FIGHTING FRAUD: IMPROVING
INFORMATION SECURITY

Thursday, April 3, 2003
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Joint with the Subcommittee on
Oversight and Investigations,
Committee on Financial Services,
Washington, D.C.

    The subcommittee met, pursuant to call, at 10:07 a.m., in Room 2128, Rayburn House Office Building, Hon. Sue W. Kelly [chairwoman of the Subcommittee on Oversight and Investigations] presiding.
    Present: Representatives Bachus, Kelly, Shadegg, Fossella, Capito, Tiberi, Feeney, Hensarling, Murphy, Barrett, Renzi, Maloney, Gutierrez, Hooley, Carson, Sherman, Inslee, Moore, Ford, Lucas of Kentucky, McCarthy, and Matheson.
    Chairwoman KELLY. The Committee on Oversight is pleased to be able to have this hearing today.
    Personal information has to be safeguarded throughout our national credit system. Just as consumers shred their unwanted mail and take care with their receipts, financial institutions have to develop and upgrade their information security procedures to protect consumers. Financial records such as credit card numbers are combined with other pieces of personal information, and they are the first targets of identity thieves. Years of work are often necessary for both consumer and business victims to correct damaged credit histories and restore access to credit.
    Today two subcommittees will hear from the witnesses on three specific case studies to review current industry practices and to ensure that proper security procedures and protocols are in place or are being implemented.
    Teledata Communications is a company in my home State of New York that enables businesses to access credit bureau information so they can grant credit to consumers. An employee inside the company allegedly stole and sold passwords and codes for accessing credit reports for thousands of people. According to law enforcement, his actions resulted in millions of dollars of financial theft.
    TriWest Healthcare, an important health care provider for our active duty military personnel, honored veterans and their dependents, suffered the physical theft of its computer hardware. The equipment stored personal information about many of our heroes now involved in the war to liberate Iraq, including the Chairman of the Joint Chiefs of Staff, General Richard Myers. Fortunately, quick action by the company and the credit bureaus appears thus far to have prevented misuse of the information.
    Another company, Data Processing International, in Nebraska saw its database of millions of credit card numbers hacked from the outside. It again appears that rapid action this time by the company and the credit card companies have prevented improper use of the numbers to date.
    Through the examination of these cases the subcommittee will review how credit issuers, third party vendors that process transaction, credit bureaus and law enforcement agencies coordinate efforts to limit harm to consumers when data security is breached. Among our witnesses are officials of the law enforcement and regulatory agencies involved with these and other such cases, representatives of the companies involved, one of the most notorious computer hackers in the world, who is now a consultant, I am happy to report, and an expert in privacy.
    I want to thank my distinguished colleague, Representative Spencer Bachus, the chairman of the Subcommittee on Financial Institutions and Consumer Credit, for joining us in holding this important hearing of our subcommittees. I also want to congratulate him for his leadership in the bipartisan passage of H.R. 522, the Federal Deposit Insurance Reform Act of 2003, by the full House yesterday.
    With that, I turn to Mr. Gutierrez.

    [The prepared statement of Hon. Sue W. Kelly can be found on page 56 in the appendix.]

    Mr. GUTIERREZ. Good morning, Chairs Kelly and Bachus, and members of the committee. Today more than ever identity theft takes myriad forms. Modern thieves are using massive digitized databases to access and steal consumers' personal information. As too many people are learning the hard way, identity thieves steal Social Security, bank account, and credit card numbers and use them to commit fraud, very often destroying the credit rating and financial future of their victims. Every year thousands of these victims are left financially ruined, often with severe credit problems and even false criminal records that they must spend years working to erase. Even in minor cases victims spend endless hours.
    So we are gathered here today to discuss ways to help consumers by increasing the security of data that contains our personal information and to understand some of the possible loopholes that have enabled these cases to occur in the first place, to hear about data security efforts undertaken by the companies that hold our private information, and look for ways to help consumers have quick and better access to their personal records when identity theft incidents occur. One of the most fundamental problems is consumers are often left out of the loop after their information has been stolen and this is unacceptable.
    In one of the cases that will be discussed today a former employee of Teledata is being charged with the biggest identity theft fraud in U.S. history. One of the most outrageous aspects of this specific case is that in March of 2000 the alleged perpetrator quit his job, but that didn't even slow down his scheme. He only worked there for 10 months but the scam continued for 3 years. The company security codes he allegedly stole still worked and were accessible right up to the moment of his arrest. In the meantime 30,000 people had their identities stolen and financial losses reached more than $2.7 million.
    How could personal data be so easily accessible? What kinds of safeguards do companies have in place to deter these practices? I hope that this hearing will serve as an opportunity to answer these questions and others. I thank you for holding the hearing, and I look forward to the testimony, and I ask unanimous consent that my complete opening statement be submitted for the records.
    Chairwoman KELLY. Thank you very much, Mr. Gutierrez. Mr. Bachus.
    Mr. BACHUS. Thank you, Chairman Kelly, for telling me my mike wasn't on, that is very important, and also for convening this joint hearing of our two subcommittees to review issues relating to the security of personal information. This is an issue of critical importance to the financial service industry and I believe this hearing is a timely one, and it is actually one of a series of hearings that Chairwoman Kelly has been holding over the past year or two on this issue.
    This hearing, which is titled "Fighting Fraud: Improving Information Security," is one of many hearings that will be held by the Subcommittee on Financial Institutions and Consumer Credit regarding the security of personal information. I expect that at some point our efforts will culminate in comprehensive legislation addressing the broad issue of how secure consumers feel with respect to their personal information.
    Today's hearing will focus on three cases where sensitive personal information was compromised through hacking or physical theft of computer databases. Each case that we will hear about today is illustrative of a different type of security breach: An outside computer hacker, employee misconduct, and a garden variety burglary. Using these cases, we will review how credit issuers, third party vendors that process transactions, credit bureaus, and law enforcement coordinate efforts to limit harm to consumers when data security is breached.
    Fighting fraud and protecting the security of personal information is a topic that unites financial institutions and consumers. Each group is harmed by the fraudulent use of personal information. Financial institutions are the victims of fraud because the financial institution is usually liable for any losses suffered as a result of that fraud. Consumers obviously suffer unnecessary inconvenience and insecurity as a result of fraud and they can be exposed to additional crimes such as identity theft. Furthermore, at least a portion of financial institutions' fraud losses can be expected to be passed on to consumers in the form of higher prices. There can be no doubt that when fraud is committed everyone loses.
    For obvious reasons financial institutions take precautions to prevent fraud, including precautions to protect the security of personal information. In addition to the self-interest financial institutions have in minimizing their fraud losses, Congress has required financial institutions to maintain appropriate standards relating to information security, including standards to protect against unauthorized access to a financial institution's customer records as part of the Gramm-Leach-Bliley Act. The requirements as adopted by the Federal banking agencies also require financial institutions to oversee their relationship with third party service providers, including having the service providers agree by contract to implement a comparable information security program. It is my understanding that the Federal banking agencies have been examining financial institutions with respect to their compliance with these requirements.
    However, I remain interested in learning more about the role service providers play with respect to information practices and the ability to maintain appropriate information security programs. It is my understanding that the Bank Service Company Act gives the bank regulators broad authority to examine third party providers. Two of the cases today illustrate that greater oversight of these entities may be necessary.
    As part of Gramm-Leach-Bliley, Congress also enacted stiff prohibitions against a practice known as pretext calling, which is a fraudulent means of obtaining an individual's personal information. Pretext callers contact a financial institution's employees and attempt to obtain customer information usually while posing as a customer whose information they are trying to collect. This is a serious issue and one that both Subcommittees—actually the Oversight Committee has held several hearings previously. I am interested in learning more about efforts to enforce this prohibition and the Federal Trade Commission's advice on the amount of resources devoted to fighting this fraudulent practice.
    We will also hear this morning from Federal law enforcement agencies about their approach to countering those who would compromise the security of personal information. It has always been my experience that law enforcement and the financial services industry works well together with respect to pursuing those who attempt to commit crimes against consumers and financial institutions. I look forward to hearing about law enforcement's perspective on this important topic, especially with respect to representatives from the FBI, Secret Service and FTC.
    In short, financial institutions, Congress, the banking agencies, and law enforcement have been working to address information security and fraud prevention issues. Regardless of the great pains taken by all these parties to protect the security of personal information, the chance remains that a breach may occur. Therefore, Congress must remain vigilant to ensure that existing regulations are implemented appropriately and examine whether new safeguards are necessary. Furthermore, it is just as important for financial institutions to have mitigation plans in place in the event that their information security program is hacked or otherwise compromised.
    In conclusion, let me say I am pleased that we will hear from several witnesses today who will describe how various parties took action to address recent breaches and prevent subsequent fraud. Before we proceed I believe it is important to mention to the entire panel that although this hearing is a public forum, we should avoid discussing specific details which may give criminals ideas or even a road map for doing further harm.
    Let me close by thanking Chairman Oxley for recognizing the importance of improving the security of personal information and scheduling this hearing. We must continue to work to improve security and protect sensitive data to ensure the consumers continue to have confidence in our nationwide credit system as well as our financial services system in general. I look forward to working with the chairman, Mrs. Kelly, and other colleagues as we continue to examine this complicated issue.

    [The prepared statement of Hon. Spencer Bachus can be found on page 54 in the appendix.]

