ORAL TESTIMONY

OF

CATHERINE A. ALLEN

CHAIRMAN AND CEO, THE SANTA FE GROUP

BEFORE THE

UNITED STATES CONGRESS

committee on oversight and government reform

Subcommittee on information policy,
census and national archives

us house of representatives

HEARING ON

IDENTITY THEFT: A VICTIMS BILL OF RIGHTS

JUNE 17, 2009

Oral Testimony of Catherine A. Allen

Chairman and CEO, The Santa Fe Group

June 17, 2009

Introduction

Chairman Clay, Ranking Member McHenry, and members of the Subcommittee, thank you for your leadership in highlighting the issue of victims of identity crime and the often long and lonely road they walk toward restoration.

I have spent most of my career in the financial services industry, most recently as founding CEO of BITS a CEO-driven nonprofit financial services industry consortium and think tank, focused on fraud prevention, cybersecurity, and payments. I grew up in a small Missouri town where my family was in banking.

Today I am involved in efforts to examine the way the financial services industry is regulated and the impact of policy on consumers. In this area of identity theft, I believe we are just at the tip of the iceberg because of growing cybersecurity threats. We think a Victims’ Bill of Rights is necessary because the victims’ voice is seldom heard.

This testimony reflects the work of The Santa Fe Group Vendor Council, which was formed in 2006 to bring together thought leaders at service provider organizations to respond to the needs of industry and its customers. The Vendor Council promotes the development of secure, best-in-class technology solutions, standards, and business processes, as well as industry best practices related to fraud, payments, cybersecurity, data protection, and identity crime.

Last fall, the Vendor Council formed an Identity Management Working Group to develop an inventory of best practices for assisting victims of identity crime and suggesting improvements in law and corporate practice to make it easier for victims to dispute false records and reclaim their identity. From this work we have developed a framework that we refer to as an Identity Theft Bill of Rights. While my written testimony contains additional, helpful background material, I will focus my oral remarks on this framework.

An Identity Crime Victims Bill of Rights

Identity crime victims deserve the same rights as other crime victims. Identity crimes can have physical, emotional, and financial impacts comparable to other crimes. While much is being done in the private and public sectors to help victims, we still lack adequate provisions for restoration, reparation, or even prosecution. Today, most identity crimes will be treated as misdemeanors or very low-level felonies, and the majority of prosecutions will be civil as opposed to criminal actions for both individuals and organized crime thefts. We need better coordination, awareness of the victim experience, and concrete steps for correcting identity records.

For the benefit of individuals, business, and society, I propose the following rights for identity crime victims:

· The right to assessment

· The right to restoration

· The right to freedom from harassment

· The right to potential prosecution of the offender(s)

· The right to restitution

Right to Assessment

Consumers who suspect they have become a victim of identity crime should have the right to assess the nature and extent of damage to their identity. FACTA already grants many of these rights, but consumers face procedural Catch-22s. Businesses and government agencies should be required to provide notice to consumers when they suffer a data breach involving loss of sensitive personal information. The present patchwork of state laws and government policy needs to be replaced with a uniform federal statute spelling out notification requirements. Clear guidelines would help businesses contain costs and limit legal liability through compliance and enhance consumer protection.

Right to Restoration

Ideally, victims should be able to restore their identities to their pre-theft state. However this is not always possible because of the complexity of the crime, especially in cases of financial identity theft. Whether or not they can fully recover, it is imperative that victims be able to establish correct records. Relevant privacy laws need to be reviewed and amended, giving victims the power to access and correct their own record in cases of identity crime.

Right to Freedom from Harassment

Identity crime victims should be protected from harassment by collection agencies and others during and after the identity restoration process. Harassment often continues unabated because business and law enforcement have no way to distinguish victims from debtors and thieves. To combat this some states are issuing identity theft “passports” to verify that the carrier has been a victim of identity theft and help the person prove his or her identity. How effective these documents are remains to be seen, but a system that actually verifies victims is needed

Right to Potential Prosecution of Offenders

One of the great frustrations to identity crime victims is the lack of business and law enforcement resources to prosecute identity thieves. Of course, law enforcement needs to balance priorities and budgets, and business must weigh the costs and benefits of prosecution. However, these organizations need to also take the long view on the impact of identity crimes:

· First, identity crime continues precisely because it pays. Second, the FBI and Secret Service have found that where there is one victim, there are more. So instead of writing off the costs of an individual case, organizations should consider that for every instance of identity crime, there may be many others as yet undiscovered or yet to be committed by the same crime ring or individual.

· Third, not all the costs of identity crime are immediately visible or measurable.

