[Senate Hearing 106-885]
[From the U.S. Government Printing Office]




                                                        S. Hrg. 106-885

           ID THEFT: WHEN BAD THINGS HAPPEN TO YOUR GOOD NAME

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
                       AND GOVERNMENT INFORMATION

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                                   on

  EXAMINING THE EFFECTIVENESS AND FUNDING FOR THE IDENTITY THEFT AND 
                ASSUMPTION DETERRENCE ACT (P.L. 105-318)

                               __________

                             MARCH 7, 2000

                               __________

                          Serial No. J-106-70

                               __________

         Printed for the use of the Committee on the Judiciary


                    U.S. GOVERNMENT PRINTING OFFICE
69-821 CC                   WASHINGTON : 2001




                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman

STROM THURMOND, South Carolina       PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania          JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona                     HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio                    DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri              RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan            ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama               CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire

             Manus Cooney, Chief Counsel and Staff Director

                 Bruce A. Cohen, Minority Chief Counsel

                                 ______

   Subcommittee on Technology, Terrorism, and Government Information

                       JON KYL, Arizona, Chairman

ORRIN G. HATCH, Utah                 DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa            JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin

           Stephen Higgins, Chief Counsel and Staff Director

        Neil Quinter, Minority Chief Counsel and Staff Director

                                  (ii)




                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Kyl, Hon. Jon, U.S. Senator From the State of Arizona............     1
Leahy, Hon. Patrick J., U.S. Senator From the State of Vermont...     1
Grassley, Hon. Charles E., U.S. Senator From the State of Iowa...     8

                    CHRONOLOGICAL LIST OF WITNESSES

Prepared Statement of Susan Herman, executive director of the 
  National Center for Victims of Crime...........................     3
Prepared Statement of James G. Huse, Jr., inspector general, 
  Social Security Administration.................................     4
Statement of Maureen Mitchell, registered nurse and licensed 
  realtor, Madison, OH...........................................    10
Panel consisting of Gregory Regan, special agent in charge, 
  Financial Crimes Division, U.S. Secret Service, Washington, DC; 
  and Jodie Bernstein, director, Bureau of Consumer Protection, 
  Federal Trade Commission, Washington, DC.......................    22

                ALPHABETICAL LIST AND MATERIAL SUBMITTED

Bernstein, Jodie:
    Testimony....................................................    29
    Prepared statement...........................................    31
Herman, Susan: Prepared statement................................     3
Huse, James G., Jr.: Prepared statement..........................     4
Mitchell, Maureen:
    Testimony....................................................    10
    Prepared statement...........................................    16
Regan, Gregory:
    Testimony....................................................    22
    Prepared statement...........................................    25

                                APPENDIX
                         Questions and Answers

Responses of Jodie Bernstein to Questions From Senators:
    Feinstein....................................................    47
    Grassley.....................................................    48

 
           ID THEFT: WHEN BAD THINGS HAPPEN TO YOUR GOOD NAME

                              ----------                              


                         TUESDAY, MARCH 7, 2000

                           U.S. Senate,    
         Subcommittee on Technology, Terrorism,    
                            And Government Information,    
                                Committee on the Judiciary,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:06 p.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl 
(chairman of the subcommittee) presiding.
    Also present: Senator Grassley.

  OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE 
                        STATE OF ARIZONA

    Senator Kyl. Good afternoon. This hearing before the Senate 
Committee on Judiciary Subcommittee on Technology, Terrorism, 
and Government Information will please come to order. The 
subject of today's hearing is ``ID Theft: When Bad Things 
Happen to Your Good Name.'' I welcome all of you to the 
hearing.
    I will begin by indicating that Senator Feinstein is in her 
State of California because of her State's primary and 
therefore will not be joining us today. There may be other 
members of the panel, however, either on the Democrat or 
Republican side, joining us as the hearing progresses.
    There are some statements that I will put into the record 
at the very beginning. Senator Patrick Leahy has a statement 
for the record.
    [The prepared statement of Senator Leahy follows:]

             Prepared Statement of Senator Patrick J. Leahy

    Less than two years ago, President Clinton signed the ``Identity 
Theft and Assumption Deterrence Act of 1998'' into law to crack down on 
the theft of another person's identification information that results 
in harm to the person whose identification is stolen and then used for 
false credit cards, fraudulent loans or for other illegal purposes. 
This new law also set up a ``clearinghouse'' at the Federal Trade 
Commission to keep track of consumer complaints of identity theft and 
provide information to victims of this crime on how to deal with its 
aftermath.
    This law was the product of bipartisan concern and good faith 
efforts to develop a legislative response to the growing problem of 
identity theft. I am proud of the work Chairman Kyl, Senator Feinstein 
and I, and others, did together to produce a strong, effective law.
    Protecting the privacy of our personal information is a challenge, 
especially in this information age. Every time we obtain or use a 
credit card, place a toll-free phone call, surf the Internet, get a 
driver's license, or go shopping online, we are leaving virtual pieces 
of ourselves in the form of personal information, which can be used 
without our consent or even our knowledge. Too frequently, criminals 
are getting hold of this information and using, the personal 
information of innocent individuals to carry out other crimes.
    The consequences of identity theft for its victims can be severe. 
These victims can have their credit ratings ruined and be unable to get 
credit cards, student loans, or mortgages. They can be hounded by 
creditors or collection agencies to repay debts they never incurred, 
but were obtained in their name, at their address, with their social 
security number or driver's license number. It can take months or even 
years, and agonizing effort, to clear their good names and correct 
their credit histories. I understand that, in some instances, victims 
of identity theft have even been arrested for crimes they never 
committed when the actual perpetrators provided law enforcement 
officials with assumed names.
    The FTC has recently made available online a number of valuable 
resources for consumers and victims of identity theft. One such 
document, called ``ID Theft: When Bad Things Happen to Your Good 
Name,'' contains poignant stories from consumers about how ID thieves 
have damaged their lives.
    One consumer reported to the FTC that:

        ``Someone used my Social Security number to get credit in my 
        name. This has caused a lot of problems. I have been turned 
        down for jobs, credit, and refinancing offers. This is 
        stressful and embarrassing. I want to open my own business, but 
        it may be impossible with this unresolved problem hanging over 
        my head.''

    Yet another consumer reported:

        ``My elderly parents are victims of credit fraud. We don't know 
        what to do. Someone applied for credit cards in their name and 
        charged nearly $20,000. Two of the card companies have cleared 
        my parents's name, but the third has turned the account over to 
        a collection agency. The agency doesn't believe Mom and Dad 
        didn't authorize the account. What can we do to stop the debt 
        collector?''

    Identity theft is a problem that reaches into every state. One of 
my constituents had to deal with this problem several years ago. In 
June of 1997, on the night before her wedding, a woman stole Carla 
Chadwick's purse. Ms. Chadwick, a resident of Burlington, Vermont, 
canceled her credit cards and assumed that the story would end there. 
Unfortunately, this was just the beginning of her nightmare. For the 
next two years the thief assumed Ms. Chadwick's identity, and went on a 
cross-country spending spree, damaging Ms. Chadwick's credit along the 
way. The thief also checked into hospitals under Ms. Chadwick's name, 
and accrued thousands of dollars in medical charges. This thief even 
applied for welfare, again under Ms. Chadwick's name. Officials believe 
that, in total, the thief racked up more than $58,000 of fraudulent 
charges, all in Ms. Chadwick's good name.
    The nightmare finally came to an end in December, 1999, when the 
thief, later identified as Carla Mae Purdy, was arrested in Spokane, 
Washington. Carla Mae Purdy now faces prosecution under the ``Identity 
Theft and Assumption Deterrence Act of 1998,'' and Carla Chadwick can 
reclaim control of her good name.
    Such stories abound across the nation, and the ``Identity Theft and 
Assumption Deterrence Act'' appears to be helping law enforcement catch 
and prosecute ID thieves. For example:

   In July, 1999, the United States Secret Service announced 
        the indictment of Terkesha Lane, a resident of West Palm Beach, 
        Florida. Ms. Lane allegedly stole the identity of a co-worker 
        by obtaining a driver's license in the victim's name. With that 
        driver's license, Ms. Lane apparently withdrew more than 
        $13,000 from the victim's bank account and charged 
        approximately $4,000 on fraudulently obtained credit cards. 
        Like Ms. Purdy who victimized a Vermonter, Ms. Lane faces 
        charges under the ``Identity Theft and Assumption Deterrence 
        Act.''
   In July, 1999, a federal grand jury in Columbus, Ohio, 
        indicted nine individuals for Identity Theft. In this case, the 
        thieves used 36 fake or stolen names and checking accounts to 
        set up false bank accounts and withdraw real money. Officials 
        in Columbus say that this case represents one of the most 
        complex identity theft cases ever seen in the district.
   In October, 1999, Anthony Jerome Johnson, a California man, 
        pled guilty to a federal charge of identity theft. Mr. Johnson 
        admitted stealing the identity of Donald Lightfoot and opening 
        two bank accounts in Lightfoot's name, as part of a scheme to 
        obtain $764,000.

    The law we passed made prosecution of these individuals, and 
restitution to these victims, possible.
    Assisting crime victims is of critical concern to me and one I know 
is shared by Chairman Kyl and Senator Feinstein. The ``Identity Theft 
and Assumption Deterrence Act'' provides important remedies for victims 
of identity fraud. Specifically, the law makes clear that these victims 
are entitled to restitution, including payment for any costs and 
attorney's fees in clearing up their credit histories and having to 
engage in any civil or administrative proceedings to satisfy debts, 
liens or other obligations resulting from a defendant's theft of their 
identity. In addition, the new law directs the FTC to keep track of 
consumer complaints of identity theft and provide information to 
victims of this crime on how to deal with its aftermath.
    The FTC has done a good job with the statutory mandate we gave 
them, and I commend the Commissioners and staff for their work. The 
Federal Trade Commission provides user-friendly assistance to victims 
of identity theft on their website. The website informs victims of what 
they need to do right away, such as calling the fraud departments of 
the three major credit card bureaus. Also, the Federal Trade Commission 
provides an easy to fill out on-line complaint form to help the FTC 
track and combat identity theft, as well as links to other government 
agencies on this issue. Victims of identity theft can check out this 
site and learn about the applicable state and federal laws, learn about 
recent identity theft-related cases from around the country, and other 
helpful reports.
    The ``Identity Theft and Assumption Deterrence Act'' was an 
important accomplishment, but there may be more we can and should do to 
address this problem. I look forward to reviewing the testimony of the 
witnesses to evaluate how well the new law is working for law 
enforcement and, most importantly, for the victims of identity theft 
crimes.

    Senator Kyl. In addition, we have for the record statements 
provided by Susan Herman, Executive Director of the National 
Center for Victims of Crime, which has been very, very helpful 
to us in putting legislation together, and also testimony of 
James Huse, Inspector General, Social Security Administration. 
Both of those statements are very helpful and will be submitted 
for the record.
    [The prepared statements of Ms. Herman and Mr. Huse 
follow:]

Prepared Statement of Susan Herman, Executive Director of the National 
                      Center for Victims of Crime

    Chairman Kyl and members of the Subcommittee, we appreciate the 
opportunity to offer testimony on the important issue of identity theft 
and our response to victims of this pervasive crime.
    The number of identity theft cases is growing. Annual case 
estimates are in the hundreds of thousands. Identity theft is a crime 
that can strike any of us, yet its victims have been marginalized, 
essentially left struggling to restore their good name and credit as 
best they can. Since identity theft offenses are relatively new, and 
certainly newly prominent, neither law enforcement nor victim services 
have yet developed an adequate response.
    The National Center for Victims of Crime operates a toll-free 
information and referral line for victims of crime. One of the most 
frequent complaints we get from victims of identity theft is that law 
enforcement will not take a report. This is a significant problem, 
because victims are routinely advised to get a copy of the police 
report to use in clearing their credit record.
    Until recently, the only official ``victim'' in many cases of 
identity theft was the defrauded merchant or credit agency. The 
individual's liability for wrongfully incurred charges was generally 
limited, although it could take days of persistent phone calls and 
letters on the part of that individual to establish that point. Today, 
about half of the states have defined a separate ``identity theft'' 
offense, under which it is clear that a person whose identity is 
stolen, including cases of credit card fraud, is also a victim in the 
eyes of the law. However, even in those states, law enforcement 
officers often mistakenly inform individual victims that only the 
financial institution or commercial entity is a ``victim.''
    Victims have also been told by law enforcement that they can't take 
a report until they know where the crime was committed, Since identity 
theft can be committed in person, over the phone, through the mail, or 
over the Internet, this information is rarely available. Many laws 
state that the crime may be deemed to have occurred where the victim 
lives, but many front-line officers appear to be unaware of such 
provisions, perhaps because they have been inadequately trained.
    Even where police take reports, relatively few cases of identity 
theft are solved. The San Diego Police Department reported that in 1999 
there were 783 cases of identity theft, but only 50 ended in arrest. 
The Los Angeles Police Department received more than 3,000 reports of 
identity theft in 1999, but its Financial Crimes Division only solved 
about one percent of such cases. Since cases of identity theft can be 
very difficult to solve, they can drive down a police department's 
success rate.
    Victim service agencies have also not developed adequate services 
for identity theft victims. Currently, few resources are available. 
While the National Center has a referral database of thousands of 
agencies and organizations serving victims of crime, fewer than a dozen 
report that they serve victims of identity theft. And many of those 
simply take reports. They do not have crisis lines, nor do they provide 
counseling or any intervention or advocacy on behalf of identity theft 
victims.
    Perhaps one reason there are few services for victims of identity 
theft is that guidelines for victim assistance grants from the Victims 
of Crime Act (VOCA) Fund were changed only recently to allow funds to 
be used for services to victims of financial crimes. With VOCA's 
historical emphasis on victims of violent crime, many victim service 
agencies remain unaware of this change and need active encouragement to 
develop those services.
    Victims of identity theft often do not know the full extent of the 
crime for a long time. It can take one or more billing cycles for 
charges to appear on a bill. In the case of stolen checks, new 
instances of fraud can surface slowly over time. The person who has 
stolen their identity may commit crimes using that identity, giving the 
victim a criminal record that may resurface with any routine traffic 
stop or background check.
    A victim's financial security can be shattered. Even if they can 
limit their financial losses, it can take countless hours of work over 
several years to repair the damage to their credit rating and to 
restore their good name. Credit reporting agencies can be slow to 
change the credit record; fraudulent charges can reappear on the 
victim's account or credit report after once being removed; and bill 
collectors can appear time and again to attempt to collect wrongfully-
incurred debt.
    Victims who obtain a criminal record through the misuse of their 
identity have a particularly difficult time clearing their names. 
Police records, often incurred under the victim's social security 
number as well as name, can be hard to change. Some states are 
considering legislation that would require courts, in cases of identity 
fraud, to make a specific finding that the person whose identity was 
falsely appropriated to commit the crime is innocent of the crime.
    The effects of identity theft on victims are not well understood. 
Many victims become hypervigilant; the fraudulent misuse of their 
personal information makes them keenly aware of how many people in 
their daily lives have access to their credit card information or 
social security number. They find themselves unable to trust the 
billing staff at their doctor's office, the department store clerk, 
their office administrator, or the secretary at their child's school. 
This inability to trust others in the ordinary business of life. takes 
an emotional toll on victims.
    Victims of identity theft also are excluded from many state level 
victims' bills of rights. Victims who have had their identity 
misappropriated often have a great interest in being kept apprised of 
the-progress of the case, yet they have no legal rights to be kept 
informed or to participate because those rights are limited to victims 
of violent offenses.
    The federal Identity Theft and Deterrence Act of 1998 and many new 
laws at the state level have made significant improvements in our 
nation's response to victims of identity theft. However, as this 
problem continues to grow, it is clear there is more that we can and 
should do. Every victim of crime deserves adequate resources and 
assistance to rebuild their lives, even victims of non-violent crime 
such as identity theft. The incidence of identity theft is growing, and 
it is time to strengthen our national response.
                               __________

  Prepared Statement of James G. Huse, Jr., Inspector General, Social 
                        Security Administration

    It is an honor to provide this Subcommittee with the Social 
Security Administration's Office of the Inspector General's (SSA-OIG) 
status of ongoing work and our perspective on the direction we need to 
take to reduce the incidents of identity theft. Thanks to the 
leadership of Senator Kyl and the efforts of this Subcommittee, the 
Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft 
Act) was passed in October 1998. That Act provided this office with a 
powerful weapon to combat Social Security number (SSN) misuse when used 
to commit identity theft. While the SSN was never intended to be a 
``national identifier,'' this Act acknowledges that the SSN is a 
commonly used means of identification. Even before the passage of the 
Identity Theft Act, this office had gained insight into the widespread 
occurrence of identity theft, because of the vast number of complaints 
received by the SSA-OIG Fraud Hotline. Because of this, we developed an 
action plan to focus on SSN misuse. The American public has an 
expectation that the Government will establish safeguards to protect 
their SSN's from misuse. They also expect governmental action when 
misuse occurs. This office will do its best to meet the public's 
expectation.
    From the beginning, our office has taken a proactive stance to work 
with other Federal organizations to reduce the incidents and impact of 
identity theft crimes by participating in national and international 
work groups. We worked closely with the Federal Trade Commission (FTC) 
to develop informational materials that provide a consistent message 
throughout the Federal Government to assist and educate victims of 
identity theft. We have met with several U.S. Attorney's Offices to 
discuss the prosecutorial guidelines for identity theft and because 
this issue is so important, I have detailed an attorney from my office 
to the Department of Justice to assist in the prosecution of identity 
theft cases.
    Our office continues to share knowledge and data with the FTC. The 
FTC and our Office of Investigations are developing a referral system 
that will allow for the automated transfer of data between the 
agencies. This referral system will not only improve our ability to 
assist victims but allow us to detect individuals committing identity 
theft more quickly. Based on a recent analysis by FTC, we estimate that 
referrals of SSN misuse could reach 8,000 a month in addition to the 
2,500 we already receive. Because of this expectation, we are 
redesigning our systems to capture SSN misuse referrals in a more 
defined structure that will delineate SSN misuse by type.
    Our Office of Investigations is using existing programs to further 
develop the referral process with the FTC. The fugitive felon program--
designed to implement sections of the Personal Responsibility and Work 
Opportunity Reconciliation Act of 1996 (commonly known as the Welfare 
Reform Act)--identifies individuals illegally receiving Supplemental 
Security Income (SSI) payments through computer matching agreements 
with State and local law enforcement entities. Oftentimes, these data 
matches identify individuals whose SSN has been assumed by a fugitive. 
We refer this information to the FTC and our investigative units follow 
up on leads of those individuals who assumed the victim's SSN.
    In fiscal year 1999, our Office of Investigations launched SSN 
misuse pilot projects in five cities across the Nation. Our special 
agents provide the lead in working with Federal and State law 
enforcement agencies to review Hotline allegations and open an 
investigation, if warranted. Partnering with other law enforcement 
agencies allows us to have a greater impact with limited resources. 
Because of this partnership, we are able to present cases for 
prosecution, which if presented separately, would not be accepted. In 
the past year through these task forces, we opened 79 investigations, 
which so far, have resulted in the conviction of 18 individuals. U.S. 
Attorney's Offices and Federal and State law enforcement agencies have 
enthusiastically welcomed these pilots and have applauded my office for 
taking the investigative lead. In one city, Federal and State law 
enforcement agencies that were not part of the task force have asked to 
join because of its success.
    I would like to provide the Subcommittee with a synopsis of three 
different investigations related to SSA programs and identity theft 
that were successfully prosecuted.
    In the first case, our Office of Investigations was instrumental in 
the conviction of what is believed to be the first Federal prosecution 
under the Identity Theft Act. Our Milwaukee Sub-office opened an 
investigation, based on a referral from the Wisconsin Capitol Police, 
of Waverly Burns who was receiving SSI payments. During the course of 
the investigation, we discovered that Mr. Burns acquired the SSN of 
another individual and then used this number to secure employment as a 
cleaning crew supervisor. While working in this capacity, he gained 
access to the offices of the Wisconsin Supreme Court and stole over 
$80,000 in computer equipment. Meanwhile, he lied to SSA officials, in 
a statement for determining continuing eligibility for SSI, claiming 
that he was unemployed and continued to receive full SSI payments. Mr. 
Burns used the stolen SSN to secure a State of Wisconsin identity card, 
to open bank accounts and file fraudulent tax forms under the victim's 
name and SSN.
    On April 21, 1999, Waverly Burns was indicted for identity theft, 
SSN misuse, and making false statements to SSA and the Internal Revenue 
Service. On May 5, 1999, OIG Special Agents arrested Mr. Burns after 
tracking him to Chicago. Mr. Burns pled guilty to using the identity of 
another person to obtain employment, then using that employment to 
commit burglary. Mr. Burns was sentenced to 21 months in prison and 
ordered to pay over $62,000 in restitution directly to the Wisconsin 
Supreme Court.
    In the second case, our SSA/OIG special agents as part of the 
Delaware Financial Crimes task force, investigated Zaid Gbolahan Jinadu 
as he schemed to defraud several federally insured financial 
institutions. He solicited the assistance of bank employees to provide 
SSN's and other identifying data to open fraudulent credit card and 
bank accounts. These compromised employees also helped him to take over 
current accounts, make fraudulent wire transfers, receive cash advances 
and negotiate numerous checks. Mr. Jinadu was indicted by a Federal 
Grand Jury in the District of Delaware on October 26, 1999, on four 
counts-one count each of bank fraud; identity theft; fraud in 
connection with access devices; and misuse of SSN's. On December 20, 
1999, Mr. Jinadu and his co-defendants entered a guilty plea to one 
count of bank fraud and one count of identity theft. He is responsible 
for fraud losses of approximately $281,122. Total known losses to 
financial institutes by Mr. Jinadu and his cohorts during the past 4 
years exceeds $4 million.
    In our last case and perhaps one of the most egregious of identity 
theft crimes was one perpetrated against an elderly individual. Our 
Richmond Sub-office opened an investigation on Charles Fleming, a SSA 
disability beneficiary, who stole the identity of a 67-year old 
individual recovering from a stroke. He took personal documents from 
the victim's home and used them to obtain a State driver's license and 
SSN under the victim's name. Using these documents, he opened credit 
card and loan accounts and found work. He concealed this employment 
from SSA in order to continue receiving full disability benefits. Mr. 
Fleming pled guilty to identity theft and received a sentence of 12 
months and 1 day in a Federal penitentiary and 3 years of supervised 
release. The court ordered him to pay restitution to SSA of over 
$29,000 and to creditors of over $24,000. The victim is in the process 
of repairing his credit rating with the assistance of FTC.
    While it is apparent that our initial action plan has been 
successful, we have recognized that identity theft is on the increase 
and we need to expand our role. I believe the SSA-OIG should continue 
to lead the law enforcement community in the investigations of SSN 
misuse and identity theft to ensure the integrity of the SSN and SSA's 
programs. Because of this, I directed our Offices of Audit and 
Investigations to work together to define the most susceptible areas 
where SSN misuse and identity theft impact on SSA's programs. After 
completing this analysis, I focused our investigative resources on the 
following areas involving SSN misuse if:

          (1) there appears to be a failure of SSA's enumeration 
        business process or the wage and earnings reporting system, 
        since discrepancies in this vein can be indicative of SSN 
        misuse;
          (2) there is the suspicion or an allegation involving the 
        counterfeiting of SSN's;
          (3) there is concealment of work activity by false 
        identification, especially to obtain or maintain eligibility 
        for SSA benefits; and/or
          (4) there appears that a fake SSN is being used to maintain a 
        fictitious identity for the purpose of receiving other Federal 
        and State program benefit payments.