    Chairwoman KELLY. Thank you. Mrs. McCarthy, do you have an opening statement?
    Mrs. MCCARTHY. Thank you. I will wait for the testimony.
    Chairwoman KELLY. Mr. Moore.
    Mr. MOORE. Thank you, Madam Chair and Congressman Bachus. I appreciate both of you convening this hearing. I appreciate the witnesses being present. I want to reiterate, I won't say it all, what Congressman Bachus and Congresswoman Kelly said before, and that is this is a very important area. As a district attorney for 12 years I worked closely with people in fraud cases and a lot of the things—this was back in the 1970s and 1980s, so a lot of the things we are talking about here today weren't relevant then, weren't even around then. As the Internet has expanded and accessibility of the Internet is used not only by individuals but by financial institutions and other organizations and private and important individual data is contained in databases, I think it is very, very important that we protect that information. I think individuals who have private important information stored in those databases have a right to expect that companies and institutions will take adequate measures to protect that information. Obviously, theft of that information, identity theft and theft of financial information about an individual can cause great harm to a person and to their family, and it ends up costing all the consumers I think a lot of extra money.
    So I am interested to hear what the witnesses have to say and very much appreciate you being here.
    Thank you.
    Chairwoman KELLY. Thank you very much.
    Mr. Shadegg.
    Mr. SHADEGG. Thank you, Chairwoman Kelly. I want to begin by thanking you and Chairman Bachus for holding this important hearing on information security. I also want to begin by thanking one of my constituents, David McIntyre, president and CEO of TriWest Healthcare Alliance, for agreeing to be here and testify today.
    My personal interest in identity theft and information security began about 5 years ago when two of my constituents, Bob and Joanne Hartle of Phoenix, Arizona, were victims of identity theft. My constituents, following their victimization, were instrumental in securing the passage of the first State law in the Nation criminalizing identity theft. Mr. and Mrs. Hartle suffered the devastation of identity theft when a convicted felon took Mr. Hartle's identity and made purchases totaling over $100,000. In addition, this individual purchased handguns using Mr. Hartle's clean record to get around the Brady law. Finally and shockingly in this day of terrorism, this individual also used Mr. Hartle's clean record and military record to obtain security clearance to secure areas of Phoenix Sky Harbor International Airport. As a result of this victimization at a time when there were no State laws and no Federal laws penalizing identity theft, Mr. and Mrs. Hartle were forced to spend more than 4 years of their life and more than $15,000 of their own money seeking to restore their credit.
    Their case led me to introduce legislation to criminalize identity theft at the Federal level. The Identity Theft and Assumption Deterrence Act of 1998 was signed into law by President Clinton on October 30th, 1998. It gives for the first time Federal law enforcement agencies, including those who are represented before us here today, the authority to investigate and prosecute identity theft.
    But following the passage of that law, I found there was more that needed to be done. We began to notice that the Federal agencies with this new authority were unfamiliar with it and did not have a habit of coordinating with local law enforcement on these issues. So we began a series of meetings that lasted over a year in Phoenix, Arizona between Federal law enforcement agencies, including the FBI and others here today and State and local law enforcement agencies, to try to resolve the tough issues of who should act and what they should do in the interplay between Federal and State laws and in the interplay of these crimes where someone is victimized in one place but lives many States away, thousands of miles away.
    Mr. and Mrs. Hartle also turned their unfortunate circumstance into something very positive. They established a nonprofit organization to assist other victims of identity theft. Their Web site, www.idfraud.net, is available to provide guidance to any identity theft victims across the Nation, and they have devoted themselves to this task.
    Identity theft ranges from individual instances like the Hartles involving small or large amounts to large organized professional crime rings. In fact TriWest Healthcare Alliance may well have been the victim of a professional identity theft operation. Like the Hartles, Mr. McIntyre, my constituent, and his company took an unfortunate circumstance, a burglary of their computer in which data was stolen, and turned it into a positive model for other companies to follow.
    Following the break-in of their Phoenix office and the theft of computer hard drives containing their clients' sensitive personally identifiable information, Mr. McIntyre and TriWest Healthcare Alliance embarked upon an aggressive effort to notify all 562,000 affected customers of the theft. The stolen data included personally identifiable information such as Social Security numbers, birth dates and addresses for military personnel, one quarter of whom were on active duty at the time, retirees and family members, all of whom are served by TriWest under a contract with the Department of Defense.
    TriWest immediately reported the theft to the police, notified the Department of Defense officials and launched a 30-hour data run to determine what files were stolen. In addition, the company established a dedicated e-mail address and set up toll free telephone lines with a three-tier response network so that customers would not experience long delays in trying to find out information about the theft and about how it might affect them. TriWest mailed letters notifying victims of the theft and provided guidance on steps they could take to protect their credit. TriWest also posted a $100,000 reward for information leading to the conviction of those responsible for the theft.
    In all, TriWest undertook great efforts to notify victims of the theft at great financial expense to the company. But due to their extraordinary efforts to date no information from the stolen computer files has yet led to a single instance of identity theft.
    The nature of identity theft has changed and the threat is more likely than ever to come from breaches of data security, which is why I think this hearing is most appropriate. According to an identity fraud manager at the Federal Trade Commission, there is a shift by identity thieves from going after single individuals to going after mass information. Law enforcement experts now estimate that half of all cases come from thefts of business data banks as more and more information is stored in databases which are vulnerable to attack from hackers.
    The Identity Theft and Assumption Deterrence Act of 1998 was an important first step in the road to crack down on identity theft crimes. However, more legislation is needed to protect people from these thieves and from easily obtaining Social Security and credit card numbers, to provide better coordination between victims and credit reporting bureaus, to establish procedures for businesses to follow in the event of a data security breach like we will discuss today, and provide stiffer penalties for those who steal and use other persons' ID.
    I look forward to the testimony of the witnesses and help to identify areas in which a legislative response may be needed. I yield back.

    [The prepared statement of Hon. John B. Shadegg can be found on page 65 in the appendix.]

    Chairwoman KELLY. Ms. Hooley.
    Ms. HOOLEY. Thank you, Madam Chairwoman and Mr. Chairman. I appreciate the Chairs and ranking members of both subcommittees in putting together today's hearing and look forward to hearing more about our Nation's data protection. This is an important hearing and hopefully it will be the first of many hearings on the issue of identity theft. It is the fastest growing crime in the United States. I know through these and other hearings we will not only learn about the challenges in fighting identity theft, but also hear unique and effective suggestions on how we in Congress can better protect our consumers and financial institutions from this crime.
    I know I can speak for everyone on the Financial Services Subcommittee when I say we are here to listen with open minds and to put whatever work is necessary into solving this problem. This truly is a bipartisan issue, and in that regard I would like to thank Mr. LaTourette from Ohio for working so closely with me on legislation on identity theft that is nearly ready for induction. I would also like to thank Mr. Frank and all the members of the Democratic Task Force on Identity Theft for pledging to work together on this issue.
    In order to protect both consumers and industry, we all certainly have our work cut out for us. But if the cooperation and dedication of people like Mr. LaTourette and Mr. Frank and the members of both subcommittees are any indication, we on the Financial Services Committee are up to the challenge.
    Thank you again, and I look forward to today's proceedings and look forward to hearing from the panelists. Thank you.
    Chairwoman KELLY. Mr. Hensarling. Mrs. Maloney just left. Mr. Matheson. Mr. Barrett. Mr. Ford left. Mr. Lucas. Mr. Tiberi. Mr. Feeney.
    I will introduce our first panel: Mr. Tim Caddigan, the Special Agent in Charge of the Financial Crimes Division of the United States Secret Service, accompanied by Robert Weaver, Deputy Special Agent in Charge of the New York Field Office; James Farnan, Deputy Assistant Director of the Cyber Division in the FBI; and Mr. J. Howard Beales, III, Director of the Bureau of Consumer Protection in the Federal Trade Commission.
    We look forward to having you here today, and we look forward to your testimony. We will begin with you, Mr. Caddigan.

STATEMENT OF TIM CADDIGAN, SPECIAL AGENT IN CHARGE, FINANCIAL CRIMES DIVISION, UNITED STATES SECRET SERVICE, ACCOMPANIED BY ROBERT WEAVER, DEPUTY SPECIAL AGENT IN CHARGE, NEW YORK FIELD OFFICE

    Mr. CADDIGAN. Thank you. Chairman Bachus, Chairwoman Kelly, Congressman Sanders, Congressman Gutierrez and members of both subcommittees, thank you for inviting me to be part of this distinguished panel and the opportunity to address the committee regarding the Secret Service efforts to protect our Nation's financial and critical infrastructures. Let me also take the opportunity to thank Chairman Oxley, Congressman Frank and all the members of the full committee for their long-standing support of the Secret Service and the interest this committee has conveyed in our mission, our programs and our employees.
    With me today is Mr. Bob Weaver, Deputy Special Agent in Charge of the Secret Service's New York Field Office and head of the New York Electronic Crimes Task Force. I am also pleased to be here with my colleagues and partners in fighting identity crimes and related computer crimes from the Federal Trade Commission and the FBI.
    In my full statement for the record I provided an overview of the Secret Service's investigative mission and our historic responsibility for safeguarding our currency and financial infrastructure. The Secret Service has statutory jurisdiction to investigate a wide range of technology based crime, including credit and debit card fraud, identity theft, false identification fraud, counterfeit currency and checks, financial institution fraud and telecommunications fraud. These investigations are pursued through our 134 domestic offices with additional support from our 20 foreign offices.
    There is no shortage of information, testimony or anecdotal evidence, regarding the nature and variety of cyber based threats to our banking and financial sectors and the need to create effective solutions. There is, however, a scarcity of information regarding successful models to combat such crime in today's high tech environment. One such successful model is the New York Electronic Crime Task Force and the valuable formula this task force has developed and applied to the prevention and detection of computer based crimes.
    Our New York task force has brought together 50 different Federal, State and local law enforcement agencies as well as prosecutors, academic leaders and over 100 different private sector corporations. The task force investigates substantial electronic criminal activity involving e-commerce frauds, identity crimes, telecommunications fraud, and a variety of computer intrusion crimes which affect a number of infrastructures.
    Since 1995, the New York task force has charged over 1,000 individuals with electronic crimes and the loss to Social Security exceeding $1 billion. It has trained over 60,000 law enforcement personnel, prosecutors and private industry representatives in the criminal abuses of technology and how to prevent them. The task force has identified tools and methodologies that can be employed by our partners to eliminate potential threats to their information systems.
    We consider the New York task force to be the 21st century law enforcement model that modernizes criminal justice and incorporates partnership and information sharing within its core competencies. Accordingly, Congress authorized the Secret Service in the U.S.A. PATRIOT Act of 2001 to expand our task force initiative to cities and regions across the country. We have since established electronic crimes task forces in Los Angeles, San Francisco, Chicago, Boston, Charlotte, Miami, Las Vegas and Washington, D.C.
    Our task force model stresses prevention through partnership. We focus on the mitigation of damage and the quick repair of any damage or destruction to get the system operational as soon as possible after an intrusion occurs.
    Let me mention one critical point about our partnerships with other law enforcement agencies, academia and private sector. Partnerships cannot be legislated, regulated nor stipulated. Partnerships are voluntarily built between people and organizations that raise the value in joint collaboration towards a common end. They are fragile entities which need to be established and maintained by all participants and built on a foundation of trust. I cannot overstate the significance of these trusted partnerships to the success of our task force model.
    Let me share with you some insights regarding a recent ongoing case which our Omaha office is investigating in conjunction with our Chicago, New York, and San Francisco task forces. The case which came to our attention early February through our contacts in the credit card industry involves an unlawful intrusion into the computer system of a third party credit card processor, the companies responsible for processing credit card transactions of companies such as Visa, MasterCard, American Express and Discover. We believe that multiple machines combined to attack this processor's computer system and unlawfully seized millions of credit card numbers along with expiration dates from the company's filings. Our investigation with the FBI determined that these multiple servers were located both within and outside the United States. The Secret Service is completing electronic forensic examinations and is working with foreign authorities in gathering further evidence concerning this attack.
    I want to conclude my statement by again thanking the members of both subcommittees and the full committee for their strong support of the Secret Service and our investigative mission.

