July 10, 2003, State Coordinator, Financial Crimes Enforcement Network, Vice Chairman, Board of Directors, National White Collar Crime Center, Richmond, Virginia, Member, Georgia's Stop Identity Theft Network, Chair, Infragard Atlanta Chapter Watch and Warn Committee, and Special Agent in Charge, Financial Investigations Unit, Georgia Bureau of Investigations, Decatur, Georgia, Steve Edwards,

House Committee on Ways and Means

Statement of Steve Edwards, State Coordinator, Financial Crimes Enforcement Network, Vice Chairman, Board of Directors, National White Collar Crime Center, Richmond, Virginia, Member, Georgia's Stop Identity Theft Network, Chair, Infragard Atlanta Chapter Watch and Warn Committee, and Special Agent in Charge, Financial Investigations Unit, Georgia Bureau of Investigations, Decatur, Georgia

Testimony Before the Subcommittee on Social Security
of the House Committee on Ways and Means

July 10, 2003

Testimony of

Chairman Shaw and members of the subcommittee, thank you for this opportunity to address this subcommittee concerning the subject of identity theft.

Introduction

My name is Steve Edwards, and I am Special Agent in Charge of the Financial Investigations Unit of the Georgia Bureau of Investigations (GBI), State Coordinator to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), and Vice Chairman on the Board of Directors of the National White Collar Crime Center (NW3C). In addition, I am a committee member on the State of Georgia’s STOP IDENTITY THEFT Network and serve as chair on the FBI’s InfraGard Atlanta Chapter Watch and Warn Committee.

GBI is an independent, state-wide agency that provides assistance to Georgia’s criminal justice system in the areas of criminal investigations, forensic laboratory services and computerized criminal justice information.

NW3C is a non-profit corporation that provides a national support network for law enforcement agencies, state regulatory bodies, state and local prosecution offices, and other organizations involved in the prevention, investigation, and prosecution of high-tech and economic crime.

Overview of the Problem: On-the-ground Perspective

I would like to take this opportunity to briefly discuss Georgia’s STOP IDENTITY THEFT (STOP I.T.) Network and some of the reasons for its formation. A primary complaint of victims of identity theft is, in my experience, that they are unable to “get satisfaction.” By this I mean that they are often unable to find an agency or organization that is willing to assume responsibility for helping them to deal with the crime they have experienced. As a result, victims needlessly contact one organization after another in an effort to handle the violation, and may, in the end, receive no assistance at all. In many cases, for example, local law enforcement tell victims of identity theft, “you are not a victim” – particularly if the victim has suffered no direct financial loss. Their advice is often that the victim should contact the organization that was used for the perpetration. The organization involved, in turn, refers the victim to local law enforcement.

Victims of identity theft also have difficulties with the matter of legal jurisdiction. For example, if a victim who resides in Georgia is confronted with identity theft that has resulted in a violation in California, local law enforcement in Georgia may state that they do not have jurisdiction. To address this problem, Georgia, and other states, require that a police report be generated for all reported cases of identity theft. This police report is a useful tool for the victim when reporting the violation to other organizations, such as a credit bureau. Unfortunately, other factors – including lack of resources – often prevent local law enforcement from taking action beyond the generation of a report.

In essence, a primary need for victims of identity theft is a “one-stop-shop,” or a single “location” – whether physical or online – where victims can receive information about identity fraud prevention, file a complaint, and receive guidance concerning recovery from identity theft violations. In 2000, Georgia’s STOP I.T. Network was conceived as such a location. In October 2002, STOP I.T. went online for the first time, and since then 233 complaints have been received and processed.

After receiving a complaint from a victim, STOP I.T. serves as an intermediary between the victim and a number of agencies. For example, a complaint from a victim in Georgia is forwarded by STOP I.T. to city, county and state law enforcement appropriate to the complaint; to local and state law enforcement in any state where the victim identifies activity associated with the identity theft; to the FTC; and to the Internet Fraud Complaint Center. In addition, STOP I.T. sends to each organization a letter of explanation that includes a list of every other organization that has received the complaint. Finally, victims receive information to assist them in protecting against the continued fraudulent use of their personal information and in recovering financial and other losses that have resulted from the violation.