    The Office of Audit has also been instrumental in providing 
recommendations to the Agency that, when implemented, will strengthen 
the integrity and security of the enumeration function. Enumeration is 
the process by which SSA assigns original SSN's, issues replacement 
cards to individuals with existing SSN's, and verifies SSN's for 
employers and other Federal agencies. SSA issues about 16 million new 
and replacement cards annually. There are nearly 300 million active 
cards at this time.
    Over the past 3 years, members of Congress have asked the Inspector 
General community to identify the most significant management issues 
facing their agencies. In my most recent response I included identity 
theft. False identities are being used to defraud SSA.
    Unscrupulous individuals can assume the identity of another person 
who is either alive or dead and work under the stolen identity. 
Individuals have also assumed the identity of another person and placed 
their assets under this identity in order to qualify for SSI payments 
under their own SSN. I have shared this assessment with the Agency and 
recommended that they concentrate on the prevention rather than the 
detection of identity fraud. Because of this, I am also encouraging the 
Agency to include SSN fraud and misuse as a key initiative in their 
Strategic Plan.
    In addition, SSA's Deputy Commissioner for Finance, Assessment and 
Management and myself are co-chairs of the National Anti-Fraud 
Committee. We formed this Committee to facilitate an exchange of 
ideas--determining what problems we face and suggesting solutions. The 
Committee is comprised of 10 Regional Anti-Fraud Committees located 
throughout the country. In the past year, identity theft and SSN misuse 
has become a major focus for discussion and because of its importance, 
we have included it as an agenda item for the National Anti-Fraud 
Conference that will take place in September.
    Currently, there is proposed legislation before the Congress asking 
to extend civil monetary penalties to those committing crimes involving 
the misuse of a SSN, who are not being punished by the Federal courts. 
I urge you to endorse this legislation. There are other legislative 
remedies such as statutory law enforcement that will enable our 
investigative offices to process these cases more efficiently and I 
hope that you support this as well.
    I thank the Subcommittee for giving me this opportunity to inform 
you of our work in the identity theft arena. I pledge, with your 
support, to vigorously attack the problem of SSN misuse and identity 
theft before it becomes a national crisis. I would be more than happy 
to provide the Subcommittee with any additional information or to 
answer any questions that may arise from these Hearings.

    Senator Kyl. In addition, we will keep the record open for 
either questions or statements of Senators who could not be 
here. And as I say that, Senator Grassley also has arrived. So, 
Senator Grassley, thank you for being here.
    Let me read a brief opening statement and then I will call 
upon Senator Grassley and then hear from our first witness.
    One of my goals as chairman of this subcommittee has been 
to prevent criminals from using technology to prey on society. 
There are few clearer violations of personal privacy than 
actually having your identity stolen and then used to commit a 
crime. Criminals often use Social Security numbers and other 
personal information of law-abiding citizens to assume their 
identity and steal their money. It is high-tech theft.
    To combat this, I sponsored the Identity Theft and 
Assumption Deterrence Act, which is now Public Law 105-318, 
which prohibits the stealing of a person's identity. The aim of 
the Act is to protect consumers and safeguard people's privacy. 
The bill was prompted by Bob Hartle, of Phoenix, who approached 
me about the problems he had suffered at the hands of an 
identity thief.
    With overwhelming bipartisan support, the bill became law 
in October of 1998. Under the law, a conviction for identity 
theft carries a maximum penalty of 15 years' imprisonment, a 
fine, and forfeiture of any personal property used or intended 
to be used to commit the crime. The bill also provides that the 
Federal Trade Commission must assist people whose identities 
have been stolen.
    Violations of the Act are investigated by Federal law 
enforcement agencies, including the U.S. Secret Service, the 
FBI, the Postal Service, and the Social Security Administration 
Office of Inspector General. Federal identity theft cases are 
prosecuted by the U.S. Department of Justice.
    Under the law, the Federal Trade Commission collects 
complaints about identity theft from consumers who have been 
victimized. The Commission helps victims of identity theft by 
providing information to assist them in resolving the financial 
and other problems that can result from this crime.
    It has now been 16 months since the law was signed by the 
President. The Office of Inspector General of the Social 
Security Administration released a report in August of last 
year, 10 months after the bill was signed into law. According 
to this report, 81.5 percent of Social Security number misuse 
allegations relate to identity theft.
    The report reaches the following conclusion: identity theft 
affects many areas of our society. Private citizens have had 
their credit histories destroyed by individuals who steal and 
use their Social Security numbers to obtain credit. These 
individuals run up large credit debts and then move on without 
paying the debt. This type of behavior not only destroys the 
citizen's credit history, it adversely affects the national 
economy as creditors raise interest rates to cover the losses 
arising from this fraudulent activity. Identity theft can, 
therefore, as the report shows, have a devastating effect.
    One purpose of this hearing today is to survey the effect 
of Public Law 105-318. The new law, I would say, seems to be 
working quite well. For example, in February the law was used 
to charge two men suspected of being involved in terrorist 
activities targeting the United States.
    Additionally, according to statistics from the Department 
of Justice for fiscal year 1999, 1,147 cases were opened, 
involving 1,350 possible defendants, including 169 cases opened 
in the District of Arizona, my State, involving 178 possible 
defendants. Five hundred thirty-five cases were closed, with 
644 defendants being sentenced nationwide. Ten cases were 
closed in Arizona, with 13 defendants being sentenced. Of the 
644 defendants sentenced, 407 entered guilty pleas. In Arizona, 
of the 13 defendants sentenced, 10 entered guilty pleas.
    Today, the subcommittee will hear from three witnesses 
about the effect of the Identity Theft and Assumption 
Deterrence Act. Maureen Mitchell, from Madison, Ohio, is a 
victim of identity theft and will discuss her case for us.
    Gregory Regan is Special Agent in Charge of the Financial 
Crimes Division for the Secret Service, which is one of the 
primary Federal law enforcement agencies investigating identity 
theft.
    Finally, the subcommittee will hear from Jodie Bernstein, 
the Director of the Bureau of Consumer Protection of the 
Federal Trade Commission. She will discuss how the FTC has 
responded to identity theft in carrying out its duties under 
the 1998 law.
    In closing, I would like to thank Senator Feinstein for her 
support in helping the identity theft bill to become law. As 
always, I must say it is a pleasure to work with her on 
subcommittee initiatives that aim to ensure that the law keeps 
pace with technology. I also give my thanks to Senator Grassley 
and other members of the committee who have worked very closely 
with me in pursuing these particular kinds of issues.
    Before we hear from Ms. Mitchell, let me ask Senator 
Grassley if he would like to make an opening statement.

STATEMENT OF HON. CHARLES E. GRASSLEY, A U.S. SENATOR FROM THE 
                         STATE OF IOWA

    Senator Grassley. Thank you very much for holding this 
hearing, following up on the effectiveness of the identity 
theft law that you were so instrumental in getting passed 
within the last couple of years. I think the hearing shows a 
recognition of the fact that it has become a very serious 
problem and we may need to do more about it.
    I think you have adequately described what the problem is. 
I am here today to make sure that the laws adequately protect 
the victims and that the criminals get the punishment they 
deserve. If there are any changes that need to be made to make 
this law better, I am ready to work with you on doing that.
    I am very concerned about how the Internet can facilitate 
this crime. While a lot of this information has been available 
through other sources for a long time, the Internet and other 
interactive computer services make collecting personal 
information extremely simple. It is kind of like one-stop 
shopping.
    Through government and corporate resources readily 
available on the Internet, an identity thief or stalker can 
collect information necessary to find his or her victim. This 
poses a real threat to all of us, but especially I am 
concerned--and this comes from my work as chairman of the Aging 
Committee--about the impact upon the elderly. So while the 
Internet has brought about incredible changes for the better, 
the legal system needs to be there to adequately safeguard the 
confidentiality of individuals' personal records.
    I am also concerned about the fact that personal 
information is being marketed without the knowledge of the 
persons affected. I have expressed my concern on a number of 
occasions about cookies and other devices that collect 
information about unsuspecting individuals using Web sites. And 
I have been particularly concerned about the ease with which a 
person's Social Security number can be utilized in stealing 
identity.
    In the last Congress, Senator Feinstein and I introduced 
legislation to prohibit the commercial use of Social Security 
numbers and to restrict their use by State departments of motor 
vehicles, especially for commercial use. This bill would have 
gone to the source to stop the dissemination of Social Security 
numbers which criminals use all to easily to steal people's 
identities. Unfortunately, we are now playing catch-up because 
technology advances so rapidly. But this is such a problem, I 
want to reintroduce this legislation to protect our 
constituents.
    Chairman Kyl, I hope that we can explore these difficult 
policy issues here in this subcommittee through this hearing 
and other meetings, and I want to work with you on any 
necessary changes or enhancements of the identity theft law. 
This is not a victimless crime and it should not be treated as 
such.
    Senator Kyl. Thank you very much, Senator Grassley, and you 
are absolutely right. We are taking a survey of the situation 
today to see whether there are changes that need to be made, to 
see how well the law is working. And as you also pointed out, 
as technology evolves, we are going to have to constantly keep 
tracking it and keep up to date because it can obviate the work 
that we do in this committee pretty fast if we don't continue 
to monitor it.
    Well, our first witness today is an actual victim of 
identity theft, and I thought it would be interesting to have 
you basically hear her case, her situation, to see how this 
crime can occur, how devastating it can be, and what can be 
done about it.
    Ms. Maureen Mitchell is a registered nurse and a licensed 
realtor. She lives in Madison, OH, with her husband, Raymond 
Mitchell. They have two children. She and her husband are 
victims of identity theft resulting in fraud in excess of 
$110,000.
    Ms. Mitchell, it is a pleasure to have you with us here 
today.

 STATEMENT OF MAUREEN MITCHELL, REGISTERED NURSE AND LICENSED 
                      REALTOR, MADISON, OH

    Ms. Mitchell. Thank you, Senator Kyl. It is a pleasure to 
be here.
    My husband and I have been married for 23 years. We have 
always been financially prudent and fiscally responsible 
people. We have never paid a debt late in our lives. We use 
credit conservatively and wisely. We have a daughter in college 
and a son in high school. We have always taken the normal 
consumer protections to try and keep our private information 
private. We do not throw out pre-approved solicitations intact, 
we do not bank on the Internet, we don't order via the 
Internet. We don't order merchandise through home shopping 
networks. When we do use our credit card, we are conscientious 
and always obtain a receipt.
    In spite of all these precautions, we found ourselves 
getting a phone call from our KeyBank Mastercard service 
provider in September alerting us to an unusual pattern of 
activity on our credit report that, based on our consumer 
profile, caused them some concern.
    It turns out there were a few thousand dollars' worth of 
mail order charges placed on our Mastercard. We had never lost 
our wallets, we never lost our credit cards, we had never been 
burglarized. Yet, our account number was compromised. KeyBank 
notified us. They closed our account. They reported the card 
lost or stolen, which we objected to because that is not what 
happened. They issued us new credit cards, and we thought that 
would be the end of it.
    We asked if there was anything else that we needed to do 
and we were told no. I asked about making out a police report 
and I was told that it was optional. I did make out a police 
report on September 12 and reported the fraudulent use of our 
credit card number. Two months later, on November 15, we 
received a phone call from J.C. Penney informing us that 
someone had used my husband's name and Social Security number 
to open an account at a Penney's store in Schaumburg, IL. We 
reside in Ohio.
    Penney's suggested that we call and place consumer alerts 
and fraud alerts on our credit reports with Trans Union, 
Experian and Equifax, which we did, and Penney's kindly 
provided us with those phone numbers. When I called Trans 
Union, I was dismayed to learn that there had been 25 inquiries 
into our credit in a 60-day period. There hadn't been 25 
inquiries into our credit in the entire 23 years that we had 
been married, and I asked Trans Union did that not send up red 
flags to them. The response I got was that it was not their job 
to monitor the number of inquiries. They did kindly give me the 
names and phone numbers of those 25 merchants.
    I then called Experian and found out that there had been 
six changes of address filed in that 2-month period of time. We 
have resided at the same residence for 20 years. Yet, six 
addresses now appeared on our Experian credit report. I spent 
the next few days frantically trying to call the merchants who 
had made inquiries into our credit report to alert them that we 
were not the applicants and to beg them not to extend credit in 
our name.
    I encountered automated answering system hell in trying to 
notify these merchants. I was never offered the option of 
pretending I had a rotary phone to speak to a human being, was 
never offered the option of pressing an extension to report 
fraud, was frequently asked to enter an account number, and I 
didn't have an account number because we are not the ones who 
opened the account. It was an effort in frustration and 
futility, but I did persist.
    Three days after we placed fraud alerts on our consumer 
credit reports, we received three very alarming phone calls in 
a 2-hour period of time. One was from Citibank, one was from 
BankOne, and one was from Marquette Bank. Forty-five thousand 
dollars of fraudulent loan applications had been made in a 2-
hour period at three different lenders in close geographic 
proximity to each other in the greater Chicago area using my 
husband's name and Social Security number.
    BankOne faxed us an affidavit. We signed it, we had it 
witnessed, we faxed it back. The Lansing, IL, detectives 
apprehended a suspect as he left BankOne with the $15,000 he 
had obtained fraudulently. This suspect was found to have an 
Illinois driver's license and an Illinois State identification 
card with his own picture on it, but my husband's name, my 
husband's Social Security number, my husband's vital 
statistics. This suspect said to the detectives as he was 
arrested, I did not use a gun, I did not use a knife, call my 
lawyer, I will plead guilty and they will put me on probation.
    The detectives ran the suspect's fingerprints and he was 
found to have 17 aliases and multiple priors. Yet, 2 days 
later, Judge Thomas Panicki, in Cook County, IL, released this 
suspect on his own recognizance on a signature bond. We were 
appalled. These criminals know that if they use a weapon to 
commit bank robbery, they will do mandatory jail time. 
Technology has now become their weapon, but it is not the 
typical gun and knife, and they are counting on being put on 
probation instead of incarceration.
    When this criminal was apprehended, it was only the tip of 
the iceberg of the information of the damages that were done 
fraudulently that was available. We have subsequently learned 
that a Lincoln Navigator was purchased using our credit. A Ford 
Expedition was purchased using our credit. Service Merchandise 
accounts were set up. Household bank accounts were set up. They 
are living large using our names and credit.
    The scales of justice here seem to be tipped in the wrong 
direction. This criminal is assumed innocent until proven 
guilty. Yet, the victim of identity theft is assumed guilty 
until proven innocent. We have had to prove our innocence over 
and over again to 30 different merchants, 30 different ways. 
This criminal is given a public defender to protect his legal 
rights. Yet, if we need to hire an attorney to clean up this 
mess and protect our rights, we are paying substantial legal 
fees out-of-pocket.
    It has come to light subsequently that the person who 
purchased the Ford Expedition is not the same person who was 
apprehended as he left the bank. This is an identity theft ring 
that is operating in an insidious manner. The detectives who 
apprehended this suspect are limited by their geographic 
boundaries to the community in which they work for their 
investigation. Yet, similar crimes are being committed in 
surrounding communities, but the detectives are limited; they 
can't investigate those crimes.
    We have begged, pleaded, cajoled. We have submitted 
notarized statements. We have over 100 pages of documentation 
on this. I have met with our Congressman, Steve LaTourette. He 
put me in touch with the FBI. I have met with the FBI. It was 
only through the intervention of Senator Kyl's office that we 
were actually able to obtain the Secret Service as the 
investigative authority in this case.
    As victims, we have found it to be a nightmare on filing 
out the forms and affidavits that are required by the 
individual merchants to prove our innocence. I strongly urge 
that there be a uniform protocol established for victims to 
fill out one set of forms and one set of documents.
    We were very fortunate early on in making our phone calls 
that I had contacted the Ohio Attorney General's office and 
they steered us to contact the Federal Trade Commission. The 
Federal Trade Commission advised us that we needed to contact 
the Social Security Administration, the Department of Motor 
Vehicles, the Internal Revenue Service, possibly our employers, 
and all of the other avenues where your Social Security number 
is your identifying number. Kathleen Lund, of the Federal Trade 
Commission, provided us with good information, and also moral 
support at a very difficult time.
    It is almost indescribable to try and put into words what 
it feels like to be a victim of identity theft. It has a huge 
impact. We were told by the detectives in Illinois that we 
needed to keep fraud alerts on for the rest of our lives 
because the criminals know when the fraud alerts expire and our 
information will be recirculated again. So the next time my 
husband and I go to apply for a loan, whether it be for a 
vehicle or to put our other child through college, we will have 
to explain this story to the merchant, hope they believe us, 
and hope that they don't perceive us to be the criminals.
    Prior to the Identity Theft Act going into effect, we 
wouldn't have even had a legal standing as victims here. We 
wouldn't have been considered true victims. We are indeed 
victims, but we are all victims because we are all paying for 
this in the higher cost of consumer goods and the higher cost 
of interest rates. The attempts on our credit exceeded 
$150,000. The actual amounts obtained are $111,00, and they may 
still be climbing. There may be information that we do not know 
as of yet.
    The criminals need to be held accountable. Technology needs 
to be considered as a weapon, as serious a weapon as a gun or a 
knife. We were thrown into a financial quagmire through no 
carelessness on our part. We don't know how they obtained our 
information, and all of us are vulnerable. People need to know 
that the Federal Trade Commission is the national clearinghouse 
on identity theft. They need to know that they are entitled to 
Federal investigation for these crimes, and that as victims we 
have rights to try and protect ourselves and assist in the 
prosecution of criminals.
    I included in my statement a list of 15 recommendations for 
your review. I thank you for your time. I appreciate this 
opportunity, and I hope you all never walk in the shoes of an 
identity theft victim.
    Senator Kyl. Thank you very much, Ms. Mitchell. I think 
that brings alive the nature of the problem that is faced here 
and makes it clear why we have to ensure that our law works.
    One of the things you did was to provide 15 specific 
recommendations for us. Let me begin by asking what more you 
think the FTC could or should be doing in a situation like 
this. In other words, did our attempt to provide a 
clearinghouse activity with the FTC work? Could it work better? 
What would you recommend in that regard?
    Ms. Mitchell. I found that the information that we received 
from the FTC was very valuable and very important for us. There 
were things that we would not have thought of, bureaus to 
notify, the Social Security Administration, the Internal 
Revenue Service. We were so focused on trying to notify the 
merchants to prevent further financial damage that we may have 
indeed overlooked those other things.
    I strongly urge that there be a uniform protocol for 
victims, one set of documents once it is established that you 
truly are a victim of identity theft. We have had to submit 
handwriting samples to 20 different merchants. We have had to 
submit notarized statements and affidavits. It is like filling 
out your income tax returns 20 different times with 20 
different sets of instructions. A uniform protocol for victims 
to follow, I think, would make--it is not easy to walk in these 
shoes. Whatever we can do to make it easier would be 
appreciated.
    Senator Kyl. That is an excellent suggestion and we will 
pursue that with our later witnesses.
    You also note that the police departments and local law 
enforcement agencies need to know more about the Federal law so 
that they will understand how it works and how they can take 
advantage of it. I think that is a good idea and we are going 
to have to try to figure out some ways to make sure that that 
information gets out.
    Is there anything else, one of the specific recommendations 
that you would like to bring not only to our attention but to 
the attention of the public at large here?
    Ms. Mitchell. I think the credit reporting agencies and the 
merchants who were defrauded of merchandise have an onus of 
responsibility here. KeyBank alerted us to an unusual pattern 
of activity on our credit report based on a consumer profile 
that has been developed about us for the last 20 years that we 
have been their customers. Trans Union, Experian and Equifax 
also have consumer profiles about us for our entire adult 
lives.
    We hadn't moved in 20 years. Why would they assume that 
moving 6 times in 2 months was not something to be alarmed 
about? We had never over-extended ourselves with credit. Yet, 
there were 25 inquiries in 2 months that didn't send up red 
flags to them. I think they are the first line of defense.
    It is already too late to safeguard the Social Security 
numbers; they are out there. We live in a State where our 
Social Security number up until recently appeared on our 
driver's license through no choice of ours. We had to have it 
that way. I think the credit reporting agencies can be a good 
first line of defense for the consumers. We did take 
precautions ourselves and they were not enough, and the credit 
reporting agencies are the ones--the accuracy of the 
information on your credit reports is very important. The 
merchants use that and perceive it as gospel because it came 
from the credit reporting agency. Yet, there doesn't seem to be 
a system of verification of that information prior to it being 
entered on your credit report. That needs to be remedied.
    And I also can tell you that in the example of them buying 
a Ford Expedition, there were four glaringly obvious errors on 
that application. Our name was misspelled. There were two co-
buyers who said they resided together. Yet, one used an address 
of North Grand and one used an address of West Grand on this 
application. They purchased the 60,000-mile extended warranty 
at the cost of $695. When that figure was transposed over to 
the debit column, it was transposed over as $1,695. I don't 
know how the merchants and lenders missed this.
    They also put down the area code to verify their place of 
employment as 300. That area code does not exist in the 
continental United States. Yet, this loan was approved, and it 
was a $40,000 vehicle. The credit reporting agencies need to 
use due diligence and the merchants need to use due diligence.
    Senator Kyl. Thank you.
    Senator Grassley.
    Senator Grassley. I have three short questions. After all 
you have been through--and by the way, I have a staff person 
whose sister and parents were victims, whether to the extent 
you were, I don't know, but they were victims of stolen 
identity.
    After all is said and done, did you ever find out how the 
criminals got your information?
    Ms. Mitchell. No, we haven't. Unfortunately, Senator, we 
are not all said and done yet. The case has not come to trial. 
We do not know how they obtained our identity. We do not 
believe it was through any carelessness on our part. And we 
would like to know how it was accomplished, but right now we do 
not know.
    Senator Grassley. Is this something that the police can't 
tell you or won't tell you? Is it some big secret?
    Ms. Mitchell. I don't believe the police departments know 
at this point how these people got this information about us. 
We reside in one State; the criminals and the criminal activity 
is taking place in another State.
    Senator Grassley. Now, you spoke about a central location 
you ought to be able to go to and have one form or one way of 
filling out a document indicating that you have been defrauded 
and to get the information out. I am aware of some companies 
that provide a centralized service where consumers can register 
their credit cards and make only one call if the cards are lost 
or stolen.
    Do you happen to know if these companies provide any 
assistance with regard to identity fraud?
    Ms. Mitchell. I don't know that, Senator. I know I 
encountered numerous merchants with numerous automated 
answering systems that never offered us the option of reporting 
fraud by pressing a button. I don't know about the consumer 
credit card companies. We only had one credit card number 
compromised. The remainder of what happened to us is that the 
criminals assumed our identity. It is not that they accessed 
our accounts. They posed as us.
    Senator Grassley. Will the credit bureaus include the fact 
that your identity was stolen on the face of the credit report, 
as well as reference police reports and the FTC reference 
number?
    Ms. Mitchell. I am glad you brought that up, Senator. Since 
we have placed the fraud alerts on our credit reports, we have 
received updated credit reports periodically, almost monthly. 
The fraud alerts on our consumer credit reports appear on the 
back page of the credit report, in the same size type as the 
rest of the information.
    In my recommendations, I put down that I strongly believe 
that the fraud alert should appear on the front page of the 
credit report, in bold-face type, to reduce the possibility of 
it being overlooked. Consumer credit reports can contain eight, 
nine pages of information of a 25-year credit history. Putting 
the fraud alerts on the last page maximizes the opportunity of 
it being overlooked. Placing it in bold-face print on the front 
page minimizes it from being overlooked.
    Senator Grassley. So in other words, it is helpful, but it 
could be a lot more helpful?
    Ms. Mitchell. Yes, it can.
    Senator Grassley. Thank you, Mr. Chairman. Thank you.
    Ms. Mitchell. Thank you, Senator.
    Senator Kyl. We are talking about your recommendations up 
here.
    Ms. Mitchell. OK.
    Senator Kyl. So I think having you present not only the 
story of what happened to you and how, but also the kinds of 
problems you have encountered and your specific recommendations 
on how to deal with it has been very, very helpful. I would 
like to thank you especially for that, as well as taking the 
time to come here today and to be with us to present this 
testimony.
    We will take your testimony very seriously, and especially 
your recommendations, and I think it would be good if we could 
remain in touch with you and find out what happens not only to 
your case, but also to track how long it takes finally for you 
to be free of this problem, because it undoubtedly will suggest 
other things that we can do so that at least people who come 
later aren't going to be troubled to the same extent that you 
and your husband have been.
    Ms. Mitchell. Receiving the phone calls from the collection 
specialists was heart-breaking at first. Now, it is almost 
becoming somewhat of a challenge because as they call us and 
ask us why we have failed to make the payment for our Lincoln 
Navigator, we tell them the story that we didn't buy the 
Lincoln Navigator. And then I always end my conversation with 
them--I cite the Federal Trade Commission's reference number 
and the police department's, et cetera. I now am able to tell 
them through your office, appreciatively, that the Secret 
Service has now taken this case.
    And I close my remarks with the collection specialists by 
saying it is ironic that you can now find the real Mr. and Mrs. 
Mitchell when you want your money; too bad you didn't find the 
real Mr. and Mrs. Mitchell before you loaned out the money.
    Senator Kyl. Good point, good point.
    Senator Grassley, anything further?
    Senator Grassley. No.
    Senator Kyl. I really appreciate your testimony today. This 
has been very, very helpful, and we will stay in touch with 
you. Thank you.
    Ms. Mitchell. Thank you, Senator.
    [The prepared statement of Ms. Mitchell follows:]

