Chairman Stevens opening statement:
Some of my staff tried to steal my identity and I regret to say that they were successful. They demonstrated to me, when I came back from this recess, just how easy it really is to steal an identity. This is the first of several hearings that our committee is going to conduct to have a better understanding of data broker services, as well as how data brokers handle personal consumer information. This hearing is intended to discuss the recent data breaches and what the private industry is doing to mitigate the possibility of future breaches. The Committee will revisit this issue next month as we look to legislative solutions that might better protect consumers from future breaches. We believe we must be careful to strike a balance between ensuring the security of certain types of information while not inhibiting the legitimate flow of information that is vital to our economy. It is my intention to turn the chair over to Senator Smith when he arrives, Senator. I have a conflict today. Let me yield to my co-chairman, Senator Inouye.
Later in the hearing, Chairman Stevens said:
My staff provided me with information they got from a series of places. For $65 they were told they could get my social security number. Now this comes to the point where, I don’t know if you’ve done this, but in the report they got on me I found my daughter’s rental property in California and some of my son’s activities, he’s unfortunately a junior, out in California. I also found that there are probably two or three other people in this community right here that have the same basic name, Theodore F. Stevens. They are not all the same middle name. It has been suggested that I should change my name or use my middle name now if I want to maintain my own identity. But I think this is a very serious thing and I think we want to hear from you all. As I said, Senator Smith, this is just the first in a series of hearings because we want to hear Senator Schumer. He wants to be heard. We’ve got several bills that have been introduced in the Congress that address this. It’s going to be a very difficult thing for us to handle so we are not going to handle it on the basis of listening sessions on this one because basic information is going to come from people like the witnesses that are here today. Again, I thank them very much for being willing to join us. Senator Smith, it is your chair.
Daniel K. Inouye, Senator
I am pleased that the Committee is meeting today to discuss data brokers, and the problem of identity theft. I look forward to hearing from the witnesses about why corporations that gather sensitive personal information appear unable to keep this data secure, and whether federal legislation is needed to protect innocent consumers.
Since January, there have been at least 32 major data security incidents potentially affecting 5.2 million Americans. These incidents only came to light because of a California law that requires disclosure of data security breaches. Who knows how many undisclosed breaches may have occurred prior to the implementation of the California law.
Equally disturbing is the probability that the full impact of these breaches may never be known, and millions of Americans remain unaware of their vulnerability to identity theft. With the advent of the Internet and the standardization of computer data files, information from separate databases can now be shared across networks, and aggregated with little effort.
Technological advances have fueled the development of businesses, commonly referred to as data brokers, that collect and sell data on millions of Americans. There are no federal laws that specifically regulate data brokers. On the state level, California enacted a law requiring disclosure of data security breaches. Currently, 31 states are considering similar legislation.
We will hear today from the largest data brokers about the steps they are taking to better secure their data, and to properly vet the customers to whom they sell their data. However, even if they improve their business practices, there are still hundreds of smaller data brokers who have no incentive to change their ways since there is no law governing their behavior.
Witness Panel 1
Mr. Kurt Sanford, President and CEO, U.S. Corporate and Federal Government Markets, LexisNexis
Before the United States Senate Committee on Commerce, Science and Transportation
Hearing on Identity Theft and Data Broker Services
May 10, 2005
Kurt P. Sanford, President and CEO, U.S. Corporate and Federal Government Markets, LexisNexis
Good morning. My name is Kurt Sanford. I am the President and Chief Executive Officer for Corporate and Federal Markets at LexisNexis. I appreciate the opportunity to be here today to discuss the important issues surrounding identity theft and fraud and data security.
LexisNexis is a leading provider of authoritative legal, public records, and business information. Today, over three million professionals—lawyers, law enforcement officials, government agencies employees, financial institution representatives, and others—use the LexisNexis services. Government agencies, businesses, researchers, and others rely on information provided by LexisNexis for a variety of important uses.
One of the important uses of products and services provided by LexisNexis is to detect and prevent identity theft and fraud. In 2004, 9.3 million consumers were victimized by identity fraud. Credit card companies report $1 billion in losses each year from credit card fraud. Although the insidious effects of identity theft are fairly well known, until recently it was not fully appreciated that identity theft is part of the larger problem of identity fraud. Identity fraud, which encompasses identity theft, is the use of false identifiers, false or fraudulent documents, or a stolen identity in the commission of a crime. It is a component of most major crimes and is felt around the world today. As a result, both industry and government have asked LexisNexis to develop solutions to help address this evolving problem.
Financial institutions, online retailers and others depend on products and services provided by LexisNexis to help prevent identity theft and fraud. With the use of a LexisNexis solution called Fraud Defender, a major bank card issuer experienced a 77 percent reduction in the dollar losses due to fraud associated with identity theft and credit card origination.
LexisNexis products are becoming increasingly necessary to combat identity fraud associated with internet transactions where high dollar merchandise such as computers and other electronic equipment are sold via credit card. Lower fraud costs ultimately mean lower costs and greater efficiencies for consumers.
The following are some other examples of the important ways in which the services of LexisNexis are used by customers:
Locating and recovering missing children – Customers like the National Center for Missing and Exploited Children rely on LexisNexis to help them locate missing and abducted children. Since 1984, the Center has assisted law enforcement in recovering more than 85,000 children. Over the past 4 years, information provided by LexisNexis has been instrumental in a number of the Center’s successful recovery efforts.
Locating suspects and helping make arrests – Many federal, state and local law enforcement agencies rely on LexisNexis to help them locate criminal suspects and to identify witnesses to a crime. LexisNexis works closely with federal, state and local law enforcement agencies on a variety of criminal investigations. For example, the Beltway Sniper Task Force in Washington, D.C., used information provided by LexisNexis to help locate one of the suspects wanted in connection with that case. In another case, information provided by LexisNexis was recently used to locate and apprehend an individual who threatened a District Court Judge and his family in Louisiana.
Preventing money laundering – LexisNexis has partnered with the American Bankers Association to develop a tool used by banks and other financial institutions to verify the identity of new customers to prevent money laundering and other illegal transactions used to fund criminal and terrorist activities. This tool allows banks to meet Patriot Act and safety and soundness regulatory requirements.
Supporting homeland security efforts – LexisNexis worked with the Department of Homeland Security Transportation Safety Administration (TSA) in developing the Hazardous Materials Endorsement Screening Gateway System. This system allows TSA to perform background checks on commercial truck drivers who wish to obtain an endorsement to transport hazardous materials.
Locating parents delinquent in child support payments – Both public and private agencies rely on LexisNexis to locate parents who are delinquent in child support payments and to locate and attach assets in satisfying court-ordered judgments. The Association for Children for the Enforcement of Support (ACES), a private child support recovery organization, has had tremendous success in locating nonpaying parents using LexisNexis.
These are just a few examples of how our information products are used to help consumers by detecting and preventing fraud, strengthening law enforcement’s ability to apprehend criminals, protecting homeland security and assisting in locating missing and abducted children.
Types of Information Maintained by LexisNexis Risk Solutions
The information maintained by LexisNexis falls into the following three general classifications: public record information, publicly available information, and non-public information.
Public record information. Public record information is information originally obtained from government records that are available to the public. Land records, court records, and professional licensing records are examples of public record information collected and maintained by the government for public purposes, including dissemination to the public.
Publicly available information. Publicly available information is information that is available to the general public from non-governmental sources. Telephone directories are an example of publicly available information.
Non-public information. Non-public information is information about an individual that is not obtained directly from public record information or publicly available information. This information comes from proprietary or non-public sources. Non-public data maintained by LexisNexis consists primarily of information obtained from either motor vehicle records or credit header data. Credit header data is the non-financial identifying information located at the top of a credit report, such as name, current and prior address, listed telephone number, social security number, and month and year of birth.
LexisNexis is committed to the responsible use of personal identifying information. We have privacy policies in place to protect the consumer information in our databases. Our Chief Privacy Officer and Privacy and Policy Review Board work together to ensure that LexisNexis has strong privacy policies in place to help protect the information contained in our databases. We also undertake regular third-party privacy audits to ensure adherence to our privacy policies.
LexisNexis has an established Consumer Access Program that allows consumers to review information on them contained in the LexisNexis system. While the information provided to consumers under this program is comprehensive, it does not include publicly available information such as newspaper and magazine articles and telephone directories contained in the LexisNexis system.
LexisNexis also has a consumer opt-out program that allows individuals to request that information about themselves be suppressed from selected databases under certain circumstances. To opt out of LexisNexis databases, an individual must provide an explanation of the reason or reasons for the request. Examples of reasons include:
• You are a state, local or federal law enforcement office or public official and your position exposes you to a threat of death or serious bodily harm;
• You are a victim of identity theft; or
• You are at risk of physical harm.
Supporting documentation is required to process the opt-out request. While this opt-out policy applies to all databases maintained by our recently acquired Seisint business, it is limited to the non-public information databases in the LexisNexis service. The policy does not currently apply to public records information databases maintained by LexisNexis. We are currently evaluating what steps we can take to better publicize our opt-out program and extend the program to all public records databases in the LexisNexis service.
LexisNexis has long recognized the importance of protecting the information in our databases and has multiple programs in place for verification, authorization and IT security. Preventive and detective technologies are deployed to mitigate risk throughout the network and system infrastructure and serve to thwart potentially malicious activities. LexisNexis also has a multi-layer process in place to screen potential customers to ensure that only legitimate customers have access to sensitive information contained in our systems. Our procedures include a detailed authentication process to determine the validity of business licenses, memberships in professional societies and other credentials. We also authenticate the documents provided to us to ensure they have not been tampered with or forged.
Only those customers with a permissible purpose under applicable laws are granted access to sensitive data such as driver’s license information and social security numbers. In addition, customers are required to make express representations and warranties regarding access and use of sensitive information and we limit a customer’s access to information in LexisNexis products according to the purposes for which they seek to use the information.
Maintaining security is not a static process; it requires continuously evaluating and adjusting our security processes, procedures and policies. High-tech fraudsters are getting more sophisticated in the methods they use to access sensitive information in databases. We continuously adapt our security procedures to address the new threats we face every day from those who seek to unlawfully access our databases. We undertake regular third-party security audits to test the security of systems and identify any potential weaknesses.
Even with the multi-layer safeguards in place at LexisNexis, we discovered earlier this year that unauthorized persons primarily using IDs and passwords of legitimate customers may have accessed personal identifying information at our recently acquired Seisint business. In February 2005, a LexisNexis integration team became aware of some billing irregularities and unusual usage patterns with several customer accounts. At that point we contacted the U.S. Secret Service. The Secret Service initially asked us to delay notification so they could conduct their investigation. About a week later, we publicly announced these incidents and within a week sent out notices to approximately 30,000 individuals.
The investigation revealed that unauthorized persons, primarily using IDs and passwords of legitimate customers, may have accessed personal-identifying information, such as social security numbers (SSNs) and driver’s license numbers (DLNs). In the majority of instances, IDs and passwords were stolen from Seisint customers that had legally permissible access to SSNs and DLNs for legitimate purposes, such as verifying identities and preventing and detecting fraud. No personal financial, credit, or medical information was involved since LexisNexis and Seisint do not collect such information. At no time was the LexisNexis or Seisint technology infrastructure hacked into or penetrated nor was any customer data residing within that infrastructure accessed or compromised.
Based on the incidents at Seisint, I directed our teams to conduct an extensive review of data search activity at our Seisint unit, and across all LexisNexis databases that contain personal identifying information. In this review, we analyzed search activity for the past twenty-seven months to determine if there were any other incidents that potentially could have adversely impacted consumers. We completed that review on April 11, 2005. As a result of this in-depth review, we discovered additional incidents where there was some possibility that unauthorized persons may have accessed personal identifying information of approximately 280,000 additional individuals.
We deeply regret these incidents and any adverse impact they may have on the individuals whose information may have been accessed. We took quick action to notify the identified individuals. We are providing all individuals with a consolidated credit report and credit monitoring services. For those individuals who do become victims of fraud, we will provide counselors to help them clear their credit reports of any information relating to fraudulent activity. We will also provide them with identity theft expense insurance coverage up to $20,000 to cover expenses associated with restoring their identity and repairing their credit reports.
We have learned a great deal from the security incidents at Seisint and are making substantial changes in our business practices and policies across all LexisNexis businesses to help prevent any future incidents. These include:
• Changing customer password security processes to require that passwords for both system administrators and users be changed at least every 90 days;
• Suspending customer passwords of system administrators and users that have been inactive for 90 days;
• Suspending customer passwords after five unsuccessful login attempts and requiring them to contact Customer Support to ensure security and appropriate reactivation;
• Further limiting access to the most sensitive data in our databases by truncating SSNs displayed in non-public documents and narrowing access to full SSNs and DLNs to law enforcement clients and a restricted group of legally authorized organizations, such as banks and insurance companies; and
• Educating our customers on ways they can increase their security.
Laws Governing LexisNexis Compilation and Dissemination of Identifiable Information
There are a wide range of federal and state privacy laws to which LexisNexis is subject in the collection and distribution of personal identifying information. These include:
The Gramm-Leach-Bliley Act. Social security numbers are one of the two most sensitive types of information that we maintain in our systems and credit headers are the principal commercial source of social security numbers. Credit headers contain the non-financial identifying information located at the top of a credit report, such as name, current and prior address, listed telephone number, social security number, and month and year of birth. Credit header data is obtained from consumer reporting agencies. The compilation of credit header data is subject to the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. §§ 6801 et seq., and information subject to the GLBA cannot be distributed except for purposes specified by the Congress, such as the prevention of fraud.
Driver’s Privacy Protection Act. The compilation and distribution of driver’s license numbers and other information obtained from driver’s licenses are subject to the Driver’s Privacy Protection Act (“DPPA”), 18 U.S.C. §§ 2721 et seq., as well as state laws. Information subject to the DPPA cannot be distributed except for purposes specified by the Congress, such as fraud prevention, insurance claim investigation, and the execution of judgments.
Telecommunications Act of 1996. Telephone directories and similar publicly available repositories are a major source of name, address, and telephone number information. The dissemination of telephone directory and directory assistance information is subject to the requirements of the Telecommunications Act of 1996, as well as state law.
FOIA and other Open Records Laws: Records held by local, state, and federal governments are another major source of name, address, and other personally identifiable information. The Freedom of Information Act, state open record laws, and judicial rules govern the ability of LexisNexis to access and distribute personally identifiable information obtained from government agencies and entities. See, e.g., 5 U.S.C. § 552.
