WRITTEN TESTIMONY

Good morning, Chairman Stevens, Co-Chairman Inouye, Presiding Senator Smith, Honorable committee members, and invited guests. Thank you very much for the opportunity to address you today regarding concerns about identity theft and Data Broker Services. I am grateful that Congress is studying this issue to craft strong measures to prevent identity theft in our society.Ý Your desire to shine the light on these problems and make needed changes deserves commendation. I also thank this panel of witnesses who will educate us about these issues from all perspectives and help to create solutions so that we may better protect our personal and confidential information and reduce this insidious crime. Additionally I thank Senator Bill Nelson for introducing S 500, The Information Protection and Security Act, which I support because it addresses the need for responsible and reasonable oversight over the Data Broker Services Industry while providing fair information principles.Ý I will be happy to assist this committee with other legislative proposals such as S 768 and others. Since this issue affects each one of us, I encourage a bi-partisan collaborative approach to protect ourselves from identity theft.

My name is Mari Frank. I am an attorney, privacy consultant, and author of several books on identity theft from Laguna Niguel, California. (My two newest books are Safeguard Your Identity: Protect Yourself with a Personal Privacy Audit (Porpoise Press, 2005 and From Victim To Victor: A Step By Step Guide For Ending the Nightmare of Identity Theft 2nd Edition with CD, Porpoise Press, 2005) www.identitytheft.org.) I serve as a volunteer Sheriff Reserve for the Orange County, California Sheriff Department, and sit on the Advisory Board of the State of California Office of Privacy Protection which focuses on privacy and identity theft safeguards for California citizens. Additionally, I am a member of the State of California's Department of Motor Vehicle's Task Force on Privacy and Identity Theft, I've served on the Los Angeles District Attorneyís Office Task Force on Identity Theft, and I am an advisory board member to the non- profitÝ Identity Theft Resource Center. I have personally assisted myriad victims across the country with my personal time and educational materials, and have donated hundreds of pro-bono hours to assist victims.Ý I have had the privilege of testifying before several legislative bodies and four US Congressional committees, and have consulted with national corporations on how to protect their clients, customers, vendors, employees, and their businesses from the challenges of and identity theft and other privacy concerns. I am a certified trainer for Continuing Legal Education of the State Bar of California, a former law professor, and I presently teach Conflict Management at the University of California, Irvine.

My own identity was stolen (in 1996) by an impostor who paraded as me- stealing my personal as well as my professional lawyer identity.Ý While wrecking my credit, she also destroyed my sense of security and peace of mind.Ý My impersonator obtained over $50,000 using my name, purchased a red convertible Mustang, and even caused me to be threatened with a lawsuit by a rental car company for the auto that she damaged in an accident. It took me almost a year and over 500 hours to clear my records and regain my credit and my life. I accumulated five banker boxes of correspondence, and lived in fear of how else this invisible person might harm me and my children. I finally learned that while working as a temporary secretary in a law office four hours from my own office, my evil twin (who I never met) was able to access my credit history (as well as the profile of other lawyers) from an information broker who had a contract with that office.Ý My impostor did not need to prove who she was or establish that she had a permissible purpose to download the profile, so it was instantly faxed to her.Ý From that report, she obtained my social security number and other personal and financial facts to become my identity-clone. When that data broker, situated across the country, electronically transferred my consumer profile to a criminal in a city 4 hours from my home, it was beyond my control to do anything to prevent the fraud.

From that arduous nightmare, I gained great insight into the tribulations that victims endure- I became an expert by necessity. After speaking with several thousand victims, I have learned that most victims are not negligent with their personal information, and that no amount of "consumer education" or vigilance will protect them from identity theft if their information is acquired in a security breach by an unscrupulous employee, or by faulty information handling practices of entities that maintain their data. Consumer privacy education is important to minimize your risk and keep you informed as to barriers to erect, but it won't guarantee that your identity won't be stolen by a data breach.

Your esteemed committee has invited me to focus on the concerns and problems experienced by victims of identity theft and security breaches. I will concentrate my testimony on answering the following questions:

II. HOW DOES IDENTITY THEFT OCCUR, AND WHAT ARE THE UNIQUE ISSUES AS TO DATA BROKERS?

III. WHAT ARE REAL LIFE EXAMPLES OF IDENTITY THEFT AS THEY RELATE TO INFORMATION BROKERS?

IV. WHAT IS THE IMPACT OF SECURITY BREACHES ON CITIZENS WHOSE INFORMATION IS STOLEN?

V. WHAT NEEDS TO BE DONE WITH REGARD TO MINIMIZING THE RISKS OF IDENTITY THEFT WITH REGARD TO INFORMATION BROKERS?

In our data driven society your personal information is readily transferred across the world in a nano-second through networks and on the Internet (whether or not you are a computer user).Ý Your personal information, worth more than currency itself, can be used to apply for credit cards, credit lines, mortgages, cell phones, insurance, utilities, products and services etc. all without your knowledge.Ý A fraudster can do anything you can do with your identifying information- and worse- even do things you wouldnít do such as commit crimes, seek revenge, or engage in terrorist activities.

A. WHAT IS IDENTITY THEFT AND HOW IS IT USED?

Identity theft occurs when your personal (or business) identifying information such as your name, social security number, address, birth date, unique passwords, business name or logo, or even biometric information, is used or transferred with the intent to use itÝ for an unlawful purpose. Below are the main motivations of fraudsters:

1.Ý Financial Gain-This includes credit, loans, new accounts, mortgages, employment, health care, insurance, welfare, citizenship, and other governmental and corporate benefits- anything that has a dollar value. The fraud may take place in multiple jurisdictions, and purchases and transfers can be made by phone, fax, on-line or in person. Usually, the perpetrator can buy or ìlegallyî obtain a driverís license, create checks on a computer with the victim's name, obtain, buy, or create other identity documents including medical cards, credit cards, passports, etc.