                 Prepared Statement of Maureen Mitchell

    Mr. Chairman, Members of the Committee, my name is Maureen Mitchell 
and it is a privilege to have been invited to submit this testimony 
today.
    I am 44 years old, my husband and I have been married for 23 years, 
we have a daughter in college and a son in high school. I am a 
Registered Nurse, and I have been a licensed Realtor for 20 years.
    My husband and I have always been financially prudent and fiscally 
responsible people. We have never overextended ourselves, and we have 
always paid our bills in a timely manner. We also have exercised the 
normal consumer precautions to ensure our privileged information 
remains private. We have never lost our wallets, never been 
burglarized, we obtain the receipts when we make credit card purchases, 
we don't bank on the Internet, we don't order merchandise via the 
Internet, we don't order through home shopping networks, we rarely 
order from catalogs, and we always tear up the pre-approved 
solicitations that arrive in the mail prior to disposing of them to 
prevent someone from ``dumpster diving'' and obtaining our information. 
We have never given our personal account numbers or social security 
numbers over the phone. We even checked our credit reports in March of 
1999 to ensure their accuracy. In spite of all the precautions we have 
taken, we are now victims of identity theft.
    It started on a Sunday afternoon, September 12, 1999, when we 
received a phone call from our KeyBank Mastercard Service Center 
questioning an unusual pattern of activity on our credit card. After 
much discussion with the Service Center representative, it was verified 
that neither my husband nor I had authorized or made the charges to the 
account. I was told our credit card would be canceled, it would be 
reported lost or stolen, and new cards would be issued. I objected to 
the cards being reported lost or stolen because they were not: my 
husband had his card in his wallet and I had mine in my wallet. 
Nonetheless, I was told the cards had to be reported lost or stolen to 
close the account (I subsequently learned that we could have insisted 
that the account be closed at the request of the consumer due to 
fraudulent use).
    I was also told by the Service Center Representative to contact 
KeyBank Special Services when they opened for business on Monday 
morning. I called KeyBank Special Services at 8:15 A.M. Monday morning 
and was told that four attempts were made to place charges on our 
account, three were approved and the fourth was declined because the 
bank became suspicious due to the unusual level of activity on our 
credit card. KeyBank was able to determine the charges were made via a 
phone order, not by someone actually having our credit card. The amount 
obtained fraudulently was $2,164.55. I then went to our local KeyBank, 
branch office (where we've banked for twenty years) to inform them 
about the phone call from the Service Center, to verify the account was 
closed and to inquire if there was anything else I needed to do. I was 
told that there was nothing else I needed to do: the merchant slips 
would take a week to come into the bank, and the bank would look into 
it. I asked if I should make out a police report and was told that it 
was an option but not really necessary. The bank would issue us new 
credit cards with a different account number, the fraudulent charges 
would never appear on our billing statement, and our new cards would 
arrive in two weeks. I did, however, file a police report with our 
local police department to report the fraudulent use of our KeyBank 
Mastercard number. If KeyBank would have advised us, at this point, to 
place Fraud Alerts on our credit reports, the following events would 
not have occurred.
    On November 15, 1999 we received a phone call from J.C. Penney's 
credit department advising us that an account had been opened in 
Illinois using my husband's name and social security number. A line of 
credit had been extended in my husband's name, the persons making the 
application said they were our niece and nephew and were authorized 
users. When J.C. Penney's sent the bill to the address given on the 
application, it was returned by the post office because ``no such house 
number existed.'' The returned billing statement was what prompted J.C. 
Penney's to call us. We were advised by J.C. Penney's to immediately 
contact the three major credit reporting bureaus to place fraud alerts 
on our credit reports, and Penney's kindly gave me the phone numbers to 
contact. Upon contacting Trans Union, Experian and Equifax, we 
discovered that we had been plunged into Identity Theft Hell!
    In speaking to Trans Union, I discovered there had been 25 
inquiries into our credit report in the previous 60 days (from 
September 16 through November 15). None of those inquiries were 
initiated by us legitimately seeking credit. I told the representative 
at Trans Union that there had not been that many inquiries in the 
previous twenty years, and questioned whether that many inquiries in 
such a short time sent up ``red flags'' to Trans Union. The reply I 
received was that it was not their job to monitor the number of 
inquiries, and it was suggested that I call all the merchants who made 
the inquiries to alert them. Trans Union did provide me with the names 
and phone numbers of the merchants to contact. The list was extensive 
and included numerous car dealerships, banks, credit card companies, 
furniture stores, department stores, and communication service 
providers. Trans Union did place Fraud Alerts on our credit reports at 
this time.
    I also called Experian and Equifax to place Fraud Alerts on our 
credit reports, and learned that they too showed numerous inquiries 
into our credit during the same 60 day period. I requested that each 
credit reporting agency send me a copy of our credit reports, and I 
spent the next three days frantically making phone calls to the 
merchants who had made inquiries.
    I now entered automated answering system hell! As I called each 
merchant using the numbers provided by the credit reporting bureaus, I 
would be connected to an automated answering system, ``Press one for 
English, press two for Spanish, press three to increase your credit 
limit, press four to check your account balance, press five to see when 
the last payment was posted to your account, press 6 * * *'' I rarely 
encountered an option to speak to a human being. I never was given the 
option of pressing a number to report fraud, but I universally 
encountered the request to enter an account number (keep in mind I 
didn't have an account number because we were not the ones who opened 
the account); nonetheless I persisted through automation hell, never 
giving up hope that a ``live person'' would eventually come on the 
line. As the automated system requested I enter an account number, I 
waited; as the request was repeated, I waited; when I was unable to 
enter an account number instead of being transferred to a human being, 
I was disconnected! I then called back, went through additional 
automated answering system hell, and when I heard enter your account 
number I randomly entered 01010101010101 * * * hoping that I would 
eventually enter the required number of digits to speak to a human 
being. Instead a recording came on saying ``the numbers entered do not 
match an account of record, please re-enter your account number.'' I 
re-entered the numbers only to find that I was disconnected again 
because ``the account numbers do not match our accounts of record.'' I 
endured this frustration while trying to reach numerous merchants to 
alert them that a fraudulent application had been made using our name. 
This frustration of automation needs to be remedied. I strongly suggest 
that merchants be required to provide an option on their automated 
system to press a number to report fraud, and that the victim can speak 
to a human being!
    I also contacted our local police department who sent an officer 
over to take our statement and file a police report. The officer 
instructed me to fill out the police report as accurately and as 
thoroughly possible. I also contacted the Federal Trade Commission's 
Identity Theft Hotline and spoke to Kathleen Lund (877-438-4338). 
Kathleen confirmed that we were indeed victims of identity theft based 
on the facts that I gave her. She informed me of Title 18 (Identity 
Theft and Deterrence Act), and told me that Identity Theft was a 
Federal Offense. Kathleen told me to continue to write the police 
report I was working on and to continue to try to call the merchants 
who made inquiries. She assigned a reference number to our case and 
gave me the phone number for the Federal Information Center (800-688-
9889) to contact to see if they had merchant numbers other than the 
ones I had to try to circumvent the automated answering system hell I 
was encountering. It truly was a relief to speak to a live human being 
who was able to provide some guidance and encouragement during this 
very stressful time. Kathleen advised me to call the Social Security 
Administration, the Internal Revenue Service, the Department of Motor 
Vehicles in our home state and in Illinois, and the State's Attorney 
General's Office in our home state and in Illinois, to report that 
someone was using our credit and my husband's social security number 
fraudulently. Kathleen also asked me to keep her informed of any 
further fraudulent activity. I called the Federal Information Center 
and obtained the phone numbers I needed and then I made the necessary 
phone calls. I then continued on my mission of calling the merchants to 
alert them that the applications were made fraudulently.
    While I was again enduring the frustration of automation, I 
received three very alarming phone calls. The date was now November 18 
(three days after we placed the fraud alerts on our credit reports), 
and the first call was from Citibank in Illinois alerting us that an 
application for a twenty-five thousand dollar ($25,000.00) loan had 
just been made using my husband's name and social security number. The 
application had been made in person by an individual posing as my 
husband. The loan officer informed me that all of the pertinent 
information had been verified, legitimate looking identification had 
been presented and everything seemed fine until the Fraud Alerts on our 
credit report were activated. I explained to the fraud department at 
Citibank that we had placed the fraud alerts three days prior, when we 
became aware we were victims of Identity Theft. Citibank's Fraud 
Department said they were going to contact their Security Department, 
check to see if the suspect was on their security camera and get back 
to me.
    While waiting to hear back from Citibank, I received another phone 
call. It was a fraud investigator from Bank One (Thomas Retkowski) 
informing me that an application for a fifteen thousand dollar loan 
($15,000.00) had just been made in Illinois. I informed Thomas of the 
prior call from Citibank, and we discussed setting something up so the 
fraudulent applicants would return to the bank to pick up the money. 
Thomas faxed us an affidavit to sign and have witnessed. While we were 
in the process of faxing the affidavit back, another call came in. 
Marquette Bank in Illinois had just accepted an application from 
someone using my husband's name and social security number. This was 
for a five thousand ($5,000.00) personal loan. I told this fraud 
investigator about the other two applications and the affidavit we were 
faxing to Bank One. These three fraudulent applications were made 
within a two hour period (3:00-5:00 P.M. EST) and they totaled forty-
five thousand dollars ($45,000.00).
    After we faxed the affidavit back to Thomas Retkowski at Bank One, 
I continued to work on the police report. At 8:00 P.M. we received a 
phone call from an Illinois detective informing us that a suspect had 
been arrested as he left Bank One. The suspect had five thousand 
dollars ($5,000.00) cash and two-five thousand dollar bank checks 
($10,000.00) made payable to my husband's name. The money was recovered 
when the suspect was arrested. The suspect was also found to have an 
Illinois driver's license and an Illinois State Identification Card 
with his own picture on it, but my husband's name and social security 
number.
    I called the Federal Trade Commission the following day and told 
Kathleen Lund that a suspect had been apprehended in Illinois. I gave 
her the detectives' names and the case number for her records. I 
continued to type our police report, and I continued to try to notify 
the merchants listed on the credit reports. In our mail on November 19, 
1999, was a letter from PrimeCo, a cellular communication company, 
notifying us that a cell phone account had been established in Illinois 
using my husband's name and social security number. I called PrimeCo, 
at the number they provided in the letter, to let them know that we had 
not established the account. PrimeCo's fraud department immediately 
canceled the service to the cell phone, offered to provide the 
detectives with a copy of the application made to open the account, and 
said the detectives could obtain ALL of the outgoing numbers that were 
called from the fraudulent cell phone. The detectives needed to submit 
this request in writing on police letterhead stationary. I called the 
detectives to give them this information, and I was told they ran the 
fingerprints of the suspect who had been arrested the previous day. 
This suspect had 17 aliases and multiple priors. A preliminary hearing 
was set for November 20, 1999, and the detective said he would let me 
know what happened at the hearing.
    I continued to make phone calls to try to resolve this nightmare 
when I learned that the suspect was released on a signature bond at the 
preliminary hearing. Words can't even begin to describe the horror I 
felt knowing that a suspect with seventeen aliases, multiple priors and 
an extensive criminal background was released on a signature bond in 
his own recognizance. The hearing was in Cook County, Illinois and the 
Judge was Thomas Panicki. I was also told that when this suspect was 
arrested he had stated to the detectives: ``I didn't use a gun, I 
didn't use a knife, call my lawyer I will plead guilty and they will 
put me on probation''. It was appalling for me to realize the criminals 
commit these crimes with a premeditated methodology that accomplishes 
their criminal intent with the least possible risk for the criminal, if 
apprehended, serving jail time. The criminals are still committing bank 
robbery, fraud, identity theft, forgery and a litany of other criminal 
acts, but because a traditional weapon was not used they face probation 
instead of incarceration. These criminals are using weapons 
nonetheless, their weapon is technology. It was technology that 
provided these criminals with our personal information, it was 
technology that produced the fraudulent documents used to obtain the 
Illinois drivers license and State Identification Card. It was 
technology used with criminal intent that thrust us into the nightmare 
of identity theft. It was technology that provided these criminals with 
my husbands previous employment information and employers address which 
were then used on fraudulent applications. This same technology, 
properly implemented and with appropriate safeguards, can be utilized 
to circumvent the criminals' fraudulent intentions.
    It was the consumer profile of our spending habits established by 
the prior pattern of activity on our KeyBank Mastercard that prompted 
KeyBank to call us about the ``unusual level of activity on our credit 
card.'' This same consumer profile technology can also be used by the 
credit reporting agencies to recognize an ``unusual pattern of 
activity''. Our credit reports, as a result of fraudulent activity, 
contained 30 inquiries in 60 days, yet our consumer profile showed 
fewer than 30 inquiries in 20 years. Our consumer profile showed we had 
resided at the same address for 20 years, yet the addresses listed on 
our credit reports, as a result of fraudulent applications, changed six 
times in 2 months. It is imperative that a system of ``checks and 
balances'' be implemented and adhered with by the credit reporting 
agencies.
    As our Identity Theft saga continued we requested and received, 
from some cooperative merchants, copies of the applications that were 
made fraudulently. These applications contained numerous blatant errors 
that should have alerted the merchants and the banks that something was 
amiss. One example is an application that was made to purchase a Ford 
Expedition. This vehicle was purchased using my husband's name along 
with the name of a co-buyer. These two men presented themselves to the 
car dealership as residing together, yet on the application one man 
filled out the address as N. Grand and the other put W. Grand. On this 
same application the employer's phone number is listed with an area 
code of 300, this area code is not a valid area code in the continental 
United States. Our last name was misspelled on the application and on 
the fax from the lender approving the loan. On this same application 
the 60 month 60,000 mile extended warranty was purchased showing a cost 
of $695.00 on the application. When this figure was carried over to the 
debit column to determine the amount of credit to be extended it was 
entered as $1,695.00. In spite of these GLARING discrepancies this loan 
was approved and these two men purchased a Ford Expedition using our 
credit. If this was transaction was processed using due diligence and 
an iota of common sense these blatant discrepancies would have been 
caught. The possibility does exist that these criminals made the 
purchase through a car salesman, car dealership and lender that were 
co-conspirators, but I think that is a remote possibility. I do firmly 
believe that sloppy business practices substantially contribute to the 
criminal's ability to successfully defraud merchants and lenders. It 
was due diligence that was exercised by a salesperson in an Illinois 
furniture store that prevented the extension of credit to purchase 
furniture. The salesperson realized that ``something wasn't right'' 
after scrutinizing the credit application. Credit was not extended by 
the furniture store and the criminal was thwarted in this fraudulent 
attempt. I think this is a good example of how good business practices 
will diminish fraud.
    We also were able to determine from pictures we received from the 
car merchants that the criminals who purchased the vehicles were not 
the same persons as the suspect who was apprehended leaving BankOne. We 
have been victimized by an Identity Theft ring which operates in an 
organized and insidious manner. The detectives told us that the 
criminals know when the fraud alerts on our credit reports will expire 
and if we fail to reactivate the fraud alerts our information will be 
re-circulated through the ring again. We will have to keep fraud alerts 
on our credit reports for the rest of our lives. So, in the future, 
when my husband and I apply for any credit we will have to explain this 
nightmare to the lender, hope they believe us and don't perceive us as 
the criminals.
    Our efforts to restore our good names and good credit have been 
extensive. I have made hundreds of phone calls, I've met with our 
Congressman (Steve LaTourette), I've sent dozens of notarized, 
certified, return receipt requested letters to the merchants informing 
them that the applications they received were fraudulent. We have 
submitted numerous affidavits, notarized statements, and notarized 
handwriting samples. We have filled out over twenty different sets of 
forms and statements in order to comply with the merchants requests for 
further information. It's like filling out your income tax return 
twenty different times, using twenty different forms, and following 
twenty different sets of instructions. I strongly suggest that a 
standardized, uniform protocol be established so a victim of Identity 
Theft can fill out one set of papers which should include a notarized 
affidavit, a notarized handwriting sample, and a notarized statement 
that will be universally accepted by the merchants and lenders.
    A sad irony exists with Identity Theft: The criminal is assumed 
innocent until proven guilty, but the Identity Theft victim is assumed 
guilty until proven innocent. The criminal can have a public defender 
appointed to protect his legal rights, yet if we need to hire an 
attorney to assist in clearing our names we will be paying substantial 
legal fees out of pocket.
    We have exhausted all known resources in an effort to clear our 
names and restore our credit. I've met with numerous police officers, 
I've met with FBI Agents, I've met with a Victim's Assistance Program 
in our home state, and I've contacted a Victim Advocacy Program in 
Illinois. I've spoken to prosecuting attorneys, and sent packages of 
information to State's Attorneys. I was told by an assistant state 
prosecutor in Illinois: ``No one in the state of Illinois serves jail 
time for non-violent financial crimes.'' This prosecutor was not even 
aware that Illinois has an Identity Theft Statute in the Revised Code. 
I've begged, pleaded and cajoled to try and obtain a Federal 
Investigator and a United States' Attorney to take our case. Identity 
Theft cases encompass numerous geographic areas and requires a Federal 
investigator and Federal prosecution. The detectives in the community 
where the suspect was apprehended are limited to investigating crimes 
within their geographic boundary, yet the same criminal is committing 
the same crime a few towns away. It was suggested that I submit police 
reports in each community where a merchant was defrauded, not an easy 
task from 350 miles away.
    In spite of the efforts of my husband and myself to acquire Federal 
intervention into our case, it was the actions of Senator Jon Kyl and 
James McDermond of his staff, that resulted in the United States Secret 
Service and Postal Inspection Service initiating a Federal 
investigation.
    I have logged over 400 hours of time trying to clear our names and 
restore our good credit. Words are unable to adequately express the 
gamut of emotions that we have experienced as victims. The impact of 
being a victim of Identity Theft is all encompassing. It affects you 
physically, emotionally, psychologically, spiritually and financially. 
This has truly been a life altering experience.
    In spite of the extensive time and effort we have logged in trying 
to resolve this, we now have adverse ratings on our credit reports. We 
are also receiving phone calls from collection specialists wanting to 
know why we are overdue on the payments for our Lincoln Navigator and 
our Ford Expedition. I try to nicely explain to these collection 
specialists that we are victims of Identity Theft and we did not 
purchase these vehicles. I then provide them with the name and phone 
number of the detective, the case number and the reference number 
assigned by the Federal Trade Commission. I strongly suggest they not 
call me back unless they provide whatever information they may have to 
assist in the investigation. I always end my conversation with the 
collection specialist by saying: ``It's amazing to me that you can find 
the real Mr. & Mrs. Mitchell when you want to collect your money, too 
bad you didn't find the real Mr. & Mrs. Mitchell before you loaned out 
the money.''
    Identity Theft has become a national epidemic. Banks and merchants 
are being defrauded out of billions of dollars each year by Identity 
Theft criminals. We all pay the price through the higher cost of 
consumer goods, and higher interest rates on loans and credit cards. 
This epidemic must be stopped. The compromising of real identities is 
now the weakest link in the chain of financial transactions. The credit 
that has been extended using our identities fraudulently exceeds 
$111,000.00. Unfortunately for us, this saga is far from over. Once you 
become a victim of Identity Theft your life is forever changed. We 
still feel like we are ``waiting for the other shoe to drop.'' We do 
not know how many more accounts may still be outstanding, we do not 
know if a collection specialist is calling when our phone rings, we do 
not know if our good names and financial reputations will ever be truly 
restored. We need to be pro-active in the fight against Identity Theft 
and fraud and we need to impose mandatory jail sentences on criminals 
convicted of Identity Theft crimes.
    ``He that filches from me my good name robs me of that which not 
enriches him and makes me poor indeed.'' (Shakespeare--Othello)
    I've attached a list of personal recommendations for your review. I 
thank you for your time and consideration and I truly hope you never 
walk in the shoes of an Identity Theft Victim.

