Testimony of Edmund Mierzwinski on behalf of U. S. Public Interest Research Group (U.S. PIRG) Before the Subcommittee on Social Security House Ways and Means Committee Hearing on Misuse of Social Security Numbers

Honorable Clay Shaw, Chairman

22 May 2001  

Chairman Shaw and members of the committee: We are pleased to present the views of the U.S. Public Interest Research Group on the misuses of Social Security numbers. As you know, U.S. PIRG serves as the national lobbying office for state Public Interest Research Groups, which are non-profit and non-partisan consumer and environmental advocacy groups active around the country.

Summary

U.S. PIRG believes that the widespread availability of the social security number contributes to identity theft, which is well-documented as one of the nation’s fastest growing white-collar crimes. The 1999 and 2000 amendments to the Drivers Privacy Protection Act by Senator Shelby form an excellent basis toward changing the previous misguided Congressional strategy of carving out exceptions to Social Security Number protections and instead working to close loopholes. [1] We look forward to working with the committee on developing additional protections.

We believe that the two most important actions Congress could take would be to extend a strong anti-coercion provision to private sector use of the Social Security Number and to close the recently-narrowed credit header loophole, which allows secondary use of Social Security Numbers without consent. The credit header loophole has led to the proliferation of information broker websites that make it easy for identity thieves and stalkers to obtain Social Security Numbers and other bits and pieces of a consumer’s identity that are used to build a fraudulent identity in the victim’s name. Any legislation enacted should be simple, based on Fair Information Practices, and contain as few loopholes and exceptions as possible. It is critical that new legislation not preempt or roll back existing privacy protection under either the Gramm-Leach-Bliley regulations or the Shelby amendments.

(1) Principles of Social Security Number Protection: Simplicity, With Few, If Any Exceptions and Loopholes

U.S. PIRG concurs with the views of our colleagues today from the Electronic Privacy Information Center (EPIC) and the Privacy Times. We believe that the most effective way to protect Social Security Numbers would be to enact simple, straightforward legislation that reins in the widespread non-statutory uses of the Social Security Number as an identifier in the private sector. [2] One simple way to do this would be to extend Section 7 of the Privacy Act, [3] which protects the Social Security Number in government uses with an anti-coercion provision, to the private sector. Your bill in the 106th Congress, HR 4857, included such a provision. It would have made coerced demand of a consumer’s Social Security Number an unfair trade practice under Section 5 of the Federal Trade Commission Act.

Privacy expert Robert Ellis Smith [4] , the publisher of Privacy Journal and author of “Social Security Numbers: Uses and Abuses” (May 2001) has recently proposed a similarly simple Social Security Number protection scheme. Here is Smith’s proposal, with his explanations in brackets:

1. “It shall be illegal to buy or sell the Social Security number of a person.” [This is the source of much identity theft; it is always a secondary use of the SSN; and it is inconsistent with using the SSN as an AUTHENTICATOR of personal identity.]

2. “No person shall be required to provide a Social Security number on an application for credit or on a request for a copy of one’s own credit report under the Fair Credit Reporting Act.” [The FCRA merely requires satisfactory proof of identity to see one’s own credit file. Use of SSNs to make a match between a requested credit report (by a credit grantor) and a credit report in a credit bureau’s system has been the cause of confusion for credit grantors, nightmares for consumers, and identity theft. If credit bureaus did not rely on SSNs to make a match, 80 percent of identity theft would cease. There is a long list of case law to support the need for this provision.]

3. “No person shall be compelled or coerced into providing a Social Security number for any transaction unless there are income-tax consequences in the transaction or there is relevance to Social Security, Medicare, or Medicaid benefits. No person shall be compelled or coerced into providing a Social Security number on an application of employment until there has been a firm offer of employment. Any application for employment shall state that the request for the Social Security number prior to a firm offer of employment is voluntary.” [This would essentially freeze demands for Social Security numbers in a way least disruptive to organizations currently relying on SSNs. It would tie demands for Social Security numbers to the two original purposes (SSA administration and federal taxes) ­ two uses that are at least anchored in long-standing law. Placing SSNs on job-application forms increases the risk of exposing them to fraudulent users of SSNs.]

