: 690-45-XXXX **ALERT** A Death claim was filed for SSN 690-45-XXXX in FEB 1962. Possible Other Records/Names Associated with Social Security Numbers KIRBY, LOARDA SSN: 983-16-XXXX KIRBY, LORADA SSN: 960-45-XXXX Possible Driver Licenses THUL, ZACHARY K DL: T432117680470 issued in Ohio on 12/19/1996 expires 02/07/2001 DOB: 01/17/1955 Height: 5,08" 7891 W FLAGLER ST MIAMI, OH 38972 Possible Addresses Associated with Subject SEP-1997/DEC-2000--7891 W FLAGLER ST MIAMI, OH 38972 JUN-1995/AUG-1997--15 ROBY AVE (555) 123-4567 HAMPTON BAYS, NY 11238 JUN-1996/JUN-1996--1400 35TH ST K 4I SPRINGFIELD, FL 34090 MAY-1995/MAY-1995--4833 STORM ST APT 33 SPRINGFIELD, OH 34443 JUL-1994/JUN-1996--4833 STORM ST I33 SPRINGFIELD, OH 34443 SEP-1994/JUL-1995--305 WAYBREEZE BLVD COLUMBUS, OH 34209 DEC-1992/APR-1995--70 REARVIEW DR RIVERBEND, NY 11903 438 BULLSIDE TER W HACKENSACK, NJ 09348 The following is a sample National Comprehensive Report SM Plus Associates. The amount and type of records identified in a report will vary from subject to subject. All names and other information are fictional and are for illustrative purposes only. Any resemblance to real persons or public record information is unintentional. Some National Comprehensive Reports SM may locate a partial date of birth. Frequently, subjects of a National Comprehensive Report SM will be linked to other names because two public records reference two different names, but only one Social Security number. The most common reasons for these occurrences are: 1. Typographical errors 2. Jointly filed public records which list both the subject and the second name 3. Father and son who have the same name 4. Fraudulent use of a Social Security number The dates represent the approximate time period when the linked address appeared on a publicly available record document for the subject. The subject may or may not have resided at any of the addresses. Some public records link the subject to an address without noting a date range. Addresses without date ranges will appear at the bottom of the address list. Such an address may be current or historical. Underlined Items provide a Link to record details. Phone Listings for Subject's Addresses 1400 35TH ST W SPRINGFIELD, FL 34090 Over 100 phone numbers found, only same last name considered. 4833 STORM ST SPRINGFIELD, OH 34443 ACME RENTALS (555) 555-1935 305 WAYBREEZE BLVD COLUMBUS, OH 34209 THUL ZACHARY (555) 498-5525 Possible Real Property Ownership 4833 STORM ST SPRINGFIELD, OH 34443 Ohio Assessment Record--County of: CLARK Owner Name: THUL, ZACHARY Parcel Number: 998-8748-9448 Short Legal Desc: STORM ST IR PT LOT 7& ADK J S BUCKINGHAM AM EST Property Type: SINGLE FAMILY Recorded Date: Situs Address: 4833 STORM ST I 33 SPRINGFIELD, OH 34443 Mailing Address: 7891 W FLAGLER ST MIAMI, OH 38972 Assessment Year: 1995 Tax Year: 1997 Assessed Land Value: Market Land Value: $366,800 Assessed Improvements: Market Improvements: $192,000 Total Assessed Value: Total Market Value: $558,800 Most Recent Sale: $305,000 Prior Sale Price: A manual search of Real Property using the name THUL ZACHARY K is recommended. 4 additional property records exist (including historicals) but are not included, as they do not match all necessary criteria. Possible Deed Transfers 305 WAYBREEZE BLVD COLUMBUS OH 34209 Ohio Deed Transfer Records--County of: FRANKLIN Parcel Number: T545663 Legal Desc: LT 56 BLK 87 PB 14/38 Sale Price: $84,000 Loan Amount: $67,200 Contract Date: 8/14/1995 Lender: LIBERTY SAV BK Situs Addr: 305 WAYBREEZE BLVD COLUMBUS, OH 34209 Seller(s): THUL, ZACHARY K Buyer(s): SMITH, BART O Possible Vehicles Registered at Subject's Addresses 1400 35th ST K 4I SPRINGFIELD, FL 34090 Plate: K387KJ State: NY Date Registered: 08/14/1995 Expire Date: 08/29/2000 Title: 76174678 Title Date: 10/30/1998 OWNER: ZACHARY K THUL Color: WHITE This message probably indicates that a multi-unit building is located at this address. By comparing the list of Possible Addresses Associated with Subject with the listed phone numbers in the Phones module, the report finds phone numbers, which have been listed at the given address. In this report, one property record was found in Real Property SM which matched the subject's name and address and the properties situs address. This message indicates that additional records in Real Property SM match the subject's name, but none of these records had a situs address that matched an address found at the top of the report. These additional properties may belong to the subject or may simply belong to someone with the same name. Search Real Property SM by name for a complete list of possible properties. A list of states and counties for which AUTOTRACK XP SM has deed transfer records can be located by choosing the Help link from the blue AUTOTRACK XP SM navigation bar at the top of the screen. The property information returned from this database may differ from the information found in Real Property SM. (See the above note on Possible Property Ownership.) A list of states for which AUTOTRACK XP SM has vehicle registration records can be located by choosing the Help link from the blue AUTOTRACK XP SM navigation bar at the top of the screen. Underlined items provide a link to record details. 1999 DODGE GRAND CARAVAN SE DODGE GRAND CARAVAN SE--3.3L V6 SOHC FLEXFUE VIN: 2B5CD3595EK253648 MINIVAN Plate: ID036H State: FL Date Registered: 04/28/1999 Expire Date: 10/30/2000 Title: 77465960 Title Date: 09/29/1998 OWNER: ZACHARY K THUL Color: RED 1997 CHEVROLET S10 PICKUP CHEVROLET S10 PICKUP--2.2L L4 EFI OHV 8V VIN: 1GCCS144X8144822 PICKUP Possible Watercraft Owner: THUL ZACHARY Address: 70 REARVIEW DR RIVERBEND, NY 11903 Year: 1988 Length: 41.9, MFG: Reg Number: K989495 State Registered: NY Hull Const.: FIBERGLASS Hull Number: Use: PLEASURE Propulsion: INBOARD Fuel: GASOLINE Possible FAA Aircraft Registrations Owner: THUL ZACHARY K Year: 1957 Make: PIPER Model: PA-22 N-Number: N0225J Aircraft: FIXED WING SINGLE ENGINE Address: 4833 STORM ST I33 SPRINGFIELD, OH 34090 Possible UCC Filings Original Date: 02/09/1988 Action: INITIAL FILING Date: 1988 File State: OHIO Debtor: ZACHARY THUL Address: 305 WAYBREEZE BLVD COLUMBUS OH 34209 Secured Party: HOME SAVINGS & LOAN ASSOC AKRON OH Possible Bankruptcies, Liens and Judgments Court Location: EASTERN DISTRICT OF OHIO--FRANKLIN Filing Type: CHAPTER 7 DISCHARGE Filing Date: 08/14/1996 Case Number: 98555555 Release Date:12/18/1996 Creditor/Plaintiff: MARTIN T MARTINSON Amount: Debtor/Defender: THUYL ZACHARY K 305 WAYBREEZE BLVD SSN: 960-45-XXXX A list of states for which AUTOTRACK XP SM has Uniform Commercial Code lien records can be located by choosing the Help link from the blue AUTOTRACK XP SM navigation bar at the top of the screen. COLUMBUS, OH 34209 Attorney: MARTIN T MARTINSON Possible Professional Licenses Type: OHIO Professional License License Type: LICENSED SOCIAL WORKER Lic. Number: 42389 Status: ACTIVE Original Date: 01/10/1990 SSN: DOB: Phone: Full Name: THUL, ZACHARY K Address: 4833 STORM ST I33 SPRINGFIELD, OH 34090 County: CLARK Possible FAA Pilot Licenses Pilot Name: THUL, ZACHARY K FAA Class: PRIVATE PILOT FAA Rating: SINGLE ENGINE LAND Medical Class: THIRD CLASS--VALID FOR 24 MONTHS Medical Date: 07/19/98 FAA Region: NORTHWEST/MOUNTAIN--CO, ID, MT, OR, UT, WA, WY Address: 4833 STORM ST I33 SPRINGFIELD, OH 34090 Possible DEA Controlled Substance Licenses Business: PRACTITIONER Name: THUL, ZACHARY K MD Expires: 09/30/1999 Address: 7891 W FLAGLER ST MIAMI OH 38972 Authorized Drug Schedules: II, II, III, III, IV, V Possible Business Affiliations 15 ROBY AVE HAMPTON BAYS, OH 11238 STETSON HAULING, INC. OH 2543854 CHAIRMAN ACTIVE Officer Name Match Only (NOT necessarily affiliated) Matching Name : THUL ZACHARY K OLSON FAMILY PROPERTIES & INVESTMENTS, INC. MA 789123 REG AGENT ACTIVE TOO HOT TO HANDLE FL H76543 SECRETARY INACTIVE Possible Relatives (* denotes match with one of subject's addresses) (R-1) THUL CLAIRE DOB: DEC 1954 SSN 999-15-XXXX issued in New York in 1973 SEP 1994/JUL 1998--*305 WAYBREEZE BLVD COLUMBUS, OH 34209 Certain individuals and businesses are required to be registered under the Controlled Substance Act. Physicians, dentists, and veterinarians are among this group. For a more complete explanation and definition of the drug schedules, choose the Help link from the blue AUTOTRACK XP SM navigation bar at the top of the screen. A list of states for which AUTOTRACK XP SM has corporation records can be located by choosing the Help link from the blue AUTOTRACK XP SM navigation bar at the top of the screen. A person will qualify as a possible relative in the National Comprehensive Report Plus Associates SM if he or she has the subject's last name and has been linked to one or more of the same addresses which appear under Possible Addresses Associated with Subject on page 1. The asterisks indicate an address match between the possible relative and the subject of the report (see Possible Addresses Associated with Subject on page 1). JUL 1995/JUL 1995--*15 ROBY AVE (555) 123-4567 HAMPTON BAYS, NY 11238 OCT 1994/OCT 1996--355 LAVERNE AVE COLUMBUS, OH 34492 DEC 1992/DEC 1996--*70 LAKEVIEW DR RIVERHEAD, NY 11901 (R-2) THUL TOMMY DOB: DEC 1995/DEC 1996--599 MAIN ST RIVERBEND, NY 11093 APR 1995/AUG 1995--355 LAVERNE AVE COLUMBUS, OH 34492 Other People Who Have Used the Same Address of the Subject (* denotes match with one of subject's addresses) 15 ROBY AVE HAMPTON BAYS, NY 11238 (O-1) GENNINE LOWELL SSN 972-45-XXXX issued in New York between 1966 and 1969 SEP 1993/SEP 1994--5 NEWTON AVE HAMPTON BAYS, NY 12983 12 M BAY ST HAMPTON BAYS, NY 13987 *15 ROBY AVE HAMPTON BAYS, NY 11238 305 WAYBREEZE BLVD COLUMBUS, OH 34209 (O-2) MARIE G SMITH SSN 991-25-XXXX issued in New Jersey in 1962 SEP 1993/SEP 1994--*305 WAYBREEZE BLVD COLUMBUS, OH 34209 AUG 1995/AUG 1996--301 BAYSIDE TER CHARLOTTE, OH 34258 SEP 1993/SEP 1994--*438 BULLSIDE TER W HACKENSACK, NJ 09348 Possible Licensed Drivers at Subject's Addresses 7891 W FLAGLER ST MIAMI, OH 33144 THUL, EDWARD H DL: T600465 issued in Ohio on 07/27/1994 expires 09/11/2000 DOB: 04/19/1969 Height: 5,02" 1400 35TH ST K 4I SPRINGFIELD, FL 34090 **No Drivers Found At This Address** 4833 STORM ST I33 SPRINGFIELD, OH 34443 **91 Drivers found at this address, only last name considered. ** **No Drivers Found At This Address** 305 WAYBREEZE BLVD COLUMBUS, OH 34209 THUL, STACEY B DL: T600788 issued in Ohio on 07/24/1994 expires 04/27/2001 DOB: 05/26/1926 Height: 5,04" Driver License Information is unavailable for the following states: NEW YORK, NEW JERSEY The report will attempt to locate a brief list of addresses for the possible relative. To possibly locate more current addresses for the relative, run a report by clicking on the underlined link. A person will qualify for this category in the National Comprehensive Report SM Plus Associates if he or she has a last name different from the report subject's last name and has been linked to one or more of the same addresses, which appear under Possible Addresses Associated with Subject on page 1. A person may be linked to one of the same addresses as the subject, even though he or she has never known the subject. Two people might be linked to the same address but at different time periods. For example, one person could be a former resident of the address where the subject now resides. Multiple address matches with the subject, denoted by multiple asterisks, will identify people who have a greater likelihood of knowing the subject. This message probably indicates that a multi-unit building is located at this address. Neighbor Phone Listings for Subject's Addresses (only first six addresses included) 7891 W FLAGLER ST MIAMI, OH 33144 STATER OFFICE PRODUCTS 7895 W FLAGLER ST (555) 555-0482 BIG ED'S MUFFLER SHOP 7897 W FLAGLER ST (555) 555-3358 BUD'S USED CARS 7900 W FLAGLER ST (555) 555-8288 15 ROBY AVE HAMPTON BAYS, NY 11238 FELLINGHAM MIKE 4 ROBY AVE (555) 555-8697 SCOTT GORDON G 6 ROBY AVE (555) 555-1297 GHERSI JOHN 8 ROBY AVE (555) 555-6819 ELIAS SIMON 9 ROBY AVE (555) 555-2659 SCALCIONE STAN 10 ROBY AVE (555) 555-8425 CANGIANO F P 12 ROBY AVE (555) 555-5217 CORCORAN STEVE 26 ROBY AVE (555) 555-9917 1400 35TH ST K SPRINGFIELD, OH 34443 AHRENDT DAN 1400 35 ST K (555) 555-1664 ALPIN JEFF 1400 35 ST K (555) 555-8117 AMBROSE A 1400 35 ST K (555) 555-7553 APURTON J 1400 35 ST K (555) 555-0735 ARNOLD ROBY 1400 35 ST K (555) 555-4071 BAKER C R 1400 35 ST K (555) 555-8490 BALCHUNAS TERRY 1400 35 ST K (555) 555-5753 BAMBERGER RICHARD 1400 35 ST K (555) 555-8203 The following databases were searched but data for the subject was not found: ABI Business Directory, Active U.S. Military Personnel, Broward County Felonies/Misdemeanors, Broward County Traffic Citations, Federal Firearms and Explosives License, Florida Accidents, Florida Banking and Finance Licenses, Florida Beverage License, Florida Boating Citations, Florida Concealed Weapon Permits, Florida Day Care Licenses, Florida Department of Education, Florida Felony/Probation/Parole, Florida Fictitious Name, Florida Handicap Parking Permits, Florida Hotels and Restaurants, Florida Insurance Agents, Florida Marriages, Florida Money Transmitter Licenses, Florida Salt Water Product Licenses, Florida Securities Dealers, Florida Sexual Predator, Florida Tangible Property, Florida Tobacco License, Florida Unclaimed Property, Florida Worker's Compensation Claims, Marine Radio Licenses, Significant Shareholders, Trademarks/Service Marks, and state-specific databases. ***End of Report SS--009/01*** Control Numbers: 5661614--5661620--1BF47FA5975FBA0 Exhibit II--The Wall Street Journal Online, May 2, 2005 In the last few months, several major companies reported that customer data, including credit-card information, was compromised. The list includes: ------------------------------------------------------------------------ Date announced to Number of Affected Security Company general people data breach Response public affected ------------------------------------------------------------------------ ChoicePoin Feb. 15 About Addresses, Thieves Informed t--compil 145,000 Social posing as Federal er of consumers Security legitimat authoriti consumer had data numbers e es. Will data. in the and customers no longer system. credit bought sell At least reports. informati sensitive 750 fraud on. , cases are personal known. data to clients other than governmen tal agencies, accredite d corporate customers or other businesse s whose use is driven by a consumer- initiated transacti on. Bank of Feb. 25 Holders of Social Computer Contacted America-- as many Security backup Federal bank and as 1.2 numbers. tapes authoriti credit- million were es, then card Federal lost. consumers company. Governmen . t charge cards. DSW Shoe March 8 Initially, Credit- Hackers Reported Warehouse the theft and debit- stole to -shoestor was said card, data from Federal e chain, to be checking a authoriti a unit of limited account database es. Retail to about and for 108 Customers Ventures 100,000 driver's of the advised Inc. customers license chain's to check ; a month numbers, 175 credit- later, it and stores. card was personal- statement raised to shopping s. 1.4 informati million. on. LexisNexis March 9 Initially, Social Unauthoriz Informed -consolid data for Security ed use of Federal ator of as many numbers customer authoriti legal and as 32,000 and logins es and business consumers driver's and consumers informati was at license passwords , on, a risk. A numbers. . improved division month security, of Reed later, limited Elsevier raised to customer PLC. about access to 310,000, personal though data. only 59 incidents of illegal action are known. Boston March 17 Database Addresses Intruder Notified College* included and hacked affected records Social into a alumni. on Security school 120,000 numbers. computer alumni. operated by an outside fundraise r. Polo Ralph April 14 As many as Credit- n.a. Card Lauren--c 180,000 card issuer lothing customers data. HSBC retailer. who hold notified GM- consumers branded . MasterCar ds. Ameritrade April 19 About Varies by Backup Notified -online 200,000 customer. computer affected discount current tape was consumers stock and lost in . broker. former shipping. customers from 2000 to 2003. Time May 2 About Social Backup Notified Warner--m 600,000 Security computer those edia current numbers tape was affected. conglomer and and lost in ate. former details shipping U.S. on by an employees beneficia outside back to ries and data- 1986. dependent storage s. company. ------------------------------------------------------------------------ *Other recent university-level security breaches occurred at California State University-Chico, University of California-Berkeley, Tufts University and Northwestern University. Sources: WSJ, Associated Press, the companies. Note: Unless where noted, these are cases of data being at risk, not of data being fraudulently used. In all cases the stolen data included the names of the affiliated consumers. Senator Smith. Thank you very much. This hearing has to conclude at 5 o'clock. And so, with that, I'll let Senator Nelson--I know he has a number of questions. Senator Bill Nelson. OK. And, Mr. Chairman, what I'll do is submit most of them in writing for the record. But let me just go through a couple of questions each for each of the four of you. Ms. Barrett, there was a report that, in your company, you had the theft of information through a person gaining illegal access to sensitive, personal information of 20 million people. When your company was alerted about this breach, Acxiom allegedly alerted its clients, but not the individual consumers that had been affected. Is it true--this report that's in a book that we have read, entitled, ``No Place to Hide''--is it true that someone gained access to the sensitive records of 20 million people? Ms. Barrett. No, it's not, Senator. The incident occurred in 2003. It was a server that our clients use to transfer files to us for processing, and then we posted the results of that processing back on the file--on the server, to be transferred back to the client. The theft did involve many, many records. And, while that 20 million number may be ballpark in terms of how many records were involved, that did not necessarily represent individuals. And it certainly in no way represented sensitive information. The standard for that particular server was that information of a sensitive nature--Social Security number and so forth--be encrypted. Senator Bill Nelson. Did law enforcement later search the perpetrator's home and find a CD that contained the Acxiom data? Ms. Barrett. Yes. There were actually two perpetrators involved in this. And in one incident the perpetrator had copied information onto a CD and had it in his possession when law enforcement apprehended him. Senator Bill Nelson. And did that include the 20 million records? Ms. Barrett. I don't know exactly how many records were on those CDs. We worked with law enforcement to identify the files that were involved. But it would have contained some of that information. Senator Bill Nelson. Well, if it--I mean, that's what--the purpose of this hearing. We're trying to point out what the problem is, and if there's a CD in somebody's home that they illegally stole, and it's got 20 million records, that's 20 million potential thefts. Ms. Barrett. It did not have 20 million records containing sensitive information. Senator Bill Nelson. How many did it have? Ms. Barrett. The CD? Senator Bill Nelson. Yes. Ms. Barrett. I do not know. I can try to get an estimate of that information for you. Senator Bill Nelson. And when you say ``not sensitive information,'' is a Social Security number sensitive information? Ms. Barrett. Absolutely. Senator Bill Nelson. How about a driver's license number? Ms. Barrett. Absolutely. Senator Bill Nelson. So---- Ms. Barrett. I would define ``sensitive information'' in the way that California has defined it in their notice-breach law. Senator Bill Nelson. But you don't know how many numbers were taken from the company. Ms. Barrett. How many sensitive-information---- Senator Bill Nelson. That's correct. Ms. Barrett. We do not know, exactly. Our clients sent us this information. In some cases, it's encrypted, and--in many cases, the sensitive information is encrypted; in some cases, nonsensitive information is encrypted. When we send the files back to the clients, what happened after the breach was, we identified which files had been accessed inappropriately and illegally, and our clients went through an inventory of exactly what data was included in those files. In many cases, we did not have the data in our possession. Senator Bill Nelson. Mr. Chairman, the point that I'm merely making here, instead of quibbling at the numbers, is that, so often--obviously, the company doesn't want people to know that somebody has gained illegal access to the information. And the information is often described in a certain figure. And in the case of both ChoicePoint and LexisNexis, the first figure that was given out publicly was much, much less than what it ultimately was. In the case of LexisNexis--and I'm a little more sensitive to this, because it was a Florida company that they had acquired--and they first said it was 30,000, and then they admitted that it was 300,000. So, we've got--I think the whole point here is, instead of quibbling with you about 20 million or one million or whatnot, that we've got a problem. All right, let me ask you about--you had made some assertions--specifically, an e-mail, Ms. Barrett, on May 21, 2002, to John Poindexter. And in that e-mail, you allegedly stated--and tell us if this is true--quote, ``The U.S. may need huge databases of commercial transactions that cover the world,'' and that Acxiom could build this mega-scale database. Why would such a--why would such a database of commercial transactions be necessary? And what steps has Acxiom taken to create this database? Ms. Barrett. Senator, I'm not familiar, specifically, with the e-mail that you're referring to. Senator Bill Nelson. Did you send---- Ms. Barrett. Back in---- Senator Bill Nelson.