
General Assembly
File No. 126
February Session, 2008
Senate, March 25, 2008
The Committee on General Law reported through SEN. COLAPIETRO of the 31st Dist., Chairperson of the Committee on the part of the Senate, that the substitute bill ought to pass.
AN ACT CONCERNING CONSUMER PRIVACY AND IDENTITY THEFT.
Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. Section 53a-129a of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2008):
(a) A person commits identity theft when such person [intentionally obtains personal identifying information of another person without the authorization of such other person and] knowingly uses [that] personal identifying information of another person to obtain or attempt to obtain, money, credit, goods, services, property or medical information in the name of such other person without the consent of such other person.
(b) As used in this section, "personal identifying information" means any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual including, but not limited to, such individual's name, date of birth, mother's maiden name, motor vehicle operator's license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.
Sec. 2. Section 53a-130 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2008):
(a) A person is guilty of criminal impersonation when [he] such person: (1) Impersonates another and does an act in such assumed character with intent to obtain a benefit or to injure or defraud another; or (2) pretends to be a representative of some person or organization and does an act in such pretended capacity with intent to obtain a benefit or to injure or defraud another; or (3) pretends to be a public servant other than a sworn member of an organized local police department or the Division of State Police within the Department of Public Safety, or wears or displays without authority any uniform, badge or shield by which such public servant is lawfully distinguished, with intent to induce another to submit to such pretended official authority or otherwise to act in reliance upon that pretense.
(b) Criminal impersonation is a class [B] A misdemeanor.
Sec. 3. (NEW) (Effective October 1, 2008) (a) A person is guilty of unlawful possession of personal information access devices when such person possesses access devices, document-making equipment or authentication implements for the purpose of obtaining, tampering with or using the personal identifying information, as defined in section 53a-129a of the general statutes, as amended by this act, of another person.
(b) For the purposes of this section, "access devices" includes any card, plate, code, account number, mobile identification number, personal identification number, telecommunication service access equipment, card-reading device, scanning device, reencoder or other means that could be used to access financial resources or obtain financial information, personal identifying information or benefits of another person.
(c) Unlawful possession of access devices is a class A misdemeanor.
Sec. 4. (NEW) (Effective October 1, 2008) (a) Any license, registration or certificate issued by the state or any political subdivision of the state that was based upon an application containing any material false statement is void from the date of issuance and shall be surrendered, on demand, to the issuing authority. Any moneys paid for such license, registration or certificate shall be forfeited to the issuing authority.
(b) No person shall obtain or attempt to obtain any license, registration or certificate for another person by misrepresentation or impersonation, and any license, registration or certificate obtained by misrepresentation or impersonation is void from the date of issuance and shall be surrendered, on demand, to the issuing authority. Any moneys paid for such license, registration or certificate shall be forfeited to the issuing authority.
(c) Any person who violates any provision of this section shall be guilty of a class A misdemeanor.
Sec. 5. Section 52-571h of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2008):
(a) Any person aggrieved by an act constituting a violation of section 53a-129a of the general statutes, revision of 1958, revised to January 1, 2003, or section 53a-129b, 53a-129c, [or] 53a-129d or 53a-129e may bring a civil action in the Superior Court for damages against the person who committed the violation.
(b) In any civil action brought under this section in which the plaintiff prevails, the court shall award the greater of one thousand dollars or treble damages, together with costs and a reasonable attorney's fee. Damages shall include, but not be limited to, documented lost wages and any financial loss suffered by the plaintiff as a result of identity theft, as defined in section 53a-129a, as amended by this act. The court shall issue an order that the person found guilty of identity theft shall pay restitution to the prevailing party.
(c) No action under this section shall be brought but within [two] three years from the date when the violation is discovered or in the exercise of reasonable care should have been discovered.
Sec. 6. Section 54-93a of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2008):
Whenever a person is convicted of a violation of section 53a-129a of the general statutes, revision of 1958, revised to January 1, 2003, or section 53a-129b, 53a-129c, [or] 53a-129d [,] or 53a-129e the court [may] shall issue such orders as are necessary to correct a public record that contains false information as a result of such violation.
