Before The House Committee on Banking And Financial Services

Hearing on H.R. 4311
The Identity Theft Prevention Act of 2000

September 13, 2000

Testimony of Ronald L. Plesser

Coordinator, Individual Reference Services Group

www.irsg.org

The IRSG represents leading information industry companies, including major credit reporting agencies, that provide commercial information services to help verify the identity of or locate individuals. Customers use individual reference services for a variety of purposes. They include:

<

· finding witnesses, heirs, pension beneficiaries, and hidden assets—indeed, regulations issued by several federal agencies require the use of these types of services.

· tracking down missing and exploited children, and finding deadbeat dads,

· locating blood, bone, and organ donors, and

· verifying the identities of contributors to political campaigns.

Each of the companies that belong to the IRSG has adopted self-regulatory principles governing the dissemination and use of personal data. The IRSG developed these principles in 1997 in conjunction with the Federal Trade Commission. As part of these principles, companies commit, among other things, to restrict their distribution of non-public information through appropriate safeguards. One such safeguard prohibits the display of social security numbers and dates of birth in individual reference service products distributed to the general public and, for products distributed to professional or commercial users, a prohibition on the display of such information unless truncated in an appropriate manner (e.g., masking of the last four or more digits of social security numbers). This principle has helped reduce the availability of social security numbers for sale on the Internet.

The products offered by individual reference services are used in the fight against identity theft, where verifying an individual’s identity is crucial. Banks, credit card companies, and other types of credit institutions, as well as gas, electric, telephone utility companies and governmental entities distributing public entitlement programs are all becoming increasingly plagued by frauds who use an existing person's identity to illegally extract products, services and money.

Individual reference service products also are an important tool for other types of fraud prevention efforts by businesses. The insurance industry, for example, relies on individual reference service products to investigate fraudulent claims. Credit card companies and department stores use them to detect and limit credit card fraud. Banks use them to detect and report credit card fraud, insider abuse, and money laundering. Many businesses use them to minimize the risk of financial fraud when they receive an unusual order for delivery of merchandise.

Since the victims of identity theft are not only the businesses that lose billions to various forms of identity theft per year, but also the consumers whose credit is often ruined by this insidious act, everybody directly benefits by this application of the personal identifying information provided by individual reference services.

H.R. 4311 would directly affect individual reference services in two ways. First, section 7 would cut off the supply of the type of identifying information we obtain from consumer reporting agencies and use to help ensure accuracy in indexing and compiling disparate information. Second, section 8 would mandate that individual reference service companies enter a very different market than they ever sought to enter—the consumer market for public record information—as a condition of selling public record information to lawyers, law enforcement officials, journalists, and other professionals. These proposals are, at best, burdensome and unnecessary and, at worst, unconstitutional and harmful to consumers.

The IRSG supports other efforts by some members of Congress that strike the right balance on social security number privacy. These efforts focus upon restricting the display or sale of social security numbers to the public rather than any sale of social security numbers. This approach prevents people from discovering anyone’s social security number from a commercial source, thereby protecting privacy. At the same time, it preserves the ability of people who already know someone’s social security number, typically in a commercial, governmental, or law enforcement context, to use a commercial database for important public purposes, to use it for beneficial purposes, including fighting identity theft.

Good morning, Mr. Chairman, and thank you for the opportunity to appear before your Committee as it examines identity theft issues. My name is Ronald Plesser and I am the coordinator of the Individual Reference Services Group (IRSG). The IRSG is a group of the leading information industry companies, including major credit reporting agencies, that provide services to help identify, verify, or locate individuals. Each of the member companies has adopted self-regulatory principles governing the dissemination and use of personal data, principles which the IRSG developed in 1997 in conjunction with the Federal Trade Commission.

The members of the IRSG are committed to the responsible acquisition and use of personally identifiable information, and share the Committee’s concern about the potential misuse of data for identity theft and other harmful purposes. Indeed, in the fight against identity theft, where verifying an individual’s identity is crucial, individual reference service products are absolutely essential.

My remarks today will focus on three areas. First, because most people know relatively little about our industry and may confuse the sort of services that are the topic of this hearing with the mainstream of the industry, I will explain the customer base and socially beneficial uses for individual reference information. For example, law enforcement agencies and fraud investigators are major users of these services, and at a 1997 FTC workshop on database privacy the Secret Service, the Treasury Department’s Financial Crimes Enforcement Network ("FINCEN"), American Bankers Association, and National Retail Federation all testified to the importance of these services for their work preventing and pursuing fraud. Second, I will provide some background about the IRSG principles and their enforcement mechanisms. Finally, I will make some observations about the impact of the types of approaches to SSN regulation in both H.R. 4311 and H.R. 4857 on the individual reference services.