    [The prepared statement of Tim Caddigan can be found on page 92 in the appendix.]

    Chairwoman KELLY. Thank you very much, Mr. Caddigan. Mr. Farnan.

STATEMENT OF JAMES FARNAN, DEPUTY ASSISTANT DIRECTOR, CYBER DIVISION, FBI

    Mr. FARNAN. Good morning. I would like to thank the Chairs of both subcommittees as well as the other members for their opportunity to testify today. Holding this hearing demonstrates your commitment to improving the security of our Nation's information systems and this committee's leadership on this issue.
    My testimony today will address the activities of the FBI's Cyber Division as they relate to a broad spectrum of cyber criminal acts.
    Last week a headline in the Atlanta Journal Constitution announced "Hackers Strike Georgia Tech Computer, Gain Credit Card Data." The article goes on to discuss the information on 57,000 people that was available to the hackers, including about 38,000 credit card numbers. The university had moved the database from one system to another but it failed to put up a firewall to protect the data.
    Incidents like this happen every week, even to organizations at technology's leading edge like Georgia Tech. American consumers and businesses are increasingly relying on the Internet. E-commerce is growing in all sectors of the U.S. economy. Although most e-commerce transactions are business to business, e-commerce retail sales in the United States reached $46 billion last year, up from $36 billion in 2001.
    When Internet users, be they businesses or consumers, are impacted by Internet crime, the viability of e-commerce is compromised. When a cyber crime is committed, the FBI is in a unique position to respond because it is the only Federal agency that has the statutory authority, expertise and ability to combine the counterterrorism, counterintelligence and criminal resources needed to effectively neutralize, mitigate and destruct illegal computer supported operations.
    The FBI's reorganization of the last 2 years included the goal of making our cyber investigative resources more effective. In 2002 the reorganization resulted in the creation of the Cyber Division where we have taken a two-tracked approach to the problem. One avenue is identified as traditional criminal activity that has migrated to the Internet, such as Internet fraud, online identity theft, Internet child pornography, theft of trade secrets and other similar crimes.
    The other nontraditional approach consists of Internet facilitated activity that did not exist prior to the establishment of computers, networks and the World Wide Web. This encompasses cyber terrorism, terrorist threats, foreign intelligence operations, and criminal activity precipitated by illegal computer intrusions into U.S. computer networks, including the disruption of computer supported operations and the theft of sensitive data by way of the Internet.
    The FBI assesses the cyber threat to be rapidly expanding as the number of actors with the ability to utilize computers for illegal, harmful and positively devastating purposes is on the rise. A typical case will come to the FBI through the Internet Fraud Complaint Center, which later this year will be renamed as the Internet Crime Complaint Center to more accurately reflect its mission. In its fourth year of operation the Center has proven to be a very successful clearinghouse, receiving over 75,000 complaints last year on crimes ranging from identity theft and computer intrusions to child pornography.
    If the Center, for example, received an intrusion report from a company in, say, Birmingham, Alabama, we would first attempt to locate where the intrusion took place. That same company may have its servers in Minneapolis while the intruder is routing through California and Europe. If the servers in Minneapolis were hacked, the Minneapolis Cyber Crime Task Force would be assigned to lead the case. The leads in California could end up in Eastern Europe, Nigeria or even back in Birmingham if an insider were involved. One of the FBI's response teams would be called upon to preserve evidence and that evidence would be forwarded to one of our new regional computer forensic laboratories now located in Chicago, Dallas, and San Diego. Simultaneously other FBI computer experts would determine the extent and duration of the intrusion and whether the attacker came from inside or outside the company. Depending on the sophistication of the intruder, the case may be solved in a few days or it may take years.
    Cases are routinely complex and often involve international connections. Cyber crime continues to grow at an alarming rate and security vulnerabilities contribute to the problem. We will soon begin staffing a public-private alliance unit within the FBI which will work with administrators and security professionals to reduce opportunities for criminals by employing best practices and patching vulnerabilities before they can be exploited. Through that unit's efforts combined with the efforts of those in this committee, problems like the hacking experienced by Georgia Tech will happen much less frequently. The FBI will continue to pursue cyber criminals as we try to stay one step ahead of them in the cyber crime technology race.
    I thank you for your invitation to speak today. I, on behalf of the FBI, look forward to working with you on this very important topic.

    [The prepared statement of James E. Farnan can be found on page 98 in the appendix.]

    Chairwoman KELLY. Mr. Beales.

STATEMENT OF J. HOWARD BEALES, III, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

    Mr. BEALES. Thank you, Chairman Kelly and members of the committee. I am Howard Beales, Director of the Federal Trade Commission's Bureau of Consumer Protection. I am pleased to present the views of the Commission this morning.
    The Federal Trade Commission works to prevent and protect information security on a number of fronts. We take law enforcement actions, we provide victim assistance when security breaches result in identity theft. We educate both consumers and business and we hold public workshops to examine emerging issues.
    In our traditional role as a law enforcement agency the FTC has brought civil actions to enforce privacy promises, including cases where companies failed to take adequate security precautions with consumers' personal information. When an information breach is reported, the FTC staff activates our protocol for triaging the breach. We evaluate the incident on a number of levels, including the extent of the breach and the type of information that was exposed. We also analyze any jurisdictional issues. We do not have jurisdiction over banks and common carriers, for example. In addition, we determine whether there is an ongoing criminal investigation, given that the breach may involve an underlying theft of information. We coordinate any FTC investigation with criminal authorities because we don't want to get in the way of an ongoing criminal investigation.
    When the Commission determines that law enforcement action is appropriate we have two valuable tools to work with. First, section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices such as misleading promises about information security; second, starting in May of this year, the Commission will enforce the Gramm-Leach-Bliley Act safeguards rule for the financial institutions within our jurisdiction.
    Last August the Commission announced a settlement with Microsoft regarding misleading claims about the information collected from consumers through its Passport services. The Commission's complaint alleged that Microsoft misrepresented the privacy afforded by these services, including the extent to which Microsoft kept the information secure.
    Microsoft is an important case because it involved alleged misstatements about the security provided for millions of consumers' sensitive information. In addition, it held Microsoft to its security promises even in the absence of a known breach of the system. Thus, the Commission found even the potential for injury actionable when sensitive information and security promises were involved and when the potential for injury was significant.
    The Microsoft case was followed by the Commission's case against Eli Lilly. The Lilly case involved alleged misrepresentation regarding the security provided for important information. Like Microsoft, Lilly made claims that it had security measures in place to protect the information collected from consumers on its Web site. As in Microsoft, the Commission charged Lilly with failing to have reasonable measures in place to protect the information. The order in the Lilly case prohibits the misrepresentations and as in Microsoft it requires Lilly to implement a comprehensive information security program.
    It is important to note that the Commission is not simply saying gotcha for security breaches. Although a breach may indicate a problem with a company's security, breaches can happen even when a company takes all reasonable precautions. In such instances the breach does not violate the laws that the FTC enforces. Instead, the Commission recognizes that security is an ongoing process using reasonable and appropriate measures in light of the circumstances. That is the approach the Commission took in these cases and in its Gramm-Leach-Bliley Act safeguards rule, and it is the approach we will continue to take.
    As I mentioned earlier, in May the Commission's Gramm-Leach-Bliley Act safeguards rule takes effect. The rule requires financial institutions under our jurisdiction to develop and implement appropriate physical and procedural safeguards to protect customer information. The rule takes a flexible approach, requiring greater security measures for the most sensitive consumer information. It requires companies to assess the risks they face and take reasonable and appropriate steps to reduce those risks. Companies must also monitor their security performance and adjust their programs as the risks they face change over time.
    The FTC also plays a role in improving information security and in reducing risks to personal information by fostering dialogue and educating the public on security issues. For example, the Commission held a workshop last May to examine the security of consumer information, both as maintained by consumers on their own computers and by businesses on their systems. In May and June of this year the Commission will host workshops that focus on the role of technology again for both consumers and businesses.
    The cases of TriWest and Teledata Communications Inc., in which the personal information of massive numbers of individuals was taken, are good examples of where the Commission carried out its traditional education and assistance role. The staff provided advice to those companies on how to notify the affected individuals and what steps those consumers should take to protect themselves.
    From these experiences and others the FTC has developed a response kit for businesses which have suffered information security breaches. The kit tells businesses what steps to take to respond to a breach and includes a form letter for notifying the individuals whose information has been taken. These kinds of information security breaches place substantial costs on individuals and businesses. The Commission is committed to reducing these breaches as much as possible through its civil law enforcement authority and its education and assistance programs.
    Thank you for holding this hearing, and I look forward to your questions.
    Chairwoman KELLY. Thank you, Mr. Beales. I also want to note that we invited Dr. William Winkenwerder, the Assistant Secretary of Defense for Health Affairs at the Defense Department to discuss the DOD's role in mitigating the impacts of a theft at TriWest. Unfortunately, he had already accepted an invitation to testify about this before the Senate Finance Committee right now and his deputy is on travel.
    Dr. Winkenwerder submitted a statement for the record and with the members' unanimous consent I want to enter it into the record at this time.

    [The prepared statement of William Winkenwerder can be found on page 145 in the appendix.]

