according to the data we reviewed and the many officials of the public and private sector entities we contacted.” Do you agree with that sentiment? Is that an understatement?
Mr. BEALES. I think there is no question it is a serious problem. I think there is also no question that we do not have a good fix right now on exactly how big a problem it is.
We have been conducting a survey in a random sample of people to try to find out how many victims there really are. We are in the process of analyzing that data now and expect to be able to release it at some point next month. And then we should have, I think for the first time, a good, solid estimate of what really is the incidence of identity theft.
Chairman SHELBY. Are you working, in that regard, with the FBI, the Secret Service, and local people to get all that information?
Mr. BEALES. On the survey, no. This was a consumer survey to figure out how many people have been victims. It is akin to the victim surveys that are sometimes done in other criminal areas. And that is what we are doing here.
Chairman SHELBY. What is the total number of staffers that you have involved at the Federal Trade Commission in this effort? And if identity theft is getting worse, as we all seem to believe, are you dedicating more and more staff resources to this area? Or are you standing pat or what?
Mr. BEALES. We have a somewhat unusual role in identity theft because we do not have a direct enforcement role because it is a criminal problem and we are not a criminal agency.
Where we have substantially increased resources is in handling the calls. As the call volume has grown, then the resources that we have to devote to it have grown correspondingly. And we have really made a significant increase in the resources that we have devoted to security enforcement to try to protect data that businesses keep that could become the source of identity theft. So it is a law enforcement effort that is really focused on preventing access to the kinds of data that identity thieves need.
Chairman SHELBY. That is your role at the FTC?
Chairman SHELBY. Mr. Caddigan, or Special Agent Caddigan, excuse me, what is your view as to the level of sophistication of identity thieves and identity theft practices? In other words, is there any indication that the thieves are becoming more organized? I know a lot of them are very sophisticated.
Mr. CADDIGAN. Yes, sir, they have. I think a simple analogy would be: I do not need to go to the business to rob it anymore, I do not need to be in the same town, I do not need to be in the same State, and, quite frankly, I do not need to be in the same country.
So when you look at it, that the access to the information that makes up the predicate offenses of identity crime can be obtained globally, they move globally
Chairman SHELBY. They can rob without a gun.
Mr. CADDIGAN. That is correct, sir. And the anonymity that the access to the Internet provides makes the enforcement effort that much more difficult.
We do see an increase in organized groups, for example, gang-related. We do see typical street crimes that would have been committed by groups that are now using a computer or the Internet or access to the Internet to get the same kind of profit return.
Chairman SHELBY. Are the identity thieves generally sophisticated enough to determine weaknesses in the system, in other words, do the thieves evolve?
Mr. CADDIGAN. They do evolve, sir. We find that the organized hacking groups that hack systems, whether it be business, public, or private, they hack for the thrill of the hacking. It is a personal challenge. But the rewards are the database files that they can get out of a business or an enterprise that are readily sellable on the Internet market.
Chairman SHELBY. Kind of high value to the thieves.
Chairman SHELBY. Help us understand what an identity thief could do, for example, if he or she obtained, a name, a Social Security number, and a mother's maiden name; the full contents of a credit report. I know you can speak to all of it.
Mr. CADDIGAN. With that information, you can pretty much have—well, assuming a good name that you have collected
Chairman SHELBY. You can ruin somebody, can't you?
Mr. CADDIGAN. You can definitely ruin somebody, and there are many case examples of where that has occurred.
Chairman SHELBY. How do thieves routinely go about obtaining these pieces of information? I know that they do not all go to the dumpster.
Mr. CADDIGAN. They all do not. That would be, obviously, the low-tech aspect.
Chairman SHELBY. But some do.
Mr. CADDIGAN. The low-tech aspect are just thieves, and thieves steal mail and information and anything they can get their hands on. The higher-tech, then we get into the hacking groups that work internationally, and there is a trade in the product. The end user typically would buy—it is very simple to buy that information over the Internet.
Chairman SHELBY. Are the older people in America, people like me, 39 and older, are they generally a lot of the victims?
Mr. CADDIGAN. You know, I do not know that we find that to be the case. I think the demographics
Chairman SHELBY. Cuts across everything?
Chairman SHELBY. With what you know about criminal activity, do you have any ideas that you can share today about the steps that all of us as consumers can take to protect ourselves? And, also, how can the industry protect itself? Because, you know, we are interested in both.
Mr. CADDIGAN. There is a tremendous need to identify you as a consumer to a business, and that is readily recognized. So that information is necessary to affect trade.
Where you can safeguard yourself is simple things at home. If you receive the preapproved credit applications in the mail, do not just throw them in the trash. Shred them. Your bank statements, shred them. That sounds a little drastic, but, again, the dumpster diving does occur. It not only occurs at your curb; but also it occurs at the facilities that trash companies use and the dumps that they go to. So the more you can safeguard the information at your level, the better.
The other thing, be very wary of anyone that might call or reach out to you, Internet, telephone, e-mail, or otherwise, asking for your identifiers. If you have not solicited that information or that service, you should not be giving anyone anything.
Also, be very wary of companies that use spam. We have many examples on the Internet to where an Internet provider has been victimized because someone has accessed their system, provided a questionnaire under the head of that Internet provider, and people readily give it thinking it is valid.
So there are a lot of good anecdotal data that the less you give out, the better protected you are.
Chairman SHELBY. Thank you.
I think the scope of questions that you raised are highly valuable so that we understand the nature of the problem. But when we are speaking about understanding it, one of the disciplines of financial markets is the information that people have about their own information that is involved in the system. That gets at a question that I think was asked to Mr. Beales in the House Financial Services Subcommittee. Do financial institutions have any requirement to notify a consumer if there is a security breach? Is that a weakness or a strength of our system?
