Testimony of Michael P. Smith
Testimony of L. Richard Fischer
Good morning Chairwoman Pheffer, Chairwoman Destito, Chairwoman Nolan and
members of the Assembly. My name is Michael P. Smith and I am the
President and Chief Executive Officer of the New York Bankers
Association (NYBA). I thank you for the opportunity to testify here
today. NYBA is comprised of community, regional and money center banks
in the State of New York, which in the aggregate have over 320,000
employees and assets in excess of $3 trillion.
The privacy concerns of our customers
have always been a top priority for the banking industry. We welcome
these hearings, because we believe that it is essential to provide the
public with information about the many extensive safeguards in place to
protect consumer privacy – including the privacy of their Social
Security numbers and other personal identifying information – and to
discuss the possibility of further action.
It is important that New Yorkers know
that the financial services industry has the most extensive safety net
of federal and state privacy laws of any industry in the nation. Also,
New Yorkers should be particularly heartened by the progress our
industry has made in protecting consumers’ privacy in this State
particularly. For example, the New York Bankers Association (in
conjunction with the New York Clearing House) developed Best Practices
Privacy Guidelines for Financial Institutions in 2000. Notably, these
Best Practices include specific measures designed to combat identity
theft. Moreover, NYBA has consistently supported legislation and worked
in partnership with governmental authorities to protect the banking
public against fraud and identity theft. In fact, NYBA testified
regarding its commitment to the privacy concerns of New York’s consumers
before the Legislature in March 2000 and provided the New York State
Assembly and Senate with testimony on the issue of data security
breaches in the Spring of 2005. Importantly, NYBA strongly supported
the legislation enacted through your efforts, in New York in 2002
(Chapter 619 of the Laws of 2002), which criminalizes the theft of
identity and the unlawful possession of personal identification
information.
On April 7, 2005, NYBA testified on
the issue of data security breaches before the Assembly Standing
Committees on Banks, Consumer Affairs and Protection, and Codes, along
with L. Richard Fischer, a partner at the law firm of Morrison and
Foerster LLP, who specializes in privacy and data security matters. We,
along with Mr. Fischer, provided similar testimony one month later, on
May 24, 2005, before the Senate Committee on Investigations & Government
Operations and the Senate Committee on Consumer Protection. In our
testimony we stated our support for the establishment of reasonable
notification provisions, which, in order to avoid unnecessary conflicts
and consumer confusion, should be consistent with the procedures which
are being recommended at the national level. As a result of your
consideration of our concerns on this issue, we were able to withdraw
our original objections to the security breach notification bill, prior
to its passage into law.
Currently, there are a number of federal laws and regulations in place
which are designed to protect consumer privacy and which take direct aim
at the identity theft issue. At the conclusion of my testimony, Mr.
Fischer will review this impressive body of law, as well as the efforts
underway in Washington, D.C. to further address these issues. Thus, I
will confine my comments to the ways in which New York has addressed,
and continues to address, its citizens’ privacy concerns.
As I mentioned earlier, at the State level, legislation has also already been
enacted to address the identity theft issue. Among those initiatives is
the NYBA-supported 2002 law I previously referred to, that criminalized
the theft of identity and enhanced consumers’ rights to recover damages
caused by identity theft. In 2003, additional NYBA-supported
legislation was enacted to prohibit businesses from printing credit or
debit card numbers or expiration dates on electronically printed
receipts (see General Business Law Section 520-a, paragraph 4-a). The
language of this legislation was later incorporated – almost verbatim –
in the Fair and Accurate Credit Transaction Act of 2003 (the “FACT Act”)
at the federal level. New York law also specifically prohibits the
recording of credit card numbers on checks, and also limits the notation
of Social Security numbers on checks and other instruments. (See
General Business Law Sections 520-a and 518-a, respectively.) Most
recently, legislation was enacted in 2005 setting forth requirements for
notification to affected consumers in the event of a breach of security
of private information. Thus, there already exist a number of State
laws that protect New York’s consumers against the perils of identity
theft – and we commend the members of the Legislature for taking the
lead on this important matter.
As you explore what, if any, additional limitations on the use of personal identifying
information, such as Social Security numbers, may be appropriate, we
believe it important to keep in mind that many government entities,
businesses and not-for-profit entities rely on identifiers such as
Social Security numbers for important and appropriate uses. These range
from the facilitation of consumer credit, to control of money laundering
activities to the enforcement of parental support obligations. Thus,
any new laws should not be so broadly drafted as to hinder important
services and initiatives.
