<DOC>
[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:99916.wais]
PROTECTING CONSUMERS' DATA: POLICY ISSUES RAISED BY CHOICEPOINT
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE, AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
MARCH 15, 2005
__________
Serial No. 109-76
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
99-916PDF WASHINGTON : 2005
________________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
------------------------------
COMMITTEE ON ENERGY AND COMMERCE
JOE BARTON, Texas, Chairman
RALPH M. HALL, Texas JOHN D. DINGELL, Michigan
MICHAEL BILIRAKIS, Florida Ranking Member
Vice Chairman HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia FRANK PALLONE, Jr., New Jersey
ED WHITFIELD, Kentucky SHERROD BROWN, Ohio
CHARLIE NORWOOD, Georgia BART GORDON, Tennessee
BARBARA CUBIN, Wyoming BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois ANNA G. ESHOO, California
HEATHER WILSON, New Mexico BART STUPAK, Michigan
JOHN B. SHADEGG, Arizona ELIOT L. ENGEL, New York
CHARLES W. ``CHIP'' PICKERING, ALBERT R. WYNN, Maryland
Mississippi, Vice Chairman GENE GREEN, Texas
VITO FOSSELLA, New York TED STRICKLAND, Ohio
ROY BLUNT, Missouri DIANA DeGETTE, Colorado
STEVE BUYER, Indiana LOIS CAPPS, California
GEORGE RADANOVICH, California MIKE DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire TOM ALLEN, Maine
JOSEPH R. PITTS, Pennsylvania JIM DAVIS, Florida
MARY BONO, California JAN SCHAKOWSKY, Illinois
GREG WALDEN, Oregon HILDA L. SOLIS, California
LEE TERRY, Nebraska CHARLES A. GONZALEZ, Texas
MIKE FERGUSON, New Jersey JAY INSLEE, Washington
MIKE ROGERS, Michigan TAMMY BALDWIN, Wisconsin
C.L. ``BUTCH'' OTTER, Idaho MIKE ROSS, Arkansas
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
Bud Albright, Staff Director
James D. Barnette, Deputy Staff Director and General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
FRED UPTON, Michigan JAN SCHAKOWSKY, Illinois
NATHAN DEAL, Georgia Ranking Member
BARBARA CUBIN, Wyoming MIKE ROSS, Arkansas
GEORGE RADANOVICH, California EDWARD J. MARKEY, Massachusetts
CHARLES F. BASS, New Hampshire EDOLPHUS TOWNS, New York
JOSEPH R. PITTS, Pennsylvania SHERROD BROWN, Ohio
MARY BONO, California BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska GENE GREEN, Texas
MIKE FERGUSON, New Jersey TED STRICKLAND, Ohio
MIKE ROGERS, Michigan DIANA DeGETTE, Colorado
C.L. ``BUTCH'' OTTER, Idaho JIM DAVIS, Florida
SUE MYRICK, North Carolina CHARLES A. GONZALEZ, Texas
TIM MURPHY, Pennsylvania TAMMY BALDWIN, Wisconsin
MARSHA BLACKBURN, Tennessee JOHN D. DINGELL, Michigan,
JOE BARTON, Texas, (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Majoras, Deborah Platt, Chairman, Federal Trade Commission... 17
Sanford, Kurt P., President and Chief Executive Officer, U.S.
Corporate and Federal Government Markets, LexisNexis....... 37
Smith, Derek, Chairman and Chief Executive Officer,
ChoicePoint, Inc........................................... 44
Additional Material Submitted for the Record:
Smith, Derek, Chairman and Chief Executive Officer,
ChoicePoint, Inc, response for the record.................. 94
(iii)
PROTECTING CONSUMERS' DATA: POLICY ISSUES RAISED BY CHOICEPOINT
----------
TUESDAY, MARCH 15, 2005
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:10 a.m., in
room 2123 of the Rayburn House Office Building, Hon. Cliff
Stearns (chairman) presiding.
Members present: Representatives Stearns, Deal, Bass,
Pitts, Bono, Terry, Otter, Myrick, Murphy, Blackburn, Barton
(ex officio), Schakowsky, Markey, Towns, Brown, Green,
Strickland, DeGette, Gonzalez, and Baldwin.
Staff Present: David Cavicke, chief counsel; Chris Leahy,
policy coordinator; Shannon Jacquot, majority counsel; Andy
Black, deputy staff director; Brian McCullough, majority
professional staff; Will Carty, majority professional staff;
Bud Albright, staff director; Larry Neal, deputy staff
director; Jon Tripp, deputy communications director; Kevin
Schweers, communications director; Billy Harvard, legislative
clerk; Julie Fields, special assistant to the policy
coordinator; Consuela Washington, minority counsel; Jonathan
Cordone, minority counsel; Edith Holleman, minority counsel;
Voncille Hines, minority staff assistant; and Turney Hall,
minority staff assistant.
Mr. Stearns. Good morning, everybody. The subcommittee
hearing today will come to order on Protecting Consumers' Data:
Policy Issues Raised by ChoicePoint and identity theft.
Just like knowledge, information is power. In a world where
information can be transmitted at the speed of light to anybody
with the ability to access it, legitimately or fraudulently,
there are a multitude of potential security issues that
obviously can occur. The security of that information can be
compromised within the sanctuary of the data base, along the
pipeline of the network, and at the final destination, which in
many cases, is a point of sale.
What is more worrying is that sensitive information and
access to it involves very specific pieces about who we are,
where we live, what we buy, how much money we make, what we
drive, our criminal history, in fact, and so on. The growing
business of commercial data collection and brokering has made
products like packaged consumer information profiles tailored
for specific requirements and clients, a major and important
mode of business. These information products and their
applications are becoming more sophisticated and comprehensive,
as advances in technology continue to improve the capability to
collect, store, analyze, and package information, both personal
and non-personal.
My colleagues, our focus today is directed at the apparent
cracks in the comprehensive system of information sharing and
brokering, including understanding how penetrable and
vulnerable the data bases and network pipelines are, as well as
assessing the accuracy and effectiveness of identity
verification.
Now, the recent security breaches at two of the biggest and
most sophisticated companies in the industry, ChoicePoint and
LexisNexis, which are both represented here today, by their
CEOs, serve to highlight the need for Congress and this
committee to examine closely the effectiveness of the current
regulatory regimes. This would include Federal law, like the
Fair Credit Reporting Act, and State laws designated to protect
and secure this highly sensitive information from the criminals
working to breach these fortifications. These laws tend to
operate independently in the marketplace, in addition to the
State requirements. As a result, there is clearly a need to
consider a comprehensive Federal consumer notification
requirement, a uniform national standard, so that
jurisdictional issues don't cause unnecessary problems for
consumers victimized by this criminal activity. Any solution
needs to ensure that consumers are notified as quickly as
possible when these breaches occur. We owe that to every
American. And additionally, recent events compel us to visit
the fundamental privacy debate, as it relates to the power of
the consumer to control the transmission of that data, ensure
its accuracy, and be given notice when it is being used
legitimately or compromised for nefarious purposes.
Now, as we all know, this hearing today is taking place
against a backdrop of one of the most rapidly growing crimes in
America, identity theft. As we will hear today, a recent
Federal Trade Commission survey showed that almost 10 million
people in the United States discovered that they were involved
in some sort of identity theft. These numbers translate into
losses of almost $50 billion for businesses and $5 billion for
consumers. My colleagues, this is a huge and growing market for
fraudsters, and according to some reports, for terrorist
networks seeking to cash in in this lucrative crime.
The commercializing or monetarizing, as some may suggest,
of consumer data has made protecting it far more complex and
important, given its value in the wired marketplace. Today's
cyber-thieves employ high tech surveillance, in some case slip
anonymously into secure data bases to complete the heist. More
traditional criminals simply acquire official identification
and business licenses fraudulently, then dupe the verification
process used by the information company, and set up a shop to
receive their first shipment of sensitive consumer financial
data, personal data. These two case studies we have before us
this morning, the high tech and mundane, are now in the
headlines, and indicate the digital dike is starting to leak
very sensitive information about ourselves to those who wish to
do us harm. As we will learn, breaches can occur from inside
companies as well. Data security firms, including the one
joining us today are working on novel approaches to secure data
bases and network traffic before breaches destroy the financial
soundness and privacy of thousands of Americans.
At the same time, my colleagues, the ability to access much
of this personal information obviously facilitates legitimate
commerce that benefits all of us today. Trusted third parties,
including data brokers and financial institutions, facilitate
important commercial and public functions through their ability
to quickly and securely access vast amounts of consumer data.
Their technology and products help us, for example, screen out
risky job applicants from sensitive positions, obtain faster
credit and more securely, pay less for our insurance products,
and in a few dramatic cases, allow law enforcement to move
quickly to find criminal suspects. Many people value these
services and products, and may not even know about it.
Today's hearing is not an effort to demonize these
legitimate practices and companies. But, my colleagues, it is,
rather, an opportunity to understand the reasons behind the
recent breaches, examine the legal regimes involved, and create
a means by which consumers affected by a breach can be provided
prompt and detailed notice, as well as an opportunity to verify
and correct their personal information. The average consumers
loves the convenience many of these systems provide, but
obviously also want control over the details of his or her
life, public or not.
The value of that information in today's digital
marketplace, coupled with illicit motives, make its proper use
harder to police. Accordingly, this committee must ensure that
the commercial application of consumer information retains that
careful balance between security, the protection of privacy,
and liberty that every American holds so dear.
I would like to thank our panel, particularly the
Chairwoman of the Federal Trade Commission, for being with us,
and also, the CEOs of both ChoicePoint and LexisNexis, for
their time and their willingness to come forward with their
testimony.
With that, I recognize the Ranking Member, Ms. Schakowsky
of Illinois.
[The prepared statement of Hon. Cliff Stearns follows:]
Prepared Statement of Hon. Clifford Stearns, Chairman, Subcommittee on
Commerce, Trade, and Consumer Protection
Good Morning. Just like knowledge, information is power. And in a
world where information can be transmitted at the speed of light to
anyone with the ability to access it, legitimately or fraudulently,
there are a multitude of potential security issues that can occur. The
security of that information can be compromised within the sanctuary of
the database, along the pipeline of the network, and at the final
destination, which in many cases is the point of sale. What's more
worrying is that sensitive information and access to it involves very
specific pieces about who we are: where we live, what we buy, how much
money we make, how we drive, our criminal history, and so on. The
growing business of commercial data aggregation and brokering has made
products like packaged consumer information profiles, tailored for
specific requirements and clients, a major and important business.
These information products and their applications are becoming more
sophisticated and comprehensive as advances in technology continue to
improve the capability to collect, store, analyze, and package
information, both personal and non-personal. Our focus today is
directed at the apparent cracks in the comprehensive system of
information sharing and brokering, including understanding how
penetrable and vulnerable the databases and network pipelines are, as
well as assessing the accuracy and effectiveness of identity
verification.
The recent security breaches at two of the biggest and most
sophisticated companies in the industry, Choicepoint and LexisNexis,
which are represented before us today by their chief executives, serve
to highlight the need for Congress and this great Committee to examine
closely the effectiveness of the current regulatory regimes. This would
include federal law, like the Fair Credit Reporting Act, and state laws
designed to protect and secure this highly sensitive information from
the criminals working to breach those fortifications. These laws tend
to operate independently in the marketplace, in addition to the state
requirements. As a result, there is clearly a need to consider a
comprehensive federal consumer notification requirement, a uniform
national standard, so that jurisdictional issues don't cause
unnecessary problems for consumers victimized by criminal activity. Any
solution needs to ensure that consumers are notified as quickly as
possible when breaches occur. We owe that to every American.
Additionally, recent events compel us to revisit the fundamental
privacy debate as it relates to the power of the consumer to control
the transmission of that data, ensure its accuracy, and be given notice
when it's being used legitimately or compromised for nefarious
purposes. As we all know, this hearing today is taking place against
the backdrop of the most rapidly growing crime in America--identity
theft. As we will hear today, a recent Federal Trade Commission survey
showed that almost 10 million people in the United States discovered
that they were involved in some sort of identity theft. These numbers
translate into losses of almost $50 billion for businesses and $5
billion for consumers. This is a huge and growing market for fraudsters
and, according to some reports, for terrorist networks seeking to cash
in on this lucrative crime.
The commercializing or monetizing, as some may suggest, of consumer
data has made protecting it far more complex and important given its
value in the wired marketplace. Today's cyber-thieves employ high-tech
surveillance and, in some cases, slip anonymously into secure databases
to complete the heist. More traditional criminals simply acquire
official identification and business licenses fraudulently, dupe the
verification process used by the information company, and set up shop
to receive their first shipment of sensitive consumer financial and
personal data. These two case studies, the high-tech and mundane, are
now in the headlines and indicate the digital dike is starting to leak
very sensitive information about ourselves to those who wish to do us
harm. As we will also learn, breaches can also occur from inside
companies as well. Data security firms, including the one joining us
today, are working on novel approaches to secure databases and network
traffic before breaches destroy the financial soundness and privacy of
thousands of Americans.
At the same time, the ability to access much of this personal
information facilitates legitimate commerce that benefits all of us.
Trusted third parties, including data brokers and financial
institutions, facilitate important commercial and public functions
through their ability to quickly and securely access vast amounts of
consumer data. Their technology and products help us, for example,
screen out risky job applicants from sensitive positions, obtain credit
faster and more securely, pay less for our insurance products, and in a
few dramatic cases, allow law enforcement to more quickly find criminal
suspects. Many people value these services and products and may not
even know it.
Today's hearing is not an effort to demonize those legitimate
practices and companies, rather it is an opportunity to understand the
reasons behind the recent breaches, examine the legal regimes involved,
and create a means by which consumers affected by a breach can be
provided prompt and detailed notice, as well as an opportunity to
verify and correct their personal information. The average consumer
loves the convenience many of these systems provide, but also wants
control over the details of his life, public or not. The value of that
information in today's digital marketplace coupled with illicit motives
makes its proper use harder to police. Accordingly, this Committee must
ensure that the commercial application of consumer information retain
the careful balance between security, the protection of privacy, and
liberty that every American holds so dear.
I would like to again graciously thank our distinguished panel of
witnesses for joining us today. We look forward to your testimony.
Thank you.
Ms. Schakowsky. Thank you, Chairman Stearns, for holding
this hearing today on the risks that consumers face, because
the data brokers, like ChoicePoint, and problems that they have
had. We were all shocked to hear that a few criminals were able
to set up scams which jeopardized the personal and financial
security of hundreds of thousands of people. We need to close
the gaps in the law that are putting consumers and their
sensitive information at greater risk for privacy invasion,
identity theft, and other crimes.
Stories of security breaches of data bases of personal and
financial information have been all over the news in the past
few weeks. Most notably, we have heard about ChoicePoint
selling personal records of 145,000 people to sham businesses,
and of con artists using real accounts and passwords to access
32,000 people's records in LexisNexis' Seisint data base.
My own State of Illinois has already ranked ninth in the
Nation for identity theft cases, and the fact that 5,025 more
residents are at greater risk because of the ChoicePoint's
fumble, and 481 more, because of the LexisNexis' problem, I am
even more troubled by these reports. Chairman Stearns, being
that Florida is fifth in the Nation for ID theft, I know, and
you just testified that you are quite aware that these
breaches, what they can mean for consumers and our
constituents.
While our witnesses will admit that some of the data
accessed as a result of the breaches is sensitive personal
information, including Social Security numbers and driver's
license numbers, we are also going to hear disclaimers about
how most of that information was from public records.
Downplaying the security breaches does not provide me or many
others with comfort. Although the information may be public,
when those records are compiled and then linked to other
information about consumers, the nature of those records is
radically changed.
In fact, the power of aggregated information was one of the
driving forces before the 1974 Privacy Act, which makes it
illegal for government agencies to amass the kind of personal
information that data brokers do today. Our Congressional
predecessors knew that limits were needed to protect the
people's privacy from government spying. What they did not
realize was that Big Business would handle the dirty work for
Big Brother, and that technology would make it possible to
gather and store thousands of pieces of personal information
which is available with just the click of a mouse.
Despite its power, profit, and reach, the burgeoning data
brokerage industry is largely unregulated. The lack of
regulation is seriously troubling for a number of reasons.
First of all, data brokers sell their information to employers,
insurance companies, debt collectors, government agencies, and
in some cases, individuals. They see their role as being ``risk
mitigators'' for their clients. However, the information they
sell could cost people jobs, insurance, the right to vote, or
even their lives, if the information is sold to a stalker or
abusive spouse, for example.
The risk is shifted to defenseless and unaware people, at
times crime victims. There are no guarantees that the
information that data brokers are selling is accurate, and they
have few, if any, obligations to consumers to correct it. Data
brokers could blacklist people, and there is little victims can
do about it. On top of that, as these recent breaches reveal,
the very collection and sale of the information could mean that
even more accurate information is added to--inaccurate, excuse
me--that even more inaccurate information is added to
consumers' records.
Already, 700 people who had their information bought by
fraudsters from ChoicePoint have become victims to identify
theft, and although ChoicePoint has promised to help them
correct the problems they will incur, it will take these
individuals on average 2 years or longer to clear their names.
Even then, we have no guarantee that all their future records
will reflect that, and who knows the costs they will incur
along the way.
I find the lax security and regulation of data brokers
especially disturbing because of the government reliance on
them. One report put the number of government agencies using
data brokers at around 7,000, from local police stations to the
Department of Justice, with $67 million in contracts with
ChoicePoint in 2004 alone. Hundreds of millions of dollars are
flowing each year from the taxpayers' pockets and into the data
brokers' banks. While I am troubled by the prospect that the
government agencies may be violating the spirit of the 1974
Privacy Act, I am particularly concerned about the fact that
they are turning to freewheeling contractors to get their
information.
If we are going to be using taxpayer dollars to pay for
these services, we need to make sure data brokers are
accountable when it comes to the security and accuracy of the
data they are compiling. People's very lives are at stake, and
we do not need a Halliburton of the information industry, or
another legal black hole through which contractors fall, and
from which they profit.
Again, Chairman Stearns, I look forward to working with you
and the other members of our committee, to do what we can to
protect consumers. Thank you.
Mr. Stearns. I thank the gentlelady. The chairman of the
full committee, the distinguished gentleman from Texas, Mr.
Barton, is recognized.
Chairman Barton. Thank you, Mr. Chairman. Thank you for
holding this hearing, and thank you, Commissioner, for being
here. I would also like to recognize the former Chairman of the
Science Committee, Bob Walker of Pennsylvania, is in the
audience, and we appreciate him being here.
This is an important hearing. We are all very concerned
about what has happened. Nobody takes this more seriously than
I do, along with Congressman Markey of Massachusetts. We are
original founders of the Privacy Caucus in the House, and in
the Senate, the founders are Senator Chris Dodd of Connecticut,
and Senator Shelby of Alabama. So I have not only a
professional interest as Chairman of the Committee, but a
personal interest as a privacy--co-chairman of the Privacy
Caucus, with Mr. Markey here in the House.
It wasn't so long ago that your Social Security number was
known to two people, yourself AND the Social Security
Administration. I have stopped carrying my Social Security
card. I have just memorized it, but if I forgot it, it wouldn't
be very hard for me to get it. I could just almost touch base
with any number of creditors and, I think, get it very easily.
I didn't find out until I prepared for this hearing that your
Social Security number is routinely given, along with other
very sensitive information, a number of agencies--that data is
collected by two of the companies that are before us today,
that have had a problem, and that for almost any purpose, it
can be obtained rather easily. I think that is just wrong. I
just think that is wrong. If I want to give my Social Security
number to somebody, I will give it to them. I know if I go to
the bank, and I want a loan, I am going to have to give them
some information, and I will voluntarily disclose that in order
to get the loan, or at least to be reviewed for the loan. But I
don't see how it serves my purpose as an individual when my
number and my information is routinely given without my
permission. I just fundamentally think that is unfair. In the
Internet age, it is just dangerous.
With the availability of information sharing and file
sharing and all that over the Internet, it is just--it is
frightening. Identify theft, consequently, is becoming one of
the top issues in consumers' and voters' minds. My former wife
had her Social Security number stolen and used for medical
purposes at a hospital in Dallas, and only found out about it
when the hospital tried to collect some emergency room charges.
And since she was not in that hospital at any time for medical
services, we were able to prove that it wasn't her. If somebody
else had gotten her Social Security number, and tried to use it
to get medical treatment in Dallas.
I understand that some of these groups that are here today
provide a public service by collecting information and selling
it, so that business groups can market legitimately their
products, over the Internet and through the mail and by
telephone. But I don't think that that is a guaranteed right,
and I do believe that individuals have the right to know what
is going on with their information. I think that after we hold
this hearing, we are going to have to make a decision whether
we need to set some national standards about what can be
traded, when, and what you have to tell the individual that
their own information is being used, and whether when, in this
case, it is stolen, people should be notified of that.
Currently, there is no Federal standard or Federal law that
requires that.
Last year, according to the Federal Trade Commission, 10
million consumers were victims of identity theft. Ten million.
That number is going up, and if you are one of those 10 million
people, just getting your identity stolen is not the end of it.
It takes years and years, sometimes, to clean up the damage of
one inadvertent problem. We have a lot of members on this
committee that are very interested in this issue. I have
already mentioned Congressman Markey. Chairman Stearns has held
a number of hearings on this. Congressman Shadegg, our whip on
the committee, passed a Public Law, the Identity Theft and
Assumption Deterrence Act of 1998, 7 years ago. So we are ready
to go. We are going to hear our Chairman of the Federal Trade
Commission. We are going to hear some of our private sector
CEOs. Then we will hear some consumer advocates.
I don't know if this is the only hearing we are going to do
on this. We may do another one. But some time this spring, we
are going to sit down after we have listened and digested the
testimony, and make a decision what legislative strategy, if
any, we need to employ. But my guess is we are going to move
forward with some Federal legislation on this issue, and with
that, Mr. Chairman, I would yield back.
[The prepared statement of Hon. Joe Barton follows:]
Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy
and Commerce
Thank you Mr. Chairman for holding this hearing today. It is no
secret that privacy and information security are important to me. I co-
founded the Congressional Privacy Caucus, and as Chairman of the
Committee on Energy and Commerce, I have focused on Internet issues
like the spyware legislation that passed out of the Committee by a vote
of 43 to 0 just last week.
Not long ago, your Social Security number was between you and the
government and nobody else. Nowadays, everybody seems to have your
number. That knowledge is the key to your financial security. It opens
a door for identity thieves to sneak into your life and steal both your
money and your good name.
I just think this situation is fundamentally wrong any time. And in
the Internet age, it's downright dangerous. Under current law, anyone
has a near-perfect right to package your personal information and do
almost anything they want with it. They can change it, share it, rent
it or sell it. The constraints are so flimsy they're laughable.
Although I recognize the consumer benefits of an increased flow of
information--such as easier and cheaper access to credit--I do believe
that consumers should have some measure of control over their
information. In particular, I believe that the businesses that benefit
from the use of consumer information should bear greater responsibility
for the security and integrity of that information. While specific
industries and particular types of information are governed by Federal
data security standards, Congress has not set comprehensive data
security standards. It may be time we do so.
I believe we will need to consider whether there should be national
standards for protecting consumers when their personal information is
lost or wrongfully disclosed by a data broker. Consumers have no direct
relationships with these data brokers. To data brokers, we are not
customers--information about each of us is a product that is sold for
many purposes, including marketing without our knowledge or consent.
I have been troubled by the press accounts that have revealed
security breaches at companies in a range of industries from financial
institutions, to data brokers, to retail outlets. Those breaches range
from misplaced information to outright fraud by identity thieves. No
matter the particular circumstances, these breaches demonstrate that
American businesses must do more to outwit identity thieves, and this
Committee must take the lead in developing appropriate safeguards for
consumer information.
Identity theft is big business and the thieves are getting smarter
and more resourceful. According to the Federal Trade Commission,
approximately 10 million consumers were victims of identity theft in
2003. It is estimated that in 2003, identity theft victims spent 297
million hours trying to clear up the problems and their reputations.
Even after unauthorized credit cards are closed and charges are
settled, it can take years for an innocent consumer to repair a credit
report. All the while, home ownership and other personal goals innate
to the American Dream could be out of reach. Data brokers do not bear
direct responsibility, but we have to ask: What are these companies
doing to cure the epidemic of identity theft?
This Committee has a deep bench of experts in the areas of identity
theft and privacy. Chairman Stearns has held numerous hearings parsing
through important issues surrounding information privacy and security.
Representative Shadegg was the author of an important public law, the
Identity Theft and Assumption Deterrence Act of 1998. That Act has
provided significant tools for enforcement against identity theft. It
also directed the Federal Trade Commission to set up an identity theft
consumer resource center. That center has been a success as it has
gathered important information regarding identity theft, acted as a
central repository for complaints, and provided important consumer
education. I am pleased Chairman Majoras is here to testify today as
she brings much expertise in this area. I am eager to hear her
proposals for better and more comprehensive Federal data security
standards.
I would also like to welcome the other witnesses today and I thank
them in advance for their testimony. We have a number of witnesses with
busy schedules and we appreciate their cooperation and assistance in
working through these challenging policy questions. Thank you and I
yield back the balance of my time.
Mr. Stearns. I thank the gentleman. Ms. Baldwin, from
Wisconsin. I think. He was the first one here. She was the
first, actually. Mr.----
Ms. Baldwin. Representative Markey was here before me. I--
--
Mr. Stearns. Oh, okay.
Ms. Baldwin. He greeted me as I walked in the door.
Mr. Stearns. All right. Good. I am glad you corrected. The
gentleman from Massachusetts, Mr. Markey.
Mr. Markey. I thank the chairman very much. And I would
like to reiterate what the chairman of the full committee just
said, which is that this is an issue which knows no political
boundaries. Chairman Barton and I co-founded the Privacy
Caucus, 7 or 8 years ago, because there is a point on privacy
issues where the libertarian right and the liberal left agree
wholeheartedly, and that is that the privacy of individuals
should be inviolate.
Now, we find that there is a pragmatic middle that argues
that it interferes with the ability of businesses to make money
off of the privacy of individuals, but whether you are a
Democrat or a Republican, regardless of your age, it all polls
out the same way. Eighty percent to 90 percent of all Americans
want stronger privacy protections. And Chairman Barton and
Chairman Stearns and I, Democrats and Republicans, Jan
Schakowsky, we all agree on this issue. Americans take privacy
seriously. We guard our credit cards by carefully returning
them to our wallets. We keep our mortgage records and Social
Security cards and personal documents locked up.
How would consumers feel if they discovered that while they
take extra precautions to guard their personal information,
their names, Social Security numbers, tax records, credit
histories, and employment records were piled high into
wheelbarrows and baskets, and sold to the highest bidder, in a
bustling marketplace that is as frenetic and unregulated as the
streets of Bombay? Right here, get your Social Security
numbers, medical records, employment history, cheaper by the
dozen. Come, purchase them, the records of all Americans. How
would we all feel that our Social Security number was in some
identity vendor's suitcase of wares? How would we feel? We
would feel violated. That is exactly how two of my
constituents, Kei and Karen Kishimoto felt this week, when they
wrote me about a letter they received from ChoicePoint, stating
that they were among the 145,000 victims whose Social Security
numbers and other sensitive and personal data were compromised
by ChoicePoint.
``We are furious,'' they wrote, ``that ChoicePoint has
irresponsibly allowed this to happen. We take every precaution
within our power to minimize our risk of becoming victims of
identity theft.'' These are just two of 145,000 victims. They
had no choice about this, and that is the point. They all feel
violated, each and every one of them. And so as this scandal
grows, we must legislate. I have introduced one piece of
legislation with Senator Bill Nelson from Florida, which would
require the FTC to put tough new safeguards in place, that all
of these information brokers will have to abide by, and I have
a second bill, that Senator Feinstein, in the Senate, has the
counterpart to, that I have introduced for several years, that
will make it a crime for a person to sell someone's Social
Security numbers. I think we have reached a point where all of
America, through ChoicePoint, has begun to understand how
vulnerable each and every one of their families has become.
I thank you, Mr. Chairman, for holding this very important
hearing.
Mr. Stearns. I thank the gentleman. Mr. Terry is--if Terry
is not here, then Mr. Murphy.
Mr. Murphy. Thank you, Mr. Chairman. Thank you for holding
this very important meeting on a topic that is both timely and
pertinent in today's world.
Today, the Federal Trade Commission Chairman will remind us
that this committee, that in 2003, the FTC estimated almost 10
million Americans were the victims of identity theft. In the
last 5 years alone, the FTC estimates that 27 million Americans
have been victims, costing consumers more than $5 billion. Nary
a week goes by that I do not see a story on the nightly news
about the dire effects consumers suffer when they fall victims
to identify theft.
The term ``identity theft'' has unfortunately become
commonplace in the American lexicon. Yet, it is important to
take a second to consider the term and the crime, and remember
that it is, in fact, a crime as heinous as burglary or
extortion. The perpetrators of these crimes are the bane of e-
commerce, and must be hunted down, prosecuted, and imprisoned
for a long while.
Too often we hear of schemes involving numerous consumer
victims, and we focus on the companies that were also
victimized, instead of placing the blame squarely on the
shoulders of the terrorists who perpetrate these crimes. Recent
events have brought this topic into the limelight. ChoicePoint
and LexisNexis were both victims of malicious and fraudulent
crimes. ChoicePoint was deceived into selling aggregated
consumer data to criminals, who may or may not have used it to
defraud upwards of 150,000 consumers. According to early
estimates, data from almost 2,000 Pennsylvanians were placed in
jeopardy, and similarly, a LexisNexis data base was subject to
criminal hacking, which resulted in thousands of customers
being placed at risk for financial fraud being committed
against them.
I am alarmed at the amount of personal information that
most of think to be private is sold and traded every day
without the knowledge of the actual person. It is important for
Congress and especially this committee to be vigilant in
monitoring the personal data commodity markets, because an
infinitesimal number of consumers actually are aware of how
much their information is publicly available for companies to
purchase without giving you a dime. It is equally important not
to fear-monger on this topic. The ability of data aggregators
to provide accurate information about individuals is vital to
our credit-based economy, and has become essential to law
enforcement, and a vital component in our homeland security
network.
Every one of us submits to providing the detailed
information almost every time we enter into contract with a
vendor, whether it is for a credit card or even a newspaper
subscription. Some companies refuse to sell consumer--customer
information to data aggregators. If companies wish not to have
their data traded or disseminated, then they should seek out
such companies. However, it is important to emphasize that we
are not holding this hearing to take gratuitous potshots at an
industry that is vital. We are here this morning to figure out
what the industry and Federal Government are doing to ensure
consumer data does not fall prey to criminals who will use it
to defraud.
I am eager to hear from the witnesses, and stand ready to
take legislative actions to further protect consumers, and more
harshly punish the pirates that commit these crimes.
Thank you.
Mr. Stearns. I thank my colleague. The gentlelady from
Wisconsin.
Ms. Baldwin. Thank you, Mr. Chairman.
Over the past quarter century, we have all witnessed the
revolution in information technology, and with access to the
right data bases, a touch of the button, vast amounts of
information about a person can be immediately accessed, their
date of birth, Social Security number, credit rating, debt,
loans, insurance claims, magazine subscriptions, and even DNA
information. Much of this information is relatively easily
accessible to companies for a variety of legitimate purposes,
but such broad compilations raise significant concerns that
have been insufficiently considered by this Congress, and more
generally, by the American people.
First, how do we ensure that the data is not misused? The
potential here for fraud and abuse is significant, and as we
know from the Federal Trade Commission, identity theft
accounted for 39 percent of consumer fraud complaints in 2004.
Unfortunately, this problem is far greater than just
ChoicePoint.
Second, how do we ensure that the data is accurate? The
everyday lives of Americans are affected by business decisions
based on personal information dossiers that are compiled
without their knowledge or input. A person has no easy way to
review that data, or determine that the information is accurate
or, perhaps, inaccurate, misleading, perhaps incomplete. And I
realize, Mr. Chairman, that that second question is beyond the
scope of today's hearing, but I do hope that the subcommittee
will also focus on this question in the near future.
I am concerned that there is an inadequate and a sort of
patchwork of laws and regulations that cover and govern the
collection, compilation, distribution, and use of aggregated
personal and financial information. Today, I hope to hear from
our witnesses, as they articulate ways in which we can protect
consumers from identity theft and other misuses of their data.
Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentlelady. The gentlelady from
Wisconsin--from California, Ms. Bono. Waive, the gentlelady
waives. Mr. Deal. Waive. Mr. Pitts. Pass. Mr. Otter. Ms.
Blackburn. Waive, okay. Mr. Brown.
Mr. Brown. Thank you, Mr. Chairman.
Instead of data brokers, it is probably better to think of
companies like ChoicePoint as data banks. Like financial banks,
they hold something valuable, and by choosing to profit from
what they store, they must accept the responsibility to protect
it from those who misuse it. Imagine that the bank down the
street has been robbed repeatedly. The vault lock is pretty
old, the night watchman's vision isn't what it used to be, and
they have no alarm system. The crooks know the bank is an easy
mark, so the depositors keep taking it on the chin. Would we
respond, would we even consider responding only with tougher
bank robber penalties in mandatory robbery disclosure? Of
course not. We would make sure that the bank got a state-of-
the-art lock, perhaps Lasik surgery for the guard, and an alarm
system designed maybe for a nuclear missile silo.
We have to consider a similar approach here. We ought to
give the FTC clear authority to set and enforce tough rules for
data protection. We ought to make all these rules seamless, so
the bad guys can't sneak in through the cracks, and we ought to
put the--use the government's purchasing power to promote best
practices that take security beyond the bare minimum. If the
Federal Government fails to respond that way here, with a
comprehensive approach, we are as negligent as the data brokers
who allowed these violations to occur in the first place.
The economic impact of the crimes resulting from
ChoicePoint's negligence may reach the tens of millions of
dollars, but in a broader context, the stakes are much higher.
ChoicePoint, this same company, is famous, or should I say
infamous, for a mistake with the voter files in Florida during
the 2000 Presidential election. Its error, coupled with the
errors of public officials, disenfranchised thousands of
African-American voters, and may have decided the Florida
elections and the Presidential elections. But ChoicePoint, with
all of its political connections to the highest levels of the
government in this country, was not the only party at fault.
