<DOC> [108th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:91576.wais] IDENTITY THEFT: ASSESSING THE PROBLEM AND EFFORTS TO COMBAT IT ======================================================================= HEARING before the SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS of the COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED EIGHTH CONGRESS FIRST SESSION __________ DECEMBER 15, 2003 __________ Serial No. 108-60 __________ Printed for the use of the Committee on Energy and Commerce Available via the World Wide Web: http://www.access.gpo.gov/congress/ house __________ U.S. GOVERNMENT PRINTING OFFICE WASHINGTON : 2004 91-576PDF For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON ENERGY AND COMMERCE W.J. ``BILLY'' TAUZIN, Louisiana, Chairman MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan JOE BARTON, Texas Ranking Member FRED UPTON, Michigan HENRY A. WAXMAN, California CLIFF STEARNS, Florida EDWARD J. MARKEY, Massachusetts PAUL E. GILLMOR, Ohio RALPH M. HALL, Texas JAMES C. GREENWOOD, Pennsylvania RICK BOUCHER, Virginia CHRISTOPHER COX, California EDOLPHUS TOWNS, New York NATHAN DEAL, Georgia FRANK PALLONE, Jr., New Jersey RICHARD BURR, North Carolina SHERROD BROWN, Ohio Vice Chairman BART GORDON, Tennessee ED WHITFIELD, Kentucky PETER DEUTSCH, Florida CHARLIE NORWOOD, Georgia BOBBY L. RUSH, Illinois BARBARA CUBIN, Wyoming ANNA G. ESHOO, California JOHN SHIMKUS, Illinois BART STUPAK, Michigan HEATHER WILSON, New Mexico ELIOT L. ENGEL, New York JOHN B. SHADEGG, Arizona ALBERT R. WYNN, Maryland CHARLES W. ``CHIP'' PICKERING, GENE GREEN, Texas Mississippi KAREN McCARTHY, Missouri VITO FOSSELLA, New York TED STRICKLAND, Ohio ROY BLUNT, Missouri DIANA DeGETTE, Colorado STEVE BUYER, Indiana LOIS CAPPS, California GEORGE RADANOVICH, California MICHAEL F. DOYLE, Pennsylvania CHARLES F. BASS, New Hampshire CHRISTOPHER JOHN, Louisiana JOSEPH R. PITTS, Pennsylvania TOM ALLEN, Maine MARY BONO, California JIM DAVIS, Florida GREG WALDEN, Oregon JAN SCHAKOWSKY, Illinois LEE TERRY, Nebraska HILDA L. SOLIS, California ERNIE FLETCHER, Kentucky MIKE FERGUSON, New Jersey MIKE ROGERS, Michigan DARRELL E. ISSA, California C.L. ``BUTCH'' OTTER, Idaho Dan R. Brouillette, Staff Director James D. Barnette, General Counsel Reid P.F. Stuntz, Minority Staff Director and Chief Counsel ______ Subcommittee on Oversight and Investigations JAMES C. GREENWOOD, Pennsylvania, Chairman MICHAEL BILIRAKIS, Florida PETER DEUTSCH, Florida CLIFF STEARNS, Florida Ranking Member RICHARD BURR, North Carolina DIANA DeGETTE, Colorado CHARLES F. BASS, New Hampshire JIM DAVIS, Florida GREG WALDEN, Oregon JAN SCHAKOWSKY, Illinois Vice Chairman HENRY A. WAXMAN, California MIKE FERGUSON, New Jersey BOBBY L. RUSH, Illinois MIKE ROGERS, Michigan JOHN D. DINGELL, Michigan, W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio) (Ex Officio) (ii) C O N T E N T S __________ Page Testimony of: Able, John M., Pennsylvania Attorney General................. 55 Broder, Betsy, Assistant Director, Division of Planning and Information, Bureau of Consumer Affairs, Federal Trade Commission................................................. 42 Burke, Kevin J., Deputy Chief Inspector, Eastern Field Operations, U.S. Postal Inspector.......................... 50 Kane, Michelle............................................... 11 Lenahan, Milissa J., Assistant VP/Assistant Operations Officer, First National Band and Trust Company of Newtown.. 30 O'Neill, Hon. Bernard T., Pennsylvania State Representative.. 5 O'Neill-Lagier, Brigid, Red Cross, Chief Executive Officer, American Red Cross Blood Services, Penn-Jersey Region...... 13 Periandi, Lt. Col. Ralph M., Deputy Commissioner, Operations, Pennsylvania State Police.................................. 61 Ryan, Robert, Senior Director of Government Relations, TransUnion................................................. 25 (iii) IDENTITY THEFT: ASSESSING THE PROBLEM AND EFFORTS TO COMBAT IT ---------- MONDAY, DECEMBER 15, 2003 House of Representatives, Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, Langhorne, PA. The subcommittee met, pursuant to notice, at 10:12 a.m., in Middleton Township Municipal Building, Langhorne, Pennsylvania, Hon. James C. Greenwood (chairman) presiding. Members present: Representatives Greenwood and Gerlach. Staff present: Ann Washington, majority counsel and Billy Harvard, legislative clerk. Mr. Greenwood. Good morning, everyone. I am Congressman Jim Greenwood, and I am chairman of the Subcommittee on Oversight and Investigations of the Energy and Commerce Committee, and I would like call this hearing to order. We thank you all for being here. Welcome to this field hearing of the Subcommittee on Oversight and Investigations of the House Energy and Commerce Committee. We are here today to discuss the problem of identity theft, one of the fastest growing white collar crimes in the United States. The Federal Trade Commission estimates that each year, 10 million Americans fall victim to identify theft, which translates into tremendous costs, both for the defrauded businesses and for the victimized consumers. What I hear from victims time and again is how draining the experience is, both emotionally and financially. Luckily, most victims are protected so that they usually do not incur any actual out of pocket loss. The problem lies in the other ways in which the theft of Social Security numbers, bank account numbers and related financial and personal information affects an individual's life. A victim's good credit can be severely damaged to the point of preventing the legitimate purchase of a new car or house, and the damage can take months to correct. What is astounding is the audacity of these thieves. They steal bill payments from your mailbox, they make scamming phone calls to banks. We have all heard some of the stories, but let me highlight a few particularly egregious ones. In 2001, a restaurant busboy in Brooklyn, New York used computers at a library, web-enabled cell phones, virtual voicemail and courier services to try to steal the identities of more than 200 CEOs, celebrities and tycoons. Their names were posted in a Forbes article on the 400 richest people in America. The crook was caught when one of the transactions he attempted drew attention because of its size, a transfer of $10 million from an account owned by Thomas Siebel, founder of Siebel Systems. In 2002, the largest ring of identity thieves was apprehended for stealing tens of thousands of credit reports over a period of 3 years. The ring members allegedly stole credit reports from three major commercial credit reporting agencies and used that information to siphon funds from bank accounts and to make fraudulent purchases. Authorities have accounted for $2.7 million in losses from that ring so far. And just last month, a California man was arrested for stealing computers containing the personal information of thousands of Wells Fargo Bank customers. The man was apprehended at his home with the computer and equipment used for scanning identity cards and checks. According to the FTC's Identity Theft Clearinghouse Data base, in Pennsylvania alone, 5,080 consumers reported that they were victims of identify theft in 2002. People between the ages of 30 and 39 were hardest hit. This is the time in life when typically people are starting to accumulate good credit and considering some of those important life decisions like buying a home or having a child, decisions that can be greatly complicated if one's credit has been damaged. Today, we will hear testimony from several victims of identity theft, Michelle Kane, whom I had the pleasure of meeting recently, and State Representative Bernie O'Neill, who as a victim himself and how assists other victims with their plight. We will hear from the Red Cross, which has also fallen victim to identity theft. This is a double travesty. The services that a reputable organization like the Red Cross provides, are essential to us all in times of great need. For someone to put an organization of the Red Cross' caliber at jeopardy by attempting to steal personal information from its blood donors is deplorable. I hope the Federal law enforcement agencies currently pursuing such actions will quickly find the perpetrators and swiftly bring them to justice. We will also hear today testimony from representatives from the private sector organizations that have to contend with identity theft, Bob Ryan from TransUnion and Missy Lenahan from a local financial institution, First National Bank and Trust. Banks are on the front line of this type of fraud, fielding the initial calls from victims and taking most of the financial losses. We will hear from Betsy Broder of the Federal Trade Commission, and Kevin Burke of the U.S. Postal Inspection Service this morning. They will discuss their efforts to assist victims and to chase down the fraudsters who so callously use other people's identities for their own purposes. John Abel from the Pennsylvania Attorney General's Office and Lieutenant Colonel Ralph M. Periandi from the Pennsylvania State Police will testify about their offices' efforts to combat this problem here at home and what services they can offer to victims. I want to thank everybody for participating this morning. We want to provide the public with as much assistive information as we can this morning as to what steps they can take to avoid becoming victims, and in the event that they do fall victim to this fraud, what they can do to stop the financial bleeding as quickly as possible. We recognize and are pleased that the Fair and Accurate Credit Transaction Act, or the FACT Act, was just signed into law by President Bush on December 4. This will provide victims of identity theft with additional assistance and protections by giving national uniformity to industry best practices regarding identity theft prevention and aid. I am eager to see the benefits flowing from this implementation of this Act, but also believe it is prudent to build a record on this important issue in this Subcommittee in case it becomes necessary to consider additional legislation within our Committee's jurisdiction on this topic further down the road. So I thank all of the witnesses for being, and I would like to yield now to my Pennsylvania Congressman--colleague, Congressman Jim Gerlach, who while not a member of this Subcommittee, is an active participant in legislating on this issue. Mr. Gerlach, welcome to Bucks County, and the microphone is yours. Mr. Gerlach. Thank you, Mr. Chairman, and thank you very much for the opportunity to be here today and to listen to the testimony of those that present to us on this very important issue. In addition to the facts that you have set forth to give us a sort of broad opening view of this problem nationwide, I wanted to have an opportunity to submit some remarks for the record which we have here on the issue that I have been involved in since being contacted by the Montgomery County District Attorney, Bruce Castor, on this issue some time ago. And what I would like to do is just maybe highlight some of those remarks very briefly, and hopefully allow that to also set a stage for what we are going to hear today from our presenters. In Montgomery County, hundreds of individuals were victimized by the owner of an auto dealership in Limerick Township. The victims provided their personal information to the alleged thief in their efforts to buy a new car. He then allegedly used that information to obtain more than $4 million in loans, some of which were fraudulent on their face and some which were legitimate loans used for fraudulent purposes. For instance, the thief secured the loans as requested by the victims, but instead of paying off the liens on the victims' old cars, used the money for his own purposes. Civil and criminal cases were then brought in Montgomery County, and those are pending, as a result of that fraudulent conduct, and while these victims may eventually receive financial damages, they have found themselves in a quagmire when it comes to getting their credit record repaired. After receiving notification from the Montgomery County District Attorney that these loans were fraudulently obtained, many creditors refused to withdraw any negative notations or entries on the victims' credit record. Further, many of these victims continue to be harassed by creditors or collection agencies, and some face foreclosure on their belongings, loss of life savings, and an inability to get loans of any kind. As many of the Montgomery County victims have found, while the thief may be criminally prosecuted, the burden to repair the damage inflicted by an identity thief is on the one that is harmed, and the only method by which one can individually attempt to repair his or her good name and credit is by pursuing civil action against the creditors and debt collectors. This has proven very difficult, very time consuming and very expensive. That is why we have introduced legislation called PITFALL, Prevent Identity Theft From Affecting Lives and Livelihoods Act, which provides relief and alternatives to those who have already been victimized by an identity thief. While existing legislation primarily focuses on prevention or mitigation of the crime, this legislation is designed to aid those for whom prevention and mitigation is too late. When existing laws fail to protect identify theft victims, this legislation prevents creditors, debt collectors, consumer reporting agencies and financial institutions from harassing victims and further sabotaging their financial well-being. Once the State's highest law enforcement officer, or in this case, a District Attorney of one of the counties of the Commonwealth of Pennsylvania, has conclusively determined that the debt or loan was fraudulently incurred, under the legislation, once the law enforcement official determines that a person is, in fact, a victim, a no fault statement would be issued. This statement would cite the victim's lack of involvement in obtaining the debt or loan, and the victim may then forward the statement to creditors, debt collectors, credit reporting agencies and financial institutions. Upon receipt of the no fault statement, any business acting as a creditor, credit agency, or collector would be required to cease all collection activities and hold the victim harmless from any fraudulently incurred financial obligations. They would further be required to withdraw or correct any negative entries on the victim's credit history with regard to those transactions or obligations created by the identity theft. Failure to recognize this no fault statement by those institutions and to cease collection activities or remove negative entries from the credit record would result in State enforcement and civil liability. It would also, the legislation, fill gaps in the law such as that which has allowed creditors to continue harassing the Montgomery County victims despite a determination by the law enforcement officials in that locality that they were not involved in incurring the debt. This legislation makes enforcement provisions in the Truth in Lending Act, the Fair Credit Reporting Act, the Fair Debt Collections Practices Act and the Electronic Funds Transfer Act consistent. Each of these Acts currently provide for civil liability and administrative enforcement, and the Fair Credit Reporting Act also provides for State enforcement in Federal District Court, and the Electronic Funds Transfer Act provides for criminal liability. The Truth in Lending Act currently permits State enforcement, but only for predatory lending practices. To make these four important Acts consistent, this legislation, H.R. 2396, will amend the Fair Debt Collection Practices Act and Electronic Funds Transfer Act to permit a State to bring about an action against a person or entity acting in violation of the PITFALL provisions. The PITFALL legislation will also expand State action provisions in Truth in Lending Act and provide actual damages, monetary fines and in the severest cases, imprisonment for violations. So you can see that, given what is even happening in our local area, there is a lot of need for continued Federal oversight and legislative action on this issue, and I want to extend my appreciation for you for taking on this issue as chairman of the subcommittee, and look forward to all the important information and testimony we will receive today. Thank you. Mr. Greenwood. Thank you, Congressman Gerlach. Before we call our first witness, I thought it would be an interesting way to introduce this subject. We are going to present a video made by the Postal Inspection Services that outlines, rather dramatically, what the--how this crime takes place and what its consequences may be. Technical difficulties here. Is it rewound? Here we go. [Video shown.] Mr. Greenwood. Okay. Now playing the part of our first witness will be State Representative Bernie O'Neill, and Mr. O'Neill, will you please come forward. Welcome, thanks for being with us this morning. Mr. O'Neill. Thank you. Mr. Greenwood. You can have a seat. As you--and if you want to bring one of the black microphones in front of you. As you probably have been told, this is an investigative hearing, and when we---- Mr. O'Neill. Sure. Mr. Greenwood. [continuing] take testimony at an investigative hearing, we do it under oath. Do you have any objections to giving your testimony under oath? Mr. O'Neill. Not at all. Mr. Greenwood. Okay. I also need to advise you you are entitled to counsel. This was something that was very important to our Enron witnesses, but probably not important to you. Do you wish to be advised by counsel? Mr. O'Neill. Not at all. Mr. Greenwood. Okay. Then if you would stand and raise your right hand. [Witnesses sworn.] Mr. Greenwood. You are under oath and you are recognized for your statement, sir. TESTIMONY OF HON. BERNARD T. O'NEILL, PENNSYLVANIA STATE REPRESENTATIVE; MICHELLE KANE; AND BRIGID O'NEILL-LAGIER, RED CROSS CHIEF EXECUTIVE OFFICER, AMERICAN RED CROSS BLOOD SERVICES Mr. O'Neill. Thank you, Mr. Chairman. Good morning. Good morning, Congressman Gerlach. Mr. Greenwood. Probably want to bring the microphone even a little closer than that. There. Mr. O'Neill. How is that? Here? I am State Representative Bernie O'Neill, from the 29th Legislative District here in Central Bucks County, and with me today is my legislative aide, Cindy Beck, who is leading the education effort on identify theft here in Bucks County. Identity thieves steal more than $1 billion a year from unsuspecting and unprepared consumers. In the bulk of cases, the consumers don't know their identity theft--were stolen. Credit card fraud accounts--or excuse me, credit card fraud accounts for 42 percent of the complaints, followed by scams where phone and utility accounts were created in a person's name without his or her knowledge. With these, criminals make thousands of dollars at their victim's expense. The victim is left with years of anguish and frustration trying to sort out and restore his good name and credit, or clear a criminal record. I am here today to share with you how identity theft has grown, especially here in Bucks County, and what we are trying to do to stop it. While the other witnesses today will go into the staggering statistics and efforts being undertaken to combat identity theft, I am here to put a face on this appalling crime. Anyone can become a target of identity theft. Thieves are stealing personal information from a number of different sources, including credit card receipts, birth certificates and Social Security cards. Just putting your bills in your mailbox to be sent out is a sign to a would-be identity thief that you are an easy target. To educate my constituents about this growing crime, I am holding public forums on identity theft throughout my legislative district. These forums will continue through the month of February. These forums have been very well attended. Our first forum was in Solebury Township on November 14. We have had presentations by local law enforcement officials, including Chief Richard Mangan of Solebury Township Police Department, Chief Henry ``Rick'' Pasqualini of the New Hope Borough Police Department and representatives from the Pennsylvania's Attorney General Office and the United States Postal Inspection Service. Dates are being finalized for the series of upcoming identity theft forums throughout the 29th Legislative District. January programs have been scheduled for Buckingham Township with Chief Daniels, Warminster Township with Chief Jim Gorczynski and a second evening forum in New Hope-Solebury with Chief Mangan and Pasqualini. February programs have been scheduled in Warwick Township with Chief Costello and Upper Southampton Township with Chief Schultz. Topics have included tips on avoiding identity theft, ways in which identity theft occurs and why students as well as senior citizens are targeted. It is sad that victims do not become aware that their identities have been stolen until they get an astronomical credit card statements, cell phone bills and other charges. I can personally attest that obtaining this information is far too easy. From my own personal experience, my phone number was stolen and for 3 to 4 months, my phone bill exceeded $300 to $500 in total charges. That number was used from the same pay phone in New York City, and my case is minor compared to other stories that have been shared with me. Even local enforcement officials who I have been dealing with have been victims of identity theft themselves. As a State legislator, I have been involved in helping make identity theft less attractive to would-be thieves. Last year, a new law was enacted that escalates the penalties for this crime. Through legislation introduced by Representative Matt Baker of Wellsboro, Tioga County, the Pennsylvania House of Representatives has taken steps to increase the penalties for identity theft, making a first offense of the crime a felony of the third degree, carrying a maximum penalty of 7 years in prison and a $15,000 fine. A third or subsequent offense raises the crime to a felony of the second degree, with a maximum penalty of 10 years in prison or a $25,000 fine. I am hopeful these forums will help residents become more educated about identity theft and will learn how they can protect themselves and their identities. There is nothing more frustrating than finding out that your whole identity has been stolen and used for fraudulent purposes. And I can tell you since we began the forums, my wife and I have stopped putting our mail in our mailbox with the little red flag up, and we have purchased a shredder for our home. I have always used one in the office, but it never dawned on me of using one at home. So, I am more than welcome to answer any questions that you may have. [The prepared statement of Hon. Bernard T. O'Neill follows:] Prepared Statement of Hon. Bernie O'Neill, Representative, Pennsylvania State House Good morning. I am State Rep. Bernie O'Neill from the 29th Legislative District in central Bucks County. Identity thieves steal more than $1 billion a year from unsuspecting and unprepared consumers. In the bulk of the cases, the consumers don't know how their identities were stolen. Credit card fraud accounts for 42 percent of the complaints, followed by scams where phone or utility accounts were created in a person's name without his or her knowledge. While these criminals make thousands of dollars at their victim's expense, the victim is left with years of anguish and frustration trying to sort out and restore his good name and credit or clear a criminal record. I'm here today to share with you how identity theft has grown, especially here in Bucks County and what we're trying to do to stop it. While the other witnesses today will go into the staggering statistics and efforts being undertaken to combat identity theft, I'm here to put a face on this appalling crime. Anyone can become a target of identity theft. Thieves are stealing personal information from a number of different sources, including credit card receipts, birth certificates and Social Security cards. Just putting your bills in your mailbox to be sent out is a sign to a would-be identity thief that you are an easy target. To educate my constituents about this growing crime, I am holding public forums on identity theft throughout my legislative district. These forums will continue through February. These forums have been very well attended, with 50 to 60 people coming out for our first forum in Solebury on Nov. 14, 2003. We have had presentations by local law enforcement officials, including Chief Richard Mangan of Solebury Township Police Department, Chief Henry ``Rick'' Pasqualini of the New Hope Borough Police Department, and representatives from the Pennsylvania Attorney General's Office and the United States Postal Inspection Service. Dates are being finalized for the series of upcoming identity theft forums throughout the 29th legislative district. January programs have been scheduled in Buckingham Township with Police Chief Stephen Daniels, Warminster Township with Police Chief Jim Gorczynski, and a second evening forum in New Hope-Solebury, with Chief Richard Mangan and Chief Henry ``Rick'' Pasqualini. February programs have been scheduled in Warwick Township with Police Chief Joe Costello, and Upper Southampton Township with Police Chief David Schultz. Topics have included tips on avoiding identity theft, ways in which identity theft occurs, and why students as well as senior citizens are targeted. It is sad that victims do not become aware their identities have been stolen until they get astronomical credit card statements, cell phone bills, or other charges. I can personally attest that obtaining this information is far too easy. From personal experience, my phone number was stolen and for three months my phone bill exceeded $300 in toll charges. That number was used from a pay phone in New York City. And my case is minor compared to other stories that have been shared with me. Even local law enforcement officials are identity theft victims. As a state legislator, I have been involved in helping make identity theft less attractive to would-be thieves. Last year, a new law was enacted that escalates the penalties for this crime. Through legislation introduced by Rep. Matt Baker from Wellsboro, Tioga County, the Pennsylvania House of Representatives has taken steps to increase the penalties for identity theft, making a first offense of the crime a felony of the third degree, carrying a maximum penalty of seven years in prison and a $15,000 fine. A third or subsequent offense raises the crime to a felony of the second degree with a maximum penalty of 10 years in prison and a $25,000 fine. I am hopeful these forums will help residents become more educated about identity theft and will learn how they can protect themselves and their identities. There's nothing more frustrating than finding out that your whole identity has been stolen and used for fraudulent purposes. Mr. Greenwood. Thank you, Representative O'Neill. The Chair will recognize himself for questioning. Tell us about after you discovered that your telephone bill was inflated and calls were being made from a pay phone in New York City. Was it difficult for you to--what did you go through with the phone company so that they would accept the fact that these were not your obligations? Mr. O'Neill. Right. The first thing I did was I--when I got the first phone bill, which exceeded $300, I called the phone company and I explained to them that these weren't my charges and I didn't understand where they were coming from, and they said they would investigate it, and they actually sent me some paperwork to fill out. It continued for several months after that, and they eventually were able to find out that what was actually stolen was my phone card ID number, which is very interesting, because I didn't carry the card with me. I never had the card. I knew it by rote memory, so what is really appalling is how they were able to get that number and use it. Mr. Greenwood. Did you ever figure out how they did that? Mr. O'Neill. To this day, we have never figured out how they ever got the number. The number was subsequently canceled, and that is when the charges certainly stopped. I believe, if I am not mistaken, I was held accountable for $50 each month for those expenses, and I did receive a phone call from the phone company several months later telling me that they finally tracked that all the phone calls were--every one of them were made from the same pay phone in--somewhere in the city of New York. Mr. Greenwood. And they were never able to catch the perpetrator? Mr. O'Neill. No, they never did catch him or her, no. Mr. Greenwood. And of course, you were personally responsible for the $50. Mr. O'Neill. Yes. Mr. Greenwood. The phone company picked up the rest. That means we all---- Mr. O'Neill. Yes. Mr. Greenwood. [continuing] picked up the rest. Mr. O'Neill. Everyone paid for it. That is correct. Mr. Greenwood. And I think that is an interesting thing that we found, is that frequently, as I mentioned in my opening statement, the victim him or himself may have limited financial exposure, and the credit card companies frequently have limited exposure, and it frequently falls to the--if it is a retail purchase, the retail store ends up absorbing the loss, which again means that in terms of the billions of dollars that are stolen in this method, that it is built into the prices that we all pay for goods and services. One of the issues that the Congress wrestles with in general, but in this case specifically, is whether to act Federal legislation, given the fact that obviously, here in your case, it was a crime perpetrated--you could say it was perpetrated in New York, you could say it was perpetrated in Pennsylvania. Mr. O'Neill. Correct. Mr. Greenwood. Or both. And the need for interstate cooperation is--and harmonization is important. On the other hand, some states, particularly California, which has a very strict law, doesn't like the fact that the U.S. Congress, most notably just on the bill signed by the President on December 4, superseded State law. Now, you are a State legislator. Do you have a view on whether you think it is appropriate for the Congress to supersede State laws, or do you think the states need to have their own---- Mr. O'Neill. Well, I would think--I think each State needs to certainly enact their own laws and make them as stiff as possible for what happens within the confines of their own state, but I would agree with you that I think the Congress has to--I can tell you that I am the guardian of my aunt, who is well along in Alzheimer's. And I am now dealing with her credit cards, which we are beginning to think they were fraudulently used, because we are talking about $28,000 were run up on her charge cards and not in this state, and we have no idea how these numbers ever got out, other than the fact that, you know, when she---- Mr. Greenwood. Is your credit card number, which was what was stolen from you, is that printed on your phone bill? Mr. O'Neill. No. Mr. Greenwood. That doesn't show up on your phone bill. Mr. O'Neill. Not that I am aware of, no. No. Mr. Greenwood. And certainly the PIN number does not. Mr. O'Neill. No. Mr. Greenwood. So someone would have either---- Mr. O'Neill. Yeah, I---- Mr. Greenwood. [continuing] I guess just hacked into the system to get your--to match your phone number---- Mr. O'Neill. Somehow, I actually saw on--a couple years ago, I saw on--it was either 20/20 or one of those type of shows on television, ways that they were stealing numbers at airports and that sort of thing when you were using them, and that may have been how it was taken. We are not really sure. Mr. Greenwood. And I suppose also someone could theoretically stand next to you at a phone and watch and listen as you---- Mr. O'Neill. Well, that is basically what they do in an airport, in a busy airport. They sit there and--they make-- pretend they are making a phone call, and they are standing right next to you and you are punching in your number and they are just watching your numbers go in, which is also your PIN number as well, after you---- Mr. Greenwood. Right. Mr. O'Neill. [continuing] punch in the number. Mr. Greenwood. Thank you. Congressman Gerlach? Mr. Gerlach. No questions, but the exact same thing happened to me. Mr. O'Neill. Oh, jeez. Mr. Gerlach. With my long distance credit card number, phone number, and---- Mr. O'Neill. Right. Mr. Gerlach. [continuing] had about 2 months worth of couple hundred dollars charges, calls to Europe, which I know I---- Mr. O'Neill. Yeah. Mr. Gerlach. [continuing] wouldn't have made, and you know, the phone company resolved it, but the exact same situation as yours. Mr. O'Neill. Right. Mr. Gerlach. And I had no idea how they got the numbers to do that, other than maybe, you know, the service plaza on the turnpike. I went back from Harrisburg at that time, and maybe somebody was standing next to me, but you know, you punch those numbers pretty darn quick. Mr. O'Neill. Yeah. Mr. Gerlach. You wonder how they can even keep track of it, but it is a bad problem, so I know exactly what you mean. But thank you. Mr. O'Neill. Thank you. Mr. Greenwood. Thank you. We have no further questions for you. Mr. O'Neill. Thank you. Mr. Greenwood. We appreciate your appearance here this morning. Thank you. Mr. O'Neill. Have a good day. Mr. Greenwood. And the Chair would now call forward our two next witnesses for the first panel, Mrs. Michael Kane of Warminster and Brigid O'Neill-LaGier, Chief Executive Officer of the American Red Cross Blood Services for the Penn-Jersey Region. Welcome. And I think we need you to make sure you pull those--each pull your microphone quite close to you as you testify, because they are apparently very directional. As-- welcome and thank you again for being here this morning, both of you. As you heard me indicate to Mr. O'Neill, we take our testimony under oath in this Committee. Do either of you have any objections to giving your testimony under oath? Ms. O'Neill-LaGier. No. Mrs. Kane. No. Mr. Greenwood. Okay. And