    Chairwoman KELLY. We thank all of you and I would like to begin with you, Mr. Caddigan, asking you a couple of questions. We commend the entire Secret Service and especially the agents in the New York Field Office for your truly dedicated and outstanding service to this country. We in New York are understandably very proud of the tenacity of the New York Field Office as it recovered from the destruction of its offices at 7 World Trade Center.
    I would like to ask if your task force and the stronger emphasis on information security since 9/11 has led to law enforcement successes?
    Mr. CADDIGAN. Madam Chairwoman, I think it is safe to say yes, the proactive approach that the task force model in New York takes with regard to partnering with businesses, it gets on the front end of an issue. We help establish self-assessment vulnerabilities in a particular entity. We can help mitigate those on the front end. We can help develop a response plan for that business should they be victimized. So do those actions prevent activity or help mitigate that in the long run? Yes, ma'am, I would say that it does.
    Chairwoman KELLY. That is very good to hear.
    Mr. Farnan, your testimony discusses two cases in which the hacker was arrested overseas. How often are hacking cases originated from an overseas point? Do you want to answer that?
    Mr. FARNAN. Much more frequently than we might care to think about. What we have learned and the model we come from in law enforcement is to typically think along State jurisdiction lines and the FBI, of course we think when violations may cross State jurisdictional lines. With the advent of the Internet and the World Wide Web, we have to completely reevaluate those jurisdictional lines. We now have to think of the entire planet as a ground or platform from which perpetrators can act, and so we do see a lot of activity from persons based in overseas countries or outside the United States.
    Chairwoman KELLY. Mr. Caddigan, do you want to address that?
    Mr. CADDIGAN. I think crime has become global in nature, especially with the onset of the Internet and computer. What can take place in a criminal activity in California can almost instantaneously have the victim be victimized in Asia, for example. So we do look at things as a borderless society with regard to fighting crime. We do partner not only domestically with business and law enforcement, but I think it is also as critical to partner in the foreign arena with foreign businesses, foreign law enforcement and governments.
    Chairwoman KELLY. Mr. Farnan, is the FBI concerned that large scale hacks or the denial of service attacks might be an instrument of international terrorism?
    Mr. FARNAN. We are definitely concerned about that. In the Cyber Division what we have done is aligned our priorities along with those of the FBI. So counterterrorism is our number one priority and our number one focus followed by counterintelligence matters and then criminal matters in terms of our third priority. So we are definitely concerned about that. And we have seen, for example, terrorists who are interested in communicating by way of the Internet, like in many cases we all are. So we pay special attention to that arena.
    There are two other sort of elements that help us focus on that. One is that in the international arena especially. We have our legal attache program that is located in about 46 countries, I believe it is, and we are going to start in the Cyber Division an Internet, or we have started an international investigative support unit to work with our legal attaches to make sure that we are addressing that very issue.
    Chairwoman KELLY. Good. Thank you, Mr. Farnan.
    Mr. Beales, can you give me more details? You mentioned that you have taken some specific measures with the FTC to—what measures, specifically, did you take with respect to the three cases to help the victims?
    Mr. BEALES. Well, what we did was to discuss with the companies the kind of a letter they might send and make discussions about the letter. We have a booklet that is consumer information about identity theft that is called Identity Theft: When Bad Things Happen to Your Good Name. And we make that booklet available and encourage companies to provide that booklet to consumers in need of information about what they should do next.
    Chairwoman KELLY. Thank you. I am about out of time.
    Mr. Farnan and Mr. Caddigan, I want to be sure, we want to be sure, we need to be sure that there is no unnecessary overlap or redundancy between the two of your agencies. I wonder if you would be willing to clarify your authority over cyber intrusions.
    Mr. FARNAN. Again we have our—well, the fact that Mr. Caddigan and I are sitting next to each other and Dennis Holly, who is sitting next to me, is an agent actually assigned to FBI Headquarters, resources permitting, I want to assign an FBI agent to Secret Service Headquarters, I think we are working in an extremely cooperative and complementary fashion. There is enough crime, as I think you can sort of define from the testimony today, to go around. There is plenty of work to do. And with that, I think that our efforts complement each other. We have specific mechanisms in place to make sure that happens, including the sharing of personnel back and forth.
    When it comes to intrusions, the one unique thing that we may bring is the fact that if it is a State-sponsored or foreign government who is trying to break into or hack into a system in the U.S., it is one kind of unique area that the FBI may bring to that. What we have done successfully is work on a case-by-case basis at the field level all the way through the headquarters level to make sure we are not duplicating and complementing efforts.
    Chairwoman KELLY. Mr. Caddigan, are you satisfied with that answer?
    Mr. CADDIGAN. I would concur completely. We recognize that any single entity can't handle this problem alone. By working together, combining our resources, combining our approach methodologies, we do provide a better product to the public we serve.
    Chairwoman KELLY. So you feel that there is not a problem with overlap there?
    Mr. CADDIGAN. I think, as Mr. Farnan mentioned, we detailed an Assistant Section Chief to the Cyber Division in headquarters, so conflict is not an issue. We do coordinate at the local level with our task forces. The Bureau has representation and membership in each of our electronic crimes initiatives throughout the country and, conversely, in smaller environments where we are not present we have membership in their initiatives.
    So I would suggest to the panel that the cooperation does exist at the highest level and although there may be some appearance of overlap it does mesh well together.
    Chairwoman KELLY. Thank you. I am out of time. Mr. Gutierrez.
    Mr. GUTIERREZ. Thank you very much. First of all, I want to thank Mr. Weaver and Mr. Caddigan and Mr. Farnan and all of those that work with you at the FBI and Secret Service for the work that you do.
    I would like to ask Mr. Beales, I guess my concern is what are the responsibilities of financial institutions that suffer from intrusions to their client base in terms of information from them? Is there a 48-hour, 72-hour window, a week, 30 days? Is there something that says you must do this by the FBI's call, the Secret Service knows, they are investigating how long does it take and is there anything that says they have to do it in a specific amount of time?
    Mr. BEALES. There is no specific requirement either to give notice or to give notice within a certain period of time. Notice is clearly appropriate in many circumstances and is clearly the best practice and was what we have generally seen in most cases that involve breaches. There are some cases though where notice may not be as useful. And I think in the case of the credit card hack that got the information about credit cards, providing that information to the financial institution so they could block fraudulent activity on those cards is a more effective way to address the problem and considerably reduces the need for notice to consumers.
    Mr. GUTIERREZ. So I guess then what you are saying is we have to rely on the credit card companies and the service that is provided to protect the consumer but we are not—we don't necessarily inform the consumer so that he can help protect himself and you think there might be just best practices where the consumer is left totally out of the picture and unaware? It seems to me the credit and the reputation belongs to the consumer and that credit and reputation is I trust—I entrust it to the financial institution, to my credit card company, my mortgage company and that they have a responsibility to me to alert me. I mean, if my bank didn't call me because somebody ripped off my money from my checking or bank account immediately, I think I would get pretty angry about it. I guess my question is don't you think there should be some best practices established so that consumers can help themselves?
    A booklet is nice and I am very happy that you issue that booklet, but at what point do we trust the consumer to engage and to cooperate with the Secret Service, with the FBI, with the District Attorney's office or whatever it is that is prosecuting the case. What do you think?
    Mr. BEALES. I completely agree with you that consumers need to find out in most of these cases. And we have—in the particular cases that are at issue here we have strongly encouraged the companies to provide information to consumers and try to make it easier for them to do that. I think there is no question that is the best practice in most cases.
    Mr. GUTIERREZ. So the best practice is trust the companies to figure out when they should inform the consumer that their credit has been somehow hurt or compromised and that somebody has access to their information; we should just trust the companies to do this?
    Mr. BEALES. We don't have regulatory authority.
    Mr. GUTIERREZ. Who does?
    Mr. BEALES. I am not sure that there is any agency that has authority to.
    Mr. GUTIERREZ. So there is no authority that you understand that anyone has?
    Mr. BEALES. There is authority and there are regulations both by us and the bank regulatory agencies that govern the front end, that require financial institutions to have in place measures to prevent breaches of information security and to take appropriate steps in order to keep that from happening in the first place.
    Mr. GUTIERREZ. I understand that. And I guess then that maybe we should look at how it is ultimately the House of Representatives or legislatively we deal with the issue given that it is your testimony that there is no best practice other than let the companies figure out how it is they should deal with the consumers, but there is no 72 hours, 48 hours. So we probably may need some best practices established to protect the consumer because in the end that is who we have to protect and that is who is most hurt in this situation.
    Again, I want to thank the members of the Secret Service and the FBI for their work because I know they have a lot of work, especially after September 11th. I want to thank them for all the hard work that they do. I want to thank folks at the Federal Trade Commission, too. You do a great job there, too.
    I wanted to see if we could figure out what we might need to do, this committee and other committees. Thank you all so much for your testimony this morning.
    Chairwoman KELLY. Thank you, Mr. Gutierrez.
    Mr. Bachus.
    Mr. BACHUS. Thank you. Mr. Beales, will the FTC be taking a closer look at banks' third party providers with respect to the service providers information security programs?
    Mr. BEALES. It is something that we are very interested in, in looking at security cases and information security cases in general. It is an area where the bank regulators also under their safeguards rules also have authority and it is a place where we would want to coordinate with the bank regulatory agency as to who was in the best position to address any particular case.
    Mr. BACHUS. Are you already doing that? Are you already looking at these?
    Mr. BEALES. We talk to the bank regulatory agencies on a very regular basis about a host of issues, including this.
    Mr. BACHUS. How about the bank's third party providers? Are you all in contact with them or are you reviewing their information security programs?
    Mr. BEALES. Well, we have—under the FTC rules we can't talk about particular investigations. They are not public.
    Mr. BACHUS. I don't want specifics, but is it a part of your general procedure? Do you——
    Mr. BEALES. Well, in our general procedures we are sort of looking for cases everywhere. They may come from reports in the media and they may come from complaints. They may come from referrals from other law enforcement agencies, and if they are in our jurisdiction and third party service providers, we would be very interested in pursuing.
    Mr. BACHUS. Banks' third party service providers are within your jurisdiction, aren't they, as far as their information security?
    Mr. BEALES. Yes, I believe they are. They are also subject to the bank's——
    Mr. BACHUS. I understand that. But I am just talking about for a minute—without being specific, have you taken a closer look at any of their information security programs?
    Mr. BEALES. We do not have any—we haven't done anything that was specifically targeted to bank third party.
    Mr. BACHUS. I understand that. I am not talking about target. I am just saying are there instances when you have reviewed their information security programs?
    Mr. BEALES. If we review information, it would be in the context of a particular investigation of a particular company.
    Mr. BACHUS. I understand that. I am not talking about particulars, but have you done that? I know you have the right to do it, and you might do it, but have you done it?
    I am not going to ask specifics about companies, but I want to know if that is part of your jurisdiction?
    Mr. BEALES. It is part of our jurisdiction.
    Mr. BACHUS. My question is, are you all taking advantage of it? Are you all doing that? Are you reviewing or have you reviewed any?
    Mr. BEALES. We have reviewed cases as they have come to our attention.
    Mr. BACHUS. Banks, third-party providers?
    Mr. BEALES. Yes, sir.
    Mr. BACHUS. Okay. You know, on the DPI case, this information was looked at, but it wasn't actually taken, is my understanding.
    Mr. BEALES. I am not—I don't know that for sure.
    Mr. BACHUS. Okay. All right.
    Are you aware of any identity theft cases that resulted from the DPI hack?
    Mr. BEALES. I am not.
    Mr. BACHUS. How many personnel are dedicated to investigating pretext calls at your agency?
    Mr. BEALES. There probably isn't anyone that is completely dedicated. We are a small agency and people multi-task, but there are—there are four or five staff members who have been involved in pretexting investigations.
    Mr. BACHUS. Let me ask the Secret Service, either one of you gentlemen, Mr. Weaver or Caddigan, in your experience how responsive have credit card issuers and processors been in notifying the Secret Service of data penetrations or other hacking events?
    Mr. CADDIGAN. I think, as a general statement, it is safe to say that they have been very responsive. We have ongoing and longstanding relationships with the credit card companies individually, the banks that they represent, and on occasion the third-party processors as it becomes important for us to deal with them.
    Mr. BACHUS. You have been in a position to know whether they are cooperative, and they are?
    Mr. CADDIGAN. Yes, sir. They are very cooperative.
    Mr. BACHUS. To Mr. Farnan, do you work closely with the private sector in monitoring data penetrations?
    Mr. FARNAN. Well, one thing to keep in mind here is that what has happened at the FBI is the former National Infrastructure Protection Center has now migrated to the Department of Homeland Security.
    So what is happening is on the vulnerability side of the house, the Department of Homeland Security is really assuming that responsibility. And to focus our limited resources the best we can, we are focusing more on the threat side of the house. By that I mean, who is it out there that is causing the problem.
    So to answer your question, we are not directly monitoring.
    Mr. BACHUS. You are focusing on the perpetrators?
    Mr. FARNAN. Yes, sir.
    Mr. BACHUS. In our second panel, we are going to talk about TriWest, what happened there. Now, you know, this hearing has sort of focused on penetrations of data systems, hacking, that nature. But in that case, someone either on the inside, it is an ongoing investigation, or on the outside just walked in and walked away with hard drives containing information on half a million people.
    Which obviously, if you had a preference for what you would do, is, you know, go in and try to grab stuff. If you could just walk in and take the hard drives out or the disk out, you know, that would be the preferred method I would think for thieves.
    I read the testimony of TriWest's CEO, and it was 2 days before they discovered this theft. From a law enforcement agency perspective, what do you advise corporations that have these large databases of how to protect them from a security standpoint? Not someone hacking, but someone walking in or somebody walking out, whether they walked in or not.
