[Senate Hearing 107-852]
[From the U.S. Government Printing Office]

S. Hrg. 107-852

PRIVACY, IDENTITY THEFT, AND THE PROTECTION OF YOUR PERSONAL INFORMATION IN THE 21ST CENTURY

HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM, AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE

ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION

FEBRUARY 14, 2002

Serial No. J-107-60

Printed for the use of the Committee on the Judiciary

85-061 U.S. GOVERNMENT PRINTING OFFICE WASHINGTON : 2003

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON THE JUDICIARY

PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts
ORRIN G. HATCH, Utah
JOSEPH R. BIDEN, Jr., Delaware
STROM THURMOND, South Carolina
HERBERT KOHL, Wisconsin
CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California
ARLEN SPECTER, Pennsylvania
RUSSELL D. FEINGOLD, Wisconsin
JON KYL, Arizona
CHARLES E. SCHUMER, New York
MIKE DeWINE, Ohio
RICHARD J. DURBIN, Illinois
JEFF SESSIONS, Alabama
MARIA CANTWELL, Washington
SAM BROWNBACK, Kansas
JOHN EDWARDS, North Carolina
MITCH McCONNELL, Kentucky

Bruce A. Cohen, Majority Chief Counsel and Staff Director
Sharon Prost, Minority Chief Counsel
Makan Delrahim, Minority Staff Director

Subcommittee on Technology, Terrorism, and Government Information

DIANNE FEINSTEIN, California, Chairperson
JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona
HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio
MARIA CANTWELL, Washington
JEFF SESSIONS, Alabama
JOHN EDWARDS, North Carolina
MITCH McCONNELL, Kentucky

David Hantman, Majority Chief Counsel
Stephen Higgins, Minority Chief Counsel

CONTENTS

STATEMENTS OF COMMITTEE MEMBERS

Cantwell, Hon. Maria, a U.S. Senator from the State of Washington
Feinstein, Hon. Dianne, a U.S. Senator from the State of California
Grassley, Hon. Charles E., a U.S. Senator from the State of Iowa
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona
Thurmond, Hon. Strom, a U.S. Senator from the State of South Carolina

WITNESSES

Avila, Jonathan D., Executive Counsel, Walt Disney Company, Burbank, California
Comer, Douglas B., Director of Legal Affairs and Technology Policy, Intel Corporation, Washington, D.C.
Fisher, Susan, Executive Director, Doris Tate Crime Victims Bureau, Carlsbad, California
Gregg, Hon. Judd, a U.S. Senator from the State of New Hampshire
Stana, Richard M., Director, Justice Issues, General Accounting Office, Washington, D.C.; accompanied by Danny R. Burton, Assistant Director, Dallas Field Office, General Accounting Office; and Ronald J. Salo, Senior Analyst, Dallas Field Office, General Accounting Office
Torres, Frank, Legislative Counsel, Consumers Union, Washington, D.C.

SUBMISSIONS FOR THE RECORD

American Electronics Association, William T. Archey, President and CEO, Washington, D.C., February 12, 2002, letter and attachment
American Medical Association, Division of Legislative Counsel, Washington, D.C., statement
Intel Corporation, Jeff P. Nicol, Customer Privacy Manager, e-Business Group, Santa Clara, California, statement
NCR Corporation, Laura Nyquist, Chief Privacy Officer, Dayton, Ohio, statement
Privacy Times, Evan Hendricks, Editor/Publisher, Washington, D.C., statement

PRIVACY, IDENTITY THEFT, AND THE PROTECTION OF YOUR PERSONAL INFORMATION IN THE 21ST CENTURY

THURSDAY, FEBRUARY 14, 2002

U.S. Senate, Subcommittee on Technology, Terrorism, and Government Information, Committee on the Judiciary, Washington, DC.

The Subcommittee met, pursuant to notice, at 2:37 p.m., in room SD-226, Dirksen Senate Office Building, Hon. Dianne Feinstein, presiding.

Present: Senators Feinstein, Cantwell, and Kyl.

Chairperson Feinstein. In the interest of time, I think we will probably start. The Ranking Member has been delayed. He will be along very shortly, but Senator Gregg, we are delighted to have you here. I know Senator Kyl would like also to hear your remarks, probably more than my remarks, so why do I not go ahead and quickly make my remarks, and then in the meantime, he should be here to hear yours, if that is agreeable with you.

Senator Kyl. I appreciate it. Whatever the Chairman wishes to do is fine with me.

OPENING STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE STATE OF CALIFORNIA

