Majority Statement

• Gordon H. Smith

  Senator
  Read statement

  Majority Statement

  Gordon H. Smith

  STATEMENT OF SENATOR GORDON H. SMITH
  
  I thank the witnesses for being here today. Today’s hearing takes place against the backdrop of one of the most rapidly growing crimes in America – identity theft

  We will hear from the Federal Trade Commission today that over 10 million Americans are victimized by identity thieves every year. These numbers translate into losses of over $55 billion per year, averaging over $10,000 dollars stolen per fraud.

  In 2005 alone, there were at least 43 known incidents of data breaches, potentially affecting over 9 million individuals. My own state of Oregon ranks ninth in the nation for fraud complaints and identity theft. These breaches range from sloppy record keeping and security procedures by companies to extremely sophisticated online thefts by computer hackers.

  Last month, this Committee held a hearing on the recent data breaches at ChoicePoint, Inc and Lexis-Nexis, and methods used by private industry to prevent future data breaches.

  At today’s hearing, the Committee will hear testimony concerning the current treatment of data broker services under existing state and federal privacy laws as well as proposals of public solutions to mitigate future data breaches and identity theft.

  Protecting sensitive information is an issue of great importance for all Americans. Consumers should have confidence when they share their information with others that their information will be protected. At the same time, the ability of legitimate companies to access personal information certainly does facilitate commerce and continues to benefit consumers. Data broker companies perform important commercial and public functions through their ability to quickly and securely access consumer data.

  Following today’s hearing, I will be introducing legislation shortly with my colleagues on this committee. The principles of this bi-partisan legislation will include a national obligation for companies to have a security procedure in place to safeguard sensitive and personal information, and a balanced breach notification trigger to inform consumers when ‘real risks’ of identity theft are at stake.

  We need to make sure that this legislation strikes the right balance to ensure the continued existence of the critical services while ensuring the security of personal information to prevent its misuse and subsequent breaches.

  I would also like to also especially welcome my fellow Oregonian, Congresswoman Darlene Hooley, who is here today to share her thoughts on this issue.
  

• Conrad Burns

  Senator
  Read statement

  Majority Statement

  Conrad Burns

  Burns Opening Statement

  Thank you all for coming today. I would also like to thank Senator Smith for chairing the hearing, and Senator Stevens and his staff for setting it up.

  This is a very timely issue and I am glad the Commerce Committee is addressing it. The question of data breaches, identity theft, and other issues concerning the use of an individual’s personal information by third parties has been given much press recently. And I believe the problem is only going to get worse over time.

  People out there are right to be concerned, and even angry, about the apparent lack of protection of their personal information. I look forward to hearing from our witnesses today from the government about the ways that current law safeguards citizens’ rights, and what kind of new legislation might be needed. I plan to be an active participant in any legislation that the Senate develops, and I will work to make sure that consumers’ rights are protected.

  But we also have to be careful not to throw the baby out with the bath water. The services that data brokers provide help make businesses more efficient and keep costs low for all Americans across a wide range of services, from mortgage rates to on-line shopping to a wide range of financial services. And we need to make sure we preserve the positive uses of this data as well.

  I look forward to discussing where the proper balance should be, and how the consumer’s interest can be protected. This is a very important topic, and I know today’s hearing will offer a lot of insight as we move forward. I look forward to hearing our witness’ testimony today, and I’d like to thank Senator Smith again for focusing our attention on this critical matter.
  

Minority Statement

• Daniel K. Inouye

  Senator
  Read statement

  Minority Statement

  Daniel K. Inouye

  Data breach and identity theft are serious problems that this Committee is committed to addressing. A 2003 Federal Trade Commission (FTC) survey report found that, during a one-year period, nearly 10 million Americans were victimized by identity thieves.

  Polls consistently find strong support among Americans for privacy rights to protect their personal information.

  The FTC and others have been working to come up with a federal legislative solution to protect America’s consumers from the data breaches that lead to identity theft.

  Consumer protection is our number one goal. Any solution must include a provision that notifies consumers of data breaches so they can protect themselves. In addition, consumers deserve to have certain rights in their dealings with the information industry, and to have those rights protected by their government.

  Senator Bill Nelson has undertaken a tremendous amount of work on this issue, and I appreciate his interest and guidance. We are looking forward to working with Chairman Stevens and Senator Smith to produce a bipartisan bill that serves American consumers and allows them to take advantage of our great marketplace without fear.
  