It is also important to ensure that any new legal requirements be consistent with those
established at the federal level in order to avoid a patchwork of
conflicting requirements. While Mr. Fischer will discuss in his
testimony the federal laws and regulations already in place, we think it
important to note that inconsistencies between State and federal
requirements and restrictions could only serve to cause inefficiencies
and inaccuracies in the banks’ administration of their privacy policies
and can unintentionally significantly impede commercial transactions, as
well as the battles against money laundering, terrorist activities, and
even identity theft itself. As the USA PATRIOT Act explicitly requires
banks to request Social Security numbers to identify every new consumer
customer, overly broad State restrictions may in some instances be
unworkable and even unenforceable.
In New York, as well, a number of laws include provisions requiring the use of Social Security
numbers and/or other personal identifying information. These include
laws pertaining to enforcement of child support obligations (see, for
example, Family Court Act Section 440); application information for
drivers licenses (see, Vehicle and Travel Law Section 502); the ability
of candidates to test the validity of test questions on civil service
exams (see Civ. Service Law Section 50-a); and information required to
be supplied by employers for the state directory of new hires (See Tax
Law Section 171-h). Sweeping prohibitions on the use of personal
identifying information could therefore unintentionally interfere with
important government goals.
The banking industry will also continue to protect its customers’
privacy interests through vigorous self-regulation. Development and
implementation of privacy principles have been part of individual banks’
corporate policies for many years. Indeed, long before the enactment of
the privacy provisions contained in the Gramm-Leach-Bliley Act of 1999 (GLBA),
the American Bankers Association, Consumer Bankers Association and the
Financial Services Roundtable developed joint industry privacy
principles. Since the advent of these joint industry privacy
principles, similar privacy policies were adopted voluntarily by many
banks nationwide, and a number of banks have for some time also
voluntarily posted their privacy policies on their websites.
Since the passage of the GLBA, I am proud to report that New York has
taken the lead on advancing the privacy concerns of its banking
customers, with the joint development by NYBA and the New York Clearing
House, of Best Practices Privacy Guidelines for Financial Institutions
(a copy of which is attached). These Guidelines seek to provide
effective approaches for the development and implementation of privacy
policies and include recommendations, among other things, for (i)
participation by bank management in the implementation and oversight
processes; (ii) appropriate and ongoing privacy training; (iii) limited
employee access to and other security procedures for the protection of
nonpublic personal information; and (iv) specific measures, designed to
prevent security breaches. In this regard, the Guidelines endorse the
use of procedures such as passwords, callbacks and signature
verification to combat identity theft. Many NYBA member banks post
information specifically addressing identity theft on their websites.
NYBA itself is also now offering an array of educational seminars and
products geared specifically towards the challenges of identity theft
and security procedures. These programs are being widely used by our
membership. Be assured, therefore, that New York’s bankers are taking a
voluntarily aggressive role in championing the privacy and data security
concerns of their customers.
Thank you for the opportunity to discuss this important issue and I now
will turn to Mr. Fischer for his statement, after which we would welcome
questions.
WRITTEN STATEMENT OF
L. RICHARD FISCHER
ON BEHALF OF
NEW YORK BANKERS ASSOCIATION
BEFORE THE ASSEMBLY STANDING COMMITTEE ON
CONSUMER AFFAIRS AND PROTECTION
ASSEMBLY STANDING COMMITTEE ON
GOVERNMENTAL OPERATIONS
ASSEMBLY STANDING COMMITTEE ON BANKS
STATE OF NEW YORK
SEPTEMBER 15, 2005
Chairwoman Pheffer, Chairwoman Destito, Chairwoman Nolan, and Members of the Assembly, my
name is Rick Fischer. I am a partner in the law firm of Morrison &
Foerster LLP, and I practice in the firm’s Washington, D.C. office. I
have nearly 35 years of experience in advising banks, financial services
companies and other companies on retail banking issues, including
privacy and information security. I am pleased to appear before you
today on behalf of the New York Bankers Association to discuss the
important issue of the regulation of Social Security Numbers (“SSNs”)
and other sensitive personal information.