you are both represented--entitled to be represented by counsel. Do either of you wish to be represented by counsel this morning? Ms. O'Neill-LaGier. No. Mrs. Kane. No need. Mr. Greenwood. Okay. If you would stand, then, and raise your right hands. [Witnesses sworn.] Mr. Greenwood. You are under oath, and I think we will start alphabetically with Mrs. Kane. Welcome, and---- Mrs. Kane. Good morning. How are you? Mr. Greenwood. I am very well. How are you? Mrs. Kane. Nervous. Mr. Greenwood. Nervous. No need to be nervous. And you have as much time as you would like to make a statement for us this morning. Mrs. Kane. Okay. Can you hear me? No? Okay. Mr. Greenwood. All right. Tap on your--on that--okay. We have some ability to control the volume of the microphone. It seems to be on, but not---- Mrs. Kane. Okay. Is that better? Mr. Greenwood. Can you hear in the back yet? TESTIMONY OF MICHELLE KANE Mrs. Kane. All right. Identity theft has been referred to as an invisible assault, and I should know, because unbeknownst to me, a woman from Schenectady, New York was able to steal my good name. A little over 2 years ago, I was offered a free credit report. My credit was perfect, and I was expecting to receive a report that reflected that. Imagine my surprise when my report history came back 33 pages thick. I assumed there must be some sort of mistake of the credit agencies. Perhaps my name was mingled with another Michelle Kane. I had heard of that happening. After all, I had always been very careful with the use of my credit cards and my Social Security number. Boy, was I wrong. Unfortunately, the credit agencies were not mistaken. A woman from Schenectady, New York had been using my Social Security number for approximately 2 years, and managed to charge over $70,000 in my name. She started out small, opening a few credit cards, and then gained more confidence, obtaining a car loan and eventually a mortgage. The perpetrator, who is also named Michelle Kane, said she received the Social Security number from a friend and just thought she was able to use it. However, investigators believed that she obtained it through her place of employment. She worked for a vision company and had access to insurance company data bases. The Schenectady, New York Michelle Kane did get caught and served a year in prison, thank to the fact that investigators hired by the mortgage company worked so diligently. Even though the woman went to jail, the task of clearing my credit history still existed. The red tape and jumping through hoops started from the very beginning. The first step of reporting the crime was not very simple. I first called the Schenectady Police Department, and they were unable to do anything because I could not file a report in person. It was 5 hours away. When I called my local police department and they were unable to do much, because it was not in their jurisdiction. It did not get much easier with the three credit agencies, TransUnion, Experian and Equifax. They did send the information to me in my credit reports, but it was up to me to decipher it. The agencies' listed the creditors. However, many times as an abbreviation, and the biggest hassle was getting a phone number to go along with the bank. Sometimes, it was listed and sometimes, it was not. To get a number that was a 1-800 number that corresponded to the correct department in the bank was a rarity. For example, my husband and I spent countless hours trying to contact one of the names that was on the list, which was Verizon NE. It sounds simple enough until you try and actually find them. No one in the company knew who Verizon NE was when you called Verizon. Was it Northeast, New England, Nebraska? Which division did Verizon--which division of Verizon were we trying to contact? A wireless line, a land line, the Internet? So the countless hours of trying to figure out who you are contacting was very hassle-some. Aside from the financial burden of huge phone bills and trying to track down the banks, and the countless hours wasted trying to sort through the red tape, the biggest problem is proving your identity to the creditors and convincing them that you did not make the charges. Over 2 years have passed, and I am hopeful that my credit history will soon be clear. I am hopeful that this does not come back to haunt me, and I am hopeful that there will be some improvements for the rest of the victims out there. Now, I was told if I wanted to make some suggestions, which I did. [The prepared statement of Michelle Kane follows:] Prepared Statement of Michelle Kane Identity Theft has been referred to as the ``invisible assault'', and I should know because unbeknownst to me, a woman was able to steal my good name. A little over two years ago, I was offered a free credit report. My credit was perfect and I was expecting to receive a report that reflected that. Imagine my surprise when my report history came back 33 pages thick. I assumed there must be some sort of mistake with the credit agencies. Perhaps my name was mingled with another Michelle Kane; I have heard of that happening. After all, I have always been very careful with the use of my credit cards and Social Security Number. Boy, was I wrong! Unfortunately, the credit agencies were not mistaken. A woman from Schenectady, New York had been using my Social Security Number fro approximately two years and had managed to charge over $70,000 in my name. She stated out small, opening a few credit cards, then gained more confidence obtaining a car loan and eventually a mortgage. The perpetrator, who is also named Michelle Kane, said she received the Social Security Number from a friend and thought she was able to use it. However, investigators believe she obtained it through her place of employment. She worked for a vision company and had access to insurance company databases. The Schenectady, New York Michelle Kane did get caught and served a year in prison thanks to the fact investigators hired by the mortgage company work so diligently. Even though this woman went to jail, the task of clearing my credit history still existed. The red tape and the jumping though hoops started from the very beginning. The first step of reporting the crime was not very simple. I first called the Schenectady Police Department and they were unable to do anything unless I filed a police report in person. I then called my local police department they were unable to do much because it was not in their jurisdiction. It did not get any easier with the three credit agencies (Transunion, Experian and Equifax). They sent the information, but it was up to me to decipher it. The agencies listed the creditors, however many times just as an abbreviation. One of the biggest hassles was getting a phone number to the bank. Sometimes it was listed and sometimes it was not. To get a phone number that was a 1-800 number that corresponded to the correct department in the bank was a rarity. I.e., My husband and I spent countless hours trying to contact Verizon NE. No one in the company knew who this was; did NE stand for North East, New England, Nebraska? Which division of Verizon was this; wireless, landline or Internet? Aside from the financial burden of huge phone bills trying to track down the banks, and the countless hours wasted trying to sort though the red tape, the biggest problem is proving your identity to the creditors and convincing them you didn't make the charges. Over two years have passed and I am hopeful that my credit history will soon be cleared. I am hopeful that this does not come back to haunt me. And I am hopeful that there will be improvements for the rest of the victims out there. My Suggestions for Improvement: Free yearly credit reports Transunion, Experian and Equifax list a local advocates phone number on the credit report. (Consumer Protection Number). Mandatory listing of all creditors' phone numbers that appears on credit report. (1-800). Mr. Greenwood. Go ahead. Mrs. Kane. Okay. My first suggestion is that there be some sort of legislation, which I know there are some people working on this for a free credit report from the credit agency, whether it be via email or, you know, it is expensive to send postage to thousands and thousands of people, but I think in the long run, it could save lots of money. TransUnion, Experian and Equifax, I think should list a local advocate, a phone number on their credit report, which I was just going blindly through this, and I think it would save a lot of hassle if maybe at the end of the credit report, they say you can contact your local consumer report person and here is the steps which you follow, so you just don't go blindly through this. And last, a mandatory listing of all of the creditors' phone numbers that appear on your credit report, so you don't have to, once again, track down these people and try and clear your credit. They don't even give you, for security purposes, your account number. So when you are trying to tell them who you are, the first thing they say is your account number, please, and you don't have it, so. Anyway, they are my suggestions, oh, and, of course, a 1- 800 number at which to contact them, so. Mr. Greenwood. Those are very good suggestions, and that is why we are holding this hearing, to learn things like that. Thank you. Mrs. Kane. You are welcome. Mr. Greenwood. Ms. O'Neill-LaGier, am I pronouncing that right? Ms. O'Neill-LaGier. Yes, you are. Mr. Greenwood. Okay. Ms. O'Neill-LaGier. Thank you. Mr. Greenwood. Make sure you speak directly into the microphone, please. Ms. O'Neill-LaGier. I will try to do that. Mr. Greenwood. You are recognized for your testimony. TESTIMONY OF BRIGID O'NEILL-LAGIER Ms. O'Neill-LaGier. Good morning, Mr. Chairman, and Congressman Gerlach. Thank you for your invitation to testify on the important subject of identity theft. I am Brigid O'Neill-LaGier, Chief Executive Officer of the Penn-Jersey Blood Services Region of the American Red Cross, headquartered in Philadelphia. I would respectfully ask that my entire statement and attachments be included in the record. Mr. Greenwood. And will be without objection. Ms. O'Neill-LaGier. The Red Cross has been helping people since 1881. You can see us at work in communities across the country and here in southeastern Pennsylvania and New Jersey, thousands of times a day, teaching first aid or CPR classes, keeping members of the military and their families connected through emergency communications, caring for disaster victims, and collecting and delivering blood. Thousands of area residents participate in that work as volunteers, blood donors and financial contributors. As one of 36 Red Cross regional blood services, the Penn-Jersey region is the major supplier of blood in southeastern Pennsylvania and New Jersey. Continuing a tradition begun more than 50 years ago, the mission of the Penn-Jersey region is to fulfill the community's need for the safest, most reliable and cost-effective blood products and transfusion services. In 1994, the Red Cross dedicated the Musser Blood Center, which houses the blood supply for more than 125 southeastern Pennsylvania and New Jersey hospitals; the Philadelphia National Testing Laboratory, which provides infectious disease and type testing of blood donations for 4 Red Cross blood centers and several non-Red Cross blood centers; and the National Reference Laboratory for Blood Group Serology, serving more than 3,000 hospitals nationwide. Hospitals and patients in southeastern Pennsylvania and New Jersey benefit from an array of transfusion support services including lifesaving blood products delivered 24 hours a day, 365 days a year, and physicians and technical experts available for consultation around the clock. Mr. Chairman, last year, the Penn-Jersey Region collected more than 262,000 whole blood donations and nearly 11,000 platelet and granulocyte donations, and additionally imported 135,000 blood products to meet the local community transfusion needs of over 800,000 blood products. In southeastern Pennsylvania and New Jersey, the Red Cross conducted over 11,000 blood drive operations, which assisted over 300,000 volunteer blood donors who stepped forward to save lives. The Red Cross takes the confidentiality of our blood donors very seriously. As a regulated service, blood collection is a very detailed process designed to ensure the safety and security of the blood donor, the blood supply and those who are trained to collect, manufacture and distribute blood products. The Food and Drug Administration Center for Biologics Evaluation and Research is responsible for regulatory oversight of the U.S. blood supply. FDA promulgates and enforces standards for blood collection and for the manufacturing of blood products, including both transfusable components of whole blood, pharmaceuticals derived from blood cells or plasma, and related medical devices. The American Red Cross Penn-Jersey Blood Region activity is regulated not only by the FDA, but also, on a local level, by the State of Pennsylvania, the State of New Jersey, AABB, as well as national American Red Cross standards, policies and procedures. As you may know, an investigation is currently being conducted by Federal authorities into identity theft at the American Red Cross Penn-Jersey Blood Region. Investigators learned that several individuals' personal identification information, such as names and Social Security numbers, had been used to obtain credit and make purchases. A common denominator was that they had all donated at one of four Red Cross blood drives held in the southeastern Pennsylvania area in November and December 2002. We have recently learned that several donors at two additional blood drives during the same period were victims of identity theft. Social Security numbers are utilized during the donation process to uniquely identify each blood donor and help us accurately connect the donor with his or her donation history, which is important for both donor and patient safety. While advances in technology and record keeping have afforded us increased security options, Social Security numbers remain the universally accepted means of identification. Upon learning of the problem in February 2003, we immediately contacted the U.S. Attorney's Office for the Eastern District of Pennsylvania and requested that an investigation be opened and a task force of Federal law enforcement officials be developed to fully investigate the matter. We are also working closely with the Federal Bureau of Investigation and the U.S. Postal Inspection Service. We have acted aggressively and cooperated fully with investigators to assist them in resolving this matter quickly and thoroughly. We have also launched a rigorous review of our security procedures. We have no reason to believe that our electronic data base has been compromised. This continues to be an open case, and consequently, I am sharing with you only the details that have been made public and will not hinder the ongoing investigation. We want to make clear that the safety of the blood supply has in no way been compromised. To date, the investigation has been contained in the southeastern Pennsylvania area, and limited to six blood drives in the November through December 2002 timeframe. We are aware of at least 23 individuals who were blood donors and were also victims of identity theft. Our first concern is for those who may have been victimized. I have personally contacted representatives of the four blood drive sponsor groups, and I am in the process of contacting the two new groups we learned about last week. We have notified 1,400 donors in writing who participated in the first four blood drives, and letters are going out to all donors from the two additional identified blood drives. I have attached a generic copy of that correspondence for the record. This letter gives step by step actions they should take if they are concerned about the security of their personal information. The information was provided to us by Federal law enforcement officials. In addition to the information in the letter, we have set up a special Red Cross toll-free telephone number to assist donors who believe they may have been victims. This line is answered by specially trained staff to provide more detailed information about security of donor information and to assist donors in checking their credit reports. Despite this isolated situation, you can be certain that specific steps are taken throughout the Penn-Jersey Region's blood donor centers to ensure that blood donor information is secure. Some of them include that donor records are handled exclusively by authorized personnel trained to deal with confidential information. Before interacting with the public, our blood service region employees go through in-depth training that also requires signing a confidentiality agreement and a Code of Conduct agreement. Information entered on the blood donation record form completed by donors at the blood drive is protected from view by others during the donation process, and access to information is limited to authorized staff who need it in order to process the blood donation. Every person who handles this information is known and identified to us. Also, once donor information is entered into a computer at the blood center, the blood donation record form is shredded, and access to our computers and computer data bases is strictly limited. Mr. Chairman, the Red Cross relies on voluntary donations to ensure a safe and adequate blood supply. We regret that any donor has had to question his or her desire to give blood because of security concerns. We are committed to ensuring the safety and privacy of our donors and are working diligently to ensure that this situation is not repeated. We are appreciative of the thousands of donors who continue to support us every day. Without their generous donation of the gift of life, lives would be lost. Finally, we are proud of our people and the job they do. We hope that the details surrounding this case will not discourage people from donating blood in the future. Increasing the available supply of blood is critical to health care in our community, because much of modern medicine is only made possible because of blood donations. Yet, donations do not always keep pace with demand. Philadelphia is a major regional medical center with teaching hospitals that provide advanced care, such as organ transplants, specialized pediatric and neonatal care, cancer and cardiac care, all of which require a stable blood supply. For our region, blood donations given locally only meet 70 percent of our true need. Through planning and coordination, the Red Cross is able to ship blood from communities where there is an excess to those where there is a need. Still, history shows that our reserves of blood are not--have not been strong enough to compensate for seasonal swings in donations and weather-related disruptions of normal blood collection activities. Additionally, blood shortages seriously affect patient care. As the population ages, the need for blood is predicted to grow. Experts agree that a stronger blood supply is an essential part of community preparedness. After the terrorist attacks of September 11, 2001, a multidisciplinary task force of representatives from government agencies and the blood banking community was formed to study this issue. The task force concluded that the single biggest determinant of the success of the blood community's first response to a disaster, is the blood already on the shelves of blood centers and hospitals. It recommended that planning for future disasters include the requirement that all blood centers have available a 7-day supply of all blood types at all times. To meet our responsibility to the people we serve, the Penn-Jersey Region will continue to increase our blood supply by asking more people to donate blood, asking those already giving blood to donate more often and asking business and community groups to increase their support. On behalf of the Red Cross, thank you again, Chairman Greenwood, for the opportunity to testify before this Subcommittee. It is imperative for our national preparedness and the daily treatment of those with life-threatening conditions that Americans generously donate blood. This act can and does save lives. I would be happy to respond to your questions. [The prepared statement of Brigid O'Neill-LaGier follows:] Prepared Statement of Brigid O'Neill LaGier, Chief Executive Officer, Penn-Jersey Blood Services Region, American Red Cross Good morning, Mr. Chairman, Congresswoman Hart and Congressman Gerlach. Thank you for your invitation to testify on the important subject of identity theft. I am Brigid O'Neill LaGier, Chief Executive Officer of the Penn Jersey Blood Services Region of the American Red Cross headquartered in Philadelphia. The Red Cross has been helping people since 1881. You can see us at work in communities across the country, and here in southeastern Pennsylvania and New Jersey, thousands of times a day--teaching first aid or CPR classes, keeping members of the military and their families connected through emergency communications, caring for disaster victims, and collecting and delivering blood. Thousands of area residents participate in that work as volunteers, blood donors and financial contributors. As one of 36 Red Cross regional blood services, the Penn-Jersey Region is the major supplier of blood in southeastern Pennsylvania and New Jersey. Continuing a tradition begun more than 50 years ago, the mission of the Penn-Jersey Region is to fulfill the community's need for the safest, most reliable and cost-effective blood products and transfusion support services. In 1994, the Red Cross dedicated the Musser Blood Center, which houses: The blood supply for more than 125 southeastern Pennsylvania and New Jersey hospitals; The Philadelphia National Testing Laboratory, which provides infectious disease and type-testing of blood donations for four Red Cross blood centers and several non-Red Cross blood centers; and The National Reference Laboratory for Blood Group Serology, serving more than 3,000 hospitals nationwide. Hospitals and patients in southeastern Pennsylvania and New Jersey benefit from an array of transfusion support services, including: Lifesaving blood products delivered 24 hours a day, 365 days a year, and physicians and technical experts available for consultation around the clock; Products to meet special patient needs such as Granulocytes (infection fighting white cells) and HLA-matched platelets; Self-donation for planned surgery; Perioperative autologous cell salvage--a transfusion option benefiting orthopedic and other surgical patients; Reference laboratory services that identify and locate compatible units of platelets and red cells for patients; The American Rare Donor Registry--a joint American Association of Blood Banks (AABB) and Red Cross program that assists patients who need rare blood across the country and world; Stem cell and therapeutic apheresis services to help patients with cancer and other diseases; National Marrow Donor Program participation that helps cancer and other patients through donor recruitment and education; and Research activities in support of-- Cellular therapies to help cancer patients; Pathogen inactivation techniques that may prevent the transmission of AIDS, hepatitis or bacterial contamination; and Preservation and storage techniques for donated blood platelets so patients will receive the optimal benefit from their transfusion. Mr. Chairman, last year the Penn-Jersey Region collected more than 262,000 whole blood donations and nearly 11,000 platelet and Granulocyte donations and additionally imported 135,000 blood products to meet the local community transfusion needs of over 800,000 blood products. In southeastern Pennsylvania and New Jersey, the Red Cross conducted over 11,000 blood drive operations, which assisted over 300,000 volunteer blood donors who stepped forward to save lives. The Red Cross takes the confidentiality of our blood donors very seriously. As a regulated service, blood collection is a very detailed process designed to ensure the safety and security of the blood donor, the blood supply, and those who are trained to collect, manufacture and distribute blood products. The Food and Drug Administration (FDA)'s Center for Biologics Evaluation and Research (CBER) is responsible for regulatory oversight of the U.S. blood supply. FDA promulgates and enforces standards for blood collection and for the manufacturing of blood products, including both transfusable components of whole blood, pharmaceuticals derived from blood cells or plasma, and related medical devices. The American Red Cross, Penn-Jersey Blood Region activity is regulated not only by the FDA, but also on a local level by the State of Pennsylvania, the State of New Jersey, AABB as well as national American Red Cross standards, policies and procedures. As you may know, an investigation is currently being conducted by federal authorities into identity theft at the American Red Cross, Penn-Jersey Blood Region. Investigators learned that several individual's personal identification information, such as names and social security numbers, had been used to obtain credit and make purchases. A common denominator was that they had all donated at one of four Red Cross blood drives held in the southeastern Pennsylvania area in November and December 2002. We have recently learned that several donors at two additional blood drives during the same period were victims of identity theft. Social security numbers are utilized during the donation process to uniquely identify each blood donor and help us accurately connect the donor with his or her donation history, which is important for both donor and patient safety. While advances in technology and record keeping have afforded us increased security options, social security numbers remain the universally accepted means of identification. Upon learning of the problem in February 2003, we immediately contacted the U.S. Attorney's Office for the Eastern District of Pennsylvania, and requested that an investigation be opened and a task force of federal law enforcement officials be developed to fully investigate the matter. We are also working closely with the Federal Bureau of Investigation and the U.S. Postal Inspection Service. We have acted aggressively and cooperated fully with investigators to assist them in resolving this matter quickly and thoroughly. We also launched a rigorous review of our security procedures. We have no reason to believe that our electronic database has been compromised. This continues to be an open case and, consequently, I am sharing with you only the details that have been made public and will not hinder the ongoing investigation. We want to make clear that the safety of the blood supply has in no way been compromised. To date, the investigation has been contained to the southeastern Pennsylvania area and limited to six blood drives in the November through December 2002 timeframe. We are aware of at least 23 individuals who were blood donors and were also victims of identity theft. Our first concern is for those who may have been victimized. I have personally contacted representatives of four blood drive sponsor groups and I am in the process of contacting the two new groups we learned about last week. We have notified 1,400 donors in writing who participated in the first four blood drives and letters are going out to all donors from the two additionally identified blood drives. I have attached a generic copy of that correspondence for the record. This letter gives step by step actions they should take if they are concerned about the security of their personal information. The information was provided to us by federal law enforcement officials. In addition to the information in the letter, we have set up a special Red Cross toll-free telephone number to assist donors who believe they may have been victims. This line is answered by specially- trained staff to provide more detailed information about security of donor information and to assist donors in checking their credit reports. Despite this isolated situation, you can be certain that specific steps are taken throughout the Penn-Jersey Region's blood donor centers to ensure that blood donor information is secure. Some of them include: Donor records are handled exclusively by authorized personnel trained to deal with confidential information. Before interacting with the public, our Blood Services Region employees go through in- depth training that also requires signing a confidentiality agreement and a Code of Conduct agreement. Information entered on the blood donation record form completed by donors at the blood drive is protected from view by others during the donation process. Access to information is limited to authorized staff who need it in order to process the blood donation. Every person who handles this information is known/identified to us. Once donor information is entered into a computer at the blood center, the blood donation record form is shredded. Access to our computers and computer databases is strictly limited. Mr. Chairman, the Red Cross relies on voluntary donations to ensure a safe and adequate blood supply. We regret that any donor has had to question his or her desire to give blood because of security concerns. We are committed to ensuring the safety and privacy of our donors and are working diligently to ensure that this situation is not repeated. We are appreciative of the thousands of donors who continue to support us everyday. Without their generous donation of the gift of life, lives would be lost. Finally, we are proud of our people, and the job they do. We hope that the details surrounding this case will not discourage people from donating in the future. Increasing the available supply of blood is critical to healthcare in our community, because much of modern medicine is only made possible because of blood donations. Yet, donations do not always keep pace with demand. Philadelphia is a major regional medical center with teaching hospitals that provide advanced care, such as organ transplants, specialized pediatric and neonatal care, cancer and cardiac are, all of which require a stable blood supply. For our region, blood donations given locally only meet 70 percent of our true need. Through planning and coordination, the Red Cross is able to ship blood from communities where there is an excess to those where there is a need. Still, history shows that our reserves of blood have not been strong enough to compensate for seasonal swings in donations and weather-related disruptions of normal blood collection activities. Additionally, blood shortages seriously affect patient care. As the population ages, the need for blood is predicted to grow. Experts agree that a stronger blood supply is an essential part of community preparedness. After the terrorist attacks of September 11, 2001, a multi-disciplinary task force of representatives from government agencies and the blood banking community was formed to study this issue. The task force concluded that the single biggest determinant of the success of the blood community's first response to a disaster is the blood already on the shelves of blood centers and hospitals. It recommended that planning for future disasters include the requirement that all blood centers have available a seven-day supply of all blood types at all times. To meet our responsibility to the people we serve, the Penn-Jersey Region will continue to increase our blood supply by asking more people to donate blood, asking those already giving blood to donate more often, and asking business and community groups to increase their support. On behalf of the Red Cross, thank you again, Chairman Greenwood, for the opportunity to testify before this subcommittee. It is imperative for our national preparedness, and the daily treatment of those with life-threatening conditions, that Americans generously donate blood. This act can, and does, save lives. I would be happy to respond to your questions. Mr. Greenwood. Thank you very much. Thank you for your testimony, and we are very sensitive to the fact that, as you said, the supply of blood in this area, blood products, is a life and death matter, and we hope that it is helpful to let people know in this region that the precautions that you have taken now to fully their secure their personal identity and that that will encourage more donation and not less, because it is a matter of life and death. Let me recognize myself for some questions, and start with Mrs. Kane. Did the other Mrs. Kane, the bad Mrs. Kane. Mrs. Kane. The evil one, yes. Mr. Greenwood. The evil one. Went to jail for a year, you said. Did she serve that entire year, do you know, or---- Mrs. Kane. Yes. She was supposed to get 2 to 7 originally, but she served about a year. Mr. Greenwood. She served about 1 year of a 2 to 7, but it might have been a 2 to 7 year sentence. Mrs. Kane. Right. Well, she---- Mr. Greenwood. Do you know if she was ever required to make financial compensation to--either to yourself or to any of the businesses that were defrauded by her? Mrs. Kane. I have no idea if she was required to do that. I don't know. Mr. Greenwood. You didn't attend her trial or sentencing, or---- Mrs. Kane. I wasn't even notified until after she was sent to prison. Mr. Greenwood. Well, that is interesting in and of itself, isn't it, that you were the victim and you weren't notified of what--you weren't kept abreast of what was going on with her prosecution. Mrs. Kane. It was mostly the banks that were the victim, not me. So the banks knew about it and I found out after the fact. Mr. Greenwood. Now, you indicated in your testimony that your--this happened--this--you discovered this how long ago? Mrs. Kane. A little over 2 years ago. Mr. Greenwood. A little over 2 years ago. And you are still not finished cleaning up your mess. Mrs. Kane. We are about 95 percent. Mr. Greenwood. Okay. What remains to be done? Mrs. Kane. We just received the latest with our lovely Verizon. But we just received the third credit report of the three, and now they