Chairperson Feinstein. All right. Let me just begin then by thanking you for your work on the Social Security numbers. I know you are going to speak about that and I will let you do it, but it has been a great pleasure for us to be able to work with you and I want you to know that.
In 1928, Supreme Court Justice Louis Brandeis described privacy, and I quote, as the ``right most valued by civilized people,'' and he defined it simply as the right to be left alone. With the advent of instant communication, the preservation of this right, I very deeply believe, is at risk. There are ominous signs that we are losing control over our personal information. Here are just a few examples. Some websites store and sell data on the most intimate aspects of our personal lives--where we live, the value of our homes, the mortgages that we have, our financial histories, and even our medical conditions. Your Social Security number today can be purchased for as little as $25 on the Internet. One medical information service has, and can distribute at will, data bases containing the phone number, the gender, and the address of 368,000 people with clinical depression or 3.3 million people with allergies. And according to one privacy advocate, a typical person's name and address are known to 500 companies or more. So without a doubt, the threat posed by the misuse of personal information is there and needs to be addressed. First, as the General Accounting Office will report today, identity theft crimes continue to surge. Identity theft occurs when another person literally steals your identity for profit or other illicit motive. Recently, the Federal Trade Commission reported that identity theft was the largest complaint on the Commission's consumer complaint list last year, representing 42 percent of its 204,000 complaints. Some privacy groups estimate that as many as 750,000 people a year are victims of this crime. Second, stalkers and others with criminal intent can increase their ability to harm their victims by gaining access to their personal information. We will hear today from Susan Fisher, whose brother was killed by an ex-girlfriend who stalked him by gaining access to his personal records. 
Third, many people simply do not want their personal information, such as the amount of their bank account, the type of medications they take, or their home address, widely shared with other people, and I deeply believe that they have that right to privacy. Some have suggested that in light of the ongoing war on terror, privacy needs to take a backseat to issues of safety and security. I strongly challenge this view. Protecting basic consumer privacy is compatible with enhanced security. In fact, the goals of privacy and security are often complementary. The recent acts of terror show how personal information can be misused to advance terrorist or other criminal activities. According to the Social Security Administration, six of the 19 hijackers in the September 11 attack were using Social Security numbers illegally. Moreover, an al Qaeda associate recently testified that the organization trained its operatives how to obtain stolen licenses, credit cards, and Social Security numbers. It also must be acknowledged that efforts to protect privacy must be balanced with the benefits so many Americans enjoy because of the widespread use of personal information. Many of us appreciate the ability to get instant credit, locate long-lost college friends, purchase items swiftly on the Internet, or be notified of products that might interest us. Therefore, I believe it is critical that any initiative on privacy strike a proper balance, and I think we have crafted legislation to do just that. Today's hearing will discuss the need for comprehensive legislation to deter identity theft and protect personal privacy. It will specifically address S. 1055, the Privacy Act of 2001. I want to take just a brief moment to describe the bill because it sets out where I stand on privacy. The Privacy Act of 2001 creates a two-tiered system of privacy protection that recognizes that not all information is equally sensitive. 
For your most sensitive information, the bill requires that companies get your consent before they sell the data. It is called opt-in. For example, under the Privacy Act, you must give your consent before a bank can sell information about your account balance, the stocks you own, your spending habits, or other personal financial data. That is opt-in. You must give your consent before a school, university, life insurer, or any other entity sells or markets your sensitive health data, such as your mental state, your disease status, or the prescriptions that you buy. That is opt-in. You must give your consent before the sensitive information on your driver's license, such as your driver's license number, your height, your weight, your sex or birthdate, can be sold. That is opt-in. The Privacy Act will also stop the practice of companies selling Social Security numbers to any member of the public who wants your number.

However, to reflect the legitimate needs of business, the Privacy Act proposes a lower threshold for the sale of less-sensitive information, such as a person's name and address. Under this lower threshold, businesses must give notice of their intent. They must give notice of their intent to use this information. After giving notice, the business can sell this less-sensitive data unless the individual tells them not to. That is opt-out.

We have an impressive roster of witnesses at today's hearing. As I mentioned, Senator Judd Gregg, who has shown a lot of leadership on this subject, will testify as a first panel on the privacy of Social Security numbers. In the second panel, the GAO will give preliminary results of its year-long study of identity theft. In the third panel, we will hear testimony on this bill from Susan Fisher of the Doris Tate Crime Victims Bureau, Frank Torres of the Consumers Union, Doug Comer of Intel, and John Avila of the Disney Corporation.
Senator Kyl should be along momentarily, but in the interim, Senator Gregg, I will turn to you now.

Senator Gregg. Thank you, Senator.

Chairperson Feinstein. Before you do, Senator, if I might just put in the record the statement of Laura Nyquist, the Chief Privacy Officer of NCR Corporation. I would also like to include a statement from the American Medical Association. Finally, I will include a statement by the Privacy Times, the testimony of Evan Hendricks. I would like to add these to the record. Please go ahead, Senator.

STATEMENT OF HON. JUDD GREGG, A U.S. SENATOR FROM THE STATE OF NEW HAMPSHIRE

Senator Gregg. Thank you, Senator. I appreciate the courtesy of your inviting me to testify at this hearing, which is an extremely important hearing on a very topical subject, and I congratulate you for all the work you have put into this issue as certainly one of the leaders in the Congress and the country on the issue of how to protect people's privacy. I have enjoyed very much having a chance to work with you on this issue.

Chairperson Feinstein. Thank you.

