H.R. 4321--FINANCIAL INFORMATION PRIVACY ACT
TUESDAY, JULY 28, 1998
U.S. House of Representatives,
Committee on Banking and Financial Services,
The committee met, pursuant to call, at 10:00 a.m., in room 2128, Rayburn House Office Building, Hon. James A. Leach, [chairman of the committee], presiding.
Present: Chairman Leach; Representatives Roukema, Lazio, Kelly, Fox, LaFalce, Vento, Kilpatrick, J. Maloney of Connecticut, Sherman, Lee, and Goode.
Chairman LEACH. The hearing will come to order.
The committee meets this morning to consider an issue of vital importance to virtually every American consumer, the privacy of consumer information maintained by banks and other financial institutions.
America is increasingly an information-intensive society. Information that was once assumed to be safely in the private domain is now actively pursued for reasons ranging from civil litigation to corporate competition to idle curiosity. Where personal financial information is concerned, the prying is often done by individuals acting on their own behalf. Recent years have also witnessed the proliferation of business enterprises that specialize in the collection and dissemination of personal financial information, so-called ''information brokers'' who market their services to law firms, debt collection agencies, law enforcement authorities, and others seeking to obtain information of a public and nonpublic nature.
While many of these businesses operate legitimately and squarely within the letter of the law, there is growing evidence that some do not. The purpose of today's hearing is to determine the extent of the threat to financial privacy posed by these information brokers who employ questionable methods in collecting confidential financial information and to consider the merits of a modest legislative proposal to address that threat.
This hearing is part of a broader committee focus in this Congress and the last on the issue of how to safeguard the privacy of individuals' financial information in an era where technological advances have made vast amounts of such information available at the click of a keystroke.
In the last Congress, the committee examined the issue of ''identity theft,'' a nightmarish process by which an individual's personal identification--name, address, Social Security number, mother's maiden name--is used to gain control over or open new bank or credit card accounts, apply for loans and incur other forms of debt. By the time the victim of the identity theft realizes what has happened, his or her credit record lies in shambles, and it is often years before it can be rehabilitated.
Perhaps the most harrowing example presented in the committee's 1996 hearing was that of Dr. Mary Zupanc, the specialist at the Mayo Clinic whose life was literally turned upside down when criminals were able to use information gleaned from her stolen mail to essentially assume her identity, accessing her bank accounts, her retirement fund accounts and attempting to have credit cards issued to them in her name.
In addition to the identity theft issue, the committee has been active on a number of other fronts related to financial privacy. Under the leadership of Mrs. Roukema, the Chairwoman of the Financial Institutions Subcommittee, and Mr. Vento, the subcommittee's Ranking Minority Member, a hearing was held last fall addressing broad concerns about risks associated with the availability of consumer financial information, the potential for misuse and abuse of that information.
Further, the subcommittee examined the implication that emerging electronic payment systems, such as debit cards and online credit transactions, may have for individual financial information. In addition, Congressman LaFalce, the Ranking Minority Member of the full committee, has led efforts to address the effects on consumer privacy that the significant consolidation of the financial services industry has undergone in recent years.
The specific privacy issue we take up this morning is one that was poignantly brought to the committee's attention by one of our first witnesses, Robert Douglas, who runs his own private investigative firm in Alexandria, Virginia. Mr. Douglas had become concerned that the information brokers whose services he had retained to compile ''asset profiles'' of private individuals had engaged in fraudulent, deceptive practices, including impersonating the targets of their searches and engaging in other ruses to trick financial institutions into disclosing confidential account information. Though his own personal business interests would presumably have benefited from continuing access to the data supplied by the information brokers, Mr. Douglas chose instead to alert the committee to his concerns about the legality of their methods. By doing so, he has provided us with a commendable example of public service being performed by a private citizen.
Further inquiries by committee staff quickly confirmed the validity of Mr. Douglas' concerns. Indeed, one need only spend a few minutes on the Internet to discover numerous commercial pitches by firms advertising their ability to provide clients with a wide array of personal financial information on third parties such as location, number, balance and history of their bank accounts, and a complete listing of their financial holdings, including stock portfolios. Moreover, there is considerable evidence that such information is often obtained by persons who mislead financial institutions into believing that a legitimate customer request for account information is being satisfied, when in fact the questions are being posed by individuals who have been retained without the customer's knowledge or authorization to locate and identify their assets.
Some of the most compelling evidence of the threat to financial privacy presented by unscrupulous information brokers developed in Massachusetts, in an investigation that provides the committee with its second example of outstanding corporate citizenship in today's hearing. In 1993, officials of the security department of BankBoston became aware that a Massachusetts company was advertising ''asset and information services'' that included a system for obtaining complete bank account information, including balances, without the knowledge or authorization of the account holder. As a way of testing its internal controls for protecting customer account information and also gaining a better understanding of the nature of activities conducted by information brokers, BankBoston undertook a lengthy investigation of the firm whose services it had seen advertised. It later supplied the results of its inquiry to the Massachusetts Attorney General's office, which launched a broader probe into the information broker industry that to date yielded some $275,000 in civil penalties against nine firms in five States.
The committee will hear this morning from Jeff Clements, the Assistant Attorney General, who directed the successful Massachusetts investigation of the information brokering industry.
To address a significant threat to consumers' financial privacy posed by the activities that are the subject of today's hearing, and make explicit that such practices are prohibited by Federal law, I have introduced H.R. 4321--The Financial Information Privacy Act of 1998. The legislation makes it a Federal crime to obtain or attempt to obtain customer information from a financial institution through fraudulent means such as by misrepresenting the identity of the person requesting the information or otherwise deceiving a financial institution's officers or employees into divulging it. The bill would also make it unlawful for someone to receive such customer information if the person knows that the information has been obtained fraudulently.
I am pleased that Mr. LaFalce, as well as Representatives Lazio, Castle, Vento and Hinchey have signed on as original cosponsors of this legislation. At this point, let me turn to Mr. LaFalce.
Mr. LAFALCE. Thank you, Mr. Chairman, first for holding today's hearing. I commend you for your leadership in directing our committee's attention to the problems posed for consumer privacy by certain activities of private information brokers.
Issues of privacy are at the core of our most fundamental notions of individual freedom. At the same time, freedom of speech and the free flow of information are absolutely necessary for the functioning of our democratic society and market economy. How we reconcile the individual's right to privacy with the legitimate need of both Government and business for broader access to information is a complex and sometimes troubling policy issue.
There have been a number of articles in recent months describing how the activities and abuses of private information-sharing businesses or information brokers have raised concerns amongst banking officials, consumer advocates and law enforcement agencies. These businesses have the capacity to gather millions of bits of data from scattered sources--from credit card transactions, from telephone numbers, from public records, from magazine subscriptions and other sources--to create comprehensive pictures of an individual consumer's background and life-style, personal taste, buying habits, and so forth. While much of this information has always been available, advances in computer technology have allowed this information to be aggregated and accessed more easily, more cheaply than ever before, generally without a consumer's knowledge or consent. And widespread use of the Internet has made this information immediately available, with few, if any, restrictions on either access or use.
The ability of information brokers to assemble elaborate electronic dossiers on every American consumer and household, while legal, is a disturbing example of how technology is rapidly challenging and changing our traditional notions of personal privacy. While convenient access to comprehensive information about consumers can be beneficial to society in terms of law enforcement, news gathering and even location of missing children, it also poses a heightened threat to individual privacy. It can heighten discrimination amongst consumers by determining in advance who is most likely to purchase certain products, who should be offered credit cards and loans; and when combined with sensitive financial identifiers and account information, it can facilitate and encourage financial fraud and identity theft.
Recent articles have described how some information brokers openly advertise their ability to deliver up-to-the-minute information on private financial accounts and stock portfolios. They also reveal that much of this confidential financial information has been obtained by fraudulent or deceptive tactics, by posing as consumers, forging private documents or bribing bank staff. The absence of required security measures and procedures to protect private identifiers and account information is disturbing. It needs to be addressed by Congress.
The Chairman has introduced legislation I am pleased to cosponsor, which provides a critical first step in stemming the illegal acquisition and sale of personal financial information. It would make it a Federal crime for any individual to obtain confidential customer information from a financial institution through fraudulent or deceptive means, and it makes it unlawful for anyone to receive financial information where there is reason to believe that the information was obtained through fraudulent means. The legislation provides strong enforcement authority and significant civil and criminal penalties to prosecute offenders and to deter repeat violations. This legislation provides an important first step to protect customer privacy. It is one of a number of steps that I believe need to be taken.
Additionally, I am concerned, for example, that while the legislation imposes penalties for individuals who employ fraudulent measures to obtain confidential financial information, it does not address the acquisition and sale of the same information if obtained with the unwitting cooperation or negligence of financial institutions. By shifting liability for the misuse of confidential financial information onto third parties, we run the risk of weakening the incentive to improve security measures within financial institutions if that was the only thing we were going to be doing. And so I will introduce additional legislation next week to provide a second step toward protecting the consumer from damage by the release of financial information.
That bill will direct the Federal financial regulators to issue joint guidelines under which all insured financial institutions would be required to implement security measures to protect customer information and to inform customers of their privacy rights. These standards, I believe, would be closely modeled on the privacy principles already adopted by the financial industry but would include supervisory authority to ensure that these security measures are broadly, universally, and adequately implemented.
Mr. Chairman, I look forward to cooperating with you to win early enactment of this bill to curb abuses of the broad information-sharing industry, and I look forward to working with you on additional measures to further protect consumer privacy. I thank you.
Chairman LEACH. Mrs. Roukema.
Mrs. ROUKEMA. I do not have a full opening statement, Mr. Chairman. I just want to observe that my initial reaction when you announced this hearing was, well, what is the question?
I think I know what the question is, as has been outlined. There are horrendous abuses and violations of privacy occurring every day. I guess the question here today is to discover whether or not the sanctions and the fines proposed are anywhere near sufficient to stop these abuses and protect the public.
I am eager to hear what the witnesses have to say today, but I think we should do at least this and perhaps go further--but more than just additional regulations, it would seem to me.
Thank you, Mr. Chairman.
Chairman LEACH. Thank you very much, Mrs. Roukema.
Mr. Vento.
Mr. VENTO. Thank you for holding this hearing and introducing this measure, H.R. 4321. This is a positive step toward improving our laws and regulatory mechanisms so that people have some redress when their privacy is violated. It may also, by virtue of raising the penalties, discourage some from violating and brokering other people's private lives through the sale of information about them.
As you may know, Mr. Chairman, I have long held an interest in protecting privacy of Americans and have introduced, early this Congress, H.R. 98, and in previous Congresses similar legislation regarding privacy on the Internet. I have also worked with the Financial Institutions and Consumer Credit Subcommittee Chairwoman, Mrs. Roukema, on hearings on consumers' financial privacy which we are likely to continue oversight upon.
Information on privacy protection has been a sector-by-sector initiative by law and by industry, yet in the end it is the same person, the same personal privacy, and the same basic information about a person that is affected by the various sectors and privacy protection laws or policies. Because of the computer and the Internet, the sectors have merged, making all of our financial and personal information more vulnerable and accessible. The legislation introduced last week gets at one important aspect of such vulnerability.
While I commend this key bill, Mr. Chairman, I have to note that it may be a single dimensional approach in a world that has practically gone to the fourth dimension with the virtual world of the Internet. But importantly, it is a start, a first step.
Congress does have a duty, as do the regulators and privacy agencies, some of whom we will hear from today, to explore the privacy invasion and dissemination of personal information with its policy implications and proper safeguards to be accorded to American citizens encountering the opportunities and the risks presented by extensive use of, for example, personal identifiers in commerce today. The financial sector has a model for credit-related information in the Fair Credit Reporting Act. It is certainly not a perfect model; it is one avenue this committee may want to look at for updating our laws for the 21st century.
On a related matter in the subcommittee hearing last year we heard a mantra repeated by the industry and the FTC that the Government should give the technology time to evolve and that abuses are self-correcting with market innovation and new developments. Those good intentions seem to have badly eroded over the ensuing months. Experience does not bear out a self-correcting solution today.
The protection of consumer privacy must not take a back seat to the growth of market innovation. The economics of technology evolution are, in fact, eclipsing important safeguards of personal privacy. I have been monitoring the progress, as indicated by my statement, in terms of the self-regulatory solution to privacy rights. I have not been favorably impressed.
Informational demands for Social Security number, phone number, health records, addresses, mother's maiden name, and importantly to me, grandfathers' names, are growing more prolific every day. Financial institutions need this information as identifiers, but the potential for abuse is clear. You know, when you have a responsibility, when you have the authority to have the information, you ought to have the responsibility to care for the information.
I hope that this hearing today will help us in further exploring the appropriate balance between consumer demand to control personal information and business demand to, in essence, harvest the use of this personal information in an appropriate manner. I look forward to the hearing.
Thank you, Mr. Chairman.
Chairman LEACH. Thank you, Mr. Vento.
Does anyone else wish to make an opening statement?
Mrs. Kelly.
Mrs. KELLY. Mr. Chairman, in the interest of time, I would like to submit a statement for the record with unanimous consent, please.
Chairman LEACH. Without objection, all Members may present statements to the record. So ordered.
Before proceeding, let me turn to Mr. LaFalce to recognize a new Member of the committee who is here for his first meeting.
Mr. Goode, we welcome you.
Mr. LAFALCE. We welcome Mr. Goode to the committee. He has distinguished himself thus far in his brief tenure in Congress, and I know that he is going to be one of the more excellent Members of this committee.
Mr. GOODE. I am just honored to be on the committee and look forward to the deliberations here today and in the future.
Thank you, Mr. Chairman.
Chairman LEACH. Mr. Goode brings a background as a distinguished attorney. He represents the University of Virginia and the Boar's Head Inn, and I am told that more visitors to the area attend the latter than the former, but the architecture of Mr. Jefferson certainly ennobles this country, and we are glad for a representative from that area.
At this point, let me turn to our witnesses, and our first is Mr. Al Schweitzer, who is a private investigator and a security consultant from Boulder, Colorado. And our second witness is Mr. Robert Douglas, who is president of Douglas Investigations of Alexandria, Virginia.
Mr. Schweitzer, we will begin with you, and I am told that you have extensive background in the kinds of information research that is currently going on. Mr. Schweitzer, please proceed.
STATEMENT OF AL SCHWEITZER, PRIVATE INVESTIGATOR AND SECURITY CONSULTANT, BOULDER, COLORADO
Mr. SCHWEITZER. Good morning, Mr. Chairman and Members of the committee, it is an honor for me to testify before the committee today.
I have been a private investigator, information broker, security consultant since I was 21 years old. For the better part of almost two decades I was a dominant force in the confidential information underground. I have been described by U.S. prosecutors as ''the godfather of the information industry,'' alleging that I was the largest and most successful of the confidential information brokers, a conclusion they reached after indicting me on three separate occasions. Many of my successes, as well as my lapse in judgment have been documented in the mainstream media.
Throughout my career, I have been involved in the gathering of confidential information of all types--credit information, unlisted telephone numbers, telephone toll records, medical records, tax information, Social Security information, credit card information, as well as other financial information obtained from banks, savings and loans, credit unions and brokerage houses. If the information exists on paper or in a computer database, it can be obtained.
I have provided services to every imaginable industry. My client list includes airlines, law firms, hospitals, hotel chains, insurance companies, banks, collection agencies, media, both mainstream and tabloid, manufacturers, casinos, travel and entertainment companies, high tech firms, department stores, over 1,500 private investigators and information brokers, as well as occasionally providing information directly and sometimes indirectly, through former members of law enforcement and intelligence agencies, to law enforcement agencies on all levels.
My company was doing approximately a million dollars a year at its height in the late 1980's. At that time, the confidential information industry was dominated by about a half-dozen companies, mine having been one of them. Now, there are literally hundreds directly involved in the obtaining of confidential information of all types. In addition, there are thousands if not tens of thousands reselling the confidential information obtained from the first group.
The explosion of this industry can be attributed to three primary factors: Most of the confidential information can be obtained in a matter of minutes and for the mere cost of a telephone call; it is extremely profitable; the private investigative information broker industry has the mind-set that as long as they are not selling Government information or bribing Government employees, they are not in violation of any laws.
The business community has an insatiable appetite for information. After all, information is what governments, businesses and individuals have sought since the beginning of time.
As this committee's concern is financial privacy, I will limit my testimony to my knowledge and experience in that area. I feel it is important to point out that although some of the methods used to obtain financial information may be considered ''gray'' or, in some cases, outright illegal, the information is typically obtained for use in legitimate applications such as business intelligence, collections, enforcement of judgments, due diligence, and so forth. It is also important to note that although not all information brokers or private investigators are involved in illegal activities, it is probably accurate to say that most have ventured into ''gray'' areas.
Asset investigations are one of the most often requested services of investigators and information brokers. A large portion of the information that contributes to an asset investigation can be obtained from public records, real property, vehicles, aircraft and business ownership and/or affiliation.
Banking information at times can also be located within public records, but not only is it more time-consuming to do so, the information is typically dated. Hence, the use of ''gray'' or illegal methods. This provides more timely and accurate information with little cost or time involved.
The methods used to obtain financial information can be summed up in three ways: public records available to anyone who cares to look; use of an accomplice within an organization that has custody to or access to the information sought; through the use of pretext, ruse or ''gag'' calls as they are referred to in this industry. A ''gag'' call is simply a telephone call initiated by the investigator/information broker in which either an individual or an organization is called. The investigator broker purports to be someone other than the true identity, claiming to be the party to whom the information would normally be released.