    Mr. FARNAN. One of the things that we tend to see is sometimes we do tend to think of these cases as extremely complex, because once when we get into the world of electrons and what is happening in cyberspace, things can get complicated pretty quickly. But in doing that, sometimes we forget the fundamentals, sometimes we forget to lock the door.
    So there are times when you have to look at, where does any company or university or institution keep its servers, where do they keep their mainframes, what kind of security, in terms of locked doors, places in the building that kind of equipment is kept. Is it kept on site in the same place as the corporate headquarters or is it secured in an alternate location?
    So sometimes even though we get into lots of victims involved in these crimes, and the crimes can be really worldwide in nature, sometimes we forget the very fundamentals. And that is really, probably, the place to start with security matters.
    Mr. BACHUS. I totally agree with you. I would think fundamentally you worry about sophisticated—through the network, but you obviously shouldn't—you should just protect the front door.
    How about the Secret Service? Any comments you would make?
    Mr. CADDIGAN. I would concur.
    I think in a proactive approach to information assurance or information security, a company, an organization, an entity needs to be concerned dually, both physical and cyber.
    And when you look at vulnerability assessment, an organization can be guided to conduct their own self-assessment, I think you do—those things rise right to the top. I don't know the particulars on this case, but as you describe them you would ask the simple questions on the front end, is there a lock on the door, is there protection on the hard drive, what schedule do you use in order to verify that information has not been compromised.
    And again, not having any knowledge of this case, protecting your cyber elements again is just as critical as your physical elements. So it is easy to critique on the back side, but the proactive approach I think might have determined that vulnerability on the front side.
    Mr. BACHUS. Thank you.
    Chairwoman KELLY. Mr. Caddigan, I want to follow up.
    Just one quick question to Mr. Bachus's question, and that is, about the way that the computers contain the information. If people are lifting the hard drives, then it seems to me that containing information that separates numbers from names and Social Security numbers from addresses, things like that can be done. Are you overseeing things like that? Are you looking at things like that, or recommending things like that to companies?
    Mr. CADDIGAN. Yes, ma'am. Recommending would be the proper word. We do have issues with regard to—these companies are private sector. We can't mandate, we can't legislate, but we certainly can recommend security mindedness. Those would be exactly the type of things that we would ask you to consider in how you collect and keep your data.
    Chairwoman KELLY. Thank you. Ms. Hooley.
    Ms. HOOLEY. Thank you. I am going to direct most of my questions to Mr. Beales, but if any of you would like to jump in, please feel free to do so.
    I know you are to provide victims assistance and consumer education.
    Can you highlight, beyond your testimony specifically, specific steps the FTC has taken in regard to consumer education and victims assistance? Let me explain what I am looking for.
    I know in regard to victims assistance you have a centralized database to aid law enforcement. Are there any programs in place specifically to help victims of ID theft clean up their credit, which as many of you know can be a long and expensive process? And do you have any suggestions for new ways to help in this regard? That is the first part of my question.
    The second part is, you have to finalize rules which require financial institutions under FTC's jurisdiction to develop and implement appropriate physical, technical and procedural safeguards to protect consumer information.
    Can you tell me which financial institutions might be subject to this rule? Would the 400 companies which are sponsored by financial institutions to process credit card payments, such as DPI, be subject to the rule?
    Then the third part of my question is, I know your—you have been traveling around the country to educate local law enforcement. I would like to know how well that has gone.
    Can you tell us a little bit about the seminars, how many cities have you traveled to, how often are they held, and what might be coming next. And is there anything we can do to help you with that?
    I know I have used your brochures extensively for the education piece. Thanks.
    Mr. BEALES. When consumers call our hotline for identity theft to report a problem, the phones are answered by trained counselors who will try to talk them through what they need to do next.
    Our role is to provide advice to consumers about the steps that they need to take. We do that to the best of our ability, but it is really up to consumers to do that.
    There are private programs that will help consumers individually on a one-on-one basis, go through the process of cleaning up their credit. It is not something that we do or would have the resources to do for the complaints we get. We get—last year we had approximately 161,000 victims who contacted our clearinghouse for information and assistance.
    Ms. HOOLEY. Let me ask you, are there any other things? I mean, I know what the directions are that you give victims, and it can take 3 or 4 years. I mean, I think the average time is an enormous amount of time to clear up their credit.
    Do you have suggestions or ideas, any of you, about how we can make that happen in a much quicker, less costly, less time consuming, less frustrating way?
    Mr. BEALES. We are constantly looking for better ways to do it, to make it simpler. We have—I mean that led us last year to put out a uniform affidavit. So consumers could report the fraud on one form and then submit copies to different financial institutions, as one way to try to simplify the process.
    We are working—we have been working with the credit reporting agencies to initiate a pilot program that would let consumers just make one call to contact all three credit reporting agencies and establish a fraud alert. We expect that program to go into place later this month.
    We are continually looking as well for things that Congress might do to make this simpler. At this point we don't have any specific suggestions. But, it is something that we are very much alert to, and looking for ways that we or you or anyone else could make this process less of a hassle for the people who are victims.
    As to our Safeguards Rule, there are a wide variety of firms that you wouldn't think of as financial institutions that are or may be financial institutions under the Gramm-Leach-Bliley Act rules that are subject to our jurisdiction and that would be subject to the Safeguards Rule.
    Accounting firms that do tax preparation and the like, for example, may well be subject to the rules. Auto companies that provide credit or dealers that provide credit or financial institutions are subject to the rules.
    The third parties that provide services, to banks or anyone else, that involve handling sensitive information would likely be financial institutions and subject to our rules.
    It is a hodgepodge of who it is, there is no easy way to describe the universe. But, our jurisdiction is basically any financial institution, except banks or financial institutions that are specifically regulated by some other regulator.
    As to the law enforcement training, I believe we did five——
    Ms. HOOLEY. Let me finish up that. The companies that are sponsored by financial institutions, like DPI, are they under your jurisdiction?
    Mr. BEALES. I believe they are, yes.
    Ms. HOOLEY. Okay.
    Mr. BEALES. As to the law enforcement training, I believe we did five cities last year. We did training programs in five cities last year. We thought it was successful and useful.
    We did those training programs in conjunction with the Justice Department and with the Secret Service and the Postal Inspection Service. We tried to bring in local officials, as well, in each one.
    This year we have five more planned in different cities around the country, and we are continuing to pursue that activity.
    Ms. HOOLEY. How can we help you in increasing those numbers for law enforcement, because I think that is a really important piece, the law enforcement piece of identity theft.
    Mr. BEALES. Well, the—the piece that, I mean, the training piece I mean is simply limited by resources. It is—it is—it takes staff, time and effort. And we have tried very hard to work with the other law enforcement agencies involved to extend our resources and leverage them as much as possible.
    Ms. HOOLEY. Thank you.
    By the way, thank you for the booklets. We do send out a gazillion of them.
    Mr. BEALES. I am glad to hear that.
    Chairwoman KELLY. Mr. Shadegg.
    Mr. SHADEGG. I am going to pass.
    Chairwoman KELLY. Mr. Renzi.
    Mr. RENZI. Thank you, Madam Chairwoman.
    Just two real quick questions, so then we can go vote.
    I am really interested in the who behind all of this. You know, we have heard that there are hackers involved and terrorists involved, organized crime involved, and even insiders. And I know the FBI and the Secret Service have done a wonderful job in foiling some attempts. What can you share with me as far as the who behind this?
    I've got a little follow-up question. Thank you.
    Mr. FARNAN. First, our experience and our investigative activity to date suggests one thing that really kind of stands out. And that is, that the highest, the person that we are most concerned about is, in fact, the insider as opposed to an outsider. That person poses the most significant threat.
    Secondly, what we focused on and what we are concerned about are organized groups that may be attempting to obtain, penetrate machines and obtain large amounts of data. And we are very concerned, also, about the threats that are posed from foreign countries, frankly.
    But, one important point, I think, to emphasize is the fact that it is the insiders. It is the people who have access to the machines and to the data that really pose a significant threat, which raises the question, who watches the watchers?
    Mr. RENZI. Well said.
    Congressman Shadegg and I share a real concern living in Arizona with the border. We are reminded weekly of the threat, particularly as it relates to terrorism. We recently just had an Iraqi arrested down in the Tucson area. That goes to my follow-up question, which is the market, the black market.
    We have probably a sophisticated black market as it relates to credit cards, as it relates to Arizona, drivers' licenses, passports. Los Angeles has a whole market that is even bigger than ours, because of the immigrants that move through our area looking for identification and also the terrorists, I think, that are also looking for that new identity.
    Could you talk real quickly then about the driving force of once the insiders or whoever have stolen this information, who they are selling it to, where is the purchasing, the fencers, I guess, is what I am talking about?
    Mr. CADDIGAN. The insider threat is—the correlation of the insider is permeated through many of the cases that we have.
    The hacking community, the groups out there that do hacking for a pastime, we think they fall maybe into three categories.
    One is those doing it for the challenge. They want to show that they can tap into your vulnerability and exploit you.
    The second is political, which means they get into websites. They deface them. They put a statement, a logo, again, sometimes just for encouragement.
    The other is for profit. So they are the ones that I think we are all concerned about in law enforcement, those that are getting in there and stealing information. We find, in many cases, they make that information available in chat rooms on the webpage.
    They indiscriminately make it available to anyone willing to pay for it. Thus, it is hard to track where the sources are going to, because they are everything and anything.
    Mr. RENZI. Your answer leads me to believe that there is not an absolute purchaser. There is not an absolute market that you have been able to identify, indiscriminate purchasers?
    Mr. CADDIGAN. There is not an absolute market. I think that is safe to say.
    With regard to terrorism and the like, we do find—with illegal immigrants, terrorists, those that are truly trying to hide their identity, aren't using it to gain credit or to have purchasing power, they are using it to be able to live and exist with a different name that doesn't draw attention to them.
    Mr. RENZI. You are able to set up an electronic fencing operation, a pseudo fencing operation, where you look on the Internet and purchase that information and then go after that individual, just like you would——
    Mr. CADDIGAN. That does occur.
    We have always had sting operations with regard to, as your concern expressed, the immigrants. We have had some terrorism links to those that are just trying to have different breeder documents, and what they can get out of the breeder documents, meaning passports, driver's license and the like. It is just strictly to have a change of a named identity that they can use at will. So it does run the gamut in that regard.
    Mr. RENZI. Let me just thank all of you for your testimony today, and especially at this time in our Nation's history for the work you are doing.
    I know we are talking about incidents that have already occurred today. I can't imagine the amount of incidents that you have foiled. So thank you for that.
    Chairwoman KELLY. Thank you very much.
    We have just been called for two votes on the floor. So I will eventually deal with that, but I want to note that some of the Members may have additional questions for this panel, that they may wish to submit those questions in writing.
    So, without objection, the written hearing record will remain open for 30 days for members to submit written questions and to place responses in the record.
    This panel is excused with our great thanks. We appreciate the fact that you gave us so much of your time, and we look forward to being in continual contact with you, because this is quite a thorny issue. Thank you very much.
    In light of the vote, I am going to recess this committee for 20 minutes, and we will reconvene in 20 minutes for our second panel. Thank you very much, gentlemen.
    [Recess.]
    Chairwoman KELLY. As the second panel takes their seats at the witness table, and with the agreement of Members, I want to recognize the gentleman from Arizona, Mr. Shadegg, for the purpose of introducing our first witness before I proceed with the rest of the introductions.
    Mr. SHADEGG. Thank you, Madam Chairwoman.
    As I mentioned in my opening statement, I have the privilege of having a constituent on this panel.
    Mr. David McIntyre is here to testify about the burglary of his company's office located in my Congressional district, the burglary that occurred on the morning of December 14th, 2002, and about the response by his company to that burglary.
    Mr. McIntyre is president and CEO of TriWest Healthcare Alliance, which is a private corporation that administers the Department of Defense's TRICARE Program in a 16-State region in the central United States. TriWest is the largest Department of Defense contractor in Arizona.
    Mr. McIntyre has more than 18 years of experience in healthcare and healthcare policy and in the healthcare business. He was previously Vice President of Blue Cross Blue Shield of Arizona, which is where I met him.
    For our purposes, Madam Chairman, he has 9 years of experience serving on the staff of Senator John McCain. So he is somewhat familiar with the hearing process.
    As I mentioned in my opening statement, in the wake of the burglary of TriWest's offices in Phoenix, Mr. McIntyre's company aggressively responded.
    Mr. McIntyre personally oversaw and took part in the plan to notify customers about the stolen information and personally telephoned a number of those whose credit card information was stolen.
    Mr. McIntyre has turned that negative experience, the burglary of his company's offices, into a positive model for other companies across the country who are victims of information theft.
    I appreciate him being here to testify, and I look forward, as I am sure the rest of the panel does, to his testimony.
    Chairwoman KELLY. Thank you, Mr. Shadegg.
    Our remaining witnesses on the second panel are Mr. Kevin D. Mitnick, President and Co-founder of Defensive Thinking and a computer hacking expert; Stuart Pratt, President of the Consumer Data Industry Association; Mr. John Brady, Vice President for Merchant Fraud Control of MasterCard International; and Evan Hendricks, Editor and Publisher of Privacy Times. We welcome you all. We thank each of you for testifying here today.
    Without objection, your written statements will be made a part of the record. You will each be recognized for 5 minutes, and if you don't know the color codes on the lights in front of you, the green light is all go, and as soon as you see the yellow light it means it is time to sum up because the red light will come on. We all know what that means.
    With that we will start with you, with Mr. McIntyre.