Unfair and Deceptive Practice Laws: Section 5 of the Federal Trade Commission Act, and its state counterparts, prohibit companies from making deceptive claims about their privacy and security practices. These laws have served as the basis for enforcement actions by the Federal Trade Commission and state attorneys general for inadequate information security practices. The consent orders settling these enforcement actions typically have required companies to implement information security programs that conform to the standards set forth in the GLBA Safeguards Rule, 16 C.F.R. Part 314.
Information Security Laws: A growing body of state law imposes obligations upon information service providers to safeguard the identifiable information they maintain. For example, California has enacted two statutes that require businesses to implement and maintain reasonable security practices and procedures and, in the event of a security breach, to notify individuals whose personal information has been compromised. See California Civil Code §§ 1798.81.5, 1798.82-84.
Legislative Measures LexisNexis Supports
We recognize that additional legislation may be necessary to further enhance data security and address the growing problem of identity theft and fraud. LexisNexis supports the following legislative approaches:
Data Security Breach Notification. We support requiring notification in the event of a security breach where there is substantial risk of harm to consumers. It is important that there is an appropriate threshold for when individuals actually would benefit from receiving notification, such as where the breach is likely to result in misuse of customer information. In addition, we believe that it is important that any such legislation contain federal preemption to ensure that companies can quickly and effectively notify individuals and not struggle with complying with multiple, potentially conflicting and inconsistent state laws.
Adoption of Data Security Safeguards for Information Service Providers Modeled After the GLBA Safeguards Rule. LexisNexis supports the adoption of data security protections for information service providers modeled after the Safeguards Rule of the GLBA.
Increased penalties for identity theft and other cybercrimes and increased resources for law enforcement. LexisNexis strongly encourages legislation that imposes more stringent penalties for identity theft and other cybercrimes. Additionally, consumers and industry alike would benefit from enhanced training for law enforcement and an expansion of the resources available to investigate and prosecute the perpetrators of identity theft and cybercrime. Too many of our law enforcement agencies do not have the resources to neutralize these high-tech criminals.
Finally, LexisNexis strongly encourages that any legislation considered strike a balance between protecting privacy and providing legitimate businesses, organizations, and government agencies with access to critical information that enables them to fulfill their important missions.
I appreciate the opportunity to be here today to discuss the important issues surrounding identity theft and fraud and data security. I look forward to working with the members of this committee as you consider these important public policy issues.
Mr. Douglas C. Curling, President and Chief Operating Officer, ChoicePoint, Inc.
Witness Panel 2
Ms. Jennifer Barrett, Chief Privacy Officer, Acxiom Corporation
CHIEF PRIVACY OFFICER
UNITED STATES SENATE COMMITTEE ON COMMERCE, SCIENCE AND TRANSPORTATION
HEARING ON “IDENTITY THEFT AND DATA BROKER SERVICES”
MAY 10, 2005
Acxiom has an inherent responsibility to safeguard the personal information we collect and bring to the market, and we have focused on assuring the appropriate use of these products and providing a safe environment for this information since 1991 when the company brought its first information products to market.
Information has become an ever growing and ever more integral part of the American economy. Information is the facilitator of convenience and competition, and it provides the tools that reduce fraud and terrorism. As such, we believe that it is Acxiom’s obligation to provide effective safeguards to protect the information we bring to market regardless of the difficulties encountered in doing so.
Only Acxiom’s fraud management and background screening products involve the transfer of sensitive information. These products, therefore, are subject to law, regulations and our own company policies that help protect against misuse.
GLBA and DPPA: Our fraud management products utilize information covered under the Gramm-Leach-Bliley Act (GLBA), and driver’s license information covered under both state and federal driver’s privacy protection acts (DPPAs).
FCRA and FACTA: Our background screening products are covered by all of the regulations and consumer protections established by the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA).
Safeguarding Public Record Information: Although a heightened level of protection is not mandated for public record information, by virtue of the fact that such public information is blended with regulated information, Acxiom voluntarily chooses to apply the more stringent standards of the above-mentioned regulations to the resulting products.
Although Acxiom’s directory and marketing products do not contain any sensitive information that could put a consumer at risk for identity fraud, Acxiom is still subject to the following critical safeguards: various industry guidelines, compliance with all requirements in the original notice to consumers at the time the data was collected, and voluntary compliance with those laws to which our clients themselves are subject.
There has been much discussion, especially in recent weeks, about whether existing federal law sufficiently protects consumers from harm. In this regard, Acxiom does believe that additional, appropriately tailored measures, such as federal preemptive legislation requiring notice to consumers in the event of a security breach, would assist Acxiom, the rest of the information services industry and businesses in general in ensuring that consumers are protected from fraud and identity theft. But, as FTC Chairman Majoras has said, even the best security systems imaginable and the strongest laws possible can nonetheless be circumvented by inventive criminals intent on committing fraud.
Chairman Stevens, Senator Inouye, and distinguished Members of the Committee, thank you for holding this hearing to explore the treatment of data broker services under existing state and federal laws as well as possible solutions to the crime of identity theft. Acxiom appreciates the opportunity to participate in today’s hearing.
Acxiom has an inherent responsibility to safeguard the personal information we collect and bring to the market, and we have focused on assuring the appropriate use of these products and providing a safe environment for this information since 1991 when the company brought its first information products to market.
It is important that we all recognize that information has become an ever growing and ever more integral part of the American economy. Information is the facilitator of convenience, competition and provides the tools that reduce fraud and terrorism. As such, we believe that it is Acxiom’s obligation to provide effective safeguards to protect the information we bring to market regardless of the difficulties encountered in doing so.
Let me be blunt. The bad guys are smart and getting more organized. They will use all of the skills available to them to try to find ways to obtain the information they need to commit fraud. Acxiom must therefore remain vigilant and innovative, and that is why we employ a world-class information security staff to help us fend off criminals who attempt to access Acxiom’s data. Acxiom is constantly improving, auditing and testing its systems. Yes, Acxiom is even learning from security breaches when they occur, and we are certain that other responsible companies are doing so as well.
As Chairman Deborah Majoras of the Federal Trade Commission recently stated in her testimony before the Senate, “[T]here is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution.” Even though we believe that this is true, no one has a greater interest than Acxiom in protecting information because the company’s very existence depends on securing personal information pertaining to consumers.
In order to enjoy the benefits provided by a robust information-based economy and also to keep our citizens safe from fraudulent activity, there are no quick fixes or easy solutions. We believe that it is necessary that cooperation exists among policy makers, information service providers, Acxiom’s clients, law enforcement and consumers. We applaud your interest in exploring these issues and we very much want to be a resource in helping you achieve the proper legislative balance we all seek.
About Acxiom Corporation
Founded in 1969, Acxiom is headquartered in Little Rock, Arkansas, with operations throughout the United States, and with processing centers in Arkansas, Illinois, Arizona, Ohio and California. The company also has offices in nine other countries across Europe and Asia. From a small company in Arkansas, Acxiom Corporation has grown into a publicly traded corporation with more than 6,000 employees worldwide.
Acxiom’s U.S. business includes two distinct components: customized computer services and a line of information products. Acxiom’s computer services represent the vast majority of the company’s business and they include a wide array of leading technologies and specialized computer services focused on helping clients manage their own customer information. These services are offered exclusively to large businesses, not-for-profit organizations, political parties and candidates, and government agencies. Acxiom’s private sector computer services clients represent a “who’s who” of America’s leading companies. Acxiom helps these clients improve the loyalty of their customers and increase their market share, while reducing risk and assisting them with their compliance responsibilities under state and federal law. Finally, Acxiom helps government agencies improve the accuracy of the personal information they currently hold.
The balance of Acxiom’s business comes from information products that are comprised of four categories: fraud management products, background screening products, directory products and marketing products. These four product lines represent less than 20 percent of the company’s total business and the fraud management and background screening products represent less than 10 percent. While each product plays a unique role, all of Acxiom’s information products help fill an important gap in today’s business-to-consumer relationship.
To understand the critical role Acxiom plays in facilitating the nation’s economy and safeguarding consumers, it is important to understand what the company does not do. Over the years, a number of myths have developed about Acxiom that require clarification. Please allow us to set the record straight:
• Acxiom does not maintain one big database that contains detailed information about all individuals. Instead, the company safeguards discrete databases developed and tailored to meet the specific needs of Acxiom’s clients – entities that are appropriately screened and with whom Acxiom has legally enforceable contractual commitments. I cannot call up from the company’s databases a detailed dossier on myself or any individual.
• Acxiom does not provide information on particular individuals to the public, with the exception of Acxiom’s telephone directory products. These products, which are available on several Internet search engines, contain information already available to the public. The other information Acxiom processes is provided only to legitimate businesses for specific legitimate business purposes.
• Acxiom does not have any information in either its directory or marketing products which could be used to commit identity fraud. Acxiom also does not include detailed or specific transaction-related information, such as what purchases an individual made on the Internet or what websites they visited. The company’s directory products include only name, address and telephone information. The company’s marketing products include only information that is general in nature and not specific to an individual purchase or transaction.
• Acxiom does not commingle client information that the company processes in its computer services business with any of our information products. Such activity would constitute a violation of the company’s services contracts with those clients and a violation of consumer privacy. A client for whom the company performs services may have a different agreement with us as a data contributor, but these two relationships are kept entirely separate.
Acxiom’s fraud management products are sold exclusively to a handful of large companies and government agencies – they are not sold to individuals. The company’s verification services only validate that the information our client has obtained from the consumer is correct. Only law enforcement, government agencies and the internal fraud departments of large financial institutions and insurance companies have access to additional information.
Acxiom’s background screening products provide employment and tenant screening services which utilize field researchers who do in-person, real-time research against public records and make calls to past employers to verify the information provided by the consumer. Where permitted by law, a pre-employment credit report can also be obtained. Acxiom does not pre-aggregate information for these products.
Acxiom’s directory information products contain only contact information on consumers such as name, address and telephone number. They are collected so businesses and consumers can locate other businesses or consumers. They are compiled from the white and yellow pages of published U.S. and Canadian telephone directories and from information available from the various directory assistance services provided by the telephone companies.
Acxiom’s marketing information products provide demographic, lifestyle and interest information to companies to reach prospective new customers who are most likely to have an interest in their products and to better understand and serve the needs of existing customers. They are compiled from public records, surveys and summarized customer information primarily from publishers and catalogers.
Respecting and Protecting Consumers’ Privacy
Acxiom has a longstanding tradition and ingrained culture of protecting and respecting consumer interests in our business. The company is today, and always has been, a leader in developing self-regulatory guidelines and in establishing security policies and privacy practices. There are, as explained below, numerous laws and regulations that govern our business. Ultimately, however, Acxiom’s own comprehensive approach to information use and security goes far beyond what is required by either law or self-regulation.
Safeguards Applicable to Products Involving the Transfer of Sensitive Information
Only Acxiom’s fraud management and background screening products involve the transfer of sensitive information. These products, therefore, are subject to law, regulations and our own company policies that help protect against identity fraud. These legal protections and additional safeguards are addressed below:
GLBA, DPPAs, and FTC: Our fraud management products utilize information covered under the Gramm-Leach-Bliley Act (GLBA), and driver’s license information covered under both state and federal driver’s privacy protection acts (DPPAs). These obligations include honoring GLBA and DPPA notice and choice related to sharing and use of the information, the GLBA Safeguard Rules and FTC Privacy Rule and Interagency Guidelines. Any uses of data must fall within one of the permitted uses or exceptions specified in these laws.
FCRA and FACTA: Our background screening products are covered by all of the regulations and consumer protections established by the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). These protections include: the requirement that a consumer authorize the creation of employment reports; notice of adverse actions taken based on such report; and the right of consumers to obtain a copy of such reports and to dispute inaccuracies. Finally, such regulations require that re-verification or correction of disputed information be performed in a timely manner.
Safeguarding Public Record Information: Public records are used in both Acxiom’s fraud management and background screening products. Although a heightened level of protection is not mandated for such public record information, by virtue of the fact that such public information is blended with regulated information, Acxiom voluntarily chooses to apply the more stringent standards of the above-mentioned regulations to the resulting products.
Safeguards Applicable to Other Products
Although Acxiom’s directory and marketing products do not contain any sensitive information that could put a consumer at risk for identity fraud, Acxiom is still subject to the following critical safeguards: various industry guidelines, compliance with all requirements in the original notice to consumers at the time the data was collected, and voluntary compliance with those laws to which our clients themselves are subject.
Telephone Directory Safeguards: Acxiom’s directory products comply with all applicable policies regarding unpublished and unlisted telephone numbers and addresses. In addition, because Acxiom recognizes that consumers may object to published listings being available on the Internet, Acxiom itself offers an opt-out from such use. Further, Acxiom voluntarily suppresses all telephone numbers found on the Federal Trade Commission’s Do-Not-Call Registry and the eleven other state Do-Not-Call registries, when providing phone numbers for targeted telemarketing purposes.
Marketing Product Safeguards: Acxiom’s marketing products comply with all the self-regulatory guidelines issued by the Direct Marketing Association. These requirements include notice and the opportunity to opt-out. Consumers have the ability to opt-out from Acxiom’s marketing products by calling the company’s toll-free Consumer Hotline, accessing its Website, or by writing to the company. Since Acxiom does not have a customer relationship with individual consumers, Acxiom coordinates with its industry clients to research and resolve consumer inquiries.
Acxiom takes seriously its responsibility to assure that all the information we bring to market is appropriate for the use to which it is intended and to provide adequate safeguards specifically aimed at protecting against unauthorized use.
Consumer Care Department / Consumer Hotline: Acxiom maintains a Consumer Care Department led by a Consumer Advocate whose team interacted with more than 50,000 consumers in the past 12 months by way of answering questions, resolving issues, processing opt-outs, and handling requests for access to Acxiom’s fraud management, background screening, directory and marketing products. Acxiom provides consumers who contact the company (through the company website, or by calling a toll-free Consumer Hotline or by writing to the company) the options of: opting-out of all of Acxiom’s marketing products; receiving an information report from the company’s fraud management and directory products; or receiving a consumer report as specified in the FCRA from the company’s background screening products. Acxiom encourages consumers to notify the company if the information in any of these reports is inaccurate and it is the company’s policy either to correct the information, to delete it or to refer the consumer to the appropriate source to obtain the requested correction, such as a county or state agency.