In the 30 years that I have been involved in financial crime, I have seen no other crime directly affect more friends, associates, and family members than identity theft. Since 2000, when I became actively involved in the development of STOP I.T., I have received an average of 2 or 3 telephone calls per month from someone I know who has been a victim of identity theft. Data collected across the nation – to the extent that data on identity theft exist – also indicate that identity theft is a crime that is pervasive and expanding rapidly.

Overview of the Problem: Broad Perspective

Identity theft – or the use of “another person’s personal information in some way that involves fraud or deception”^[1] – is currently one of the fastest growing crimes in the United States.^[2] Two of the most common forms of identity theft include “true name fraud” and “account takeover fraud.”^[3] True name fraud occurs when someone uses an individual’s personal information to open a new account, and account takeover involves illegal access to an individual’s existing account for the purpose of making fraudulent charges against the account. Identity theft is also used to facilitate other crimes – including money laundering, bankruptcy fraud, computer crimes, and acts of terrorism – by providing a means of concealing the identity of the criminal and accessing funds or privileges available to the victim. It is important to note, however, that financial loss is not a necessary component of identity theft. “Criminal identity theft,” for example, occurs when a victim’s personal information is used by a criminal and subsequently associated with records of criminal violations, outstanding arrest warrants, or other public information without the knowledge of the victim.

The Federal Bureau of Investigation (FBI) and other law enforcement agencies have estimated that between 700,000 and 1.8 million Americans are victimized by identity theft each year – a figure that has increased substantially in recent years. In addition, recent surveys (conducted by Star Systems, a national electronic payments network) indicate that about 1 in 20 adults in the United States, or about 12 million Americans, have been victimized by identity theft at least once.^[4]

In 2002, the number of identity theft cases reported to the Federal Trade Commission (FTC) rose to 161,819 – almost twice the number reported in 2001.^[5] Other cases were reported directly to local law enforcement; reported to other federal agencies, including the FBI, Secret Service, Internal Revenue Service, and Postal Inspection Service; or never reported at all.

The cost of identity theft to businesses has been estimated to be more than $11.9 billion each year.^[6] The costs to victims of this crime include loss of credit, harm to reputation, and loss of wages, in addition to the direct loss of money, attorney fees and other recovery expenses. Despite these losses, and the considerable attention that has been paid to the problem in recent years, the average arrest rate for all identity theft cases reported by victims remains around 5 percent.^[7]

Identity Theft and the Use of Social Security Numbers

Since the illegal use of social security numbers (SSNs) “is key to laying the groundwork to take over someone's identity,”^[7]containment of the wide-spread use of SSNs could have a substantial impact on the prevalence of identity theft in the future. This containment is important not only in areas of government that use SSNs as individual identifiers, but also in private organizations, which are increasingly including SSNs on personal records and distributing this information for a variety of purposes. Examples of the current broad use of SSNs include

Driver’s Licenses: As many as eleven states and the District of Columbia currently display the SSN on the face of their drivers’ licenses. Several other states require a SSN for the issuance of a driver’s license but do not display the number on its face.
Student Records: Half of colleges and universities use SSNs to identify students, and 79% include them in official transcripts, according to a March 2002 survey by the American Association of Collegiate Registrars and Admissions Officers.
Other Records: A SSN is often required or requested for services such as bank accounts, utility services, insurance policies, check cashing services, medical services, apartment rental, extension of credit, employment, memberships, and library access. SSNs are also used as reference numbers for credit bureau reports, which are widely distributed, often without the knowledge of the credit holder.

While it may not be feasible to restrict the use of SSNs to the administration of Social Security taxation, for which it was originally designed, it may be feasible to restrict the use of SSNs to a set of identified purposes for which there is a legitimate legal reason to collect a SSN. In addition, government agencies and businesses that collect SSNs can be required to restrict access to SSNs – by employees and other organizations – and to dispose of records that include SSNs using specified procedures, e.g., encrypting personal information on databases and shredding paper documents containing personal information.

