Page 1       TOP OF DOC

Thursday, April 3, 2003
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Joint with the Subcommittee on
Oversight and Investigations,
Committee on Financial Services,
Washington, D.C.

    The subcommittee met, pursuant to call, at 10:07 a.m., in Room 2128, Rayburn House Office Building, Hon. Sue W. Kelly [chairwoman of the Subcommittee on Oversight and Investigations] presiding.
    Present: Representatives Bachus, Kelly, Shadegg, Fossella, Capito, Tiberi, Feeney, Hensarling, Murphy, Barrett, Renzi, Maloney, Gutierrez, Hooley, Carson, Sherman, Inslee, Moore, Ford, Lucas of Kentucky, McCarthy, and Matheson.
    Chairwoman KELLY. The Committee on Oversight is pleased to be able to have this hearing today.
    Personal information has to be safeguarded throughout our national credit system. Just as consumers shred their unwanted mail and take care with their receipts, financial institutions have to develop and upgrade their information security procedures to protect consumers. Financial records such as credit card numbers are combined with other pieces of personal information, and they are the first targets of identity thieves. Years of work are often necessary for both consumer and business victims to correct damaged credit histories and restore access to credit.
 Page 2       PREV PAGE       TOP OF DOC
    Today two subcommittees will hear from the witnesses on three specific case studies to review current industry practices and to ensure that proper security procedures and protocols are in place or are being implemented.
    Teledata Communications is a company in my home State of New York that enables businesses to access credit bureau information so they can grant credit to consumers. An employee inside the company allegedly stole and sold passwords and codes for accessing credit reports for thousands of people. According to law enforcement, his actions resulted in millions of dollars of financial theft.
    TriWest Healthcare, an important health care provider for our active duty military personnel, honored veterans and their dependents, suffered the physical theft of its computer hardware. The equipment stored personal information about many of our heroes now involved in the war to liberate Iraq, including the Chairman of the Joint Chiefs of Staff, General Richard Myers. Fortunately, quick action by the company and the credit bureaus appears thus far to have prevented misuse of the information.
    Another company, Data Processing International, in Nebraska saw its database of millions of credit card numbers hacked from the outside. It again appears that rapid action this time by the company and the credit card companies have prevented improper use of the numbers to date.
    Through the examination of these cases the subcommittee will review how credit issuers, third party vendors that process transaction, credit bureaus and law enforcement agencies coordinate efforts to limit harm to consumers when data security is breached. Among our witnesses are officials of the law enforcement and regulatory agencies involved with these and other such cases, representatives of the companies involved, one of the most notorious computer hackers in the world, who is now a consultant, I am happy to report, and an expert in privacy.
    I want to thank my distinguished colleague, Representative Spencer Bachus, the chairman of the Subcommittee on Financial Institutions and Consumer Credit, for joining us in holding this important hearing of our subcommittees. I also want to congratulate him for his leadership in the bipartisan passage of H.R. 522, the Federal Deposit Insurance Reform Act of 2003, by the full House yesterday.
 Page 3       PREV PAGE       TOP OF DOC
    With that, I turn to Mr. Gutierrez.

    [The prepared statement of Hon. Sue W. Kelly can be found on page 56 in the appendix.]

    Mr. GUTIERREZ. Good morning, Chairs Kelly and Bachus, and members of the committee. Today more than ever identity theft takes myriad forms. Modern thieves are using massive digitized databases to access and steal consumers' personal information. As too many people are learning the hard way, identity thieves steal Social Security, bank account, and credit card numbers and use them to commit fraud, very often destroying the credit rating and financial future of their victims. Every year thousands of these victims are left financially ruined, often with severe credit problems and even false criminal records that they must spend years working to erase. Even in minor cases victims spend endless hours.
    So we are gathered here today to discuss ways to help consumers by increasing the security of data that contains our personal information and to understand some of the possible loopholes that have enabled these cases to occur in the first place, to hear about data security efforts undertaken by the companies that hold our private information, and look for ways to help consumers have quick and better access to their personal records when identity theft incidents occur. One of the most fundamental problems is consumers are often left out of the loop after their information has been stolen and this is unacceptable.
    In one of the cases that will be discussed today a former employee of Teledata is being charged with the biggest identity theft fraud in U.S. history. One of the most outrageous aspects of this specific case is that in March of 2000 the alleged perpetrator quit his job, but that didn't even slow down his scheme. He only worked there for 10 months but the scam continued for 3 years. The company security codes he allegedly stolen still worked and were accessible right up to the moment of his arrest. In the meantime 30,000 people had their identities stolen and financial losses reached more than $2.7 million.
 Page 4       PREV PAGE       TOP OF DOC
    How could personal data be so easily accessible? What kinds of safeguards do companies have in place to deter these practices? I hope that this hearing will serve as an opportunity to answer these questions and others. I thank you for holding the hearing, and I look forward to the testimony, and I ask unanimous consent that my complete opening statement be submitted for the records.
    Chairwoman KELLY. Thank you very much, Mr. Gutierrez. Mr. Bachus.
    Mr. BACHUS. Thank you, Chairman Kelly, for telling me my mike wasn't on, that is very important, and also for convening this joint hearing of our two subcommittees to review issues relating to the security of personal information. This is an issue of critical importance to the financial service industry and I believe this hearing is a timely one, and it is actually one of a series of hearings that Chairwoman Kelly has been holding over the past year or two on this issue.
    This hearing, which is titled ''Fighting Fraud: Improving Information Security,'' is one of many hearings that will be held by the Subcommittee on Financial Institutions and Consumer Credit regarding the security of personal information. I expect that at some point our efforts will culminate in comprehensive legislation addressing the broad issue of how secure consumers feel with respect to their personal information.
    Today's hearing will focus on three cases where sensitive personal information was compromised through hacking or physical theft of computer databases. Each case that we will hear about today is illustrative of a different type of security breach: An outside computer hacker, employee misconduct, and a garden variety burglary. Using these cases, we will review how credit issuers, third party vendors that process transactions, credit bureaus, and law enforcement coordinate efforts to limit harm to consumers when data security is breached.
    Fighting fraud and protecting the security of personal information is a topic that unites financial institutions and consumers. Each group is harmed by the fraudulent use of personal information. Financial institutions are the victims of fraud because the financial institution is usually liable for any losses suffered as a result of that fraud. Consumers obviously suffer unnecessary inconvenience and insecurity as a result of fraud and they can be exposed to additional crimes such as identify theft. Furthermore, at least a portion of financial institutions' fraud losses can be expected to be passed on to consumers in the form of higher prices. There can be no doubt that when fraud is committed everyone loses.
 Page 5       PREV PAGE       TOP OF DOC
    For obvious reasons financial institutions take precautions to prevent fraud, including precautions to protect the security of personal information. In addition to the self-interest financial institutions have in minimizing their fraud losses, Congress has required financial institutions to maintain appropriate standards relating to information security, including standards to protect against unauthorized access to a financial institution's customer records as part of the Gramm-Leach-Bliley Act. The requirements as adopted by the Federal banking agencies also require financial institutions to oversee their relationship with third party service providers, including having the service providers agree by contract to implement a comparable information security program. It is my understanding that the Federal banking agencies have been examining financial institutions with respect to their compliance with these requirements.
    However, I remain interested in learning more about the role service providers play with respect to information practices and the ability to maintain appropriate information security programs. It is my understanding that the Bank Service Company Act gives the bank regulators broad authority to examine third party providers. Two of the cases today illustrate that greater oversight of these entities may be necessary.
    As part of Gramm-Leach-Bliley, Congress also enacted stiff prohibitions against a practice known as pretext calling, which is a fraudulent means of obtaining an individual's personal information. Pretext callers contact a financial institution's employees and attempt to obtain customer information usually while posing as a customer whose information they are trying to collect. This is a serious issue and one that both Subcommittees—actually the Oversight Committee has held several hearings previously. I am interested in learning more about efforts to enforce this prohibition and the Federal Trade Commission's advice on the amount of resources devoted to fighting this fraudulent practice.
    We will also hear this morning from Federal law enforcement agencies about their approach to countering those who would compromise the security of personal information. It has always been my experience that law enforcement and the financial services industry works well together with respect to pursuing those who attempt to commit crimes against consumers and financial institutions. I look forward to hearing about law enforcement's perspective on this important topic, especially with respect to representatives from the FBI, Secret Service and FTC.
 Page 6       PREV PAGE       TOP OF DOC
    In short, financial institutions, Congress, the banking agencies, and law enforcement have been working to address information security and fraud prevention issues. Regardless of the great pains taken by all these parties to protect the security of personal information, the chance remains that a breach may occur. Therefore, Congress must remain vigilant to ensure that existing regulations are implemented appropriately and examine whether new safeguards are necessary. Furthermore, it is just as important for financial institutions to have mitigation plans in place in the event that their information security program is hacked or otherwise compromised.
    In conclusion, let me say I am pleased that we will hear from several witnesses today who will describe how various parties took action to address recent breaches and prevent subsequent fraud. Before we proceed I believe it is important to mention to the entire panel that although this hearing is a public forum, we should avoid discussing specific details which may give criminals ideas or even a road map for doing further harm.
    Let me close by thanking Chairman Oxley for recognizing the importance of improving the security of personal information and scheduling this hearing. We must continue to work to improve security and protect sensitive data to ensure the consumers continue to have confidence in our nationwide credit system as well as our financial services system in general. I look forward to working with the chairman, Mrs. Kelly, and other colleagues as we continue to examine this complicated issue.

    [The prepared statement of Hon. Spencer Bachus can be found on page 54 in the appendix.]

    Chairwoman KELLY. Thank you. Mrs. McCarthy, do you have an opening statement?
 Page 7       PREV PAGE       TOP OF DOC
    Mrs. MCCARTHY. Thank you. I will wait for the testimony.
    Chairwoman KELLY. Mr. Moore.
    Mr. MOORE. Thank you, Madam chair and Congressman Bachus. I appreciate both of you convening this hearing. I appreciate the witnesses being present. I want to reiterate, I won't say it all, what Congressman Bachus and Congresswoman Kelly said before, and that is this is a very important area. As a district attorney for 12 years I worked closely with people in fraud cases and a lot of the things—this was back in the 1970s and 1980s, so a lot of the things we are talking about here today weren't relevant then, weren't even around then. As the Internet has expanded and accessibility of the Internet is used not only by individuals but by financial institutions and other organizations and private and important individual data is contained in databases, I think it is very, very important that we protect that information. I think individuals who have private important information stored in those databases have a right to expect that companies and institutions will take adequate measures to protect that information. Obviously, theft of that information, identity theft and theft of financial information about an individual can cause great harm to a person and to their family, and it ends up costing all the consumers I think a lot of extra money.
    So I am interested to hear what the witnesses have to say and very much appreciate you being here.
    Thank you.
    Chairwoman KELLY. Thank you very much.
    Mr. Shadegg.
    Mr. SHADEGG. Thank you, Chairwoman Kelly. I want to begin by thanking you and Chairman Bachus for holding this important hearing on information security. I also want to begin by thanking one of my constituents, David McIntyre, president and CEO of TriWest Healthcare Alliance, for agreeing to be here and testify today.
 Page 8       PREV PAGE       TOP OF DOC
    My personal interest in identity theft and information security began about 5 years ago when two of my constituents, Bob and Joanne Hartle of Phoenix, Arizona were victims of identity theft. My constituents, following their victimization, were instrumental in securing the passage of the first State law in the Nation criminalizing identity theft. Mr. and Mrs. Hartle suffered the devastation of identity theft when a convicted felon took Mr. Hartle's identity and made purchases totaling over $100,000. In addition, this individual purchased handguns using Mr. Hartle's clean record to get around the Brady law. Finally and shockingly in this day of terrorism, this individual also used Mr. Hartle's clean record and military record to obtain security clearance to secure areas of Phoenix Sky Harbor International Airport. As a result of this victimization at a time when there were no State laws and no Federal laws penalizing identity theft, Mr. and Mrs. Hartle were forced to spend more than 4 years of their life and more than $15,000 of their own money seeking to restore their credit.
    Their case led me to introduce legislation to criminalize identity theft at the Federal level. The Identity Theft and Assumption Deterrence Act of 1998 was signed into law by President Clinton on October 30th, 1998. It gives for the first time Federal law enforcement agencies, including those who are represented before us here today, the authority to investigate and prosecute identity theft.
    But following the passage of that law, I found there was more that needed to be done. We began to notice that the Federal agencies with this new authority were unfamiliar with it and did not have a habit of coordinating with local law enforcement on these issues. So we began a series of meetings that lasted over a year in Phoenix, Arizona between Federal law enforcement agencies, including the FBI and others here today and State and local law enforcement agencies, to try to resolve the tough issues of who should act and what they should do in the interplay between Federal and State laws and in the interplay of these crimes where someone is victimized in one place but lives many States away, thousands of miles away.
 Page 9       PREV PAGE       TOP OF DOC
    Mr. and Mrs. Hartle also turned their unfortunate circumstance into something very positive. They established a nonprofit organization to assist other victims of identity theft. Their Web site, www.idfraud.net, is available to provide guidance to any identity theft victims across the Nation, and they have devoted themselves to this task.
    Identity theft ranges from individual instances like the Hartles involving small or large amounts to large organized professional crime rings. In fact TriWest Healthcare Alliance may well have been the victim of a professional identity theft operation. Like the Hartles, Mr. McIntyre, my constituent, and his company took an unfortunate circumstance, a burglary of their computer in which data was stolen, and turned into a positive model for other companies to follow.
    Following the break-in of their Phoenix office and the theft of computer hard drives containing their clients' sensitive personally identifiable information, Mr. McIntyre and TriWest Healthcare Alliance embarked upon an aggressive effort to notify all 562,000 affected customers of the theft. The stolen data included personally identifiable information such as Social Security numbers, birth dates and addresses for military personnel, one quarter of whom were on active duty at the time, retirees and family members, all whom are served by TriWest under a contract with the Department of Defense.
    TriWest immediately reported the theft to the police, notified the Department of Defense officials and launched a 30-hour data run to determine what files were stolen. In addition, the company established a dedicated e-mail address and set up toll free telephone lines with a three-tier response network so that customers would not experience long delays in trying to find out information about the theft and about how it might affect them. TriWest mailed letters notifying victims of theft and provided guidance on steps they could take to protect their credit. TriWest also posted a $100,000 reward for leading to the conviction of those responsible for the theft.
 Page 10       PREV PAGE       TOP OF DOC
    In all, TriWest undertook great efforts to notify victims of the theft at great financial expense to the company. But due to their extraordinary efforts to date no information from the stolen computer files has yet led to a single instance of identity theft.
    The nature of identity theft has changed and the threat is more likely than ever to come from breaches of data security, which is why I think this hearing is most appropriate. According to an identity fraud manager at the Federal Trade Commission, there is a shift by identity thieves from going after single individuals to going after mass information. Law enforcement experts now estimate that half of all cases come from thefts of business data banks as more and more information is stored in databases which are vulnerable to attack from hackers.
    The Identity Theft and Assumption Deterrence Act of 1998 was an important first step in the road to crack down on identity theft crimes. However, more legislation is needed to protect people from these thieves and from easily obtaining Social Security and credit card numbers, to provide better coordination between victims and credit reporting bureaus, to establish procedures for businesses to follow in the event of a data security breach like we will discuss today, and provide stiffer penalties for those who steal and use other persons' ID.
    I look forward to the testimony of the witnesses and help to identify areas in which a legislative response may be needed. I yield back.