Senator Gregg. I might just start by explaining how I became involved in this issue. On October 15, 1999, a constituent of mine, Amy Boyer, who was a young woman who came from my hometown of Nashua, New Hampshire, was killed by a man who had gone on the Internet and taken possession of her Social Security number and other personal information by using access which he had obtained through the Internet. Until recently, we had thought that he had only obtained the Social Security number in order to stalk Amy, but unfortunately, it now turns out from court documents that he had paid a $75 fee to a company and that company had then used what they called a pretexter, who had posed as an insurance official and had called her and obtained personal information from her on the pretext that he was going to give her an insurance award, I guess.
As a result of collecting that information, they then disseminated it to this individual over the Internet. The whole transaction, it appears, occurred via the Internet. Unfortunately, the pretexter's approach worked. Amy Boyer was stalked and she was killed by this individual. As a result of this extraordinarily tragic event and countless others which have come to my attention and which Senator Feinstein has mentioned have come to her attention, I believe that we should make some changes in how information, personal information, is conveyed and used in the marketplace and specifically relative to Social Security numbers. Senator Feinstein and I have worked very closely on this issue. We have developed language, which is S. 848, the Social Security Number Misuse Prevention Act. This Act is part of the bill which you are discussing here today, S. 1055, as I understand, I believe the second title of that Act. Although I am very interested in the other issues which are raised by your bill, I want to confine myself to the Social Security issue, because this is where I have concentrated most of my time, and I feel a deep personal responsibility as the representative of the family of Amy Boyer to do something in this area, so I have committed a considerable amount of time trying to reach legislation which will accomplish this. In drafting S. 848, there really is only one primary goal and that is to ensure that people would not be able to purchase Social Security numbers and that companies would not be able to sell Social Security numbers without an individual giving their consent. 
In introducing this legislation, Senator Feinstein and I have worked hard to strike a delicate balance between legitimate business and other lawful uses of Social Security numbers, of which there are many, and our shared desire to limit general public access to Social Security numbers because of the significant risk of invasion of privacy that comes from people being able to obtain your Social Security number. We have to understand that, like it or not, the Social Security number has become a national identifier, and in many instances, it is the only way to ensure accurate identification of people. Health care providers use Social Security numbers to maintain our health records to ensure we are receiving the services we need and we have a right to. Banks and financial institutions use them to prevent fraud against individuals. Social Security numbers tell them that a loan applicant is exactly who he or she says she is. The National Center for Missing and Exploited Children and the Association for Children, the enforcement of support, use Social Security numbers to track down kidnappers and deadbeat dads. Big Brothers/Big Sisters of America uses Social Security numbers to do background checks on volunteers to make sure they are not people who might harm the children who they are working with. A truly blanket prohibition, therefore, on Social Security numbers would probably undermine a great deal of legitimate uses. In reality, nobody wants to do this, so we worked on striking a balance, myself and Senator Feinstein. I believe that we have maybe not a perfect product, but we have succeeded in identifying and responding to the key issues in a thoughtful and, I believe, constructive way on this matter. Under the legislation, obtaining a Social Security number with wrongful intent is illegal. 
Under the legislation, no Social Security number may be displayed, sold, purchased without the individual's consent, except in the cases involving public health, national security, law enforcement, and certain limited business-to-business transactions. No individual may be required to provide a Social Security number when purchasing a commercial good or services unless the Social Security number is absolutely necessary as defined by the Act, and the definition is limited. Under the legislation, within 1 year, Social Security numbers may not appear on any driver's license, motor vehicle registration, or any other document issued to an individual for the purposes of identification of that individual. The obvious reason for that is that as you are going through an airport or something and you have to show your driver's license, you should not have to disclose your Social Security number. Under the bill, within 3 years, Social Security numbers may not appear on checks issued for payment by Federal, State, or local agencies, Federal Government agencies. Finally, on the issuance of public records, which was and remains a very difficult issue, we worked to strike a balance between maintaining public access and limiting the potential for harm that comes with that access. To that end, we considered the impact of possibly having to redact Social Security numbers from thousands, if not millions, of public documents. This would be a hugely expensive and labor intensive task and it is unclear whether we would in any significant way further reduce the illegal activity we are trying to prevent. In other words, it is unclear whether the administrative burden and the cost would outweigh the potential benefit, and this is a very real concern. 
Under our compromise proposal, there is no requirement for redaction of Social Security numbers until that document is sold or displayed to the public, and then only where the number appears on the face of the document or in a highly consistent and predictable place inside the document. For example, records which are known to always contain a Social Security number on a particular page, and in that case, the number would need to be redacted before that document could be sold to the public. There is no requirement that the Records Office would have to screen through documents that might incidentally contain a Social Security number.

Madam Chairman, every year, as many as 700,000 instances of identity theft are reported. Limiting availability of Social Security numbers is one important way we can address this issue. S. 848 as it is incorporated into your bill is a well thought out, tightly woven piece of legislation that effectively recognizes and balances the many concerns surrounding the issue of Social Security numbers and their theft and misuse. Passing this legislation is one of the most important things that the Congress can do this year to reduce identity theft and protect individual privacy while permitting the continued legitimate and limited use of Social Security numbers.

Madam Chairman, I thank you for the chance to testify today.

Chairperson Feinstein. Thanks very much, Senator Gregg. I very much appreciate your comments. I think we have got a very secure and good part of this bill, and perhaps you and I--I know Senator Kyl was unavoidably detained. He is always here faithfully on the dot. So perhaps you and I can talk with him a little bit about it--

Senator Gregg. We will capture him somewhere.

Chairperson Feinstein [continuing]. Because I hope to move this thing along. But thank you very much for your leadership and for being here today.

Senator Gregg. I appreciate your courtesy.

Chairperson Feinstein. I very much appreciate it.
As you can probably tell from the buzzer and the beeper, there is a vote going on, but what I would like to do is begin the testimony and then perhaps 10 minutes into it, if Senator Kyl is not able to be here, we will just take a brief break and I can run down and vote and come back.