just have to take the 90 days or 30 to 90 days to make certain everything does come off. So hopefully, we are down to the last stretch. Mr. Greenwood. All right. And it is interesting you said that the banks were the victims, not you. I mean, one of the things that we are trying to make clear here is yes, the banks were holding the financial bag as a result of this, but you and your husband obviously were victimized, because of the---- Mrs. Kane. Well, I certainly think so. Mr. Greenwood. Right. Because--have you ever estimated how many hours of your time this has consumed? Mrs. Kane. Countless. Mr. Greenwood. Countless hours of your time. Mrs. Kane. Countless. I have---- Mr. Greenwood. And you have had some phone bills, obviously, because you didn't have 800 numbers. Mrs. Kane. The phone bills were a lot, and just the nitty- gritty daily grind of having to get the $8 credit reports again and again and again, and the notarized--every time you had to send a bank a notarized statement that this was not you, the $10 charge or whatever the nominal fee is, but it adds up. Mr. Greenwood. And were there periods of time where you couldn't use your own credit, your own credit cards and so forth to---- Mrs. Kane. No, I was never---- Mr. Greenwood. That was not disrupted. Okay. Let me see what else I was going to ask you. What would you say was the best resource for you in trying to get this identity theft problem taken care of? Who was most helpful to you? Mrs. Kane. It wasn't until I staggered through that I found out, through my own relatives, or people that I knew that had gone through this, which way to go. My one relative worked for the Social Security office and said, oh, make certain you check Social Security, or my neighbor was a police officer that said oh, make certain you do this. But it was not from the banks, it was not from the credit agencies. It was networking and a little bit of luck that we found our way through it, and I hopefully don't find out more. We just 2 years after the fact, I figured out that there was a credit protection agency that could have helped me through this. I wish I would have known at the beginning. Mr. Greenwood. Well, that gives me an opportunity to segue into the fact that for anyone in the room, there are materials at the front desk here that give some information about how to protect against--how to avoid identity theft, and also how to respond to it should it happen to you. Let me ask a question or two of the representative from the Red Cross. You said that the Penn-Jersey Regional operation office has changed significantly, and you illustrated some of the ways that you changed your practices so that your staff is trained to protect identities, that only select people are able to view the identifying information for donated blood. Do you know if those practices have been put into place in the Red Cross' activities throughout--in other regions of the country as well? Ms. O'Neill-LaGier. Well, just to clarify, Mr. Chairman, those processes were in place prior to us knowing of the identity theft, so that is our standard practice. Mr. Greenwood. Okay. It is--would--did you make changes-- did you find that there were changes you had to make as a result or this, or not? Ms. O'Neill-LaGier. We did a thorough review of our security, and there were very few changes that we made. There were a few things that we thought we could tighten up, but for the most part, we felt that our system was very secure. Mr. Greenwood. Are you able to speculate, and we want to be sensitive to the fact that there is an ongoing investigation, and so you are perfectly free to say that you can't answer any of the questions, but have you been able to identify yet whether this was an inside job, so to speak, someone who worked for Red Cross, or whether it was someone who got access to this information who was not part of your organization? Ms. O'Neill-LaGier. I would respectfully have to decline answering that. Mr. Greenwood. Okay. Ms. O'Neill-LaGier. As it is part of the investigation. Mr. Greenwood. I understand that a person's Social Security number is still considered as--you mentioned in your testimony, the universally accepted means of ID, but in light of these recent events, has the Red Cross considered using other tracking methods besides the Social Security number? Ms. O'Neill-LaGier. And that I can answer---- Mr. Greenwood. Okay. Mr. O'Neill-LaGier. [continuing] with a positive yes. We are currently--the Red Cross, the entire organization, is currently producing a new donor card, which will have a unique donor identification number, and the new card will replace the Social Security number as the primary donor identifier, and will eliminate the need for the donor to verbally communicate their Social Security number at the blood drive. So, we expect that this initial distribution will begin in March 2004, and we expect to be fully implemented in the Red Cross system by the summer. So, we are very---- Mr. Greenwood. And that would be nationwide? Ms. O'Neill-LaGier. Yes. Mr. Greenwood. Okay. Ms. O'Neill-LaGier. For the Red Cross. Mr. Greenwood. That is very good. So therefore, if somebody needs access to that, knows the numerals, there is nothing---- Ms. O'Neill-LaGier. Right. It will be---- Mr. Greenwood. [continuing] they could do with them to---- Ms. O'Neill-LaGier. [continuing] just unique to their blood donation---- Mr. Greenwood. Okay. Ms. O'Neill-LaGier. [continuing] history. Mr. Greenwood. The FDA oversees our Nation's blood supply, and the Red Cross is therefore subject to its regulations. Are there steps that the FDA should be taking to assist in protecting the blood donors and their personal information, because obviously, the Red Cross isn't the outfit involved in the blood supply. Ms. O'Neill-LaGier. Well, the FDA requires that we are always able to track the blood donation back to the blood donor, and that is for many safety and security reasons, so we have to have a mechanism in place to always be able to take that donation back to the donor. An example of something that might require us to look back and be able to identify that donor is if a subsequent--a positive test on that donor would come up. We have to be able to go back to all of that donor's donations and recall them from the inventory, so it is critically important. That is the requirement of the FDA, so when we moved to this unique Red Cross identifier, that will allow us to do that in the same way that the Social Security does. Mr. Greenwood. But to your knowledge, the FDA hasn't come up with a regulatory scheme that says that all of the Nation's blood supplies should use these kind of non-Social Security identifying numbers. Ms. O'Neill-LaGier. Not to my knowledge. Mr. Greenwood. Okay. The FTC is tasked with being the flagship Federal Government agency for monitoring identity theft and providing guidance to victims. Did the Red Cross contact the FTC when this first happened? Ms. O'Neill-LaGier. Well, we worked with the U.S. Attorney's Office, the FBI and the Postal Inspector Office, and they took care of any of that notification. We took their advice on the information to send out to the blood donors, which I have included, giving them some guidance on how to contact the credit agencies and to put fraud alerts on the credit reports. Mr. Greenwood. Well, I think both of these cases illustrate the depravity of people who would take these numbers with total disregard to the impacts, in one case, very personal impact within a family and in another case, an impact, a series of impacts that could really be life and death matters, in terms of keeping a secure supply of blood. The Chair recognizes Mr. Gerlach for questions. Mr. Gerlach. Thank you. Just as a follow-up to that last comment. What has been the anecdotal feedback from those that have been identity theft victims that come through the blood drives that you have narrowed down as to be those that-- potentially, was where the fraudulent activity generated from. What has been the anecdotal feedback as to what they have experienced after being victimized that way? Ms. O'Neill-LaGier. Well, the victims that we--the Red Cross have talked to, you know, are very upset, very concerned. And very concerned that this would happen to the American Red Cross, because we truly have been victimized also. There has been a variety of amounts of money that were stolen. This is anecdotal to me. I mean, you could check with the investigators for better information, but it is really quite devastating to them and to us, because we just feel terrible about it. Remarkably, many people have returned to donate again, and feel that it is their obligation as members of the community and are willing to work through this, and we have shared with the victims our intent to move away from Social Security number, and so they are willing to wait for us to get that in place. Mr. Gerlach. Okay. And Mrs. Kane, on your--in your situation, the person that stole your identity was also named Michelle Kane, and do you know whether or not she, in fact, used other Michelle Kanes around the country, in addition to yourself as being the basis for which she undertook that fraudulent activity? Mrs. Kane. I don't know if she found any other Michelle Kanes in her medical data base that she was able to find their Social Security numbers as well. All I know is my account. Mr. Gerlach. Okay. When did you find out her identity as being the person that stole your identity? When in relation to the criminal prosecution she underwent and was convicted of and thereafter served time, when did you learn of her identity, so that you knew that was the person that stole your identity? Mrs. Kane. When she applied for a mortgage and took out a $40,000 loan, that is when it became big enough for the banks to get involved, and the bank that was involved hired an investigator. Mr. Gerlach. Okay. Mrs. Kane. And it was through the investigator, he asked me did I wear glasses, which I thought was an odd question, because I only wore them for college, and I rarely wore them. I think I have worn them 10 times total, and at first, I said no, because it was so long ago, and then I said well, I do have a pair, and here, she worked for a vision company, and she was able to go through the medical data bases. According to the investigator, she denies that this is how it came to be, but-- so it was once the mortgage company got involved that they told me how they think it went down. Mr. Gerlach. And that information was passed along to law enforcement where she resided? Mrs. Kane. Yes. They were---- Mr. Gerlach. And that was where? Mrs. Kane. Schenectady, New York. Mr. Gerlach. Schenectady. And then you had no contact yourself, however, with the Schenectady Police Department or the prosecuting attorney in that county---- Mrs. Kane. No. Mr. Gerlach. [continuing] where Schenectady is located. Mrs. Kane. No, I did not. I had only had contact with the investigator, who kept me abreast of the information. Mr. Gerlach. Okay. And after these activities occurred, was anybody coming to you, either credit reporting agencies, with information? Obviously, you saw that it was inappropriate, but were any debt collectors or anybody coming, financial institutions coming after you for payment on loans or indebtedness that had been incurred in your name? Mrs. Kane. Up until--once we got in touch with the credit agencies and once we told them we were victims, our number must have gotten onto the credit reports. Obviously, our phone number, our address, and then the debt collectors started calling us, but not beforehand, because she had her own Post Office box set up. Mr. Gerlach. Okay. Mrs. Kane. So once we got in the system, you would think the credit agencies would help. Instead, they put us down as-- they--just mistaken. It was a mistake of which Michelle Kane they should call, and they started calling us to pay off these debts. Mr. Gerlach. And what was your experience with those debt collectors? Mrs. Kane. Well, it was not pleasant. Mr. Gerlach. Did they accept your explanation that you were a victim? Mrs. Kane. No, they just denied--they said, I am sorry, we don't believe you. You know, pay up, honey. Mr. Gerlach. Okay. Mrs. Kane. So. Mr. Gerlach. And how long did that--how many different collectors were after you in that fashion? Mrs. Kane. Well, it was---- Mr. Gerlach. And how long did it take them to realize that---- Mrs. Kane. It wasn't very long. It was only two banks, and it did eventually get cleared up, but it was still not something I was expecting. Mr. Gerlach. Okay. And upon what information, if you know, did they rely upon to understand that you were a victim in this situation, and therefore should not be harassed with dunning notes or telephone calls? Did they receive information from some other source, either law enforcement in Schenectady or the private investigator hired by the one bank? Do you know how it was that they finally let you off the hook in terms of their thought that you should be paying on the debt? Mrs. Kane. I think, and this is just my own personal thoughts, I don't think that they got any information from any other outside sources. I think they just probably did their homework and looked at the information that was in front of them and realized---- Mr. Gerlach. That you were telling the truth. Mrs. Kane. That we were telling the truth. Mr. Gerlach. Yeah. Mrs. Kane. By looking at their information that we had sent through our credit--our criminal record. What did we send? The police reports and the ID and the notarized forms that they probably just put two and two together once we persisted enough and said that this is not us. But it took a few phone calls. Mr. Gerlach. Okay. Thank you. Mr. Greenwood. Thank you. One more question for Ms. O'Neill-LaGier. Are blood collection activities subject to the Act that protects the privacy of health information, HIPAA? Ms. O'Neill-LaGier. The HIPAA. We are not obligated to HIPAA, but I would have to check on that for you and get back to you on that. Mr. Greenwood. Okay. Would you do that and---- Ms. O'Neill-LaGier. Yeah. I will do that. Mr. Greenwood. [continuing] communicate with the committee staff on that. Okay. We thank you both for being here and for your testimony and for your willingness to help us in our investigation, and you are both excused. Mrs. Kane. Thank you. Ms. O'Neill-LaGier. Thank you. Mr. Greenwood. For the rest of the day. And we will now call forward the second panel, consisting of Mr. Robert Ryan from--he is the Senior Director of Government Relations for TransUnion, which is out of Chicago; and also Milissa Lenahan, who is the Assistant Vice President and Assistant Operations Officer for First National Bank and Trust, nearby in Newtown, Pennsylvania. Welcome, both of you. Mr. Ryan. Thank you. Ms. Lenahan. Thank you. Mr. Greenwood. You may sit down. Then I will ask you to stand up. As you have heard me say to the other witnesses that we take testimony here under oath, and so I need to ask if either of you objects to taking--giving your testimony under oath. Mr. Ryan. No. Mr. Greenwood. Okay. And you are both entitled to be represented by counsel. Do either of you choose to be represented by counsel? Ms. Lenahan. No. Mr. Ryan. No, Mr. Chairman. Mr. Greenwood. Okay. Now, if you would stand up again and raise your right hands. [Witnesses sworn.] Mr. Greenwood. Okay. You are both under oath, and I am going to start with you, Mr. Ryan. You are recognized to give your testimony. TESTIMONY OF ROBERT RYAN, SENIOR DIRECTOR OF GOVERNMENT RELATIONS, TRANSUNION; AND MILISSA J. LENAHAN, ASSISTANT VP/ ASSISTANT OPERATIONS OFFICER, FIRST NATIONAL BANK AND TRUST COMPANY OF NEWTOWN Mr. Ryan. Good morning, Mr. Chairman Greenwood, Congressman Gerlach. My name is Bob Ryan, and I am the Senior Director of Government Relations for TransUnion. We are a leading global provider of consumer report information supported by more than 4,100 employees in more than 24 countries worldwide. I appreciate the opportunity to appear before you here today to discuss the role of TransUnion in the credit granting process, and in assisting consumers, and our business customers in preventing and remediating identity theft. I would like to explain briefly how TransUnion plays a critical role in the economic engine of credit availability. We provide the information necessary to lenders, regardless of where they are located, to make credit available to consumers all across the United States. In order for a lender to extend a loan to a consumer, the lender needs to evaluate the credit risks inherent in lending to that consumer, and the proper evaluation of the consumer's credit risks allows the lender to determine whether to provide credit to the consumer and at what price. We believe that the most accurate and predictive piece of information a lender can use in evaluating credit risk is a consumer report, also commonly called a credit report, and we take great pride in our ability to collect and disseminate credit report information. We receive and process approximately 2 billion updates to consumers' credit files each month. Now, let me turn to our role in thwarting identity theft. Identify theft is a serious problem and TransUnion is part of the solution. Since the 1980's, when TransUnion developed the first application fraud detection services for credit grantors, we have been helping our business customers detect and avoid application fraud, thus reducing the number of consumers affected by identity theft. In the mid-1980's, we were the first consumer reporting agency to initiate the development of special procedures to assist identity theft victims, including expedited dispute verification processes. In the late 1980's, we developed the innovation of a security alert flag on credit reports, to alert our customers to use extra caution in opening new accounts in the cases of prospective victims or actual victims of identity theft. In 1992, we were the first consumer reporting agency to establish a special Fraud Victim Assistance group within our organization that is solely dedicated to identify theft problems. In 1997, we began immediate suppression at the same time the dispute investigation process was initiated, of fraud- related information on a consumer's file, upon their presentation to us of a police report or other documentation, such as a Postal Service report confirming the fraud. In March 2000, this process became an industry standard. Our identify fraud specialists work with consumers, industry and government agencies to remediate damaged credit files as quickly as possible, to take preventative steps that reduce further victimization and to cooperate with law enforcement authorities in their investigations and prosecutions of this crime. Our processes include posting a security alert to the victim's file, opting the victim out of prescreened, pre-approved offers of credit or insurance, if he or she wishes, providing the victim a free credit report and notifying credit grantors and others, whose inquiries on the victim's file are due to fraud. Congress, as you noted, Mr. Chairman, is also taking important steps with respect to identity theft. We applaud Congress for enacting the Fair and Accurate Credit Transactions Act, or the FACT Act, which makes permanent important national standards in the credit reporting system and includes a comprehensive set of provisions pertaining to identity theft. A significant provision of the new law is a requirement to provide a free credit report annually to consumers upon their request, so that was item one on Ms. Kane's suggestions. For many years, we have provided free credit reports to victims, and to individuals who think they may be--there may be fraudulent information on their reports. The new law also provides for three types of security alerts in credit reports: an initial alert, for cases of potential fraud; an extended alert, in cases of actual identity theft; and a special active duty alert for our men and women serving in the armed forces stationed away from home. TransUnion was a pioneer in giving consumers the opportunity to place security alerts in their credit files, as I noted a moment ago. The FACT Act also codifies what has been our industry's voluntary practice concerning the immediate blocking of information related to identity theft upon the consumer's providing us with an identity theft report. The FACT Act will also benefit consumers by requiring the Federal Trade Commission to develop a summary of consumer rights with respect to the procedures for remedying the effects of fraud or identity theft. The FACT Act also requires the consumer reporting agency to provide a heads-up, a notice, to a credit grantor if the grantor submits to a consumer reporting agency an address for a consumer that doesn't match an address in the consumer reporting agency's files. At TransUnion, we are proud of our leadership in the development of processes and procedures to prevent and remediate identity theft. We applaud the 108th Congress for enacting the FACT Act, creating important, new national standards to help remediate identity theft, and we are gratified that many of the provisions of the bill were based on credit reporting industry standards that TransUnion helped to put in place. Mr. Chairman, Congressman Gerlach, I sincerely appreciate your invitation to testify today on identity theft. TransUnion looks forward to continuing to be part of the solution to this terrible crime, and I would be pleased to answer any questions that you may have. [The prepared statement of Robert Ryan follows:] Prepared Statement of Robert Ryan, Senior Director of Government Relations, TransUnion introduction Good morning, Chairman Greenwood, Congressman Deutsch, and Members of the Subcommittee. My name is Robert Ryan, and I am Senior Director of Government Relations for TransUnion, LLC. TransUnion is a leading global provider of consumer report information supported by more than 4,100 employees in more than 24 countries worldwide. I appreciate the opportunity to appear before you today to discuss the role of TransUnion in the credit granting process and in assisting consumers and our business customers in preventing and remediating identity theft. the role of transunion in the credit granting process Consumer spending makes up approximately two-thirds of the U.S. gross domestic product. A critical component of this economic driver is the availability of consumer credit. Consumers in the United States have access to a wide variety of credit from a number of sources at extremely competitive prices. Consumers rely on the availability of credit for a variety of purposes, such as the purchase of homes, cars, education, and daily needs. In fact, there is approximately $7 trillion in outstanding mortgages and other consumer loans in the United States. There is no question that our economy would suffer if consumers could not easily access credit as they do today. It is my pleasure to explain how TransUnion plays a critical role in the economic engine of credit availability. In sum, we provide the information necessary for lenders, regardless of where they are located, to make credit available to consumers all across the United States. In order for a lender to extend a loan to a consumer, the lender must evaluate the credit risks inherent in lending to that consumer. The proper evaluation of the consumer's credit risks allows the lender to determine whether to provide credit to the consumer and at what price. We believe that the most accurate and predictive piece of information a lender can use in evaluating a consumer's credit risk is a consumer report (also commonly called a credit report). TransUnion is in the business of providing lenders with this critical information. The Credit Reporting Process In order to more fully understand TransUnion's role in the credit availability process, it is important to understand the credit reporting process itself. TransUnion is a national consumer reporting agency. We are a nationwide repository of consumer report information with files on approximately 200--million individuals in the United States. The information in our files generally consists of: (i)-- identification information (including social security numbers); (ii)-- credit history; (iii)--public records (e.g. tax liens, judgments, etc.); and (iv)--a list of entities that have received the consumer's credit report from us. It is also important to clarify what is not in a credit report. A TransUnion credit report does not include checking or savings account information, medical histories, purchases paid in full with cash or check, business accounts (unless the consumer is personally liable for the debt), criminal histories, or race, gender, religion, or national origin. Most of the information in our files is provided to us voluntarily by a variety of sources. Although the Fair Credit Reporting Act (FCRA) does not require anyone to furnish information to consumer reporting agencies, or have any rules on the scope or nature of such information, the law does establish certain important guidelines for those who voluntarily furnish information to consumer reporting agencies. For example, furnishers must meet certain accuracy standards when providing information to consumer reporting agencies. Furnishers must also meet requirements ensuring that the information the furnishers have reported to consumer reporting agencies remains complete and accurate. Despite these legal obligations imposed on data furnishers, lenders and others participate in the credit reporting process due to the recognized value of complete and up-to-date credit reporting. In essence, if lenders want accurate, complete, and up-to-date information on which they are to base credit decisions, they must ensure a continuing supply of such data to consumer reporting agencies. We take great pride in our ability to collect and disseminate credit report information. In fact, TransUnion receives and processes approximately 2 billion updates to consumers' credit files each month. However, we do not distribute credit reports to just anyone. Under the FCRA, we may not provide a credit report to anyone who does not certify to us that they have a permissible purpose for such information. This protection ensures that the distribution of credit reports is made only to those with a need for such information (e.g. granting credit). the role of transunion in identity theft prevention and remediation TransUnion Is Part of the Solution Identity theft is a serious problem and TransUnion is part of the solution. Since the 1980s, when TransUnion developed the first application fraud detection suite of services for credit grantors (our HAWK <SUP>'</SUP> products, introduced in 1983), we have recognized that fraud through identity theft is a problem for which we can be part of the solution. We have been helping our customers detect and avoid application fraud for over 20 years, thus reducing the number of consumers affected by identity theft. In the mid-1980s we were the first consumer reporting agency to initiate the development of special procedures to assist identity theft victims, including expedited dispute verification processes and the deletion of fraudulent information. In the late 1980s we developed the innovation of a ``security alert'' flag on credit reports, to alert our customers to use extra caution in opening new accounts. In 1992, we were the first national consumer reporting agency to establish a special Fraud Victim Assistance group within our organization that is solely dedicated to identity theft problems. In the 1997 we began immediate suppression, at the same time the dispute investigation process was initiated, of fraud-related information on a consumer's file upon their presentation of a police report or other documentation confirming the fraud. In March 2000, this process became an industry standard. Our identity fraud specialists work with consumers, industry, and government agencies to remediate damaged credit files as quickly as possible, to take preventive steps that reduce further victimization, and to cooperate with law enforcement authorities in their investigations and prosecutions of this crime. As we explain on our website, www.transunion.com, our process includes posting a security alert, opting the victim out of prescreening if the victim wishes, providing the victim a free credit report, and notifying inquirers whose inquiries were due to fraud. We are proud to have played a leadership role in the development of processes that have become national standards today and expect to continue this leadership to combat this growing crime. the importance of national standards in combating identity theft: the fact act of 2003 The Fair and Accurate Credit Transactions Act of 2003 As you know, on December 4, 2003, President Bush signed into law the Fair and Accurate Credit Transactions Act of 2003, or the FACT Act. We applaud Congress for enacting the FACT Act, which makes permanent important national standards in the credit reporting system, and includes a comprehensive set of provisions pertaining to identity theft. I am pleased to note that many of the identity theft provisions in the FACT Act are based on innovations that TransUnion and other consumer reporting agencies have developed to help consumers in the fight against identity theft. A significant provision in the new law is a requirement to provide free credit report annually to consumers upon request. This new obligation springs from the idea that if the credit report is free there will be increased access to credit histories by more people, and that increased access will improve accuracy and reduce identity theft by encouraging individuals to regularly review their credit reports. There remains significant debate as to the validity of this logic since credit reports were always accessible for a modest fee (currently $9) and for many years all national consumer reporting agencies have provided free credit reports, upon request, to identity theft victims and to individuals who think there may be fraudulent information on their reports. The new law also provides for three types of security alerts in credit reports--an initial alert (upon a good faith suspicion that the individual may be subject to identity theft), a ``military'' alert (for our men and women serving in the military away from home), and an extended alert (in cases of actual identity theft). As a general matter, certain users of consumer reports (e.g. creditors) are required to take steps to confirm a consumer's identity prior to extending credit when these alerts are present on credit reports. As I mentioned above, TransUnion was a pioneer in giving consumers the opportunity to place security alerts in their credit files. The FACT Act also codifies what has been our industry's voluntary practice concerning the immediate blocking of information related to identity theft upon the consumer's providing us with an identity theft report--usually a police report. This practice is also known as ``tradeline blocking.'' The national consumer reporting agencies are required to share information about security alerts and blocked data among themselves, so that a consumer's actions with one consumer reporting agency will flow to the others, and be reflected on their credit reports. The FACT Act will also benefit consumers by requiring the Federal Trade Commission to develop a summary of consumer rights under the FCRA with respect to the procedures for remedying the effects of fraud or identity theft involving credit or other financial accounts or transactions. This provision is designed to assist identity theft victims in understanding the numerous tools at their disposal, such as the use of security alerts or tradeline blocking, to mitigate the harms of identity theft. Consumer reporting agencies will provide a summary of these rights to any consumer who contacts them and expresses a belief that he or she is a victim of fraud or identity theft involving a financial transaction. The FACT Act also requires a consumer reporting agency to provide a ``heads up'' to a user of credit reports if the user submits to a consumer reporting agency an address for a consumer that does not match an address in the consumer reporting agency's files. This provision is based on existing practices used by TransUnion to notify creditors and others that the consumer's address does not match one we have on file. This serves as another protection against identity theft, where the criminal may use a victim's identification information but the criminal's address in order to obtain credit or other goods or services. Under the FACT Act, the user of a credit report that contains such a notice of discrepancy will need to take certain steps to reduce the risk that the transaction is the result of identity theft. The issue of data furnishers providing the consumer reporting agency information that has been identified as fraudulent by the consumer reporting agency, and has been ``blocked'' by the consumer reporting agency, has been addressed by the FACT Act in two ways. First, in certain circumstances, the law prohibits the sale to third parties of accounts on which the creditor has received a notice of identity theft from either the consumer directly, or from the consumer reporting agency. The intent is to prevent the fraudulent information from finding its way back onto the credit report in the form of a report from a third party collection agency. Second, the FACT Act prohibits data furnishers from providing information to a consumer reporting agency if the consumer provides them an identity theft report identifying the relevant information as resulting from identity theft, or if the furnishers are notified by a consumer reporting agency that an identity theft report has been filed with respect to such information. Furnisher Obligations Because the FACT Act makes permanent the national standards pertaining to data furnisher obligations, it removed the danger that state laws pertaining to furnisher obligations could have reduced the number of entities willing to provide information to consumer reporting agencies. Withdrawal of