Topic:
FRAUD; CRIME; PRIVACY LAW;
Location:
PRIVACY;

OLR Research Report


August 9, 2004

 

2004-R-0641

IDENTITY THEFT

By: Sandra Norman-Eady, Chief Attorney

You asked for information on identity theft, including how it is being addressed in Connecticut and whether a single state has emerged as a leader in addressing this issue.

SUMMARY

“Identity theft”, a relatively new term, is a type of fraud. While most states have had fraud statutes for a long time, state identity theft statutes are still evolving, often as enhanced or amended fraud statutes.

To date, Connecticut and at least 46 other states have laws addressing identity theft, which generally occurs when one person, without authorization, uses another person's personally identifying information for an illegal purpose. Identity theft is a class B, C, or D felony in Connecticut, depending on the value of the goods or services involved. It is also a crime in Connecticut to give, sell, or otherwise transfer another person's personal identifying information. In addition to criminal penalties, Connecticut law allows victims of identity theft to bring civil actions for damages against their offenders.

Connecticut actions to prevent identity theft include a uniform privacy policy for personal information collected by most state and local agencies and the regulated use and release of Social Security and credit and debit card numbers. Connecticut also has established procedures for reporting and processing identity theft crimes. Other preventive measures not discussed in this report include insurance and medical records privacy or security laws.

Generally, states have taken various but similar approaches to identity theft; with no one state appearing as a leader. However, Washington's attorney general states that its identity theft law served as a model for the federal identity theft law. Under Washington's identity theft law (RCW 9.35.010 et seq.), it is a crime for anyone to (1) improperly obtain, cause to be disclosed, or attempt to cause to be disclosed another person's financial information; or (2) knowingly obtain, possess, use, or transfer another person's identifying or financial information to commit or aid or abet any crime. It also prohibits anyone from using another person's identification or financial information to solicit undesired mail with the intent to harass, annoy, or embarrass that person. We have attached a copy of Washington's identity theft law for your information.

The federal Identity Theft and Assumption Act of 1998 (18 USCA 1028 et seq.), which became effective October 30, 1998 makes identity theft a federal crime with penalties up to 15 years imprisonment and a maximum fine of $250,000. It allows identity theft victims to seek restitution if there is a conviction. It requires the Federal Trade Commission (FTC) to act as a central clearinghouse for identity theft complaints, referrals, and resources.

Despite state efforts, the latest FTC statistics show that over 500,000 consumers filed fraud and identity theft complaints with that agency last year alleging in losses of over $400 million. These statistics show that Connecticut ranked 18th and 23rd, respectively, among the 50 states in the number of fraud complaints and identity theft victims per 100,000 unit of population. Connecticut consumers filed 3,368 fraud and 1,913 identity theft complaints with the FTC from January 1 through December 31, 2003.

CONNECTICUT'S IDENTITY THEFT LAWS

Crimes

A person commits third-degree identity theft when he intentionally obtains, without permission, another person's personal identifying information and uses it to illegally obtain or attempt to obtain money, credit, goods, services, property, or medical information. Third-degree identity theft is a class D felony, punishable by up to five years imprisonment, a $2,000 fine, or both (CGS 53a-129a, as amended by PA 03-156). “Personal identifying information” includes any name, number, or other information that may be used, alone or with any other information, to identify a specific individual. Specifically, it includes a person's date of birth; employer or taxpayer identification, alien registration, government passport, health insurance identification, or debit card number; or unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation. Under prior law, personal identifying information was limited to a driver's license, Social Security, employee identification, demand deposit, savings account, or credit card number; or someone's mother's maiden name.

It is (1) second-degree identity theft, a class C felony, to commit identity theft involving money, credit, goods, property, or services valued at over $5,000 and (2) first-degree identity theft, a class B felony, if the value is over $10,000. A class C felony is punishable by up to 10 years imprisonment, a $10,000 fine, or both. A class B felony is punishable by up to 20 years imprisonment, a $15,000 fine, or both.