--an e-mail to John---- Ms. Barrett. I did not---- Senator Bill Nelson.--Poindexter? Ms. Barrett.--personally send an e-mail to John Poindexter, no. I would--could check and see if someone from our company did. We worked with the Department of Defense and some of the staff on John Poindexter's--in John Poindexter's organization back in 2002, in an advisory capacity talking about some of the projects that he was exploring. And, specifically, we advised that Department that there were significant privacy concerns that needed to be taken into account in the development of any kind of large-scale databases. Senator Bill Nelson. That information, supposedly--and we'll check it out--was obtained under the Freedom of Information Act by the Electronic Privacy Information Center. And that's---- Ms. Barrett. I'm---- Mr. Rotenberg. Senator, the e-mail is on our website. Ms. Barrett. The e-mail is an e-mail--if it's the specific situation we're talking about with EPIC, the e-mail is not from me; it is from a member of John Poindexter's staff. Senator Bill Nelson. OK, thank you for clarifying that. Rather chilling. ``The U.S. may need huge databases of commercial transactions to cover the world.'' Let me ask you, Mr. Rotenberg, the Privacy Act of 1974, in part, prevented the Federal Government from creating central databases where all personal information could be stored for government access. It now appears at least some levels of government are out-sourcing this task to information brokers, witness my further--earlier questioning about Seisint and the database called Matrix. In your opinion, is the Federal Government complying with the letter and the spirit of the law of the Privacy Act of 1974? Mr. Rotenberg. No, it's not, Senator. In fact, one of the things that we realized as we pursued a Freedom of Information Act request involving ChoicePoint was the extraordinary amount of personal information that was being obtained by Federal agencies for law enforcement purposes. Now, we don't dispute that the information may have value for investigations. We understand that. The question is whether there is any legal safeguard in place to ensure that the Privacy Act principles, such as due process and oversight and protection of First Amendment freedoms, are being respected. And our view is that, in the absence of explicit application of the Privacy Act to the information brokers, the answer is that there is not the protection of the 1974 Act, as there should be. Senator Bill Nelson. Just quick questions here, because the Chairman needs to get out of here. Do you think the legislation that Senator Schumer and I have filed would help restore greater consumer privacy and reduce identity theft? Mr. Rotenberg. Yes, I do, Senator. And I think it is absolutely urgent for the Committee to act on it. One of the points that I make in my written statement is that the problem of identity theft is rapidly escalating in this country. In fact, today the Senate may take up the Real ID Act, a dramatic expansion of identification credentials in this country, without even any debate. And you may be interested to know that state DMVs have become the targets of identity thieves. Senator Bill Nelson. Mr. Kurtz, what do you think about the legislation that we filed? Mr. Kurtz. Well, first of all, I want to commend you and Senator--Senator Nelson and Senator Schumer for taking the lead on pulling together legislation in this space. I think there are several good points with regard to the legislation. First, notice, mandatory notice, and the scope which you've applied with regard to the notice. You've noted that it's broader than just the data brokers that we need to think about. Two, you've talked about reasonable security measures and the importance of that. And I would note, in that space, under the Privacy Act, there are reasonable measures that need to be taken by the Federal Government in order to secure Social Security numbers and dates of birth and the like. Three, you've given victims a place to go. We, at the Cyber Security Alliance, get a lot of calls, ``Where do we go? Who are we supposed to talk to?'' You can report it in to the FTC, as it is right now, but, frankly, they have limited means in order to deal with it. They can keep it in the Sentinel database and track things, but they don't actually have an apparatus where you can go to actually do follow-up. And, the final point that I would make--and I'm probably leaving something out--is the importance of leadership. You've identified the need to have the executive branch take a greater leadership role in cybersecurity overall, understanding that this is just not one single slice of an issue. All these issues that we've dealing with--phishing, spyware, data-warehouse security--they're all interconnected. Having an Assistant Secretary at DHS to be that strategic leader would be incredibly helpful. Senator Bill Nelson. Thank you for that. I mean, and that underscores the next part of this legislation, which is protection of the homeland, as well as protection of our individuals. Thank you, Mr. Chairman. Senator Smith. Thank you, Senator Nelson. Senator Pryor, do you have a question? Senator Pryor. Mr. Chairman, if you need to head out, I can---- Senator Smith. Go ahead. Senator Pryor. OK. Because I don't mind taking over the leadership of this Committee. I don't think I can do a whole lot of damage from here. [Laughter.] Senator Pryor. As much as I'd like to. [Laughter.] Senator Pryor. But I can--I'll be glad to. If you need to run, please just--I'll try to make my questions brief. Mr. Rotenberg---- Senator Bill Nelson. We can do a mark-up if he leaves. [Laughter.] Senator Pryor. That's right. If you'd just leave---- [Laughter.] Senator Pryor.--and allow us a little time here by ourselves, we would appreciate it. Do you mind? [Laughter.] Senator Smith. I trust you guys implicitly, but I think my colleagues might question my wisdom, I'm sure. [Laughter.] Senator Pryor. Mr. Rotenberg, let me start with you, if I may. I want to know what your experience has been with credit- freeze laws in the states. And I'm seeing a story here--I believe it comes out of Texas, or maybe Vermont, I'm not quite sure--but can you tell us, first, what credit freeze is, and how it's worked, if you think it's a good idea? Mr. Rotenberg. Sure. Senator, I think it's a very good idea. Simply stated, what a credit freeze does is puts your credit report in the off-setting. In other words, it isn't disclosed to others unless you decide that you want to make your credit report available. Currently, credit reports are widely available. They're used for very many purposes that most consumers aren't aware of. And what the four states have done that have passed credit-freeze legislation, has been to basically say to consumers, ``If you need to get a home mortgage, if you need a loan for the car, sure, you're going to want to make your credit report available. But, otherwise, that report will stay in the off-setting, and others won't get access to it.'' And we think it's a very sensible way to reduce the risk of identity theft. Ms. Frank. May I add something? Senator Pryor. Yes. Ms. Frank. Our State was the first State to ask for it, and I helped with that legislation. The reason we had a need for a security freeze is because the fraud alerts weren't working. In other words, when you became a victim of identity theft, you could call the credit-reporting agencies and put a fraud alert on your credit profile, and it says, ``Don't issue credit without calling me first.'' What we were finding is that myriad victims would have that fraud alert on their credit profile, yet there were creditors that still issued credit. So, we went to the legislature and said, ``We need something that is going to be a real key to lock the door.'' And so, the credit freeze is such that a victim, or even, in our State, a consumer, can write to the credit-reporting agencies--and if you're a victim, for free--you can put this credit freeze on, which gives you a password. So, let's say I have a credit freeze on my credit report and I want to go out and buy a car. I can unfreeze, or ``thaw,'' with my password for a specific industry, like all the car dealerships, or I can do it for everyone. And then I refreeze it. Now, if you're a non-victim, you pay $10 to freeze it or non-freeze it. If fraud alerts worked, which now you know, it's written into the FACTA, which is the Fair and Accurate Credit Transactions Act--if they really worked 100 percent, and people called you, that would be one thing. But under FACTA, if a creditor issues credit when there's a fraud alert on your credit report, you have no private right-of-action. You have no recourse. And so, I'm telling all California citizens, and those who are in the states that have this freeze, the only way you can guarantee that you can protect yourself from financial identity theft is to use the freeze. It won't help you for criminal identity theft, but it will help you for financial. Senator Pryor. OK. Well, I--thank you for that. Ms. Frank, let me ask you, while we're talking about this--changing gears a little bit--but we know that data brokers have information like Social Security numbers, dates of birth, you know, street addresses, records of what we purchase, you know, things like that, but can you give me some examples of information--if you know any--examples of information that are so intensely private that the data should never be allowed to be shared? Ms. Frank. Well, if you look at my written testimony, on page 17---- Senator Pryor. OK. Ms. Frank.--you will find an exhibit of an actual sample of AutoTrack, which is from ChoicePoint. It has not only the Social Security number, date of birth, aka's, and then it says ``other possible Social Security numbers.'' Senator Pryor. OK. Ms. Frank. It also has, if you look down here, driver's licenses, height, weight--let's see--past addresses. You go down here, and it has other things, like, hmm, you name it, it's in here, places you've lived, cars you've bought, boats or anything like that, if you have a pilot's--any kind of license you ever had, any problem with the license, if you were ever suspended for something, deeds, all the deeds that you've ever owned. Now, some of these are public records. Now, I want to say one thing about public records. Death certificates, birth certificates, marriage certificates, they have your Social Security number. In the State of California, we have passed laws to redact those numbers, because your mother's maiden name, for example, is on your birth certificate, and your parents' Social Security number is on your birth certificate. OK. So, if you look at this--I don't want to take--I'm seeing the red light coming on--you can look, yourself, for-- this thing goes from page 17 all the way to page 23 of all the things--24. Senator Pryor. But are you saying that some of that is so intensely private that it should not be shared? Ms. Frank. Well, if you got this, which I have seen on other people--if you got this, you would have an entire package to take someones identity--it even says your family and your neighbors and your family's name--the members of your family, who lives there, what licenses they have. And it even gives neighbors around the block. So, basically, if somebody wanted to steal your identity, Senator, they'd have everything that they need to talk about who you are, what properties you've owned, where you've lived. So, what I'm saying, it's the entire profile that is so terribly frightening, and the Social Security number, at this point, is the key to the kingdom of identity theft. And it's all in here. Senator Pryor. OK. One last question, if I may, Mr. Chairman, and this is for Ms. Barrett, and that is--you mentioned, during your testimony a few moments ago, that your company encrypts data. If we required all companies that handle, you know, personally identifiable data--if we required them to encrypt it, would that help solve this problem? Ms. Barrett. Yes, I think it would. Encryption is a wonderful tool for protecting data, both in the static state, as well as in transit. And as one of the--it was mentioned earlier, information in transit is one of the riskier areas where identity thieves have an opportunity to take hold of data. Encryption is not as easy as we would like for it--to think it is. It's not a plug-and-play kind of thing for companies to do. But we need all the incentives we can to make it much more of a universal standard. Ms. Frank. Senator, one thing. If we had encryption, it would not have helped in the ChoicePoint, when it's a dirty insider. So--and, also, if you have somebody in the IT department who can un-encrypt--so, if you had encryption, that's great, but you have to have an exception for security notice if it is a dirty insider. Senator Pryor. Mr. Chairman, I'm sorry, I think Mr. Kurtz had a---- Mr. Kurtz. Yes. Senator, Pryor, I just wanted to add--I think what California 1386 did, which I thought was rather elegant, was, they didn't mandate that encryption be used. They said that, for any unencrypted breach of information, that the owner of the information needed to be notified. I think the point that I guess I'm trying to make here is, we need to think more broader--broadly, and not just a technology mandate of one type of technology--or, excuse me, no mandates of specific type of technologies; let's look at the whole set of tools that are available which are, in fact, technologies, policies, and expertise that need to be brought together. And I've outlined that in my written testimony for you folks to review. Senator Smith. So, it left it up to the companies and technologies to---- Mr. Kurtz. Yes, in fact---- Senator Smith.--to meet the standard, rather than to prescribe a standard. Mr. Kurtz. Yes. And, in fact, we haven't talked about standards today, but there are standards out there that people can look and turn to in order to get some guidance as to what they might need to do in order to secure their systems. There are--you know, there are international standards, there are American standards that people could look at that could really be used for folks to turn to. Now, sometimes they're criticized for being too broad, or to general, but there are some, you know, if you will, key guideposts there that companies can look at, or you could ask companies to look at, in order to ensure they're doing the right thing. Senator Smith. And their motivation is, they've got legal liability for that. Mr. Kurtz. That's an issue that the Congress might consider investigating. What type of incentives might you build into this in order to get folks to go down that road? Senator Smith. Well, what did California do? What was their elegant solution? What was it? Mr. Kurtz. Their elegant solution was, they didn't require encryption. Senator Smith. So, if they didn't require it, did they just give them the assignment and left open the liability? Mr. Kurtz. Excuse me. I don't have the language in front of me, but it basically said for any unencrypted breach of information, there's a requirement to notify. So, if you unpack that, it means that if you encrypt, there is not an obligation to notify. Ms. Frank. And we're thinking of amending that for--you know, we like the idea of encryption, but we're thinking of amending it for those who know that there was access without encryption. Senator Smith. What's the penalty if they don't do all of that? Ms. Frank. Well, they can be sued. Senator Smith. OK. That's what I'm getting at. Mr. Kurtz. Oh. Senator Smith. And do they specifically address that, or do they leave it open, do you recall? Ms. Frank. Well, I'm trying to think exactly what the language says, since---- Senator Smith. That's OK. Ms. Frank. I can send it to you. I'll give it you. Senator Smith. Senator, did you have any more questions? Senator Pryor. All I was going to say is really just a comment. I notice in this month's Fortune magazine, there's a article called ``The Great Data Heist,'' and, in there, they talk about how security information typically walks out the door in one of three ways--hackers grab it, employees steal it, or companies lose it. And I think that's probably right. I assume you all would agree with that. And so, what you're saying is right. Encryption, I think, is an important piece of this, but it doesn't solve all the problems. It doesn't--it's not a cure-all. Mr. Kurtz. It's not a panacea. Senator Pryor. Yes. Thank you, Mr. Chairman. Senator Smith. Thank you, Senator Pryor. And, ladies and gentlemen, thank you each for the contribution you've made to this first very important hearing on a very vital topic to the American people. We will, no doubt, be pursuing legislative proposals. The Chairman, Senator Stevens, has so indicated. But I think you have laid a good foundation in this hearing today, and we thank you very much for your time and contribution. We're adjourned. [Whereupon, at 5:15 p.m., the hearing was adjourned.] A P P E N D I X Prepared statement of Gail Hillebrand, Senior Attorney, Consumers Union Identity for Sale? Protecting Consumers from Identity Theft Summary Consumers Union, \1\ the non-profit, independent publisher of Consumer Reports, believes that the recent announcements by ChoicePoint, Lexis-Nexis, and many others about the lack of security of our most personal information underscores the need for Congress and the States to act to protect consumers from identity theft. --------------------------------------------------------------------------- \1\ Consumers Union is a non-profit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education and counsel about goods, services, health and personal finance, and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. Consumers Union's income is solely derived from the sale of Consumer Reports, its other publications and from noncommercial contributions, grants and fees. In addition to reports on Consumers Union's own product testing, Consumer Reports with more than four million paid circulation, regularly, carries articles on health, product safety, marketplace economics and legislative, judicial and regulatory actions which affect consumer welfare. Consumers Union's publications carry no advertising and receive no commercial support. --------------------------------------------------------------------------- Identity theft is a serious crime that has become more common in recent years as we have delved further into the ``information age.'' According to the Federal Trade commission, 27.3 million Americans have been victims of identity theft in the past five years, costing businesses and financial institutions $48 billion and consumers $5 billion. Victims pay an average of $1,400 (not including attorney fees) and spend an average of 600 hours to clear their credit reports. The personal costs can also be devastating; identity theft can create unimaginable family stress when victims are turned down for mortgages, student loans, and even jobs. And as ongoing scandals involving ChoicePoint, Lexis-Nexis, and others point to, American consumers cannot fully protect themselves against identity theft on their own. Even consumers who do ``everything right,'' such as paying their bills on time and holding tight to personal information such as Social Security numbers and dates of birth, can become victim through no fault of their own because the companies who profit from this information have lax security standards. Therefore, Congress and the States must enact new obligations grounded in Fair Information Practices \2\ on those who hold, use, sell, or profit from private information about consumers. In this context, Fair Information Practices would reduce the collection of unnecessary information, restrict the use of information to the purpose for which it was initially provided, require that information be kept secure, require rigorous screening of the purposes asserted by persons attempting to gain access to that information, and provide for full access to and correction of information held. --------------------------------------------------------------------------- \2\ The Code of Fair Information Practices was developed by the Health, Education, and Welfare Advisory Committee on Automated Data Systems, in a report released two decades ago. The Electronic Privacy Information Center has described the Code as based on these five principles: (1) There must be no personal data recordkeeping systems whose very existence is secret. (2) There must be a way for a person to find out what information about the person is in a record and how it is used. (3) There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent. (4) There must be a way for a person to correct or amend a record of identifiable information about the person. (5) Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data. Electronic Privacy Information Center, http://www.epic.org/privacy/consumer/ code_fair_info.html. --------------------------------------------------------------------------- Consumers Union Recommends That Lawmakers Do the Following Require notice of all security breaches: Impose requirements on businesses, nonprofits, and government entities to notify consumers when an unauthorized person has gained access to sensitive information pertaining to them. Consumers Union supports S. 751, by Senator Dianne Feinstein, which would put these requirements in place. We also believe that S. 768, introduced by Senator Charles Schumer and Senator Bill Nelson, will make an excellent notice of breach law. Require and monitor security: Impose strong requirements on information brokers to protect the information they hold and to screen and monitor the persons to whom they make that information available. S. 768, as well as S. 500 and H.R. 1080, introduced by Senator Bill Nelson and Representative Ed Markey, respectively, would direct the Federal Trade Commission to develop such standards and oversee compliance with them. Give consumers access to and a right to correct information: Give individuals rights to see, dispute, and correct information held by information brokers. This is also addressed in the Schumer/Nelson and Nelson/Markey bills. Protect SSNs: Restrict the sale, collection, use, sharing, posting, display, and secondary use of Social Security numbers. Require more care from creditors: Require creditors to take additional steps to verify the identity of an applicant when there is an indicator of possible ID theft. Grant individuals control over their sensitive information: Give individuals rights to control who collects--and who sees-- sensitive information about them. Restrict secondary use of sensitive information: Restrict the use of sensitive, personal information for purposes other than the purposes for which it was collected or other uses to which the consumer affirmatively consents. Fix FACTA: A consumer should be able to access more of his or her Fair and Accurate Credit Transactions Act (FACTA) rights, such as the extended fraud alert, before becoming an ID theft victim. Further, one of the key FACTA rights is tied to a police report, which victims still report difficulty in getting and using. Create strong and broadly-based enforcement: Authorize Federal, State, local, and private enforcement of all of these obligations. Recognize the role of states: States have pioneered responses to new forms of identity crime and risks to personal privacy. Congress should not inhibit states from putting in place additional identity theft and privacy safeguards. Provide resources and tools for law enforcement: Provide funding for law enforcement to pursue multi-jurisdictional crimes promptly and effectively. Law enforcement also may need new tools to promote prompt cooperation from the Social Security Administration and private creditors in connection with identity theft investigations. After a very brief discussion of the problem of identity theft, each recommendation is discussed. The Problem of Identity Theft Is Large and Growing Current law simply has not protected consumers from identity theft. The numbers tell part of the story: According to the Federal Trade Commission, 27.3 million Americans have been victims of identity theft in the last five years, costing businesses and financial institutions $48 billion, plus another $5 billion in costs to consumers. Commentator Bob Sullivan has estimated that information concerning two million consumers is involved in the security breaches announced over just the six weeks ending April 6, 2005. Is Your Personal Data Next?: Rash of Data Heists Points to Fundamental ID Theft Problem, http://msnbc.msn.com/id/ 7358558 Based on a report to the FTC in 2003, which concluded that there were nearly 10 million identity theft victims each year, Consumers Union estimates that every minute 19 more Americans become victims of ID theft. These numbers can't begin to describe the stress, financial uncertainty, lost work-time productivity and lost family-time identity theft victims experience. Even financially responsible people who routinely pay their bills on time can find themselves in a land of debt collector calls, ruined credit and lost opportunities for jobs, apartments, and prime credit. With more and more scandals coming out every week, the time has come for Congress to act to protect the security of our personal information. Recommendations Notification Notice of security breaches of information, whether held in computerized or paper form, are the beginning, not the end, of a series of steps needed to begin to resolve the fundamental conundrum of the U.S. information U.S. society: collecting information generates revenues or efficiencies for the holder of the information but can pose a risk of harm to the persons whose economic and personal lives are described by that information. The first principle of Fair Information Practices is that there be no collection of data about individuals whose very existence is a secret from those individuals. A corollary of this must be that when the security of a collection of data containing sensitive information about an individual is breached, that breach cannot be kept secret from the individual. Recognizing the breadth of the information that business, government, and others hold about individuals, Consumers Union recommends a notice of breach requirement that is strong yet covers only ``sensitive'' personal information, including account numbers, numbers commonly used as identifiers for credit and similar purposes, biometric information, and similar information. This sensitive information could open the door to future identity theft, so it is vital that people know when this information has been breached. Consumers Union supports a notice-of-breach law which does the following: Covers paper and computerized data. Covers government and privately-held information. Does not except encrypted data. Does not except regulated entities. Has no loopholes, sometimes called ``safe harbors.'' Is triggered by the acquisition of information by an unauthorized person. Requires that any law enforcement waiting period must be requested in writing and be based on a serious impediment to the investigation. Gives consumers who receive a notice of breach access to the Federal right to place an extended fraud alert. Consumers Union supports S. 751, which contains these elements. S. 768 contains most, but not all, of these elements and in certain other respects provides additional protections. Three of these elements are of special importance: covering all breaches without exceptions or special weaker rules for particular industries, covering data contained on paper as well as on computer, and covering data whether or not it is encrypted. First, a ``one rule for all breaches'' is the only way to ensure that the notice is sufficiently timely to be useful by the consumer for prevention of harm. ``One rule for all'' is also the only rule that can avoid a factual morass which could make it impossible to determine if a breach notice should have been given. By contrast, a weak notice recommendation such as the one contained in the guidance issued by the bank regulatory agencies \3\ cannot create a strong marketplace incentive to invest the time, money, and top-level executive attention to reduce or eliminate, future breaches. --------------------------------------------------------------------------- \3\ That weak recommendation allows a financial institution to decide whether or not its customers need to know about a breach, and the explanatory material even states that it can reach a conclusion that notice is unnecessary without making a full investigation. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12 CFR Part 30, 12 CFR Parts 208 and 225, 12 CFR Part 364, 12 CFR Parts 568 and 570. Other reasons why those guidelines are insufficient to substitute for a statutory requirement to give notice include that they do not apply to non- customers about whom the financial institution has sensitive data, that there is no direct or express penalty for violation of the guideline, and that their case-by-case approach will make it extremely hard to determine in which circumstances the guidance actually recommends notice to consumers, complicating the process of showing that an obligation was unmet. --------------------------------------------------------------------------- Second, unauthorized access to paper records, such as hospital charts or employee personnel files, are just as likely to expose an individual to a risk of identity theft as theft of computer files. Third, encryption doesn't protect information from insider theft, and the forms of encryption vary widely in their effectiveness. Further, even the most effective form of encryption can quickly become worthless if it is not adapted to keep up with changes in technology and with new tools developed by criminals. A requirement to give notice of a security breach elevates the issue of information security inside a company. A requirement for swift, no-exemption notice of security breaches should create reputational and other marketplace incentives for those who hold sensitive consumer information to improve their internal security practices. For example, California's security breach law has led to improved data security in at least two cases. According to news reports, after giving its third notice of security breach in fifteen months, Wells Fargo Bank ordered a comprehensive review of all its information handling practices. The column quoted a memo from Wells Fargo's CEO stating in part: ``The results have been enlightening and demonstrate a need for additional study, remediation and oversight. . . . Approximately 70 percent of our remote data has some measure of security exposure as stored and managed today.'' \4\ --------------------------------------------------------------------------- \4\ D. Lazarus, ``Wells Boss Frets Over Security,'' S.F. Chronicle, Feb. 23, 2005. http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/02/ 23/BUGBHBFCR11.DTL. --------------------------------------------------------------------------- In another example, UC Berkeley Chancellor Robert Bigeneau announced plans to hire an outside auditor to examine data gathering, retention, and security, telling employees: ``I insist that we safeguard the personal information we are given as if it were our own.'' \5\ This announcement followed the second announced breach of the security of data held by the University in six months, this one involving 100,000 people.\6\ --------------------------------------------------------------------------- \5\ ``Cal Laptop Security Put Under Microscope,'' April 6, 2005, Inside Bay Area, http://www.insidebayarea.com/searchresults/ci_2642564. \6\ Opinion Page, Oakland Tribune, April 5, 2005. --------------------------------------------------------------------------- In the Sarbanes-Oxley Act, Congress recognized the importance of the ``tone at the top,'' and for that reason took steps to require the corporate boards and CEOs work to improve the quality and accuracy of audited financial statements. A strong, clear notice of security breach law, without exceptions, could similarly focus the attention of top management on information security--creating an incentive for a ``tone at the top'' to take steps to minimize or eliminate security breaches. Security Consumers Union supports S. 500 and H.R. 1080, introduced by Senator Bill Nelson and Representative Ed Markey, respectively. These measures would direct the Federal Trade Commission (FTC) to promulgate strong standards for information security and a strong obligation to screen customers, both initially and with respect to how those customers further protect the information from unauthorized use. They also provide for ongoing compliance monitoring by the FTC. S. 768, the Schumer-Nelson bill, contains similar provisions. If Congress wanted to take even stronger steps with respect to information brokers, it could require information brokers to undergo annual audits, paid for by the broker and performed by an independent auditor retained by the FTC, with specific authority in the FTC to require corrective action for security and customer screening weaknesses identified in the audit, as well as allowing the FTC to specify particular aspects of information security that should be included in each such audit. Any Federal information broker law must require strong protections in specific aspects of information security, as well as imposing a broad requirement that security in fact be effective and be monitored for ongoing effectiveness. Congress must determine the balance between the public interest in the protection of data and the business interest in the business of information brokering. Security breaches and the effects on consumers of the ongoing maintenance of files on most Americans by information brokers are issues too important to be delegated in full to any regulatory agency. Access and Correction Two of the basic Fair Information Practices are the right to see and the right to correct information held about the consumer. S. 768, S. 500, and H.R. 1080 all address these issues. While the Fair Credit Reporting Act (FCRA) allows consumers to see and correct their credit reports, as defined by FCRA, consumers currently have no legal right to see the whole file held on them by an information broker such as ChoicePoint and Lexis-Nexis, even though the information in that file may have a profound effect on the consumer. There is also lack of clarity about what a consumer will be able to see even under the FCRA if the information broker has not yet made a report to a potential employer or landlord about that consumer.\7\ --------------------------------------------------------------------------- \7\ Testimony of Evan Hendricks, Editor/Publisher, Privacy Times before the Senate Banking Committee, March 15, 2005, http:// banking.senate.gov/files/hendricks.pdf. --------------------------------------------------------------------------- Because the uses of information held by data brokers continue to grow and change, affecting consumers in myriad ways, consumers must be given the legal right to see all of the information data brokers hold on them, and to seek and win prompt correction of that information if it is in error. Protection for SSNs The Social Security number (SSN) has become a de facto national identifier in a number of U.S. industries dealing with consumers. Some proposals for reform have emphasized consent to the use, sale, sharing or posting of Social Security numbers. Consumers Union believes that a consent approach will be less effective than a set of rules designed to reduce the collection and use of sensitive consumer information. Take, for example, an analogy from the recycling mantra: ``Reduce, reuse, recycle.'' Just as public policy to promote recycling first starts with ``reducing'' the use of materials that could end up in a landfill, so protection of sensitive, personal information should begin with reduction in the collection and use of such information. Restrictions on the use of the Social Security number must begin with restricting the initial collection of this number to only those transactions where the Social Security number is not only necessary, but also essential to facilitating the transaction requested by the consumer. The same is true for other identifying numbers or information that may be called upon as Social Security numbers are relied upon less. Consumers Union endorses these basic principles for an approach to Social Security numbers: Ban collection and use of SSNs by private entities or by government except where necessary to a transaction and there is no alternative identifier which will suffice. Ban sale, posting, or display of SSNs, including no sale of credit header information containing SSNs. There is no legitimate reason to post or display individuals' Social Security numbers to the public. Ban sharing of SSNs, including between affiliates. Ban secondary use of SSNs, including within the company which collected them. Out of the envelope: ban printing or encoding of SSNs on government and private checks, statements, and the like Out of the wallet: ban use of the SSN for government or private identifier, except for Social Security purposes. This includes banning the use of the SSN, or a variation or part of it, for government and private programs such as Medicare, health insurance, driver's licenses or driver's records, and military, student, or employee identification. Any provision banning the printing of SSNs on identifying cards should also prohibit encoding the same information on the card. Public records containing SSNs must be redacted before posting. There should be no exceptions for regulated entities. There should be no exception for business-to-business use of SSNs. Congress should also consider whether to impose the same type of ``responsibility requirements'' on the collection, sale, use, sharing, display and posting of other information that could easily evolve into a substitute ``national identifier,'' including drivers license number, state non-driver information number, biometric information and cell phone numbers. Creditor Identity Theft Prevention Obligations Information is stolen because it is valuable. A key part of that value is the ability to use the information to gain credit in someone else's name. That value exists only because credit granting institutions do not check the identity of applicants carefully enough to discover identity thieves before credit is granted. Financial institutions and other users of consumer credit reports and credit scores should be obligated to take affirmative steps to establish contact with the consumer before giving credit or allowing access to an account when there is an indicator of possible false application, account takeover or unauthorized use. The news reports of the credit card issued to Clifford J. Dawg, while humorous, illustrate a real problem--creditor eagerness to issue credit spurs inadequate review of the identity of the applicant.