For example, if I wanted your bank account information, Mr. Chairman, I would first obtain your home telephone number either from public records or, if need be, directly from the telephone company using another gag. I would then call the billing office of your local telephone company and claim to be you. At this point, I know your name, address, telephone number and more often than not your Social Security number and date of birth. I would explain to the telephone company representative that although I know I paid my bill last month, I forgot to record it in my check register. I would then ask, ''Could you please tell me how much it was and when it was due?'' The service rep would then tell me the amount paid and when it was due.
Next, I ask when my next bill is due and how much it is. The service rep would also freely tell me that.
Now I change hats. I call you at home and either get you or maybe your wife on the telephone. This time, I am the service rep at your local telephone company. ''Mr. or Mrs. Subject, this is Mr. Sawyer with Bell Atlantic. I am calling about your May bill that was due on June 10 in the amount of $98. We haven't received payment and now your June bill in the amount of $122 is also due. If this can't be paid immediately, I will have to discontinue your service.''
The majority of individuals will immediately become indignant, claiming that they have already paid those bills. ''Let me get my checkbook. Here it is. I paid you on June 5, $98.''
''You did? What check number was that? What bank was that drawn on? The account number, please, so we can locate it in our billing system. It was probably credited incorrectly to another account. I am so sorry.''
There you have it, Mr. Chairman. I now have the bank account information complete with your account number.
Now I have two options. First, call the automated line of the bank where, by entering your account number and Social Security number, the automated attendant will provide dates and amounts of deposit and checks that have cleared as well as your balance. The second option would be to call a customer service representative and claim to be you, as I now have everything I need to impersonate you. This method is very direct.
Other methods entail calling financial institutions and using one of two approaches, either impersonating the subject or claiming to be an employee of the financial institution working at another branch.
Using your personal information that I have previously obtained, I could now call financial institutions within a geographic area where I think that you may have a checking and/or savings account. I would call the customer service center claiming to be you and explain that I just received a letter from the Internal Revenue Service stating that I failed to disclose accounts located at this institution. Feigning ignorance, I would say that letter named this bank specifically and add that I never opened any account with this institution. I would then ask the rep if they could check and see if, in fact, I do have an account with their institution. I would add little comments like, ''Maybe my accountant or wife opened an account and used my name and Social Security number.''
If the rep discovers an account, I then quickly say, ''Really, am I rich?'' That usually will elicit a laugh and helps to disarm the customer service representative. Remember, a gag call is based on staying close to the normal workings of a real life scenario and using a bit of misdirection, much like the patter a magician uses.
Once an account has been found, questions like, who opened it? When? What is the balance? These would be normal questions, even if the representative balked at giving any information other than confirming the existence of an account. I would then thank the rep and hang up. I then call the actual branch of the institution where the account was opened. I claim to be at another branch across town with the customer present. I tell the rep that the customer is at my branch and can't remember their account number, and that I can't look it up, as our computers are down. I ask if they would please pull the signature card for me. Once you have an employee on the line, there is nothing I can't ask.
Most gags are just as simple as I have described, but can in fact be as complex as requiring several telephone calls, using the names of employees as well as exploiting the hierarchy of the target institution. Although the examples I have provided seem simplistic, almost all gags for financial information are variations on the above themes.
The use of gags can be summed up in four steps: Identify the piece of information you are after; identify who or what institution is the custodian of the information sought; based on real world situations or actual operational procedures of the target institution, figure out under what circumstances and to whom the desired information would be released; be that person under those circumstances.
Mr. Chairman, I have read the proposed legislation and believe that, although it represents a step in the right direction in regards to protecting financial privacy of individuals, adding language that places minimal requirements on the financial institutions themselves to implement safeguards will greatly enhance the effectiveness of this legislation. As it is currently written, this will be no more effective at deterring the activities of the information broker industry than are the existing statutes that could be used to prosecute these types of activities.
Without the addition of requirements being placed on the institutions themselves, it is my belief and experience that the information broker industry will react in a predictable manner. A small percentage will quit providing those services which they interpret as violations of the legislation, and the remainder will simply raise their prices to reflect the increased risk.
Basic requirements placed on the custodians of the financial information would multiply the effectiveness of this legislation tenfold. Realizing that the Banking Committee may object to any requirement along these lines, no matter how minimal, arguing that it places a burden with additional costs on their operations, I can assure the banking industry that the same technology and procedures implemented to prevent the dissemination of privileged financial information would also be extremely effective at combating fraud.
More specifically, identity theft crimes. The perpetrators of identity theft crimes use very similar techniques to gather information. I firmly believe and could demonstrate that by implementing some safeguards not only would the banking community realize a cost-benefit by defeating some types of fraud, they would be taking a huge step in stopping the flow of confidential customer information. This would be more valuable than any amount of legislation directed toward the information broker industry.
As long as someone is willing to pay for the information there will always be someone willing to obtain it.
Thank you, Mr. Chairman.
Chairman LEACH. Thank you, Mr. Schweitzer.
STATEMENT OF ROBERT DOUGLAS, PRESIDENT, DOUGLAS INVESTIGATIONS, ALEXANDRIA, VA
Mr. DOUGLAS. Thank you, Mr. Chairman. My name is Robert Douglas and my firm is Douglas Investigations. First, on behalf of my associates, I would like to extend our sympathies and condolences to the family, friends, and coworkers of the brave officers who are lying in honor just a few hundred yards from here.
Mr. Chairman, my firm provides private investigative services to the Washington, DC, legal community. It is my experience with the information broker industry that brings me before you today. Before I address the substance of my testimony, I would like to state that I appreciate the opportunity to appear before you and to give my perspective on what I believe to be one of the most significant problems facing our Nation today. I want to personally thank you for your willingness and desire to address this serious issue and the time that you have invested on this problem.
I am aware from both the legislation that you have introduced and your public comments that you are committed to maintaining the privacy of financial information in the United States. I particularly want to thank your committee staff and, specifically, David Cohen for the time that they have invested with me discussing this problem.
I also would like to recognize Bill Tate for his assistance in getting this critical issue before you and the committee. When I first approached Bill with my concerns about this subject last fall he immediately recognized this as an issue worthy of your committee's attention and moved quickly to bring it before you.
Mr. Chairman, I have a prepared statement which I hope you will consider including as part of the hearing's record.
Chairman LEACH. Without objection, that will occur.
Mr. DOUGLAS. Thank you. In order not to take up too much time, as there are other witnesses here today that the committee wishes to hear from, I will briefly summarize this testimony.
All across the United States, information brokers and private investigators are stealing and selling for profit our fellow citizens' personal financial information. The problem is so extensive that no citizen should have confidence that their financial holdings are currently safe. The types of financial information for sale include private bank account numbers and balances, stocks, bonds and mutual fund holdings, including the number of shares held, insurance policy data, including the types of insurance maintained and the amount or value of the policy, credit card information including account numbers, size of credit lines and transaction details including the specific purchases.
While the theft and sale of this information is occurring on a daily basis, much of society's focus on privacy as it relates to personal information has been concentrated elsewhere. To date, the majority of public scrutiny has been on issues related to basic data collected via the Internet and the explosion of information that is collected every day as part of routine commercial transactions. Issues such as the mass collection of citizens' Social Security numbers, home addresses, phone numbers and purchasing preferences by retailers have dominated the debate. As part of this debate, we routinely read and hear of generic what-ifs and concerns that sometime in the near future a citizen's most privately held information will be easily obtained by anyone willing to pay for it.
We passed that point long ago and somehow it seems no one noticed. Currently, thousands of information brokers and private investigators are advertising their ability to locate financial information. These advertisements can be found in legal and investigative trade journals, general circulation newspapers, the Yellow Pages and most certainly on the Internet.
I would like to call the attention of the committee to the three enlarged representative samples of broker Web pages. Two of the boards illustrate the types of information that could be purchased. The third board is of an admission of the methods used and concerns of how the demonstrative techniques are and would be viewed by the public.
The genesis of this specialty niche within the information industry is a growing black market. As with most black markets, there needs to be a seller of a commodity and a buyer interested in that commodity. In this case, the sellers are information brokers and the commodity is private financial information. Originally, the buyers were lawyers looking to seize assets of individuals with unsatisfied judgments.
There is a substantial problem in this country concerning the ability of successful parties to a lawsuit collecting any monetary award. There are millions of judgments with billions of uncollected dollars in the United States today. This fact played a large role in the development of the black market for financial information. However, even if all brokers were only providing financial information to attorneys holding judgments, it would still be a gross violation of privacy, and in many States, a violation of the law.
Yet this is the argument that brokers that I have talked to make. Their position is that there is nothing wrong with what they do. In fact, they see themselves as financial bounty hunters and put forth the following two positions: First, it is not against the law to obtain financial information. Many brokers and, indeed, their attorneys have told me that they believe that there is no Federal law to prohibit a citizen from obtaining the financial information of another citizen.
The second position advanced is that pretexting, which Mr. Schweitzer has already referred to and which I will discuss in more detail shortly, is perfectly legal. The argument goes like this: If the bank is stupid enough to tell me the information, that is the bank's problem, not mine.
Five years ago there were a small number of brokers actively advertising their services with the ads being largely confined to trade journals. Today, there are hundreds of brokers advertising by means of the Internet. By way of example, I have provided to the committee and have here at the table with me today approximately 285 individual Web pages from approximately 40 companies advertising on the World Wide Web, and I would note that is an extremely small percentage of those out there. These firms' ads are reaching thousands of investigators, information resellers, and in many cases, individual consumers who can now purchase the personal financial information of any citizen in the United States.
The means by which private financial information is most commonly obtained is identity theft. The most common method of identity theft is for the broker to obtain through currently legal means enough biographic information on the target of the investigation to be able to falsely pretend that he, the broker, is the target. Having convinced a financial institution that he, the broker, is actually the institution's client, the institution will provide whatever information is requested.
A second method is for the broker to falsely convey to the target that he, the broker, is an employee of a legitimate financial institution. Having gained the confidence of the target, the broker induces the target to provide the target's own financial data.
While pretexting is an accepted investigative technique, it is more properly classified as fraud when it rises to the level of identity theft. The difference between pretexting and identity theft is simple. In pretexting, the investigator poses as a generic individual or company in order to obtain public or nonprotected information such as an address, name of a witness or relative. Identity theft is the use of the target's personal and biographical information to impersonate the target as a means to obtain the target's private, protected information.
While identity theft is the most common method being used by brokers -- and it is almost always used to gain the balance of a financial account -- it is not the only method. Other methods include creditor networks and inside sources; and I would be happy to answer questions concerning those methods if any Member of the committee so desires.
In my introduction today, Mr. Chairman, I stated that the problem is so extensive that no citizen should have confidence that their personal financial holdings are safe. While I recognize that this is an incendiary charge, it is true. I would like to provide the committee with one known example of what can happen when information is in the wrong hands, and warn the committee of what can easily happen and perhaps has already if quick action is not taken.
A Maryland private investigator has worked on a case where a stalker has purchased, through brokers, the personal information of his target. The information included her driving record and personal banking information. As a form of harassment, terror and demonstration of power, the stalker distributed this information to all of the woman's neighbors.
With the financial information that can be purchased, the following can be accomplished: You can steal money directly from a bank account. You can wire money directly from a bank account. You can use money directly from a bank account to make purchases on the Internet. You can use credit card information to make purchases by phone or on the Internet. You can cash in someone's investments. You can cash in certain types of insurance policies. You can close someone's financial accounts, stop payment on someone's checks. You can use the knowledge of financial holdings to assist in blackmail or kidnapping. You can determine a business competitor's financial holdings as a means to obtain a competitive edge. You can close a business competitor's accounts or place stops on his checks.
One of the questions I was asked to address in your invitation letter, Mr. Chairman, was whether I thought existing Federal and State laws adequately safeguard citizens' financial information. Quite simply, they do not. I would first note that all of the companies Massachusetts prosecuted for violation of their State laws are still in operation today, to the best of my knowledge.
I would also like to state that I researched the issue of whether obtaining private financial information is legal, off and on for more than four years. In my written statement, I detailed that process. Suffice it to say, I had a very difficult time finding an answer. Because of the ease with which brokers move from State to State and the confusion amongst even honest brokers, I believe there needs to be Federal law directly controlling the use of deceptive practices to obtain personal financial information.
I have had an opportunity to review the legislation introduced by Chairman Leach. The legislation evidences a thorough understanding of the issues presented and outlaws the use of identity theft to obtain financial information. I believe that passage of this law, coupled with enforcement, will end the problem. Enforcement of the law will require a minimal amount of resources; specifically, a single Federal agent with a computer, Internet access and a fax machine could shut this industry down in a matter of months.
The last area I would like to address is education. We must do all we can to educate the public, financial institutions, hospitals, universities and any other company or institution that maintains private information about the dangers of identity theft. We need to teach businesses, institutions and individual citizens what steps they can take to protect the privacy of their information.
Mr. Chairman, I would like once again to thank you for the invitation to appear here today. As a child, I was taught the first role of Government is to protect the people. This is an opportunity for this committee and this Congress to do so. As a professional in the investigative trade, I would ask you on behalf of the honest members of this profession that you stop the use of deceptive practices to access financial information. As a citizen of the United States, I insist that you do so.
I would be happy to answer any questions that the committee has.
Chairman LEACH. Let me thank both witnesses for the chilling review of the circumstances in the private sector today, and the circumstances that I sense are quantumly growing, as Mr. Schweitzer has indicated, as well as Mr. Douglas.
Mr. Douglas is correct that education is critical, and that is one of the reasons for this hearing, but I would like to stress that there are State laws that come into play here, as well as certain FTC rules that come into play, that might be considered nationally. The State of Massachusetts has prosecuted on this basis, but very few States have proceeded in this direction, and that is one of the reasons to move in the direction that we are doing.
Second, what the statute that we have under review is designed to do is not only make it illegal for an information broker to seek this sort of information; it makes it illegal for anyone to receive knowingly illegal information, and so it puts a double burden.
The challenge also is to protect consumer privacy, and then run a delicate balance between protecting consumer convenience and consumers who like to be able to call up their bank and see where they are. By the same token, if you are too horrendous in some of your restrictions, one can pretty much bedevil the convenience issue, and so how to strike that balance is a difficult one for this committee to proceed on.
What I would like to ask both of you -- and let me begin with Mr. Schweitzer -- you gave a long list of customers of these services, including many which appear to be legitimate sounding companies.
What is your sense of the motivation behind the receipt of this information? Can you speak to that?
Mr. SCHWEITZER. Yes, Mr. Chairman.
Typically, as I stated earlier, the information is used for more legitimate business practices -- competitor intelligence, enforcement of collections, enforcement of judgments, due diligence. So they take the information obtained in a gray scenario, or illegal scenario, and combine it with information obtained legally, and it makes for a more complete effective report, or picture, or overall view of the subject that they are looking at.
The list of industries that I have worked for, as you mentioned, is quite impressive. I won't name any names here today, but I am sure that we would all recognize a large portion of them, the media being one of them. I have worked for all three networks.
The hunger for information in American business or in world business is probably -- in the past, they looked at their cost of manufacturing and the cost of R&D. Now they look at the cost of information, and information plays a huge role as a critical success factor in industry worldwide. The company with access to timely and accurate information will prevail. And CEOs and CIOs, they all realize that. They have no problem picking up the phone and asking me for something point-blank. Can you get this company's phone bill? Can you get so-and-so's medical record? They don't ask me how I get it, and they don't want to know.
In the past, I alluded to the fact that I have been indicted by the Federal Government. That is true. The first two were for obtaining IRS records. The third was for obtaining Social Security records. The IRS records, obviously there is a Federal statute that prevents soliciting that disclosure. But the Social Security records, there was a 21-count indictment and they didn't have a clue what to charge me with. At that time, I informed the U.S. prosecutors, I said, if you want to close down the industry, you have to go up the food chain. When you don't prosecute the companies that are asking for this type of information, it sends a message to them it is OK. They are only going to go after the guy who obtains the information.
The first assault on Corporate America, when that occurs, the message will be loud and clear. They will quit asking for it.
Chairman LEACH. Mr. Douglas.
Mr. DOUGLAS. The only place I might differ with Mr. Schweitzer is, I think where we are starting today is the proper approach. If you put too much burden on the institutions where the information is being obtained from, I think you will make it difficult for consumers to get the types of information that they need to live on a daily basis in a modern society.
If you close down the market for this information, which are these institutions -- and I will name names; I mean, the committee has a tape in its possession that I turned over, which is a 45-minute recording of another information broker that is currently under investigation by a Federal agency that I won't name because it is an ongoing investigation. But that broker named Citicorp, American Express, other major banks in the New York area, and clearly echoes what Mr. Schweitzer has said today. There is a huge market for this information.
But this type of legislation will almost overnight scare attorneys out of the market; and quite frankly, they are one of the major purchasers, and I think Mr. Schweitzer would agree, who are trying to collect on judgments. They will pay large sums of money. I know one firm that charges up to $5,000 to obtain banking information on individuals in order to locate assets.
One of the paragraphs in your proposed legislation, Mr. Chairman, makes it illegal for them to receive the information. I think if the word gets out today and this legislation passes, that many of those attorneys will stop tonight and tomorrow from purchasing this. They really think this is a ''gray'' area. To a certain degree, I believe many attorneys are just turning their heads, don't want to know where the information is coming from; but, boy, do they want it.
If the word on this gets out, that will stop immediately, and that is where the focus needs to be.
The overall problem is identity theft, and I know that you and your staff are aware that I am concerned about that. I have asked for referrals to other appropriate committees within Congress to stop some of the other issues that we see on the price lists over there. That is a little difficult for the committee to see right now, but which refer to the purchasing of post office box address information, telephone information. You can purchase somebody's toll call records, where they have made their long distance toll calls to, and in some States you can purchase their local phone records.