Right to Restitution

Identity crime victims can spend hundreds of dollars and dozens of hours, and can experience untold misery during the process of restoration. They deserve restitution, the same as victims of other crimes, yet a study by the Center for Identity Management and Information Protection shows that defendants were ordered to pay restitution in only about a third of the cases studied. Restitution will help make victims whole, sends a message that identity crime is real crime, and helps ensure that when perpetrators are caught, identity crime does not pay.

Recommendations for Protecting Victims’ Rights

In summary, my testimony today advocates for the following legislative actions to help victims:

· Enact a uniform scheme across industry and government to assist identity theft victims that includes the Identity Theft Victims’ Bill of Rights

· Create a national standard of identification — one that cannot be forged by identity thieves — that victims can use to distinguish themselves from thieves and identify themselves to businesses, law enforcement and others.

· Expand the definition of “compensable crime” under federal and state law to include identity crime.

Additionally, there are some steps that could be taken right now to strengthen victims’ rights and help stem the tide of identity theft:

1. Invest in independent research on the effects of identity crime. To make fully informed decisions, we need a thorough understanding of the costs of identity crime. There are too many unanswered questions about what’s happening in policy, industry, and law enforcement. Public funding should be made available. We need to get beyond the anecdotes to understand the connection between data breaches and identity theft.

2. Create standard dispute procedures in industry and law enforcement. Upon resolution, victims would receive standardized, verifiable letters proving that issues had been resolved.

3. Empower the FTC to oversee victims’ rights. The FTC should be charged with oversight of proposed policies for cohesion across national laws for effectiveness, and to anticipate and prevent unexpected consequences. This should include ensuring that law enforcement is investigating identity crime cases consistently and effectively.

4. Include identity theft victims’ rights in any dialogue about a Consumer Financial Protection Agency. If a proposed agency focused on financial products and services emerges, financial identity theft policies and education might be considered under its jurisdiction and should be included in the dialogue.

Conclusion

Thank you for this opportunity to present on the plight of victims and the Victims Bill of Rights, and thank you, again, for your leadership. I would be happy to answer any questions.

Identity theft can be difficult to correct as an adult. Anyone who has gone through the process on their own will explain the frustrating experience of trying to prove who you are to credit bureaus and merchants who are verifying against a credit report, which contains mostly incorrect fraudulent information. Victims are often asked to verify addresses they never lived at, phone number they never had or accounts they never opened.

As frustrating as this experience can be, it is nothing compared to a victim turning 18 and finding out that their entire credit file is fraudulent. Proving your identity when all records available to the credit bureaus and merchants are full of fraudulent information can be the most difficult process that an identity theft victim can go through. Most people are unaware that credit issuers may not have any method available to verify the age of an applicant, and that credit bureaus record the “official” age of an applicant with the first credit application. If the application indicates that your 3 your old son is actually 24, the record remains at age 24 until it is disputed and proven otherwise. This can also be difficult since it is common to take the information of a minor to get a driver’s license. As a result of this kind of identity theft, victims are sometimes turned down for college loans, denied welfare or other benefits, denied a driver’s license and occasionally arrested because of the fraud.

As a parent, you can help your children avoid this grim future. Your child may or may not have a legitimate credit history. Some banks and credit card companies allow parents to add children to the accounts as an authorized user, which could create credit history. Please be aware that receiving a pre-approved credit card offer in the mail for your child can be alarming, but does not necessarily mean that they have a credit history or that there is identity theft occurring. You can opt out of these offers for yourself or your children by calling 888-5OPTOUT or going to www.optoutprescreen.com

Experts recommend that if you inquire about your child’s credit history, that you do so no more than once a year. For security and privacy reasons, only parents or guardians may request a credit report on behalf of a child under the age of 13. For this reason, you may be requested to fax or mail documents providing that you are the parent or legal guardian before they will send the credit file. Be aware that it is also possible that an inquiry into a child’s credit history could be answered with a letter indicating a file cannot be found. TransUnion recommends that parents do not just request a copy of the credit report just to check and see. To that end, TransUnion has set up a special email address for parents and guardians to use to obtain a “yes/no” answer regarding if a file exists: childidtheft@transunion.com. They suggest that if the answer is “yes”, to weigh the risks and probability that there is use of your child’s identity and decide to order a copy report based on your assessment.You can find a sample form letter to request these reports here and a list of required documents by credit bureau here.