\8\ When the applicant is a dog, this might seem funny, but when the applicant is a thief, there are serious consequences for the integrity of the credit reporting system and for the consumer whose good name is being ruined. --------------------------------------------------------------------------- \8\ Both the news stories about Clifford J. Dawg and a thoughtful analysis of the larger problem of too lax identification standards applied by creditors is found in C. Hoofnagle, Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors, in Securing Privacy in the Information Age (forthcoming from Stanford University Press), http://papers.ssrn.com/sol3/ papers.cfm?abstract_id=650162. --------------------------------------------------------------------------- As new identifiers evolve, criminals will seek to gain access to and use those new identifiers. Thus, any approach to attacking identity theft must also impose obligations on those who make that theft possible--those who grant credit, goods, or services to imposters without taking careful steps to determine with whom they are dealing. At minimum, creditors should be required to actually contact the applicant to verify that he or she is the true source of an application for credit when certain triggering events occur. The triggering events should include any of the following circumstances: Incomplete match on Social Security number. Address mismatch between application and credit file. Erroneous or missing date of birth in application. Misspellings of name or other material information in application. Other indicators as practices change. Under FACTA, the FTC and the Federal financial institution regulators are charged with developing a set of red flag ``guidelines'' to ``identify possible risks'' to customers or to the financial institution. However, FACTA stops with the identification of risks. It does not require that financial institutions do anything to address those risks once identified through the not-yet-released guidelines. The presence of a factor identified in the guidelines does not trigger a statutory obligation to take more care in determining the true identity of the applicant before granting credit. Congress should impose a plain, enforceable obligation for creditors to contact the consumer to verify that he or she has in fact sought credit when certain indicators of potential identity theft are present. Control for Consumers Over Affiliate-Sharing, Use of Information, Use of Credit Reports and Credit Scores Consumers are caught between the growth in the collection and secondary use of information about them on the one hand and the increasing sophistication of criminals in exploiting weaknesses in how that information is stored, transported, sold by brokers, shared between affiliates, and used to access credit files and credit scores. Identity theft has been fueled in part by information-sharing between and within companies, the existence of databases that consumers don't know about and can't stop their information from being part of, the secondary use of information, and the granting of credit based on a check of the consumer credit file or credit score without efforts to verify the identity of the applicant.\9\ Consumers Union has consistently supported Federal and State efforts to give consumers the legal right to stop the sharing of their sensitive, personal information among affiliates. Finally, it is essential to stopping the spread of numbers that serve as consumer identifiers that Congress and the States impose strong restrictions on the use of sensitive, personal information for purposes other than the purpose for which the consumer originally provided that information. --------------------------------------------------------------------------- \9\ Secondary use is use for a purpose other than the purpose for which the consumer gave the information. --------------------------------------------------------------------------- Fix FACTA FACTA has made some things more difficult for identity theft victims, according to information provided to Consumers Union by nonprofits and professionals who assist identity theft victims. Moreover, FACTA gives only limited rights to those who have not yet become victims of identity theft, and FACTA fails to offer a pure prevention tool for all consumers. A consumer who asserts in good faith that he or she is about to become a victim of identity theft gets one right under FACTA--the right to place, or renew, a 90 day fraud alert. However, this type of alert places lower obligations on the potential creditor than the extended alert, which is restricted only to identity theft victims. A consumer should be able to access more of his or her FACTA rights, such as the extended fraud alert, before becoming an identity theft victim. One key FACTA right is tied to a police report, which victims still report difficulty in getting and using. Here are some key ways to make FACTA work for victims: Initial fraud alert should be one year, not 90 days. Extended alert and other victims' rights, other than blocking of information, should be available to all identity theft victims who fill out the FTC ID theft affidavit under penalty of perjury. Business records should be available to any consumer who fills out the FTC ID theft affidavit under penalty of perjury. Consumers who receive a notice of security breach should be entitled to place an extended fraud alert. Consumers who place a fraud alert have the right under FACTA to a free credit report, but this should be made automatic. There is also work to do outside of FACTA, including work to develop a police report that could be given to victims that is sufficiently similar, if not uniform, across jurisdictions, so that the victim does not find creditors or businesses in another jurisdiction refusing to accept a police report from the victim's home jurisdiction. Congress Must Encourage the States To Continue To Pioneer Prompt Responses to Identity Crime Virtually every idea on the table today in the national debate about stemming identity theft and protecting consumer privacy comes from legislation already enacted by a state. Congress must not cut off this source of progress and innovation. Instead, any identity theft and consumer privacy legislation in Congress should expressly permit states to continue to enact new rights, obligations, and remedies in connection with identity theft and consumer privacy to the full extent that the State requirements are not inconsistent with the specific requirements of Federal law. Criminals will always be more fast-acting, and fast-adapting, than the Federal Government. An important response to this reality is to permit, and indeed encourage, State legislatures to continue to act in the areas of identity theft and consumer privacy. Fast-acting states can respond to emerging practices that can harm consumers while those practices are still regional, before they spread nationwide. For example, California enacted its notice of security breach law and other significant identity theft protections because identity theft was a significant problem in California well before it became, or at least was recognized as, a national crime wave. Identity theft illustrates how much quicker states act on consumer issues than Congress. According to numbers released by the FTC, there were 9.9 million annual U.S. victims of identity theft in the year before Congress adopted the relatively modest rights for identity theft victims found in FACTA. The identity theft provisions adopted by Congress in FACTA were modeled on laws already enacted in states such as California, Connecticut, Louisiana, Texas, and Virginia.\10\ --------------------------------------------------------------------------- \10\ See California Civil Code Sec. Sec. 1785.11.1, 1785.11.2, 1785,16.1; Conn. SB 688 Sec. 9(d), (e), Conn. Gen. Stats. Sec. 36a-699; IL Re. Stat. Ch. 505 Sec. 2MM; LA Rev. Stat. Sec. Sec. 9:3568B.1, 9:3568C, 9:3568D, 9:3571.1 (H)-(L); Tex. Bus. & Comm. Code Sec. Sec. 20.01(7), 20.031, 20.034-039, 20.04; VA Code Sec. Sec. 18.2- 186.31:E. The role of the states has also been important in financial issues unrelated to identity theft. Here are two examples. In 1986, California required that specific information be included in credit card solicitations with enactment of the then-titled Areias-Robbins Credit Card Full Disclosure Act of 1986. That statute required that every credit card solicitation to contain a chart showing the interest rate, grace period, and annual fee. 1986 Cal. Stats., Ch. 1397, codified at California Civil Code Sec. 1748.11. Two years later, Congress chose to adopt the same concept in the Federal Fair Credit and Charge Card Disclosure Act (FCCCDA), setting standards for credit card solicitations, applications, and renewals. P. L. 100-583, 102 Stat. 2960 (Nov. 1, 1988), codified in part at 15 U.S.C. Sec. Sec. 1637(c) and 1610(e). The implementing changes to Federal Regulation Z included a model form for the Federal disclosure box which is quite similar to the form required under the pioneering California statute. 54 Fed. Reg. 13855, Appendix G. --------------------------------------------------------------------------- Strong and Broadly-Based Enforcement Consumers need effective enforcement of those obligations and restrictions Congress imposes in response to the increasing threats to consumer privacy, and of the growth of identity theft. A diversity of approaches strengthens enforcement. Each statutory obligation imposed by Congress should be enforceable by Federal agencies, the Federal law enforcement structure with the Attorney General and U.S. Attorneys, and State attorneys general. Where a state is structured so that part of the job of protecting the public devolves to a local entity, such as a district attorney or city attorney, those local entities also should be empowered to enforce anti-identity theft and privacy measures in local civil or, where appropriate, criminal courts. There is also a role for a private right-of-action. It is an unfortunate reality in identity theft is that law enforcement resources are slim relative to the size of the problem. This makes it particularly important that individuals be given a private right-of- action to enforce the obligations owed to them by others who hold their information. A private right-of-action is an important part of any enforcement matrix. Money and Tools for Law Enforcement Even if all the recommended steps are taken, U.S. consumers will still need vigorous, well-funded law enforcement. At a meeting convened by Senator Feinstein which included some twenty representatives of law enforcement, including police departments, sheriffs, and district attorneys, law enforcement uniformly proposed that they be given tools to more effectively investigate identity theft. Law enforcement costs money, and the law enforcers noted that the multi-jurisdictional nature of identify theft increases the costs and time, it takes to investigate these crimes. Law enforcers in California and Oregon have noted a strong link between identity theft crime and methamphetamine. The Riverside County Sheriff noted at a March 29, 2005 event that when drug officers close a methamphetamine lab, they often find boxes of fake identification ready for use in identity theft. The drug team has closed the lab; without funding for training and ongoing officer time, there may be no investigation of those boxes of identities. To prove a charge of attempted identity theft, a prosecutor may need to prove that the real person holding a particular driver's license number, credit or debit card number, or Social Security number is different from the holder of the fake ID. Doing this may require the cooperation of a State Department of Motor Vehicles, a financial institution, or the Social Security Administration. The public meetings of the California High Tech Crimes Advisory Committee have including discussion of the difficulties and time delays law enforcement investigators encounter in trying to obtain this cooperation. Congress should work with law enforcement and groups representing interest in civil liberties to craft a solution to verifying victim identity that will facilitate investigation of identity theft without infringing on the individual privacy of identity theft victims and other individuals. Law enforcement may have more specific proposals to enhance their effectiveness in fighting identity theft. Consumers Union generally supports: Funding for regional identity theft law enforcement task forces in highest areas of concentration of victims, and of identity thieves. Funding for investigation and prosecution. An obligation on creditors, financial institutions, and the Social Security Administration to provide information about suspected theft-related accounts or numbers to local, State, and Federal law enforcement after a simple, well designed, request process. Consumers Union believes that the time has come for both Congress and State legislatures to act to stem identity theft through strong and meaningful requirements to tell consumers of security breaches; strong and detailed security standards and oversight for information brokers, reining in the use of Social Security numbers, increased control for consumers over the uses of their information, and obligations on creditors to end their role in facilitating identity theft through lack of care in credit granting. This should be done without infringing on the role of the states, with attention to the need to fund law enforcement to fight identity theft, and with attention to the need for private enforcement by consumers. We look forward to working with the Chair and Members of the Committee, and others in Congress, to accomplish these changes for U.S. consumers. These recommendations by Consumers Union have been informed by the work of victim assistance groups, privacy advocates, and others. \11\ --------------------------------------------------------------------------- \11\ Many law enforcers, victim assistance workers, and consumer and privacy advocates were engaged in the issue of identity theft prevention long before the most recent ChoicePoint security breach came to light. Consumers Union has worked closely for many years on efforts to fight identity theft and protect consumer financial privacy with other national groups, and with consumer privacy and anti-identity theft advocates and victim assistance groups based in California. Our views and recommendations are strongly informed by the experiences of consumers reported to us by the nonprofit Privacy Rights Clearinghouse, the nonprofit Identity Theft Resource Center, and others who work directly with identity theft victims. These groups have worked to develop the State laws that are the basis for many of the proposals now being introduced in Congress. Consumers Union is grateful for the leadership of the Privacy Rights Clearinghouse in consumer privacy policy work, the work of the State PIRGs and U.S. PIRG on consumer identity theft rights which includes the preparation of a model State identity theft statute in cooperation with Consumers Union, for the work for consumers on the accuracy of consumer credit reporting issues done over the past decade by the Consumer Federation of America and U.S. PIRG, and for the contributions to the policy debate of organizations such as the Electronic Privacy Information Center, Privacy Times, and others too numerous to mention. --------------------------------------------------------------------------- Consumer Reports, June 2005 The Fight Against Identity Theft by Jim Guest, President ``I was mugged once, years ago,'' one of our editorial researchers told me. ``It was bad, but at least that guy had the guts to look me in the eye.'' This time, she'd gotten a call from her bank alerting her that someone in Oregon had just withdrawn $2,000 from her account. Since she and her husband were both at home in New York, that was very bad news. Like many of the estimated 10 million people a year whose lives and accounts are invaded by identity thieves, our staffer had been as cautious as she could be and still be part of today's marketplace. But either her financial records were leaked or a hacker typed his or her way through the barriers protecting her account. In either case, companies who hold sensitive, personal and financial information about us, and the lawmakers who should be overseeing them, are failing to build stronger protections against the increasingly prevalent crime of ID theft. Lawmakers and regulators must work fast. Here are three things that Consumers Union, the publisher of Consumer Reports, is pushing them to do: Oversee information brokers, companies that collect and sell people's personal and financial data. Federal law should require them to safeguard those data, sell data only to carefully screened clients, tell consumers what's in their files, and correct mistakes promptly, since mistakes can lose you a job, a mortgage, or an insurance policy. Pass strong Federal and State laws that require companies to notify the consumers whose personal and financial information they hold when their privacy is compromised. Now, only California residents have that protection. Pass laws in every state allowing consumers to ``freeze'' their credit-bureau files. With a security freeze in place, your credit report and score can't be given to potential new creditors unless you choose to ``unlock'' the file when you apply for, say, a car loan. Most businesses won't issue new credit or loans without first checking credit records. This way, thieves will hit a brick wall trying to open an account in your name. There's no single solution to shielding consumers from the fast- changing schemes of ID thieves, so Congress should preserve the right of States to continue developing ever more sophisticated guards. For more about what CU is doing, and for what you can do to protect yourself, go to our websites www.consumersunion.org/privacy and www.consumersunion.org/money. ______ Statement of James X. Dempsey, Executive Director, Center for Democracy & Technology,\1\ before the Senate Committee