STATEMENT OF DAVID J. MCINTYRE, JR., PRESIDENT AND CEO, TRIWEST HEALTHCARE ALLIANCE

    Mr. MCINTYRE. Chairwoman Kelly and distinguished members of the Financial Services Committee, thank you for the invitation to appear before you today to discuss the important topic of identity theft.
    Congressman Shadegg, thank you for your overly generous and very kind remarks, and I appreciate your long interest, dedication and effective leadership on this critical consumer issue. It, in fact, is an issue that affects every consumer in America, probably a very unique one at that.
    As Congressman Shadegg said, my name is Dave McIntyre. I am the president and CEO of TriWest Healthcare Alliance. We are a private corporation that delivers health care services to the Department of Defense and its beneficiaries in 16 states. We serve 1.1 million people.
    This was a very painful holiday period for me this last year, because like a number of organizations in this country, I have had the opportunity to learn firsthand about the information theft.
    What is most appalling to me, however, is that in many cases, it takes the individual who suffers the identity theft longer to clean up their credit report than is the jail term that is served by the criminal who actually perpetrated the act. As a consumer, as a business leader whose company suffered the theft of the personal information of its customers, I am grateful to you for your focus on this critical issue.
    On Saturday morning, December 14th, one of our offices was burglarized. Computer equipment and data files containing confidential and personal information of more than 570,000 members of the military, their dependents and retirees were stolen.
    The information on the stolen hard drives included names, addresses and Social Security numbers, which we are required by the Federal Government to collect, along with other personal information. Fortunately, it only contained 23 credit card numbers.
    I was told by experts shortly after the theft that the most effective thing I could do was to get out in front of this issue and notify consumers as quickly as possible. So that is what we set out to do. We notified authorities on learning of the theft.
    Secondly, we contacted our DOD partners to jointly create and implement a comprehensive three-pronged action plan to protect our beneficiaries. We went to the media, because many of these people were away from home during the holidays visiting their families. We wanted to make sure that we lost no time.
    The military worked through their chain of command and notified every installation worldwide, so that we would reach the leadership and all of the folks serving in the military.
    We sent the first of what will now be three letters to the individuals who were affected, to notify them of what had occurred, and give them advice based in part on the counsel of the FTC on what they could do to protect themselves.
    This has been a joint effort, working with Dr. Winkenwerder, the Assistant Secretary of Defense for Health Affairs, the Surgeon General of each service and all of the command structure in the military. It has been a fabulous partnership, albeit at a time when they didn't have time to spend on this issue.
    Third we posted a $100,000 reward to aid law enforcement in their efforts to try to detect who had done this. As you can imagine we were devastated by this event. However, we focused all of our energy on trying to do what we would want to have done were we the consumer who was sitting on the other side.
    Given the burden on the individual of placing a fraud flag with three different credit bureaus, we worked with the credit bureaus to develop a plan that has allowed us to request on the behalf of our customers, not forcing them to do it, the actual request of a fraud flag.
    To date, more than 63,000 of the people on that list have chosen that option, and we have done that work on their behalf.
    Through this experience, I have learned a lot. I never planned to become an expert or even close to someone who knew a lot about the issue of information theft. I am pleased to be joined by a number of other people who obviously know a lot about this topic as well.
    I have come to believe that the work that was done by Congressman Shadegg needs to be built on in a couple of ways.
    First, I think that every leader of any organization, whether it is public or private, has an absolute obligation to their customers, that when that information is compromised, they have an obligation to inform their customer of the fact that has happened. It is painful. It is awkward. It is embarrassing. It is expensive. But you know what, it is not our information, and unless you arm the consumer with that information, they cannot protect themselves.
    Second, as a consumer, I have observed the inconsistencies in the last 4 months with how my credit card information is handled. Half of the receipts from restaurants have the full credit card number and authorization date or expiration date posted on it. That is all you need and a name to go to the Internet and buy something.
    In addition, I still belong to the Senate Credit Union. I went to the credit union to find out what comes on your statement. Social Security numbers are printed on those documents if you go and ask for the balance on your account today. Same is true in the House Credit Union.
    So we need to work to look at when is it necessary to have the full Social Security number printed on the document, when is it necessary to have the full credit card number printed.
    I also think that penalties in this area for those who perpetrate such crimes need to be looked at and significantly enhanced.
    Fourth, I believe that credit bureaus should allow organizations to act on behalf of their customers, and that they should establish consistent timelines for the updating of fraud flags.
    Thanks for the invitation to be before you today. I hope that this is the year that you are able to take the incidents that we have all faced and use them as leverage to further protect consumers in this country. I look forward to answering any questions you may have.
    Thank you, ma'am.
    Chairwoman KELLY. Thank you.