This is the appropriate first step. If you take away the market -- and a large part of the market are attorneys and corporate CEOs and corporate counsel offices -- if they get the word, a lot of this will go away very quickly.
Chairman LEACH. Thank you.
Before turning to Mr. LaFalce, let me summarize. One, there is a second bill in the Congress on identity theft introduced by Senator Kyl on the Senate side and Mr. Shadegg on the House side.
Second, let me just say that you are so correct that many reputable people think that this is a gray area and may not want to participate themselves, but are happy to ask others to do it; and these are very reputable law firms in this country. I think it ought to be clear that under State law today, some of these practices are illegal. Under broad State laws not directed to this subject -- only three States have laws on this precise subject, but a number, in very comprehensive trade practices acts, under which the State of Massachusetts has brought its suits, do outlaw this practice; and every attorney in America today should know that this is an illegal activity, and they should be disinclined to participate.
With passage of this bill, we make it very precise that anyone who knowingly receives or should know that the information received is illegal, that they come under the rubric of potential criminal action against them. And so this goes, to use Mr. Schweitzer's term, up the food chain and is intended so to do.
Mr. LAFALCE. Your testimony was riveting, and I thank both of you for it. I have long felt that this subject of privacy, given the technological age that we are in, is one of the most important that we have to come to grips with.
Your testimony was more than riveting; it was frightening in its prospects. Almost anyone can find out almost everything about everybody, and what does that do to the concept of individual privacy? We must address that. We must address it quickly and appropriately. You can help us do that.
You referred to ''gag'' calls. These are not gags in the traditional sense of gags. They are basically fraudulent phone calls. Somebody is pretending to be someone other than who they are, using misleading, deceptive information. So when you used the word ''gag'' calls, you really mean something that is fraudulent?
Mr. SCHWEITZER. That is correct.
Mr. DOUGLAS. Yes, sir.
Mr. LAFALCE. What percentage of illegally obtained financial information is received with these types of calls, an estimate?
Mr. SCHWEITZER. Mr. LaFalce, I can only speak for my own organization experience. I would venture to say that in the 1990's, 90 percent of the financial information that we obtained is through the use of illegal telephone calls or through an accomplice in a particular financial organization if we identified that our subject had accounts there.
To find financial information, when it concerns stock portfolios or banking information, through public records is very time-consuming, and when you do discover it, it is usually dated. If you find an old divorce file or bankruptcy file, we are not interested other than that it is historical. We want current information, and that is the way that we obtain it.
Mr. LAFALCE. Mr. Douglas.
Mr. DOUGLAS. Just echoing that, in the exhibits that I provided to the committee previously, if you were to take two of the companies that we have the Web pages from -- Noble Assets and the Pathfinder Group, which is in Virginia -- they advertise, between the two of them, they have collected or located over $1.5 billion in assets.
Noble Assets is one of the companies, I believe -- and I know that you have a witness here from Massachusetts -- I believe was prosecuted or looked at in Massachusetts, and through an information broker that I recorded on tape they said, hey, what is the problem, $20,000 fine when he is making $250,000 a year?
So that is why, again going back to Chairman Leach's final statements, I point out that this legislation is needed, because it is very easy for these companies to move across borders, to stop selling -- in fact, one company says it does not sell in Massachusetts, well, they have 49 other States that they can sell for.
Mr. LAFALCE. You spoke of the food chain and the importance of going down the line to the recipients, but what about the financial institutions themselves?
Mr. Schweitzer, you indicated that it is imperative that we also have some legislation, at least calling upon them to adhere to certain standards.
Mr. Douglas, if I interpret you correctly, you said, be careful how you do it. I don't recall if you said, ''Do it,'' or, ''Don't do it.''
Can both of you expand upon that, because in my opening comments I indicated that I thought that it was absolutely necessary to go above and beyond the present bill to get at the institutions themselves.
Mr. SCHWEITZER. Yes, sir.
It is my belief that there needs to be some kind of standard or minimal requirement placed on the financial institutions themselves. There are a number of things that they can do, technological solutions to some of the problems. More importantly, employee awareness and education programs can help prevent these types of phone calls.
I can understand the banking community being reluctant, feeling it places an unfair burden on them; and it is an additional cost on their operations, but I would be able to demonstrate to them
Mr. LAFALCE. These institutions are the custodians of our lives.
Mr. SCHWEITZER. I understand that, sir. The same procedural changes which would help prevent this type of activity would help prevent fraud, so they would receive a direct cost-benefit and be a leader in protecting their customers' privacy.
I have to tell you, the ease with which I obtain information from banks, credit card companies, it is almost laughable. I hang up the phone and the person at the other end probably thinks I was the biggest idiot in the world, but I am the one laughing.
Mr. LAFALCE. What percentage have passwords that help deter these types of phone calls?
Mr. SCHWEITZER. Even passwords between the bank branches for the exchange of information, we circumvent them. I am able to ''gag'' the codes from them. I can get an employee to tell me the codes before the end of the phone call, and it is based on terminology and it is placed on pleasantries. It is like being a salesman on the telephone.
You would be surprised at the ease -- and I am not just talking about the banking institutions. If there is a document or a record that I want to obtain, held by someone else -- and I don't care what agency it is -- I can get someone to discuss it with me.
Mr. LAFALCE. What concerns me, too, is not just obtaining information, but doing something with that information. For example, if you could trade via the Internet.
Now, what potential for mischief is there because of Internet trade? Can somebody say, ''I want to sell $1 million worth of stock,'' and do it rather easily? Could you explain that to us?
Mr. SCHWEITZER. Yes, sir.
Well, as I speak to my industry, the private investigative information broker industry, when I refer to my client list, I actually sleep well at night in the sense of I do not think this corporation is doing that with the information I provided them, but the potential for abuse and misuse is horrendous. I mean, once I have that information about you, I am you. I am you. And if you do not think I can get someone within an institution to cooperate, why do you think they call it customer service? They will do anything I ask them if they believe I am you.
And to exploit it, that is the growth in identity theft crimes. I mean, I actually investigated several in southern California, and I mean, the brazenness in which these people operate even makes me chuckle. And nobody prosecutes them.
Mr. LAFALCE. Are either of you personally aware of instances where individuals have deliberately attempted to create havoc or mischief, say, with another person's stock portfolio, like buying or selling?
Mr. SCHWEITZER. I personally am not, sir, although in the almost 20 years I have been in the business, surely I have been approached to do such a thing. That is one of my lines. I have never crossed that line. I have never used it in that manner.
Mr. LAFALCE. Mr. Douglas, could you answer some of the questions that I raised?
Mr. DOUGLAS. Certainly. Thank you.
Addressing your last question, I am not personally aware of a specific instance of that type; however, I would like to point out, and I think Mr. Schweitzer would agree, that it would be very difficult to know that it has occurred.
You have somebody here today, I believe, from Privacy Times. I am sure they can recount many stories that have come to their attention of people who have had problems with their credit report and probably financial holdings. It is difficult to trace it back. It is difficult to go back and find out. Somebody who wants to create this type of financial tariff, I might call it, it is very difficult to figure out who did it because they have become you.
What I would say on that issue is it is harder to undo the damage than it is to create the damage. I can screw up your finances within about three hours, and it would probably take you three months, even as a Congressman, to get them to get it back on track, because if I call up and I close your account today -- I can call up and close your bank account today, and you call them and say, ''What is going on, my checks are bouncing?'' ''Well, Congressman, you closed your account. There must be a problem.'' Now you are going to need to come in and see them in person and prove who you are and get it back on line, and it is more difficult to get it straightened out than it is to create the havoc.
The other issue that you raised that I would like to address is I understood, and I made some notes here during your opening statement, your position on what the banks need to do, guidelines to the bank, to implement customer security measures and to notify customers. I fully support that.
The one point I would add is if the banks would just try minimally enforcing the procedures that they already know they should have or do have in place, it would be a tremendous benefit.
I noted just personally recently that to call in and check my own credit card account, I used to have to also provide the zip code where I live, something that easily would be gotten ahold of; and I am sure someone like Mr. Schweitzer could blow through that in half a second, but they now have stopped that. All I need to do is punch in my number, and I can learn all kinds of information about my own account.
So even the most common-sense methods, security measures, that are out there and every bank I am sure is aware of, they do not use them. Why? Because customer service is king.
And I will tell you one of the methods that I have learned of how they blow through the passwords that Mr. Schweitzer has talked about. One of the most common, and we all know of it is, ''What is your mother's maiden name?'' OK. I call in. I am Congressman Leach, and I call in and they say, ''Well, Congressman Leach, what is your mother's maiden name?'' Well, ''It is Smith.'' ''I am sorry, Mr. Leach, that is not the name we have here.'' Well, excuse me, but what you do is you get outraged. ''God damn it. I know what my mother's maiden name is. Who wrote that down on your end? I want to speak to your supervisor right now, and I want this straightened out, or I am pulling the account today.'' ''OK. Hang on. Hang on. We can get this worked out. I am sorry. Somebody must have made a mistake on our end, Congressman Leach. What is your mother's maiden name?'' Make one up. Now you just changed the password.
That goes on. That is how they do it. Excuse my language there, but I wanted to be demonstrative.
Chairman LEACH. Well, thank you. My mother thanks you, too, for your not knowing.
Mrs. ROUKEMA. I am sorry, everybody else seemed to have gotten it. I did not quite get it at the end there.
But, in any case really, Mr. LaFalce's questions were my questions as well. I am not quite sure whether or not you believe that the enforcement in this legislation is adequate. In terms of the penalties, I noted that you said, if you take away the market, that is real penalty. The lawyers will pull out and the brokers will pull out if the penalties are credible. Also, it requires the banks to comply with their regulatory responsibilities so that they have a significant obligation, too.
Now, I understand -- and some of these bankers are my best friends and I understand that -- that we do not want to impose extraordinarily burdensome regulations. But there are probably specific regulations that you could pinpoint that banks could easily comply with as part of their obligation to their own customers.
Can you name one or two of those regulatory requirements as well as whether or not you think these penalties are adequate enough to be credible to push the brokers and the lawyers, and so forth, out of the business because of the penalties that they see out there?
Mr. DOUGLAS. Let me begin on the back end as far as the enforcement. I really do. Because--and I think Mr. Schweitzer would echo this--because of the gray area that Chairman Leach has mentioned and I have also addressed, I think you would chase such a large percentage of the purchasing market, the honest information brokers, resellers, the honest private investigators, and I do not want to mislead the committee, that is the majority of the profession I truly believe, but they are out there purchasing this.
One of the difficulties I had as a business owner three years ago when I started looking at this and made the decision for a short period of time to purchase this information was it was everywhere, everybody was doing it. And it is a competitive issue. All of my clients, as Mr. Schweitzer has referred to, wanted the information.
Now, it certainly, on my own defense here I want to say, was not to the degree of the types of things he was talking about, but liquid asset information they wanted to satisfy judgments that are out there.
If, as we have talked, that the enforcement is put in place that I think is adequate in this legislation, five to ten years in a Federal prison is enough to get somebody's attention and the types of fines also. I really, truly believe that as the word gets out to the honest part of our profession that that is wrong, that just gussying it up by calling it pretexting does not cut it anymore in the United States of America, that accessing this type of information and posing yourself as the identity of another human being is inappropriate and would put you in Federal prison, that it really will come to a screaming halt.
Yes, there will always be people, as Mr. Schweitzer has referred to, who will go behind the scenes and will do it and go underground, and it is up to law enforcement to root them out and stop them. But the majority of the market will go away.
Mrs. ROUKEMA. Do you want to address what you believe the banks should be responsible for?
Mr. DOUGLAS. I think that there does need to be some regulation. Specifically what, I am not sure. As a layman, what I would call it is just putting in place certain security procedures, passwords; and they need to be true passwords, not the mother's maiden name.
And one reason I think this issue is also important is I am a true fan and advocate of the Internet and the wonderful things that it is allowing us to do. I use it all the time. In fact, that is how I found a lot of this information that I have provided to the committee. If we cannot show the citizens of this country that we can protect this kind of information, the Internet will never take off.
Mrs. ROUKEMA. Very good point.
Mr. SCHWEITZER. Yes, ma'am. I think the legislation is effective in the sense of driving legitimate customers away from requesting the information, that surely will occur, but there will always be people that still want it. They will turn a blind eye as to how it is being obtained and do not really want to know. And, of course, there will always be investigators and brokers willing to obtain it. That much is true. And because of that, banks and financial institutions need to take some minimal steps to put some safeguards in place, some employee awareness programs, some minor technological changes that probably would not cost much. They probably have the ability to do it now. They are just not doing it.
There is a balance between security of the information and customer service, and I think we can satisfy both sides. The customers need to access the information, and the bank's ability to protect the confidentiality of the records, especially if you educate your customers as well and let them know, this is for your benefit, once they understand that, they will go along with your program, whatever it might be.
Mr. Douglas mentioned the credit card company, about putting in your zip code. I think we all know who that was immediately. I mean, I recognize that immediately what company that was. They are one of the biggest in the world, and getting their information is so minor.
I have to tell you, I approached a very large credit card company a couple of years ago and suggested to them, let me show you how to defend against this. They were not interested.
Mr. DOUGLAS. That happened to me, also.
Mr. SCHWEITZER. They always think it is going to cost them money to protect their customers' privacy, but by implementing the same types of safeguards that will benefit their customers, they will also thwart fraud and theft.
Chairman LEACH. Thank you very much.
Mr. VENTO. Well, thank you, Mr. Chairman.
I think that the last statement, obviously, indicates that there needs to be a little more prompting in terms of the authority to collect information and maintain records. Obviously, with it goes responsibility to protect the privacy of that type of information. It is not just financial. It could be health. It could be a variety of other type of information that obviously has had, historically, laws that have been defined and interpreted which, in fact, protect the privacy.
And that is one of the concerns, Mr. Chairman. My staff was pointing out to me that the subcommittee previously asked questions about stolen identity and asked the Justice Department to respond to questions; that they stated that when it involved something less than $50,000, they do not bother prosecuting. Well, $50,000 from a series of different individuals can add up to a lot of money.
One of the modus operandi that has been taking place is that there has been a voluntary effort to establish privacy protections. I was reading ahead in our information from the Federal Trade Commission that they have established individual reference service groups, which makes up apparently the 14 largest companies, and that they are going to pursue and are pursuing practices and principles which, in fact, outline a precomprehensive strategy for avoiding improperly using information.
Do either of these witnesses have any knowledge--Mr. Douglas, Mr. Schweitzer, do you have any knowledge with regard to this? If we are talking about the names I have heard thrown around here, it does not give me a lot of encouragement that others are all of a sudden going to get a new type of sensitivity to this.
One of the questions, Mr. Douglas, that I have for you, we have a long list of witnesses, but one of the questions dealt with the Fair Credit Reporting Act; and you point out that the Fair Credit Reporting Act is a report obtained that does not leave a notation on the top of the target report, so brokers are also trying to develop sources within the financial services sector. Do you think that we need to beef up the Fair Credit Reporting Act to, in fact, make misuse of that information a crime?
Mr. DOUGLAS. No, sir, not specifically. What I was referring to, there are--and Mr. Schweitzer may have more firsthand knowledge of this than I--are brokers who refer to obtaining no footprint credit reports, the credit report being a very good starting point to obtain in one key location a lot of personal financial information and personal biographical information to use as part of an identity theft.
As I understand a no footprint credit record, it is developing a source in somebody inside one of the major credit reporting agencies to look at the data on a computer screen and sell it to the information broker, so that the report is never printed and there is never an inquiry notation at the bottom of the report showing who obtained the information.
That just calls for, again, employee education programs and security awareness within the credit reporting agencies themselves.
Mr. VENTO. Are they actually being paid, these inside individuals being paid to, in fact, take this information, Mr. Schweitzer?
Mr. SCHWEITZER. Large sums of money.
Mr. VENTO. I cannot hear you.
Mr. SCHWEITZER. Large sums of money.
Mr. VENTO. Large sums of money.
So, basically, this is already illegal; is it not? Is this commonplace, or is this a very unusual circumstance?
Mr. SCHWEITZER. No, sir. It is pretty common. Typically when you have a source, you have him for one of three reasons. He is a personal friend of yours and would do just about anything you would ask him to, or he is a business acquaintance of some type that owes you a favor, or you are paying him.
Mr. DOUGLAS. If I could make one note on that, sir. One of the things that I referred to in my written testimony and I just touched on lightly in my verbal statement today are creditor networks. I am sure Mr. Schweitzer is aware of this. Oftentimes it is not even an exchange of money or a particular bribe to an employee. It is the very names that we know, American Express, Citicorp, some of the other major banks all have creditor departments and what they call skip tracing departments. They trade this information amongst themselves. Information brokers insert themselves into that chain and often even pretext those departments.
In fact, on the Internet, I am sorry to say, you can buy what is called the Black Book, which are all of the unlisted phone numbers direct to these departments for hundreds, if not thousands, of different companies and banks around the country.
Mr. VENTO. Of course, a lot of this is under the auspices, I guess, of trying to trace in terms of collecting bad debt and a lot of other activities, so it has a veneer of diligence that covers it, I take it.
But you did, Mr. Douglas, in your testimony point out that the Fair Credit Reporting Act, brokers are terrified of being put out of business or sued for violating the Fair Credit Reporting Act. So you are talking about actually reinforcing the legislation in terms of that law.
I guess we are interested in terms of prosecution, but if the Justice Department is unwilling to prosecute something for less than $50,000, I guess that means anything goes.