    [The prepared statement of Hon. John B. Shadegg can be found on page 65 in the appendix.]

    Chairwoman KELLY. Ms. Hooley.
    Ms. HOOLEY. Thank you, Madam Chairwoman and Mr. Chairman. I appreciate the Chairs and ranking members of both subcommittees in putting together today's hearing and look forward to hearing more about our Nation's data protection. This is an important hearing and hopefully it will be the first of many hearings on the issue of identity theft. It is the fastest growing crime in the United States. I know through these and other hearings we will not only learn about the challenges in fighting identity theft, but also hear unique and effective suggestions on how we in Congress can better protect our consumers and financial institutions from this crime.
 Page 11       PREV PAGE       TOP OF DOC
    I know I can speak for everyone on the Financial Services Subcommittee when I say we are hear to listen with open minds and to put whatever work is necessary into solving this problem. This truly is a bipartisan issue, and in that regard I would like to thank Mr. LaTourette from Ohio for working so closely with me on legislation on identity theft that is nearly ready for induction. I would also like to thank Mr. Frank and all the members of the Democratic Task Force on Identity Theft for pledging to work together on this issue.
    In order to protect both consumers and industry, we all certainly have our work cut out for us. But if the cooperation and dedication of people like Mr. LaTourette and Mr. Frank and the members of both subcommittees are any indication, we on the Financial Services Committee are up to the challenge.
    Thank you again, and I look forward to today's proceedings and look forward to hearing from the panelists. Thank you.
    Chairwoman KELLY. Mr. Hensarling. Mrs. Maloney just left. Mr. Matheson. Mr. Barrett. Mr. Ford left. Mr. Lucas. Mr. Tiberi. Mr. Feeney.
    I will introduce our first panel: Mr. Tim Caddigan, the Special Agent in Charge of the Financial Crimes Division of the United States Secret Service, accompanied by Robert Weaver, Deputy Special Agent in Charge of the New York Field Office; James Farnan, Deputy Assistant Director of the Cyber Division in the FBI; and Mr. J. Howard Beales, III, Director of the Bureau of Consumer Protection in the Federal Trade Commission.
    We look forward to having you here today, and we look forward to your testimony. We will begin with you, Mr. Caddigan.

 Page 12       PREV PAGE       TOP OF DOC

    Mr. CADDIGAN. Thank you. Chairman Bachus, Chairwoman Kelly, Congressman Sanders, Congressman Gutierrez and members of both subcommittees, thank you for inviting me to be part of this distinguished panel and the opportunity to address the committee regarding the Secret Service efforts to protect our Nation's financial and critical infrastructures. Let me also take the opportunity to thank Chairman Oxley, Congressman Frank and all the members of the full committee for their long-standing support of the Secret Service and the interest this committee has conveyed in our mission, our programs and our employees.
    With me today is Mr. Bob Weaver, Deputy Special Agent in Charge of the Secret Service's New York Field Office and head of the New York Electronic Crimes Task Force. I am also pleased to be here with my colleagues and partners in fighting identity crimes and related computer crimes from the Federal Trade Commission and the FBI.
    In my full statement for the record I provided an overview of the Secret Service's investigative mission and our historic responsibility for safeguarding our currency and financial infrastructure. The Secret Service has statutory jurisdiction to investigate a wide range of technology based crime, including credit and debit card fraud, identity theft, false identification fraud, counterfeit currency and checks, financial institution fraud and telecommunications fraud. These investigations are pursued through our 134 domestic offices with additional support from our 20 foreign offices.
    There is no shortage of information, testimony or anecdotal evidence, regarding the nature and variety of cyber based threats to our banking and financial sectors and the need to create effective solutions. There is, however, a scarcity of information regarding successful models to combat such crime in today's high tech environment. One such successful model is the New York Electronic Crime Task Force and the valuable formula this task force has developed and applied to the prevention and detection of computer based crimes.
 Page 13       PREV PAGE       TOP OF DOC
    Our New York task force has brought together 50 different Federal, State and local law enforcement agencies as well as prosecutors, academic leaders and over 100 different private sector corporations. The task force investigates substantial electronic criminal activity involving e-commerce frauds, identity crimes, telecommunications fraud, and a variety of computer intrusion crimes which affect a number of infrastructures.
    Since 1995, the New York task force has charged over 1,000 individuals with electronic crimes and the loss to Social Security exceeding $1 billion. It has trained over 60,000 law enforcement personnel, prosecutors and private industry representatives in the criminal abuses of technology and how to prevent them. The task force has identified tools and methodologies that can be employed by our partners to eliminate potential threats to their information systems.
    We consider the New York task force to be the 21st century law enforcement model that modernizes criminal justice and incorporates partnership and information sharing within its core competencies. Accordingly, Congress authorized the Secret Service in the U.S.A. PATRIOT Act of 2001 to expand our task force initiative to cities and regions across the country. We have since established electronic crimes task forces in Los Angeles, San Francisco, Chicago, Boston, Charlotte, Miami, Las Vegas and Washington, D.C..
    Our task force model stresses prevention through partnership. We focus on the mitigation of damage and the quick repair of any damage or destruction to get the system operational as soon as possible after an intrusion occurs.
    Let me mention one critical point about our partnerships with other law enforcement agencies, academia and private sector. Partnerships cannot be legislated, regulated nor stipulated. Partnerships are voluntarily built between people and organizations that raise the value in joint collaboration towards a common end. They are fragile entities which need to be established and maintained by all participants and built on a foundation of trust. I cannot overstate the significance of these trusted partnerships to the success of our task force model.
 Page 14       PREV PAGE       TOP OF DOC
    Let me share with you some insights regarding a recent ongoing case which our Omaha office is investigating in conjunction with our Chicago, New York, and San Francisco task forces. The case which came to our attention early February through our contacts in the credit card industry involves an unlawful intrusion into the computer system of a third party credit card processor, the companies responsible for processing credit card transactions of companies such as Visa, Master Card, American Express and Discovery. We believe that multiple machines combined to attack this processor's computer system and unlawfully seized millions of credit card numbers along with expiration dates from the company's filings. Our investigation with the FBI determined that these multiple servers were located both within and outside the United States. The Secret Service is completing electronic forensic examinations and is working with foreign authorities in gathering further evidence concerning this attack.
    I want to conclude my statement by again thanking the members of both subcommittees and the full committee for their strong support of the Secret Service and our investigative mission.

    [The prepared statement of Tim Caddigan can be found on page 92 in the appendix.]

    Chairwoman KELLY. Thank you very much, Mr. Caddigan. Mr. Farnan.


    Mr. FARNAN. Good morning. I would like to thank the Chairs of both subcommittees as well as the other members for their opportunity to testify today. Holding this hearing demonstrates your commitment to improving the security of our Nation's information systems and this committee's leadership on this issue.
 Page 15       PREV PAGE       TOP OF DOC
    My testimony today will address the activities of the FBI's Cyber Division as they relate to a broad spectrum of cyber criminal acts.
    Last week a headline in the Atlanta Journal Constitution announced Hackers Strike Georgia Tech Computer, Gain Credit Card Data. The article goes on to discuss the information on 57,000 people that was available to the hackers, including about 38,000 credit card numbers. The university had moved the database from one system to another but it failed to put up a fire wall to protect the data.
    Incidents like this happen every week, even to organizations at technology's leading edge like Georgia Tech. American consumers and businesses are increasingly relying on the Internet. E-commerce is growing in all sectors of the U.S. economy. Although most e-commerce transactions are business to business, e-commerce retail sales in the United States reached $46 billion last year, up from $36 billion in 2001.
    When Internet users, be they businesses or consumers, are impacted by Internet crime, the viability of e-commerce is compromised. When a cyber crime is committed, the FBI is in a unique position to respond because it is the only Federal agency that has the statutory authority, expertise and ability to combine the counterterrorism, counterintelligence and criminal resources needed to effectively neutralize, mitigate and destruct illegal computer supported operations.
    The FBI's reorganization of the last 2 years included the goal of making our cyber investigative resources more effective. In 2002 the reorganization resulted in the creation of the Cyber Division where we have taken a two-tracked approach to the problem. One avenue is identified as traditional criminal activity that has migrated to the Internet, such as Internet fraud, online identity theft, Internet child pornography, theft of trade secrets and other similar crimes.
    The other nontraditional approach consists of Internet facilitated activity that did not exist prior to the establishment of computers, networks and the World Wide Web. This encompasses cyber terrorism, terrorist threats, foreign intelligence operations, and criminal activity precipitated by illegal computer intrusions into U.S. computer networks, including the disruption of computer supported operations and the theft of sensitive data by way of the Internet.
 Page 16       PREV PAGE       TOP OF DOC
    The FBI assesses the cyber threat to be rapidly expanding as the number of actors with the ability to utilize computers for illegal harmful and positively devastating purposes is on the rise. A typical case will come to the FBI through the Internet Fraud Complaint Center, which later this year will be renamed as the Internet Crime Complaint Center to more accurately reflect its mission. In its fourth year of operation the Center has proven to be a very successful clearinghouse, receiving over 75,000 complaints last year on crimes ranging from identity theft and computer intrusions to child pornography.
    If the Center, for example, received an intrusion report from a company in, say, Birmingham, Alabama, we would first attempt to locate where the intrusion took place. That same company may have its servers in Minneapolis while the intruder is routing through California and Europe. If the servers in Minneapolis were hacked, the Minneapolis Cyber Crime Task Force would be assigned to lead the case. The leads in California could end up in Eastern Europe, Nigeria or even back in Birmingham if an insider were involved. One of the FBI's response teams would be called upon to preserve evidence and that evidence would be forwarded to one of our new regional computer forensic laboratories now located in Chicago, Dallas, and San Diego. Simultaneously other FBI computer experts would determine the extent and duration of the intrusion and whether the attacker came from inside or outside the company. Depending on the sophistication of the intruder, the case may be solved in a few days or it may take years.
    Cases are routinely complex and often involve international connections. Cyber crime continues to grow at an alarming rate and security vulnerabilities contribute to the problem. We will soon begin staffing a public-private alliance unit within the FBI which will work with administrators and security professionals to reduce opportunities for criminals by employing best practices and patching vulnerabilities before they can be exploited. Through that unit's efforts combined with the efforts of those in this committee problems like the hacking experience by Georgia Tech will happen much less frequently. The FBI will continue to pursue cyber criminals as we try to stay one step ahead of them in the cyber crime technology race.
 Page 17       PREV PAGE       TOP OF DOC
    I thank you for your invitation to speak today. I on behalf of the FBI look forward to working with you on this very important topic.

    [The prepared statement of James E. Farnan can be found on page 98 in the appendix.]

    Chairwoman KELLY. Mr. Beales.


    Mr. BEALES. Thank you, Chairman Kelly and members of the committee. I am Howard Beales, Director of the Federal Trade Commission's Bureau of Consumer Protection. I am pleased to present the views of the Commission this morning.
    The Federal Trade Commission works to prevent and protect information security on a number of fronts. We take law enforcement actions, we provide victim assistance when security breaches result in identity theft. We educate both consumers and business and we hold public workshops to examine emerging issues.
    In our traditional role as a law enforcement agency the FTC has brought civil actions to enforce privacy promises, including cases where companies failed to take adequate security precautions with consumers' personal information. When an information breach is reported, the FTC staff activates our protocol for triaging the breach. We evaluate the incident on a number of levels, including the extent of the breach and the type of information that was exposed. We also analyze any jurisdictional issues. We do not have jurisdiction over banks and common carriers, for example. In addition, we determine whether there is an ongoing criminal investigation, given that the breach may involve an underlying theft of information. We coordinate any FTC investigation with criminal authorities because we don't want to get in the way of an ongoing criminal investigation.
 Page 18       PREV PAGE       TOP OF DOC
    When the Commission determines that law enforcement action is appropriate we have two valuable tools to work with. First, section 5 of the FTC Act, which prohibits unfair deceptive acts or practices such as misleading promises about information security; second, starting in May of this year, the Commission will enforce the Gramm-Leach-Bliley Act safeguards rule for the financial institutions within our jurisdiction.
    Last August the Commission announced a settlement with Microsoft regarding misleading claims about the information collected from consumers through its passport services. The Commission's complaint alleged that Microsoft misrepresented the privacy afforded by these services, including the extent to which Microsoft kept the information secure.
    Microsoft is an important case because it involved alleged misstatements about the security provided for millions of consumers' sensitive information. In addition, it held Microsoft to its security promises even in the absence of a known breach of the system. Thus, the Commission found even the potential for injury actionable when sensitive information and security promises were involved and when the potential for injury was significant.
    The Microsoft case was followed by the Commission's case against Eli Lilly. The Lilly case involved alleged misrepresentation regarding the security provided for important information. Like Microsoft, Lilly made claims that it had security measures in place to protect the information collected from consumers on its Web site. As in Microsoft, the Commission charged Lilly with failing to have reasonable measures in place to protect the information. The order in the Lilly case prohibits the misrepresentations and as in Microsoft it requires Lilly to implement a comprehensive information security program.
    It is important to note that the Commission is not simply saying gotcha for security breaches. Although a breach may indicate a problem with a company's security, breaches can happen even when a company takes all reasonable precautions. In such instances the breach does not violate the laws that the FTC enforces. Instead, the Commission recognizes that security is an ongoing process using reasonable and appropriate measures in light of the circumstances. That is the approach the mission took in these cases and in its Gramm-Leach-Bliley Act safeguards rule, and it is the approach we will continue to take.
 Page 19       PREV PAGE       TOP OF DOC
    As I mentioned earlier, in May the Commission's Gramm-Leach-Bliley Act safeguards rule takes effect. The rule requires financial institutions under our jurisdiction to develop and implement appropriate physical and procedural safeguards to protect customer information. The rule takes a flexible approach, requiring greater security measures for the most sensitive consumer information. It requires companies to assess the risks they face, take reasonable and appropriate steps to reduce those risks. Companies must also monitor their security performance and adjust their programs as the risks they face change over time.
    The FTC also plays a role in improving information security and in reducing risks to personal information by fostering dialogue and educating the public on security issues. For example, the Commission held a workshop last May to examine the security of consumer information, both as maintained by consumers on their own computers and by businesses on their systems. In May and June of this year the Commission will host workshops that focus on the role of technology again for both consumers and businesses.
    The cases of TriWest and Teledata communications Inc., in which massive numbers of individuals' personal information was taken are good examples of where the Commission carried out its traditional education and assistance role. The staff provided advice to those companies on how to notify the affected individuals and what steps those consumers should take to protect themselves.
    From these experiences and others the FTC has developed a response kit for businesses which have suffered information security breaches. The kit tells businesses what steps to take to respond to a breach and includes a form letter for notifying the individuals whose information has been taken. These kinds of information security breaches place substantial costs on individuals and businesses. The Commission is committed to reducing these breaches as much as possible through its civil law enforcement authority and its education and assistance programs.
    Thank you for holding this hearing, and I look forward to your questions.
 Page 20       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Thank you, Mr. Beales. I also want to note that we invited Dr. William Winkenwerder, the Assistant Secretary of Defense for Health Affairs at the Defense Department to discuss the DOD's role in mitigating the impacts of a theft at TriWest. Unfortunately, he had already accepted an invitation to testify about this before the Senate Finance Committee right now and his deputy is on travel.
    Dr. Winkenwerder submitted a statement for the record and with the members' unanimous consent I want to enter it into the record at this time.