data furnishers from the system would result not only in a loss of the credit information they provide but would also result in the loss of the address updates they provide. TransUnion's database relies on addresses that are in active use by creditors in mailing monthly statements to their customers. The fact that most data furnishers today also provide us with the social security number of their customers allows us to bridge address changes and name variations that commonly occur in our society. Businesses and government agencies with a permissible purpose to obtain a consumer report rely on our robust national database of names, social security numbers, and up to date addresses for a variety of fraud prevention and identity authentication services. With less current identification or address information coming into the database, the performance of these services would suffer. Reinvestigation Timeframes In identity theft cases, the consumer reporting agency is tasked with sorting out accurate and inaccurate information about the consumer. This is a difficult process and, if not done properly, could affect not only the consumer's ability to obtain credit but the safety and soundness of our financial institutions. We were gratified that the FACT Act preserved the national standard for reinvestigation processes and timeframes. In this regard, identity theft victims in Pennsylvania will continue to be treated no differently than victims from California to Florida. As a nation, we cannot have any other result. conclusion At TransUnion, we are proud of our leadership in the development of processes and procedures to prevent and remediate identity theft. We applaud the 108th Congress for enacting the FACT Act, creating important new national standards that will help remediate identity theft. We are gratified that many of the provisions in the bill were based on credit reporting industry standards that TransUnion helped put in place. Mr. Chairman, Congressman Deutsch, and members of the Subcommittee, I sincerely appreciate your invitation to testify today on identity theft. TransUnion looks forward to continuing to be part of the solution to this terrible crime. Mr. Greenwood. Thank you very much, Mr. Ryan. Ms. Lenahan. TESTIMONY OF MILISSA LENAHAN Ms. Lenahan. Hi. Thank you for the opportunity, and I would like to recognize American Bankers Association for giving me the opportunity to speak and they provided some materials, including a video, and I would just like for the record to recognize that. Mr. Greenwood. Okay. Ms. Lenahan. My name is Milissa Lenahan. I have been employed by First National Bank and Trust Company of Newtown for 20 years. My current position is Assistant Vice President and Assistant Operations Officer, Security Officer and Custodian of Records. Mr. Greenwood. Can you hear all right in the back, then? Okay. Ms. Lenahan. Okay. One of my primary functions as a Security Officer is researching and responding to fraud. I am currently working 20 cases of fraud that involve some form of identity theft. Twenty cases may not seem like a large number. However, First National Bank is a community bank, with our service area being in central and lower Bucks County. To us, one fraud is too many. Identify theft is on the rise and no one is exempt from the possibilities of having their identity compromised. Identity theft takes several forms, from a stolen piece of mail to a wealth of counterfeit documents with unknowing victims' information. My definition of identity theft is any time a person's information is used by someone other than themself. You don't have to have a fake driver's license to impersonate somebody and purchase something online with their stolen credit card. It has been my experience that retail locations rarely check the signature on the back of a credit card. Our bank takes pride in its customer service and we will use our abilities and resources to assist our customers who have victimized by identity theft. We provide whatever assistance is necessary to stop any further damage to our customer's good name. The following is a summary of the steps we take. Once notified by the customer, a hold is placed on all accounts. Notification is then broadcasted to every computer within the bank, tellers as well as back offices, as an alert. It is our practice to close customers' accounts and open new ones to prevent any future loss. We work with the customer in making sure legitimate payments are honored. We assist our customers with the paperwork necessary to credit back any missing funds as a result of the fraud, and in addition, we provide the customer with information on each credit reporting agency with the appropriate phone numbers, so that they can have an alert placed on their credit report. We recommend that our customers file a police report, and we will cooperate with police in an attempt to catch the fraudster and bring them to justice. Training and education is a large part of what we do. It is an ongoing process and we will pool any and all resources available to us that is put out by organizations such as the American Bankers Association. We will use these resources in training, as well as provide them to our customers in their monthly statement. We post security alerts on our website as another type of warning to our customers, and we will speak to organizations and schools when asked. The tellers on the front line are the most vulnerable to a perpetrator of identity theft. Split deposit fraud is one of the more common ways to pass yourself off as a customer by using a counterfeit or stolen check, presenting a portion for deposit and receiving a larger portion in cash back. The fraudster is usually prepared to present identification. The problem is there is no way for the teller to know that this identification is legitimate or not. Our new accounts people are also at risk. Technology has broadened the spectrum for someone intent on committing fraud. The only equipment you need is a home computer and a printer. A fake ID on the street would cost maybe $50. Check stock is readily available at stores that sell office supplies. All you need now is to take information off of someone's check. That check alone is a wealth of information, name, address, phone number, bank name, bank routing number and account number. When I started my career in banking in 1983, the only way you could get a supply of checks was by submitting your order to your bank. A bank would have the tools necessary to determine if this order is fraudulent, as would the check printing company they contracted their business with. Unfortunately, resources necessary are not always available or practical. We no sooner put tools and policies into place and then you are hit with a fraud with a new twist. Prevention is the key, but how do you prevent someone from stealing? If you are lucky enough to get an arrest, what is the punishment? Credit for time served and restitution that could take years. Our bank has a very good working relationship with local police departments, but police also have limited resources and tools to pursue these types of criminals. When our customer needs to file a police report, it is not clear which department they need to file with. Do you file in the municipality you live, or do you have a file in each location that an item was negotiated? One example of this that I had recently was our customer had to file a report in three separate municipalities after being turned away by their home municipality. The consumer is depending on the police to help. Identity theft leaves consumers with the feeling of total personal violation regardless of the dollar amount. The consumer spends countless hours trying to repair the damage. That is why we depend on organizations such as the ABA, the FBI, the FTC and local law enforcement to communicate and provide new tools to assist us in educating not only ourselves but our customers as well. Identity theft is one form of fraud that is extremely hard to prevent without access to certain tools only available to law enforcement. We can't call the police every time someone presents us with a driver's license to verify the validity of the document and the picture to the person in front of the teller. New technology is being made available in some states for this type of verification. Unfortunately, not in all states. New regulations and policies, such as the PATRIOT Act and the Customer Identification Program will help in the prevention of new account identity theft, but for how long? If the people responsible for the crime are not punished for their actions, regardless of the dollar amount, it is only a matter of time before a new type of fraud surfaces. Government organizations, law enforcement, financial institutions and consumers all need to work together to stop this growing fraud. Thank you. [The prepared statement of Milissa Lenahan follows:] Prepared Statement of Milissa J. Lenahan, First National Bank and Trust My name is Milissa J. Lenahan, I have been employed by The First National Bank and Trust Company of Newtown for 20 years. My current position is Assistant Vice President, Assistant Operations Officer, Security Officer and Custodian of Records. One of my primary functions as a Security Officer is researching and responding to fraud. I am currently working 20 cases of fraud that involve some form of Identity Theft. 20 cases may not seem like a large number however, First National Bank is a Community Bank with our service area being within Central and Lower Bucks County. To us one fraud is too many. Identity Theft is on the rise and no one is exempt from the possibilities of having their identity compromised. Identity Theft takes several forms from a stolen piece of mail to a wealth of counterfeit documents with unknowing victims information. My definition of Identity Theft is any time a persons information is used by someone other than them self. You don't have to have a fake Drivers License to impersonate someone and purchase something online with their stolen credit card. It has been my experience that retail locations rarely check the signature on the back of a credit card. Our bank takes pride in it customer service and we will use our abilities and resources to assist our customers who have been victimized by Identity Theft. We provide what ever assistance is necessary to stop any further damage to our customers good name. The following is a summary of the steps we take: Once notified by the customer, a hold is placed on all accounts. Notification is broadcasted to every computer, tellers as well as back offices as an alert throughout the bank. It is our practice to close the customers account and open new to prevent any further loss. We work with the customer in making sure legitimate payments are honored. We assist our customers with the paperwork necessary to credit back any funds missing as a result of the fraud. In addition we provide the customer with information on each credit reporting agency with the appropriate phone numbers so that they can have an alert placed on their credit report. We recommend that the customer file a police report. We will cooperate with police in an attempt to catch the ``Fraudster'' and bring them to justice. Training and education is a large part of what we do. It is an on going process and we will pull any and all resources available to us that is put out by organizations such as American Bankers Association. We will use these resources in training as well as providing them to our customers in their monthly statement. We post security alerts on our web site as another type of warming to our customers, and will speak to organizations and schools when asked. The tellers on the front line are the most vulnerable to a perpetrator of Identity Theft, split deposit fraud is one of the more common ways to pass yourself off as a customer by using a counterfeit or stolen check and presenting a portion for deposit and receiving a larger portion in cash back. The ``Fraudster'' is usually prepared to present identification. The problem is there is no way for the teller to know if this identification is legitimate or not. Our new accounts people are also at risk. Technology has broadened the spectrum for someone intent on committing fraud. The only equipment you need is a home computer and a printer. A fake ID on the street would cost maybe $50.00. Check stock is readily available at stores that sell office supplies. All you need now is to take information off of someone's check. That check alone is a wealth of information, name, address, phone number, bank name, bank routing number and account number. When I started my career in banking in 1983, the only way you could get a supply of checks was by submitting your order to your bank. A bank would have the tools necessary to determine if this order is fraudulent as would the check printing company they contracted their business with. Unfortunately resources necessary are not always available or practical. We no sooner put new tools and policies in place and then you are hit with a fraud with a new twist. Prevention is the key, but how do you prevent someone from stealing? If you are lucky enough to get an arrest, what is the punishment, credit for time served and restitution that could take years? Our bank has a very good working relationship with local Police departments. But Police also have limited resources and tools to pursue these types of criminals. When our customer needs to file a Police Report it is not clear which department they need to file with. Do you file in the municipality you live in or do you have to file in each location that an item was negotiated. One example of this I had recently was our customer had to file a report in three separate municipalities after being turned away by his home municipality. The consumer is depending on the Police to help. Identity Theft leaves consumers with the feeling of total personal violation regardless of the dollar amount. The consumer spends countless hours trying to repair the damage. That is why we depend on organizations such as the ABA, FBI, FTC and local Law Enforcement to communicate and provide new tools to assist us in educating not only ourselves but consumer as well. Identity Theft is one form of fraud that is extremely hard to prevent without access to certain tools only available to Law Enforcement. We can't call the Police every time someone presents us with a drivers license to verify the validity of the document and the picture to the person in front of the teller. New technology is being made available in some States for this type of verification, unfortunately not in all States. New regulations and policies such as the Patriot Act and Customer Identification Program will help in the prevention of new account Identity Theft but for how long? If the people responsible for the crime are not punished for their actions regardless of the dollar amount, it is only a matter of time before a new type of fraud surfaces. Government, Organizations, Law Enforcement, Financial Institutions and Consumers all need to work together to stop this growing fraud trend. Mr. Greenwood. Thank you very much. The Chair recognizes himself for questioning. And we will start with you, Mr. Ryan. You have heard the stories, including from Ms. Kane particularly this morning, that victims of identity theft find that the portion of their recovery that takes the longest is getting the fraudulent information off the victim's credit bureau. Can you explain what part of the process can take--why this part of the process can take such a long time, and what if anything is being done to shorten the time? Because I think Ms. Kane said that she was still trying to get--and one of the things she was--and I am a little bit confused, because you talked about free reports, and she said it was annoying to her to have to keep paying the $8 for the credit report. Was she not aware--do you think that she could get these for free? Mr. Ryan. I can't--I can only speak, Mr. Chairman, for TransUnion, and to identity theft victims---- Mr. Greenwood. She mentioned TransUnion by name, I think, in her testimony. Mr. Ryan. Our policy is to provide free disclosures to identity theft victims and has been for years, so I---- Mr. Greenwood. Well, let me--let us pursue that. If I am a victim of identity theft, and I say to myself, I better get my credit report, how would I--ordinarily, if I just go about the normal process of seeking a copy of my credit report, I would pay a fee unless--how would I know that I could get it for free? Mr. Ryan. Well, no, that is part of our script--part of the VRU, part of our--both our 1-800 telephone toll-free number that is provided to consumers for calling in for your credit disclosure, for your credit report, and part of our Internet website disclosure is that under certain circumstances, you can be entitled--you are--may be entitled to a free disclosure. Obviously, in the case of any adverse action, under the Fair Credit Reporting Act, but also under Fair Credit Reporting Act and our longstanding policy, you are entitled to a free disclosure if you believe there may be fraudulent information on your credit report as a result of identity theft or other fraud, and so that is part of our phone script and part of our Internet scripting as well. So, I can't, you know, reply in particular. Obviously, we will be happy to follow up and--if, I mean, if it was our company, we would be happy to refund or whatever. Mr. Greenwood. Is a credit bureau report easy for a layperson to read and understand? You heard Ms. Kane saying that sometimes there are abbreviations, there aren't necessarily numbers, toll-free numbers that can be gleaned from the report. Would I really know what to look for on my credit bureau report to determine whether I had been a victim of identity theft? Mr. Ryan. I may be a bit biased, Mr. Chairman, because I have been in the business so long, but when I--we have done a lot of work and testing of our consumer disclosure form. It is not the same credit report that would go to a bank, or you know, other financial institutions, so it is recast in English, and we do explain the different sections, so it is as clear as a very--typically long, 6, 7, 8 page, rather arcane listing of financial information, dates and dollar amounts can be, in my opinion. Mr. Greenwood. Okay. Another one of the major problems we hear regarding victims of identity theft is that they usually did not discover the theft for a long time, in some cases, for over a year. The question is what type of fraud detection systems or services could the credit bureaus provide to try and identify the fraud before the victim even becomes aware of it? Mr. Ryan. We are, as an ongoing matter of our business practice, we are looking at better ways to alert all of our constituents to possible fraud. We maintain, though, again, files on 220 million--all the credit active people in the United States, and so, I don't--we have not identified a way to proactively notify individual consumers. We certainly do--we are very available, you know, we are very open. And the new FACT Act, again, provides a free annual disclosure to everybody in the country, plus, as again, as I said, we have been open and available to providing free disclosures to consumers who even think there may be fraudulent information on their file. But--and that's the state-of-the-art pretty much today on this. Mr. Greenwood. Are there provisions that you would have preferred to see get into the FACT Act that were not? Mr. Ryan. I think that--no, the FACT Act is--it is a very comprehensive law. If, Mr. Chairman, you are asking if there are other issues pertaining to identity theft, that as a matter of public policy or legislation, were not addressed in the FACT Act, you--the committee has heard some of those earlier today. One is the issue of the robustness of our State identification, the driver's license system and ID cards and there is certainly legislation in Congress or it has been considered in Congress, aid to the states in making--providing for a more robust, perhaps biometric base identification system. Mr. Greenwood. I think that is where we are headed. That has been what has been going through my mind this morning is that eventually, we are going to have to--as a technological response that we are going to have to go to a more sophisticated system, that uses some kind of biometrics in order to really protect our financial security. Is that where you think we are headed? Mr. Ryan. That is where--that is at least one public policy issue that certainly is appropriate for Congress and perhaps this Committee to consider. Another issue that you heard mentioned earlier that I--we fully support are more resources for law enforcement for both data sharing, the FTC and the FBI, the Postal Inspector are all doing a lot, and as you also heard, the record is more uneven in the states. You know, some are doing more than others, but data sharing---- Mr. Greenwood. Do you think some states are doing too much? You know, there is an issue that I asked Representative O'Neill, which is how he felt about the Federal Government superseding the State laws, and I know California particularly felt that their law was more stringent and they weren't happy about having it superseded by the Federal Law. Is that your experience? Mr. Ryan. Well, I think the FACT Act got the preemptions on identity theft about right, Mr. Chairman. The preemptions were very narrow. They only--what got preempted by the FACT Act were the national standards for the security alerts, for example, or the national standards for the trade line blocking with a police report, and to us, it makes a lot of sense to have one national standard for how security alerts work. And apart from the benefits to business, the benefit is to consumer empowerment, consumer education. So this way, what gets published in the FTC education program that they will-- they are going to be working on in the next year or so, we will have a national standard, and one way security alerts and military active duty alerts operate one way. But in other areas, the preemptions were not there. The preemptions were narrow. I think they got it about right. Mr. Greenwood. Let me--before I turn to Mr. Gerlach, let me just ask some questions of Ms. Lenahan. When you look at the 20 cases that you are investigating, could you give us a sense of--you mentioned one specific act where someone will come in to one of your branches with a stolen check, let us say, and write the check to himself for $500 and then deposit $50 and take $450. Are the crimes that you are investigating, do they tend to actually occur in your branches where people walk in and do that, or is it more the case that they are just figuring out how to drain someone's account from an ATM machine, for instance? Ms. Lenahan. I would say that it is probably about even. We have about--we have 12 locations in Bucks County only, and usually, what happens is if we happen to be unfortunate enough to get hit inside the branch, it is all within a day. And they go from location to location, and---- Mr. Greenwood. Have your video cameras or your security cameras ever assisted in the---- Ms. Lenahan. Yes. Yes, they have. Mr. Greenwood. That is interesting. Ms. Lenahan. We have an excellent system called AccuTrack, and it provides beautiful pictures. Mr. Greenwood. So you can match, obviously, the transaction with the---- Ms. Lenahan. Yes, we can. Mr. Greenwood. [continuing] time of the transaction? Ms. Lenahan. Yes, we can. Mr. Greenwood. To the place with the--that moment in your videotape and try to identify the person on there. Ms. Lenahan. Yes, we can. Mr. Greenwood. When I go to an ATM machine and forget to say no, I don't want a receipt and a receipt comes out, and I crumple it up and stick it in that little slot that says trash. Do I have to worry about that receipt being used for fraudulently? Ms. Lenahan. No, you do not. It only lists the last four digits of the debit card number. Mr. Greenwood. Which brings me to another point. One of the things I have learned in this investigation is that, of course, the ideal is to have a truncated--in every transaction, to have a truncated credit card number, so you just have the last four numbers indicated and then lots of Xes, but not every vendor uses that, because it can be costly to have equipment that does that. And so, the perpetrator can make a purchase--well, it is--a purchase can be made in a--let us say, a smaller retail shop that doesn't truncate that information. That receipt can be picked up by a perpetrator, taken to a department store, and that number used there to perpetrate a crime on another retailer, and so the retailer who may have a truncated system is being victimized as a result of the fact that the smaller retailers don't. Ms. Lenahan. Right. Mr. Greenwood. And that is a problem. And it is not easily solved, because it is tough--because of the cost of that equipment, it is tough to mandate that all retailers do that. It is tempting to do that, but it is expensive for the---- Ms. Lenahan. You only need the credit card number. If that happened in a location, you wouldn't be able to take that piece of carbon number, or the number and go make a physical purchase. Mr. Greenwood. Right. You don't need to. Ms. Lenahan. But---- Mr. Greenwood. You can go online and go to Macy's and---- Ms. Lenahan. Online, telephone. Mr. Greenwood. [continuing] buy stuff all day long. Ms. Lenahan. Right. Mr. Greenwood. What types of security measures does your make take to ensure that your bank employees who have access to customers' personal information, are not abusing that information and potentially committing identity theft? Ms. Lenahan. Well, we are all bound to a code of ethics, and I don't think that there is anybody that is scrutinized more closely than our own employees. I am not going to say that is 100 percent foolproof, but in my experience, I have not had any experience in the last--since May 2002, of any negativity on an employee's end. Everything is security code and password sensitive. There is reports that we receive on a daily basis that are security department reviews, which includes employees' account activity. So it is watched. Mr. Greenwood. Okay. Mr. Gerlach, questions? Mr. Gerlach. A couple questions, thank you. Mr. Ryan, first, I am just looking at your testimony. On page 4, ``The FACT Act also codifies what has been our industry's voluntary practice concerning the immediate blocking of information related to identity theft upon the consumer's providing us with an identity theft report--usually a police report. This practice is also known as `tradeline blocking' ''. Can you describe that a little bit more fully for me, what ``tradeline blocking'' is, when a consumer says he or she is a victim of theft, perhaps gives you a police report? What do you do at that point? Mr. Ryan. Yes. Yes, I can, Congressman. The process typically begins when we provide the consumer a free copy of their complete credit report, so they--so in other words, the first step is the prospective identity theft victim, or the victim contacts us. We give them a copy of the free report. They may or may not at that point have a police report, but then at some point thereafter, or if they don't already have it, they get a police report, or a report by the U.S. Postal Service, or some other official document documenting the--make sure the fact of the identity theft. At that point, our consumer relations department, our Fraud Victim Assistance folks will receive from--the consumer tells us this, this, this and this item either trade--a trade line is a record of an account, so a Citibank, a record of the Citibank charge account or a Sears charge account. Mr. Gerlach. Right. Mr. Ryan. Or an inquiry could be associated--on the file could be associated with fraud. In other words, an--just the record of an inquiry by an institution that again, the consumer informs us is not a place they applied to, and therefore associated with a fraud. What happens in those cases of each element of information that is identified by the consumer, at that point gets suppressed from display. It gets blocked from display, so that it does not appear, can not appear on any future credit report, and we initiate a notice to the furnisher of each of those--the institution that furnished each of those elements of information, informing them that the data has been blocked from display, won't appear on future credit reports, has been associated to be connected with identity theft, and then they are--they have an opportunity, or an obligation, under the Fair Credit Reporting Act, to initiate their own investigation and take steps to not reintroduce it in subsequent reports to the credit reporting agency. Obviously, if they have--in their investigation, feel there is--that it was not identity theft, or it was some other kind of fraud going on there, there may be--they may come back to us, but the ordinary process stops there with our notice to them and their prevention of having it reintroduced. Mr. Gerlach. Okay. So, at this point, the consumer can initiate that simply by having noticed this information on the report, and you take that individual's objection to that information on face value, and you block it. Mr. Ryan. Once they have a police report. Yes, with a police report. Mr. Gerlach. Okay. And the police report being simply an incident report that they have gone, made contact with the local police, explained the situation to the police, issues a report, not necessarily a finding of---- Mr. Ryan. No. Mr. Gerlach. [continuing] criminality, or any of that sort, but that is--that paper is sufficient for you then to block that item for future use of that report by some other entity. Mr. Ryan. Yes, Congressman. Mr. Gerlach. Okay. Mr. Ryan. And again, that has been our practice for several years, and that is now codified under the FACT Act. Mr. Gerlach. Right. Okay. Real quick, Ms. Lenahan. We have heard information where the Mexican consulate could issue what is called a matricula consular card to those coming from Mexico and to have that card be the basis for coming into a bank and establishing an account and starting transactions through that account, but the individual that went into the consulate to say I am so and so uses a birth certificate that may or may not be valid or genuine or authentic and nonetheless gets that consular card that is then used to open up accounts. Are you aware of any problems with that in your area? I know you are out of Newtown Square. Are you aware of any problems with banks and how they, if at all, try to further evaluate the proper identity of the person that tries to open up an account and start undertaking financial transactions on that basis of that card that was used initially? Ms. Lenahan. I am not familiar with that particular instance, but I would have to say that the Customer Identification Program would eliminate somebody being able to come in and just use that one card only. They would have to come up with several other forms of identification to conduct any type of business like that. Mr. Gerlach. Okay. So the card itself is not a sufficient enough basis for opening an account. At least at your bank? Ms. Lenahan. Not at my bank. Mr. Gerlach. Or are you aware of any other---- Ms. Lenahan. I can't speak for the industry. American Bankers Association may be able to get back to you for the record. Mr. Gerlach. Okay. Ms. Lenahan. In reference to the industry. But in my bank, they would need more than that. Mr. Gerlach. Okay. Good. Thanks. Just a couple more questions. Do either of you, from your association or personal experience, use an estimate or see numbers that would estimate either how much it is costing the Nation as a whole a year from identity theft, or what theft comes down to as a household? Seen these numbers? Mr. Ryan. The--I think, Mr. Chairman, the RTC will--the recent report had some number--figures there, but they don't stick--it is millions and millions, but---- Mr. Gerlach. Well, the numbers that I have seen---- Mr. Ryan. [continuing] I don't have that number in my head. Mr. Gerlach. [continuing] are credit card theft, about $33 billion a year, and total identity theft numbers on an order of magnitude of $50 billion a year, and my math tells me that that is several hundred dollars a household, that every household in America is paying several hundred dollars more a year, which would be good about this time of year to have in your pocket instead of having to put out, but that is what we are paying to go shopping in the extra cost of goods that comes from this. Just a couple more questions. Ms. Lenahan, what is the banking industry as a whole doing about this? Do you have a sense of that? Is this the kind of thing that financial institutions are either--do you talk to your other--your fellow bankers from Bucks County or national conventions, is this a big part of what participants might be engaged in in educating themselves about? Ms. Lenahan. It is all of the above. I just attended a large security conference in Texas, and it covered several things, including the biometrics that you were speaking of, which we see that as a future trend. Banks are continually researching new software that would be compatible with their own to combat these types of things and catch them before they accelerate. My bank does not offer a credit card, so we don't see what the rest of the industry is seeing in reference to the credit card theft. However, we do offer the Visa check card, and that in itself, you know, we do have our fraud instances with those, but we are a little more fortunate than the bigger guys, because we don't offer the credit card, per se. But---- Mr. Gerlach. Well, somebody--suppose somebody does what is very easy now, every--most of us in this room probably, when you go home today, will find at least a couple of lovely offers of free credit cards that we don't even open any more and just throw in the trash, and they become pretty easy for somebody to pick up and fill out and send in and get a credit card. If somebody fills one of those out with my name on it and gets a