The politician who chooses a contractor to perform a basic
government function, like administering elections, is just
asking for trouble, and the costs of contracting out are not
measured only in terms of dollars.
The lesson here, and I urge my colleagues to remember all
of that the next time someone suggests a privatization plan, a
privatization of any function that has been performed
effectively and efficiently, and honorably and honestly, by our
government. And I urge this subcommittee to act thoughtfully,
but quickly, on legislation to reform the data brokerage
industry.
Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman. Mr. Green. No, let's
see. Coming back over here. Okay. Now, Mr. Green. Yeah. The
gentleman from Texas.
Mr. Green. Thank you, Mr. Chairman. I would like to have my
full statement in the record, and I won't use all my time.
Mr. Stearns. By unanimous consent, so ordered.
[The prepared statement of Hon. Gene Green follows:]
Prepared Statement of Hon. Gene Green, a Representative in Congress
from the State of Texas
I'd like to thank Chairman Stearns and Ranking Member Schakowsky
for taking the lead on this issue and holding this important hearing.
I'd also like to welcome Chairwoman Majoras for being here today. Your
cooperation and willingness to share your knowledge and experience with
this committee is imperative to our success in combating data and
identity theft.
Also, Mr. Smith and Sanford are to be commended for being here as
the leaders of their companies to share with us how their business
works, what's wrong with the current system and how we might be able to
fix it.
Identity theft is the number one crime in the United States. The
FTC estimates about $48 billion is lost each year to business due to
this crime, and $5 billion to consumers. We have held an Identity Theft
Workshops for our constituents so they know what they can do to lower
the chance that someone can access their information.
These workshops only work when credit reporting agencies, financial
institutions and data brokers do their job to make sure information
doesn't fall into the wrong hands.
Now more than ever, we've ``become a number'': Most often, than
number is our Social Security Number. Every financial institution uses
that number to verify that you are who you say you are.
Most of the time, this system works. However, when the information
has been stolen and others have been using your name to get credit,
make purchases, or start phony businesses, the results can be tragic.
Without good credit, you can't buy a home, you may be turned down for a
job and it can take months even years to repair the damage that's been
done.
Our current systems of laws addressing this problem are piecemeal.
We have the Fair Credit Reporting Act to address Credit Reporting
Agencies. The Federal Trade Commission Act addresses unfair and
deceptive trade practices. There is a separate law for Drivers License
data, Gramm-Leach--bliley addresses Financial Institutions and of
course, there's HIPPA, which protects the security of our medical
records.
Today, there is no encompassing law that addresses this problem on
the federal level. I believe this is one of the problems. While I
support crafting legislation specifically to address the unique uses of
information, we have not sent a message to Americans that this is
something we are going to be tough on regardless of what type of
information is stolen or misused.
In the case of ChoicePoint, information was sold to a faulty
business and approximately 145,000 people are at risk of having their
information used without their knowledge. Hundreds are reported to have
already been affected in California.
Choice Point brokers information for a variety of purposes and does
so through some of their subsidiaries such as Database Technologies
(DBT). DBT was contracted with the State of Florida in 2001 and was
responsible for the removal of almost ten thousand minorities and
eligible voters from the rolls in Florida which threw our country into
uncertainty for several days while we determined who was elected
President of the United States.
In addition, Choice Point DNA data was used to help identify many
of the victims on September 11. The scope of the information out there
is immense and the responsibility that comes with collecting and
selling this information is just as large.
We are here today to begin a dialogue with industry, the FTC and
our colleagues to see what we can do to make our information as secure
as possible. Billions of dollars can be made by using this information
illegally. There will always be those who want to obtain this
information for illegal purposes. Our purpose is to improve the
safeguards to the consumer.
As we will hear today, this issue is complex. However, what is
clear is that something needs to be done to improve the security of our
identities. I believe requiring notification of individuals affected by
a security breech is where we should start.
I look forward to working with all of you on this important issue.
Thank you Mr. Chairman. I yield the balance of my time.
Mr. Green. But I just wanted to make three points.
One of them, I want to welcome our FTC Chairman here today,
and identity theft is such a major issue, and when we heard
about what happened with ChoicePoint, it was frustrating,
because ChoicePoint may have provided the data for 140,000
people, and I know they have a great deal of data. The bad part
is, is that they also struck some voters off the rolls in
Florida in 2001, but the good point is they were helping, they
actually helped victims of 9/11 to identify the folks.
The problem I have is that I know, under Federal law now,
we are allowed, our constituents and ourselves are allowed
copies of--annually, of our credit reports from the three major
agencies. But I have a copy of an MSNBC report about a lady,
Donna Pierce, who received her ClearPoint, or--sorry,
ChoicePoint document, and yet, it wasn't supposed to be in our
hands. Does not--does Federal law not allow me to ask
ChoicePoint, I want to see what you have on me?
If it is not, Mr. Chairman, we need to make sure that
changes, because if it is my information, I ought to have
access to it and correct it, just like we have now for our
three major credit agencies.
With that, Mr. Chairman, I will put my full statement in
the record. Thank you.
Mr. Stearns. I thank the gentleman. Mr. Otter.
Mr. Otter. Thank you, Mr. Chairman. I have a full statement
that I would like to submit for the record.
But just a couple of points that I would like to make that,
so far, no member on either side of the aisle has made. And
that is, in my belief, that your information is actually your
private property. And maybe it is our general disregard in this
country, any more, for private property, copyright, patent,
creative genius, or what have you. That is your private
property, and so long as you are engaged in peaceful use of
that private property, then it is the government's job to
protect that.
Yet, I also note, from the chairman, from the full
committee chairman, who was just, I asked him, in his
recollection, is there any law or any punishment for even a
government bureaucrat, saying the IRS, or saying some other
information gathering, Medicaid, Medicare, entity of
government, is there a penalty for them giving out private
information? And so far as we have been able to ascertain,
there is none.
So Mr. Chairman, this is far and reaching, and I think if
we just look at the private sector and the private sector only,
and forget about our privacy, and forget about our personal
rights to peaceful use of our privacy, we are making a big
mistake. I do appreciate your having this hearing, and allowing
a broad perspective research and development of this issue.
Thank you, Mr. Chairman.
[The prepared statement of Hon. C.L. ``Butch'' Otter
follows:]
Prepared Statement of Hon. C.L. ``Butch'' Otter, a Representative in
Congress from the State of Idaho
I would like to thank the chairman for holding this hearing. I
think it is an extremely important issue and believe we have a real
opportunity to assist businesses and their customers in providing a
safe electronic marketplace.
In recent years there has been an increased awareness of identity
theft, yet we still hear relatively little about the losses associated
with these thefts.
While there will always be those who are dishonest and seek to scam
the system, we must be more diligent in protecting our electronic
assets and information. A system of shields employed to provide
protections is certainly in the best interest of both consumers and
companies that rely on the Internet to conduct business.
I am very interested in hearing from the witnesses today on what
role they believe the government has in safeguarding consumers and
companies that rely on the Internet and electronic transactions to
conduct business.
Mr. Chairman, I thank you again for the opportunity to examine this
issue and I look forward to hearing from the witnesses.
Mr. Stearns. I thank the gentleman from Idaho. Mr.
Gonzalez, the gentleman from Texas.
Mr. Gonzalez. Thank you very much, Mr. Chairman. I will be
brief. But I was on Financial Services when the Fair Credit
Reporting Act and reauthorization and what we were thinking of
doing came up, and I was there when the Gramm-Leach-Bliley Act
came up, and we voted it out.
And the big question, then, was recognizing the economic
realities of how people do business, and the need to, of
course, acquire and store, exchange and share information, and
it was quite a debate. We finally came up and recognized
realities. But what we are faced with today is something that
everybody feared, and that is okay, what about the safekeeping
and the proper sharing with the proper individuals that are
entitled to the information? We assumed, of course, that there
would be some mischief out there, but maybe never to the scale
that we are experiencing today, with some of the stories that
are out there in the press, and what we are dealing with this
morning.
The question then comes down to, because you have heard how
strongly members on both sides of the aisle feel about the
nature of this information. If you can't protect it, if you
cannot secure it, should it be out there at all? And if we are
not going to have that kind of information collection and
sharing, how does it, then, impact the day to day businesses of
what we do in this country? And so I think we have to really
keep the two issues, and see if we can still, you know, come up
with some solutions to make sure that we don't impact the
bigger and greater picture out there, of the necessity for
responsible collection and sharing of information.
I yield back.
Mr. Stearns. The gentleman yields back. The gentlelady from
Colorado.
Ms. DeGette. Thank you. Mr. Chairman, I would ask unanimous
consent to put my full statement in the record.
Mr. Stearns. By unanimous consent.
Ms. DeGette. Let me just make a couple of points.
There is a real human face on this problem. Thirty-two
thousand people, people, our constituents, were affected by the
incidence at LexisNexis, and credit card numbers were stolen
from customers of over 100 stores at a popular retailer. One
hundred fourty-five thousand people were affected by the
ChoicePoint security lapse, and of course, 1.2 million Federal
workers now know that the Bank of America has lost computer
tapes that contained confidential financial data.
And what all of this shows together is that the information
broker business needs a closer look. These companies are
dealing in the business of people's most confidential
information, their Social Security numbers, their credit card
data, their driver's license records, and their other personal
information, and this is information that belongs to millions
and millions of people.
If these companies are vulnerable to hacking and other
fraudulent practices, which obviously they are, then we have no
choice but to draw the conclusion that the privacy and overall
security of our citizens is at risk, and so I am looking
forward to hearing more from the FTC about the recent study
that was released showing that in a 1-year period, over 10
million people in this country had their personal information
stolen and used in a fraudulent manner, and I am hoping that
there is some idea as to the new tools that we can use to deal
with this growing problem.
Society pays a great price, frankly, the citizen's personal
information is available to criminals. The economy suffers
because of business losses, and to individuals who are victims
of identity theft, it can be utterly devastating, and it takes
huge numbers of hours for people to try to deal with this. And
so, Mr. Chairman, I, like everyone else, am glad that you had
this hearing to decide what tools we have in place to combat
this problem, but more importantly, I am looking forward to, as
a committee, determining what more may need to be done to
protect this very sensitive data.
And with that, Mr. Chairman, I yield back.
Mr. Stearns. I thank the gentlelady. The gentleman, Mr.
Towns, from New York.
Mr. Towns. Thank you very much, Mr. Chairman, for holding
this hearing.
The recent high profile cases of consumers' personal data
being unwittingly sold or stolen has brought this issue to the
forefront. The American public is looking for answers to how
data brokers, such as ChoicePoint, could make such a glaring
error. I am hopeful today's hearing will begin the important
process of examining our current laws, and help our committee
determine what we can do to strengthen those laws, or improve
enforcement of our existing statutes.
I have had a longstanding interest in protecting consumers'
privacy. I first began advocating for safeguarding medical
records when I found my own medical records in a public trash
bin, and of course, the hospital had closed, and they threw the
records out, and the records were just there for anybody to
grab or to see, and in response, I introduced a bill protecting
the privacy rights of insurance claimants, which became part of
HIPAA.
Since last Congress, I have been working with my colleague,
Congresswoman Mary Bono, to protect consumer privacy on the
Internet from spyware. Our committee passed this bill last
week, and I am hopeful that we can send it to the President's
desk before the end of this year. But perhaps most frightening
is the ability of these large companies to aggregate data, so
that almost anything can be found out about you by a wide range
of people.
On one hand, ChoicePoint should be commended for using its
data to help clear wrongly convicted felons, as part of the
Innocence Project. However, on the other hand, its data was
mistakenly used to wrongly disenfranchise thousands of African-
American voters in the 2000 election.
I look forward to hearing from our witnesses today, Mr.
Chairman. I think this is a very important hearing, and I think
that what we do here will determine the lives of many, in terms
of what they will go through in years to come. So I look
forward to hearing from the witnesses.
Mr. Stearns. I thank the gentleman. I think we are ready.
Mr. Terry, did you have--I will--glad to consider. All right.
With that, we will have our first panel. Mr. Strickland. I
am sorry. Did you have an opening statement?
Mr. Strickland. No, thank you, Mr. Chairman.
Mr. Stearns. Okay. I thank the gentleman. With that, I
think the opening statements are complete.
[Additional statement submitted for the record follows:]
Prepared Statement of Hon. Barbara Cubin, a Representative in Congress
from the State of Wyoming
Thank you, Mr. Chairman, for holding this timely markup.
I would like to thank the three panels of witnesses who have agreed
to join us today. The subcommittee has compiled a very respectable list
of witnesses who will be able to offer us several distinct looks at the
role of data collection agencies, how these corporations operate, and
the federal laws governing these information services. The brokerage of
personal information is a complex issue, and I look forward to
benefitting from the testimony offered today.
Throughout my tenure on this subcommittee, we have continuously
addressed issues relating to privacy protection and the ability of
third parties to access and distribute personally identifiable
information. As we will hear today, there are most certainly valid and
appropriate roles for personal data collection. You can't argue with
the role data collection agencies play in prosecuting criminals and
monitoring national security threats. However, with the rapid advance
of technology, the definition of ``theft'' has been dramatically
altered. For every genuine and useful role of data collection, there
seems to be a corresponding opportunity to use this information in a
criminal nature.
Internet technology has opened the doors to business and consumer
opportunities and increased educational access to millions, and this
increased access is particularly important to the rural areas of
Wyoming I represent. However, this increasing reliance on web-based
technologies has opened the door for new crimes. As I said, many of the
people in Wyoming enjoy the benefits of the internet, but these same
folks still hold fast to the values of honesty and integrity. These
principles should not have to be compromised to enjoy the benefits of
internet technology.
It is my hope that today's hearing will open a dialogue that will
demonstrate if Congress is doing enough to protect the common citizen
from blatant crime and deception posed by identity theft. I also hope
to hear suggestions regarding what consumers can immediately do to
protect themselves from identity theft.
Again, I thank the Chairman, and I yield back the balance of my
time.
Mr. Stearns. We welcome the Chairwoman of the Federal Trade
Commission, Deborah Platt Majoras, for her opening statement,
and I am very glad to have her. And I had an opportunity to
meet with her, and we were very impressed, and worked in--close
together with Tim Muris, your predecessor, and we hope we can
do the same with you, and we have followed your testimony on
the Senate Banking Committee, so we hope to hear from you
again, and with that, welcome.
STATEMENT OF DEBORAH PLATT MAJORAS, CHAIRMAN, FEDERAL TRADE
COMMISSION
Ms. Majoras. Thank you very much, Mr. Chairman, members of
the committee. I am Deborah Majoras, Chairman of the Federal
Trade Commission. I am grateful for the opportunity to testify
about identity theft, security of consumer information, and in
particular, the collection of that information by data brokers.
Although the views expressed in the written testimony
represent the views of the Commission, my oral presentation and
responses to your questions are my own, and do not necessarily
represent the views of the Commission or any other individual
Commissioner.
Recent revelations about security breaches that have
resulted in disclosure of sensitive personal information about
thousands of consumers have put a spotlight on the practices of
data brokers like ChoicePoint that collect and sell this
information. The data broker industry includes many types of
businesses, providing a variety of services to an array of
commercial and governmental entities. Information sold by data
brokers is used for many purposes, from marketing to assisting
in law enforcement.
Despite the potential benefits of these information
services, the data broker industry is the subject of both
privacy and information security concerns. As recent events
demonstrate, if the sensitive information they collect gets
into the wrong hands, it can cause serious harm to consumers,
including identity theft.
As every member here has acknowledged today, identity theft
is a pernicious problem. As has also been acknowledged several
times today, our recent survey estimated that as many as 10
million consumers discovered that they were victims of some
form of identity theft in the 12 months preceding this survey.
That is 4.5 percent of our adult population, and it represented
an estimated nearly $5 billion in losses to consumers, and $48
billion in losses in business. We must look at ways to reduce
identity theft, which has shaken consumer confidence to the
core.
One means of reducing identity theft is to ensure that
sensitive, nonpublic information that is collected by data
brokers is maintained securely. There is no single Federal law
governing the practices of data brokers. There are, however,
statutes and regulations that address the security of the
information they maintain, depending on how the information was
collected, and how it is used. The Fair Credit Reporting Act,
for example, makes it illegal to disseminate consumer report
information, like credit reports, to someone who does not have
a permissible purpose, that is, a legitimate business purpose
for using that information. Thus, data brokers are only subject
to FCRA's requirements to the extent that they provide consumer
reports as that is defined in the statute.
Similarly, the Gramm-Leach-Bliley Act, which the Commission
also enforces, imposes restrictions on the extent to which
financial institutions may disclose consumer information
related to financial products and services. Under GLB, the
Commission issued its Safeguards Rule, which imposes security
requirements on a broadly defined group of financial
institutions that hold customer information, and the Commission
recently brought two cases in which we alleged the companies
had not taken reasonable precautions to safeguard consumer
information.
And finally, Section 5 of the FTC Act prohibits unfair or
deceptive practices by a broad spectrum of businesses,
including those involved in the collection or use of consumer
information. Using this authority, the Commission has brought
several actions against companies that made false promises
about how they would use or secure sensitive information, and
these cases make clear that an actual breach of security is not
necessary for an enforcement actions under Section 5, if the
Commission determines that the company's security procedures
were not reasonable in light of the sensitivity of the
information being maintained. Evidence of a breach, of course,
though, may indicate that the company's procedures were not
adequate.
Now, it is important to remember that there is no such
thing as perfect security, and breaches can occur, even for
companies that have taken reasonable precautions. The
Commission, consistent with the role that Congress gave us in
1998, has worked hard to educate consumers and business about
the risks of identity theft, and to assist victims and law
enforcement officials. The Commission maintains a website and a
toll-free hotline, staffed with trained counselors, who advise
victims on how to reclaim their identities.
We receive roughly 15,000 to 20,000 contacts per week on
the hotline, or through our website, or mail from victims, and
from consumers who want to avoid becoming victims. The
Commission also facilitates cooperation, information sharing,
and training among Federal, State, and local law enforcement
authorities fighting this crime.
Although data brokers are currently subject to a patchwork
of laws, depending on the nature of their operations, recent
events clearly raise the issue of whether these laws are
sufficient to ensure the security of this information. I
believe that there may be additional measures that would
benefit consumers. Although a variety of proposals have been
put forward, and all should be considered, the most immediate
need is to address the risks to the security of the
information.
Extending the Federal Trade Commission's Safeguards Rule to
sensitive personal information collected by data brokers is one
sensible step that could be taken. It also may be appropriate
to consider a workable Federal requirement for notice to
consumers when there has been a security breach that raises a
significant risk of harm to consumers.
Mr. Chairman, members of the committee, the FTC shares your
concern for the safety for the security of consumer
information. We have been working hard on this issue, and we
will continue to take all steps within our authority to protect
consumers.
I thank you for the opportunity to discuss this vitally
important subject, and I would be happy to respond to your
questions.
[The prepared statement of Deborah Platt Majoras follows:]
Prepared Statement of Deborah Platt Majoras, Chairman, Federal Trade
Commission
I. INTRODUCTION
Mr. Chairman and members of the Subcommittee, I am Deborah Platt
Majoras, Chairman of the Federal Trade Commission.<SUP>1</SUP> I
appreciate the opportunity to appear before you today to discuss the
laws currently applicable to resellers of consumer information,
commonly known as ``data brokers.''
---------------------------------------------------------------------------
\1\ This written statement reflects the views of the Federal Trade
Commission. My oral statements and responses to any questions you may
have represent my own views, and do not necessarily reflect the views
of the Commission or any individual Commissioner.
---------------------------------------------------------------------------
Data brokers provide information services to a wide variety of
business and government entities. The information they provide may help
credit card companies detect fraudulent transactions or assist law
enforcement agencies in locating potential witnesses. Despite these
benefits, however, there are concerns about the aggregation of
sensitive consumer information and whether this information is
protected adequately from misuse and unauthorized disclosure. In
particular, recent security breaches have raised questions about
whether sensitive consumer information collected by data brokers may be
falling into the wrong hands, leading to increased identity theft and
other frauds. In this testimony, I will briefly describe what types of
information data brokers collect, how the information is used, and some
of the current federal laws that may apply to these entities, depending
on the nature of the information they possess.
All of this discussion takes place against the background of the
threat of identity theft, a pernicious crime that harms both consumers
and financial institutions. A 2003 FTC survey showed that over a one-
year period nearly 10 million people--or 4.6 percent of the adult
population--had discovered that they were victims of some form of
identity theft.<SUP>2</SUP> As described in this testimony, the FTC has
a substantial ongoing program both to assist the victims of identity
theft and to collect data to assist criminal law enforcement agencies
in prosecuting the perpetrators of identity theft.
---------------------------------------------------------------------------
\2\ Federal Trade Commission--Identity Theft Survey Report (Sept.
2003) (available at http://www.ftc.gov/os/2003/09/synovatereport.pdf).
---------------------------------------------------------------------------
II. THE COLLECTION AND USE OF CONSUMER INFORMATION <SUP>3</SUP>
---------------------------------------------------------------------------
\3\ For more information on how consumer data is collected,
distributed, and used, see generally General Accounting Office, Private
Sector Entities Routinely Obtain and use SSNs, and Laws Limit the
Disclosure of this Information (GAO-04-11) (2004); General Accounting
Office, SSNs Are Widely Used by Government and Could be Better
Protected, Testimony Before the House Subcommittee on Social Security,
Committee on Ways and Means (GAO-02-691T) (statement of Barbara D.
Bovbjerg, April 29, 2002); Federal Trade Commission, Individual
Reference Services: A Report to Congress (December 1997) (available at
http://www.ftc.gov/os/1997/12/irs.pdf). The Commission has also held
two workshops on the collection and use of consumer information. An
agenda, participant biographies, and transcript of ``Information Flows,
The Costs and Benefits to Consumers and Businesses of the Collection
and Use of Consumer Information,'' held on June 18, 2003, is available
at http://www.ftc.gov/bcp/workshops/infoflows/030618agenda.html.
Materials related to ``The Information Marketplace: Merging and
Exchanging Consumer Data,'' held on March 13, 2001, are available at
http://www.ftc.gov/bcp/workshops/infomktplace/index.html.
---------------------------------------------------------------------------
The information industry is large and complex and includes
companies of all sizes. Some collect information from original sources,
others resell data collected by others, and many do both. Some provide
information only to government agencies or large companies, while
others sell information to small companies or the general public.
A. Sources of Consumer Information
Data brokers obtain their information from a wide variety of
sources and provide it for many different purposes. The amount and
scope of information that they collect varies from company to company,
and many offer a range of products tailored to different markets and
uses. Some data brokers, such as consumer reporting agencies, store
collected information in a database and allow access to various
customers. Some data brokers may collect information for one-time use
by a single customer. For example, a data broker may collect
information for an employee background check and provide that
information to one employer.
There are three broad categories of information that data brokers
collect and sell: public record information, publicly-available
information, and non-public information.
1. Public Record Information
Public records are a primary source of information about consumers.
This information is obtained from public entities and includes birth
and death records, property records, tax lien records, voter
registrations, licensing records, and court records (including criminal
records, bankruptcy filings, civil case files, and judgments). Although
these records generally are available to anyone directly from the
public agency where they are on file, data brokers, often through a
network of subcontractors, are able to collect and organize large
amounts of this information, providing access to their customers on a
regional or national basis. The nature and amount of personal
information on these records varies with the type of records and agency
that created them.<SUP>4</SUP>
---------------------------------------------------------------------------
\4\ Specific state or federal laws may govern the use of certain
types of public records. For example, the federal Driver's Privacy
Protection Act, discussed infra, places restrictions on the disclosure
of motor vehicle information.
---------------------------------------------------------------------------
2. Publicly-Available Information
A second type of information collected is information that is not
from public records but is publicly available. This information is
available from telephone directories, print publications, Internet
sites, and other sources accessible to the general public. As is true
with public record information, the ability of data brokers to amass a
large volume of publicly-available information allows their customers
to obtain information from an otherwise disparate array of sources.
3. Non-Public Information
Data brokers may also obtain personal information that is not
generally available to members of the public. Types of non-public
information include:
<bullet> Identifying or contact information submitted to businesses by
consumers to obtain products or services (such as name,
address, phone number, email address, and Social Security
number);
<bullet> Information about the transactions consumers conduct with businesses
(such as credit card numbers, products purchased, magazine
subscriptions, travel records, types of accounts, claims filed,
or fraudulent transactions);
<bullet> Information from applications submitted by consumers to obtain
credit, employment, insurance, or other services (such as
information about employment history or assets); and
<bullet> Information submitted by consumers for contests, website
registrations, warranty registrations, and the like.
B. Uses of Consumer Information
Business, government, and non-profit entities use information
provided by data brokers for a wide variety of purposes. For example,
the commercial or non-profit sectors may use the information to:
<bullet> Authenticate potential customers and to prevent fraud by ensuring
that the customer is who he or she purports to be;
<bullet> Evaluate the risk of providing services to a particular consumer, for
example to decide whether to extend credit, insurance, rental,
or leasing services and on what terms;
<bullet> Ensure compliance with government regulations, such as customer
verification requirements under anti-money laundering statutes;
<bullet> Perform background checks on prospective employees;
<bullet> Locate persons for a variety of reasons, including to collect child
support or other debts; to find estate beneficiaries or holders
of dormant accounts; to find potential organ donors; to find
potential contributors; or in connection with private legal
actions, such as to locate potential witnesses or defendants;
<bullet> Conduct marketing and market research; and
<bullet> Conduct academic research.
Government may use information collected by data brokers for:
<bullet> General law enforcement, including to investigate targets and locate
witnesses;
<bullet> Homeland security, including to detect and track individuals with
links to terrorist groups; and
<bullet> Public health and safety activities, such as locating people who may
have been exposed to a certain virus or other pathogen.
These are just some examples of how these entities use information
collected by data brokers.
It is important to understand that the business of data brokers
could cover a wide spectrum of activities, everything from telephone
directory information services, to fraud data bases, to sophisticated
data aggregations.
III. LAWS CURRENTLY APPLICABLE TO DATA BROKERS
There is no single federal law that governs all uses or disclosures
of consumer information. Rather, specific statutes and regulations may
restrict disclosure of consumer information in certain contexts and
require entities that maintain this information to take reasonable
steps to ensure the security and integrity of that data. The FTC's
efforts in this area have been based on three statutes: the Fair Credit
Reporting Act (``FCRA''),<SUP>5</SUP> Title V of the Gramm-Leach-Bliley
Act (``GLBA''),<SUP>6</SUP> and Section 5 of the Federal Trade
Commission Act (``FTC Act'').<SUP>7</SUP> Although the FCRA is one of
the oldest private sector data protection laws, it was significantly
expanded in 1996 and in the last Congress. The Commission is engaged in
a number of rulemakings to implement the new provisions of the FCRA,
many of which are directly targeted to the problem of ID Theft. The
GLBA is a relatively recent law, and its implementing rule on consumer
information privacy became effective in 2001. Other laws, such as the
Driver's Privacy Protection Act <SUP>8</SUP> and the Health Insurance
Portability and Accountability Act <SUP>9</SUP> also restrict the
disclosure of certain types of information, but are not enforced by the
Commission. Although these laws all relate in some way to the privacy
and security of consumer information, they vary in scope, focus, and
remedies. Determining which--if any--of these laws apply to a given
data broker requires an examination of the source and use of the
information at issue.
---------------------------------------------------------------------------
\5\ 15 U.S.C. Sec. Sec. 1681-1681u, as amended.
\6\ 15 U.S.C. Sec. Sec. 6801-09.
\7\ 15 U.S.C. Sec. 45(a).
\8\ 18 U.S.C. Sec. Sec. 2721-25.
\9\ 42 U.S.C. Sec. Sec. 1320d et seq.
---------------------------------------------------------------------------
A. The Fair Credit Reporting Act
Although much of the FCRA focuses on maintaining the accuracy and
efficiency of the credit reporting system, it also plays a role in
ensuring consumer privacy.<SUP>10</SUP> The FCRA primarily prohibits
the distribution of ``consumer reports'' by ``consumer reporting
agencies'' (``CRAs'') except for specified ``permissible purposes,''
and requires CRAs to employ procedures to ensure that they provide
consumer reports to recipients only for such purposes.
---------------------------------------------------------------------------
\10\ ``[A] major purpose of the Act is the privacy of a consumer's
credit-related data.'' Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C.
Cir. 1996).
---------------------------------------------------------------------------
1. Overview
In common parlance, the FCRA applies to consumer data that is
gathered and sold to businesses in order to make decisions about
consumers. In statutory terms, it applies to ``consumer report''
information,<SUP>11</SUP> provided by a CRA,<SUP>12</SUP> limiting such
provision for a ``permissible purpose.'' <SUP>13</SUP> Although the
most common example of a ``consumer report'' is a credit report and the
most common CRA is a credit bureau, the scope of the FCRA is much
broader. For example, there exist many CRAs that provide reports in
specialized areas, such as tenant screening services (that report to
landlords on consumers who have applied to rent apartments) and
employment screening services (that report to employers to assist them
in evaluating job applicants).
---------------------------------------------------------------------------
\11\ What constitutes a ``consumer report'' is a matter of
statutory definition (15 U.S.C. Sec. 1681a(d)) and case law. Among other
considerations, to constitute a consumer report, information must be
collected or used for ``eligibility'' purposes. That is, the data must
not only ``bear on'' a characteristic of the consumer (such as credit
worthiness, credit capacity, character, general reputation, personal
characteristics, or mode of living), it must also be used in
determinations to grant or deny credit, insurance, employment, or in
other determinations regarding permissible purposes. Trans Union, 81
F.3d at 234.
\12\ The FCRA defines a ``consumer reporting agency'' as an entity
that regularly engages in ``assembling or evaluating consumer credit
information or other information on consumers for the purpose of
furnishing consumer reports to third parties . . . .'' 15 U.S.C. Sec.
1681a(f).
\13\ As discussed more fully below, the ``permissible purposes''
set forth in the FCRA generally allow CRAs to provide consumer reports
to their customers who have a legitimate business need for the
information to evaluate a consumer who has applied to the report user
for credit, employment, insurance, or an apartment rental. 15 U.S.C. Sec.
1681b(a)(3).
---------------------------------------------------------------------------
CRAs other than credit bureaus provide many different types of
consumer reports. They may report information they have compiled
themselves, purchased from another CRA, or both. For example, a tenant
screening service may report only the information in its files that it
has received from landlords, only a consumer report obtained from
another CRA, or a combination of both its own information and resold
CRA data, depending on the needs of the business and the information
available. Data brokers are subject to the requirements of the FCRA
only to the extent that they are providing ``consumer reports.''
2. ``Permissible Purposes'' For Disclosure of Consumer Reports
The FCRA limits distribution of consumer reports to those with
specific, statutorily-defined ``permissible purposes.'' Generally,
reports may be provided for the purposes of making decisions involving
credit, insurance, or employment.<SUP>14</SUP> Consumer reporting
agencies may also provide reports to persons who have a ``legitimate
business need'' for the information in connection with a consumer-
initiated transaction.<SUP>15</SUP> Target marketing--making
unsolicited mailings or telephone calls to consumers based on
information from a consumer report--is generally not a permissible
purpose.<SUP>16</SUP>
---------------------------------------------------------------------------
\14\ 15 U.S.C. Sec. 1681b(a)(3)(A), (B), and (C). Consumer reports may
also be furnished for certain ongoing account-monitoring and collection
purposes.
\15\ 15 U.S.C. Sec. 1681b(a)(3)(F). This subsection allows landlords a
permissible purpose to receive consumer reports. It also provides a
permissible purpose in other situations, such as for a consumer who
offers to pay with a personal check.
\16\ The FCRA permits target marketing for firm offers of credit or
insurance, subject to statutory procedures, including affording
consumers the opportunity to opt out of future prescreened
solicitations. 15 U.S.C. Sec. 1681a(c), (e).
---------------------------------------------------------------------------
There is no general ``law enforcement'' permissible purpose for
government agencies. With few exceptions, government agencies are
treated like other parties--that is, they must have a permissible
purpose to obtain a consumer report.<SUP>17</SUP> There are only two
limited areas in which the FCRA makes any special allowance for
governmental entities. First, the law has always allowed such entities
to obtain limited identifying information (name, address, employer)
from CRAs without a ``permissible purpose.'' <SUP>18</SUP> Second, the
FCRA was amended to add express provisions permitting government use of
consumer reports for counterintelligence and counter-
terrorism.<SUP>19</SUP>
---------------------------------------------------------------------------
\17\ For example, a government agency may obtain a consumer report
in connection with a credit transaction or pursuant to a court order.
\18\ 15 U.S.C. Sec. 681f. The information a government agency may
obtain under this provision does not include Social Security numbers.
\19\ 15 U.S.C. Sec. Sec. 1681u, 1681v.
---------------------------------------------------------------------------
3. ``Reasonable Procedures'' to Identify Recipients of Consumer Reports
The FCRA also requires that CRAs employ ``reasonable procedures''
to ensure that they supply consumer reports only to those with an FCRA-
sanctioned ``permissible purpose.'' Specifically, Section 607(a)
provides that CRAs must make ``reasonable efforts'' to verify the
identity of prospective recipients of consumer reports and that they
have a permissible purpose to use the report.<SUP>20</SUP>
---------------------------------------------------------------------------
\20\ 15 U.S.C. Sec. 1681e(a).
---------------------------------------------------------------------------
The Commission has implemented the general and specific
requirements of this provision in a number of enforcement actions that
resulted in consent orders with the major nationwide CRAs <SUP>21</SUP>
and with resellers of consumer reports (businesses that purchase
consumer reports from the major bureaus and resell them).<SUP>22</SUP>
For example, in the early 1990s, the FTC charged that resellers of
consumer report information violated Section 607(a) of the FCRA when
they provided consumer report information without adequately ensuring
that their customers had a permissible purpose for obtaining the
data.<SUP>23</SUP> In settling these charges, the resellers agreed to
employ additional verification procedures, including verifying the
identities and business of current and prospective subscribers,
conducting periodic, unannounced audits of subscribers, and obtaining
written certifications from subscribers as to the permissible purposes
for which they seek to obtain consumer reports.<SUP>24</SUP> In 1996,
Congress amended the FCRA to impose specific duties on resellers of
consumer reports.<SUP>25</SUP>
---------------------------------------------------------------------------
\21\ Equifax Credit Information Services, Inc., 130 F.T.C. 577
(1995); Trans Union Corp. 116 F.T.C. 1357 (1993) (consent settlement of
prescreening issues only in 1992 target marketing complaint; see also
Trans Union Corp. v. FTC, 81 F.3d 228 (D.C. Cir. 1996)); FTC v. TRW
Inc., 784 F. Supp. 362 (N.D. Tex. 1991); Trans Union Corp., 102 F.T.C.