    The following are my 15 recommendations:

    1. Victims of Identity Theft need to know to call the FTC @ (877-
438-4338). The general public needs to know the Federal Trade 
Commission is the National Clearinghouse for Identity Theft.
    2. The general public, police departments, law enforcement 
agencies, state prosecutors and judges need to know that a Federal 
Identity Theft and Deterrence Law is in effect making Identity Theft a 
Federal offense. (Title 18 US--Section 1028).
    3. Since Identity Theft is a Federal Offense, investigations need 
to be handled by Federal Investigators, and prosecutions handled by 
U.S. attorneys. A good law needs adequate resources for investigation 
and prosecution.
    4. Criminals convicted under the Identity Theft Laws should be 
prosecuted to the fullest extent of the Federal penalties and serve 
mandatory jail time when convicted.
    5. Social Security numbers should not be used as identification 
numbers. The social security number should not appear on drivers 
licenses, on medical insurance cards, on student identification cards, 
or on any other documents other than income tax returns and wage 
earnings statements. Identification numbers other than the social 
security numbers can be assigned.
    6. Credit Reporting Agencies must verify the accuracy of the 
information received prior to posting information on credit reports. 
The credit reporting agencies can use available technology to ``red-
flag'' information that does not fit the profile of the consumers' 
previous spending habits. Change of addresses need to be verified by 
the Credit Reporting Agencies prior to changing the address on the 
consumers' credit report. The information disseminated by the credit 
reporting agencies to the various lenders and merchants making credit 
inquiries is perceived by these banks and merchants as accurate because 
``it came from the credit bureau''. It seems incongruous to have banks 
and merchants rely on the information appearing on credit reports when 
this information has been entered without any verification of accuracy.
    7. Banks, lenders, merchants, car dealerships etc. need to use due 
diligence in scrutinizing the information received on loan applications 
for inaccuracies and blatant errors. Applications for credit have been 
approved with only the social security number matching, spelling of 
name was incorrect, address was changed, birth date was wrong, yet the 
loan was approved. Due diligence needs to be exercised at ALL steps of 
the loan process to reduce the occurrence of fraud.
    8. The Department of Motor Vehicles in each state should use 
available technology to cross-reference the information in their data 
bases to ensure that a license cannot be issued in another state 
fraudulently with the same name and social security number as a valid 
license in another state. Regulations prohibiting the Department of 
Motor Vehicles from selling information should be enacted and enforced. 
The same applies f6r state issued ID cards.
    9. The utilization of Bio-Metric technology, which is currently 
available, allowing a fingerprint, palm print or voice recognition 
system to be used as confirmation of identification will substantially 
reduce the current epidemic of credit fraud and identity theft.
    10. Establish a standardized, universally accepted national 
protocol for victims of Identity Theft to follow. The bona fide victim 
should have to fill out one set of documents containing a notarized 
affidavit, a police report, a notarized handwriting sample and whatever 
other documentation may be necessary for the victim to be able to 
submit copies to each merchant.
    11. Require banks to notify consumers to place fraud alerts on 
their credit reports if any of the consumers account or credit card 
information is compromised and used fraudulently.
    12. Educate the local law enforcement authorities regarding 
Identity Theft. Provide the law enforcement officers who are taking 
police reports from victims on credit card fraud or Identity Theft with 
the materials needed to provide the victims with the information to 
contact the Federal Trade Commission, and the credit reporting agencies 
to place fraud alerts.
    13. Impose financial penalties on merchants who, through their own 
carelessness and lack of good business practices, abet the criminals 
committing financial fraud.
    14. Require the credit reporting agencies place the fraud alerts in 
bold typeface in a prominent position on the first page of a consumers 
credit report to reduce the chance of the alert being overlooked.
    15. Eliminate advance checks and pre-approval solicitations being 
sent through the mail. The banks can mail a notice for the customer to 
obtain cash advance checks by coming into the bank to pick them up.

    Senator Kyl. I am now going to call the other two witnesses 
before us, Mr. Gregory Regan, Special Agent in Charge of the 
Financial Crimes Division of the U.S. Secret Service, and Ms. 
Jodie Bernstein, Director of the Bureau of Consumer Protection 
of the Federal Trade Commission.
    Now, we have written statements from both of you and they 
will, of course, be included in the record. If you could 
summarize the statements, I would appreciate that, and then we 
will have some questions for you.
    Mr. Regan.

  PANEL CONSISTING OF GREGORY REGAN, SPECIAL AGENT IN CHARGE, 
FINANCIAL CRIMES DIVISION, U.S. SECRET SERVICE, WASHINGTON, DC; 
 AND JODIE BERNSTEIN, DIRECTOR, BUREAU OF CONSUMER PROTECTION, 
            FEDERAL TRADE COMMISSION, WASHINGTON, DC

                   STATEMENT OF GREGORY REGAN

    Mr. Regan. Yes, sir, thank you very much, Mr. Chairman. Mr. 
Chairman, members of the subcommittee, thank you for the 
opportunity to address the subcommittee concerning the subject 
of identity theft and the Secret Service's efforts to combat 
this problem.
    My name is Gregory Regan and I am the Special Agent in 
Charge of the Financial Crimes Division for the U.S. Secret 
Service. A number of things have changed since the Secret 
Service last testified on this subject on April 1, 1998, before 
the Banking, Finance, and Urban Affairs Subcommittee. On behalf 
of the Secret Service, I would like to thank the subcommittee, 
and in particular the chairman, for taking a leadership role to 
effect this change.
    This subcommittee was instrumental in directing the Federal 
Government's efforts to address this very serious problem. At a 
time when very little attention was being paid to identity 
theft victims, Senator Kyl was at the forefront. His efforts 
created an increased congressional awareness to their plight. 
In addition, he became a leading advocate for legislative 
change. His actions resulted in a concerted effort by both 
Congress and Federal law enforcement to address this problem.
    We are proud to say that members of the Secret Service 
worked hand-in-hand with Senator Kyl's staff in drafting 
legislation which provided increased protection for the victims 
of identity theft through enhancements to 18 U.S.C. 1028. These 
enhancements became part of Senate bill 512, entitled The 
Identity and Assumption Deterrence Act, which was signed into 
law in October 1998.
    The law accomplished four things simultaneously. First, it 
identified people whose credit had been compromised as true 
victims. Historically, with financial crimes such as bank fraud 
or credit card fraud, the victim identified by statute was the 
person, business, or financial institution that lost the money. 
All too often, the victims of identity theft whose credit was 
destroyed were not even recognized as victims. This is no 
longer the case.
    Second, the law established the Federal Trade Commission as 
the one central point of contact for these victims to report 
all instances of identity theft. This collection of all ID 
theft cases allows for the identification of systemic 
weaknesses and the ability of law enforcement to retrieve 
investigation data at one central location. It further allows 
the FTC to provide people with the information and assistance 
they need in order to take the steps necessary to correct their 
credit records.
    Third, this law provided increased sentencing potential and 
enhanced asset forfeiture provisions. These enhancements help 
to reach prosecutorial thresholds and allow for the 
repatriation of funds to victims.
    Lastly, and probably most important in today's technology, 
this law closed a loophole in 18 U.S.C. 1028 by making it 
illegal to steal another person's personal identification 
information with the intent to commit a violation. Previously, 
under section 1028, only the production or possession of false 
identity documents was prohibited. With advances in technology 
such as e-commerce and the Internet, criminals today do not 
need actual documents to assume an identity.
    As we enter the new millennium, the strength of the 
financial industry has never been greater. A strong economy, 
burgeoning use of the Internet, and advanced technology, 
coupled with increased spending, has led to fierce competition 
within the financial sector. Although this provides benefits to 
the consumer through readily available credit and consumer-
oriented financial services, it also creates a target-rich 
environment for today's sophisticated criminals, many of whom 
are organized and operate across international borders.
    In addition, information collection has become a common by-
product of the newly emerging e-commerce. Internet purchases, 
credit card sales, and other forms of electronic transactions 
are being captured, stored and analyzed by entrepreneurs intend 
on increasing their market share. This has led to an entirely 
new business sector being created which promotes the buying and 
selling of personal information.
    A recently publicized Internet fraud investigation by the 
Secret Service, Department of Defense, Postal Inspection 
Service and the Social Security Administration Inspector 
General's office highlighted the ease with which criminals can 
obtain personal information through public sources. These 
defendants had access to Web sites that published the promotion 
lists of high-ranking military officers. The site further 
documented personal information on these officers that was used 
to fraudulently obtain credit, merchandise and other services.
    In this particular case, the financial institution, in an 
effort to operate in a consumer-friendly manner, issued credit 
over the Internet in less than a minute. Approval for credit 
was granted after conducting a credit check for the applicant, 
who provided a true name and matching true Social Security 
number. All other information provided, such as the date of 
birth, address and telephone number that could have been used 
for further verification, was fraudulent. The failure of this 
bank to conduct a more comprehensive verification process 
resulted in substantial losses, and more importantly a long 
list of high-ranking military officers who became victims of 
identity fraud.
    The Internet provides the anonymity that criminals desire. 
Now, with just a laptop and modem, criminals are capable of 
perpetrating a variety of financial crimes without identity 
documents through the use of stolen personal information. The 
Secret Service has investigated several cases where cyber 
criminals have hacked into Internet merchant sites and stolen 
the personal information and credit card account numbers of 
their customers. These account numbers are then used with 
supporting personal information to order merchandise, which is 
then sent throughout the world. Most account-holders are not 
aware that their credit card account has been compromised until 
they receive their billing statements.
    Cyber criminals are also using information hacked from 
sites on the Internet to extort money from companies. It is not 
unprecedented for international hackers to hack into business 
accounts, steal thousands of credit card account numbers, along 
with the accompanying personal identifiers, then threaten the 
companies with exposure unless the hackers are paid a 
substantial amount of money.
    The Secret Service continues to attack identity theft by 
aggressively pursuing our core violations. As stated earlier, 
identity theft and the use of false identification has become 
an integral component of most financial criminal activity. In 
order to be successful in suppressing identity theft, we 
believe law enforcement agencies should continue to focus their 
energy and available resources on the criminal activities which 
incorporate the misuse or theft of identification information.
    The Secret Service investigative program focuses on three 
areas of criminal schemes within our core expertise. First, the 
Secret Service emphasizes the investigation of counterfeit 
instruments. By counterfeit instruments, I refer to counterfeit 
currency; counterfeit checks, both commercial and government; 
counterfeit credit cards; counterfeit stocks or bonds; and 
virtually any negotiable instrument that can be counterfeited. 
Many of these schemes would not be possible without the 
compromise of innocent victims' financial identifiers.
    Second, the Secret Service targets organized criminal 
groups which are engaged in financial crimes on both a national 
and international scale. Again, we see many of these groups, 
most notably the Nigerian and Asian organized criminal groups, 
prolific in their use of stolen financial and personal 
information to further their financial crime activity.
    And, last, we focus our resources in areas that have the 
most deleterious effect on the communities in which we work. We 
also work very closely with both Federal and local prosecutors 
to ensure that our investigations are relevant, topical and 
prosecutable under existing guidelines. No area today is more 
relevant or topical than that of identity theft. Automated 
teller machines, electronic commerce, online banking, online 
trading, smart cards, all once considered futuristic concepts, 
are now a reality. Each of these technology lends themselves to 
creating a faceless society.
    One innovation which appears to address the problem of 
identity verification in Internet commerce has been developed 
and introduced by a member of the financial community. This new 
product is the first commercial venture by the credit card 
industry to provide the public with an online authentication 
process using chip technology in encryption. Although this 
product may not end credit card fraud on the Internet, it is 
the first step in providing a more secure environment in which 
to conduct Internet commerce.
    In addition, under the direction of the President, a 
national summit on the subject of identity theft will commence 
next week, on March 15, 2000, at the Omni Shoreham Hotel here 
in Washington, to address this very serious issue.
    As you have heard in this testimony, some very positive 
steps are being taken to address and combat identity theft. The 
Secret Service will always encourage both business and law 
enforcement to work together to develop an environment in which 
personal information is securely guarded. In this age of 
instant access, knowledge is power. We cannot allow today's 
criminals to abuse the very systems which were created for the 
betterment of society.
    The emotional toll on the lives of those whose identity has 
been compromised cannot be fully accounted for in dollars and 
cents. We do not believe, nor are we in the business of 
inhibiting the free flow of information so vital to a free 
society. We do, however, believe that those identified as 
misusing personal information for criminal purposes should be 
subject to punishment commensurate with the crime. The Secret 
Service acknowledges identity theft as a very real problem and 
pledges its support in the Federal Government's efforts to 
eliminate it.
    This concludes my testimony and I would be happy to answer 
any questions you have, sir.
    Senator Kyl. Thank you very much, Mr. Regan. That is great. 
I will be asking some questions in a moment.
    [The prepared statement of Mr. Regan follows:]