The development of these restrictions is appropriately the responsibility of Congress, and consistent with other privacy measures recently passed, particularly in the absence of uniform, aggressive action among state governments, local governments, and private industry to reduce opportunities for identity theft. In addition, the increasing number of cases being pursued by law enforcement throughout the country evidence the immediate importance of developing these restrictions. For example,

July 1 and 2, 2003, Consuelo Onate-Banzon and Rony Razon, and four other individuals, were arrested on charges of identification and social security fraud. According to the FBI, Onate-Banzon and Razon worked for the Virginia Department of Motor Vehicles (DMV) and allegedly produced and sold as many as 1,000 fraudulent Virginia driver's licenses, with the help of co-conspirators.^[8]
On May 8, 2003, Dorian Thomas, age 27, was indicted on charges of conspiracy, bank fraud, and identity theft. Thomas, an employee of a financial institution in California, had “obtained the confidential member profile information of account holders through financial institution computers and provided it to others,”^[9] who then completed more than $100,000 in fraudulent bank transactions.^[10]
Charmaine Northern, age 23, “pled guilty on March 10, 2003, to obtaining confidential customer account information from the computer at the financial institution where she was working and using it to open credit card accounts and incur unauthorized charges estimated to be approximately $50,000.” ¹³
Kimberly Smart, age 27, was sentenced on December 5, 2002, “in connection with using her financial institution position to obtain customer account information from the financial institution computer and provide it to others.”^[11]The losses incurred in this case were approximately $121,146.63.
Philip Cummings, a 33-year-old former “help desk” employee of Teledata Communications, Inc., faced charges on November 26, 2002, of accessing credit bureau databases, selling confidential information, and participating in a fraud scheme that resulted in a loss of more than $2.7 million to 30,000 victims.^[12]
Ivy Johnson, a former employee of H & R Block in White Plains, New York, was charged in January 2003, for obtaining customers’ personal information, and using the information to divert tax checks, open new credit card accounts, and making ATM withdrawals in victims’ names.^[13]

All of these cases involved access to and use of SSNs. Future cases of similar violations may be reduced if requirements for specific safeguards are mandated and enforced by federal statute. In addition to legislative restrictions, education and training is also important for the reduction of identity fraud in the future. This education and training should include

Educating individuals to take active steps to protect their personal information;
Training state and local law enforcement to identify and effectively handle identity theft cases, since these cases are often first reported to state and local rather than federal law enforcement agencies; and
Educating businesses, including banks and credit bureaus, to guard against and detect identity theft.

“Best Practices” to Combat Identity Theft

The following is an analysis of best practices either currently in place in the states or needed to fulfill assistance functions for victims of identity theft. These conclusions were generated through a synthesis of published commentaries and critiques of existing legislation, peer-reviewed academic articles, and analysis of pending legislation.

First, it is important to use a broad definition that explains the substance of the sort of information that should be considered “identifying information.” This definition should be broad enough to include account numbers, scanned or re-encoded credit or account access cards, and SSNs. Following the establishment of a working definition of the problem, the research of NW3C has indicated that there are numerous opportunities to help victims of identity theft.

Practice 1: Explicit recognition of identity theft as a crime committed against the individual.

States have taken a variety of approaches to dealing with identity theft victims. Chief among the issues that create inconsistencies among states is the nature of victimization in identity theft cases. For example, victims in states that do not recognize identity theft as a crime must often seek assistance through civil suits or ancillary charges. While the place of the civil suit is to rectify injustices that escape the criminal justice system, it is an arduous task least likely to be pursued by most people. Such circumstances exemplify a need for legislation that explicitly criminalizes the dissemination and misuse of identifying information such as SSNs rather than just the theft facilitated by information misuse. Specifically, statutory frameworks should explicitly criminalize identity theft in a manner that clearly underscores the method of information obtainment, as well as monetary damages.

Practice 2: Eligibility of identity theft victims for victims’ rights assistance.

The foremost need expressed by victims in recent NW3C research is for notification of victimization. Indeed, the most comprehensive framework for protecting the rights of victims and restoring them to their pre-victimized state is of little use if victims do not know that a crime has been committed. This is especially true in the instance of a SSN that is stolen from medical or business documents without the knowledge of the victim.