1109 (1983). Each of these ``omnibus'' orders differed in detail, but
generally covered a variety of FCRA issues including accuracy,
disclosure, permissible purposes, and prescreening.
\22\ W.D.I.A., 117 F.T.C. 757 (1994); CDB Infotek, 116 F.T.C. 280
(1993); Inter-Fact, Inc., 116 F.T.C. 294 (1993); I.R.S.C., 116 F.T.C.
266 (1993) (consent agreements against resellers settling allegations
of failure to adequately insure that users had permissible purposes to
obtain the reports).
\23\ Id.
\24\ A press release describing the consent agreement is available
at: http://www.ftc.gov/opa/predawn/F93/irsccdb3.htm.
\25\ Resellers are required to identify their customers (the ``end
users'') to the CRA providing the report and specify the purpose for
which the end users bought the report, and to establish reasonable
procedures to ensure that their customers have permissible purposes for
the consumer reports they are acquiring through the reseller. 15 U.S.C.
Sec. 1681f(e).
---------------------------------------------------------------------------
In addition to the reasonable procedures requirement of Section
607(a), the FCRA also imposes civil liability on users of consumer
report information who do not have a permissible purpose and criminal
liability on persons who obtain such information under false pretenses.
B. The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act imposes privacy and security obligations
on ``financial institutions.'' <SUP>26</SUP> Financial institutions are
defined as businesses that are engaged in certain ``financial
activities'' described in Section 4(k) of the Bank Holding Company Act
of 1956 <SUP>27</SUP> and its accompanying regulations.<SUP>28</SUP>
These activities include traditional banking, lending, and insurance
functions, as well as other activities such as brokering loans, credit
reporting, and real estate settlement services. To the extent that data
brokers fall within the definition of financial institutions, they
would be subject to the Act.
---------------------------------------------------------------------------
\26\ 15 U.S.C. Sec. 6809(3)(A).
\27\ 12 U.S.C. Sec. 1843(k).
\28\ 12 C.F.R. Sec. Sec. 225.28, 225.86.
---------------------------------------------------------------------------
1. Privacy of Consumer Financial Information
In general, financial institutions are prohibited by Title V of
GLBA and its implementing privacy rule <SUP>29</SUP> from disclosing
nonpublic personal information to non-affiliated third parties without
first providing consumers with notice and the opportunity to opt out of
the disclosure.<SUP>30</SUP> However, GLBA provides a number of
statutory exceptions under which disclosure is permitted without
specific notice to the consumer. These exceptions include consumer
reporting (pursuant to the FCRA), fraud prevention, law enforcement and
regulatory or self-regulatory purposes, compliance with judicial
process, and public safety investigations.<SUP>31</SUP> Entities that
receive information under an exception to GLBA are subject to the reuse
and redisclosure restrictions under the GLBA Privacy Rule, even if
those entities are not themselves financial institutions.<SUP>32</SUP>
In particular, the recipients may only use and disclose the information
``in the ordinary course of business to carry out the activity covered
by the exception under which . . . the information [was received].''
<SUP>33</SUP>
---------------------------------------------------------------------------
\29\ Privacy of Consumer Financial Information, 16 C.F.R. Part 313
(``GLBA Privacy Rule'').
\30\ The GLBA defines ``nonpublic personal information'' as any
information that a financial institution collects about an individual
in connection with providing a financial product or service to an
individual, unless that information is otherwise publicly available.
This includes basic identifying information about individuals, such as
name, Social Security number, address, telephone number, mother's
maiden name, and prior addresses. See, e.g., 65 Fed. Reg. 33,646,
33,680 (May 24, 2000) (the FTC's Privacy Rule).
\31\ 15 U.S.C. Sec. 6802(e).
\32\ 16 C.F.R. Sec. 313.11(a).
\33\ Id.
---------------------------------------------------------------------------
Data brokers may receive some of their information from CRAs,
particularly in the form of identifying information (sometimes referred
to as ``credit header'' data) that includes name, address, and Social
Security number. Because credit header data is typically derived from
information originally provided by financial institutions, data brokers
who receive this information are limited by GLBA's reuse and
redisclosure provision. For example, if a data broker obtains credit
header information from a financial institution pursuant to the GLBA
exception ``to protect against or prevent actual or potential fraud,''
<SUP>34</SUP> then that data broker may not reuse and redisclose that
information for marketing purposes.
---------------------------------------------------------------------------
\34\ 15 U.S.C. Sec. 502(e)(3)(B).
---------------------------------------------------------------------------
2. Required Safeguards for Customer Information
GLBA also requires financial institutions to implement appropriate
physical, technical, and procedural safeguards to protect the security
and integrity of the information they receive from customers directly
or from other financial institutions.<SUP>35</SUP> The FTC's Safeguards
Rule, which implements these requirements for entities under FTC
jurisdiction,<SUP>36</SUP> requires financial institutions to develop a
written information security plan that describes their programs to
protect customer information. Given the wide variety of entities
covered, the Safeguards Rule requires a plan that accounts for each
entity's particular circumstances--its size and complexity, the nature
and scope of its activities, and the sensitivity of the customer
information it handles. It also requires covered entities to take
certain procedural steps (for example, designating appropriate
personnel to oversee the security plan, conducting a risk assessment,
and overseeing service providers) in implementing their plans. Since
the GLBA Safeguards Rule became effective in May 2003, the Commission
has brought two law enforcement actions against companies that violated
the Rule by not having reasonable protections for customers'' personal
information.<SUP>37</SUP>
---------------------------------------------------------------------------
\35\ 15 U.S.C. Sec. 6801(b); Standards for Safeguarding Customer
Information, 16 C.F.R. Part 314 (``Safeguards Rule'').
\36\ The Federal Deposit Insurance Corporation, the National Credit
Union Administration, the Securities Exchange Commission, the Office of
the Comptroller of the Currency, the Board of Governors of the Federal
Reserve System, the Office of Thrift Supervision, and state insurance
authorities have promulgated comparable information safeguards rules,
as required by Section 501(b) of the GLBA. 15 U.S.C. Sec. 6801(b); see,
e.g., Interagency Guidelines Establishing Standards for Safeguarding
Customer Information and Rescission of Year 2000 Standards for Safety
and Soundness, 66 Fed. Reg. 8,616-41 (Feb. 1, 2001). The FTC has
jurisdiction over entities not subject to the jurisdiction of these
agencies.
\37\ Sunbelt Lending Services, (Docket No. C-4129) (consent order);
Nationwide Mortgage Group, Inc., (Docket No. 9319) (consent order).
---------------------------------------------------------------------------
To the extent that data brokers fall within GLBA's definition of
``financial institution,'' they must maintain reasonable security for
customer information. If they fail to do so, the Commission could find
them in violation of the Rule. The Commission can obtain injunctive
relief for such violations, as well as consumer redress or disgorgement
in appropriate cases.<SUP>38</SUP>
---------------------------------------------------------------------------
\38\ 15 U.S.C. Sec. 6805(a)(7). In enforcing GLBA, the FTC may seek
any injunctive and other equitable relief available to it under the FTC
Act.
---------------------------------------------------------------------------
C. Section 5 of the FTC Act
In addition, Section 5 of the FTC Act prohibits ``unfair or
deceptive acts or practices in or affecting commerce.'' <SUP>39</SUP>
Under the FTC Act, the Commission has broad jurisdiction to prevent
unfair or deceptive practices by a wide variety of entities and
individuals operating in commerce.
---------------------------------------------------------------------------
\39\ 15 U.S.C. Sec. 45(a).
---------------------------------------------------------------------------
Prohibited practices include deceptive claims that companies make
about privacy, including claims about the security they provide for
consumer information.<SUP>40</SUP> To date, the Commission has brought
five cases against companies for deceptive security claims, alleging
that the companies made explicit or implicit promises to take
reasonable steps to protect sensitive consumer information. Because
they allegedly failed to take such steps, their claims were
deceptive.<SUP>41</SUP> The consent orders settling these cases have
required the companies to implement rigorous information security
programs generally conforming to the standards set forth in the GLBA
Safeguards Rule.<SUP>42</SUP>
---------------------------------------------------------------------------
\40\ Deceptive practices are defined as material representations or
omissions that are likely to mislead consumers acting reasonably under
the circumstances. Cliffdale Associates, Inc., 103 F.T.C. 110 (1984).
\41\ Petco Animal Supplies, Inc. (Docket No. C-4133); MTS Inc., d/
b/a Tower Records/Books/Video (Docket No. C-4110); Guess?, Inc. (Docket
No. C-4091); Microsoft Corp., (Docket No. C-4069); Eli Lilly & Co.,
(Docket No. C-4047). Documents related to these enforcement actions are
available at http://www.ftc.gov/privacy/privacyinitiatives/promises--
enf.html.
\42\ As the Commission has stated, an actual breach of security is
not a prerequisite for enforcement under Section 5; however, evidence
of such a breach may indicate that the company's existing policies and
procedures were not adequate. It is important to note, however, that
there is no such thing as perfect security, and breaches can happen
even when a company has taken every reasonable precaution. See
Statement of the Federal Trade Commission Before the House Subcommittee
on Technology, Information Policy, Intergovernmental Relations, and the
Census, Committee on Government Reform (Apr. 21, 2004) (available at
http://www.ftc.gov/os/2004/04/042104cybersecuritytestimony.pdf).
---------------------------------------------------------------------------
In addition to deception, the FTC Act prohibits unfair practices.
Practices are unfair if they cause or are likely to cause consumers
substantial injury that is neither reasonably avoidable by consumers
nor offset by countervailing benefits to consumers or
competition.<SUP>43</SUP> The Commission has used this authority to
challenge a variety of injurious practices.<SUP>44</SUP>
---------------------------------------------------------------------------
\43\ 15 U.S.C. Sec. 45(n).
\44\ These include, for example, unauthorized charges in connection
with ``phishing,'' which are high-tech scams that use spam or pop-up
messages to deceive consumers into disclosing credit card numbers, bank
account information, Social Security numbers, passwords, or other
sensitive information. See FTC v. Hill, Civ. No. H 03-5537 (filed S.D.
Tex. Dec. 3, 2003), http://www.ftc.gov/opa/2004/03/
phishinghilljoint.htm; FTC v. C.J., Civ. No. 03-CV-5275-GHK (RZX)
(filed C.D. Cal. July 24, 2003), http://www.ftc.gov/os/2003/07/
phishingcomp.pdf.
---------------------------------------------------------------------------
The Commission can obtain injunctive relief for violations of
Section 5, as well as consumer redress or disgorgement in appropriate
cases.
D. Other Laws
Other federal laws not enforced by the Commission regulate certain
other specific classes of information. For example, the Driver's
Privacy Protection Act (``DPPA'') <SUP>45</SUP> prohibits state motor
vehicle departments from disclosing personal information in motor
vehicle records, subject to fourteen ``permissible uses,'' including
law enforcement, motor vehicle safety, and insurance.
---------------------------------------------------------------------------
\45\ 18 U.S.C. Sec. Sec. 2721-25.
---------------------------------------------------------------------------
The privacy rule under the Health Information Portability and
Accountability (``HIPAA'') Act allows for the disclosure of medical
information (including patient records and billing statements) between
entities for routine treatment, insurance, and payment
purposes.<SUP>46</SUP> For non-routine disclosures, the individual must
first give his or her consent. As with the DPPA, the HIPAA Privacy Rule
provides a list of uses for which no consent is required before
disclosure. Like the GLBA Safeguards Rule, the HIPAA Privacy Rule also
requires entities under its jurisdiction to have in place ``appropriate
administrative, technical, and physical safeguards to protect the
privacy of protected health information.'' <SUP>47</SUP>
---------------------------------------------------------------------------
\46\ 45 C.F.R. Part 164 (``HIPAA Privacy Rule'').
\47\ 45 C.F.R. Sec. 164.530(c).
---------------------------------------------------------------------------
IV. THE FEDERAL TRADE COMMISSION'S ROLE IN COMBATING IDENTITY THEFT
In addition to its regulatory and enforcement efforts, the
Commission assists consumers with advice on the steps they can take to
minimize their risk of becoming identity theft victims, supports
criminal law enforcement efforts, and provides resources for companies
that have experienced data breaches. The 1998 Identity Theft Assumption
and Deterrence Act (``the Identity Theft Act'' or ``the Act'') provides
the FTC with a specific role in combating identity theft.<SUP>48</SUP>
To fulfill the Act's mandate, the Commission implemented a program that
focuses on collecting complaints and providing victim assistance
through a telephone hotline and a dedicated website; maintaining and
promoting the Clearinghouse, a centralized database of victim
complaints that serves as an investigative tool for law enforcement;
and providing outreach and education to consumers, law enforcement, and
industry.
---------------------------------------------------------------------------
\48\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18
U.S.C. Sec. 1028).
---------------------------------------------------------------------------
A. Working with Consumers
The Commission hosts a toll-free hotline, 1-877-ID THEFT, and a
secure online complaint form on its website, www.consumer.gov/idtheft.
We receive about 15,000 to 20,000 contacts per week on the hotline, or
via our website or mail from victims and consumers who want to learn
about how to avoid becoming a victim. The callers to the hotline
receive counseling from trained personnel who provide information on
prevention of identity theft, and also inform victims of the steps to
take to resolve the problems resulting from the misuse of their
identities. Victims are advised to: (1) obtain copies of their credit
reports and have a fraud alert placed on them; (2) contact each of the
creditors or service providers where the identity thief has established
or accessed an account, to request that the account be closed and to
dispute any associated charges; and (3) report the identity theft to
the police and, if possible, obtain a police report. A police report is
helpful both in demonstrating to would-be creditors and debt collectors
that the consumers are victims of identity theft, and also serves as an
``identity theft report'' that can be used for exercising various
rights under the newly enacted Fair and Accurate Credit Transactions
Act.<SUP>49</SUP> The FTC's identity theft website, www.consumer.gov/
idtheft, has an online complaint form where victims can enter their
complaint into the Clearinghouse.<SUP>50</SUP>
---------------------------------------------------------------------------
\49\ These include the right to an extended, seven-year fraud
alert, the right to block fraudulent trade lines on credit reports, and
the ability to obtain copies of fraudulent applications and transaction
reports. See 15 U.S.C. Sec. 1681 et seq., as amended.
\50\ Once a consumer informs a consumer reporting agency that the
consumer believes that he or she is the victim of identity theft, the
consumer reporting agency must provide the consumer with a summary of
rights titled ``Remedying the Effects of Identity Theft'' (available at
http://www.ftc.gov/bcp/conline/pubs/credit/idtsummary.pdf).
---------------------------------------------------------------------------
The FTC has also taken the lead in the development and
dissemination of consumer education materials. To increase awareness
for consumers and provide tips for minimizing the risk of identity
theft, the FTC developed a primer on identity theft, ID Theft: What's
It All About? Together with the victim recovery guide, Take Charge:
Fighting Back Against Identity Theft, the two publications help to
educate consumers. The FTC alone has distributed more than 1.4 million
copies of the Take Charge booklet since its release in February 2000
and has recorded more than 1.7 million visits to the Web version. The
FTC's consumer and business education campaign includes other
materials, media mailings, and radio and television interviews. The FTC
also maintains the identity theft website, www.consumer.gov/idtheft,
which provides publications and links to testimony, reports, press
releases, identity theft-related state laws, and other resources.
The Commission has also developed ways to simplify the recovery
process. One example is the ID Theft Affidavit, which is included in
the Take Charge booklet and on the website. The FTC worked with
industry and consumer advocates to create a standard form for victims
to use in resolving identity theft debts. To date, the FTC has
distributed more than 293,000 print copies of the ID Theft Affidavit
and has recorded more than 709,000 hits to the Web version.
B. Working with Law Enforcement
A primary purpose of the Identity Theft Act was to enable criminal
law enforcement agencies to use a single database of victim complaints
to support their investigations. To ensure that the database operates
as a national clearinghouse for complaints, the FTC accepts complaints
from state and federal agencies as well as from consumers.
With almost 800,000 complaints, the Clearinghouse provides a
picture of the nature, prevalence, and trends of the identity theft
victims who submit complaints. The Commission publishes annual charts
showing the prevalence of identity theft complaints by states and
cities.<SUP>51</SUP> Law enforcement and policy makers use these
reports to better understand identity theft.
---------------------------------------------------------------------------
\51\ Federal Trade Commission--National and State Trends in Fraud &
Identity Theft (Feb. 2004) (available at http://www.consumer.gov/
sentinel/pubs/Top10Fraud2004.pdf).
---------------------------------------------------------------------------
Since the inception of the Clearinghouse, more than 1,100 law
enforcement agencies have signed up for the database. Individual
investigators within those agencies can access the system from their
desktop computers 24 hours a day, seven days a week.
The Commission also encourages even greater use of the
Clearinghouse through training seminars offered to law enforcement.
Beginning in 2002, the FTC, in cooperation with the Department of
Justice, the U.S. Postal Inspection Service, and the U.S. Secret
Service, initiated full day identity theft training seminars for state
and local law enforcement officers. To date, this group has held 16
seminars across the country. More than 2,200 officers have attended
these seminars, representing over 800 different agencies. Future
seminars are being planned for additional cities.
The FTC staff also developed an identity theft case referral
program. The staff creates preliminary investigative reports by
examining patterns of identity theft activity in the Clearinghouse. The
staff then refers the investigative reports to Financial Crimes Task
Forces and other law enforcers for further investigation and potential
prosecution.
C. Working with Industry
The private sector can help tackle the problem of identity theft in
several ways. From prevention of identity theft through better security
and authentication, to helping victims recover, businesses play a key
role in addressing identity theft.
The FTC works with institutions that maintain personal information
to identify ways to keep that information safe from identity theft. In
2002, the FTC invited representatives from financial institutions,
credit issuers, universities, and retailers to a roundtable discussion
of what steps entities can and do take to prevent identity theft and
ensure the security of personal information in employee and customer
records. This type of informal event provides an opportunity for the
participants to share information and learn about the practices used by
different entities to protect against identity theft.
The FTC also provides guidance to businesses about information
security risks and the precautions they must take to protect or
minimize risks to personal information. For example, the Commission has
disseminated guidance for businesses on reducing risks to their
computer systems,<SUP>52</SUP> as well as guidance for complying with
the GLBA Safeguards Rule.<SUP>53</SUP> Our emphasis is on preventing
breaches before they happen by encouraging businesses to make security
part of their regular operations and corporate culture. The Commission
has also published Information Compromise and the Risk of Identity
Theft: Guidance for Your Business, which is a business education
brochure on managing data compromises.<SUP>54</SUP> This publication
provides guidance on when it would be appropriate for an entity to
notify law enforcement and consumers in the event of a breach of
personal information.
---------------------------------------------------------------------------
\52\ Security Check: Reducing Risks to Your Computer Systems,
available at http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm.
\53\ Financial Institutions and Customer Data: Complying with the
Safeguards Rule, available at http://www.ftc.gov/bcp/conline/pubs/
buspubs/safeguards.htm.
\54\ Information Compromise and the Risk of Identity Theft:
Guidance for Your Business, available at http://www.ftc.gov/bcp/
conline/pubs/buspubs/idtrespond.pdf.
---------------------------------------------------------------------------
V. CONCLUSION
Data brokers collect and distribute a wide assortment of consumer
information and may therefore be subject to a variety of federal laws
with regard to the privacy and security of consumers' personal
information. Determining which laws apply depends on the type of
information collected and its intended use. The Commission is committed
to ensuring the continued safety of consumers' personal information and
looks forward to working with you to explore this subject in more
depth.
Mr. Stearns. I thank the Madam Chairman for her opening
statement. I will start with my questions. And it might be
helpful, in light of your opening statement, to indicate in
your answers whether this is your personal opinion, or whether
this is the policy of the Federal Trade Commission, if it turns
out that is the case.
And if you don't mind, I would like you just to give a yes
or no here. Should Congress prohibit the disclosure of Social
Security numbers without consumers' prior consent? Just yes or
no.
Ms. Majoras. I will try, Congressman Stearns. I----
Mr. Stearns. Well, we can go back to this, but you know,
as--dealing with these hearings, I like to put people right on
the spot, just yes or no.
Ms. Majoras. I understand, but I am afraid on that one, I
have to answer I can't absolutely answer yes.
Mr. Stearns. Because you are saying there is extenuating
circumstances.
Ms. Majoras. Absolutely.
Mr. Stearns. Okay. Okay. I will accept that. Would you say
that Social Security numbers that appear on credit headers
should be truncated?
Ms. Majoras. It depends on what they are used for.
Mr. Stearns. Okay. So in your--like the Chairman Barton
talked about, the Social Security number, and other members are
saying it is your personal property, so you are saying that
Congress should not prohibit the disclosure of Social Security
numbers in some cases?
Ms. Majoras. Well, that is correct.
Mr. Stearns. Okay.
Ms. Majoras. I don't think that would be valuable to
consumers----
Mr. Stearns. Okay. So there is a tipping point, then, you
are saying, where they get much more information of a consumer,
and where that Social Security number would be conclusive
enough that it should be----
Ms. Majoras. No question there is a line drawing.
Mr. Stearns. Okay. In your--you have indicated that there
should be a comprehensive Federal law dealing with privacy and
security of consumer information. That is correct, right?
Ms. Majoras. Yes.
Mr. Stearns. And is that your personal opinion, or the
Federal Trade Commission?
Ms. Majoras. It is not in my written testimony, so I will
have to say that it is my opinion that we can extend some of
the Federal laws in place today, and regulations, much more
broadly.
Mr. Stearns. Beyond the Gramm-Leach-Bliley Act----
Ms. Majoras. Correct.
Mr. Stearns. [continuing] and beyond the Sarbanes-Oxley,
you think there is another role for the Federal Government,
dealing with privacy and security. And I have a privacy bill,
so I am sympathetic to what you say.
Ms. Majoras. Yes.
Mr. Stearns. But I am just trying to--should consumers have
the right to inspect information maintained about them by data
brokers, and seek correction of errors in that information?
Ms. Majoras. It depends on what the data bank is being used
for. If it is a fraud data bank, for example, we wouldn't want
fraudsters to be able to see the information collected on them,
for example.
Mr. Stearns. But a lot of people would argue that just like
with a credit report, you can call the credit company and say,
what does a credit report look like on me, and I think I should
have the right, which you do today, to correct it.
Ms. Majoras. Yes.
Mr. Stearns. So following that line of reasoning, why
wouldn't consumers have the right to inspect this information
that is maintained by data brokers, and seek correction of
errors if there are some?
Ms. Majoras. And they do, in fact, if data brokers like
ChoicePoint are providing information that is considered to be
consumer report information under the statute.
Mr. Stearns. California has a law dealing with disclosure
to consumers, and of course, because of that law, that made
ChoicePoint have to notify these 146,000. That is extremely
time-consuming. It is difficult if they can find all these
people, but we can envision 50 States now starting to pass
their own laws, 49 others. Should there be a nationwide
requirement for disclosure, sort of a preemption that the
Federal Government does, so that all companies like
ChoicePoint, LexisNexis, deal with this Federal law, and not
have to deal with 50 separate laws?
Ms. Majoras. Yes. A Federal requirement would be
appropriate when there is a significant risk to consumers from
the breach.
Mr. Stearns. Okay. There is some talk about some people
saying we should--we are now--and we need a Communications Bill
of Rights, that specifies what a person dealing in this new
information technology age, he or she has a consumer--a
Communications Bill of Rights. Do you see anything like that
through the Federal Trade Commission?
Ms. Majoras. I am sorry, not particularly something we are
calling the Communications Bill of Rights.
Mr. Stearns. But what are you calling it then?
Ms. Majoras. I am--I want to make sure I am clear on what
you are talking about. Are you talking about communication
between a consumer and, for example, a financial institution?
Mr. Stearns. Yes. Well, dealing with a data base, and
dealing with--what are the rights of the consumers, in terms of
whether they opt in, opt out, and that is my next question,
whether you would favor it within this, an opt-in or opt-out
provision.
Ms. Majoras. First and foremost, we believe consumers want
to be sure that their personal information is safeguarded. We
think that is--that security is what consumers are first and
foremost concerned about, and that they do have the right to
ensure that those companies that have their information are
safeguarding it appropriately. No question about that.
With respect to opt-in or opt-out, I think it is important
that we learn from the Gramm-Leach-Bliley scheme. What we have
found is that, in fact, consumers have received millions
collectively of notices of their right to opt out of a
financial institution sharing their personal information, and
they have not exercised that right. They have not wanted to
bother with that. We believe, again, they really want to just
make sure that banks and merchants and others are responsibly
handling their information and safeguarding it.
Mr. Stearns. Going back to my first question, should
Congress prohibit the disclosure of Social Security numbers
without consumers' prior consent. You could not answer that yes
or no. Can you give me a sentence to answer that? A couple
sentences.
Ms. Majoras. Okay. Social Security numbers are used for
permissible purposes, like matching a particular consumer to a
particular credit report, for example, and for verifying
accuracy of credit reports, which is something we have talked
about here today already. And those are important purposes,
because there is no other unique identifier for U.S. citizens.
So the key is to not squelch use of Social Security numbers for
purposes for which consumers would want to--would want that
use, because in fact, consumers care a lot about things like
instant credit, and that is also important.
But one more sentence, I promise, Mr. Congressman, Mr.
Chairman. We believe there are instances in which Social
Security numbers may be asked for or shared just simply out of
habit, where they are really not necessary, and there, we
should be looking at whether further restriction would be
appropriate.
Mr. Stearns. Okay. My time has expired, but I would
interpret what you say, that should Congress prohibit the
disclosure of Social Security numbers without consumers, is you
would say no, they should not prohibit. That is what I
interpreted.
The ranking member, Ms. Schakowsky.
Ms. Schakowsky. Thank you. Welcome, Chairman Majoras.
Ms. Majoras. Thank you.
Ms. Schakowsky. Illinois just became eligible--Illinoisans
just became eligible to get free credit reports under a
program, I think, administered by you, that we can now get that
information. And it is pretty widely known, and I would assume,
pretty widely used, that consumer--is that correct?
Ms. Majoras. Yes, ma'am.
Ms. Schakowsky. People are doing that. But I am wondering
how many consumers really know about data brokers? You know, we
all know about credit agencies and about our credit reports,
but do you think most consumers actually know about data
brokers?
Ms. Majoras. Until recently, no. I don't believe so.
Ms. Schakowsky. I don't think so either. And so, I think
that this--the revelation that this information is out there,
and has been--that security has been breached has really been
an eye-opener, I think, for a lot of people, and I think
appropriately, now, the Congress is looking on where it fits
in.
And one of the questions I had, as I said in my opening
statement, the 1974 Privacy Act, I thought, said that the--
acknowledged the power of this aggregated information, and made
it illegal for government agencies to amass the kind of
personal information that it seems to me that data brokers do.
And yet, the government agencies, how many are they, that
actually purchase this information from data brokers? So it
seems to me that from the government standpoint alone, that
that is, if not a breach of the actual language of the law, the
spirit of the law, in saying that well, we can't do that kind
of data collection, but we will actually purchase it, and then,
that is further problematic, because that information is not--
there is no safeguards that it is even accurate.
I wanted your response, in relation to the 1974 law.
Ms. Majoras. Well, it is true that government agencies use
information that has been compiled by data brokers, and we need
to remember that the reason they use it is if there is a strong
need in tracking down deadbeats who have not paid their child
support, or in tracking down those, you know, criminals. There
is a need for information like that, and that is why, as I
understand it, government agencies have been using data
brokers.
Now, I don't enforce that statute, obviously, against
government agencies, and so I don't have a personal opinion on
the application of that statute. But I do wholeheartedly agree
with you that consumers have the right to ensure that the
information is safeguarded, and certainly, for the types of
information that data brokers are collecting, that is being
used for eligibility decisions on consumers, then data brokers
should be following the Fair Credit Reporting Act, which does
require certain standards for accuracy and the like.
Ms. Schakowsky. So who assures that that happens? If
consumers are unaware, actually, of the existence of these data
brokers, and if that information, then, is used to deny them
credit, for example, how do they--how would they know that?
Ms. Majoras. Well, there are certain requirements under the
FCRA that accompany--that is giving out the information is
required to follow. So if, for example--so any company that is
supplying consumer report information, and that is, generally,
information that is being used to make eligibility
determinations, has some requirements that it must follow, but
it is true that unlike with respect to the three credit
reporting agencies, who I agree with you, most consumers know
about, I don't know that at least to date, consumers have known
about these data brokers.
Ms. Schakowsky. So if I am applying for a loan, and the
financial institution is going to one of these data brokers for
the information, am I supposed to get notified that that is the
source of the information, that the data broker is the source
of the information? And does that ever happen?
Ms. Majoras. I don't believe you would be notified of the
source of the information, no. I can't think of an--in this
patchwork of laws we have, I can't think of one requiring in
particular----
Ms. Schakowsky. I am confused about what this notification
provision is for credit reporting agencies, for example. What
are you saying?
Ms. Majoras. Well, if information on your credit report is
used, and an adverse determination is made on that, then a
consumer----
Ms. Schakowsky. Is notified at their home.
Ms. Majoras. [continuing] is notified--would have to be
notified that they have been denied on the basis of that
information.
Ms. Schakowsky. Is that the responsibility of the financial
institution, rather than the credit reporting agency?
Ms. Majoras. I believe it is the financial institution.
Ms. Schakowsky. Okay. So do we know that they are, in fact,
if they are using this other source of information, are they
regularly telling consumers that it is, you know, ChoicePoint
or whatever, that it is the basis--on that basis, you are being
denied?
Ms. Majoras. They are being notified that they are being--
that it was on the basis of what has been supplied in their
consumer report. I don't know whether they are notified as to
which credit reporting agency or private data broker. I just
don't know the answer.
Ms. Schakowsky. Obviously, there is a lot of holes that we
need to be filling in. Thank you.
Ms. Majoras. It is very complicated. Thank you.
Mr. Stearns. The chairman of the full committee, Mr.
Barton.
Chairman Barton. Thank you, Mr.--Chairman Stearns. Madam
Chairwoman, I just have two questions.
Is there any reason that we should not make it illegal to
share or trade a person's Social Security number, and the data
that goes with it, without their permission?
Ms. Majoras. There are a couple of reasons why, and that
is, in the context of, for example, a transaction in which the
consumer is attempting to get credit or a loan.
Chairman Barton. I said without their permission.
Ms. Majoras. Right. So if they--if it is being provided.
The only other place I can think of, Chairman Barton, is with
respect to tracking down criminals. And if we are tracking down
criminals, and trying to match criminals, like, for example,
identity thieves, that might be another area where we would
want to consider----
Chairman Barton. So a law enforcement exception, and then,
when you give permission, in order to get something of value to
you, that they can check on you, and--so--but other than that,
you would support a law that Social Security number can't be
used, period, without your permission?
Ms. Majoras. I think we would want to take a closer look to
all the exceptions. For example, in Gramm-Leach-Bliley, which
are very similar to the law enforcement exceptions, to make
sure that we are not missing something. But in terms of--for
marketing purposes, or----
Chairman Barton. But under Gramm-Leach-Bliley, all they
have to do is tell you they are doing it. They don't have to
get your permission.
Ms. Majoras. Well, that is right, and they give you the
ability to opt out, but there are some exceptions in Gramm-
Leach-Bliley, where they don't even have to give you the chance
to opt out, and those are the exceptions, I think, that we
ought to look at closely, in the same context.
Chairman Barton. What would the Federal Trade Commission's
response be to requiring that if your personal information is
stolen, as has been--has happened in these two instances, that
at a minimum, the company that had the information compromised
would have to notify the individual that their information has
been stolen or compromised?
Ms. Majoras. If the information that has been stolen or
compromised puts the consumer at significant risk, then we
think that the company should be required to take reasonable
steps to provide notice to consumers.
Chairman Barton. Take reasonable steps. Define reasonable
steps.
Ms. Majoras. Well, it all depends on the circumstances.
Consumers move around, and so the question is, how--really, the
question is only to what degree does the company need to spend
time trying to track down that individual.
Chairman Barton. What if we said reasonableness is the same
standard as if you were trying to collect a bill from that
individual?
Ms. Majoras. Well, that would be something that most
companies would be very familiar with. Probably a good----
Chairman Barton. Well, they--see--you know----
Ms. Majoras. Probably a good starting point, Chairman.
Chairman Barton. Okay. Just a second. Staff would like me
to ask you about your--under Gramm-Leach-Bliley, one of the
exceptions is for fraud prevention, and my understanding is
that the ChoicePoint identity theft, or the theft of the
material, the company, the individuals, falsely portrayed
themselves to be a corporation that was trying to get
information to prevent fraud.
So is that something that we need to tighten up, the--
either eliminate as an exception, or tighten up the conditions
under which you could use that exception?
Ms. Majoras. Well, I think we should take a very close look
at the exception, and make sure it is not swallowing the rule,
but in addition, in this instance, we also need to look, I
think, at extending the Commission's Safeguards Rule, so that
all companies, like consumer reporting agencies, are required
to take certain steps when information is requested, so that
they are not just selling it to anyone, but they are, in fact,
selling it to someone who has a permissible purpose. That is
the other way we could tighten.
Chairman Barton. All right. And I guess my final question,
in general, would it be the Federal Trade Commission's position
that Federal legislation of some sort is necessary and helpful
in this area?
Ms. Majoras. Yes, that is my position.
Chairman Barton. Okay. Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman. The gentlelady from
Wisconsin. Oh, the gentleman from Massachusetts. Yes.