4. “No institution of higher education or elementary or secondary school shall use a student’s Social Security number as a student identification number.” [An alarmingly high number of identity theft frauds originated from SSNs taken from universities. Deterring school systems from using the SSNs as a student ID number will permit parents to delay labeling their children with numerical IDs.]

Alternatively, several more comprehensive proposals were presented in the 106th Congress to protect Social Security Numbers. Most notably, HR 4857 (Shaw-Matsui-Kleczka) was favorably reported by the Ways and Means Committee. [5] The bill included two critical provisions. In addition to its strong private sector anti-coercion provision, HR 4857 incorporated provisions championed by Rep. Kleczka closing the so-called credit header loophole. Under an egregious 1994 decision of the Federal Trade Commission, credit reporting agencies (credit bureaus) have developed a thriving business selling Social Security Numbers without consumer consent. While a recent federal court decision upholding the Gramm-Leach-Bliley Act privacy regulations has narrowed the credit header loophole, [6] more needs to be done (see below).

In the 107th Congress, meritorious proposals include HR 1478 (Kleczka), HR 220 (Paul) and S 324 (Shelby) to protect Social Security Numbers. Among other Social Security Number bills with positive features in the 106th Congress was a proposal by Rep. Markey (HR 4611).

Unfortunately, the most prominent 2000 Senate proposal to ostensibly protect Social Security Numbers actually would have expanded commercial availability of Social Security Numbers. Originally intended to serve as a legacy for Amy Boyer, the first known victim of an Internet stalker, the Amy Boyer Law, as very nearly enacted into law, [7] was actually a Trojan Horse [8] and would have expanded commercial loopholes for obtaining Social Security Numbers, failed to protect Social Security Numbers on public documents and also would have preempted stronger state privacy laws.

We are, however, pleased that the Amy Boyer Law’s chief sponsor, Senator Gregg, is working on a stronger bill this year. However, we believe that your stricter HR 4857 anti-coercion provision is a better approach than the weaker anti-coercion language in the 2001 proposal by Sens. Feinstein and Gregg, S. 848, which includes broad “credit check” exceptions that swallow its nominal anti-coercion rule. Any time the Congress determines that an exception is needed, it should more narrowly define the exception—in this case, for example, reference should be made to obtaining a credit report under the Fair Credit Reporting Act. [9] In addition, although its business-to-business exceptions are more narrowly construed than the Amy Boyer Law’s and also subject to a rulemaking, S. 848 still retains the weak, pro-information broker structure of the Amy Boyer Law’s “professional and commercial” user business exceptions, rather than closing the credit header loophole.

We hope we can work with you, your staff, and the committee to ensure that any final legislation includes the strongest protections and the fewest exceptions possible to the use of Social Security Numbers for any purposes not associated with the Social Security Act. If the committee believes it is necessary to extend any exceptions at all allowing continued non-statutory collection of Social Security Numbers by the private sector, which has unfortunately come to depend on the Social Security Number as a crutch, then the committee should include technology-forcing time limits on private uses so that firms are forced to develop more accurate alternatives that do not pose the secondary use problems of continued use of the Social Security Number, which was originally intended only for Social Security and certain tax purposes.

(2) What Are Fair Information Practices?

A government report, produced by the Advisory Committee on Automated Personal Data Systems created by the U.S. Department of Health, Education, and Welfare in 1973, considered government use of social security numbers and issued the following recommendations [10] :

First, uses of the SSN should be limited to those necessary for carrying out requirements imposed by the Federal government.

Second, Federal agencies and departments should not require or promote use of the SSN except to the extent that they have a specific legislative mandate from the Congress to do so.

Third, the Congress should be sparing in mandating use of the SSN, and should do so only after full and careful consideration preceded by well advertised hearings that elicit substantial public participation.  Such consideration should weigh carefully the pros and cons of any proposed use, and should pay particular attention to whether effective safeguards have been applied to the automated personal data systems that would be affected by the proposed use of the SSN.