                  Prepared Statement of Gregory Regan

    Mr. Chairman, members of the subcommittee, thank you for the 
opportunity to address this subcommittee concerning the subject of 
identity theft and the Secret Service's efforts to combat this problem.
    My name is Gregory Regan, and I am the Special Agent in Charge of 
the Financial Crimes Division of the United States Secret Service.
    A number of things have changed since the Secret Service last 
testified on this subject on April 1, 1998, before the Banking, 
Finance, and Urban Affairs Subcommittee. On behalf of the Secret 
Service, I would like to thank this subcommittee, and in particular, 
the chairman for taking a leadership role to effect this change. This 
subcommittee was instrumental in directing the Federal Government's 
efforts to address this very serious problem.
    At a time when very little attention was being paid to identity 
theft victims, Senator Kyl was at the forefront. His efforts created an 
increased congressional awareness to their plight. In addition, he 
became a leading advocate for legislative change. His actions resulted 
in a concerted effort by both Congress and Federal law enforcement to 
address this problem.
    We are proud to say that members of the Secret Service worked hand 
in hand with Senator Kyl's staff in drafting legislation which provided 
increased protection for the victims of identity theft through 
enhancements to Title 18 United States Criminal Code, Section 1028. 
These enhancements became part of Senate bill 512, entitled The 
Identity Theft and Assumption Deterrence Act, which was signed into law 
in October 1998.
    This law accomplished four things simultaneously. First, it 
identified people whose credit had been compromised as true victims. 
Historically with financial crimes such as bank fraud or credit card 
fraud, the victim identified by statute, was the person, business or 
financial institution that lost the money. All too often the victims of 
identity theft whose credit was destroyed, were not even recognized as 
victims. This is no longer the case.
    Second, this law established the Federal Trade Commission (FTC) as 
the one central point of contact for these victims to report all 
instances of identity theft. This collection of all ID theft cases 
allows for the identification of systemic weaknesses and the ability of 
law enforcement to retrieve investigative data at one central location. 
It further allows the FTC to provide people with the information and 
assistance they need in order to take the steps necessary to correct 
their credit records.
    Third, this law provided increased sentencing potential and 
enhanced asset forfeiture provisions. These enhancements help to reach 
prosecutorial thresholds and allow for the repatriation of funds to 
victims.
    Lastly, this law closed a loophole in Title 18, United States Code, 
1028 by making it illegal to steal another person's personal 
identification information with the intent to commit a violation. 
Previously, under Section 1028 only the production or possession of 
false identity documents was prohibited. With the advances in 
technology such as e-commerce and the Internet, criminals today do not 
need actual documents to assume an identity.
    We believe the passage of this legislation was the catalyst needed 
to bring together both the Federal and State Government's resources, in 
a focused and unified response to the identity theft problem. Today, 
law enforcement, regulatory and community assistance organizations have 
joined forces through a variety of working groups, task forces, and 
information sharing initiatives to assist victims of identity theft. 
Victims no longer have to feel abandoned, with no where to turn.
    Policies and procedures are being initiated to expedite the 
reporting of this crime. Civil remedies are being created allowing for 
victims to seek restitution. The Secret Service victim-witness 
assistance program aids identity theft victims by providing resources 
and contact information for credit bureaus and service programs. The 
financial community continues to design and implement security measures 
which minimize the exploitation of true persons names and 
identification information.
    The Secret Service has broad investigative responsibilities 
relating to financial crimes. Today, some type of false identification 
is a prerequisite for nearly all financial fraud crimes. False ID's 
provide anonymity to criminals and allow for repeat victimization of 
the same individual while perpetrating a variety of fraud schemes. 
Often, in their attempt to remain anonymous, criminals may randomly 
assume the identity of another individual through the creation of false 
identification documents. In these cases, the goal may not be to target 
an individual for the purposes of stealing his or her identity. Yet, by 
coincidence, that individual's identity has been compromised through 
the criminal's use of their personal identifiers.
    False identification documents altered, counterfeited, or 
fraudulently obtained, are routinely used with loan and check fraud 
schemes, and almost all credit card fraud schemes. Ironically, the 
credit industry through capital investments over the past 10 years has 
strengthened the integrity of the system through security measures 
which effectively thwart some types of direct counterfeiting. 
Subsequently, criminals no longer simply create names and identities, 
they must more often rely on the identifiers of real people.
    As we enter the new millennium the strength of the financial 
industry has never been greater. A strong economy, burgeoning use of 
the Internet and advanced technology, coupled with increased spending 
has led to fierce competition within the financial sector. Although 
this provides benefits to the consumer through readily available 
credit, and consumer oriented financial services, it also creates a 
target rich environment for todays sophisticated criminals, many of 
whom are organized and operate across international borders.
    In addition, information collection has become a common by-product 
of the newly emerging e-commerce. Internet purchases, credit card 
sales, and other forms of electronic transactions are being captured, 
stored, and analyzed by entrepreneurs intent on increasing their market 
share. This has led to an entirely new business sector being created 
which promotes the buying and selling of personal information.
    With the advent of the Internet, companies have been created for 
the sole purpose of data mining, data warehousing, and brokering of 
this information. These companies collect a wealth of information about 
consumers, including information as confidential as their medical 
histories.
    Consumers routinely provide personal, financial, and health 
information to companies engaged in business on the Internet. Consumers 
may not realize that the information they provide in credit card 
applications, loan applications, or with merchants they patronize, are 
valuable commodities in this new age of information trading.
    Data collection companies like all businesses are profit motivated, 
and as such, may be more concerned with generating potential customers 
rather than the misuse of this information by unscrupulous individuals. 
This readily available personal information in conjunction with the 
customer friendly marketing environment has presented ample 
opportunities for criminals intent on exploiting the situation for 
economic gain.
    We have investigated numerous cases where criminals have used other 
people's identities to purchase everything from computers to houses. 
Financial institutions must continually practice due diligence lest 
they fall victim to the criminal who attempts to obtain a loan or cash 
a counterfeit check using someone else's identity.
    As financial institutions and merchants become more cautious in 
their approach to ``hand to hand'' transactions the criminals are 
looking for other venues to compromise. Today, criminals need look no 
further than the Internet.
    For example, a recently publicized Internet fraud investigation by 
the Secret Service, Department of Defense, Postal Inspection Service, 
and the Social Security Administration Inspector General's Office 
highlighted the ease with which criminals can obtain personal 
information through public sources. These defendants accessed a Web 
site that published the promotion list of high ranking military 
officers. This site further documented personal information on these 
officers that was used to fraudulently obtain credit, merchandise, and 
other services.
    In this particular case the financial institution, in an effort to 
operate in a consumer friendly manner issued credit over the Internet 
in less than a minute. Approval for credit was granted after conducting 
a credit check for the applicant who provided a ``true name'' and 
matching ``true Social Security number''. All other information 
provided such as the date of birth, address and telephone number, that 
could have been used for further verification, was fraudulent. The 
failure of this bank to conduct a more comprehensive verification 
process resulted in substantial losses and more importantly a long list 
of high ranking military officers who became victims of identity fraud.
    The Internet provides the anonymity criminals desire. In the past, 
fraud schemes required false identification documents, and necessitated 
a ``face to face'' exchange of information and identity verification. 
Now with just a laptop and modem, criminals are capable of perpetrating 
a variety of financial crimes without identity documents through the 
use of stolen personal information.
    The Secret Service has investigated several cases where cyber 
criminals have hacked into Internet merchant sites and stolen the 
personal information and credit card account numbers of their 
customers. These account numbers are then used with supporting personal 
information to order merchandise which is then sent throughout the 
world. Most account holders are not aware that their credit card 
account has been compromised until they receive their billing 
statement.
    Time and time again, criminals have demonstrated the ability to 
obtain information from businesses conducting commerce on the Internet. 
This information has been used to facilitate account takeover schemes 
and other similar frauds. It has become a frightening reality that one 
individual can literally take over another individual's credit card 
account and or bank account without the true subscriber's knowledge.
    Cyber criminals are also using information hacked from sites on the 
Internet to extort money from companies. It is not unprecedented for 
international hackers to hack into business accounts, steal thousands 
of credit card account numbers along with the accompanying personal 
identifiers, then threaten the companies with exposure unless the 
hackers are paid a substantial amount of money.
    The Secret Service continues to attack identity theft by 
aggressively pursuing our core violations. It is by the successful 
investigation of criminals involved in financial and computer fraud 
that we are able to identify and suppress identity theft.
    As stated earlier, identity theft, and the use of false 
identification has become an integral component of most financial 
criminal activity. In order to be successful in suppressing identity 
theft we believe law enforcement agencies should continue to focus 
their energy and available resources on the criminal activities which 
incorporate the misuse or theft of identification information.
    The Secret Service has achieved success through a consistent three 
tiered process of aggressive pro-active investigations, identification 
of systemic weaknesses, and partnerships with the financial sector to 
adopt fixes to these weaknesses.
    The Secret Service's investigative program focuses on three areas 
of criminal schemes within our core expertise. First, the secret 
service emphasizes the investigation of counterfeit instruments. By 
counterfeit instruments, I refer to counterfeit currency, counterfeit 
checks, both commercial and government, counterfeit credit cards, 
counterfeit stocks or bonds, and virtually any negotiable instrument 
that can be counterfeited. Many of these schemes would not be possible 
without the compromise of innocent victims financial identities.
    Second, the Secret Service targets organized criminal groups which 
are engaged in financial crimes on both a national and international 
scale. Again we see many of these groups, most notably the Nigerian and 
Asian organized criminal groups, prolific in their use of stolen 
financial and personal information to further their financial crime 
activity.
    And last, we focus our resources on cases that have the most 
deleterious effect on the communities in which we work. The Secret 
Service works in concert with the state, county, and local police 
departments to ensure our resources are being targeted to those 
criminal areas that are of a high concern to the local citizenry. 
Further, we work very closely with both Federal and local prosecutors 
to ensure that our investigations are relevant, topical and 
prosecutable under existing guidelines. No area today is more relevant 
or topical than that of identity theft.
    It has been our experience that the criminal groups involved in 
these types of crimes routinely operate in a multi- jurisdictional 
environment. This has created problems for local law enforcement who 
generally act as the first responders to their criminal activities. By 
working closely with other Federal, state, and local law enforcement, 
as well as international police agencies we are able to provide a 
comprehensive network of intelligence sharing, resource sharing, and 
technical expertise which bridges jurisdictional boundaries.
    This partnership approach to law enforcement is exemplified by our 
financial crimes task forces located throughout the country. Each of 
these task forces pools the personnel and technical resources and to 
maximize the expertise of each participating law enforcement agency. A 
number of these task forces are focused on the Nigerian criminal 
element operating in this country. As mentioned earlier, this 
particular ethnic criminal group has historically been involved in a 
myriad of financial crimes, which incorporate false identification and 
identity theft.
    In addition to our inter-dependant working relationship with law 
enforcement on all levels, our partnership with the private sector has 
proved invaluable. Representatives from numerous commercial sectors to 
include the financial, telecommunications, and computer industries have 
all pledged their support in finding ways to ensure consumer protection 
while minimizing corporate losses. The Secret Service has entered into 
several cooperative efforts with members of the financial sector to 
address challenges posed by new and emerging technologies. These 
initiatives have created some new and innovative approaches to 
identification verification in business.
    Automated teller machines, e-commerce, online banking, online 
trading, smart cards, all once considered futuristic concepts, are now 
a reality. Each of these technologies lends themselves to creating a 
``faceless society''. In order for businesses to be successful, they 
can no longer rely upon personal contact as a means of identity 
verification.
    One innovation which appears to address the problems of identity 
verification for Internet commerce has been developed and introduced by 
a member of the financial community. This new product is the first 
commercial venture by the credit card industry to provide the public 
with an online authentication process using chip technology and 
encryption. Although this product may not end credit card fraud on the 
Internet, it is the first step in providing a more secure environment 
in which to conduct Internet commerce.
    Efforts such as these provide a foundation by which law enforcement 
and the private sector can build upon. By applying the technologies 
used in this product and others being developed for the same purpose, 
we can systemically eliminate the weaknesses in our economic 
infrastructure, which allow for the misuse of personal information.
    In conjunction with these technological advances, the Secret 
Service is actively involved with a number of government sponsored 
initiatives. At the request of the Attorney General, the Secret Service 
joined an interagency identity theft subcommittee that was established 
by the Department of Justice. This group which is made up of Federal 
and state law enforcement, regulatory agencies, and professional 
agencies meets regularly to discuss and coordinate investigative and 
prosecutive strategies as well as consumer education programs.
    In addition, under the direction of the President, the Treasury 
Department, with the assistance of the Secret Service, has been tasked 
with convening a national, summit on the subject of identity theft. The 
purpose of this summit is to bring together various Federal, state, and 
private sector entities to discuss and develop policies that will help 
prevent identity theft crimes. This summit will commence next week on 
March 15, 2000, at the Omni Shoreham Hotel, herein Washington, DC.
    As you have heard in this testimony some very positive steps are 
being taken to address and combat identity theft. The Secret Service 
will always encourage both business and law enforcement to work 
together to develop an environment in which personal information is 
securely guarded. In this age of instant access, knowledge is power. We 
cannot allow todays criminals to abuse the very systems which were 
created for the betterment of society. The emotional toll on the lives 
of those whose identity has been compromised cannot be fully accounted 
for in dollars and cents. It is all of our responsibilities to protect 
personal information.
    We do not believe, nor are we in the business of inhibiting the 
free flow of information so vital to a free society. We do, however, 
believe that those identified as misusing personal information for 
criminal purposes should be subject to punishment commensurate with the 
crime. The concepts of criminal prosecution for the perpetrators, 
restitution for the victims, and ethical responsibilities for those 
earning a living through the use of personal information are noble 
goals.
    The Secret Service acknowledges that identity theft is a very real 
problem and pledges its support in the Federal Government's efforts to 
eliminate it.
    This concludes my prepared statement. I would be happy to answer 
any questions that you or any other member of the subcommittee may 
have. Thank you.

 GREGORY J., REGAN, SPECIAL AGENT IN CHARGE FINANCIAL CRIMES DIVISION 
                          U.S. SECRET SERVICE
    Mr. Gregory J. Regan was appointed Special Agent in Charge of the 
Financial Crimes Division on January 3, 1999. Prior to this 
appointment, he served as the Assistant Special Agent in Charge of the 
Richmond Field Office.
    Mr. Regan began his law enforcement career in 1980 as a Special 
Agent with the Naval Investigative Service. In 1982, Mr. Regan was 
appointed as a Special Agent with the U.S. Secret Service and assigned 
to the New York Field Office. His subsequent career assignment included 
duty on the Vice Presidential Protective Division, a prior assignment 
to Financial Crimes Division, the Office of Congressional Affairs, and 
the Counterfeit Division.
    A native of Brooklyn, New York, Mr. Regan received a Bachelor of 
Arts Degree from St. John's University in New York. He is married to 
the former Margaret Stokey of Westbury, New York and they have five 
children.
    Mr. Regan is the Chairman of the Law Enforcement Advisory Committee 
for the International Association of Financial Crimes Investigators; 
and is a member of the Investigative Operations Committee for the 
International Association of Chiefs of Police.
    Throughout his tenure with the U.S. Secret Service, Mr. Regan has 
been the recipient of numerous awards to include the law enforcement 
officer of the year award from the International Association of Credit 
Card Investigators.

    Senator Kyl. Let's hear now from Ms. Jodie Bernstein.

                  STATEMENT OF JODIE BERNSTEIN

    Ms. Bernstein. Thank you, Senator Kyl. As you said, I am 
Jodie Bernstein and I am the Director of the Bureau of Consumer 
Protection at the Federal Trade Commission. And I wanted to 
thank you particularly for including us in this hearing and 
giving us the opportunity to present the Commission's testimony 
on these problems.
    I would also like to introduce one of our staff, Beth 
Grossman, who has been very much involved, in fact critical, to 
the development of the FTC's initiatives following the passage 
of the Act.
    I would acknowledge also, as Ms. Mitchell did, Kathleen 
Lund, of our staff, who was Ms. Mitchell's counselor. And she 
doesn't often get the opportunity to be acknowledged for the 
really wonderful work that she did in connection with an 
individual case and was pleased to be able to attend this 
hearing.
    I will try to summarize my testimony, also, very briefly. 
And as Ms. Mitchell said so eloquently, identity theft causes 
significant and ongoing problems for its victims. Identity 
thieves can run up debts in the tens of thousands of dollars 
under their victims' names. Even when the victim is not legally 
liable for the debts, the consequences are often considerable. 
A victim's credit history is often scarred, and he or she 
typically must spend hundreds of hours, sometimes over the 
course of months and even years, contesting bills and 
straightening out credit reporting errors.
    The passage of the Act was an important step in combatting 
identity theft and in helping its victims. The Act, as you so 
correctly anticipated, strengthened the criminal laws against 
identity theft and recognized that the individual whose 
identity has been stolen is as much a victim as the financial 
institutions that may have borne most of the monetary loss.
    The Act also provided a framework for the FTC's new and 
unique program to assist victims of identity theft. The FTC's 
consumer assistance effort has three principal components, and 
we have some graphics to help illustrate it.
    First, we have established an identity theft hotline that 
consumers can call toll-free at, as you see, 887-IDTHEFT. The 
hotline provides the public with a central place to call to 
report identity theft and to receive information on the steps 
to take if they become identity theft victims.
    Second, we have another slide. We have a complaint 
clearinghouse, a database to track the reports that the FTC and 
other agencies receive about identity theft. The database will 
provide the FTC with information about the nature and extent of 
consumers' ID theft-related problems. Later this year, we plan 
to make the clearinghouse available to other law enforcement 
agencies through a secure Web-based interface.
    Through this secure Web site, criminal investigative 
agencies like the Secret Service will be able to access the 
database of complaints from their desktop PC's to spot patterns 
of criminal activity that might not otherwise be apparent from 
isolated reports. We have built this database on the model of a 
different database that we developed that is called Consumer 
Sentinel. It is a network to track consumer fraud generally, 
and really Sentinel has been such a great success that we 
expect to have no less of an effort from this database.
    Third, the Commission has launched a significant consumer 
education effort. We recently published a 21-page booklet, and 
I think we have copies of it here today as well. And it is 
called, as you know, ``Identity Theft: When Bad Things Happen 
to Your Good Name.'' This booklet that was put together with 
the assistance of several Federal agencies is a comprehensive 
guide for consumers with information ranging from how consumers 
can protect their personal information to how to correct 
credit-related problems that may result from identity theft. 
Several other agencies have agreed to reproduce and distribute 
the booklet, which will be extremely helpful. We have produced 
a number of shorter, more targeted pieces as well.
    The FTC also provides consumers with information through 
our identity theft Web site. The Web site, located at 
consumer.gov/idtheft, contains our publications, as well as the 
following: tips on what consumers can do to decrease the risk 
of becoming a victim, the steps consumers should take if they 
do become victims, information on recent identity theft cases 
and scams, lists and links to many of the State identity theft 
laws, links to other identity theft resources throughout the 
Government, and finally a public complaint form--and this has 
really been, I think, very useful--that allows consumers to 
submit reports of identity theft directly to our database at 
any time of the day or night. And because our database will 
have a record of their report, they can phone our call center 
during business hours for follow-up information.
    Since we launched our toll-free number just a little over 3 
months ago, we have been averaging over 400 calls a week from 
consumers. After a recent press release, the number of calls 
increased by about 25 percent. We expect that the volume of 
calls will continue to rise as more and more people know about 
the toll-free number. We anticipate that as it is more widely 
known, we are anticipating based on prior experience that we 
may be receiving more than 100,000 calls by next year.
    Because our data collection efforts are new, though, we 
can't yet do extensive data analysis of the calls. Our basic 
complaint data, though--we have a little bit of analysis we 
have been able to do--shows that the most common forms of 
identity theft are as follows: first, credit card fraud. Fifty-
five percent of the callers report that someone either opened 
up a credit card account in their name or, ``took over'' their 
existing credit card account.
    Second, 25 percent report that utility service, such as 
telephone or cellular service, has been opened up in their 
name. About 15 percent report a checking or savings account has 
been opened in their name and/or that fraudulent checks had 
been written. Ten percent complain that an identity thief 
obtained a loan, such as a car loan, in their name.
    Having succeeded in putting the basic components of the 
program in place, we are looking at new, additional ways that 
we can build on the foundation. And as we move forward, one 
focus will be on identifying ways we can work together with the 
private sector on this important issue. As the Identity Theft 
Act recognized, private companies, such as credit card issuers 
and credit bureaus, are essential to any effort to combat 
identity theft. Indeed, they are often, as Maureen said, in the 
best position to identify and prevent identity theft in the 
first place--and nothing is better than prevention--and to 
clear up fraudulent accounts opened in the consumer's name.
    As you know, the Treasury Department is sponsoring a 
national summit on identity theft next week which will 
specifically address ways in which government, business leaders 
and consumers can forge partnerships to counter identity theft. 
The FTC has been assisting in organizing the summit. Both the 
chairman of the Commission and I will participate in it, and we 
are looking forward to the opportunity to explore new ways of 
addressing the growing problem.
    Thank you, Mr. Chairman, again on behalf of the Commission, 
and we will be pleased to answer any of your questions.
    [The prepared statement of Ms. Bernstein follows:]

                 Prepared Statement of Jodie Bernstein

    Mr. Chairman Kyl, and members of the Subcommittee, I am Jodie 
Bernstein, Director of the Bureau of Consumer Protection, Federal Trade 
Commission (``FTC'' or ``Commission'').\1\ I appreciate the opportunity 
to present the Commission's views on the important issue of identity 
theft, and describe to you the Commission's achievements in 
implementing the Identity Theft and Assumption Deterrence Act.\2\
---------------------------------------------------------------------------
    \1\ The views expressed in this statement represent the views of 
the Commission. My oral presentation and response to questions are my 
own, and do not necessarily represent the views of the Commission or 
any Commissioner.
    \2\ Pub. L. No. 105-318, 112 Stat. 3007 (1998) (codified at 18 
U.S.C. Sec. 1028).
---------------------------------------------------------------------------
    In my remarks today, I will discuss the growing phenomenon of 
identity theft, how the Commission has responded to identity theft, 
both in carrying out its duties under the 1998 Act and its general 
enforcement measures, and what we see as future challenges in 
eradicating identity theft.

                  I. IDENTITY THEFT: A GROWING PROBLEM
    By now, many people have confronted, directly or through a third 
person, some form of identity theft: someone has used their name to 
open up a credit card account or someone has used their identifying 
information--name, social security number, mother's maiden name, or 
other personal information--to commit fraud or engage in other unlawful 
activities. Other common forms of identity theft include taking over an 
existing credit card account and making unauthorized charges on it 
(typically, the identity thief forestalls discovery by the victims by 
contacting the credit card issuer and changing the billing address on 
the account); taking out loans in another person's name; writing 
fraudulent checks using another person's name and/or account number; 
and using personal information to access, and transfer money out of, 
another person's bank or brokerage account. In extreme cases, the 
identity thief may completely take over his or her victim's identity--
opening a bank account, getting multiple credit cards, buying a car, 
getting a home mortgage and even working under the victim's name.\3\
---------------------------------------------------------------------------
    \3\ In at least one case, an identity thief reportedly even died 
using the victim's name, and the victim had to get the death 
certificate corrected. Michael Higgins, Identity Thieves, ABA Journal, 
October 1998, at 42, 47.
---------------------------------------------------------------------------
    Identity theft can arise from simple, low-tech practices such as 
stealing someone's mail or ``dumpster diving'' through their trash to 
collect credit card offers or obtain identifying information such as 
account numbers or social security numbers. There are also far more 
sophisticated practices at hand. In a practice known as ``skimming,'' 
identity thieves use computers to read and store the information 
encoded on the magnetic strip of an ATM or credit card when that card 
is inserted through either a specialized card reader or a legitimate 
payment mechanism (e.g., the card reader used to pay for gas at the 
pump in a gas station). Once stored, that information can be re-encoded 
onto any other card with a magnetic strip, instantly transforming a 
blank card into a machine-readable ATM or credit card identical to that 
of the victim.
    The Internet has dramatically altered the potential impact of 
identity theft. Among other things, the Internet provides access to 
collections of identifying information gathered through both illicit 
and legal means. The global publication of identifying details that 
heretofore were available only to the few increases the potential 
misuse of that information. Similarly, Internet expands exponentially 
the ability for a third party to disseminate the identifying 
information, making it available for others to exploit. The recent 
reports of a Russian hacker gaining access to the names, addresses and 
credit card account numbers of hundreds of thousands of customers is an 
extreme example of the type of harm that can occur through the 
wholesale theft of identifying information. In this instance, the 
hacker posted the names and credit card numbers on a website, providing 
the wherewithal for others to commit identity theft by using those 
credit card numbers to make purchases.\4\
---------------------------------------------------------------------------
    \4\ John Markoff, Thief Reveals Credit Card Data When Web Extortion 
Plot Fails, N.Y. Times, January 10, 2000, at A1.
---------------------------------------------------------------------------
    Anecdotes and news stories provide one indication of the growth of 
identity theft. Available statistics confirm this trend. The General 
Accounting Office, for example, reports that consumer inquiries to the 
Trans Union credit bureau's Fraud Victim Assistance Department 
increased from 35,235 in 1992 to 522,922 in 1997,\5\ and that the 
Social Security Administration's Office of the Inspector General 
conducted 1,153 social security number misuse investigations in 1997 
compared with 305 in 1996.\6\ In 1999, the telephone hotline 
established by the Social Security Administration Inspector General 
received reports of almost 39,000 incidents of misuse of Social 
Security Numbers.\7\
---------------------------------------------------------------------------
    \5\ Calls to this department included ``precautionary'' phone 
calls, as well as calls from actual fraud or identity theft victims.
    \6\ U.S. General Accounting Office, Identity Fraud: Information on 
Prevalence, Cost, and Internet Impact is Limited (May 1998). The Social 
Security Administration attributed the increase in investigations, in 
part, to the hiring of additional investigators.
    \7\ While we have created a database to capture information from 
complaints to our new toll-free Identity Theft Hotline (discussed in 
greater detail below), our data are still too limited to allow us to 
draw any significant conclusions about the extent of identity theft.
---------------------------------------------------------------------------
    For victims of identity theft, the costs can be significant and 
long-lasting. Identity thieves can run up debts in the tens of 
thousands of dollars under their victims' names. Even where the 
individual consumer is not legally liable for these debts,\8\ the 
consequences to the consumer are often considerable. A consumer's 
credit history is frequently scarred, and he or she typically must 
spend numerous hours sometimes over the course of months or even years 
contesting bills and straightening out credit reporting errors. In the 
interim, the consumer victim may be denied loans, mortgages, a driver's 
license, and employment; a bad credit report may even prevent him or 
her from something as simple as opening up a new bank account at a time 
when other accounts are tainted and a new account is essential. 
Moreover, even after the initial fraudulent bills are resolved, new 
fraudulent charges may continue to appear, requiring ongoing vigilance 
and effort by the victimized consumer.
---------------------------------------------------------------------------
    \8\ The Fair Credit Billing Act, 15 U.S.C. Sec. 1601 et seq. and 
the Electronic Fund Transfer Act, 15 U.S.C. Sec. 1693 et seq. limit 
consumers' liability for fraudulent transactions in connection with 
credit and debit cards, respectively.
---------------------------------------------------------------------------