In states that do recognize the individual whose identity has been stolen as an injured party, the degree of victimization is often deemed to be trivial in comparison to other offences, especially violent ones. In some states, victims’ assistance and, in some cases basic notification and participation rights, are denied to victims of property crime and only afforded to those who can demonstrate some form of physical injury. In other states, victims of non-violent crimes are only given full protection if the predation is judged to be a felony offence. It is therefore of great importance that those statutes that exist to aid crime victims recognize the victims of identity theft as targets of a serious crime who may require assistance in pulling their lives back together.

Practice 3: Phasing out use of private identifying information on non-secure documents.

While many states no longer use SSNs as identifiers on drivers’ licenses, these numbers are still widely used on non-secure public documents. For example, many schools that use SSNs as student identification numbers include these numbers on a variety of forms and correspondence, and order forms and applications often solicit personal information. Consequently, a Nexis public records search can reveal SSNs and dates of birth in seconds. Additionally, organizations that accumulate personal information apply varying levels of security. Ultimately, it is unhelpful for a dozen organizations to strictly protect personal information if only one organization makes that information publicly available. This issue is associated with the idea of liability for breaching a duty of confidentiality, but it is also a change in focus that requires unique legislative attention. In other words, it is important not only to protect personal information but also to establish safeguards for handling those forms that document personal information. What is required is legislation that mandates strict controls on the circumstances under which the recording of personal information is justified.

Practice 4: Eligibility for compensation and financial assistance.

Financial assistance is typically reserved for victims of violent crimes where the perpetrator has not been ordered to provide restitution or does not have the means to provide effective restitution. Such practices can also be helpful in identity theft cases that result from privacy breaches. Financial assistance, unlike restitution, is able to provide for and compensate immediate financial outlays without concern for the offender’s ability to pay. As the Privacy Rights Clearinghouse has demonstrated, a victim of identity theft typically spends as much as $1,200 out-of-pocket to correct the damage caused by the crime. Thus, just as victims of violent crimes have a need for funds to cover immediate emergency expenses, so do victims of identity theft. Therefore, legislation may be needed to assure that victims of identity theft can qualify for federal victim assistance funds.

Practice 5: Aid to identity theft victims in clearing their names.

Regardless of the efficiency of the legal system in prosecuting identity theft cases, victims often face many difficulties in removing fraudulent information that is associated with their names. Consequently, victims of identity theft remain vulnerable to future victimization through the continued use of their SSN on government documents, most of which require the use of the SSN as a personal identifier. A great need exists for aid in purging erroneous records maintained by credit bureaus, police departments, and other organizations that result from the crime of identity theft. Often, the mechanism for such corrections is complex, creating barriers for citizens of limited means or comprehension. Therefore, legislative guidance for aid to victims of identity theft would be helpful. Examples of policies that have been enacted by statute (nearly all from California) to address this problem are

Providing public agency aides to assist victims by making phone calls, preparing forms, or taking other steps on behalf of the victims;
Requiring that court records reflect that the person whose identity was falsely used to commit a crime did not commit that crime ( Cal. Penal Code 530.5(c)); and
Allowing the victim to petition the court for an expedited determination of factual innocence (Cal. Penal Code 530.6).

Legislative Treatment of Social Security Information

In those instances when SSNs are deemed suitable for recording, there exists a need to create statutory incentives for companies (especially, but not limited to, credit card companies) to safeguard this information. While a few states have some form of accountability already on the books (California’s Information Practices Act and Delaware’s concept of reckless disclosure of information stand out), none have gone so far as to explicitly create an actionable duty of care for all entities that collect private identifying information to protect said information to at least the level to which a reasonable person would have protected it. Delaware is the only state to even mention the reckless or negligent disclosure of personal information in their identity theft legislation.