Mr. DOUGLAS. That is exactly right. And what I was perhaps not clearly enough trying to point out there is if you were to look at almost all of these Web pages that I have before me where they talk about getting a credit report, almost all say, ''Must be in compliance with the Fair Credit Reporting Act.''
As I understand the legislation that Chairman Leach has introduced, this would be a separate title, title X, under the Consumer Credit Protection Act, where the Fair Credit Reporting Act is also in place. And I was sort of applauding that condition, including it in there, because I think it will get the word out quickly that this needs to stop and will be enforced, just like the SCRA has.
Mr. VENTO. My time has expired. Thank you, Mr.
Chairman LEACH. Mr. Lazio.
Mr. LAZIO. Thank you, Mr. Chairman. I want to thank you both for holding the hearing and for the introduction of the bill that allows us to address this issue.
One of the most significant public policy issues that we are facing right now is privacy, as technology is exploding, e-commerce, medical record privacy, and now we are discussing, of course, financial records.
Mr. Douglas, I am really intrigued by the Web site that you have brought to our attention. I have over here the photocopy of it. And this is a Web site that would be available to those people that want to tap in and actually obtain this information; is that correct?
Mr. DOUGLAS. Yes, sir.
Mr. LAZIO. I am looking at a couple of these. I just want to take an example. For example, this is a price list over here, and you have a number of different options that somebody who could access the Web site might be able to get. For example, on T it says, ''You supply the name, Social Security number, date of birth, current address, type of card. We supply the charges on the credit card for the billing period.''
So you would actually be able to pick up every single charge that somebody might have made on a particular card if you were able to get that other information. ''You supply the cellular name, address, and phone number and Social Security number. We supply 1 month's toll calls, up to 50 calls.''
When I was in the District Attorney's Office, we generally had to have a court order before we were able to obtain that kind of information. But, in fact, this is available just through this Web site.
Mr. DOUGLAS. And very routine.
In fact, I participated with an investigative piece that was on a network here locally, and we did it on one of their producers. Not only did we get his banking information within eight hours, within a matter of days, we were able to get his telephone long distance toll records through the same broker.
I would like to make one note that I again skipped over in my verbal testimony, and you mentioning your past history as a prosecutor brought this to mind and the need for a warrant to get that. Almost without exception, most of these information brokers advertise that they are doing this for law enforcement, and that bamboozles me, because, if that is true, then that means our own Government investigators are going outside of the Federal regulations that are definitively on point, the Privacy Act, the Bank Secrecy Act, and I am sure many others that you are more familiar with than I, to do this if this is true. Maybe Mr. Schweitzer knows if it is true.
Mr. LAZIO. I have got to believe, in my experience, that that has got to be an outright lie.
I also note over here another one: ''You supply the name and post office box number. We supply the physical address on file.''
The very reason why many folks get a post office box is so that they cannot be tracked, for whatever reason. They may have problems in terms of domestic violence, or who knows what the case may be. But this is not just financial, I guess is the point I want to make here. There was testimony about a stalker and folks that are able to exploit this information to really hurt somebody by delving into issues that we thought were otherwise private issues.
Mr. DOUGLAS. That is absolutely correct. And on that particular type of search, I am very familiar with this because of the work we do, we serve process for a lot of the courts around the country here locally, and you need a Freedom of Information Act request with the court documents in hand to obtain that information, but yet they are doing it, and they are selling it. So that is a very serious problem.
Mr. LAZIO. There are a lot of spouses, just getting back to this domestic violence issue, that actually fear for their physical safety and their lives. They do everything they possibly can to ensure that they have protection and privacy from a violent spouse who may be stalking them and may be threatening them. And this type of access, which I think is outrageous, actually violates that privacy and potentially puts their lives in danger as well.
Mr. DOUGLAS. I worked just such a case approximately five years ago, Congressman, with a legal secretary at one of the major law firms here in Washington who was being threatened physically and harassed, and the firm was being harassed; and we took incredible amounts of steps to protect her and to protect the firm.
One of the things that she chose to do was uproot her entire family and move into the Virginia suburbs relatively far out. And I can tell you that the subject of that investigation, within a matter of weeks, had determined where she was living and thwarted all of her efforts and all of her expense to get some sense of privacy.
If I could just make one final note on your earlier point. I have confined myself, and I think Mr. Schweitzer has done a good job of confining himself to the issue before the committee today, the larger issue is identity theft, and we should make no mistake about that. All of the things that apply here apply to any piece of information that any citizen in this country has out there today.
Mr. LAZIO. Just one last question if I can, Mr. Chairman. Mr. Schweitzer testified to the possible two-prong attack that companies who have this type of private information might be able to pursue in order to protect information. One was to educate employees, do a better job of training them, including, I would suggest, I guess, a seminar by folks like you who actually explain how one can be deceived.
But the other thing you mentioned was technological changes. Which ones might you suggest? What might you think could be put in place?
Mr. SCHWEITZER. Sir, when you call a credit card company, and it is as simple as putting the last four digits of the Social Security number and the bank account number, we have that long before we make that phone call. In some cases they just ask for your account number. We have already obtained that. Some institutions simply ask for a Social Security number, which we can obtain from any number of public records.
We are not talking about a major cost factor for the financial community. We are not talking about buying hundreds of thousands of dollars' worth of equipment. We are talking about some basic security procedures. There is not a security director at any bank who is not aware of the problem. He may not know how to address it, or he may just be too busy.
Typically the response from financial organizations as well as other custodians of other types of private information is simply this: When I call a bank in pretext for information, I have not cost them any money other than the type of the customer service rep or the employee who I engage in conversation. The person committing credit card fraud gets priority from the security department. He is costing them money.
The same with telephone companies. It is the same with hospitals. All I am doing is engaging their employee for a few minutes of conversation. They do not deem it as a loss factor. I have not cost them any money, I have just taken some information from them, and, for the most part, they never even knew it occurred.
Mr. DOUGLAS. Mr. Chairman, could I just take five seconds on a follow-up to Mr. Lazio's question on the issue of identity theft?
Chairman LEACH. Of course.
Mr. DOUGLAS. Literally, as I was at my office desk preparing my testimony for today, Noble Venture Corporation, which I believe is the company that owns Noble Assets, who fax these fax advertisements to PIs all around the country, sent one on their July special: This is your reduced price special, ladies and gentlemen shoppers. ''Track Fed Ex and UPS package tracker. Regular $395. This month $250.''
Airline travel. I can find out what your airline travel plans are, where you are taking off from, who is traveling in your party, even what seat that you are going to be sitting on in the plane. I do not think I have to be too explicit as to the dangers of that in today's society. ''Regularly $395. This month on special for $250.''
Mr. LAZIO. Last point, Mr. Chairman, again on this excerpt from this broker Web site. One of the things that the Web site notes is that the ''buyer/viewer is hereby notified that the liquid asset information is developed using standard investigative methods including public records, third-party sources, creditor networks, deception, and pretext.''
Mr. DOUGLAS. Give them an ''A'' for honesty on that.
Mr. LAZIO. They are actually telling folks that fraud is being used in order to get this information, but holding out this fraudulent information for sale.
Mr. DOUGLAS. This is part of the disclaimer page from Noble Assets, again, one of the largest in the industry. They have that phrase right in their disclaimer telling you, ''We are stealing it.''
Mr. LAZIO. Thank you, Mr. Chairman. I yield back my time.
Chairman LEACH. Well, thank you.
I am tempted to observe that we have this movie called ''Face Off'' involving John Travolta and Nicolas Cage that was all about cutting off a person's face, and it ends up that was, as everyone knew, a farce. But in many areas of financial information, it is anything but a farce.
Mr. DOUGLAS. Behind a telephone I am faceless.
Chairman LEACH. Ms. Kilpatrick.
Ms. KILPATRICK. Thank you, Mr. Chairman, for having the hearing and for the testimony of the gentlemen. Quite intriguing I might add, as some of my colleagues have already stated.
A couple of questions to Mr. Schweitzer and to Mr. Douglas, I guess. I am not sure yet--and I have heard from your testimony you offered to help the companies, credit card and otherwise, to teach them how to reverse that process--why they are not interested.
Mr. SCHWEITZER. Mrs. Kilpatrick, I am surely interested. I have actually approached several credit card companies over the years, and, as I just stated previously, they are not interested. It does not cost them any money. When a broker gags an employee, he has not stolen any dollars from them; he has only engaged the employee in conversation. And that is why it is necessary that this legislation make minimal requirements of the financial institutions to protect this information, because if you do not, they are not going to.
Ms. KILPATRICK. Right. And that was a point I was getting to. Mr. Douglas, do you want to add to that?
Mr. DOUGLAS. In fairness to the industry, I think, and I hope this will change after today, I think even they do not realize the scope of this problem. I think today's hearing may help them sit up and take notice.
Ms. KILPATRICK. But if it is not costing them any money, as Mr. Schweitzer said, it is costing the people that we represent bundles, if not heartache and misery on top of the actual dollars.
Mr. DOUGLAS. Well, one of the things, Congresswoman, that I advise individuals who are concerned about this to do is to test their own financial institution's systems and, if they are not satisfied, take their accounts elsewhere. I think that will get their attention.
Ms. KILPATRICK. And this is the Banking Committee. That is why I want to single in on that. What is their responsibility? And you said, Mr. Schweitzer, and I think you both have said now, to make minimal requirements of the financial institutions. Can you give me an idea and speculate--or not speculate, tell me exactly what those minimal requirements might include.
Mr. SCHWEITZER. Well, Ms. Kilpatrick, I do not know that I know the verbiage that you would insert in this legislation, but along the lines of threatened vulnerability surveys of their system should be conducted to see how vulnerable they are under this type of attack, and then take the necessary steps to reduce that.
OK, we know that if an individual calls and does this, we will do this for them. How can we stop that? There are many ways. There are many ways.
Anytime you have the human factor involved in handling information, all it takes is not to follow procedure. Once procedures are in place, guess what? It is quite effective. And on many occasions I have called an institution--I should not say many occasions. Frequently I have called institutions and got an employee who follows the letter of the procedures. Guess what I do? I hang up and I hit ''redial,'' and I get someone else.
Ms. KILPATRICK. And they do otherwise.
Mr. SCHWEITZER. That is correct. I mean, I am not saying in any way, shape, or form that the banks are totally ignorant to the problem and do not have any idea what is going on. In fact, they do. They may not realize the scope of it or how big this industry is that is operating beneath their noses there, but they could take additional minimal steps that would prevent a great deal of this activity.
If you make it difficult, they go somewhere else. The reason people are in this business, the reason a number--I do not know, hundreds, thousands--of private investigators changed their title to information brokers is because they would rather sit on the telephone and make $400 or $500 an hour than they would walk out and knock on doors for $65 an hour. If you make it difficult for them, on top of if they get caught, they are going to go to prison, it will stop.
Mr. DOUGLAS. I would mostly echo that. In the beginning of my statement, I pointed out that much of the debate in society and the focus of society to date has been on the wrong area as far as the availability of information. It has been the collection aspect of common, everyday issues, such as Social Security numbers, addresses, phone numbers, when the real breakdown, as Mr. Schweitzer points out, is the human intelligence end of it, the human side of it. Because people naturally, and thankfully, I suppose, want to help, you can almost always, if you are smooth, overcome the security procedures that are in place if they are not enforced by the institutions.
Ms. KILPATRICK. And finally, in this free society of ours and the global market that we live in and the technology that is available, are either of you recommending anything that this Congress does in terms of making laws that restrict or expand, if it might, Internet access or what goes on the Internet, how we protect ourselves with the technology that is available?
Mr. SCHWEITZER. Let me just briefly answer that. I think we have already clearly defined in this country and around other parts of the world what is public and what is private, for the most part. Most people would believe that their banking information is private. I am sure you intend your banking information to be private. I am sure the custodian intends it to be private. There are just some people out there who have developed an industry and make an awful lot of money obtaining it.
But there is the absolute need for the flow of public information: Property records; voter registration; DMV, Department of Motor Vehicles; secretary of state filings; on and on. It keeps people honest. Would you like to buy a house if you could not check the sale history of it? Would you like to do business with a company if you could not see if they were incorporated within the State?
Ms. KILPATRICK. So certain things we want to keep.
Mr. SCHWEITZER. We want to keep them public.
Ms. KILPATRICK. What do we not want?
Mr. SCHWEITZER. The things that we already expect to be private: our financial records, our medical records. Our credit reports are only supposed to be used for specific purposes. The FCRA is very clear, although there is a clause that says, ''Any legitimate business purpose involving the consumer.''
Well, I guess if I am a private investigator, I would think it would be legitimate if I was trying to find that individual. You can interpret it any way you want. The information that an individual would believe to be private is what we need to keep private.
I do not think that there is any confusion as to what most people consider private. My phone calls should be private. They should not only not be intercepted, but I should not be able to get a list, or someone should not be able to obtain a list, of who I called all month long, because I have instantly developed your circle of friends, family and business associations by obtaining your phone bill. I now know everybody that you do.
Ms. KILPATRICK. And everything else.
Mr. SCHWEITZER. Your credit card charges, should they be public? Do you want everybody to know where you had dinner every night of the week?
The things that you already believe to be private are typically things that should continue to be private, and the things that most people take for granted are public should continue to be private. The problem does not lie in defining what is public or private. The problem lies in making it absolute, this is private, we will defend it, we will prosecute you.
Ms. KILPATRICK. The penalties. Then it goes back to the storer of the information and how they protect it?
Mr. SCHWEITZER. Yes, ma'am. I am not proud to say that I have been indicted three times in almost 18 years in this business. The first two indictments went away. The third indictment I ended up pleading guilty to, one count of conspiracy to bribe a public official.
I was getting the information from a former FBI agent, who was getting it from a current inspector general. It is pretty deep.
Ms. KILPATRICK. I think I saw a movie about this once.
Thanks. It is quite intriguing. Thank you very much.
Chairman LEACH. Thank you, Ms. Kilpatrick.
Let me say, we will have Mrs. Kelly be the last before the quorum call. Then we will come back to Mrs. Lee and Mr. Goode.
Mrs. KELLY. There are a couple of things I think should be said in the context of our discussion here. One is that the current bill--Mr. Lazio brought this out, and I want to make it clear--that the current bill that we have under deliberation contains a prohibition against deception and pretext, as you saw here in what Noble Assets was saying. So that would be prevented according to this bill.
The second thing is as Mr. Lazio was talking about domestic violence, I have worked with women's shelters in my area. There are more than a million women and over 350,000 men who are stalked every year in the United States, and this information is one of the ways that people get stalked. This is cyberstalking. This is something that I am very concerned about, and I am glad to see you talking about this, Mr. Douglas.
I am interested in how you would know, if you did not have, like Noble Assets has, deception and pretext up front, how would a person know that the information you are getting is obtained illegally?
Mr. DOUGLAS. It is extremely difficult, but the first tip-off point would be what had been obtained; would it come to the attention of the subject who is being stalked.
Obviously, if their credit card information, their banking information and other types of information are being spread around to their neighbors, as I spoke about the one case I am aware of, they would know that somebody had to get that illegally. The harder part of that is tracking it back to how it happened.
The case in Maryland, they have been able to track it back, I believe, to a private investigator in Florida and an information broker in Ohio who were just advertising and selling this. It took them quite an extensive period of time to determine that. So it is not easy.
Mrs. KELLY. My next question along that line is should there be a civil liability that attaches as a remedy here?
Mr. SCHWEITZER. I would be agreeable to that in the sense that if someone was to get into my personal information, I would sue them. I would not even blink, because I know exactly how they obtained it. Most people do not know. ''Oh, they got this about me. They got my number.'' They do not know that the individual broke any law.
What I keep coming back to, the draft here, is that you have to put the burden on the financial institutions. There is no way around it, Because there are peoplelisten, I have argued for 18 years that what I do, I could be prosecuted under the mail fraud and wire fraud statutes. I have shared that with every investigator and information broker in the country. They go, ''Oh, we are not doing anything illegal.'' I go, ''Yes, you are. Read the mail fraud statutes,'' because in 1952 they added the telephone to the mail fraud statute, and it says, if you commit any act of dishonesty on the telephone, we all know that if a U.S. prosecutor decides to go after someone, he can surely find something to indict you for.
There are many, I mean dozens of statutes out there already that you could prosecute these brokers for. They may not be specific enought that it gets the brokers' attention. This might. But because of the existing statutes, the brokers go, ''Oh, so what?'' You need to try to protect the information as well as enforce legislation or statutes to go after the individuals who violate them. You just have to.
Mrs. KELLY. Mr. Schweitzer, would it be a way of attracting customers for a financial institution to say that they were working with someone like you and had customer protections in place?
Mr. SCHWEITZER. Yes, ma'am. And that is the approach I took in marketing that service to a major credit card company was, look, don't you want to be a world leader in protecting your customers' data? I think that is a huge selling point. People are tremendously concerned about their privacy.
In addition, there are some things happening in the EU in the next 4 or 5 months. Guess what? If we cannot protect our own information here, do you think they are going to share theirs with us? Absolutely not.
Mr. DOUGLAS. If I could add one point. And call me a cynic, but I think some of those institutions do not want to hire somebody like Mr. Schweitzer and necessarily bring this to an end, because, as he has testified and I have learned through my many conversations with other brokers, it is some of those institutions that are purchasing this information.
Mrs. KELLY. That is scary.
Mr. DOUGLAS. It should be.
Mrs. KELLY. Thank you both very much.
Chairman LEACH. Thank you.
Let me notify the witnesses, this is a very profound day on Capitol Hill. We have a quorum call on the floor in which the House of Representatives is then going to congregate to do a formal visitation to the two officers that were slain. We will have a service at 3:00.