2.Ý Avoiding Arrest or Prosecution- A criminal commits crimes in the real world or virtual electronic world, or terrorist acts using the name and identifying information of another person.Ý Often the perpetrator also commits financial fraud as well to supplement her income.Ý In a recent meeting I attended with Senator Feinstein andÝ law enforcement, detectives and District Attorneys in CaliforniaÝ (and also in Washington) reported that that 80%- 90 % of identity thieves who are caught also have a pending or priorÝ methamphetamineÝ charge against them as well. In my own case, my impersonator was a "meth" addict who stole the identity of several lawyers to obtain credit and funds to feed her drug habit.

3. Revenge - One can remainî invisibleî by stealing an identity to hurt another person. This type of fraud may occur between ex-spouses, former business partners, ex-employees, disgruntled staff or angry customers.Ý We also see this type of fraud committed in businesses where one business owner will want to ruin the reputation of another. It can occur off-line or on-line. I've been contacted by employees, and business owners who learned that their e-mail address was used to discredit them.

4. Terrorism (Breaching Homeland Security) -The September 11, 2001 terrorists had opened 14 accounts at a Florida bank, using false social ÝÝ security numbers and other documents. They obtained credit cards, apartment units, leased cars, and ÝÝÝÝÝÝÝÝÝÝÝ fraudulently charged airline ÝÝÝÝÝÝ tickets.Ý They not only did this for financial gain, but also over half of them likely suspected that their true names were in FBI files as suspected terrorists, so theyÝ committed total identity take-over to avoid arrest. And worse, they used false identities to get revenge against our country.ÝÝ In Senator Feinstein's meeting with law enforcement in California on March 29, 2005, law enforcement ÝÝÝÝÝÝÝÝ reported that suspected terrorist cells have been apprehended with false ÝÝÝÝÝÝÝÝÝ documents in California. It is well known that foreign nationals have covertly crossed our borders and have easily obtained stolen identity documents to hide under the "radar screen".

II. HOW DOES IDENTITY THEFT OCCUR, AND WHAT ARE THE UNIQUE ISSUES AS TO DATA BROKERS?

A.Ý WAYS THAT YOUR PERSONAL INFORMATION IS STOLEN

ÝThe scope and extent of the problem of identity theft is rampant. In 2003 the FTC conducted a survey found almost 10 million new victims that year, and 27.3 million victims in the previous five years, with a cost to consumers of $5 billion and a loss to financial institutions of $48 billion. (www.consumer.gov/idtheft)Ý According to the Identity Theft Resource Center, victims paid an average of $1400 in out of pocket costs (not including attorney fees) and spent an average of 600 hours to regain their credit and identity.Ý (www.idtheftcenter.org) The monetary costs are miniscule compared to the devastation, stress and violation one feels when they are denied a job, unable to get an car or apartment, lose the opportunity for a home, lose insurance health benefits, or find out there is a warrant for their arrest - or worse yet, when they are convicted of a crime committed by their impostor.Ý Victims have a great burden to "prove" their innocence, beg for an identity theft report, and spend hundreds of hours calling and writing various agencies and companies to get their life back.

The epidemic of identity theft is growing because sensitive personal information is acquired very easily, and the issuers of credit are often less than careful in verifying and authenticating the true identity of the applicant.Ý There are many ways that fraudsters obtain data about us-It may be appropriated by , stolen mail, dumpster-diving, lost or stolen wallets,Ý shoulder surfing,Ý burglary, friends, relatives (only about 9%), unscrupulous employees, phone fraud, internet fraud (phishing and pharming), spy ware, hackers, unprotected wireless networks, unethical use of public documents that contain personal information, needless display ofÝ the social security numbers on government documents (such as; military and Medicare identification cards,); the transfer and sale and sharing of social security numbers and otherÝ dataÝ among financial institutions, credit reporting agencies and data brokers.

B. DATA BROKERS FILES PROVIDE MASSIVE, BROAD BASED INFORMATION WHEN ACCESSED BY FRAUDSTERS

Although an identity thief has a choice of simple easy ways to steal your good name, as listed above, your identity is especially vulnerable with regard to the mega data bases held by information brokers who are collecting, storing, sharing, buying, transferring and selling huge amounts of personal and sensitive information in all inclusive profiles without any governmental oversight. (For example it is reported that ChoicePoint has 19 billion files on citizens) Although the credit bureaus also hold vast financial and personal data- and if accessed also reek havoc for victims, (like what happened to me) at least these credit reporting agencies are regulated by the Fair Credit Reporting Act, and there was a way for me to correct my file. ÝÝÝÝÝÝ

The very essence of the data broker business is selling a broad range of very private and highly sensitive information which if acquired by a person with criminal intent, provides a complete comprehensive package ready made for total identity-takeover.Ý These data bases contain your personal, professional, social, (possibly criminal) and financial existence.Ý Tapping into your data profile is a fraudster's dream come true.Ý The huge lengthy dossiers provide far more than just a social security number or the limited information that could be accessed from stealing a bank account, your mail, or even your un-shredded trash. Many of these companies have various products for sale which will tell the recipient of the report far more about you than your family or friends know. Most of us have seen our credit reports and know how all embracing they are with regard to our financial profile, but few of us have seen our complete dossier stored and sold the data aggregators. To give you an example of one type of product, I have attached as Exhibit I, a sample AutoTrack report sold by ChoicePoint for you to see how much information may be revealed about you, which also includes the persons in your home, and surrounding neighborhood. It should startle you.