While civil actions are always available to punish such disclosures, they do not possess the desired deterrent effect unless they are easily factored into a rational analysis of policy options. As it stands, one can only assume that the current rate of identity theft and credit card fraud are an acceptable cost of business for the corporations that currently treat with social security numbers and other private identifying information in an unsafe way. Creating a statutory category of liability would serve both to increase the victim’s chances in court and to alter the equation for those corporations, putting them on notice to change their behavior lest it eat into their profit margin.

California is one state that has imposed liability on entities that handle personal data. Cal Civ Code § 1798.29 (2003), for example, requires any agency that “owns or licenses computerized data that includes personal information” to report security breaches to the people whose personal information may have been compromised. Cal Civ Code § 1798.82 (2003) extends similar requirements to people and businesses doing business in California. This approach is proposed for Federal law in S. 1350, the Notification of Risk to Personal Data Act, recently filed by Senator Feinstein.

Of course, regardless of how rigorously SSNs are protected, there will be instances in which they are abused. On this matter, the following recommendations are proposed:

Make possession of fraudulent social documents either illegal in and of itself or allow it to create a permissible inference of forgery. There is already a provision in many forgery and credit card fraud statutes that states that the ownership of some small number of forged or unauthorized instruments is enough to create an inference of a guilty motive without the necessity of proving a definite intent. Additional measures can be taken to address unauthorized possession of identifying documents or information. Some states have already adopted various measures of this type. Alabama and Kentucky lead the way in this regard, and set the required number of identity documents (a term that would include social security cards) in one’s possession that are not one’s own to create an inference of identity trafficking at five.
When SSNs are abused, they are often abused for long periods of time. While a victim of a burglary may change their locks, a victim who was targeted through their SSN has little ability to prevent this means of victimization in the future. Unless SSNs are easily changed, the victims of these crimes have little protection against repeat predation, especially as the SSN is passed to other unscrupulous types. To address this problem, some sort of repository for compromised SSNs, which could flag SSNs that have been the target criminal abuse, could be established.

Current Legislative Issues

It has been recognized that no federal law currently limits use or disclosure of SSNs among private entities, leaving them free to deny credit or services without SSNs; and that the Social Security Administration (SSA) cannot control how private entities keep, use or distribute SSNs, thus leaving the burden on consumers who have no real power.^[14]

Many bills, taking a variety of approaches to preventing or enhancing responses to identity theft, have been introduced in recent Congresses, and several are again pending in this, the 108^th Congress. Some of these legislative measures propose enhancements in the penalties under the federal ID Theft statute in the interest of increasing the deterrent effects, or would make modifications aimed at facilitating investigations or prosecutions. Others go more directly to the topic at hand today: augmenting the protections against disclosure and misuse of certain information, including SSNs.

These bills, such as H.R. 2036 which you sponsored in the 107^th Congress, Mr. Chairman, would enhance privacy protections and otherwise help prevent “fraudulent misuse” of SSNs by restricting display or use of SSNs, restricting dissemination of SSNs or any derivative or their use as PINs without an individual’s consent, and providing for regulation and criminal punishment of sales and purchases of SSNs. As you know, measures are also pending to protect other personal identifying information by, for example, prohibiting sale and disclosure of personally identifiable information by commercial entities to non-affiliated third parties absent prescribed procedures for notice and opportunity to restrict such disclosures.

Specifically,

H.R. 70, the Social Security On-line Privacy Protection Act, would prohibit an interactive computer service from disclosing to a third party an individual's SSN or related personally identifiable information without the individual's prior informed written consent.
H.R.220, the Identity Theft Prevention Act of 2003 pending before this subcommittee, would, among other things, amend the Social Security Act and Internal Revenue Code to protect the integrity and confidentiality of SSNs, prohibiting their use or disclosure except for specified social security and tax purposes.
H.R. 637, the Social Security Number Misuse Prevention Act, and the companion bill, S. 228, would, among other things, prohibit display, sale, or purchase of SSNs without affirmative, express consent of the persons to whom they belong; prohibit use of SSNs on government-issued checks, the appearance of SSNs on driver's licenses or motor vehicle registrations, and inmate access to SSNs; prohibit commercial entities from requiring individuals to provide SSNs when making purchases or from denying such purchases if the persons refuse to provide such numbers; and establish civil and criminal penalties for misuse of SSNs. (Similar provisions are included within other, broader bills, including but not limited to S. 745, the Privacy Act of 2003.)
H.R. 1931, the Personal Information Privacy Act of 2003, would, in part, prohibit commercial acquisition or distribution of SSNs, or derivatives, as well as their use as personal identification numbers, without written consent.