Fourth, when the SSN is used in instances that do not conform to the three foregoing principles, no individual should be coerced into providing his SSN, nor should his SSN be used without his consent.

Fifth, an individual should be fully and fairly informed and of his rights and responsibilities relative to uses of the SSN, including the right to disclose his SSN whenever he deems it in his interest to do so.

More broadly, that report developed the concept of Fair Information Practices, which apply to any use of personal information on consumers or citizens. Collecting information for one purpose (Social Security) and using it for another (government sector matching, private sector locator services, etc.) without the individual data subject’s consent violates those Fair Information Practices. The Fair Information Practices were incorporated in the Privacy Act of 1974 (for government uses) and articulated internationally in the 1980 Organization of Economic Cooperation and Development (OECD) Guidelines. Information use should be subject to Fair Information Practices that limit information collection, guarantee its integrity, security and accuracy and provide for the following consumer rights: notice, consent, access, correction, liability for violations. [11]

Fair Information Practices are discussed in numerous contexts in the Congress today. Unfortunately, many industry-supported bills and nearly all industry “studies” seek to dumb-down the comprehensive Fair Information Practices to unacceptable levels.

Notice is not enough. Nor is “notice and choice,” especially when choice means the virtually meaningless right to opt-out, rather than the right to expressly consent, or opt-in. Consumers and citizens are both entitled to and need the full panoply of rights and protections proposed by the 1973 committee, especially as recordkeepers develop new, unanticipated secondary uses, and newer, more powerful mechanisms for collecting, slicing and dicing data.

(3) What Is The Credit Header Loophole That Allows Easy Availability Of Social Security Numbers?

In 1994, the Federal Trade Commission granted an exemption to the definition of credit report when it modified a consent decree with TRW (now Experian). The FTC said that certain information would not be regulated under the Fair Credit Reporting Act. The so-called credit header loophole allowed credit bureaus to separate a consumer’s so-called header or identifying information from the balance of an otherwise strictly regulated credit report and sell it to anyone for any purpose.

Credit headers include information ostensibly not bearing on creditworthiness and therefore not part of the information collected or sold as a consumer credit report. The sale of credit headers involves stripping a consumer’s name, address, Social Security Number and date of birth from the remainder of his credit report and selling it outside of the FCRA’s consumer protections. Although the information, marketing and locater industries contend that header information is derived from numerous other sources, in reality, the best source of credit header data is likely financial institution information, which is updated regularly.

Two recent court decisions have narrowed, but not closed, the credit header loophole. In March 2000, the FTC had banned target marketing from credit reports and also held that dates of birth are credit-related information and removed them from headers. That decision was upheld on 13 April 01 by the U.S. Court of Appeals for the DC Circuit in a strong victory for privacy protection, since it also upheld the constitutionality of the Fair Credit Reporting Act. [12]

The final Gramm-Leach-Bliley financial privacy rules issued later that spring by the FTC and 5 other federal financial agencies defined Social Security Numbers as non-public personal information. That decision was upheld on summary judgment on 30 April 01 by U.S. District Court Judge Ellen Huvelle.

The result of the district court’s strong ruling, if upheld, is that credit bureaus cannot share credit header information (including Social Security Numbers) obtained from financial institutions, since the financial institutions have failed to provide consumers with notice of this information sharing practice and the right to opt-out of nonaffiliated third party sharing, as required by the Gramm-Leach-Bliley regulations. However, once banks and other financial institutions modify their defective privacy notices to describe this sharing, the protection will then only apply to consumers who exercise their right to opt-out.

While this is a very strong, pro-privacy decision, we believe that it still makes sense for the Congress to enact legislation closing the credit header loophole by statute. Even if Gramm-Leach-Bliley continues to be upheld, ultimately, consumers would have to exercise their modest opt-out rights to gain protections they should have by law. For example, HR 1478 (Kleczka) would re-define all sensitive information, including Social Security Numbers, held in credit report files to be protected by the Fair Credit Reporting Act as part of credit reports “except the name, address, and telephone number of the consumer if listed in a residential telephone directory available in the locality of the consumer.”