When I attended the State Bar Annual Meeting last fall, I visited the exhibit hall and was summoned by one of the Data Brokers to view my profile to see if I wished to purchase this data information service in my law office. All I provided was my name, and instantly 30 pages of private information (including my social security number) appeared on the computer screen. I was shocked and horrified, not only because I felt very violated by all it revealed, but worse yet, by the numerous errors!Ý I asked the salesperson how I could correct the information and was told that I could not correct any information in the file; that this information was not subject to the Fair Credit Reporting Act.Ý Please review this attached sample profile and consider how each category heading is labeled, i.e.:" Possible Social Security Numbers Associated With This Subject; Possible Deeds Transferred; Possible Felony/Probation/ Parole". As a recovered identity theft victim, I was stunned by the prospect that some of those items in my report could have been reported as a result of my impostor's actions, and I was fearful of what could happen to me and my family if this information were to be acquired by someone who wished to do harm. I was reminded ofÝ the Amy BoyerÝ case a few years ago in which a young man, Liam Youens used an on-line information broker-Docusearch to obtain Amy's social security number, phone number, and work address in order to find her. He then appeared at her office and killed her and then committed suicide. Later in his computer, police found a message he had written about data broker services- "It's actually obscene what you can find out about people on the Internet".

D.Ý DATA BROKERS ARE OPERATING UNDER THE RADAR SCREEN AND ARE INVISIBLE TO MOST CITIZENS

Even with all the publicity about data brokers and recent security breaches, when I have spoken to large audiences in the last month about identity theft, most people still didn't know these companies by name or what they do, or how they gather data or what's in their databases. There is no transparency. In fact, most people tell me that if they had received a security breach letter from Choice Point or Lexis Nexis, they probably would have thrown it out as "junk mail" since they hadn't heard of the company and do not have a business relationship. Many potential victims who received security breach letters have not taken advantage of Lexis Nexis' offer for a year of credit monitoring (for example) because they didn't even open the envelope, or if they did, they didn't know what to worry about since they didn't know what was revealed from their files to cause alarm. None of the breach letters that I have seen contained a copy of the profile, or a detailed list of the data that was stolen.

E. EVERYONE IN THIS ROOM AND READING THIS TESTIMONY HAS A PROFILE IN THE DATA BROKER FILES.

Everyone in this room who has a birth certificate, a driver's license, if you've been married, divorced, have auto or homeowner's insurance, if you have ever worked, if you have a residence, if you have any government approved license, if you've been issued a speeding ticket- YOU ARE IN THOSE SECRETÝ FILES.Ý Every Senator in this room - and every one watching this hearing has a profile in those files. Have you seen your dossier? Do you know what fact or fiction is being sold about you? As the law stands now- you don't have the right to know what is in those files, nor do you have the right to correct the many errors, nor do you have the right to know who has had access to those sensitive files, nor can you limit their sale- actually none of us here (except perhaps the Data Broker persons) have control over anything in those files. These companies have operated in the shadows and have sold this often erroneous information to myriad companies, journalists and governmental agencies. Yet most Americans don't even know who these companies are or what they do. This is America- the home of freedom and liberty, this is not a communist country or Nazi regime where secret files are kept on citizens- and shared with various entities and governmental agencies. The FBI and other law enforcement agencies are purchasing this information from Data Brokers, so are employers, insurers, landlords, attorneys, private investigators, and others- shouldn't law abiding citizens have a right to at least see the dossiers and make sure that the information is correct?

Although the credit reporting agencies are also considered data brokers, they are regulated by the Fair Credit Reporting Act and that law gives us the right to see our data, review it, dispute it, correct it, find out who has accessed it, limit its sale and review, and give us the right to enforce our rights.Ý Unfortunately, the Information Service industry only acknowledges that a small portion of its products apply to the FCRA (i.e.: reports made for insurance, employment history, landlord tenant history, medical insurance). Why shouldn't the data brokers be subject to the same fair information principles?

III. WHAT ARE SOME REAL LIFE EXAMPLES OF IDENTITY THEFT AS THEY RELATE TO INFORMATION BROKERS?

1.Ý John is a recent widower. After his wifeÝ died of cancer at age 35,(leaving him with three young children,) he beganÝ receiving collection calls from credit card companies, a computer manufacturer, and a cell phone company for the items and services allegedly purchased by his deceased wife after her funeral.Ý He suspects that the imposter got the information from the death certificate which has the social security number and birth date on the document.Ý This could have been obtained in the funeral home, from public records off line or on line, through the social security administration, or from any information broker.

Many public records including birth certificates, death certificates, marriages, pilot and captain licenses etc. contain the social security number - which is the key to the kingdom of identity theft. The Data Brokers sell public records to almost anyone.Ý John became a victim prior to July 2003 when the California Security Breach disclosure law became effective. If he were a victim of a security breach after July 2003, he hopefully would have been notified, and would have had a chance to put up barriers to protect his deceased wife's good name and his finances.

2. Sidney, a wealthy retired executive learned that his identity was stolen many months after he and his wife purchased a new home. His loan application, with his 3 in one credit report attached, revealed his credit score, his checking, savings, and investment accounts, social security number, and all necessary information for an impostor to become Sidney. He believes his masquerader had gotten a copy of Sidneyís credit report which was on his broker's laptop.Ý The impostor opened new credit card accounts, purchased computers, electronic equipment, furniture, rented an apartment, obtained utilities, etc, stealing almost $100,000, and the couple are overwhelmed.

Allowing employees to download credit reports and maintain loan applications in unencrypted files on laptops which may be easily stolen outside a secured office, makes customers very vulnerable to identity theft.Ý It is imperative that all companies that collect data and transfer it for use, verify the recipient (that he or she has a lawful, permissible purpose), set up contracts and enforcement for the security of the information.Ý It's critical for victims to get notice immediately of any security breach, so that they may take steps to intervene and stop further fraud activities.

