CONTENTS Fenner, Robert M., General Counsel, National Credit Union Administraton Parnes, Lydia B., Director, Bureau of Consumer Protection, Federal Trade Thompson, Sandra, Deputy Director, Division of Supervision and Consumer (V) ENHANCING DATA SECURITY: Wednesday, May 18, 2005 U.S. HOUSE OF REPRESENTATIVES, COMMITTEE ON FINANCIAL SERVICES, Washington, D.C. The subcommittee met, pursuant to call, at 10:04 a.m., in Room 2128, Rayburn House Office Building, Hon. Spencer Bachus [chairman of the subcommittee] Presiding. Present: Representatives Bachus, Kelly, Hensarling, Pearce, Neugebauer, McHenry, Sanders, Maloney, Sherman, Moore, Frank, Carson, Baca, Green, Moore, Clay, and Matheson. Chairman BACHUS. Good morning. The Subcommittee on Financial Institutions and Consumer Credit will come to order. This morning the subcommittee is continuing its hearings on data security breaches. In the past few months there has been widely reported breaches of security at financial institutions and other stores of data about security breaches, and the subject of these hearings is whether or not there ought to be a standard notice when that occurs, what the standard of care ought to be for those who maintain consumers' personal information, and whether or not the current legislation both in Gramm-Leach-Bliley and the FACT Act and the guidance from the regulators is sufficient or whether we need to go further, whether consumers, in addition to notice, ought to have other rights or ought to be empowered further. I think the standards were just issued in March under Gramm-Leach-Bliley for the notifications, so it may be a little premature to make a final decision at this time. We have several members that are working on legislation, I know Chairman Castle and Chairman Price are working on legislation establishing a standard. I also know Mr. LaTourette is working on legislation which would give consumers the right to freeze their credit information in the event that they felt like it was being fraudulently used as a result of a data breach. The witnesses here today have only been given about a week to prepare for their testimony today, which is about half the time we normally like to give our witnesses, so I do apologize for that. And at this time I am going to take the opportunity to introduce our witnesses, and then I am going to yield to Mr. Sanders for an opening statement. I am going to introduce my entire opening statement for the record, but in the interest of going ahead and expe (1) diting the hearing, hearing from our witnesses, I will abbreviate my opening statement. But we have with us today the FTC Director of the Bureau of Consumer Protection, Lydia Parnes. Ms. PARNES. Parnes. Chairman BACHUS. Thank you. FDIC Deputy Director of the Division of Supervision and Consumer Protection, Sandra Thompson. We welcome you, Ms. Thompson. And Ms. Parnes, am I getting it right now? Ms. PARNES. Yes, you are. Chairman BACHUS. Thank you. And I should have asked before the hearing. I apologize. And NCUA General Counsel Robert Fenner. Thank you. We look forward to hearing from the witnesses and thank them for taking time from their schedules to join us. And if you all would move the mikes up pretty close to you. And at this time I will yield to Mr. Sanders for an opening state ment. [The prepared statement of Hon. Spencer Bachus can be found on page 34 in the appendix.] Mr. SANDERS. Thank you very much, Mr. Chairman. And thank you very much to our panelists who are here today. This is clearly an important issue. Identity theft and breach in security at some of our Nation's largest companies are huge issues that this committee has got to address, and I am glad that we are holding this hearing today. According to the Federal Trade Commission, 27.3 million Americans have been victims of identity theft in the past 5 years-that is a huge number of people-costing businesses and financial institutions some 48 billion and consumers $5 billion. Victims of identity theft pay an average of about $1,400, not including attorney fees, and spend an average of 600 hours to clear their credit reports. So we are dealing with an issue of real concern to the American people. In addition, Mr. Chairman, since 2003, there have been a number of security breaches at some of the biggest companies in this country, threatening the financial privacy of millions of Americans. The largest one became public in February of 2003 when the FBI announced a nationwide investigation of a computer database security breach containing roughly 8 million Visa, MasterCard, and American Express credit card numbers. This breach forced many financial institutions to reissue thousands of Visa and MasterCards as a precaution against potential fraud. But we are not just talking about credit card companies; we are talking about Time Warner, Lowe's stores, T-Mobile USA, ChoicePoint, Lexus Nexus, Wells Fargo, Bank of America, Chevy Chase, and SunTrust. The list goes on and on. For a variety of reasons, Social Security numbers, debit and check card information, driver's license numbers, e-mails, personal computer files, and information about student loans and mortgages are being stolen by computer hackers and other scam artists. Mr. Chairman, this has got to stop. We must make sure that identity thieves are prosecuted to the fullest extent of the law, but we must also make sure that the largest, the most profitable multinational companies in this country do everything they can to make sure that these scam artists don't succeed in the first place. In addition, Mr. Chairman, this committee must focus on how the outsourcing of financial service jobs to China, India, and other low-wage countries are threatening the privacy of our citizens. That is an issue I think that we can no longer ignore. According to a study published by the consulting firm A.T. Kearney, more than 500,000 financial service jobs in the United States, representing 8 percent of all jobs in banking, brokerage, and insurance firms, will move offshore in the next 5 years, saving these companies some $30 billion. Now that is an issue unto itself from a worker perspective, but it is also a major issue in terms of the privacy issue that we are dealing with today. It seems that no financial service firms or credit bureau agency is immune to overseas outsourcing, and we are the biggest ones doing that. One example of the troubling trend in outsourcing is occurring at TransUnion. According to David Emory, executive vice president and chief financial officer of TransUnion, quote, 100 percent of our mail regarding customer disputes is going to India at some point, end of quote. And according to a report in the San Francisco chronicle, quote, two of the three major credit reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time, end of quote. Mr. Chairman, with growing problems in identity theft and with no domestic legal protection for the privacy of the personal records of American citizens, the situation is unhappily ripe for abuse, and the evidence is mounting. It was recently reported that three former call center workers in India allegedly cheated Citibank customers in the U.S. out of hundreds of thousands of dollars. It has also been reported that Geometric Software Solutions in India, another overseas outsourcer, illegally tried to sell the U.S. clients' intellectual property. And an employee in Pakistan doing clerical work for a medical center in California threatened to post confidential medical records of U.S. patients on the Internet unless she was adequately compensated for her work. I would like to ask that witnesses today-and I hope that this is an issue that you will cover, the following questions. Exactly what kind of legal protections do U.S._consumers have when our privacy laws are violated overseas? As I understand it, it would be difficult, if not impossible, to prosecute financial services or credit bureau workers outside of the United States for breaking laws relating to financial privacy and consumer protection. That is why I am supportive of legislation introduced by Congressman Markey that would make it illegal for companies in the U.S. to send financial data abroad without the express written consent of their customers. Mr. Chairman, thank you again for holding this very important hearing. And I look forward to hearing our witnesses. [The prepared statement of Hon. Bernard Sanders can be found on page 40 in the appendix.] Chairman BACHUS. I thank the ranking member. |