credit card with my name in it and walks into your bank, and says I would like to put $1,000 on my Visa card, what does your bank do to make sure that that doesn't happen to me? Ms. Lenahan. If it is an outside credit card, we are relying on the credit card company to give us the appropriate authorization, because that is the only tool that we have. For our own card, we would have had to have identified them through the Customer Identification Program before we would even process their application, so---- Mr. Gerlach. If someone gets--suppose if someone gets an extra copy, it wouldn't be difficult for someone to report to-- taking my place, that I--they lost a credit card, and ask for copies to be sent, or pick up my credit card when it comes in the--when it is renewed and it comes in the mailbox, to pick that up and then go into a bank and it--I would assume that the authorization would sail through. Ms. Lenahan. Well, any new cards that are coming through the mail have a sticker on it with an 800 number for activation that you can only use from your home telephone. So that is one feature that is in place to protect the consumer. Mr. Gerlach. Okay, so that seems to work pretty well, then, I guess. Ms. Lenahan. Right. I think that the most difficulty right now with credit card mailing is the ready access checks, get 0 percent if you use these checks. If the consumer doesn't open the envelope, they are throwing away a checkbook, you know, which is very easy for somebody else to pick up and try and use. Mr. Gerlach. That is an interesting point. Nowadays, I can tell--there are things I can do so that I don't get certain kinds of junk phone calls. Are there things that consumers can do if you don't want to get any more of these checks, for instance, because I get them all the time, and I try to remember to tear them up before I discard them, but I don't always open the envelopes, and I am not giving my address out at this hearing, but--can you--can a consumer avoid being sent those kinds of free checks? Ms. Lenahan. Well, the--they can contact their credit card company and just simply ask them to stop, and you don't usually receive those types of checks until you already have an account with that credit card company. It is after that that you start to get a lot of the mailing, use the checks, get this percentage rate. But there is---- Mr. Gerlach. I get checks from credit cards I haven't had in 10 years. Ms. Lenahan. Well, that is--they still have you--you didn't close the account. Mr. Gerlach. Right. Ms. Lenahan. I would recommend closing an account for any card that you are not using. But the State has the Do Not Call list, which is supposed to include mailing as well, but I do not believe that that covers an existing account, an open account. Mr. Gerlach. Mr. Ryan, did you have any comment on any of that? Mr. Ryan. No, I think that is exactly my sense. Mr. Gerlach. Okay. Well, that is it. Okay. Thank you both-- -- Ms. Lenahan. Thank you. Mr. Gerlach. [continuing] very much for your testimony. It has been very helpful. Mr. Greenwood. We are going to take about a 5-minute break before we call our next panel. [Brief recess] Mr. Greenwood. Okay. The committee will come to order, and I see that our third panel has arrived, and they are Ms. Betsy Broder of the Federal Trade Commission. She is the Assistant Director of the Division of Planning and Information of the Bureau of Consumer Protection from Washington; Mr. Kevin Burke, who is the Deputy Chief Postal Inspector for Eastern Field Operations, here in the--he is a U.S. Postal Inspector here in Langhorne, Pennsylvania, welcome; Mr. John M. Abel is the Pennsylvania Attorney General--from the Pennsylvania Attorney General's Office, Senior Deputy Attorney General, Bureau of Consumer Protection, welcome, sir thank you for coming here from Philadelphia; and from the State Police, we have Lieutenant Colonel Ralph M. Periandi. Am I saying that right? Mr. Periandi. Yes, sir. Mr. Greenwood. Okay. He is a Deputy Commissioner of Operations from Harrisburg, and we thank you for coming. As you have heard me say to the other witnesses, we take testimony in this Subcommittee under oath, and I have to ask if any of you object to giving your testimony under oath. Okay. You are, also pursuant to the rules of the committee and the House of Representatives, entitled to be represented by counsel. Any of you wish to be represented by counsel? You all have good clear consciences. No need for that. Okay, in that case, if you would stand and raise your right hands, please. [Witnesses sworn.] Mr. Greenwood. Okay. You are all under oath, and we will begin with Ms. Broder. Welcome and thank you for your testimony. You want to take that microphone there, not that one. You want them both near. The stenographer needs the one on the little white triangle, but you need to speak clearly into that one. Ms. Broder. Thank you, and---- Mr. Greenwood. And it is--thank you. TESTIMONY OF BETSY BRODER, ASSISTANT DIRECTOR, DIVISION OF PLANNING AND INFORMATION, BUREAU OF CONSUMER AFFAIRS, FEDERAL TRADE COMMISSION; KEVIN J. BURKE, DEPUTY CHIEF INSPECTOR FOR EASTERN FIELD OPERATIONS, U.S. POSTAL INSPECTOR; JOHN M. ABLE, PENNSYLVANIA ATTORNEY GENERAL; AND LT. COL. RALPH M. PERIANDI, DEPUTY COMMISSIONER, OPERATIONS, PENNSYLVANIA STATE POLICE Ms. Broder. Good morning, Mr. Chairman and Congressman Gerlach. Identify theft has become a consumer protection issue of dramatic proportions. As has been earlier stated, the numbers are staggering. Within the space of 1 year, almost 10 million persons suffered some form of identity fraud, from the misuse of an existing account to the complete takeover of their identity by opening new accounts, obtaining government benefits, or even filing for bankruptcy. In addition to the trauma to the victims, which cannot be underestimated, this crime costs our society over $53 billion in the space of 1 year, with an additional 300 million hours spent by victims trying to undo the damage. We appreciate the opportunity to describe today some of the initiatives the FTC has undertaken to respond to this growing problem. The Federal Trade Commission has been playing a key role in addressing identity theft and the problem it spawns well before the enactment of the Identity Theft and Assumption Deterrence Act of 1998, but that Act directed us to take a more central role in working with victims, educating the public, coordinating with law enforcement, criminal law enforcement in particular, and working with the private sector. For consumers, we offer victim assistance through our toll- free hotline at 877-IDTHEFT and our online complaint form and other resources at consumer.gov/idtheft. Through either of these portals, consumers provide us with information concerning the episode of identity theft, and our trained phone counselors guide them through the steps that they need to take to start repairing the damage done by the theft and reducing the risk of any additional harm. Online consumers can obtain the same information from the materials we have posted on our website. The ID Theft site also links to our identity theft affidavit, a uniformly accepted affidavit that victims can use to dispute fraudulently opened accounts. This takes the place of the cumbersome process which I think Ms. Kane referred to, of filling out separate and distinct forms for each of the fraudulently opened accounts. It makes the recovery that much easier, and a copy of the affidavit is contained in our identity theft book, When Bad Things Happen to Your Good Name. We have an additional identity theft piece, What's It All About, which is a practical guide for identity theft, a condensed version of our identity theft major publication, both of which are available in both English and Spanish. We want consumers to be empowered to take the steps that they need to to safeguard their identity, to be mindful of how they make information about themselves available online and off, to take care in how they make their personally identifying information available, how they handle our trash to whether they put firewalls up and engage in commerce on the Internet carefully and with due regard for their identifying information. I would just like to point out, Mr. Chairman, that you have made great use of our resources online by linking directly from your home site to our identity theft information, the booklets and the affidavit. This is exactly what we are trying to do, to leverage our resources, so that others make them available to audiences that we might not be able to reach. We appreciate very much all of your fine efforts in that regard. The FTC's role also extends to supporting criminal law enforcement and prosecution of these crimes. The FTC is a civil agency. We do not have jurisdiction to enforce the identity theft law, but our colleagues, some of whom are represented at this table, do. I mentioned that identity theft victims, when they contact us either by the phone or online, provide information about the incident of identity theft. That information we enter into our Identity Theft Data Clearinghouse, and we share it with law enforcement agencies around the country. Almost 800 individual agencies, representing thousands of investigators, can log on to this site through a secure Internet connection and get access to the more than 400,000 identity theft complaints that we have received and also that have been sent to us by the Social Security Administration Office of Inspector General. So law enforcement agencies from the Bucks County and Montgomery County District Attorney's Office, to the U.S. Postal Inspection Service nationwide, to a cop in the Los Angeles Police Department can see the big picture. They are all logging on to the same data at the same time. This aggregated data takes the place of the individual complaints that may have come across their desks, so rather than just seeing that one complaint from the one person, they are able to add to that complaint by searching the data base, and seeing how pervasive the problem is, making ID theft more attractive for prosecution. We have also teamed with the Inspection Service, the Secret Service and the U.S. Department of Justice to conduct training for law enforcement around the country. We have reached more than 1,000 of these first responders--with guidance on how to deal with identity theft victims, and how to build a case for prosecutors. So hopefully, what this means is that the story that we heard from Mrs. Kane about how the law enforcement would not listen to her, hopefully that tide is changing. They are looking at the individual as a victim of this crime, not simply the financial institutions that may have ultimately to carry the financial weight, but also, the person whose information has been misused are victims. The International Association of Chiefs of Police have passed a resolution urging their members to take police reports in the jurisdiction where the victim resides. That is the one thing that remains constant. The thief may be operating in many jurisdictions, making it very hard for law enforcement to nail it down, but the victim always remains where she is, and so the police departments in the municipality of the victim are urged to issue police reports. That is of even greater importance now that we have the Police Report Blocking Initiative. The police report is an essential piece of recovery for victims of identity theft. One other point on law enforcement. We provide our data in the central data base that can be accessed by investigators one by one, but we also reach out with more specialized assistance. For example, the Identity Theft Task Force in Philadelphia requested, and we provided, a set of data from our data base that matched their jurisdictional range, so what we did was we took from our data base the complaints pertaining to that jurisdiction in the Philadelphia area, and I think there are other jurisdictions represented on that Task Force. They add to that some of their own data, so they have richer resources to drill further into this crime and build better cases. We work both in the collective and the individual groups on rooting out this pervasive crime. And finally, the business community plays a key role in reducing the incidence of identity theft and working with victims. In addition to using and accepting the identity theft affidavit, the FTC has worked with companies who themselves have had their customers' or clients' data stolen, for example, the Red Cross. We provide direction to those companies on how to contact the persons whose information has fallen into the hands of criminals. The FTC staff also guides them to the appropriate law enforcement agency, and to work with the credit reporting agencies, so they can build together a mechanism to facilitate the recovery for the victims, and to provide them with the appropriate notice. We also have drafted a standard letter for these companies to use in sending out to the people whose information has been compromised, so they get all of the appropriate contact information. They don't have to do their own homework or discover it for themselves. It also provides them with a link to our identity theft materials. We know that these sorts of wholesale incidents of identity theft are becoming more commonplace, so rather than have our staff on the phone each and every time this happened, we have built an Identity Theft Response Kit that is posted on our home site that companies can go to to download the contact letter to see how to contact the credit reporting agencies and law enforcement as well, to make it easier for them to do their job. Finally, the recent amendments to the FCRA, the FACT Act, including the codification of the fraud alert process with the credit reporting agencies, and the development of what are called red flag indicators of identity theft for financial institutions will certainly have an impact on this daunting crime. But clearly there is much that remains to be done, and the FTC will continue to make this a priority of its work. We thank you very much for the opportunity to testify today. [The prepared statement of Betsy Broder follows:] Prepared Statement of Betsy Broder, Assistant Director, Division of Planning and Information, Bureau of Consumer Protection, Federal Trade Commission i. introduction Mr. Chairman, and members of the Subcommittee, I am Betsy Broder, Assistant Director of the Division of Planning and Information, Bureau of Consumer Protection, Federal Trade Commission (``FTC'' or ``Commission'').<SUP>1</SUP> I appreciate the opportunity to present the Commission's views on the impact of identity theft on consumers. --------------------------------------------------------------------------- \1\ The views expressed in this statement represent the views of the Commission. My oral presentation and responses to questions are my own and do not necessarily represent the views of the Commission or any Commissioner. --------------------------------------------------------------------------- The Federal Trade Commission has a broad mandate to protect consumers, and controlling identity theft is an important issue of concern to all consumers. The FTC's role in combating identity theft derives from the 1998 Identity Theft Assumption and Deterrence Act (``the Identity Theft Act'' or ``the Act'').<SUP>2</SUP> The Act directed the Federal Trade Commission to establish the federal government's central repository for identity theft complaints, to make available and to refer these complaints to law enforcement for their investigations, and to provide victim assistance and consumer education. Thus, the FTC's role under the Act is primarily one of facilitating information sharing among public and private entities.<SUP>3</SUP> The Commission also works extensively with industry on ways to improve victim assistance, including providing direct advice and assistance in cases of security breaches involving sensitive information of customers or employees. --------------------------------------------------------------------------- \2\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 U.S.C. 1028). \3\ Most identity theft cases are best addressed through criminal prosecution. The FTC itself has no direct criminal law enforcement authority. Under its civil law enforcement authority provided by Section 5 of the FTC Act, the Commission may, in appropriate cases, bring actions to stop practices that involve or facilitate identity theft. See, e.g., FTC v. Corporate Marketing Solutions, Inc., CIV-02 1256 PHX RCB (D. Ariz. Feb. 3, 2003) (final order) (defendants ``pretexted'' personal information from consumers and engaged in unauthorized billing of consumers' credit cards) and FTC v. C.J., CIV- 03 5275 GHK (RZx) (C.D. Cal. July 24, 2003) (final order) (defendant sent spam purporting to come from AOL and created an AOL look-alike website in order to obtain credit card numbers and other financial data from consumers which defendant used for unauthorized online purchases.). In addition, the FTC brought six complaints against marketers for purporting to sell international driver's permits that could be used to facilitate identity theft. Press Release, Federal Trade Commission, FTC Targets Sellers Who Deceptively Marketed International Driver's Permits over the Internet and via Spam (Jan. 16, 2003), available at http://www.ftc.gov/opa/2003/01/idpfinal.htm. --------------------------------------------------------------------------- ii. the federal trade commission's role in combating identity theft The Identity Theft Act strengthened the criminal laws governing identity theft <SUP>4</SUP> and focused on consumers as victims.<SUP>5</SUP> In so doing, Congress recognized that coordinated efforts are essential to best serve the needs of identity theft victims because these fraud victims often need assistance both from government agencies at the national and state or local level and from businesses. To fulfill the Act's mandate, the Commission implemented a program that focuses on three principal components: (1) collecting complaints and providing victim assistance through a telephone hotline and a dedicated website; (2) maintaining and promoting the Identity Theft Data Clearinghouse (the ``Clearinghouse''), a centralized database of victim complaints that serves as an investigative tool for law enforcement; and (3) providing outreach and education to consumers, law enforcement, and private industry on prevention of identity theft. --------------------------------------------------------------------------- \4\ 18 U.S.C. 1028(a)(7). The statute broadly defines ``means of identification'' to include ``any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual,'' including, among other things, name, address, social security number, driver's license number, biometric data, access devices (i.e., credit cards), electronic identification number or routing code, and telecommunication identifying information. \5\ Because individual consumers' financial liability is often limited, prior to the passage of the Act, financial institutions, rather than individuals, tended to be viewed as the primary victims of identity theft. Setting up an assistance process for consumer victims is consistent with one of the Act's stated goals: to recognize the individual victims of identity theft. See S. Rep. No. 105-274, at 4 (1998). --------------------------------------------------------------------------- A. Understanding Identity Theft On November 1, 1999, the Commission began collecting complaints from consumers via a toll-free telephone number, 1-877-ID THEFT (438- 4338) (``ID Theft hotline''). Every year since has seen an increase in complaints.<SUP>6</SUP> The Clearinghouse now contains over 400,000 identity theft complaints from victims across the country. By itself, though, this self-reported data does not allow the FTC to draw conclusions about the incidence of identity theft in the general population. Consequently, the FTC commissioned a survey to get a better picture of the incidence of identity theft and the impact of the crime on its victims.<SUP>7</SUP> The results are startling. Identity theft is more widespread and pernicious than previously realized. The data show that within the 12 months preceding the survey, 3.2 million people discovered that an identity thief opened new accounts in their name. An additional 6.6 million consumers learned of the misuse of an existing account. Overall, nearly 10 million people--or 4.6 percent of the adult population--discovered that they were victims of some form of identity theft. These numbers translate to nearly $48 billion in losses to businesses, nearly $5 billion in losses to victims, and almost 300 million hours spent by victims trying to resolve the problem. Moreover, according to the researchers, identity theft is a growing crime. The survey indicates a significant increase in the past 2-3 years--nearly a doubling from one year to the next, although the research shows that the rate of increase slowed during the past 1-2 years. It also is worth noting that most of the recent increase primarily involves the account takeover form of identity theft that tends to cause less economic injury to victims and is generally easier for them to identify and fix. Overall, the survey puts the problem of identity theft into sharper focus, and has spurred the FTC to even greater efforts to help victims and support law enforcement in its aggressive prosecution of identity thieves. --------------------------------------------------------------------------- \6\ Charts that summarize data from the Clearinghouse can be found at http://www.consumer.gov/idtheft/stats.html and \7\ The research took place during March and April 2003. It was conducted by Synovate, a private research firm, and involved a random sample telephone survey of over 4,000 U.S. adults. The full report of the survey can be found at http://www.consumer.gov/idtheft/stats.html. --------------------------------------------------------------------------- B. Assisting Identity Theft Victims In addition to taking complaints from victims, the FTC provides advice on recovery from identity theft. Callers to the ID Theft hotline receive telephone counseling from specially trained personnel who provide general information about identity theft and help guide victims through the steps needed to resolve the problems resulting from the misuse of their identities.<SUP>8</SUP> Victims are advised to: (1) obtain copies of their credit reports from the three national consumer reporting agencies and have a fraud alert placed on their credit reports; <SUP>9</SUP> (2) contact each of the creditors or service providers where the identity thief has established or accessed an account, to request that the account be closed and to dispute any associated charges; and (3) report the identity theft to the police and get a police report, which is very helpful in demonstrating to would-be creditors and debt collectors that the consumers are genuine victims of identity theft. --------------------------------------------------------------------------- \8\ Spanish speaking counselors are available for callers who are not fluent in English. \9\ These fraud alerts indicate that the consumer is to be contacted before new credit is issued in that consumer's name. See Section II.D.(3)(b) infra for a discussion of the credit reporting agencies ``joint fraud alert'' initiative. --------------------------------------------------------------------------- Counselors also advise victims having particular problems about their rights under relevant consumer credit laws including the Fair Credit Reporting Act, <SUP>10</SUP> the Fair Credit Billing Act, <SUP>11</SUP> the Truth in Lending Act, <SUP>12</SUP> and the Fair Debt Collection Practices Act.<SUP>13</SUP> If the investigation and resolution of the identity theft falls under the jurisdiction of another regulatory agency that has a program in place to assist consumers, callers also are referred to those agencies. --------------------------------------------------------------------------- \10\ 15 U.S.C. 1681 et seq. \11\ Id. 1666. The Fair Credit Billing Act generally applies to ``open end'' credit accounts, such as credit cards, revolving charge accounts, and overdraft checking accounts. It does not cover installment contracts, such as loans or extensions of credit that are repaid on a fixed schedule. \12\ Id. 1601 et seq. \13\ Id. 1692 et seq. --------------------------------------------------------------------------- The FTC's identity theft website, located at www.consumer.gov/ idtheft, provides equivalent service for those who prefer the immediacy of an online interaction. The site contains a secure complaint form that allows victims to enter their identity theft information for input into the Clearinghouse. Victims also can read and download all of the resources necessary for reclaiming their credit record and good name. One resource in particular is the FTC's tremendously successful consumer education booklet, Identity Theft: When Bad Things Happen to Your Good Name. The 26-page booklet, now in its fourth edition, comprehensively covers a range of topics, including the first steps to take for victims, how to correct credit-related and other problems that may result from identity theft, tips for those having trouble getting a police report taken, and advice on ways to protect personal information. It also describes federal and state resources that are available to victims who may be having particular problems as a result of the identity theft. The FTC alone has distributed more than 1.2 million copies of the booklet since its release in February 2000, and recorded over 1.2 million visits to the web version.<SUP>14</SUP> Last year, the FTC released a Spanish language version of the Identity Theft booklet, Robo de Identidad: Algo malo puede pasarle a su buen nombre. --------------------------------------------------------------------------- \14\ Other government agencies, including the Social Security Administration, the SEC, and the FDIC also have printed and distributed copies of Identity Theft: When Bad Things Happen to Your Good Name. --------------------------------------------------------------------------- C. The Identity Theft Data Clearinghouse Because one of the primary purposes of the Identity Theft Act was for criminal law enforcement agencies to use the database of victim complaints to support their investigations, the Commission took a number of steps to ensure that the database would meet the needs of law enforcement, before launching it. Initially, the FTC met with a host of law enforcement and regulatory agencies to obtain feedback on what the database should contain. Law enforcement access to the Clearinghouse via the FTC's secure website became available in July of 2000. To ensure that the database operates as a national clearinghouse for complaints, the FTC has solicited complaints from other sources. For example, in February 2001, the Social Security Administration Office of Inspector General (SSA-OIG) began providing the FTC with complaints from its fraud hotline, significantly enriching the FTC's database. The Clearinghouse provides a picture of the nature, prevalence, and trends of the identity theft victims who submit complaints. FTC data analysts aggregate the data and develop them into charts and statistics.<SUP>15</SUP> For instance, the Commission publishes charts showing the prevalence of identity theft by states and by cities. Law enforcement and policy makers at all levels of government use these reports to better understand the challenges identity theft presents. --------------------------------------------------------------------------- \15\ Charts that summarize data from the Clearinghouse can be found at http://www.consumer.gov/idtheft/stats.html and http:// www.consumer.gov/sentinel/index.html. --------------------------------------------------------------------------- Since the inception of the Clearinghouse, more than 770 law enforcement agencies, from the federal to the local level, have signed up for access to the database. Individual investigators within those agencies have the ability to access the system from their desktop computers 24 hours a day, seven days a week. The Commission actively encourages even greater participation. As previously stated, one of the goals of the Clearinghouse and the FTC's identity theft program is to support identity theft prosecutions nationwide.<SUP>16</SUP> Last year, in an effort to further expand the use of the Clearinghouse among law enforcement, the FTC, in cooperation with the Department of Justice, the United States Postal Inspection Service, and the United States Secret Service, initiated full-day identity theft training seminars for state and local law enforcement officers. To date, sessions have been held in Washington, D.C., Des Moines, Chicago, San Francisco, Las Vegas, Dallas, Phoenix, New York, Seattle, and San Antonio. The FTC also helped the Kansas and Missouri offices of the U.S. Attorney and State Attorney General conduct a training seminar in Kansas City. More than 1200 officers have attended these seminars, representing more than 300 different agencies. A session to be held in Orlando in January will commence next year's round of seminars. --------------------------------------------------------------------------- \16\ The Commission testified last year in support of S. 2541, the Identity Theft Penalty Enhancement Act of 2002, which would increase penalties and streamline proof requirements for prosecution of many of the most harmful forms of identity theft. See Testimony of Bureau Director J. Howard Beales, Senate Judiciary Committee, Subcommittee on Terrorism, Technology and Government Information (July 11, 2002). S. 2541 has been reintroduced in the 108th Congress as S. 153. --------------------------------------------------------------------------- The FTC staff also developed an identity theft case referral program.<SUP>17</SUP> The staff creates preliminary investigative reports by examining significant patterns of identity theft activity in the Clearinghouse and refining the data through the use of additional investigative resources. Then the staff refers the investigative reports to appropriate Financial Crimes Task Forces and other law enforcers located throughout the country for further investigation and potential prosecution. The FTC is aided in this work by its federal law enforcement partners including the United States Secret Service, the Federal Bureau of Investigation, and the United States Postal Inspection Service who provide staff and other resources. --------------------------------------------------------------------------- \17\ The referral program complements the regular use of the database by all law enforcers from their desktop computers. --------------------------------------------------------------------------- D. Outreach and Education The Identity Theft Act also directed the FTC to provide information to consumers about identity theft. Recognizing that law enforcement and private industry each play an important role in the ability of consumers both to minimize their risk and to recover from identity theft, the FTC expanded its outreach and education mission to include these sectors. (1) Consumers: The FTC has taken the lead in coordinating with other government agencies and organizations in the development and dissemination of comprehensive consumer education materials for victims of identity theft and those concerned with preventing this crime. The FTC's extensive consumer and business education campaign includes print materials, media mailings, and radio and television interviews. The FTC also maintains the identity theft website, which includes the publications and links to testimony, reports, press releases, identity theft-related state laws, and other resources. To increase identity theft awareness for the average consumer, the FTC recently developed a new primer on identity theft, ID Theft: What's It All About? This publication discusses the common methods of identity thieves, how consumers can best minimize their risk of being victimized, how to identify the signs of victimization, and the basic first steps for victims. Since its release in May 2003, the FTC has distributed almost 268,000 paper copies, and over 15,000 web versions. With the detailed victim recovery guide, Identity Theft: When Bad Things Happen to Your Good Name, the publication helps to fully educate consumers. (2) Law Enforcement: Because law enforcement at the state and local level can provide significant practical assistance to victims, the FTC places a premium on outreach to such agencies. In addition to the training described previously (see supra Section II.C.), the FTC staff joined with North Carolina's Attorney General Roy Cooper to send letters to every other Attorney General letting him or her know about the FTC's identity theft program and how each Attorney General could use the resources of the program to better assist residents of his or her state. The letter encouraged each Attorney General to link to the consumer information and complaint form on the FTC's website and to let residents know about the hotline, stressed the importance of the Clearinghouse as a central database, and described all of the educational materials that each Attorney General can distribute to residents. North Carolina took the lead in availing itself of the Commission's resources in putting together for its resident victims a package of assistance that includes the ID Theft Affidavit (see Section II.D.