
OPENING STATEMENT OF CHAIRMAN SPENCER BACHUS
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS AND CONSUMER CREDIT

"ENHANCING DATA SECURITY: THE REGULATORS' PERSPECTIVE"
MAY 18, 2005

Good morning. The Subcommittee will come to order. This morning the subcommittee will continue its examination of data security and protecting sensitive information. Several weeks ago, the Full Committee held a hearing on this topic where we heard from representatives of companies that recently experienced data breaches. Today it is our intention to hear the regulators' perspective on this issue. I am pleased that Chairman Oxley continues to recognize the significance of this topic and has scheduled this hearing today.

Over the last several months, there have been numerous news reports describing potentially serious breaches of information security. These breaches have generally involved sensitive personal information, such as individual names plus Social Security numbers or payment card information. Although the reports of subsequent fraud associated with these breaches have been relatively low, protecting consumers after such data breaches obviously remains a primary concern. Furthermore, data breaches, even if relatively uncommon and limited in scope, undermine consumer confidence more broadly. For instance, surveys suggest the growth of on-line commerce is restrained due to fears about information security.

I do not expect companies to meet a standard of perfection. I doubt the witnesses here expect perfection either. Even the most prudent company can become the victim of a hacker or other criminal. However, it is reasonable to expect that those who possess sensitive information will take reasonable steps to protect against the unauthorized acquisition of such information. In this regard, it is important for us to hear how the regulatory community is approaching this issue, and whether additional legislation is needed. It is also reasonable to expect that, if we decide to legislate in this area, companies should have a single uniform standard to comply with, as opposed to dozens of inconsistent standards. I see little benefit to a hodgepodge of security standards resulting from several different laws triggering consumer notices.

One of the key issues surrounding our investigation of data breaches is a question of how to inform consumers if their sensitive information is the subject of a security breach. For example, we are well aware that financial institutions must have information security programs designed to protect customer information under the Gramm-Leach-Bliley Act. The federal banking agencies also issued guidance recently with respect to the need for a bank to provide notice to its customers when information in the bank's control is the subject of a security breach. In my opinion the requirements of the law, and the guidance provided by the regulators, are appropriate. However, we need to learn more about this issue from the regulators, and that is why we are here today.

I would like to take this opportunity to welcome our witnesses. We have with us today FTC Director of the Bureau of Consumer Protection Lydia B. Parnes, FDIC Deputy Director of the Division of Supervision and Consumer Protection Sandra Thompson and NCUA General Counsel Robert Fenner. I look forward to hearing from today's witnesses and thank them for taking time from their schedules to join us.

OPENING REMARKS OF THE HONORABLE RUBEN HINOJOSA
HOUSE COMMITTEE ON FINANCIAL SERVICES
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS

"ENHANCING DATA SECURITY: THE REGULATORS' PERSPECTIVE"
MAY 18, 2005

Chairman Bachus and Ranking Member Sanders,

I want to express my sincere appreciation for you holding this very important and timely hearing today. Having served as one of the Members of the Task Force on Identity Theft that contributed substantially to the language ultimately included in the FACT Act of 2003, I am very disturbed by the recent events that have endangered the personal privacy of many of our constituents, including over 300,000 in the Lexis-Nexis case alone.

As I noted during last week's hearing, for weeks, the media has reported on the rampant loss of financial information of Americans from coast to coast. What at first seemed to be isolated incidents of theft now seems much larger and has impacted customers of well-known companies like Ralph Lauren, DSW Shoes, Lexis-Nexis, and others. The frightening part of this lapse in security is that millions upon millions of people are now exposed to possible identity theft.

The largest known security breach of financial data became public in February 2003 when the FBI announced a nationwide investigation of a breach of a computer database containing roughly 8 million Visa, MasterCard and American Express credit card numbers.

Officials of British-based HSBC PLC notified at least 180,000 credit card customers in mid-April 2005 that their account information may have been obtained in a security breach of the computer database of a national retailer.

DSW announced in April, 2005, that computer hackers had obtained account data from 1.4 million credit cards used by customers at 108 retail stores between November 2004 and February 2005. Checking account numbers and driver's license numbers were also stolen from nearly 95,000 customer checks.

Identity theft can be devastating for consumers and can destroy their credit, their financial security and their sense of protection and well-being. Similar to a home invasion or robbery, victims of identity theft are exposed to the whims of those who stole their personal financial information. Identity theft tends to occur when an imposter steals a victim's personal information to gain credit, merchandise and/or services in the victim's name. It is the most common complaint received from consumers in all 50 states; and, my home state of Texas ranks third in the number of identity theft victims.

According to Committee staff and to various press reports and press releases from the underlying entities, data thieves employed a variety of means to gain unauthorized access to consumers' private information. These include both high-tech means for stealing computer access codes and passwords, as illustrated in the various university and retail store security breaches, as well as such low-tech methods as impersonating legitimate business clients, as in the ChoicePoint and Lexis-Nexis examples. Other security breaches involved more traditional forms of theft, such as the theft of computers and computer backup tapes.

Victims of identity theft may incur unauthorized charges to their credit cards and unauthorized withdrawals from bank accounts. Victims may lose job opportunities, be unable to secure a loan, obtain a mortgage, or be arrested for crimes they did not commit. According to the Federal Trade Commission, 27.3 million Americans have been victims of identity theft in the past five years, costing businesses and financial institutions $48 billion and consumers $5 billion. Victims pay an average of about $1,400 (not including attorney fees) and spend an average of 600 hours to clear their credit reports.

Victims do not have to sit idly by - they can defend themselves against identity theft. They can tear or shred their receipts, copies of credit applications or offers, insurance forms, check and bank statements, and expired credit cards; keep their Social Security card in a safe place, and give their number only when necessary; pay attention to their billing cycles; do not write their PIN numbers on their credit or debit card; and, ensure that information they share on the Internet is with a legitimate institution or vendor.

Furthermore, our constituents can access websites such as the BITS website created by the Financial Services Roundtable. The website helps consumers become aware of the many steps they can take to safeguard their personal information. The tips on the BITS website were adapted from the BITS white paper "Financial Identity Theft: Prevention and Consumer Assistance." The website provides guidance on how to protect your Social Security numbers and cards; your credit cards; your identity from predators on the Internet; your mail; and other topics. All of these documents are printed on the BITS website and available for download. You may access the website at www.bitsinfo.org/ci_identity_theft.html.

Having noted all of the aforementioned, the question becomes one of what, if anything, can or should Congress do to address the increasing numbers of identity theft and protect our constituents.

Yesterday, I received a letter from Consumers Union highlighting its “Have You Heard?” Column from the June 2005 Consumer Reports, which addresses the critical issue of identity theft. There are several recommendations in that column that I found very compelling. One of them focuses on preventing breaches from happening in the first place. It stresses how critical it is to impose strong requirements on information brokers to protect the information they hold and to screen and monitor the persons to whom they make that information available, and require creditors to take additional steps to verify the identity of an applicant when there is a sign of possible ID theft. Moreover, it recommends that Congress act to restrict the sale, sharing, posting, display, and secondary use of Social Security numbers. I ask that a copy of this letter and the column,