Consumer Education: Acxiom believes that consumers should be educated about how businesses use information. To that end, Acxiom publishes a booklet, entitled “Protecting Your Privacy in the Information Age - What Every Consumer Should Know About the Use of Individual Information,” which is available for free both on the company’s website and upon written or telephone request.
Voluntary Acxiom Policies: Above and beyond the industry-accepted guidelines with which Acxiom complies, Acxiom also has established its own internal guidelines, which are more restrictive than industry standards. For example, Acxiom only collects the specific information required to meet its clients’ information needs, and the company properly disposes of the remaining data, when information is compiled from public records. Acxiom has also implemented specific guidelines regarding the use and protection of information that could be involved in identity fraud, such as Social Security numbers.
Information Practice and Security Audits: Acxiom has had a longstanding focus on the appropriate use of information in developing and delivering its information products. While the creation of strong information use policies is a business imperative, assuring these policies are followed is equally important. To this end, all of Acxiom’s information products and practices have been internally and externally audited on an annual basis since 1997.
Since many of Acxiom’s computer service clients are financial institutions and insurance agencies, Acxiom has been regularly audited for many years by these clients. Furthermore, Acxiom must honor the safeguards and security policies of the company’s clients. Since Acxiom’s security program is enterprise-wide, it is the company’s policy to institute these high levels of protection across all lines of business. These client audits, along with Acxiom’s own internal security audits, provide Acxiom with regular and valuable feedback on ways to stay ahead of hackers and fraudsters who may attempt to gain unauthorized access to Acxiom’s systems.
Two years ago, Acxiom experienced a security breach on one of the company’s external file transfer servers. The hackers were employees of an Acxiom client and a client’s contractor. As users with legitimate access to the server, the hackers had received authority to transfer and receive their own files. The hackers did not penetrate the firewalls to Acxiom’s main system. They did, however, exceed their authority when they accessed an encrypted password file on the server and successfully unencrypted about 10 percent of the passwords, which allowed them to gain access to other client files on the server. Fortunately, the vast majority of the information involved in this incident was of a non-sensitive nature.
Upon learning of the initial breach from law enforcement, Acxiom immediately notified all affected clients and, upon further forensic investigation, the company informed law enforcement regarding a second suspected security incident. Fortunately, in both instances, law enforcement was able to apprehend the suspects, recover the affected information and ascertain that none of the information was used to commit identity fraud. One of the hackers pled guilty and was recently sentenced to 48 months in federal prison. The other is currently awaiting trial.
As a result of the breach, Acxiom cooperated with audits conducted by dozens of its clients, and both the Federal Trade Commission and the Office of the Comptroller of the Currency examined Acxiom’s processes to ensure that the company was in compliance with all applicable laws and its own stated policies.
This experience taught Acxiom additional valuable lessons regarding the protection of information. For example, Acxiom now requires the use of more secure passwords on the affected server. The process for transferring files has been changed, specifically by keeping information on the server for much shorter periods of time. And while it was always a recommended internal policy, Acxiom now requires that all sensitive information passed across such servers be encrypted. In addition, while Acxiom has had in place a Security Oversight Committee for many years, the company has also now appointed a Chief Security Officer with more than 20 years of IT experience. In short, Acxiom’s systems are more secure today as a result of the company’s experience and dedication to the privacy of consumers.
The Need For Additional Legislative Safeguards
There has been much discussion, especially in recent weeks, about whether existing federal law sufficiently protects consumers from harm. In this regard, Acxiom does believe that additional, appropriately tailored legislation would assist Acxiom, the rest of the information services industry and businesses in general in ensuring that consumers are protected from fraud and identity theft. But, as FTC Chairman Majoras has said, even the best security systems imaginable and the strongest laws possible can nonetheless be circumvented by inventive criminals intent on committing fraud.
Breach Notification: Acxiom supports efforts to pass federal preemptive legislation requiring notice to consumers in the event of a security breach, where such breach places consumers at risk of identity theft or fraud. California implemented similar legislation several years ago, and over thirty other states are involved in passing similar laws. The bottom line is that consumers deserve a nationwide mandate that requires that they be notified when they are at risk of identity theft, so they can take appropriate steps to protect themselves.
Extension of the GLBA Safeguards Rule: Currently, Acxiom voluntarily subjects itself to the GLBA Safeguards Rule with respect to the company’s computer services and information products. Acxiom also complies with the California safeguards law (AB 1950). FTC Chairman Majoras recently has proposed an extension of the GLBA Safeguards Rule to the information services industry as a whole. Acxiom supports her recommendation.
Mr. Chairman, Acxiom appreciates the opportunity to participate in this hearing and to assist Congress in identifying how best to safeguard the nation’s information and data. Acxiom is available to provide any additional information the Committee may request.
Mr. Paul Kurtz, Executive Director, Cyber Security Industry Alliance
United States Senate
Committee on Commerce, Science, and Transportation
Testimony of Paul B. Kurtz
Executive Director, Cyber Security Industry Alliance
May 10, 2005
Thank you Chairman Stevens and Co-Chairman Inouye for inviting the Cyber Security Industry Alliance (CSIA) to testify before this committee on Identity Theft/Data Broker Services. As Executive Director of CSIA, I am pleased to speak about the importance of securing personal identity information.
The Federal Trade Commission estimates that 27 million Americans were victims of some kind of ID theft in the past five years. Other studies suggest 1 in 20 U.S. citizens have been hit by electronic fraud. The numbers are staggering. Every electronic breach of personal information is another reason for consumers to lose trust in our information systems. A recent survey conducted by the Ponemon Institute revealed that 57% of consumers with high trust in their primary bank say they would cease all online services with their current bank in the event of a single privacy breach. The loss of trust or confidence in our information systems inhibits economic growth, our security as citizens as well as a nation. CSIA believes the right approach to securing consumers’ personal data requires a blend of appropriate policies, technical expertise and security technologies.
A central question before this Committee today is defining the government’s role—whether directly or indirectly—in protecting personal information residing on information systems owned and operated by the private sector. This Committee, rightfully, will also look at where the marketplace is succeeding at protecting personal information and where it is failing. At this critical time of technology development and innovation, the United States, as an economic force and a global technology leader, must carefully chart a public policy approach to information security that continues to encourage innovation while also providing protections.
In my testimony today, I will cover four areas.
• A brief introduction to CSIA;
• Security challenges in securing electronic data;
• Solutions and market activity;
• Recommendations for Congress’ consideration in securing electronic data.
Introduction to CSIA
CSIA is dedicated to enhancing cyber security through public policy initiatives, public sector partnerships, corporate outreach, academic programs, alignment behind emerging industry technology standards and public education. CSIA is led by CEOs from the world's top security providers, who offer the technical expertise, depth and focus to encourage a better understanding of cyber security policy issues. We believe that ensuring the security, integrity and availability of global information systems is fundamental to economic and national security. We are committed to working with the public sector to research, create and implement effective agendas related to national and international compliance, privacy, cybercrime, and economic and national security. We work closely with other associations representing vendors, critical infrastructure owners and operators, as well as consumers.
CSIA’s initiatives range from examining the cyber security implications of Sarbanes-Oxley to the security and reliability of Internet telephony, also known as Voice over IP, to advocating more government leadership in identifying and protecting critical information infrastructure.
CSIA understands that the private sector bears a significant burden for improving cyber security. CSIA embraces the concept of sharing that responsibility between information technology suppliers and operators to improve cyber security. Cyber security also requires bi-partisan government leadership.
Members of the CSIA include BindView Corp; Check Point Software Technologies Ltd.; Citadel Security Software Inc.; Citrix Systems, Inc.; Computer Associates International, Inc.; Entrust, Inc.; Internet Security Systems Inc.; iPass Inc.; Juniper Networks, Inc.; McAfee, Inc; PGP Corporation; Qualys, Inc.; RSA Security Inc.; Secure Computing Corporation; Symantec Corporation and TechGuard Security, LLC.
Challenges in Securing Electronic Data
Many large organizations, from corporations to universities and health care systems, are conducting more of their business using network technology such as the Internet. Therefore, customers, employees, students and patients are having their personally identifiable information gathered into vast electronic data storage repositories. Some industries already have requirements to protect personally identifiable information, such as the banking and health communities. Laws and regulations are being created at various levels to address security and privacy because the criminal activity related to stealing these electronic data is increasing exponentially. Multiple laws requiring potentially different requirements will quickly make compliance an overly complex task.
The problem of ensuring security and confidentiality of electronic data is complex. There are two fundamental areas requiring protection. The first is protecting the storage of personal information in data warehouses such as names, addresses and Social Security numbers. The second is protecting the movement of these data to and from the data warehouse.
Technical security safeguards are used to address both the storage and movement issues. Policy is also crucial for it governs implementation of the technical safeguards and access to the data. Movement of the data amplifies the challenge of security because it creates weak points in the system. Those points are often outside the direct control of security administrators overseeing data warehouses. The movement of data makes it difficult to define the set of users who should take action to ensure the security of personal information by a select group. Therefore, policy and best practices play a pivotal role in shoring up weak points.
The core information technology application of large data holders is a “data warehouse.” It accumulates disparate records then analyzes, stores and distributes a vast amalgamation of information – billions of records about hundreds of millions of Americans. Many elements of the technology require special provisioning for security, including applications, systems and networks. A secure solution requires security provisions at the original source of data, at the data holder, at service providers, and at each customer location accessing the warehouse. The holder’s control of security diminishes as information passes over external networks. Control vanishes once information is injected into the customer’s internal applications.
The data warehouse’s database management system handles security and access control. Securing the warehouse is mostly a function of establishing, granting and updating access control permissions and rights – a configuration process based on policy. Security requirements extend to appropriate configuration of access controls and permissions for software applications feeding information into the data warehouse.
Data warehouse technology operates on a networked system of servers. The servers may physically exist on premise at the data holder or at an external hosting service provider. Other systems for the data warehouse include access devices such as PCs, laptops, handheld computing devices, and telephones. Primary security for all systems is mostly a function of their operating systems. Proper installation, configuration and patching of bugs in the operating system software are crucial for secure systems.
Solutions and Market Activity
Before considering steps the government should take to facilitate securing electronic data, it is appropriate to discuss solutions and market activity. There is no “silver bullet” technical or policy solution to secure data warehouses. A variety of technologies and policies are required. Key technologies and policies include:
• Policy Management: Enforces security rules and regulations. Provides guidance to management on who should access what, when and where.
• Vulnerability Management: Remediate vulnerabilities through scanning devices that identify and patch vulnerabilities, as well as mitigate misconfigurations, unnecessary services, unsecured accounts, and malicious code. Addressing major classes of network and desktop vulnerability improves IT enterprise and operational stability.
• Intrusion Detection/Prevention: Technologies that monitor content of network traffic for infections and block traffic carrying infected files or programs. Reducing incoming sick traffic closes another window for criminals to access these data.
• Authentication: A critical first step to ensuring only appropriate users may access the data is using digital certificates and multiple factor authentication. This is a way to confirm legitimate customers and control internal end user access. Strong authentication also mitigates the problem of passwords, which are inherently weak, from being hacked or otherwise compromised.
• Access Controls: Ensure that authenticated users and applications can access only that data and information which they have been granted authority to use. Access controls may be based on a number of factors, including an individual's role in an organization. They are particularly important to prevent insider attacks and as a deterrent to inappropriate browsing of sensitive data.
• Audit Files: Detailed and protected records of computer and network traffic and transactions that can help ensure policy compliance and assist in forensic investigations of computer crime.
• Encryption: Transforms data into password (key)-protected packets that prevent reading by unauthorized users. Secure communication enables data warehouse vendors to safely and efficiently serve their customers.
• Anti-Virus: Software automatically checks new files for infection. Inoculates PCs and applications from diseased software code attempting to cause harm.
• Firewall: Blocks unauthorized traffic from entering PCs and servers from the Internet. Protects end users from unwanted activity on their PCs.
Some enterprises are beginning to see security as a means to differentiate themselves from their competition. For example, a well known e-trading firm is working with a CSIA member to use two factor authentication to improve the security of customer accounts. Some Internet Service Providers (ISPs) are differentiating themselves from others by highlighting the steps they are taking to protect personal information. Other CSIA member firms are providing managed security services, encryption technologies, intrusion prevention, vulnerability management services to a variety of owners and operators of infrastructure.
Policy Considerations for Securing Electronic Data
The security of data warehouses will require a blend of appropriate policies, technical expertise, and security technologies. Technical provisions for security are aimed to thwart unauthorized access to personally identifiable information – whether by electronic hackers who break in by securing a legitimate password (e.g. LexisNexis), or by in-person fraud (e.g. ChoicePoint). Technical provisions are only as strong as the security policy which implements them.
Security breaches of data warehouses can adversely affect the life of any American so it is appropriate for Congress to establish national policies in conjunction with the private sector for the protection and privacy of personal information.
While Congress is largely focused on data brokers, the protection of personal information is also critical in other businesses where data warehouse technology is used and where similar risks exist. Congress should examine the issue more broadly as it contemplates the need for legislation.
In this context, CSIA recommends Congress to consider the following:
• Take a holistic approach to addressing cyber security. Currently, Congress is considering cyber security problems such as spyware, phishing, and data warehouse security on an individual basis. In fact, each of these problems has at least one issue in common: the attacker is seeking an individual’s personal information in order to commit financial fraud. We can anticipate similar exploits in the future.
• Harmonize any new legislation with existing legislation at the federal level, filling gaps rather than duplicating requirements already contained in existing law, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accounting Act (HIPAA) and the Fair Credit Reporting Act (FCRA). Use existing security standards wherever possible, rather than creating new ones. This approach would provide a framework for identifying areas of risk, as well as encouraging industry best practices.
• A piecemeal approach by Congress, in conjunction with the numerous laws states are passing, will present consumers and businesses with a “patchwork” quilt of confusing laws and complicated compliance issues. Already states are stepping into the void and creating a confusing patchwork of legislation on the issue. Legislation regulating spyware has been introduced in 24 state legislatures this year, with approaches ranging from studies to changes in criminal code. Anti-phishing legislation is sitting on the Governor’s desk in Hawaii, and pending in states including Texas and Florida. And there are more than 300 bills pending on identity theft in our nation’s state legislatures. A federal preemption of the many laws recently passed or currently contemplated at the state level related to spyware, phishing, and data broker security would alleviate much of the concern and consternation within the private sector as a whole. However, any preemptive federal law should maintain, at the minimum, the security standards already put in place by corresponding state legislation.
• Encourage broader use of security technologies without mandating specific technology solutions. Urge adoption of the approach utilized in CA 1386 which calls for disclosure of a breach involving unencrypted data.
