Mr. Chairman, Members of the Committee: Thank you for the opportunity to present the views of the California Public Interest Research Group (CALPIRG), U.S. PIRG¹, and the Privacy Rights Clearinghouse² on solving the problem of identity theft.

As you know, the problem of identity theft has been growing rapidly throughout the 1990s. CALPIRG and U.S. PIRG released our first report on the problem in 1996. At the time, it was difficult to quantify the magnitude of the problem, since creditors and credit bureaus compiled data in different ways and the disparate government agencies investigating the crimes did not have the resources to work together. Nevertheless, in response to numerous indicators that identity theft was epidemic, several states³, and then, in 1998, the Congress, criminalized identity theft. The 1998 federal identity theft act⁴ also required the Federal Trade Commission to develop an identity theft clearinghouse, both to assist consumers and to coordinate inter-governmentally. Since March, the FTC has begun to release detailed data on the impact of identity theft that dovetail with the findings of our reports.

Unfortunately, the data show that criminalization has not significantly slowed the identity theft crime wave. In our view, greater effort must be paid to reining in the practices of creditors and credit bureaus that lead to or abet identity theft. If enacted, the Identity Theft Prevention Act of 2000, HR 4311, as introduced by Rep. Darlene Hooley (D-OR)⁵, would take several important steps to slow the rise of identity crimes.

In May 2000, CALPIRG and the Privacy Rights Clearinghouse released a joint survey of identity theft victims. This testimony summarizes the findings of that survey of victims. Less than half of the respondents felt that their cases had been fully resolved, and those with unsolved cases have been dealing with the problem for an average of four years. Victims estimated that they spent an average of 175 hours and $808 in additional out-of-pocket costs to fix the problems stemming from identity theft.

This testimony also discusses our identity theft and credit reporting reform platform, with an emphasis on how well HR 4311 incorporates four of the five key recommendations we believe are critical to slowing the rise of identity theft and making it easier for those who become victims to fight back.

PIRG and Privacy Rights Clearinghouse’s key recommendations to prevent identity theft are the following: (1) Require credit bureaus to provide free credit reports annually on request, as six states already do (Colorado, Georgia, Massachusetts, Maryland, New Jersey, Vermont). (Included in HR 4311.) (2) Provide victims, as well as other consumers, with the right to block access to their credit reports. (Included in HR 4311 as fraud alert verification provision.) (3) Require matching of at least four points of identity, such as exact name and exact address, date of birth, former address, and Social Security number between credit reports and credit applications. (4) Improve address-change verification. (Included in HR 4311.) (5) Close the "credit header" loophole that allows Social Security numbers to be sold on the information marketplace, including over the Internet. (Included in HR 4311.)

Experts divide financial identity theft into two main categories. "True name" fraud occurs when someone uses pieces of a consumer's personal identifying information, usually a Social Security number (SSN), to open new accounts in his or her name. Thieves can obtain this information in a variety of ways, from going through a consumer's garbage looking for financial receipts with account numbers and SSNs, to obtaining SSNs in the workplace, to hacking into computer Internet sites, or buying SSNs online.

"Account takeover" occurs when thieves gain access to a person's existing accounts and make fraudulent charges. Regardless of the types of fraud committed or the amount of money taken fraudulently, victims indicate that stress, emotional trauma, time lost, and damaged credit reputation -- not the financial aspect of the fraud -- are the most difficult problems they face. One victim from Nevada explained to us, "this is an extremely excruciating and violating experience, and clearly the most difficult obstacle I have ever dealt with."

Increasingly, thieves are also committing other crimes using the names generated from identity fraud. In the PIRG/PRC survey, thieves committed various other types of fraud with the respondents' information, including renting apartments, establishing phone service, obtaining employment, failing to pay taxes, and subscribing to online porn sites. In 15% of the cases, the thief actually committed a crime and provided the victim's information when he or she was arrested. A growing problem for victims is that thieves who have rented apartments or purchased homes using fraudulent identities are filing for bankruptcy in the victim’s name, with the intention of seeking a mandatory stay against eviction or foreclosure. The false public record bankruptcies are difficult for victims to remove.