    [The prepared statement of William Winkenwerder can be found on page 145 in the appendix.]

    Chairwoman KELLY. We thank all of you and I would like to begin with you, Mr. Caddigan, asking you a couple of questions. We commend the entire Secret Service and especially the agents in the New York Field Office for your truly dedicated and outstanding service to this country. We in New York are understandably very proud of the tenacity of the New York Field Office as it recovered from the destruction of its offices at 7 World Trade Center.
    I would like to ask if your task force and the stronger emphasis on information security since 9/11 has led to law enforcement successes?
    Mr. CADDIGAN. Madam Chairwoman, I think it is safe to say yes, the proactive approach that the task force model in New York takes with regard to partnering with businesses, it gets on the front end of an issue. We help establish self-assessment vulnerabilities in a particular entity. We can help mitigate those on the front end. We can help develop a response plan for that business should they be victimized. So do those actions prevent activity or help mitigate that in the long run? Yes, ma'am, I would say that it does.
 Page 21       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. That is very good to hear.
    Mr. Farnan, your testimony discusses two cases in which the hacker was arrested overseas. How often are hacking cases originated from an overseas point? Do you want to answer that?
    Mr. FARNAN. Much more frequently than we might care to think about. What we have learned and the model we come from in law enforcement is to typically think along State jurisdiction lines and the FBI, of course we think when violations may cross State jurisdictional lines. With the advent of the Internet and the World Wide Web, we have to completely reevaluate those jurisdictional lines. We now have to think of the entire planet as a ground or platform from which perpetrators can act, and so we do see a lot of activity from persons based in overseas countries or outside the United States.
    Chairwoman KELLY. Mr. Caddigan, do you want to address that?
    Mr. CADDIGAN. I think crime has become global in nature, especially with the onset of the Internet and computer. What can take place in a criminal activity in California can almost instantaneously have the victim be victimized in Asia, for example. So we do look at things as a borderless society with regard to fighting crime. We do partner not only domestically with business and law enforcement, but I think it is also as critical to partner in the foreign arena with foreign businesses, foreign law enforcement and governments.
    Chairwoman KELLY. Mr. Farnan, is the FBI concerned that large scale hacks or the denial of service attacks might be an instrument of international terrorism?
    Mr. FARNAN. We are definitely concerned about that. In the Cyber Division what we have done is aligned our priorities along with those of the FBI. So counterterrorism is our number one priority and our number one focus followed by counterintelligence matters and then criminal matters in terms of our third priority. So we are definitely concerned about that. And we have seen, for example, terrorists who are interested in communicating by way of the Internet, like in many cases we all are. So we pay special attention to that arena.
 Page 22       PREV PAGE       TOP OF DOC
    There are two other sort of elements that help us focus on that. One is that in the international arena especially. We have our legal attache program that is located in about 46 countries, I believe it is, and we are going to start in the Cyber Division an Internet, or we have started an international investigative support unit to work with our legal attaches to make sure that we are addressing that very issue.
    Chairwoman KELLY. Good. Thank you, Mr. Farnan.
    Mr. Beales, can you give me more details? You mentioned that you have taken some specific measures with the FTC to—what measures, specifically, did you take with respect to the three cases to help the victims?
    Mr. BEALES. Well, what we did was to discuss with the companies the kind of a letter they might send and make discussions about the letter. We have a booklet that is consumer information about identity theft that is called Identity Theft: When Bad Things Happen to Your Good Name. And we make that booklet available and encourage companies to provide that booklet to consumers in need of information about what they should do next.
    Chairwoman KELLY. Thank you. I am about out of time.
    Mr. Farnan and Mr. Caddigan, I want to be sure, we want to be sure, we need to be sure that there is no unnecessary overlap or redundancy between the two of your agencies. I wonder if you would be willing to clarify your authority over cyber intrusions.
    Mr. FARNAN. Again we have our—well, the fact that Mr. Caddigan and I are sitting next to each other and Dennis Holly, who is sitting next to me is an agent actually assigned to FBI Headquarters, resources permitting, I want to assign an FBI agent to Secret Service Headquarters, I think we are working in an extremely cooperative and complementary fashion. There is enough crime, as I think you can sort of define from the testimony today, to go around. There is plenty of work to do. And with that, I think that our efforts complement each other. We have specific mechanisms in place to make sure that happens, including the sharing of personnel back and forth.
 Page 23       PREV PAGE       TOP OF DOC
    When it comes to intrusions, the one unique thing that we may bring is the fact that if it is a State-sponsored or foreign government who is trying to break into or hack into a system in the U.S., it is one kind of unique area that the FBI may bring to that. What we have done successfully is work on a case-by-case basis at the field level all the way through the headquarters level to make sure we are not duplicating and complementing efforts.
    Chairwoman KELLY. Mr. Caddigan, are you satisfied with that answer?
    Mr. CADDIGAN. I would concur completely. We recognize that any single entity can't handle this problem alone. By working together, combining our resources, combining our approach methodologies, we do provide a better product to the public we serve.
    Chairwoman KELLY. So you feel that there is not a problem with overlap there?
    Mr. CADDIGAN. I think, as Mr. Farnan mentioned, we detailed an Assistant Section Chief to the Cyber Division in headquarters, so conflict is not an issue. We do coordinate at the local level with our task forces. The Bureau has representation and membership in each of our electronic crimes initiatives throughout the country and, conversely, in smaller environments where we are not present we have membership in their initiatives.
    So I would suggest to the panel that the cooperation does exist at the highest level and although there maybe some appearance of overlap it does mesh well together.
    Chairwoman KELLY. Thank you. I am out of time. Mr. Gutierrez.
    Mr. GUTIERREZ. Thank you very much. First of all, I want to thank Mr. Weaver and Mr. Caddigan and Mr. Farnan and all of those that work with you at the FBI and Secret Service for the work that you do.
    I would like to ask Mr. Beales, I guess my concern is what are the responsibilities of financial institutions that suffer from intrusions to their client base in terms of information from them? Is there a 48-hour, 72-hour window, a week, 30 days? Is there something that says you must do this by the FBI's call, the Secret Service knows, they are investigating how long does it take and is there anything that says they have to do it in a specific amount of time?
 Page 24       PREV PAGE       TOP OF DOC
    Mr. BEALES. There is no specific requirement either to give notice or to give notice within a certain period of time. Notice is clearly appropriate in many circumstances and is clearly the best practice and was what we have generally seen in most cases that involve breaches. There are some cases though where notice may not be as useful. And I think in the case of the credit card hack that got the information about credit cards, providing that information to the financial institution so they could block fraudulent activity on those cards is a more effective way to address the problem and considerably reduces the need for notice to consumers.
    Mr. GUTIERREZ. So I guess then what you are saying is we have to rely on the credit card companies and the service that is provided to protect the consumer but we are not—we don't necessarily inform the consumer so that he can help protect himself and you think there might be just best practices where the consumer is left totally out of the picture and unaware? It seems to me the credit and the reputation belongs to the consumer and that credit and reputation is I trust—I entrust it to the financial institution, to my credit card company, my mortgage company and that they have a responsibility to me to alert me. I mean, if my bank didn't call me because somebody ripped off my money from my checking or bank account immediately, I think I would get pretty angry about it. I guess my question is don't you think there should be some best practices established so that consumers can help themselves?
    A booklet is nice and I am very happy that you issue that booklet, but at what point do we trust the consumer to engage and to cooperate with the Secret Service, with the FBI, with the District Attorney's office or whatever it is that is prosecuting the case. What do you think?
    Mr. BEALES. I completely agree with you that consumers need to find out in most of these cases. And we have—in the particular cases that are at issue here we have strongly encouraged the companies to provide information to consumers and try to make it easier for them to do that. I think there is no question that is the best practice in most cases.
 Page 25       PREV PAGE       TOP OF DOC
    Mr. GUTIERREZ. So the best practice is trust the companies to figure out when they should inform the consumer that their credit has been somehow hurt or compromised and that somebody has access to their information; we should just trust the companies to do this?
    Mr. BEALES. We don't have regulatory authority.
    Mr. GUTIERREZ. Who does?
    Mr. BEALES. I am not sure that there is any agency that has authority to.
    Mr. GUTIERREZ. So there is no authority that you understand that anyone has?
    Mr. BEALES. There is authority and there are regulations both by us and the bank regulatory agencies that govern the front end, that require financial institutions to have in place measures to prevent breaches of information security and to take appropriate steps in order to keep that from happening in the first place.
    Mr. GUTIERREZ. I understand that. And I guess then that maybe we should look at how it is ultimately the House of Representatives or legislatively we deal with the issue given that it is your testimony that there is no best practice other than let the companies figure out how it is they should deal with the consumers, but there is no 72 hours, 48 hours. So we probably may need some best practices established to protect the consumer because in the end that is who we have to protect and that is who is most hurt in this situation.
    Again, I want to thank the members of the Secret Service and the FBI for their work because I know they have a lot of work, especially after September 11th. I want to thank them for all the hard work that they do. I want to thank folks at the Federal Trade Commission, too. You do a great job there, too.
    I wanted to see if we could figure out what we might need to do, this committee and other committees. Thank you all so much for your testimony this morning.
 Page 26       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Thank you, Mr. Gutierrez.
    Mr. Bachus.
    Mr. BACHUS. Thank you. Mr. Beales, will the FTC be taking a closer look at banks' third party providers with respect to the service providers information security programs?
    Mr. BEALES. It is something that we are very interested in, in looking at security cases and information security cases in general. It is an area where the bank regulators also under their safeguards rules also have authority and it is a place where we would want to coordinate with the bank regulatory agency as to who was in the best position to address any particular case.
    Mr. BACHUS. Are you already doing that? Are you already looking at these?
    Mr. BEALES. We talk to the bank regulatory agencies on a very regular basis about a host of issues, including this.
    Mr. BACHUS. How about the bank's third party providers? Are you all in contact with them or are you reviewing their information security programs?
    Mr. BEALES. Well, we have—under the FTC rules we can't talk about particular investigations. They are not public.
    Mr. BACHUS. I don't want specifics, but is it a part of your general procedure? Do you——
    Mr. BEALES. Well, in our general procedures we are sort of looking for cases everywhere. They may come from reports in the media and they may come from complaints. They may come from referrals from other law enforcement agencies, and if they are in our jurisdiction and third party service providers, we would be very interested in pursuing.
    Mr. BACHUS. Banks' third party service providers are within your jurisdiction, aren't they, as far as their information security?
 Page 27       PREV PAGE       TOP OF DOC
    Mr. BEALES. Yes, I believe they are. They are also subject to the bank's——
    Mr. BACHUS. I understand that. But I am just talking about for a minute—without being specific, have you taken a closer look at any of their information security programs?
    Mr. BEALES. We do not have any—we haven't done anything that was specifically targeted to bank third party.
    Mr. BACHUS. I understand that. I am not talking about target. I am just saying are there instances when you have reviewed their information security programs?