II. Uses of Individual Reference Service Information

Individual reference services are companies that furnish timely and reliable information to identify and locate individuals. The information is used by governmental, private sector, and non-profit entities for a wide range of beneficial purposes.

Individual reference services are often the only way that individuals with limited resources, through the assistance of a professional who has access to these services, can obtain critical information. IRSG customers are professionals, primarily in the fields of law, business, journalism, and law enforcement.

For example, law enforcement agencies use these services to locate criminals and witnesses to crimes, and to confirm identities. In fact, individual reference services play an important role in combating the very sorts of fraud that flow from personal financial information falling into the wrong hands. At the June 1997 FTC workshop examining reference services, witnesses from both FINCEN and the Financial Crimes Section of the U.S. Secret Service testified to the value and importance of these services for their work.

In the fight against identity theft, where verifying an individual’s identity is crucial, individual reference service products are absolutely essential. Banks, credit card companies, and other types of credit institutions, as well as gas, electric, and telephone companies and governmental entities distributing public entitlement programs, are all becoming increasingly plagued by fraudsters who use an existing person’s identity to illegally obtain products, services and money. The best, and perhaps only, means of preventing this type of fraud is to crosscheck through the use of personal identifying data, often provided by individual reference services. Since the victims of identity theft are not only the businesses that lose billions to various forms of identity theft per year, but also the consumers whose credit is often ruined by this insidious act, everyone directly benefits by this application of the personal identifying information provided by individual reference services.

Individual reference service products also are an important tool for other types of fraud prevention efforts by businesses. The insurance industry, for example, relies on individual reference service products to investigate fraudulent claims. Credit card companies and department stores use them to detect and limit credit card fraud. Banks use them to detect and report credit card fraud, insider abuse, and money laundering. Many businesses use them to minimize the risk of financial fraud when they receive an unusual order for delivery of merchandise. Other businesses use them when performing due diligence before engaging in a business venture with a little-known corporation in the increasingly mobile world economy. The Insurance Information Institute reports that special investigation units save their companies about $10 for every dollar invested in them.

Reference services help people in many other ways. One of the most compelling is child support enforcement. Whereas government-compiled child support databases have encountered difficulties in some instances, individual reference services have proven to be invaluable in tracking down parents who are delinquent in these obligations. In this way, these services advance personal responsibility, give much-needed income to divorced parents and their children, help free families from welfare dependency, and provide an additional source of revenue to state welfare programs. Individual reference services can locate non-custodial parents quickly and inexpensively, even in circumstances where they move to a different state or begin using a different name. The Association for Children for Enforcement of Support ("ACES"), the leading child support advocacy organization, uses LEXIS-NEXIS’ P-TRAK service to assist families—approximately 80 percent of whom are on welfare—in locating parents who have failed to meet legal child support obligations. ACES has reported tremendous success with the service, locating more than 75 percent of the "deadbeat" parents they sought, and helping families receive much-needed support.

Among the many other important uses of individual reference services are:

· finding long-lost family members,

Rapid advances in technology, a highly mobile society, the need to prevent fraud, and other market demands for information have spurred increased reliance upon information services provided by individual reference services. These changes in society and technology also have resulted in a heightened interest in the privacy considerations implicated by such services. The IRSG members are attuned to these issues and have strongly committed to taking a leadership role in effectively addressing them.

Privacy protection in the United States has evolved in a way that offers individuals effective protections while, at the same time, not limiting the benefits of technological advances. The ability to preserve both of these important interests results from a network of different policies. These policies are tailored to provide protections in specific circumstances in order to prevent actual or potential abuses of personal information. This sectoral approach is preferable to an omnibus or "one-size-fits-all" privacy policy that would govern all industries. Addressing privacy issues within specific industry sectors has proven very effective in evolving and responding to changes in industry and society.

The importance of defining privacy practices tailored to specific types of information is demonstrated in the IRSG principles.

In September 1996, in the closing hours of the 104th Congress, the Federal Trade Commission proposed a broad prohibition on the use of credit header information—non-financial identifying information obtained from a consumer reporting agency's database. Members of the individual reference service industry and those who rely on credit header information alerted Congress that such a prohibition would severely limit important uses of this information. As a result of arguments made by industry, regulatory efforts were postponed until a further study of the issues could be conducted.

Fourteen of the leading companies in the individual reference services industry joined together to form the IRSG. The companies that comprise the IRSG provide information and assisting users in identifying and locating individuals. In close consultation with the Federal Trade Commission, the IRSG developed a comprehensive set of self-regulatory principles backed by third-party assessments and government enforcement that these companies follow.