The California Public Interest Research Group and the Privacy Rights Clearinghouse have been helping victims of identity theft for years through advocacy, free guides, hotlines, and monthly support group meetings. We have talked to thousands of victims over the phone, through letters and electronic mail, and in person, hearing new, unique and horrifying experiences every day. But so far there have been little in-depth data collected on the specific problems that victims face or on the specific gaps in law enforcement efforts and credit industry practices that make cleaning up a stolen identity such a time-consuming and seemingly impossible task.

In the spring of 2000, CALPIRG and Privacy Rights Clearinghouse sent surveys to victims who had recently contact our offices, and published a report based on the findings, entitled "Nowhere To Turn: Victims Speak Out on Identity Theft.⁶" The report followed up on CALPIRG's groundbreaking identity theft reports⁷ released in 1996 and 1997, and on the pioneering work of the Privacy Rights Clearinghouse in assisting victims and drawing attention to their plight. Both organizations have also worked with victims to find ways that they can help themselves, because until the Federal Trade Commission established its clearinghouse, there was no government agency that made identity theft solutions its priority.⁸

The data pinpoint the failure of law enforcement, government, and the credit industry to address the root causes of identity theft. By not changing their procedures, these stakeholders have both helped perpetuate identity theft and have made it difficult for victims to resolve their cases expeditiously. Although each identity theft case is different, we have been able to identify patterns and trends in the victims' responses. The survey data also verify that the stories in the news on identity theft are not extreme cases in which an unlucky victim has had an unusually bad experience. As one victim from California stated, "It was as terrible as all the books and articles say it is."

• Forty-five percent (45%) of the victims consider their cases to be solved; and it took them an average of nearly two years, or 23 months, to resolve them. Victims (55%) in the survey whose cases were open, or unsolved, reported that their cases have already been open an average of 44 months, or almost 4 years.
• Three-fourths, or 76%, of respondents were victims of "true name fraud." Victims reported that thieves opened an average of six new fraudulent accounts; the number ranged from 1 to 30 new accounts.
• The average total fraudulent charges made on the new and existing accounts of those surveyed was $18,000, with reported charges ranging from $250 up to $200,000. The most common amount of fraudulent charges reported was $6,000.
• Victims spent an average of 175 hours actively trying to resolve the problems caused by their identity theft. Seven respondents estimated that they spent between 500 and 1500 hours on the problem.
• Victims reported spending between $30 and $2,000 on costs related to their identity theft, not including lawyers' fees. The average loss was $808, but most victims estimated spending around $100 in out-of-pocket costs.

Victims most frequently reported discovering their identity theft in two ways: denial of either credit or a loan due to a negative credit report caused by the fraudulent accounts (30%) and contact by a creditor or debt collection agency demanding payment (29%).

• Victims surveyed reported learning about the theft an average of 14 months after it occurred, and in one case it took 10 years to find out.
• In one-third (32%) of the cases, victims had no idea how the identity theft had happened. Forty-four percent (44%) of all the victims had an idea how it could have happened, but did not know who the thief was. But in 17% of the cases, someone the victim knew -- either a relative, business associate, or other acquaintance -- stole his or her identity.
• Victims reported that all of the credit bureaus were difficult to reach, but the hardest one to get in touch with, and the one about which most negative comments were made, was Equifax. Over one-third of the respondents reported not being able to speak with a "live" representative at Equifax or Experian despite numerous attempts. Less than two-thirds felt that the credit bureaus had been effective in removing the fraudulent accounts or placing a fraud alert on their reports. Despite the placement of a fraud alert on a victim's credit report, almost half (46%) of the respondents’ financial fraud recurred on each credit report.⁹
• All but one of the respondents contacted the police about their cases, and 76% of those felt that the police were unhelpful. Law enforcement agents issued a police report less than three-fourths of the time, and assigned a detective to the victims' cases less than half of the time. Despite the high rate of dissatisfaction with law enforcement assistance, 21% of the victims reported that their identity thieves had been arrested, often on unrelated charges.
• Thirty-nine percent (39%) of the victims reported contacting the postal inspector about their cases, and only 28% (7 out of 25) of those respondents found the post office helpful. Only four of the respondents reported that the postal inspector placed a statement of fraud on their name and address.
• Forty-five percent (45%) of the respondents reported that their cases involved their drivers’ licenses. For example, the license had been stolen and used as identification, or the thief had obtained a license with his or her picture but containing the victim’s information. Fifty-six percent (56%) of the respondents contacted the Department of Motor Vehicles, and only 35% of those found the DMV helpful.
• Forty-nine percent (49%) of the respondents contacted an attorney to help solve their cases. Forty-four percent (44%) of those people found their attorney to be somewhat helpful. Many consumers contacted attorneys at public interest law firms and received advice for free. Attorneys’ fees ranged from $800 to $40,000.
• Respondents reported that the most common problem stemming from their identity theft was lost time (78% of consumers identified this problem). Forty-two percent (42%) of consumers reported long-term negative impacts on their credit reports, and 36% reported having been denied credit or a loan due to the fraud. Twelve percent (12%) of the respondents noted as a related problem that there was a criminal investigation of them or a warrant issued for their arrest due to the identity theft.