(4) Why Isn’t Voluntary Self-Regulation Good Enough?

In 1997, the credit bureaus and several of the firms that traffic in the credit headers that the credit bureaus sell formed a so-called “self-regulatory” association known as the Individual References Services Group. The organization says its “principles impose significant restrictions on the access and distribution of non-public information, such as non-financial identifying information in a credit report. For example, Social Security numbers obtained from non-public sources may not be displayed to the general public on the Internet by IRSG companies.” [13] (How does IRSG protect Social Security Numbers obtained from other than “non-public sources?”)

Despite these nominal voluntary rules, U.S. PIRG, the Privacy Rights Clearinghouse, other advocates, reporters, and identity thieves and stalkers have found that SSNs can still be purchased from websites. We strongly support closing the credit header loophole because, even if the IRSG’s voluntary rules were effective in halting the sale of SSNs to the general public, it is easy to use a “pretext” to obtain SSNs from one of the many sites on the Internet that purports to only sell it to qualified requestors.

We also support Congressional review of the adequacy of the IRSG’s self-regulatory system. While the FTC encouraged the formation of the IRSG in 1997, it said at the time that the IRSG Principles did not meet all Fair Information Practices. The FTC also said that the IRSG must make public a “Summary” of the results of “third-party assessments,” or audits, of its members. To our knowledge, while the IRSG provided the FTC in 1999 with what we believe to be a highly unsatisfactory letter [14] stating that the assessments were completed, no summaries have ever been made public.

Unfortunately, the 106th Congress Amy Boyer Law and several 107th Congress proposals include private sector business-to-business loopholes allowing “professional and commercial” users continued access to Social Security Numbers. The Amy Boyer Law would have even expanded the access now allowed, under IRSG’s own weak voluntary operating rules.

To stave off legislation four years ago, IRSG proposed to FTC a set of principles its members are required to operate by. Under one principle, so-called “professional and commercial users” can use Social Security numbers, but only if displayed in truncated form. Here is the provision: [15]

B. Commercial and Professional Distribution of Non-Public Information: Individual reference services, when they limit the non-public information content of their products or services as set forth below, may distribute such products or services only to established professional and commercial users who use the information in the normal course and scope of their business or profession and the use is appropriate for such activities.

1. non-public information products or services distributed pursuant to this subsection shall not include:

a. Information that reflects credit history, financial history, medical records, mother's maiden name identified as such, or similar information;

b. Certain information like social security number and birth information unless truncated in an appropriate and industry consistent manner.

Yet, the Amy Boyer Law included specific language exempting "professional and commercial users," exactly the phrase from IRSG. These firms—including private detectives, Internet information brokers, debt collectors and skip tracers, would appear to gain a new right to use full untruncated Social Security Numbers under law, even though their own trade association had previously apparently limited them to truncated uses, to protect consumer privacy. In some states private detectives are not regulated at all, in most other states, private detectives are under-regulated at best.

(5) What Does It Mean To Be An Identity Theft Victim?

In our view, the mere fact that Social Security Numbers were never intended as a national identifier yet are being routinely used in the private sector for secondary purposes without consent is adequate reason for the committee to act. Yet, the Social Security Number is also the key to a consumer’s financial identity. Easy access to Social Security Numbers aids identity thieves and stalkers.

Just as one of the other witnesses has demonstrated today, I, along with other consumer and privacy advocates, have often used pretexts to demonstrate how easy it is to obtain Social Security Numbers from on-line information broker websites, despite supposed limitations on disclosure to unauthorized persons claimed by the sites. While identity thieves can also obtain social security numbers from other sources, such as drivers’ licenses in some states, student IDs, and medical records, why go to the trouble when you can log onto the Internet?