on the Judiciary, April 13, 2005 --------------------------------------------------------------------------- \1\ The Center for Democracy & Technology (CDT) is a non-profit public interest organization dedicated to promoting privacy and other democratic values for the new digital communications media. Among other activities, CDT coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for computer, communications, and public interest organizations, companies and associations interested in information privacy and security issues. --------------------------------------------------------------------------- Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use Chairman Specter, Senator Leahy, and Members of the Committee, thank you for the opportunity to testify today. Recent security breaches at a range of companies and institutions resulting in the loss of sensitive, personal information have highlighted the need for a more substantial legal framework at the national level for entities collecting, using and selling personal data. A range of harms, including identity theft, can flow from the failure to protect electronic personal data and from governmental or corporate misuse of data or reliance on inaccurate data. We offer here today an overview of the policy landscape and suggest some approaches that Congress should consider to ensure the appropriate level of security and privacy protection. We look forward to working with you and interested stakeholders to achieve balanced solutions. The New Marketplace for Personal Data In the past decade, the commercial collection and sale of personal information has changed dramatically, driven by a combination of factors, facilitated by the Internet, and resulting in an ever more rapid flow of sensitive, personal information in ways that most consumers barely understand. The implications for commerce, national security and personal privacy have been detailed in recent books such as Robert O'Harrow's ``No Place to Hide.'' The private sector and the Federal Government have many legitimate needs for personal information, and the sharing of data offers benefits to consumers in the form of readily available credit. Businesses and non-profit entities, ranging from landlords to retailers, to lawyers, to universities, obtain and share personal information to provide services and facilitate economic transactions. Indeed, an important use of commercial data services is for anti-fraud purposes, including the prevention of identity theft. The Federal Government uses personal information to determine eligibility for government benefits, to support law enforcement, and to fight the war on terror. An important category of this information is drawn from public records at courthouses and other government agencies. Data brokers (we use the term throughout our testimony for lack of a better one, without intending to be derogatory and recognizing that it is not well-defined) add considerable value by aggregating and categorizing this information to provide a more complete picture of the individuals to whom it pertains. While data brokers provide important services to the government and the private sector, they also raise a host of privacy issues and concerns about the security of this information. The recent security breaches at ChoicePoint and LexisNexis have prompted calls for examination of this new industry. Already-regulated entities, such as Bank of America, have also lost control of sensitive, personal information. So have merchants whose primary business is not data aggregation. DSW Shoe Warehouse, a chain of shoe retailers, announced recently that someone had stolen customers' credit card information from its database. And the New York Times reported that already this year nine universities have reported the loss or compromise of sensitive, personal information.\2\ Precisely because databases of electronic personal data have tremendous value, they are attracting identity thieves. --------------------------------------------------------------------------- \2\ Tom Zeller, Jr., Some Colleges Falling Short In Data Security, New York Times, Apr. 4, 2005, at B1. --------------------------------------------------------------------------- Even legitimate uses of personal data can result in harm to individuals. For instance, individuals can suffer adverse consequences when data brokers sell inaccurate or incomplete information that results in the loss of employment opportunities. In the context of government use of personal information, adverse consequences could include being suspected of criminal or terrorist activity. Congress has addressed privacy and security issues with respect to credit reporting agencies in the Fair Credit Reporting Act (FCRA), financial institutions in Gramm-Leach-Bliley (GLB), and healthcare providers in the Health Insurance Portability and Accountability Act (HIPAA). But Congress's sectoral approach to information privacy has left gaps in the coverage of the law. Overview of Policy Responses We see at least five sets of issues facing Congress at this time: 1. As a first step towards preventing identity theft, entities, including government entities, holding personal data should be required to notify individuals in the event of a security breach. 2. Since notice only kicks in after a breach has occurred, Congress should require entities that electronically store personal information to implement security safeguards, similar to those required by California AB 1950 and the regulations under Gramm-Leach-Bliley. 3. Congress should impose tighter controls on the sale, disclosure and use of Social Security numbers and should seek to break the habit of using the SSN as an authenticator. 4. Congress should address the Federal Government's growing use of commercial databases, especially in the law enforcement and national security contexts. 5. Finally, Congress should examinee the ``Fair Information Practices'' that have helped define privacy in the credit and financial sectors and adapt them as appropriate to the data flows of this new technological and economic landscape. What Is Privacy? Information privacy is not merely about keeping personal information confidential. Rather, it is well established by United States Supreme Court cases, the Federal Privacy Act, and privacy laws like the FCRA and HIPAA that the concept of privacy extends to information that an individual has disclosed to another in the course of a commercial or governmental transaction and even to data that is publicly available.\3\ Information privacy is about control, fairness, and consequences. Data privacy laws limit the use of widely available, and even public, information because it is recognized that individuals should retain some control over the use of information about themselves and should have redress to the consequences that result from others' use of that information. A set of commonly accepted ``Fair Information Practices'' captures this broader conception of privacy and is reflected, albeit in piecemeal fashion, in the various privacy laws and in the practices of commercial entities and government agencies. These principles govern not just the initial collection of data, but also the use of information collected and shared in the course of governmental and commercial transactions. --------------------------------------------------------------------------- \3\ In United States Department of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749, 762-63 (1989), the Supreme Court rejected the ``cramped notion of personal privacy''that ``because events . . . have been previously disclosed to the public, . . . [the] privacy interest in avoiding disclosure of a . . . compilation of these events approaches zero.'' The Court held in that case that the government can withhold from public disclosure databases composed entirely of publicly available data because there is a ``distinction, in terms of personal privacy, between scattered disclosure of the bits of information . . . and revelation of the [information] as a whole.'' The Court based its ruling on the conclusion that, ``Plainly there is a vast difference between the public records that might be found after a diligent search of courthouse files, county archives, and local police stations throughout the country and a computerized summary located in a single clearinghouse of information.'' 489 U.S. at 764. The Court rejected the notion that an individual has no privacy interest in data that is publicly available somewhere. See id. at 770 (``In sum, the fact that an event is not wholly `private' does not mean that an individual has no interests in limiting disclosure or dissemination of the information.'' (quotation omitted)). See also Reno v. Condon, 528 U.S. 141, 148 (2000) (upholding Federal statute restricting States' sale of driver's license information to commercial entities even though the information was available to the public for a range of purposes). --------------------------------------------------------------------------- The ``Fair Information Practices'' were first articulated in the 1970s and have been embodied in varying degrees in the Privacy Act, the FCRA, and the other ``sectoral'' Federal privacy laws that govern commercial uses of information. The concept of Fair Information Practices (FIPs) has remained remarkably relevant despite the dramatic changes in information technology that have occurred since they were first developed. While mapping these principles to the current data landscape poses challenges, and while some of the principles may be inapplicable to public record data, they provide a remarkably sound basis for analyzing the issues associated with creating a policy framework for the privacy of commercial databases. The FIPs principles are variously enumerated, but we see eight: (1) notice to individuals of the collection of personally identifiable information, (2) limits on use and disclosure of data for purposes other than those for which the data was collected in the first place, (3) limitations on the retention of data, (4) a requirement to ensure the accuracy, completeness and timeliness of information, (5) the right of individuals to access information about themselves, (6) the opportunity to correct information or to challenge decisions made on the basis of incorrect data, (7) appropriate security measures to protect the information against abuse or unauthorized disclosure, and (8) the establishment of redress mechanisms for individuals wrongly and adversely affected by the use of personally identifiable information.\4\ --------------------------------------------------------------------------- \4\ http://www.cdt.org/privacy/guide/basic/generic.html. --------------------------------------------------------------------------- A lot more work would be needed to develop a regulatory framework imposing all of these principles on all entities that hold or use personally identifiable data. Nevertheless, these principles do provide a framework for analyzing the current situation. They suggest certain immediate steps that Congress could take. Notice of Breach As a first step, there should be a national requirement that individuals be notified when their information held by a third party is obtained by an unauthorized user. CDT would support appropriate Federal legislation modeled on the California disclosure law that would require holders of sensitive, personal information to notify people whose information might have been stolen or otherwise obtained by unauthorized persons.\5\ Some industry leaders have also supported Federal notice legislation, as did the Chairman of the Federal Trade Commission at earlier Congressional hearings. --------------------------------------------------------------------------- \5\ The California law states that any agency or business ``that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.'' Cal. Civ. Code Sec. 1798.29(a), Sec. 1798.82(a). --------------------------------------------------------------------------- The California law worked well after the ChoicePoint security breach. As a result of the California law, ChoicePoint was required to notify individuals so they could take protective action. And public pressure led ChoicePoint to give nationwide notice. California is currently the only state with such a law on the books, but other states are currently considering similar legislation. Congress should enact Federal legislation that is as protective as the California statute. There has been some debate about when entities should be required to give notice of a breach. Some have argued that the holder of the information should be allowed to exercise discretion in determining whether the breach is one that poses a significant risk of harm to individuals. Concern has been expressed that if consumers are notified of every security breach, they would receive too many notices and become immune to them. While the risk of over-notification is real, guidance issued by the State of California on its disclosure law seems to address concerns about over-notification. An appropriate standard might be to require entities that discover a breach of security of a system containing unencrypted personally identifiable data in electronic form to notify any U.S. resident whose data was, or is reasonably believed to have been, acquired by an unauthorized person. If the entity is not certain whether the breach warrants notification, it should be able to consult with the Federal Trade Commission. This would allow the entities to avoid giving notice in the case of accidental unauthorized access that does not pose a risk of harm to the public, while ensuring that the public is adequately protected in those cases where data has been acquired unlawfully. Additionally, it may be desirable to have a two-tiered system, with notice to the FTC of all breaches of personal data and notice to consumers where there is a potential risk of identity theft. Broader notice to the FTC would help with oversight and would allow for adjustment in reporting thresholds. Notice alone, however, is not enough. Consideration needs to be given to the question of what options a consumer has after receiving notice of a breach. Consumers can require a fraud alert on their credit reports, but under current law that has to be renewed every 90 days unless the individual is actually the victim of identity theft, in which case he is entitled to a 7 year notice. Another approach is to give consumers the ability to ``freeze'' their credit reports, blocking their release and thus preventing the issuance of credit. Texas and California currently allow credit report freezes, and Vermont and Louisiana freeze legislation is supposed to take effect this summer. At least 15 other states are considering similar legislation. \6\ Another way to allocate risk may be to create a ``Do Not Issue Credit without Verification List,'' allowing consumers to post a warning to creditors to obtain additional identity verification before issuing credit. This would not be a freeze, but would put creditors on alert that they need to be careful. --------------------------------------------------------------------------- \6\ Andrew Shain, ``Nation, N.C. address ID security breaches,'' Charlotte Observer, Mar. 24, 2005, http://www.charlotte.com/mld/ charlotte/11215774.htm. --------------------------------------------------------------------------- Security of Personally Identifiable Information While notice legislation would be helpful in mitigating the damage from a security breach and might prod companies to improve security proactively, Congress should enact legislation requiring commercial entities that hold personal information to implement information security programs. Already there is a patchwork of requirements. Financial institutions are already subject to information security requirements under Gramm-Leach-Bliley, \7\ and the Health Insurance Portability and Accountability Act imposes similar requirements on health care providers and insurers, \8\ the Sarbanes-Oxley legislation also has a provision that is interpreted as imposing some kind of data security obligation. The Federal Trade Commission has exercised its Section 5 authority and obtained consent agreements with a number of companies that are looked to as models. And the California law known as AB 1950 has imposed a general data security obligation on companies doing business there. --------------------------------------------------------------------------- \7\ 15 U.S.C. Sec. 6801(b). \8\ Pub. L. 104-191, Sec. 264. --------------------------------------------------------------------------- It is probably time to bring some uniformity to these requirements. The Federal Trade Commission regulations implementing Gramm-Leach- Bliley provide a good framework and probably have about the right level of detail for security programs for data brokers and other commercial entities.\9\ They require an entity to develop, implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards that are tailored to the size and nature of the entity. Among other elements of a security program, they require entities that hold personal information to conduct a risk assessment to identify and develop systems to protect against anticipated threats and unauthorized access to information, to train employees, to audit their systems to identify unauthorized access, and to periodically reassess the program's effectiveness. Otherwise, the FTC approach gives entities that collect and store personal information the flexibility to develop security programs that fit their business models. --------------------------------------------------------------------------- \9\ See Standards For Safeguarding Customer Information, 16 C.F.R. Sec. Sec. 314.1-.5 (2005). --------------------------------------------------------------------------- Social Security Number Protection Personal privacy is not just threatened by ineffective or nonexistent information security systems, however. Another threat to personal privacy is the proliferation and misuse of Social Security numbers. When the Federal Government first issued Social Security numbers in 1936, it limited their use to identifying accounts for workers with earnings from jobs covered by the Social Security Act of 1935. Social Security numbers were not supposed to serve as the universal identifiers that they have become. In fact, they were initially called Social Security Account Numbers and for many years the words ``Not For Identification''appeared on Social Security cards.\10\ Over time, however, Social Security numbers have become de facto national identifiers, serving as the key that unlocks many databases containing medical records, university records, employee files and bank records, just to name a few. --------------------------------------------------------------------------- \10\ www.epic.org/privacy/hew1973report/c7.htm --------------------------------------------------------------------------- Worse, the SSN is used as an authenticator. That is, it is used like a PIN number--even though SSNs are widely available, entities treat them as if they were a secret and that therefore someone is you if he knows your SSN. This is very poor security practice. As a result, Social Security numbers are a major factor in identity theft. CDT supports legislation that would tighten controls on the sale, purchase and display of Social Security numbers. Given the ubiquity of Social Security numbers in the public domain, it might not be possible to prevent criminals from acquiring them, but that does not mean we should give up trying to curtail the SSN's overuse and misuse. We believe that this can be done without prohibiting the use of the SSN as an identifier or disambiguator in large databases. Certainly, the SSN should be phased out as a student or employee ID number reflected on ID cards, transcripts and other records disclosed outside an institution. Congress should also, where feasible, limit the use of Social Security numbers by government entities. In particular, states should be prohibited from using Social Security numbers on drivers' licenses. These changes will have limited effect, however, unless it is also recognized that it is poor security practice to use the SSN as an authenticator--treating it like a password or an obscure bit of information likely to be known only to the one person to whom it was issued. The habit of relying on the SSN for verification of identity needs to be broken.