Let me begin with panel two and ask Mr. Richard Stana please to come and have a seat. Mr. Stana is the Director for Justice Issues at the GAO. During his 25-year career with GAO, he has directed reviews on a wide variety of complex military and domestic issues in headquarters, the field, and overseas offices. Most recently, he has directed the GAO's work relating to law enforcement, drug control, immigration, corrections, court administration, and election systems. He has received numerous awards throughout his career and he has been active in many civic and community organizations, as well as his work with the Federal Government.

Mr. Stana, we are delighted to have you here and we welcome your testimony.

STATEMENT OF RICHARD M. STANA, DIRECTOR, JUSTICE ISSUES, GENERAL ACCOUNTING OFFICE; ACCOMPANIED BY DANNY R. BURTON, ASSISTANT DIRECTOR, DALLAS FIELD OFFICE, GENERAL ACCOUNTING OFFICE; AND RONALD J. SALO, SENIOR ANALYST, DALLAS FIELD OFFICE, GENERAL ACCOUNTING OFFICE

Mr. Stana. Thank you very much, Madam Chairman. I am pleased to be here today to discuss the preliminary results of our study on the extent or prevalence of identity theft and its cost to the financial services industry, to victims, and to the Federal justice system. With me at the table are Dan Burton, Assistant Director on this assignment, and Ron Salo, the lead analyst. Behind us is Robert Rivas, who contributed substantially to this product.
As a matter of definition, identity theft involves stealing another person's personal identifying information, such as their Social Security number, date of birth, or mother's maiden name, and then using the information to create a false identity document to fraudulently establish credit and run up debt or to take control of existing financial accounts in order to make unauthorized purchases. My prepared statement discusses in detail our preliminary results. I would like to take this opportunity to briefly summarize a few important points and comment on several facets of identity theft that are addressed in S. 1055, the Privacy Act of 2001. The first point is that although identity theft numbers are not easily captured and sometimes reflect different viewpoints, the statistics we compiled indicate that identity theft continues to rise. Data from national credit bureaus show that the number of fraud alerts placed on consumer accounts is increasing. The data ranges from an estimated low of about 30,000 victims annually to an estimated high of about 178,000 victims annually. Although these statistics are significant, the lower-end figure understates the magnitude of the problem because it does not take into account both account takeover victims and identity theft victims. Neither estimate includes victims whose wallets or purses were stolen but who did not call the credit bureau. The most current statistics compiled by the FTC's Identity Theft Data Clearinghouse show that about 3,000 identity theft victims call each week. Additionally, the Social Security Administration's IG Fraud Hotline received over 65,000 allegations of Social Security number misuse in fiscal year 2001. About four of five SSN misuse allegations relate directly to identity theft. 
Statistics on arrests, investigations, and dollar losses compiled by leading Federal law enforcement agencies, that is, the Secret Service, the SSA IG, the IRS, the FBI, and the Postal Inspection Service, all show an increasing trend in criminal activity, as well as increasing law enforcement and prosecutorial activity. But these statistics do not indicate the full magnitude of victimization because not all incidents of identity theft are reported and investigated, nor do these statistics reflect activity at the State and local levels, where most identity theft allegations are reported.

My second point is that the costs of identity theft to the financial services industry, to victims, and to law enforcement are substantial. The cost to the financial services industry in terms of documented bank check fraud and Visa and MasterCard total payment card fraud is about $1.8 billion from domestic operations alone. Check fraud losses by banks for individual accounts, considering both actual losses and loss avoidance, reached an estimated $2.2 billion in 1999, which was twice the amount of losses in 1997, according to the ABA. On average, about $1 in $3 of check fraud losses are identity theft related.

Visa and MasterCard reported two categories of payment card fraud, account takeovers and fraudulent applications, which they associate closely with identity theft. These rose 43 percent, from about $80 million in 1996 to about $114 million in 2000. In the view of law enforcement, however, virtually all categories of payment card fraud encompass identity theft. Under their broader definition, the two associations' combined total fraud losses from domestic operations alone rose 45 percent from 1996 to 2000. These statistics do not include data from other firms, such as American Express, Diners Club, and Discover, that comprise about 25 percent of general purpose card markets.
It should be noted also that we found no comprehensive data on direct fraud losses to the retail, insurance, or other industries.

The cost of identity theft to individual victims can cause potential severe emotional distress as well as economic harm. Victims often feel personally violated and report significant amounts of time trying to resolve the problems caused by identity theft, problems such as bounced checks, loan denials, credit card application rejections, and debt collection harassment. The most common harm reported to the FTC was denied credit or other financial services. On the extreme end, victims had been subjected to criminal investigations, arrest, or even conviction. In terms of monetary harm, the FTC reported that about 15 percent of the victims reporting a loss alleged losing more than $5,000.

The cost to the Federal criminal justice system to investigate, prosecute, incarcerate, and supervise offenders is difficult to capture because information systems do not separately track such costs. Nevertheless, in response to our request, the FBI and Secret Service indicated the average cost of an investigative matter was between $15,000 and $20,000. The average white collar prosecution costs about $11,000. And the average incarceration costs, about $17,000 per inmate, and annual supervision, about $3,000 per offender.

Let me turn now--I am sorry?

Chairperson Feinstein. I am going to try to wait, ask them to keep the vote open. You continue, and then we will recess when you are finished.