    Mr. BEALES. If we review information, it would be in the context of a particular investigation of a particular company.
    Mr. BACHUS. I understand that. I am not talking about particulars, but have you done that? I know you have the right to do it, and you might do it, but have you done it?
    I am not going to ask specifics about companies, but I want to know if that is part of your jurisdiction?
    Mr. BEALES. It is part of our jurisdiction.
    Mr. BACHUS. My question is, are you all taking advantage of it? Are you all doing that? Are you reviewing or have you reviewed any?
    Mr. BEALES. We have reviewed cases as they have come to our attention.
    Mr. BACHUS. Banks, third-party providers?
    Mr. BEALES. Yes, sir.
    Mr. BACHUS. Okay. You know, on the DPI case, this information was looked at, but it wasn't actually taken, is my understanding.
 Page 28       PREV PAGE       TOP OF DOC
    Mr. BEALES. I am not—I don't know that for sure.
    Mr. BACHUS. Okay. All right.
    Are you aware of any identity theft cases that resulted from the DPI hack?
    Mr. BEALES. I am not.
    Mr. BACHUS. How many personnel are dedicated to investigating pretext calls at your agency?
    Mr. BEALES. There probably isn't anyone that is completely dedicated. We are a small agency and people multi-task, but there are—there are four or five staff members who have been involved in pre-texting investigations.
    Mr. BACHUS. Let me ask the Secret Service, either one of you gentlemen, Mr. Weaver or Caddigan, in your experience how responsive have credit card issuers and processors been in notifying the Secret Service of data penetrations or other hacking events.
    Mr. CADDIGAN. I think, as a general statement, it is safe to say that they have been very responsive. We have ongoing and longstanding relationships with the credit card companies individually, the banks that they represent, and on occasion the third-party processors as it becomes important for us to deal with them.
    Mr. BACHUS. You have been in a position to know whether they are cooperative, and they are?
    Mr. CADDIGAN. Yes, sir. They are very cooperative.
    Mr. BACHUS. To Mr. Farnan, do you work closely with the private sector in monitoring data penetrations?
    Mr. FARNAN. Well, one thing to keep in mind here is that what has happened at the FBI is the former National Infrastructure Protection Center has now migrated to the Department of Homeland Security.
    So what is happening is on the vulnerability side of the house, the Department of Homeland Security is really assuming that responsibility. And to focus our limited resources the best we can, we are focusing more on the threat side of the house. By that I mean, who is it out there that is causing the problem.
 Page 29       PREV PAGE       TOP OF DOC
    So to answer your question, we are not directly monitoring.
    Mr. BACHUS. You are focusing on the perpetrators?
    Mr. FARNAN. Yes, sir.
    Mr. BACHUS. In our second panel, we are going to talk about TriWest, what happened there. Now, you know, this hearing has sort of focused on penetrations of data systems, hacking, that nature. But in that case, someone either on the inside, it is an ongoing investigation, or on the outside just walked in and walked away with hard drives containing information on half a million people.
    Which obviously, if you had a preference for what you would do, is, you know, go in and try to grab stuff. If you could just walk in and take the hard drives out or the disk out, you know, that would be the preferred method I would think for thieves.
    I read the testimony of TriWest's CEO, and it was 2 days before they discovered this theft. From a law enforcement agency perspective, what do you advise corporations that have these large databases of how to protect them from a security standpoint? Not someone hacking, but someone walking in or somebody walking out, whether they walked in or not.
    Mr. FARNAN. One of the things that we tend to see is sometimes we do tend to think of these cases as extremely complex, because once when we get into the world of electrons and what is happening in cyberspace, things can get complicated pretty quickly. But in doing that, sometimes we forget the fundamentals, sometimes we forget to lock the door.
    So there are times when you have to look at, where does any company or university or institution keep its servers, where do they keep their mainframes, what kind of security, in terms of locked doors, places in the building that kind of equipment is kept. Is it kept on site in the same place as the corporate headquarters or is it secured in an alternate location.
    So sometimes even though we get into lots of victims involved in these crimes, and the crimes can be really worldwide in nature, sometimes we forget the very fundamentals. And that is really, probably, the place to start with security matters.
 Page 30       PREV PAGE       TOP OF DOC
    Mr. BACHUS. I totally agree with you. I would think fundamentally you worry about sophisticated—through the network, but you obviously shouldn't—you should just protect the front door.
    How about the Secret Service? Any comments you would make?
    Mr. CADDIGAN. I would concur.
    I think in a proactive approach to information assurance or information security, a company, an organization, an entity needs to be concerned dually, both physical and cyber.
    And when you look at vulnerability assessment, an organization can be guided to conduct their own self-assessment, I think you do—those things rise right to the top. I don't know the particulars on this case, but as you describe them you would ask the simple questions on the front end, is there a lock on the door, is there protection on the hard drive, what schedule do you use in order to verify that information has not be compromised.
    And again, not having any knowledge of this case, protecting your cyber elements again is just as critical as your physical elements. So it is easy to critique on the back side, but the proactive approach I think might have determined that vulnerability on the front side.
    Mr. BACHUS. Thank you.
    Chairwoman KELLY. Mr. Caddigan, I want to follow up.
    Just one quick question to Mr. Bachus's question, and that is, about the way that the computers contain the information. If people are lifting the hard drives, then it seems to me that containing information that separates numbers from names and Social Security numbers from addresses, things like that can be done. Are you overseeing things like that? Are you looking at things like that, or recommending things like that to companies?
    Mr. CADDIGAN. Yes, ma'am. Recommending would be the proper word. We do have issues with regard to—these companies are private sector. We can't mandate, we can't legislate, but we certainly can recommend security mindedness. Those would be exactly the type of things that we would ask you to consider in how you collect and keep your data.
 Page 31       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Thank you. Ms. Hooley.
    Ms. HOOLEY. Thank you. I am going to direct most of my questions to Mr. Beales, but if any of you would like to jump in, please feel free to do so.
    I know you are to provide victims assistance and consumer education.
    Can you highlight, beyond your testimony specifically, specific steps the FTC has taken in regard to consumer education and victims assistance? Let me explain what I am looking for.
    I know in regard to victims assistance you have a centralized database to aid law enforcement. Are there any programs in place specifically to help victims of ID theft clean up their credit, which as many of you know can be a long and expensive process? And do you have any suggestions for new ways to help in this regard? That is the first part of my question.
    The second part is, you have to finalize rules which require financial institutions under FTC's jurisdiction to develop and implement appropriate physical, technical and procedural safeguards to protect consumer information.
    Can you tell me which financial institutions might be subject to this rule? Would the 400 companies which are sponsored by financial institutions to process credit card payments, such as DPI, be subject to the rule?
    Then the third part of my question is, I know your—you have been traveling around the country to educate local law enforcement. I would like to know how well that has gone.
    Can you tell us a little bit about the seminars, how many cities have you traveled to, how often are they held, and what might be coming next. And is there anything we can do to help you with that?
    I know I have used your brochures extensively for the education piece. Thanks.
 Page 32       PREV PAGE       TOP OF DOC
    Mr. BEALES. When consumers call our hotline for identity theft to report a problem, the phones are answered by trained counselors who will try to talk them through what they need to do next.
    Our role is to provide advice to consumers about the steps that they need to take. We do that to the best of our ability, but it is really up to consumers to do that.
    There are private programs that will help consumers individually on a one-on-one basis, go through the process of cleaning up their credit. It is not something that we do or would have the resources to do for the complaints we get. We get—last year we had approximately 161,000 victims who contacted our clearinghouse for information and assistance.
    Ms. HOOLEY. Let me ask you, are there any other things? I mean, I know what the directions are that you give victims, and it can take 3 or 4 years. I mean, I think the average time is an enormous amount of time to clear up their credit.
    Do you have suggestions or ideas, any of you, about how we can make that happen in a much quicker, less costly, less time consuming, less frustrating way?
    Mr. BEALES. We are constantly looking for better ways to do it, to make it simpler. We have—I mean that led us last year to put out a uniform affidavit. So consumers could report the fraud on one form and then submit copies to different financial institutions, as one way to try to simplify the process.
    We are working—we have been working with the credit reporting agencies to initiate a pilot program that would let consumers just make one call to contact all three credit recording agencies and establish a fraud alert. We expect that program to go into place later this month.
    We are continually looking as well for things that Congress might do to make this simpler. At this point we don't have any specific suggestions. But, it is something that we are very much alert to, and looking for ways that we or you or anyone else could make this process less of a hassle for the people who are victims.
 Page 33       PREV PAGE       TOP OF DOC
    As to our Safeguards Rule, there are a wide variety of firms that you wouldn't think of as financial institutions that are or may be financial institutions under the Gramm-Leach-Bliley Act rules that are subject to our jurisdiction and that would be subject to the Safeguards Rule.
    Accounting firms that do tax preparation and the like, for example, may well be subject to the rules. Auto companies that provide credit or dealers that provide credit or financial institutions are subject to the rules.
    The third parties that provide services, to banks or anyone else, that involve handling sensitive information would likely be financial institutions and subject to our rules.
    It is a hodgepodge of who it is, there is no easy way to describe the universe. But, our jurisdiction is basically any financial institution, except banks or financial institutions that are specifically regulated by some other regulator.
    As to the law enforcement training, I believe we did five——
    Ms. HOOLEY. Let me finish up that. The companies that are sponsored by financial institutions, like DPI, are they under your jurisdiction?
    Mr. BEALES. I believe they are, yes.
    Ms. HOOLEY. Okay.
    Mr. BEALES. As to the law enforcement training, I believe we did five cities last year. We did training programs in five cities last year. We thought it was successful and useful.
    We did those training programs in conjunction with the Justice Department and with the Secret Service and the Postal Inspection Service. We tried to bring in local officials, as well, in each one.
    This year we have five more planned in different cities around the country, and we are continuing to pursue that activity.
 Page 34       PREV PAGE       TOP OF DOC
    Ms. HOOLEY. How can we help you in increasing those numbers for law enforcement, because I think that is a really important piece, the law enforcement piece of identity theft.
    Mr. BEALES. Well, the—the piece that, I mean, the training piece I mean is simply limited by resources. It is—it is—it takes staff, time and effort. And we have tried very hard to work with the other law enforcement agencies involved to extend our resources and leverage them as much as possible.
    Ms. HOOLEY. Thank you.
    By the way, thank you for the booklets. We do send out a gazillion of them.
    Mr. BEALES. I am glad to hear that.
    Chairwoman KELLY. Mr. Shadegg.
    Mr. SHADEGG. I am going to pass.
    Chairwoman KELLY. Mr. Renzi.
    Mr. RENZI. Thank you, Madam Chairwoman.
    Just two real quick questions, so then we can go vote.
    I am really interested in the who behind all of this. You know, we have heard that there are hackers involved and terrorists involved, organized crime involved, and even insiders. And I know the FBI and the Secret Service has done a wonderful job in foiling some attempts. What can you share with me as far as the who behind this.
    I've got a little follow-up question. Thank you.
    Mr. FARNAN. First, our experience and our investigative activity to date suggests one thing that really kind of stands out. And that is, that the highest, the person that we are most concerned about is, in fact, the insider as opposed to an outsider. That person poses the most significant threat.
 Page 35       PREV PAGE       TOP OF DOC
    Secondly, what we focused on and what we are concerned about are organized groups that may be attempting to obtain, penetrate machines and obtain large amounts of data. And we are very concerned, also, about the threats that are posed from foreign countries, frankly.
    But, one important point, I think, to emphasize is the fact that it is the insiders. It is the people who have access to the machines and to the data that really pose a significant threat, which raises the question, who watches the watchers?
    Mr. RENZI. Well said.
    Congressman Shadegg and I share a real concern living in Arizona with the border. We are reminded weekly of the threat, particularly as it relates to terrorism. We recently just had an Iraqi arrested down in the Tucson area. That goes to my follow-up question, which is the market, the black market.
    We have probably a sophisticated black market as it relates to credit cards, as it relates to Arizona, drivers' licenses, passports. Los Angeles has a whole market that is even bigger than ours, because of the immigrants that move through our area looking for identification and also the terrorists, I think, that are also looking for that new identity.
    Could you talk real quickly then about the driving force of once the insiders or whoever have stolen this information, who they are selling it to, where is the purchasing, the fencers, I guess, is what I am talking about?
    Mr. CADDIGAN. The insider threat is—the correlation of the insider is permeated through many of the cases that we have.
    The hacking community, the groups out there that do hacking for a pastime, we think they fall maybe into three categories.
    One is those doing it for the challenge. They want to show that they can tap into your vulnerability and exploit you.
    The second is political, which means they get into websites. They deface them. They put a statement, a logo, again, sometimes just for encouragement.
 Page 36       PREV PAGE       TOP OF DOC
    The other is for profit. So they are the ones that I think we are all concerned about in law enforcement, those that are getting in there and stealing information. We find, in many cases, they make that information available in chat rooms on the webpage.
    They indiscriminately make it available to anyone willing to pay for it. Thus, it is hard to track where the sources are going to, because they are everything and anything.
    Mr. RENZI. Your answer leads me to believe that there is not an absolute purchaser. There is not an absolute market that you have been able to identify, indiscriminate purchasers?
    Mr. CADDIGAN. There is not an absolute market. I think that is safe to say.
    With regard to terrorism and the like, we do find—with illegal immigrants, terrorists, those that are truly trying to hide their identify, aren't using it to gain credit or to have purchasing power, they are using it to be able to live and exist with a different name that doesn't draw attention to them.
    Mr. RENZI. You are able to set up an electronic fencing operation, a pseudo fencing operation, where you look on the Internet and purchase that information and then go after that individual, just like you would——
    Mr. CADDIGAN. That does occur.
    We have always had sting operations with regard to, as your concern expressed, the immigrants. We have had some terrorism links to those that are just trying to have different breeder documents, and what they can get out of the breeder documents, meaning passports, driver's license and the like. It is just strictly to have a change of a named identity that they can use at will. So it does run the gamut in that regard.
    Mr. RENZI. Let me just thank you all of you for your testimony today, and especially at this time in our Nation's history for the work you are doing.
 Page 37       PREV PAGE       TOP OF DOC
    I know we are talking about incidents that have already occurred today. I can't imagine the amount of incidents that you have foiled. So thank you for that.
    Chairwoman KELLY. Thank you very much.
    We have just been called for two votes on the floor. So I will eventually deal with that, but I want to note that some of the Members may have additional questions for this panel, that they may wish to submit those questions in writing.
    So, without objection, the written hearing record will remain open for 30 days for members to submit written questions and to place responses in the record.
    This panel is excused with our great thanks. We appreciate the fact that you gave us so much of your time, and we look forward to being in continual contact with you, because this is quite a thorny issue. Thank you very much.
    In light of the vote, I am going to recess this committee for 20 minutes, and we will reconvene in 20 minutes for our second panel. Thank you very much, gentlemen.
    Chairwoman KELLY. As the second panel takes their seats at the witness table, and with the agreement of Members, I want to recognize the gentleman from Arizona, Mr. Shadegg, for the purpose of introducing our first witness before I proceed with the rest of the introductions.
    Mr. SHADEGG. Thank you, Madam Chairwoman.
    As I mentioned in my opening statement, I have the privilege of having a constituent on this panel.
    Mr. David McIntyre is here to testify about the burglary of his company's office located in my Congressional district, the burglary that occurred on the morning of December 14th, 2002, and about the response by his company to that burglary.
    Mr. McIntyre is president and CEO of TriWest Healthcare Alliance, which is a private corporation that administers the Department of Defense's TRICARE Program in a 16-State region in the central United States. TriWest is the largest Department of Defense contractor in Arizona.
 Page 38       PREV PAGE       TOP OF DOC
    Mr. McIntyre has more than 18 years of experience in healthcare and healthcare policy and in the healthcare business. He was previously Vice President of Blue Cross Blue Shield of Arizona, which is where I met him.
    For our purposes, Madam Chairman, he has 9 years of experience serving on the staff of Senator John McCain. So he is somewhat familiar with the hearing process.
    As I mentioned in my opening statement, in the wake of the burglary of TriWest's offices in Phoenix, Mr. McIntyre's company aggressively responded.
    Mr. McIntyre personally oversaw and took part in the plan to notify customers about the stolen information and personally telephoned a number of those whose credit card information was stolen.
    Mr. McIntyre has turned that negative experience, the burglary of his company's offices, into a positive model for other companies across the country who are victims of information theft.
    I appreciate him being here to testify, and I look forward, as I am sure the rest of the panel does to his testimony.
    Chairwoman KELLY. Thank you, Mr. Shadegg.
    Our remaining witnesses on the second panel are Mr. Kevin D. Mitnick, President and Co-founder of Defensive Thinking and a computer hacking expert. Stuart Pratt, President of the Consumer Data Industry Association. Mr. John Brady, Vice President for Merchant Fraud Control of MasterCard International, and Evan Hendricks, Editor and Publisher of Privacy Times. We welcome you all. We thank each of you for testifying here today.
    Without objection, your written statements will be made a part of the record. You will each be recognized for 5 minutes, and if you don't know the color codes on the lights in front of you, the green light is all go, and as soon as you see the yellow light it means it is time to sum up because the red light will come on. We all know what that means.
 Page 39       PREV PAGE       TOP OF DOC
    With that we will start with you, with Mr. McIntyre.


    Mr. MCINTYRE. Chairwomen Kelly and distinguished members of the Financial Services Committee, thank you for the invitation to appear before you today to discuss the important topic of identity theft.
    Congressman Shadegg, thank you for your overly generous and very kind remarks, and I appreciate your long interest, dedication and effective leadership on this critical consumer issue. It, in fact, is an issue that affects every consumer in America, probably a very unique one at that.
    As Congressman Shadegg said, my name is Dave McIntyre. I am the president and CEO of TriWest Health Care Alliance. We are a private corporation that delivers health care services to the Department of Defense and its beneficiaries in 16 states. We serve 1.1 million people.
    This was a very painful holiday period for me this last year, because like a number of organizations in this country, I have had the opportunity to learn firsthand about the information theft.
    What is most appalling to me, however, is that in many cases, it takes the individual who suffers the identity theft longer to clean up their credit report than is the jail term that is served by the criminal who actually perpetrated the act. As a consumer, as a business leader whose company suffered the theft of the personal information of its customers, I am grateful to you for your focus on this critical issue.
    On Saturday morning, December 14th, one of our offices was burglarized. Computer equipment and data files containing confidential and personal information of more than 570,000 members of the military, their dependents and retirees was stolen.
 Page 40       PREV PAGE       TOP OF DOC
    The information on the stolen hard drives included names, addresses and Social Security numbers, which we are required by the Federal Government to collect, along with other personal information. Fortunately, it only contained 23 credit card numbers.
    I was told by experts shortly after the theft that the most effective thing I could do was to get out in front of this issue and notify consumers as quickly as possible. So that is what we set out to do. We notified authorities on learning of the theft.
    Secondly, we contacted our DOD partners to jointly create and implement a comprehensive three-pronged action plan to protect our beneficiaries. We went to the media. Because many of these people were away from home during the holidays visiting their families. We wanted to make sure that we lost no time.
    The military worked through their chain of command and notified every installation worldwide, so that we would reach the leadership and all of the folks serving in the military.
    We sent the first of what will now be three letters to the individuals who were affected, to notify them of what had occurred, and give them advice based in part on the counsel of the FTC on what they could do to protect themselves.
    This has been a joint effort, working with Dr. Winkenwerder, the Assistant Secretary of Defense for Health Affairs, the Surgeon General of each service and all of the command structure in the military. It has been a fabulous partnership, albeit at a time when they didn't have time to spend on this issue.
    Third we posted a $100,000 reward to aid law enforcement in their efforts to try to detect who had done this. As you can imagine we were devastated by this event. However, we focused all of our energy on trying to do what we would want to have done were we the consumer who was sitting on the other side.
    Given the burden on the individual of placing a fraud flag with three different credit bureaus, we worked with the credit bureaus to develop a plan that has allowed us to request on the behalf of our customers, not forcing them to do it, the actual request of a fraud flag.
 Page 41       PREV PAGE       TOP OF DOC
    To date, more than 63,000 of the people on that list have chosen that option, and we have done that work on their behalf.
    Through this experience, I have learned a lot. I never planned to become an expert or even close to someone who knew a lot about the issue of information theft. I am pleased to be joined by a number of other people who obviously know a lot about this topic as well.
    I have come to believe that the work that was done by Congressman Shadegg needs to be built on in a couple of ways.
    First, I think that every leader of any organization, whether it is public or private, has an absolute obligation to their customers, that when that information is compromised, they have an obligation to inform their customer of the fact that has happened. It is painful. It is awkward. It is embarrassing. It is expensive. But you know what, it is not our information, and unless you arm the consumer with that information, they cannot protect themselves.
    Second, as a consumer, I have observed the inconsistencies in the last 4 months with how my credit card information is handled. Half of the receipts from restaurants have the full credit card number and authorization date or expiration date posted on it. That is all you need and a name to go to the Internet and buy something.
    In addition, I still belong to the Senate Credit Union. I went to the credit union to find out what comes on your statement. Social Security numbers are printed on those documents if you go and ask for the balance on your account today. Same is true in the House Credit Union.
    So we need to work to look at when is it necessary to have the full Social Security number printed on the document, when is it necessary to have the full credit card number printed.
 Page 42       PREV PAGE       TOP OF DOC
    I also think that penalties in this area for those who perpetrate such crimes need to be looked at and significantly enhanced.
    Fourth, I believe that credit bureaus should allow organizations to act on behalf of their customers, and that they should establish consistent timelines for the updating of fraud flags.
    Thanks for the invitation to be before you today. I hope that this is the year that you are able to take the incidents that we have all faced and use them as leverage to further protect consumers in this country. I look forward to answering any questions you may have.
    Thank you, ma'am.
    Chairwoman KELLY. Thank you.