3. Susan, a physician received a letter from a company that she did business with, that her social security number and other information about her had been acquired by unauthorized persons.Ý She was terrified as to what could happen to her finances, and her practice.Ý She put fraud alerts on her credit profile, changed all her passwords, even closed accounts and opened new ones. She felt very violated, angry, frightened and upset.Ý Almost 1‡ years later, she started receiving calls from creditors from accounts she never owned - including cell phones, credit cards, and loans. She believed the fraud alert would remain on her credit profile - it did not. Even when the fraud alert was on her file, companies seemed to ignore the alert and issue credit.Ý Since she lives in California, she was able to place a security freeze on her profile so no one could see her credit report to issue credit without her providing a password to release her file.Ý Now she has sleepless nights about her impostor parading as a doctor and committing other crimes. She wants to see a full background check from the information brokers.

This case shows us why it is so important to receive notice of a security breach. Susan took proactive steps to prevent fraud, and several companies called her and did not issue credit.Ý Some negligent companies ignored the alert. Because she lives in one of the four states (presently California, Texas, Vermont, and Louisiana) that allow victims to "freeze" their reports, she was finally able to stop the financial fraud. But the fear of criminal identity theft is now haunting her. She should be able toÝ put a fraud alert on her consumer profile and obtain a complete background check at no cost if she is a victim- just as victims can obtain two free credit reports in the 12 months in which they learnedÝ of the fraud.Ý She should also be able to limit the sale of her consumer report and be notified with the name, telephone number and address of a business or governmental entity (other than Homeland Security) to see who is accessing her profile.

1. George, a disabled veteran living in Colorado was suddenly denied his disability payments, and hit with a large IRS bill for the income that his impostor had earned while working under his name in Tennessee.Ý Upon reporting this fraud to the police, we learned that Georgeís impostor had also established a criminal record in yet another state and there was a warrant for Georgeís arrest.

George's information about his impostor's criminal activity and work related fraud would not show up on a credit report (until the IRS reports it), but it would show up on a background check provided by the Data Brokers who are testifying today.Ý George found out the hard way, when he lost benefits and was arrested. If he had access to his consumer file, he would have found out about the fraud and wouldn't have lost his disability benefits.

George's case demonstrates why must be able to review, dispute and correct our consumer files. We should be able to get our complete dossiers at least once a year at no cost as is our right un to get a credit report from each of the three credit reporting agencies under the Fair and Accurate Credit Transactions Act.

2.Ý Lori, a disabled vet from Virginia, and single mom with a set of six year old twins was attending to school to get her Master's degree in Social Work, when the police showed up at her door.Ý She was arrested for a crime that she didn't commit. The woman who committed the fraud used the name Laura along with Lori's last name. Her fingerprints did not match the prints of the perpetrator, and the description of the fraudster was different from Lori, yet she was convicted. With my help and the help of new counsel, she was sentenced to probation- but the felony record must be corrected with a new trial. Her greatest fear isn't the new trial- it is the information broker data bases that may continue to report her as a felon even after the criminal records are cleared.Ý She has reason to fear as you will read in the next case.

3. Scott was laid off from a high paying job in the medical industry in Ohio.Ý He had great recommendations and felt sure he would be rehired.Ý For two years he was denied employment after several positive interviews and his permission to do a background check. Finally Scott hired a private investigator who showed him his criminal profile from a data broker.Ý It included two DUIs and an arrest for murder.Ý None of which belonged to him. I spent many months helping him to correct the sheriff and FBI databases.Ý But months after we cleared all the law enforcement databases, he applied for employment and was offered the job, but after reviewing his background, he was told that they couldn't hire him. He was in shock when the private investigator pulled his report again and found that a major information broker was still selling this false information to prospective employers without updating their files. Finally after a lawsuit was filed by an Ohio attorney, the information was corrected. But the years of anguish and lack of employment continues to damage his career and his personal life. Ý

Scott had no idea why he had trouble getting a job. Although a potential employer is supposed to tell you if you are denied employment due to a consumer report, and let you know how to review the report, it's understandable that an employer may be reticent to tell a "murderer" that he is denied employment due to his criminal history. Instead he was told that there were others who were more suitable for the position. If Scott had the right to see his file earlier and had the right to correct it, he would have been able to secure employment and perhaps not have divorced, lost custody of his son, nor become homeless for those years.Ý

1. Linda was married to a prominent Chicago lawyer for 25 years. When he decided to divorce to marry his secretary, he had a friend download Linda's consumer information and give it to a fraudster who applied for numerous credit cards, ordered furniture, and other luxury items. The fraudster also used Linda's name to set up e-mail accounts to send the estranged husband threatening messages. This was done to discredit Linda in court.

Obviously, there was no lawful purpose for downloading this report from the data broker.Ý There was no verification of permissive use by the data broker. It clearly was revenge and self interest.ÝÝ

2.Ý The first cyber stalking case prosecuted in Orange County, California turned out to be identity theft.Ý A computer expert was angry when a woman he liked shunned his advances.Ý He proceeded to go online to a chat room and pretend to be her- stating that she had fantasies of being raped. From a data broker, he was able to find her home phone number and address and shared it in the chatroom.Ý The woman didnít even own a computer.Ý When several men appeared at her door to share her fantasies, she was terrified and called the police. She had an emotional breakdown and the violation has left scars.

3.Ý A radio talk show host was shocked to learn that his own identity was stolen by a disgruntled listener who bought his dossier from an on-line information broker.Ý Aside from calling him at home and bullying him, he obtained access to his e-mail account and sent embarrassing e-mails to the station, pretending to be the talk show host.