The bill before the committee, HR 4311, incorporates key elements of the PIRG/Privacy Rights Clearinghouse Platform¹⁰ on Identity Theft and Fair Credit Reporting Act reform. Among its highlights are the following:

HR 4311 requires a free credit report annually: Credit bureaus should provide a free report annually on request to detect identity theft early and generally improve the accuracy and transparency of credit reporting.¹¹ Six states (Colorado, Georgia, Massachusetts, Maryland, New Jersey, Vermont) grant consumers the right to a free credit report annually on request from each of the Big Three credit bureaus – Equifax, Experian and Trans Union. Colorado’s law laudably also requires an annual notice from the Big Three national credit bureaus (also known as credit reporting agencies, or CRAs) to all credit-active consumers describing their rights under the law, including their right to a free report annually on request. Georgia allows consumers to obtain two free reports per year.

HR 4311 closes the "credit header loophole:" At the time of a 1994 consent decree with TRW (now Experian) that properly prohibited target marketing from credit reports, the FTC made a serious mistake. It defined certain sensitive personal demographic information contained in credit reports (name, address, phone number, previous address, date of birth, Social Security Number) as exempt from the definition of credit report. Under this loophole, the credit bureaus now traffic widely in "credit headers," which include the demographic information found in a credit report that is not associated with a specific credit trade line or public record. The fly-by-night information broker websites that sell Social Security Numbers to identity thieves and stalkers have generally obtained the Social Security Numbers from credit header data.

The FTC has taken two recent actions to protect privacy. First, in March 2000, in an order against Trans Union,¹² the FTC narrowed the definition of credit header. It removed dates of birth from credit headers, since age is a determinant of creditworthiness. It stated that since credit scoring and other credit decisions use age, then age information could only be sold by credit bureaus as part of a full credit report. Generally, the use of credit reports is subject to numerous restrictions to protect privacy and avoid misuse. The use of credit headers is not.

Second, in its final regulation implementing Title V of the Gramm-Leach-Bliley Act¹³, the FTC ruled that credit bureaus could not share credit headers in the circumstance where the subject consumers had exercised their (forthcoming) right under Gramm-Leach-Bliley to opt-out of information sharing with unaffiliated third parties.

We urge the members of the committee to exercise extreme diligence in the waning days of the 106th Congress. We fully expect the credit reporting and information reference services industries to attempt to slip language into whatever bills are moving on the floor that would roll back this important FTC effort to correctly interpret that Gramm-Leach-Bliley grants consumers greater control over the sale and sharing of their personal information to prevent identity theft and other abuses. While our preferred position is to enact the Hooley bill, we must be watchful that gains already made for consumers are not taken away.

The Hooley credit header proposal eliminates the need for consumers to opt-out to protect their credit header records. It identifies all sensitive personal information in a credit report (everything except name and address) as part of the credit report. So, Social Security Numbers or other non-public information could only be sold or shared with parties that have a permissible purpose to obtain a credit report. This is a strong and important provision to prevent identity theft. As William Safire pointed out in last week’s New York Times, in a column about the stalker-murder of Amy Boyer in New Hampshire, not all provisions before the Congress will rein in the practices of information brokers.