• To encourage stronger cyber security, Congress should investigate incentives, including “safe harbors”, tax benefits, 3rd party or self certification, insurance and the adoption of best practices, without mandating specific technology solutions. Dictating a specific technology is counter-productive as it stifles innovation and discourages creativity.
• Congress should increase penalties for identity theft and other cyber crimes as well as ensure appropriate resources are available to law enforcement authorities. The Senate should swiftly ratify the Council of Europe’s Convention on Cybercrime which would create a global framework for investigating and prosecuting cyber criminals.
• Congress should also take a long-term view of information security. There is no coherent cyber security R&D agenda. Significant Federal funding is closeted in classified programs. While our national security needs must be met, we must anticipate that privately owned and operated networks will be attacked as well. We need to develop resilient, fault tolerant networks which degrade gracefully under attack.
Leadership in information technology is a constantly moving target. As the technology changes and improves, so must its security. Likewise, as the need for public protection evolves, so must our public policy. We call on Congress and the Administration to work with the private sector to develop a holistic approach to protecting our nation’s personal information.
Mr. Marc Rotenberg, Executive Director, Electronic Privacy Information Center
Prepared Testimony and Statement for the Record of Marc Rotenberg, President, EPIC
Hearing on “Identity Theft and Data Broker Services”
Before the Committee on Commerce, Science and Transportation, United States Senate
May 10, 2005
253 Senate Russell Office Building
Mr. Chairman, and members of the Committee, thank you for the opportunity to appear before you today. My name is Marc Rotenberg and I am Executive Director and President of the Electronic Privacy Information Center in Washington, DC. EPIC is a non-partisan public interest research organization established in 1994 to focus public attention on emerging civil liberties issues. We are very pleased that you have convened this hearing today on Identity Theft and Data Broker Services.
The main point of my testimony today is to make clear the extraordinary urgency of addressing the unregulated sale of personal information in the United States and how the data broker industry is contributing to the growing risk of identity theft in the United States. There is every indication that this problem is getting worse.
Whatever your views may be on the best general approach to privacy protection, I urge you to take aggressive steps to regulate the information broker industry and to protect the privacy and security of Americans.
The Significance of the Choicepoint Matter
With all the news reporting of the last few months, it has often been difficult to tell exactly how a criminal ring engaged in identity theft obtained the records of at least 145,000 Americans. According to some reports, there was a computer “break-in.” Others described it as “theft.” In fact, Choicepoint simply sold the information. This is Choicepoint’s business and it is the business of other companies that are based primarily on the collection and sale of detailed information on American consumers. In this most recent case, the consequences of the sale were severe.
According to California police, at least 750 people have already suffered financial harm. Investigators believe data on at least 400,000 individuals may have been compromised. Significantly, this was not an isolated incident. Although Choicepoint CEO Derek Smith said that the recent sale was the first of its kind, subsequent reports revealed that Choicepoint also sold similar information on 7,000 people to identity thieves in 2002 with losses over $1 million. And no doubt, there may have been many disclosures before the California notification law went into effect as well as more recent disclosures of which we are not yet aware.
The consumer harm that results from the wrongful disclosure of personal information is very clear. According to the Federal Trade Commission, last year 10 million Americans were affected by identity theft. Identity theft is the number one crime in the country. For the fifth year in a row, identity theft topped the list of complaints, accounting for 39 percent of the 635,173 consumer fraud complaints filed with the agency last year. And there is every indication that the level of this crime is increasing.
Choicepoint is not the only company that has improperly disclosed personal information on Americans. Bank of America misplaced back-up tapes containing detailed financial information on 1.2 million employees in the federal government, including many members of Congress. Lexis-Nexis originally reported that it made available records from its Seisint division on 32,000 Americans to a criminal ring that exploited passwords of legitimate account holders. That number was later revised to 310,000. DSW, a shoe company, announced that 103 of its 175 stores had customers’ credit and debit card information improperly accessed. Last week, Time Warner revealed that it lost track of detailed data concerning 600,000 current and previous employees.
Legislation in this area is long overdue. Regrettably, Choicepoint and other information brokers have spent a great deal of time and money trying to block effective privacy legislation in Congress. According to disclosure forms filed with the U.S. House and Senate, obtained by the Wall Street Journal, Choicepoint and six of the country's other largest sellers of private consumer data spent at least $2.4 million last year to lobby members of Congress and a variety of federal agencies. The Journal reports that, “Choicepoint was the biggest spender, with $970,000 either paid to outside lobbyists or spent directly by the company.”
But the real cost for these activities is borne by Americans, all across the country. This improper disclosure and use of personal information is contributing to identity theft, which is today the number one crime in the United States. According to a 2003 survey by the Federal Trade Commission, over a one-year period nearly 5% of the adult population were victims of some form of identity theft.
Growing Dependence on the Information Broker Industry
Mr. Chairman, the representatives of the information broker industry will testify this morning that the American economy and even our national security are becoming increasingly dependent on this industry. In many respects, this is true. These companies have become the true invisible hand of the information economy. Their ability to determine the opportunities for American workers, consumers, and voters is without parallel. If a Choicepoint record says you were late on a rent payment, whether or not that’s true, you may lose a chance for a new apartment or a job. If one of these companies wrongfully removes registered voters from the voting rolls, those people are denied their Constitutional right to vote.
The stakes become even higher with homeland security. Acxiom, for example, may play a central role in the identity verification procedures for Secure Flight, the new airline passenger prescreening system. According to the Wall Street Journal, a Virginia company named Eagle Force has tested sample passenger information against commercial databases supplied by Arkansas-based Acxiom Corp. Acxiom is the same company that stirred controversy after it shared information about JetBlue Airways' passengers, without their knowledge, with a defense contractor in 2002.
Even as we become more reliant on these firms, the reports of problems in the industry and the skyrocketing problem of identity theft have made clear that Congress must step in. There are simply no market mechanisms that protect privacy, ensure accuracy, or limit security breaches where there is no direct obligation to the person whose personal information is at risk.
EPIC’s Efforts to Bring Public Attention to the Problems with Choicepoint
Well before the recent news of the Choicepoint debacle became public, EPIC had been pursuing the company and had written to the FTC to express deep concern about its business practices and its ability to flout the law. On December 16, 2004, EPIC urged the Federal Trade Commission to investigate Choicepoint and other data brokers for compliance with the Fair Credit Reporting Act (FCRA), the federal privacy law that helps ensure that personal financial information is not used improperly. The EPIC letter said that Choicepoint and its clients had performed an end-run around the FCRA and were selling personal information to law enforcement agencies, private investigators, and businesses without adequate privacy protection.
Choicepoint wrote back to us to say, in effect, that there was no problem. The company claimed to comply fully with FCRA and that the question of whether FCRA, or other federal privacy laws, should apply to all of its products was simply a policy judgment. It made this claim at the same time it was spending several million dollars over the last few years to block the further expansion of the FCRA.
Mr. Chairman, hindsight may be 20-20, but it is remarkable to us that Choicepoint had the audacity to write such a letter when it already knew that state investigators had uncovered the fact that the company had sold information on American consumers to an identity theft ring. They were accusing us of inaccuracy at the same time that state and federal prosecutors knew that Choicepoint, a company that offered services for business credentialing, had exposed more than a hundred thousand Americans to a heightened risk of identity theft because it sold data to crooks.
But the problems with Choicepoint long preceded this recent episode. Thanks to Freedom of Information Act requests relentlessly pursued by EPIC’s Senior Counsel Chris Hoofnagle, we have obtained over the last several years extraordinary documentation of Choicepoint's growing ties to federal agencies and the increasing concerns about the accuracy and legality of these products. So far, EPIC has obtained FOIA documents from nine different agencies concerning Choicepoint. One document from the Department of Justice, dated December 13, 2002, discusses a “Report of Investigation and Misconduct Allegations . . . Concerning Unauthorized Disclosure of Information.” There are documents from the IRS that describe how the agency would mirror huge amounts of personal information on IRS computers so that Choicepoint could perform investigations. Several documents describe Choicepoint’s sole source contracts with such agencies as the United States Marshals Service and the FBI.
Among the most significant documents obtained by EPIC were those from the Department of State, which revealed the growing conflicts between the United States and foreign governments that resulted from the efforts of Choicepoint to buy data on citizens across Latin America for use by the US federal law enforcement agencies. One document lists news articles that were collected by the agency to track outrage in Mexico and other countries over the sale of personal information by Choicepoint. A second document contains a cable from the American Embassy in Mexico to several different government agencies warning that a “potential firestorm may be brewing” as a result of the sale of personal information by Choicepoint. A third set of documents describes public relations strategies for the American Embassy to counter public anger surrounding the release of personal information of Latin Americans to Choicepoint.
Lessons of Choicepoint
The Choicepoint incident provides many important lessons for the Congress as it considers how best to safeguard consumer privacy in the information age.
First, it should be clear now that privacy harms have real financial consequences. In considering privacy legislation in the past, Congress has often been reluctant to recognize the actual economic harm that consumers suffer when their personal information is misused, when inaccurate information leads to the loss of a loan, a job, or insurance. Consumers suffer harms both from information that is used for fraud and inaccurate information that leads to lost opportunities through no fault of the individual.
A clear example of how the company has contributed to the growing problem of identity theft may be found in Choicepoint's subscriber agreement for access to AutoTrackXP, a detailed dossier of individuals' personal information. A sample AutoTrackXP report on the ChoicePoint web site shows that it contains Social Security Numbers; driver license numbers; address history; phone numbers; property ownership and transfer records; vehicle, boat, and plane registrations; UCC filings; financial information such as bankruptcies, liens, and judgments; professional licenses; business affiliations; "other people who have used the same address of the subject," "possible licensed drivers at the subject's address," and information about the data subject's relatives and neighbors. This sensitive information is available to a wide array of companies that do not need to articulate a specific need for personal information each time a report is purchased. Choicepoint's subscriber agreement shows that the company allows access to the following businesses: attorneys, law offices, investigations, banking, financial, retail, wholesale, insurance, human resources, security companies, process servers, news media, bail bonds, and if that isn't enough, Choicepoint also includes "other."
Second, it should be clear that market-based solutions fail utterly when there is no direct relationship between the consumer and the company that proposes to collect and sell information on the consumer. While we continue to believe that privacy legislation is also appropriate for routine business transactions, it should be obvious to even those that favor market-based solutions that this approach simply does not work where the consumer exercises no market control over the collection and use of their personal information. As computer security expert Bruce Schneier has noted, “ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security.” This argues strongly for regulation of the information broker industry.
Third, there are clearly problems with both the adequacy of protection under current federal law and the fact that many information products escape any kind of privacy rules. Choicepoint has done a remarkable job of creating detailed profiles on American consumers that they believe are not subject to federal law. Products such as AutoTrackXP are as detailed as credit reports and have as much impact on opportunities in the marketplace for consumers as credit reports, yet Choicepoint has argued that they should not be subject to FCRA. Even their recent proposal to withdraw the sale of this information is not reassuring. They have left a significant loophole that will allow them to sell the data if they believe there is a consumer benefit.
But even where legal coverage exists, there is insufficient enforcement, consumers find it difficult to exercise their rights, and the auditing is non-existent. According to EPIC’s research, while Choicepoint claims to monitor their subscribers for wrongdoing, there is no public evidence that the company has referred a subscriber to authorities for violating individuals' privacy. In other words, in the case where a legitimate company obtains personal information, there is no publicly available evidence that Choicepoint has any interest in whether that information is subsequently used for illegitimate purposes.
Law enforcement, which has developed increasingly close ties to information brokers such as Choicepoint, seems to fall entirely outside of any auditing procedures. This is particularly troubling since even those reports that recommend greater law enforcement use of private sector databases for public safety recognize the importance of auditing to prevent abuse.
And of course there are ongoing concerns about the broad permissible purposes under the FCRA, the use of credit header information to build detailed profiles, and the difficulty that consumers continue to face in trying to obtain free credit reports that they are entitled to under the FACTA.
Fourth, we believe this episode also demonstrates the failure of the FTC to aggressively pursue privacy protection. We have repeatedly urged the FTC to look into these matters. On some occasions, the FTC has acted. But too often the Commission has ignored privacy problems that are impacting consumer privacy and producing a loss of trust and confidence in the electronic marketplace. In the late 1990s, the FTC promoted self-regulation for the information broker industry and allowed a weak set of principles promulgated as the Individual References Service Group to take the place of effective legislation. It may well be that the Choicepoint fiasco could have been avoided if the Commission chose a different path when it considered the practices of the information broker industry.
The FTC has also failed to pursue claims that it could under section 5 of the FTC Act, which prohibits unfair practices. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers and competition. It may be that the unfairness doctrine could be applied in cases where there is no direct relationship between the consumer and the company, but to date the FTC has failed to do this.
Fifth, we believe the Choicepoint episode makes clear the importance of state-based approaches to privacy protection. Congress simply should not pass laws that tie the hands of state legislators and prevent the development of innovative solutions that respond to emerging privacy concerns. Many states are today seeking to establish strong notification procedures to ensure that their residents are entitled to at least the same level of protection as was provided by California.
In this particular case, the California notification statute helped ensure that consumers would at least be notified that they are at risk of heightened identity theft. This idea makes so much sense that 38 attorneys general wrote to Choicepoint to say that their residents should also be notified if their personal information was wrongly disclosed. Choicepoint could not object. It was an obvious solution.
Clearly, there is a need for Congress to act. Although Choicepoint has taken some steps to address public concerns, it continues to take the position that it is free to sell personal information on American consumers to whomever it wishes where Choicepoint, and not the consumer, believes there is a “consumer-driven benefit or transaction.” Moreover, the industry remains free to change its policies at some point in the future, and the steps taken to date do not address the larger concerns across the information broker industry.
Modest proposals such as the extension of the Gramm-Leach-Bliley Act’s Security Safeguards Rule are unlikely to prevent future debacles. The Safeguards Rule merely requires that financial institutions have reasonable policies and procedures to ensure the security and confidentiality of customer information. Recall that the disclosure by Choicepoint did not result from a “hack” or a “theft” but from a routine sale. Moreover, the Security Safeguards Rule will do nothing to give consumers greater control over the transfer of their personal information to third parties or to promote record accuracy.