Mr. Markey. Thank you, Mr. Chairman. Madam Chairlady, in
the prepared testimony submitted by the Electronic Privacy
Information Center, EPIC, Marc Rotenberg states that back on
December 16, 2004, EPIC urged the FTC to investigate
ChoicePoint and other data brokers for possible violations of
the Federal privacy laws.
Did the FTC initiate any investigation into ChoicePoint in
response to this request?
Ms. Majoras. The EPIC petition asked us to examine whether
existing laws provided adequate regulation and oversight over
companies like ChoicePoint, a very important question.
We actually had been looking at the issue before we
received the EPIC petition. When we received the EPIC letter,
we increased our efforts, and as you may have heard, we have
recently been able to publicly acknowledge that we have, in
fact, opened an investigation of ChoicePoint.
Mr. Markey. But had you officially begun an investigation
before press reports appeared, indicating that there had been
security breaches at ChoicePoint?
Ms. Majoras. No, we had no evidence that ChoicePoint had
violated the law at that point.
Mr. Markey. You did not believe that EPIC's information was
sufficient to trigger an investigation?
Ms. Majoras. We thought EPIC's information was sufficient
to look at the entire landscape, to see if new regulation or
law was necessary.
Mr. Markey. And what was deficient in EPIC's information?
What was lacking that you feel was--that would have been
necessary to trigger an investigation?
Ms. Majoras. I am sorry, sir, because I have an active
investigation of ChoicePoint, I am afraid I can't talk further
about their actual conduct in the public forum.
Mr. Markey. The point I am trying to make here is that I
think that there was a warning, that there was information at
the Federal Trade Commission, that the Federal Trade Commission
has to be much more aggressive than it has been in the pursuit
of the protection of the privacy of individuals, and this is a
perfect example of where the Federal Trade Commission was not
as aggressive as the American people would expect you to be.
Now, as I understand it, ChoicePoint maintained some data
bases of credit reports that would be regulated under the Fair
Credit Reporting Act, but that it also had other data bases of
information that did not meet the Federal Credit Reporting
Act's definition of a credit report. Is that right?
Ms. Majoras. That is my understanding from public sources,
yes.
Mr. Markey. And this information may have been amongst the
information that was compromised. Is that right?
Ms. Majoras. That is my understanding, again, from press
reports.
Mr. Markey. Now, a Social Security number is not considered
a credit report, and also, isn't protected under the Federal
Credit Reporting Act? Is that also correct?
Ms. Majoras. Correct.
Mr. Markey. So don't we really need a new law that
regulates these information brokers, so that we have fair
information practices in place to protect the public?
Ms. Majoras. I think we could use new law that focuses on
misuse and absolutely focuses on the security of sensitive
information, yes.
Mr. Markey. Shouldn't we ban the commercial sale of Social
Security numbers?
Ms. Majoras. It depends on what they are being used for.
Mr. Markey. If they are just being used in a way that
allows my neighbors to gain access to my Social Security
number, shouldn't that be banned?
Ms. Majoras. Yes, absolutely.
Mr. Markey. Should BJ's Wholesale have the ability to get
my Social Security number?
Ms. Majoras. Well, it all depends on what they are using it
for, and consumers, of course, part with their Social Security
number, indeed, to be able to buy goods and services, or to get
credit, for example.
Mr. Markey. But should they be able to obtain it, if I
haven't given it to them?
Ms. Majoras. They might--we might want them to be able to
obtain it, for example, from a credit reporting agency, if they
are trying to verify, for example, that I am who I say I am,
and so that is something we need to look at closely. But
certainly, banning misuse and purposes outside a window,
absolutely.
Mr. Markey. Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman. Mr. Murphy.
Mr. Murphy. Thank you, Mr. Chairman. A couple of quick
questions. First of all, if we do nothing here in correcting
some of these patterns, what do you anticipate the level this
will grow to in 5 or 10 years?
Ms. Majoras. My goodness. I don't know that I can
speculate. I am--we try to look for good news wherever we can
find it. This isn't much good news, but at least between--from
what we can tell, between 2003 and 2004, the number of identity
theft victims didn't grow. We hope that is because some of the
steps that we have been able to take under our authority, and
that banking agencies have been taking, and of course,
merchants and responsible companies, are having some impact.
But it is--we do believe that more needs to be done to
safeguard personal information.
Mr. Murphy. My point is, do you believe that there will be
a number of technological advances that companies will make in
order to safeguard things on their own, or I am thinking your
testimony did not contain references to legislation needed to
protect consumers' security and privacy. So I am wondering if
you think that the current Federal law regarding data security
and privacy is adequate to protect consumers.
Ms. Majoras. Yes, sir. As I said in my oral remarks, we
think there are two places where we should start with respect
to new legislation, perhaps. The first is extending the
Commission's GLB Safeguards Rule beyond financial institutions,
to include far more institutions that collect or disseminate
personal data.
And the second would be to consider a Federal requirement
for notice when there have been security breaches that pose a
significant risk to consumers.
Mr. Murphy. All right. Thank you. And I want, you know, I
appreciate the work you are doing, to make sure you continue on
with an investigation that is protecting consumers. Thank you
very much.
And thank you, Mr. Chairman.
Ms. Majoras. Thank you.
Mr. Stearns. I thank the gentleman. The gentlelady from
Wisconsin.
Ms. Baldwin. Thank you, Mr. Chairman, and thank you for
your testimony today.
I wanted to probe just a little bit more with the
reasonableness standard that was being discussed earlier. Under
the Fair Credit Reporting Act, it would also--Gramm-Leach-
Bliley--companies have a duty to take, or make reasonable
efforts to verify both the identity of prospective recipients
of consumer reports, and they also have to make reasonable
efforts to make sure that these prospective recipients have a
permissible purpose.
Without getting into the details of any open investigation,
could you make this real for us by giving some examples of what
the Commission views as reasonable efforts?
Ms. Majoras. Okay. Yes.
We--and we have entered into some consent agreements with
companies over time, in which we have laid out, in fact, what
needs to be done. Now, in the statute itself, there are
requirements that a CRA that falls under the statute must
require certification of the identity, and certification of the
permissible purpose. That is one. Beyond that, there are other
things that can be done, and we understand are done, at times,
by CRAs, like audits, and like onsite drop-in visits. And
audits of the actual information as it is going out, and to
whom it is going to. Those are some of the measures.
Ms. Baldwin. Okay. And quickly, I wanted to note the
efforts undertaken by the Commission under the Identity Theft
Act, to provide consumers with information and assistance, and
particularly, assistance to victims of identity theft. I also
appreciate the Commission's leadership in providing educational
materials to increase consumer awareness about the problem of
identity theft.
I am wondering, in that arena, do you feel that the
Commission has sufficient statutory authority to provide any
services deemed necessary or advisable under that law?
Ms. Majoras. I think we do, and we will continue to educate
consumers, and help any consumers who have fallen victim, and
of course, what we really want to do is educate consumers in
advance, because there are a number of things that consumers
can do to at least decrease the risk.
It is always a matter of resources. We are a small agency,
and I think we are doing a lot in stretching our dollars. I
think our efforts in education and in training of law
enforcement have been greatly appreciated. I recently received
an email from a local police officer, talking about how much
they appreciate our educating them, because of course, they are
the first line in this. We don't have criminal enforcement
authority against this crime. We are facilitating the
prosecution of these thieves, and we are obviously facilitating
education.
Mr. Baldwin. Thank you.
Mr. Stearns. I thank the gentlelady. We have one vote, and
then we--I am going to come right back. So we are going to
recess the committee for this one vote, and with your patience,
if you will stay with us, and I will start immediately, and I
will urge members to come back quickly, and there is about 7
minutes before we have--they shut down the vote, so I will be
right back.
Ms. Majoras. Thank you, Mr. Chairman.
[Recess.]
Mr. Stearns. The subcommittee will reconvene, and the
gentleman from New Hampshire, Mr. Bass, is recognized.
Mr. Bass. Thank you very much, and I would just like to ask
some basic questions, if I could.
Could you tell the committee, the subcommittee exactly what
a credit bureau is, and do they sell consumers' information?
Ms. Majoras. Forgive me. A credit bureau is a company that
collects information regarding consumers, generally speaking,
so that it can be compiled and sold, so that merchants, banks,
and insurance companies and the like can make eligibility
determinations about consumers.
Mr. Bass. Do consumers have the ability to opt out of
information collection by credit bureaus?
Ms. Majoras. They do not.
Mr. Bass. Do credit bureaus sell information to entities
like ChoicePoint and LexisNexis, and is there Federal
supervision by a regulator of the downstream use of information
sold by credit bureaus to data brokers?
Ms. Majoras. Yes, there is some, so yes, they do sell the
information, and yes, there is some Federal supervision under
the Fair Credit Reporting Act.
Mr. Bass. Is there Federal supervision by a regulator of
the subsequent sale of consumers' information by a data broker
to other businesses?
Ms. Majoras. It depends on what kind of information they
are selling. If it is a consumer report, for example, that they
are reselling, which they originally got from a CRA, then the
answer is yes, then they must comply with the requirements of
the FCRA. There may be other information, however, that data
brokers collect, in fact, I believe there are, that are not
subject to the requirements of the FCRA.
Mr. Bass. Could you explain ``permissible purposes'' for
which consumer reports can be disclosed under the Fair Credit
Reporting Act?
Ms. Majoras. It--generally, a permissible purpose is to
determine a consumer's eligibility for credit, for insurance,
for employment, and the like.
Mr. Bass. You have testified that, ``targeted marketing is
generally not a permissible purpose.'' When is targeted
marketing permissible?
Ms. Majoras. There is an exception in the statute with
respect to prescreened offers.
Mr. Bass. Has the FTC brought any enforcement cases against
firms who have used credit reports for targeted marketing?
Ms. Majoras. No.
Mr. Bass. Okay. I yield back, Mr. Chairman.
Mr. Stearns. I thank the gentleman. Madam Chairman, we
would like to thank you very much for your patience and for
attending. We are now going to call up the second panel.
Ms. Majoras. Okay. Thank you very much, Mr. Chairman.
Mr. Stearns. We have Mr. Kurt Sanford, President and Chief
Executive Officer of U.S. Corporate and Federal Government
Markets, LexisNexis; Mr. Derek Smith, Chairman and CEO of
ChoicePoint; Mr. Joseph--no, excuse me, that is just the two.
So we are--just those two on the second panel, and we are going
to let you start your opening statement.
We have about 12\1/2\ minutes to a vote, so I was hoping we
could tear through this, so when we come back, this is a
surprise vote, we can start on the questions.
So Mr. Sanford, I will let you start with your opening
statement. Just make sure the mike is close to you, and it also
is turned on.
STATEMENTS OF KURT P. SANFORD, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, U.S. CORPORATE AND FEDERAL GOVERNMENT MARKETS,
LEXISNEXIS; AND DEREK SMITH, CHAIRMAN AND CHIEF EXECUTIVE
OFFICER, CHOICEPOINT, INC.
Mr. Sanford. Good morning, Chairman Stearns and other
distinguished members of the subcommittee. My name is Kurt
Sanford. I am the Chief Executive Officer for Corporate and
Federal Markets at LexisNexis. I appreciate the opportunity to
be here today to discuss the important public policy issues
associated with cybercrime, identity theft, and the protection
of consumer information. LexisNexis commends the subcommittee
for its leadership on these important issues.
LexisNexis is a leading provider of authoritative legal,
public records, and business information. Today, over 3 million
professionals, law enforcement officials, government agencies,
financial institutions, and others, subscribe to the LexisNexis
services. LexisNexis plays a vital role in supporting
government and business customers, who use our information
services for important uses, including preventing identity
theft and fraud, locating suspects, preventing and
investigating terrorist activities, and locating missing
children.
LexisNexis is committed to the responsible use of
personally identifiable information. We have stringent privacy
policies and security measures in place to protect the consumer
information in our data bases. We share the subcommittee's
concern about the potential misuse of this information to
commit identity theft and fraud. We look forward to sharing our
views on possible ways to further enhance information security,
and address the growing problems of cybercrime and identity
theft.
I would like to take a few minutes to discuss data security
incidents announced last week at Seisint, the information
company we acquired last September. As part of the integration
of Seisint with LexisNexis, we are conducting a thorough review
of the company's verification, authorization, and security
procedures and policies. During that process, a LexisNexis
integration team became aware of some billing irregularities
with several customer accounts. Upon further investigation, the
team detected some unusual usage pattern within these accounts.
The team then informed senior management, and I contacted the
United States Secret Service.
The incident is still being investigated, but it appears
that cybercriminals compromised IDs and passwords of legitimate
Seisint customers, and used those IDs and passwords to access
public records and certain personally identifying information,
such as Social Security numbers and driver's license numbers.
No personal financial, credit, or medical information was
involved, because Seisint does not collect or sell information
of this type. Because this is an ongoing law enforcement
investigation, the U.S. Secret Service has asked us to refer
all questions regarding the investigation to them. We sincerely
regret this incident and any adverse impact that this crime may
have upon the individuals whose information was accessed. We
have already begun to take steps to assist the affected
consumers.
First, based on the investigation to date, we are in the
process of notifying approximately 32,000 individuals whose
personal information may have been accessed. We expect to
complete mailing notices by March 16. Second, we are providing
all individuals with a consolidated report, containing
information from the three major credit bureaus, and credit
monitoring services for 1 year. Third, for those individuals
who do become victims of fraud as a result of this incident, we
will provide counselors to help them clear their credit reports
of any information relating to fraudulent activity.
I would like to take a minute to discuss the security
systems at LexisNexis and the specific steps we are taking to
prevent any future incidents. LexisNexis has long recognized
the importance of undertaking extensive measures to protect the
information in our data bases, and has a comprehensive security
program. Maintaining security is not a static process, but
rather, involves continuously evaluating and adjusting our
security program.
LexisNexis has physical, administrative, and technical
measures to protect the security of information it maintains.
Our data facilities are physically secure, and are monitored 24
by 7. Administratively, we have policies and procedures in
place to prevent and detect employee misuse of our systems. In
addition, we limit a customer's access to sensitive
information, according to the purposes which they seek to use
the information. Our Chief Privacy Officer and Privacy and
Policy Review Board work together to help protect the privacy
of information contained in our data bases.
We also undertake regular assessments by independent third
parties of both our privacy and security practices. In addition
to these security safeguards, LexisNexis has a multilayer
process in place to screen potential customers to ensure that
only legitimate customers have access to sensitive information.
Only those customers with a permissible purpose under Federal
law are granted access to sensitive data, such as driver's
license number and Social Security numbers.
LexisNexis plans to further restrict access to the most
sensitive data elements by extending the more restrictive
Social Security number truncation policy currently in place for
LexisNexis to its recently acquired Seisint business, and by
adding a policy to include the masking of driver's license
numbers. We are also enhancing ID and password administration
procedures. These steps are part of the ongoing review that
LexisNexis has undertaken on security practices and procedures
and privacy policies across its businesses.
I would like to focus the remainder of my time on policy
issues being considered to further protect consumer
information. While there are various laws currently in place
that govern the collection and distribution of personally
identifiable information, we recognize that additional
legislation may be necessary to address the growing problem of
cybercrime and identity theft.
LexisNexis would support the following legislative
approaches. First, consistent with the proposal outlined by FTC
Chairman Majoras in her testimony, we support requiring
notification in the event of a security breach, where there is
a substantial risk of harm to consumers. We share the concerns
that Chairman Majoras raised in her testimony about ensuring
that there is an appropriate threshold for when consumers
actually would benefit from receiving notification, such as
where the breach is likely to result in misuse of customer
information. In addition, we believe that is it important that
any such proposal contain Federal preemption.
Second, we would support the adoption of data security
safeguards, modeled after the Safeguard Rule of the Gramm-
Leach-Bliley Act. I understand that the FTC is supportive of
this approach as well.
And finally, we strongly encourage legislation that imposes
more stringent penalties for identity theft and cybercrimes.
Additionally, consumers and industry alike would benefit from
an enhanced training for law enforcement, and an expansion of
the resources available to investigate and prosecute the
perpetrators of identity theft and fraud.
It is critical that any legislation being considered ensure
that legitimate businesses, government agencies, and other
organizations continue to have access to identifying
information that they depend on for important purposes,
including fraud detection and prevention, law enforcement, and
other critical applications. Moreover, legislation must strike
the right balance between security, protecting privacy, and
ensuring continued access to critically important information
that is provided through information service providers.
Thank you again for the opportunity to be here today to
provide the subcommittee with our company's perspective on
these important public policy issues. We look forward to
working with the subcommittee as it develops proposals to help
protect consumers and help fight cybercrime and identity theft.
Thank you.
[The prepared statement of Kurt P. Sanford follows:]
Prepared Statement of Kurt P. Sanford, President and CEO, U.S.
Corporate and Federal Government Markets, LexisNexis
INTRODUCTION
Good morning. My name is Kurt Sanford. I am the Chief Executive
Officer for Corporate and Federal Markets at LexisNexis, a division of
Reed Elsevier Inc. On behalf of LexisNexis, I appreciate the
opportunity to be here today to discuss the important public policy
issues associated with the protection of consumer information,
cybercrime, and identity theft. LexisNexis commends the Subcommittee
for its leadership on these important issues.
LexisNexis is a leading provider of authoritative legal, public
records, and business information. Today, over three million
professionals--lawyers, law enforcement officials, government agencies,
financial institutions and others--subscribe to the LexisNexis
services. Government agencies at all levels, businesses, researchers,
and others rely on LexisNexis to carry out important functions in our
society. LexisNexis Risk Management unit plays a vital role in
supporting government and business customers who use our information
services for a variety of important uses.
The following are examples of some of the important ways in which
the services of LexisNexis are used by customers:
<bullet> Prevent identity theft and fraud--Banks and other financial
institutions routinely rely on personally identifying
information contained in LexisNexis' databases to verify the
identities of individuals and businesses and prevent identity
theft and fraud. For example, LexisNexis has partnered with the
American Bankers Association to enable banks and other
customers to prevent money laundering and ensure compliance
with applicable laws by helping the banks determine if they are
doing business with legitimate businesses and consumers. The
use of this information by financial institutions to verify and
validate information on prospective customers is critical to
the success of that program. With the help of LexisNexis, major
banks and bank card issuers have experienced significant
reductions in dollar losses due to fraud, holding down costs
charged to consumers. Special investigation units of insurance
companies have experienced similar successes through the use of
information in our databases.
<bullet> Locating suspects and helping make arrests--Many federal, state and
local law enforcement agencies rely on LexisNexis to help them
locate criminal suspects and to identify witnesses to a crime.
For example, Seisint products were used during the course of
the D.C. sniper investigation and helped lead to the arrest of
the suspects.
<bullet> Preventing and investigating terrorist activities--Information
service providers like LexisNexis offer important tools in the
battle against terrorism. Our data, technology, and policy
expertise has been instrumental in detecting and preventing
terrorist activities.
<bullet> Locating and recovering missing children and assisting in the
enforcement of child support obligations--For many years,
LexisNexis has partnered with the National Center for Missing
and Exploited Children to help that organization locate missing
and abducted children. Locating a missing child within the
first 48 hours is critical to success in the recovery effort.
The NCMEC has told us that information from LexisNexis has been
critical in the Center's successful recovery of many children.
In addition, public and private agencies rely on information
provided by LexisNexis to locate parents who are delinquent in
child support payments and to locate and attach assets in
satisfying court-ordered judgments. The Association for
Children for Enforcement of Support (ACES), a private child
support recovery organization, has had tremendous success in
locating nonpaying parents using LexisNexis.
LexisNexis is committed to the responsible use of personally
identifiable information and to the protection of consumer privacy. We
share the Subcommittee's concern about the potential misuse of this
information to commit identity theft and fraud. We look forward to
sharing our views on possible ways to further enhance information
security and address the growing problems of cybercrime and identity
theft.
THE PENDING INVESTIGATION OF THE SEISINT SECURITY INCIDENTS,
LEXISNEXIS' RESPONSE AND CYBERCRIME IMPLICATIONS
Before I proceed, I would like to take a few minutes to discuss the
data security incidents we recently discovered at Seisint, the
information company we acquired last September.
As part of LexisNexis integration of Seisint, we have been
conducting a thorough review of the company's verification,
authorization, and security procedures and policies. During that
process, a LexisNexis integration team became aware of some billing
irregularities within several customer accounts. Upon further
investigation, the team detected within those accounts some unusual
usage patterns. The team then informed senior management and we
contacted the United States Secret Service. The U.S. Secret Service was
notified because of its well-known expertise in investigating
cybercrime and because of its national High Tech Crime Task Force, in
which LexisNexis participates.
The incidents are still being investigated, but it appears that
cybercriminals compromised IDs and passwords of legitimate Seisint
customers and used those IDs and passwords to access certain Seisint
databases. The information accessed was limited to public record
information and certain identifying information, such as social
security numbers and driver's license information. No personal
financial, credit, or medical information was involved because Seisint
does not collect or distribute information of this type.
We take these incidents very seriously. LexisNexis has long been
committed to the protection of consumer privacy and security. We
sincerely regret that these criminals were able to fraudulently access
this information. We further regret any adverse impact that this crime
may have upon the individuals whose information was accessed. We have
already begun to take steps to assist individuals whose information may
have been accessed. First, based on the investigation to date, we are
in the process of notifying approximately 32,000 individuals whose
personal information may have been accessed and we expect to complete
mailing notices by March 16. Second, we will be providing all affected
individuals with a consolidated report containing information from the
three major credit bureaus. Third, we will be providing credit
monitoring service for one year. Fourth, for those individuals who do
become victims of fraud, we will provide them with ID theft counselors
to help them through the process of clearing their credit reports of
any information from related fraudulent activity.
Because this is an ongoing law enforcement investigation, the U.S.
Secret Service has advised us that discussing additional details could
compromise its investigation.
the types of measures used to safeguard identifiable information
LexisNexis has long recognized the importance of undertaking
extensive measures to protect the information in our databases and has
in place a comprehensive security program. Maintaining security is a
not a static process, but rather involves continuously evaluating and
adjusting our security program in light of technological advances and
perceived or real threats.
LexisNexis has physical, administrative, and technical measures to
protect the security of information it maintains on its services. Our
data facilities are physically secure. Comprehensive monitoring
capabilities exist throughout these facilities. These capabilities
include interior and exterior cameras and a badge-access system with
badge readers at all key entry points in the building, which are
monitored 24x7 by on-site security guards.
Administratively, we limit access to data center facilities to
those individuals with job-related needs and management authorization.
To prevent employee misuse of our systems, we have policies and
procedures in place to monitor usage and address policy abuses through
clearly stated measures, up to and including termination.
In addition, we limit a customer's access to information, including
sensitive information, in LexisNexis products according to the purposes
for which they seek to use the information. Our Chief Privacy Officer
and Privacy and Policy Review Board work together to ensure that
LexisNexis has strong privacy policies in place to help protect the
privacy of information contained in our databases. We also undertake
regular assessments by independent third parties of both our privacy
and security practices. In addition, because we recognize that the
success of our security program depends on our employees, we have
developed training programs on privacy and security policies and
practices.
We use a multi-layered technical approach to securing data and
applications. Preventive and detective technologies are deployed to
mitigate risk throughout the network and system infrastructure and
serve to thwart potentially malicious activities.
In addition to the security safeguards outlined above, LexisNexis
has a multi-layer process in place to screen potential customers to
ensure that only legitimate customers have access to sensitive
information contained in our systems. Our procedures include a detailed
authentication process to determine the validity of business licenses,
memberships in professional societies and other credentials. We also
authenticate the documents provided to us to ensure they have not been
tampered with or forged.
We have verification procedures in place to vet customers prior to
providing them with access to sensitive information. Customers
requesting access to sensitive information must go through a multi-step
application and approval process. Only those customers with a
permissible purpose under federal law are granted access to sensitive
data such as driver's license information and social security numbers.
In addition, customers are required to make express representations and
warranties regarding access and use of sensitive information.
LexisNexis plans to further restrict access to the most sensitive
data elements, Social Security Numbers and Driver's License Numbers, by
extending LexisNexis current more restrictive SSN truncation policy to
its recently acquired Seisint business and is adding a policy to
include the masking of DLNs. These steps are part of the on-going
review that LexisNexis has been conducting on security practices,
authorization and verification procedures and privacy policies across
its businesses.
We have also accelerated our program to review and integrate
verification and security procedures at LexisNexis and Seisint.
Specifically, LexisNexis is in the process of:
<bullet> Enhancing ID and password administration procedures;
<bullet> Enhancing security requirements applied to our customers; and
<bullet> Working with law enforcement and outside consultants to establish new
procedures and techniques to thwart criminal activity.
THE TYPES OF INFORMATION MAINTAINED BY LEXISNEXIS
The information maintained by LexisNexis falls into the following
three general classifications: public record information, publicly
available information, and non-public information. I briefly describe
each below.
Public record information. Public record information is information
originally obtained from government records that are available to the
public. Land records, court records, and professional licensing records
are examples of public record information collected and maintained by
the government for public purposes, including dissemination to the
public.
Publicly available information. Publicly available information is
information about an individual that is available to the general public
from non-governmental sources. Some examples of these non-governmental
sources are telephone directories, newspaper reports, and other
general-distribution publications.
Non-public information. Non-public information is information about
an individual that is not obtained directly from public record
information or publicly available information. This information comes
from proprietary or non-public sources. Non-public data maintained by
LexisNexis consists primarily of information obtained from either motor
vehicle records or so-called credit header data. Credit header data is
the non-financial individual identifying information located at the top
of a credit report, such as name, current and prior address, listed
telephone number, social security number, and month and year of birth.
LAWS GOVERNING LEXISNEXIS COMPILATION AND DISSEMINATION OF IDENTIFIABLE
INFORMATION
There are a wide range of federal and state privacy laws to which
LexisNexis is subject in the collection and distribution of personally
identifiable information. These include:
The Gramm-Leach-Bliley Act. Social security numbers are one of the
two most sensitive types of information that we maintain in our systems
and credit headers are the principal commercial source of social
security numbers. Credit header data is obtained from consumer
reporting agencies.<SUP>1</SUP> Starting in July 2001, the compilation
of credit header data is subject to the Gramm-Leach-Bliley Act
(``GLBA''), 15 U.S.C. Sec. Sec. 6801 et seq., and information subject to the
GLBA cannot be distributed except for purposes specified by the
Congress, such as the prevention of fraud. For credit header data
compiled prior to July 2001, the dissemination of this information is
subject to a set of industry-developed principles endorsed and enforced
by the Federal Trade Commission.
---------------------------------------------------------------------------
\1\ Consumer reporting agencies are governed by the Fair Credit
Reporting Act (``FCRA''), 15 U.S.C. Sec. Sec. 1681 et seq. Some information
services, such as Seisint's Securint service and LexisNexis PeopleWise,
also are subject to the requirements of the FCRA.
---------------------------------------------------------------------------
Driver's Privacy Protection Act. The compilation and distribution
of driver's license numbers and other information obtained from
driver's licenses are subject to the Driver's Privacy Protection Act
(``DPPA''), 18 U.S.C. Sec. Sec. 2721 et seq., as well as state laws.
Information subject to the DPPA cannot be distributed except for
purposes specified by the Congress, such as fraud prevention, insurance
claim investigation, and the execution of judgments.
Telecommunications Act of 1996. Telephone directories and similar
publicly available repositories are a major source of name, address,
and telephone number information. The dissemination of telephone
directory and directory assistance information is subject to the
requirements of the Telecommunications Act of 1996, as well as state
law.
FOIA and other Open Records Laws: Records held by local, state, and
federal governments are another major source of name, address, and
other personally identifiable information. The Freedom of Information
Act, state open record laws, and judicial rules govern the ability of
LexisNexis to access and distribute personally identifiable information
obtained from government agencies and entities. See, e.g., 5 U.S.C. Sec.
552.
Other laws:
Unfair and Deceptive Practice Laws: Section 5 of the Federal Trade
Commission Act, and its state counterparts, prohibit companies from
making deceptive claims about their privacy and security practices.
These laws have served as the basis for enforcement actions by the
Federal Trade Commission and state attorneys general for inadequate
information security practices. The consent orders settling these
enforcement actions typically have required companies to implement
information security programs that conform to the standards set forth
in the GLBA Safeguards Rule, 16 C.F.R. Part 314.
Information Security Laws: A growing body of state law imposes
obligations upon information service providers to safeguard the
identifiable information they maintain. For example, California has
enacted two statutes that require businesses to implement and maintain
reasonable security practices and procedures and, in the event of a
security breach, to notify individuals whose personal information has
been compromised. See California Civil Code Sec. Sec. 1798.81.5, 1798.82-84.
LEGISLATIVE MEASURES LEXISNEXIS SUPPORTS
We recognize that additional legislation may be necessary to
address the growing problem of cybercrime and identity theft.
LexisNexis supports the following legislative approaches:
Data Security Breach Notification. Consistent with the proposals
outlined by FTC Chairman Majoras in her testimony before the Senate
Banking Committee last week, we support requiring notification in the
event of a security breach where there is substantial risk of harm to
consumers. We share the concerns that Chairman Majoras raised in her
testimony about ensuring that there is an appropriate threshold for
when customers actually would benefit from receiving notification, such
as where the breach is likely to result in misuse of customer
information. In addition, we believe that it is important that any such
proposal contain federal preemption to insure that companies can
quickly and effectively notify consumers and not struggle with
complying with multiple, potentially conflicting and inconsistent state
laws.
Adoption of Data Security Safeguards for Information Service
Providers Modeled After the GLBA Safeguard Rule. LexisNexis would
support the proposal outlined by Chairman Majoras whereby the types of
security protections required by the Safeguard Rule of the GLBA would
be applicable to information service providers that are not themselves
``financial institutions'' as defined under GLBA.
Increased penalties for identity theft and other cybercrimes and
increased resources for law enforcement. LexisNexis strongly encourages
legislation that imposes more stringent penalties for identity theft
and other cybercrimes. Additionally, consumers and industry alike would
benefit from enhanced training for law enforcement and an expansion of
the resources available to investigate and prosecute the perpetrators
of identity theft and cybercrime. Too many of our law enforcement
agencies do not have the resources to neutralize these high-tech
criminals.
It is critical that any legislation being considered ensure that
legitimate businesses, government agencies, and other organizations
continue to have access to identifying information that they depend on
for important purposes including fraud detection and prevention, law
enforcement, and other critical applications. Moreover, legislation
must strike the right balance between protecting privacy and ensuring
continued access to critically important information that is provided
through information service providers.
CONCLUSION
Mr. Chairman, members of the Subcommittee, thank you again for the
opportunity to testify before you today. LexisNexis is committed to:
<bullet> Developing effective products involving the responsible use of
personally identifiable information to support law enforcement,
government, and responsible businesses ;
<bullet> Safeguarding consumer privacy; and
<bullet> Protecting the security of our data systems.
We look forward to working with you as you develop proposals to
help protect consumers and help fight cybercrime and identity theft.
Mr. Stearns. Thank you, Mr. Sanford. I was hoping we could
get the second opening statement in. We have one vote, and then
no votes for a long period of time.
So Mr. Smith, we are going to have to recess the
subcommittee, and I will go vote, and members have just been
emailed to come back, so the subcommittee is----
[Brief recess.]
Mr. Stearns. [continuing] members will be filing in, but
Mr. Smith, we wanted to give you an opportunity to proceed.
Mr. Smith. Chairman----
Mr. Stearns. And just move it a little closer. Sometimes,
it is--if you don't mind, that would be helpful. Thanks.
STATEMENT OF DEREK SMITH
Mr. Smith. Chairman Stearns, Representative Schakowsky, and
members of the committee. I am Derek Smith, Chairman and Chief
Executive Officer of ChoicePoint, Inc.
I have thought a great deal, both professionally and as a
father, about the role information can play in making our world
more or less secure. I have devoted the last 12 years to the
pursuit of making our society safer through the innovative but
proper use of information and technology.
At ChoicePoint, our customers cover a broad spectrum of
American business, nonprofits, and government services
organizations, including most of America's Federal, State, and
local law enforcement agencies. Last year, ChoicePoint helped
100 million American consumers obtain fairly priced home and
auto insurance, and thousands of American businesses obtain
commercial property insurance.
We also helped 8 million Americans get jobs through our
workplace pre-employment screening services. We helped more
than 1 million consumers obtain expedited copies of their vital
records, birth, death, and marriage certificates. ChoicePoint
helped government fulfill its mission guarding the safety of
Americans.
But regrettably, I know that I am not here today to talk
only about the good things that ChoicePoint has done. I know I
am here because your committee and your constituents are
concerned about the harm that may have been done to
approximately 145,000 Americans whose information may have
fallen into the hands of criminals who accessed ChoicePoint
systems.
Let me begin by offering an apology on behalf of our
company, and my own personal apology to those consumers whose
information may have been accessed by the criminals whose
fraudulent activity ChoicePoint failed to prevent. Beyond our
apology, I want to assure the public and the members of this
committee that we have moved aggressively to safeguard the
information in our possession from future criminal theft.
We have also moved promptly to provide assistance to every
affected individual, to help them avoid financial harm. We are
also participating in the efforts of--we also welcome
participating in the efforts of this committee and other
policymakers seeking to provide an appropriate regulation of
our industry. We have decided to exit the consumer-sensitive
data market not covered by the Fair Credit Reporting Act,
meaning ChoicePoint will no longer sell information products
containing sensitive consumer data, including Social Security
and driver's license numbers, except where there is a specific
consumer-driven transaction or benefit, or where the products
support Federal, State, or local government and criminal
justice purposes.
ChoicePoint will continue to provide authentication, fraud
prevention, and other services to large, accredited customers,
where consumers have existing relationships. We have
strengthened ChoicePoint's customer credentialing process, and
we are changing our products and services to many customer
segments. We are requiring additional due diligence, such as
bank references and site visits, to small business applications
before allowing access to personally identifiable information.
We are recredentialing broad sections of our customer base,
including our small business customers. We are modifying the
services that ChoicePoint is delivering to our customers. I
have created an Office of Credentialing Compliance and Privacy
that will report to our Board of Directors Privacy Committee,
and be independent of ChoicePoint management. This Office will
be led by Carol DiBattiste, previously Deputy Administrator of
the Transportation Security Administration, and a former senior
prosecutor in the Department of Justice, with extensive
experience in detection and prosecution of financial fraud.