Mr. Stana. Turning now to other aspects of identity theft, although the scope of our work for the subcommittee did not include an evaluation of various legislative proposals, we did compile information that offers perspectives on various provisions in S. 1055 that are designed to address some aspects of identity theft. For example, a major component of identity theft is acquiring personal identifiers, such as SSNs or drivers' licenses, to build false identities.
According to a 1999 study by the Sentencing Commission, drivers' licenses and SSNs are the identification means most frequently used to generate or breed other fraudulent identifiers. As you know, S. 1055 would prohibit the use of SSNs and drivers' licenses for motor vehicle registration documents.

Another potential source of personal identifiers for identity thieves is the personal financial information sold by financial institutions to non-affiliated third parties. Gramm-Leach-Bliley established the opt-out standard which you discussed before. S. 1055 would amend Gramm-Leach-Bliley to provide consumers an opt-in standard, whereby a bank would need prior consent of the consumers before selling personal financial information to non-affiliated parties.

Resource levels and competing priorities can limit any one level of government's capacity, including the Federal Government's capacity, to address identity theft crimes. S. 1055 would empower State attorneys general to enforce the Privacy Act. Although Gramm-Leach-Bliley does not have a similar provision, the Act's legislative history indicates that earlier versions of the House and Senate bills included a similar State enforcement authority, which was dropped in conference.

And finally, in a similar vein, resource constraints and dollar threshold levels have limited the numbers and types of cases that Federal law enforcement agencies have investigated. One type of case that has not often been investigated involves SSN misuse. Currently, the SSA IG devotes the vast majority of its investigative resources to program integrity priority areas rather than SSN misuse cases. SSN misuse allegations increased more than five-fold, to about 65,000, in 2001. S. 1055 would give SSA the authority to impose civil monetary penalties for SSN misuse. Now, it is not clear how the SSA IG would carry out this new authority or how many additional resources it would require and at what cost.
Madam Chairman, this concludes my oral statement. We would be pleased to address any questions you or other members of the subcommittee may have.

[The prepared statement of Mr. Stana follows:]

Statement of Richard M. Stana, Director, Justice Issues, U.S. General Accounting Office, Washington, D.C.

Madam Chairwoman and Members of the Subcommittee:

I am pleased to be here today to discuss the preliminary results of our ongoing study requested by the Subcommittee and Senator Charles Grassley to develop information on the extent or prevalence of identity theft and its cost to the financial services industry, victims, and the federal criminal justice system. Generally, identity theft involves ``stealing'' another person's personal identifying information such as Social Security number (SSN), date of birth, and mother's maiden name and then using the information to fraudulently establish credit, run up debt, or to take over existing financial accounts.

Although not specifically or comprehensively quantifiable, the prevalence and cost of identity theft seem to be increasing, according to the available data we reviewed and many officials of the public and private sector entities we contacted. Given such indications, most observers agree that identity theft certainly warrants continued attention, encompassing law enforcement as well as prevention efforts. Various recently introduced bills, including S. 1055 (Privacy Act of 2001), have provisions designed to enhance such efforts. While the scope of our work did not include an evaluation of S. 1055, we did compile information that could be useful in discussing related issues, and my testimony today will offer perspectives on several identity theft-related provisions of the bill.
To obtain the most recent statistics on the incidence and societal cost of identity theft, we interviewed responsible officials and reviewed documentation obtained from the Department of Justice and its components, including the Executive Office for U.S. Attorneys (EOUSA) and the Federal Bureau of Investigation (FBI); the Department of the Treasury and its components, including the Secret Service and the Internal Revenue Service (IRS); the Social Security Administration's (SSA) Office of the Inspector General (OIG); the Postal Inspection Service; and the Federal Trade Commission (FTC). Also, we contacted representatives of the three national consumer reporting agencies (commonly referred to as ``credit bureaus'') and two payment card associations (MasterCard and Visa). Further, at our request and with the consent of the victims, FTC provided us with the names and telephone numbers of 10 victims to interview. According to FTC staff, the sample of 10 victims was selected to illustrate a range in the extent and variety of the identity theft activities reported by victims. The experiences of these 10 victims are not statistically representative of all victims.

Background

Since our earlier report in May 1998,\1\ various actions--particularly passage of federal and state statutes--have been taken to address identity theft. Later that year, Congress passed the Identity Theft and Assumption Deterrence Act of 1998 (the ``Identity Theft Act'').\2\ Enacted in October 1998, the federal statute made identity theft a separate crime against the person whose identity was stolen, broadened the scope of the offense to include the misuse of information as well as documents, and provided punishment--generally, a fine or imprisonment for up to 15 years or both. Under U.S. Sentencing Commission guidelines--even if (1) there is no monetary loss and (2) the perpetrator has no prior criminal convictions--a sentence of from 10 to 16 months incarceration can be imposed.
Regarding state statutes, at the time of our 1998 report, very few states had specific laws to address identity theft. Now, less than 4 years later, a large majority of states have enacted identity theft statutes.