    [The prepared statement of David J. McIntyre can be found on page 114 in the appendix.]

    Chairwoman KELLY. Mr. Mitnick.


    Mr. MITNICK. Good morning, Chairwoman Kelly, Chairman Bachus and distinguished members of the committee.
    My name is Kevin Mitnick. I appear before you today to discuss your efforts to review current industry practices concerning security procedures for the prevention of electronic theft of credit card information and identity theft.
 Page 43       PREV PAGE       TOP OF DOC
    I am primarily self-taught. My hobby as an adolescent consisted of studying methods, tactics and strategies for circumventing computer security, and for learning more about how computer systems and telecommunications systems work.
    I have 15 years experience circumventing information security measures, and I can report that I have successfully compromised all systems that I targeted for unauthorized access except one.
    I also have 2 years experience as a private investigator with responsibilities that included locating people and assets using social engineering techniques. Social engineering is the same thing as pre-texting that Mr. Bachus spoke to earlier.
    I have gained unauthorized access to computer systems at some of the largest corporations on the planet and have successfully penetrated some of the most resilient computer systems ever developed. I use both technical and nontechnical means to obtain source code to various operating systems and telecommunication devices to study their vulnerabilities and their inner workings.
    Currently, I am the Co-founder of Defensive Thinking, a Los Angeles based information security firm. I recently co-authored with William Simon a book titled the ''Art of Deception,'' published by John Wiley and Sons, which has become an international best seller. The book details nontechnical methods and tactics, in essence pre-texting, that computer intruders use to compromise valuable information assets, including credit card information.
    Social engineering is a method where the intruder deceives his target into complying with the request based on false pretenses and psychological manipulation.
    It is important to understand, and all companies and their employees need to realize, that the most insidious vulnerability to information security are the well-meaning, hard-working folks that use, operate and maintain information systems.
    The prevention and detection of social engineering attacks should not be ignored or underestimated. In fact, the majority of scams involving identity theft and credit card fraud include social engineering on some level.
 Page 44       PREV PAGE       TOP OF DOC
    In an attempt to deter carding, many retailers are now requiring an on-line customer to provide the three-digit CVC number that card issuers have begun to use.
    But the thieves also obtain the CVC number. With it, he is able to use the information to commit fraud against unsuspecting cardholders and merchants. I understand that the subcommittee will be examining three recent cases involving large-scale thefts of nonpublic, personal identifying information and credit card details.
    A major part of the problem is that the criminals only need to obtain information that is stored or processed in thousands of computers systems around the world. In February of 2003, DPI, a credit card processing services company, reported that an unknown intruder had compromised their network and gained access to a database that held over 8 million credit card accounts.
    DPI did not release any details describing how the breach occurred, citing cooperation with Federal law enforcement officials. The DPI case was widely reported in the press because of the astounding number of credit cards potentially compromised.
    But when examined closer, you will realize that these types of attacks happen all the time. In my opinion, the committee should not overlook that many similar attacks on networks containing financial information are not detected by the owner or operators. It is important to realize that many of these security incidents remain undetected because of poor security and auditing practices.
    DPI has publicly claimed that the intrusion occurred from the outside of the organization. Although, I do not like to hypothesize on facts and circumstances of an any attack without details, I would recommend that DPI consider the possibility that the attacker had assistance from the inside of the company.
    Every day the security community announces new vulnerabilities and operating systems in application software that have been identified. Vulnerabilities in software can be exploited to gain remote access to the target computer. Many system programs contain programming errors that enable the intruder to trick the software into behaving in a way other than which is intended in order to gain unauthorized access rights, even when the application is part of the operating system of the computer.
 Page 45       PREV PAGE       TOP OF DOC
    Once a new vulnerability is recognized, the software developer releases a patch, a modification to the software that might be installed by individual companies, a process that may be overlooked for days, weeks, months, even years. Meanwhile companies using that software remain vulnerable or are forced to disable or block access to the vulnerable service until the patch becomes available.
    Even then in many cases this is not enough. There are a number of sophisticated hackers who are able to discover previously unrecognized security vulnerabilities and then use them to compromise global computer systems and networks.
    I agree that it is essential to implement security strategies to prevent, detect and respond to security threats and attacks, but it is too easy to look in the wrong direction for an answer. In my view, attempting to solve the complex problem by micromanaging every on-line site that accepts credit card transactions would turn out to be wasteful, inefficient and not a very successful exercise.
    Instead, I recommend that the committee look into a different direction. I recommend that you explore mitigation strategies which focus on improving the authentication of the credit card user. In any on-line credit card transaction, identity and authorization is based on the information a consumer provides to the merchant. This is no better than a static password.
    There is an old saying among hackers. You never know if someone else has your password. The reality is that a password or its equivalent is too easy to steal. A first step towards a solution would be to strip away the identity value of all personal information.
    If knowledge of a credit card number, expiration date and the corresponding customer name and address is without value, stealing this information would be a useless to an imposter.
    Unfortunately, authentication technology has not yet matured to the point of being able to provide an easy solution to the issue. If not being done already, I would recommend that the finance industry explore additional authentication methods that may include digital certificates, identification of the user's location based on IP address or telephone number, or verification of a PIN through a separate communications channel.
 Page 46       PREV PAGE       TOP OF DOC
    For example, consider this scenario. You have just placed an Internet order for a new cell phone with a price tag of several hundred dollars, and placed an on-line order with your credit card information, but you were not required to give a PIN number. Instead, you next dial your credit card company, and when prompted you enter your card number. An automated system then reads off the details of the transaction. You are satisfied that the details are correct. The system tells you: To authorize this transaction, enter your PIN number.
    What would be the advantage of this approach? The thousands upon thousands of individual retailers would not have access to consumer PIN numbers. The fact that so many retailers store the credit card numbers of on-line customers gives rise to the kind of credit card theft that this hearing is addressing.
    If they also store the customer PINs, then there is no gain in security. The PIN becomes almost worthless as a security element. But under the approach I have suggested, only the bank would have access to the PIN number information. Under this arrangement, the theft of the card numbers would be of limited value.
    In another area, I would also recommend consumer-awareness training programs that educate people about the various scams being used to steal their credit card details and personal information, a practice that can prove highly valuable to effectively minimize identity theft and credit card fraud.
    I believe that all on-line retailers who accept credit cards should be encouraged or required to do the following:
    One, perform a regular, thorough risk assessment on their information assets, especially systems that process or store consumer financial and personal information.
    Two, implement policies, procedures, standards and guidelines as dictated by the results of the risk assessment.
    Three, create an audit and oversight program that measures compliance. The frequency of the audits ought to be determined consistent with the mission. The more valuable the data, the more frequent the audit process.
 Page 47       PREV PAGE       TOP OF DOC
    Develop a process to ensure meaningful and effective patch management for all computer systems. Employ authentication methods that do not use nonpublic personal identification information, such as a mother's maiden name, birth date, birth place, driver's license number, address, phone number or Social Security number.
    Next, effective audit procedures implemented from the top down must be part of an appropriate system of rewards and consequences in order to motivate system administrators, personnel managers, and employees to maintain effective information security, consistent with the goals of this committee.
    Next, establish a security-awareness training program designed to educate their employees on the threats to information security and to change employee behavior to foster a secure environment. These would follow the security recommendations described in detail in my book, ''The Art of Deception.''
    In terms of legislation, I recommend that the subcommittee consider the following:
    One, legislation that prohibits merchants or credit card processors from electronically storing PINs or other types of verification credentials such as the CVC, unless it is essential to business needs.
    Two, the requiring of periodic security assessment and or penetration testing to evaluate the security posture of any business that stores or processes credit card transactions, to be performed by an independent information security consulting firm.
    Three, require encryption of stored financial or personal information. If this was done by TriWest or by DPI, then the information would not be accessible to the hackers.
    Finally, I want to offer what I have deemed the most important factor in security, the human factor. This is essential, underlying all security issues, whether it is from deceptive credit card thieves or terrorist operatives to blend into our communities.
 Page 48       PREV PAGE       TOP OF DOC
    I believe it is essential to consider regulations that mandate security awareness training as part of an overall security program as required by HIPAA and the GLBA.
    Thank you.
    Chairwoman KELLY. Thank you very much, Mr. Mitnick.

    [The prepared statement of Kevin D. Mitnick can be found on page 124 in the appendix.]

    Chairwoman KELLY. Mr. Pratt.


    Mr. PRATT. Chairwoman Kelly, Chairman Bachus, members of the committee, thank you for this opportunity to appear before you today.
    For the record, I am Stuart Pratt, president of the Consumer Data Industry Association, and we commend you for holding this hearing on the implications of breaches in information security in a number of different cases. In each of these cases, you have asked us to comment on the security breaches from the perspective of our members who operate as nationwide consumer reporting agencies.
    I will start with TCI Communications. Our members have no direct relationship with TCI Communications, and we learned—our members report to us that they learned about access codes being compromised in particular through customer contacts with us.
    We work collaboratively with our customers. We worked collaboratively then with law enforcement to assist affected consumers. Let me just outline some of those steps.
 Page 49       PREV PAGE       TOP OF DOC
    Consumers received notices from consumer reporting agencies as well as in partnership with our customers to make sure that they were aware of the breach that had occurred with regard to our information. Consumer's files were in some cases frozen temporarily while we could get those notices to them.
    Notification letters also then allowed consumers to take advantage of free file disclosures, free access to monitoring services that our members provide, as well as opting those consumers out of pre-screened offers of credit, and also adding fraud alerts to their files.
    Beyond the priority of assisting consumers, we also took proactive steps to ensure that the scope of the fraud was contained. We analyzed the patterns that we identified through the crime, and we then adjusted our pattern recognition tools and initiated reviews all of all third-party access codes where we had similar third parties having access to those. We began rotating access codes more aggressively. Our customers are more accepting of the rotation of those access codes today.
    So we actually have a task force continuing to analyze yet additional steps we can take to further remove access codes from employees who might otherwise take advantage of the access that they have.
    We had no real involvement with DPI Merchant Services to the extent that we have been able to ask our members that question.
    I will move on to TriWest. With TriWest, TriWest is not a customer, it was not our information involved in this case. TriWest, as they reported themselves, took very quick action. On behalf of TriWest, many consumers then contacted consumer reporting agencies. We provided them voluntarily with free file disclosures. We also took them off a pre-screened offers of credit again, added security alerts to their files.
    These are just some of the various initiatives that we have for assisting potential victims or real victims of identity theft. A summary is included with our full comments here for the record.
 Page 50       PREV PAGE       TOP OF DOC
    TriWest then proactively contacted our members and coordinated an additional plan of work that would allow their customers to have an easier time of adding additional information to their files.
    We learned a number of things through this experience. One, criminal behavior by employees, we will never be rid of that completely. But, of course, thanks to Mr. Shadegg, we have the Identity Theft Assumption and Deterrence Act of 1998.
    Those employees who had access to those systems, in fact, violated that very law that you created in the first place. They also violated the Counterfeit Access Device and Consumer Fraud and Abuse Act of 1984. They violated the Fair Credit Reporting Act, amended in 1996, which also prohibited access and escalated criminal penalties as well as civil fines for perpetrating this type of crime. So we do have a number of different laws on the books today.
    That being said, obviously everything that we can do to vet employees who have access to sensitive information is a critical element going forward. We must begin to learn to measure the relative risks of various breaches. One of our concerns from our members is that if we were to encourage the entire Nation with every security breach to contact consumer reporting agencies, this would not be hundreds of thousands, but literally millions of contacts per year.
    One of our member companies estimates that it was, in servicing TriWest customers, which was the right thing to do, it was the right time to do it, we have no question about doing it, it cost one of our member companies $1.5 million in order to accomplish that goal.
    We obviously need to work with the Congress and work with this issue to make sure that we are not on our own handling the totality of that kind of cost. It would change and radically alter how we do business today.
    All of that being said, coordinating assistance for consumers is important, and that is what our initiatives do for victims of identity theft. We look forward to working with you and this committee in this process, doing everything possible for those consumers.
 Page 51       PREV PAGE       TOP OF DOC
    Thank you.
    Chairwoman KELLY. I thank you, Mr. Pratt.

    [The prepared statement of Stuart Pratt can be found on page 130 in the appendix.]

    Chairwoman KELLY. It gives me great pleasure to now call on Mr. John Brady, who is a constituent of mine. And I am very pleased to have him be here to testify from MasterCard today.
    Mr. Brady.


