Privacy Rights Clearinghouse
Comments on the Availability of Sensitive Information about Consumers and Its Possible Use for Financial Fraud
Board of Governors of the Federal Reserve System
Docket No. R-0953
By Beth Givens, PRC Director
Recent amendments to the Fair Credit Reporting Act, signed into law on September 30, 1996, directed the Board of Governors of the Federal Reserve Board to conduct a study on the availability of sensitive identification information about consumers and the possible use of such information for financial fraud.
The comments provided herein by the Privacy Rights Clearinghouse focus on "credit header" information as well as the widespread availability of Social Security numbers.
The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer education and research project serving primarily the state of California. It publishes a series of consumer guides on how to safeguard personal privacy and operates a hotline for consumers to call with their questions and complaints. Since is first began in October 1992, the PRC has fielded about 40,000 calls from consumers. PRC publications can be found on its Web site at http://www.privacyrights.org .
The PRC is a project of the Utility Consumers' Action Network (UCAN) of San Diego, California. For its first four years it was administered by the Center for Public Interest Law at the University of San Diego School of Law. The PRC was established with funding from the California Public Utilities Commission's Telecommunications Education Trust and is currently funded by several grant programs, corporate sponsors and family foundations.
Accessibility of credit header data
Credit header data is the identifying information that accompanies consumers' credit reports. It consists of name, name variations, address, former addresses, telephone number (even unlisted numbers if known), date of birth (usually limited to month and/or year of birth) and Social Security number. Although credit header information is generated as part of the credit reporting process, the Federal Trade Commission has determined that it is not part of the credit history and therefore is not regulated under the Fair Credit Reporting Act.
Therefore, credit header data is sold separate from the credit history and has become the mainstay of a number of "people-finding" services provided by information vendors such as CDB Infotek, Lexis-Nexis, Information America and IRSC, to name a few. (A description of CDB Infotek's "Missing Links" service is attached to these comments.)
In fact, it is the P-Trak service of Lexis-Nexis that sparked the controversy in the fall of 1996 when thousands of consumers demanded that their records be removed from the P-Trak data base. The outcry was prompted by a widely disseminated electronic mail message which claimed that personal data, including individuals' Social Security numbers (SSNs) and mother's maiden names, were being sold. In fact, the posting was partially in error. Lexis-Nexis had removed the SSN from the display screen earlier in the summer after receiving numerous complaints from consumers (however, it did not remove the SSN from the record itself); and it did not sell mother's maiden names, only maiden names when known.
Nonetheless, the outcry persisted. The P-Trak controversy is significant because it represents the first time that large numbers of consumers realized what had been going on for many years -- the unrestricted sale of personally identifiable data, including SSNs, and the availability of such data via online services.
What most consumers do not understand, however, is that P-Trak data is comprised of the credit header data sold by Trans Union, one of the three major credit reporting firms. And most consumers also do not understand that Lexis-Nexis is only one of many information vendors which sells this type of data.
The thousands of consumers who contacted Lexis-Nexis may have felt relief at being removed from that data base. But such relief is not warranted. The very same data is sold by many other information vendors who do not offer name-removal options. We liken the removal of one's record from P-Trak as taking a teaspoon down to the beach and attempting to remove the sand, spoonful by spoonful.
The use of sensitive data for financial fraud: the role of the Social Security number
The Federal Reserve Board has asked if the availability of such data is a factor in financial fraud. In addressing that question, we will limit our comments to "identity theft." This term has come to describe the fraudulent use of an individual's identifying data to take over existing credit accounts or apply for new credit accounts and to make purchases of goods and services in the individual's name. The term can also apply to checking accounts. ("Identity theft" can also pertain to other realms of life, such as utilities accounts and drivers licenses, which are outside the scope of this proceeding.)
The impact of identity theft on victims is devastating. Their credit histories are ruined and they are likely to spend months, even years, in restoring their financial health. Further, victims get virtually no help from the authorities in dealing with the problems they face. And they rarely have the satisfaction of seeing their perpetrators prosecuted and punished.
We have spoken with hundreds of identity theft victims in the past three years. (Identity theft was the number one topic of concern on the PRC hotline last year, constituting 25% of our calls.) The piece of data essential to the imposter=s success in impersonating nearly all of them was the Social Security number. We do not know to what extent credit header data, per se, is a factor in such identity theft cases. In fact, imposters have many ways to obtain Social Security numbers and other key pieces of data, among them, dumpster diving, mail theft, and fraudulent access to credit reports in companies such as auto dealerships where there is online access to credit bureau data bases.
