ORAL TESTIMONY

OF

CATHERINE A. ALLEN

CHAIRMAN AND CEO, THE SANTA FE GROUP

BEFORE THE

UNITED STATES CONGRESS

committee on oversight and government reform

Subcommittee on information policy,
census and national archives

us house of representatives

HEARING ON

IDENTITY THEFT: A VICTIMS BILL OF RIGHTS

JUNE 17, 2009

Oral Testimony of Catherine A. Allen

Chairman and CEO, The Santa Fe Group

June 17, 2009

Introduction

Chairman Clay, Ranking Member McHenry, and members of the Subcommittee, thank you for your leadership in highlighting the issue of victims of identity crime and the often long and lonely road they walk toward restoration.

I have spent most of my career in the financial services industry, most recently as founding CEO of BITS a CEO-driven nonprofit financial services industry consortium and think tank, focused on fraud prevention, cybersecurity, and payments. I grew up in a small Missouri town where my family was in banking.

Today I am involved in efforts to examine the way the financial services industry is regulated and the impact of policy on consumers. In this area of identity theft, I believe we are just at the tip of the iceberg because of growing cybersecurity threats. We think a Victims’ Bill of Rights is necessary because the victims’ voice is seldom heard.

This testimony reflects the work of The Santa Fe Group Vendor Council, which was formed in 2006 to bring together thought leaders at service provider organizations to respond to the needs of industry and its customers. The Vendor Council promotes the development of secure, best-in-class technology solutions, standards, and business processes, as well as industry best practices related to fraud, payments, cybersecurity, data protection, and identity crime.

Last fall, the Vendor Council formed an Identity Management Working Group to develop an inventory of best practices for assisting victims of identity crime and suggesting improvements in law and corporate practice to make it easier for victims to dispute false records and reclaim their identity. From this work we have developed a framework that we refer to as an Identity Theft Bill of Rights. While my written testimony contains additional, helpful background material, I will focus my oral remarks on this framework.

An Identity Crime Victims Bill of Rights

Identity crime victims deserve the same rights as other crime victims. Identity crimes can have physical, emotional, and financial impacts comparable to other crimes. While much is being done in the private and public sectors to help victims, we still lack adequate provisions for restoration, reparation, or even prosecution. Today, most identity crimes will be treated as misdemeanors or very low-level felonies, and the majority of prosecutions will be civil as opposed to criminal actions for both individuals and organized crime thefts. We need better coordination, awareness of the victim experience, and concrete steps for correcting identity records.

For the benefit of individuals, business, and society, I propose the following rights for identity crime victims:

· The right to assessment

· The right to restoration

· The right to freedom from harassment

· The right to potential prosecution of the offender(s)

· The right to restitution

Right to Assessment

Consumers who suspect they have become a victim of identity crime should have the right to assess the nature and extent of damage to their identity. FACTA already grants many of these rights, but consumers face procedural Catch-22s. Businesses and government agencies should be required to provide notice to consumers when they suffer a data breach involving loss of sensitive personal information. The present patchwork of state laws and government policy needs to be replaced with a uniform federal statute spelling out notification requirements. Clear guidelines would help businesses contain costs and limit legal liability through compliance and enhance consumer protection.

Right to Restoration

Ideally, victims should be able to restore their identities to their pre-theft state. However this is not always possible because of the complexity of the crime, especially in cases of financial identity theft. Whether or not they can fully recover, it is imperative that victims be able to establish correct records. Relevant privacy laws need to be reviewed and amended, giving victims the power to access and correct their own record in cases of identity crime.

Right to Freedom from Harassment

Identity crime victims should be protected from harassment by collection agencies and others during and after the identity restoration process. Harassment often continues unabated because business and law enforcement have no way to distinguish victims from debtors and thieves. To combat this some states are issuing identity theft “passports” to verify that the carrier has been a victim of identity theft and help the person prove his or her identity. How effective these documents are remains to be seen, but a system that actually verifies victims is needed

Right to Potential Prosecution of Offenders

One of the great frustrations to identity crime victims is the lack of business and law enforcement resources to prosecute identity thieves. Of course, law enforcement needs to balance priorities and budgets, and business must weigh the costs and benefits of prosecution. However, these organizations need to also take the long view on the impact of identity crimes:

· First, identity crime continues precisely because it pays. Second, the FBI and Secret Service have found that where there is one victim, there are more. So instead of writing off the costs of an individual case, organizations should consider that for every instance of identity crime, there may be many others as yet undiscovered or yet to be committed by the same crime ring or individual.