So I am going to recess the committee pending the vote on the floor and the viewing, and then we will plan to end the hearing itself by 2:45 to allow all Members to go to the formal ceremony. And so, what I would like to do at this point is to excuse both of our two witnesses.
I want to thank Mr. Schweitzer for his frankness and Mr. Douglas for precipitating in large measure this hearing. And we will go to the next panel pending the vote and the viewing, and I would just guesstimate this will be about a one half-hour recess. The hearing is in recess.
Chairman LEACH. The hearing will reconvene.
Our second panel is composed of Ms. Julie L. Williams, who is Acting Comptroller of Currency; Mr. Mozelle W. Thompson, a Commissioner with the Federal Trade Commission; and Mr. Jeff Clements, who is assistant attorney general for the Commonwealth of Massachusetts.
Chairman LEACH. We will begin with Mr. Thompson.
STATEMENT OF MOZELLE W. THOMPSON, COMMISSIONER, FEDERAL TRADE COMMISSION
Mr. THOMPSON. Thank you.
Mr. Chairman and Members of the committee, thank you for inviting me here today to discuss the Commission's views on protecting the privacy of consumers' financial information. The Commission strongly supports your efforts in this area and welcomes the introduction of your bill, the Financial Information Privacy Act, H.R. 4321.
At the outset, I would like to say that my comments this morning are my own and may not reflect the views of other Commissioners.
The FTC's mission is to protect American consumers by prohibiting unfair or deceptive acts under the Federal Trade Commission Act as well as other statutes governing specific industries and practices, including the Fair Credit Reporting Act.
Pursuant to this broad mandate, and particularly in the last few years, the FTC has done extensive work on the issue of consumer privacy. You have already heard witnesses describe the practice of pretexting. I would like to provide the Committee with a broader perspective on this problem based on our experience with privacy issues.
What makes this problem difficult to tackle and so serious is that it really is a chain of problems which feed upon each other. First, people are lying to obtain confidential information. Second, the information is being provided without consumers' knowledge or consent. Third, the information in some instances is being used for inappropriate purposes. And fourth, the information can now broadly and instantaneously be made available to anyone via the Internet.
The fact that we have a multifaceted problem also requires us to be creative and expansive in developing solutions. People have used deception to gather personal information about others for as long as there have been investigators, but recently this practice has become more pervasive and intrusive.
Fueled by growing public demand for information and rapid technological improvements, we have seen the development of a new class of high-tech private eyes, known as information brokers. The information they gather is often collected and disseminated without the subject's knowledge; and, for a fee, it can be made available to anyone via the World Wide Web. The Web sites of certain companies even claim that they can retrieve this information by keying in a few search terms into one of their many databases, and further imply that such services are perfectly legal.
Last week, the entire Commission appeared before Congress to discuss our recent survey of 1,400 commercial Web sites and our view of on-line privacy and self-regulation. While we are encouraged by recent progress in this area, much remains to be done, and we think Congress should act if industry does not take significant steps to protect consumer privacy by year's end.
In 1997, the Commission conducted and published a study of computer database services that make available personal identifying information used to locate and identify people, such as names, addresses, and Social Security numbers. These services, known as look-up services, or individual reference services, are a subset of the information broker industry. Our study prompted these services to develop a self-regulatory program, known as the IRSG Principles. However, the principles, which become effective next year, only address certain types of personal information and do not fully cover the activities at issue here.
In addition, since the principles govern only the actions of individual reference services, they will not apply to other information brokers, nor do they cover information obtained from public records, which is a major concern because so much is now available.
Given these limitations, the Commission will need to tackle deceptive practices by doing what it does best, law enforcement. The Commission can take action against fraud and other serious misconduct pursuant to the FTC Act. In addition, obtaining and reselling confidential financial information may be an unfair act and in violation of section 5 of the same law.
But the Commission believes that H.R. 4321, if enacted, would clarify for courts and information brokers that pretexting violates the FTC Act and could result in the imposition of civil penalties and criminal sanctions. The ability to obtain such penalties would send a strong message of deterrence to those who misuse information.
In addition, H.R. 4321 would enable States to bring civil actions and criminal agencies to impose sanctions. In short, H.R. 4321 would get to the heart of the problem by drawing brighter lines to illuminate the underlying deception involved in obtaining personal information.
We share the OCC's interest in working cooperatively to help the financial services industry address these problems. Consumer confidence in financial institutions depends on the security of their personal information. Unfortunately, these institutions' safeguards may now be inadequate, so we must find creative ways to regain the technological edge against information pirates.
Mr. Chairman, I commend your leadership in recognizing this growing consumer problem; and the Commission agrees that the additional authority provided under H.R. 4321 could make our enforcement actions even more effective in determining pretexting. We look forward to working with you further. I am happy to answer any questions you may have.
Chairman LEACH. Thank you, Mr. Thompson.
I would now like to turn to Ms. Williams, unless you want to catch your breath.
STATEMENT OF HON. JULIE L. WILLIAMS, ACTING COMPTROLLER OF THE CURRENCY
Ms. WILLIAMS. Mr. Chairman, I apologize. I was delayed in the metal detectors.
Mr. Chairman, I welcome this opportunity to appear before you today to testify on issues relating to the proper handling and safeguarding of customer financial information and the protection of consumer privacy. The OCC applauds your leadership in addressing the growing concerns about how customer information is used and sometimes misused in the financial marketplace.
These concerns have been heightened by recent changes in the financial services industry, particularly the continued trends of mergers and advances in technology. As banks merge or combine with other financial firms, the amount and types of information they have available has grown significantly. And, companies now can gather, analyze, and disseminate this customer data more efficiently and use it to target customers with products and services tailored to meet customers' needs and preferences. This information can result in increased business opportunities for industry and improved products and services for consumers.
But surveys reveal a growing uneasiness on the part of consumers about what becomes of their personal information once it passes into the hands of the companies receiving it. With whom is that information shared, and for what purpose? What safeguards do businesses have in place to prevent unauthorized individuals from obtaining personal information and using it improperly? Too often consumers cannot satisfactorily answer these questions on the basis of the information available to them. What they do know, based on what they read and hear in the media, is that more and more well-meaning Americans each year fall victim to information fraud and identity theft, causing hardship and inconvenience.
Mr. Chairman, the convergence of the two great trends of financial services consolidation and the information revolution confronts us with new challenges that need to be addressed on several fronts. Meeting the public's legitimate demands for convenience, safety and privacy in their financial dealings requires a constructive, concerted response from Congress, the regulatory agencies, and the financial services industry itself. Fortunately, action is going forward on all three fronts.
With respect to the OCC's activities, shortly after becoming Acting Comptroller, I convened a Privacy Working Group, which has already begun to look into three areas: the security of bank customer information, the adequacy of disclosure of their privacy policies, and bank implementation of the information-sharing provisions of the Fair Credit Reporting Act. Our activities in connection with these issues are described in detail in my written statement; however, I will focus on the first issue area this afternoon.
As you have recognized, Mr. Chairman, customer information security today poses a particular new concern. Bank personnel are sometimes persuaded by unscrupulous and persistent third parties posing as customers to divulge confidential account information over the phone. This information is then either ''brokered'' to legal users or to others who use the information to set up fraudulent checking or credit card accounts.
Most banks have procedures in place that attempt to strike a balance that preserves the integrity of customer data without unduly inconveniencing legitimate customers. In the course of our supervisory activities, the OCC also examines national banks to test security procedures for information systems.
But the problem we see today is different from what many bank information security systems are designed to address: the goal of unscrupulous information brokers is not to steal the money in the customer's account, nor to corrupt a bank's information system, but rather to steal information about the customer's account for use by others.
Recently, we have been working with the other banking agencies and the FBI, IRS, Secret Service, and FTC to develop guidance for the financial services industry that specifically addresses this problem of information brokering using ''pretext phone calling''. Our guidance is already in draft form.
It includes items on making bank employees aware of the tactics of information brokers; as well as detailed policies and procedures and guidelines about dissemination of confidential customer information; the use of authorization codes that are not commonly used types of information, such as not using Social Security numbers, savings, checking, loan, or other financial accounts or PIN numbers as authorization codes; and, finally, conducting unscheduled pretext phone calls to evaluate an institution's susceptibility to unauthorized disclosures of customer information.
These are the elements that we propose to advise banks about. Our efforts to tackle this problem to date, however, have been hampered by the fact that, at present, there is no Federal law that directly prohibits the procurement of customer account information from financial institutions under false pretenses. That is why we strongly support the Financial Information Privacy Act of 1998.
We welcome the opportunity to work with the committee on this initiative which will benefit consumers and promises to be of great assistance to regulators and financial institutions in their efforts to safeguard confidential customer information.
There are other areas that may warrant attention in the future. For example, at present, there is no requirement that companies adopt privacy policies or disclose to consumers what those policies might happen to be. Instead, we are, for now, looking to various industries to adopt meaningful self-regulatory policies -- policies that respond to consumers' privacy concerns, provide adequate disclosure about privacy policies, afford customers meaningful control over the use of the information they furnish, include reasonable steps to protect the security and integrity of that information and offer some compliance assurance mechanism. Although we have seen some promising developments in the banking industry in this area, time will tell whether industry efforts prove to be effective. If not, new steps will be needed.
Mr. Chairman, we commend you and Mr. LaFalce and other Members of the committee for recognizing how important the issue of consumer privacy is to the evolution of the financial services industry in this next century, and we look forward to working with the committee to address this challenge.
Chairman LEACH. Thank you, Ms. Williams.
Mr. Clements. I might say, by background, Mr. Clements is an Assistant Attorney General with the Commonwealth of Massachusetts who has brought one of the most significant actions in this area, and we welcome your perspective, Mr. Clements.
STATEMENT OF JEFF CLEMENTS, ASSISTANT ATTORNEY GENERAL, COMMONWEALTH OF MASSACHUSETTS
Mr. CLEMENTS. Thank you, Mr. Chairman and Mr. LaFalce, and thank you on behalf of Attorney General Scott Harshbarger for the opportunity to be here today to share some of our experience in taking enforcement action against privacy invasions by information brokers.
Twenty years ago the Privacy Protection Study Commission, which had been created by the Federal Privacy Act of 1974, concluded that ''Americans have long thought that the details of an individual's financial affairs are nobody's business but his own unless he chooses to reveal them. The recordkeeping policies and practices of depository institutions visibly reflect this view.'' Since then, nothing has changed about the public's expectation that their personal financial affairs are private.
Much has changed, however, in the areas of technology and information storage and retrieval. In recent years, so-called information brokers have taken advantage of some of these tools, and have begun selling the private financial information of others. This information includes bank account numbers and specific balances. It is important to bear in mind, however, that no publicly available database or record holds information like account numbers and balances. The information is not out on the Internet somewhere waiting to be uncovered with the right software.
As we have heard this morning, software databases and on-line directories may have contributed to the increased trade in private financial information by making it easier to locate banks in the area where the search target lives or works, but in the end, the bank account information is obtained by old-fashioned deceit and trickery.
Approximately two years ago we learned that a Massachusetts information business known as Bearak Reports was offering to lawyers, investigators and anyone else liquid asset reports on people, detailing the person's financial affairs. These reports included not only real estate and motor vehicle ownership, but also bank account numbers and balances. Bearak's customers received reports itemizing the private financial information of the search target, and the target had no way of knowing that their financial information had been obtained and disclosed to others.
The company insisted that it used proprietary methods to obtain the information from publicly available sources. Our investigation convinced us that these claims were false. Bank account balances and numbers are not publicly available, but are safeguarded as confidential by financial institutions. Working with BankBoston, which has provided a great deal of assistance in our efforts, we were able to obtain tape recordings of information brokers calling the bank and falsely claiming to be the account holders in order to trick the bank into releasing the bank account numbers and balances.
We also learned that such pretext calls are standard procedure for information brokers to obtain private financial information. Both banks and the search subjects are targeted for telephone calls where the information broker repeatedly lies about his identity and why he is calling in order to trick the bank or target into releasing confidential information.
I would add that Mr. Schweitzer's candid testimony, I think, confirms what we found in Massachusetts as a standard operating procedure of information brokers. In April, 1997 we filed a civil enforcement action under our State's consumer protection statute. We obtained a preliminary injunction barring the use of deception to obtain financial information and barring the sale or other disclosure of private financial information. After a period of litigation, Bearak agreed to a consent judgment incorporating the injunction against these asset searches and paid a fine of $50,000.
Since then Attorney General Harshbarger has brought enforcement actions against nine other information brokers, operating from Massachusetts, New York, California, New Hampshire, Washington and Missouri, who obtained private financial information about Massachusetts consumers from Massachusetts banks. One of these actions remains in litigation, while the rest have resulted in injunctions and fines totaling $225,000.
Are information brokers simply taking advantage of a gray area to engage in a legitimate business? We don't think so. While no Massachusetts statute specifically prohibits the buying and selling of private financial information, anyone who repeatedly makes false statements to financial institutions to trick them out of something of value should not be surprised that such conduct runs afoul of the law. Although Massachusetts has a broadly worded prohibition on substantial invasions of privacy and an electronic funds transfer act which prohibits the disclosure of account information, we believe that the Commonwealth's consumer protection statute also prohibits the conduct of these information brokers and provides an effective State enforcement mechanism.
The Consumer Protection Act prohibits unfair or deceptive conduct in trade or commerce and empowers the attorney general to obtain injunctions, restitution and penalties of $5,000 for each violation. We brought these actions under the consumer protection statute because its prohibition of unfair or deceptive conduct in trade or commerce squarely fits those who engage in deceit as a matter of course and who use false statements to obtain and sell private information.
Further, we believe that the consumer privacy invasion inherent in this trade falls well within the concept of unfairness as contemplated by the statute.
Finally, many of these information brokers market their services with false assurances that the information is publicly available, thus creating a deceptive veneer of legitimacy for customers, such as attorneys who are subject to professional ethical obligations which would prohibit such conduct.
My counterparts who are here from the Federal agencies are far more appropriately placed to comment on what, if any, Federal statutes apply to the deceptive conduct of information brokers. I would say, given the prevalence of the conduct throughout the Nation and the continued expectation of most persons that their bank account numbers and balances will not be bought and sold in the marketplace, that the interest of this committee and Congress and the Federal Government in addressing this problem is to be commended and encouraged.
Thank you again for the opportunity to share with you Attorney General Harshbarger's views on this matter.
Chairman LEACH. Thank you very much. I appreciate all of your statements and perspectives, and I am concerned in a number of areas, but first let me thank the Assistant Attorney General of Massachusetts for what I understand is bringing actions largely based on statutes that are not precisely directed at this issue, but are broader statutes on fraud. And the FTC is largely -- the activities to date that it has conducted have been on a broader statutory basis as well.
One of the questions, as we pursue this law, is where should the locus of jurisdiction in the Federal Government be. This bill is crafted to give it to the Federal Trade Commission. A future witness will testify, this is VISA, with the recommendation that it be given to the banking regulators.
Let me first ask Ms. Williams what your judgment is on that? Do you think it is more appropriate in terms of this statute to give the authority to the FTC or banking regulators?
Ms. WILLIAMS. Mr. Chairman, I think that under the legislation you have proposed, which focuses on those who procure information under false pretenses and then use it either knowingly, or in an instance where they reasonably should have known that the information was obtained inappropriately, it makes sense for the locus of jurisdiction to be the FTC.
In cases where a bank uses information that was obtained inappropriately under the standards in your legislation, then I think that the banking or thrift regulatory agency that is the supervisor of that particular user institution would be the appropriate locus for enforcement.
Chairman LEACH. That is a good distinction.
Mr. Thompson, would you concur in that?
Mr. THOMPSON. I think we would have to agree with the OCC, that we think that the FTC is uniquely suited here, because the problem has its roots in deception, a subject that we have spent decades working on and have experience fighting with our authority under the FTC Act. In addition, we have also taken enforcement actions where deceptive practices have resulted in improper uses of consumer information.
But what I would also like to say is, we have a history of working with the banking institutions and the banking regulators in areas that require reporting, such as the Fair Credit Reporting Act and other things, so I think it is a very good, cooperative relationship.
Chairman LEACH. So the title on your resume is Mozelle Thompson, Expert in Deception.
Mr. Clements, does this seem, from a State's perspective, a reasonable locus of enforcement at the FTC level?
Mr. CLEMENTS. From a State perspective, I don't think that I can fairly comment on which particular Federal agency is most appropriate. I would state, however, that our statute, like many of the State consumer protection statutes, is modeled on the FTC statute.
Chairman LEACH. So as an analog?
Mr. CLEMENTS. I believe that is true.
I would also add that the important thing in the Federal role is that these activities are going on nationwide -- our jurisdiction can only address Massachusetts, of course -- and that there be a Federal role is important, and which particular enforcement agency, I think is for you and the agencies to determine.
Chairman LEACH. One of the things that does have to be addressed, and I know that Ms. Williams is working on certain draft protections, but by perspective, the banks are being defrauded and their reputations are at stake, and so I think it is very important that whether we go forth with further refinements in this bill or whether the OCC and the State regulators go forth with further refinements and regulation, this is an issue that is critical to the banking industry for its reputation, as well as for consumer protection.
Ms. WILLIAMS. I could not agree with you more. This has been an issue. In the time that I have been Acting Comptroller, I have tried to highlight this as an issue where the banking industry should be leaders. The challenge that they face, as I mentioned, is the convergence of technology, bigness, and the accessibility of information.
