Thank
you, Chair Prozanski and members of the committee, for the opportunity
to testify here today on the topic of protecting consumer credit
security and preventing identity theft. My name is Laura Etherton, and
I’m OSPIRG’s Consumer Advocate. OSPIRG, Oregon State Public Interest
Research Group, is a non-profit, non-partisan public interest
organization.
Consumers’ personal information is collected,
compiled and maintained by numerous companies and institutions, largely
for legitimate purposes. Banks, hospitals, universities, employers,
credit card companies and others maintain consumers and employees
information as an integral part of conducting their business. Data
brokers, on the other hand, such ChoicePoint have as their business,
the collection and sale of personal information. And finally, the three
national credit bureaus, Equifax, Experian and Trans Union, collect
information about consumer credit worthiness, maintaining a file on
nearly every adult American. We are all familiar with the resulting
credit report.
The
security consumers’ personal information is critically important. But
when that security is breached, it can cause damage, not only to the
consumer, but the entire system. Identity theft is currently the most
significant example of what happens when a consumer’s personal
information falls into the wrong hands.
Identity
theft occurs when someone uses your personal information without your
permission to commit fraud or other crimes. If identity thieves have
your personal information, such as your social security number, they
can often get credit issued to them in your name. Currently, gaps in
the system allow thieves to get access to personal information too
easily, and make it too easy for thieves to use that information to get
credit issued in the victim’s name.
The
entire nation is in the midst of an identity theft epidemic. The
problem is particularly acute here in Oregon – in fact the Federal
Trade Commission, the FTC, ranks Oregon as the 13th state in the nation
for identity theft.
To
protect consumers, Oregon must enact meaningful legislation to help
discourage identity theft from occurring in the first place, to give
law enforcement the tools to solve these crimes and protect public
safety, and to give consumers the tools they need to minimize the
damage identity thieves inflict on their finances, credit, and good
name.
To
succeed, it will take a two-pronged strategy. First, stop the flow of
personal information to identity thieves. Second, block thieves who
have obtained personal information from being able to get credit in the
victim’s name.
First, I’ll talk about the flow of personal information to thieves. One
major factor in the spread of identity theft crimes is the prevalence
of security breaches of thousands of individuals’ personal information.
Providence Home Services’ loss of over 350,000 patients’ private
information, including social security numbers, is just the most recent
example of a troubling trend. In 2005, we saw widespread security
breaches – where businesses and institutions allowed personal
information to be accessed by unauthorized people, losing or misplacing
personal information, or even selling information to a ring of identity
thieves.
For
example, Bank of America lost data tapes with over 1.2 million
customers’ personal information. Time Warner lost or misplaced over
600,000 individual employee records. LexisNexis, an online database and
data-broker breached computerized data effecting over 310,000
consumers. MasterCard, in the largest known breach this year in terms
of the numbers of individuals effected, breached the credit card
information of 40 million consumers. ChoicePoint sold 145,000
individuals’ personal information to an international ring of identity
thieves.
To
deter such flagrant breaches and encourage greater security be afforded
to consumer’s private information, Oregon must require companies to
notify consumers and law enforcement of any breach immediately. This
notification allows law enforcement to take appropriate action; and
alerts consumers to take appropriate action, such as monitor their
credit reports. In fact, the reason we know about the ChoicePoint
security breach is because another state required notification. Now,
security breach notification laws are on the books in 23 states. Oregon
ought to enact the strongest possible security breach notification law,
and do it as soon as possible.
In
addition to security breach notification, the other critical components
of the strategy to stop the flow of information to the wrong hands are
adequate document destruction on the part of businesses and
institutions, and protection of social security numbers.
Now
I’d like to talk about how Oregon can block would-be identity thieves
from getting get credit in the victim’s name. The most effective way to
do this is by giving all Oregonians the right to request a “security
freeze” on their credit reports.
With
a security freeze, a consumer can block access to his or her credit
report, through the use of a PIN. To initiate a security freeze the
consumer must take the proactive step of sending a certified letter to
a credit reporting agency. A security freeze does not hamper a
consumer’s ability to use existing credit, or seek new credit, as a
consumer can temporarily remove the freeze by using the PIN. Currently,
twelve states have Security Freeze laws on the books. OSPIRG urges the
Oregon Legislature to give all Oregonians the right to put a security
freeze on their credit reports to stop identity thieves in their tracks.
Thank
you for examining this important problem facing Oregonians. At OSPIRG,
we look forward to working with the Committee and the Legislature as a
whole to make sure Oregon provides consumers with robust measures to
protect credit security.