---------------------------------------------------------------------------
\1\ U.S. General Accounting Office, Identity Fraud: Information on Prevalence, Cost, and Internet Impact is Limited, GAO/GGD-98-100BR (Washington, D.C.: May 1, 1998).
\2\ Public Law 105-318 (1998). The relevant section of this legislation is codified at 18 U.S.C. Sec. 1028(a)(7) (``fraud and related activity in connection with identification documents and information'').
---------------------------------------------------------------------------

Prevalence of Identity Theft

As we reported in 1998, there are no comprehensive statistics on the prevalence of identity theft or identity fraud. Similarly, during our current review, various officials noted that precise, statistical measurement of identity theft trends is difficult for a number of reasons. Generally, federal law enforcement agencies do not have information systems that specifically track identity theft cases. For example, while the amendments of the Identity Theft Act are included as subsection (a)(7) of section 1028, Title 18 of the U.S. Code, EOUSA does not have comprehensive statistics on offenses charged specifically under that subsection because docketing staff are asked to record cases under only the U.S. Code section, not the subsection or the sub-subsection. Also, the FBI and the Secret Service said that identity theft is not typically a stand-alone crime; rather, it is almost always a component of one or more white-collar or financial crimes, such as bank fraud, credit card or access device fraud, or the use of counterfeit financial instruments.

Nonetheless, a number of data sources can be used as proxies for gauging the prevalence of identity theft.
These sources can include consumer complaints and hotline allegations, as well as law enforcement investigations and prosecutions of identity theft-related crimes such as bank fraud and credit card fraud. Each of these various sources or measures seems to indicate that the prevalence of identity theft is growing.

consumer reporting agencies: an increasing number of fraud alerts on consumer files

According to the consumer reporting agency officials that we talked with, the most reliable indicator of the incidence of identity theft is the number of 7-year fraud alerts placed on consumer credit files. Generally, fraud alerts constitute a warning that someone may be using the consumer's personal information to fraudulently obtain credit. Thus, a purpose of the alert is to advise credit grantors to conduct additional identity verification or contact the consumer directly before granting credit. One of the three consumer reporting agencies that we contacted estimated that its 7-year fraud alerts involving identity theft increased 36 percent over 2 recent years, from about 65,600 in 1999 to 89,000 in 2000.\3\ A second agency reported that its 7-year fraud alerts increased about 53 percent in recent comparative 12-month periods; that is, the number increased from 19,347 during one 12-month period (July 1999 through June 2000) to 29,593 during the more recent period (July 2000 through June 2001). The third agency reported about 92,000 fraud alerts for 2000 but was unable to provide information for any earlier year.\4\

---------------------------------------------------------------------------
\3\ These estimates are approximations based on the judgment and experience of agency officials.
\4\ An aggregate figure totaling the number of fraud alerts reported by the three consumer reporting agencies may be misleading, given the likelihood that many consumers may have contacted more than one agency.
During our review, we noted that various Web sites, including those of two of the three national consumer reporting agencies, as well as the FTC's Web site, advise individuals who believe they are the victims of identity theft or fraud to contact all three national consumer reporting agencies.
---------------------------------------------------------------------------

ftc: an increasing number of calls to the identity theft data clearinghouse

The Identity Theft Act requires the FTC to ``log and acknowledge the receipt of complaints by individuals who certify that they have a reasonable belief'' that one or more of their means of identification have been assumed, stolen, or otherwise unlawfully acquired. In response to this requirement, in November 1999, FTC established the Identity Theft Data Clearinghouse (FTC Clearinghouse) to gather information from any consumer who wishes to file a complaint or pose an inquiry concerning identity theft.\5\ In November 1999, the first month of operation, the FTC Clearinghouse responded to an average of 445 calls per week. By March 2001, the average number of calls answered had increased to over 2,000 per week. In December 2001, the weekly average was about 3,000 answered calls.

---------------------------------------------------------------------------
\5\ On November 1, 1999, FTC established a toll-free telephone hotline (1-877-ID-THEFT) for consumers to report identity theft. Information from complainants is accumulated in a central database (the Identity Theft Data Clearinghouse) for use as an aid in law enforcement and prevention of identity theft.
---------------------------------------------------------------------------

At a congressional hearing in September 2000, an FTC official testified that Clearinghouse data demonstrate that identity theft is a ``serious and growing problem.'' \6\ More recently, during our review, FTC staff cautioned that the trend of increased calls to FTC perhaps could be attributed to a number of factors, including increased consumer awareness, and may not necessarily be attributed to an increase in the incidence of identity theft.

---------------------------------------------------------------------------
\6\ FTC, prepared statement on ``Identity Theft,'' hearing before the Committee on Banking and Financial Services, U.S. House of Representatives (Sept. 13, 2000).
---------------------------------------------------------------------------

ssa/oig: an increasing number of fraud hotline allegations

SSA/OIG operates a fraud hotline to receive allegations of fraud, waste, and abuse. In recent years, SSA/OIG has reported a substantial increase in calls related to identity theft. For example, allegations involving SSN misuse increased more than fivefold, from about 11,000 in fiscal year 1998 to about 65,000 in fiscal year 2001. However, the increased number of allegations may be due partly to additional fraud hotline staffing, which increased from 11 to over 50 personnel during this period. SSA/OIG officials attributed the trend in allegations partly to a greater incidence of identity theft. Also, irrespective of staffing levels, a review performed by SSA/OIG of a sample of 400 allegations of SSN misuse indicated that up to 81 percent of all allegations of SSN misuse related directly to identity theft.

federal law enforcement: increasing indications of identity theft-related crime

Although federal law enforcement agencies do not have information systems that specifically track identity theft cases, the agencies provided us with case statistics for identity theft-related crimes.
Regarding bank fraud, for instance, the FBI reported that its arrests increased from 579 in 1998 to 645 in 2000 and were even higher (691) in 1999.