There are a lot of very delicate lines to draw regarding the extent to which it is desirable to impose limitations which will be protections for bank customers, but will also be inconveniences. At this point, we are looking at areas of guidance where we think that banks should focus more on their internal procedures to protect against inappropriate disclosure of confidential customer information. Some of the issues that Mr. LaFalce mentioned this morning about more particular general obligations on banks, may also be worth exploring.
Chairman LEACH. Well, since you reference Mr. LaFalce, maybe I should turn to Mr. LaFalce.
Mr. LAFALCE. Thank you very much, Mr. Chairman.
Ms. Williams, Mr. Thompson and Mr. Clements, I think this is an unbelievably important issue. And I think we are just beginning to come to grips with the magnitude of the problem and we are just scratching at the surface of what the appropriate solutions should be. And we have to be careful in crafting this solution, too.
The bill that we have before us today uses the truth in lending law. But we extend this to requesters of information too. That is quite a step to take under the Truth in Lending Act. I joined Mr. Leach in taking that step.
I have some concerns about taking that step in and of itself, but I have even more concerns about taking that step without going up the chain and in some way holding the financial institutions accountable, too, because then they really could wash their hands of it.
Do you share any of those concerns, either about not going for the information brokers, but going for the information requesters in and of itself; and B, without going to the holders of the information, the financial institutions, broadly speaking? Share your thoughts with me on that.
Ms. WILLIAMS. I think I would first look at those targeted.
Mr. LAFALCE. The information brokers?
Ms. WILLIAMS. The standard for the requesters is, those that use the information with knowledge or on the basis that they should have known that the information was inappropriately gained.
Mr. LAFALCE. Historically, we have used the Truth in Lending Act to go to, not users, but providers of information?
Ms. WILLIAMS. I think there is some culpability on the part of the user, the party that takes the information which has been obtained by the information broker, if it is the type of information that by its nature is apparently inappropriate.
Mr. LAFALCE. Do you think that it is appropriate to use the reach of the Truth in Lending Act to get to the users?
Ms. WILLIAMS. As a technical matter, I am not sure how to answer that, since I was not looking at these provisions from that perspective.
Mr. LAFALCE. One of the advantages is that it avoids another committee's jurisdiction. Let me just go on.
Mr. Thompson and Mr. Clements, do you have any concerns about using the Truth in Lending Act to go to users, or had you not considered that?
Mr. THOMPSON. I would say that not in and of itself. If you would like further views on that, we can get back to you.
But what I would say though is, what is good about the way this bill is crafted is that it is sufficiently broad to provide a degree of flexibility in addressing this problem, but it is pretty narrowly tailored to this problem. So we think that it is a good balance.
Mr. LAFALCE. Do you have anything to add to that, Mr. Clements?
Mr. CLEMENTS. Not at this time.
Mr. LAFALCE. Ms. Williams, what about going to the user without going to the financial institution in the same bill, rather than perhaps sequentially?
One of the difficulties when you separate the bills into separate steps, you may not get to the second bill. Do you have a concern about going to the user without going to the financial institution itself?
Ms. WILLIAMS. I am sympathetic to the principle that there ought to be some obligations on the financial institution, defined as not just banks, but a broader array of financial institutions.
Mr. LAFALCE. That is a separate issue which I will get to next if I have time.
Ms. WILLIAMS. The bill, as currently drafted, will be very helpful to consumers, to financial institutions, and to regulators. If another component of it can be crafted to provide the balance of appropriate protection without causing customers undue inconvenience, then I am sympathetic to that approach. I would be happy to volunteer to work with the committee on the details.
Mr. LAFALCE. Do any of you have sufficient thoughts on that subject that you wish to express?
Mr. THOMPSON. Except to the extent that I think the OCC has taken real leadership in this area and I know that it is working extensively with industry about this and privacy generally, and we have been working extensively with them.
Mr. LAFALCE. We have significant jurisdiction, but in the world of information, financial information and other information, there is a much larger universe than the universe covered by the jurisdiction of this committee.
To what extent is the Federal Government or any of its entities considering these privacy issues? Are either of you participants in any task force? What studies are taking place? And what recommendations are being contemplated or being made for a universe of Federal laws that will deal with this existing and growing problem comprehensively?
Mr. THOMPSON. Well, let me try to begin. First of all, you are right, it seems like there is a great public concern about privacy of their personal identifying information. We have been involved in that issue from a variety of senses. The commission staff testified last week about the issue of identity theft and the important legislation that Senator Kyl introduced, and I believe there is a House counterpart now proposing to deal with that issue.
Mr. LAFALCE. That is an incremental thing that you have done -- specific, concrete and important. Is there any comprehensive view that is being taken of this whole issue with specific recommendations to address it comprehensively?
Mr. THOMPSON. What I can say is that we have been primarily focused on the consumer side of this issue and have given recommendations with regard to on-line privacy, that data.
But I would also caution this, and that is looking at how we in the Federal Government have approached regulation generally, and we have tried to avoid a one-size-fits-all approach; we have tried to look at the needs of individual industries, and tried to approach them on a sectorial basis, and that is what we are seeing now.
Mr. LAFALCE. I don't have any problem with that, but I wanted to make sure that we cover all of the industries and all of the sectors, and I am wondering if any entity has tried to take a comprehensive look at this? I am wondering if we need a bill to create a commission? I don't want to reinvent the wheel.
Ms. WILLIAMS. Congressman, I am not familiar with the details of all of the efforts. There are a number of interagency efforts that address privacy issues, but they tend, as Commissioner Thompson mentioned, to be focused on particular issue areas. I am generally aware that this is an issue the Administration is looking at. I am not personally familiar with the details, however.
Mr. LAFALCE. Does anybody else wish to add to that?
Chairman LEACH. Ms. Lee.
Ms. LEE. Thank you, Mr. Chairman.
Chairman LEACH. I want to be very generous in time for you because you were skipped over with the last panel.
Ms. LEE. Thank you, Mr. Chairman. Let me just thank you for conducting this hearing, and it is very clear from this hearing, as well as the hearing which you conducted on biometrics, that privacy issues are quickly becoming more complex and quite troubling.
Let me ask just a couple of questions, and whoever can answer them, feel free. Probably this question should be directed to Ms. Williams.
When information, financial information, is obtained either through illicit or through actual legal ways of procuring that information, when that information is provided for customer targeting or for illicit purposes, how is the consumer or the customer informed that that information has been released?
And my second question is that I am sure many of you are aware of the fact that Yahoo and Microsoft have programs now where mutual fund and other Web sites permit an individual to put their stock and mutual fund information on those Web sites, and it is consistently being updated so that the holdings are automatically updated as the stock and fund prices change.
Do we know whether or not the security codes and ID codes are sufficient to prevent access of other information brokers from receiving that type of financial information for individuals who, say, are sitting in their homes trying to just manage their stock portfolio?
Ms. WILLIAMS. Congresswoman, with regard to the second part of your question, I am not familiar with the security procedures or protections with respect to that particular software system.
The first part of your question as to how somebody may know what is happening to information that he or she may have provided to a particular company, whether it is a bank or another type of financial institution, is an excellent question. There are some provisions in law today that call for certain measures to advise consumers, for example, that their information might be shared under the Fair Credit Reporting Act before an entity may share information with affiliated entities within a corporate family. The customer is to be provided a disclosure and the opportunity to opt out, to say, ''I don't want my information shared with your affiliated companies.''
The way in which that opt-out process is handled in practice varies quite a bit, specifically the extent to which customers are given full disclosure of the type of information that would be shared, as well as the affiliate businesses that it might be shared with. There is great variation in the level of detail that customers get, as well as the prominence of the disclosure and the ease by which they are able to make their opt-out choice.
There is not any overarching standard that directs all types of businesses to tell their customers whether the company is collecting private information and how that information will be shared with other companies; nor is there information provided to customers about how to opt out. That opt-out mechanism exists in a limited area.
Ms. LEE. But if this information is disclosed and it is disclosed in a way that, for instance, harms the individual in the future, is there recourse under the law for the individual, the consumer, to sue based upon the release of this information without his or her knowledge?
Ms. WILLIAMS. It is unclear. It would depend on the type of information and the use to which it was put, as well as the way in which the consumer was damaged.
Mr. THOMPSON. With regard to your first question, one of the reasons that we have concerns at the commission is because in many instances the consumer does not know when their confidentiality is being breached. They don't know when the information is being sold or being bought by somebody who may not have the best motives. That is an issue of concern of ours, and one of the reasons why we think this bill is important is that it allows us to go after them and to seek penalties and so, perhaps, to chill that kind of business.
With regard to your second question dealing with privacy more generally and specifically on-line--that, we have made some recommendations as part of our report in June and most recently last week about on-line privacy and talked about some elements that we think are important for protecting the privacy of consumers, namely notice that somebody is collecting information from you on-line.
Second is choice, that a person has a choice as to whether their information is being collected or not and opt out.
Third is access to correct false information, and then security to make sure that the information gets to where you want it to go.
And finally, some enforcement mechanism so that if somebody's on-line privacy is breached, they have some recourse.
Those are the elements that we think are important for on-line privacy and that we think are important for any self-regulatory mechanism that an industry puts into place.
Ms. LEE. So could we just assume status quo at this point and that a person who is managing his or her stock portfolio has a risk of this information being picked up by whomever?
Mr. THOMPSON. I think whenever you give up personal information, there is a degree of risk. I think you have to look at what the policy of that company is, and they should be disclosing it to you along with the rights and remedies for you as the consumer, in the event that they do not comply with what they have promised you.
Also, pursuant to our deception authority, if they have gone on-line and promised you X, that they will treat your information in a certain way, and they don't do that, then there is a possibility that we could come after them for deceptive practices.
Ms. LEE. Just one more second, please.
Chairman LEACH. Of course.
Ms. LEE. With regard to the actual programs, Microsoft, Yahoo, any other system that provides a program for the management of one's mutual funds or stock, how do we know that those programs aren't loose enough to provide access to these information brokers who are trying to come up with the kind of information on the person's stock and mutual fund portfolio?
Mr. THOMPSON. That is hard to tell.
Ms. LEE. We don't have a way to know right now?
Ms. WILLIAMS. I am constantly amazed by news stories about the types of systems that hackers can get into. So if you are looking for a 100 percent level of comfort, I would say that it is not there.
Ms. LEE. Thank you, Mr. Chairman.
Chairman LEACH. Thank you.
Mr. VENTO. Thank you very much, Mr. Chairman. I apologize for not being here to hear from the witnesses, but I did read the statements.
As you notice, Mr. Thompson, I questioned an earlier witness about what you are referring to as the IRSG principles, the Individual Reference Services Group, and you said the 14 companies comprising most of the industry developed and agreed to self-regulatory principles; but of course, you point out that there is no admission by these individual companies or entities that they in fact are obtaining any information improperly today. I would not say ''illegally,'' but I would say ''improperly.''
The question is, do we have a good definition of ''improper''? There is a sale of information. Our States sell our driver's license registration, auto registration. Service providers, America Online at one point said that they were going to officially sell information, and there was such a storm of protest against it that they withdrew that; but informally, I think there had been some sharing of information and, of course, Web sites and the availability of a Web site to gain information.
Isn't it necessary that there should be an affirmative act on the part of the individual to permit the sharing of this information? I know for auto registration and driver's license, you can now rescind that authority, but it is usually an opt-out rather than opt-in type of system?
Mr. THOMPSON. In some States--and you are raising the problem of publicly available information which, because of increased technology and the availability of information, even public information can be used in a way that is inappropriate.
I am glad you raised a question about the IRSG principles, because we think that it is an important start, a helpful start with regard to the lookup services, those who maintain credit data, for example, and how that information can be disclosed. It only affects certain kinds of personal information and not others, and it doesn't cover fully the activities that you heard about this morning.
In addition, they only apply to those 14 signatories and not to other information brokers, and they do not cover public records.
I think the important part about the bill that the committee has before it is that it really gets at that broader subset and how that information is being used. We think that is very important.
Mr. VENTO. Do you agree that the prosecution of persons that are actually responsible or involved with these activities is a hit-and-miss proposition? I had the Justice Department suggestion, if it is not in the amount of $50,000, it is probably not going to receive their attention.
Mr. THOMPSON. I can tell you, we at the commission take action for a lot less than $50,000. It depends on the nature of the problem and the complaints we receive. We have a consumer hot line that talks to us about this.
But I would also say that the important part of this bill is not just the fact of individual actions that we are going to take sends a message about what is OK and not OK about the use of information, first of all.
Second, that it raises the cost of doing business for these information brokers to know that they have exposure, financial exposure, for engaging in some of these practices because right now with improvements of technology to do this is pretty cheap.
Mr. VENTO. I think acting Comptroller Julie Williams--I just picked up the ABA risk manager newsletter, and they go through a list of suggestions. I notice that you emphasized training in your testimony to avoid pretext telephone calling activities, and I looked at the list of responsibilities here.
Do we do any testing to determine whether or not financial institutions in fact are vulnerable to this particular type of activity?
Ms. WILLIAMS. That is one of the things that we will be recommending in the guidance that we are hoping to get out very shortly to financial institutions, that they test by having folks make pretext calls and see what vulnerabilities they may have in their institutions.
Mr. VENTO. For instance, I was just going to point out to you that one of the highlighted features here is demand that account inquiries be in writing. I mean, it sounds to me if the suggestion is that we have to tread very lightly here and let this system grow, if you look at their own suggestions--although they are not endorsing this as a bill, it seems to me that they are perfectly willing, at least the association is willing to make some recommendations that are pretty tough.
I have gone through this issue in terms of not permitting service providers of Web sites or others to share information without having a confirmation in writing, and they thought that it would destroy the entire Internet activity and growth.
I think that is properly where much of it is at, just empowering people to make decisions themselves and then determining what should be done.
Thank you, Mr. Chairman.
Chairman LEACH. Thank you.
Mr. SHERMAN. I want to commend you for holding the hearings, and I think the panel has been here a long time, and I would yield back.
Chairman LEACH. Thank you.
I am appreciative that Ms. Williams' and Mr. Thompson's offices at the Federal level are supporting this, and we thank them for their cooperation. And we want to commend the State of Massachusetts for their leadership in this area, and I thank this panel very much.
Our third and final panel will be composed of Mr. Boris F. Melnikoff, who is Senior Vice President of Wachovia Corporation, appearing on behalf of the American Bankers Association; Mr. Eddy L. McClain, National Council of Investigation and Security Services; Mr. Robert Glass, who is Vice President of National Information Services, LEXIS-NEXIS, appearing on behalf of the Individual Reference Services Group; Mr. Evan Hendricks, Editor and Publisher of Privacy Times; and Mr. Russell Schrader, Senior Vice President and Assistant General Counsel of VISA U.S.A.
Chairman LEACH. Let us begin with Mr. Melnikoff of Wachovia Corporation. I would like to request that you pull the microphone substantially closer. I think that would be helpful.
STATEMENT OF BORIS F. MELNIKOFF, SENIOR VICE PRESIDENT, WACHOVIA CORPORATION, ON BEHALF OF THE AMERICAN BANKERS ASSOCIATION
Mr. MELNIKOFF. Mr. Chairman and Members of the committee, I am Boris Melnikoff, Senior Vice President of Wachovia Corporation. I have served as Chairman of the American Bankers Association Security and Risk Management Executive Committee and its Security Committee, and currently serve as Chairman of their Money Laundering Task Force.
I am pleased to be here this afternoon on behalf of the ABA to discuss financial privacy, the problem of identity fraud and merits of your bill H.R. 4321, the Financial Information Privacy Act of 1998, which is designed to address a troubling aspect of fraud, deceiving banks into divulging customer information. The ABA is pleased to support this bill. I am glad to be here this afternoon to convey ABA's support of the measure, which penalizes individuals and entities which use deceit to obtain private bank account information.
The financial industry has been very active in its efforts to prevent all types of financial fraud and to provide extensive privacy for the consumer and the consumer's data. We are committed to customer privacy in our industry and support any reasonable attempt to go after those who prey on individuals and steal personal information from financial institutions to commit fraud. The long-held industry position to strengthen consumer privacy protection is evident by the strong support of the Federal identity theft legislation.
Mr. Chairman, our association has also focused on the problem you are addressing today, and we stand ready to work with Congress to ensure that personal data of consumers is not misused or compromised without adding unnecessary requirements on the industry. We believe that the industry's efforts in privacy, fraud prevention and education already greatly assist consumers in protecting their information. Together with your proposal, Mr. Chairman, private and public partnership will further strengthen electronic commerce.
My written testimony covers three areas: the banking industry's historical commitment to privacy; ABA's strong support of fraud prevention, how identity fraud works; the need for Federal identity theft legislation and penalizing individuals who steal personal financial information for profit.
Mr. Chairman, I believe it would be useful for the committee to understand the nature of these frauds that rely on false and stolen identity. As you can see, the fraud artists rely on two methods, stealing from valid existing accounts and creating bogus accounts for fraudulent purposes. Fraud artists rely on valid accounts by obtaining personal information about the target account holder in various ways.
Mr. Chairman, the industry is consistently searching for new ways to prevent these types of fraud, primarily relying on technology procedures, education and reporting. The specifics of this are included in my written statement.
Since April of 1996, all financial institutions have been required to file suspicious activity reports, or SARs, on potential violations of Federal criminal law. Financial institutions may be penalized for intentional nonfiling of the SAR, but also receive civil liability protection from customer lawsuits for filing the SAR. Therefore, all financial institutions are required by law to file a SAR on transactions that may constitute check fraud, check kiting or other forms of bank fraud.
Mr. Chairman, I would also like to note that your money laundering bill, H.R. 4005, would give the industry additional protection for alerting an institution to the possible violation of law committed by ex-employees. This initiative would further assist us in preventing fraud.