These principles focus on non-public information, that is, information about an individual that is of a private nature and neither available to the general public nor obtained from a public record. For example, the principles govern information obtained from credit headers, such as social security numbers and addresses and telephone numbers.

Companies that sign on to the IRSG principles commit—among other things—to:

One of the safeguards on the distribution of non-public information is a prohibition on the display of social security numbers and dates of birth in individual reference service products distributed to the general public and, for products distributed to professional or commercial users, a prohibition on the display of such information unless truncated in an appropriate manner (e.g., masking of the last four or more digits of social security numbers). This IRSG principle has helped reduce the availability of social security numbers for sale on the Internet.

Third-party assessments backed by government enforcement provide real "teeth" for enforcing these principles. Enforcement rests on the following three pillars:

• Legal sanctions—Any company that holds itself out to the public as following the principles may be responsible under existing federal and state law if the company fails to live up to them. Both the Federal Trade Commission and state attorneys general can bring charges under Section 5 of the Federal Trade Commission Act and similar state laws against member companies that fail to adhere the principles.

• Cut-off of data supply—Signatories to these principles require by contract that all companies buying non-public data from them for resale abide by the principles. Non-complying companies risk losing access to the data they need for their products or services. This is particularly significant in that the FTC estimated that IRSG signatories control 90% of all non-public information obtained from credit headers.

• Independent assurance reviews—Every IRSG company must undergo a third-party assessment to verify compliance with the principles. I will describe this in more detail below.

In the spirit of openness, the principles require individual reference services to have an information practices policy statement available to the public upon request. These statements describe:

This openness enables individuals to understand the reference service’s use of the information it possesses. Individual reference services also inform individuals, upon request, of the choices available to limit access to or use of information about them contained in a company’s products and services. Further, the principles require an individual reference service to provide information about the nature of public record and publicly available information that it makes available in its products and services and the sources of such information.

To help ensure that member companies do not make unsubstantiated assertions of compliance, the IRSG principles require that independent professional services conduct annual third-party assessments of their compliance. These independent professional services can be accounting firms, law firms, or security consultants who use the criteria developed by PriceWaterhouseCoopers for the IRSG.

When the principles were adopted in December 1997, these companies agreed that the assurance reviews would be completed within 15 months. I am pleased to report that this is the second consecutive year in which the companies that offer products that fall within the scope of the IRSG principles and subscribe to the principles have successfully undergone these assessments. As this milestone attests, the IRSG has made great strides through self-regulation to secure the benefits of information service resources and ensure effective protection of consumer privacy.

H.R. 4311 would directly affect individual reference services in two ways. First, section 7 would cut off the supply of the type of identifying information we obtain from consumer reporting agencies and use to help ensure accuracy in indexing and compiling disparate information. Second, section 8 would mandate that individual reference service companies enter a very different market than they ever sought to enter—the consumer market for public record information—as a condition of selling public record information to lawyers, law enforcement officials, journalists, and other professionals. These proposals are, at best, burdensome and unnecessary and, at worst, unconstitutional and harmful to consumers.

In prohibiting consumer reporting agencies from supplying anything other than a consumer’s name and current address without a "permissible purpose," as defined by the Fair Credit Reporting Act, section 7 would have the effect of cutting off identifying information that we use to index and organize disparate information. Distinguishing between "John Smiths" who live in the same town is far more effective when we have available to us prior addresses, age, and social security number information. These indexing and verification uses are critical to ensuring that the products IRSG members offer to professional and government agencies contain accurate and complete information.

The use of social security number information for indexing and verification purposes is different than the display of such information in individual reference service products. As noted earlier, the IRSG principles prohibit the display of social security numbers and dates of birth in individual reference service products distributed to the general public and, for products distributed to professional or commercial users, prohibit the display of such information unless truncated in an appropriate manner.¹

Cutting off the availability of social security numbers and similar identifying information for indexing and verification purposes is particularly ironic in light of the requirement in section 8, discussed below, that individual reference service companies provide consumers with copies of "their files," who in turn will probably review the information for accuracy and completeness.

Requiring individual reference service providers, upon request, to disclose to a consumer "the nature, content, and substance of all information in the file maintained by the provider," is unnecessary, burdensome, and unwise.

Section 8’s requirement is unnecessary insofar as the IRSG’s access principle already requires an individual reference service to provide an individual with "non-public information contained in" its look-up products that specifically identifies him or her. (Two types of information are exempted from this requirement: information obtained on a limited use basis from a governmental agency and information whose disclosure is limited by law or legally recognized privilege.)