I wish to build on the testimony offered to you today by Michael Smith of the New York Bankers Association. First,
I will review how businesses use SSNs and the legislative and regulatory
framework for regulating the use of SSNs and other sensitive personal
information.
Second, I will articulate key principles that, in my view, provide the basis for implementing a meaningful,
workable approach to enhance information security and to protect against
the significant risks of identity theft and other harms resulting from
the inappropriate use of sensitive personal information, including SSNs.
USES OF SOCIAL SECURITY NUMBERS AS IDENTIFIERS
The privacy of personal information,
including SSNs, has received heightened attention as a result of media
reports of security breaches affecting many U.S. consumers. This focus
has renewed concerns about the loss of privacy, as well as possible
monetary and reputational harm to consumers. A common focus of these
concerns is the misuse of SSNs and other sensitive personal information
and the role of this information in identity theft. While industry and
government work together to promote increased protection for SSNs, it is
important to remember that a broad range of government, business and
non-profit entities use SSNs for many important legitimate purposes. As
a result, policy makers must exercise care in their efforts to adopt
legal reforms in order to avoid imposing unduly burdensome requirements
or creating new risks for the governmental entities and private
organizations that rely on this information.
The concern that the widespread use of SSNs
for identification purposes could pose a threat to consumers is not new;
it was raised over thirty years ago in a report commissioned by the then
Department of Health, Education, and Welfare (“HEW”) entitled “Records,
Computers and the Rights of Citizens” (“Report”). This HEW Report noted
that “until safeguards against abuse of automated personal data systems
have become effective, constraints should be imposed on use of the SSN.”
While other recommendations in the HEW Report led to the adoption of the
Privacy Act of 1974, which established requirements for notice, access
and correction of information in federal government databases, Congress
did not feel the need to take action with respect to SSNs.
Since 1973, the use of SSNs as identifiers
in day-to-day transactions has grown dramatically. Today, such critical
daily decisions as employment, credit and insurance are heavily
dependent on the availability of SSNs. While some may argue that these
industries existed prior to the expanded use of SSNs, the marketplace
has changed dramatically. Any government-imposed curtailment of the use
of SSNs must recognize the important uses of SSNs, at least until a
suitable substitute can be identified and implemented.
Although the SSN is not a “standard
universal identifier,” it does provide a unique number that is issued by
the federal government and can be effectively used to link information
to each individual. More than 280 million people live in the United
States, and tens of thousands of these people share the same name.
And, many people who share the same name also share other identifying
information, such as city and state of residence. Unlike other
identifying information, such as name, address and marital status, an
individual’s SSN does not change over his or her life, and no other
living person shares that unique number. Without SSNs, files on the
same individual can become fragmented each time the individual’s name is
abbreviated (e.g., using initials, shortening first name or
dropping “Jr.” or “Sr.”) or misspelled, and a separate file may be
established for each name variation. Using an individual’s SSN is the
most reliable way to efficiently tie together such fragmented files.
In previous generations, most consumers
lived, worked and shopped within their local community and could
establish their good name in the community to obtain employment, credit,
insurance and other services. With today’s more mobile population—and
with the emergence of national markets due to the Internet and other
improvements in communication—the vast majority of businesses obtain and
use SSNs to effectively identify consumers. If a business obtains a
consumer’s SSN for employment purposes or for a credit transaction
involving the consumer, the consumer benefits because the business can
use the SSN to identify the consumer and obtain accurate information
about the consumer, such as a credit report, to enable the business to
confidently and safely make a decision about a consumer who is not known
to the business. Proper identification enables a business to
effectively evaluate the consumer for employment, credit or insurance,
to properly record transactions and to fulfill its legal obligations,
including tax reporting and customer identification under the USA
PATRIOT Act. In fact, section 326 of the USA PATRIOT Act requires
every bank to request an SSN to identify every new consumer customer.
The more efficient and accurate the system, the greater are the benefits
to pass through to consumers, and the more security that results for the
employer and society as a whole. Any effort to regulate the sale, use
or display of SSNs must recognize the tradeoff between privacy concerns
and the important benefits that consumers receive from the use of their
SSNs.