Mr. BEALES. There is not at the present time, as far as I know, a requirement to notify consumers if the information has been breached. We think in many circumstances that notice to consumers clearly makes sense.
There may be some circumstances where you are fairly sure about how the information was lost, where there is not much of a risk and not much benefit to notifying the consumer. But we think in most cases certainly the best practice is to notify consumers when the information has been compromised in a way that puts them at risk.
Senator CORZINE. It is hard for me to imagine circumstances where personal information is breached without authorization that it would be a positive. Maybe it is a neutral, but I certainly can imagine situations where breaching poses a risk and certainly limits the individual's ability to clean up their credit history.
Is there a voluntary program on the part of the credit reporting agencies or credit-monitoring agencies, the Big Three, or any of the financial institutions? Has there been a survey taken about how much notification of consumers is actually taking place with regard to breaches?
Mr. BEALES. We know of notification in a number of incidents. We do not know systematically as to how frequently that happens or what fraction of all incidents it occurs. It clearly happens in many cases, but we do not know what fraction.
Senator CORZINE. And do you have any sense of the proportion or the awareness or how quickly even in those instances where institutions do notify, how quickly individuals know that so that damage is not done? This is, by the way, costly both to the industry and to the individual, I presume, if someone has stolen an identity. Is there any sense or timing with respect to how people become aware? Since there is no requirement, I guess there is no deadline on that process.
Mr. BEALES. No, and there is no systematic monitoring of how long it takes. I think the big question is how long does it take to discover the breach. In many cases, that is maybe the main determinant of how much consumers are at risk is how much time went by before the breach was discovered at all.
I think one thing that is really important in those circumstances is for the financial institution or whoever it was that was the source of the information to make contact with the credit bureau, because that is in many ways the promptest way to get the information into the right places, to give it directly to the credit bureau that these accounts may have been compromised.
Senator CORZINE. So the primacy of the credit bureau to the individual?
Mr. BEALES. What the individual has to do in order to reduce the risk is to call the credit bureau, and by making contact with the credit bureau in the first place, A, the credit bureau knows that they are going to get a lot of calls and what is going on and can be ready to handle that volume without being disrupted; and, B, in some circumstances, the fraud alert can be placed quicker and the risk reduced quicker rather than waiting for a letter to go to the consumer and the consumer to respond to the letter and place the fraud alert.
Senator CORZINE. They could do that simultaneously, I presume, both the individual and the credit bureau.
Mr. BEALES. Sure. There is no reason for contacting a credit bureau to delay a notice to the individual, but it is an important part of the process.
Senator CORZINE. Access to credit reports—and I apologize for running over here conceptually, do you believe that this is an important element in being able to have an individual maintain certainty about their credit status and ability to manage their credit profile in this complex but important and well-functioning system in many ways?
Mr. BEALES. I think it is a critical part of the system, and the way the system functions now with notice when there is an adverse decision based on a credit report or when there is fraud, in either of those circumstances the consumer is entitled to a free credit report that will let them identify the problems and start the process of correcting them. And I think that is a crucial component for maintaining the accuracy of the data that is in credit reports.
Senator CORZINE. Thank you.
Senator DOLE. Mr. Beales, I would like to ask you about the affiliate-sharing preemption in the Act. In efforts to prevent identity theft and to detect it, is this preemption helpful or does it harm efforts?
Mr. BEALES. I think information sharing is really a key in the fight against identity theft. I think it is important for the creditor to know more about the real you than the thief knows, and that way the creditor can ask you a question that only the real you can answer and the thief cannot answer.
Some of that information comes from affiliates, and some of it may come from databases from outsiders, and some of it may come from credit reporting agencies.
All of those sources are important to the overall sharing of information that makes it possible to detect that the identity thief is, in fact, a thief.
Senator DOLE. Let me just ask you the same question about the prescreening preemption.
Mr. CADDIGAN. I think information—
Mr. CADDIGAN. I would concur with Mr. Beales. Anytime there is information sharing that you can more quickly identify fraud or the potential for fraud, the easier it is to eliminate the problem as an individual. And I think as a total problem, the education and information sharing is critical from the enforcement perspective.
Senator DOLE. What about the prescreening preemption?
Mr. BEALES. We do not think that, based on the data we have seen, there are clearly instances where prescreening may lead to identity theft in that particular case. In the data we have seen, though, the overall losses to identity theft seem to be lower on prescreened accounts than they are on just general applications for credit. So, we do not think that prescreening in any systematic way contributes to identity theft or contributes to the problem.
Senator DOLE. And with regard to the widely reported cases of credit reports being stolen, I would like to ask both of you: Do you think the problem is primarily due to a lack of security in the system? Or is it just a cost of doing business, a fact of business in this technological age? Which would you say is primarily responsible?
Mr. CADDIGAN. I think on the user end of the consumer information. If you talk about the credit bureaus, speaking again from the enforcement perspective, we have very sound relationships with them, and we have worked extensively over the years. They take great measures in safeguarding their information. So when a person is violated, it is usually at the user end, and that is part of the education process that I think not only law enforcement does, but also I know the FTC does with businesses, is to teach them better safeguards with regard to their IT systems that control access to these credit reports.
There are many examples of someone who legitimately has access to report files who, for whatever reason, left his computer on when he walked away or granted access to others not knowing that they then could have access. So there are safeguards that are evolving, but we still find instances where they are not safeguarded.
Senator DOLE. Mr. Beales.
Mr. BEALES. Our safeguards rule that went into effect at the end of May really views security as a process. It asks companies to identify the risks they face and then look for the steps that they can take to reduce those particular risks.
I think one thing that is clear about security, though, is that the threats evolve, and that as you put in place a mechanism to deal with the last problem, identity thieves and other thieves will try