\11\ --------------------------------------------------------------------------- \11\ The habit of relying blindly on the SSN as an identifier also needs to be broken. See Lesley Mitchell, ``New wrinkle in ID theft; Thieves pair your SS number with their name, buy with credit, never get caught; Social Security numbers a new tool for thieves,'' The Salt Lake Tribune, June 6, 2004, at E1. --------------------------------------------------------------------------- Government Use of Commercial Databases An often overlooked but very important issue is the Federal Government's use of commercial databases. As discussed earlier, the government uses commercial data for law enforcement and national security purposes. The Privacy Act of 1974 was supposed to subject government agencies that collect personally identifiable information to the Fair Information Practices, but the Act's protections only apply to Federal ``systems of records.'' \12\ That means that the government can bypass the Privacy Act by accessing existing private sector databases, rather than collecting the information itself. Thus, although the Privacy Act requires notice to and consent from individuals when the government collects and shares information about them, gives citizens the right to see whatever information the government has about them, and holds government databases to certain accuracy standards, none of those rules applies when the government accesses commercial information without pulling that data into a government database. Currently, the government need not ensure (or even evaluate) the accuracy of the data; it need not allow individuals to review and correct the data; and the government is not limited in how it interprets or characterizes the data. --------------------------------------------------------------------------- \12\ The term ``system of records'' is defined as ``a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.'' 5 U.S.C. Sec. 552a(a). --------------------------------------------------------------------------- Commercial information can and should play a key role in law enforcement and national security investigations. But agencies relying on that data should have clear guidelines for its use--guidelines that both protect individual rights and ensure the information is useful for investigative purposes. One option would be to make it clear that the Privacy Act applies whether the government is creating its own database or acquiring access to a database from a commercial entity. Also, Congress could apply the concept of Privacy Impact Assessments to the acquisition of commercial databases. Section 208 of the E-Government Act of 2002 already requires a PIA if the government initiates a new ``collection'' of information.\13\ The same process should apply when the government acquires access to a commercial database containing the same type of information that would be covered if the government itself were collecting it. --------------------------------------------------------------------------- \13\ E-Government Act of 1002, Pub. L. 107-347, Sec. 208(b)(1). Under the E-Government Act, an agency is required to perform a privacy impact assessment before it ``develop[s] or procure[s] information technology that collects, maintains, or disseminates information that is in an identifiable form'' or ``initiat[es] a new collection of information. . . .'' Sec. 208(b)(1)(A). A privacy impact assessment is required to address, ``(I) what information is collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; (VI) how the information will be secured; and (VII) whether a system of records is being created under'' the Privacy Act. Sec. 208(b)(2)(B). --------------------------------------------------------------------------- Another approach, based on a bill that Senator Wyden introduced in the last Congress,\14\ would be to require the government to perform an accounting of private sector databases before using them. Under the Wyden proposal, a government agency that acquired access to databases containing personally identifiable information concerning U.S. citizens would be required to publish in the Federal Register a description of the database, the name of the entity from which the agency obtained the database and the amount of the contract for use of the database. In addition, the agency would be required to adopt regulations that establish --------------------------------------------------------------------------- \14\ S. 1484, 108th Cong. (1st Sess. 2003). the personnel permitted to access, analyze or otherwise use --------------------------------------------------------------------------- the database; standards that govern the access to and analysis and use of such information; standards to ensure that personal information accessed, analyzed and used is the minimum necessary to accomplish the government's goals; standards to limit the retention and re-disclosure of information obtained from the database; procedures to ensure that such data is accurate, relevant, complete and timely; auditing and security measures to protect against unauthorized access to or analysis, use or modification of data in the database; applicable mechanisms that individuals may use to secure timely redress for any adverse consequences wrongly experienced due to the access, analysis or use of such database; mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies or guidelines; and an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or unauthorized access to or use of the database. Agencies might also incorporate into their contract with commercial entities provisions that provide for penalties when the commercial entity sells information to the agency that the commercial entity knows, or should know, is inaccurate or when the commercial entity fails to inform the agency of corrections or changes to data in the database. The Intelligence Reform Act that Congress passed last December established guidelines for the government's evaluation of Secure Flight plans that suggest a broader framework for use of data.\15\ Congress could adopt similar guidelines for government agencies to follow before implementing any screening program that uses commercially available data. As an initial matter, all government screening programs should be Congressionally authorized. This would ensure some degree of public accountability and Congressional oversight. In addition, all screening programs should be subject to regulations that include, at a minimum, the following elements: --------------------------------------------------------------------------- \15\ Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 108-458, Sec. 4012(a). procedures to enable individuals, who suffer an adverse consequence because the system determined that they might pose a security threat, to appeal the determination and correct any --------------------------------------------------------------------------- inaccurate data; procedures to ensure that the databases the government uses to establish the identity of individuals or otherwise make assessments about individuals will not produce a large number of false positives or unjustified adverse consequences; procedures to ensure that the search tools that the department or agency will use are accurate and effective and will allow the department or agency to make an accurate prediction of who may pose a security threat; \16\ --------------------------------------------------------------------------- \16\ This provision is drawn from the Department of Homeland Security Appropriations Act, 2005, Pub. L. 108-334, Sec. 552. sufficient operational safeguards to reduce the chance for --------------------------------------------------------------------------- abuse of the system; substantial security measures to protect the system against unauthorized access; policies that establish effective oversight of the use and operation of the system; and procedures to ensure that the technological architecture of the system does not pose any privacy concerns. These approaches, all of which Congress has previously approved in similar contexts, strike a balance between the government's need for information and the privacy interests of individuals. Adapting the Privacy Act and Fair Information Principles to government uses of commercial databases would go a long way toward closing the unintended gap in privacy protection that exists under the current law. Regulation of Data Brokers Finally, Congress should consider whether there are gaps in the current sectoral laws that protect privacy and focus on the harms that can flow from use of inaccurate or misleading information. This is not about use of marketing data to send catalogues or sales offers. Rather, in the context where adverse consequences can result, Congress should apply to data brokers the Fair Information Practices that are the framework of the Fair Credit Reporting Act and other privacy laws. As the law stands now, these Fair Information Practices apply only when data brokers collect and use information in a way that is governed by the Fair Credit Reporting Act. For instance, if a data broker sells personal information to a third party that uses the information to determine eligibility for insurance, the Fair Credit Reporting Act would apply and certain rights would attach to the individual to whom the information pertains. The individual would be able to obtain a copy of the report, challenge the accuracy of the data and correct any inaccurate information. The ability to do this is particularly important when a person can suffer adverse consequences--such as the denial of insurance--from the use of the personal information. But if the data broker sold that same information to an insurance company for use in claims processing--in which case the individual might be denied reimbursement under her insurance policy--the individual would not have any of those same rights.\17\ --------------------------------------------------------------------------- \17\ Michael Hiltzik, Data Show Information Collector Can't Be Trusted, Los Angeles Times, Mar. 3, 2005, at C1. --------------------------------------------------------------------------- We note that Derek Smith, the Chairman and CEO of ChoicePoint, last year called for a national dialogue on privacy, to develop a policy framework for his companies and others. Specifically, Smith called for expanding the principles reflected in the FCRA: ``We should agree that the consensual model is best to the maximum degree possible, understanding that law enforcement and national security uses may outweigh getting prior consent for certain information. By this I mean that individuals should give permission (or not) at the time information is gathered and should agree to its use. Data should not be used for a different purpose unless new permission is obtained. However, we must recognize that public record data is, fundamentally, just that--public--and does not fit within the consensual model because of the current local, State, and Federal freedom of information acts. Everyone should have a right of access to data that is used to make decisions about them--subject to the same caveats about law enforcement and national security uses. In other words, expand the principles of the Fair Credit Reporting Act to all types of information: right to access, right to question the accuracy and prompt a review, and right to comment if a negative record is found to be accurate.'' \18\ --------------------------------------------------------------------------- \18\ Derek V. Smith, ``Risk Revolution: The Threats Facing America and Technology's Promise for a Safer Tomorrow'' (Longstreet Press, 2004) 185. Conclusion Resolving these issues will require a broad-based and inclusive dialogue. We must strike a balance, but the current absence of a comprehensive legal framework for the collection, sale and use of sensitive, personal information is yielding harms that are made clear every day. The Center for Democracy and Technology looks forward to working with the Committee, with all of today's witnesses, and with all stakeholders. We are not helpless in the face of the ongoing revolution in information technology. Through the policy process, we can decide whether there is ``No Place to Hide.'' ______ Statement of Oliver I. Ireland, Attorney, Morrison & Foerster LLP; on Behalf of Visa U.S.A. Inc., Before the Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce, United States House of Representatives, May 11, 2005 Securing Consumers' Data: Options Following Security Breaches Good morning Chairman Stearns, Ranking Member Schakowsky, and Members of the Subcommittee. I am a partner in the law firm of Morrison & Foerster LLP, and practice in the firm's Washington, D.C. office. I am pleased to appear before the Subcommittee on behalf of the Visa, U.S.A. Inc., to discuss the important issue of consumer information security. The Visa Payment System, of which Visa U.S.A. is a part, is the largest consumer payment system, and the leading consumer e-commerce payment system, in the world, with more volume than all other major payment cards combined. Visa plays a pivotal role in advancing new payment products and technologies, including technology initiatives for protecting personal information and preventing identity theft and other fraud. Visa commends the Subcommittee for focusing on the important issue of information security. As the leading consumer electronic commerce payment system in the world, Visa considers it a top priority to remain a leader in developing and implementing technology, products, and services that protect consumers from the effects of information security breaches. As a result, Visa has long recognized the importance of strict internal procedures to protect Visa's members' cardholder information, thereby to protect the integrity of the Visa system. Visa has substantial incentives to maintain strong security measures to protect cardholder information. The Visa system provides for zero liability to cardholders for unauthorized transactions. Cardholders are not responsible for unauthorized use of their cards. The Visa Zero Liability policy guarantees maximum protection for Visa cardholders against fraud due to information security breaches. Because the financial institutions that are Visa members do not impose the losses for fraudulent transactions on their cardholder customers, these institutions incur costs from fraudulent transactions. These costs are in the form of direct dollar losses from credit that will not be repaid, and also can be in the form of indirect costs attributable to the harm and inconvenience that might be felt by cardholders or merchants. Accordingly, Visa aggressively protects the cardholder information of its members. Existing Federal Laws and Rules for Information Security Existing Federal laws and regulations also obligate financial institutions to protect the personal information of their customers. Rules adopted under section 501(b) of the Gramm-Leach-Bliley Act of 1999 by the Federal banking agencies and the Federal Trade Commission (FTC) (GLBA 501(b) Rules) establish information security standards for the financial institutions subject to the jurisdiction of these agencies. Under the GLBA 501(b) Rules, financial institutions must establish and maintain comprehensive information security programs to identify and assess the risks to customer information and then control these potential risks by adopting appropriate security measures. Each financial institution's program for information security must be risk-based. Every institution must tailor its program to the specific characteristics of its business, customer information and information systems, and must continuously assess the threats to its customer information and systems. As those threats change, the institution must appropriately adjust and upgrade its security measures to respond to those threats. However, the scope of the GLBA 501(b) Rules is limited. Many holders of sensitive, personal information are not financial institutions covered by the GLBA 501(b) Rules. For example, employers and most retail merchants are not covered by the GLBA 501(b) Rules, even though they may possess sensitive information about consumers. Visa's Cardholder Information Security Plan Because of its concerns about the adequacy of the security of information about Visa cardholders, Visa has developed and is implementing a comprehensive and aggressive customer information security program known as the Cardholder Information Security Plan (CISP). CISP applies to all entities, including merchants, that store, process, transmit, or hold Visa cardholder data, and covers enterprises operating through brick-and-mortar stores, mail and telephone order centers, or the Internet. CISP was developed to ensure that the cardholder information of Visa's members is kept protected and confidential. CISP includes not only data security standards but also provisions for monitoring compliance with CISP and sanctions for failure to comply. As a part of CISP, Visa requires all participating entities to comply with the ``Visa Digital Dozen''--twelve basic requirements for safeguarding accounts. These include: (1) install and maintain a working network firewall to protect data; (2) do not use vendor- supplied defaults for system passwords and security parameters; (3) protect stored data; (4) encrypt data sent across public networks; (5) use and regularly update anti-virus software; (6) develop and maintain secure systems and applications; (7) restrict access to data on a ``need-to-know'' basis; (8) assign a unique ID to each person with computer access; (9) restrict physical access to data; (10) track all access to network resources and data; (11) regularly test security systems and processes; and (12) implement and maintain an overall information security policy. Payment Card Industry Data Security Standard Visa is not the only credit card organization that has developed security standards. In order to avoid the potential for imposing conflicting requirements on merchants and others, in December of 2004, Visa, MasterCard, American Express, Discover, and Diners Club collaborated to align their respective data security requirements for merchants and third parties. Visa found that the differences between these security programs were more procedural than substantive. Therefore, Visa has been able to integrate CISP into a common set of data security requirements without diluting the substantive measures for information security already developed in CISP. Visa supports this new, common set of data security requirements, which is known as the Payment Card Industry Data Security Standard (PCI Standard). Neural Networks To Detect Fraud and Block Potentially Unauthorized Transactions In addition to the CISP program, which helps to prevent the use of cardholder information for fraudulent purposes, Visa uses sophisticated neural networks that flag unusual spending patterns for fraud and block the authorization of transactions where fraud is suspected. When cardholder information is compromised, Visa notifies the issuing financial institution and puts the affected card numbers on a