(3)(b)), links to the FTC website and www.consumer.gov/idtheft. Through this initiative, the FTC hopes to make the most efficient use of federal resources by allowing states to take advantage of the work the FTC already has accomplished and at the same time continuing to expand the centralized database of victim complaints and increase its use by law enforcement nationwide. Other outreach initiatives include: (i) Participation in a ``Roll Call'' video produced by the Secret Service, which has been sent to thousands of law enforcement departments across the country to instruct officers on identity theft, investigative resources, and assisting victims and (ii) the redesign of the FTC's website to include a section for law enforcement with tips on how to help victims as well as resources for investigations. (3) Industry: The private sector can help with the problem of identity theft in a number of ways. For instance, businesses can prevent identity theft by keeping their customers' or employees' sensitive information secure and out of the wrong hands. In addition, businesses can implement procedures to assist identity theft victims in the recovery process. (a) Information Security Breaches: The FTC works with institutions that maintain personal information to identify ways to help keep that information safe from identity theft. Last year, the FTC invited representatives from financial institutions, credit issuers, universities, and retailers to an informal roundtable discussion of how to prevent unauthorized access to personal information in employee and customer records. The FTC will soon publish a self-assessment guide to make businesses and organizations of all sizes more aware of how they manage personal information and to aid them in assessing their security protocols. As awareness of the FTC's role in identity theft has grown, businesses and organizations that have suffered compromises of personal information have begun to contact the FTC for assistance. For example, in the cases of TriWest <SUP>18</SUP> and Ford/Experian, <SUP>19</SUP> in which tens of thousands of consumers' files were compromised, the Commission gave advice on how to notify those individuals and how to protect the data in the future. To provide better assistance in these types of cases, the FTC developed a kit, Information Compromise and the Risk of Identity Theft: Guidance for Your Business, that will be posted on the identity theft website in the coming weeks. The kit provides advice on which law enforcement agency to contact, business contact information for the three major credit reporting agencies, suggestions for establishing an internal communication protocol, information about contacting the FTC for assistance, and a detailed explanation of what information individuals need to know. The kit also includes a model letter for notifying individuals when their names and Social Security numbers have been taken. Organizations are encouraged to print and include copies of Identity Theft: When Bad Things Happen to Your Good Name with the letter to individuals. --------------------------------------------------------------------------- \18\ Adam Clymer, Officials Say Troops Risk Identity Theft After Burglary, N.Y. Times, Jan. 12, 2003, 1 (Late Edition), at 12. \19\ Kathy M. Kristof and John J. Goldman, 3 Charged in Identity Theft Case, LA Times, Nov. 6, 2002, Main News, Part 1 (Home Edition), at 1. --------------------------------------------------------------------------- The FTC particularly stresses the importance of notifying individuals as soon as possible when information has been taken that may put them at risk for identity theft. They can then begin to take steps to limit the potential damage to themselves. For example, individuals whose Social Security numbers have been compromised, and who place a fraud alert promptly have a good chance of preventing, or at least reducing, the likelihood that the theft or release of this information will turn into actual misuse. Prompt notification also alerts these individuals to review their credit reports and to watch for the signs of identity theft. In the event that they should become victims, they can quickly take action to clear their records before any long-term damage is done. Besides providing Information Compromise and the Risk of Identity Theft: Guidance for Your Business, the FTC staff can provide individual assistance and advice, including review of consumer information materials for the organization and coordination of searches of the Clearinghouse for complaints with the law enforcement officer working the case. (b) Victim Assistance: Identity theft victims spend significant time and effort restoring their good name and financial records. As a result, the FTC devotes significant resources to conducting outreach with the private sector on ways to improve victim assistance procedures. One such initiative arose from the burdensome requirement that victims complete a different fraud affidavit for each different creditor with whom the identity thief had opened an account.<SUP>20</SUP> To reduce that burden, the FTC worked with industry and consumer advocates to create a standard form for victims to use in resolving identity theft debts. From its release in August 2001 through October 2003, the FTC has distributed more than 293,000 print copies of the ID Theft Affidavit. There have also been nearly 479,000 hits to the web version. The affidavit is available in both English and Spanish. --------------------------------------------------------------------------- \20\ See ID Theft: When Bad Things Happen to Your Good Name: Hearing Before the Subcomm. on Technology, Terrorism and Government Information of the Senate Judiciary Comm. 106th Cong. (2000) (statement of Mrs. Maureen Mitchell, Identity Theft Victim). --------------------------------------------------------------------------- Another initiative designed to assist victims is the ``joint fraud alert'' administered by the three major credit reporting agencies (``CRAs''). After receiving a request from an identity theft victim for the placement of a fraud alert on his or her consumer report and for a copy of that report, each CRA now shares that request with the other two CRAs, thereby eliminating the requirement that the victim contact each of the three major CRAs separately. iii. new protections for identity theft victims On December 4, President Bush signed the Fair and Accurate Credit Transactions Act of 2003.<SUP>21</SUP> Many of the provisions amend the Fair Credit Reporting Act (``FCRA'') <SUP>22</SUP> and provide new and important measures to prevent identity theft, enhance consumer ability to detect it when it does occur, and facilitate identity theft victims' recovery.<SUP>23</SUP> --------------------------------------------------------------------------- \21\ Pub. L. No. 108-396 (2003) (codified at 15 U.S.C. 1681 et seq.). \22\ 15 U.S.C. 1681 et seq. \23\ The Commission testified on July 9 and 10, 2003 before the House Committee on Financial Services and the Senate Committee on Banking, Housing, and Urban Affairs respectively. The testimony can be found at http://www.ftc.gov/os/2003/07/fcratest.html and http:/// www.ftc.gov/os/2003/07/fcrasenatettest.htm. --------------------------------------------------------------------------- A. Access to free consumer reports <SUP>24</SUP> --------------------------------------------------------------------------- \24\ Pub. L. No. 108-396, 211 (2003). --------------------------------------------------------------------------- Previously, under the FCRA consumers were entitled to a free consumer report only under limited circumstances.<SUP>25</SUP> Now consumers have the right to request a free consumer report annually from nationwide CRAs. This benefit will enhance consumers' ability to discover and correct errors, thereby improving the accuracy of the system, and also can provide an early alert to identity theft victims about crimes committed in their names. --------------------------------------------------------------------------- \25\ Previously, free reports were available only pursuant to the FCRA when the consumer suffered adverse action, believed that fraudulent information may be in his or her credit file, was unemployed, or was receiving welfare benefits. Absent one of these exceptions, consumers had to pay a statutory ``reasonable charge'' for a file disclosure; this fee is set each year by the Commission and is currently $9. See 15 U.S.C. 1681j. In addition, a small number of states required the CRAs to provide free annual reports to consumers at their request. --------------------------------------------------------------------------- B. National fraud alert system <SUP>26</SUP> --------------------------------------------------------------------------- \26\ Pub. L. No. 108-396, 112 (2003). --------------------------------------------------------------------------- Under this provision, consumers who reasonably suspect they have been or may be victimized by identity theft, or who are military personnel on active duty away from home, can place an alert on their credit files. The alert will put potential creditors on notice that they must proceed with caution when granting credit in the consumer's name. The provision also codified and standardized the industry's ``joint fraud alert'' initiative (see Section II.D.(3)(b) supra). C. Identity theft account blocking <SUP>27</SUP> --------------------------------------------------------------------------- \27\ Id. 152. --------------------------------------------------------------------------- This provision requires CRAs immediately to cease reporting, or block, allegedly fraudulent account information on consumer reports when the consumer submits a police report or similar document, unless there is reason to believe the report is false. Blocking would mitigate the harm to consumers' credit records that can result from identity theft. D. Truncation of credit and debit card receipts <SUP>28</SUP> --------------------------------------------------------------------------- \28\ Id. 113. --------------------------------------------------------------------------- In many instances, identity theft results from thieves obtaining access to account numbers on credit card receipts. This source of fraud could be reduced by requiring merchants to truncate the full card number on the receipt. The use of truncation technology is becoming widespread, and some card issuers already require merchants to truncate. This law now requires truncation of credit and debit card numbers on electronic receipts, but creates a phase-in period to allow for the replacement of existing equipment.E. ``Red flag'' indicators of identity theft <SUP>29</SUP> --------------------------------------------------------------------------- \29\ Id. 114. --------------------------------------------------------------------------- Under this provision, the banking regulators and the FTC will jointly develop guidelines for ``red flag'' indicators of identity theft. The goal of this provision is to give financial institutions and creditors up-to-date information on identity theft patterns and practices so that they can take appropriate action to prevent this crime. iv. conclusion Identity theft places substantial costs on individuals and businesses. The Commission, through its education and enforcement capabilities, is committed to reducing identity theft as much as possible. The Commission will continue its efforts to assist criminal law enforcement with their investigations. Prosecuting perpetrators sends the message that identity theft is not cost-free. Finally, the Commission knows that as with any crime, identity theft can never be completely eradicated. Thus, the Commission's program to assist victims and work with the private sector on ways to facilitate the process for regaining victims' good names will always remain a priority. Mr. Greenwood. Thank you very much, Ms. Broder. Mr. Burke. TESTIMONY OF KEVIN J. BURKE Mr. Burke. Good morning, Mr. Chairman and Congressman Gerlach. On behalf of the United States Postal Inspection Service, thank you for holding this hearing and giving me the opportunity to discuss the subject of identity crimes and the significant role postal inspectors play in combating it. I am Kevin Burke, Deputy Chief Inspector for Eastern Field Operations for the Postal Inspection Service. The responsibility of safeguarding 200 billion pieces of mail and ensuring America's trust in the postal system falls squarely on the shoulders of the United States Postal Inspectors. As Federal law enforcement officers, we enforce over 200 Federal statutes. Primary among those are the theft or possession of stolen mail statute and the oldest, and still the most effective consumer protection law, the mail fraud statute. Mr. Greenwood. I am sorry, we are going to need you to pull that microphone up. Mr. Burke. Last year, Postal Inspectors made over 11,000 arrests. 3,000 of those arrests were made for identity theft. Identity theft arrests have increased in each of the past 3 years. I am sure all of you have received pre-approved credit applications in the mail. In the past, those mailings were prime targets for an identity thief, because they simply required the thief to sign the application and return it to the company. But times have changed, due to our efforts in raising awareness of the problem. For example, credit card companies have adopted recommendations we have made and have begun automatically discarding suspicious looking applications for credit, especially when there are differences between where the consumer claims they reside and what address their customer file indicates. In addition, credit card companies have changed another of their practices. Credit offers sent through the mail now contain much less information. Another favorite vehicle for thieves used to be the fraudulent change of address scheme, directing the Post Office to forward a victim's mail to an address the thief controlled. Not any more. A proactive effort by the Postal Service to prevent a false change of address is the Move Validation Letter. Now, whenever a change of address is filed, the Postal Service sends a letter to both the new and old addresses. The letter instructs the recipient to call an 800 number if they have not recently requested a change. This simple measure has virtually eliminated the placing of false change of address with the Postal Service as an avenue for committing identity theft. According to a report released by the FTC this past September, mail theft as a source of identity theft happened in only 4 percent of the cases surveyed. As we have made it more difficult for mail theft to be a component of identity theft, criminals have turned to other means, oftentimes recruiting the assistance of insiders, employees who have access to personal information of clients or other employees. Personal information contained in corporate and government records and computer data bases is a fertile area for dishonest employees working in conjunction with identity thieves. Three years ago, a Philadelphia resident reported to police that after her father's death, she continued receiving credit card bills showing changes made in her father's name. The statements even reflected a request for a new account. U.S. Postal Inspectors and detectives from the Philadelphia Police Department determined that her father's identity had been stolen when his body was processed through the Medical Examiner's Office. 16 suspects were ultimately identified, 10 of them employees working within the Medical Examiner's Office. The employees used the credit cards to make purchases for themselves or passed the credit cards on and other personal information they found to outsiders. The scheme went on for 3 years before they got caught. All 16 defendants were caught and convicted. Postal Inspectors were called in to participate in the investigation as bills for illegally purchased items were sent through the mail, as was financial information for newly and fraudulently opened accounts. Just last month, in a separate investigation, Postal Inspectors in Philadelphia and other task force member arrested the ringleader of an identity theft gang. A search of his Chester residence found a commercial grade credit card embossing machine that the suspect had purchased over the Internet. The suspect used a fictitious name and had his purchase delivered by private courier to an abandoned Philadelphia area address, all without arousing suspicion. When searching his house, we also recovered 2,500 blank credit cards, numerous counterfeited credit cards, valid credit cards that had been stolen from the mail and counterfeit Pennsylvania, Virginia, Florida and District of Columbia drivers' licenses. Postal Inspectors together with the FBI are also investigating the identity theft of about 30 Montgomery and Delaware County residents who donated blood to the American Red Cross in November or December of last year. Donors are required to supply their names, as was previously mentioned, Social Security number and other identifying information before giving blood. As was previously mentioned, this is a still active investigation, and I am not at liberty to discuss any details. However, I would like to commend the American Red Cross for their efforts in proactively--and assisting in this investigation. In 2002, Patrick J. Meehan, U.S. Attorney for the Eastern District of Pennsylvania, formed a regional working group to facilitate the sharing of intelligence and investigative resources in combating identity theft in and around the Philadelphia area. As a member of the Group, the Postal Inspection Service has taken the lead in developing a web-based data base that tracks customer and financial industry reports of mail theft and identity theft. The data base allows all Group members to track loss information and perform advanced searches on victims' names. The data base also performs what is known as ``link analysis,'' by automatically matching common addresses used by thieves. One of the most insidious aspects of identity theft is the length of time the scheme can be carried out before it is even detected. It may be months before a victim realizes they have been targeted. It is not until a consumer gets turned down for credit, a car loan, or a mortgage on that dream house because of bad credit ratings that they realize what has taken place. Damaged credit ratings may take years to restore. Victims run the gamut of society. They are wealthy, they are poor, they are old and they are young. No one is immune. Anyone is a potential victim. Aggressive law enforcement efforts are a key component of our mission. But arrests are not the only solution. We have found that creating awareness and prevention programs for consumers can go a long way to lessen the impact of this crime on the public. Over the past 10 years, the Inspection Service has published and distributed a series of brochures and posters and newsletters to enhance and raise public awareness. Our publication Identity Theft--Safeguard Your Personal Information has been distributed to over 2 million consumers and businesses. Detecting and Preventing Account Takeover Fraud, another of our publications, advises credit card companies on steps they can take to detect and prevent takeover schemes. Our most recent document is not going to be published, because it is an ever-changing, evolving document. It is called Fighting Identity Theft, and will be provided as a best practices to the financial industry, to law enforcement agencies and consumer groups and prosecutors throughout the United States. Just this past September, the Postal Inspection Service, along with our partners in the FTC and the Postal Service, launched a nationwide awareness campaign on identity theft. We used a two-pronged approach, providing prevention and awareness information to consumers and informing businesses on the need to safeguard their files and data bases containing customer information. Actor Jerry Orbach, or television's Law and Order fame, who himself was a victim of identity theft, was the campaign's spokesman. The Mullen agency of Pittsburgh provided support for this year's campaign on a pro bono basis. But what really makes this campaign unique is the funding source. We have all the saying ``crime doesn't pay.'' In the case of this awareness campaign, it does pay. The campaign was funded with a unique application of fines and forfeitures paid by criminals in past fraud cased. Sometimes, the most effective vehicle in getting out the message is when the message comes directly from an authoritative source, the criminals themselves. Last year, Postal Inspectors in Pittsburgh caught a man who stole the identities of several celebrities, including the actor Will Smith. The thief, Carlos Lomax, was prosecuted by the U.S. Attorney's Office in the Western District of Pennsylvania and convicted. Lomax agreed to let us tape an interview of him describing what he did and how he did it. Educating the public and working to reduce opportunities where the Postal Service and the mail can be used for illegal purposes are crucial elements in our fight against identity crimes. As always, we will do our part to remove criminals from society. We appreciate the subcommittee's recognition of this important issue, and with your permission, sir, we would like to play a brief portion of that tape. [The prepared statement of Kevin J. Burke follows:] Prepared Statement of Kevin J. Burke, Deputy Chief Inspector, Eastern Field Operations, United States Postal Inspection Service Good morning, Mr. Chairman, members of the subcommittee. On behalf of the United States Postal Inspection Service, thank you for holding this hearing and giving me the opportunity to discuss the subject of identity crimes and the significant role Postal Inspectors play in combating it. I'm Kevin Burke, Deputy Chief Inspector, Eastern Field Operations, for the Postal Inspection Service. The responsibility for safeguarding 200 billion pieces of mail a year and ensuring America's trust in the postal system falls on the shoulders of U. S. Postal Inspectors. As federal law enforcement officers, we enforce over 200 federal statutes; primary among those are the theft or possession of stolen mail statute and the oldest, and still the most effective consumer protection law, the mail fraud statute. Last year, Postal Inspectors made over 11,000 arrests. Three thousand of those arrests were for identity theft. Identity theft arrests have increased each year for the past three years. I'm sure all of you have received pre-approved credit applications in the mail. In the past, those mailings were prime targets for an identity thief because they simply required the thief to sign the application and return it to the company. But times have changed, due to our efforts in raising awareness of the problem. For example, credit card companies have adopted recommendations we've made and have begun automatically discarding suspicious-looking applications for credit, especially when there are differences between where the ``customer'' claims they reside and what address their customer file indicates. In addition, credit card companies have changed another of their practices--credit offers sent through the mail now contain much less information. Another favorite vehicle for thieves used to be the fraudulent change-of-address scheme, directing the Post Office to forward a victim's mail to an address the thief controlled. Not any more. A proactive effort by the Postal Service to prevent a false change-of- address is the Move Validation Letter. Now, whenever a change-of- address is filed, the Postal Service sends a letter to both the old and new addresses. The letter instructs the recipient to call an ``800'' number if they had not recently requested a change. This simple measure has virtually eliminated the placing of a false change of address with the Postal Service as an avenue for committing identity theft. According to a report released by the FTC this past September, mail theft as a source for identity theft happened in only 4% of the cases surveyed. As we have made it more difficult for mail theft to be a component of identity theft, criminals have turned to other means, oftentimes recruiting the assistance of insiders, employees who have access to the personal information of clients or other employees. Personal information contained in corporate and government records and computer databases is a fertile area for dishonest employees working in conjunction with identity thieves. Three years ago, a Philadelphia resident reported to police that, after her father's death, she continued receiving credit card bills showing charges made in her father's name. The statements even reflected a request for a new account. US Postal Inspectors and detectives from the Philadelphia Police Department determined that her father's identity had been stolen when his body was processed through the Medical Examiner's Office. Sixteen suspects were ultimately identified, ten of them employees working within the Medical Examiner's Office. The employees used the credit cards to make purchases for themselves or passed the credit cards and other personal information they found to outsiders. The scheme went on for three years before they got caught. All sixteen defendants were caught and convicted. Postal Inspectors were called in to participate in the investigation as bills for illegally purchased items were sent through the mail as was financial information for newly--and fraudulently--opened accounts. Just last month, in a separate investigation, Postal Inspectors in Philadelphia and other task force members arrested the ringleader of an identity theft gang. A search of his Chester residence found a commercial-grade credit card embossing machine that the suspect had purchased over the Internet. The suspect used a fictitious name and had his purchase delivered by private carrier to an abandoned Philadelphia area address, all without arousing suspicion. When searching his house, we also recovered over 2,500 blank credit cards, numerous counterfeited credit cards, valid credit cards that had been stolen from the mail, and counterfeit PA, VA, FL and DC drivers' licenses. Postal Inspectors together with the FBI are also investigating the identity theft of about 30 Montgomery and Delaware County residents who donated blood to the American Red Cross in November or December of last year. Donors are required to supply their names, social security numbers and other identifying information before giving blood. As this is still an active investigation, I am not at liberty to offer any details other than the Red Cross has been very forthcoming in cooperating with authorities and the case is ongoing. In addition to modifying industry practices and making financial mailings less attractive to a thief, our partnerships with regulatory, financial industry and other law enforcement groups have resulted in a number of initiatives. In 2002, Patrick J. Meehan, U.S. Attorney for the Eastern District of PA, formed a regional working group to facilitate the sharing of intelligence and investigative resources in combating identity theft in and around the Philadelphia area. As a member of the Group, the Postal Inspection Service has taken the lead in developing a web-based database that tracks customer and financial industry reports of mail theft and identity theft. The database allows all Group members to track loss information and perform advanced searches on victims' names. The database also performs what is known as ``link analysis,'' by automatically matching common addresses used by thieves. One of the most insidious aspects of identity theft is the length of time the scheme can be carried out before it is even detected. It may be months before a victim realizes they've been targeted. It's not until a consumer gets turned down for credit, a car loan or a mortgage on a dream house because of a bad credit rating do they realize what has taken place. Damaged credit ratings may take years to restore. Victims run the gamut of society--they're wealthy, they're poor; they're old, they're young. No one is immune. Anyone is a potential victim. Aggressive law enforcement efforts are a key component of our mission. But arrests are not the only solution. We have found that creating awareness and prevention programs for consumers can go a long way to lessen the impact of this crime on the public. Over the past 10 years, the Postal Inspection Service has published and distributed a series of brochures, posters and newsletters to raise public awareness. Our publication ``Identity Theft--Safeguard Your Personal Information,'' has been distributed to over two million consumers and businesses. ``Detecting and Preventing Account Takeover Fraud,'' another of our publications, advises credit card companies on steps they can take to detect and prevent takeover schemes. Just this past September, the Postal Inspection Service, along with our partners the FTC and the Postal Service launched a nationwide awareness campaign on identity theft. We used a two-pronged approach: providing prevention and awareness information to consumers, and informing businesses on the need to safeguard their files and databases containing customers' information. Actor Jerry Orbach, of television's Law and Order fame, who himself was a victim of identity theft, was the campaign's spokesman. The Mullen agency of Pittsburgh provided support for this year's campaign on a pro bono basis. But what really makes this campaign unique is the funding source. We've all heard the saying, ``crime doesn't pay.'' In the case of this awareness campaign, it does pay. This campaign was funded through a unique application of fines and forfeitures paid by criminals in a past fraud case. Sometimes the most effective vehicle for ``getting out the message'' is when the message comes directly from an authoritative source, the criminals themselves. Last year, Postal Inspectors in Pittsburgh caught a man who stole the identities of several celebrities, including the actor Will Smith. The thief, Carlos Lomax, was prosecuted by the U.S. Attorney's Office in the Western District of Pennsylvania and convicted. Lomax agreed to let us tape an interview of him describing what he did and how he did it. I would like to play a portion of that tape for you now. Educating the public and working to reduce opportunities where the Postal Service and the mail can be used for illegal purposes are crucial elements in our fight against identity crimes. As always, we will do our part to remove criminals from society. We appreciate the subcommittee's recognition of the importance of this issue. Mr. Greenwood. Please do. [Video shown.] Mr. Greenwood. Thank you. Mr. Abel, you are recognized for your statement. TESTIMONY OF JOHN M. ABEL Mr. Abel. Good afternoon, Chairman Greenwood and Congressman Gerlach. On behalf of the Pennsylvania Attorney General, Mike Fisher, I am honored to be here this afternoon to testify on this important topic. My name is John Abel, and I am a Senior Deputy Attorney General in the Philadelphia Regional Office of General Fisher's Bureau of Consumer Protection. Identity theft, as we heard, is a serious crime, and growing problem across the country with Pennsylvania's experience being no exception. Victim of this crime face devastating economic repercussions, and oftentimes spend countless hours undoing the harm in order to get their finances back in order. This can be a very stressful experience for the ordinary consumer, who in many instances does not realize until much later that their identity has been hijacked by an unknown perpetrator. By this time, hundreds if not thousands of dollars in unauthorized charges have been made in their name from any number of sources. I am here today to speak on behalf of the Bureau of Consumer Protection that is housed within the Public Protection Division. By way of background, the Bureau has several regional offices which handle more than 40,000 written complaints annually from consumers throughout the state. Nearly each of these consumer complaints is assigned to an individual agent, and in most instances, the agent will seek to mediate the case with the business, with the hopes of achieving a satisfactory resolution. Should the Bureau detect a pattern or practice of consumer fraud, based on the complaint history or from any other source, the Bureau may then commence a formal investigation and take legal action if necessary. With regard to the issue of identity theft, I will focus, for my few moments, on the efforts of the Bureau in educating consumers to avoid these thieves, and assisting consumers with restoring their credit. Although our office is vested with criminal authority to pursue perpetrators of identity theft, as a civil law litigator, I will not be able to speak specifically to the details of any criminal investigations or prosecutions. However, I would be happy to provide, later, any further information the subcommittee might desire. As for the scope of the problem, according to the Social Security Administration, more than 750,000 incidents of identity theft occurred nationwide last year. One study found that on the average, it takes victims 175 hours and over $800 in out of pocket costs to clear their name. Allow me to share with the committee some recent numbers which pertain specifically to Pennsylvanians. Statistics on identity theft are maintained by the Federal Trade Commission, which established an Identity Theft Hotline and Data Clearinghouse back in 1999. These records show that in 2002, Pennsylvania had reports of victims in 5,080 cases. The overwhelming majority, 46 percent, specifically experienced credit card fraud. Next, the most common instance involved unauthorized use of phone or utility services. Almost 1 in 4 of these crimes occurred in Philadelphia. However, every region of the State has experienced this brand of crime. Data shows the typical victim of identity theft is between 30 and 40 years of age and does not notice the crime until roughly a year after they have become a victim. Particularly disturbing is the victimization of our seniors, who with their good credit, retirement nest eggs and trusting nature are often targeted by scam artists. Only the State of Florida has a higher percentage of citizens over the age of 65 than Pennsylvania, and Attorney General Fisher's efforts to protect the Commonwealth's citizens include a special commitment to the protection of our seniors. As for efforts to combat the problem, the old saying that an ounce of prevention is worth a pound of cure is particularly true in this case. Attorney General Fisher has taken action to educate Pennsylvanians