I have also appointed Robert McConnell, a 28 year veteran
of the Secret Service and former chief of the Federal
Government's Nigerian Organized Crime Taskforce, to serve as
our liaison to law enforcement officials. These changes reflect
some of the lessons that we have already learned as a result of
the breaches of ChoicePoint security, which have resulted in
the recent convictions of several individuals.
From what I now know, on September 27, 2004, a ChoicePoint
employee became suspicious while credentialing a prospective
small business customer based in the Los Angeles area. This
employee brought his concerns regarding the application to our
Security Services Department. After a preliminary review, the
manager of the Security Services Department alerted the Los
Angeles County Sheriff's Department. They decided to initiate
an official police investigation, and asked for our assistance.
The investigation is still ongoing, and has, I am told, already
resulted in the arrest and conviction of at least one
individual.
After the situation became public last month, I learned
that another instance in which ChoicePoint had been working
with law enforcement inquiry also involved a criminal use of
our information products, and late last year, had resulted in a
guilty plea.
With respect to California, we have learned that those
involved had previously opened ChoicePoint accounts by
presenting fraudulently obtained California business licenses
and other fraudulent documents. They were able to access
information products primarily containing the following
information: consumer names, current and former addresses,
Social Security numbers, driver's license numbers, certain
other public record information such as bankruptcies, liens,
and judgments, and, in certain cases, credit reports.
Based on the information currently available, we estimate
the data from approximately 145,000 consumers may have been
accessed as a result of unauthorized access to our information
products. Nearly one quarter of those consumers are California
residents. California is the only State that statutorily
requires affected consumers to be notified of a potential
breach of personally identifiable information, and authorized
law enforcement officials to delay notification to allow a
criminal investigation to proceed.
Last fall, ChoicePoint received such a request from the
Sheriff's Department, after the issue of consumer notification
was discussed between ChoicePoint and the Department. At that
time, ChoicePoint had not yet reconstructed all the searches
required to identify consumers at risk, and law enforcement
officers had not yet learned all the pertinent details of the
crime. Working cooperatively with the Sheriff's Department, and
after completing the necessary reconstruction, we began the
process of notifying consumers last month. We voluntarily
elected to use the California law as the basis for notifying
consumers in all States.
Absent specific notification from law enforcement
personnel, affected consumers, or others, we cannot determine
whether a particular consumer has been a victim of actual
identity theft. However, law enforcement officials have
informed us that they have identified approximately 750
consumers nationwide, where some attempt was made to compromise
their identity. The security breach that ChoicePoint discovered
last fall in California has caused us to go through some
serious soul searching at ChoicePoint.
In retrospect, the company should have acted more quickly.
I should have been notified earlier of the investigation being
conducted by the Los Angeles County Sheriff's Department. What
I can tell you today is that from now on, I will be notified
when ChoicePoint learns of a formal law enforcement inquiry
involving any potential breach of our security.
In the meantime, we have taken other steps to help and
protect the consumers who may have been harmed. First,
ChoicePoint established a dedicated toll-free customer service
number, and a special website to respond to inquiries. Second,
we are providing, free of charge, a combined three bureau
credit report. Third, we are providing, free of charge, a 1-
year credit monitoring service, and for anyone who has suffered
actual identity theft from this fraud, ChoicePoint will provide
further assistance to help them resolve any issue arising from
that identity theft. We hope these efforts will help those
individuals protect their personal data from being used in a
criminal manner, and that they will mitigate any harm.
Mr. Chairman, to conclude, I would like to state before
this committee, for the record, my position on further
regulation or oversight of information and credential
verification providers. For the past 2 years, I have been
working to prompt a broad discussion on how we can build a
framework that defines how personally identifiable information
should be used, by whom, and for what purpose.
I have called for independent oversight to give the public
the confidence it needs. I support increased penalties,
criminal penalties, for the unauthorized access to information.
I support a single, reasonable, nationwide, mandatory
notification requirement of any unauthorized access to
personally identifiable information.
Every advance in technology that makes our lives easier
also makes it easier for enemies to move swiftly against us.
You and I can be approved for a bank account in a matter of
minutes, but a person can use that same technology to get a
false or real driver's license, or to create a fake business.
The point being, technology and information are neither good
nor bad. People determine if the power of information is used
for the benefit of individuals or society, or to create harm.
I believe that only by adding a more formal structure to
the current scheme of information use will we realize the full
value of technology-based tools to society. The architects of
these guidelines will be working against a backdrop of
apparently conflicting principles. Increased concerns about
privacy, balanced against society's need to identify people who
would do us harm. But it is important to remember that these
two principles are not mutually exclusive, and that too much
weight on either end of the spectrum leads not to balance, but
to immobility, or worse, to a breaking point.
The privacy debate should not be a choice between civil
defense and civil liberty. We must aim to preserve both. We
look forward to participating in the continued discussion of
these issues, and I pledge our cooperation and my personal
cooperation to these efforts.
I thank you for your consideration, and I will be pleased
to answer any questions you might have.
[The prepared statement of Derek Smith follows:]
Prepared Statement of Derek Smith, Chairman and Chief Executive
Officer, ChoicePoint Inc.
Chairman Stearns, Representative Schakowsky, and Members of the
Committee: I am Derek Smith, Chairman and Chief Executive Officer of
ChoicePoint Inc.
I have thought a great deal, both professionally and as a father,
about the role information can play in making our world more, or less,
secure. I have devoted the last 12 years to the pursuit of making our
society safer through the innovative, but proper, use of technology and
information.
At ChoicePoint, our customers cover a broad spectrum of American
business, non-profits and government service organizations--from half
the Fortune 1000 to notable community organizations, and most of
America's federal, state and local law enforcement agencies.
Last year ChoicePoint helped 100 million American consumers obtain
fairly priced home and auto insurance, and thousands of American
businesses obtain commercial property insurance. We also helped 8
million Americans get jobs through our workplace pre-employment
screening services. We helped more than one million consumers obtain
expedited copies of their vital records--birth, death and marriage
certificates. ChoicePoint helped government fulfill its mission
guarding the safety of Americans.
But regretfully, I know that I am not here today to talk only about
the good things ChoicePoint has done. I know I am here because your
committee and your constituents are concerned about the harm that may
have been done to approximately 145,000 Americans, whose information
may have fallen into the hands of criminals who accessed ChoicePoint
systems.
Let me begin by offering an apology on behalf of our company, as
well as my own personal apology, to those consumers whose information
may have been accessed by the criminals whose fraudulent activity
ChoicePoint failed to prevent.
Beyond our apology, I want to assure the public and the members of
this committee that we have moved aggressively to safeguard the
information in our possession from future criminal theft. We have also
moved promptly to provide assistance to every affected individual to
help them avoid financial harm. We also welcome participating in the
efforts of this Committee and other policy-makers seeking to provide an
appropriate regulation of our industry.
We have decided to exit the consumer sensitive data market not
covered by the Fair Credit Reporting Act, meaning ChoicePoint will no
longer sell information products containing sensitive consumer data
including social security and drivers license numbers except where
there is a specific consumer driven transaction or benefit or where the
products support federal, state or local government and criminal
justice purposes. ChoicePoint will continue to provide authentication,
fraud prevention and other services to large accredited corporate
customers where consumers have existing relationships.
We have strengthened ChoicePoint's customer credentialing process
and we are changing our products and services to many customer
segments. We are requiring additional due diligence such as bank
references and site visits to small business applicants before allowing
access to personally identifiable information. We are recredentialing
broad sections of our customer base, including our small business
customers. We are modifying the services that ChoicePoint is delivering
to our customers.
The remaining ChoicePoint products and services that contain
sensitive information will satisfy one of three tests:
<bullet> Support consumer driven transactions, for which data is needed to
complete or maintain relationships such as insurance,
employment or tenant screening.
<bullet> Provide authentication or fraud prevention tools to large, accredited
corporate customers to enable services such as identity
verification, customer enrollment or insurance claims.
<bullet> Support federal, state or local government and law enforcement
purposes.
I have created an office of Credentialing, Compliance and Privacy
that will report to our Board of Directors' Privacy Committee and be
independent of ChoicePoint management. This office will be based here
in Washington and be led by Carol DiBattiste, previously deputy
administrator of the Transportation Security Administration and a
former senior prosecutor in the Department of Justice with extensive
experience in the detection and prosecution of financial fraud.
I have also appointed Robert McConnell, a 28-year veteran of the
Secret Service and former chief of the federal government's Nigerian
Organized Crime Task Force, to serve as our liaison to law enforcement
officials.
These changes reflect some of the lessons we have already learned
as a result of the breaches of ChoicePoint's security which have
resulted in the recent convictions of several individuals.
From what I now know, on September 27, 2004 a ChoicePoint employee
became suspicious while credentialing a prospective small business
customer based in the Los Angeles area. This employee brought his
concerns regarding the application to our Security Services Department.
After a preliminary review, the manager of the Security Services
Department alerted the Los Angeles County Sheriff's Department. They
decided to initiate an official police investigation and asked for our
assistance. That investigation is still ongoing, and has, I am told,
already resulted in the arrest and conviction of at least one
individual.
After this situation became public last month I learned that
another instance in which ChoicePoint had been working with a law
enforcement inquiry also involved a criminal use of our information
products and, late last year, had resulted in a guilty plea.
With respect to California, we have learned that those involved had
previously opened ChoicePoint accounts by presenting fraudulently
obtained California business licenses and fraudulent documents. They
were then able to access information products primarily containing the
following information: consumer names, current and former addresses,
social security numbers, driver's license numbers, certain other public
record information such as bankruptcies, liens and judgments and, in
certain cases, credit reports.
Based on information currently available, we estimate that data
from approximately 145,000 consumers may have been accessed as a result
of unauthorized access to our information products. Nearly one quarter
of those consumers are California residents. California is the only
state that statutorily requires affected consumers to be notified of a
potential breach of personally identifiable information, and authorizes
law enforcement officials to delay notification to allow a criminal
investigation to proceed. Last fall, ChoicePoint received such a
request from the Sheriff's Department after the issue of consumer
notification was discussed between ChoicePoint and the Department. At
that time ChoicePoint had not yet reconstructed all of the searches
required to identify consumers at risk and law enforcement officers had
not yet learned all of the pertinent details of the crime. Working
cooperatively with the Sheriff's Department and after completing the
necessary reconstruction, we began the process of notifying consumers
last month. We voluntarily elected to use the California law as the
basis for notifying consumers in all states. Absent specific
notification from law enforcement personnel, affected consumers or
others, we can not determine whether a particular consumer has been a
victim of actual identity theft. However, law enforcement officials
have informed us that they have identified approximately 750 consumers
nationwide where some attempt was made to compromise their identity.
The security breach that ChoicePoint discovered last fall in
California has caused us to go through some serious soul-searching at
ChoicePoint. In retrospect, the company should have acted more quickly.
I should have been notified earlier of the investigation being
conducted by Los Angeles County Sheriff's Department. What I can tell
you today is that from now on, I will be notified when ChoicePoint
learns of a formal law enforcement inquiry involving any potential
breach of our security.
In the meantime, we have taken other steps to help and protect the
consumers who may have been harmed.
<bullet> First, ChoicePoint has established a dedicated toll-free customer
service number and a special web site to respond to inquiries;
<bullet> Second, we are providing, free of charge, a combined three-bureau
credit report;
<bullet> Third, we are providing, free of charge, a one-year credit
monitoring service; and
<bullet> For anyone who has suffered actual identity theft from this
fraud, ChoicePoint will provide further assistance to help them resolve
any issue arising from that identity theft.
We hope these efforts will help those individuals protect their
personal data from being used in a criminal manner and that they will
mitigate any harm.
Mr. Chairman, I would like to state before this committee, for the
record, my position on further regulation or oversight of information
and credential verification providers. For the past two years, I have
been working to prompt a broad discussion on how we can build a
framework that defines how personally identifiable information should
be used, by whom and for what purposes. I have called for independent
oversight to give the public the confidence it needs. I support
increased penalties--criminal penalties--for the unauthorized access to
information. I support a single, reasonable, nationwide mandatory
notification requirement of any unauthorized access to personally
identifiable information.
Every advance in technology that makes our lives easier also makes
it easier for our enemies to move swiftly against us. You and I can be
approved for a bank account in a matter of minutes, but a person can
use that same technology to get a fake or real drivers' license or to
create a fake business.
The point being, technology and information are neither good nor
bad. People determine if the power of information is used for the
benefit of individuals or society or to create harm.
I believe that only by adding a more formal structure to the
current scheme of information use, will we realize the full value of
technology-based tools to society.
The architects of these guidelines will be working against a
backdrop of apparently conflicting principles: increased concerns about
privacy balanced against society's need to identify people who would do
us harm. But it is important to remember that these two principles are
not mutually exclusive, and that too much weight on either end of the
spectrum leads not to balance, but to immobility, or worse, to a
breaking point. The privacy debate should not be a choice between civil
defense and civil liberty. We must aim to preserve both.
Perhaps I might take a few minutes to describe some of the benefits
of having access to an individual's personal information. ChoicePoint
has helped find more than 800 missing children--we were even able to
find a baby kidnapped from a hospital the day he was born, and return
him to his parents within 24 hours. Our company works with the largest
youth services organizations around the country to help them screen
volunteers--we have helped identify more than 11,000 undisclosed felons
among those volunteering, or seeking to volunteer. Included in this
group, individuals who did not disclose they had been convicted of a
collective 5176 violent crimes, 1137 sex crimes, 11,397 illegal
substance offenses, 1055 crimes against children. Forty-two of these
individuals were registered sex offenders.
ChoicePoint's DNA laboratories have freed those wrongly accused
from prison, and helped to identify suspects and victims of violent
crimes. Our labs matched thousands of bone fragments found in the World
Trade Center rubble with DNA samples provided by victims' families. Our
scientists are currently in the tsunami ravaged areas of Asia helping
to identify victims to help bring closure to families devastated by the
disaster.
ChoicePoint helped Maryland police identify and locate two men
named John Allen Muhammad and Lee Boyd Malvo. The two had no obvious
relationship to one another and no known ties to Washington, DC.
Information technology found those hidden links, and provided the tools
for locating the people now known as the DC Snipers.
In fact, ChoicePoint provides service to more than 7,000 federal,
state and local law enforcement agencies.
Not all of what we do is so dramatic. ChoicePoint also serves 700
insurance companies, a large number of Fortune 500 companies, and many
large financial services companies.
And the products involved in these transactions are regulated by
the FCRA, which represents a significant portion of our business.
Certain other segments of our business are regulated by Gramm-Leach-
Bliley Act and various state laws.
We look forward to participating in continued discussion of these
issues, and I pledge our cooperation to your efforts.
I thank you for your consideration, and I would be pleased to
answer any questions you might have.
Mr. Stearns. I thank you, Mr. Smith, and first of all, I
would like to thank both of you, a President and CEO, Mr.
Sanford, and a Chairman and CEO, Mr. Smith, for coming here to
speak about these important issues.
And I would caution all members that they cannot actually
talk about the investigation with the Federal investigation
going on. It is going to be difficult for them to talk about
it, but they obviously can talk about what happened, and give
us policy presentation on what they think should happen.
Mr. Smith, my first question is to you. And I--you know,
everything I have read about this report in the paper. We have
had a little conversation ourselves. This case, a man from Los
Angeles filled out all the proper applications to receive
information from ChoicePoint, and it appears that due diligence
by you was to confirm his application, confirm a copy of a
business license he had. Evidently, this person paid his bills,
received information, including consumers' Social Security
numbers, which the person used fraudulently.
So the question for you is, based upon that scenario, what
would you do differently knowing what you do today, to make
sure that this person who got this business license, who paid
his bills, that seemed to be, to you, a legitimate customer,
how would you have stopped that, today?
Mr. Smith. Well, I think that there are a couple things.
First, we are strengthening the credentialing procedures now to
include even a more rigorous analysis of that process----
Mr. Stearns. Can you strengthen it----
Mr. Smith. [continuing] to include----
Mr. Stearns. [continuing] good enough, you think? On your
own, do you think you can strengthen it good enough?
Mr. Smith. Well, the reality is, one of the reasons why we
are exiting the consumer-sensitive market, particularly as it
relates to small businesses, is that it is possible for a
business to set up themselves as a legitimate business, operate
as a legitimate business, and yet, then subsequently use that
particular business for access to information that would be
inappropriate.
We can't find out how we would avoid that, and as we went
back through our recredentialing procedures, we determined that
the only way in which we could prevent the data from being
accessed inappropriately in that circumstance, was in fact, to
restrict the data and not provide it all in those instances, or
in a masked format.
Mr. Stearns. Well, that is what it seems to me. Now, as I
understand, I read that a scam like this had been perpetrated
against ChoicePoint before. Is that correct?
Mr. Smith. Well, what had happened is, back in 2001, we had
received a subpoena about one particular account. During 2002,
we actually received three subpoenas asking for additional
information about that account, but then, we never heard
anything else for almost a 2\1/2\ year period of time. And
then, in late 2004, we were asked to testify, potentially, at a
trial of an individual, which is the first time we had heard
about that since that point in time, that the person
subsequently pleaded guilty, and we were not asked to testify.
So during that previous incident, we had had subpoenas, but we
had not understood what the nature of the investigation was, or
what potentially the crime was, until just recently.
Mr. Stearns. Is there any way for a private citizen to find
out what types of information ChoicePoint data base may contain
about him or her?
Mr. Smith. There are several. I mean, to the extent that a
majority of products are actually governed under the Fair
Credit Reporting Act, and you have the right to be able to get
a copy of those particular reports. In the public record arena,
we do provide individuals who request access to those reports a
copy of a specific report, as it references themselves.
Mr. Stearns. Mr. Stanford, now your case is a little
differently than ChoicePoint. A person stole sensitive
information about consumers by the use of passwords
fraudulently obtained from your customer. And I guess the
customers affected the breach--do the customers affected by the
breach have to worry about identity theft for the rest of their
lives, and when will the elevated risk of identity theft
subside, if ever?
Mr. Sanford. Well, sir, in our situation, the facts as we
understand them, and I think we talked about this yesterday, in
early February of this year, one of our integration teams,
recall that we acquired the Seisint business late in 2004, one
of our integration teams which was charged with the
responsibility of reviewing the security procedures,
authentication, verification, and kind of the physical security
of the business we acquired. It came to their attention that
there were some irregular billing activities in a handful of
accounts, and they did that investigation. They gathered more
facts, they brought that to my attention late in February, I
think it was the February 28, and on March 2, I got on an
airplane and flew here to Washington, DC., and met with the
Assistant Director of the United States Secret Service, and
asked them if they would investigate it for us, and we have
turned over our records.
We don't know yet how that compromise occurred in the
customer environment. Law enforcement is investigating that,
and we will be forthright and share the details of that
investigation when it is completed.
Mr. Stearns. I am sorry I am asking you to speculate. It is
probably not fair, but you know, this identity theft, what is
your experience about--does it last a year, or 2 years? I mean,
what--I mean, this is--I mean, I've run into people that say it
is a long time.
Mr. Sanford. I haven't seen any statistics that indicate a
time, you know, a cause and effect timeline that says, if an
identity, you know, if a record is, you know, obtained
fraudulently, you know, is that going to then be used 4 or 5
years later? I don't know----
Mr. Stearns. Okay.
Mr. Sanford. [continuing] if there are any published
reports on that, sir.
Mr. Stearns. Now, in your case, it wasn't LexisNexis. It
was Seisint. And this company, you acquired. And is it possible
that Seisint outsourced, in other words, they are a
subcontractor, they have this information, you are the parent--
they are not a subcontractor, but they are owned by you. But is
your data base effectively outsourced to all your customers, so
that a breach of their security systems potentially allows
criminals access to sensitive information in your data bases?
Mr. Sanford. I am not sure I understand the question. Let
me see if I can respond, and let me know if I am responsive to
what you are looking for. This is our company. We bought this
company.
Mr. Stearns. Right.
Mr. Sanford. This is not a subcontractor.
Mr. Stearns. Right.
Mr. Sanford. This is a LexisNexis business----
Mr. Stearns. Yeah.
Mr. Sanford. [continuing] that was acquired in the second
half of 2004. We enter into agreements with legitimate
businesses who subscribe to services. They have password and ID
access to a data base that we maintain.
Mr. Stearns. Does Seisint outsource some of their business
to some other companies?
Mr. Sanford. We license some of our data base information
to----
Mr. Stearns. Okay. So my question is, when you license it
to these other companies, is it possible their employees, then,
would have access to this information, they could fraudulently
do it?
Mr. Sanford. I am still not sure I follow the question,
sir.
Mr. Stearns. Okay. So if your new company outsources a lot
of their work, they give them the identity of individuals to
process, and----
Mr. Sanford. We license our data to other parties who are
resellers, credit bureaus, for example.
Mr. Stearns. Okay.
Mr. Sanford. And they contractually enter into agreements
with us to comply with all the same safety, verification,
security safeguards that we have in place for our business.
Mr. Stearns. So I think what we are saying is, if you allow
employees to have access to this information through passwords,
then you are effectively outsourcing the ability of others to
get access to this secured information.
Mr. Sanford. I am--I don't--I still don't understand how I
am outsourcing to employees.
Mr. Stearns. Okay. Okay. My time has expired. The Ranking
woman, Ms. Schakowsky.
Ms. Schakowsky. Okay. First, Mr. Smith, in your SEC filing
about the 145,000 consumers that were exposed, you say that
that number represents those whose data was compromised after
July 1, 2003, when the California law required you to report.
We know that there were earlier breaches, in fact, prior to
2003, that you were unaware of, the Benson case, where they
pled guilty and were guilty of fraud. So I would assume, then,
the numbers are higher than 145,000. Do you have any idea what
that number is, and are you going back at all to review your
records to find out if there were earlier breaches? What is
your plan here?
Mr. Smith. The Board or the committee has sanctioned a
study to go back and to look at not only this incident, but
prior incidents, to determine if, in fact, any other such
circumstances took place. And so that investigation is
currently underway, and is being done on a very aggressive
basis.
Ms. Schakowsky. I have to say that I am pretty surprised,
and I think a number of other people were, would be as well, to
find out that there was this case, you said subpoenas were
issued, but I guess you didn't bother to figure out why or what
the case was about, that you would have been unaware of a
criminal prosecution that resulted in a conviction. How could
that happen, and has anybody been made to take responsibility
for that at all?
Mr. Smith. Well, we do receive subpoenas to support law
enforcement investigations. They don't always give us
information, because of the sensitive nature of the
investigation, what type of investigation it might be. It could
have been involved in a situation such as identity theft, but
it could have been involved in any other type of criminal
potential incident.
Ms. Schakowsky. So in other words, such an instance could
go unnoticed still?
Mr. Smith. No, not today, as I have said, that we have now
changed our procedures so that in any circumstance where we are
issued a subpoena, it will be elevated to me personally. We
have also instituted a new department that is in charge of all
of our credentialing compliance and privacy. It is headed up by
Carol DiBattiste, who is a recognized leader in this area, and
she will be assuring that any type situation that this occurs
in the future will be dealt with very quickly, and will be
elevated appropriately and responsibly----
Ms. Schakowsky. Okay.
Mr. Smith. [continuing] immediately.
Ms. Schakowsky. You know, you said that some information is
available to the public if they ask for it. People understand
about credit reporting agencies, but I have a feeling before
all this came out with LexisNexis and with ChoicePoint that
nobody even knew really, hardly anybody knew about you. Could
you provide us with information, or--unless you have it at your
fingertips, of how many people have actually asked for their
information from you before the ChoicePoint, before these
scandals were revealed?
Mr. Smith. I will have to get you, and will be pleased to
get you that particular information.
Ms. Schakowsky. Do you have any order of magnitude, of how
many people actually asked for that information?
Mr. Smith. Again, many of our products and services are
under the Fair Credit Reporting Act, so that they would
naturally be part of the new FACT act, which requires a free
copy of that report----
Ms. Schakowsky. I understand what the requirement is, but I
am saying I don't think there is a lot of consumer awareness
about it, and I am just wondering----
Mr. Smith. There has not been----
Ms. Schakowsky. [continuing] how many people----
Mr. Smith. [continuing] an overwhelming number of people
who have requested the reports. That would be correct.
Ms. Schakowsky. Thousands of voters were inaccurately
listed as felons by your company in 2000, and were denied the
right to vote in the Florida election. That is very serious,
and we are talking more about identity theft, et cetera, but
this precious right to vote. Were any laws violated by that?
Mr. Smith. Well, first, I appreciate the opportunity to
respond to that particular question and situation. The incident
you are referring to was a project done between a company
called Data base Technologies and the State of Florida. It was
operated and run between 1998 and roughly 2000. At that
particular point in time, Data base Technologies was a very
significant competitor to ChoicePoint.
In the middle of 2000, but prior to the election, but after
all of that information had been provided to the State of
Florida, we acquired that company. So ChoicePoint was not
involved in any way in screening the voter rolls, in dealing
with the issues of what potential people were allowed to vote.
We have not been involved in any such situation in that regard.
So unfortunately, because we acquired that company, it has been
interpreted that we were involved. But we were not involved at
all in that particular situation.
Ms. Schakowsky. Did you know about it when you acquired
them?
Mr. Smith. We--I--we did not. It was a contract between
themselves and the State of Florida.
Ms. Schakowsky. If I could ask this last question, I
realize it may go over time, but I want to know from both of
you, what quality assessment of your data do you do? How do you
ensure that the information on people is correct, and perhaps,
most importantly, what do you feel is your responsibility if
someone is denied a home or a job or insurance because the
information you are selling and profiting from about them is
wrong?
Mr. Sanford.
Mr. Sanford. Sure. Congresswoman, we have a very few
products that are governed by the FCRA. These are products that
are involved in employment screening. And we follow a rigorous
procedure to make corrections. I personally get emails from
time to time, even phone calls from consumers that want to
question the accuracy of data in our data bases. We have a
group of lawyers who work with them. They have to first go
through an authentication and verification procedure to make
sure they really are who they say purport to be, and then, we
work with them to make corrections in the data base. Sometimes,
that requires them to go back to the source of where we got
that data from. Perhaps there is an error in a credit header
that we got from a credit bureau. The overwhelming majority
of----
Ms. Schakowsky. So they have to go back. You don't have to
go back. They have to go back.
Mr. Sanford. Well, normally, a credit bureau would not
allow us to correct a record of a consumer, since we are not
that consumer. We wouldn't have the legal authority to do that.
Ms. Schakowsky. Well, it is a source of data that you got
it from, though.
Mr. Sanford. We help them. We, you know, we advise them of
how they can make that correction. With respect to the rest of
the data in our systems, it is principally public record
information. And public record information is just that,
information that we get from public sources.
And again, we don't have the authority to change an
official public record that we have in our data base. We tell
people who ask these questions where we got the data from,
where the source is, to the extent that we have the contact
information, we provide them with that, and we ask them to go
and correct that. As soon as that is corrected, our records are
updated, and then, we have inaccurate information in our
systems.
Mr. Smith. Again, we apply extraordinarily rigorous
standards to ensure the accuracy of the information. And I
would suggest that--I believe that people should have the right
to access their public records, and that if, in fact, they
should have the right to question the accuracy of that
information, and have it done in a very prompt way.
Again, there are cases where, when that information is
inaccurate, the important part is to direct them back
immediately to the source of that information, which many
times, is in some kind of State repository. Otherwise, even if
we had the ability to change the information, it would
perpetuate itself through the system, because the source
document itself was fundamentally wrong.
I do believe that we should allow consumers, though, to
have, much like it is in a credit report, the ability to make a
comment on their public record, if a record is deemed correct,
but they want to make a comment, because there is some
extenuating circumstance associated with that information, they
should have the ability to do so, and I support that.
Mr. Stearns. The gentlelady's time has expired. The
gentlelady from Wisconsin.
Ms. Baldwin. Thank you, Mr. Chairman. A couple of brief
questions. Mr. Smith, you anticipated one of my questions in
your testimony, when you expressed support for mandatory
disclosure of any sort of security breach in which consumers'
data is compromised.
I didn't hear, Mr. Sanford, did you take such a position,
and is that your position also?
Mr. Sanford. Yes, we thought that the approach that the
Chairwoman of the Federal Trade Commission has outlined in her
testimony not only here today, but last week, in the Senate
Banking Committee, is a very sensible approach.
I can tell you that we, as a matter of policy, are
notifying consumers, where we believe there is a significant
risk that some harm could come to those consumers, irrespective
of the State in which that consumer resides.
I am very concerned that if we do have a host of
notification bills enacted across the United States in 30, 40,
50 jurisdictions, that we will actually defeat the intent of
what those statutes were intended to do, which is to put
consumers on notice, and have them take appropriate actions.
If they get flooded with a whole variety of different
standards, different bills, different approaches, I think we
are going to confuse consumers, and defeat the purpose of what
the legislation would have been intended from the first place.
So a national standard, and Federal preemption is most
appropriate here. We don't want to flood the market with a
bunch of notices, not just from companies like information
services, but financial institutions, where people lose things.
I think if we do that, they are going to end up like the junk
mail that people get and go right in the trashcan.
Ms. Baldwin. Thank you.
Mr. Smith, in your written testimony, and you also
reiterated it in your oral testimony, you stated that
ChoicePoint would no longer sell information products
containing sensitive consumer data, and I quote, ``except where
there is a specific consumer-driven transaction or benefit.''
I am interested in precisely what that means, and
particularly, does it mean that a consumer would have to give
permission for the release of that specific information, and if
not, how do you determine what would benefit the consumer?
Mr. Smith. Well, to give you an example of a consumer-
initiated transaction, it would be things such as the purchase
of insurance. It would be seeking employment, potentially,
trying to rent an apartment. And so what we were trying to
identify there were things that it was in the consumer's best
interest, and they, in essence, initiated a transaction.
There may be cases where, and I think, the majority of
cases, they would, in fact, have given their consent, but there
may be a circumstance where, in seeking a benefit, they didn't
directly do that, but in fact, they benefited from that
particular process that was taking place, and that certainly
can be defined.
Ms. Baldwin. And how are you defining that?
Mr. Smith. Well, today, again, we are in the process, over
the next 90-day period, as we said, that we were exiting that
market. Today, we are not doing it at all. We will try to
clarify that to a greater extent as the policy is implemented.
Ms. Baldwin. Okay. Thank you.
Mr. Stearns. The gentleman from Texas, Mr. Green.
Mr. Green. Thank you, Mr. Chairman. I apologize, because of
the vote schedule, and not being able to question our Chairman
of the Federal Trade Commission, but hopefully, we can submit
questions.
Mr. Stearns. Absolutely.
Mr. Green. Mr. Derek, Mr. Smith, one, I welcome, and up
until I guess 2 months ago, I didn't know what ChoicePoint was,
and as a lawyer, I understood what LexisNexis was, over the
years, and the expansion. But to find out that not only do you
gather this information, but you sell it to folks who want it,
I know under current law, I have the right to question the
three credit reporting agencies, and to get an annual report.
Do any of your companies come under your--come under that
requirement?
Mr. Smith. I will speak first. I mean, over a majority of
the products and services that we supply, particularly to the
insurance industry, as well as to major employers, who are
doing background pre-employment screenings, fall under the
jurisdiction of the Fair Credit Reporting Act, and therefore,
consumers have the same rights under those applications, as
they would any other particular application.
Mr. Green. So we would request from ChoicePoint or
LexisNexis the information on individual Members of Congress,
if we wanted? I mean, I could have my own information, for
example. I don't really need it on on the chairman, but the
chairman ought to, maybe ought to be interested in what his is
in your data base.
Mr. Smith. You can get information on yourself, yes, sir.
Mr. Green. Okay. And I know one of the concerns we have is
that the notification, I know California has a notification
requirement. Is that notification only when the--what is the
requirement under California law for notification?
Mr. Smith. It is when sensitive personal information may
have been compromised.
Mr. Green. Okay. So for example, if I applied for a job,
and my employer, or potential employer, requested information
from you, I would not necessarily know that that is where my
potential information was receiving that information from?
Mr. Smith. No. In fact, that is an application, pre-
employment screening, again under the Fair Credit Reporting
Act, and they would have to sign an application that allows
that that particular background screen to take place. So they
would know that the background screening was taking place on
behalf of that employer.
Mr. Green. Okay. Would they know it would be ChoicePoint or
LexisNexis? Or would it just be--it is a general approval that
I say yes, you can do a background check on me?
Mr. Smith. I don't know whether all specific applications
say the company. I would suggest generally that is not true. If
you, though, are for some reason denied employment as a result
of a particular instance, then that particular company is
identified as the company that provided that employer with the
specific information.
Mr. Green. Again, is that employer required to tell that
person----
Mr. Smith. Yes. Yes, they are.
Mr. Green. [continuing] the reasons that--and where the
information was from? I guess the MSNBC story worried me a
little bit, being from Texas, and when Ms. Pierce's report was,
it said ``possible Texas criminal history.'' You know, it seems
like that is just a mild innuendo, without saying if you are
charged with something, it is public record, and there should
be case number or something. Is that typical of what a pre-
employment search would say, would be ``possible Texas criminal
history'' without any basis?
Mr. Smith. No, a typical, in our case, we don't have arrest
records that are part of a background pre-employment. These are
the actual records that are warehoused by--you actually go into
the courthouse, and actually acquire the record itself. So it
would be reported as it was in the particular court.
Mr. Green. Okay. So you would go to that court, for
example, in Harris County, in Houston, Texas, we have the
Justice Information Management System, called JIMS. That is
public record, and only certain folks, law enforcement, have
access to it, typically. And--but you could be able to access
that.
Mr. Smith. I can't speak to the specific instance in which
you are talking about, but in general, when a record becomes
public in the court itself, then anyone, not just ourselves,
would have a right to go----
Mr. Green. Okay.
Mr. Smith. [continuing] and review the record.
Mr. Green. Okay. That is true, and I guess what concerns
me, instead of saying, you know, I don't know where Ms. Pierce
is from, but she said she only visited Texas a few times, what
would be the basis for putting in her employment record,
``possible Texas criminal history?''