Mr. Chairman, our association strongly supports House and Senate bills designed to address identity fraud; consumers and the entire business community stand to gain from any effort that strongly penalizes individuals who steal identities. The bill will make an important statement that if you steal another's identity, by whatever means, you will be punished.
The financial and emotional problems identity fraud causes consumers have been well documented. The financial industry is also harmed by identity theft because it leads to credit, debit card fraud, mortgage loan fraud, money laundering and, of course, check fraud. The ABA believes that the proposal such as these enhanced law enforcement tools are important to the Government and private sector's efforts to lessen the forms of fraud committed against banks and other institutions.
Mr. Chairman, support of these measures and privacy will help consumers. You have asked us for an opinion on the Financial Information Privacy Act. We support this legislation. Recent stories, such as the June, 1998 The Washington Post article on abuse of account information by data brokers, emphasize the need to penalize those who steal account information. These types of activities harm all of us and affect the credibility of the institution.
I would just like to share with you, Mr. Chairman, one section that deals specifically with Wachovia as it comes to protecting information. We have a very, very strong policy which reads, ''Wachovia employees have access to confidential information about customers, employees and the plans, performance and services of the corporation. Such information is among the most valuable assets of Wachovia and must always be treated as strictly confidential. Confidential information shall not be misused by employees, former employees, or outsiders. Disclosing confidential information to persons not entitled to such information and assisting any person in gaining unauthorized access to company records are both a direct violation of Wachovia policy. The communication of false or derogatory information about Wachovia, its customers and employees is also a violation of corporate policy. Violations of this general information security policy or more specific requirements included in the standards and procedures applicable to individual functions of Wachovia will result in appropriate disciplinary action, which may include termination of employment and legal action.''
We have seen this as a problem not only in our institution, but institutions across the country; and in closing, our members applaud your dedication to privacy protection, and we are happy to continue working with you on this important proposal. As you refine and move the initiative, we urge the committee to ensure that legitimate business uses of information are not hindered. Your bill as currently drafted should go a long way toward further protecting customer privacy.
Thank you, Mr. Chairman.
Chairman LEACH. I thank you, Mr. Melnikoff, and before turning to Mr. McClain, let me ask unanimous consent that statements by Master Card International and America's Community Bankers be presented in the record at the conclusion of the final statement of Mr. Schrader, and without objection, so ordered.
STATEMENT OF EDDY L. McCLAIN, MEMBER, BOARD OF DIRECTORS, NATIONAL COUNCIL OF INVESTIGATION AND SECURITY SERVICES
Mr. MCCLAIN. Good afternoon, Mr. Chairman. My name is Eddy McClain. I am Chairman of Krout and Schneider, a 71-year-old private investigative firm in California. I am appearing this afternoon on behalf of the National Council of Investigation and Security Services, NCISS, representing both investigative and security service companies throughout the United States.
Before I begin, I would just like to say that I have never been indicted or convicted of a Federal felony. I find it chilling to find someone representing himself as being someone in my profession who is advising Congress, and I just was wondering if Willie Sutton ever appeared before the Banking Committee.
Chairman LEACH. If the gentleman would withhold for a minute, we invited the gentleman because he had expertise in a given subject, recognizing that he has had certain legal difficulties. That happens occasionally as a way of making it clear what happens in the law enforcement arena.
Mr. MCCLAIN. I believe he epitomized the problem. You couldn't have found someone any better to do it.
Our members share the concerns expressed here this morning with the privacy of financial records. We do not believe the general public should have access to confidential information about an individual's bank accounts or assets held by financial institutions. As consumers ourselves, we are dismayed by the conduct of a growing number of so-called information brokers who advertise they can provide an individual's private financial information to anyone willing to pay a fee. We suspect much of this data is probably obtained by questionable means.
Well, after this morning we don't suspect it any longer.
NCISS supports the thrust of the proposed legislation with some change and clarification, which we are submitting in our written material. To the extent the legislation would limit the use of deceit to obtain financial information from banks, we applaud it. Our concern is that in its effort to protect individual privacy--and Mr. Vento mentioned this--Congress could inadvertently impede our ability to provide essential services.
We believe, for example, that Congress made a grave error when it last amended the Fair Credit Reporting Act. The result is that the law now effectively requires employers to inform employees before investigators may conduct an investigation for the employer. The notice requirements thwart any kind of quiet inquiry in cases of suspected theft, sabotage, embezzlement, fraud or drug sales on the employer's premises. It doesn't take much imagination to guess what will become of evidence once notice is provided to an employee under suspicion.
In reviewing the statute, the Federal Trade Commission has determined that such notice must be given in any investigation that affects employment status. Our only resource is to ask Congress to revisit this issue and correct what has become an untenable situation for employers and investigators.
In April, the City of Cleveland was accused of violating the act repeatedly by attempting to verify the accuracy of statements by job applicants and employees about their criminal histories. This was after finding that several employees had failed to disclose criminal histories. The act prevents us from informing clients of pertinent facts and is in conflict with laws which require banks to investigate applicants for employment.
As amazing as it may seem, section 605(a)(5) prevents me from telling an armored car or bank client that they are about to hire a convicted bank robber if the disposition of his prior conviction is more than seven years old. Likewise, we can't tell the school district they are about to hire a pedophile, a murderer or rapist. I wonder if this is really what Congress intended.
We may inform the client about these crimes only if the applicant will earn more than $75,000 per year. Few armored car drivers or bank tellers earn that salary, nor do most teachers, nannies or health care workers. We are hopeful that you will remedy these infirmities in the amended Fair Credit Reporting Act, which became effective last October.
Once a court renders a judgment, creditors are on their own to find assets and attach them. Debtors often conceal assets. When a judgment for money lawfully owed has been obtained from a court, licensed investigators must use public records and conventional means to determine the location of bank and brokerage accounts. Subpoena power is useless if you don't know where to serve it.
Families often ask licensed investigators to find the account of a breadwinner who has died or is incapacitated or has become incompetent due to Alzheimer's disease. Such accounts are often diverted by health care workers or financial advisers.
Frequently, we must locate the assets of individuals who owe child support payments or alimony. Hiding assets is quite common following a marital breakup, and many spouses are kept in the dark about financial matters.
Though Congress and States have attempted to address this issue, the bulk of the work continues to be done by private investigators. If you walk into a police station today to complain of identity theft, you will be met by a blank stare. You probably can't show that a theft has taken place or prove the amount of your loss. Victims have the choice of doing their own sleuthing or turning to professional investigators for assistance. This crime is likely to proliferate in years to come, and it would be unfortunate if laws were enacted which would cause financial institutions to fear cooperating with investigators.
The Federal Trade Commission, following its recent privacy hearings, concluded that licensed private investigators--and I emphasize ''licensed''--should retain the right to access personal information not available to the general public. In addition, Congress recognized the need for licensed investigators to obtain information essential for the legal process when it enacted the Driver Privacy Protection Act, which permits licensed investigators to access information for use in civil and criminal proceedings. Providing licensed private investigators who represent litigants or their counsel legal access to the information needed to perform their jobs and penalizing violators who have no legitimate business purpose would dry up most of the black market for rogue information brokers.
Private investigators, licensed private investigators, are an important and integral part of our legal system who should not be impeded from legally doing their jobs. I will be happy to work with your staff and review suggestions contained in our written statement.
I appreciate the opportunity to appear before you today, and I will be pleased to respond to any questions you may have.
Chairman LEACH. Thank you, Mr. McClain.
And before turning to Mr. Glass, let me make it clear that Mr. McClain represents a reputable company and a very reputable industry, and he is speaking on behalf of the reputation of an industry, and we appreciate his testimony.
Second, an extraordinarily reputable company from my area called Per Mar has made the exact same points the gentleman has with regard to the Fair Credit Reporting Act, and I think this committee will take a good hard look at all of the implications of that Act.
STATEMENT OF ROBERT GLASS, VICE PRESIDENT OF NATIONAL INFORMATION SERVICES, LEXIS-NEXIS, ON BEHALF OF THE INDIVIDUAL REFERENCE SERVICES GROUP
Mr. GLASS. Thank you for the opportunity to testify before your committee on behalf of LEXIS-NEXIS and the Individual Reference Services Group. Representing LEXIS-NEXIS, our company supports your draft bill, and while we have not polled all of the members of the Individual Reference Services Group, I am confident that the members would strongly support your goals, in principle.
I am currently Vice President and General Manager of the NEXIS Business Information Group, and as such, I am highly familiar with our company's information practices.
My testimony today will address three points: first, the privacy policies of LEXIS-NEXIS; second, the enforceable self-regulatory code our industry has developed in cooperation with the FTC; third, our support for the goals of your draft legislation which should target abuses while preserving the important benefits of responsible information services.
LEXIS-NEXIS is the world's leading provider of enhanced information services and management tools for legal, news and business professionals. LEXIS-NEXIS is headquartered in Dayton, Ohio, and has more than 6,700 employees serving customers in more than 60 countries. LEXIS-NEXIS would never supply detailed personal financial information obtained from a bank or other financial institution, such as account numbers, balances or passwords or some of the other information that has been talked about this morning and this afternoon.
We would never supply information obtained through pretext calling or other deceitful means. We check on the practices of our data suppliers and conduct site visits from time to time to confirm the practices of our data suppliers. We check to ensure that the information in our databases was obtained ethically, and that it is ethical to make that information available to others. We also work very hard to maintain the high level of accuracy for our databases that our customers demand.
Last year, and as Mr. Thompson previously testified, LEXIS-NEXIS, along with other leading companies in the business of providing information services and in recognition of a heightened interest in issues related to their services, came together as the Individual Reference Services Group, or IRSG, to take a leadership role in developing a self-regulatory framework to ensure consistent and comprehensive information practices for those companies. IRSG members have pledged to implement these principles fully by December 31, 1998.
The IRSG has adopted enforceable industry self-regulatory principles which prohibit obtaining information through deceitful means, as well as making nonpublic information, such as bank records, available to anyone over the Internet.
Working closely with the Federal Trade Commission, LEXIS-NEXIS joined with these other leading information services, including the three major credit bureaus, to develop these principles. The principles prohibit acquiring information obtained through illegal or deceitful means. The principles require member companies to employ sound data security methods. The principles require that nonpublic information, such as the financial information that is the subject of your draft bill, be available only to identified subscribers who have met special verification requirements and have stated their intended use of the information. Therefore, I would respectfully disagree with what I believe Mr. Thompson stated earlier, and I do apologize if I am misunderstanding what he said.
I do believe that the IRSG principles do cover private, personally identifiable financial information even though companies such as ours do not provide it. These principles are self-regulation with teeth. They are enforceable by the FTC and State Attorneys General, by cutoffs of data from credit bureaus and by outside audit. We hope that these principles will be helpful to the committee as it considers draft legislation.
Mr. Chairman, we strongly support the goals of your draft legislation to prohibit access to personal information through false pretenses or other deceitful means. It is entirely appropriate to target such activities, but we urge you to do so in a way that does not sacrifice the important benefits that flow from the individual reference services.
Individual reference services, such as those provided by LEXIS-NEXIS, have a wide array of productive and socially beneficial uses. A major use is preventing fraud. For example, the Secret Service, Financial Crimes Enforcement Network, American Bankers Association, and National Retail Federation have all testified previously before the FTC of the importance of these services for their work, preventing and pursuing fraud. Other important uses include tracking so-called deadbeat parents who owe child support, locating long-lost family members, locating heirs to estates, pension fund beneficiaries, and witnesses.
We believe that legislation should be targeted at abuses and would like to continue to work with you on some of the details.
Thank you again for giving me the opportunity to testify on behalf of LEXIS-NEXIS and the Individual Reference Services Group.
Chairman LEACH. Well, thank you very much, Mr. Glass.
STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, ''PRIVACY TIMES''
Mr. HENDRICKS. Thank you, Mr. Chairman.
My name is Evan Hendricks, editor and publisher of Privacy Times. I have been covering privacy law since 1977, over 21 years, and I think it is fair to say this is a very historic occasion, and I believe that Al Schweitzer's testimony this morning was comparable to -- he was to the information broker industry what Valachi was to the Mafia. And to get your hands on a problem, you have to understand what are the details of that problem, and I think that is what the committee did today.
People ask me what do I think is the biggest threat to privacy. The issues being covered today, the information broker industry, I consider the biggest threat to privacy because it hones in on the abuses and when things go wrong, they really go wrong.
And so, I congratulate the committee and the Chairman for holding these hearings. I think you are not only serving your constituents, you are serving all Americans. Your leadership on this is exemplary. And I have to say that I welcome the constructive efforts that you and other committee Members, Ms. Roukema and Mr. LaFalce and Mr. Vento, played on the Fair Credit Reporting Act. That was a long-needed amendment to pro-consumer law and I think was a lot of hard work for all of us, but it was very welcome.
And Mr. Vento's Internet privacy law is something that we hope will get through this Congress. Mr. LaFalce, I was in this room back in 1978, when we passed the Right to Financial Privacy Act, and you might not recognize me. I am a little bit more gray now than I was back then.
Mr. LAFALCE. So am I, Mr. Hendricks.
Mr. HENDRICKS. I share your concern on that.
But I think this is an important issue because it goes to the heart of the problem of the vulnerability of our personal information. And in my testimony, for people who do not think this is a problem, I have included a waiver for them to sign so we can do a demonstration for you. It says, ''I,'' state your name, ''hereby authorize Evan Hendricks and his agents to obtain my financial data and use it without restriction. Hendricks and his agents shall not use this waiver to obtain my data, but must use information brokers' traditional tactics, including, but not limited to, pretext calls, bribes and reliable sources. I hereby release Hendricks and his agents from any liability resulting from his obtaining and/or using my previously confidential financial data.'' Just sign on the bottom line and I will turn this over to Al Schweitzer and we will get to work and see if we can demonstrate the problem for any nonbelievers.
I met Al Schweitzer in 1992 on the Oprah Winfrey Show and since then have been trying to get his story spread, and I welcome this day that we are finally getting it on the record.
The problem is going to get worse. I mean, financial institutions not only contain your bank information but they are also engaged in what is called data warehousing, so they are going to outside sources to try to supplement the information they have on you. That means they are going to be sitting on that much more personal information. And I think one of the things that is very heartening here today is industry is taking a very enlightened and I think responsible approach by endorsing legislation to target the abuses as they see them, and I think that is a major step forward in itself.
And I also think, as we have discussed, this is not just a problem with financial institutions. There is a case in, I believe, Texas where a phone company employee let out to some -- I believe were drug dealers looking for someone who owed them a debt -- the address of someone with a private phone number and they went to that address and did not find the person they were looking for but found the sister of that person and killed them. And that is a pending litigation in Texas.
My brother is an attorney in Portland, Oregon, and he had a case where a woman was fleeing an abusive spouse and did everything to try and keep information private, but I believe it was leaked out by a pharmacy. So this is a broad issue, but I am glad we are at least addressing it in the financial context.
The important thing to remember when we talk about privacy is that we are talking about privacy because privacy is for individuals. And we spend a lot of time talking about the institutions and the enforcement mechanisms, the FTC, the Attorney General's Office. But one of the things that is missing from this bill which I think we can get in easily and which I think we all agree on is that there should be a private right of action for individuals to sue information brokers who invade their privacy, and there should be attorneys fees for those cases because those information brokers are making money selling that information.
And I apologize to the staff for not bringing this up earlier, but there was a lot of travel going on in July for me. But I think this is just a common-sensical approach because we are never going to be able to get the budgets and the staff for all enforcement agencies to do the job on such a huge issue, and so we have to empower individuals to enforce their own privacy rights whenever we can. So I think that is something that could be a major improvement in the bill and something which I think there could be easy consensus on.
I think the tougher issue and the one that Congressman LaFalce continues to raise is what obligations should financial institutions have. And this is a tougher issue politically as well, because no one wants to assume a liability that would be unfair. And I would be the first one to say that financial institutions cannot be blamed entirely for the fact that there are criminals and fraud artists and scamsters out there trying to exploit their systems.
But if you go to the Privacy Act, there is a standard in there, which I think is a very general standard, which says you have to do something. And it is my testimony. It says if Federal agencies already live under the standards, they must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
What that says is that they have to do something and if they are notified that there is a real threat or problem going on and they completely ignore the issue, then some sort of limited liability would kick in. I think that is something that, since Federal agencies have lived under that standard, I do not think it is asking too much that we consider that for the industry in general.
And we have a major problem with computer hacking in this country, and what has happened is that computer hackers as they grow up they become computer security experts; and everyone in the industry knows you need a former computer hacker to guard your systems, and now you have competition to test systems. And I think that is what we need to move toward in this area, and I think that is why this hearing is so important because we will begin to do that.
We need to have that sort of evolution where people who are on the wrong side of the fence and now willing to come to the right side of the fence can start teaching organizations how to guard against what they used to do. And I believe that this is something that Al Schweitzer is interested in doing. I would be interested in working with him. And I think legislation is very important here, but in the meantime we have to do something. And I think if we start working on this sort of training and testing and auditing programs, with the appropriate knowledge and expertise, we can accomplish this even before legislation and actually establish the standards that maybe we can all live under.
And I also agree with Mr. LaFalce that this is an issue that requires some centralized direction. I think a privacy commissioner is necessary, and I hope that I get a chance to maybe answer you. You asked what the Administration is doing. I did not hear any straight answers. I would be happy to try to get into that later if we have more time and maybe about the EC as well.
Thank you very much. I will be happy to answer any questions.
Chairman LEACH. Thank you, Mr. Hendricks.