special monitoring status. If Visa detects any unusual activity in that group of cards, Visa again notifies the issuing institutions, which begin a process of investigation and card re-issuance. These networks, coupled with CISP and Visa's Zero Liability, provide a high degree of protection from fraudulent credit card transactions to cardholders. Expansion of Existing Requirements Current protections notwithstanding, Visa believes that an obligation to protect sensitive, personal information, similar to the GLBA 501(b) Rules, should apply broadly so that all businesses that maintain sensitive, personal information will establish information security programs. Because consumer information knows no boundaries, it is critical that this obligation be uniform across all institutions in all jurisdictions. Security Breach Notification Closely related to the issue of information security is the question of what to do if a breach of that security occurs. Visa believes that where the breach creates a substantial risk of harm to consumers that the consumers can take action to prevent, the consumers should be notified about the breach so that they can take appropriate action to protect themselves. Both Federal and California law already address this issue. California law currently requires notice to individuals of a breach of security involving their computerized personal information. The California law focuses on discrete types of information that are deemed to be sensitive, personal information. The statute defines sensitive, personal information as an individual's name plus any of the following: Social Security Number, driver's license number, California identification card number, or a financial account number, credit or debit card account number, in combination with any code that would permit access to the account. The California law includes an exception to the notification requirement when this personal information has been encrypted. The California law only requires notice to be provided when personal information is ``acquired by an unauthorized person.'' Other states recently have enacted or are considering security breach notification laws; however, the details of some of the laws differ. In March, the Federal banking agencies issued final interagency guidance on response programs for unauthorized access to customer information and customer notice (Guidance). The Guidance applies to all financial institutions that are subject to banking agency GLBA 501(b) Rules and requires every covered institution that experiences a breach of security involving sensitive customer information to: (1) notify the institution's primary Federal regulator; (2) notify appropriate law enforcement authorities consistent with existing suspicious activity report rules; and (3) notify its affected customers where misuse of the information has occurred or is reasonably possible. The keen interest that states have shown to legislate on the issue of security breach notification emphasizes the need for a single national standard for security breach notification in order to avoid confusion among consumers as to the significance of notices that they receive and among holders of information about consumers as to their notification responsibilities. In addition, any legislation on security breach notification should recognize compliance with the Guidance as compliance with any notification requirements. Visa believes that a workable notification law that would require entities that maintain computerized, sensitive personal information to notify individuals upon discovering a significant breach of security of that data should be risk-based to avoid inundating consumers with notices where no action by consumers is required. As FTC Chairwoman Majoras recently testified to Congress, notices should be sent only if there is a ``significant risk of harm,'' because notices sent when there is not a significant risk of harm actually can cause individuals to overlook those notices that really are important. Thank you, again, for the opportunity to present this testimony today. I would be happy to answer any questions. ______ Response to Written Questions Submitted by Hon. Daniel K. Inouye to Paul B. Kurtz Question. Companies often protest against regulation by maintaining that the market will address the problem and correct it. However, in the case of ChoicePoint and other information brokers, those with the buying power are not adversely affected by poor security and thus do not demand it from the information suppliers. Can either of you comment on the economics of security and how they apply, or not apply as the case may be, to the information-broker industry? When should government intervene? Answer. In determining the Government's role with regard to cyber security regulation, the President's National Strategy to Secure Cyber Space is an appropriate place to start. The National Strategy provides clear policy guidance for the Federal Government's role: ``In general, the private sector is best equipped and structured to respond to an evolving cyber threat. There are specific instances, however, where Federal Government response is most appropriate and justified.'' The Strategy goes on to describe the Government's role in the private sector: ``Externally, a government role in cybersecurity is warranted in cases where high transaction costs or legal barriers lead to significant coordination problems; cases in which governments operate in the absence of private sector forces; resolution of incentive problems that lead to under-provisioning of critical shared resources; and raising awareness.'' According to this description, it seems that information brokers may fall into the narrow category where there is an absence of private sector forces prompting cyber security. As such, it appears appropriate for the Federal Government to intervene. What makes regulation of this issue complex is the threat to unsecured, sensitive personal information does not stop with information brokers. Recent security breaches have occurred in a variety of organizations in regulated and non-regulated industries, ranging from banks and hospitals, to educational institutions and large employers. We believe there are five key principles that should be included in legislation to address this issue. 1. Federal Pre-emption. Any new law should establish a national data breach notification ``floor'' for unauthorized access to unencrypted personal information while enabling State attorneys general to prosecute the Federal law so long as the U.S. Attorney General is notified. Nine states have already passed legislation requiring notification of unauthorized access to unencrypted personal information. Without Federal pre-emption, we will face a web of potentially conflicting breach notification requirements. 2. Scope. The scope of the breach notification bill should apply to any agency or person, as defined in title 5 of the U.S. Code, who owns or licenses computerized data containing sensitive, personal information and should not be limited to data brokers. In developing this legislation, it is important not to duplicate requirements set forth under existing Federal law such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), or other relevant Federal legislation. Legislation should address ``gaps'' in existing legislation related to the security of personal information. Recent security breaches have occurred in a variety of organizations, ranging from data brokers, banks and hospitals, to educational institutions and large employers. 3. Reasonable Security Practices. Reasonable security practices encompass a combination of technology, policy, and expertise. Consistent with existing State law, organizations that own or license computerized data containing personal information should implement and maintain reasonable security measures based on widely accepted voluntary industry standards or existing Federal law. Security Practices. The term ``security practices'' shall mean reasonable security and notification procedures and practices appropriate to the nature of the information to protect sensitive, personal information from unauthorized access, destruction, use, modification or disclosure. Certification. Congress should consider self-certification to help safeguard sensitive, personal information. In the case of self-certification, covered entities would be required to self- certify that they have met a widely adopted standard in order to safeguard sensitive, personal information. If a breach occurs and it is clear that reasonable measures were not taken to safeguard sensitive, personal information, then the covered entity involved would be subject to criminal prosecution by the Department of Justice. Congress should also consider an option for certification by a third-party, coupled with liability protection to foster protection. Encryption. Congress should encourage the use of encryption technologies without requiring it, similar to California's SB 1386. Encryption is defined as ``the protection of data in storage or in transit using a NIST approved encryption algorithm implemented within a FIPS 140 validated cryptographic module combined with the appropriate key management mechanism to protect the confidentiality and integrity of associated cryptographic keys in storage or in transit.'' Existing voluntary standards include: International Standards Organization (ISO) 17799 Control Objectives for Information and Related Technology (COBiT) British Standard (BS) 7799 Information security governance framework issued by the National Cyber Security Summit Task Force in April 2004 Existing regulatory standards include: Fair Credit Reporting Act (http://www.ftc.gov/os/statutes/ fcra.htm#607) Gramm Leach Bliley, Safeguards Rule FDA, Title 21, Subchapter A, Protection of Privacy Basel II, Revised International Capital Framework Health Insurance Portability and Accounting Act (HIPAA) Security Rule 4. Definition of ``breach.'' A breach of unencrypted personal information should be defined so that it encourages the implementation of reasonable security measures and minimizes false positives. 5. Regulatory Authority. The Federal Trade Commission is the most appropriate authority to oversee breach notification on a civil level and refer criminal cases to the Department of Justice. Wherever possible, the FTC should be directed to adopt existing standards, rather than to create new standards. Regarding the economics of security, a recent CRS report states that investments in cyber security cannot be easily analyzed in terms of return on investment, since they do not contribute to income in a measurable way. While such investments may not contribute directly to income, their impact on the way an organization does business is immeasurable. Information is the lifeblood of today's economy and protecting that information--maintaining its confidentiality while assuring its accessibility and reliability--are of the utmost importance. Cyber security is more than just protecting names and Social Security numbers held by data brokers. The economy depends on the free flow of information and we need to be able to trust that information to be what it purports to be. The issues we hear, seemingly on a day to day basis--spyware, identity theft, phishing, breach notification--are all symptoms in the larger problem of unsecured information systems. We encourage the Congress to take a more holistic approach to the issue of cyber security, rather than reacting to each problem. In this context, CSIA believes that there are a number of incentives that have not yet been investigated such as legislative safe harbors, tax incentives, the use of cyber insurance, or other motivating factors that would promote the use and development of stronger security measures by information brokers. Finally, there is very little economic data available to determine the costs of cyber security attacks and vulnerabilities. Developing cost estimates requires reporting of incidents as well as a common methodology of breaking down lost productivity, system down time, identifying vulnerabilities, testing patches, and personnel hours. Federally funded research in this area would be of great value. ______ Response to Written Questions Submitted by Hon. Bill Nelson to Jennifer T. Barrett Question 1. Does Acxiom merely compile, store, and sell sensitive consumer information? Or does your company perform analysis of such information. Can you describe what this analysis involves? And what sorts of analysis is your company performing generally for law enforcement, such as the FBI? Answer. Acxiom does compile consumer information, including SSNs and Driver's License Numbers (DL#s), in order to develop our fraud management products. The ``analysis'' performed in building such products is limited to determining how to accurately integrate or combine the multiple sources of information. Our verification services only validate that the information our client has obtained from the consumer is correct. There is no ``analysis'' performed in providing those services. Rather, the record being verified is compared to the information Acxiom already possesses and a ``match'' or ``no-match'' indicator is returned. Only law enforcement and the internal fraud departments of large financial institutions and insurance companies have access to additional information in connection with these verification services. The additional information made available to this select group of users includes such information as previous addresses, additional SSNs or DL#s associated with the particular consumer. Again, no ``analysis'' is performed by Acxiom. Acxiom's background screening products utilize field researchers who do in-person, real-time research against public records and make calls to past employers to verify the information provided by the consumer. Acxiom does not pre-aggregate information for these products. As a result, the compilation of this product is only done in preparation of the actual report and the file is stored only for purposes of compliance with the FCRA. Question 2. What is the procedure for becoming an Acxiom client? When someone becomes a client, does that client have access to all of your company's databases for any purpose? For example, if an attorney becomes an Acxiom client to help locate a witness, can that attorney also use Acxiom's databases for personal or other reasons? How does your company monitor this? Answer. Acxiom sells its fraud management products exclusively to very large financial services and insurance clients and law enforcement agencies. These products are not sold to individuals, such as attorneys. The sales cycle for these types of clients is typically several months long and involves many in-person visits and customized interfaces between systems. The problem the client is trying to address with the data, and the data to be provided by Acxiom, are fully vetted by Acxiom's product, legal and compliance teams. Once the appropriate Acxiom products for a particular solution are determined, the client enters into a signed written agreement with terms and conditions of use of the data. Once a formal relationship is established, a client is permitted to utilize only the data products for which it has been approved and granted a license. A log is kept of every transaction made by Acxiom's clients to our fraud management products which provide access to sensitive information. These are used for billing purposes and periodically audited/reviewed by the product team. Our background screening products, which are regulated by the Fair Credit Reporting Act, are available only to employers and landlords. All clients using these products are credentialed with such agencies as the Better Business Bureau and, for those who receive any sensitive information, onsite inspections of potential clients also are conducted by Acxiom. Only pre-employment credit reports provide sensitive information that employers or landlords do not already possess. Question 3. Can you explain how Acxiom organizes and maintains its sensitive consumer information? Is all information--regulated or unregulated--contained in one database? If information is maintained separately, can information from one database make its way into another database? If not, how does Acxiom prevent information from migrating from one database into others? Answer. Acxiom builds distinct databases to support each of its different data product lines. The only products Acxiom offers that contain sensitive consumer information are its fraud management products and background screening services. Although the fraud management products are built from both regulated and unregulated data, the entire database is maintained and utilized as if it was all regulated. Different Acxiom teams are responsible for the creation and maintenance of each distinct product line and the databases from which they are built. Only the appropriate team has access to the data within each database. This strategy prevents the unintentional migration of information from one database to another. Acxiom voluntarily submits itself to external annual audits of its information practices for the purpose of reviewing the data and data sources utilized in each product line and to assure compliance with our own principles, source contacts and applicable laws and regulations. The background screening reports are provided by a separately run subsidiary of Acxiom and are fully regulated under the Fair Credit Reporting Act. The reports are compiled on an ``as needed'' basis by associates and field agents who are employed by that subsidiary and who are focused only on that business. The information in those reports is not stored in a database and is not utilized in any other area of the company. Question 4. Some information brokers have cited the difficulty in correcting consumer files, claiming that the inaccurate information is generated from public records. But this addresses only part of the issue. One problem is that information brokers may place information regarding one person into another person's file. This is particularly common with persons who have the same name. What steps does Acxiom take to try to avoid this problem? Answer. Acxiom utilizes all available identifying information in consolidating the information from various sources to build the company's data products. In the case of individuals with the same or similar names, the use of address, telephone, date of birth and SSN, if available, will assist in accurately differentiating between the two persons. No one element is used to consolidate information. Rather a combination of elements are utilized, reducing the chance that an error or a similarity in one element will result in an error. We also conduct quality audits of consolidation procedures to help identify problems and to refine our consolidation algorithms. Access to increased information reduces chances for errors. Should some of these elements of differentiating data become unavailable to the information services industry, the accuracy of the consolidation may suffer. Question 5. To what extent does Acxiom sell sensitive consumer information to Federal, State, and local law enforcement agencies. Does Acxiom have any limitations on the sale of information to law enforcement entities? Answer. Acxiom has only one contract with the Federal Government which involves the sale of sensitive information. We impose similar restrictions on the sale of sensitive information to government agencies as we do for the fraud departments of large financial institutions and insurance companies. Examples of such restrictions include: Sensitive data provided to the government may only be used to verify the accuracy of personal information for the purposes of preventing fraud or to locate individuals. Driver's