Extending notification statutes such as the California bill would be a sensible step, but this is only a partial answer. Notification only addresses the problem once the disclosure has occurred. The goal should be to minimize the likelihood of future disclosures. It is also important to ensure that any federal notification bill is at least as good as the California state bill and leaves the states the freedom to develop stronger and more effective measures. What happens, for example, when at some point in the future we must contend with the extraordinary privacy problems that will result from the disclosure of personal information contained in a database built on biometric identifiers?
There are several proposals pending in the Senate to address the growing problem of identity theft. In particular, the Notification of Risk to Personal Data Act, S. 751, and the Comprehensive Identity Theft Prevention Act, S. 768, provide strong complementary safeguards. The Committee should act quickly to ensure their passage.
Notification of Risk to Personal Data Act, S. 751
One of the lessons of the recent disclosures about the information broker industry is that we could not understand the scope of the problem without information about actual security breaches. Imagine trying to legislate airline safety or the reliability of medical products without even basic information about the extent of the problem or the number of people affected. That is where the information security problem was before the passage of the California notification law. That critical state law ensured, for the first time, that those whose personal information had been wrongfully disclosed would be notified of the breach and given the opportunity to take additional measures. Not surprisingly, once the problem became known, other states urged Choicepoint to provide notification to their residents. Thirty-eight state attorneys general wrote to the head of Choicepoint. Many state legislatures are now considering bills that would establish similar notification obligations.
Given this experience, Senator Feinstein’s bill, the Notification of Risk to Personal Data Act, is an obvious first step in the effort to help ensure that Americans can protect themselves when security breaches occur. The bill would require federal agencies and private sector businesses that engage in interstate commerce to provide notification when personal information is acquired by unauthorized persons. The bill recognizes that there may be delayed notification where this is necessary to aid a law enforcement investigation. The bill also provides certain exceptions for national security and law enforcement, though it sensibly does not allow these exceptions to be used to hide violations of law or to protect poor administration. There are a number of alternatives for notification that recognize that there may be more efficient and less costly ways to notify individuals in certain circumstances.
While this is a good measure, we are concerned that the bill will preempt stronger state laws that may be developed to address the problem of notification where risks to personal data arise. We understand the interest in a single national standard, but this is an area where the states should retain the freedom to innovate and explore new solutions to this far-reaching problem. We urge the committee to remove Section 5 of the Act, which would preempt state law.
We also caution against any effort to limit the circumstances under which notification might occur. As a matter of fairness, it should be the individual’s right to know when his or her personal information has been improperly obtained. And it should be equally obvious that given the choice businesses will choose not to provide notice unless they are required to do so.
Comprehensive Identity Theft Prevention Act, S. 768
Improved notification will play an important role in assisting consumers where security breaches occur, but clearly the long-term goal must be to reduce the risk of these disclosures and to minimize harm when these breaches occur. This is not a new problem. Congress has worked for more than thirty years to provide privacy safeguards and to protect against the risks associated with the automation of personal information. A good privacy bill works for both consumers and businesses. The Fair Credit Reporting Act, for example, was a benefit to both consumers and the credit reporting industry because it established privacy safeguards and helped ensure greater accuracy in the information that was made available to credit grantors.
The problem today is that information brokers are operating outside of any comprehensive regulatory scheme. Moreover, they have no direct relationship with the individuals whose personal information they routinely sell to others. So, there are inadequate incentives to protect privacy or to ensure accuracy. There is a clear need to establish comprehensive protections for the information broker industry.
The Comprehensive Identity Theft Prevention Act, S. 768, provides an excellent framework for privacy protection in the information broker industry. Building on the general approach of the FCRA and other privacy statutes, the bill aims to ensure that when personal information is collected, it will be used for appropriate purposes, and that when problems arise there will be meaningful remedies.
The Act requires the Federal Trade Commission to establish rules for information brokers and for the protection of personal information. The rules cover data accuracy, confidentiality, user authentication, and detection of unauthorized use. Significantly, the Act also gives individuals the opportunity to review the information about them held by data brokers. This helps ensure accuracy and accountability and is similar to provisions currently found in the Fair Credit Reporting Act.
The Information Protection and Security Act also provides meaningful enforcement by ensuring that the states are able to pursue investigations and prosecution, after appropriate notice to the FTC and the Attorneys General. The Act also gives individuals, who of course are the ones that suffer the actual harm, the ability to pursue a private right of action.
Furthermore, to the extent that information brokers, such as Choicepoint, routinely sell data to law enforcement and other federal agencies, they should be subject to the federal Privacy Act. A “privatized intelligence service,” as Washington Post reporter Robert O’Harrow has aptly described the company, Choicepoint should not be permitted to flout the legal rules that help ensure accuracy, accountability, and due process in the use of personal information by federal agencies. It would be appropriate to consider legislation that would establish safeguards for the use of commercial information by government agencies.
Also, Professor Daniel Solove and EPIC’s Chris Hoofnagle have put a very good framework forward. This approach is similar to other frameworks that attempt to articulate Fair Information Practices in the collection and use of personal information. But Solove and Hoofnagle make a further point that is particularly important in the context of this hearing today on Choicepoint. Increasingly, the personal information made available through public records to enable oversight of government records has been transformed into a privatized commodity that does little to further government oversight but does much to undermine the freedom of Americans. While EPIC continues to favor strong open government laws, it is clearly the case that open government interests are not served when the government compels the production of personal information, sells the information to private data vendors, who then make detailed profiles available to strangers. This is a perversion of the purpose of public records.
Looking ahead, there is a very real risk that the consequences of improper data use and data disclosure are likely to accelerate in the years ahead. One has only to look at the sharp increase in identity theft documented by the Federal Trade Commission, the extraordinary rate of data aggregation in new digital environments, and the enormous efforts of the federal government to build ever more elaborate databases to realize that the risk to personal privacy is increasing rapidly. Congress can continue to deal with these challenges in piecemeal fashion, but it seems that the time has come to establish a formal government commission charged with the development of long-term solutions to the threats associated with the loss of privacy. Such a commission should be established with the clear goal of making specific proposals. It should include a wide range of experts and advocates. And it should not merely be tasked with trying to develop privacy safeguards to counter many of the government’s new surveillance proposals. Instead, it should focus squarely on the problem of safeguarding privacy.
Congress needs to establish a comprehensive framework to ensure the right of privacy in the twenty-first century. With identity theft already the number one crime, and the recent spate of disclosures, any further delay could come at enormous cost to American consumers and the American economy.
The REAL ID Act
Finally, Mr. Chairman, I would like to say a few words about the REAL ID Act, a sweeping proposal for a new federal identification system, that may be taken up tonight as part of the supplemental appropriation for the troops in Iraq.
As you know, this bill, which was rejected in the last Congress, has gone forward in this Congress without even a hearing. It would require state agencies to collect sensitive personal information on every American citizen who drives a car. It would put the state DMVs in the position of enforcing the country’s immigration laws. It would give the federal government broad authority to regulate a traditional state function. Whatever one’s views may be about the merits of the legislation, it should concern all sides that this proposal could pass in the Senate without a hearing or even debate.
I make this point today in this hearing on identity theft because the state DMV record systems have actually become the target of identity thieves. In recent months, three state DMVs have been attacked by identity thieves. In March, burglars rammed a vehicle through a back wall at a DMV near Las Vegas and drove off with files, including Social Security numbers, on about 9,000 people. Recently, Florida police arrested 52 people, including 3 DMV examiners, in a scheme that sold more than 2,000 fake driver’s licenses. Two weeks ago, Maryland police arrested three people, including a DMV worker, in a plot to sell about 150 fake licenses.
It is obviously the case that the establishment of new identification requirements in the United States, the dramatic expansion of the authority of the Department of Homeland Security, and the requirement that we all now deposit with state agencies the very documents that establish our proof of identity will have a profound impact on the issues under consideration today.
Under any reasonable policy process, there would be an opportunity to examine these issues in more detail and to assess the risks that will surely result from the implementation of this legislation. Before there is a vote on this proposal, there should be a hearing in this Congress on this bill. That power still remains with the Senate. I urge you to exercise it.
For many years, privacy laws came up either because of the efforts of a forward-looking Congress or the tragic experience of a few individuals. Now we are entering a new era. Privacy is no longer theoretical. It is no longer about the video records of a federal judge or the driver registry information of a young actress. Today privacy violations affect hundreds of thousands of Americans all across the country. The harm is real and the consequences are devastating.
Whatever one’s view may be of the best general approach to privacy protection, there is no meaningful way that market-based solutions can protect the privacy of American consumers when consumers have no direct dealings with the companies that collect and sell their personal information. There is too much secrecy, too little accountability, and too much risk of far-reaching economic damage.
There are two important bills now before the Committee. The Notification of Risk to Personal Data Act, S. 751, would provide meaningful notice to individuals when their personal information is wrongfully disclosed. The Comprehensive Identity Theft Prevention Act, S. 768, would help reduce the likelihood of future breaches. I hope the Committee will be able to act quickly on these proposals.
I appreciate the opportunity to be here today. I will be pleased to answer your questions.
EPIC Choicepoint Page, available at http://www.epic.org/privacy/choicepoint/
1. Associated Press, “ChoicePoint hacking attack may have affected 400,000,” Feb. 17, 2005, available at http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/10920220.htm.
2. Robert O’Harrow Jr., “ID Theft Scam Hits D.C. Area Residents,” Washington Post, Feb. 21, 2005, at A01.
3. Bob Sullivan, “Data theft affects 145,000 nationwide,” MSNBC, Feb. 18, 2005, available at http://www.msnbc.msn.com/id/6979897/.
4. Associated Press, “ChoicePoint hacking attack may have affected 400,000,” Feb. 17, 2005, available at http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/10920220.htm.
5. David Colker and Joseph Menn, “ChoicePoint CEO Had Denied Any Previous Breach of Database,” Los Angeles Times, March 3, 2005, at A01.
6. Federal Trade Commission, “FTC Releases Top 10 Consumer Complaint Categories for 2004,” (Feb. 1, 2005), available at http://www.ftc.gov/opa/2005/02/top102005.htm.
7. Robert Lemos, “Bank of America loses a million customer records,” CNet News.com, Feb. 25, 2005, available at http://earthlink.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3-5590989.html?tag=st.rc.targ_mb.
8. Jonathan Krim and Robert O'Harrow, Jr., “LexisNexis Reports Theft of Personal Data,” Washingtonpost.com, March 9, 2005, available at http://www.washingtonpost.com/ac2/wp-dyn/A19982-2005Mar9?language=printer.
9. “LexisNexis Data on 310,000 People Feared Stolen,” New York Times, Apr. 12, 2005, available at http://www.nytimes.com/reuters/technology/tech-media-lexisnexis.html.
10. Associated Press, “Credit Information Stolen From DSW Stores,” March 9, 2005, available at http://abcnews.go.com/Business/wireStory?id=563932&CMP=OTC-RSSFeeds0312.
11. Evan Perez and Rick Brooks, “Data Providers Lobby to Block More Oversight,” Wall Street Journal, March 4, 2005, at B1.
12. Federal Trade Commission, “Identity Theft Survey Report” (Sept. 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.
13. “US To Require Airline Passengers' Full Names, Birth Dates,” Wall Street Journal, May 4, 2005, available at http://online.wsj.com/article/0,BT_CO_20050504_012176,00.html.
14. EPIC pursued a complaint against JetBlue and Acxiom at the Federal Trade Commission, arguing that “JetBlue Airways Corporation and Acxiom Corporation have engaged in deceptive trade practices affecting commerce by disclosing consumer personal information to Torch Concepts Inc., an information mining company with its principal place of business in Huntsville, Alabama, in violation of 15 U.S.C. § 45(a)(1).” Although the FTC chose not to take action in response to the complaint, it continues to be our position that when a company represents that it will not disclose the personal information of its customers to a third party and subsequently does so, it has engaged in an unfair and deceptive trade practice.
15. Letter from Chris Jay Hoofnagle, Associate Director, EPIC, and Daniel J. Solove, Associate Professor, George Washington University Law School, to Federal Trade Commission, Dec. 16, 2004, available at http://www.epic.org/privacy/choicepoint/fcraltr12.16.04.html.
16. EPIC v. Dep’t of Justice et al., No. 1:02cv0063 (D.D.C. 2002).
17. Available at http://www.epic.org/privacy/choicepoint/default.html.
24. ChoicePoint, AutoTrackXP Report, http://www.choicepoint.com/sample_rpts/AutoTrackXP.pdf.
25. “Schneier on Security: Choicepoint” available at http://www.schneier.com/blog/archives/2005/02/choicepoint.html.
26. Aleksandra Todorova, “ChoicePoint to Restrict Sale of Personal Data,” Smartmoney.com, March 4, 2005, available at http://www.smartmoney.com/bn/index.cfm?story=20050304015004.
27. See Chris J. Hoofnagle, “Big Brother’s Little Helpers: How Choicepoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement,” University of North Carolina Journal of International Law & Commercial Regulation (Summer 2004), available at http://ssrn.com/abstract=582302.
28. See FTC’s investigation into Microsoft’s Passport program. Documentation available at http://www.epic.org/privacy/consumer/microsoft/passport.html.
29. 15 U.S.C. § 45(n); Letter from Michael Pertschuk, FTC Chairman, and Paul Rand Dixon, FTC Commissioner, to Wendell H. Ford, Chairman, House Commerce Subcommittee on Commerce, Science, and Transportation (Dec. 17, 1980), available at http://www.ftc.gov/bcp/policystmt/ad-unfair.htm.
30. In FTC v. Rapp, the "Touch Tone" case, the FTC pursued private investigators engaged in "pretexting," a practice where an individual requests personal information about others under false pretenses. No. 99-WM-783 (D. Colo. 2000), 2000 U.S. Dist. LEXIS 20627. In a typical scheme, the investigator will call a bank with another's Social Security Number, claim that he has forgotten his bank balances, and requests that the information be given over the phone. The FTC alleged that this practice of the defendants, was deceptive and unfair. It was deceptive because the defendants deceived the bank in providing the personal information of another. The practice was unfair in that it occurs without the knowledge or consent of the individual, and it is unreasonably difficult to avoid being victimized by the practice.
31. “Choicepoint Incident Prompts State Lawmakers to Offer Data Notification Bills,” 10 BNA Electronic Commerce & Law Report 217-18 (March 9, 2005).
32. Associated Press, “38 AGs send open letter to ChoicePoint,” Feb. 18, 2005, available at http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-02
33. “Choicepoint Halts Sale of Sensitive Information, as Agencies Launch Probes,” 10 BNA Electronic Commerce and Law Report 219 (March 9, 2005).