on how to avoid these tactics. Through various forms of outreach and public speaking, representatives from the Bureau help to spread the word on the rather simple and easy steps that consumers can take to avoid becoming a victim. We appear before religious and other community organizations, senior groups, numerous civic associations. We staff information booths at shopping malls and county fairs all throughout the state. Just this last year, the Bureau joined the National Consumer Protection Week by participating in education fairs and activities throughout the state. The theme was ``Consumer Confidential: The Privacy Story.'' Consistent with what I had said about the seriousness of these crimes against seniors, the Attorney General's Office has also launched a program known as the Senior Crime Prevention University to educate older Pennsylvanians and their families on crime prevention. This program is presented in conjunction with other law enforcement agencies, who provide training to help stop the multitude of crimes, including identity theft against the senior citizens of Pennsylvania. The Bureau has specially published a brochure with particular tips on how to protect one's personal identification information. For example, minimize identification information in cards you carry. Don't carry your Social Security card with you. Purchase a shredder. We have seen identity thieves that commonly sift through garbage seeking discarded mail. Be mindful of billing cycles. If it seems like one of your bills didn't arrive, follow up with the business. Don't give out personal information over the phone, through the mail, or over the Internet, unless you have initiated the contact or know with whom you are dealing. And last, order a copy of your credit report at least on an annual basis. If, despite taking these precautions, a person's information does end up in the wrong hands, our Office then recommends taking the following steps immediately. Call the fraud departments of the credit bureaus and request that a fraud alert be put on your file. You should also ask for a copy of your credit report and then follow up with those bureaus by asking that they remove any fraudulent or incorrect information. Contact banks, credit card companies and all other creditors who issued credit in your name and/or permitted access to your existing account and close all affected accounts. Finally, then contact your local police department and file a criminal report on the incident. As I mentioned before, each consumer complaint that the Bureau receives is assigned to an individual agent. In the case of identity theft, this agent is available to direct the consumer to the appropriate agencies. Additionally, these agents are available to work with and provide information to other parties in an effort to address some of the problems created by this theft. The Bureau has also taken action within the context of legal actions to protect consumer privacy and avoid identity theft. For instance, when an online retailer of children's education materials announced that it was going to cease operations and sell off its assets, Pennsylvania, along with a majority of other states, filed an Objection in the Bankruptcy Court to prevent that company from selling its customer list. Ultimately, through the efforts of Pennsylvania, the FTC and 42 other states, this company agreed to destroy the customer list. In another, more recent case, the Bureau took action against Bucks County based national seller of computers, and made certain that the settlement there prohibited the sale or disclosure of other consumer information. Once again, thank you for the opportunity to comment today on the Bureau of Consumer Protection's efforts to assist consumers in preventing the growing problem of identity theft, and we want to commend Congress for its recent enactment of the Fair and Accurate Credit Transactions Act, which should further assist consumers in combating this problem. For instance, one of the two provisions that quickly come to mind is the one providing for a free annual credit report that will allow consumers to do this annual checkup that we talked--that we heard about this morning that is so important. Another provision is the one that speaks to the truncation of credit card and debit card account information. These and the other provisions should assist in combating this problem. I will be happy to take any questions. [The prepared statement of John M. Abel follows:] Prepared Statement of John M. Abel, Senior Deputy Attorney General, Pennsylvania Office of Attorney General, Bureau of Consumer Protection i. introduction Good morning Chairman Greenwood and distinguished members of the House Subcommittee on Oversight and Investigations. On behalf of the Pennsylvania Attorney General Mike Fisher, I am honored to be here this morning to testify on the important topic of identity theft. My name is John Abel and I am a Senior Deputy Attorney General in the Philadelphia Regional Office of General Fisher's Bureau of Consumer Protection. Identity theft is a serious crime and growing problem across the country with Pennsylvania's experience being no exception. Victims of this crime face devastating economic repercussions and oftentimes spend countless hours undoing the harm in order to get their finances back in order. This can be a very stressful experience for the ordinary consumer who in many instances does not realize until much later that their identity has been hijacked by an unknown perpetrator. By this time, hundreds, if not thousands, of dollars in unauthorized charges have been made in their name from any number of sources. I am here today to speak on behalf of the Bureau of Consumer Protection of the Attorney General's Office that is housed within the Public Protection Division. Along with the Bureau of Consumer Protection, a number of other offices are located within Public Protection including the Health Care Section, AntiTrust Section, Charitable Trusts and Organization Section and the Civil Rights Enforcement Section. ii. background Before I begin to talk about this problem, let me start by giving you a brief background of the Bureau of Consumer Protection. By law, the Attorney General's Bureau of Consumer Protection is authorized to perform the following duties: Investigate commercial and trade practices in the distribution, financing and furnishing of goods and services for the use of consumers; Conduct studies, investigations and research into matters affecting consumer interests and make such information available to the public; Advise the Pennsylvania Legislature on matters affecting consumer interests, including the development of policies and the proposal of programs to protect consumers; Investigate fraud and deception in the sale, servicing and furnishing of goods and products, and strive to eliminate such illegal actions; Promote consumer education and publicize matters relating to consumer fraud, deception and misrepresentation. The Bureau of Consumer Protection has seven regional offices which handle more than 40,000 written complaints annually from consumers throughout the Commonwealth. Over the past couple of years, the number of complaints has risen dramatically by more than 30 percent. This increase is due to a number of factors, one of which includes a growing wave of bankruptcies of a number of large retail establishments. Each of these consumer complaints is assigned to an individual agent and in most instances, that agent will seek to mediate the case with the business with hopes of achieving a satisfactory resolution. Should the Bureau detect a patten or practice of consumer fraud, based on complaint history or other sources, the Bureau may then commence a formal investigation. Under the law, the Bureau is authorized to file a formal legal action where it has reason to believe that a business has engaged in such a pattern of illegal practices and it is in the public interest to do so. On average, the Bureau files 150 actions per year. Legal actions take the form of a lawsuit filed in the Commonwealth Court or local Court of Common Pleas. These actions also include a settlement agreement permitted by law which is known as an Assurance of Voluntary Compliance. Through these actions, the Bureau can seek injunctive relief, such as prohibiting a company from doing business in the Commonwealth, as well as consumer restitution. The Bureau is authorized to seek a penalty of $1,000 per violation and $3,000 per violation where the consumer is of age 60 or older. With regard to the issues of identity theft, I will focus on the efforts of the Bureau of Consumer Protection in educating consumers to avoid these thieves and in assisting consumers with restoring their credit. Although our Office is vested with criminal authority to pursue perpetrators of identity theft, as a civil law litigator with the office, I will not be able to speak specifically to the details of any criminal investigations or prosecutions. However, I would be happy to provide later any further information that the subcommittee might desire. iii. scope of problem According to the Social Security Administration, more than 750,000 incidents of identity theft occurred nationwide last year. One study found that on the average, it takes victims 175 hours and over $800 in outofpocket to clear their name. The Federal Trade Commission reports that in 2002 they received 161,819 identity theft complaints. This national figure is almost double that which was reported in 2001, when the FTC tracked 86,198 complaints of identity theft. We have every reason to believe that the trend is increasing this year. Allow me to share with the Committee some recent numbers which pertain specifically to Pennsylvanians. Statistics on identity theft are maintained by the Federal Trade Commission which established an Identify Theft Hotline and Data Clearinghouse in 1999. These records show that in 2002, Pennsylvania had reports of victims in 5,080 cases. The overwhelming majority, 46 percent, specifically experienced credit card fraud. Next to credit card fraud, the most common instance involved unauthorized use of phone or utility services. Almost 1 in 4 of these crimes occurred in Philadelphia. However, every region in the Commonwealth has experienced this brand of crime. With statistics such as these, which have been steadily increasing, identity theft is a problem that certainly warrants the continued attention of the Subcommittee. Data shows that the typical victim of identity theft is between 30 and 40 years old and does not notice the crime until roughly a year after they have become a victim. At this age, people generally have an established credit history and a steady income. Similarly, with children, work, and other commitments, there are a lot of priorities and responsibilities to tackle. It is often easy to take your financial privacy and security for granted. Particularly disturbing is the increasing victimization of our seniors who, with their good credit, retirement nest eggs and trusting nature, are often targeted by scam artists. Only the state of Florida has a higher percentage of citizens over the age of 65 than Pennsylvania, and Attorney General Fisher's efforts to protect the Commonwealth's citizens includes a special commitment to protection of our seniors. These criminals use a variety of methods to access your information. They steal purses and wallets for personal information; they complete changeofaddress cards to have personal information forwarded out of the victim's hands. Other practices include ``dumpster diving,'' where criminals steal discarded statements and preapproved credit offers from the victim's trash. ``Shoulder surfing'' refers to the practice of stealing PIN numbers and account numbers over the person's shoulder while they are using an ATM. Of course, the Internet is fertile ground for these thieves. A fraudulent email can be sent promising some benefit in exchange for personal information. A surprising number of people quickly sent out the information without taking any steps to determine the validity of the offer. iv. efforts to combat problem The old saying that ``an ounce of prevention is worth a pound of cure'' is particularly true in the case of identity theft. Attorney General Fisher has taken action to educate Pennsylvanians on how to avoid these tactics. Through various forms of outreach and public speaking, representatives from the Bureau of Consumer Protection help to spread the word on the rather simple and easy steps that consumers can take to avoid becoming a victim. We appear before church and other community organizations, senior groups, as well as numerous civic associations. We staff information booths at shopping malls and county fairs throughout the state. Just this last year, the Bureau joined in National Consumer Protection Week by participating in consumer education fairs and activities throughout the Commonwealth. The theme was ``Consumer Confidential: The Privacy Story.'' As part of this event, the Bureau rolled out a new brochure titled ``Consumer Privacy: Protecting Your Personal Information.'' Consistent with what I had mentioned about the seriousness of these crimes against seniors, the Attorney General's Office has also launched a program known as the Senior Crime Prevention University to educate older Pennsylvanians and their families on crime prevention. The Senior Crime Prevention University is presented in conjunction with other law enforcement agencies who provide training to help stop the multitude of crimes, including identity theft, against the senior citizens of Pennsylvania. The Bureau has also specially published a brochure which offers specific tips to protect personal identifying information. For instance: Minimize the identification information and cards you carry. Don't carry your social security card with you and carry other cards that list your social security number (such as prescription cards or insurance cards) only when necessary. Purchase a shredder. As I said earlier, identity thieves commonly sift through garbage seeking discarded mail such as preapproved credit card offerings and bank statements. Be mindful of billing cycles if it seems like one of your bills didn't arrive, follow up with the business. Remember, that in addition to containing your name, address and other information, monthly statements also contain account numbers. Don't give out personal information over the phone, through the mail, or over the Internet unless you have initiated the contact, or know with whom you are dealing. To get your information, identity thieves may pose as representatives of banks, Internet services providers, even government agencies. Order a copy of your credit report. If, despite taking these precautions, a person's information does end up in the wrong hands, our Office recommends taking the fallowing steps immediately: Call the fraud departments of the credit bureaus and request that a ``fraud alert'' be put on your file. This lets creditors know to call you before they open any new accounts in your name. You should also ask for a copy of your credit report and follow up with these credit bureaus by asking that they remove any fraudulent or incorrect information. Contact banks, credit card companies and all other creditors who issued credit in your name and/or permitted access to your existing account and close all affected accounts. Finally, contact your local police department and file a criminal report on the incident. Such a report can help in clearing up your credit records and, or course, may lead to the arrest of the thief. As I mentioned before, each consumer complaint that the Bureau receives is assigned to an individual agent. In cases of identity theft, this agent is available to direct the consumer to the appropriate agencies. Additionally, the agents are available to work with, and provide information to, other parties in an effort to address some of the problems created by the theft. The Bureau has also taken action within the context of legal actions to protect consumer privacy and avoid identity theft. For instance, when an online retailer of children's education materials announced that it would cease operations and sell off its assets, Pennsylvania, along with a majority of other states, filed an Objection in the Bankruptcy Court to prevent that company from selling its customer list as an asset. Ultimately, through the efforts of Pennsylvania, the FTC and 42 other states, this company agreed to destroy the customer list. In another case where the Bureau took action against a Bucks County based national seller of computers, the Office made certain that the settlement prohibited the sale or other disclosure of customer information. In another legal action, this Office reached an Assurance of Voluntary Compliance with a Bucks County developer and distributor of computer games to resolve alleged violations related to the company's use of ``spyware'' in its computer games. Customers who purchased the product were unaware that the games included a computer file attachment which allowed third party advertisers to secretly interact with the consumers' computers and trace their steps on the Internet. Asserting that this conduct violated consumer privacy rights, the Commonwealth secured an agreement from the business barring the inclusion of such programs in its products and requiring the company to provide a means for customers to remove the software program from previously purchased products. Once again, thank you for the opportunity to comment today on the Bureau of Consumer Protection's efforts to assist consumers in preventing the growing problem of identity theft and I want to commend Congress for its recent enactment of the Fair and Accurate Credit Transactions Act which should further assist consumers in combating this problem. I would be happy to take any questions. Mr. Greenwood. Thank you. Lieutenant Colonel Periandi. TESTIMONY OF LT. COL. RALPH M. PERIANDI Mr. Periandi. Good morning, Chairman Greenwood. I am Lieutenant Colonel Ralph Periandi, Deputy Commissioner of Operations for the Pennsylvania State Police. On behalf of Colonel Jeffrey B. Miller, Commissioner of the Pennsylvania State Police, I would like to thank the House Energy and Commerce Subcommittee on Oversight and Investigations for this opportunity to speak on the issue of identity theft. Identity theft is delineated in Title 18, Pennsylvania Crimes Code, Section 4120. This statute indicates a person commits the offense of identity theft of another person if he possesses or uses, through any means, identifying information of another person without consent of that person to further any unlawful purpose. The unlawful activity could involve a criminal utilizing a victim's information in order to obtain access to loans, credit, or debit cards, bank accounts, services such as telephone or cable, or personal property ranging from groceries to automobiles. Following the tragic events of September 11, 2001, law enforcement must also consider the use of another person's identifying information by criminals or terrorists in an attempt to gain access to restricted areas, information--restricted areas or information in order to further their criminal enterprise. In recent years, the crime of identity theft has grown in scope with the advent of the inexpensive personal computer. Those criminals possessing familiarity with computers now have powerful resources at their disposal. By obtaining personal, biographical and financial information which is readily available on the Internet, an identity thief can pose as anyone. Additionally, by utilizing the wide range of high quality computer peripherals, they are able to craft documents and identification which allow them to create new identities or steal the identity of someone else. Another computer aided method of committing identity theft is known as skimming. Skimming is the practice of reading and storing the magnetic information on a debit or credit card. It is easily accomplished by those in the service or retail industry by swiping a provided credit or debit card through a second card reader at the time of a legitimate transaction. The stored information is then used by that individual or sold to others for criminal purposes. Conversely, the technologically challenged identity thief continues to resort to time tested low-tech methods for obtaining the personal information of a victim. Stealing mail, digging through garbage, generally provides the criminal with extensive personal information, to include the victim's full name, date of birth, Social Security number, bank account information, utilities account information, address and telephone number. Armed with this knowledge, the identity thief is ready to apply for credit or access funds in the name of the victim. Currently, the best source for documented statistical information concerning the problem of identity theft, and it has previously been testified to, is the Federal Trade Commission. The FTC has been maintaining data and information regarding this crime since enactment of the Identity Theft and Assumption Deterrence Act. In furtherance of this Act, the FTC developed the Identity Theft Data Clearinghouse and its reporting vehicle, the Consumer Sentinel. To quantify the problem of identity theft, the following information is provided from the Consumer Sentinel. Of over 380,000 fraud complaints received nationally in 2002, the largest category of complaint was identity theft at 43 percent. Individual victim costs per fraud is estimated at $2,000. This, Mr. Chairman, the next area, national reporting of identity theft has steadily increased since the year 2000, I think you are going to find to be staggering. In 2000, which represents the first full year of reporting, slightly over 31,000 reports were received. 2001, slightly over 86,000 reports were received. This increase indicates a 177 percent change from 2000 to 2001. In 2002, almost 162,000 reports were received. Actually, 161,819, which represents an 88 percent increase over 2001. So from 2000 to 2001, we have a 177 percent increase. From 2001 to 2002, we have an additional 88 percent increase. In the year 2002, 75 percent of victims were between the ages of 18 and 49. Of a little over 13,000 fraud complaints received in Pennsylvania during 2002, again, as is reflected nationally, the largest category of complaint was identity theft. In Pennsylvania, it amounted to 39 percent of all complaints. In 2002, Pennsylvania ranked 22nd among the states for victims of identity theft per 100,000 population, with approximately 5,080 victims. Mr. Abel, representing the Pennsylvania Attorney General's Office, has previously testified to related statistics to these. The top three crimes committed in concert with identity theft in Pennsylvania during 2002 were credit card fraud, 46 percent of those complaints, phone or utilities fraud, 22 percent of the complaints and bank fraud, 12 percent. The top three victim locations for identity theft in 2002 in Pennsylvania were Philadelphia, with 24 percent of the complaints, Pittsburgh, with 5 percent and Allentown, with 1 percent. Continuing in an effort to quantity this problems since the inception of the Pennsylvania statute regarding identity theft in 2001, Pennsylvania State Police have received 714 complaints involving this crime. 302 were received in the year 2001, while 412 were received in the year 2002. This represents a 27 percent increase in the number of complaints we have received in the State Police, and I think it should be noted that we are responsible for 80 percent, we are responsible for policing 80 percent of the land mass in the state, but 30 percent of the population, so a full 70 percent of the population is not reflected in the statistics regarding the complaints received by our department. This data provides a general overview of the raw, cold, statistical information regarding the crime of identity theft. What it does not provide is insight into the associated emotional problems victims of the crime encounter. Many individuals do not discover they are the victim of an identity theft for months, if not years. Some victims have been duped for as long as 5 years. Upon discovery, victims must spend significant amounts of time contacting creditors and credit reporting agencies in an attempt to repair the damage to their credit histories. While this is occurring, they are often unable to obtain credit and financial services, telecommunication, utility services and even employment. Many victims report having wages garnished and tax refunds withheld. In those instances when an identity theft--an identity thief has received a criminal record in the victim's name, victims have reported having licenses revoked, family background checks and even being arrested or detained. Combating the crime of identity theft in Pennsylvania requires law enforcement to achieve three main objectives. First, law enforcement personnel must be properly trained and informed regarding this crime. Second, they must be appropriately staffed with criminal investigators to conduct these sometimes in-depth and lengthy investigations. Finally, the public needs to be provided with information concerning methods to protect themselves from identity theft, as well as information regarding the steps to take should they become a victim. Each of these objectives will be explored more fully. In Pennsylvania, the State Police are tasked with providing police services to those areas and citizens who find themselves without their own police department. We are a full service department, performing functions ranging from traffic enforcement to criminal investigations. Our criminal investigators are responsible for the investigation of all types of crime. As such, our investigators must receive training and obtain expertise in all facets of criminal investigation. Training specific to identity theft and fraud is available to them and Pennsylvania's law enforcement community through numerous sources. Some examples are at our own Academy, Pennsylvania State Police Academy in Hershey and our regional training centers; at the Middle Atlantic Great Lakes Organized Crime Law Enforcement Network, or MAGLOCLEN, which is headquartered right here in Bucks County; the National White Collar Crime Center; International Association of Financial Crimes Investigators; the United States Department of Justice. The FTC has been previously testified to, and local banking institutions. Generally, individual instances of identity theft are investigated by a criminal investigator assigned to one of our troop commands In those instances when a case of identity theft is indicative of organized criminal activity, the Pennsylvania State Police rely on the Organized Crime Division of our Bureau of Criminal Investigation. Members of this specially selected group of investigators are strategically located in task forces throughout Pennsylvania. They work with their troop counterparts as well as local and Federal investigators on cases involving large monetary losses, which are usually associated with organized groups of criminals. These groups may be associated with traditional organized crime, displaced ethnic groups, or simply enterprising local criminals. Identity theft is increasingly becoming an international crime, with roots in Canada, Eastern Europe, Asia and Africa. This has made prosecution difficult, and in some cases, impossible, even with the involvement of Federal law enforcement. In an attempt to deter or mitigate the crime of identity theft, the Pennsylvania State Police provide the following information to law enforcement agencies and the general public, and I do this, Mr. Chairman, at the risk of repeating previous recommendations, because I think we all believe it is very important that we get this information to the public. Let us answer a few questions for our citizens. First, how do I protect myself? These and other protective measures will not absolutely guarantee you will never become a victim of identity theft, but employing one or more of these can drastically reduce your risk. Give your Social Security number only when it is absolutely necessary and do not carry your Social Security card with you. Leave it at home or in a secure place. Annually, review your Social Security personal earnings and benefits statement, which is mailed to all participants. A copy can also be requested from the Social Security Administration. Memorize your ATM password and shield the keypad when entering your password at any ATM machines. Previously, Mr. Chairman, I believe you asked a question relative to passwords and PIN numbers particularly. And we have had instances where criminals from a remote location will videotape the keypad and then, by certainly expanding or utilizing that videotape to basically just look at the particular PIN information, and they have already captured possibly your password information or your account number information. Do not place bill payments in your mailbox for pickup. We saw that in one of the videos. Mail your bills directly from the Post Office. Shredding of documents, which we have already talked about. Annually obtaining your credit report from the three major credit reporting agencies. Carefully review them for accuracy and immediately correct all mistakes. Have your name removed from lists sold to companies offering pre-approved credit cards. That has already been testified to and questioned and discussed, by contacting three credit card reporting agencies. Do not give your credit card number over the telephone unless you have initiated the call. Ensure that neither you nor the called party is using a mobile or cellular telephone. This is another issue that we deal with where people speak freely on mobile phones and cellular telephones without regard for the fact that that can often be intercepted. When you purchase items with a credit card, take your receipts with you. Do not toss them away. Do not put your credit card number on the Internet unless it is an encrypted or secured site. How about the question what if I become a victim of identity theft? Identity theft can occur even if you have been careful about protecting your personal information because of the ever-increasing skill employed by professional thieves. The exact steps that you should take after becoming a victim of identity theft will vary depending upon your circumstances, but in most instances, the following steps should be taken. Mr. Greenwood. I am going to ask you to just kind of go through these steps real---- Mr. Periandi. Skip through those? Mr. Greenwood. Real quickly, and--because---- Mr. Periandi. Okay. Contact the security department of the respective financial institution. Contact each of the Nation's credit reporting agencies. File a complaint with your local police department or law enforcement agency where the identity theft took place, and I know previously Mrs. Kane talked about the problem relative to jurisdiction and venue. That has been cleared up with an amendment in 2002 in Pennsylvania, so that prosecution can be taken at either the residence or the work location of the victim. Report fraudulent use of your Social Security number to the Social Security Administration. Notify the United States Postal Service, which has been testified to, and notify immediately your agency, if an ATM card has been lost or stolen or any of that information has been compromised. Same thing with checks. If you are a victim of identity theft, never agree to pay any portion of the debt just to get a collection agency off the case. The Fair Debt Collection Act prohibits collectors from contacting you if within 30 days after you receive their written notice, you send them a letter refuting the debt, et cetera, with supporting documentation relative to criminal violation. Unfortunately, it is impossible to protect yourself entirely from identity theft, but following the safeguards detailed herein can greatly reduce your risk. Additionally, the Pennsylvania State Police provides numerous other services to Pennsylvania citizenry and law enforcement community in dealing with the problem of identity theft. The Bureau of Forensic Services offers examination of questioned documents, handwriting comparisons, patent and latent fingerprint identification comparison. The Polygraph Unit in many instances is required to determine the veracity of involved suspects. Community Services Unit performs speeches and provides information to community groups concerning how to reduce the probability of becoming a victim of this type of theft. The Bureau of Criminal Investigation, through the Department's Pennsylvania Criminal Intelligence Center, or PaCIC, provides briefs, which contain information concerning prevention and response methods for crimes such as identity theft. In addition, ongoing analysis of data helps PaCIC to identity trends in an effort to alert law enforcement statewide to potential organized efforts to commit identity theft. Finally, with the advent and ease of access to computer technology, the State Police Area Computer Crime Task Forces have become an invaluable resource to Pennsylvania law enforcement, particularly in those instances when a computer has been utilized in some way to steal an individual's identity or commit a crime utilizing another's identity. As you can see, Mr. Chairman, the Pennsylvania State Police brings a wide variety of investigative resources to combat the evolving problem of identity theft in the Commonwealth. Through experience, we have learned to utilize and share these resources with local, State and Federal investigators. Only by sharing resources and staying ahead of the criminal mind will we be effective in this crime fighting effort. Finally, recent legislative changes to Pennsylvania's identity theft statute have made investigation and prosecution for this crime a more efficient and effective process. I mentioned the fact that the venue has been changed and penalties have been enhanced. The clarification of venue is particularly important, as many of the crimes associated with identity theft occur in other jurisdictions, states and countries. In closing, I would like to thank Chairman Greenwood and the Members of the committee for the opportunity to address you today on this issue. As a member of the Pennsylvania State Police, each officer carries on a tradition of excellence begun in the year 1905. As part of this tradition, it is the mission of each member of our department to effectively investigate crime and criminal activity, provide investigative assistance and support to all law enforcement within the Commonwealth, and promote public awareness concerning personal responsibility regarding crime reduction. This includes the crime of identity theft. I welcome the opportunity to respond to any questions or comments you may have. [The prepared statement of Ralph M. Periandi follows:] Prepared Statement of Lt. Col. Ralph M. Periandi, Deputy Commissioner of Operations, Pennsylvania State Police Good morning Mr. Chairman and members of the Committee. I am Lt. Col. Ralph M. Periandi, Deputy Commissioner of Operations for the Pennsylvania State Police. On behalf of Colonel Jeffrey B. Miller, Commissioner of the Pennsylvania State Police, I would like to thank the House Energy and Commerce Committee for this opportunity today to speak on the issue of Identity Theft. Identity Theft is delineated in Title 18, the Pennsylvania Crimes Code, Section 4120. This statute indicates a person commits the offense of identity theft of another person if he possesses or uses, through any means, identifying information of another person without consent of that other person to further any unlawful purpose. The unlawful activity could involve a criminal utilizing a victim's personal information in order to obtain access to loans, credit or debit cards, bank accounts, services such as telephone or cable, or personal property ranging from groceries to automobiles. Following the tragic events of September 11, 2001, law enforcement must also consider the use of another persons identifying information by criminals or terrorists in an attempt to gain access to restricted areas/information in order to further their criminal enterprise. In recent years, the crime of Identity Theft has grown in scope with the advent of the inexpensive personal computer. Those criminals possessing familiarity with computers now have powerful resources at their disposal. By obtaining personal biographical and financial information, which is readily available on the Internet, an identity thief can pose as anyone. Additionally, by utilizing the wide range of high quality computer peripherals available, they are able to craft documents and identification, which allow them to create new identities or steal the identity of someone else. Another computer aided method of committing Identity Theft is known as ``skimming''. ``Skimming'' is the practice of reading and storing the magnetic information on a debit or credit card. It is easily accomplished by those in the service or retail industry by ``swiping'' a provided credit or debit card through a second card reader at the time of a legitimate transaction. The stored information is then used by that individual or sold to others for criminal purposes. Conversely, the technologically challenged identity thief continues to resort to time tested low-tech methods for obtaining the personal information of a victim. Stealing mail and digging through garbage generally provides the criminal with extensive personal information to include the victim's full name, date of birth, social security number, bank account information, utilities account information, address, and telephone number. Armed with this knowledge, the identity thief is ready to apply for credit or access funds in the name of the victim. Currently, the best source for documented statistical information concerning the problem of Identity Theft is the Federal Trade Commission (FTC). The FTC has been maintaining data and information regarding this crime since enactment of the Identity Theft and Assumption Deterrence Act in 1998. (Pub. L. No. 105-318, 112 Stat. 3007) In furtherance of this Act, the FTC developed the Identity Theft Data Clearinghouse and its reporting vehicle, the Consumer Sentinel. To quantify the problem of identity theft, the following information is provided from the Consumer Sentinel: Of 380,103 fraud complaints received nationally in 2002, the largest category of complaint was Identity theft at 43%. The Financial costs to victims of all fraud reported in the nation during the year 2002 is estimated at nearly \1/2\ billion dollars. 