Mr. Smith. I am not familiar with that. I will certainly be
pleased to get back with you at that particular circumstance,
but I can't really comment on that incident.
Mr. Green. It just seems like in a report, it ought to be
more specific, and say, you know, instead of--and this in
quotes from the report, ``possible Texas criminal history,'' or
``possible New York criminal history.'' It seemed like it would
be--should be more specific. If you are providing that
information, and you are responsible, as your company or both
your companies, that it would seem like it would be much more
specific.
But I am glad to know that I can request my dossier, I
haven't done it with the FBI, Mr. Chairman, maybe I ought to do
with these two agencies, to see what reports. After my
briefcase was stolen last August, I got my reports from Equifax
and typically, it was just misnaming, there are a lot Gene
Greens that I didn't realize were running around. But anyway, I
appreciate that, Mr. Chairman. Thank you.
Mr. Stearns. I thank the gentleman. The gentleman from
Massachusetts.
Mr. Markey. Thank you, Mr. Chairman, very much. Mr. Smith,
I understand that ChoicePoint is offering consumers who have
been victimized by this enormous leakage of personal
information a free 1 year credit monitoring service that will
enable victims to have access to their credit report, and will
provide monitoring and email alerts of changes in consumers'
credit report activity.
My concern is what happens after 1 year? My constituents
who have written to me, who have been victimized by
ChoicePoint's privacy breach, are very concerned about the 1
year time limit. They are afraid that these bandits will just
wait 1 year, and then use all of this information, that will
bring them great profit.
Would you promise, Mr. Smith, to give these people a
lifetime monitoring service, and instant email and postal
alerts for each and every consumer who has been victimized as a
result of ChoicePoint's negligence?
Mr. Smith. Well, we will continue to look at other
remedies. To date, that was, as people--we were trying to
understand what was a reasonable amount of time to be done. We
chose that particular period. To the extent that we should
review that, or consider it, we will do so.
Mr. Markey. Would you give them 10 years? One year just
isn't enough time. Will you give them 5 years?
Mr. Smith. I would be pleased to work with you and others
of the committee, to find a way----
Mr. Markey. No, no, no, no, no, no, no. I want to know
right now. One year is not long enough. Will you give them more
than 1 year? Will you give them 2 years?
Mr. Smith. We will consider extending the period of time.
Mr. Markey. I know your lawyers said to make no
concessions. One year is too short, Mr. Smith. What do you
think? What do you think is a reasonable time? Do you think 1
year is a reasonable time, Mr. Smith?
Mr. Smith. What I would say is I share your concern, and I
will look at--to try to determine what is a reasonable amount--
--
Mr. Markey. What do you think----
Mr. Smith. [continuing] to extend that.
Mr. Markey. Would you think 1 year is reasonable? You
already made that decision. Now that you think about it, do you
think 1 year is too short or not, Mr. Smith?
Mr. Smith. Well, I can tell you that I personally was a
victim of identity theft.
Mr. Markey. All right. So what do you think?
Mr. Smith. So I conclude that----
Mr. Markey. Do you think--do you want these thieves to have
your name now for than--do you think after a year, that they
are not going to use it? Or do you think that you don't want
them, maybe, for 5 years, to have some kind of notice that you
are getting back that it is being compromised, Mr. Smith?
Mr. Smith. Well, I mean, identity theft is obviously a
very, you know, serious crime.
Mr. Markey. Right. So give us more than 1 year. Give these
people, give my constituents more than 1 year. Can you give
them 2 years, Mr. Smith?
Mr. Smith. As I said, I--we will take a very hard look----
Mr. Markey. No, no. I want you, you run the shop. Will you
give them more than 1 year, Mr. Smith? I don't want you to take
it under advisement. You have been thinking about this your
whole career. This is your business. You don't need any more
time to think about it. Is 1 year enough time, or should they
get more than 1 year----
Mr. Smith. It was----
Mr. Markey. [continuing] in terms of the protection that
they get?
Mr. Smith. It was our opinion at the time that 1 year was a
reasonable and responsible thing to do.
Mr. Markey. You think 1 year is reasonable and responsible.
Mr. Smith. I think, given what I know today, it is, but I
would be glad to, you know----
Mr. Markey. It sounds like you are not going to change,
then, Mr. Smith. Let me--and I don't think that is a good
answer for this committee, and I don't think you should be
coming in here letting us think that 1 year is enough time,
when these people can just sit, lay in wait, while the 1 year
statute of limitations runs, and then they are off with 145,000
names, okay? That is just absolutely preposterous.
Now, what types of personal information has been
compromised? You just said in the letter to my constituent,
``personally identifiable information, such as your name,
address, or Social Security number may have been viewed by
unauthorized individuals.'' Why can't you tell my constituents
whether or not it is their bank numbers, their credit card
numbers, their passwords, their children's names and ages,
passport numbers, home addresses, Social Security numbers, and
similar private information? Will you give my constituents and
all people affected exactly what personal information was
compromised, and not this vague letter telling them that it
could include all of this, but we are not going to give you the
exact information.
Will you give them the specific information that has been
compromised, and give all 145,000 people that specific
information, Mr. Smith?
Mr. Smith. Well, if they request this--again, we had to
recreate the searches that were done, but if they would like
the specific information that was on that report, that could--
potentially could have been used, then we will provide that
information to them, yes.
Mr. Markey. Well, why won't you just provide it to all of
them as a matter of course? That is, the information that has
been compromised? Why won't you just give each person that
information, so they will know?
Mr. Smith. Well, again, you have got to be--for their own
benefit, you have got to be careful in how you disseminate that
particular information. By simply sending that information out,
you put it back in the public domain, where----
Mr. Markey. Will you give a notification to each and every
person whose information has been compromised? The notice that
you will provide to them if they ask you for it, each and every
piece of information which will have been compromised, will you
give them that notice that you will do this search for them and
provide it to them?
Mr. Smith. To the extent that we can do that, because we
had to go back and recreate the search, and to the extent that
that doesn't compromise any law enforcement investigation that
is going on, then we would be willing to do that.
Mr. Markey. You will provide that information, and you--
will you notify them that they--that you will provide it for
them?
Mr. Smith. Given our ability to recreate the search, and
our ability to make sure we don't compromise law enforcement,
we will do that.
Mr. Markey. Do you believe that there should be a ban on
the sale of Social Security numbers?
Mr. Smith. Again, I--my position is basically the same as
the Chairperson of the FTC, in the sense that Social Security
numbers, for the most part, should be restricted. There are
certain uses----
Mr. Markey. No, no, I am talking about----
Mr. Smith. [continuing] of that information----
Mr. Markey. [continuing] the sale of Social Security
numbers. That is it. Just on the sale of Social Security
numbers. Would you support the ban on the sale of Social
Security numbers?
Mr. Smith. Again, I would have to better understand the
definition of sale, and how it is being done. But I don't
support----
Mr. Markey. Mr. Smith, you--this is your field. You are an
expert in this field. Let us--I am talking about, plain and
simple, the sale of Social Security numbers.
Mr. Smith. Well, there are certain circumstances where the
sale of those numbers are, in fact, in the consumer's best
interest, and so to the extent that that is correct, just the
direct sale of a Social Security number, without a consumer
benefit being derived associated with it, I am against that.
Mr. Markey. Give me one instance where you think the sale
of a Social Security number would be appropriate. The sale of
it.
Mr. Smith. Well, I mean, there are cases where you are
reviewing fraudulent circumstances associated with somebody's
account, and you want to make sure that you have got the
appropriate person, and you are matching them with the
appropriate fraudulent circumstances----
Mr. Markey. And who would you sell this number to? Who--to
whom could this number be sold, in your opinion?
Mr. Smith. Well, it could be potentially used by law
enforcement people. It could be used----
Mr. Markey. No, no, no. I am talking about the sale of the
number. To whom do you think my Social Security number, my
Social Security number could ever be sold, Mr. Smith? Who do
you think it would be appropriate for you to sell it to? Sell
it to.
Mr. Smith. Well, again----
Mr. Markey. Not law enforcement, not information given to a
police officer pursuant to a legally obtained warrant. Who else
besides a law enforcement official, in your opinion, Mr. Smith,
could you, or should you be allowed to sell my Social Security
number to?
Mr. Smith. Again, it is used when--and you have been in a
position to be defrauded by somebody. It could be an
authentication transaction, where I am trying to determine
whether or not you have, in fact, been a victim of identity----
Mr. Markey. I am talking about selling my number as a
product. Who do you think you should be allowed to sell it to,
Mr. Smith?
Mr. Smith. Well, again, if somebody is trying to determine
whether or not there is a fraudulent transaction against your
thing, they, in essence, get access to that Social Security
number as part of a broader-based service. So I don't know
whether you determine that a sale or not, but to the extent
that we derive income from the use of that information, I don't
know if that is what you determine a sale or not.
Mr. Markey. Mr. Sanford, would you oppose the sale, would
you oppose--would you support or oppose a ban on the sale of
Social Security numbers of ordinary Americans?
Mr. Sanford. I would not support a blanket ban on the sale
of Social Security numbers, as you are describing. I think
financial institutions need unique identifying Social Security
number information when they are investigating fraud, making
sure that they are doing business with the right individuals. I
think law enforcement needs access to Social Security numbers.
Businesses that are collecting legitimate debts, you need
unique Social Security number identifying information to do
their jobs.
Mr. Markey. Do you feel that I, or any American, has a
right to know that you have transferred my Social Security
number to a financial institution, which is now doing an
investigation of me? Do you have a responsibility to give me a
notification that you have transferred my number for that
purpose?
Mr. Sanford. Sir----
Mr. Markey. Do you think you should have a responsibility
to notify an individual that my information, or any American's
information, has been transferred to another party without my
explicit permission?
Mr. Sanford. No, I do not, sir. I think that the laws of
the United States clearly lay out the permissible purposes for
which sensitive information like Social Security numbers can be
used. This deliberative body has decided what those legitimate
and permissive uses are, and we responsibly use the information
that is charged to us, to provide for permissible uses to, in
fact, help consumers.
Mr. Markey. Well, the question is not whether or not the
laws that have already been passed are adequate. The question
is--are sufficient. The question is going forward, and learning
the lessons which we have learned, should we have tougher
protections on the use of Social Security numbers by companies
that collect them?
My opinion is, Mr. Chairman, that what we are hearing today
is basically an industry that is still in denial. It still
doesn't recognize how highly all Americans value their privacy,
and will hope to be able to ride out this scandal, without
having Congress have made the changes that are necessary, and
all I know is that Mr. Smith and his company are the largest
single contributors to a lobbying effort to block truly
effective privacy laws being passed in Congress. And that is
all I have to know, okay? Because we are not going to have a
discussion with him as he sits here, because his company is, in
fact, effectively the chief lobbyist to block any effective
privacy laws from being passed, and we are not going to get the
answers we need for the public at this hearing.
Mr. Stearns. The gentleman's time has expired. I would say
to all members we might go a second round, if people feel
strongly about it. We don't have a lot of members here. We have
the time allotted for it. The gentleman--Mr. Gonzalez.
Mr. Gonzalez. Thank you very much, Mr. Chairman. A question
for Mr. Smith. I wasn't real clear when you were answering Ms.
Baldwin's question, Mr. Smith. In your testimony, it says ``we
have decided to exit the consumer-sensitive data market not
covered by the Fair Credit Reporting Act.'' And you explained
some of that, about someone affirmatively asking for something
that benefits the consumer, and so on.
The incident in California, had you had that in place, that
person would not have qualified for that information?
Mr. Smith. The information on that particular report would
not have had the driver's license or, in fact, the Social
Security numbers on it under that situation. That is correct.
Mr. Gonzalez. So what you have in place, you would avoid
certain information having been transmitted to this fraudulent
business that was requesting your services.
Mr. Smith. That is correct.
Mr. Gonzalez. What is--where do you get all this
information? I am just curious. I know public record is public
record, and I think Mr. Sanford has alluded to it, and we all
know that. Once it is in the basic public domain, you collect
it, disseminate it, and so on. But what are your sources for
the Social Security numbers, Texas driver's license numbers,
that type, that is not generally made public?
Where do you get all that information? And I am not--Mr.
Sanford, Mr. Smith.
Mr. Smith. Well, I mean, the information comes from a
myriad of sources. It comes from basic Federal, State, and
local data repositories. It comes from--in terms of our Fair
Credit Reporting Act business, it comes from the insurance
industry itself. It comes, in some cases, from the consumers
themselves, and information that they have provided.
So there are a tremendous myriad of sources of the raw
data, that we either directly acquire or we get through
conduits for things such as the Fair Credit Reporting Act, and
get credit reports through the credit reporting agencies.
Mr. Gonzalez. Okay. And you have indicated in your
testimony that maybe there were some red flags, you should have
acted more quickly in responding to what happened in
California. Is that correct?
Mr. Smith. Now that we understand that situation, and how
it evolved, we should have recognized sooner the magnitude of
that particular crime, and escalated the processed to a greater
extent. That is correct.
Mr. Gonzalez. I am not familiar with specifics. Was this
just one individual company fraudulently operating that got
145,000 records or information on individuals?
Mr. Smith. In this particular case, it was--I mean, this is
an active law enforcement investigation, so I really can't talk
in great detail.
Mr. Gonzalez. Oh, you won't compromise anything, believe
me.
Mr. Smith. But the crime itself, but in essence, an
individual was able to get a legitimate, but unfortunately
fraudulent California business license, that was----
Mr. Gonzalez. One business license----
Mr. Smith. It was----
Mr. Gonzalez. [continuing] with regard to 145,000----
Mr. Smith. [continuing] with a business license, and then,
they were able to get subsequent account structures under
either that business license, or other fraudulent licenses
associate with that particular situation. It depends on the
type of small business in which you are, it would ring a flag
in terms of whether or not 145,000 or whatever the specific
number was in that case, would be abnormal or not.
Historically, there would have been sometimes, collection
agencies, for instance, would be using the information to help
find people who were due bad debts.
Mr. Gonzalez. So it was not unusual to have that kind of
number, in the way of requests, from any particular entity.
Mr. Smith. It depends on what the customer, the type of
business in which that customer was, and in particular, the
type of permissible purpose or access purpose in which they
were granted. You know, again, I would remind you that it was
through our audit processes, in this particular circumstance,
that we found that it appeared to be usage that was outside of
what would have been the normal patterns of this particular
circumstance, that ultimately led to the investigation in
California itself.
Mr. Gonzalez. Okay. Let me ask you something quickly. And I
am not real sure--I know it means a lot of work for you and
such. If someone is making an inquiry on Congressman Gene
Green, because someone--obviously, someone stole his briefcase.
It could be identity theft. Is there a problem notifying the
individual that an inquiry is being made by ABC Company, Wells
Fargo, or whatever, just basically Congressman Gene Green, you
are notified that our company has been requested to provide
certain information to Company ABC. Because then Gene would
know he has never gone into ABC Company. He has never made an
application for any type of--there is no type of transaction
relationship, transactional relationship.
Mr. Smith. Again, it would depend upon why that information
was being accessed. Many times, it is being accessed to
determine whether or not a fraudulent transaction or some other
situation, where not necessarily you would want to let the
consumer alerted to the fact that that information was being
accessed. So there are some cases where there certainly would
be nothing wrong with alerting to somebody that, in fact, their
information had been accessed. But in other situations, that
could, in essence, defeat the very purpose of why the
information was being used.
Mr. Gonzalez. And then, real quick, I think I am out of
time. I only need a minute, Mr. Chairman. And that is, if you
are a victim of identity theft, let us say Congressman Green
had been a victim of it, and he is trying to clear up all his
records.
Is it reflected in the information that you compile that
someone is a victim? In other words, so there is future
inquiries. Congressman Markey made a good point. You know, you
have got 1 year running on this thing. I guarantee you that
information has been sold, resold, it is all over the place. A
year does nothing, and it is ongoing.
Is there anything that alerts you guys that gather all this
information that this was a victim of identity theft, and
things that may be, again, relevant to that file, or account,
may be part of that fraudulent act?
Mr. Smith. There is no centralized system that allows for
that to take place. You can put a fraud alert on your credit
report that would indicate, in fact, that you have been a
victim of identity theft, which would change the nature of
which that report was being viewed.
Mr. Gonzalez. And that is not mandatory, that is just----
Mr. Smith. That is an option that the consumer, and some
consumers choose to take that option, and some consumers do
not.
Mr. Gonzalez. All right. Last question quickly. And what
would it cost to get a report? I know that from the credit
reporting agencies, that I am entitled to get a free report or
whatever it is, is it also free from ChoicePoint?
Mr. Smith. It is. It is governed, again, those particular
reports, on the Fair Credit Reporting Act, and you are entitled
to a free report on an annual basis.
Mr. Gonzalez. Thank you. Thank you, Mr. Chairman.
Mr. Stearns. The gentleman----
Mr. Strickland. Mr. Chairman--oh.
Mr. Stearns. Yes.
Mr. Strickland. I was just going to--expanding Mr.
Gonzalez's last question----
Mr. Stearns. Do you seek additional--unanimous consent?
Mr. Strickland. The unanimous consent. Is that report that
is at no cost similar to what we would get from a credit
reporting agency, or would it be the expanded report, or the
comprehensive report, that I know that was quoted in the MSNBC
article?
Mr. Smith. The public record report is not governed under
the Fair Credit Reporting Act, and so that would be a separate
report, in terms to be able to gain access to that report.
Mr. Strickland. Although you package that into a
comprehensive report for someone who subscribes to the service?
Mr. Smith. Well, no, that is just a technical name of a
public record report. That is not packaged together with those
other types of reports that are covered under the Fair Credit
Reporting Act. It is just--that is just a term used for a
specific type of public record report.
Mr. Strickland. Thank you, Mr. Chairman.
Mr. Stearns. I thank the gentleman.
Mr. Strickland. Just trying to get our definitions right.
Thank you. The full chairman of the committee.
Mr. Stearns. The full chairman is recognized.
Chairman Barton. Well, thank you. And of course,
Congressman Gonzalez just left, but we were in the enviable
position just then, that Ranking Member Schakowsky and
subcommittee Chairman Stearns were so lucky to be surrounded by
three Texans on the right and the left. Sometimes, it is just
fun to be alive in this committee, isn't it? There you go.
I want to first thank you two gentlemen for testifying
voluntarily. You know, we didn't have to subpoena you, and we
were able to work with your representatives to make sure that
you all could come, and felt comfortable coming. So I do want
to publicly on the record thank you for that.
I am going to ask one of the same questions that
Congressman Markey asked in his questions. I am really
wrestling with this issue of selling people's Social Security
numbers without their permission, and I asked this to the
Chairwoman of the Federal Trade Commission, and she has
indicated that she--if I heard her correctly, she didn't think
it should be traded or sold without the permission of the
individual, unless there was a law enforcement reason to do
that.
So I wanted to give you two folks, since you are two of the
biggest data collectors in the country, an opportunity to tell
why, if you do think it should be legal to continue to sell the
Social Security number, without the permission of the
individual, why that is so.
Mr. Sanford. Would you like me to go first?
Chairman Barton. Either one.
Mr. Sanford. All right. Chairman Barton, a Social Security
number is a particular unique identifying number, and there are
some Federal laws that govern the use of that, and which
provide for legally permissible uses. The intent of that law
was to facilitate commerce, to help law enforcement. And in
addition to law enforcement situations, having the ability to
actually associate broad records and information with a
particular individual, that Social Security number is that
unique identifying piece of information that allows financial
institutions, for example, to determine whether or not they are
having a fraudulent transaction in their business.
It clearly is critical for law enforcement. It is critical,
also, in the collection of debts, collection of debts for
companies. It is very, very important in terms of keeping costs
down for the rest of the consumer. We restrict the use of
Social Security numbers in our data bases for these specific
permissive uses. At LexisNexis, we truncate the Social Security
number, the last 4 digits, so that unless you have a specific
permissible use, under Federal law, you will not see that
Social Security number displayed in the answer for a query that
you do on the system.
We are also extending that kind of masking to sensitive
other information, like driver's license numbers, and our
restrictions are more restrictive than what is currently
required by law. I think that strikes the right balance, in
terms of making sure that we provide for lawful, legitimate
uses of this information, but at the same time, protecting the
privacy of the consumers.
Chairman Barton. Okay. Mr. Smith.
Mr. Smith. Well, first, you know, I would say that I do
support stronger legislation regarding the uses of Social
Security numbers, in particular, in the display of those Social
Security numbers, so that while they may need to be used to
validate and verify an individual, or help support a
transaction, the actual printing out of those numbers, or at
least certainly in their totality, I don't believe is a
necessary thing to do, and could be restricted in very dramatic
ways.
I think what you hear coming from at least me, and I think,
you know, my colleague shares this, is that there are more than
23,000 William Smiths in the United States, and as we try, and
society tries to determine how you can legitimately determine
one individual from another, or particularly, to ensure that
their data is correctly put with that individual and another,
people who are trying to find appropriate mechanisms to create
the uniqueness of that individual. One of the mechanisms that
has been used to do that has been the Social Security number.
Others, driver's licenses, so that--and what we are trying to
suggest is that there needs to be a recognition that the
ability to use some type of personal identifier, whatever
correct one it is. If you could get to a better, more specific
one, and not use Social Security numbers, that would be
terrific, so that you can make sure that you are dealing with
that unique individual.
As William Smith moves around statistically, will move
around the United States, 15 percent of them will move, you
want to make sure that you put the data with the correct one.
So I agree, the publishing and making available for anybody to
see a Social Security number is not an appropriate thing to do.
We just need to make sure that we can maintain the uniqueness
of individuals, and allow for those applications, such as fraud
or law enforcement, where it provides a very important tool.
Chairman Barton. Well, I don't want to belabor the point,
and we didn't do this for this hearing, but I thought about it,
to prove a point. I could have asked the staff to take your two
names, and without too much trouble, gotten your Social
Security number, and with that, gotten lots of information out
there that is collated on you two gentlemen. A lot of it, I
didn't need to know, you know, just almost for prurient
interest, to get a profile on you two gentlemen. Just to
prove--now, I didn't do that, because that would have been kind
of hitting below the belt, but it is--it would have been easily
done. And that is wrong.
You know, we had banks long before we had the Social
Security system, and bankers made loans, and bankers checked
up, and we had fraud long before the Internet, but the Internet
has made fraud a lot easier to commit, and you two folks are in
the business of collecting information, which is totally
legitimate, but sometimes, the information you collect, when
people apply to get that information, they apparently use this
loophole of trying to prevent fraud. They want to--and you sell
them the information totally legally, not illegal, but they
don't use it for that purpose, and you folks don't make any
real attempt to try to guarantee that it is used for the
purpose for which you allegedly, they purportedly ask that you
give it to them, and I think that is just wrong.
I mean, we have got to find a way to allow you folks to do
what you do, and protect the privacy of the average citizen,
and I am not sure what we are going to do, but I think there is
a very good chance we are going to put together a bill that
will make it illegal to sell the Social Security number without
the permission of the individual, unless there is a legitimate
law enforcement purpose, or there may be one or two other
exceptions. I don't know what they would be. I have just--I
have not heard anything that explains to me why we should allow
that to go on.
Mr. Chairman, I have exceeded my time. Thank you.
Mr. Stearns. I thank the full chairman. Let me just, we are
going to allow a second round here, if the chairman wishes. But
let me just follow up a little bit with what the chairman
mentioned. And with Mr. Markey. He was trying to ask you
specifically to give us a case example when you could sell the
Social Security number, and I would like each of you just to
take John Doe, for example. Under what circumstances would you
sell the Social Security number for John Doe? Just give me
specifically what that would be, each of you.
Mr. Sanford. Well, would you like a law enforcement
example?
Mr. Stearns. Well, let us--okay.
Mr. Sanford. Or a financial institution example?
Mr. Stearns. For selling, would you--do you actually sell
to the law enforcement, do the----
Mr. Sanford. What we----
Mr. Stearns. Does the FBI and the Justice Department pay
you for the Social Security numbers for John Doe?
Mr. Sanford. We enter into subscription agreements at
LexisNexis with----
Mr. Stearns. Okay.
Mr. Sanford. [continuing] law enforcement agencies,
financial institutions. They are subscribers----
Mr. Stearns. Financial institution means banks.
Mr. Sanford. Yes, sir.
Mr. Stearns. All the banks in America. If they----
Mr. Sanford. That would be our hope.
Mr. Stearns. Yeah, if they----
Mr. Sanford. Not yet.
Mr. Stearns. [continuing] subscribe. Okay. Financial
institutions, law enforcement, who else?
Mr. Sanford. You would have credit departments of
legitimate businesses who are trying to collect legitimate----
Mr. Stearns. Right.
Mr. Sanford. [continuing] debts of----
Mr. Stearns. Okay.
Mr. Sanford. [continuing] that organization. And then, on a
case by case basis, you could have a particular, you could have
a particular organization----
Mr. Stearns. Could this----
Mr. Sanford. [continuing] a government body who is
investigating----
Mr. Stearns. Yeah.
Mr. Sanford. [continuing] criminal or fraudulent activity.
Mr. Stearns. Well, let us say Chairman Barton wanted to get
the Social Security number for John Doe. Could he pay you?
Mr. Sanford. He would have to have a--one of the permissive
uses, and not just because he wanted to look it up. He would
not gain access.
Mr. Stearns. But if he had the permissive--permitted uses,
he could buy it from you.
Mr. Sanford. He would, as part of a subscription
agreement----
Mr. Stearns. Okay.
Mr. Sanford. [continuing] do a query on the service, and he
would get an answer.
Mr. Stearns. Okay.
Mr. Sanford. And if he was----
Mr. Stearns. So let us say he goes out and opens up a
business. He gets a business license, and he calls himself
whatever is necessary to get this permitted use, then you would
give it to him.
Mr. Sanford. Well, I would like to tell you that our
verification procedures are not going to allow someone like
that to gain access, first of all, even to a--that kind of
information. We have a very, very rigorous verification
authentication process. And then, just because we credentialed
you, and we are willing even to do business with you, then we
go through a special access credentialing to make sure that you
have legitimate purposes.
Just because you are a bank doesn't mean we are
automatically going to----
Mr. Stearns. But in the case of ChoicePoint, they did all
this, and it still didn't work, and this person got the Social
Security numbers, right? That is what happened.
Mr. Sanford. Well, we are never going to--I can't guarantee
you that----
Mr. Stearns. So----
Mr. Sanford. Sir, I can't guarantee you that----
Mr. Stearns. So you are credentialing Chairman Barton to
get John Doe's Social Security number is the key. If that
credentialing is not done rigorously, robust, then for all
intents and purposes, that Social Security number is being sold
and being used--the key is that credentialing, don't you think?
Mr. Sanford. I think it is one of the keys. I think there
is actually a lot more to it than that.
Mr. Stearns. Okay.
Mr. Sanford. I think credentialing is the first step. I
think strong security protocols is the second step. Making sure
that companies that would appear to be legitimate businesses
still have a need, have a permissive use to use that, and then,
ongoing monitoring and security to make sure that the usage by
those customers is not abnormal. Detection software that people
like us use to monitor to see whether or not we have abnormal
usage.
Mr. Stearns. Now, I am not suggesting this, but is there a
possibility that we need an outside third party to credential
your credential? In other words, the credential is between you
and Chairman Barton in this case. Is it possible that we need
some kind of corroboration, authentication of what, how you
credential these people, some standards, or the fair--I mean, I
don't know. I mean, just your--I mean, I am just asking
whether----
Mr. Sanford. Yeah. I mean, we contract ourselves with third
parties to conduct security audits----
Mr. Stearns. Okay.
Mr. Sanford. [continuing] to advise us. We talk to law
enforcement. We ask them what else should we be doing, not just
in this current----
Mr. Stearns. Okay.
Mr. Sanford. [continuing] situation, where we have----
Mr. Stearns. Okay.
Mr. Sanford. [continuing] an investigation----
Mr. Stearns. All right.
Mr. Sanford. [continuing] ongoing.
Mr. Stearns. Mr. Smith, you have written a book called Risk
Revolution, and you have talked about how information
technology can be used to reduce risk and increase peace of
mind, and you also talk about personal privacy and how we need
to--need not trade civil liberties for civil defense, if we act
now, in this book called risk. But one of your quotes in the
book is, it says: ``Each of us have a right to privacy.
However, none of us have a right to absolute anonymity.'' And
could you explain that, what you mean by----
Mr. Smith. Yes.
Mr. Stearns. [continuing] that expression?
Mr. Smith. I will be glad to. What I am saying is is that
as people seek rights and privileges in society, for instance,
you are trying to drive a hazardous waste truck through the
Holland Tunnel in New York, where you could potentially put
millions of people at risk, then your ability to be anonymous,
or not having to disclose who you are, when you are trying to
get that particular right or privilege, is something that I
think in today's risky world, would be extraordinarily
problematic, and would create more problems than it would
solve.
Mr. Stearns. So any American who wants to be anonymous
cannot be so, in your--he will not have this absolute----
Mr. Smith. No.
Mr. Stearns. [continuing] anonymity, because he cannot have
it, in your expression?
Mr. Smith. No. Not at all. If you are sitting at a sidewalk
cafe, and you are not seeking any right or privilege from
society, or you are not at any risk to anyone else, then I
absolutely don't believe that people should have the right to
know who you are. This is more as you interact throughout
society, because there are risks that are being created every
day, and to give you an example, 3 percent of all volunteer
workers today have undisclosed serious criminal violations, and
just recently, we had a situation where, in Texas, in fact,
where somebody was applying to be a volunteer at a youth,
female youth organization, who had just been released for his
eighth conviction of child molestation 2 weeks prior to him
trying to volunteer. That is a circumstance and situation where
we can't allow someone to be anonymous and put our children at
risk. That is the kind of situation in which I was referring to
in the book.
Mr. Stearns. All right. Thank you. And the gentlelady.
Ms. Schakowsky. Thank you, Mr. Chairman. Our subcommittee
asked both of you to submit sample reports, that can be
redacted reports, for the record. And I wanted to be sure that
you are going to provide us with that information.
Mr. Smith. I didn't know we were asked to. Go ahead.
Mr. Sanford. I apologize. I understand we have not yet
submitted that. Chairman Stearns and I talked about my
attendance on Thursday, last week, so I am sure we will get you
that in a matter of days.
Ms. Schakowsky. And Mr. Smith.
Mr. Smith. We would be pleased to do that.
Ms. Schakowsky. You act as if you don't know that you were
asked for it.
Mr. Smith. I checked--I was not aware personally that we
were asked for that.
Ms. Schakowsky. Okay. Well----
Mr. Smith. But we would be pleased to do so.
Ms. Schakowsky. Okay. Thank you. I have a number of
questions I wanted to ask. Mr. Smith, how much does it cost you
to provide that information for--to provide that monitoring for
a year? How much is your company going to expend per year to
try and protect those whose privacy was breached?
Mr. Smith. That is a two--it approaches $2 million.
Ms. Schakowsky. Okay. And Mr. Smith, how much did your
company spend last year--well, let me just read you the quote
from the Wall Street Journal. ``These data sellers,'' and I am
assuming that would include LexisNexis, I am not sure, ``have
developed a deft combination of lobbying and industry-
affiliated think tanks to head off increased oversight.
ChoicePoint, and six of the country's other largest sellers of
private consumer data, spent at least $2.4 million last year to
lobby Members of Congress in a variety of Federal agencies,
according to disclosure forms filed with the U.S. House and
Senate. ChoicePoint was the biggest spender, with $970,000
either paid to outside lobbyists, or spent directly by the
company.'' And let me just make an editorial comment here. You
know, at the same time as you are saying that now, after the
fact, you want to help these consumers, your company, at least,
and I don't know about Mr. Sanford's, are engaged in lobbying
efforts to defeat increased oversight, to the tune, it appears,
of about $1 million last year.
Mr. Smith. Well, it is my understanding that the majority
of the dollars you just spent there were not spent in lobbying
for no regulation in our industry. A lot of that was done for
business development here in Washington. We serve a lot of
clients in this particular area. I mean, I would be glad to get
you a more accurate data as to what was done lobbying-wise. I
would----
Ms. Schakowsky. Well, I--let me ask you this. If both of
you could provide us with information on positions that you
have taken on legislation that has dealt--or regulations that
have dealt with privacy, I would appreciate seeing that
information.
Let me ask one final question that deals with victims of
domestic violence. I wondered if either of your companies make
any special efforts--I actually don't know if you are required
by law, if you voluntarily do anything to protect the
information of domestic violence victims?
Mr. Smith. I will have to get back with you to answer this.
I don't believe so, but I don't know the answer to your
question.
Ms. Schakowsky. You realize what I am getting at, that the
fact that this information, even as basic information as
address, could put the lives of people who have been victims of
domestic violence at risk.
Mr. Smith. Well, we take domestic violence very seriously.
We sponsored the National Rape Evidence Project, in which we
raised, as a company, over $200,000 to help get rape kits
tested----
Ms. Schakowsky. Well, sorry, but----
Mr. Smith. [continuing] the police, yeah, so this is an
issue that we believe very strongly in, and so we support you
in any way, in order to make sure that in no circumstance,
somebody could be subject to violence as a result of this
information.
Ms. Schakowsky. So you--I would hope that, then, you would
check what policies you have to prevent, and Mr. Sanford.
Mr. Sanford. Yes, we have a policy that under limited
situations, individual consumers can opt out of our data bases,
and that is actually one of the examples where people do opt
out, because making their identity known to others, then, would
put them at future risk.
Ms. Schakowsky. How would one opt out?
Mr. Sanford. I have on our LexisNexis website, we have a
privacy page that lays out the procedures, who they call, and
they usually submit documentation. It lays out, you know, what
is the reason.
Ms. Schakowsky. How would someone know to do that? How
would someone that is a victim of domestic violence know how to
avail themselves of that option?
Mr. Sanford. I think unless a consumer agency or a
counselor made them aware of it, they probably wouldn't know.
Ms. Schakowsky. Thank you.
Mr. Stearns. I thank both of you for your time and
forbearance here. We are completed with the second panel, and
we invite the third panel to come forward.
Mr. Joseph Ansanelli, Chairman and Chief Executive Officer
of Vontu, Incorporated, and Mr. Marc Rotenberg, Executive
Director, Electronic Privacy Information Center. We welcome
both of you, and thank you for your patience for waiting
through the second panel.