For example, use of SSNs greatly
facilitates the availability of credit to consumers, including
facilitating credit checks and preventing fraud. Consumer credit plays
a vital role in the United States economy. Two-thirds of the United
States economy is based on consumer spending, and a significant portion
of this spending depends on the availability of consumer credit,
including mortgages, auto loans and credit card accounts. Consumer
credit is important not only to banks, but also to businesses selling
goods that often require financing, such as furniture, appliances and
automobiles. Moreover, the use of credit cards for payment purposes is
important to all retail businesses, particularly small businesses.
Banks, insurance companies, utility
companies, wireless phone providers and many other businesses use SSNs
to obtain credit reports, credit scores and credit-based insurance
scores. The nationwide consumer reporting agencies (“CRAs”) maintain
credit files on nearly 200 million individuals. These files are linked
to SSNs. If businesses cannot obtain SSNs and provide these numbers to
CRAs when requesting credit reports and credit scores, it would be
difficult, if not impossible, to ensure that the credit report or credit
score they receive corresponds to the appropriate consumer. At a
minimum, this process of identifying and approving consumers would be
slower, more costly, and far less accurate without the use of SSNs.
And, delays in approving credit would be particularly hard on retail
stores that offer “instant credit” to their customers, auto dealers
seeking immediate financing and others for whom prompt approval of
credit is key to business operations. Timing of the confirmation of
identity and the availability of credit also is important to the
consumer. Banks and other businesses use identification services based
on SSNs to properly identify consumers and to prevent identity theft and
other fraud.
Without the use of SSNs, the ability of
businesses to screen applicants for employment also would be impaired.
Many businesses obtain SSNs from job applicants in order to obtain
credit reports or to conduct background checks. For example, businesses
ranging from retail stores to nursing homes, day care centers, private
schools and security companies obtain and use SSNs in order to determine
job applicants’ histories. And, for tax purposes, all employers
are required to obtain and enter on every W-2 form each employee’s name
and SSN.
If the sale, use or display of SSNs is
prohibited, creditors will have difficulty ascertaining the true
identity of those to whom they are lending, insurers will not know who
they are insuring and employers will not know who they are employing.
If businesses cannot obtain and use SSNs to verify the identity of
consumers, fraud, including identity theft, will increase dramatically.
In addition, if SSNs cannot be obtained,
banks and other financial institutions will not be able to comply with
federal laws designed to prevent money laundering and terrorist
financing. As indicated above, the regulations implementing section 326
of the USA PATRIOT Act require every bank, as part of its customer
identification program, to collect taxpayer identification numbers for
consumers, typically SSNs, and to verify the identities of individuals
seeking to establish a new credit account, open a new deposit account or
establish any other retail or business customer relationship.
At some point, it may be possible to
develop a secure and dependable replacement for SSNs such as a biometric
identifier; however, any such system would require years, if not
decades, to implement, could substantially increase personal
verification and transactions costs and, ultimately, could be just as
susceptible to fraud as SSNs. Other avenues of detecting and preventing
identity theft and other abuses of personal information are being
developed. Rather than trying to control access to information about
consumers, the better approach is to encourage new technologies that
focus on individual behavioral patterns and have shown the potential to
spot fraudulent activity quickly.
In the meantime, any decision to limit the
use of SSNs must include exceptions for the important and legitimate
uses of SSNs by businesses, including for the prevention of fraud, the
protection of the nation against terrorists and criminal activities, the
facilitation of credit checks and the identification of individuals
hired to care for others, particularly children and the elderly.
FEDERAL LAWS AFFECTING THE USE OF SOCIAL SECURITY NUMBERS AND OTHER SENSITIVE PERSONAL INFORMATION
Existing federal laws and regulations
already protect against the misuse of personally identifiable
information, including SSNs, by limiting the disclosure of that
information and by mandating data security programs for many, but not
all, organizations.
Gramm-Leach-Bliley Act Privacy Rules
The privacy provisions of the Gramm-Leach-Bliley
Act of 1999 (“GLBA”), implemented through rules adopted by the federal
banking agencies and the Federal Trade Commission (“FTC”), already
prohibit banks and other financial institutions from disclosing personal
information about consumers, including SSNs, to third parties beyond a
limited list of exceptions, such as servicing a financial product
requested by the consumer or complying with federal and state laws.
The GLBA and agency privacy rules already
apply to a broad range of financial institutions, including banks,
insurance companies, securities firms, finance companies and mortgage
lenders. In addition, any person or company that receives protected
personal information from a financial institution must comply with
limitations on how that information can be used and redisclosed.