43% of this figure would indicate Identity Theft nationwide cost victims approximately $200 Million. Individual victim cost per fraud is estimated at $2,000. National reporting of Identity Theft has steadily increased since the year 2000. In 2000, which represents the first full year of reporting, 31,117 reports were received. During 2001, 86,198 reports were received. This increase indicates a 177% change over the previous year. Finally, in 2002, 161,819 reports were received, which represents an 88% increase over the year 2001. In the year 2002, 75% of victims were between the ages of 18-49. Of 13,119 fraud complaints received in Pennsylvania during 2002, the largest category of complaint was Identity theft at 39% of all complaints. In 2002, Pennsylvania ranked 22nd among states for victims of Identity Theft per 100,000 population, with 5,080 victims. The top three crimes committed in concert with an Identity Theft in Pennsylvania during 2002 were Credit Card Fraud with 2,359 victims (46%), Phone or Utilities Fraud with 1,103 victims (22%), and Bank Fraud with 623 victims (12%). The top three victim locations for Identity Theft in 2002 were Philadelphia with 1,202 victims (24%), Pittsburgh with 226 victims (5%), and Allentown with 70 victims (1%). Continuing, in an effort to quantify this problem since the inception of the Pennsylvania statute regarding Identity Theft in 2001, the Pennsylvania State Police have received 714 complaints involving this crime. 302 were received in the year 2001, while 412 were received in 2002. This represents a 27% increase. This data provides a general overview of the raw, cold statistical information regarding the crime of Identity Theft. What it does not provide is insight into the associated emotional problems victims of this crime encounter. Many individuals do not discover they are the victim of Identity Theft for months, if not years. Some victims have been duped for as long as five years. Upon discovery, victims must spend significant amounts of time contacting creditors and credit reporting agencies in an attempt to repair the damage to their credit histories. While this is occurring, they are often unable to obtain credit and financial services, telecommunication and utility services, and even employment. Many victims report having wages garnished and tax refunds withheld. In those instances when an identity thief has received a criminal record in the victim's name, victims have reported having licenses revoked, failing background checks, and even being arrested or detained. Combating the crime of Identity Theft in Pennsylvania requires law enforcement to achieve three main objectives. First, law enforcement personnel must be properly trained and informed regarding this crime. Second, they must be appropriately staffed with criminal investigators to conduct these sometimes in-depth and lengthy investigations. Finally, the public needs to be provided with information concerning methods to protect themselves from Identity Theft, as well as information regarding the steps to take should they become a victim. Each of these objectives will be explored more fully. In Pennsylvania, the State Police are tasked with providing police services to those areas and citizens, who find themselves without their own police department. We are a full service department, performing functions ranging from traffic enforcement to criminal investigations. Our criminal investigators are responsible for the investigation of all types of crime. As such, our investigators must receive training and obtain expertise in all facets of criminal investigations. Training specific to Identity Theft and fraud is available to them and Pennsylvania's law enforcement community through numerous sources. Some examples are: the Pennsylvania State Police Academy; the Middle Atlantic-Great Lakes Organized Crime Law Enforcement Network (MAGLOCLEN); the National White Collar Crime Center (NW3C); the International Association of Financial Crimes Investigators; the U.S. Department of Justice; and local banking institutions. Generally, individual instances of Identity Theft are investigated by a Criminal Investigator assigned to one of our Troop commands. In those instances when a case of Identity Theft is indicative of organized criminal activity, the Pennsylvania State Police rely upon the Organized Crime Division of the Bureau of Criminal Investigation. Members of this specially selected group of investigators are strategically located in task forces throughout Pennsylvania. They work with their Troop counterparts, as well as local and federal investigators on cases involving large monetary losses, which are usually associated with organized groups of criminals. These groups may be associated with traditional organized crime, displaced ethnic groups, or simply enterprising local criminals. Identity Theft is increasingly becoming an international crime with roots in Canada, Eastern Europe, Asia and Africa. This has made prosecution difficult and in some cases impossible even with the involvement of federal law enforcement agencies. In an attempt to deter or mitigate the crime of Identity Theft, the Pennsylvania State Police provide the following information to law enforcement agencies and the general public: How Do I Protect Myself? These and other protective measures will not absolutely guarantee you will never become a victim of Identity Theft, but employing one or more of these can drastically reduce your risk: Give your social security number only when it is absolutely necessary, and do not carry your social security card with you. Leave it at home or in a secure place. Annually review your social security personal earnings and benefit statement which is mailed to all participants. A copy can also be requested from the Social Security Administration (1.800.772.1213). Memorize your ATM password and shield the keypad when entering your password at ATM machines. Do not place bill payments in your mailbox for pickup. Mail your bills directly from the post office. Shred all documents containing personal information especially bills, credit card receipts, pre-approved credit card offers, and bank statements, before you throw them away. Annually obtain a copy of your credit report from the three major credit reporting agencies (Trans Union, 1.800.680.7289) (Equifax, 1.888.766.0008) (Experian, 1.888.397.3742). A basic report costs $9.00 from any of the three agencies. Certain states have passed legislation giving residents free or reduced prices on credit reports. Carefully review them for accuracy and immediately correct all mistakes identified on your credit reports in writing. Have your name removed from lists sold to companies offering preapproved credit cards by contacting the three credit reporting agencies and taking advantage of their ``optout'' service. One number, 1.888.567.8688, reaches all three agencies. Do not give your credit card number over the telephone unless you have initiated the call. Ensure that neither you nor the called party is using a mobile or cellular telephone. When you purchase items with a credit card, take your receipts with you, do not toss them away. Do not put your credit card number on the Internet unless it is an encrypted or secured site. What If I Become A Victim of Identity Theft? Identity Theft can occur even if you have been careful about protecting your personal information because of the ever-increasing skill employed by professional thieves. The exact steps that you should take after becoming a victim of Identity Theft will vary depending upon your circumstances, but in most instances, the following steps should be taken: Contact the security department of the respective financial institution, both verbally and in writing, for each account that has been opened or tampered with and close these accounts. The federal Fair Credit Billing Act limits your liability for unauthorized charges to $50.00, but it's your responsibility to make the appropriate notification, in writing, within 60 days after the fraudulent activity has been discovered. Once the financial institution acknowledges the fraud, ask them to send all three credit reporting agencies a letter confirming fraudulent activity. In the past, one necessary step included contact with each of the nation's three major credit reporting agencies (TransUnion, Equifax, and Experian). In an effort to streamline the process, the credit reporting agencies have agreed to begin sharing fraud related information. As of April 15, 2003, Identity Theft victims need only make one toll-free call to any of the three nationwide credit reporting agencies. The information they provide will be automatically shared with the remaining agencies for inclusion in their records. Within 24 hours of being notified, each credit reporting agency will post a security alert on the victim's credit file, which will be viewed by all lenders or other users accessing future reports. The alert will notify lenders of the reported fraud, thereby assisting them to avoid opening a fraudulent account in the victim's name. The credit reporting agencies will also remove the victim's name from the lists of pre-approved credit or insurance offers for a period of two years. Additionally, the agencies have agreed to provide each victim with a copy of his or her credit file, and to simplify the information verification process to include deletion of fraudulent information. File a complaint with your local police department or the law enforcement agency where the Identity Theft took place. Also, file a complaint with the Federal Trade Commission (FTC) Identity Theft Hotline by telephone at 1.877.IDTHEFT. Although the FTC has no criminal law enforcement authority, they can pursue civil remedies and assist victims in resolving the problems associated with the crime. Report the fraudulent use of your social security number to the United States Social Security Administration at 1.800.269.0271. Under certain circumstances, a new social security number may be issued. Notify your nearest United States Postal Inspection Service if you suspect the theft of your mail. If your ATM card has been lost or if your password has been compromised, immediately notify your bank. The Electronic Fund Transfer Act limits your losses to $50.00 if you make this report within two business days. If you wait more than 60 days to make the report, you could lose all the money that was taken from your account. If checks were stolen or fraudulent bank accounts were established, report this to your bank and to the major check verification companies (Telecheck, 1.800.710.9898) (Certegy Inc., 1.800.437.5120) (International Check Services, 1.800.631.9656). Request they notify retailers who use their service that you were the victim of Identity Theft. If you're a victim of Identity Theft, never agree to pay any portion of the debt just to get collection agencies off the case. The Fair Debt Collection Act prohibits collectors from contacting you if within 30 days after you receive their written notice, you send them a letter refuting the debt. Along with your letter, send supporting documentation (police report, letters from credit reporting agencies, etc.) to substantiate your position. Unfortunately, it is impossible to protect yourself entirely from Identity Theft, but following the safeguards detailed herein can certainly reduce your risk. Publications by the Federal Trade Commission (FTC) can provide further information on how to prevent Identity Theft. These publications can be obtained by contacting the FTC by telephone at 1-877-IDTHEFT or by visiting their web sites at http://www.ftc.gov or at http://www.consumer.gov. Phone counselors at the FTC can assist callers on how to take advantage of their consumer rights and on what actions need to be taken to restore their credit. Additionally, The Pennsylvania State Police provides numerous other services to Pennsylvania's citizenry and law enforcement community in dealing with the problem of Identity Theft. The Bureau of Forensic Services offers examination of questioned documents, handwriting comparisons, and patent and latent fingerprint identification and comparison. The Polygraph Unit in many instances is required to determine the veracity of involved suspects. The Community Services Unit performs speeches and provides information to community groups concerning how to reduce the probability of becoming a victim of this type of crime. The Bureau of Criminal Investigation through the Department's ``Pennsylvania Criminal Intelligence Center'' (PaCIC), provides Briefs, which contain information concerning prevention and response methods for crimes such as Identity Theft. In addition, ongoing analysis of data helps PaCIC to identify trends in an effort to alert law enforcement statewide to potential organized efforts to commit Identity Theft. Finally, with the advent and ease of access to computer technology, the State Police Area Computer Crime Task Forces have become an invaluable resource to Pennsylvania law enforcement, particularly in those instances when a computer has been utilized in some way to steal an individual's identity or commit a crime utilizing another's identity. As you can see, the Pennsylvania State Police brings a wide variety of investigative resources to combat the evolving problem of Identity Theft in the Commonwealth. Through experience, we have learned to utilize and share these resources with local, state and federal investigators. Only by sharing resources and staying ahead of the criminal mind will we be effective in this crime fighting effort. Finally, recent legislative changes to Pennsylvania's Identity Theft statute have made investigation and prosecution for this crime a more efficient and effective process. Penalties have been stiffened and venue now includes the residence or employment address of the person whose identifying information has been lost or stolen or has been used without the person's consent. The clarification of venue is particularly important as many of the crimes associated with Identity Theft occur in other jurisdictions, states, or countries. In closing, I would like to thank the Chairman and members of the Committee for the opportunity to address you today on this issue. As a member of the Pennsylvania State Police, each officer carries on a tradition of excellence begun in the year 1905. As part of this tradition, it is the mission of each member to effectively investigate crime and criminal activity, provide investigative assistance and support to ALL law enforcement agencies within the Commonwealth, and promote public awareness concerning personal responsibility regarding crime reduction. This includes the crime of Identity Theft. I welcome the opportunity to respond to any questions or comments you may have. Mr. Greenwood. Thank you, sir. I appreciate it. Let me go back to the tape we saw with Mr. Lomax, if that is, in fact, his real name. Walked through how easy it was for him to steal actor Will Smith's identity. He basically looked in a magazine that probably had an article that said who his mother and his mother's maiden name, what his mother's maiden name was, address and enough identifying information gleaned from a source like that to then go, and what he said he did, as I recall, was to go and get, first off, a duplicate birth certificate, and then take that and get a duplicate Social Security card, and then take that and get a duplicate driver's license. The question I have for any or all of you. If Mr. Lomax gets out of jail tomorrow, and wants to start all over again, picking another victim, would he be able to do it just as easily today as he did initially? Anything changed that makes his job more difficult? Mr. Burke. Well, sir, I would like to believe no. One of the---- Mr. Greenwood. Pull the microphone close to you. Mr. Burke. One of the--he mentioned mother's maiden name. I will give you an example. The Inspection Service, in concert with the banking industry, meets, they have an initiative, it is the Financial Crimes Mail Security Initiative, and we meet twice a year, and at those meetings, we discuss best practices. The young lady from the bank in Newtown mentioned the--as an example, the 1-800 number, and then of course, Mr. Lomax, I believe that is his real name, mentioned the mother's maiden name. Well, the 1-800 sticker that you now get on your credit cards was a result of an Inspection Service initiative, and in particularly, a now retired Inspector working out of Florida, and as odd as this may seem, in developing this 1-800 number and asking for pertinent information that only the individual would know, someone suggested at one of these meetings that they use the mother's maiden name. Well, lo and behold, it became an industry standard. Now, the good news is that they are varying that. They are asking other pertinent information. So that is an example of how it is becoming more difficult. And as was mentioned several times here today, the interaction with State and local, Federal law enforcement now, and the publicity due in large part because of committees and meetings and public referendums like this is doing a great deal of good to prepare people for it. In the past, local law enforcement may take a complaint on a credit card and quite honestly, it was difficult for them to give it the time and effort it needed, because it crossed jurisdictional lines. Now, with the FTC downloading the data and everything and everyone having access to that, we have minimized that, too, so I think through educating the public and the aggressive interaction across the board from law enforcement at every law, there are more and more stopgaps that are being put in that will make it more and more difficult. Mr. Greenwood. You may share the microphone with Ms. Broder. Ms. Broder. I guess I can't say with real confidence that it would be that much more difficult to accomplish what Mr. Lomax did if he gets out of jail tomorrow. But one of the new provisions of the FACT Act requires the FTC, along with the bank regulatory agencies to develop guidelines for red flags, that is the pattern, what are the indicia of fraud, and when we see these types of patterns emerging, what should be done? He talked about 17 to 18 accounts opened in a short period of time. Mrs. Kane referred to a 33 page credit report for someone who had a very normal pattern before. So the question is what can the financial agencies do to pinpoint that where now they are not, where they are not aware of the fraud, they are not paying attention to those as closely as they might. Mr. Periandi. Mr. Chairman. Mr. Greenwood. What about the--go ahead, yes, please, Colonel. Mr. Periandi. If I could add. Unfortunately, your question is right on point. But it goes to something that we have found even in the area of terrorism, and that is, it goes to the identifying documents, the base documents. When someone has a birth certificate, Social Security card and driver's license that appears to be legitimate, and is in fact legitimate, because it has been obtained from legitimate agencies, it makes it very, very difficult for law enforcement. I won't comment for the private sector, but it makes it very, very difficult for law enforcement to work through that and identity this individual as being a criminal, because all the documents, the supporting documentation that you would look at is accurate. They have a reliable and accurate birth certificate. They have a reliable and accurate driver's license, particularly which is a photo identification, so I can only assume that when they present this at a retail establishment, or even within the banking industry, that that information is going to be accepted, and that--so it gets, I think you make a very good point. We need to look at how easy it is for criminals to obtain that identifying documentation that really gives them access to the rest of the system. Once they have that documentation, they have access to the rest of the system. Mr. Greenwood. And of course, the tricky part in this is that any of us can lose our driver's license or Social Security card, or for that matter, our birth certificate, and want to get copies of it, and so we don't want the government to make it impossible or extraordinarily difficult. Sometimes, we might need those documents in a hurry, like for travel or something like that, and so it is a tough balance. Let me talk--ask about the consequences on the other side of this quotient. We have--I think the Postal Inspection Service talked about 3,000 arrests in a year. One of the things that seems to make a difference in criminal conduct is when someone says--when people are talking, potential criminals, criminal are talking amongst themselves, they say I went to jail, or I did hard time, or you know, I got off easy. When we make all these arrests, are we in fact coming down hard enough on the perpetrators in terms of are they--do we have the--are we--sometimes, I see that in law enforcement--is given limited resources and time and money. It is only the biggest cases that are actually taken in to prosecution and the smaller cases are disposed of in some other way, probationary response. There is not even always restitution, so it is a--who would like to comment on how effective we are being in various law enforcement agencies in actually making sure that people pay consequences for these crimes? Mr. Burke. Congressman, I think that--I think we are starting to see a change in the trends, but as is often the case in local prosecutor, State and Federal prosecution, they have quite a lot on their table, and oftentimes, they will put dollar restrictions or dollar limitations that a case would have to be over, say, $50,000 for it to be accepted for prosecution, and that varies, and of course, each case stands in and of itself. From an investigator's standpoint, certainly you are not going to get to me to say that every perpetrator that commits identity theft, or any crime for that matter, gets a fair and just sentence, because certainly as investigators, we would like to see them get as much as possible. Oftentimes, some of the groups, as was mentioned by the State Police, are organized ethnic groups, and then you are dealing with Federal entities like the INS and all, and you can identify these people, and quite honestly, sometimes, they are deported and back several years later. You run into them again. So, I think we can go a long way to come up with uniform sentencing guidelines. Certainly, there is, in the Federal Government sentencing guidelines, but they are not always applied equally, because of the size of the case and other considerations. Mr. Greenwood. Anyone else wish to comment on that? Mr. Periandi. I would say I tend to agree, if we take Mrs. Kane's example, an individual who perpetuates an identity theft generally is perpetuating it on numerous individuals, so it makes sense to prosecute that individual where they are located. In her case, it was in Schenectady, New York. However, I think we recognize that if that individual would have been extradited to Bucks County and tried here, where the victim resides, and where the victim would be identified, or the judges and the court system would identify with the victim, the probability for a stronger, harsher sentence and to actually server that stronger, harsher sentence is increased. So, we really need to work between the states to ensure that when that case is prosecuted in Schenectady, New York, that somehow, we drive home the same kind of identity with the victim and the emotions associated with what would happen if that individual were tried here in Bucks County, and I think it does come to some type of standard sentencing, but you know, I don't know how you do that in 50 individual states without impacting states' rights issues from the Federal level. Mr. Greenwood. Ms. Kane talked about the fact that the people prosecuting the case really didn't stay much in touch with her, that the banks had experienced the actual financial losses, so they hired an investigator, and then they gave that information to law enforcement, but that she was pretty much out of the loop and didn't have the opportunity to ever to confront the woman who had defrauded her, or to observe the trial, testify at the trial. What is the state-of-the-art today? Are we seeing your agencies, those of you particularly in the criminal side of this thing, actually staying and recognizing that the victim is not just the finance institution but the person whose identity has been stolen and keeping in touch with that person, or keeping them in the loop? Mr. Periandi. We try to, Mr. Chairman, but that really is a function of the prosecutor's office, and what we have found, particularly if the prosecutor is in touch with the victim, at least specifically during the sentencing stage, that that is very helpful to have the victim present and able to testify prior to sentencing, or just say a few words to the Court prior to sentencing. But we certainly will reach out to victims when the case proceeds to that particular point, as long as we are notified, again, by the prosecutor's office, but that really becomes their function at that point. Mr. Greenwood. Ms. Broder, let me ask you, much has been mentioned of the FACT Act today. Does the FTC feel that the U.S. Congress has completed its work on identity theft, or is there more to do? Ms. Broder. Well, in light of the 18 rulemaking, studies and reports, we think they have done enough for the time being. This is--it has been a dramatic change through the FACT Act, and substantial changes will take place in the financial industries as well, and I think this, speaking for myself here, is the right step, and then we see what effect these changes have on the incidence of identity theft and the recovery of victims, and if this is not adequate, I think it is time to go back to the drawing board, but for the time being, it seems like a very comprehensive approach to the problem, sir. Mr. Greenwood. Congress has given you a lot of work to do. Has Congress given you enough resources to do it? Ms. Broder. I think we are well prepared to take on these tasks, Mr. Chairman. Part of our program is to leverage our resources so that we make our resources available to others. That is the whole idea behind the training of local law enforcement. Let them convey our message as well. We do that also through the credit reporting agencies and the financial institutions. We make all of our publications available on a CD-ROM, English and Spanish, the books, the affidavit, so that other agencies, banks, can print them as well, put their names on the front cover. We don't care, as long as they get the message out. So for the time being, I think we are okay. Thank you very much. Mr. Greenwood. The--when we heard about the Red Cross and the folks using the information on blood supplies, I though that was about as low as it could go, until we learned about the Medical Examiner's employees gleaning information from dead bodies. How did the perpetrators achieve that crime, accomplish that crime? Mr. Burke. Well, they--the pedigree of the information they got, actually, from my understanding, is the credit card from the deceased, and then once they had that---- Mr. Greenwood. So they actually go through the wallets of-- -- Mr. Burke. They go through the personal belongings of the deceased, and of course, once you have that basic data, then you can build your fraudulent activity from there. Mr. Greenwood. That is as low as you can go. Mr. Burke. I would say it is, sir. Mr. Greenwood. You also talked in your testimony, Mr. Burke, about individuals purchasing commercial grade credit card embossing machines over the Internet. Is anyone looking at--there are so many purchases you can make over the Internet now, of a very illegal nature, and at least--ways to access all kinds of tools for committing crimes, and this is the latest one that I have heard of. Is anyone taking action to try to limit the access, the availability of this equipment? Mr. Burke. Not--certainly not the Inspection Service. What I have here, Congressman, is a copy of--one of our Inspectors downloaded this. This is the same website, and there is an embosser there, so I can give it to your---- Mr. Greenwood. Okay. Well, the staff will pick that up after the hearing. And I think that is something that should be pursued. It would be interesting to know whether the actual manufacturers are marketing their products this way, and why they would do that. Maybe they have a perfectly legitimate reason, but it seems that that is the kind of equipment that is very dangerous, obviously, in the hands of the wrong individuals, and we need to be careful with that. Let me just see if I have another kind of question that needs to be asked. Well, I think we have gone long enough, and I do thank all of the witnesses in this last panel as well as all of the witnesses throughout this hearing the last several hours. It is a big help. Our intent here is twofold, one is to use the media that is here to help inform the public in this region of the precautions that they need to take and what they should do if they are victims, and the others to see what kinds of tasks that may lay before Congress and if it is not giving more authority to the FTC, it may be pursuing issues like the availability of this kind of equipment on the Internet. So with that, I would also like to thank Ms. Washington, to my right, who as the counsel for this committee, and my staff and the District and Washington for helping this--organize this hearing, and it is now adjourned. [Whereupon, at 1:14 p.m., the subcommittee was adjourned.] <all>