34. Robert O'Harrow, No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society (Free Press 2005).
35. See, e.g., Center for American Progress, “Protecting Privacy in the Digital Age,” May 4, 2005, available at http://www.americanprogress.org/site/pp.asp?c=biJRJ8OVF&b=651807.
36. Daniel Solove and Chris Jay Hoofnagle, “A Model Regime of Privacy Protection,” March 8, 2005, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=681902.
37. See EPIC, “National ID Cards and REAL ID Act,” available at http://epic.org/privacy/id_cards/.
38. See letter from Senators Sam Brownback, R-Kan., Joe Lieberman, D-Conn., and 10 other Senators to Senate Majority Leader Bill Frist, Apr. 11, 2005 (“Because of its magnitude, this legislation should be referred to the Senate Judiciary Committee on a schedule that provides adequate time for full and careful consideration. Legislating in such a complex area without the benefit of hearings and expert testimony is a dubious exercise and one that subverts the Senate's deliberative process.”), available at http://www.senate.gov/%7Egov_affairs/index.cfm?FuseAction=PressReleases.Detail&Affiliation=R&PressRelease_id=953&Month=4&Year=2005.
Ms. Mari Frank
Mari Frank, Esq. & Associates
FOR THE UNITED STATES SENATE
COMMITTEE ON COMMERCE, SCIENCE AND TRANSPORTATION
HEARING ON IDENTITY THEFT AND DATA BROKER SERVICES
HEARING DATE: MAY 10, 2005, 2:30 PM
SENATE ROOM 253 SENATE RUSSELL BUILDING
TESTIMONY PROVIDED BY MARI J. FRANK, ESQ.
Good morning, Chairman Stevens, Co-Chairman Inouye, Presiding Senator Smith, Honorable committee members, and invited guests. Thank you very much for the opportunity to address you today regarding concerns about identity theft and Data Broker Services. I am grateful that Congress is studying this issue to craft strong measures to prevent identity theft in our society. Your desire to shine the light on these problems and make needed changes deserves commendation. I also thank this panel of witnesses who will educate us about these issues from all perspectives and help to create solutions so that we may better protect our personal and confidential information and reduce this insidious crime. Additionally I thank Senator Bill Nelson for introducing S 500, The Information Protection and Security Act, which I support because it addresses the need for responsible and reasonable oversight over the Data Broker Services Industry while providing fair information principles. I will be happy to assist this committee with other legislative proposals such as S 768 and others. Since this issue affects each one of us, I encourage a bi-partisan collaborative approach to protect ourselves from identity theft.
My name is Mari Frank. I am an attorney, privacy consultant, and author of several books on identity theft from Laguna Niguel, California. (My two newest books are Safeguard Your Identity: Protect Yourself with a Personal Privacy Audit (Porpoise Press, 2005) and From Victim To Victor: A Step By Step Guide For Ending the Nightmare of Identity Theft, 2nd Edition with CD (Porpoise Press, 2005); see www.identitytheft.org.) I serve as a volunteer Sheriff Reserve for the Orange County, California Sheriff Department, and sit on the Advisory Board of the State of California Office of Privacy Protection, which focuses on privacy and identity theft safeguards for California citizens. Additionally, I am a member of the State of California Department of Motor Vehicles' Task Force on Privacy and Identity Theft, I have served on the Los Angeles District Attorney's Office Task Force on Identity Theft, and I am an advisory board member of the non-profit Identity Theft Resource Center. I have personally assisted myriad victims across the country with my personal time and educational materials, and have donated hundreds of pro bono hours to assist victims. I have had the privilege of testifying before several legislative bodies and four US Congressional committees, and have consulted with national corporations on how to protect their clients, customers, vendors, employees, and their businesses from the challenges of identity theft and other privacy concerns. I am a certified trainer for Continuing Legal Education of the State Bar of California, a former law professor, and I presently teach Conflict Management at the University of California, Irvine.
My own identity was stolen (in 1996) by an impostor who paraded as me, stealing my personal as well as my professional lawyer identity. While wrecking my credit, she also destroyed my sense of security and peace of mind. My impersonator obtained over $50,000 using my name, purchased a red convertible Mustang, and even caused me to be threatened with a lawsuit by a rental car company for the auto that she damaged in an accident. It took me almost a year and over 500 hours to clear my records and regain my credit and my life. I accumulated five banker boxes of correspondence, and lived in fear of how else this invisible person might harm me and my children. I finally learned that while working as a temporary secretary in a law office four hours from my own office, my evil twin (whom I never met) was able to access my credit history (as well as the profiles of other lawyers) from an information broker who had a contract with that office. My impostor did not need to prove who she was or establish that she had a permissible purpose to download the profile, so it was instantly faxed to her. From that report, she obtained my social security number and other personal and financial facts to become my identity-clone. When that data broker, situated across the country, electronically transferred my consumer profile to a criminal in a city four hours from my home, it was beyond my control to do anything to prevent the fraud.
From that arduous nightmare, I gained great insight into the tribulations that victims endure; I became an expert by necessity. After speaking with several thousand victims, I have learned that most victims are not negligent with their personal information, and that no amount of "consumer education" or vigilance will protect them from identity theft if their information is acquired in a security breach by an unscrupulous employee, or through the faulty information handling practices of entities that maintain their data. Consumer privacy education is important to minimize your risk and keep you informed as to the barriers to erect, but it won't guarantee that your identity won't be stolen in a data breach.
Your esteemed committee has invited me to focus on the concerns and problems experienced by victims of identity theft and security breaches. I will concentrate my testimony on answering the following questions:
I. WHAT ARE THE MOTIVATING FACTORS FOR STEALING YOUR SENSITIVE INFORMATION?
II. HOW DOES IDENTITY THEFT OCCUR, AND WHAT ARE THE UNIQUE ISSUES AS TO DATA BROKERS?
III. WHAT ARE REAL LIFE EXAMPLES OF IDENTITY THEFT AS THEY RELATE TO INFORMATION BROKERS?
IV. WHAT IS THE IMPACT OF SECURITY BREACHES ON CITIZENS WHOSE INFORMATION IS STOLEN?
V. WHAT NEEDS TO BE DONE WITH REGARD TO MINIMIZING THE RISKS OF IDENTITY THEFT WITH REGARD TO INFORMATION BROKERS?
VI. WHAT ELSE IS NEEDED TO PREVENT AND RESOLVE IDENTITY THEFT?
I. WHAT ARE THE MOTIVATING FACTORS FOR STEALING YOUR SENSITIVE INFORMATION?
In our data-driven society your personal information is readily transferred across the world in a nanosecond through networks and on the Internet (whether or not you are a computer user). Your personal information, worth more than currency itself, can be used to apply for credit cards, credit lines, mortgages, cell phones, insurance, utilities, products and services, etc., all without your knowledge. A fraudster can do anything you can do with your identifying information, and worse, even do things you wouldn't do, such as commit crimes, seek revenge, or engage in terrorist activities.
A. WHAT IS IDENTITY THEFT AND HOW IS IT USED?
Identity theft occurs when your personal (or business) identifying information such as your name, social security number, address, birth date, unique passwords, business name or logo, or even biometric information, is used or transferred with the intent to use it for an unlawful purpose. Below are the main motivations of fraudsters:
1. Financial Gain. This includes credit, loans, new accounts, mortgages, employment, health care, insurance, welfare, citizenship, and other governmental and corporate benefits: anything that has a dollar value. The fraud may take place in multiple jurisdictions, and purchases and transfers can be made by phone, fax, online or in person. Usually, the perpetrator can buy or "legally" obtain a driver's license, create checks on a computer with the victim's name, and obtain, buy, or create other identity documents including medical cards, credit cards, passports, etc.
2. Avoiding Arrest or Prosecution. A criminal commits crimes in the real world or the virtual electronic world, or terrorist acts, using the name and identifying information of another person. Often the perpetrator also commits financial fraud to supplement her income. In a recent meeting I attended with Senator Feinstein and law enforcement, detectives and District Attorneys in California (and also in Washington) reported that 80% to 90% of identity thieves who are caught also have a pending or prior methamphetamine charge against them. In my own case, my impersonator was a "meth" addict who stole the identities of several lawyers to obtain credit and funds to feed her drug habit.
3. Revenge. One can remain "invisible" by stealing an identity to hurt another person. This type of fraud may occur between ex-spouses, former business partners, ex-employees, disgruntled staff or angry customers. We also see this type of fraud committed in businesses where one business owner wants to ruin the reputation of another. It can occur offline or online. I've been contacted by employees and business owners who learned that their e-mail address was used to discredit them.
4. Terrorism (Breaching Homeland Security). The September 11, 2001 terrorists had opened 14 accounts at a Florida bank, using false social security numbers and other documents. They obtained credit cards, apartment units, leased cars, and fraudulently charged airline tickets. They not only did this for financial gain; over half of them likely suspected that their true names were in FBI files as suspected terrorists, so they committed total identity take-over to avoid arrest. And worse, they used false identities to get revenge against our country. In Senator Feinstein's meeting with law enforcement in California on March 29, 2005, law enforcement reported that suspected terrorist cells have been apprehended with false documents in California. It is well known that foreign nationals have covertly crossed our borders and have easily obtained stolen identity documents to hide under the "radar screen".
II. HOW DOES IDENTITY THEFT OCCUR, AND WHAT ARE THE UNIQUE ISSUES AS TO DATA BROKERS?
A. WAYS THAT YOUR PERSONAL INFORMATION IS STOLEN
The scope and extent of the problem of identity theft is rampant. In 2003 the FTC conducted a survey that found almost 10 million new victims that year, and 27.3 million victims in the previous five years, with a cost to consumers of $5 billion and a loss to financial institutions of $48 billion. (www.consumer.gov/idtheft) According to the Identity Theft Resource Center, victims paid an average of $1,400 in out-of-pocket costs (not including attorney fees) and spent an average of 600 hours to regain their credit and identity. (www.idtheftcenter.org) The monetary costs are minuscule compared to the devastation, stress and violation one feels when denied a job, unable to get a car or apartment, losing the opportunity for a home, losing health insurance benefits, or finding out there is a warrant for one's arrest, or worse yet, when one is convicted of a crime committed by one's impostor. Victims have a great burden to "prove" their innocence, beg for an identity theft report, and spend hundreds of hours calling and writing various agencies and companies to get their life back.
The epidemic of identity theft is growing because sensitive personal information is acquired very easily, and the issuers of credit are often less than careful in verifying and authenticating the true identity of the applicant. There are many ways that fraudsters obtain data about us. It may be appropriated through stolen mail, dumpster-diving, lost or stolen wallets, shoulder surfing, burglary, friends or relatives (only about 9%), unscrupulous employees, phone fraud, Internet fraud (phishing and pharming), spyware, hackers, unprotected wireless networks, unethical use of public documents that contain personal information, needless display of social security numbers on government documents (such as military and Medicare identification cards), and the transfer, sale and sharing of social security numbers and other data among financial institutions, credit reporting agencies and data brokers.
B. DATA BROKERS' FILES PROVIDE MASSIVE, BROAD-BASED INFORMATION WHEN ACCESSED BY FRAUDSTERS
Although an identity thief has a choice of simple, easy ways to steal your good name, as listed above, your identity is especially vulnerable with regard to the mega databases held by information brokers who are collecting, storing, sharing, buying, transferring and selling huge amounts of personal and sensitive information in all-inclusive profiles without any governmental oversight. (For example, it is reported that ChoicePoint has 19 billion files on citizens.) Although the credit bureaus also hold vast financial and personal data, and if accessed also wreak havoc for victims (as happened to me), at least these credit reporting agencies are regulated by the Fair Credit Reporting Act, and there was a way for me to correct my file.
The very essence of the data broker business is selling a broad range of very private and highly sensitive information which, if acquired by a person with criminal intent, provides a complete, comprehensive package ready-made for total identity takeover. These databases contain your personal, professional, social, (possibly criminal) and financial existence. Tapping into your data profile is a fraudster's dream come true. The huge, lengthy dossiers provide far more than just a social security number or the limited information that could be accessed by stealing a bank account, your mail, or even your un-shredded trash. Many of these companies have various products for sale which will tell the recipient of the report far more about you than your family or friends know. Most of us have seen our credit reports and know how all-embracing they are with regard to our financial profile, but few of us have seen our complete dossier stored and sold by the data aggregators. To give you an example of one type of product, I have attached as Exhibit I a sample AutoTrack report sold by ChoicePoint for you to see how much information may be revealed about you, which also includes the persons in your home and surrounding neighborhood. It should startle you.
C. VIEWING YOUR VAST PROFILE
When I attended the State Bar Annual Meeting last fall, I visited the exhibit hall and was summoned by one of the data brokers to view my profile to see if I wished to purchase this data information service for my law office. All I provided was my name, and instantly 30 pages of private information (including my social security number) appeared on the computer screen. I was shocked and horrified, not only because I felt very violated by all it revealed, but worse yet, by the numerous errors! I asked the salesperson how I could correct the information and was told that I could not correct any information in the file; that this information was not subject to the Fair Credit Reporting Act. Please review the attached sample profile and consider how each category heading is labeled, i.e., "Possible Social Security Numbers Associated With This Subject," "Possible Deeds Transferred," "Possible Felony/Probation/Parole." As a recovered identity theft victim, I was stunned by the prospect that some of those items in my report could have been reported as a result of my impostor's actions, and I was fearful of what could happen to me and my family if this information were to be acquired by someone who wished to do harm. I was reminded of the Amy Boyer case a few years ago in which a young man, Liam Youens, used an online information broker, Docusearch, to obtain Amy's social security number, phone number, and work address in order to find her. He then appeared at her office and killed her and then committed suicide. Later, police found on his computer a message he had written about data broker services: "It's actually obscene what you can find out about people on the Internet".
D. DATA BROKERS ARE OPERATING UNDER THE RADAR SCREEN AND ARE INVISIBLE TO MOST CITIZENS
Even with all the publicity about data brokers and recent security breaches, when I have spoken to large audiences in the last month about identity theft, most people still didn't know these companies by name, or what they do, or how they gather data, or what's in their databases. There is no transparency. In fact, most people tell me that if they had received a security breach letter from ChoicePoint or LexisNexis, they probably would have thrown it out as "junk mail" since they hadn't heard of the company and do not have a business relationship with it. Many potential victims who received security breach letters have not taken advantage of LexisNexis' offer of a year of credit monitoring (for example) because they didn't even open the envelope, or if they did, they didn't know what to worry about since they didn't know what had been revealed from their files to cause alarm. None of the breach letters that I have seen contained a copy of the profile, or a detailed list of the data that was stolen.