GLBA and FACT Act Data Security Rules
Federal laws and regulations also impose
obligations on financial institutions to protect the personal
information of customers, including SSNs, and to protect both customers
and themselves against fraud. By implementing section 501(b) of the
GLBA, the federal banking agencies and the FTC have established security
standards for all financial institutions. Under these federal agency
standards, financial institutions must establish and maintain
comprehensive information security programs to identify and assess the
reasonably foreseeable threats to customer information and then control
those potential risks by adopting appropriate security measures. In
doing so, financial institutions also must carefully select and monitor
their service providers and confirm that those service providers
establish corresponding security standards for all sensitive customer
information, including SSNs.
Under these same information security
standards, financial institutions also must establish appropriate
policies and procedures to properly dispose of personally identifiable
information about their customers. This requirement is implemented by
rules recently adopted by the federal banking agencies and the FTC under
the Fair and Accurate Credit Transactions Act (“FACT Act”). These rules
are designed to provide additional protection against identity theft or
other harm that can occur as a result of the loss or theft of
information being disposed of by a financial institution.
USA PATRIOT Act Identification Requirements and FACT Act “Red Flag” Guidelines
In accordance with section 326 of the USA
PATRIOT Act and related federal rules, financial institutions must
verify the identity of each customer who opens a new account or other
banking relationship. Although generally designed to detect and deter
money laundering and terrorist financing, these requirements also are
instrumental in preventing fraud and identity theft. Each financial
institution must develop a customer identification program to verify the
identity of each new customer and must maintain the resulting
identification and verification records. And, as noted above, the use
of SSNs is essential to accurate verification and compliance. In fact,
since banks are required by federal law to obtain and verify SSNs for
all new consumer customers, it is unlikely that any state restrictions
could interfere with this federal mandate.
In addition, recent amendments by the FACT
Act direct the federal banking agencies and the FTC to adopt new
regulations and guidelines that will require financial institutions to
implement additional policies and procedures designed to detect and
prevent identity theft. These “red flag” guidelines will require
institutions to use additional measures to detect and respond to
potential identity theft and other fraud, including new rules to verify
the identity of loan applicants.
Federal Banking Agency Breach Notification Rules
Federal banking agencies also recently
issued final interagency guidance on response programs for unauthorized
access to customer information and customer notice (“Guidance”). The
Guidance requires every financial institution that is subject to the
banking agency GLBA data security rules to implement a response program
designed to address incidents of unauthorized access to customer
information maintained by the institution itself or by the institution’s
service providers. A financial institution’s response program must
include procedures to notify both the institution’s primary regulator
and its customers in response to security breach incidents that
compromise sensitive customer information, including SSNs. In addition,
financial institutions must have procedures in place to assess the
nature and scope of an incident, to identify what customer information
systems and types of information have been accessed or misused and to
take appropriate steps to contain and control the incident.
Specifically, the Guidance establishes uniform rules that require each
financial institution to: (1) notify the institution’s primary federal
regulator; (2) notify appropriate law enforcement authorities consistent
with existing suspicious activity report rules; and (3) notify its
affected customers under prescribed circumstances.
State and Federal Initiatives on Data Security and Breach Notification
In response to a series of highly
publicized security breach incidents, several states, including New
York, also have adopted laws identifying sensitive personal information,
including SSNs, and requiring organizations to notify consumers of
security breaches that compromise that information and create a risk of
identity theft or other harm. Such consumer notice is important when
the theft of sensitive information creates a significant risk of harm
and notice will enable consumers to protect themselves against that risk
of harm.
Congress also is currently considering a
number of federal legislative initiatives that could affect the use of
SSNs and other sensitive personal information. One type of legislation
seeks to regulate so-called information brokers, or information service
providers, that offer information products consisting of SSNs and other
sensitive personal information that are not “consumer reports” and,
thus, are not currently regulated under the federal Fair Credit
Reporting Act. In particular, some of these legislative initiatives
seek to promote greater security standards for a broader range of
entities that maintain databases containing sensitive personal
information, including SSNs. For example, some policy makers in
Washington believe that the GLBA should be amended to require
information companies that are not currently “financial institutions”
under that statute to comply with information security standards similar
to those that already apply to financial institutions under rules
established by the federal banking agencies and the FTC. Still other
federal legislative proposals would require notification of a security
breach similar to the notification law recently adopted in New York.