For public record information (and publicly available information) contained in an individual reference service’s products, the IRSG principles require a company, upon request, to advise an individual about the nature of such information that it makes available in its products and the sources of such information. Public record information is information about or related to an individual that has been obtained originally from the records of a federal, state, or local government entity that are open for public inspection. Examples of public records include titles to real property, real property tax assessor records, bankruptcies, judgments, liens, state professional licenses, and death records.

When contacted by an individual concerning an alleged inaccuracy about that individual in its public record information, the IRSG principles further require an individual reference service company to inform the individual of the source of the information and, if reasonably available, where a request for correction may be directed. To be effective, any correction of errors must be made with the government entities that are the sources of this information. The task of individual reference services in this regard is to reflect reliably the data made available by the originating public record source.

Moreover, neither inaccuracies nor consumer harm are a significant issue in connection with individual reference services. Technological developments and quality assurance measures yield information that reliably mirrors the original public records. Furthermore, the FTC acknowledged in its 1997 Report to Congress on Individual Reference Services that "neither workshop participants nor commentators identified concrete evidence of harm linked directly to inaccurate records offered by look-up services." Nor has any evidence to the contrary emerged since 1997. In addition, statutory safeguards do exist for individuals in the vast majority of circumstances in which the distribution of inaccurate public record information might cause them real harm. For example, the Fair Credit Reporting Act already regulates extensively the use of public record information in connection with decisions about a consumer’s eligibility for employment, credit, or insurance.

Weighed against this dearth of evidence of inaccuracies or consumer harm is the enormous potential burden associated with retrieving potentially relevant information from the large number of databases of public records and verifying that it pertains to the individual making the request. This is necessary because many individual reference services, unlike consumer reporting agencies, do not maintain "files" in connection with specific individuals. For example, individual reference services leave to their customers the tasks of formulating their search inquiries, of personally reviewing the search results to determine whether the search might have been under-inclusive and, where the search inquiry is over-inclusive, of personally reviewing the search results to determine what records may be relevant. To meet the bill’s demands, however, individual reference services would need to hire teams of customer service representatives, train them, and assume the risk of error in formulating search inquiries and making associated decisions. In short, it would force individual reference services to assume risks they long ago shifted to their customers.

Finally, section 8 would require that, as a condition of selling public record information to lawyers, law enforcement officials, journalists, and other professionals, individual reference services enter the consumer market for public record information. This is a very different market than most individual reference services ever sought to enter. Moreover, imposing this condition would run afoul of the First Amendment because it would unduly burden the publication of information already in the public domain. See, e.g., The Florida Star v. B.J.F., 491 U.S. 524 (1989) (striking down statute that imposed civil liability upon a newspaper for publishing the name of a rape victim which it had obtained from a publicly released police report); Smith v. Daily Mail Publishing Co., 443 U.S. 97 (1979) (finding unconstitutional the indictment of two newspapers for violating a state statute forbidding newspapers to publish the name of any youth charged as a juvenile offender).

Other legislative alternatives, including H.R. 4857, threaten to cut off the best commercial source of SSNs to the detriment of socially beneficial efforts to combat financial fraud, locate individuals, and verify their identities. Specifically, section 106 of this bill would amend the Fair Credit Reporting Act to include SSNs as among the information included in a consumer report. As noted above, the continued ability to use SSNs for indexing and verification of information is critical to ensuring that the products the IRSG members offer to professional and government agencies contain accurate and complete information. Ironically, this provision would have the effect of increasing identity theft by preventing use of SSNs by commercial databases that are a significant tool in fighting identity theft.

The IRSG supports other efforts by some members of Congress that strike the right balance on social security number privacy. These efforts focus upon restricting the display or sale of SSNs to the public rather than any sale of SSNs. This approach prevents people from discovering anyone’s social security number from a commercial source, thereby protecting privacy. At the same time, it preserves the ability of people who already know someone’s social security number, typically in a commercial, governmental, or law enforcement context, to use a commercial database for important public purposes, to use it for beneficial purposes, including fighting identity theft.

Members of the IRSG are committed to the responsible acquisition and use of personally identifiable information, and share the Committee’s concern about the potential misuse of data for identity theft and other harmful purposes. Nevertheless, individual reference service products are absolutely essential in the fight against identity theft, and the Congress should not take any steps that would jeopardize the usefulness of such services.

_____________________
1. This IRSG principle has helped reduce the availability of social security numbers for sale on the Internet. The most common sources of such information today are Web sites operated by private investigators and Web sites selling "stale" information they obtained prior to the implementation of the IRSG principles.