    Mr. BRADY. Good afternoon, Chairwoman Kelly, Mr. Bachus, Mr. Sanders, Mr. Gutierrez, and members of the subcommittee.
    My name is John Brady. I am the Vice President for merchant fraud control for MasterCard International in Purchase, New York.
    It is my pleasure to appear before you this afternoon to discuss the important topic of fighting fraud and safeguarding financial information. MasterCard takes its obligations to safeguard financial information and protect consumers extremely seriously. This issue is top priority for MasterCard.
    We have a team of experts devoted to working with law enforcement and maintaining the integrity and security of our payment systems. Our success in protecting consumers and preventing fraud is due in part to the constant efforts we undertake to keep our network secure.
 Page 52       PREV PAGE       TOP OF DOC
    The MasterCard Information Security Program is comprehensive, and we continually update it to ensure that it provides strong protections. Our member financial institutions also have information security protections in place, including those required under the applicable banking law.
    Also, MasterCard's bylaws and rules require each member and any third party acting on behalf of a member to safeguard the transaction and account information. Our bylaws and rules also require any merchant that accepts a MasterCard branded payment device to prevent unauthorized access to the information.
    In addition, MasterCard has a variety of consumer protections and antifraud tools. For example, MasterCard has voluntarily implemented a zero-liability policy with respect to unauthorized use of U.S. issued MasterCard consumer cards. Under this rule, a cardholder victimized by unauthorized use generally will not be liable for any loss at all.
    In addition, MasterCard has developed programs to protect against unauthorized use of the MasterCard payment cards. These include enhanced security features on the card, the MasterCard address verification system, and our proprietary fraud reporting system which helps identify fraud at merchant locations and allows us to better focus our global merchant auditing programs.
    We also offer a program to our issuers called Risk Finder, which assists issuers in proactively identifying fraud. These and other MasterCard tools have proven extremely effective in protecting cardholders and the security of our systems.
    I would now like to discuss a recent example of how we addressed a problem when it occurred. There was a recent incident involving a data processor called DPI, Data Processing International, who was acting as a service provider to a MasterCard member bank in Ohio, which, in turn, was providing bank card processing services for merchants.
    Earlier this year DPI detected that someone had obtained unauthorized access to its system. Although it is not clear at this point how much data the hacker successfully exported from DPI's system, we do know the hacker potentially had access to approximately 10 million Visa, Discover, American Express and MasterCard payment card account numbers.
 Page 53       PREV PAGE       TOP OF DOC
    Once DPI detected the problem, they took action, and quickly notified the Secret Service and FBI as well as affected payment card companies. MasterCard immediately took decisive action to protect its systems, its members, and most importantly MasterCard cardholders from fraudulent activity related to this breach.
    MasterCard interviewed the appropriate people at DPI in order to determine the nature and scope of the breach. MasterCard gathered the payment card account numbers and forwarded them to the appropriate issuers via our MasterCard alert system.
    MasterCard hired a third-party forensic firm to act on MasterCard's behalf during the investigation. MasterCard remains in ongoing contact with issuers of the card numbers that were involved. I am pleased to say that it does not appear that these numbers have been involved with unusual activity as a result of the DPI breach.
    As a final point, I would like to note that law enforcement agencies have done a commendable job in investigating this breach. MasterCard works closely with these organizations and greatly appreciates their efforts to resolve this issue.
    MasterCard continually strives to provide its members and MasterCard cardholders with strong protections. And we will continue to develop new strategies and tools to prevent those who seek to do harm from succeeding.
    I would like to thank the subcommittee for inviting me to discuss these issues, and I would be pleased to answer any questions you may have.
    Chairwoman KELLY. Thank you, Mr. Brady.

    [The prepared statement of John J. Brady can be found on page 86 in the appendix.]

    Chairwoman KELLY. Mr. Hendricks.
 Page 54       PREV PAGE       TOP OF DOC


    Mr. HENDRICKS. Thank you, Madam Chairwoman and Mr. Chairman.
    A lot of times in the privacy community, we like to talk about Supreme Court Justice Louis Brandeis, who wrote eloquently about the importance of privacy in a civilized society. But, he is also the one who wrote that sunshine is the best disinfectant, and one of the themes throughout my brief talk today is the importance of sunshine, that to improve privacy you need sunshine and transparency. Just by having this hearing today, you are bringing sunshine to a very important issue, and providing a vital public service. I really commend you for that. And again, thanks for the opportunity.
    A few fundamental observations. The problem that we are discussing today, of hacker access to sensitive data, data leakages and identity theft in general, is going to get worse before it gets better.
    There are several reasons. One, is that we have now in our society many databases filled with the personal data, and they, to me, are the electronic equivalent of swimming pools without fences around them. They are attractive nuisances.
    The reason they are attractive is because our personal data is worth a tremendous amount of money to many organizations, and the criminals have figured this out.
    The other thing is that identity theft losses are still a fraction of the overall revenue generated by the credit industry. So to this point, the Tower Group has just released a report saying that they don't expect any major changes in the practices of financial institutions because it can still be written off as a cost of doing business.
    I don't know if that is going to be very helpful to the people who would be the victims of identity theft, though. In addressing these problems, as I mentioned the lack of transparency is a major issue that comes from all of those cases. Thousands upon thousands of entities, large and small, have instant electronic access to very sensitive data on over 200 million Americans.
 Page 55       PREV PAGE       TOP OF DOC
    Consumers generally don't enjoy that same kind of instant electronic access to their own data. We must move toward a society in which they do, and I will explain why and how.
    Also, there is a lack of sunshine when things go wrong, and that is the issue of, are people going to be notified when their security is compromised. Currently there is not a requirement of that.
    I will talk about the culture of security that is really needed, and we must develop and advance. Also another problem that comes from all of these cases is the over reliance on the Social Security number.
    Now, in the Teledata Communications case, which I think is one of the more important cases we are discussing this morning, you see access as a vital part of the problem and the solution. If those 30,000 victims would have had instant electronic access or alert providing them that there had been activity on their credit report, and one of your constituents from New York or Alabama or Arizona saw there was an inquiry on their credit report from Texas Energy Supply, which is one of the institutions used for fraudulent access, then they would have known something was wrong.
    In fact, the credit bureaus have already started offering this service, and they have discovered it is a very good revenue stream. The problem is, they are charging as high as $79 per credit bureau to get a credit monitoring service. If you multiply that by all three credit bureaus, that can run over $200.
    It is a good business, if you can collect people's data and sell it back to them at that price. But we should remember that the Fair Credit Reporting Act gives you a right of access to your credit report, and caps how much they can charge for it. Yet, there is no cap for these sort of monitoring services I see moving toward a system where we are plugged into our personal data as being an important part of the solution.
 Page 56       PREV PAGE       TOP OF DOC
    So we should encourage that and see the economies of scale and can make it a win-win for everyone. This is also a model for the financial world. There are going to be databases of sensitive financial information kept by financial institutions that could fall outside the Fair Credit Reporting Act. I think that access is going to be a very important issue to address those problems as well.
    Also, I was concerned in this case with the lack of security in the TCI case. Because most of the credit card companies, and Mr. Brady can probably speak a lot about this, have software that monitors our purchases and activities, so they can spot suspicious patterns of activities.
    To my experience, I have not seen evidence that the credit bureaus are using this, even though this was a case where there was suspicious activity over and over again.
    In the TriWest case, I think one of the most important lessons emerging is the fact that the Social Security number should not be used as an identifier, and really this is a societal problem and a Defense Department problem, that they require that the Social Security number as an identifier, and just proposed a new rule to make it the health identifier for soldiers.
    I really fear that we will have soldiers returning from the Gulf War to find that they are victims of identify theft, because of over reliance on the Social Security number. We can explore more of this later in questions if you like.
    In the DPI merchant services cases, I think what was most troubling was the secrecy that surrounded the problem. At first they only revealed that there was a hit of credit cards. They wouldn't disclose who—that DPI merchant services was the credit card processor. Then they disclosed that.
    DPI told the Detroit News that consumers who were concerned about this should contact their issuing banks. Yet than they declined to name which of the issuing banks were hit. There was no systematic way. Then Visa levied substantial fines in the matter, but wouldn't say who they levied the fines on or for what amount or for what purpose.
 Page 57       PREV PAGE       TOP OF DOC
    So basically, this sort of secret society was saying, ''we will make sure that your personal information is corrected, but don't you worry your pretty little head about it.''
    I think the model for addressing this is California, which has passed a new statute, which takes effect July 1, which basically requires notification of individuals when their information is compromised in these sort of breaches.
    What I like about the law is the flexibility it includes, and I mentioned this in my testimony. The notice can be in writing, electronically, in accordance with the Federal E-signature law.

    Mr. HENDRICKS. If the cost of notice were to exceed $250,000 or were over 500,000 people, you could do it through a combination of different ways and they list some of the ways you could do it. Whenever you have a privacy problem, reasonableness is the standard for the solution. Any solutions have to be reasonable given the context. It is really case-by-case.
    The final thing is that when we have the issues of identity theft, as some of your witnesses have said, the main problem is the problem of cleaning up the polluted credit history. It is time-consuming, energy-consuming and very emotional and distressful. So the idea of having us plug into our credit reports and having a more instant means of communicating with our own data is an important part of the solution.

    [The prepared statement of Evan Hendricks can be found on page 105 in the appendix.]