E. EVERYONE IN THIS ROOM AND READING THIS TESTIMONY HAS A PROFILE IN THE DATA BROKER FILES.
DO YOU KNOW WHAT INFORMATION ABOUT YOU IS BEING SOLD?
Everyone in this room who has a birth certificate or a driver's license, if you've been married or divorced, have auto or homeowner's insurance, if you have ever worked, if you have a residence, if you have any government-approved license, if you've been issued a speeding ticket: YOU ARE IN THOSE SECRET FILES. Every Senator in this room, and every one watching this hearing, has a profile in those files. Have you seen your dossier? Do you know what fact or fiction is being sold about you? As the law stands now, you don't have the right to know what is in those files, nor do you have the right to correct the many errors, nor do you have the right to know who has had access to those sensitive files, nor can you limit their sale. Actually, none of us here (except perhaps the data broker persons) have control over anything in those files. These companies have operated in the shadows and have sold this often erroneous information to myriad companies, journalists and governmental agencies. Yet most Americans don't even know who these companies are or what they do. This is America, the home of freedom and liberty; this is not a communist country or Nazi regime where secret files are kept on citizens and shared with various entities and governmental agencies. The FBI and other law enforcement agencies are purchasing this information from data brokers, as are employers, insurers, landlords, attorneys, private investigators, and others. Shouldn't law-abiding citizens have a right to at least see the dossiers and make sure that the information is correct?
Although the credit reporting agencies are also considered data brokers, they are regulated by the Fair Credit Reporting Act, and that law gives us the right to see our data, review it, dispute it, correct it, find out who has accessed it, limit its sale and review, and gives us the right to enforce our rights. Unfortunately, the Information Service industry only acknowledges that a small portion of its products are subject to the FCRA (i.e., reports made for insurance, employment history, landlord-tenant history, medical insurance). Why shouldn't the data brokers be subject to the same fair information principles?
III. WHAT ARE SOME REAL LIFE EXAMPLES OF IDENTITY THEFT AS THEY RELATE TO INFORMATION BROKERS?
A. EXAMPLES OF FINANCIAL IDENTITY THEFT:
1. John is a recent widower. After his wife died of cancer at age 35 (leaving him with three young children), he began receiving collection calls from credit card companies, a computer manufacturer, and a cell phone company for the items and services allegedly purchased by his deceased wife after her funeral. He suspects that the impostor got the information from the death certificate, which has the social security number and birth date on the document. This could have been obtained in the funeral home, from public records offline or online, through the Social Security Administration, or from any information broker.
Many public records including birth certificates, death certificates, marriages, pilot and captain licenses etc. contain the social security number - which is the key to the kingdom of identity theft. The Data Brokers sell public records to almost anyone. John became a victim prior to July 2003 when the California Security Breach disclosure law became effective. If he were a victim of a security breach after July 2003, he hopefully would have been notified, and would have had a chance to put up barriers to protect his deceased wife's good name and his finances.
2. Sidney, a wealthy retired executive, learned that his identity was stolen many months after he and his wife purchased a new home. His loan application, with his 3-in-1 credit report attached, revealed his credit score, his checking, savings, and investment accounts, social security number, and all necessary information for an impostor to become Sidney. He believes his masquerader had gotten a copy of Sidney's credit report which was on his broker's laptop. The impostor opened new credit card accounts, purchased computers, electronic equipment, furniture, rented an apartment, obtained utilities, etc., stealing almost $100,000, and the couple are overwhelmed.
Allowing employees to download credit reports and maintain loan applications in unencrypted files on laptops, which may be easily stolen outside a secured office, makes customers very vulnerable to identity theft. It is imperative that all companies that collect data and transfer it for use verify the recipient (that he or she has a lawful, permissible purpose) and set up contracts and enforcement for the security of the information. It's critical for victims to get notice immediately of any security breach, so that they may take steps to intervene and stop further fraud activities.
3. Susan, a physician received a letter from a company that she did business with, that her social security number and other information about her had been acquired by unauthorized persons. She was terrified as to what could happen to her finances, and her practice. She put fraud alerts on her credit profile, changed all her passwords, even closed accounts and opened new ones. She felt very violated, angry, frightened and upset. Almost 1½ years later, she started receiving calls from creditors from accounts she never owned - including cell phones, credit cards, and loans. She believed the fraud alert would remain on her credit profile - it did not. Even when the fraud alert was on her file, companies seemed to ignore the alert and issue credit. Since she lives in California, she was able to place a security freeze on her profile so no one could see her credit report to issue credit without her providing a password to release her file. Now she has sleepless nights about her impostor parading as a doctor and committing other crimes. She wants to see a full background check from the information brokers.
This case shows us why it is so important to receive notice of a security breach. Susan took proactive steps to prevent fraud, and several companies called her and did not issue credit. Some negligent companies ignored the alert. Because she lives in one of the four states (presently California, Texas, Vermont, and Louisiana) that allow victims to "freeze" their reports, she was finally able to stop the financial fraud. But the fear of criminal identity theft is now haunting her. She should be able to put a fraud alert on her consumer profile and obtain a complete background check at no cost if she is a victim- just as victims can obtain two free credit reports in the 12 months in which they learned of the fraud. She should also be able to limit the sale of her consumer report and be notified with the name, telephone number and address of a business or governmental entity (other than Homeland Security) to see who is accessing her profile.
B. EXAMPLES OF CRIMINAL IDENTITY THEFT:
1. George, a disabled veteran living in Colorado, was suddenly denied his disability payments, and hit with a large IRS bill for the income that his impostor had earned while working under his name in Tennessee. When he reported this fraud to the police, we learned that George's impostor had also established a criminal record in yet another state and there was a warrant for George's arrest.
Information about George's impostor's criminal activity and work-related fraud would not show up on a credit report (until the IRS reports it), but it would show up on a background check provided by the data brokers who are testifying today. George found out the hard way, when he lost benefits and was arrested. If he had had access to his consumer file, he would have found out about the fraud and wouldn't have lost his disability benefits.
George's case demonstrates why we must be able to review, dispute and correct our consumer files. We should be able to get our complete dossiers at least once a year at no cost, as is our right to get a credit report from each of the three credit reporting agencies under the Fair and Accurate Credit Transactions Act.
2. Lori, a disabled vet from Virginia and a single mom with a set of six-year-old twins, was attending school to get her Master's degree in Social Work when the police showed up at her door. She was arrested for a crime that she didn't commit. The woman who committed the fraud used the name Laura along with Lori's last name. Her fingerprints did not match the prints of the perpetrator, and the description of the fraudster was different from Lori, yet she was convicted. With my help and the help of new counsel, she was sentenced to probation, but the felony record must be corrected with a new trial. Her greatest fear isn't the new trial; it is the information broker databases that may continue to report her as a felon even after the criminal records are cleared. She has reason to fear, as you will read in the next case.
3. Scott was laid off from a high-paying job in the medical industry in Ohio. He had great recommendations and felt sure he would be rehired. For two years he was denied employment after several positive interviews and his permission to do a background check. Finally Scott hired a private investigator who showed him his criminal profile from a data broker. It included two DUIs and an arrest for murder, none of which belonged to him. I spent many months helping him to correct the sheriff and FBI databases. But months after we cleared all the law enforcement databases, he applied for employment and was offered the job, but after reviewing his background, the employer told him that they couldn't hire him. He was in shock when the private investigator pulled his report again and found that a major information broker was still selling this false information to prospective employers without updating their files. Finally, after a lawsuit was filed by an Ohio attorney, the information was corrected. But the years of anguish and lack of employment continue to damage his career and his personal life.
Scott had no idea why he had trouble getting a job. Although a potential employer is supposed to tell you if you are denied employment due to a consumer report, and let you know how to review the report, it's understandable that an employer may be reluctant to tell a "murderer" that he is denied employment due to his criminal history. Instead he was told that there were others who were more suitable for the position. If Scott had had the right to see his file earlier and the right to correct it, he would have been able to secure employment and perhaps would not have divorced, lost custody of his son, or become homeless for those years.
C. Examples of Identity Theft for Revenge
1. Linda was married to a prominent Chicago lawyer for 25 years. When he decided to divorce to marry his secretary, he had a friend download Linda's consumer information and give it to a fraudster who applied for numerous credit cards, ordered furniture, and other luxury items. The fraudster also used Linda's name to set up e-mail accounts to send the estranged husband threatening messages. This was done to discredit Linda in court.
Obviously, there was no lawful purpose for downloading this report from the data broker. There was no verification of permissible use by the data broker. It clearly was revenge and self-interest.
2. The first cyber stalking case prosecuted in Orange County, California turned out to be identity theft. A computer expert was angry when a woman he liked shunned his advances. He proceeded to go online to a chat room and pretend to be her, stating that she had fantasies of being raped. From a data broker, he was able to find her home phone number and address and shared it in the chatroom. The woman didn't even own a computer. When several men appeared at her door to share her fantasies, she was terrified and called the police. She had an emotional breakdown and the violation has left scars.
3. A radio talk show host was shocked to learn that his own identity was stolen by a disgruntled listener who bought his dossier from an on-line information broker. Aside from calling him at home and bullying him, he obtained access to his e-mail account and sent embarrassing e-mails to the station, pretending to be the talk show host.
The above cases demonstrate how identity theft is facilitated by the data broker industry. Unless a victim gets notice of a security breach, or unless law enforcement or a private investigator can solve the mystery, most victims don't have a clue how the criminal has gotten their sensitive records. The assaults against these victims caused great anguish, overwhelmed them and negatively impacted every aspect of their lives. The time spent trying to regain their lives, the damage to their reputation, and the out-of-pocket costs were minuscule compared with the tremendous emotional turmoil these people endured.
IV. WHAT IS THE IMPACT OF SECURITY BREACHES ON CITIZENS WHOSE INFORMATION IS STOLEN?
Persons whose information has been stolen by criminals are victims of a crime. They may not yet be victims of identity theft, yet they are victims of a federal crime. Not only has their private, sensitive information gotten into the hands of unauthorized persons, but those unauthorized persons have done so with the intent to commit an unlawful act. Under 18 USC 1028, as stated below, the persons committing the act are felons and those who are adversely affected are victims of a federal felony:
The Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act, 18 U.S.C. § 1028) makes it a federal crime when anyone:
knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.
I have personally spoken with victims of security breaches who have received notice letters from entities such as Lexis Nexis, ChoicePoint, Ameritrade, Bank of America, Wells Fargo and several universities, hospitals, and even smaller businesses. The victims of the breach feel very violated, angry, frightened, overwhelmed and helpless. It is well known that criminals steal the information and may often wait months or years to use it, or they sell it in exchange for methamphetamine or money. It may be transferred several times and used for financial gain or to commit other crimes. Because the victims of the breach don't know who the criminals are or their intent, they are anxious. Additionally, the victims are not notified as to exactly what information may have been taken, so they feel defenseless and don't even know what to protect. Although I tell these victims actions to take to put up barriers (placing fraud alerts, instituting security freezes, changing passwords, changing mother's maiden name, monitoring credit reports, etc.), victims still feel incapable of ensuring that their identity won't be stolen. Many are fearful that their family home or office may be intruded upon by the perpetrators, who may have their addresses, phone numbers, bank account information and perhaps an entire dossier.
Below are a couple of e-mails I received from victims of a security breach explaining their strong feelings of victimization.
"My husband and I are very upset and it is overwhelming. We are very anxious and it takes a tremendous amount of time and effort just to get a security freeze. The credit agencies shouldn't make it so difficult. I'm spending so much time monitoring accounts and credit reports; it's exhausting. I feel very vulnerable and frightened that some criminal knows all about me and may wait to use our stuff any time, now or in the future. What can I do?"
"I spend sleepless nights wondering when the phone may ring, or I will open a letter from a bill collector. I'm worrying if someone has obtained new identification under my wife's or my name. It is scary to think that I may be pulled over by the police for something I didn't do. What if they drag me or, Lord forbid, MY WIFE from the vehicle and handcuff us? My wife and I are losing too much sleep."
The emotional impact on these victims is intense and their fears are real. Why would a criminal steal the information if there was no intent to sell, transfer or use it for an unlawful purpose?
V. WHAT NEEDS TO BE DONE WITH REGARD TO MINIMIZING THE RISKS OF IDENTITY THEFT AS TO INFORMATION BROKERS?
Data Brokers must be regulated by imposing Fair Information Practices as follows:
1. TRANSPARENCY- The nature of personal data held by these companies should be readily available for inspection by the public. The uses of the information should be clearly defined.
2. CONSENT AND NOTICE- Consumers should be able to give their consent to the disclosure of their information prior to disclosure, such as the rights with regard to disclosure of credit reports. The exceptions would be for defined categories of law enforcement and Homeland Security. In other words, there should be an established permissible purpose, e.g., employment background checks, insurance, landlord-tenant, etc. When a consumer gives his consent or it is considered a "permissible purpose", the consumer should be entitled to notice of the sale, and the consumer should receive a free copy from the entity that bought the report.
3. CONSUMER ACCESS AND INSPECTION- Individuals should have the right to one free disclosure per year, as they have for credit reports. A central website and toll-free numbers should be set up for consumers to get their entire profile, not just a "Clue Report". If a person has become a victim of identity theft, he should be entitled to at least one other free disclosure per year for 24 months after learning of the stolen identity. The inspection report should be the same as would be accessed by a company for a background check: the complete profile. The disclosure should also provide a list of names, addresses and phone numbers of all entities that received a copy of such report in the last 5 years. This would include governmental entities, except for specific guidelines of Homeland Security or other law enforcement restrictions. Employers or others who order background checks on a consumer should be required to provide a copy to the consumer upon receipt, whether or not the consumer report was a factor in hiring or reviewing an employee or prospective employee.
4. QUALITY CONTROLS AND TIMELY CORRECTION- The information collected should be accurate, complete, updated and relevant to the purpose for which it is to be used. The Data Broker industry should allow individuals to dispute the files and should provide prompt correction within no more than 30 days. The broker should reinvestigate without cost to the consumer and make all appropriate changes if the information cannot be verified. If, after the data broker investigates, it finds that the investigation verified the information, the company shall provide the name, address and phone number of the verifying entity so that the consumer can directly dispute the information.