· Third, not all the costs of identity crime are immediately visible or measurable.

Right to Restitution

Identity crime victims can spend hundreds of dollars and dozens of hours, and can experience untold misery during the process of restoration. They deserve restitution, the same as victims of other crimes, yet a study by the Center for Identity Management and Information Protection shows that defendants were ordered to pay restitution in only about a third of the cases studied. Restitution will help make victims whole, sends a message that identity crime is real crime, and helps ensure that when perpetrators are caught, identity crime does not pay.

Recommendations for Protecting Victims’ Rights

In summary, my testimony today advocates for the following legislative actions to help victims:

· Enact a uniform scheme across industry and government to assist identity theft victims that includes the Identity Theft Victims’ Bill of Rights

· Create a national standard of identification — one that cannot be forged by identity thieves — that victims can use to distinguish themselves from thieves and identify themselves to businesses, law enforcement and others.

· Expand the definition of “compensable crime” under federal and state law to include identity crime.

Additionally, there are some steps that could be taken right now to strengthen victims’ rights and help stem the tide of identity theft:

1. Invest in independent research on the effects of identity crime. To make fully informed decisions, we need a thorough understanding of the costs of identity crime. There are too many unanswered questions about what’s happening in policy, industry, and law enforcement. Public funding should be made available. We need to get beyond the anecdotes to understand the connection between data breaches and identity theft.

2. Create standard dispute procedures in industry and law enforcement. Upon resolution, victims would receive standardized, verifiable letters proving that issues had been resolved.

3. Empower the FTC to oversee victims’ rights. The FTC should be charged with oversight of proposed policies for cohesion across national laws for effectiveness, and to anticipate and prevent unexpected consequences. This should include ensuring that law enforcement is investigating identity crime cases consistently and effectively.

4. Include identity theft victims’ rights in any dialogue about a Consumer Financial Protection Agency. If a proposed agency focused on financial products and services emerges, financial identity theft policies and education might be considered under its jurisdiction and should be included in the dialogue.

Conclusion

Thank you for this opportunity to present on the plight of victims and the Victims Bill of Rights, and thank you, again, for your leadership. I would be happy to answer any questions.

Scammers and identity thieves often take advantage of fears, hopes and dreams. This is what makes some of their crimes so emotionally devastating to victims. Often the fraud or scam they are running appears to be the only hope in the victim’s life, until the true intentions are revealed.

Current events are always a draw for scam artists, and exploiting consumers by playing on their most vulnerable emotions remains the most lucrative sources of income. Before you hand over information or money, stop and think about how emotional you are at that moment. If your emotions are running high, maybe it is time to cool it. Ask if you can come back tomorrow, or call them back at another time. If they insist that it must be done right away, or otherwise hurry you- it is probably a good sign that this is a scam. Scammers don’t want you to take the time to check with the Better Business Bureau or your local police- they want your money now, and they will tell you whatever you need to hear to believe that “time is running out” or it is a “limited offer”.

Particularly during this tough economic state, people are turning to others for help and are often taken in by crooks. When you combine this fear with a confusion about where to access legitimate resources, you are asking for trouble. Many Attorney General’s offices, privacy bloggers, and security professionals have made an effort to bring exposure to the real assistance available to those who are experiencing woes during this recession. Thanks to their efforts, I have compiled a Guide to Identity Theft and the Recession which can be found here.

Do you know of additional resources or scams I did not mention? Please comment below, or follow us on Twitter @idexperts

The FTC wants you to know about the only official site to get your free credit report as granted under federal law. Since catchy tunes and funny videos are the way to our hearts, they have released some videos to help spread to word about how to monitor your credit report for free by using www.annualcreditreport.com

See the other videos at http://www.youtube.com/ftcvideos

by Doug Pollack

The Santa Fe Group, an industry consortium, announced today an identity crime victims’ bill of rights that proposes the rights that should be provided to all individuals and recommending an approach to legislation for adopting this bill of rights.