    [The prepared statement of David J. McIntyre can be found on page 114 in the appendix.]

    Chairwoman KELLY. Mr. Mitnick.

STATEMENT OF KEVIN D. MITNICK, PRESIDENT AND CO-FOUNDER, DEFENSIVE THINKING

    Mr. MITNICK. Good morning, Chairwoman Kelly, Chairman Bachus and distinguished members of the committee.
    My name is Kevin Mitnick. I appear before you today to discuss your efforts to review current industry practices concerning security procedures for the prevention of electronic theft of credit card information and identity theft.
    I am primarily self-taught. My hobby as an adolescent consisted of studying methods, tactics and strategies for circumventing computer security, and for learning more about how computer systems and telecommunications systems work.
    I have 15 years' experience circumventing information security measures, and I can report that I have successfully compromised all systems that I targeted for unauthorized access except one.
    I also have 2 years' experience as a private investigator with responsibilities that included locating people and assets using social engineering techniques. Social engineering is the same thing as pre-texting that Mr. Bachus spoke to earlier.
    I have gained unauthorized access to computer systems at some of the largest corporations on the planet and have successfully penetrated some of the most resilient computer systems ever developed. I use both technical and nontechnical means to obtain source code to various operating systems and telecommunication devices to study their vulnerabilities and their inner workings.
    Currently, I am the Co-founder of Defensive Thinking, a Los Angeles based information security firm. I recently co-authored with William Simon a book titled the ''Art of Deception,'' published by John Wiley and Sons, which has become an international best seller. The book details nontechnical methods and tactics, in essence pre-texting, that computer intruders use to compromise valuable information assets, including credit card information.
    Social engineering is a method where the intruder deceives his target into complying with the request based on false pretenses and psychological manipulation.
    It is important to understand, and all companies and their employees need to realize, that the most insidious vulnerability to information security is the well-meaning, hard-working folks that use, operate and maintain information systems.
    The prevention and detection of social engineering attacks should not be ignored or underestimated. In fact, the majority of scams involving identity theft and credit card fraud include social engineering on some level.
    In an attempt to deter carding, many retailers are now requiring an on-line customer to provide the three-digit CVC number that card issuers have begun to use.
    But the thieves also obtain the CVC number. With it, they are able to use the information to commit fraud against unsuspecting cardholders and merchants. I understand that the subcommittee will be examining three recent cases involving large-scale thefts of nonpublic, personal identifying information and credit card details.
    A major part of the problem is that the criminals only need to obtain information that is stored or processed in thousands of computer systems around the world. In February of 2003, DPI, a credit card processing services company, reported that an unknown intruder had compromised their network and gained access to a database that held over 8 million credit card accounts.
    DPI did not release any details describing how the breach occurred, citing cooperation with Federal law enforcement officials. The DPI case was widely reported in the press because of the astounding number of credit cards potentially compromised.
    But when examined closer, you will realize that these types of attacks happen all the time. In my opinion, the committee should not overlook that many similar attacks on networks containing financial information are not detected by the owner or operators. It is important to realize that many of these security incidents remain undetected because of poor security and auditing practices.
    DPI has publicly claimed that the intrusion occurred from the outside of the organization. Although I do not like to hypothesize on the facts and circumstances of any attack without details, I would recommend that DPI consider the possibility that the attacker had assistance from the inside of the company.
    Every day the security community announces new vulnerabilities in operating systems and application software that have been identified. Vulnerabilities in software can be exploited to gain remote access to the target computer. Many system programs contain programming errors that enable the intruder to trick the software into behaving in a way other than which is intended in order to gain unauthorized access rights, even when the application is part of the operating system of the computer.
    Once a new vulnerability is recognized, the software developer releases a patch, a modification to the software that might be installed by individual companies, a process that may be overlooked for days, weeks, months, even years. Meanwhile companies using that software remain vulnerable or are forced to disable or block access to the vulnerable service until the patch becomes available.
    Even then in many cases this is not enough. There are a number of sophisticated hackers who are able to discover previously unrecognized security vulnerabilities and then use them to compromise global computer systems and networks.
    I agree that it is essential to implement security strategies to prevent, detect and respond to security threats and attacks, but it is too easy to look in the wrong direction for an answer. In my view, attempting to solve the complex problem by micromanaging every on-line site that accepts credit card transactions would turn out to be wasteful, inefficient and not a very successful exercise.
    Instead, I recommend that the committee look into a different direction. I recommend that you explore mitigation strategies which focus on improving the authentication of the credit card user. In any on-line credit card transaction, identity and authorization is based on the information a consumer provides to the merchant. This is no better than a static password.
    There is an old saying among hackers. You never know if someone else has your password. The reality is that a password or its equivalent is too easy to steal. A first step towards a solution would be to strip away the identity value of all personal information.
    If knowledge of a credit card number, expiration date and the corresponding customer name and address is without value, stealing this information would be useless to an imposter.
    Unfortunately, authentication technology has not yet matured to the point of being able to provide an easy solution to the issue. If not being done already, I would recommend that the finance industry explore additional authentication methods that may include digital certificates, identification of the user's location based on IP address or telephone number, or verification of a PIN through a separate communications channel.
    For example, consider this scenario. You have just placed an Internet order for a new cell phone with a price tag of several hundred dollars, and placed an on-line order with your credit card information, but you were not required to give a PIN number. Instead, you next dial your credit card company, and when prompted you enter your card number. An automated system then reads off the details of the transaction. You are satisfied that the details are correct. The system tells you: To authorize this transaction, enter your PIN number.
    What would be the advantage of this approach? The thousands upon thousands of individual retailers would not have access to consumer PIN numbers. The fact that so many retailers store the credit card numbers of on-line customers gives rise to the kind of credit card theft that this hearing is addressing.
    If they also store the customer PINs, then there is no gain in security. The PIN becomes almost worthless as a security element. But under the approach I have suggested, only the bank would have access to the PIN number information. Under this arrangement, the theft of the card numbers would be of limited value.
    In another area, I would also recommend consumer-awareness training programs that educate people about the various scams being used to steal their credit card details and personal information, a practice that can prove highly valuable to effectively minimize identity theft and credit card fraud.
    I believe that all on-line retailers who accept credit cards should be encouraged or required to do the following:
    One, perform a regular, thorough risk assessment on their information assets, especially systems that process or store consumer financial and personal information.
    Two, implement policies, procedures, standards and guidelines as dictated by the results of the risk assessment.
    Three, create an audit and oversight program that measures compliance. The frequency of the audits ought to be determined consistent with the mission. The more valuable the data, the more frequent the audit process.
    Develop a process to ensure meaningful and effective patch management for all computer systems. Employ authentication methods that do not use nonpublic personal identification information, such as a mother's maiden name, birth date, birth place, driver's license number, address, phone number or Social Security number.
    Next, effective audit procedures implemented from the top down must be part of an appropriate system of rewards and consequences in order to motivate system administrators, personnel managers, and employees to maintain effective information security, consistent with the goals of this committee.
    Next, establish a security-awareness training program designed to educate their employees on the threats to information security and to change employee behavior to foster a secure environment. These would follow the security recommendations described in detail in my book, ''The Art of Deception.''
    In terms of legislation, I recommend that the subcommittee consider the following:
    One, legislation that prohibits merchants or credit card processors from electronically storing PINs or other types of verification credentials such as the CVC, unless it is essential to business needs.
    Two, the requiring of periodic security assessment and or penetration testing to evaluate the security posture of any business that stores or processes credit card transactions, to be performed by an independent information security consulting firm.
    Three, require encryption of stored financial or personal information. If this was done by TriWest or by DPI, then the information would not be accessible to the hackers.
    Finally, I want to offer what I have deemed the most important factor in security, the human factor. This is essential, underlying all security issues, whether it is from deceptive credit card thieves or terrorist operatives to blend into our communities.
    I believe it is essential to consider regulations that mandate security awareness training as part of an overall security program as required by HIPAA and the GLBA.
    Thank you.
    Chairwoman KELLY. Thank you very much, Mr. Mitnick.

    [The prepared statement of Kevin D. Mitnick can be found on page 124 in the appendix.]

    Chairwoman KELLY. Mr. Pratt.