The committee has heard today from several identity theft victims. The committee has also heard from experts about how easy it is to buy Social Security Numbers. This winter, stories about identity theft victim Tiger Woods were prevalent. In March, newspaper stories reported on how sloppy financial industry security practices enabled a high-school dropout working as a busboy to steal the identities of numerous celebrities:

Using computers in a local library, a Brooklyn busboy pulled off the largest identity-theft in Internet history, victimizing more than 200 of the "Richest People in America" listed in Forbes magazine, authorities say. Abraham Abdallah, 32, a pudgy, convicted swindler and high-school dropout, is suspected of stealing millions of dollars as he cunningly used the Web to invade the personal financial lives of celebrities, billionaires and corporate executives, law enforcement sources told The Post. [16]

In May 2000, California PIRG and the Privacy Rights Clearinghouse released a report [17] summarizing the results of a survey of victims. We found that identity theft victims had labored 2-4 years or more to rid themselves of an average of $18,000 in fraudulent accounts. However, worse than cleaning up the financial mess is the enormous time commitment victims spend cleaning up their lives:

Respondents spent an average of 175 hours actively trying to resolve problems caused by the theft of their identity. The victims reported missing several days or weeks of work to put their lives back together, and two people even reported losing their jobs due to the time devoted to identity theft resolution.   A victim from California felt that resolving her problem was "nearly a full-time job." Robin, a victim from Los Angeles, explains, "One bill -- just ONE BILL -- can take 6-8 hours to clear up after calling the 800 numbers, waiting on hold, and dealing with ignorant customer representatives." She concludes, "The current system is not created for actual assistance, it is created to perpetuate the illusion of assistance." [18]

Recently, the Federal Trade Commission published a detailed report summarizing identity theft complaints to the agency since passage of 1998 legislation requiring it to establish a database and clearinghouse.  Highlights of the report [19] , which covers the period from November 1999 through March 2001, are the following:

·         The volume of calls to our Hotline has grown dramatically. In November 1999, the Hotline answered about 445 calls per week. By March 2001, the Hotline was answering over 2,000 calls per week.

·         Taken together, the information in the Clearinghouse Database shows that identity theft has a devastating affect on consumers’ lives. Most consumers have no idea how this happened to them and do not discover their personal information has been misused for more than a year, and sometimes as long as five years.

·         Victims must spend significant amounts of time contacting creditors and credit reporting agencies in order to repair the damage done to their credit histories. In the meantime, they are often unable to obtain credit and financial services, telecommunication and utility services, and sometimes employment. Wages may be garnished, or tax refunds withheld, due to the bad debts or other penalties levied in their names.

·         Where the identity thief has created a criminal record in the victim’s name, consumers report having driving and other licenses revoked, failing background checks for employment and other purposes, and even being arrested and detained.

·         The difficulties victims experience as a result of identity theft are of great concern to the FTC.

(6) Who Else Wants Your Social Security Number? Stalkers.

As the Christian Science Monitor and Nando News explained last year:

So you think your private information is relatively safe? Think again. For a mere $49, someone can hop on the Internet, give a company your name, wait a few days, and bingo: up pops your Social Security number. Want someone's bank account balance? That costs $45. An unpublished telephone number? $59. [20]

The reporter in that story wasn’t writing about the “white-collar” crime of identity theft, however. Actually, the story was about the brutal stalker murder of Amy Boyer in New Hampshire. As the story explains:

Her killer, a man obsessed with her since 10th grade, left evidence that he tracked her down through the online personal-data service Docusearch.com.

On his own Web site, Liam Youens detailed his plans for killing Boyer, including how he found her: "I found an internet site to do that, and to my surprize everything else under the Sun. Most importantly: her current employment. It's accually obsene what you can find out about a person on the internet." After shooting Boyer, Youens turned the gun on himself.

Stunned that such information could be purchased by anyone, Boyer's parents, Tim and Helen Remsburg, recently filed a suit against Docusearch.com. They also testified before a Senate subcommittee about the killing. [21]

(7) What Other Actions Would Protect Social Security Numbers From Misuse?