The Secret Service reported that, for recent years, it has redirected its identity theft-related efforts to focus on high-dollar, community-impact cases. Thus, even though the total number of identity theft-related cases closed by the Secret Service decreased from 8,498 in fiscal year 1998 to 7,071 in 2000, the amount of fraud losses prevented in these cases increased from a reported average of $73,382 in 1998 to an average of $217,696 in 2000.\7\

IRS reported on the extent of questionable refund schemes involving a ``high frequency'' of identity fraud, that is, cases very likely to have elements of identity fraud. Regarding such cases, for a 5-year period (calendar years 1996 to 2000), IRS reported detecting fraudulent refund claims totaling $1.76 billion and that 83 percent ($1.47 billion) of this total occurred in 1999 and 2000.

The Postal Inspection Service, in its fiscal year 2000 annual report, noted that identity theft is a growing trend and that the agency's investigations of such crime had ``increased by 67 percent since last year.''

---------------------------------------------------------------------------
\7\ In compiling case statistics, the Secret Service defined ``identity theft'' as any case related to the investigation of false, fraudulent, or counterfeit identification; stolen, counterfeit, or altered checks or Treasury securities; stolen, altered, or counterfeit credit cards; or financial institution fraud.
---------------------------------------------------------------------------

Cost of Identity Theft to the Financial Services Industry

We found no comprehensive estimates of the cost of identity theft to the financial services industry.\8\ Some data on identity theft-related losses, such as direct fraud losses reported by the American Banking Association (ABA) and payment card associations, indicated increasing costs. Other data, such as staffing of the fraud departments of banks and consumer reporting agencies, presented a mixed and, in some instances, incomplete picture. For example, one consumer reporting agency reported that staffing of its fraud department had doubled in recent years, whereas another agency reported relatively constant staffing levels. Furthermore, despite concerns about security and privacy, the use of e-commerce has grown steadily in recent years. Such growth may indicate greater consumer confidence but may also have resulted from an increase in the number of people who have access to Internet technology.

---------------------------------------------------------------------------
\8\ Generally, regarding the financial services industry, the scope of our work focused primarily on obtaining information from banks, two payment card associations (MasterCard and Visa), and the three national consumer reporting agencies.
---------------------------------------------------------------------------

Regarding direct fraud losses, in its 2000 bank industry survey on check fraud, the ABA reported that total check fraud-related losses against commercial bank accounts, considering both actual losses ($679 million) and loss avoidance ($1.5 billion), reached an estimated $2.2 billion in 1999, which was twice the amount in 1997.\9\ Regarding actual losses, the report noted that the 1999 figure ($679 million) was up almost 33 percent from the 1997 estimate ($512 million).
However, not all check fraud-related losses were attributed to identity theft, which the ABA defined as account takeovers (or true name fraud). Rather, the ABA reported that, of the total check fraud-related losses in 1999, the percentages attributable to identity theft ranged from 56 percent for community banks (assets under $500 million) to 5 percent for superregional/money center banks (assets of $50 billion or more), and the average for all banks was 29 percent.

---------------------------------------------------------------------------
\9\ ABA, Deposit Account Fraud Survey Report 2000. The ABA defined ``loss avoidance'' as the amount of losses avoided as a result of the banks' prevention systems and procedures. Because the overall response rate by banks to the survey was only 11 percent, the ABA's data should be interpreted with caution.
---------------------------------------------------------------------------

The two major payment card associations, MasterCard and Visa, use very similar (although not identical) definitions regarding which categories of fraud constitute identity theft. Generally, the associations consider identity theft to consist of two fraud categories: account takeovers and fraudulent applications.\10\ On the basis of these two categories, the associations' aggregated identity theft-related losses from domestic (U.S. operations) rose from $79.9 million in 1996 to $114.3 million in 2000, an increase of about 43 percent. The associations' definitions of identity theft-related fraud are relatively narrow, in the view of law enforcement, which considers identity theft as encompassing virtually all categories of payment card fraud. Under this broader definition, the associations' total fraud losses from domestic operations rose from about $760 million in 1996 to about $1.1 billion in 2000, an increase of about 45 percent.
However, according to the associations, the annual total fraud losses represented about 1/10th of 1 percent or less of U.S. member banks' annual sales volume during 1996 through 2000.

---------------------------------------------------------------------------
\10\ Other fraud categories that the associations do not consider to be identity-theft related include, for example, lost and stolen cards, never-received cards, counterfeit cards, and mail order/telephone order fraud.
---------------------------------------------------------------------------

Regarding staffing and cost of fraud departments, in its 2000 bank industry survey on check fraud, the ABA reported that the amount of resources that banks devoted to check fraud prevention, detection, investigation, and prosecution varied according to bank size. For check fraud-related operating expenses (not including actual losses) in 1999, the ABA reported that over two-thirds of the 446 community banks that responded to the survey each spent less than $10,000, and about one-fourth of the 11 responding superregional/money center banks each spent $10 million or more for such expenses.