License data must be used by the government in compliance with the Drivers Privacy Protection Act for the verification of accuracy of personal information. If the personal information is incorrect, the driver's license data may be used to obtain the correct information, but only for the purpose of preventing fraud. The data provided cannot be stored in any other form or used for any other purpose unless express written permission is received from Acxiom. Question 6. Please describe the procedures governing who can purchase sensitive consumer information from Acxiom. Please tell us about the types of holes Acxiom had in its old process and how the company is now plugging those holes. Answer. Acxiom sells our fraud management product exclusively to large companies and has only several dozen clients for these products. As described earlier, only the fraud departments of large financial institutions and insurance companies and government agencies have access to this investigative tool which provides sensitive information. We do not believe we have any holes in our current process for screening clients, as that process has never been compromised. However, after the incidents involving ChoicePoint and Lexis-Nexis, Acxiom undertook a review of all our client credentialing procedures, including those procedures that apply to clients with access to only non-sensitive data. As a result of that review, which will conclude next month, Acxiom may implement additional credentialing procedures if such procedures are determined to be appropriate. While the security breach Acxiom suffered in 2003 did not involve any of Acxiom's information products and did not result in access to any of Acxiom's sensitive data, we did make substantial technical changes in how files are transferred to and from Acxiom by our clients, to prevent such an incident from reoccurring. Question 7. Does Acxiom favor giving consumers wider access to information that the company stores about them? This is a central principle of the legislation I have introduced. What information should companies like Acxiom make available to consumers? Answer. Acxiom's fraud products and the background screening products are the only products which contain sensitive information. Since 1997, Acxiom has voluntarily provided consumers access to the information Acxiom has about them in the company's fraud management and directory products. We also provide consumer access to the company's background screening product, pursuant to the requirements of the Fair Credit Reporting Act. Question 8. Does Acxiom perform any audits of its systems to ensure accuracy of the sensitive consumer information that it compiles? Answer. Acxiom is constantly auditing its data compilation processes, and the quality of the files it obtains, in order to assure maximum possible accuracy. These audits include manual reviews of the data, comparisons to other sources, and verification of the company's consolidation procedures. Acxiom obtains sensitive data from only a few select sources with which Acxiom has worked for years. Question 9. What auditing does Acxiom perform on its business and government clients? Are clients required to type in a specific justification for each search of personal information, or do they just see a ``click through'' agreement? How long are audit logs maintained? Has auditing ever revealed wrongdoing that led to a client being prosecuted for misusing personal information? Answer. Acxiom does not allow access to data products containing sensitive information via a ``click through'' agreement. As described above, the problem the client is trying to address with the data, and the data to be provided by Acxiom, are fully vetted by Acxiom's product, legal and compliance teams. Once the appropriate Acxiom products for a particular solution are determined, the client enters into a signed written agreement with terms and conditions of use of the data. Acxiom's practice is to maintain audit logs as described above for our fraud management products for at least 7 years. We have never had an audit reveal wrongdoing that led to a client being prosecuted for misusing personal information. Question 10. To which Federal Government agencies does Acxiom sell sensitive consumer information? Answer. Acxiom currently provides sensitive data to only one Federal law enforcement agency engaged in homeland security efforts. Question 11. Does your company compile information garnered from warranty cards filled out by consumers? If so, what companies generally supply you with this information and how is this information stored and used? Answer. Acxiom does not compile information garnered from warranty cards, but we do license general lifestyle data from sources that do. That information is only used for marketing purposes. Question 12. Please give a complete listing of the types of personal information that your company maintains in all of its product lines, including information based on DNA and biometrics. Answer. Acxiom possesses absolutely no information based on, derived from, or in any way related to DNA or biometrics. Marketing Products--Acxiom develops and maintains databases containing information on households in the U.S. for companies to use in their marketing and customer service programs. These databases are developed from many different sources, including: Public Record and Publicly Available Information--Telephone directories, website directories and listings, real property recorder and assessor information, historical drivers license information and historical motor vehicle information. Data from Other Information Providers--Demographic information, survey information and summary buyer information. These databases do not include credit information, medical information, Social Security Number (or other related information) or personally identifiable information about children. Reference Products--Acxiom develops and maintains databases containing information about many individuals and households in the U.S. for directory reference and fraud management purposes and provides online links to other information provider services for use by qualified businesses and government agencies for lawful and ethical purposes. These databases are developed from many different sources, including: Public Record and Publicly Available Information--Telephone directories; real property recorder and assessor information; historical drivers license information; current drivers license information, where allowed by law; historical motor vehicle information; current motor vehicle information, where allowed by law; deceased information; and other suppression information. Data from Other Information Providers--Identifying information only (header data) from consumer reporting agencies, where allowed by law, and information about household characteristics collected and permissioned by the consumer. These databases and access to other information provider services include financial information, Social Security Number and other related information where permitted by law. This information is provided only to qualified businesses primarily in the finance, insurance, mortgage, real estate and retail industries for the purpose of risk management including verifying information about customers, issuing mortgages, speeding transactions, employment screening and reducing the chance of fraud. This information is also provided to government agencies for the purposes of risk management including verifying information, employment screening, national security and assisting law enforcement. In order to protect the use of this information, Acxiom does not provide any information, whether public or non-public, to individuals. Acxiom also does not allow our clients to make any non-public information available to an individual. Acxiom does allow our clients to make only public record and publicly available information available to individuals in the form of commonly used and accepted real estate research tools and public listing searches via the Internet. ______ Response to Written Questions Submitted by Hon. Bill Nelson to Kurt P. Sanford Question 1. Can you explain how LexisNexis organizes and maintains its sensitive consumer information? Answer. LexisNexis stores all data in electronic files. Individual records comprise databases which are distinguished by source. The LexisNexis system has the capability to search individual sources or search multiple data sources simultaneously in group files, which is a grouping of discrete data files from multiple sources. At Seisint, data from multiple sources is generally combined into a group file. Even though data is combined into a group file, Seisint retains the ability to distinguish the source from which each record in the group file originated. Question 1a. Is all information--regulated or unregulated-- contained in one database? Answer. No. In a few limited instances LexisNexis has successfully combined data from multiple sources into a group file or report, allowing a single search to be run on the resulting group file or report. However, regulated data either separately or combined with non- regulated data still requires a declaration of permissible use before access is permitted. Similarly, at Seisint, regulated data either separately or combined with non-regulated data still requires a declaration of permissible use before access is permitted. Question 1b. If information is maintained separately, can information from one database make its way into another database? Answer. Information from one database (source file) cannot migrate into another database due to system constraints, permissions, data file and record structure. However, in a few limited instances we have purposefully combined data into group files and reports for ease of use by our customers, as described above. Question 1c. If not, how does LexisNexis prevent information from migrating from one database into others? Answer. N/A. Question 2. Some information brokers have cited the difficulty in correcting consumer files, claiming that the inaccurate information is generated from public records. But this addresses only part of the issue. One problem is that information brokers may place information regarding one person into another person's file. This is particularly common with persons who have the same name. What steps does LexisNexis take to try to avoid this problem? Answer. To be linked, data must match on multiple data elements such as name and Social Security number, or name, address and telephone number, or some similar combination of multiple data elements. We investigate reported mismatches. If we confirm an error, we take steps to correct the error. If it is our error we correct it, otherwise we direct the consumer to the originating source so that consumer can pursue correction directly with the source. Question 3. To what extent does LexisNexis sell sensitive consumer information to Federal, State, and local law enforcement agencies? Answer. The vast majority of information available through LexisNexis comes from public records, court decisions, statutes, and other open source publications like newspapers, periodicals, and directories. ``Sensitive information'' on LexisNexis is limited to full Social Security numbers obtained from nonpublic sources such as credit headers, in accordance with both the Fair Credit Reporting Act (FCRA) and the privacy provisions of the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA), and drivers license numbers obtained from State departments of motor vehicles in compliance with Federal and state implementations of the Drivers Privacy Protection Act (DPPA). Sensitive information, as defined above, is made available to Federal, State, and local law enforcement agencies where such agencies certify that their access is in compliance with and expressly permitted under the provisions of the applicable laws. Question 3a. Does LexisNexis have any limitations on the sale of information to law enforcement entities? Yes. Law enforcement use of regulated data is limited to only those uses specifically permitted under the GLBA and DPPA. Question 4. Please describe the procedures governing who can purchase sensitive consumer information from LexisNexis. Answer. Access to sensitive information is limited to those customers with a permissible purpose under DPPA or GLBA. Prior to entering into a contract with LexisNexis, a customer must disclose its intended purpose for the data, which must correspond to one or more of the permissible purposes under the GLBA and/or the DPPA. In addition, the customer must qualify as an authorized user and must certify that it has one of a limited number of authorized uses. LexisNexis has the right to review and audit the customer's use to ensure compliance with terms of the agreement. Question 4a. Please tell us about the types of holes LexisNexis had in its old process and how the company is now plugging those holes. Answer. The security incidents we uncovered primarily involved unauthorized persons misusing IDs and passwords of legitimate Seisint customers. As a result, we have enhanced our business practices and policies involving the issuance and administration of customer IDs and passwords. These include: Changing customer password security processes to require that passwords for both system administrators and users be changed at least every 90 days; Suspending customer passwords of system administrators and users that have been inactive for 90 days; Suspending customer passwords after five unsuccessful log in attempts and requiring them to contact Customer Support to ensure security and appropriate reactivation; and Requiring that system administrators review the list of employees issued IDs and passwords to ensure that access is terminated when an employee leaves the company. Question 5. Does LexisNexis perform any audits of its systems to ensure accuracy of the sensitive consumer information that it compiles? Answer. LexisNexis employs a number of procedures to test the accuracy of sensitive information received and to test the accuracy of this data prior to making the data available to customers. Accuracy is measured by determining whether the data received matches the data in the source document or record. LexisNexis only obtains data from known, reputable sources. Credit header data is obtained directly from the originating credit bureau, not through brokers or other third parties. We receive the most current data that the supplier can provide; Any questions arising regarding the accuracy of the content delivered to LexisNexis are resolved quickly and effectively; Data is delivered in the same, mutually agreed upon format, thereby maintaining the integrity of the data conversion process and minimizing the risk of conversion errors; We respond to any questions regarding data accuracy brought to our attention by consumers or others; and Any updates, additions, or changes will be received from the supplier. The data conversion process is itself subject to a series of system checks. The data is run through the conversion process where computer systems and software check for conformance with formatting specifications. Deviations, anomalous data, and data omissions are noted and brought to the attention of the appropriate LexisNexis personnel for verification, review, or remediation with the data supplier. Question 6. What auditing does LexisNexis perform on its business and government clients? Answer. LexisNexis has established systems that allow us to monitor usage and identify abnormal usage patterns. When abnormal usage is discovered, access is shut off and the use investigated. Question 6a. Are clients required to type in a specific justification for each search of personal information, or do they just see a ``click through'' agreement? Answer. LexisNexis does provide electronic access to applicable terms and conditions on use for all users. These terms and conditions keep users informed of their obligations under the written agreement. In addition, LexisNexis employs a series of electronic notices and responses to determine whether users have a legally permissible purpose for accessing legally restricted, personal information such as credit headers subject to restrictions on use under the privacy provisions of the GLBA or driver's license records restricted under the DPPA. These notices provide users with the permissible purposes authorized under the applicable statutes. Unless the user indicates a specific, enumerated permissible purpose, access is denied. Users are given notice that records of their use of these materials is subject to recordkeeping requirements of applicable Federal and State laws and of data suppliers. Records are maintained of the user ID, permissible purpose, date, and time of the search. Question 6b. How long are audit logs maintained? Answer. In accordance with the requirements of the DPPA records of the identity of the user and of the applicable permitted use must be maintained for at least 5 years for searches involving information covered by that statute. Question 6c. Has auditing ever revealed wrongdoing that led to a client being prosecuted for misusing personal information? Answer. We have identified instances where it appeared from searching patterns that customers could have been misusing personal information. In those instances system access was either suspended or modified to avoid the possibility of improper use. Question 7. To which Federal Government agencies does your company sell sensitive consumer information? Answer. LexisNexis works with virtually every agency in the Federal Government. Some of our customers include: Homeland Security agencies Law enforcement agencies Intelligence agencies Entitlements agencies Regulatory agencies Revenue agencies Question 8. Does your company compile information garnered from warranty cards filled out by consumers? Answer. No. Question 8a. If so, what companies generally supply you with this information and how is this information stored and used? Answer. N/A. Question 9. Please give a complete listing of the types of personal information that your company maintains in all of its product lines, including information based on DNA and biometrics. Answer. The information maintained by LexisNexis falls into the following three general classifications: public record information, publicly available information, and non-public information. Public record information. Public record information is information originally obtained from government records that are available to the public. Real estate records, court records, and professional licensing records are examples of public record information collected and maintained by the government for public purposes, including dissemination to the public. Publicly available information. Publicly available information is information that is available to the general public from non- governmental sources. Telephone directories are an example of publicly available information. Non-public information. Non-public information is information about an individual that is not obtained directly from public record information or publicly available information. This information comes from proprietary or non-public sources. Non-public data maintained by LexisNexis consists primarily of information obtained from driver's license records, motor vehicle records or credit header data. Credit header data is the non-financial identifying information located at the top of a credit report, such as name, current and prior address, listed telephone number, Social Security number, and month and year of birth. LexisNexis does not collect or distribute personal financial information such as credit card account information or personal medical records. LexisNexis does not collect or maintain either DNA or biometric data.