  
  

• Barbara Boxer

  Senator
  Read statement

  Minority Statement

  Barbara Boxer

  Mr. Chairman, thank you for calling this hearing on the vitally important issue of identity theft. I commend you for making this issue a top priority.

  As you know, I am a strong and vocal proponent of privacy protection – especially with regard to the distribution of personal information that can lead to the physical, financial, or psychological harm of an individual if the information falls into the wrong hands.

  In 1994, after an actress in my state was murdered by a stalker who obtained personal information about her from the Department of Motor Vehicles, I authored the Driver’s Privacy Protection Act to keep personal information held by a state Department of Motor Vehicles from being released without the consent of the individual. The Supreme Court upheld this law on a unanimous 9-0 vote.

  That was during the days of the Internet’s infancy. While the Internet has done wonderful things, it – and the computerization of more and more data – is making it easier for identity thieves.

  The Privacy Rights Clearinghouse, a nonprofit group in San Diego, estimates that nearly 4 million people’s identities have been compromised through means such as hacking, dishonest insiders, and computer theft since mid-February. This number does not even include 5 million people whose sensitive information is on the back-up tapes lost by Bank of America and CitiFinancial.

  According to a 2003 FTC study, over a period of 1 year, nearly 10 million Americans were victims of identity theft. Losses to business and financial institutions were nearly $48 billion and consumer victims reported an additional $5 billion in out-of-pocket expenses.

  Criminals use misappropriated and stolen consumer information to assume the identity of innocent individuals. They get credit cards and mortgages in someone else’s name and even use an assumed identity if caught committing a crime. The identity thieves then disappear and it is the victim who is left answering the calls of debt collectors and the police.

  Data brokers are of particular concern when it comes to identity theft. These companies actively collect and sell information about individuals.

  As aggregators of sensitive information, data brokers are attractive targets for identity thieves. And, unfortunately, the last few months have shown that criminals are succeeding in stealing information from them.

  Since the beginning of the year, we have learned that breaches of security at ChoicePoint and LexisNexis have resulted in information on approximately 145,000 individuals in ChoicePoint’s case and 300,000 records in LexisNexis’s case being exposed.

  What is worse is if this had happened a few years ago, we might not have even known about them. It is only since a California credit law went into effect in mid-2003 that companies have been forced to notify Californians when their confidential information has been compromised. That required notification to California’s consumers has resulted in the whole country knowing about these thefts. But, outside of California, people do not have a right to know when their own personal data may be compromised.

  This must change. People have a right to know when they are at risk. They have a right to know before they get turned down for a loan because someone else ruined their credit record. They have a right to know before they are arrested for someone else’s crime. We, however, should not focus solely on data brokers. Many other organizations routinely store sensitive personal information. In April, DSW – the shoe store – admitted that its computer system had been hacked allowing criminals access to the credit card and driver’s license numbers of approximately 1.4 million customers.

  Identity theft also raises serious homeland security concerns. Terrorists, too, are able to use sensitive consumer information to assume false identities. Unlike criminals, however, terrorists will avoid the activities that normally alert a person to the fact their identity was stolen. So long as the terrorist pays the credit card bills, it could be years before the deception is revealed.

  Legislation is needed to address the consumer harm and security threat arising from identity theft. Therefore, I have cosponsored the Comprehensive Identity Theft Prevention Act (S. 768).

  The legislation would create and fund the Office of Identity Theft in the FTC and create an Assistant Secretary for Cyber Security in the Department of Homeland Security.

  Moreover, it would regulate data brokers and ensure that companies maintaining sensitive personal information protect that data. A notice provision based on California’s law would require companies to inform affected individuals of security breaches and give those consumers additional rights to protect their sensitive information.

  This legislation is timely and necessary. I look forward to working with my colleagues on this Committee to move the bill forward.

  I thank you again, Mr. Chairman.
  

• Byron L. Dorgan

  Senator
  Read statement

  Minority Statement

  Byron L. Dorgan

  North Dakota is first in the nation in many good respects. But I am happy to say that North Dakota ranks 49th in the nation in the number of ID theft cases, on a per-capita basis. There are almost five times as many cases of ID theft in Arizona, on a per capita basis, than in North Dakota.