STATEMENT OF STUART PRATT, PRESIDENT CONSUMER DATA INDUSTRY ASSOCIATION

    Mr. PRATT. Chairwoman Kelly, Chairman Bachus, members of the committee, thank you for this opportunity to appear before you today.
    For the record, I am Stuart Pratt, president of the Consumer Data Industry Association, and we commend you for holding this hearing on the implications of breaches in information security in a number of different cases. In each of these cases, you have asked us to comment on the security breaches from the perspective of our members who operate as nationwide consumer reporting agencies.
    I will start with TCI Communications. Our members have no direct relationship with TCI Communications, and we learned—our members report to us that they learned about access codes being compromised in particular through customer contacts with us.
    We work collaboratively with our customers. We worked collaboratively then with law enforcement to assist affected consumers. Let me just outline some of those steps.
    Consumers received notices from consumer reporting agencies as well as in partnership with our customers to make sure that they were aware of the breach that had occurred with regard to our information. Consumers' files were in some cases frozen temporarily while we could get those notices to them.
    Notification letters also then allowed consumers to take advantage of free file disclosures, free access to monitoring services that our members provide, as well as opting those consumers out of pre-screened offers of credit, and also adding fraud alerts to their files.
    Beyond the priority of assisting consumers, we also took proactive steps to ensure that the scope of the fraud was contained. We analyzed the patterns that we identified through the crime, and we then adjusted our pattern recognition tools and initiated reviews of all third-party access codes where we had similar third parties having access to those. We began rotating access codes more aggressively. Our customers are more accepting of the rotation of those access codes today.
    So we actually have a task force continuing to analyze yet additional steps we can take to further remove access codes from employees who might otherwise take advantage of the access that they have.
    We had no real involvement with DPI Merchant Services to the extent that we have been able to ask our members that question.
    I will move on to TriWest. With TriWest, TriWest is not a customer, it was not our information involved in this case. TriWest, as they reported themselves, took very quick action. On behalf of TriWest, many consumers then contacted consumer reporting agencies. We provided them voluntarily with free file disclosures. We also took them off pre-screened offers of credit and, again, added security alerts to their files.
    These are just some of the various initiatives that we have for assisting potential victims or real victims of identity theft. A summary is included with our full comments here for the record.
    TriWest then proactively contacted our members and coordinated an additional plan of work that would allow their customers to have an easier time of adding additional information to their files.
    We learned a number of things through this experience. One, criminal behavior by employees, we will never be rid of that completely. But, of course, thanks to Mr. Shadegg, we have the Identity Theft Assumption and Deterrence Act of 1998.
    Those employees who had access to those systems, in fact, violated that very law that you created in the first place. They also violated the Counterfeit Access Device and Consumer Fraud and Abuse Act of 1984. They violated the Fair Credit Reporting Act, amended in 1996, which also prohibited access and escalated criminal penalties as well as civil fines for perpetrating this type of crime. So we do have a number of different laws on the books today.
    That being said, obviously everything that we can do to vet employees who have access to sensitive information is a critical element going forward. We must begin to learn to measure the relative risks of various breaches. One of our concerns from our members is that if we were to encourage the entire Nation with every security breach to contact consumer reporting agencies, this would not be hundreds of thousands, but literally millions of contacts per year.
    One of our member companies estimates that it was, in servicing TriWest customers, which was the right thing to do, it was the right time to do it, we have no question about doing it, it cost one of our member companies $1.5 million in order to accomplish that goal.
    We obviously need to work with the Congress and work with this issue to make sure that we are not on our own handling the totality of that kind of cost. It would change and radically alter how we do business today.
    All of that being said, coordinating assistance for consumers is important, and that is what our initiatives do for victims of identity theft. We look forward to working with you and this committee in this process, doing everything possible for those consumers.
    Thank you.
    Chairwoman KELLY. I thank you, Mr. Pratt.

    [The prepared statement of Stuart Pratt can be found on page 130 in the appendix.]

    Chairwoman KELLY. It gives me great pleasure to now call on Mr. John Brady, who is a constituent of mine. And I am very pleased to have him be here to testify from MasterCard today.
    Mr. Brady.

STATEMENT OF JOHN J. BRADY, VICE PRESIDENT, MERCHANT FRAUD CONTROL, MASTERCARD INTERNATIONAL

    Mr. BRADY. Good afternoon, Chairwoman Kelly, Mr. Bachus, Mr. Sanders, Mr. Gutierrez, and members of the subcommittee.
    My name is John Brady. I am the Vice President for merchant fraud control for MasterCard International in Purchase, New York.
    It is my pleasure to appear before you this afternoon to discuss the important topic of fighting fraud and safeguarding financial information. MasterCard takes its obligations to safeguard financial information and protect consumers extremely seriously. This issue is top priority for MasterCard.
    We have a team of experts devoted to working with law enforcement and maintaining the integrity and security of our payment systems. Our success in protecting consumers and preventing fraud is due in part to the constant efforts we undertake to keep our network secure.
    The MasterCard Information Security Program is comprehensive, and we continually update it to ensure that it provides strong protections. Our member financial institutions also have information security protections in place, including those required under the applicable banking law.
    Also, MasterCard's bylaws and rules require each member and any third party acting on behalf of a member to safeguard the transaction and account information. Our bylaws and rules also require any merchant that accepts a MasterCard branded payment device to prevent unauthorized access to the information.
    In addition, MasterCard has a variety of consumer protections and antifraud tools. For example, MasterCard has voluntarily implemented a zero-liability policy with respect to unauthorized use of U.S. issued MasterCard consumer cards. Under this rule, a cardholder victimized by unauthorized use generally will not be liable for any loss at all.
    In addition, MasterCard has developed programs to protect against unauthorized use of the MasterCard payment cards. These include enhanced security features on the card, the MasterCard address verification system, and our proprietary fraud reporting system which helps identify fraud at merchant locations and allows us to better focus our global merchant auditing programs.
    We also offer a program to our issuers called Risk Finder, which assists issuers in proactively identifying fraud. These and other MasterCard tools have proven extremely effective in protecting cardholders and the security of our systems.
    I would now like to discuss a recent example of how we addressed a problem when it occurred. There was a recent incident involving a data processor called DPI, Data Processing International, who was acting as a service provider to a MasterCard member bank in Ohio, which, in turn, was providing bank card processing services for merchants.
    Earlier this year DPI detected that someone had obtained unauthorized access to its system. Although it is not clear at this point how much data the hacker successfully exported from DPI's system, we do know the hacker potentially had access to approximately 10 million Visa, Discover, American Express and MasterCard payment card account numbers.
    Once DPI detected the problem, they took action, and quickly notified the Secret Service and FBI as well as affected payment card companies. MasterCard immediately took decisive action to protect its systems, its members, and most importantly MasterCard cardholders from fraudulent activity related to this breach.
    MasterCard interviewed the appropriate people at DPI in order to determine the nature and scope of the breach. MasterCard gathered the payment card account numbers and forwarded them to the appropriate issuers via our MasterCard alert system.
    MasterCard hired a third-party forensic firm to act on MasterCard's behalf during the investigation. MasterCard remains in ongoing contact with issuers of the card numbers that were involved. I am pleased to say that it does not appear that these numbers have been involved with unusual activity as a result of the DPI breach.
    As a final point, I would like to note that law enforcement agencies have done a commendable job in investigating this breach. MasterCard works closely with these organizations and greatly appreciates their efforts to resolve this issue.
    MasterCard continually strives to provide its members and MasterCard cardholders with strong protections. And we will continue to develop new strategies and tools to prevent those who seek to do harm from succeeding.
    I would like to thank the subcommittee for inviting me to discuss these issues, and I would be pleased to answer any questions you may have.
    Chairwoman KELLY. Thank you, Mr. Brady.

    [The prepared statement of John J. Brady can be found on page 86 in the appendix.]

    Chairwoman KELLY. Mr. Hendricks.

STATEMENT OF EVAN HENDRICKS, EDITOR AND PUBLISHER, ''PRIVACY TIMES''

    Mr. HENDRICKS. Thank you, Madam Chairwoman and Mr. Chairman.
    A lot of times in the privacy community, we like to talk about Supreme Court Justice Louis Brandeis, who wrote eloquently about the importance of privacy in a civilized society. But, he is also the one who wrote that sunshine is the best disinfectant, and one of the themes throughout my brief talk today is the importance of sunshine, that to improve privacy you need sunshine and transparency. Just by having this hearing today, you are bringing sunshine to a very important issue, and providing a vital public service. I really commend you for that. And again, thanks for the opportunity.
    A few fundamental observations. The problem that we are discussing today, of hacker access to sensitive data, data leakages and identity theft in general, is going to get worse before it gets better.
    There are several reasons. One, is that we have now in our society many databases filled with the personal data, and they, to me, are the electronic equivalent of swimming pools without fences around them. They are attractive nuisances.
    The reason they are attractive is because our personal data is worth a tremendous amount of money to many organizations, and the criminals have figured this out.
    The other thing is that identity theft losses are still a fraction of the overall revenue generated by the credit industry. So to this point, the Tower Group has just released a report saying that they don't expect any major changes in the practices of financial institutions because it can still be written off as a cost of doing business.
    I don't know if that is going to be very helpful to the people who would be the victims of identity theft, though. In addressing these problems, as I mentioned, the lack of transparency is a major issue that comes from all of those cases. Thousands upon thousands of entities, large and small, have instant electronic access to very sensitive data on over 200 million Americans.
    Consumers generally don't enjoy that same kind of instant electronic access to their own data. We must move toward a society in which they do, and I will explain why and how.
    Also, there is a lack of sunshine when things go wrong, and that is the issue of, are people going to be notified when their security is compromised. Currently there is not a requirement of that.
    I will talk about the culture of security that is really needed, and we must develop and advance. Also, another problem that comes from all of these cases is the over-reliance on the Social Security number.
    Now, in the Teledata Communications case, which I think is one of the more important cases we are discussing this morning, you see access as a vital part of the problem and the solution. If those 30,000 victims would have had instant electronic access or alert providing them that there had been activity on their credit report, and one of your constituents from New York or Alabama or Arizona saw there was an inquiry on their credit report from Texas Energy Supply, which is one of the institutions used for fraudulent access, then they would have known something was wrong.
    In fact, the credit bureaus have already started offering this service, and they have discovered it is a very good revenue stream. The problem is, they are charging as high as $79 per credit bureau to get a credit monitoring service. If you multiply that by all three credit bureaus, that can run over $200.
    It is a good business, if you can collect people's data and sell it back to them at that price. But we should remember that the Fair Credit Reporting Act gives you a right of access to your credit report, and caps how much they can charge for it. Yet, there is no cap for these sorts of monitoring services. I see moving toward a system where we are plugged into our personal data as being an important part of the solution.
    So we should encourage that and see that the economies of scale can make it a win-win for everyone. This is also a model for the financial world. There are going to be databases of sensitive financial information kept by financial institutions that could fall outside the Fair Credit Reporting Act. I think that access is going to be a very important issue to address those problems as well.
    Also, I was concerned in this case with the lack of security in the TCI case. Because most of the credit card companies, and Mr. Brady can probably speak a lot about this, have software that monitors our purchases and activities, so they can spot suspicious patterns of activities.
    To my experience, I have not seen evidence that the credit bureaus are using this, even though this was a case where there was suspicious activity over and over again.
    In the TriWest case, I think one of the most important lessons emerging is the fact that the Social Security number should not be used as an identifier, and really this is a societal problem and a Defense Department problem, that they require the Social Security number as an identifier, and just proposed a new rule to make it the health identifier for soldiers.
    I really fear that we will have soldiers returning from the Gulf War to find that they are victims of identity theft, because of over-reliance on the Social Security number. We can explore more of this later in questions if you like.
    In the DPI Merchant Services case, I think what was most troubling was the secrecy that surrounded the problem. At first they only revealed that there was a hit of credit cards. They wouldn't disclose who—that DPI Merchant Services was the credit card processor. Then they disclosed that.
    DPI told the Detroit News that consumers who were concerned about this should contact their is