 Page 58       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Thank you, Mr. Hendricks. I am going to ask you, Mr. Hendricks, a couple of things. Having had my credit card number stolen, my 95-year-old mother-in-law had her credit cards stolen last week, and she has called me and said I still have my credit card but the bank just called me and said that my credit card number has been stolen and they are going to give me a new credit card. She didn't really understand it. My point is MasterCard called me when my number was stolen. The issuing card company called my mother-in-law, the bank called my mother-in-law. Since this is already being done, I wonder if you have ever estimated the cost of what it would be for banks, people, anybody to have to notify their customers, since there are millions of us.
    And after you answer that question I am going to go to Mr. McIntyre and talk to him about his cost. So what do you think that cost is going to be?
    Mr. HENDRICKS. I don't know. I have not calculated the cost. I would love to raise the money to do a really authoritative study on that, because I think it is important. But that is why I agree that there are cases where you have—your solution has to be reasonable to the problem. And if you don't see evidence of crime happening then you can find more general ways to try and issue notice. What I don't think is acceptable is that if you have a system where you know there has been a hit of 10 million numbers, if you simply can't even find out which banks—if you are trying to find out if my bank has been hit, you can't find that out, that is a lack of notice I think that is unacceptable.
    Chairwoman KELLY. Given the free market one would hope that the banks themselves would do some notification and do that pretty quickly. But you sat there and testified that you felt that the DOD should no longer use Social Security numbers as identifiers. I am wondering—what clicked immediately in my mind is how much is that going to cost?
    Mr. HENDRICKS. DOD, I am told by a fairly authoritative source, has a system—because a lot of soldiers do not have Social Security numbers or their dependents in the health care arena might not have Social Security numbers. So they already have a mechanism for generating another random number that can serve that identification purpose. We see this in a lot of other places. You go out there in the Department of Motor Vehicles in the District of Colombia and because of problems they had with Social Security numbers being compromised now for the last few years they will give you a randomly generated number for a driver's license number. If you want your Social Security number to be a driver's license number you have to request it.
 Page 59       PREV PAGE       TOP OF DOC
    So I don't think there is a tremendous amount—in this case the benefits far outweigh the cost, considering how we are seeing these leakages and the rise in identity theft.
    Chairwoman KELLY. Well, as a Congressperson we have to be responsible for the way we spend the money. So we need to get some kind of cost estimate.
    Mr. McIntyre, I now would like to ask you a question about how much it cost your firm to do the notification that you did. You certainly acted responsively. I think you were a model in the industry to show how rapidly and how proficiently people could access the fact that their information had been stolen. You did a number of things that had to have a bottom line cost. What did it cost?
    Mr. MCINTYRE. We had a lot of people cooperating and helping us in that process and we are grateful to all of them, including our colleagues in the Department of Defense. We have spent about a million dollars to date. That is this real hard cost. That is not the cost of having people work around the clock in our company, which we did from the 23rd of December all the way through the 3rd of January. And their impacts to the individuals who were involved in the Defense Department as well. So our real actual financial out-of-pocket cost is now about a million. We are not done with this issue. We cannot take our eyes off this issue nor in my opinion should we take our eyes off this issue until either the perpetrator is caught or we and the Defense Department are collectively convinced and that is no more risk to the consumer from this information being potentially in someone's hands.
    Chairwoman KELLY. Mr. Mitnick, what is the single most important step that financial services companies can take to protect large consumer databases? Is there any one thing that you would point out?
    Mr. MITNICK. I wouldn't say there is one thing. It is really a mixture of people, security processes and technology, and developing an information security program, because the attacker or the bad guys are going to look for the weakest link in the security chain. If they can exploit physical security weaknesses like with TriWest or potentially technical weaknesses like DPI, the bad guys are going to get the information. And again, I look at the information that is out there like the Social Security number. Anybody with a credit card and access to the Internet can access a variety of online information broker Web sites and obtain anybody's Social Security number. It is out there for sale. So it is really a difficult issue when this information is readily available and this information could be used to apply for extensions of credit.
 Page 60       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Thank you.
    Mr. Brady, I want to know what action you can take against a member bank that violates your safeguards. Have you ever taken action against—well, let me put it this way: Have you taken action against the member bank with regard to the DPI case?
    Mr. BRADY. I would be happy to talk to you about the DPI case. I think the DPI case is an illustration of how the system works, how the rules work in this case, such as the immediate notification to us and our ability to protect the consumers by getting the card numbers out there. And I can tell you this: the DPI case with my input is being reviewed by senior management. What I can further tell you is we have some seriously big sticks that we can apply in this case. I think you will see something probably in the next couple of weeks in the public domain with exactly what our position is in the DPI case, what specifics. So I have input into it, but I don't want to go into great detail about it today other than to just let you know that it is being looked at, it has reached the most senior part of MasterCard and that we have definitive rules that can be applied in this case and will be applied.
    Chairwoman KELLY. Thank you. My time is up. Mr. Bachus.
    Mr. BACHUS. Mr. McIntyre, you mentioned the truncating problem with merchants, people picking up the Social Security number and using that. And just on reading the paper, at least my impression is that a lot of identity theft and people using people's credit cards is someone at the merchants getting that information off the receipt. And Mr. Mitnick mentioned the fact if you truncate the credit card, you mentioned that too. And first of all, and I am sure—Mr. Brady, could you comment on this—it is my understanding that credit card companies are going to start requiring their merchants to do that in the very near future anyway. So I think that problem will be——
    Mr. BRADY. If I could. That is absolutely true. That has been a practice with ATM receipts and receipts when you go to a gas station, truncation for years. But both card associations are moving to that. That will be happening within the next 2 years, so you are absolutely correct. That has already been addressed.
 Page 61       PREV PAGE       TOP OF DOC
    Mr. BACHUS. Can you give us a target date on when that might happen?
    Mr. BRADY. I can't give you the exact target date, but I believe it is 2005. But I will confirm that and get back to you on that.
    Mr. BACHUS. See if it could be speeded along. Mr. McIntyre, you are talking about truncating and in the situation of a merchant, but let's go back to your situation. Did you truncate the Social Security numbers?
    Mr. MCINTYRE. No, sir. Currently we are required to use the Social Security number in its full breadth when we communicate certain information. That is a topic that is under discussion, and I will be making some recommendations to the Department of Defense for the health care system in that area. The important thing to understand, though, is we didn't e-mail the numbers out. They didn't get released on a paper. Someone stole the hard drives. And in doing it in the configuration that they were in at that time it was a database that allowed them to have access to the full Social Security number.
    Mr. BACHUS. Aren't there programs where even when they go into your data base it can be programmed to where they can't pull that out?
    Mr. MCINTYRE. There is some amazing technology available in the marketplace that I have actually put in place in our organization over the last several months. The fact of the matter is, though, if you go to today's standard it is not good enough 6 months from now. And the challenge in this area is there is so much growth in technology and it is changing so rapidly. Those little Blackberries that we all carry, those weren't available a year ago. It is changing so rapidly that we have got—this is something that you constantly have to stay on top of.
    Mr. BACHUS. Let me ask you this. The cost has been mentioned. You spent a million dollars but actually the credit bureaus—Mr. Pratt, I think he represents those companies—didn't they spend about a million and a half a piece? Did you testify to that on TriWest's case?
 Page 62       PREV PAGE       TOP OF DOC
    Mr. PRATT. One of our member companies did run the numbers and spent about a million five.
    Mr. BACHUS. Who pays for that if we were to design something and requiring someone to?
    Mr. MCINTYRE. I pay for my own cost, which I assume is what that organization is going to do. One of the reasons why they were willing to move to a process by which we could assist them in filing the fraud flag is to reduce that expense. So we took on that burden, which we willingly do. I don't have any problem with the million dollars I spent. I want to state that very clearly.
    Mr. BACHUS. What I am saying, Mr. McIntyre, information was stole from TriWest but it resulted in a million and a half to one of the credit bureaus.
    Mr. MCINTYRE. Actually the way it works, sir, when the information is compromised the most effective things the experts tell you that you can do if you have lost the type of information that was stolen from our organization is to get out in front of the issue as a consumer and file——
    Mr. BACHUS. I am not arguing with the fact it was done. I am just pointing out——
    Mr. MCINTYRE. The only place you can go is to those credit bureaus.
    Mr. BACHUS. It was great that they did it. I am just saying other people, as a result of that theft at TriWest, there were other companies that incurred expenses of—actually greater expenses than TriWest or comparable expenses.
    Mr. MCINTYRE. No question about that. That is why hopefully when they catch the person we can figure out how to be more creative than just use the maximum 5 years, $250,000 penalty.
 Page 63       PREV PAGE       TOP OF DOC
    Mr. BACHUS. Mr. Hendricks mentioned this. You know, as far as notice in all cases, when you say notice in all cases what if it interferes with a law enforcement investigation? What if the information that you get is not usable? I mean, I guess I am saying when you say notice in all cases, would you like to qualify that?
    Mr. MCINTYRE. One has to be very careful about under what situations you are deciding to provide notice. Where you end up in a case where the experts would tell you there is sufficient information to misuse it and obtain credit, that certainly is an area where you need to do notice. That is what happened in our case and what has happened in a series of cases.
    Mr. BACHUS. I understand that. So actually notice in all cases really is notice in all cases where it would be reasonable to assume?
    Mr. MCINTYRE. Absolutely.
    Mr. BACHUS. Not actually in a case where the information wasn't usable or there wouldn't be any reason to notify?
    Mr. MCINTYRE. And I think that California's standard is one that is worthy of looking at. They do talk about reasonable notice, reasonable timeliness under reasonable circumstances.
    Mr. BACHUS. That is what—and rush to notify in all cases. I think, you know, there are times when it is not reasonable.
    Mr. MCINTYRE. Agreed.
    Mr. HENDRICKS. May I comment on that? First, you have a reasonableness standard. I think my point is that the default should be that there should be notice. The general rule should be the notice and you have to justify when and why there will not be a notice. What is also important here as we talk about costs is look at the costs we have identified already just from the lax security procedures, what the credit bureaus had to spend to give people this rush of access to their credit reports, to the notice that TriWest had to do to notify a million people. Please don't forget the cost to the individuals that then have to spend time and emotional energy working on that. These are very costly matters if we don't get them right.
 Page 64       PREV PAGE       TOP OF DOC
    Mr. BACHUS. If you all would like to respond. Do you have any comment on that?
    Mr. PRATT. Well, in terms of the broader discussion, we agree that, first of all, not every security breach ends up in large scale, for example, identity theft. Doesn't mean that some don't. An example is in California 200,000 state employees' records were ostensibly or allegedly stolen. Our member companies cooperated with that breach as well. So there are 200,000, there is 562,000 and the risk potentially of 10 million over here. So you can see where the concern rests.
    We have tracked the 200,000 out of California and have not had a single incidence of identity theft related to that. Now does that mean we should do nothing? Of course not. But there is a lot of qualification that has to be gone through and deliberative process that we have to work our way through to make sure we are doing the right decision at the right time. In all of this obviously our members believe that if we have had our information breached it is a responsibility we have to take seriously, not just under fair credit but it is the right steps at the right time for the consumer, and, no differently than any other industry represented here at the table, we are going to take the right steps for the consumer.
    Mr. BACHUS. I think you are in the better position in most cases than people who don't have all the facts.
    Mr. Brady, would you like to respond?
    Mr. BRADY. I guess I would like to respond specifically to DPI and how it relates to this, because I think what you have to understand in the DPI case is that there has not been fraud on those accounts. And we notified the issuing banks promptly of the issue and the issuing banks in turn may notify their cardholders; in some cases they notified their cardholders. But the message I want to send here is one of let's not create panic here. You will read the headlines that something bad happened but the by-line on page 6 is that something good happened. And yes, something bad happened at DPI. But the message is that a lot of good things happen. There are a lot of people behind the scenes protecting the integrity of the process.
 Page 65       PREV PAGE       TOP OF DOC
    Mr. BACHUS. I think by talking about them to a certain extent allows people to—you know, Mr. McIntyre was telling me that happened to him, actually happened. There was a bank that had something very similar. Had he had notice of that, he probably could have avoided this entire incident. So I believe by highlighting this and taking steps that we are already preventing a lot of that and some of the proposals on the table.
    Mr. MITNICK. I have to ask a question of why would these companies not encrypt the credit card and financial information that is in their databases. Because if the bad guys are able to break into these systems the information is unintelligible. So maybe that is a standard that should be considered in the industry.
    Mr. BACHUS. Certainly if that happens notifying people would actually—I think that would be a downside. That would be something you wouldn't want to do.
    Chairwoman KELLY. Mr. Mitnick, what would that cost?
    Mr. MITNICK. What would the notification cost or the encryption? Well, there are different cost factors. If you encrypt stored information it is relatively inexpensive. If you are encrypting data in real time it is expensive. The actual dollars and cents I don't have at my fingertips at the moment.
    Mr. PRATT. I can attest to that. We operate as an association information exchange at financial institutions. When we have to hire three different terms to management in description process and testing on a monthly basis for penetration, it is staff, it is outside resources, it is internalized resources, it is software programs. I think Mr. McIntyre said it just right in every 6 months you have to change everything because you have to ramp up to a whole new standard because the criminals are moving almost with you and keeping pace in a lot of cases.
    Mr. MITNICK. Not necessarily with the encryption as long as you are using an algorithm that has been widely accepted and you are changing keys on a frequent basis. So that is my comment for now. I had something, but it slipped my mind, that I was going to say.
 Page 66       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Mr. Shadegg.
    Mr. SHADEGG. Thank you. Let me begin, Mr. McIntyre, with you. Your testimony doesn't go into great detail about the break-in. I think it might be helpful if we heard a little bit more about how it was accomplished, how you discovered it.
    Mr. MCINTYRE. Yes, sir. I will be as detailed as I can be given the fact that it is still under Federal investigation with the FBI, the Defense Criminal Investigative Service, and a number of other entities, and hopefully they will crack it soon. But we suffered a theft following another theft, and what happened on this particular Saturday at a building where we have no signage on the doors on the building that we are there is that someone broke into the property management office for that site and stole the master electronic key in order to enter our suite. Totally undetected. Many of the offices around here have those proxy cards. It allows you to know who is going in and who is going out, what time they go in, what time they go out, and their identity. And so it was a fairly sophisticated job. Was it an insider job? We don't know. The authorities don't know. They visited with 150 different people. They polygraphed a lot of folks. They have caught other people who have been engaged in other similar crimes, but not ours in the process of this investigation. And we have a very serious problem in Arizona as it relates to this issue, as you well know.
    Mr. SHADEGG. It has already been brought out in your initial testimony and questioning that you were required to maintain Social Security number information for these customers.
    Mr. MCINTYRE. Correct.
    Mr. SHADEGG. It seems to me and, as you know, I have put a lot of time into the health care industry, are we disadvantaged, are we doing ourselves a disservice to require a single number like that and to have—and to, for example, require you to use it? I take it you use the Social Security number because of a DOD reg and DOD is using Social Security numbers by choice, presumably not by statute?
 Page 67       PREV PAGE       TOP OF DOC
    Mr. MCINTYRE. Forty years ago they used to use an ID number and they switched to Social Security numbers. I am not an expert in why they switched and what the complications were that led to that. Probably somewhat trying to remember what all your different numbers are because I can't remember my pin number if I have been up all night. So there are different issues that would lead one to do that. My Blue Cross/Blue Shield card that I carry in my wallet has my Social Security number on it. So this is something that we all—I think you all need to take a look at. Where is that really necessary and what are the complications if you are going to move away from that? We are required to use them in our current contract.
    Mr. SHADEGG. To that point I would like to ask any member of the panel that wants to make a comment. Do you think numbers should be further restricted, the use of Social Security numbers, and should the DOD be using a different number than their Social Security? When I was on active duty in the military they used four digits of my Social Security number and it seems to me it is too broadly used. Anybody have a comment?
    Mr. HENDRICKS. I would like to comment on that because I think, yes, pending a study of the costs, the actual real costs, they won't be hard to calculate, I think we should basically place a moratorium on further use of Social Security numbers. It is already required by banks and employers and we have passed laws and we have this. But it is such an instrument of choice by identity thieves and it increases the value of information and the incentive for stealing it. So I think that we should look toward having—especially in the health care field it is very problematic that the Social Security number is used.
    The last thing you should remember is you didn't have time to fit the most recent case onto your agenda. That is the University of Texas, who got hit by an outside hacker. He was hitting their system with random Social Security numbers and once he found one it would suck it out of the system and was able to get thousands and thousands of Social Security numbers through this program. The University of Texas official said this was a mistake. We should not have used the Social Security number. We are changing. So I think we should do this more systematically instead of lost and found, by trial and error.
 Page 68       PREV PAGE       TOP OF DOC
    Mr. SHADEGG. You said pending a study of cost. It looks to me there are costs everywhere here. We will have cost to notify everybody. Mr. McIntyre recommended that there should be an obligation to notify everybody. I think that ought to be universally true. But that is expensive. Mr. Mitnick commented about encryption and then we discovered you can encrypt stored data but not current data. It is the current data that is at least viable. So it seems to me we are going to face costs to secure these systems no matter what. Go ahead.
    Mr. PRATT. I thought I would set this into context a little bit. We do have a difficult time in our society today with 40 million consumers moving every year, 3 million last names change due to marriage and divorce, about 6 million or 7 million second homes in this country with a lot of folks who move in between those two homes. There is a lot of flux in the ways we think about identifying ourselves. When you and I think about ourselves and we look at our own mail coming in the door, we go I know who I am and I know what my information is. For a database like a consumer credit reporting database which must have reasonable procedures to assure maximum possible accuracy of the information in the file, that is what the Fair Credit Reporting Act tells us, it would be very hard for to us build an accurate database if we did not have the Social Security number at least for those internal accuracy purposes.
    I think one of the issues that we haven't framed the question quite this way is access by the general public to Social Security numbers different than the use of the Social Security number in certain matching processes internalized, which allows us to build more accurate databases.
    Mr. SHADEGG. Mr. Mitnick.
    Mr. MITNICK. It is fine to use a Social Security number, but not to authenticate the person's identity. I think that is where the mistake is being made. I know it is a very expensive proposition, but the problem is people's Social Security numbers are readily available. There is—for example, the U.S. courts have PACER, public access court electronic records, and anybody that has had a bankruptcy, anyone could subscribe to the service and look at the party's Social Security numbers. They are there for anybody's viewing. Social Security numbers are easily obtainable and to use them as a means of identification I think is a mistake.
 Page 69       PREV PAGE       TOP OF DOC
    Mr. SHADEGG. Speaking of the government's complicity in this, Mr. McIntyre, isn't one of the cases that you have in this summary the result of the United States Senate publishing Social Security numbers?
    Mr. MCINTYRE. Yes, sir. I learned from a number of our Nation's distinguished general officers that they received training when they become a general officer on identity theft, and they receive that because there was a practice up until the late 1990s when on their confirmation in the Congressional Record their Social Security number and name was printed. Someone went out, published that on the Internet, it was taken, they ordered credit and abused the credit of those general officers. The striking thing to me was that criminal got only 2 years and 9 months for that crime. And it takes longer for those people to clean up their credit records than it did for the penalty that the criminal got.