  Still, even though we have had relatively few cases in North Dakota, the first-hand stories of North Dakota victims are certainly devastating ones. This is clearly a national epidemic. And I am particularly worried about the many instances in which data brokers have lost the sensitive financial records of hundreds of thousands of Americans.

  I am a cosponsor of the S. 768, the Comprehensive Identity Theft Prevention Act, which my colleague Senator Nelson (along with Senator Schumer) has introduced.

  This bill does a number of things

   

  • It bans unregulated commercial trading of Social Security numbers, and prohibits commercial entities from asking individuals for their Social Security numbers, unless no other alternative identifier that can be used.

     

  • It establishes an Office of Identity Theft within the Federal Trade Commission (FTC), as a “one stop shop” to help the millions of victims of identity theft each year restore their identities. This office would also be responsible for passing regulations to protect consumers’ sensitive personal information that is collected, maintained, sold, or transferred by commercial entities. It would have the authority to bring enforcement actions for violators of the regulations.

     

  • It requires safeguard rules for all commercial entities: companies must take “reasonable steps” to protect all sensitive personal information that they store.

     

  • It requires information brokers subject to full regulations by the FTC; and consumers would be afforded the rights they have under the Fair Credit Reporting Act regarding credit bureaus.

     

  • It requires breach notification: all commercial entities must notify individuals when there has been a breach of the individual’s sensitive personal information.

  I am particularly concerned about the pervasive use of Social Security numbers by businesses as a means of identifying potential customers. I believe that the use of misappropriated Social Security numbers is one of the main accelerants that fuels the epidemic of ID theft. I know that many businesses will argue that they need Social Security numbers to distinguish one customer from another. But the Better Business Bureau estimates that there were 9.3 million victims of identity theft in 2004. Clearly, there are competing interests here – and given the number of victims, I think we need to provide much more protection for the confidentiality of Social Security numbers.

  When a company like LexisNexis is hacked into, and thieves steal the personal data of 310,000 Americans – including not only their Social Security numbers, but even the date and location where the Social Security card was issued – it is clear that we have a serious problem on our hands.

  I have read through FTC testimony. It states that “private and public entities routinely have used Social Security numbers for many years to access their voluminous records,” and suggests that the solution is not to restrict the use of Social Security numbers, but rather to go after those who use Social Security numbers for criminal purposes. I am certainly in favor of going after the bad guys, but I think we also need to restrict the use of Social Security numbers far beyond the status quo.

  So I look forward to discussing this point with the other commissioners today.

  I am also interested to hear from Vermont Attorney General William Sorrell on whether federal legislation on the issue of ID theft should create a ceiling that preempts recently enacted state laws in this area. North Dakota is one of the states that has recently passed legislation requiring notification of individuals when their personal data has been compromised. I am not sure that we want to be capping the efforts of states to protect individuals from ID theft. The bill that I have cosponsored with Senator Nelson does not do that.

  With that, I thank the witnesses for attending today.

Testimony

• The Honorable Orson Swindle

  Commissioner

  Federal Trade Commission
  Read statement

  Testimony

  The Honorable Orson Swindle

  Please see Federal Trade Commission testimony under Commissioner Majoras.

• The Honorable Jonathan Leibowitz

  Commissioner

  Federal Trade Commission
  Read statement

  Testimony

  The Honorable Jonathan Leibowitz

  Please see Federal Trade Commission testimony under Commissioner Majoras.

• The Honorable Deborah Platt Majoras

  Chairman

  Federal Trade Commission
  Read statement

  Testimony

  The Honorable Deborah Platt Majoras

  Click here for the Federal Trade Commission's testimony.

• The Honorable Pamela Jones Harbour

  Commissioner

  Federal Trade Commission
  Read statement

  Testimony

  The Honorable Pamela Jones Harbour

  Please see Federal Trade Commission testimony under Commissioner Majoras.

• The Honorable Thomas B. Leary

  Commissioner

  Federal Trade Commission
  Read statement

  Testimony

  The Honorable Thomas B. Leary

  Please see Federal Trade Commission testimony under Commissioner Majoras.

Witness Panel 2

• The Honorable William Sorrell

  Vermont Attorney General, and President

  National Association of Attorneys General
  Read statement

  Witness Panel 2

  The Honorable William Sorrell

  Click here for Attorney General Sorrell's testimony.