"A stalker paid only $45 to an Internet research service to get Amy Boyer's Social Security number. That supposedly private, personal information led her former suitor to the workplace of the 20-year-old New Hampshire woman. He murdered her and killed himself.

That's the sort of horror story that moves officials to make a pass at action. The Senate Appropriations Committee, at the behest of the New Hampshire Republican Judd Gregg, sent to the floor a bill prohibiting individuals from "displaying to the public" anybody's Social Security number without consent.

His weak bill exempts "information brokers" that led the stalker to his prey…¹⁴"

Allowing some continued trafficking in Social Security Numbers, as the well-intentioned, but flawed, Amy Boyer Law would allow, is not adequate to protect privacy. We need stronger protections for sensitive personal information. The Hooley bill’s provision to close the credit header loophole completely is more protective than the Gregg proposal. We note that one other bill moving in the House includes a credit header protection provision similar to HR 4311’s. The Ways and Means Committee’s Subcommittee on Social Security has already approved H.R. 4857, (Shaw-R-FL) the "Privacy and Identification Protection Act of 2000." This bill may be marked up soon in the full Ways and Means Committee and has a subsequent referral to the Banking Committee, for consideration of its credit header provision. We urge its support.

HR 4311 Improves Change Of Address Notification: Incredibly, identity thieves often steal mail, including pre-approved credit applications, and then apply for credit at a new address. Alternatively, they apply in department stores for "instant credit" in the victim’s name, but at a different address. Creditors routinely grant this credit to the thief. Consumers will benefit from the new address change notification provisions of the Hooley bill.

HR 4311 Requires Fraud Alert Flags: Past victims often complain to our organizations that the so-called fraud alert flags used by the credit reporting agencies (credit bureaus) are either ineffective, ignored, or not sent to report requesters. The Hooley bill would make such notification a requirement, even if the CRA were providing information for the establishment of a credit score. Currently, no requirement in law requires that either credit score models or credit decision makers relying on credit reports take the presence of fraud flags into account. Importantly, the Hooley provision would prevent the issuance of credit on any account with a fraud flag unless the creditor confirms the identity of the consumer and the particular consumer has actually authorized the issuance of credit. Essentially, this fraud flag provision implements in a very effective way one of our most important recommendations: it empowers consumers to control access to their credit reports. We call that "the right to block." Although the credit reporting industry is generally subject to strong information practice rules (relative to other industries that maintain databases on consumers) credit reports can generally be obtained without consumer consent. All a requester needs is a "permissible purpose." The Hooley fraud flag provision gives victims a strong right to block, or control access to their reports. The provision is highly appropriate, since victims often become repeat victims.

The Identity Theft Prevention Act of 2000 has great potential to slow the growth of identity theft and stalking. Identity theft is a white-collar crime that wrecks financial lives. High-tech stalking can result in grave physical harm. In our view, unless they are subjected to the logical rules proposed by Rep. Hooley, creditors and credit bureaus will not do all that they can to stop identity theft. Consumers deserve greater protection against this horrible crime than these firms have provided on their own. We urge support for the bill.

________________________________
1.  The California Public Interest Research Group (CALPIRG) is a statewide, non-profit non-partisan public interest advocacy group that works on environmental, consumer, and good-government issues. Since 1972, CALPIRG has been one of the state’s leading public interest groups, with 70,000 student and citizen members across the state. The consumer program works to protect consumers from financial rip-offs, unsafe products, and invasions of privacy. U.S. PIRG serves as the national lobbying office for CALPIRG and the other state PIRGs. <http://www.pirg.org>

14. Senator Gregg’s "Amy Boyer Law," S. 2554, has been incorporated as a committee amendment into HR 4690, the Commerce-Justice-State Appropriations bill, which is being prepared for Senate floor action. Also see "Guarding Your Identity, William Safire, The New York Times, 7 Sept 00, opinion page.