It is a class D felony for anyone to sell, give, or otherwise transfer another person's personal identifying information to a third person knowing that the (1) information was obtained without the owner's authorization and (2) third person intends to use it for an unlawful purpose (PA 03-156).

Identity Theft Reporting and Processing

People who believe that they are identity theft victims may file complaints with the law enforcement agency in the town where they live. The agency must accept the complaint, prepare a police report, give the complainant a copy of the report, and investigate the allegation and any other related violations. Where necessary, the agency must coordinate investigations with other law enforcement agencies.

The alleged identity theft offenders must be arraigned in the Superior Court for the geographical area where the victim lives rather than the area where either the crime was allegedly committed or the arrest was made.

Credit Protection for Identity Theft Victims

People who believe that they are identity theft victims can ask most credit rating agencies to block and not report information appearing on their credit reports as a result of the crime. Within 30 days after receiving the request, the agency must stop reporting any information that resulted from the crime. The agency must also promptly notify the person or business that furnished the information of the police report and the effective date of the block.

A credit rating agency may decline to block or rescind a block if it has a good faith belief that the consumer (1) misrepresented the facts in the request for a block; (2) agrees that information, or portions of it, was blocked in error; (3) knew or should have known that he received goods, services, or money as a result of blocked transactions; (4) knew of, or participated in, fraud to get the information blocked; or (5) lied about being a crime victim. The agency must give consumers prompt written notice of their decision not to block or to rescind a block on information.

Credit rating agencies that willfully violate the blocking provision or prohibition against reporting credit information resulting from identity theft are subject to the same graduated penalty that they face for (1) failing to disclose to consumers, upon request, information in their credit report or (2) improperly charging them for the information. The penalty is up to a $100 fine for a first offense, up to $500 fine for a second, and up to a $1,000 fine or six-month prison term for each subsequent offense.

Civil Action for Damages

Victims of identity theft have two years from the date the violation is discovered or reasonably should have been discovered to bring a civil action for damages against the offender in Superior Court. Courts must award prevailing plaintiffs the greatest of $1,000 or treble damages, costs, and reasonable attorney's fees (CGS 51-571h, as amended by PA 03-156).

Prohibition Against Account Numbers on Receipts

Beginning January 1, 2005, the law prohibits individuals and businesses, other than the state or its political subdivisions, that accept credit or debit cards from printing more than the last five digits of the cards' account numbers or expiration dates on consumers' receipts. The prohibition applies only to electronic receipts and not to transactions solely recorded by handwriting or by imprinting the card.

The penalty for willful violations is up to a $100 fine for the first offense, up to a $500 fine for a second offense, and up to a $1,000 fine or six months in prison for each subsequent offense (PA 03-156).

Prohibition Against Publicly Disclosing Social Security Numbers

With certain exceptions, the law prohibits individuals and businesses from publicly disclosing Social Security numbers. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes.

Beginning January 1, 2005, the law prohibits any person, firm, corporation, or other entity, other than the state or its political subdivisions, from:

1. intentionally communicating or otherwise making available to the general public an individual's Social Security number;

2. printing anyone's Social Security number on any card that the person must use to access the person or entity's products or services;

3. requiring anyone to transmit his Social Security number over the Internet, unless the connection is secure or the number is encrypted; or

4. requiring anyone to use his Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.

The prohibition against publicly disclosing Social Security numbers does not apply to certain individual and group health insurance policies delivered, issued for delivery, renewed, or continued on and after July 1, 2005. The affected policies cover (1) basic hospital, (2) basic medical-surgical, (3) major medical expenses, (4) accident only, (5) limited benefit, and (6) hospital and medical expenses paid by HMOs.

The penalty for willful violations is up to a $100 fine for the first offense, up to a $500 fine for a second offense, and up to a $1,000 fine or six months in prison for each subsequent offense (PA 03-156).