              II. THE FEDERAL TRADE COMMISSION'S AUTHORITY
A. Overview
    The FTC's mission is to promote the efficient functioning of the 
marketplace by protecting consumers from unfair or deceptive acts or 
practices and increasing consumer choice by promoting vigorous 
competition. The Commission's primary legislative mandate is to enforce 
the Federal Trade Commission Act (``FTC Act''), which prohibits unfair 
methods of competition and unfair or deceptive acts or practices in or 
affecting commerce.\9\ With certain exceptions, the FTC Act provides 
the Commission with broad civil law enforcement authority over entities 
engaged in or whose business affects commerce,\10\ and provides the 
authority to gather information about such entities.\11\ The Commission 
also has responsibility under more than forty additional statutes 
governing specific industries and practices.\12\
---------------------------------------------------------------------------
    \9\ 15 U.S.C. Sec. 45(a).
    \10\ Certain entities such as banks, savings and loan associations, 
and common carriers as well as the business of insurance are wholly or 
partially exempt from Commission jurisdiction. See Section 5(a)(2) of 
the FTC Act, 15 U.S.C. Sec. 45(a)(2), and the McCarran-Ferguson Act, 15 
U.S.C. Sec. 1012(b).
    \11\ 15 U.S.C. Sec. 46(a).
    \12\ In addition to the credit laws discussed in the text, the 
Commission also enforces over 30 rules governing specific industries 
and practices, e.g., the Used Car Rule, 16 C.F.R. Part 455, which 
requires used car dealers to disclose warranty terms via a window 
sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the 
provision of information to prospective franchisees; and the 
Telemarketing Sales Rule, 16 C.F.R. Part 310, which defines and 
prohibits deceptive telemarketing practices and other abusive 
telemarketing practices.
---------------------------------------------------------------------------
    Two of the Commission's specific statutory mandates are 
particularly relevant in the context of identity theft. The Fair Credit 
Billing Act and Fair Credit Reporting Act each provide important 
protections for consumers who may be trying to clear their credit 
records after having their identities stolen. The Fair Credit Billing 
Act, which amended the Truth in Lending Act, provides for the 
correction of billing errors on credit accounts and limits consumer 
liability for unauthorized credit card use.\13\ The Fair Credit 
Reporting Act (``FCRA'') regulates credit reporting agencies and places 
on them the responsibility for correcting inaccurate information in 
credit reports.\14\ In addition, entities that furnish information to 
credit reporting agencies have obligations under the FCRA to ensure the 
accuracy of the information they report.\15\ Finally, the FCRA limits 
the disclosure of consumer credit reports only to entities with 
specified ``permissible purposes'' (such as evaluating individuals for 
credit, insurance, employment or similar purposes) and under specified 
conditions (such as certifications from the user of the report).\16\
---------------------------------------------------------------------------
    \13\ 15 U.S.C. Sec. Sec. 1601 et seq.
    \14\ 15 U.S.C. Sec. Sec. 1681e, 1681i.
    \15\ 15 U.S.C. Sec. 1681s-2.
    \16\ 15 U.S.C. Sec. 1681-1681u.
---------------------------------------------------------------------------
B. The commission's involvement in identity theft issues
    As an outgrowth of its broader concern about financial privacy, the 
Commission has been involved in the issue of identity theft for some 
time. In 1996, the Commission convened two public meetings in an effort 
to learn more about identity theft, its growth, consequences, and 
possible responses. At an open forum convened by the Commission in 
August 1996, consumers who had been victims of this type of fraud, 
representatives of local police organizations and other federal law 
enforcement agencies, members of the credit industry, and consumer and 
privacy advocates discussed the impact of identity theft on industry 
and on consumer victims. Subsequent press coverage helped to educate 
the public about the growth of consumer identity theft and the problems 
it creates. In November 1996, industry and consumer representatives met 
again in working groups to explore solutions and ways to bolster 
efforts to combat identity theft.
    Having developed a substantial base of knowledge about identity 
theft, the Commission testified before this subcommittee in May 1998 in 
support of the Identity Theft and Assumption Deterrence Act. Following 
the passage of the Act, the Commission testified again, in April 1999, 
before the House Subcommittee on Telecommunications, Trade and Consumer 
Protection and the Subcommittee on Finance and Hazardous Materials of 
the Commerce Committee. This latest testimony focused on identity theft 
in the financial services industry.
C. The Identity Theft and Assumption Deterrence Act of 1998
    The Identity Theft and Assumption Deterrence Act of 1998 
(``Identity Theft Act'' or ``the Act'') addresses identity theft in two 
significant ways. First, the Act strengthens the criminal laws 
governing identity theft. Specifically, the Act amends 18 U.S.C. 
Sec. 1028 (``Fraud and related activity in connection with 
identification documents'') to make it a federal crime to:

        knowingly transfer[] or use[], without lawful authority, a 
        means of identification of another person with the intent to 
        commit, or to aid or abet, any unlawful activity that 
        constitutes a violation of Federal law, or that constitutes a 
        felony under any applicable State or local law.\17\
---------------------------------------------------------------------------
    \17\ 18 U.S.C. Sec. 1028(a)(7). The statute further defines ``means 
of identification'' to include ``any name or number that may be used, 
alone or in conjunction with any other information, to identify a 
specific individual,'' including, among other things, name, address, 
social security number, driver's license number, biometric data, access 
devices (i.e., credit cards), electronic identification number or 
routing code, and telecommunication identifying information.

    The second way in which the Act addresses the problem of identity 
theft is by focusing on consumers as victims.\18\ In particular, the 
Act requires the Federal Trade Commission to develop a centralized 
complaint and consumer education service for victims of identity theft. 
More specifically, the Act directs that the Commission establish 
procedures to: (1) log the receipt of complaints by victims of identity 
theft; (2) provide identity theft victims with informational materials; 
and (3) refer complaints to appropriate entities, including the major 
national consumer reporting agencies and law enforcement agencies.\19\
---------------------------------------------------------------------------
    \18\ Prior to the passage of the Act, financial institutions rather 
than individuals tended to be viewed as the primary victims of identity 
theft because individual consumers' financial liability is often 
limited. Setting up an assistance process for consumer victims is 
consistent with one of the Act's stated goals, to recognize the 
individual victims of identity theft. See S. Rep. No. 105-274, at 4 
(1998).
    \19\ Pub. L. No. 105-318 Sec. 5, 112 Stat. 3010 (1998) (codified at 
18 U.S.C. Sec. 1028 note).
---------------------------------------------------------------------------

      III. CURRENT EFFORTS: THE FTC'S CONSUMER ASSISTANCE PROGRAM
    In enacting the Identity Theft Act, Congress recognized that 
coordinated efforts are essential because identity theft victims often 
need assistance from both government agencies at the national and state 
or local level, and private businesses. Accordingly, the FTC's role 
under the Act is primarily one of managing information sharing among 
public and private entities. The goals of the FTC's information 
``clearinghouse''. are fourfold: (1) to support criminal law 
enforcement efforts by collecting data in one central database and 
making referrals as appropriate \20\; (2) to provide consumers with 
information to help them prevent or minimize their risk of identity 
theft; (3) to streamline the resolution of the credit and financial 
difficulties consumers may have when they become victims of identity 
theft; and (4) to enable analysis of the extent of, and factors 
contributing to, identity theft in order to enrich policy discussions. 
In order to fulfill the purposes of the Act, the Commission has begun 
implementing a plan that centers on three principal components:
---------------------------------------------------------------------------
    \20\ Most identity theft cases are best addressed through criminal 
prosecution. The FTC itself has no direct criminal law enforcement 
authority. Under its civil law enforcement authority provided by 
section 5 of the FTC Act, the Commission may, in appropriate cases, 
bring actions to stop practices that involve or facilitate identity 
theft. The practices the Commission expects to focus its law 
enforcement resources on are those where the effect is widespread and 
where civil remedies are likely to be effective. See, e.g., FTC v. J.K. 
Publications, Inc., et al., No. CV 99-00044 ABC (AJWx) (C.D. Cal., Mar. 
16, 1999) (order granting preliminary injunction) (alleging that 
defendants obtained consumers' credit card numbers without their 
knowledge and billed consumers' accounts for unordered or fictitious 
Internet services); FTC v. James J. Rapp and Regana L. Rapp, 
individually and doing business as Touch Tone Information Inc., et al., 
Docket No. CV 99-WM-783 (D. Colo., filed April 21, 1999) (alleging that 
defendants obtained private financial information under false 
pretenses).
---------------------------------------------------------------------------
    (1) Toll-free telephone line. The Commission has established a 
toll-free telephone number, 1-877-ID THEFT (438-4338), that consumers 
can call to report incidents of identity theft. Consumers who call the 
Identity Theft Hotline receive telephone counseling from specially 
trained FTC and contractor personnel to help them resolve problems that 
may have resulted from the misuse of their identities. In addition, the 
hotline phone counselors enter information from the consumers' 
complaints into a centralized database, the Identity Theft Data 
Clearinghouse. In operation since November 1, 1999, the Identity Theft 
Hotline has averaged over 400 calls per week.
    Our aim with each consumer call is to provide the comprehensive 
information needed to guard against or resolve problems caused by 
identity theft, and to assist in streamlining the process for the 
consumer wherever possible. Although there is generally no way for 
consumers to avoid contacting the many creditors who may be involved, 
our goal is that consumers should be able to make a single phone call 
to our hotline to report the offense, receive the information and 
assistance they need, and have their complaints referred to the 
appropriate government agency.
    In particular, consumers who are victims of identity theft receive 
specific information about how to try to prevent additional harm to 
their finances and credit histories. The phone counselors instruct the 
callers to contact each of the three credit reporting agencies to 
obtain copies of their credit reports and request that a fraud alert be 
placed on their credit report.\21\ We advise consumers to review the 
information on the credit reports carefully to detect any additional 
evidence of identity theft. The counselors also routinely inform 
callers of their rights under the Fair Credit Reporting Act and provide 
them with the procedures for correcting misinformation on a credit 
report. Consumers receive additional information telling them how to 
contact each of the creditors or service providers where the identity 
thief has established or accessed an account, and to follow up in 
writing by certified mail, return receipt requested. Where the identity 
theft involves ``open end'' credit accounts,\22\ consumers are advised 
on how to take advantage of their rights under the Fair Credit Billing 
Act, which, among other things, limits their responsibility for 
unauthorized charges to fifty dollars in most instances. Consumers who 
have been contacted by a debt collector regarding debts left behind by 
the identity thief are advised of their rights under the Fair Debt 
Collection Practices Act, which limits debt collectors in their 
collection of debts.
---------------------------------------------------------------------------
    \21\ These fraud alerts request that the consumer be contacted when 
new credit is applied for in that consumer's name.
    \22\ The Fair Credit Billing Act applies to ``open end'' credit 
accounts, such as credit cards, revolving charge accounts, and 
overdraft checking accounts. It does not cover installment contracts 
such as loans or extensions of credit that are repaid on a fixed 
schedule.
---------------------------------------------------------------------------
    In addition, the FTC phone counselors advise consumers to notify 
their local police departments, both because local law enforcement may 
be in the best position to catch and prosecute identity thieves, and 
because getting a police report often helps consumers in demonstrating 
to would-be creditors and debt collectors that they are genuine victims 
of identity theft. Almost half the states have enacted their own 
identity theft laws, and our counselors, in appropriate circumstances, 
will refer consumers to other state and local authorities, to pursue 
potential criminal investigation or prosecution.
    (2) Identity Theft complaint database. As mentioned above, detailed 
information from the complaints received on the FTC's toll-free 
Identity Theft Hotline is entered into the FTC's Identity Theft Data 
Clearinghouse (``Clearinghouse''). The Clearinghouse is designed to 
become a comprehensive, government-wide repository of information 
collected from victims of identity theft. In the near future, it will 
begin incorporating complaints received by other government agencies, 
such as the Social Security Administration. Consumers can also enter 
their own complaint information via the public user complaint form at 
www.consumer.gov/idtheft.\23\
---------------------------------------------------------------------------
    \23\ See page 14, infra.
---------------------------------------------------------------------------
    Having designed and built the Clearinghouse database itself, the 
Commission is now developing the tools to extract and analyze the 
information it contains.\24\ The information collected in the 
Clearinghouse will provide the Commission with a better understanding 
of how identity theft occurs. In particular, we will look at whether 
certain types of transactions or business practices lead to greater 
opportunities for the theft of a person's personal information or 
facilitate the misuse of that information once obtained. As we begin to 
identify trends and patterns in the occurrence of identity theft, we 
will share this information with our law enforcement partners so that 
they may better target their resources.\25\
---------------------------------------------------------------------------
    \24\ While Congress authorized the appropriation of such sums as 
may be necessary to carry out the FTC's obligations under the Identity 
Theft Act, Pub. L. No. 105-318 Sec. 5(b), 112 Stat. 310 (1998), no 
funds have been appropriated for the Commission's identity theft 
program. Our ability to fully build out our database, including making 
the information contained therein electronically available to our law 
enforcement partners, as well as our ability to perform sophisticated 
analyses of the data we collect, is contingent on the appropriation of 
adequate funds. Our budget requests for the next three years ask for 
funding of $2.8 million to complete the development of the system and 
maintain our call handling and consumer education responsibilities. 
Appropriations at the requested level would enable us to handle 100,000 
calls for fiscal year 2001, and 200,000 annually thereafter. We have, 
in addition, submitted a reprogramming request to provide $625,000 in 
funds for fiscal year 2000. Of this request, which is now pending with 
the Appropriations Subcommittees, $525,000 would be distributed to the 
agency's contract account, and $100,000 to our equipment account.
    \25\ In addition to our collaborative work with our law enforcement 
partners, the Commission is looking for opportunities to work with 
private sector entities who are critical to addressing identity theft 
issues. For example, credit reporting agencies could provide 
substantial assistance by detailing for this project how their existing 
fraud operations and databases function, and how information could most 
efficiently be shared with them.
---------------------------------------------------------------------------
    Moreover, the Identity Theft Data Clearinghouse will be available 
to law enforcement agencies at the federal, state, and local level 
through a secure, web-based interface. The Commission expects that the 
Clearinghouse will allow the many agencies involved in combating 
identity theft to share data, enabling these offices to work more 
effectively to track down identity thieves and assist consumers.\26\ 
Criminal law enforcement agencies could take advantage of this central 
repository of complaints to spot patterns that might not otherwise be 
apparent from isolated reports. For example, federal law enforcement 
agencies may be able to identify more readily when individuals may have 
been victims of an organized or large-scale identity theft ring.
---------------------------------------------------------------------------
    \26\ The Commission has successfully undertaken a similar effort 
with respect to consumer fraud. The FTC's Consumer Sentinel network is 
a bi-national database of telemarketing, direct mail, and Internet 
complaints accessible to law enforcement officials throughout the U.S. 
and Canada. Currently the Sentinel database contains more than 210,000 
entries, and is used by more than 200 law enforcement offices, ranging 
from local sheriff's offices to FBI field offices.
---------------------------------------------------------------------------
    In addition, the Clearinghouse will facilitate the referral process 
required by the Identity Theft Act. Building upon the Commission's 
experience in sharing data and making referrals to combat consumer 
fraud through its successful Consumer Sentinel network,\27\ we envision 
making identity theft referrals in a variety of ways beyond simply 
referring individual callers to appropriate agencies. As mentioned 
above, Clearinghouse members will be able to access this secure 
database directly from their desktops in order to support their 
investigations. In addition, the Commission plans to disseminate 
complaint information through customized standard reports, extracting 
for our law enforcement partners the Clearinghouse complaints that meet 
the criteria they have designated. Finally, when, during the course of 
our own in-house data analysis, we identify trends or patterns in the 
data that appear to have ramifications for our law enforcement 
partners, we will notify them of that information. Numerous law 
enforcement agencies have already expressed an interest in receiving 
information and referrals in these ways.\28\
---------------------------------------------------------------------------
    \27\ See supra note 26.
    \28\ Pursuant to the requirements of the Identity Theft Act, the 
FTC hopes to gain the cooperation of the three major credit reporting 
agencies to establish an analogous information sharing and referral 
system to allow us to refer complaints received on our toll-free number 
to individual credit bureaus for assistance or resolution, as 
appropriate.
---------------------------------------------------------------------------
    (3) Consumer Education. The FTC has taken the lead in coordinating 
the efforts of government agencies and organizations to develop and 
disseminate comprehensive consumer education material for victims of 
identity theft, and those concerned with preventing identity theft.\29\ 
The results of the FTC's efforts include both print publications and a 
website, located at www.consumer.gov/idtheft. This collaborative 
consumer education effort is ongoing; we hope to lead a similar joint 
effort with many of the private sector financial institutions that have 
an interest in preventing and curing the effects of identity theft.
---------------------------------------------------------------------------
    \29\ Among the organizations the FTC has brought into this effort 
are the Federal Reserve Board, the Office of the Comptroller of the 
Currency, the Federal Deposit Insurance Corporation, the National 
Credit Union Administration, the Office of Thrift Supervision, the 
Department of Justice, the U.S. Secret Service, the Federal Bureau of 
Investigation, the Postal Inspection Service, the Internal Revenue 
Service, the Social Security Administration, the Federal Communications 
Commission, the Securities and Exchange Commission, the U.S. Trustees, 
and the National Association of Attorneys General.
---------------------------------------------------------------------------
    The FTC's most recent publication in this area is a booklet 
entitled: Identity Theft: When Bad Things Happen to Your Good Name.\30\ 
The 21-page booklet covers a wide range of topics, including how 
identity theft occurs, how consumers can protect their personal 
information and minimize their risk, what steps to take immediately 
upon finding out they are a victim, and how to correct credit-related 
and other problems that may result from identity theft. It also 
describes federal and state resources that are available to consumers 
who have particular problems as a result of identity theft. In addition 
to our own initial distribution of this booklet, the Social Security 
Administration has ordered and plans to distribute 100,000 copies of 
the booklet. The Federal Deposit Insurance Corporation has also 
indicated that it will print and distribute the booklet.
---------------------------------------------------------------------------
    \30\ In April, 1999 the FTC took the interim step of issuing a 
consumer alert, Identity Crisis * * * What to Do If Your Identity Is 
Stolen, which gives consumers an overview of what to do if they are 
victims of identity theft.
---------------------------------------------------------------------------
    The Identity Theft web page features a web-based complaint form, 
allowing consumers to send complaints directly into the Identity Theft 
Data Clearinghouse. The website also includes the comprehensive 
identity theft booklet as well as other publications, tips for 
consumers, testimony and reports, information on recent identity theft 
cases, links to identity theft-related state and federal laws, 
descriptions of common identity theft scams, and links to other 
organizations and resources.\31\
---------------------------------------------------------------------------
    \31\ The www.consumer.gov site is a multi-agency ``one-stop'' 
website for consumer information. The FTC hosts the server and provides 
all technical maintenance for the site. It contains a wide array of 
consumer information and currently has links to information from 61 
federal agencies. The consumer.gov project was awarded the Hammer Award 
in March 1999.
---------------------------------------------------------------------------
    Finally, the Commission recognizes that the success of this effort 
hinges on the public's awareness of these resources. On February 17, 
2000, the Commission announced its Identity Theft Program, promoting 
the toll-free number, the website and our consumer education 
campaign.\32\ We anticipate that we will see an increase in our call 
volume and website visits following these efforts to raise the public 
awareness of identity theft.
---------------------------------------------------------------------------
    \32\ While the toll-free number has been operational since November 
1999, we waited several months to make a major announcement in order to 
fully train the telephone counselors, and otherwise smooth out the data 
collection operations. Even without a formal announcement, the toll-
free line has received an average of 400 calls per week.
---------------------------------------------------------------------------
                           iv. ongoing issues
    In May 1998, the Commission testified before this subcommittee in 
support of the Identity Theft and Assumption Deterrence Act. The 
Commission continues to believe that the Act is an important tool in 
addressing the problem of identity theft. Since its passage, the FTC 
has increased its efforts to develop a program to quantify the data 
regarding identity theft, to provide assistance to identity theft 
victims who seek help in resolving identity theft disputes, and provide 
consumers and others a central place in the federal government to go 
for information about identity theft. Already, in the relatively brief 
time our identity theft hotline has been operational, the FTC has 
assisted over 4000 consumers who have been, or are worried about 
becoming, victims of identity theft. We anticipate that our consumer 
assistance program will continue to expand and grow over the coming 
months.
    Notwithstanding our efforts and those of other law enforcement 
agencies, however, identity theft continues to pose significant 
problems for consumers. Some preliminary areas of concern to the 
Commission are as follows:
    Prevention. Although many bank, credit card issuers, and other 
companies have put into place extensive systems to guard against 
identity theft, there nonetheless remain a number of continuing 
practices that may contribute to the problem of identity theft. Fraud 
alerts, for instance, are not fulproof. Identity thieves may be able to 
open accounts in the victim's name notwithstanding a fraud alert either 
because the fraud alert is not picked up by the credit scoring or other 
automated system used by the new creditor, or because the creditor 
fails to take sufficient precautions to verify the applicant's 
legitimacy when presented with a fraud alert. One caller to the FTC's 
hotline whose wallet had been stolen, for example, reported that after 
placing a fraud alert on her credit reports, at least seven fraudulent 
accounts were opened in her name at various retail establishments that 
granted ``instant credit'' based only on a credit score that did not 
take into account fraud alerts.\33\
---------------------------------------------------------------------------
    \33\ Of course, it is important to the prevention of identity theft 
that creditors pay attention and follow-up with appropriate 
verification procedures wherever there are possible indicia of fraud. 
One Arlington, Virginia resident who called the FTC had been disturbed 
to find that her ATM card no longer worked. When she called her bank, 
she learned that someone using her name had reported her card lost, and 
asked that a replacement card be sent--to Brooklyn, New York. The 
sudden change-of-address presumably should have raised a red flag, but, 
in fact, apparently triggered no further investigation. Such 
oversights, often committed out of an understandable desire to provide 
prompt customer service, do not appear to be uncommon.
---------------------------------------------------------------------------
    In addition, although individual credit issuers have systems to 
detect automatically unusual patterns of activity, it is more difficult 
to detect unusual activity across creditors. Thus, for example, if an 
identity thief opens 30 different credit accounts in the course of 2 
days, none of the 30 individual creditors may notice anything unusual. 
However, taken as a whole, the pattern of activity would likely trigger 
suspicion. Thus, one possible area for further action lies in bringing 
together creditors and credit reporting agencies (the group that is 
probably best placed to notice when there have been numerous credit 
applications or new accounts opened) to develop mechanisms for 
detecting such fraud--and thus heading off identity theft.
    Remediation. Identity theft victims continue to face numerous 
obstacles to resolving the credit problems that frequently result from 
identity theft.\34\ For example, many consumers must contact and re-
contact creditors, credit bureaus, and debt collectors, often with 
frustrating results. Using the data collected from consumer complaints, 
the Commission is actively monitoring the nature and extent of problems 
reported by consumers, and looking at possible means of addressing 
these problems, including ways of streamlining the remediation process.
---------------------------------------------------------------------------
    \34\ Some identity theft victims face significant, non-credit-
related problems as well. For example, in a small but troubling number 
of cases, consumers calling the FTC's toll-free number have reported 
that they themselves have been arrested because of something an 
identity thief did while using their name, or that they learned they 
had a criminal arrest or conviction on record because an identity thief 
used identification with their name rather than his or her own when 
arrested for committing some other crime. Needless to say, correcting 
legal arrest or conviction records can prove extremely difficult.
---------------------------------------------------------------------------
    In particular, the FTC believes that, as a first step, it would 
benefit consumers if they could make a single phone call--presumably, 
to any of the major credit bureaus or to the FTC's hotline--and have a 
fraud alert placed on all three of their credit reports, and copies of 
each of their three reports sent to their home address. The success of 
such an effort depends on the cooperation of the major credit 
bureaus.\35\
---------------------------------------------------------------------------
    \35\ Another question potentially raised by the experiences of 
identity theft victims is whether the protections currently afforded by 
laws such as the Fair Credit Reporting Act and Fair Credit Billing Act 
are adequate for resolving the problems commonly faced by identity 
theft victims. Because the data the Commission has gathered in the 
short time its hotline has been operational are limited, it would be 
premature to try to resolve such questions at this time.
---------------------------------------------------------------------------
    As the FTC's new identity theft program expands, the Commission 
will have more data and experience from which to draw in determining 
what additional actions may need to be taken to best assist identity 
theft victims.