Using the Social Security Number as a employment ID, medical ID, college student ID or motor vehicle ID leads to identity theft or other problems. As noted above, last year Congress made permanent the 1999 Shelby amendment expanding consumer privacy rights in information held by state motor vehicle departments. The committee has heard testimony today about the widespread use of Social Security Numbers as student identification and as a health record identifier. These uses should be phased out, by enactment of trigger-based, sunset regulation prohibiting the use of Social Security Numbers in the private sector after a certain time.

Conclusion

While the U.S. has a strong history of privacy protection, our statutory privacy protections are a patchwork—what industry prefers to call a “sector-by-sector” approach. Yet, whatever the merits, if there ever were any, of the industry-prescribed sector-by-sector approach, it is rapidly obsolescing as industry sectors converge. The names of the videos you rent are better protected than your not-so-confidential bank account balances, credit card records and medical history. U.S. PIRG strongly supports enactment of over-arching privacy legislation that requires all businesses to protect consumer and customer information under laws based on Fair Information Practices and gives consumers enforceable rights if their personal information is misused.

The basic structure of information privacy law is to place responsibilities on organizations that collect personal data and to give rights to individuals that give up their data. This is sensible for many reasons, including the fact that it is the entity in possession of the data that controls its subsequent use. Information privacy law also promotes transparency by making data practices more open to scrutiny and encourages the development of innovative technical approaches. [22]

We want to thank you, Mr. Chairman, for the opportunity to present our views on the need for strong privacy protections to protect Social Security Numbers from misuse. We look forward to working with you on this and other matters to guarantee the privacy of American citizens. Restricting the widespread availability of Social Security Numbers is one of the most important solutions to the identity theft epidemic.



[1] Senator Shelby’s 2000 amendments to the Driver’s Privacy Protection Act were incorporated as Section 309 of the Transportation Appropriations bill (PL 106-346) signed by the President 23 October 2000. The amendment requires states to obtain express consent of drivers before the sharing or selling of a driver’s “highly sensitive personal information,” including Social Security Number, photograph, image, or medical or disability information. In 1999, Shelby had incorporated these provisions into law as part of the Appropriations bill, but only for one year, while the 2000 amendment amends the DPPA itself. In 2000, the Supreme Court upheld the constitutionality of the DPPA in Reno vs. Condon.

[2] Ideally, such a bill would also narrow many of the government use exceptions that have been established over the years allowing the Social Security Number to be used as an identifier and matching element for secondary purposes unrelated to Social Security.

[3] Privacy Act of 1974, Public Law 93-579.

[4] See the Privacy Journal website for more information. Smith’s latest book is “Ben Franklin's Web Site: Privacy And Curiosity From Plymouth Rock To The Internet” <http://www.townonline.com/specials/privacy/>

[5] The Social Security Number Privacy And Identity Theft Protection Act of 2000, House Report 106-996, 24 October 2000.

[6] Individual Reference Services Group, Inc., and Trans Union LLC v. FTC (District of the District of Columbia) Civil Action 00-1828, 30 April 01, granting summary judgment to the Federal Trade Commission on all counts and dismissing plaintiffs’ complaints with prejudice.

[7] The Amy Boyer Law, introduced as S. 2554, (Gregg), was incorporated as Section 626 into the Commerce-Justice-State Appropriations (HR 4690 RS) and passed into law as Section 635 of HR 5548, which was included in HR 4492 as sent to the President, but then was rescinded on the same day by language reversing its effect included in the Conference Report on HR 4577, the Consolidated Appropriations Act, (Labor-HHS Approps). Section 213 of HR 4577 amends HR 5548 by deleting a number of sections of HR 5548.  Section 213(a)(6) of HR 4577 strikes the Amy Boyer Law (Section 635 of HR 5548). See page H12261 of the Congressional Record for 15 Dec 00.