5. STRICT SECURITY CONTROLS- There should be safeguards against risk of loss, unauthorized access, alteration, hacking, etc. Audit trails and limited access should be standard, as well as encryption of the sensitive data. Customers should be screened both initially and with respect to how the end user is safeguarding the information from unlawful use. In the event of a security breach, the data broker must notify all individuals whose information was acquired, either on paper or electronically, with a letter providing the consumer the nature of the breach, what information was stolen, and how to protect themselves with fraud alerts, security freezes and other useful tools. They should also provide a free copy of the report that was accessed. Credit monitoring and background check monitoring would be needed. (Fraud resolution services may be necessary.)
6. ENFORCEMENT- The data broker industry must be held accountable to consumers and victims. Outside audits and training should be mandatory. A private right of action is essential to allow enforcement of the provisions of the law. A private right of action provides that the cost of the legal system policing against acts of preventable corporate negligence is paid by the guilty parties rather than by increasing taxes or adding to the size of government. We have seen that many provisions of FACTA and the GLB Act have not been enforced because federal agencies do not have the resources or manpower to take actions against all the violations; why should our taxes be spent to right the wrongs of companies who violate the law? Individuals should be able to seek redress for their damages without having to rely on the government to intervene; however, for large cases, enforcement should be available in state courts by private parties, attorneys general and the FTC.
7. PRESERVING STATES' RIGHTS- Consumer reforms with regard to identity theft have derived from proactive States that were responsive to the plight of their citizens. Some examples of this are the right to a free credit report annually, the right to place a fraud alert, and the right of victims to obtain information from businesses and creditors to regain their identity. More recently, we have found out about the security breaches of two of the data brokers here today only because of the California Security Breach law. Both ChoicePoint and Lexis Nexis admitted in a Senate hearing that they both experienced significant breaches prior to July 2003, when the California law became effective, and did not notify any of the victims of the breach. Since February 2005, over 4 million Americans have been victims of various security breaches (See exhibit II from the Wall Street Journal), none of which we would have heard about but for the California law. Arizona and California were the first two states to make identity theft a crime, leading all the states and the federal government to establish the consumer as a true victim. Numerous states are instituting security freezes to lock up a consumer's credit so fraud cannot continue. Federal law should serve as a floor, not a ceiling, so that states can, if need be, quickly address the crises of their victims.
VI. WHAT ELSE IS NEEDED TO PREVENT AND RESOLVE IDENTITY THEFT?
1. Security Breach Notification must extend to all states. All governmental agencies, private industry, schools, and other entities should be held accountable to quickly notify all persons whose sensitive and personal information (paper and electronic files) was acquired by an unauthorized person. There should be an exception for encryption only if it is robust and if the unauthorized acquisition was not capable of being decrypted by an unscrupulous employee or customer. The standard of providing notice should be triggered by the acquisition of the data rather than the use of it. A bank or other entity that experiences a breach should not be allowed to determine the possibility of the misuse. The only delay of notice would be for law enforcement upon its written request. Allowing the business or entity to make the call as to when there might be a risk of harm is like allowing the wolf to tend the henhouse. There should be enforcement by the FTC, state attorneys general and private individuals. Any preemption should be a floor and not a ceiling, so that states can protect their own citizens regarding unique needs. As a member of the advisory board of the California Office Of Privacy Protection, I helped create a list of "Recommended Practices on Notification of Security Breaches Involving Personal Information" as a guide for dealing with security breaches. Please visit www.privacy.ca.gov to review those standards.
2. Governmental agencies as well as private industry should limit the use of the social security number, since it is presently the key to the kingdom of financial fraud.
Our advisory board to the Office of Privacy Protection in the California Office of Consumer Affairs also had the privilege of developing the "Recommended Practices for Protecting the Confidentiality of Social Security Numbers" (www.privacy.ca.gov). This document should be considered by both public and private sector entities as a guide to protect all consumers.
The social security number is used as the identifier for military cards and "dog-tags", Medicare, Medicaid, pilot's licenses, captain's licenses, etc. No entity should be allowed to display, post, or sell the SSN. The SSN in public records should be redacted before posting. There should be no collection of SSNs by private or governmental agencies except where necessary for a transaction and there is no other reasonable alternative. SSNs collected for a specified purpose should not be used for any other purpose.
3. Mandatory Destruction of Confidential Information- Governmental agencies and private industry should be required to completely destroy personal information that they are discarding by shredding, burning or whatever means is necessary to protect the information from dumpster diving. This should extend to any confidential and sensitive information, not just information derived from consumer reports.
4. Departments of Motor Vehicle Licensing- Bureaus should establish more stringent monitoring and matching of duplicate licensing and new licenses. A photo ID and a fingerprint could be matched. Rather than developing a "national ID" with various forms of biometric information, credit cards and other unnecessary information, which would complicate the process and invade privacy, this license would help deter interstate identity theft without collecting too much information or allowing it to be accessed or sold to private industry.
5. Need for an Easier Process for Victims- Problems with the Fair and Accurate Credit Transactions Act (which was meant to make things easier for victims.)
a. An Identity Theft Report is needed in order for victims to get an extended fraud alert, block the fraud on their profile, and gain access to records of the fraud. FACTA was meant to streamline and help victims of identity theft. However, the new rules recently released by the FTC with regard to the "Identity Theft Report" clearly show the time-consuming maze that a victim must maneuver. Below is an example of the hassle of exerting your victim rights with regard to the FTC rule about the "Identity Theft Report."
"An Identity Theft Report may have two parts:
Part One is a copy of a report filed with a local, state, or federal law enforcement agency, like your local police department, your State Attorney General, the FBI, the U.S. Secret Service, the FTC, and the U.S. Postal Inspection Service. There is no federal law requiring a federal agency to take a report about identity theft; however, some state laws require local police departments to take reports. When you file a report, provide as much information as you can about the crime, including anything you know about the dates of the identity theft, the fraudulent accounts opened and the alleged identity thief.
Note: Knowingly submitting false information could subject you to criminal prosecution for perjury.
Part Two of an identity theft report depends on the policies of the consumer reporting company and the information provider (the business that sent the information to the consumer reporting company). That is, they may ask you to provide information or documentation in addition to that included in the law enforcement report which is reasonably intended to verify your identity theft. They must make their request within 15 days of receiving your law enforcement report, or, if you already obtained an extended fraud alert on your credit report, the date you submit your request to the credit reporting company for information blocking. The consumer reporting company and information provider then have 15 more days to work with you to make sure your identity theft report contains everything they need. They are entitled to take five days to review any information you give them. For example, if you give them information 11 days after they request it, they do not have to make a final decision until 16 days after they asked you for that information. If you give them any information after the 15-day deadline, they can reject your identity theft report as incomplete; you will have to resubmit your identity theft report with the correct information." (FTC Rules)
This rule is not only cumbersome, it is confusing; it allows the credit reporting agencies to delay unnecessarily and it gives victims the run-around. I have already heard from many victims who are frustrated, angry, and unable to block the fraud or even extend the fraud alert.
b. Law enforcement agencies at the local, state and federal level should develop a uniform "identity theft report" to be compliant with FACTA, and the FTC should determine what satisfies an "identity theft report." New provisions of the Fair Credit Reporting Act require a detailed "identity theft report" to send to the credit grantors and the credit reporting agencies. If a proper identity theft report is sent to the credit reporting agencies, they are required to do the following: place an extended fraud alert for 7 years; block all the fraud on the profile immediately; notify the creditor that the accounts are blocked. Additionally, if the victim provides a proper identity theft report to the creditors, they must provide all documentation of the fraud to the victim and to the law enforcement agency within thirty days. Unfortunately, the agencies themselves are deciding what is "proper", and many victims contacted us because they are not able to appease the credit reporting agencies nor the credit grantors with the reports. So they cannot exert these rights afforded under the law, and there is no private right of action to enforce these rights.
The FTC should determine what will be acceptable as an identity theft report and facilitate the victim's report. It should be adhered to by law enforcement as well as the financial industry without imposing an arduous task upon the victim. Also, the victim should be able to get a police report in the jurisdiction where she lives even if the impostor is in another state. And, the case should be able to be prosecuted in the jurisdiction where the victim lives or the jurisdiction where the crime takes place. All police should be required to provide a proper identity theft report even if they do not have the resources to investigate the crime.
c. Initial Fraud alert should be one year- FACTA allows a victim of a breach or fraud to place a fraud alert on credit profiles for at least 90 days with their first phone call. To extend the alert they must write a letter and provide an "identity theft report." The initial fraud alert should be changed to at least 1 year, especially because victims of a security breach may not be victimized for a long time.
d. Free credit report for victim should be available by phone when calling in the fraud alert. Prior to the passage of FACTA, victims could order their free credit report to review their files at the same time they placed a fraud alert. Now, the credit reporting agencies (except for TransUnion "temporarily") do not give the victim an opportunity to get the free credit reports in the initial phone notification of the fraud. They are later sent a letter notifying them of their right to a free report upon request. This is another delay which allows the impostor more time to do his "dirty work"; this is an added burden for the victim and costlier for the creditor. The victim should be allowed to order the first of his two free reports during the initial fraud alert phone call.
e. Victims should be provided a complete report upon disputing the fraud, and the victim should be able to see the report that the creditors see. The CRAs are now sending corrections instead of complete corrected reports to victims. This is dangerous, since other new fraud may appear on the report. Also, the report that a creditor receives is more comprehensive than the report that the victim sees, so this is not complete disclosure.
6. Funding for law enforcement for identity theft cases should be greatly increased since this is also a Homeland Security Issue. All major metropolitan areas should be funded to set up identity theft task forces to include the Secret Service, the Postal Inspector, the Social Security Inspector, the FBI, INS, State Attorney General and local law enforcement to collaborate in the investigation and prosecution of these crimes since suspected terrorists will need to utilize stolen identities to attempt their missions.
7. Law enforcement agencies should help victims of criminal identity theft. A federal law should set forth steps for law enforcement to take (in conjunction with the judicial system) to assist victims of criminal identity theft. So a victim of criminal identity theft in California whose impostor is in New York could be declared innocent in New York as well as California. This would entail a national database of the criminal information and fingerprints. It would contain the order of the true person’s fingerprints for comparison with the fingerprints of the impostor-criminal in New York. The court would enter a declaration of factual innocence and any warrants for the victim would be dismissed. All databases would be corrected so that background checks would not show the victim as having an arrest or criminal record. (See California law and package for victims to clear their criminal record www.privacy.ca.gov)
8. Set up State and Federal Offices for Privacy Protection- There should be a federal office of privacy protection as well as state offices. The office of privacy protection should institute an ombudsman office to assist citizens with identity theft and other serious privacy issues. It should also coordinate and review the various governmental offices of privacy to ensure oversight.
9. Credit Reporting Agencies:
a. Consumers should be able to put a complete freeze on their credit reports in order to prevent identity theft. This would enable the consumer to prevent their credit report from being accessed by a creditor without the specific authorization of release with a password. California, Texas, Vermont and Louisiana have passed such laws. It would be impossible for an impostor to apply for credit if there were a freeze on the file. The consumer would have the right to release the file when he so desires by a password or PIN. Every state should pass this legislation, or if it is federal legislation, then there needs to be a private right of action and no federal preemption.
b. Credit reporting agencies should provide to victims a COMPLETE REPORT when providing corrections. All reports should include the names, addresses and phone numbers of the companies who accessed the consumer's credit report, including inquiries with the issuance of a consumer report, so that potential victims could verify the permissible purpose.
c. Credit reporting agencies should notify a consumer by e-mail when his/her credit report has been accessed. The agency should be allowed to charge a minimal fee for this service, as to actual cost (i.e.: $10 per year).
d. Credit reporting agencies should set up hotlines with live persons to talk to victims of identity theft. A live employee in the fraud department should be assigned to a particular victim- so the victim doesn't have to re-explain all the problems in numerous letters.
10. Banks and other Creditors should be held accountable for protecting consumers and others from identity theft.
a. Creditors who issue credit to an impostor after a fraud alert is placed on a credit profile should be held liable, and the victim should have a private right of action to enforce his rights. Presently, if a creditor ignores the fraud alert, only the Federal Trade Commission or other federal agencies may bring an action, and they clearly cannot enforce individual rights, nor do they have the resources to deal with most of the violations. There should be a fixed penalty of at least $1000 per occurrence or actual damages, whichever is greater.
b. Need for private Enforcement of access to business records. If a fraud victim provides notification of fraud and includes an "identity theft report" and an affidavit, under the FCRA a creditor is required within 30 days to provide copies of all billing statements, applications and other documents of fraud to the victim and the designated law enforcement agency. Presently, victims are contacting us to say that many companies are refusing to provide the information without a subpoena. Victims presently have no private right to force a company to provide this data. Only the FTC or other federal agencies may bring an action, but that cannot help an individual consumer. This must be changed so that there will be enforcement of the provision of the act.
c. Creditors should not be allowed to send "convenience checks" without a prior request by the consumer. I was told by a postal inspector that 35% of these checks are used fraudulently.
d. Credit grantors should not be allowed to send pre-approved offers of credit without a PRIOR request from the consumer.
Identity Theft Conclusions
Personal, confidential, and financial information is a valued commodity in our society. Data brokers have flourished abundantly while selling and transferring your extensive, aggregated personal profiles, which include your income, credit worthiness, buying, spending and traveling habits, health information, age, gender, race, etc. Facts about our personal and financial lives are shared legally and illegally without our knowledge or consent, on-line and off-line, every day. Privacy protection in the age of data collection is really more about limiting access and instituting inspection and correction of our records, rather than keeping the information secret. We have lost control over the dissemination of our sensitive data, and this has led to an enormous epidemic of identity theft. The huge data breaches in recent months have shined the light on the immensity of the problem of identity thieves and the havoc they cause. But it also has enlightened our lawmakers to collaborate to create a new framework for reasonable regulation of the data broker industry.
To avert identity theft, the burden is on the data brokers and the financial industry, who are in the unique position on the front end, to take precautions, require verification and authentication of employees, vendors, business associates and customers, and refuse to sidestep fair information principles. Data Brokers, the credit reporting agencies and the financial industry are in a powerful position to prevent the fraud before the impostor can establish a parallel "shadow profile".
I am hopeful that, as a result of the gigantic breaches of sensitive information, this Congress will create a regulatory framework for the information brokers that will protect our citizens and enable the Data Broker industry to help society. I encourage you to strongly consider the thoughtful and well-reasoned language of S 500, which implements the Fair Information Principles, yet acknowledges the importance of the work that the data industry provides, while safeguarding the identity of every American.
Thank you for the opportunity to share these concerns and suggestions with this Honorable Committee. -Mari J. Frank, Esq.