The above cases demonstrate how identity theft is facilitated by the data broker industry. Unless a victim gets notice of a security breach or unless law enforcement or a private investigator can solve the mystery, most victims don't have a clue how the criminal has gotten his sensitive records.Ý The assaults against these victims caused great anguish, overwhelmed them and negatively impacted every aspect of their lives.Ý The time spent trying to regain their lives, the damage to their reputation, and the out-of-pocket costs were miniscule compared with the tremendous emotional turmoil these people endured.

ÝIV. WHAT IS THE IMPACT OF SECURITY BREACHES ON CITIZENS WHOSE INFORMATION IS STOLEN?

Persons whose information has been stolen by criminals are victims of a crime.Ý They may not yet be victims of identity theft- yet they are victims of a federal crime. Not only has their private, sensitive information gotten into the hands of unauthorized persons- but those unauthorized persons have done so with the intent to commit an unlawful act. Under 18 USC 1028 as stated below the persons committing the act are felons and those who are adversely affected are victims of a federal felony:

The Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act) 18 U.S.C. ß 1028) makes it a federal crime when anyone:

knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.

I have personally spoken with victims of security breaches who have received notice letters from entities such Lexis Nexis, ChoicePoint, Ameritrade, Bank of America, Wells Fargo and several universities, hospitals, and even smaller businesses.Ý The victims of the breach feel very violated, angry, frightened and overwhelmed and helpless.Ý It is well known that criminals steal the information and may often wait months or years to use it- or they sell it in exchange for methamphetamine or money.Ý It may be transferred several times and used for financial gain or to commit other crimes. Because the victims of the breach don't know who the criminals are or their intent, they are anxious.Ý Additionally, the victims are not notified as to exactly what information may have been taken, so they feel defenseless and don't even know what to protect.Ý Although I tell these victims actions to take to put up barriers (placing fraud alerts, instituting security freezes, changing passwords, changing mother's maiden name, monitor credit reports, etc) victims still feel incapable of insuring that their identity won't be stolen.Ý Many are fearful that their family home or office may be intruded by the perpetrators who may have their addresses, phone numbers, bank account information and perhaps an entire dossier.

Below are a couple of e-mails I received from victims of a security breach explaining their strong feelings of victimization.

Ý"My husband and I are very upset and it is overwhelming.Ý We are very anxious and it takes a tremendous amount of time and effort just to get a security freeze. The credit agencies shouldn't make it so difficult. I'm spending so much time monitoring accounts and credit reports- it's exhausting- I feel very vulnerable and frightened that some criminal knows all about me and may wait to use our stuff any time, now or in the future- what can I do?"

"I spend sleepless nights wondering when the phone may ring, or I will open a letter from a bill collector.Ý I'm worrying if someone has obtained new identification under my wife's or my name. It is scary to think that I may be pulled over by the police for something I didn't do.Ý What if they drag me or Lord forbid MY WIFE from the vehicle and handcuff us. My wife and I are losing too much sleep"

The emotional impact on these victims is intense and their fears are real. Why would a criminal steal the information if there was no intent to sell, transfer or use it for an unlawful purpose?

V. WHAT NEEDS TO BE DONE WITH REGARD TO MINIMIZING THE RISKS OF IDENTITY THEFT AS TO INFORMATION BROKERS?

ÝData Brokers must be regulated by imposing Fair Information Practices as follows:

1. TRANSPARENCY-The nature of personal data held by these companies should be readily available for inspection by the public.Ý The uses of the information should be clearly defined.

2. CONSENT AND NOTICE-Consumers should be able to give their consent to the disclosure of their information prior to disclosure, such as the rights with regard to disclosure of credit reports. The exceptions would be for defined categories of law enforcement and Homeland Security.ÝÝÝ In other words there should be an established permissible purpose; i.e. - employment background checks, insurance, landlord tenant, etc.Ý When a consumer gives his consent or it is considered a "permissible purpose", the consumer should be entitled to notice of the sale, and the consumer should receive a free copy from the entity that bought the report.

3. CONSUMER ACCESS AND INSPECTION- Individuals should have the right to one free disclosure per year as they have for credit reports. A central website and toll free numbers should be set up for consumers to get their entire profile- not just a "Clue Report".Ý If a person has become a victim of identity theft, he should be entitled to at least one other free disclosure per year for 24 months after learning of the stolen identity. The inspection report should be the same as would be accessed by a company for a background check-the complete profile. The Disclosure should also provide a list of names addresses and phone numbers of all entities that received a copy of such report in the last 5 years.Ý This would include governmental entities except for specific guidelines of Homeland Security or other law enforcement restrictions. Employers or others who order background checks on a consumer should be required to provide a copy to the consumer upon receipt whether or not the consumer report was a factor in hiring or reviewing an employee or prospective employee.

4.Ý QUALITY CONTROLS AND TIMELY CORRECTION- The information collected should be accurate, complete, updated and relevant to the purpose for which it is to be used. The Data Broker industry should allow individuals to dispute and provide prompt correction of the files within no more than 30 days. The broker should reinvestigate without cost to the consumer and make all appropriate changes if the information cannot be verified.Ý If after the data broker investigates, it finds that the investigation verified the information, the company shall provide the name, address and phone number of the verifying entity so that the consumer can directly dispute the information.

5. STRICT SECURITY CONTROLS- There should be safeguards against risk of loss, unauthorized access, alteration, hacking, etc. Audit trails and limited access should be standard as well as encryption of the sensitive data.Ý Customers should be screened both initially and with respect to how the end user is safeguarding the information from unlawful use. In the event of a security breach, the data broker must notify all individuals whose information was acquired either on paperÝ or electronically with a letter providing the consumer the nature of the breach, what information was stolen, how toÝ protect themselves with fraud alerts, security freezes and other useful tools. They should also provide a free copy of the report that was accessed. Credit monitoring and a background check monitoring would be needed. (Fraud resolution services may be necessary.)