STATEMENT OF RUSSELL SCHRADER, SENIOR VICE PRESIDENT AND ASSISTANT GENERAL COUNSEL, VISA U.S.A., INC.
Mr. SCHRADER. Chairman Leach, Ranking Member LaFalce, and Members of the committee, my name is Russell Schrader. I am Senior Vice President and Assistant General Counsel of VISA U.S.A., and I thank you for the opportunity to testify today.
VISA is the largest consumer payment system in the United States and the world. We have 21,000 financial institution members around the globe. Consumers hold over 641 million VISA cards, which are accepted at more than 14 million merchants and can be used at nearly a half million ATMs around the world.
We believe there are few companies better qualified than VISA to discuss the prevention and detection of fraud. This issue is critically important to VISA and to its members. We view it as essential to maintaining the confidence of consumers and merchants as well as the integrity of our brand.
Over the years, VISA has devoted enormous resources to combatting fraud. These efforts have been highly successful, and we have reduced dramatically the incidence of fraud. For example, VISA's ratio of fraud to sales has been cut almost in half since 1992. It now stands at a record low of 8 cents per $100. During recent years, the absolute number of fraudulent transactions has also declined even as card volume has soared.
Now, while we have had unprecedented success in our war on fraud, we recognize that credit and debit card fraud will never be completely eliminated. Those who specialize in trying to defraud financial institutions are extremely sophisticated. We constantly employ new mechanisms and new technologies. They develop new schemes. Their goals are to seek loopholes and stay one step ahead of detection and prosecution.
VISA has long supported efforts to address many forms of financial fraud. We applaud you, Chairman Leach and Congressman LaFalce, for rapidly focusing on the topic of today's hearing; namely, the theft of consumer information by unscrupulous information brokers. These information brokers victimize not only consumers but financial institutions as well. These activities should be subject to swift prosecution and criminal punishment.
We believe that H.R. 4321 can provide a useful first step in addressing these crimes. In particular, section 1003(a) of the bill contains the framework on which to build an effective deterrent. However, we are concerned that the language included in section 1003(a) will have unintended consequences. It could prohibit certain activities which would not rise to the level of a criminal act.
For example, as it is now written, it would be a crime for consumers to get their own information if they misstate the reason for getting that information. This can occur where a consumer wants to hide the true reason for requesting his information, such as in a tax audit or a divorce proceeding.
Likewise, reporters or researchers who are looking at public offerings will be guilty of a crime if they obtained a publicly available prospectus by saying they are interested in purchasing stock rather than revealing their true research motives.
These unintended consequences could be avoided. By prohibiting only those activities that are conducted with an intent to defraud or to otherwise harm the financial institution or consumer, an intent standard in the legislation would comprehensively prohibit the types of activities in which unscrupulous information brokers engage today. It would not inadvertently criminalize behavior, which in some cases may be morally questionable but which should not be criminally actionable.
That concludes my testimony. Once again, I would like to commend the committee for acting on this issue so quickly, and I thank the committee for the opportunity to present these views. I would be pleased to answer any questions you may have.
Chairman LEACH. Thank you, Mr. Schrader.
First, let me just comment that we are in the process of developing a manager's amendment to this bill and there will certainly be one as we move to markup, which may be as early as next week; and that I have become particularly concerned this last week about two issues Mr. Schrader has mentioned, one, a consumer seeking his own information, and second, about publicly available information. And we will have to move to be very cautious on that score.
An intent standard is one way to do it. There are other ways to do it as well. But we will look at the intent standard that the gentleman has suggested. In fact, we will look at all of the suggestions of this panel. I am a little doubtful we can go as far as Mr. McClain has suggested, exempting an entire industry from coverage in the bill, because that leaves the assumption that everybody in the industry is behaving perfectly and that is an assumption in law that would be difficult to assume.
But we will take into consideration ideas that have been expressed both verbally as well as in the extensive statements of the Members, all of which has been placed in the record. And we are certainly open to further suggestions that anybody may have because this is an area of rather extraordinary significance.
Mr. LAFALCE. Thank you very much, Mr. Chairman.
Mr. Hendricks, I thank you for refreshing my recollection about the activities that I engaged in 20 some years ago on financial privacy. I remember working very closely with then Attorney General Ben Civiletti and his assistants at the -- was it Legaramo? I have forgotten the exact name.
John Heimann was the head of the OCC at the time, and I remember working very, very closely too with then Representative from Nebraska John Cavanaugh. He was actively involved with me.
What were you doing at that timeframe, Mr. Hendricks?
Mr. HENDRICKS. I was writing a privacy newsletter which preceded the one that I started myself.
Mr. LAFALCE. OK. Very good.
Well, we were just scratching at the surface. That was a very important law at that time. But the world has exploded since then. The information that is available today is so much larger, it is a new world, and so much more readily with the Internet, that the need today is far, far greater than it ever was even then. And we have got to build on that.
I have been emphasizing the need for some institutional responsibility above and beyond the brokers. And you have raised another point that I think is -- I do not want to say of equal importance, perhaps it is of even greater importance, and that is the whole subject of effective enforcement of whatever legal standards we do impose. And we are having that debate on a patients' bill of rights now. You need to enforce it.
So often the FTC is the only enforcer. And they have such limited resources, whether you are dealing with the obligations of franchisors, you name it. So the whole subject of a private right of action, at least with respect to actual damages done, is extremely important and one that we ought to visit, too.
Clearly, it will have more political difficulty, but it is of tremendous importance. If we were at the beginning of this Congress, I would insist that all of these issues be taken up at one fell swoop. We are not. We are at this point in the Congress. And, so, we will have to make our judgments accordingly and do the doable. I think a private right of action might well be doable within this context.
I want to visit with you and others. I heard some other issues, though, on the whole subject of computer hackers, a privacy commission. I am convinced we need a privacy commission. But I am also intrigued. You mentioned the EC. It is my understanding that the United States Department of Commerce right now is working with the EC because the EC right now does have laws and rules that are applicable that are far broader in scope than those laws in existence either on a Federal or State level in the United States and that the U.S. Department of Commerce may have to come up with at least some recommendations that would make our laws compatible with the EC's laws and regulations, and they have to do that in fairly short order. I am not sure exactly what the timeframe would be, and I am not sure exactly what the ramifications would be if we were not. But I think they are quite stringent and severe.
Could you expand upon some of these issues?
Mr. HENDRICKS. Yes. And in honor of the ceremony at 2:45, I will give you a brief version on this and talk as fast as possible.
The EC has a directive which takes effect the end of October. They have one law that gives you rights to your information and says it cannot be used for other purposes without your knowledge and consent.
Mr. LAFALCE. Knowledge and consent.
Mr. HENDRICKS. Knowledge and consent for other secondary purposes basically. And they have a privacy commissioner so you have somewhere to go if you have a problem. You just pick up the phone and they are supposed to investigate for you.
This is the system that Sam Ervin envisioned when he first proposed the Privacy Act, and then the Privacy Act just covered Federal agencies. We had the Privacy Protection Study Commission. You remember all that. And then we have sectors covered, and some sectors did not end up getting covered for different reasons.
So the EC looks at us and says, this is a human rights issue to us. We remember Hitler. He goes into town and he gets the list of Jews, communists, homosexuals, whatever; and, so, they take the issue very seriously. They do not want information on European citizens going to countries that do not have protection. And since we have huge gaps in the United States. We have a lot of video rental records. Because remember Judge Bork? But we do not have one that protects medical records. They see that there are some areas that they do not want information of their citizens to come to the United States. That has major implications.
And the Commerce Department is weeks, maybe only days away, from issuing their report about what they should recommend. I fear that they will still be too timid and not recommend sort of the legislative proposals that I have been urging them to do for the last two years. They wanted to give voluntary self-regulation a chance. They have. It has not worked.
Mr. LAFALCE. I am going to suggest we should seriously consider mirror legislation to the EC directive.
Mr. HENDRICKS. It is the right thing to do domestically, and it will take this issue away. And I think if we do that, we will get the high ground and turn around and then say, you guys should be doing better on Freedom of Information Act too. But that is another issue. There is a lot we can do, and we should do it for domestic reasons.
Mr. LAFALCE. What about one aspect of my question that you did not address, the ramifications for the United States if we are not compliant by October 1 with EC directives?
Mr. HENDRICKS. Well, the curtain will not fall in one day. But they will have the legal authority and the moral high ground to say, we cannot allow this batch processing of this financial data to go to the U.S. or this kind of medical records or this public health research to be conducted in the United States because we cannot trust the data.
So it has major implications for losing jobs, data processing jobs, in the industries that we have the leading competitive edge for. And I think it is very short-sighted that the industry has been against a more general approach. Because I had compared it to the way the auto industries back in the sixties did not see fuel efficiency coming and then they end up losing market share to the Japanese and German companies, which I do not think they have totally regained. This is a parallel development.
Mr. LAFALCE. What about the concept of a national commission to study the need for privacy protection in the broadest sense?
Mr. HENDRICKS. Well, privacy commissioner, they do not need to study it anymore; they need to get in there and do stuff.
Mr. LAFALCE. They need to what?
Mr. HENDRICKS. They would need to field complaints from individuals, report to Congress on new developments, study technology, and basically be a center and a clearinghouse. They might not even need regulatory power to start with. But what they would do is coordinate among all these agencies, the FTC, the OCC.
Mr. LAFALCE. I was not thinking so much of an on-line operating commission for enforcement purposes. I was thinking of a commission to make recommendations to the Congress for legislation.
Mr. HENDRICKS. Senator Simon had a bill. That would be one of the roles the commissioner would do. But they can also take complaints from citizens and be following issues, hold public hearings, and they would come up before Congress and testify. And I think legislation is necessary so that commission would be independent and be reporting to Congress, because every Federal agency has its own little conflict of interest when it comes to privacy.
Mr. LAFALCE. Thank you.
Chairman LEACH. Mr. Vento.
Mr. VENTO. Thanks, Mr. Chairman.
Time is brief. But I just want to thank the panel. I think, Mr. Glass, that the FTC testimony was in line with yours. I do not think there was disagreement. I think your suggestion was that the public domain of information is there and we really are only talking about the IRSG, the Individual Reference Services Group. I think he was talking about private information. So we may have been turned around. But I think that does not make any sense in terms of any other conclusion.
Mr. McClain, are you familiar with the Individual Reference Services Group work?
Mr. MCCLAIN. Yes, sir.
Mr. VENTO. And are you a representative, are you accepting those particular principles?
Mr. MCCLAIN. Yes. We use those companies and we consider them to be the reputable companies in the information business. And there are many reputable companies beyond the ones that belong to that group. Then there is a large number of the other kinds.
Mr. VENTO. It is sort of a dilemma here for all of us because it seems like, you know, all of the sort of different privacy issues like a patient, physician or the pharmacy or a lot of other locations where there seems to be covered by other types of laws all of a sudden now are circumvented by virtue of putting this on a computer. Don't you agree that that represents a certain challenge in terms of how we apply the policies?
I mean, in the past they have been very restrictive. I mean, if it is on the telephone, we know that privacy law is there. In fact, if you want to gain any information or listen to a conversation you have to get a court order in terms of obtaining that particular information without the individuals being recorded as to their knowledge.
Mr. MCCLAIN. Yes.
Mr. VENTO. And, so, I think the suggestion here is about what financial institutions need to do. For instance, Mr. Melnikoff, do you think that if somebody wants information about an account, the ABA is suggesting that one of the possibilities is to require they submit their request in writing?
Mr. MELNIKOFF. Yes, sir.
Mr. VENTO. Sounds good on black and white here. But the every day occurrence, I see problems.
Mr. MELNIKOFF. And I concur with you, Congressman.
The consumer today wants immediate information, immediate access to their account information, and at times immediate transactions. Requesting someone to write for this might prove to be extremely difficult.
I think ultimately, if you will, we will probably -- and it is on the horizon, we will go to biometrics and in that respect be able to positively identify the individual requesting the information. To prove that the individual is indeed the legitimate account holder, consumer, or whatever the case may be. But we may need that type of tool I think ultimately to satisfy everyone.
Mr. VENTO. I paid close attention to some of the testimony. Mr. Schrader, did you have a comment?
Mr. SCHRADER. Yes. Whether it is biometrics, whether it is by request in writing, or anything else, we have to remember we are dealing with resourceful criminals and they just look for loopholes. They work at being one step ahead of the banks.
Whatever we invent today, they will be working at it. Whatever we do tomorrow, they will be working at that, too. We just need to get to the heart of the matter, and that is the criminal intent to defraud the banks.
Mr. VENTO. I am not an attorney, but I paid attention to your testimony and putting in there the intent to do all of this and so forth seems to me to put up another hurdle in terms of prosecution. I was going to say persecution -- excuse me. But it does send another hurdle. It is a higher threshold, is it not, in law, intent to fraud as opposed to defraud?
Mr. SCHRADER. The intent to defraud you will show is that there are the elements of fraud. They will have made a representation that is not true and the banks will have relied on it. So it is a fairly simple standard and it is what we have today.
What the bill will do that we support very strongly is simply making absolutely clear and unambiguous that when there is pretext calling going on or pretext writing, or whatever it is, it will be covered and it will be punished.
Mr. VENTO. Well, I think it is fine. I appreciate, Mr. Hendricks, your work throughout the years and your comments about the range of different legislation that has been introduced. In fact, tracing us back for over 20 years in terms of activities I think is very useful. I see this emerging. I do not know if the European model is going to work for us. I think there are some tangible steps we can take now and wait and see how that works.
Obviously, I come down on the side of being very careful about the sharing of this information and trying to give consumers choice and empower them so they have the ability to, I think with education, basically understanding this.
My fear is that so many consumers and others are walking around, it has the equivalent of walking around with hundred dollar bills sticking out of your pocket and not knowing it. That is where we are at now, and we have a long way to go in terms of changing that. Obviously, being somewhat knowledgeable about what the consequence of your actions are is enormously important.
Mr. HENDRICKS. I think what you are talking about is you have to create a culture of privacy. Just like in our security agencies, all the employees know they cannot walk off with classified data. We have to start moving toward that kind of sensitivity with personal data because privacy is to the Information Age what consumer product safety was to the Industrial Age. We are going to see those sort of parallels. We are switching to a new age.
It takes a great deal of flexibility to deal with this issue, and I think one of the ideas I like about a national office, a privacy office, is that every industry is different. What they have down in some countries, including Australia and the Netherlands, is the sector comes forward with a proposed code and they have to thrash it out with the consumer groups and the privacy commissioner and it is all done in public. But at the end of the day, the industry is the one that has come up with this code, they had to negotiate it, but then it becomes an enforceable standard, and I think that might be the way to go for us because we can learn from what other countries have done.
Mr. VENTO. I think I have some self-protection tendencies, but I think most Americans, I think they say, ''I want you to do this for me.'' They really do not have sort of the discipline that they have in some of the European countries or other places. Plus, I think our whole culture is different. As Mr. Melnikoff was pointing out, the whole culture is open. You can come in and get things done. There are not these types of limits, and it perhaps is one of the reasons that we have a successful and economic and social enterprise as we have.
Mr. HENDRICKS. On the other hand, I think there are a lot of privacy concerns about the Internet which are holding it back. And, so, I do not see privacy impeding the Internet. I think failure to address the privacy is holding it back.
Mr. VENTO. I agree with you on that, but I think this could be the great American wastelands if we in fact put in some of these types of limits. I think the private right of action provides a limit, and I know it is not proper for trial lawyers these days, but we have had to have ways to enforce laws.
Mr. MCCLAIN. As investigators, we are not asking for special rules for ourselves so that we can commit deception. But our system is flawed. When you obtain a judgment in this country, it is up to you after the court tells you, OK, you have the judgment, you have got to find those assets somewhere. If there were a legal means to do that, then you would just cut these people out, they would not have anything to sell.
Mr. VENTO. I think we just came full circle, Mr. Chairman.
Mr. MCCLAIN. There is no central repository for this information, and so they go after it illegally. While it is true that most of the work that we do is through public records and conventional investigative sources, you know, this is the root of the problem. If you could get to that, you would do away with the need for the underground black market.
Mr. VENTO. I expect there is some balance there in terms of individual rights and privacy and various other things, other aspects of our culture and values that interfere.
But I appreciate very much your testimony, all of it. And, hopefully, we will be able to take some positive first steps without contradicting the final solution, Mr. Chairman. Thank you.
Chairman LEACH. Well, thank you very much.
Let me just thank the panel. Certainly, our record has been laid today about this issue of financial bounty hunters, the issue about pretexting.
I would like to return to this analogy of this great movie of John Travolta and Nicholas Cage, ''Face Off,'' that people are assuming other people's identity to get what in effect are privacy information and sometimes using that information to become the other person, in the extreme. And this Congress is obligated to do something about it.
We have to bear in mind that there is a huge consumer issue on privacy or individual issue on privacy. There is also a huge consumer individual issue on convenience, and these two are juxtaposed. And, so, to try to be firm on illegal activities and a little bit flexible on the capacity of the American consumer in the new Information Age to obtain his own information or her own information I think is the balance we are going to have to want.
I appreciate all of the testimony presented today. I recognize there are some various perspectives that are somewhat juxtaposed. As we move to a markup, I think we are going to have to put some subtleties into this bill that are not totally there as yet.
Finally, let me just conclude by saying, we are dealing with a law enforcement issue and we are also today at the very severe edge of dealing with a great crime in the Capitol of the United States. So, as we move in a few minutes to the Congress reconvening, I want to thank you for your testimony, for your succinctness, and for your involvement in these areas for a long period of time.
The hearing is adjourned.
[Whereupon, at 2:22 p.m., the hearing was adjourned.]