And Mr. Ansanelli, we will start with you, with your
opening statement.
STATEMENTS OF JOSEPH ANSANELLI, CHIEF EXECUTIVE OFFICER,
VONTU, INC.; AND MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Ansanelli. Chairman Stearns, Ranking Member Schakowsky,
and members of the committee, good afternoon, and thank you for
inviting me to testify, and thank you for your ongoing efforts
and focus on this issue of the protection of consumer data. I
am Joseph Ansanelli, CEO of Vontu. We provide information
security solutions to help Fortune 500 companies, such as Best
Buy, Prudential, Charles Schwab, and others prevent the loss of
consumer data over the Internet.
Given my work with these companies, I hope to provide a
unique viewpoint for policy considerations, and add to the
discussion of a need for a national consumer data security
standard. In order to reduce identity theft, it seems that
there are at least three important areas for policy.
The first is the criminals who actually steal the
identities. Second is the consumers who need education on the
importance of protecting their identities, as well as help if
they become victims. And the third area is the organizations
that actually store consumer data. It is third area, companies,
businesses, government agencies that store consumer data, in
which I have particular expertise, and is the focus of my
testimony.
An important point to understand is that these
organizations are not the criminals perpetrating identity
theft. In fact, all the companies with which I work invest
significant resources, and are fully committed, to protecting
consumer information. However, today, the question that many
people are asking is are these organizations doing enough to
ensure the security of consumer data?
To answer that question, I suggest we must first ask the
question, is it clear to these organizations what is required
and expected of them to ensure the security of consumer data?
Unfortunately, despite existing legislation, there is some
confusion around what is required, and confusion is the enemy
of consumer protection. To date, Congress has taken important
steps to address consumer data protection, through industry and
organization-specific regulations. For example, Congress has
passed Section 501(b) of Gramm-Leach-Bliley for financial
services, Part 164, subpart C of HIPAA for healthcare
providers, the Driver's Privacy Protection Act, the Fair Credit
Reporting and FACT Act, and many others. Additionally, many
States are creating de facto national standards and
requirements, such as California S.B.1386, which requires
notification in the case of a breach. These different
legislative acts have--all have aspects of consumer data
protection, yet each has tackled the problem differently, based
on either industry or State-specific requirements. And that is
where the confusion begins.
I think one important question for this committee to
consider is what is the difference in how a bank versus how a
retailer, versus how a utility provider should treat the
security of a Social Security number or any other consumer
information, and should the focus of policy be on the industry,
or instead, on the data itself? I think everyone would agree
that the data is what needs to be protected across all
industries. We support the suggestion of the Chairwoman of the
FTC earlier today that one possible solution to raise the level
of consumer data protection is to extend existing regulations,
such as GLBA, and the Safeguard Rules, to any organization
which stores data. This would enable and create a preemptive
and unified national consumer data security standard. We
suggest the standard would require organizations that store
nonpublic consumer information to one, ensure the security of
that information. This would create an affirmative obligation
of companies that store it to protect it.
Second, we think that organizations should protect against
reasonably anticipated threats to the security of such data. As
new threats emerge, this would allow the requirements to evolve
without requiring new legislation. Third, it is important that
companies protect against unauthorized access to or use of such
information that could result in substantial harm to a
consumer. This would help prevent against fraudulent efforts to
gain access to the data by outsiders or insiders, as is the
case in many recent breaches. Fourth, we think that companies
have an obligation, and should have an obligation, to ensure
compliance with their security policies by both their employees
and workforce, as well as third parties that they give access
to that information.
This would help address the issue of the insider threat,
which was the situation in the recent Teledata case, as well as
concerns regarding offshoring and outsourcing. These first four
are very similar to what is currently required under GLBA and
HIPAA.
The last requirement we suggest and we support is the idea
of notification. Companies should disclose any loss of
information, when it is reasonably believed that such loss
could result in substantial harm to the consumer. This would
clearly help consumers proactively protect themselves by
monitoring their credit reports, setting up fraud alerts, and
other efforts to watch for potential issues.
In addition, while these requirements serve as the
proverbial stick, I suggest the committee also consider any new
legislation also potentially provide a carrot as an incentive
to go beyond any base requirements. It is important to remember
that security is a journey, and like any other crime, it is
unlikely we will completely eliminate the theft of identities.
Therefore, a carrot might provide some level of protection
against the risk of excessive punitive damages for those
organizations with qualifying security programs. This is not
protection against economic or reasonable pain and suffering
damages, but against excessive punitive actions when companies
are already meeting or exceeding these requirements.
In summary, to reduce identity theft, policy should focus
on the three areas of criminals, the consumers, and the
organizations that store consumer data. I suggest this
committee consider the idea of a preemptive national consumer
data security standard that also protects organizations from
potential excessive punitive damages, when they are making the
best efforts to protect the data.
Thank you, and I look forward to any questions.
[The prepared statement of Joseph Ansanelli follows:]
Prepared Statement of Joseph Ansanelli, Chairman and CEO, Vontu, Inc.
Chairman Stearns, Ranking Member Schakowsky and all the Committee
members, thank you for your ongoing focus on the protection of consumer
data.
I am Joseph Ansanelli, CEO of Vontu, an information security
solutions company that helps Fortune 500 organizations such as Best
Buy, Prudential, Charles Schwab and others, prevent the loss of
consumer data over the Internet. Given my experience with helping some
of the largest companies in America protect their consumer data, I hope
to provide a unique viewpoint on the question of policy considerations
as a result of recent cases of consumer data loss and if there is a
need for a national consumer data security standard.
PROBLEM: IDENTITY THEFT AFFECTS MILLIONS EVERY YEAR
The FTC <SUP>1</SUP> estimated that in one year alone approximately
10 million people--or almost 5% of the US adult population--were
victims of Identity Theft. These victims reported $5 billion in out-of-
pocket expenses and countless hours of lost time repairing their credit
histories. In the previous five years, almost 30 million people were
victims of identity theft.
---------------------------------------------------------------------------
\1\ Federal Trade Commission--Identity Theft Survey Report,
September, 2003
---------------------------------------------------------------------------
This is not only a problem for consumers, but for business as well.
As part of the same FTC report, the losses to businesses totaled nearly
$50 billion.
Additionally, there is a risk to companies that is not mitigated
through insurance or other strategies--loss of consumer trust. Vontu
commissioned a survey <SUP>2</SUP> of 1000 consumers in the United
States to better understand the effect that security of customer data
has on consumer trust and commerce. Some of the findings include:
---------------------------------------------------------------------------
\2\ Vontu Consumer Trust Survey, See Appendix 1
<bullet> Security drives purchasing decisions--More than 75 percent of
consumers said security and privacy were important in their
decisions from whom they purchase.
<bullet> Consumers will speak with their wallets--Fifty percent said that they
would move their business to another company if they did not
have confidence in a company's ability to protect their
personal data.
<bullet> Insider theft increases concerns about a company's data security
efforts--More than 50 percent of the consumers surveyed said an
insider breach would cause them to be more concerned about how
a company secures their information
Clearly, financial costs and loss of consumer trust as a result of
identity theft are a significant problem today.
identity theft policy implications
In order to reduce Identity Theft, there are at least three areas
of focus for policy:
1. Criminals who steal identities. This is important not only for
reducing Identity Theft, but other crimes and threats to
national security. Professor Judith Collins of Michigan Statue
University's ID Theft Crime Lab states that virtually all
identity thieves are involved in other felonies or terrorist
acts. The Identity Theft Penalty Enhancement Act, which became
law in July 2004, was a positive step in the right direction to
increase the penalties and provide additional tools for law
enforcement and the courts to punish those found guilty of
identity theft.
2. Consumers who need continued education on the importance of
protecting their identities and as well as help if they are
victims. The efforts of the FTC with the ID Theft hotline,
privacy website and on-going educational efforts are important
and more can be done to raise awareness of those efforts.
Additionally, the FACT Act provided much needed tools for
consumers including free annual credit reports, the ability to
place fraud alerts in their credit report, and ability to more
easily correct inaccuracies in their credit report resulting
from identity theft.
3. Organizations that store consumer data.
RESPONSIBILITY OF ORGANIZATIONS
The third area, companies, government agencies and organizations
that store consumer data, is the one in which I have the most
experience and is the focus of my testimony. An important point to
understand, before we can truly begin to address the problem, is that
these organizations are not the criminals perpetrating Identity Theft.
In fact, all of the companies that I have worked with invest
significant resources and are thoroughly committed in their efforts to
protect consumer data.
However, we all recognize that organizations with consumer data are
a crucial ``link in the chain'' to prevent identity theft and the
question that many people are asking is:
``Are these organizations doing enough to ensure the security
of consumer data?''
To answer that question, I suggest one must first ask:
``Is it clear to organizations what is expected of them to
best protect consumer information?''
Unfortunately, despite existing legislation, there is confusion
around what is required of organizations and confusion is the enemy of
consumer protection.
CONFUSION IS THE ENEMY OF CONSUMER PROTECTION
To date, Congress has taken important steps to address consumer
information protection through industry and organization specific
regulations. For example, Section 501 (b) of Gramm Leach Bliley for
financial services, PART 164--Subpart C of HIPAA for healthcare
providers, the Driver's Privacy Protection Act for state DMVs, the Fair
Credit Reporting and FACT Act, and others. Additionally, many states
are creating de facto national requirements such as California SB 1386
which requires notification in the case of a breach.
These different legislative acts have aspects of consumer data
protection yet each has tackled the problem differently based on
industry or state specific requirements. And that is where the
beginning of the confusion lies.
One important question for this committee to consider is:
``What is the difference in how a bank versus a retailer
versus a utility provider should treat the security of a social
security number, and should the focus of policy be on the
industry of the data itself?''
NATIONAL CONSUMER DATA SECURITY STANDARD
I am sure everyone would agree, it is the data that matters and
needs to be protected across all industries. One possible solution to
raise the level of consumer data protection is to extend existing
industry specific consumer data protection requirements to cover any
organization which stores private consumer data and create a preemptive
and unified, National Consumer Data Security Standard.
One alternative would be very similar to GLBA and HIPAA
<SUP>3</SUP> in addition to a requirement for notification. The
difference is that it would apply to any organization that stores
consumer information regardless of industry or location.
---------------------------------------------------------------------------
\3\ See attached Appendix 2 and 3
---------------------------------------------------------------------------
This standard would require any organization that stores non-public
consumer data to:
1. Ensure the security and confidentiality of consumer information.
This would create an affirmative obligation of the companies to
protect the data.
2. Protect against any reasonably anticipated threats to the security
of such information. This would allow the requirements to
evolve as new threats emerge without new legislation.
3. Protect against unauthorized access to or use of such information
that could result in substantial harm to a consumer. This would
help prevent against fraudulent efforts to gain access to the
data by outsiders or insiders as is the cause in many recent
breaches.
4. Ensure compliance with their security policies by an organization's
workforce and third parties who are given access to the
information. This would address the issue of the insider
threat, which was the situation in the recent Teledata case, as
well as concerns regarding off shoring and outsourcing;
5. Disclose any loss of the information when it is reasonably believed
that such loss could result in substantial harm to a consumer.
This would help consumers to proactively protect themselves by
monitoring their credit reports, setting up fraud alerts and
other efforts to watch for potential issues.
Rule making for this legislation would exist in relevant agencies
and I believe that the FTC has already done much of the work under the
GLBA Safeguards Rule 16 CFR Part 314 and could apply this rule beyond
entities covered under GLBA.
In addition, while these requirements serve as the proverbial
``stick'', I suggest the Committee consider any new legislation also
provide a ``carrot'' as an inventive to go beyond any base
requirements. This ``carrot'' might provide some level of protection
against excessive punitive damages for those organizations with
qualifying security programs. This is important to help remove existing
and valid concerns that organizations have about increased litigation
risk as they proactively uncover new threats with respect to consumer
data security. This is not protection against economic or reasonable
pain and suffering damages, but against excessive punitive actions when
companies are clearly meeting and exceeding these requirements.
SUMMARY
In summary, to reduce identity theft policy must focus on the
criminals, consumers and organizations that store the data.
I suggest this Committee consider the idea of a preemptive,
national consumer data security standard that also protects
organizations from potential excessive punitive damages when they are
making best efforts to protect consumer information. The standard would
clearly state what is required of an organization and encourage them to
use their best efforts to improve the protection of consumer
information and help to reduce Identity Theft.
Appendix 1: Relevant GLBA Section
Gramm Leach Blilely
TITLE V--PRIVACY
Subtitle A--Disclosure of Nonpublic Personal Information
Sec. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.
(b) FINANCIAL INSTITUTIONS SAFEGUARDS.--In furtherance of the
policy in subsection (a), each agency or authority described in section
505(a) shall establish appropriate standards for the financial
institutions subject to their jurisdiction relating to administrative,
technical, and physical safeguards--
(1) to insure the security and confidentiality of customer records and
information;
(2) to protect against any anticipated threats or hazards to the
security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or
information which could result in substantial harm or
inconvenience to any customer.
Appendix 2: Relevant HIPAA Section
HIPAA Security Requirements
PART 164--SECURITY AND PRIVACY
Subpart C Security Standards for the Protection of Electronic Protected
Health Information
Section 164.306--General requirements
Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all
electronic protected health information the covered entity
creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to
the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of
such information that are not permitted or required under
subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
Attachment 1: 2003 Consumer Information Trust Survey
Attachment 2: Harris Interactive Database Security Highlights
Attachment 3: Ponemon Research on Data Security Breaches
Attachment 4: Vontu 2004 Data Security Trends Report
2003 customer information trust survey
Those organizations that sit on the highest perch when it comes to
customer trust have the farthest to fall if they lose that trust
according to the 2003 Customer Information Trust Survey commissioned by
security technology innovator Vontu, Inc.
Consumers have the greatest amount of trust that companies within
the health care industry have measures in place to protect personal
information from identity thieves. Web retailers and retailers scored
near the bottom in consumer trust in a ranking of 14 major industries.
However, even the companies that scored well with consumers can face
serious financial consequences if security breaches within their
organization lead to a loss of consumer trust. Some of the major
findings of the survey are:
<bullet> Security is important in the purchasing decision. More than 75
percent of the consumers said security and privacy was
important in their decisions from whom they purchase.
<bullet> Not all security breaches are equal in the eye of the customer. More
than 54 percent said security breaches by insiders or
employees, now one of the fastest growing contributors to
identity theft, would have the greatest impact on their trust
in an organization.
<bullet> Consumers choose with their wallets. Fifty percent said that they
would move their business to another company if they did not
have confidence in a company's ability to protect their
personal data.
VONTU INFORMATION TRUST RANKINGS*
Hospital or Clinic 82%
Pharmacy 79%
Bank 78%
Charity/Religious Org. 78%
Airlines 60%
Car Rental Company 53%
Utility 48%
Credit Card Company 47%
Cable Company 42%
Restaurants 42%
Hotels 41%
Web Retailers 41%
Retail Stores 38%
Grocery Store 25%
* The Vontu Information Trust Rankings rate 14 major industries
based on the level of trust consumers surveyed said they had that these
organizations would protect personal information from identity theft.
Two examples of the questions from the survey are:
How important is privacy and security to your purchasing decision?
<bullet> Very important 19%
<bullet> Important 57%
<bullet> Not important 9%
<bullet> Unsure/No Comment 14%
If an insider (such as an employee of the company) stole your data
rather than an outsider (such as a computer hacker), would it change
your answers to previous question about trust?
<bullet> Yes--More concerned about insider 54%
<bullet> Yes--Less concerned about insider 12%
<bullet> No--No difference 17%
<bullet> Unsure/No comment 18%
<SUP><dbl-dagger></SUP>2003 Vontu Inc.
Mr. Stearns. I thank the gentleman. Mr. Rotenberg, welcome.
STATEMENT OF MARC ROTENBERG
Mr. Rotenberg. Mr. Chairman, Congresswoman Schakowsky,
members of the committee. Thank you so much for the opportunity
to appear today. My name is Marc Rotenberg. I am Executive
Director of the Electronic Privacy Information Center. We are a
nonpartisan research organization here in Washington, and we
have been before the committee before, and we thank you, Mr.
Chairman, for holding this very important hearing today.
With all the news reporting of the ChoicePoint matter over
the last several weeks, I think it is very important to keep in
mind what actually happened here. This was not a computer hack.
This was not a theft. ChoicePoint sold this information on
American consumers to a criminal ring engaged in identity
theft.
ChoicePoint is in the business of selling personal
information about American consumers, and while many other
companies in the last few weeks have reported significant
security breaches, I think it is critical for the committee not
to lose sight of what is at issue here.
Our organization, EPIC, wrote to the Federal Trade
Commission in December, before any of this became public, and
we urged the FTC to open an investigation into ChoicePoint's
practices. We were concerned about whether current Federal
privacy law, and particularly, the Fair Credit Reporting Act,
adequately protected the privacy of American consumers. We were
also concerned because it became increasingly aware to us that
ChoicePoint had developed a number of products and services
that seemed to us very similar to the type of information
products that would otherwise be covered by the Fair Credit
Reporting Act, but ChoicePoint had, in fact, artfully found
ways to avoid Federal oversight. And so it seemed obvious to us
that the Federal Trade Commission would open an investigation,
and try to determine what, in fact, was happening with the
personal information of American consumers.
I have to say, Mr. Chairman, I was very disappointed this
morning, when I heard the Chairwoman of the FTC say that, in
fact, they did not open the investigation until the after the
incident was publicly reported. I don't think it can be the
case that the Federal Trade Commission waits until they read
about a matter in the morning newspaper before they pursue what
we believe was a very well-founded complaint that we had
pursued at the Federal Trade Commission.
Now, there are a number of others points that I make in my
testimony about the lessons that I believe we can draw from the
ChoicePoint matter. One of the critical concerns that I know
you have, sir, over the years, as we have talked about privacy
legislation, is the need to show that there is actual harm to
consumers. And I think here, with ChoicePoint, it should be
clear that the absence of effective privacy protection leads to
significant harms. In fact, the harm here, the harm of identity
theft, is the No. 1 crime that American consumers face, and the
crime is increasing, as the FTC's own reports show. Over the
last 5 years, the level of identity theft in this country is
becoming the No. 1 problem that American consumers have.
I think the question as to whether privacy protection is
necessary to prevent consumer harm has simply been answered by
the ChoicePoint matter. I think it is also important to
understand that with ChoicePoint, unlike a lot of other
American businesses, consumers do not have a direct
relationship. They can't exercise market control, as they might
with a bank or an insurer, or somebody else who might have a
bad privacy policy. People say about the Internet, for example,
if you don't like a website's privacy policy, you can go
somewhere else. But with ChoicePoint, consumers have no such
control to go somewhere else, because they have no direct
relationship with that company that simply collects and sells
personal information about them.
We know already that there are problems with the adequacy
of privacy protection, and we think particularly in this
industry, information brokers such as ChoicePoint have made
clear the need for more effective privacy regulation.
I think it is also important to understand from the
ChoicePoint episode just how important State legislation is.
Now, this has been another consideration before this committee,
and we fully understand why it may be the case that companies
would prefer to have a single, uniform standard, rather than 50
different State laws, and of course, we have had this
discussion in the past. But please don't lose sight of what
happened here.
Because the State of California took the initiative, and
said we are going to try a new, innovative approach, it wasn't
a comprehensive law, by the way, it was merely notification.
They simply told people after the fact, after the breach had
occurred, that they might be at heightened risk of identity
theft, and because of that, American consumers, and consumers,
you know, all across the country, outside of California, who
were also notified, will be able to respond more effectively to
this threat.
And I think we have to keep this in mind, even a national
notification standard should not prevent States from coming up
with more innovative solutions. States may find certain ways of
notification, maybe by electronic means, that turn out to be
more effective than what can be done here in Washington. So
there is a strong case, following from the ChoicePoint matter,
I believe, to avoid Federal preemption.
Now, I would like to say just a couple of words about the
proposals that have been discussed this morning, and again,
express a bit of concern that apparently, there has been some
significant discussion between the Chair of the Federal Trade
Commission, and the witnesses that have appeared before you,
about what might be done. But there has been no discussion with
the consumer organizations about what might be effective
privacy legislation to respond in this situation.
The Chairwoman proposes, for example, the extension of the
Gramm-Leach-Bliley security standards rule. Now, that is not a
bad proposal, and we certainly wouldn't oppose it, but we think
it is an inadequate proposal, because it simply deals with a
security matter, and as I have made clear at the outset, we
were talking about the routine sale of personal information on
American consumers by an information broker. So an effective
solution certainly must do something more than simply extend
the security standard rule.
In similar fashion, we think the California notification
law provides a good basis to notify consumers after the fact
when a breach has occurred, and without preemption, we think
that would be a sensible thing for the committee to support,
but what we really believe needs to be done at this point is
legislation that brings this industry within some type of
Federal control, accountability, oversight, that will safeguard
American consumers.
We think the legislation that Mr. Markey has introduced is
a very sensible starting point, and we have made some
proposals, in fact, about how that can be strengthened. We
think it is important that the Federal Trade Commission take a
proactive stand on these issues. It is not sufficient to create
a circumstance where there may be privacy violations, and the
FTC can effectively sit on that fact, and not provide the type
of assurance that would be necessary to safeguard American
consumers.
So in conclusion, Mr. Chairman, I thank you again for
holding this hearing. It is extremely important, for the
150,000 American consumers who are today at a heightened risk
of identity theft, that the Congress act swiftly and
effectively to make sure that we have no future incidents like
the one that has occurred recently.
[The prepared statement of Marc Rotenberg follows:]
Prepared Statement of Marc Rotenberg, President, EPIC
Mr. Chairman, and members of the Committee, thank you for the
opportunity to appear before you today. My name is Marc Rotenberg and I
am Executive Director and President of the Electronic Privacy
Information Center in Washington, DC. EPIC is a non-partisan public
interest research organization established in 1994 to focus public
attention on emerging civil liberties issues. We are very pleased that
you have convened this hearing today on protecting consumer's data and
the policy issues raised by Choicepoint.
In my statement today, I will summarize the significance of the
Choicepoint matter, discuss EPIC's efforts to bring public attention to
the problem before the incident was known, suggest several lessons that
can be drawn from this matter, and then make several specific
recommendations.<SUP>1</SUP>
---------------------------------------------------------------------------
\1\ Many other organizations have also played a critical role in
drawing attention to the growing problem of identity theft. These
include Consumers Union, the Identity Theft Resource Center, Privacy
International, the Privacy Rights Clearinghouse, the Privacy Times, the
US Public Interest Research Group, and the World Privacy Forum.
---------------------------------------------------------------------------
The main point of my testimony today is to make clear the
extraordinary urgency of addressing the unregulated sale of personal
information in the United States and how the data broker industry is
contributing to the growing risk of identity theft in the United
States. Whatever your views may be on the best general approach to
privacy protection, Choicepoint has made clear the need to regulate the
information broker industry.
THE SIGNIFICANCE OF THE CHOICEPOINT MATTER
With all the news reporting of the last several weeks, it has often
been difficult to tell exactly how a criminal ring engaged in identity
theft obtained the records of at least 145,000 Americans. According to
some reports, there was a computer ``break-in. ``Others described it as
``theft.'' <SUP>2</SUP> In fact, Choicepoint simply sold the
information. <SUP>3</SUP> This is Choicepoint's business and it is the
business of other companies that are based primarily on the collection
and sale of detailed information on American consumers. In this most
recent case, the consequences of the sale were severe.
---------------------------------------------------------------------------
\2\ Associated Press, ``ChoicePoint hacking attack may have
affected 400,000,'' Feb. 17, 2005, available at http://www.ledger-
enquirer.com/mld/ledgerenquirer/news/local/10920220.htm.
\3\ Robert O'Harrow Jr., ``ID Theft Scam Hits D.C. Area
Residents,'' Washington Post, Feb. 21, 2005, at A01.
---------------------------------------------------------------------------
According to California police, at least 750 people have already
suffered financial harm. <SUP>4</SUP> Investigators believe data on
least 400,000 individuals may have been compromised.<SUP>5</SUP>
Significantly, this was not an isolated incident. Although Choicepoint
CEO Derek Smith said that the recent sale was the first of its kind,
subsequent reports revealed that Choicepoint also sold similar
information on 7,000 people to identity thieves in 2002 with losses
over $1 million.<SUP>6</SUP> And no doubt, there may have been many
disclosures before the California notification law went into effect as
well as more recent disclosures of which that we are not yet aware.
---------------------------------------------------------------------------
\4\ Bob Sullivan, ``Data theft affects 145,000 nationwide,'' MSNBC,
Feb. 18, 2005, available at http://www.msnbc.msn.com/id/6979897/.
\5\ Associated Press, ``ChoicePoint hacking attack may have
affected 400,000,'' Feb. 17, 2005, available at http://www.ledger-
enquirer.com/mld/ledgerenquirer/news/local/10920220.htm.
\6\ David Colker and Joseph Menn, ``ChoicePoint CEO Had Denied Any
Previous Breach of Database,'' Los Angeles Times, March 3, 2005, at
A01.
---------------------------------------------------------------------------
The consumer harm that results from the wrongful disclosure of
personal information is very clear. According to the Federal Trade
Commission, last year 10 million Americans were affected by identity
theft. Identity theft is the number one crime in the country. For the
fifth year in a row, identity theft topped the list of complaints,
accounting for 39 percent of the 635,173 consumer fraud complaints
filed with the agency last year.<SUP>7</SUP> And there is every
indication that the level of this crime is increasing.
---------------------------------------------------------------------------
\7\ Federal Trade Commission, ``FTC Releases Top 10 Consumer
Complaint Categories for 2004,'' (Feb. 1, 2005), available at http://
www.ftc.gov/opa/2005/02/top102005.htm.
---------------------------------------------------------------------------
Choicepoint is not the only company that has improperly disclosed
personal information on Americans. Bank of America misplaced back-up
tapes containing detailed financial information on 1.2 million
employees in the federal government, including many members of
Congress.<SUP>8</SUP> Lexis-Nexis made available records from its
Seisint division on 32,000 Americans to a criminal ring that exploited
passwords of legitimate account holders.<SUP>9</SUP> DSW, a shoe
company, announced that 103 of its 175 stores had customers' credit and
debit card information improperly accessed.<SUP>10</SUP>
---------------------------------------------------------------------------
\8\ Robert Lemos, ``Bank of America loses a million customer
records,'' CNet News.com, Feb. 25, 2005, available at http://
earthlink.com.com/Bank+of+America+loses+a+million+customer+
records/2100-1029_3-5590989.html?tag=st.rc.targ_mb.
\9\ Jonathan Krim and Robert O'Harrow, Jr., ``LexisNexis Reports
Theft of Personal Data,'' Washingtonpost.com, March 9, 2005, available
at http://www.washingtonpost.com/ac2/wp-dyn/A19982-
2005Mar9?language=printer.
\10\ Associated Press, ``Credit Information Stolen From DSW
Stores,'' March 9, 2005, available at http://abcnews.go.com/Business/
wireStory?id=563932&CMP=OTC-RSSFeeds0312.
---------------------------------------------------------------------------
But there are factors that set Choicepoint apart and make clear the
need for legislation for the information broker industry. First,
Choicepoint is the largest information broker in the United Stares. The
company has amassed more than 19 billion records and has acquired a
large number of smaller companies that obtain everything from criminal
history records and insurance claims to DNA databases. The private
sector and increasingly government rely on the data provided by
Choicepoint to determine whether Americans get home loans, are hired
for jobs, obtain insurance, pass background checks, and qualify for
government contracts.
Choicepoint has become the true invisible hand of the information
economy. Its ability to determine the opportunities for American
workers, consumers, and voters is without parallel.
Second, the Choicepoint databases are notoriously inaccurate. A
recent article in MSNBC, ``Choicepoint files found riddled with
errors,'' recounts the extraordinary errors in just one Choicepoint
report that was provided to a privacy expert.<SUP>11</SUP> Among the
statements in the 20-page National Comprehensive Report was an
inaccurate entry that described ``possible Texas criminal history'' and
a recommendation for a follow-up search. The report listed an ex-
boyfriend's address, even though she had never lived with the fellow.
As MSNBC reporter Bob Sullivan writes, ``The report also listed three
automobiles she never owned and three companies listed that she never
owned or worked for.''
---------------------------------------------------------------------------
\11\ Bob Sullivan, ``ChoicePoint files found riddled with errors
Data broker offers no easy way to fix mistakes, either,'' MSNBC, March
8, 2005, available at http://www.msnbc.msn.com/id/7118767/.
---------------------------------------------------------------------------
The report on the document provided to Deborah Pierce is very
similar to an earlier report described by another privacy expert
Richard Smith, ``who paid a $20 fee and received a similar report from
Choicepoint several years ago. The company offers a wide variety of
reports on individuals; Smith purchased a commercial version that's
sold to curious consumers. Smith's dossier had the same kind of errors
that Pierce reported. His file also suggested a manual search of Texas
court records was required, and listed him as connected to 30
businesses that he knew nothing about.''
Third, Choicepoint and other information brokers have spent a great
deal of time and money trying to block effective privacy legislation in
Congress. According to disclosure forms filed with the U.S. House and
Senate, obtained by the Wall Street Journal, Choicepoint and six of the
country's other largest sellers of private consumer data spent at least
$2.4 million last year to lobby members of Congress and a variety of
federal agencies. The Journal reports that, ``Choicepoint was the
biggest spender, with $970,000 either paid to outside lobbyists or
spent directly by the company.'' <SUP>12</SUP>
---------------------------------------------------------------------------
\12\ Evan Perez and Rick Brooks, ``Data Providers Lobby to Block
More Oversight,'' Wall Street Journal, March 4, 2005, at B1.
---------------------------------------------------------------------------
This improper disclosure and use of personal information is
contributing to identity theft, which is today the number one crime in
the United States. According to a 2003 survey by the Federal Trade
Commission, over a one-year period nearly 5% of the adult populations
were victims of some form of identity theft.<SUP>13</SUP>
---------------------------------------------------------------------------
\13\ Federal Trade Commission, ``Identity Theft Survey Report''
(Sept. 2003), available at http://www.ftc.gov/os/2003/09/
synovatereport.pdf.
---------------------------------------------------------------------------
EPIC'S EFFORTS TO BRING PUBLIC ATTENTION TO THE PROBLEMS WITH
CHOICEPOINT
Well before the recent news of the Choicepoint debacle became
public, EPIC had been pursuing the company and had written to the FTC
to express deep concern about its business practices and its ability to
flout the law. On December 16, 2004, EPIC urged the Federal Trade
Commission to investigate Choicepoint and other data brokers for
compliance with the Fair Credit Reporting Act (FCRA), the federal
privacy law that helps insure that personal financial information is
not used improperly.<SUP>14</SUP> The EPIC letter said that Choicepoint
and its clients had performed an end-run around the FCRA and was
selling personal information to law enforcement agencies, private
investigators, and businesses without adequate privacy protection.
---------------------------------------------------------------------------
\14\ Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and
Daniel J. Solove, Associate Professor, George Washington University Law
School, to Federal Trade Commission, Dec. 16, 2004, available at http:/
/www.epic.org/privacy/choicepoint/fcraltr12.16.04.html.
---------------------------------------------------------------------------
Choicepoint wrote back to us to say, in effect, that there was no
problem The company claimed to fully comply with FCRA and that the
question of whether FCRA, or other federal privacy laws, should apply
to all of its products as simply a policy judgment. It made this claim
at the same time it was spending several million dollars over the last
few years to block the further expansion of the FCRA.
Mr. Chairman, hindsight may be 20-20, but it is remarkable to us
that Choicepoint had the audacity to write such a letter when it
already knew that state investigators had uncovered the fact that the
company had sold information on American consumer to an identity theft
ring. They were accusing us of inaccuracy at the same time that state
and federal prosecutors knew that Choicepoint, a company that offered
services for business credentialing, had exposed more than a hundred
thousand Americans to a heightened risk of identity theft because it
sold data to crooks.
But the problems with Choicepoint long preceded this recent
episode. Thanks to Freedom of Information Act requests relentlessly
pursued by EPIC's Senior Counsel Chris Hoofnagle, we have obtained over
the last several yeas extraordinary documentation of Choicepoint's
growing ties to federal agencies and the increasing concerns about the
accuracy and legality of these products.<SUP>15</SUP> So far, EPIC has
obtained FOIA documents from nine different agencies concerning
Choicepoint. Much of the material is available on our web site at
http:www.epic.org/privacy/Choicepoint. One document from the Department
of Justice, dated December 13, 2002, discusses a ``Report of
Investigation and Misconduct Allegations . . . Concerning Unauthorized
Disclosure of Information.'' <SUP>16</SUP> There are documents from the
IRS that describe how the agency would mirror huge amounts of personal
information on IRS computers so that Choicepoint could perform
investigations.<SUP>17</SUP> Several documents describe Choicepoint's
sole source contracts with such agencies as the United States Marshals
Service and the FBI.<SUP>18</SUP>
---------------------------------------------------------------------------
\15\ EPIC v. Dep't of Justice et al., No. 1:02cv0063 (CKK)(D.D.C.).
\16\ Available at http://www.epic.org/privacy/choicepoint/
default.html.
\17\ Id.
\18\ Id.
---------------------------------------------------------------------------
Among the most significant documents obtained by EPIC were those
from the Department of State, which revealed the growing conflicts
between the United States and foreign governments that resulted from
the efforts of Choicepoint to buy data on citizens across Latin America
for use by the US federal law enforcement agencies.<SUP>19</SUP> One
document lists news articles that were collected by the agency to track
outrage in Mexico and other countries over the sale of personal
information by Choicepoint.<SUP>20</SUP> A second document contains a
cable from the American Embassy in Mexico to several different
government agencies warning that a ``potential firestorm may be brewing
as a result of the sale of personal information by
Choicepoint.<SUP>21</SUP> A third set of documents describes public
relations strategies for the American Embassy to counter public anger
surrounding the release of personal information of Latin Americans to
Choicepoint.<SUP>22</SUP>
---------------------------------------------------------------------------
\19\ Available at http://www.epic.org/privacy/choicepoint/
default.html.
\20\ Id.
\21\ Id.