State Legislative Initiatives to Protect SSNs
As you are aware, New York currently is
considering several bills that either seek to regulate the use of SSNs
by businesses and state agencies or seek to regulate the use of other
sensitive personal information by businesses and state agencies. Other
states have enacted statutes governing SSNs. For example, Michigan
enacted the “Social Security Number Privacy Act” (S.B. 795), with
effective dates of March 1, 2005 and January 1, 2006, which restricts
the use of more than four sequential digits of an individual’s SSN as
the individual’s primary account number, prohibits a person from
requiring an individual to use or transmit more than four sequential
digits of the individual’s SSN over the Internet or a computer system,
unless the connection is secure or the transmission is encrypted, and
prohibits a person from including more than four sequential digits of
the SSN in or on any document or information mailed or otherwise sent to
an individual if the number is visible on or from the outside of the
envelope.
In addition, California enacted S.B. 1618,
which provides that by January 1, 2008, employers may display no more
than the last four digits of an employee’s SSN, or other employee
identification number, on pay stubs or on other checks or vouchers.
Congress also is considering legislation to
restrict the public display or sale of SSNs. Some federal legislative
initiatives, like S. 29, focus principally on the protection of SSNs,
while other legislation, like S. 1408 recently passed by the Senate
Commerce Committee, addresses a number of data security issues,
including the protection of SSNs. Until Congress acts in this area, I
believe that states have the ability to adopt laws to protect SSNs, like
the Michigan and California laws described earlier, even if states do
not have the ability to interfere with the obligation of banks to obtain
and verify SSNs, as required by the USA PATRIOT Act.
While the various federal legislative
initiatives are still very much in a state of flux, I believe that the
approach offered by Chairwoman Deborah Majoras of the FTC takes the
correct approach. The basic obligation to protect sensitive personal
information, including SSNs, should apply broadly to all government and
private entities that maintain such information. Since many types of
companies currently are not subject to information security requirements
like those applicable to banks under the GLBA, appropriate legislation
could be enacted to require those companies to safeguard sensitive
personal information, just like financial institutions are required to
do today. Rather than attempting to prohibit industry use of SSNs and
other personally identifiable information, however, a better response
lies in more uniform standards for information security.
In this regard, I believe that a law that
would require government and corporate entities that maintain sensitive
personal information to notify individuals upon discovering a
significant breach of security would protect against the misuse of such
information. For example, the central public policy principle
underlying the recently-enacted New York notification law, and which is
increasingly predominant in discussions of proposals for a new federal
law, is that an individual should be alerted about a security breach
involving information when such a notice would actually help the
individual protect himself or herself against what appears to be a
significant risk of identity theft or other harm due to misuse of
sensitive information. As FTC Chairwoman Majoras recently testified to
Congress, however, notices should be sent only if there is a
“significant risk of harm,” because notices sent when there is not a
significant risk of harm actually can cause individuals to overlook
those notices that really are important. Here again, I believe that
Chairwoman Majoras has suggested a sensible approach.
Key Principles When Considering Legislative Solutions
Since you and other officials here in New
York, and your counterparts in Congress, are considering whether new
laws should be enacted or designed to reduce the harm associated with
identity theft through restrictions on the sale or use of SSNs and other
sensitive personal information, I would like to elaborate on the key
principles that, in my view, should guide the development of such
legislation. I believe an effective response must address two
objectives: to protect sensitive personal information, including
SSNs, from inappropriate sale or use, and to do so without harming consumers or
businesses by creating inefficiencies in the marketplace. Although
protection of sensitive personal information and the prevention of
identity theft are both important objectives, the central task is to
accomplish these objectives without impeding legitimate access to
sensitive personal information, including SSNs.
As Michael Smith from the New York Bankers
Association has testified, any new laws in this area also should be
consistent in order to avoid a patchwork of conflicting requirements
across state borders. This undoubtedly would result in additional
expenses, and inaccuracy and inconsistency in consumer information. As
a result, given the federal initiatives presently under way, it may be
prudent to allow the federal government to act before taking any
legislative action on the state level with respect to restrictions on
the sale or use of SSNs. A lack of uniform standards on SSNs and other
sensitive personal information could be unintentionally harmful to the
very people the laws are designed to protect by decreasing accuracy
and efficiency in essential areas, such as consumer credit and
employment.