“The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available at http://santa-fe-group.com/whitepapers/register.php.”

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:

• Assessment of the nature and extent of the crime that removes the procedural ‘Catch-22s’ when validating identity
• Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
• Freedom from harassment from collection agencies, law enforcement and others
• Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
• Restitution that includes repayment for financial losses and expenses

“The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts (www.idexpertscorp.com).

‘Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,’ said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. ‘We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.’”

The Santa Fe Group, ID Experts and other members of the Vendor Council will be holding meetings in Washington, DC later this spring in order to drum up support for this concept and related legislation.

by Doug Pollack

We know that over 10MM Americans this year will far victim to identity theft. But a recent survey by Bankrate asks people whether they are worried about this problem. The results indicate that people who personally know a victim of identity theft tend to be both more worried about this and also more proactive about protecting themselves.

The poll titled “Americans worry about ID theft; but consumers may be confused about the most effective strategies to protect their privacy” highlights:

“The results show that consumers who personally know a victim of identity fraud tend to be more concerned about the crime overall. Further, their concern pushes them to take more steps toward protecting their personal information, although there does seem to be some ambiguity as to the most efficient privacy protection actions.”

The following chart illustrates people’s answers to the question of how concerned they are about identity theft.

How concerned are you about having your identity stolen? Total Know an identity theft victim Don’t know a victim Very/somewhat concerned 81% 88% 76% Very concerned 40% 46% 36% Somewhat concerned 41% 42% 40% Not very/not at all concerned 19% 12% 24% Not very concerned 12% 7% 15% Not at all concerned 7% 5% 9%

So while most of us are concerned about identity theft, this is a problem area where most of us do very little to actually protect ourselves. If you talk with a friend or family member that has had to recovery their identity from theft, you will learn just how scary and time consuming that this can be. So don’t be complacent.

by Rick Kam

On June 11, 2007 an article in Wired Blog Network reports CEO of Lifelock, Todd Davis’ identity being stolen. Mike Prusinski, spokesman for Lifelock is quoted as saying,

“…there’s no way to prevent all identity theft — especially in cases in which a business (such as the check-cashing operation) doesn’t run a credit report before providing someone with a loan or new credit card. It’s a loophole,” Prusinksi said. “We tell people that you can’t stop every form of identity theft.””

Todd Davis was so confident in Lifelock’s identity theft protection solution, he regularly displayed his social security number on the company website. It was only a matter of time before an identity thief would use his social security number.

The Federal Trade Commission, Better Business Bureau, AARP, and law enforcement, as well as Identity Safeguards, all suggest protecting your social security number to reduce the risk of identity theft. It is the “key” to your identity. The ability to “freeze” or lock your credit will reduce the risk that an identity thief will be able to open fraudulent credit accounts, but it is not “fool proof” in stopping other growing forms of identity theft.

So how was Todd Davis’ identity stolen?

A plausible scenario would be that an identity thief saw Todd Davis’ social security number on the LifeLock website and decided to use it to commit the crime. There are many other ways an identity thief can access and use your personal information. For many individuals today, a government agency or company who has their information may lose it or have it stolen by identity thieves potentially exposing them to misuse.

While setting up fraudulent checking accounts or credit lines are the likely ways an identity thief will use stolen personal information, it is not the only way. Identity thieves also can set up cell phone accounts, obtain fraudulent driver’s licenses, or access medical services (note that medical ID theft is one of the fastest growing issues today). A credit freeze or fraud alert set by the credit bureaus (or Lifelock in Mr. Davis’s case) won’t necessarily protect them from these forms of identity theft.

The good news is you can reduce their risk of falling victim to many forms of identity theft by taking a few simple steps to protect your good name. The FTC offers good suggestions to reduce the risk and is a great consumer resource. My suggestion, consistent with that of many other security experts, is carefully protect your social security number in order to reduce your risk of identity theft.