6. ENFORCEMENT- The data broker industry must be held accountable to consumers and victims. Outside audits and training should be mandatory.Ý A private right of action is essential to allow enforcement of the provisions of the law.Ý A private right of action provides that the cost of the legal system policing against acts of preventable corporate negligence is paid by the guilty parties rather than by increasing taxes or adding to the size of government. We have seen that many provisions of FACTA and the GLB Act have not been enforced because federal agencies do not have the resources or manpower to take actions against all the violations, and why should our taxes be spent to right the wrongs of companies who violate the law.Ý Individuals should be able to seek redress for their damages without having to rely on the government to intervene, however for large cases, enforcement should be available in state courts by private parties, attorney generals and the FTC.

7.Ý PRESERVING STATES RIGHTS- Consumer reforms with regard to identity theft have derived from proactive States that were responsive to the plight of its citizens.Ý Some examples of this are the right to a free credit report, annually, the right to place a fraud alert, the right of victims to obtain information from businesses and creditors to regain their identity.Ý More recently we have found out about the security breaches of two of the data brokers here today only because of the California Security Breach law.Ý Both ChoicePoint and Lexis Nexis admitted in a senate hearing that they both experienced significant breaches prior to July 2003 when the California law became effective, and did not notify any of the victims of the breach.ÝÝ Since February 2005, over 4 million Americans have been victims of various security breaches (See exhibit II from the Wall Street Journal) - none of which we would have heard about, but for the California law.ÝÝ Arizona and California were the first two states to make identity theft a crime- leading all the states and the federal government to establish the consumer as a true victim.Ý Numerous states are instituting security freezes to lock up a consumer's credit so fraud cannot continue.Ý Federal law should serve as a floor, not a ceiling, so that states can if need be quickly address the crises of their victims.

1. Security Breach Notification must extend to all states. ÝAll governmental agencies, and private industry, schools, and other entities should be held accountable to quickly notify all persons whose sensitive and personal information (paper and electronic files) were acquired by an unauthorized person.Ý There should be an exception for encryption only if it is robust and if the unauthorized acquisition was not capable of being decrypted by an unscrupulous employee or customer. The standard of providing notice should be triggered by the acquisition of the data rather than the use of it.Ý A bank or other entity who experiences a breach should not be allowed to determine the possibility of the mis-use. The only delay of notice would be for law enforcement upon its written request.ÝÝÝÝ Allowing the business or entity to make the call as to when there might be a risk of harm is like allowing the wolf to tend the henhouse.Ý There should be enforcement by the FTC, state attorney generals and private individuals.Ý Any preemption should be a floor and not a ceiling so that states can protect their own citizens regarding unique needs. As a member of the advisory board of the California Office Of Privacy Protection, we created a list of "Recommended Practices on Notification of Security Breaches Involving Personal Information" as a guide for dealing with security breaches, please visit www.privacy.ca.gov to review those standards.

2. Governmental agencies as well as private industry should limit the use of the social security number since it is presently the key to kingdom of financial fraud.

Our advisory board to the Office of Privacy Protection in the California Office of Consumer Affairs also had the privilege of developing the ìRecommended Practices for Protecting the Confidentiality of Social Security Numbersî (www.privacy.ca.gov). This document should be considered by both pubic and private sector entities as a guide to protect all consumers.

The social security number is used as the identifier for military cards and "dog-tags", Medicare, Medicaid, pilot's licenses, captain's licenses, etc.Ý No entity should be allowed to display, post, or sell the SSN. The SSN in public records should be redacted before posting. ÝThere should be no collection of SSNs by private or governmental agencies except where necessary for a transaction and there is no other reasonable alternative.Ý SSNs collected for a specified purpose should not be used for any other purpose.Ý

3. Mandatory Destruction of Confidential Information-Ý Governmental Agencies and Private Industry should be required to completely destroy personal information that they are discarding by shredding, burning or whatever means is necessary to protect the information from dumpster diving.Ý This should extend to any confidential and sensitive information- not just information derived from consumer reports.

4. Departments of Motor Vehicle Licensing- Bureaus should establish more stringent monitoring and matching of duplicate licensing and new licenses.Ý A photo ID and a fingerprint could be matched.Ý Rather than developing a ìnational IDî with various forms of biometric information, credit cards and other unnecessary information which would complicate the process and invade privacy, this license would beÝ help deter interstate identity theft without collecting too much information nor allow it to be accessedÝ orÝ sold to private industry.

5.Ý Need for an Easier Process for Victims- Problems with the Fair and Accurate Credit Transactions Act (which was meant make things easier for victims.)

a.ÝÝ An Identity Theft Report is needed in order for victims to get an extended fraud alert, block the fraud on their profile, and gain access to records of the fraud. FACTA was meant to streamline and help victims of identity theft. However the new rules recently released by the FTC with regard to the "Identity Theft Report" clearly show the time-consuming maze that a victim must maneuver. Below is an example of the hassle of exerting your victim rights with regard FTC rule about the "Identity Theft Report."

"An Identity Theft Report may have two parts:

Part One is a copy of a report filed with a local, state, or federal law enforcement agency, like your local police department, your State Attorney General, the FBI, the U.S. Secret Service, the FTC, and the U.S. Postal Inspection Service. There is no federal law requiring a federal agency to take a report about identity theft; however, some state laws require local police departments to take reports. When you file a report, provide as much information as you can about the crime, including anything you know about the dates of the identity theft, the fraudulent accounts opened and the alleged identity thief.

Note: Knowingly submitting false information could subject you to criminal prosecution for perjury.