[8] See the U.S. PIRG Fact Sheet, “Why The Amy Boyer Law Is A Trojan Horse” at <http://www.pirg.org/consumer/trojanhorseboyer.pdf>

[9] As another example, the law enforcement exception in S 848 makes collection of delinquent child support a “law enforcement” purpose. Does that extend the exception to allow any private firm collecting child support to take advantage of the exception? It appears to do so, despite well-documented circumstances where some private child support collection firms have abused debt collection laws. Last year, a controversial proposal originally included as Title III in HR 4469 (Nancy Johnson) before the Ways and Means Committee would have extended child support enforcement to private firms but did not become law. See “Problems At Child Support, Inc., Business, Complaints Increase For Specialized Collection Firms” 18 May 2000, Washington Post, Caroline E. Mayer and Jacqueline Salmon.

[10] Records, Computers, and the Rights of Citizens, Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Department of Health, Education & Welfare, (1973) 124. (emphasis theirs)

[11] Noted privacy expert Beth Givens of the Privacy Rights Clearinghouse has compiled an excellent review of the development of FIPs, “A Review of the Fair Information Principles: The Foundation of Privacy Public Policy.” October 1997. <http://www.privacyrights.org/AR/fairinfo.html>

[12] At the time, Equifax voluntarily agreed to stop target marketing from credit reports. Trans Union, on the other hand, refused, and then led the FTC through eight years of litigation, while it continued to use credit reports to generate target marketing lists in defiance of the FTC. On 1 March 2000, the FTC again ordered Trans Union to stop, although it agreed to stay the ruling while Trans Union appealed yet again. <http://www.ftc.gov/opa/2000/03/transunion.htm> Last month, in rejecting Trans Union’s constitutional arguments in that appeal, the U.S. Court of Appeals said “Contrary to the company's assertions, we have no doubt that this interest--protecting the privacy of consumer credit information--is substantial.” United States Court of Appeals For The District Of Columbia Circuit, 13 April 2001, No. 00-114, Trans Union Corporation v. Federal Trade Commission, On Petition for Review of an Order of the Federal Trade Commission.

[13]   See http://www.irsg.org

[14] See Letter from IRSG’s Ron Plesser to FTC, 28 April 1999, <http://www.irsg.org/html/letter_to_the_ftc.htm>

[15] < http://www.irsg.org/html/industry_principles_principles.htm>

[16] See New York Post, 20 March 2001, “HOW NYPD CRACKED THE ULTIMATE CYBERFRAUD “

<http://dailynews.yahoo.com/htx/nypost/20010319/lo/how_nypd_cracked_the_ultimate_cyberfraud_1.html>

[17] “Nowhere To Turn,” Benner, Givens and Mierzwinski, CALPIRG and Privacy Rights Clearinghouse, 1 May 2000. See <http://www.pirg.org/calpirg/consumer/privacy/idtheft2000/>. We have released two previous reports on identity theft "Theft of Identity: The Consumer X-Files", CALPIRG and US PIRG, 1996 and "Theft of Identity II: Return to the Consumer X-Files", CALPIRG and US PIRG, 1997, as well as four reports on errors by credit reporting agencies since 1991, most recently “Mistakes Do Happen,” 1998.

[18] See “Nowhere To Turn,” <http://www.pirg.org/calpirg/consumer/privacy/idtheft2000/>

[19] See Figures and Trends On Identity Theft November 1999 through March 2001 Federal Trade Commission <http://www.consumer.gov/idtheft/reports/rep-mar01.pdf>  Also see accompanying charts.  According to the FTC identity theft complaint summary, “The FTC’s Identity Theft program, established pursuant to the Identity Theft and Assumption Deterrence Act, Pub. L. No. 105-318, 112 Stat. 3007 (1998)(codified at 18 U.S.C. § 1028)(the “ID Theft Act”), assists consumers who are, or are concerned about becoming, identity theft victims.”

[20] “Suit alleges online privacy breach had deadly consequences” By KRIS AXTMAN, The Christian Science Monitor  (May 9, 2000 1:34 a.m. EDT http://www.nandotimes.com)

[21] ibid.

[22] See the “Privacy Law Sourcebook, 2000: United States Law, International Law and Recent Developments,” by Marc Rotenberg, Electronic Privacy Information Center, for a comparision of all important privacy laws.