\22\ Id.
---------------------------------------------------------------------------
Choicepoint's activities have fueled opposition to the United
States overseas and raised the alarming prospect that our country
condones the violation of privacy laws of other
government.<SUP>23</SUP> As USA Today reported on September 1, 2003:
---------------------------------------------------------------------------
\23\ EPIC and Privacy International, Privacy and Human Rights: An
International Survey of Privacy Laws and Developments 123-24, 182, 493
(2004) (Public Records, Argentina country report, Mexico country
report)
---------------------------------------------------------------------------
After the Mexican government complained that its federal
voter rolls were the source, and were likely obtained illegally
by a Mexican company that sold them to Choicepoint, the
suburban Atlanta company cut off access to that information.
In June, ChoicePoint wiped its hard drives of Mexicans' home
addresses, passport numbers and even unlisted phone numbers.
The company also backed out of Costa Rica and Argentina.
ChoicePoint had been collecting personal information on
residents of 10 Latin American countries--apparently without
their consent or knowledge--allowing three dozen U.S. agencies
to use it to track and arrest suspects inside and outside the
United States.<SUP>24</SUP>
---------------------------------------------------------------------------
\24\ Associated Press, ``Vendor sells Latin American citizen data
to U.S.,'' Sept. 1, 2003, available at http://www.usatoday.com/tech/
news/techpolicy/2003-09-01-choicepoint_x.htm.
---------------------------------------------------------------------------
The revelations helped kindle privacy movements in at least
six countries where the company operates. Government officials
have ordered--or threatened--inquiries into the data sales,
saying ChoicePoint and the U.S. government violated national
sovereignty.
LESSONS OF CHOICEPOINT
The Choicepoint incident proves many important lessons for the
Congress as it considers how best to safeguard consumer privacy in the
information age.
First, it should be clear now that privacy harms have real
financial consequences. In considering privacy legislation in the past,
Congress has often been reluctant to recognize the actual economic harm
that consumers suffer when their personal information is misused, when
inaccurate information leads to the loss of a loan, a job, or
insurance. Consumers suffer harms both from information that is used
for fraud and inaccurate information that leads to lost opportunities
through no fault of the individual.
A clear example of how the company has contributed to the growing
problem of identity theft may be found in Choicepoint's subscriber
agreement for access to AutoTrackXP, a detailed dossier of individuals'
personal information. A sample AutoTrackXP report on the ChoicePoint
web site shows that it contains Social Security Numbers; driver license
numbers; address history; phone numbers; property ownership and
transfer records; vehicle, boat, and plane registrations; UCC filings;
financial information such as bankruptcies, liens, and judgments;
professional licenses; business affiliations; ``other people who have
used the same address of the subject,'' ``possible licensed drivers at
the subject's address,'' and information about the data subject's
relatives and neighbors.<SUP>25</SUP> This sensitive information is
available to a wide array of companies that do not need to articulate a
specific need for personal information each time a report is purchased.
Choicepoint's subscriber agreement shows that the company allows access
to the following businesses: attorneys, law offices, investigations,
banking, financial, retail, wholesale, insurance, human resources,
security companies, process servers, news media, bail bonds, and if
that isn't enough, Choicepoint also includes ``other.''
---------------------------------------------------------------------------
\25\ ChoicePoint, AutoTrackXP Report, http://www.choicepoint.com/
sample_rpts/AutoTrack
XP.pdf.
---------------------------------------------------------------------------
Second, it should be clear that market-based solutions fail utterly
when there is no direct relationship between the consumer and the
company that proposed to collect and sell information on the consumer.
While we continue to believe that privacy legislation is also
appropriate for routine business transactions, it should be obvious to
even those that favor market-based solutions that this approach simply
does not work where the consumer exercises no market control over the
collection and use of their personal information. As computer security
expert Bruce Schneier has noted, ``ChoicePoint doesn't bear the costs
of identity theft, so ChoicePoint doesn't take those costs into account
when figuring out how much money to spend on data security.''
<SUP>26</SUP> This argues strongly for regulation of the information
broker industry.
---------------------------------------------------------------------------
\26\ ``Schneier on Security: Choicepoint'' available at http://
www.schneier.com/blog/archives/2005/02/choicepoint.html.
---------------------------------------------------------------------------
Third, there are clearly problems with both the adequacy of
protection under current federal law and the fact that many information
products escape any kind privacy rules. Choicepoint has done a
remarkable job of creating detailed profiles on American consumers that
they believe are not subject to federal law. Products such as
AutoTrackXP are as detailed as credit reports and have as much impact
on opportunities in the marketplace for consumers as credit reports,
yet Choicepoint has argued that they should not be subject to FCRA.
Even their recent proposal to withdraw the sale of this information is
not reassuring. They have left a significant loophole that will allow
them to sell the data if they believe there is a consumer
benefit.<SUP>27</SUP>
---------------------------------------------------------------------------
\27\ Aleksandra Todorova, ``ChoicePoint to Restrict Sale of
Personal Data,'' Smartmoney.com, March 4, 2005, available at http://
www.smartmoney.com/bn/index.cfm?story=20050304015004.
---------------------------------------------------------------------------
But even where legal coverage exists, there is insufficient
enforcement, consumers find it difficult to exercise their rights, and
the auditing is non-existent. According to EPIC's research, there is no
indication that commercial data brokers audit their users and refer
wrongdoers for prosecution. In other words, in the case where a
legitimate company obtains personal information, there is no publicly
available evidence that Choicepoint has any interest in whether that
information is subsequently used for illegitimate purposes.
Law enforcement, which has developed increasingly close ties to
information brokers such as Choicepoint seems to fall entirely outside
of any auditing procedures. This is particularly troubling since even
those reports that recommend greater law enforcement use of private
sector databases for public safety recognize the importance of auditing
to prevent abuse.<SUP>28</SUP>
---------------------------------------------------------------------------
\28\ See Chris J. Hoofnagle, ``Big Brother's Little Helpers: How
Choicepoint and Other Commercial Data brokers Collect, process, and
Package Your Data for Law Enforcement,'' University of North Carolina
Journal of International Law & Commercial Regulation (Summer 2004),
available at http://ssrn.com/abstract=582302.
---------------------------------------------------------------------------
And of course there are ongoing concerns about the broad
permissible purposes under the FCRA, the use of credit header
information to build detailed profiles, and the difficulty that
consumers continue to face in trying to obtain free credit reports that
they are entitled to under the FACTA.
Fourth, we believe this episode also demonstrates the failure of
the FTC to aggressively pursue privacy protection. We have repeatedly
urged the FTC to look into these matters. While on some occasions, the
FTC has acted.<SUP>29</SUP> But too often the Commission has ignored
privacy problems that are impacting consumer privacy and producing a
loss of trust and confidence in the electronic marketplace. In the late
1990s, the FTC promoted self-regulation for the information broker
industry and allowed a weak set of principles promulgated as the
Individual References Service Group to take the place of effective
legislation. It may well be that the Choicepoint fiasco could have been
avoided if the Commission chose a different path when it considered the
practices of the information broker industry.
---------------------------------------------------------------------------
\29\ See FTC's investigation into Microsoft's Passport program.
Documentation available at http://www.epic.org/privacy/consumer/
microsoft/passport.html.
---------------------------------------------------------------------------
The FTC has also failed to pursue claims that it could under
section 5 of the FTC Act that prohibits unfair practices. Practices are
unfair if they cause or are likely to cause consumers substantial
injury that is neither reasonably avoidable by consumer nor offset by
countervailing benefits to consumers and competition.<SUP>30</SUP> It
may be that the unfairness doctrine could be applied in cases where
there is no direct relationship between the consumer and the company,
but to date the FTC has failed to do this.<SUP>31</SUP>
---------------------------------------------------------------------------
\30\ 15 U.S.C. 45(n); Letter from Michael Pertschuk, FTC Chairman,
and Paul Rand Dixon, FTC Commissioner, to Wendell H. Ford, Chairman,
House Commerce Subcommittee on Commerce, Science, and Transportation
(Dec. 17, 1980), at http://www.ftc.gov/bcp/policystmt/ad-unfair.htm.
\31\ In FTC v. Rapp, the ``Touch Tone'' case, the FTC pursued
private investigators engaged in ``pretexting,'' a practice where an
individual requests personal information about others under false
pretenses. No. 99-WM-783 (D. Colo. 2000), 2000 U.S. Dist. LEXIS 20627.
In a typical scheme, the investigator will call a bank with another's
Social Security Number, claim that he has forgotten his bank balances,
and requests that the information be given over the phone. The FTC
alleged that this practice of the defendants, was deceptive and unfair.
It was deceptive because the defendants deceived the bank in providing
the personal information of another. The practice was unfair in that it
occurs without the knowledge or consent of the individual, and it is
unreasonably difficult to avoid being victimized by the practice.
---------------------------------------------------------------------------
Fifth, we believe the Choicepoint episode makes clear the
importance of state-based approaches to privacy protection. Congress
simply should not pass laws that tie the hands of state legislators and
prevent the development of innovative solutions that respond to
emerging privacy concerns. Many states are today seeking to establish
strong notification procedures to ensure that their residents are
entitled to at least the same level of protection as was provided by
California.<SUP>32</SUP>
---------------------------------------------------------------------------
\32\ ``Choicepoint Incident Prompts State Lawmakers to Offer Data
Notification Bills,'' 10 BNA Electronic Commerce & Law Report 217-18
(March 9, 2005)
---------------------------------------------------------------------------
In this particular case, the California notification statute helped
ensure that consumers would at least be notified that they are at risk
of heightened identity theft. This idea makes so much sense that 38
attorney generals wrote to Choicepoint to say that their residents
should also be notified if their personal information was wrongly
disclosed.<SUP>33</SUP> Choicepoint could not object. It was an obvious
solution.
---------------------------------------------------------------------------
\33\ Associated Press, ``38 AGs send open letter to ChoicePoint,''
available at http://www.
usatoday.com/tech/news/computersecurity/infotheft/2005-02-19-ag-letter-
to-choicepoint_x.htm.
---------------------------------------------------------------------------
Finally, there is still a lot we do not know about the Choicepoint
company. This firm has expanded so rapidly and acquired so many
companies in the last few years, it is very difficult to assess how
much information it actually has on Americans. As a starting point for
further work by the Committee, I would urge you and Committee Staff to
obtain your own Choicepoint records in the AutoTrackXP service as well
as the National Comprehensive Report. This is the information about you
that Choicepoint sells to strangers. If you want to understand the
serious problem of record accuracy, this is one good place to start.
RECOMMENDATIONS
Clearly, there is a need for Congress to act. Although Choicepoint
has taken some steps to address public concerns, it continues to take
the position that it is fee to sell personal information on American
consumers to whomever it wishes where Choicepoint, and not the
consumer, believes there ``consumer-driven benefit or transaction.''
<SUP>34</SUP> Moreover, the company remains free to change its policies
at some point in the future, and the steps taken to date do not address
the larger concerns across the information broker industry.
---------------------------------------------------------------------------
\34\ ``Choicepoint Halts Sale of Sensitive Information, as Agencies
Launch Probes,'' 10 BNA Electronic Commerce and Law Report 219 (March
9, 2005).
---------------------------------------------------------------------------
Modest proposals such as the extension of the Gramm-Leach-Bliley
Act's Security Safeguards Rule are unlikely to prevent future
Choicepoint debacles. The Safeguards Rule merely requires that
financial institutions have reasonable policies and procedures to
ensure the security and confidentiality of customer information. Recall
that the disclosure by Choicepoint did not result from a ``hack'' or a
``theft'' but from a routine sale. Moreover, the Security Safeguards
Rule will do nothing to give consumers greater control over the
transfer of their personal information to third parties or to promote
record accuracy.
Extending notification statutes such as the California bill would
be a sensible step but this is only a partial answer. Notification only
addresses the problem once the disclosure has occurred. The goal should
be to minimize the likelihood of future disclosure. It is also
important to ensure that any federal notification bill is as least as
good as the California state bill and leaves the states the freedom to
develop stronger and more effective measures. What happens for example,
when at some point in the future, we must contend with the
extraordinary privacy problems that will result from the disclosure of
personal information contained in a database built on biometric
identifiers?
At this time, legislation such as the Information Protection and
Security Act, H.R. 1080, provides a good starting point to safeguard
consumer privacy and reduce the growing threat of identity theft. It
would allow the FTC to develop fair information practices for data
brokers; violators would be subject to civil penalties. Enforcement
authority would be given to the FTC and state attorneys general.
Consumers would be able to pursue a private right of action, albeit a
modest one. And states would be free to develop stronger measures if
they chose.
But a stronger measure would establish by statute these same
authorities and impose stricter reporting requirements on the
information broker industry. It would include a liquidated damages
provision that sets a floor, not a limit, on damages when a violation
occurs, as is found in other privacy laws. It is even conceivable that
Congress could mandate that information brokers provide to consumers
the same information that they propose to sell to a third party prior
to the sale. This would make consent meaningful. It would promote
record accuracy. And it would allow the consumer to determine for
himself or herself whether in fact the transaction will provide a
``consumer-driven benefit.'' Proposals for credit report ``freeze''
legislation that allow consumers to determine when it is in their
benefit to release personal credit information provides a good parallel
for strong legislation in the data broker field.
Furthermore, to the extent that information brokers, such as
Choicepoint, routinely sell data to law enforcement and other federal
agencies, they should be subject to the federal Privacy Act. A
``privatized intelligence service,'' as Washington Post reporter Robert
O'Harrow has aptly described the company, Choicepoint should not be
permitted to flout the legal rules that help ensure accuracy,
accountability, and due process in the use of personal information by
federal agencies.<SUP>35</SUP>
---------------------------------------------------------------------------
\35\ Robert O'Harrow, No Place to Hide: Behind the Scenes of Our
Emerging Surveillance Society (Free Press 2005).
---------------------------------------------------------------------------
Also, a very good framework has been put forward by Professor
Daniel Solove and EPIC's Chris Hoofnagle.<SUP>36</SUP> This approach is
similar to other frameworks that attempt to articulate Fair Information
Practices in the collection and use of personal information. But Solove
and Hoofnagle make a further point that is particularly important in
the context of this hearing today on Choicepoint. Increasingly, the
personal information made available through public records to enable
oversight of government records has been transformed into a privatized
commodity that does little to further government oversight but does
much to undermine the freedom of Americans. While EPIC continues to
favor strong open government laws, it is clearly the case that open
government interests are not served when the government compels the
production of personal information, sells the information to private
data vendors, who then make detailed profiles available to strangers.
This is a perversion of the purpose of public records.
---------------------------------------------------------------------------
\36\ Daniel Solove and Chris Jay Hoofnagle, ``A Model Regime of
Privacy Protection,'' March 8, 2005, available at http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=681902.
---------------------------------------------------------------------------
Looking ahead, there is a very real risk that the consequences of
improper data use and data disclosure are likely to accelerate in the
years ahead. One has only to look at the sharp increase in identity
theft documented by the Federal Trade Commission, consider the
extraordinary rate of data aggregation in new digital environments, as
well as the enormous efforts of the federal government to build ever
more elaborate databases to realize that the risk to personal privacy
is increasing rapidly. Congress can continue to deal with these
challenges in piecemeal fashion, but it seems that the time has come to
establish a formal government commission charged with the development
of long-terms solutions to the threats associated with the loss of
privacy. Such a commission should be established with the clear goal of
making specific proposals. It should include a wide range of experts
and advocates. And it should not merely be tasked with trying to
develop privacy safeguards to counter many of the government new
surveillance proposals. Instead, it should focus squarely on the
problem of safeguard privacy.
Congress needs to establish a comprehensive framework to safeguard
the right of privacy in the twenty-first century. With identity theft
already the number one crime, and the recent spate of disclosures, any
further delay could come at enormous cost to American consumers and the
American economy.
Finally, Mr. Chairman, there are several practical questions left
open by the Choicepoint matter. First, as we said to the FTC in
December, Choicepoint has done a poor job tracking he use of personal
information on American consumers that it routinely sells to strangers.
Now is the time for Choicepoint to go back to its audit logs and
determine what the legal basis was for selling the information that was
provided to the identity theft ring. In fact, we believe that
Choicepoint should be required to review all of its audit logs for the
past year and report to this committee on whether it has uncovered any
other instance of breaches within the company. Just as heads of
financial companies are now required to vouch for the accuracy of their
financial statements, the heads of the information broker companies
should be required to make an annual representation tot he public that
they have reviewed the audit logs of their companies and are assured
that the information they have disclosed has only been used for lawful
purposes.
Second, there is the question of what Choicepoint intends to do
with the money that it received from the sale of personal information
to an identity theft ring. How can Choicepoint possibly keep the funds
from those transactions? In a letter that EPIC sent to Choicepoint COO
Douglas Curling, we urged the company to ``disgorge the funds that you
obtained from the sale of the data and make these funds available to
the individuals who will suffer from identity theft as a result of this
disclosure.'' Since Mr. Smith, the company's President is at the
hearing today, perhaps he can explain what Choicepoint will do with the
funds.
Third Choicepoint has still not provided to the victims of the
negligent sale the same information that it disclosed to the identity
thieves. At the very least, we think the company should give people the
same records it sold to the crooks.
CONCLUSION
For many years, privacy laws came up either because of the efforts
of a forward-looking Congress or the tragic experience of a few
individuals. Now we are entering a new era. Privacy is no longer
theoretical. It is no longer about the video records of a federal judge
or the driver registry information of a young actress. Today privacy
violations affect hundreds of thousands of American all across the
country. The harm is real and the consequences are devastating.
Whatever one's view may be of the best general approach to privacy
protection, there is no meaningful way that market-based solutions can
protect the privacy of American consumers when consumers have no direct
dealings with the companies that collect and sell their personal
information. There is too much secrecy, too little accountability, and
too much risk of far-reaching economic damage. The Choicepoint debacle
has made this clear.
The Committee may not be able to solve every privacy problem, but I
urge you today to focus on the information broker industry and to pass
legislation such as the Information Protection and Security Act. The
information broker industry has been flying under the radar for too
long.
I appreciate the opportunity to be here today. I will be pleased to
answer your questions
REFERENCES
EPIC Choicepoint Page, available at http://www.epic.org/privacy/
choicepoint/
Mr. Stearns. I thank the gentleman, and I will start the
questions. Just the two of us. Mr. Rotenberg, I think you are
saying that ChoicePoint, in your opinion, violated the Fair
Credit Reporting Act. Is that true?
Mr. Rotenberg. Well, it is not clear to us, sir, at this
point, if we can say that, because we don't know exactly what
type of information was disclosed, and if it was subject to the
Fair Credit Reporting Act.
Mr. Stearns. But you are saying that, you know, that you
thought the products and service they are providing, they
provided something so they wouldn't have to comply, so they
just tweaked a bit, tailored a bit, so that they could avoid
oversight that you feel is critical to the consumer, and would
have the applicability of the Fair Credit Reporting Act.
Mr. Rotenberg. Yes.
Mr. Stearns. So you are sort of--you are suggesting that
they did this so that they wouldn't have to comply, so the
question is, you can't really say whether they violated it at
this point, only because you don't know--you are asking the FTC
to tell us, right?
Mr. Rotenberg. Right.
Mr. Stearns. Yes.
Mr. Rotenberg. Well, we did say in our letter that we
believe that a particular product, the AutoTrack XP product,
which contains a great deal of detailed personal information on
American consumers, much like a credit report does, should be
subject to rules like the Fair Credit Reporting Act. Now,
ChoicePoint has taken the position that that product is not
subject to the Fair Credit Reporting Act.
Mr. Stearns. It is called Auto----
Mr. Rotenberg. AutoTrack XP.
Mr. Stearns. XP. Gee, I don't think many people, Members of
Congress----
Mr. Rotenberg. No, I don't think so.
Mr. Stearns. [continuing] know anything about the
AutoTrack--so it is pretty much like a consumer report.
Mr. Rotenberg. Yes, that is our view.
Mr. Stearns. Yeah, and they are--they don't think it is.
Mr. Rotenberg. No. In fact, we had an exchange of letters
with them when we filed our complaint at the Federal Trade
Commission, I heard from Mr. Curling, who is their Chief
Operating Officer, and he said that their company had simply
taken the position that this product was not subject to the
FCRA. He----
Mr. Stearns. Is the AutoTrack XP, still--are they still
doing it? Is ChoicePoint----
Mr. Rotenberg. This is the interesting question that is
raised by the hearing today, because Mr. Smith suggested that
ChoicePoint was withdrawing from the non-FCRA products.
Mr. Stearns. Okay. So doesn't----
Mr. Rotenberg. But then, he left----
Mr. Stearns. [continuing] the withdrawal now, that
attention has been called.
Mr. Rotenberg. That is right. But he left significant
loopholes.
Mr. Stearns. Yeah.
Mr. Rotenberg. And he said for example, products that might
provide a consumer benefit, they would continue with. So it is,
I think an open question at this point, what they plan to do
with this particular product.
Mr. Stearns. Mr. Ansanelli, you have software, is that what
you have, is your company providing software? Is that primary--
your product?
Mr. Ansanelli. That is correct. We provide software for
information security.
Mr. Stearns. And do you work with ChoicePoint, or do you
work with LexisNexis at all?
Mr. Ansanelli. Currently, neither of those are customers of
ours now.
Mr. Stearns. Tell me some of your customers.
Mr. Ansanelli. Companies like Prudential Financial, Best
Buy, Charles Schwab, basically a lot of companies that store
lots of consumer data, and want to make sure that it doesn't
get out inappropriately over the Internet.
Mr. Stearns. Do you feel--you have heard most of the
testimony today--do you feel that we need Federal legislation,
as Mr. Rotenberg has talked about?
Mr. Ansanelli. I think there has been a discussion about
two parts of Federal legislation, both security and privacy. I
am a little bit more knowledgeable on the security side, and I
would----
Mr. Stearns. Right.
Mr. Ansanelli. [continuing] say that things like Gramm-
Leach-Bliley, in financial services, have made an impact in
terms of the data at banks and other financial institutions
being more secure, and I do think it is a question why, when
the similar data is stored by other organizations that might
not be in financial services, like a Social Security number, or
a credit card, why that data does not have to be protected in
the same way we require a bank or a financial institution. And
I think that in order to ever get to a state where we have
improved privacy, you must first have security, so that is why
we do suggest that some improvements in clarifying what the
requirements are for data security, regardless of the industry,
would make a big difference.
Mr. Stearns. When I was talking to Mr. Sanford, he didn't
quite understand my question. Maybe outsourcing was not the
right word, but I was saying that if you had a company, and you
bought me, as another company, and then I had employees that
had access to all these passwords right on up the line, how do
you have the assurance that the password he has, he works for
me, he is not using that for his own personal use? So how does
a CEO, in this case, of LexisNexis, control the company they
bought's employees, who have access to, all up the line, the
passwords? And that is why I started to go--I mean, how would
you suggest we control the security on that?
Mr. Ansanelli. I think you are commenting on something many
people refer to as the insider security threat.
Mr. Stearns. Yeah, insider. That is better than
outsourcing. That is why--he didn't quite--that is what I mean,
insider security threat.
Mr. Ansanelli. And it is obviously quite complicated.
Mr. Stearns. Yeah.
Mr. Ansanelli. Most security and infrastructure has focused
on the issue of hackers trying to break into networks, and
trying to get access to data, where many of the very known
cases are actually issues of people with legitimate, allegedly
legitimate credentials, either by borrowing a password, or
stealing a password, gaining access to information.
Mr. Stearns. But you could include the customers, not just
the employees, too.
Mr. Ansanelli. Correct. I mean----
Mr. Stearns. So you have not only the insider trading, but
you have customers having this access.
Mr. Ansanelli. Correct. I mean, the case at AOL, it is
alleged that there was an IT professional who stole all the
email addresses at AOL, because he borrowed a password from
somebody else and got access to that data base. A number of
things that people can do. Clearly, you know, one of the things
is clearly what we do, which is monitoring to make sure that
the data is not getting out. So for example, if someone gets
access to that data that shouldn't be sending it, either via
email or over the Web, we can help organizations to understand
when information like Social Security numbers or credit card
numbers are being distributed inappropriately electronically,
outside the company. That is clearly an important thing that
many, many companies are starting to do.
There is also--there is important things in terms of sort
of physical precautions. How do you limit----
Mr. Stearns. You change the passwords frequently.
Mr. Ansanelli. Changing passwords frequently, making sure
that the--there is also technologies which allow for stronger
things than just a password and a name. You might have to
actually have a physical card that has an identifier which is
constantly changing, for example. So there is many, many things
that people can do, and you know, one thing I would say,
though, is I think it is important that legislation not
recommend any particular technology.
Mr. Stearns. No, no. I understand. It is just that----
Mr. Ansanelli. There is lots going----
Mr. Stearns. My time has expired. Mr. Rotenberg, when I had
the discussion with the CEOs, I sort of alluded to the fact
there might be a third party required to authenticate their--
that their system is secure, or that they are--have best
practices. And I don't think they want that. Do you think that
is something that is necessary? I mean, like, to verify that
the corporations P&L, they have an outside accounting firm. And
he--the accounting firm authenticates, and if it turns out,
like in the case of Enron, in which--and that accounting firm
shows a lack of credibility, and they lose their business. So
it is to the advantage of the accounting firm, just like it
would be to the security firm, to say this company is secure,
and is doing best practices.
I don't know. Is that----
Mr. Rotenberg. I think that is a very good proposal, Mr.
Chairman. In fact, when we wrote to the FTC in December, one of
the issues that we raised with them was the lack of auditing.
You know, under the FCRA, people get information for
permissible purposes, but very little effort is made after the
information is disclosed, to determine if, in fact, the
information was used for a permissible purpose. And we think
systems of better auditing and outside auditing would reduce
the likelihood of the misuse of information, and I think it
would make the companies more accountable.
Mr. Stearns. I mean, just the fact if you kept a data base
of companies that have breaks in security, and you pretty soon
knew which companies did and which didn't, and it started to be
a reoccurring pattern, that would be something that would be
very helpful to alert the Federal Trade Commission and
everybody else, hey, there is a problem here with our security.
Just the reporting process.
Mr. Rotenberg. Yeah, I think it is a very good proposal,
and I think also for the CEO to certify the adequacy of the
auditing, the accounting of this personal information, would
serve much of the same purpose that was done when concerns were
raised about financial reporting, and the risks to consumers
are very similar. When mistakes are made, consumers carry those
costs.
Mr. Stearns. Well, obviously, you could do this voluntarily
through a best practice association that does this for them,
but it seems to me, in the case of ChoicePoint, this individual
in Los Angeles, they did everything, yet the individual was
using it fraudulently, and there is nothing they could have
done about it.
My time has expired. Ms. Schakowsky.
Ms. Schakowsky. You know, Mr. Chairman, there actually was
a report issued. I don't know much about--the Ponemon, Ponemon
Institute, of 163 U.S. companies that were surveyed in the past
12 months, 75 percent reported a serious security breach
resulting in stolen data, and of those breaches, 27 percent
involved customer information.
I mean, we haven't heard reports about that. I am
wondering, is this because there is unwillingness to make the
investment, because they don't know best practices, because we
have failed to make requirements on them to implement certain
practices? Mr. Ansanelli?
Mr. Ansanelli. I do think that one of the issues is clear
requirements for organizations that store data. I mean,
financial services organizations under GLBA clearly now, and
have a requirement, and guidelines both by the FTC, as well as
the financial services agencies, to what they are supposed to
do. But other companies in different industries that have
similar data don't have the same requirements. So without clear
requirements, with respect to protecting the data, as well as
notification, I don't think it should be too much of a surprise
that necessarily people haven't come forward with it.
I do think that one of the other challenges and issues is
that there is a concern that if companies are proactive in
doing things, that they are taking on additional litigation
risk, that people are going to sue them for punitive damages,
and that has definitely been something which, I think, presents
a bit of a stumbling block for some companies, that I suggest
we can deal with as well.
Ms. Schakowsky. To both of you. A few--California and a few
other States have laws that allow consumers to put security
freezes on their credit reports, and the freezes mean that
their credit reports can't be accessed, unless the consumer
allows it to be accessed, an opt-in. Do you think laws of this
type would be useful for other personal information that is
held by data brokers? Mr. Rotenberg.
Mr. Rotenberg. I think it is a very sensible proposal. I
mean, all of us understand that this disclosure of personal
information will, in some circumstances, provide important
benefits to consumers, to obtain a loan or, you know, a job, or
some of these other things. But if there is a benefit to the
consumer, it would seem obvious that the consumer should be
able to decide when the information is disclosed. And what
consumer organizations have realized over the last couple of
years is that if we simply say, if you are intending to get a
home loan, for example, at that point, you will make your
credit report available, and others can make use of it, and
make a determination, and if you are not intending to get a
loan, or there is no other basis for someone to get access to
your credit report, then it really should be in the offsetting.
So that particular approach, which both recognizes that
this information is important to businesses making decisions
about consumers, and gives consumers control over the
disclosure of the information, I think is absolutely the right
approach. I hope we will follow it in more areas.
Ms. Schakowsky. Thank you. I wanted to follow up on this
issue of victims of domestic violence, where it didn't sound
like--well, at least off the top of their head, that either
company was aware of the kind of procedures that may be put in
place.
Is this a problem, and is there an obvious solution to that
problem, where even an address could put someone's life in
jeopardy?
Mr. Rotenberg. Congresswoman, I am not certain about the
specific practices of the information broker industry today. I
can tell you that in the privacy world, we confronted a very
similar issue more than 15 years ago, when Caller ID first
became available, and you know, and people who were in shelters
and elsewhere were very concerned about their ability to make
contact with family members, without having their location or
actual phone number disclosed, and at that time, when we were
arguing for privacy protection as Caller ID was being
introduced, the telephone companies agreed to put in place what
was called per line blocking, so that people calling from
shelters would not have their numbers disclosed, and they
wouldn't even have to worry about it.
I think today, you know, to do at least something like
that, in the information broker industry, should be expected.
Ms. Schakowsky. You know, the fact that these data brokers
are required, under--to have certain data under the Fair Credit
Reporting Act, under Gramm-Leach-Bliley, under all those
protection, the usefulness of that fact is dependent on anybody
knowing about it. I mean, I have been asking all the witnesses
who the heck knew before the ChoicePoint scandal came out
really, that these companies even really existed? I mean, in
terms of mass knowledge of this, I think it was nonexistent.
So is this really useful, that they have to comply, and
they have to provide information back to consumers, if nobody
knows about it, and what are we going to do about that?
Mr. Rotenberg. Well, as I tried to explain in my testimony,
I think the absence of the relationship between the consumer
and the business makes clear that market-based solutions simply
can't work. I mean, you have to regulate in this area, because
there is no other effective mechanism, and in fact, this was
exactly the same theory that the Congress pursued, leading up
to the passage of the Fair Credit Reporting Act in 1970. And
the Congress looked at it, and they said well, this information
is being compiled on American consumers. They are not going to
have a choice over which credit reporting agency is going to
collect and use this information, so it has to be regulated,
and you have to do what you can to minimize the misuse of this
information, which continues to be a problem as well.
Ms. Schakowsky. I would agree with that. Do you want to----
Mr. Ansanelli. I think the one thing I would add is again,
with respect to ID theft, I do think that consumer education is
really, really important, and I do think that the FTC has done
a fair amount in that area, and I think they continue to do
more, in terms of people just not understanding what is going
on. There is no--there is very--there is not an obvious place
where they go right now to get that information about where
their data is, and how they can deal with it, and I do think
more can be done there.
Ms. Schakowsky. That is true, but I think that putting the
onus on the consumer is ultimately a problem, because I think
there are so many actors in this field that you could spend
your life trying to get that information, and make sure that
you are protected. I think we do have a role here.
Mr. Ansanelli. I would agree. I wasn't suggesting that
would be the only thing. I do think that there are those three
areas, again, the criminals, the companies, and the consumers
all play a role in this, and I think we could do more on all
three of those efforts.
Ms. Schakowsky. Thank you very much.
Mr. Stearns. Well, I want to thank you for staying with us
all through this roughly 4 hours, and your contribution is very
helpful, and I think it is nice to have a little bit of a
different slant.
So we are going to conclude the hearing. I think it has
been very productive, and I want to thank you again for waiting
for the other two panels.
And with that, the committee is adjourned.
[Whereupon, at 2 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
[GRAPHIC] [TIFF OMITTED] T9916.001
[GRAPHIC] [TIFF OMITTED] T9916.002
[GRAPHIC] [TIFF OMITTED] T9916.003
[GRAPHIC] [TIFF OMITTED] T9916.004
[GRAPHIC] [TIFF OMITTED] T9916.005
[GRAPHIC] [TIFF OMITTED] T9916.006
[GRAPHIC] [TIFF OMITTED] T9916.007
[GRAPHIC] [TIFF OMITTED] T9916.008
[GRAPHIC] [TIFF OMITTED] T9916.009
[GRAPHIC] [TIFF OMITTED] T9916.010
[GRAPHIC] [TIFF OMITTED] T9916.011
[GRAPHIC] [TIFF OMITTED] T9916.012
[GRAPHIC] [TIFF OMITTED] T9916.013
[GRAPHIC] [TIFF OMITTED] T9916.014
[GRAPHIC] [TIFF OMITTED] T9916.015
[GRAPHIC] [TIFF OMITTED] T9916.016
[GRAPHIC] [TIFF OMITTED] T9916.017
[GRAPHIC] [TIFF OMITTED] T9916.018
[GRAPHIC] [TIFF OMITTED] T9916.019
[GRAPHIC] [TIFF OMITTED] T9916.020
[GRAPHIC] [TIFF OMITTED] T9916.021
[GRAPHIC] [TIFF OMITTED] T9916.022
[GRAPHIC] [TIFF OMITTED] T9916.023
[GRAPHIC] [TIFF OMITTED] T9916.024
[GRAPHIC] [TIFF OMITTED] T9916.025
[GRAPHIC] [TIFF OMITTED] T9916.026
[GRAPHIC] [TIFF OMITTED] T9916.027
[GRAPHIC] [TIFF OMITTED] T9916.028
[GRAPHIC] [TIFF OMITTED] T9916.029
[GRAPHIC] [TIFF OMITTED] T9916.030