    Mr. MITNICK. One other case, I believe it was a New York busboy had obtained the personal identifying information of celebrities that were like the top 100 and started obtaining their identity credentials and applying for credit. That was a huge case out of New York that you might not be aware of.
    Mr. PRATT. If I could add one point, I have heard Mr. McIntyre say several times it takes longer for people to clear up their credit history than it does for the perpetrator to remain in jail. I appreciate his enthusiasm for quoting some of the consumer groups in terms of that statistic. We are processing consumers every day successfully through consumer dispute processes. We recently looked at 5,000 credit reports where security alerts have been added to see if additional activity occurred in those files. In one-half of 1 percent of the cases was there ever even a subsequent dispute relative to that set of 5,000 cases where we had added security alerts to the files.
    I have to resist the characterization of our entire industry of being slipshod and unable to keep information out of the file and unable to be responsive. What is happening, and this is why in our initiatives that you will see in our testimony, it is a longitudinal crime. It isn't like burglary. It is over a period of time. So in some cases we are able to correct the initial information in the file but there is still crime occurring or there is still more bad information on its way to the credit bureau file.
 Page 70       PREV PAGE       TOP OF DOC
    So understandably from the consumer's perspective, that is all the same thing to me. But from our perspective we are wrestling with trying to keep the right information in the file for safety and soundness purposes, which is of course important to this committee, and at the same time to keep the fraudulent information out of the file, which is something that we believe is a top priority job, one for us just as it would be for anybody else.
    Mr. SHADEGG. In defense of Mr. McIntyre and those consumer groups, I can tell you that my constituents who brought the first legislation to me they spent far longer than 2 years and 9 months trying to clean their record up, indeed probably four or five times that length of time.
    I guess the problem I have is the reality that both summaries are wrong and really the real problem is how long it takes to apprehend them, because in most cases they are not apprehended at all.
    Before the earlier act passed the response of law enforcement—and I know this is not your responsibility—the response of law enforcement was to say this isn't a crime. They may have stolen your identity but until they use the credit and you can show me the credit then I have a credit card fraud case. And, by the way, I am only interested in that credit fraud case if you live here and the credit card was used here. If the credit card was used in Pennsylvania and you live in Phoenix, Arizona, I don't care. So we have a serious problem we have to address here.
    I want to conclude by asking Mr. McIntyre if you would describe how the fraud alert security mechanism works and what changes or improvements would you suggest making to it?
    Mr. MCINTYRE. I am very grateful to the credit bureau industry for what they have done. I am sorry that my remarks were misinterpreted, because I actually think that the Federal laws need to be enhanced and the penalties. I think the bureaus have done a good job of helping protect consumers wherein they have been notified and they are aware they can get that protection.
 Page 71       PREV PAGE       TOP OF DOC
    What I was advised to do was to contact the consumers, let them know this had happened. Because the most effective thing you can do when this occurs and you have information in the public domain that could potentially be used to create credit and misuse it is to put a fraud flag on your file. What that does is it notifies those that may be interested in granting you credit or may be contacted to grant you credit that they need to verify you are who you say you are so your identity isn't misused and you end up with a subsequent problem. That is why we took that action. We were advised by the bureaus and the FTC that was the best thing to do in this case.
    What I have discovered, together with the bureaus, is that we do need a process by which corporations that are willing to do this on behalf of their customers can do it. It helps the bureaus reduce cost and it helps the customer reduce the hassle, because it was on average taking 3 hours for people to go through this process just because of the sheer weight of the volume that had been put onto the back of the credit bureaus.
    The second thing I discovered is that in order to keep people protected I now have to notify people every 90 days that they have to go out and update their fraud flag because each of the credit bureaus is on a different cycle. One of the credit bureaus requires an update every 90 days. One of the credits bureaus requires an update every 6 months. One of the credit bureaus requires an update everybody 12 months. I think it would be helpful for them and for us and for the customers to have that in alignment.
    The issue I face now is when I update people in the next 4 weeks that unless the crime has been solved, and I will update them about that, but their information is potentially still at risk. Guess what, some of my customers are now deployed. Their fraud flags could drop if I don't make sure and the credit bureaus together with me don't make sure that stuff stays. So we are talking to the credit bureaus now and we are going to talk to the Defense Department and the lawyers to figure out how do we get around that problem.
 Page 72       PREV PAGE       TOP OF DOC
    Mr. PRATT. In fact, every one of those consumers when they contacted the credit bureau can add a 7-year alert to their file. So that once you contact the bureau what we are talking about is two different things. The temporary alert is added by the credit bureau without a question. In other words, the consumer said I want you to believe me at least to a certain extent, I don't have to go through a bureaucracy just to get a fraud flag on the file. The key here is once the consumer receives his or her file disclosure and goes over the report at that time a 7-year alert can be added to the file and our member companies are consistent across the board in adding 7-year alerts. So I think there is a difference in practice, or at least we need to clarify the practice here.
    Mr. MCINTYRE. I would suggest in cases where the crime may actually be solved because there is lots of focus of law enforcement on it that the hassle of having a long-term alert may not necessarily be the right action. But I am not an expert in this area.
    Mr. PRATT. Of course after a consumer discovers that he or she is safe we will voluntarily remove that alert any time during the 7-ear period.
    Mr. SHADEGG. I know I have more questions, but my time has long since expired. I will yield back. If there is a second round, I will take advantage of it.
    Chairwoman KELLY. Mr. Renzi.
    Mr. RENZI. Thank you, Madam Chair. Appreciate your testimony and traveling all the way out here, especially from Arizona, and sharing with us the sophistication behind the theft operation and particularly that struck TriWest. Many of you know, particularly my friend from Arizona, I am the father of 12 children, 7 boys and 5 girls. I am particularly concerned about the niche as it relates to how we take care of the children's identity that has been stolen. If the identity of the parents had been stolen, name, address, phone numbers, everything, then obviously also the child's address. We go back to the days of those spy movies where they would take identity theft out of the obituaries. We now move forward into electronic theft, full and complete information provided not just on adults but on children. You can imagine a child of 5 or 6, 7 years old having their identity stolen from them and then yet no flags go up until they are about 18 years old, 16 years old and all of a sudden for the last 10 years their identity has been stolen, their identity has been used.
 Page 73       PREV PAGE       TOP OF DOC
    So I would ask what kind of remedies, and I know there is some talk in this area, what kind of remedies are you looking at, what kind of means are we putting together to help protect our children?
    Mr. MCINTYRE. I can't respond to that part of the question, but what I can tell you is we did many responses to that issue. We looked at that. We were concerned about that issue. I have three young kids, so it is the question of what impact is this going to have on them. The fact of the matter is that in our case all of the information, the breadth of it, on the people over 18 was not also on the database for the people under 18. In some cases it was just their name. In other cases there wasn't any information because they were—the primary sponsor was the one who was actually on the database.
    What we did was we talked to the FTC, we talked to the credit bureaus, we talked to others who were experts in the industry what do you do, how do you deal with this issue? What we did was set up a database. The database can be reviewed by the primary sponsor to determine what information was on the stolen hard drives to determine what secondary impact it may have on them or their families and then to advise them of the risks if you add a fraud flag for kids under 18 who have no credit record, and then how you would go about doing that so that they could make an informed decision on their own, and then we have offered to assist them in that way.
    Mr. HENDRICKS. I would like to respond to that because I am working with some folks on a case right now where a young man from Alabama was mixed up with an older person from Arizona actually. Just an old-fashioned mixed file case based on a similarity in Social Security numbers. They weren't the same but because the algorithms, if they are just one or two digits different they will merge the files. What is troubling in the case is the young man from Alabama is basically being assigned unpaid debts from when he was like 12, 13 and 14 years old. So you would think the system would identify that at his age he wouldn't have been able to incur those debts. But they don't seem to have a system in place. He has had a terrible time getting his files unmixed. His mother has gotten involved. So when he became of age and his rite of passage, when he got to apply for credit he was rejected. So there are some very old-fashioned problems in this system.
 Page 74       PREV PAGE       TOP OF DOC
    Mr. MITNICK. In certain States like California, Texas and Kentucky birth records are public record. You can go onto the Internet and look up anyone's birth record which gives criminals the ability to apply for that person's birth record because all they need to do is send a letter to the Department of Vital Statistics, give them the information on the birth certificate, they get a certified copy of the birth certificate back, and they become that child. They can get extensions of credit set up and the account at the credit bureau. So that is a problem that certain States have, birth records in the public domain.
    Mr. RENZI. Thank you. One of the things I know that is being kicked around as a remedy is the idea—Mr. McIntyre, I appreciate you mentioning it—is that those children who have had their identities stolen from them would have an alert or flag put on their credit. So that if anyone was checking their credit, if anyone was using their credit, even when that credit was being checked it would warn the person checking the credit that, hey, this is a stolen identity. Let's say a child goes through 10 years of that and then all of a sudden it is time for them to use their credit. What I worry about on the alert system is how do you then take it off? What detail is provided to show that child was innocent. So as we look at remedies we also not only impose the remedy to protect the child but then the release in order to have the child given back.
    Mr. McIntyre.
    Mr. MCINTYRE. That is exactly why I felt uncomfortable making the decision to advise people on what they ought to do and that it made more sense to lay out the facts so that every parent who might otherwise have someone on that list could look at the information that was there and make an informed decision on their own, and each parent needs to do that.
    Mr. HENDRICKS. I agree this fraud alert is kind of a sledgehammer. It is sort of all or nothing. And I think what is common if have you a problem, you say we don't want my information used for pre-screened offers, too. So you wipe yourself from all those. Obviously we need a finer tuned system so you can really sort of go in with the scalpel and fix problems. But that is what we have now. To me that is why it is very important to have instant access to your credit report so you can see what is on it and what activity has there been on it. That is the best way you can keep it accurate.
 Page 75       PREV PAGE       TOP OF DOC
    Mr. MITNICK. How about developing a partnership with the Social Security Administration so these companies could determine the age of the person requesting the extension of credit, verify that the name really did match the Social Security number, because it would be kind of strange for a 16-year-old to be applying for a MasterCard.
    Mr. RENZI. Well said. Creative idea. I serve on the Veterans' Affairs Committee. At this point in our Nation's history we have got women with children, men with children in America who are being kicked out of their homes because the checks, their military pay doesn't get home in time. And we are looking at legislation that is going to protect our veterans and servicemen and women so that you can't move them out of their dwellings, you can't take away their cars if they are late on a payment. I am thinking how this might tie in this piece of legislation that we are working on in that if a serviceman or woman was to have their identity stolen, and since we are barely paying them enough anyway, the cost for them to get their identification back is going to be enormous. And that cost or that loss of revenues could then impact their ability to house their family, to provide decent transportation.
    Is there an ability or would you be in agreement, particularly Mr. McIntyre given the fact that you helped the TRICARE portion and how it affects our servicemen and women, would there be an ability to protect our servicemen and women as it relates to identity theft?
    Mr. MCINTYRE. I would be more than willing to look at that with you. You have described exactly why I have no qualms nor does my board to spent the kind of money and effort that we have had to spend. The thing that concerned me greatly about the case that involves us and the theft that was perpetrated against us and the information involved is because we are talking about people who serve all of us who do not make a lot of money and a blight on their credit report can be the difference between having a car, renting an apartment or buying a house. And so we felt an absolute obligation to do what we did. But I would be glad to work with you, sir, in that area.
 Page 76       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Thank you very much. We have just been called for another vote. In the interest of time I am going to call on Mr. Moore and I am going to call on Mr. Fossella. I would like everybody to keep their questions and answers within the 5-minute period, please.
    Mr. MOORE. Thank you, Madam Chairman. I wanted to just ask you a couple of questions, Mr. McIntyre. We have talked before and I appreciate the actions that your company has taken since the theft, the burglary and the theft to try
to—and your personal call to the people but I wanted to ask, obviously I think it is in everybody's best interest that not only do we punish somebody who has committed a crime like this but we try to prevent it in the future and that is the best way to protect people, I think. I was concerned in reading some of the materials, I think in your State, that I think it was 2 days after the incident until you even learned that there had been a theft.
    What kind of security precautions did you have or security systems did you have in place on the day of the incident? And apparently they failed.
    Mr. MCINTYRE. I have been asked by authorities not to address all the details of the security systems and the like because they are still attempting to catch who did it, and FBI agents have interviewed over 150 folks and polygraphed a number in this area. What I can tell you is that we were the subject of a secondary theft. Whoever was responsible for this broke into the property management office, the place where we had this secondary office. They then stole the electronic master key which allows you to get into a locked door undetected, although it would read as though you were the property manager, and enter our suite. And that is how the theft occurred. Thus we weren't aware—it happened on a Saturday. We didn't learn about it until first thing Monday morning when our folks when in to turn on the computer and found out that the computer system did not work.
    Mr. MOORE. Obviously there are video monitor systems and security systems and other precautions that can be taken to notify somebody if there has been an entry even if it appears to be an authorized entry, because at some point they had to steel the electronic key, isn't that correct?
 Page 77       PREV PAGE       TOP OF DOC
    Mr. MCINTYRE. Correct.
    Mr. MOORE. From your materials in your statement it appears that you have and I hope that you are taking substantial strides in trying to correct the system so something like that doesn't happen again. If there is an unauthorized entry, you or somebody would be notified immediately.
    Mr. MCINTYRE. I will tell you that we have brought in security experts, we have partnered with the Department of Defense. They are now looking at their entire system worldwide. They found deficiencies in their areas. But you know what is interesting to me about this is that in Arizona 6 months prior to the theft in our building, five financial institutions were hit with a very similar crime. A bank in Tucson was hit 6 months prior after hours. Penetrated all the security systems, got through, stole the hard drives, left the bank with that information. And so this is something that unfortunately, given the rise of the prevalence of information and the like, that we have a real serious problem with in this country. That is why I think when it does happen, even if they are able to get beyond the safeguards, that is when we have to look at where are the responsibilities for notification.
    Mr. MOORE. Absolutely. How long after the incident was it that you notified the Department of Defense?
    Mr. MCINTYRE. I notified the Department of Defense immediately when I discovered there was a problem. They then ran the database and we contacted the senior management in the Department of Defense, not the operations people who we had contacted the first day that we discovered it. We contacted them once we had the database fully run and knew what the extent of the problem was.
    Mr. MOORE. Thank you. I will conclude by saying when these large databases exist and if in fact hard drives are stolen, not just data or information from a computer system but hard drives and there has to be a physical entry and I hope that you have told me and I trust what you have said that your company is looking at this very seriously and making sure this doesn't happen in the future. I think financial institutions, anybody else who has databases like this needs to take similar precautions.
 Page 78       PREV PAGE       TOP OF DOC
    Chairwoman KELLY. Mr. Fossella.
    Mr. FOSSELLA. Thank you. I will just throw out two questions and the second is sort of two parts and allow you to answer in light of the time here.
    First, Mr. Brady, in light of your efforts at MasterCard I am sure you are doing what you think is providing the highest level of security on the network. In your mind—if it has been asked before I apologize—in your opinion what would be the best thing that could be done to provide incentives perhaps for other companies to do as you are doing and in providing the highest level of security? And secondly, I will throw this out to all of you. If you can answer me, great.
    Earlier the Secret Service testified and argued, it seems, for a better working relationship or continued working relationship among different agencies and academic institutions to prevent what has been alluded to a number of times here. In your experiences how have those relationships been working and what, if any, ways can those be improved? And the second part of that question is the cost of prosecution and whether local or State or Federal prosecutors are doing what they can given the resources they have.
    I will give you an example. It has been argued that perhaps a local district attorney, given the nature of this type of crime, will say, hey, I have a limited budget here; in my view, the cost of following through on prosecution to indict with a conviction is going to cost me X amount of dollars, which could be, you know, such a disproportionate share of my budget that I don't have those resources to follow through. So are there any ways to, A, if in your experience that is true, and, B, if so, are there any ways in which those situations could be addressed in order to prosecute those crimes as efficiently and as swiftly as possible?
    Mr. BRADY. Yes. I would like briefly to talk on your point of security. MasterCard, without getting into too much data on our security network, has a very robust network. We do outside penetration testing on networks to ensure they are secure and they are. One of the things that I really want today to bring out here, and I alluded to it before, was there is no need for hysteria because MasterCard is vigilant behind the scenes. When there is a compromise and the DPI hack is one of those examples, We notify the issuers, we follow the protocol, we not only follow the protocol of MasterCard and working with law enforcement, but the entity that was breached follows the MasterCard protocol in place, the timely notification to us and also the timely notification to law enforcement. We have sufficient penalties in place so that if that didn't happen that they could be fined on a per day basis, a draconian amount of money.
 Page 79       PREV PAGE       TOP OF DOC
    So I think the law enforcement gentleman brought up that these companies are coming forward, and part of that is because there are effective rules in place to bring them forward when something does happen. And the good news again with the DPI hack is we are not seeing general fraud. But everybody is being vigilant, looking at the account numbers, and monitoring the account numbers on a daily basis.
    And MasterCard has a wide array of fraud controls in place, I know we are short on time, but we have controls in place for auditing merchants, controlling fraud, and we have penalties and policies in place for the bad actors that are in the system.
    So your second point was on law enforcement and our relationships, and from where I sit we greatly value those relationships. The gentleman from the Secret Service that were here from this morning, the electronic crimes task forces that have been put together over the past several years, the effort is tremendous and it really fits a need out there. And I would just like to say that one thing that was brought up this morning about these hacks and what we find out from the hacks is that there is little fraud on the hacks. When you see account numbers that are being hacked we track it. There is little fraud on it. And you know what it is? A lot of them that are out there that are joy riding, that are stealing numbers, that are causing harm. And the question is what do we and the prosecutors that are out there, do with them not only in the Federal level but the State levels. I will wrap up. Sorry. And I think tougher penalties are important here because even though there is not fraud there is a lot of costs when these things happen.
    Chairwoman KELLY. Thank you very much. The Chair notes that some members may have additional questions for the panel. They may wish to submit those in writing. Without objection, the hearing record will remain open for 30 days for members to submit written questions to the witnesses.
    The second panel is excused with the committee's great appreciation for your time. Thank you. I want to thank all the members and staff for their assistance in making the hearing possible.
 Page 80       PREV PAGE       TOP OF DOC
    This hearing is adjourned.
    [Whereupon, at 1:25 p.m., the joint subcommittee was adjourned.]