Two other bills very recently filed in the House of Representatives and pending before the Ways and Means Committee, H.R. 2617, the Consumer Identity and Information Security Act of 2003, and H.R. 2633, the Identity Theft Protection and Information Blackout Act of 2003, include (but are not limited to) provisions that would similarly place prohibitions or restrictions on certain uses of SSNs.

While we are not necessarily endorsing every aspect of these various measures, we certainly commend them to your careful consideration as Congress acts, along with the states, to better enable effective responses and efforts to prevent identity theft.

Conclusion

Thank you for the opportunity to testify before you today. Mr. Chairman, I am eager to answer any questions you or other members of the subcommittee may wish to direct to me.

References

¹U.S. Department of Justice. (2003, July 27). Fraud. Retrieved July 7, 2003, from http://www.usdoj.gov/fraud.htm

²U.S. Department of Justice. (n.d.). Identity theft: Prosecution and protection. Retrieved July 2, 2003, from http://www.usdoj.gov/usao/txs/releases/May%202002/020502-identitysheet.htm

³ Benner, J., Givens, B. & Mierzwinski, E. (2000). Nowhere to Turn: Victims speak out on identity theft: A CALPIRG/ Privacy Rights Clearinghouse report. Privacy Rights Clearinghouse. Retrieved June 13, 2002, from http://www.privacyrights.org/ar/idtheft2000.htm

⁴ Star Systems (STARsm). (2003, April 16). Americans want action on identity theft. [Press Release]. Retrieved July 7, 2003, from http://www.star-systems.com/cfm/news-press.cfm?id=81

⁵ Federal Trade Commission. (2003, January 22). National and state trends in fraud and identity theft: January – December 2002. Retrieved July 1, 2003, from http://www.consumer.gov/sentinel/pubs/Top10Fraud_2002.pdf

⁶ Identity Theft Resource Center. (2003, February). Facts and statistics. Retrieved July 2, 2002, from http://www.idtheftcenter.org/facts.shtml

⁷ Identity Theft Resource Center. (2003, February). Facts and statistics. Retrieved July 2, 2002, from http://www.idtheftcenter.org/facts.shtml

⁸ Federal Bureau of Investigation. (2003, July 7). Operation easy rider: FBI puts stop to driver's license fraud. Retrieved July 7, 2003, from http://www.fbi.gov/homepage.htm

⁹ U.S. Department of Justice. (2003, May 12). Three indicted on conspiracy to commit bank fraud and identity theft. [Press Release]. Retrieved July 3, 2003, from http://www.cybercrime.gov/thomasIndict.htm

¹⁰ Sanchez, E. (2003, May 13). Scam alert: Insider help giving a new look to bank robberies. The Sacramento Bee. Retrieved July 3, 2003, from http://www.sacbee.com/content/news/scam_alert/v-print/story/6657347p-7609218c.html

¹¹ U.S. Department of Justice. (2003, May 12). Three indicted on conspiracy to commit bank fraud and identity theft. [Press Release]. Retrieved July 3, 2003, from http://www.cybercrime.gov/thomasIndict.htm

¹² Masters, B.A. (2002, November 26). Huge ID-theft ring broken; 30,000 customers at risk. The Washington Post. Retrieved July 3, 2003, from http://seattletimes.nwsource.com/html/consumeraffairs/134584039_idtheft26.html

¹³ O’Connor, T. (2003, January 2). Four charged in ID-theft scam. The Journal News. Retrieved July 3, 2003, from http://www.nyjournalnews.com/newsroom/010203/A102idtheft.html

¹⁴ Harry A. Valetk, Identity Theft: What It Is and How to Protect Against It, originally published on GigaLaw.com and found November 22, 2002, at http://www.wiredpatrol.org/idtheft/whatisit.html