                         V. COOPERATIVE EFFORTS
    The Commission has been working closely with other agencies in a 
number of ways to establish a coordinated effort to identify the 
factors that lead to identity theft, work to minimize those 
opportunities, enhance law enforcement and help consumers resolve 
identity theft problems. In April 1999, for example, Commission staff 
held a meeting with representatives of 17 federal agencies as well as 
the National Association of Attorneys General to discuss implementing 
the consumer assistance provisions of the Identity Theft Act. In 
addition, FTC staff participates in the identity theft subcommittee of 
the Attorney General's Council on White Collar Crime, which has, among 
other things, developed guidance for law enforcement field offices on 
how best to assist identity theft victims. FTC staff also coordinates 
with staff from the Social Security Administration's Inspector 
General's Office on the handling of social security number misuse 
complaints, a leading source of identity theft problems.
    Furthermore, almost half of the states have now enacted their own 
statutes specifically criminalizing identity theft. Others have passed, 
or are considering, further legislation to assist victims of identity 
theft,\36\ including legislation specifically designed to help victims 
clear up their credit records.\37\ The Commission is committed to 
working with states and local governments on this issue, and learning 
from their efforts.
---------------------------------------------------------------------------
    \36\ See, e.g., Iowa Code Sec. 714.16B (creating a private right of 
action for victims of identity theft).
    \37\ See Cal. Civ. Code Sec. 1785.6 (providing that if a consumer 
provides a credit bureau with a copy of police report of identity 
theft, the credit bureau ``shall promptly and permanently block 
reporting any information that the consumer alleges appears on his or 
her credit report as a result of a violation of Section 530.5 of the 
Penal Code [the California identity theft statute] so that the 
information cannot be reported''; the information may be unblocked 
``only upon a preponderance of the evidence'' establishing that the 
information was blocked due to fraud, error, or that the consumer knew 
or should have known that he or she obtained goods, services, or moneys 
as a result of the blocked transactions).
---------------------------------------------------------------------------
    Most recently, FTC staff has been assisting the Department of 
Treasury on plans for the upcoming National Summit on Identity Theft on 
March 15-16. The Summit provides a significant opportunity for 
government and business leaders to develop partnerships to combat 
identity theft and assist its victims.

                             VI. CONCLUSION
    The Commission, working closely with other federal agencies and the 
private sector, has already made strides towards identifying ways to 
reduce the incidence of identity theft. More focused law enforcement, 
greater consumer education and increased awareness by the private 
sector will all contribute to this effort. The FTC also looks forward 
to working with the Subcommittee to find ways to prevent this crime and 
to assist its victims.

    Senator Kyl. Thank you very much. I appreciate the 
testimony that both of you have given to us.
    Let me just get right to the heart of a couple of questions 
I had regarding the FTC. Have you been appropriated enough 
money, do you think, to accomplish the various tasks that the 
statute mandates to the FTC? If not, is there anything else 
that you need?
    Ms. Bernstein. We really haven't been appropriated any 
money for this program. What we have done so far in my bureau 
is shifting funds from other programs to try to staff, as we 
have, this program, and I think we have done well. However, we 
have a pending reprogramming request for $625,000 for the 
current fiscal year, and the Commission submitted a budget that 
requested $2.8 million for each of the next 3 years. We have 
estimated that if the reprogramming request was granted and the 
new budget put in place that we would be well provided for in 
terms of resources to be able to run a really more aggressive 
program.
    Senator Kyl. Was that the budget request from the White 
House?
    Ms. Bernstein. Yes.
    Senator Kyl. OK, good, and if you need help on the 
reprogramming, too, be sure and let us know about that.
    Ms. Bernstein. Thank you.
    Senator Kyl. Have the credit bureaus been working, do you 
think, well with the FTC to address the problem generally?
    Ms. Bernstein. With every effort to be diplomatic, I would 
say that we would have hoped for more cooperation.
    Senator Kyl. I kind of thought so. What about a special 
number? And I am not suggesting that the Federal Government 
mandate this, but considering one of Ms. Mitchell's problems, 
do you think that if we encouraged the credit bureaus to have a 
special number for ID theft reporting that people wouldn't have 
as much trouble getting through to a real person to talk about 
these things?
    Ms. Bernstein. I would think that that would be a great 
assistance to people. Just one central source, whether it be to 
the FTC or whether they do it separately, any way, as Maureen 
said, that you could cut down on the number of efforts that the 
individual has to make would be extremely helpful.
    Senator Kyl. Any recommendations that you would like to 
make to us in that regard I would appreciate very much, not 
necessarily as amendments to the existing law, not necessarily 
law, but recommendations that we might implement by encouraging 
credit agencies to do certain things or in some other way 
effectuating them. That would all be appreciated.
    With respect to local law enforcement, one of Ms. 
Mitchell's concerns was that they didn't seem to be as aware of 
the Federal law as they need to be. What more can we do to get 
notice--and maybe this is a question really for both of you--
notice more to the local law enforcement agencies?
    Mr. Regan. Yes, sir. We try to address that through our 
task force involvement. We have currently 28 task forces 
throughout the country and they include State, local and county 
police officers. Unfortunately, we are comparatively a small 
agency. So our task forces aren't in every city, but where they 
are we include all law enforcement agencies in that area and we 
try to get it out like that.
    We also have an Internet site, on which we put several 
things out there now. In fact, we see the future of identity 
theft basically being on the electronic side. We are moving 
toward a cashless society, or an electronic commerce type 
society ourselves here in the United States, and we are seeing 
most of the crime activity being used within the Internet, 
either the Internet being used as a tool to move it forward or 
to hide behind it, to be anonymous, and so forth.
    Identity theft is a component of what is going on there. 
The theft of people's account numbers through Internet hacking 
and through skimming, which is the theft of account information 
off the back of mag strips, are all part of it. And one of the 
things we are doing with local law enforcement--and I think you 
have a copy of it, sir--is we printed this up for local law 
enforcement and it is called ``Best Practices for Seizing 
Electronic Evidence.''
    And what this is for is to give the local police officer, 
who is usually the first responder, because, like I say, we are 
a comparatively small agency--if there is a problem, the local 
police officer is the first one on the scene. And if, in fact, 
it is an identity theft where they use the electronic medium, 
what is that police officer supposed to do with that computer? 
And it is supposed to make him a little bit comfortable in what 
could be considered evidence within that area, what holds 
information, what would hold account numbers in people's names, 
and so forth, and how to safely handle it, as well as a list of 
contacts and how to track back e-mail headers, and so forth.
    So we are doing certain things like that as outreach to the 
field now, and we continue to do it. This is also available on 
our Internet site for those agencies we haven't gotten the 
booklets to yet. We have distributed over 60,000 of them this 
year, and we are hoping to do another 100,000 by the end of 
this coming year.
    Senator Kyl. I might suggest that maybe there be some 
reference also when you do this again to the Federal law so 
that they can appreciate the fact that there are both Federal 
and State laws involved. This looks very helpful, by the way.
    Mr. Regan. Yes, sir, thank you.
    Senator Kyl. My understanding is that what has happened is 
since we got the law passed that a lot of people are now being 
charged under this new law, but that we might not be aware of 
the true magnitude of the crime because there are a lot of plea 
bargains taken, and that frequently the new law is the charge 
that is dropped in the course of making the plea bargain.
    It is obviously helpful to have that additional crime to 
charge because you can more likely get a plea bargain and a 
better sentence, but frequently this is the particular charge 
that is dropped. So we may not have a real good handle on the 
number of situations in which people have actually been guilty 
of this particular crime.
    Can you discuss that with us at all at this point?
    Mr. Regan. Yes, sir. I think you are a hundred percent 
correct. I think this law is used extensively in financial 
crimes. It would be virtually impossible to perform most 
financial crimes without some form of false identification, not 
necessarily an identity theft, but some form of false 
identification.
    When you talk about credit fraud, it is usually an identity 
theft. When you talk about skimming, it would be an identity 
theft. And what all too often will happen is we will pick up an 
individual and that individual might be indicted on 15, 20 
counts. And the agreement comes out that they take a plea to 
certain counts, maybe a bank card count or a credit card count. 
And the other counts, although they were all part of the 
indictment, just fall off by the plea, so that it is very hard 
to capture that information that comes through. But I think 
that this violation is used extensively in Federal financial 
criminal investigations, sir.
    Senator Kyl. Well, we will, of course, want to continue to 
follow the progress of that to make sure that what we have done 
is worthwhile for law enforcement agencies. And if there are 
any changes that need to be made in it, we can, based on your 
recommendations, make those changes.
    Are you getting the information you need from the FTC for 
the Secret Service to initiate an investigation when it is 
warranted?
    Mr. Regan. Yes, sir, very much so. In fact, we are working 
very, very closely with the FTC and it is working out very 
well. In fact, I have worked with Beth Grossman myself on 
numerous occasions and it is a pleasure to work with them on 
this.
    Ms. Bernstein. Mr. Chairman, I may mention in connection 
with the local law enforcement question that you asked that we 
think that when the identity theft clearinghouse is really 
fully established for the benefit of local law enforcement--
that has been our experience with our database that that is 
just a boon to a local law enforcement person. When he or she 
gets a call and is perhaps in a small community somewhere and 
doesn't have a lot of assistance to be able to dial into that 
database and quickly find out whether there have been other 
complaints about that particular theft, what has happened with 
it, where they can get assistance, it has just been an enormous 
help in other fraud areas that we have used. So when we are up 
to the place where it is fully developed--and we are not too 
far from that--I think it will be an enormous assistance to 
local law enforcement.
    Senator Kyl. That is great. That is one of the two 
directions we want to go. Let me focus on the other direction, 
and that is how to make the system more user-friendly and 
effective for the actual victims, people like Ms. Mitchell.
    Maybe you could walk us through what happens when somebody 
like Ms. Mitchell calls the FTC hotline. What do you do? And 
then more specifically, how is that helping her to both prevent 
continual violations of her identity or credit and cleaning up 
the credit violations that have already occurred?
    Ms. Bernstein. Well, the first thing that happens is Ms. 
Mitchell, for example, would call and in this case Kathleen 
Lund answers the telephone. And I would say that we have 
specially trained those counselors who are dealing with 
identity theft because it is more complicated; it is criminal 
as opposed to other types of fraud which are often civil, as 
you know. And we have worked hard to be sure that we were 
providing the counselors with enough information so that they 
would know how to proceed.
    And Kathleen would then ask her what happened, obviously, 
and she would tell her, get the relevant information about it. 
And then the first thing to do would be to advise her of what 
steps she ought to take immediately, and those steps, of 
course, are, as you heard from Ms. Mitchell, to notify the 
credit bureaus, to notify creditors, the merchants that she 
talked about, and most particularly to call the police. It is 
important to have a police report on record very quickly.
    She would then provide her with fuller information, which 
she can get on a Web site or we would put into the mail, 
whatever is convenient for her, to begin the process of getting 
those fraud alerts on the credit reports because that is the 
first line of defense.
    Senator Kyl. Now, how, physically, does that actually 
occur?
    Ms. Bernstein. How physically does it occur?
    Senator Kyl. Yes. She has now notified the FTC.
    Ms. Bernstein. The FTC tells her the numbers of the credit 
bureaus, and there are three of them, as she indicated, and 
they have a line that we ask her to call because that is what 
the process is. She then calls the credit bureau--and hopefully 
she doesn't get a ringing phone; hopefully, she gets a real 
person--and reports what has happened to her and asks them to 
immediately put a fraud flag on her credit report.
    The purpose of that obviously is to alert others--
merchants, the fellow who is going to issue a loan for a car--
when he or she asks for a credit report, which they do before 
opening a line of credit, to see that there is already a fraud 
alert on that credit report. That really should be a warning to 
that creditor to think carefully before extending credit to 
what may not be the appropriate person. So, that is how that 
gets done.
    Now, Ms. Mitchell's experience was, I think--and she made a 
valuable point about it--if it is on the last page of the 
credit report and it is in type that doesn't jump out at the 
person who is reviewing it and they are in a hurry, it 
certainly would be an improvement--and it doesn't have to be by 
Federal law; it could certainly be something that the committee 
could encourage the credit bureaus to undertake voluntarily to 
improve the fraud alerts that are on the credit reports.
    Senator Kyl. How do you at the FTC, or the credit bureaus 
themselves, verify the validity of the information presented by 
somebody such as Ms. Mitchell so that they know that it is not 
a scam themselves?
    Ms. Bernstein. Well, we have some ways of verifying who the 
person is. We can communicate back with them. They give us an 
address. We can check them out as to whether or not we have 
other indications of who they are. We have not experienced 
getting false claims into our system. That would be something 
that we would be careful with, obviously, before we proceed.
    The credit bureaus also have their regular means of 
verifying who people are that they have to do all the time 
because they are issuing credit reports. So they have various 
means of verification, like drivers' licenses and other 
documentation that they can ask for before proceeding.
    Senator Kyl. I think one thing that has occurred to me is 
that maybe we need to ask some of the credit agency or credit 
bureau people to come and testify to us, and we can present 
some concerns and questions to them and maybe they can tell us 
what they might do to improve the situation. Do you think that 
might be a helpful exercise?
    Ms. Bernstein. I think it would be very helpful.
    Senator Kyl. OK, I think we will consider doing that. Would 
it be possible to accomplish this notification electronically 
through the FTC, do you think?
    Ms. Bernstein. You mean a generalized notification to the 
credit bureaus?
    Senator Kyl. Yes.
    Ms. Bernstein. Yes, I think so; I think it could be.
    Senator Kyl. In other words, Ms. Mitchell has notified us. 
We have determined, at least prime facie, that there is a valid 
complaint on her part. Would the three of you please verify 
this independently and flag it, if appropriate?
    Ms. Bernstein. Right, and let us know that it has been 
verified or it has been flagged.
    Senator Kyl. Would you consider doing that and get back to 
us to see how easy that would be, or difficult?
    Ms. Bernstein. I would be glad to do that, and I would need 
to see how easy it is to do.
    Senator Kyl. Yes.
    Ms. Bernstein. But Beth here is almost as good on computers 
as the thieves are, and she will be able to tell me.
    Senator Kyl. Single-handedly.
    Ms. Bernstein. Single-handedly is right.
    Senator Kyl. Well, check that out as an additional way 
maybe to get this process undertaken.
    Ms. Bernstein. We would be glad to explore that, or perhaps 
there is another way that that would be useful, and we will be 
glad to respond to that.
    Senator Kyl. Well, I think what I am getting at here for 
both of you is, first of all, to compliment both of you for 
helping us to use the law that we passed, to confirm that we 
are on the right track, that it seems to be a positive 
development in the area. It obviously doesn't solve the 
problem, but it can make life a little easier for those whose 
identity has been stolen, and at least help you also to go 
after the perpetrators.
    What we would like to do is to get any other suggestions 
that either the Secret Service or the FTC have as additional 
experience shows you what is working and what isn't working, 
either to modify your internal operating procedures or perhaps 
to give us additional suggestions as to what we should do with 
the law.
    I would also ask on behalf of my colleagues on the 
committee to get the data together in whatever good, reportable 
form you are comfortable with and get that to us as soon as you 
can so that we can report to our colleagues how it is working 
and what changes may be needed--and we will call on you to 
determine what the best reportable form for that is and when 
you can get that data to us--and then finally any suggestions 
that you would have about any additional hearings, including 
perhaps the credit agencies.
    And I would suggest would it not be appropriate not only to 
have credit bureaus, but also a couple of the larger credit-
extending agencies? I don't want to pick on anybody in 
particular, but one of the major automobile manufacturers and 
sellers of automobiles extending credit, somebody like that. We 
will work with you so that you can give us some suggestions as 
to maybe the most representative of that kind of entity.
    There was one other thing in my mind and now it has flown 
out. Well, any other suggestions from either of you as to what 
the committee should be doing at this point in our continuing 
oversight? Anything else from either of you?
    [No response.]
    Senator Kyl. What will you be doing, either or both of you, 
at next week's seminar, and can you describe for us briefly how 
that will occur and what the public might expect from that, how 
they could tune in and participate. This is the President's 
symposium or whatever it is called.
    Mr. Regan. Yes, sir. As far as the Secret Service and 
myself in particular, I will be chairing one of the committees 
addressing law enforcement and our response to it, and more 
importantly how do we respond both nationally and 
internationally, because one of the things we are seeing on the 
identity theft issue today is there is no such thing as a case 
here in, say, Washington, DC.
    What we will see is they are organized and they are rings, 
as we heard earlier, and they are often both national and 
international in scope. A lot of things we are dealing with are 
on the international side of the house on how to deal with 
countries in the G-8 with law enforcement issues over there, 
how to identify points of compromise.
    One of the questions that Senator Grassley brought up, did 
you ever find out how your point of compromise came about--
well, it is very difficult at times when you are dealing with a 
multitude of different ways for your identity to be stolen. 
Some of the Nigerian organized criminal groups are very, very 
good at recruitment of individuals from banks and from private 
industry, and so forth, to get background information. The 
Chinese gangs have moved into the electronic age where they are 
using hacking devices and Internet theft to actually get into 
it.
    So we are trying to identify how points of compromise come 
about and shut them down. More importantly, how can law 
enforcement respond, especially as the technology moves forward 
and electronically everyday it just enhances. You know, today's 
computer equipment is really obsolete 6 months down the road, 
and that is kind of what we are looking at.
    Because we are going to an electronic commerce society, the 
United States becomes a huge pool of potential victims because 
we all have credit now. You know, 5 years ago who would have 
thought that you could go to a gas station, take your debit 
card and fill up your car and never see the attendant? People 
don't even get their paychecks anymore; they are electronically 
deposited into their accounts.
    So we are moving away from paper and we are moving toward 
electronics, and it is a good thing. But with all this 
enthusiasm for the Internet, you have got to temper it with a 
little caution. We are seeing the same tools that are being 
used to make our lives a little better are also being used to 
defraud financial institutions and steal people's identities.
    Senator Kyl. So you will be participating in the program?
    Mr. Regan. Yes, sir.
    Senator Kyl. Ms. Bernstein, before you answer, let me just 
for the benefit of the audience make something kind of clear 
here. This subcommittee of the Judiciary Committee is the 
Subcommittee on Technology, Terrorism, and Government 
Information. And it is not always the case that all three of 
those things intersect, but at least two of the three intersect 
here. Government information could, as a result of Social 
Security numbers and other information, be involved as well.
    The charge for our subcommittee is to try to keep track of 
the evolution of technology and how law needs to keep pace with 
that evolution. A couple of other examples: cell phone cloning 
didn't exist 10 or 12 years ago. It all of a sudden got to be a 
big crime and we needed to bring the law with respect to cell 
phone cloning up to date. We are trying to do the same with 
Internet gambling. Activity that has been prohibited since 1961 
under the Federal Wire and Telephone Act, we suddenly find may 
be somewhat outdated as a result of the difference in the 
transmission of the data. So the Senate unanimously passed 
revisions to that law.
    And there will be other efforts, including this identity 
theft, which isn't necessarily dependent upon electronic 
transfer of data or hacking into a computer system to get the 
information. Sometimes, it is as simple as going through a 
garbage can, but it is usually still pulling off a slip that 
has to do with some credit card or something else that is 
transmitted electronically, but not necessarily always.
    So, that is what our subcommittee is all about, and it 
takes the efforts of entities like the FTC and the Secret 
Service to help us do our job. So for anybody that is concerned 
or interested in that, you are welcome to contact our staff for 
further information. Or if you have some suggestions about 
other things we need to do, we would be happy to take those, 
too.
    Finally, Ms. Bernstein, what will your participation be in 
this meeting next week?
    Ms. Bernstein. Mr. Chairman, two of us are on panels. I am 
participating on a panel that is going to take some further 
initiatives for public-private partnerships for consumer 
education. Some of the things we have talked about today 
undoubtedly will be raised, and the private sector folks, I 
believe, will be attending and will participate on the panel. 
So we hope to get some commitments, if you will, from the 
private sector. We have in the past, and we are optimistic.
    Hugh Stevenson, who is also on our staff, is on a panel 
that will be discussing additional ways to be of assistance to 
victims. That is something that you addressed, I know, in 
connection with the sponsorship of the legislation itself. And 
while we believe we have done a good job of training counselors 
to do a certain amount, there may be some other ways in which 
we can provide, either with other Government agencies or with 
the private sector, better ways to assist victims because it is 
such a difficult, difficult thing to undertake.
    Senator Kyl. I would especially be interested in the 
conclusions in that regard because I still don't think we have 
gone far enough in being able to help somebody like Ms. 
Mitchell actually go back and clear her credit.
    Ms. Mitchell, could you come to the dias for one last 
question here that I neglected to ask before?
    My question is this. What would be helpful to you that you 
don't currently have to help you clear your credit or to 
prevent entities from extending credit to the people who have 
stolen your identity? Once you know, in other words, that it 
has occurred and you have contacted the FTC and now you have 
got to go about the job of getting your credit cleared and 
stopping any further violations, what would be useful for you 
to have, if anything, to do that?
    Ms. Mitchell. I think there would be two things that would 
be very helpful. One would be the fraud alerts appearing on the 
credit reports in a very conspicuous place.
    Senator Kyl. Right, we got that.
    Ms. Mitchell. The other would be once it is established 
that a victim is a bona fide victim with whatever system of 
verification needs to be there, then one package of boilerplate 
documents to be filled out, a protocol that is universally 
accepted by all of the merchants who have been defrauded, 
rather than having the victim fill out 20 or 30 different 
protocols.
    Senator Kyl. Excellent. Now, what I would like to suggest, 
Ms. Bernstein, is when you meet with these folks next week, put 
that to them, because this would be better done voluntarily 
than through a law.
    Ms. Bernstein. We agree.
    Senator Kyl. See if they are willing to work on this 
problem with you and develop this protocol, and also more 
clearly and forthrightly post the fraud alert on their credit 
reporting. Maybe if you could get back to us after that or 
after you have had some contact with them, contact our staff so 
that we can see what we need to do, maybe calling them before 
us to see whether they are agreeable to these things, perhaps 
getting a report back from you. Most especially, we want to be 
able to report back to Ms. Mitchell.
    So if there is nothing else that the three of you have, I 
will declare this meeting adjourned, but I thank you very, very 
much for joining us today. It has been very, very helpful.
    Mr. Regan. Thank you, Senator.
    Ms. Bernstein. Thank you.
    Senator Kyl. The hearing is adjourned.
    [Whereupon, at 3:20 p.m., the subcommittee was adjourned.]
                            A P P E N D I X