But the fact remains that the credit header data, which includes consumers' SSNs, is available inexpensively through numerous outlets; and laws and regulations do not restrict access to such data. (We are aware of one local information vendor which offers to provide a data profile on anyone for as little as $29.)
A further fact about credit header data deserves your consideration. Credit header data bases are, for all practical purposes, not consensual. Consumers have no choice in the matter. Anyone who participates in the credit economy, which is the vast majority of adults and even many youth, has a credit report. As a result of having a credit report, credit header data is compiled. The credit bureaus do not offer consumers the ability to "opt out" of the sale of credit header data to the many information vendors who package and resell that data as part of people-finding and other investigative services. (The credit bureaus do allow consumers to opt out of the sale of their data for credit pre-screening and marketing purposes, but that is another matter entirely and does not pertain to this inquiry.)
Restricting access to such data
We believe it is imperative that credit header data be considered an integral part of the credit report, and that it therefore be regulated under the Fair Credit Reporting Act (FCRA). This would limit access to such data for the permissible purposes associated primarily with granting credit. The sensitive data that is contained in the credit header would, as a result, be significantly restricted. (We also favor not expanding the permissible purposes of the FCRA beyond the credit realm.)
We note that the unfettered sale of credit header data runs contrary to one of the basic tenets of the Fair Information Practices, namely "secondary use," which states: Information that is obtained for one purpose shall not be used for other purposes without the consent of the data subject (paraphrased from the code of Fair Information Practices developed by the U.S. Department of Health, Education and Welfare in 1973, as cited in Robert Ellis Smith's The Law of Privacy Explained, Privacy Journal, 1993).
Policymakers might be tempted to take the narrow action of removing only the SSN and birthdate from credit header data and allowing the continued sale of credit header data containing name, address, former addresses, and telephone number.
We would not favor such an approach for the following reasons. First, as discussed above, credit header data is essentially nonconsensual. No personal information should be sold where consumers lack the ability to opt out of such sale. Second, for a growing number of consumers, address and phone number are considered to be highly sensitive. We have talked to many who are as concerned about limiting access to this information as they are about their SSNs. Third, identity thieves can get a great deal of mileage out of name, address and telephone number information. When fraudulently filling out credit card applications, their ability to enter correct addresses, former addresses and phone numbers, especially unlisted numbers, enhances their ability to be granted credit.
Further restrictions on Social Security numbers
We further believe that, given the centrality of the Social Security number in financial fraud, restrictions should be placed on uses of the SSN throughout society. Today, SSNs are used as record-keeping and account numbers by countless entities in the private, nonprofit and public sectors. As a result, SSNs are a common part of the information landscape, easily available to anyone bent on committing financial fraud.
The argument could be made that "too much water has gone over the dam" and that it may be impractical to attempt to rein in the myriad uses made of the SSN today. However, given the harm experienced by victims of identity theft and financial institutions due to the ease of access to SSNs, it is imperative that policymakers address this issue.
We can envision a two-pronged law which (1) restricts the uses that can be made of the SSN in the public, private and nonprofit sectors and (2) prohibits its display on objects and documents that are easily viewed by others. The following list includes a small sampling of the many items on which SSNs are displayed today: employee name badges, employment parking permits, health insurance cards, drivers licenses, Medicare cards, military ID cards, college ID cards, the posting of grades for college classes, mailing labels of federal and state tax authorities, mailing labels of the Social Security Administration, to name just a few. It takes no stretch of the imagination to see how easy it is for identity thieves to obtain Social Security numbers to perpetrate financial fraud. Action should be taken to remove SSNs from the information landscape.
The Privacy Rights Clearinghouse appreciates the opportunity to submit comments for this proceeding. You may feel free to contact us if you wish further information on the problem of financial fraud, and particularly on identity theft. As discussed above, identity theft is the number one topic of concern on the PRC's hotline. We have compiled a great deal of information from consumers who have contacted us on that subject. We have also received many calls from consumers who have complained about the widespread uses and abuses made of Social Security numbers by private, public and nonprofit sector entities. We are willing to share that information with policymakers as well.