One national consumer reporting agency told us that staffing of its Fraud Victim Assistance Department doubled in recent years, increasing from 50 individuals in 1997 to 103 in 2001. The total cost of the department was reported to be $4.3 million for 2000. Although not as specific, a second agency reported that the cost of its fraud assistance staffing was ``several million dollars.'' And, the third consumer reporting agency said that the number of fraud operators in its Consumer Services Center had increased in the 1990s but has remained relatively constant at about 30 to 50 individuals since 1997.

Regarding consumer confidence in online commerce, despite concerns about security and privacy, the use of e-commerce by consumers has steadily grown.
For example, in the 2000 holiday season, consumers spent an estimated $10.8 billion online, which represented more than a 50 percent increase over the $7 billion spent during the 1999 holiday season. Further, in 1995, only one bank had a Web site capable of processing financial transactions; but, by 2000, a total of 1,850 banks and thrifts had Web sites capable of processing financial transactions.\11\

---------------------------------------------------------------------------
\11\ Federal Deposit Insurance Corporation, Evolving Financial Products, Services, and Delivery Systems (Washington, D.C.: Feb. 14, 2001).
---------------------------------------------------------------------------

The growth in e-commerce could indicate greater consumer confidence but could also result from the increasing number of people who have access to and are becoming familiar with Internet technology. According to an October 2000 Department of Commerce report, Internet users comprised about 44 percent (approximately 116 million people) of the U.S. population in August 2000. This was an increase of about 38 percent from 20 months prior.\12\ According to Commerce's report, the fastest growing online activity among Internet users was online shopping and bill payment, which grew at a rate of 52 percent in 20 months.

---------------------------------------------------------------------------
\12\ Department of Commerce, Falling Through the Net: Toward Digital Inclusion (Oct. 2000). This report was the fourth in a series of studies issued by Commerce on the technological growth of U.S. households and individuals.
---------------------------------------------------------------------------

Cost of Identity Theft to Victims

Identity theft can cause substantial harm to the lives of individual citizens: potentially severe emotional or other nonmonetary harm, as well as economic harm.
Even though financial institutions may not hold victims liable for fraudulent debts, victims nonetheless often feel ``personally violated'' and have reported spending significant amounts of time trying to resolve the problems caused by identity theft, problems such as bounced checks, loan denials, credit card application rejections, and debt collection harassment.

For the 23-month period from its establishment in November 1999 through September 2001, the FTC Identity Theft Data Clearinghouse received 94,100 complaints from victims, including 16,781 identity theft complaints contributed by SSA/OIG. The leading types of nonmonetary harm cited by consumers were ``denied credit or other financial services'' (mentioned in over 7,000 complaints) and ``time lost to resolve problems'' (mentioned in about 3,500 complaints). Also, in nearly 1,300 complaints, identity theft victims alleged that they had been subjected to ``criminal investigation, arrest, or conviction.''

Regarding monetary harm, FTC Clearinghouse data for the 23-month period indicated that 2,633 victims reported dollar amounts as having been lost or paid as out-of-pocket expenses as a result of identity theft. Of these 2,633 complaints, 207 each alleged losses above $5,000; another 203 each alleged losses above $10,000.

From its database of identity theft victims, after obtaining the individuals' consent, FTC provided us with the names and telephone numbers of 10 victims. We contacted the victims to obtain an understanding of their experiences. In addition to the types of harm mentioned above, several of the victims expressed to us feelings of ``invaded privacy'' and ``continuing trauma.'' In particular, such ``lack of closure'' was cited when elements of the crime involved more than one jurisdiction and/or if the victim had no awareness of any arrest being made.
Some victims told us of filing police reports in their home state but not being able to do so in the states where the perpetrators committed fraudulent activities using the stolen identities. Only 2 of the 10 victims told us they were aware that the perpetrator had been arrested.

In a May 2000 report, two nonprofit advocacy entities, the California Public Interest Research Group (CALPIRG) and the Privacy Rights Clearinghouse, presented findings based on a survey (conducted in spring 2000) of 66 identity theft victims who had contacted these organizations.\13\ According to the report, the victims spent 175 hours, on average, actively trying to resolve their identity theft-related problems.

---------------------------------------------------------------------------
\13\ CALPIRG (Sacramento, CA) and Privacy Rights Clearinghouse (San Diego, CA), ``Nowhere to Turn: Victims Speak Out on Identity Theft'' (May 2000).
---------------------------------------------------------------------------

Also, not counting legal fees, most victims estimated spending $100 for out-of-pocket costs. The May 2000 report stated that these findings may not be representative of the plight of all victims. Rather, the report noted that the findings should be viewed as ``preliminary and representative only of those victims who have contacted our organizations for further assistance (other victims may have had simpler cases resolved with only a few calls and felt no need to make further inquiries).''

Later, at a national conference, the Director of Privacy Rights Clearinghouse expanded on the results of the May 2000 report.
For instance, regarding the 66 victims surveyed, the Director noted that one in six (about 15 percent) said that they had been the subject of a criminal record because of the actions of an impostor.\14\ Further, the Director provided additional comments substantially as follows:

---------------------------------------------------------------------------
\14\ Beth Givens, Director, Privacy Rights Clearinghouse, ``Identity Theft: Growing Problem of Wrongful Criminal Records,'' paper presented at the SEARCH National Conference on Privacy, Technology and Criminal Justice Information, Washington, D.C. (June 2000).