                              ----------                              


                         Questions and Answers

                              ----------                              


    Responses of Jodie Bernstein to Questions From Senator Feinstein

    Question 1. It is my understanding that the identity theft victim 
bears the responsibility for correcting errors on her credit record 
even after reporting the theft to the major credit bureaus and having a 
fraud alert placed on her file. For example, it is typically up to the 
identity fraud victim to call the affected creditors individually and 
alert them to the fraudulent activity in her name.
    This task can be incredibly burdensome. There is no standardized 
form to report identity theft, so the victim must fill out multiple 
sets of forms with the same information. Despite months of effort and 
hundreds of phone calls, victims still report not being able to get 
their credit rating restored.
    Do you think more can be done to assist identity theft victims who 
are trying to restore their credit rating? Is it possible to draft a 
single, standardized set of documents that victims could fill out?
    Answer 1. We believe that more can, and should, be done to assist 
victims of identity theft restore their credit standing, and the 
Federal Trade Commission is working with other public and private 
organizations to identify the most effective ways to accomplish this. 
Many of the identity fraud victims who call the FTC's Identity Theft 
Hotline report their frustration at having to fill out numerous and 
different forms, and make a series of telephone calls in their attempt 
to resolve their identity theft-related disputes. Certainly, a single 
standardized affidavit, accepted by the credit reporting agencies 
(``CRA'') and major financial and credit granting institutions, would 
relieve some of this burden and streamline the complaint process. As I 
noted in my testimony before the Subcommittee, we would support such an 
effort, and are ready to work with industry to develop a form that 
would meet the needs of the affected institutions.
    A standardized form is just one measure that would relieve the 
burden on identity theft victims. Another practical step to streamline 
the complaint process would be to reduce the number of telephone calls 
the consumer has to make to report identity theft. Currently, an 
identity theft victim must contact each of the three major CRA's to 
request that a fraud alert be placed on her credit report. We would 
welcome a system that allowed a victim to call one of the agencies, and 
for that agency to transmit the information to the other two CRA's. In 
addition, some consumers learn only after calling our hotline that they 
should alert the CRA's if they are victims or potential victims of 
identity theft (e.g. if their wallet was lost or stolen). Assuming the 
availability of appropriate funding, we are prepared to establish the 
technology that would, with the consumer's consent, transmit the data 
to the CRA's to enable them to place a fraud alert on the credit report 
and send the victim a copy of their credit report, thus eliminating the 
need for the consumer to call the CRA's. We have raised this idea with 
representatives for the industry, and will move forward as soon as we 
obtain an indication of their willingness to pursue this system.

    Question 2. What is your best estimate of the annual number of 
victims of identity fraud in this country? What is your best estimate 
of the annual financial costs of identity fraud to American consumers 
and American industry?
    Answer 2. To the best of our knowledge, no current reliable 
statistics exist on the overall extent of identity theft in this 
country. From the limited available information, however, we estimate 
that there are hundreds of thousands of identity theft victims 
annually. According to the General Accounting Office's May 1998 report 
on identity fraud (which, too, found no comprehensive statistics on 
identity fraud), Trans Union, one of the nation's three major credit 
bureaus, reported that they received over 500,000 calls to their fraud 
victim assistance department in 1997, approximately two-thirds of which 
involved incidents of identity theft. Government agencies, too, have 
heard from significant numbers of identity theft victims. In 1999, for 
example, the Social Security Administration's Office of Inspector 
General received 39,000 consumer complaints of ``social security number 
misuse,'' a category generally equivalent to identity theft. The FTC, 
for its part, has recently received as many as 1,000 calls per week to 
its recently launched toll-free Identity Theft Hotline, and we believe 
that so far we are hearing from only a small minority of all identity 
theft victims.
    As to the financial costs of identity theft, the Treasury 
Department has estimated that credit card fraud alone results in $2-3 
billion dollars in fraud losses annually.

    Question 3. In your testimony, you describe the practice of 
``skimming'' in which identity thieves use sophisticated devices to 
intercept personal information on credit cards and ATM cards. How 
widespread is this practice? What can be done to stop this practice?
    Answer 3. The Commission is very concerned about the practice of 
skimming and its implications for identity theft, but, as a civil law 
enforcement agency, lacks first-hand knowledge about the extent of this 
criminal practice. The American Bankers Association, however, has 
described skimming as the most significant problem facing the credit 
card industry today and in the near future. One important measure being 
taken to combat skimming--announced at the recent National Summit on 
Identity Theft--is the U.S. Secret Service's skimming database. 
Developed in partnership with the financial industry, the database 
helps identify common suspects and address trends in skimming and 
related financial crimes. We hope that this will serve as a model for 
ways in which the public and private sector can cooperate to thwart not 
only skimming but other fraudulent practices as well.

                               __________

    Responses of Jodie Bernstein to Questions From Senator Grassley

    Question 1. In your testimony, you referred to the Fair Credit 
Billing Act and the Fair Credit Reporting Act, and how these two laws 
provide important protections for consumers trying to clear up their 
credit records after having their identity stolen. Are statistics 
compiled by the FTC, or any other agency, to support whether these two 
laws are successfully aiding consumers? Do we know with certainty that 
consumer liability is limited and that credit reporting agencies are 
correcting inaccurate information?
    Answer 1. As noted in our testimony, the Commission believes that 
the Fair Credit Billing Act and the Fair Credit Reporting Act provide 
important protections to consumers as they attempt to undue the credit 
damage done by an identity thief. Section 133 of the Fair Credit 
Billing Act (15 U.S.C. 1643) specifically limits liability of credit 
cardholders in the case of unauthorized use to $50. The Commission has 
received few complaints about companies not complying with this 
provision; indeed, it is our understanding that in most instances, 
credit card issuers waive the $50 charge and impose no liability on 
consumers for fraudulent credit card charges.
    Section 611 of the Fair Credit Reporting Act (15 U.S.C. 1681i) 
requires consumer reporting agencies to investigate information in 
their files that is disputed by consumers as inaccurate or incomplete, 
and to delete or correct information based on the results of the 
investigation. Similarly, Section 623 of the Fair Credit Reporting Act 
(15 U.S.C. 1681s-2) requires credit information furnishers to 
reinvestigate information provided to credit reporting agencies that is 
disputed by consumers as inaccurate or incomplete and to report the 
results of that investigation to the credit reporting agencies. Because 
our identity theft database is still new, it is still too early for us 
to determine the extent to which the credit report inaccuracies that 
often result from identity theft are being promptly corrected by credit 
reporting agencies and credit information furnishers. We continue to 
monitor complaints from consumers on this issue. That the Commission is 
committed to enforcing the requirements of the Fair Credit Reporting 
Act is demonstrated by the FTC's recent actions against three major 
credit bureaus for failing to maintain toll-free telephone numbers with 
personnel accessible to consumers during normal business hours. Those 
actions were based on Section 609(c)(1)(B) of the Fair Credit Reporting 
Act, and were settled by an agreement filed on January 13, 2000, under 
which those credit bureaus paid civil penalties totaling $2,500,000.

    Question 2. How do we know whether consumer information is provided 
only to entities with ``permissible purposes?'' Is that something we 
only find out when a consumer files a complaint?
    Answer 2. Consumer complaints are a principle way we learn of 
consumer information being provided for impermissible purposes. Many of 
the complaints we receive come to us through the toll-free number 
connected with our Consumer Response Center, where our phone counselors 
enter them into our consumer complaint database. This data reveals 
individual cases of impermissible use of consumer information, as well 
as broader trends.
    The Commission also learns of law violations through periodic 
reviews of industry business practices. For example, in the recent case 
against Trans Union, the Commission upheld the decision of an FTC 
administrative law judge, ordering Trans Union to stop selling consumer 
reports in the form of target marketing lists. The complaint had 
charged the sale of such lists violated the FCRA because the marketers 
to whom they were sold lacked a permissible purpose. The Commission had 
earlier entered into settlements with Experian and Equifax on similar 
charges.

    Question 3. How many individuals have been prosecuted under the 
Identity Theft and Assumption Deterrence Act, since its passage in 
1998, for knowingly transferring or using the identity of another 
person? How many have been convicted? Do you have any recommendations 
for changes in the identity theft law to enhance its effectiveness?
    Answer 3. As you know, the Commission does not have jurisdiction to 
bring criminal prosecutions, and we do not have statistics on the total 
number of cases brought by the Department of Justice under the Identity 
Theft and Assumption Deterrence Act. The most recent data available to 
us, compiled by the U.S. Sentencing Commission, indicate that there 
were 12 criminal convictions under the Identity Theft and Assumption 
Deterrence Act in fiscal year 1999.
    Such statistics may underestimate the number of recent identity 
theft cases for at least two reasons. First, because prosecutions under 
the Act may be brought only for crimes committed after the Act went 
into effect, there is necessarily a certain amount of lag time before 
convictions may be entered under the new statute. Second, identity 
theft is often part of a larger financial criminal scheme, and an 
identity theft prosecution may involve multiple counts under several 
different statutes; in a plea bargain one or more of these initial 
charges (including, in some instances, the identity theft charge) may 
be dropped.
    We believe that at the present time law enforcement agencies have 
sufficiently little experience with the Identity Theft and Assumption 
Deterrence Act that it is therefore premature for us to make any 
recommendations for changes. As the FTC's Identity Theft Data 
Clearinghouse grows, however, and we have additional data available to 
us, we expect to revisit the issue of whether there are additional 
legislative measures that would more effectively combat identity theft 
and ensure that its victims are made whole.

    Question 4. According to your testimony, it sounds like the 
centralized complaint and consumer education service has gotten 
underway only in the last few months. How long do you think it will 
take before you have the system in full operation?
    Answer 4. The core elements of the centralized complaint and 
consumer education service were developed and implemented within the 
statutory one year period after passage of the Identity Theft and 
Assumption Deterrence Act in October 1998. While awaiting an 
appropriation to support the fuller development of the program, we have 
continued to build upon those core elements. The program's current 
operating components include:

   Toll-free Telephone Number
    The FTC established a toll-free number, 1-877-IDTHEFT (1-877-438-
4338), that consumers can call to report identity theft and receive 
guidance on the steps they can take to resolve credit and other 
problems that may have resulted from the identity theft. The number 
became operational on November 1, 1999.

   Data Clearinghouse
    The FTC built and implemented the data collection functions of the 
Identity Theft Data Clearinghouse, a database to track identity theft 
complaints received by the FTC and other agencies. The database was 
launched in early November, in conjunction with the release of the 
toll-free number.

    Since November 1, 1999, the Commission has continued developing the 
centralized complaint service in a number of ways. We have established 
basic data accessing and reporting capabilities, enabling the FTC to 
begin to analyze and identify trends and patterns in the consumer 
complaint information we collect. In addition, the FTC has been meeting 
with the Social Security Administration's Office of Inspector General 
(SSA OIG) to establish mechanisms to download information obtained by 
the SSA Fraud Hotline into the FTC's Identity Theft Data Clearinghouse, 
as well as to refer complaints from the Clearinghouse to the SSA OIG's 
investigative staff. Finally, we have built the prototype for a web-
based interface through which law enforcement agencies at the federal, 
state, and local level can access the Identity Theft Data 
Clearinghouse.
    We added a public complaint form to the FTC's identity theft web 
site in mid-February. This form allows consumers to submit an identity 
theft complaint to the FTC via the Internet any time of the day or 
night. Consumers who use this form have access to all of the consumer 
education and referral material at the web site. In addition, their 
complaints go directly into the clearinghouse for analysis with the 
other consumer complaints about identity theft.

   Consumer Education
    As the first step in our consumer education campaign, we developed 
a consumer publication entitled Identity Crises * * * What to do If 
Your Identity is Stolen that covers the basic steps victims should take 
when they discover that their identity has been stolen. We also revised 
a number of more targeted credit-related publications that may be of 
assistance to identity theft victims. In addition, by November 1, 1999 
the FTC had established a web site devoted to identity theft issues at 
www.consumer.gov/idtheft. The web site contains tips for consumers, 
information on state and federal identity theft laws, recent cases and 
scams, links to other government agencies, and our consumer 
publications.
    In addition, the FTC published a comprehensive booklet for 
consumers entitled Identity Theft: When Bad Things Happen to Your Good 
Name, which was released to the public on February 17, 2000. The 
booklet, which included contributions from over a dozen other 
government agencies, provides guidance on what to do to decrease the 
risk of identity theft; how to protect your personal information; the 
steps to take if you do become an identity theft victim; how to resolve 
credit problems that may result from identity theft; and who to contact 
in the government for assistance. I was pleased to be able to provide 
copies of this 21-page booklet, as well as other of our consumer 
education materials, to the Subcommittee at the time of my recent 
testimony.
    The Commission achieved these accomplishments without yet receiving 
any appropriations earmarked for the Identity Theft Program. Additional 
steps to make the centralized complaint and consumer education service 
even more fully operational is dependent upon receiving necessary 
funding. There are several additional features that the Commission 
plans to add later this year if the agency receives approval of a 
pending $625,000 reprogramming request. Specifically, if funded, the 
FTC will make operational the web-based interface to provide direct 
access to the Identity Theft Data Clearinghouse by law enforcement 
agencies at the federal, state, and local level. With the receipt of 
necessary funding, the Commission would also be able to establish 
mechanisms to download into the FTC's data clearinghouse consumer 
complaint information gathered by other law enforcement partners, such 
as the Federal Reserve Board and the Office of the Comptroller of the 
Currency, thus enriching the data clearinghouse. The Commission would 
also further build out its data analysis tools to enable increased 
levels of review, analysis, and reporting on the data gathered through 
the complaint clearinghouse. This would permit us to identify 
categories of complaints suitable for referral to other law enforcement 
agencies for investigation or other action. The Commission would also 
develop automated mechanisms to make and track such referrals.

    Question 4A. Has the FTC notified all law enforcement agencies to 
refer victims to the FTC hotline?
    Answer 4A. From the outset, Commission staff has worked closely 
with all of the major federal law enforcement agencies that have a role 
in investigating and prosecuting identity theft. Representatives from 
these agencies are currently referring victims of identity theft to the 
FTC hotline. These agencies include the Department of Justice, the 
Federal Bureau of Investigation, the U.S. Secret Service, the U.S. 
Postal Inspection Service, and the Social Security Administration's 
Office of the Inspector General, as well as the banking regulatory 
agencies and other agencies with regulatory and policy-making 
functions. We are also working actively with the National Association 
of Attorneys General and the International Association of the Chiefs of 
Police and others to get word of our hotline out at the state and local 
level.
    The Commission actively reaches out to federal, state and local 
entities to provide information on and more effectively combat identity 
theft. In April 1999, the FTC held a meeting with representatives of 17 
federal agencies and the National Association of Attorneys General to 
discuss implementation of the consumer assistance provisions of the 
Identity Theft and Assumption Deterrence Act, including design of the 
identity theft database and plans for producing and disseminating 
consumer education materials. In addition, among other efforts, we have 
been participating in ongoing meetings with the Department of Justice's 
Identity Theft Subcommittee of the AG's White Collar Crime Committee, 
the Office of the Comptroller of the Currency's Bank Fraud Working 
Group, and have attended various meetings of local law enforcement and 
business groups that focus on identity theft prevention and 
prosecution. Most recently, the FTC was a key participant in the 
Treasury Department's National Summit on Identity Theft. At each of 
these gatherings, FTC staff actively promote the toll-free number and 
database as part of our ongoing effort to make the database as 
comprehensive as possible.

    Question 4B. Do you know if this (referral process) is happening?
    Answer 4B. Yes, we do. For the past six weeks, we have been 
monitoring how callers to the FTC Identity Theft Hotline heard about 
our service. We have found that, on average, approximately 22 percent 
of the callers were referred to the FTC Identity Theft Hotline by local 
law enforcement or other government agencies. This is a significant 
source of referrals to our hotline. The remaining callers report having 
heard about the FTC's ID Theft Hotline from three basic sources: 
approximately 33 percent were referred by credit bureaus, banks and 
creditors; around 32 percent heard about the hotline from newspaper, 
television or radio reports; and about 9 percent learned about our 
hotline from friends or family members. (The remaining 4 percent were 
unable to specify the source.)

    Question 5. What is the criteria used for referring complaints to 
the appropriate law enforcement authority?
    Answer 5. As mentioned above, our referral function is not yet 
completely built and implemented, due to the need for additional 
funding. We therefore have not established firm automatic referral 
criteria. Ultimately the Commission envisions making identity theft 
referrals in a variety of ways, and the criteria will vary accordingly.
    Currently, our phone counselors refer individual callers to 
appropriate agencies where those agencies or consumer assistance groups 
can offer real assistance to a caller with a particular problem. We 
also routinely refer callers to their local police to file a report, 
because we have found that even if the police are unable to investigate 
and catch the identity thief, having a police report can be of great 
assistance to the victim in clearing up the credit-related problems 
that may arise as a result of identity theft.
    In addition, the Commission plans to disseminate complaint 
information through customized standard reports, extracting for our law 
enforcement partners the Clearinghouse complaints that meet the 
criteria they have designated. For example, as mentioned above, we are 
currently working with the Social Security Administration's Office of 
the Inspector General to establish specific criteria tailored to that 
agency's law enforcement priorities. We will provide the SSA OIG the 
information they want in the format and time frame they choose. 
Finally, when, during the course of our own in-house data analysis, we 
identify trends or patterns in the data that appear to have 
ramifications for our law enforcement partners, we will notify them of 
that information. Numerous law enforcement agencies have already 
expressed an interest in receiving information and referrals in these 
various ways.
    Finally, we are designing systems so that our law enforcement 
partners can retrieve data directly from our database using their own 
desktop computers.

    Question 6. I serve as Chairman of the Special Committee on Aging 
and, although I have a keen interest in the issue of identity theft in 
general, I have a real interest in whether elderly citizens are 
particularly vulnerable to having their identity stolen, as well. Will 
the FTC's centralized complaint database be able to collect information 
that will tell us the age group of the victims?
    Answer 6. The database is able to reveal this information now. All 
information consumers provide to the FTC Identity Theft Hotline is 
strictly voluntary. Victims who call the hotline are asked for their 
date of birth. From its inception in November 1999 until March 31, 
2000, approximately 52 percent of the callers have been willing to 
provide that information. Of the consumers who provided their age, 
about nine percent are age 65 and older. Approximately 26 percent were 
between the age of 45 and 64, inclusive. Approximately 39 percent were 
between 30 and 44 years old. Approximately 23 percent were between 19 
and 29 years old, and less than three percent were age 18 and under.

    Question 6A. Will it provide us with enough information to identify 
whether specific kinds of individuals are being targeted?
    Answer 6A. Besides the consumer's address, with city, state, and 
zip code information, the database does not collect other types of 
demographic information. It does not, for example, collect information 
on the consumer's education level, type of employment, income level, or 
ethnicity. However, it does collect information on whether the victim 
has a relationship with the suspect. We have found that, through 
February 29, 2000, approximately 15 percent of the victims indicated 
that they had a relationship, such as a family, employment, or 
professional relationship, with the suspect.