Of the many clients I advise on privacy and
data security issues, virtually all of them serve consumers in multiple
states, if not all states. As a result, I have found that a set of
consistent standards for obtaining, using and protecting sensitive
personal information, like SSNs, is vital. If states continue to enact
laws affecting SSNs and other personally identifiable information and
those laws are not consistent throughout the country, compliance with
the myriad of resulting requirements will become increasingly
difficult. If state and federal laws impose conflicting requirements,
sorting through the various factors that affect a business’s data
security and authentication practices wastes resources and valuable time
and, thereby, impedes effective and timely delivery of services to
consumers.
I believe that enacting new laws to
implement a meaningful and workable approach to enhance information
security generally, and the protection of SSNs in particular, should be
based on four key principles:
· First, require all government and business entities to develop and use appropriate safeguards to protect the sensitive personal information they maintain, including SSNs;
· Second, avoid prescribing detailed, static data security rules;
· Third, require heightened security standards only for truly sensitive personal information, such as SSNs; and
· Fourth, include clear exceptions for obtaining and using SSNs and other sensitive information for legitimate government and business purposes.
Require All Entities to Develop Safeguards for Sensitive Personal Information
Any new law should apply to all government
and business entities that maintain sensitive personal information, such
as SSNs, not just to financial institutions. If statutory and
regulatory requirements apply only to certain kinds of entities, like
financial institutions, that maintain sensitive information, then
identity thieves will exploit the gaps in that fragmented scheme of
protection. And, from the perspective of an individual whose sensitive
personal information is potentially at risk, the obligation to employ
reasonable data security safeguards should depend only on the
sensitivity of the data, not on the type of entity maintaining that
data.
Avoid Prescribing Detailed, Static Data Security Rules
New laws should not prescribe detailed,
static data security rules because the circumstances vary among
organizations and the tactics used by identity thieves are constantly
changing. In particular, companies must be allowed to use the
safeguards that best suit the configurations of their own information
systems and operations. Methods for using, storing and transmitting
personal information vary dramatically among companies. In addition to
the technological characteristics of their information systems,
companies have different forms of organization, employee training
programs and audit controls that, taken together, dramatically influence
the safeguards that can be meaningfully applied to sensitive personal
information. Moreover, articulating specific data security rules and
uniformly requiring companies to implement those rules will greatly
assist identity thieves in locating and accessing sensitive
information.
Require Heightened Security Standards Only for Truly Sensitive Personal Information
New laws should require heightened security
standards only for truly sensitive personal information, like SSNs.
Organizations already invest substantial resources in protecting their
information systems from a wide variety of internal and external
threats, including environmental hazards. These safeguards are
constantly improving and generally protect information from unauthorized
acquisition or misuse by persons within or outside of their
organizations.
Any new laws mandating rules for obtaining,
using and storing personal information should not apply indiscriminately
to all of the data that government and corporate entities maintain,
because the marginal benefits potentially realized through those
additional measures simply cannot be justified by the costs or the
adverse impact on both consumers and businesses. Instead, any new laws
should focus only on the most sensitive information that could place
individuals at a significant risk of harm. Focusing on truly sensitive
personal information, such as SSNs, enables entities to protect the most
important personal information without unduly impairing their business
operations.
Establish Exceptions for Legitimate Purposes
As indicated above, both government
agencies and businesses use SSNs, and other sensitive information, for
many important legitimate purposes. Important anti-crime and
anti-terror initiatives depend on the use of such information. Our
national credit granting programs and credit reporting systems cannot
effectively operate without SSNs, and SSNs are central to properly
identifying prospective employees, particularly those who will be
responsible for overseeing children and the elderly. As a result, a
broad set of exceptions covering the full range of appropriate
information uses is essential. At a minimum, any state or federal
legislation that would restrict the acquisition or use of information,
such as SSNs, must incorporate the full set of exceptions found in
section 502(e) of the GLBA. The Senate Commerce Committee added this
set of exceptions to the provision of S. 1408 governing SSNs and similar
exceptions are essential for any other legislative initiatives in this
area.
Again, I appreciate the opportunity to
appear before you today, and I would be pleased to answer any
questions.