Part Two of an identity theft report (depends on the policies of the consumer reporting company and the information provider) (the business that sent the information to the consumer reporting company). That is, they may ask you to provide information or documentation in addition to that included in the law enforcement report which is reasonably intended to verify your identity theft. They must make their request within 15 days of receiving your law enforcement report, or, if you already obtained an extended fraud alert on your credit report, the date you submit your request to the credit reporting company for information blocking. The consumer reporting company and information provider then have 15 more days to work with you to make sure your identity theft report contains everything they need. They are entitled to take five days to review any information you give them. For example, if you give them information 11 days after they request it, they do not have to make a final decision until 16 days after they asked you for that information. If you give them any information after the 15-day deadline, they can reject your identity theft report as incomplete; you will have to resubmit your identity theft report with the correct information:" (FTC Rules)

This rule is not only cumbersome it is confusing and allows the credit reporting agencies to delay unnecessarily and it gives victims a run around.Ý I have already heard from many victims who are frustrated, angry, and unable to block the fraud or even extend the fraud alert.

b. Law enforcement agencies at the local, state and federal level should develop a uniform "identity theft report" to be compliant with FACTA.-and the FTC should determine what satisfies an "identity theft report." ÝNew provisions of the Fair Credit Reporting Act require a detailed "identity theft report" to send to the credit grantors, and the credit reporting agencies. If a proper identity theft report is sent to the credit reporting agencies they are required to do the following: place an extended fraud alert for 7 years, block all the fraud on the profile immediately; notify the creditor that the accounts are blocked.Ý Additionally, if the victim provides a proper identity theft report to the creditors, they must provide all documentation of the fraud to the victim and to the law enforcement agency within thirty days.Ý Unfortunately, the agencies themselves are deciding what is "proper" and many victims contacted us because they are not able to appease the credit reporting agencies nor the credit grantors with the reports. So they cannot exert these rights afforded under the law and there is no private right of action to enforce these rights.

The FTC should determine what will be acceptable as an identity theft report and facilitate the victim's report. It should be adhered to by law enforcement as well as the financial industry without imposing an arduous task upon the victim.Ý Also, the victim should be able to get a police report in the jurisdiction where she lives even if the impostor is in another state.Ý And, the case should be able to be prosecuted in the jurisdiction where the victim lives or the jurisdiction where the crime takes place.Ý All police should be required to provide a proper identity theft report even if they do not have the resources to investigate the crime.

c.Ý Initial Fraud alert should be one year-Ý FACTA allows a victim of a breach or fraud to place a fraud alert on credit profiles for at least 90 days with their first phone call. To extend the alert they must write a letter and provide an "identity theft report.Ý The initial fraud alert should be changed to at least 1 year especially because victims of a security breach may not be victimized for a long time.

d. Free credit report for victim should be available by phone when calling in the fraud alert.Ý Prior to the passage of FACTA, victims could order their free credit report to review their files at the same time they place a fraud alert. Now, the credit reporting agencies (except for TransUnion "temporarily") do not give the victim an opportunity to get the free credit reports in the initial phone notification of the fraud. They are later sent a letter notifying of their right to a free report upon request. This is another delay which allows the impostor more time to do his "dirty work" and this is an added burden for victim and costlier for the creditor. The victim should be allowed to order the first of his two free reports during the initial fraud alert phone call.

e. Victims should be provided a complete report instead upon disputing the fraud and the victim should be able to see the report that the creditors see.Ý The CRAs are now sending corrections instead of complete corrected reports to victims. This is dangerous since other new fraud may appear on the report. Also - the report that a creditor receives is more comprehensive than the report that the victim sees, so this is not complete disclosure.

6.Ý Funding for law enforcement for identity theft cases should be greatly increased since this is also a Homeland Security Issue.Ý All major metropolitan areas should be funded to set up identity theft task forces to include the Secret Service, the Postal Inspector, the Social Security Inspector, the FBI, INS, State Attorney General and local law enforcement to collaborate in the investigation and prosecution of these crimes since suspected terrorists will need to utilize stolen identities to attemptÝ their missions.

7.Ý Law enforcement agencies should help victims of criminal identity theft.ÝÝ A federal law should set forth steps for law enforcement to take (in conjunction with the judicial system) to assist victims of criminal identity theft.Ý So a victim of criminal identity theft in California whose impostor is in New York could be declared innocent in New York as well as California. This would entail a national database of the criminal information and fingerprints.Ý It would contain the order of the true personís fingerprints for comparison with the fingerprints of the impostor-criminal inÝÝ New York.Ý The court would enter a declaration of factual innocence and any warrants for the victim would be dismissed.Ý All databases would be corrected so that background checks would not show the victim as having an arrest or criminal record. (See California law and package for victims to clear their criminal record www.privacy.ca.gov)

8. Set up State and Federal Offices for Privacy Protection- There should be a federal office of privacy protection as well as state offices.Ý The office of privacy protection should institute an ombudsmen office to assist citizens with identity theft and other serious privacy issues. It should also coordinate and review the various governmental offices of privacy to ensure oversight.

a. Consumers should be able to put a complete freeze on their credit reports in order to prevent identity theft. This would enable the consumer to prevent their credit report from being accessed by a creditor without the specific authorization of release with a password.Ý California, Texas, Vermont and Louisiana have passed such laws.Ý It would be impossible for an impostor to apply for credit if there were a freeze on the file. The consumer would have the right to release the file when he so desires by a password or pin number. Every state should pass this legislation or if it is federal legislation, then there needs to be a private right of action and no federal preemption.

b. Credit reporting agencies should provide to victims a COMPLETE REPORT when providing corrections.Ý All reports should include the names, addresses and phone numbers of the companies who accessed the consumerís credit report including inquiries with the issuance of a consumer report so that potential victims could verify the permissible purpose.

c.ÝÝ Credit reporting agencies should notify a consumer by e-mail when his/her credit report has been accessed.Ý The agency should be allowed to charge a minimal fee for this service- as to actual cost (i.e.: $10 per year),

d. Credit reporting agencies should set up hotlines with live persons to talk to victims of identity theft.ÝÝ A live employee in the fraud department should be assigned to a particular victim- so the victim doesn't have to re-explain all the problems in numerous letters.