The Identity Theft Resource Center provides the following tips for parents to help prevent the identity theft of minor children:

• Parents: Parents are often asked to show a copy of a birth certificate and/or Social Security card in order for their children to participate in after school sports. Coaches often ask for photocopies of these papers. ITRC does not believe that this is a good security measure and that safer information handling practices should become policy. We recommend the following:
• Ask if the coach has had a criminal and financial background check done by an independent or hiring source. If not, will one be done? This should be an automatic practice due to the amount of child molestation and child information theft.
• Show the papers to the coach and then put them in a sealed envelope. Write your name across the sealed flap in colored ink so that you can tell if it has been opened.
• Initial the back of each page in colored ink that you place in the envelope. At the end of the season you will know if you got the original back.
• Ask where the papers will be stored during the season. Parents need to make sure that the envelopes will be stored in a locked box and returned unopened after the season has ended, unless you have been notified that there is a need to show them to other people.
• Shred all papers that you throw out that contain account or Social Security Number.
• Do not carry your or your child’s Social Security Number in your wallet, including Social Security cards. If necessary (i.e. health insurance cards) make a photocopy of the card, cut off the last 4 numbers of the Social Security Number and carry that photocopy with you on a daily basis. Only carry original cards on days you know you will need them. Then if your wallet is lost or stolen, this information will not be stolen.
• Students- when possible, ask your college not to use your Social Security Number as your college ID number. If they insist on doing so, only carry your original card on the days you need it. Ask to not include the number on rosters that others may see and insist that it not be posted in public display areas.
• Lock your information away. Roommates may seem friendly and end up as good friends, but too many victims have found out that an unscrupulous roommate or friend has stolen their information.
• Watch your backpacks, briefcases, or anything you carry your wallets or important papers at all times (this includes in class, at lunch and in the library).
• Use a locked mailbox to send and receive all mail. Do not leave mail unattended for pickup in an “out” box.
• Resist giving out your driver’s license number or Social Security Number (or child’s Social Security Number) unless they have a good reason for needing it. A doctor’s office is a great place for a child profiler to collect information. Make sure that the physician is aware of that and that his or her staff is taking proper precautions with your child’s information. Watch for people who may try to eavesdrop and overhear the information you give out orally.
• Scams- Teach children not to give out personal information over the phone and do not give out any of your or your child’s information on the Internet unless you are absolutely sure that you are dealing with a legitimate company. When in doubt, don’t. You can check out companies with the Better Business Bureau, the FBI or your State Attorney General if you have any concerns. Think first- don’t give out information and then later regret it.

Every year around tax time, we experience a spike in the number of calls we receive from clients as they discover that they are unable to file taxes because an identity thief has beat them to it. Until recently, victims of identity theft who had not been contacted by the IRS directly were unable to take any protective steps to notify the IRS of possible fraud. That was then…

Now- much to our delight-  the IRS has a method of “flagging” your information for monitoring! A copy of a police report documenting the identity theft and a copy of of your valid Federal or State issued identification, such as a social security card, driver’s license, or passport, etc should be forwarded along with Form 14026 to the IRS at:

Mailing address:
Internal Revenue Service
P.O. Box 9039
Andover, MA 01810-0939

FAX: Note that this is not a toll-free fax number
1-978-247-9965

You may also contact the IRS Identity Protection Specialized Unit toll-free 1-800-908-4490 for guidance. Hours of Operation: Monday – Friday, 8:00 a.m. – 8:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

For more information, please visit the IRS website.

You can also find helpful information about scams, suspicious emails and phishing attempts- including how to report them on their website here and here. Remember that identity thieves and scam artists are keen to try to trick you with timely scams that play on the hopes and fears of the average taxpayer. Emails or phone calls about audits, refunds, or stimulus payments should be treated with the utmost skepticism even if there is an official logo visible.

by Heather Wells

In a recent article dated June 20, 2008 from npr.org, writer Dina Temple-Raston reports on the arrest of hundreds of people believed to be guilty of scamming the public out of millions of dollars of hard earned home equity.

She writes, “instead of stealing an identity to secure a credit card, scammers have been zeroing in on people they think have a lot of equity in their homes. They steal their identities, then go online and get a home equity line of credit on that person’s house and take the money.”

It’s a terrifying scenario for consumers who have worked hard for years to establish good equity and credit. As someone who works directly with victims of id theft, I know how frustrating it is for victims when the person who stole their identity is never caught or prosecuted. I am hoping that the news of these crooks getting arrested will bring about a feeling of justice for victims; that something is being done and people are being punished.

Temple-Rason concludes her piece with this warning, “the FBI is sending a specific message: If you are involved with mortgage fraud — whether on Wall Street with high-level investors, or on Main Street with ordinary homeowners — the bureau intends to catch and prosecute you.”

Score one for the little guy. For more, check out this video:

by Rick Kam