Personal Data Act

The act requires each state or municipal board, commission, department, or officer, except town or regional boards of education, that maintains a collection of records containing personal data to:

1. keep a record of everyone who has obtained access to or to whom disclosure has been made of personal data and the reason for each disclosure or access for at least five years;

2. make this record available upon request;

3. maintain only that information about a person that is relevant and necessary for the agency to accomplish its lawful purpose;

4. inform an individual who makes a written request whether the agency maintains personal data concerning him;

5. disclose to anyone who so requests all personal data concerning him that the agency maintains; and

6. establish procedures that allow a person to contest the accuracy, completeness, or relevancy of his personal data; allow personal data to be corrected when the agency concurs with the proposed correction; and allow a person who believes that the agency maintains inaccurate or incomplete personal data concerning him to add a statement to the record setting forth what he believes to be an accurate or complete version of that personal data (CGS 4-193).

“Personal data” means any information about a person's education, finances, medical or emotional condition or history, employment or business history, family or personal relationships, reputation or character, which because of name, identifying number, mark, or description can be readily associated with a particular person (CGS 4-190 (9)).

If an agency determines that disclosing a person's medical, psychiatric, or psychological data directly to him would be detrimental, the agency may refuse to disclose that personal data and advise the requestor of his right to seek judicial relief. Any agency that refuses to disclose personal data on this ground must permit a qualified doctor to review it to determine if it should be disclosed. If the doctor recommends disclosure, the agency must disclose it. If he recommends nondisclosure, the agency must not disclose it and must inform the requestor of his right to seek judicial relief (CGS 4-194).

Anyone aggrieved by an agency's decision not to disclose his personal data to him may petition the Superior Court for the judicial district in which he resides for an order requiring the agency to disclose it. The petition must be filed within 30 days of the date of the refusal. The court must issue the requested order unless it determines that disclosure would be detrimental to the person or otherwise prohibited by law (CGS 4-195).

Each agency maintaining personal data must have regulations describing the nature and purpose of its personal data system, the categories of personal and other data kept in the system, the agency's procedures regarding personal data maintenance, and how the agency intends to use the information (CSG 4-196).

Any agency that violates the act is subject to an action for injunctive relief, a declaratory judgment, or a mandamus or civil action for damages. The action may be brought in the Hartford-New Britain Superior Court. In all actions, except a civil action for damages, prosecution may be brought in the name of the state. Anyone who prevails in an action against an agency is entitled to court costs and reasonable attorney's fees (CGS 4-197).

IDENTITY THEFT STATISTICS

The FTC published National and State Trends in Fraud and Identity Theft January-December 2003 on January 22, 2004. This report shows how states ranked in the number of fraud and identity theft complaints filed with the FTC in 2003. The ranking is based on the number of complaints per 100,000 unit of state residents as determined by the 2003 U.S. census. With 3,368 fraud complaints filed (96.7 per 100,000) Connecticut ranked 18th among the states with the most complaints. A report of 1,913 identity thefts complaints (54.9 per 100,000) caused Connecticut to rank 23rd among the states with the most complaints.

Table 1 shows the most frequent types of identity theft reported to the FTC by Connecticut residents in 2003.

Table 1: Identity Theft Types Reported by Connecticut Victims

Types

Number of Victims

Percentage*

Credit Card Fraud

713

37%

Telephone or Utilities Fraud

459

24

Bank Fraud

234

12

Employment-Related Fraud

142

7

Loan Fraud

132

7

Government Documents or Benefits Fraud

116

6

Other

367

19

Attempted Identity Theft

168

9

*Percentages add up to more than 100 because approximately 18% of Connecticut victims reported experiencing more than one type of identity theft.

Table 2 shows the top five Connecticut cities where identity theft victims resided at the time the complaints in Table 1 were reported.

Table 2: Top Identity Theft Connecticut Locations

Victim City

Number of Victims

Hartford

152

New Haven

92

Bridgeport

86

Stamford

54

Waterbury

54

SN-E:ro