10.Ý Banks and other Creditors should be held accountable for protecting consumers and others from identity theft.

a. Creditors who issue credit to an impostor after a fraud alert is placed on a credit profile, should be held liable and the victim should have a private right of action to enforce his rights. Presently if a creditor ignores the fraud alert, only the Federal Trade Commission or other federal agencies may bring and action and they clearly cannot enforce individual rights nor do they have the resources to deal with most of the violations.Ý There should be a fixed penalty of at least $1000 per occurrence or actual damages which ever is greater.

b. Need for private Enforcement of access to business records. If a fraud victim provides notification of fraud and includes an "identity theft report" and an affidavit, under the FCRA, a creditor should is required within 30 days to provide copies of all billing statements, applications and other documents of fraud to the victim and the designated law enforcement agency.Ý Presently victims are contacting us that many companies are refusing to provide the information without a subpoena.Ý Victims presently have no private right to force a company to provide this data.Ý Only the FTC or other federal agencies may bring an action-but it cannot help an individual consumer.Ý This must be changed so that there will be enforcement of the provision of the act.

c. Creditors should not be allowed to send ìconvenience checksî without a prior request by the consumer. I was told by a postal inspector that 35% of these checks are used fraudulentlyÝ

d. Credit grantors should not be allowed to send pre-approved offers of credit without a PRIOR the request of the consumer.

ÝPersonal, confidential, and financial information is a valued commodity in our society. Data brokers have flourished abundantly while selling and transferring your extensive, aggregated personal profiles which include your income, credit worthiness, buying, spending, traveling habits, heath information, age, gender, race, etc.ÝÝ Facts about our personal and financial lives are shared legally and illegally without our knowledge or consent ñ on-line and off-line everyday.Ý Privacy protection in the age of data collection is really more about limiting access and instituting inspection and correction to our records, rather than keeping the information secret. ÝWe have lost control over the dissemination of our sensitive data, and this had led to enormous epidemic of identity theft.ÝÝ The huge data breaches in recent months have shined the light on the immensity of the problem of identity thieves and the havoc they cause. But it also has enlightened our lawmakers to collaborate to create a new framework for reasonable regulation of the data broker industry.

To avert identity theft, the burden is on the data brokers, and the financial industry who are in the unique position on the front end, to take precautions, require verification, and authentication of employees, vendors, business associates and customers, and refuse to sidestep fair information principles. Data Brokers, the credit reporting agencies and the financial industry is in a powerful position to prevent the fraud before the impostor can establish a parallel ìshadow profileî.Ý

I am hopeful that as a result of the gigantic breaches of sensitive information, that this Congress will create a regulatory framework for the information brokers that will protect our citizens and enable the Data Broker industry to help society.Ý I encourage you to strongly consider the thoughtful and well reasoned language of S 500 which implements the Fair Information Principles, yet acknowledges the importance the work that the data industry provides, while safeguarding the identity of every American.ÝÝ

Thank you for the opportunity to share these concerns and suggestions with this Honorable Committee.ÝÝÝ -Mari J. Frank, Esq.

DL: T432117680470 issued in Ohio on 12/19/1996 expires 02/07/2001

in a report will vary from subject to subject. All names and other information are fictional and are for illustrative purposes only. Any resemblance to real persons or public record information is unintentional. Some National Comprehensive Reports SM may locate a partial date of birth. Frequently, subjects of a National Comprehensive Report SM will be linked to other names because two public records reference two different names, but only one social security number. The most common reasons for these occurrences are:

4. Fraudulent use of a social security number The dates represent the approximate time period when the linked address appeared on a publicly available record document for the subject. The subject may or may not have resided at any of the addresses. Some public records link the subject to an address without noting a date

range. Addresses without date ranges will appear at the bottom of the address list. Such an address may be current or historical. Underlined Items provide a Link to record details.

A manual search of Real Property using the name THUL ZACHARY K is recommended. 4 additional

property records exist (including historicals) but are not included, as they do not match all necessary

Plate: K387KJ State: NY Date Registered: 08/14/1995 Expire Date: 08/29/2000

This message probably indicates that a multi-unit building islocated at this address.

By comparing the list of Possible Addresses Associated with Subject with the listed phone numbers in the Phones module, the report finds phone numbers, which have been listed at the given address. In this report, one property record was found in Real PropertySM which matched the subjectís name and address and the properties situs address. This message indicates that additional records in Real PropertySM

match the subjectís name, but none of these records had a situs address that matched an address found at the top of the report. These additional properties may belong to the subject or may simply belong to someone with the same name. Search Real PropertySM by name for a complete list of possible properties. A list of states and counties for which AUTOTRACK XP SM has deed transfer records can be located by choosing the Help link from the blue AUTOTRACK XP SM navigation bar at the top of the screen. The property information returned from this database

may differ from the information found in Real PropertySM. (See the above note on Possible Property Ownership.)A list of states for which AUTOTRACKXP SM has

vehicle registration records can be located by choosing the Help link from the blue

AUTOTRACKXP SM navigation bar at the top of the screen. Underlined items provide a link to record details.

Plate: ID036H State: FL Date Registered: 04/28/1999 Expire Date: 10/30/2000