Sec. 7. Subsection (e) of section 54-1d of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2008):
(e) Any defendant who is charged with a violation of section 53a-129a of the general statutes, revision of 1958, revised to January 1, 2003, or section 53a-129b, 53a-129c, [or] 53a-129d or 53a-129e and any defendant who is charged with any other offense committed as a result of such violation may be presented to the court in the geographical area in which the person whose personal identifying information has been obtained and used by the defendant resides and may be prosecuted in that judicial district or geographical area.
Sec. 8. (NEW) (Effective October 1, 2008) (a) An employer may maintain a list of employees' Social Security numbers, provided such numbers may not be disclosed in any way, except as required by law, without the written consent of the employee.
(b) Notwithstanding any other provision of law, no business entity or nonprofit group may sell or share an individual's personal identifying information, as defined in section 53a-129a of the general statutes, as amended by this act, with any third party without obtaining the consent of the individual whose information is to be shared.
(c) This section shall not be construed to prohibit a discount card issuer from requesting a Social Security number for a retailer discount card that can also be used as identification for check cashing purposes or to debit the checking or savings account of the cardholder, provided no discount card issuer may, as a condition of obtaining a retailer discount card, require a cardholder to obtain a retailer discount card that can also be used as identification for check cashing purposes or to debit the checking or savings account of the cardholder.
(d) Nothing in this section shall be construed to prohibit a business entity or nonprofit group from providing an individual's name and address to a third party for purposes of mailing information to the individual on behalf of the business entity or nonprofit group. Prior to sharing an individual's name and address, the business entity or nonprofit group shall obtain a written confidentiality agreement from the third party that the third party will not sell or share the information with any other entity. Such third party shall not use the information for any other purpose.
(e) Any employer, business entity or nonprofit group in possession of personal identifying information shall safeguard the data, computer files and documents containing the data from misuse by third parties, and any document, computer file or database containing personal identifying information shall be destroyed or erased prior to disposal.
(f) Any employer, business entity or nonprofit group that collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published in any employee handbook used by such employer, business entity or nonprofit group or displayed in an accessible and prominent location controlled by such employer, business entity or nonprofit group. Such policy shall: (1) Ensure confidentiality of personal identifying information, (2) prohibit unlawful disclosure of personal identifying information, (3) limit access to personal identifying information, (4) provide for proper disposal of documents containing personal identifying information, and (5) establish penalties for violation of the policy.
(g) Any waiver of the provisions of this section shall be contrary to public policy and shall be void and unenforceable.
(h) A violation of this section shall constitute an unfair or deceptive trade practice pursuant to section 42-110b of the general statutes.
(i) The Commissioner of Consumer Protection may adopt regulations, in accordance with the provisions of chapter 54 of the general statutes, to carry out the provisions of this section.
Sec. 9. (NEW) (Effective October 1, 2008) (a) Any license, registration or certificate issued by the state, or any political subdivision of the state, that is physically altered to conceal or misrepresent a material fact is void from the date of such alteration and shall be surrendered, on demand, to the issuing authority. Any moneys paid for such license, registration or certificate shall be forfeited to the issuing authority.
(b) No person shall alter any license, registration or certificate issued by the state, or any political subdivision of the state, and any license, registration or certificate so altered shall be void from the date of alteration and shall be surrendered, on demand, to the issuing authority. Any moneys paid for such license, registration or certificate shall be forfeited to the issuing authority.
(c) Any person who violates any provision of this section shall be guilty of a class A misdemeanor.
Sec. 10. Section 54-36h of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2008):
(a) The following property shall be subject to forfeiture to the state pursuant to subsection (b) of this section:
(1) All moneys used, or intended for use, in the procurement, manufacture, compounding, processing, delivery or distribution of any controlled substance, as defined in subdivision (9) of section 21a-240;
(2) All property constituting the proceeds obtained, directly or indirectly, from any sale or exchange of any such controlled substance in violation of section 21a-277 or 21a-278 of the 2008 supplement to the general statutes;
(3) All property derived from the proceeds obtained, directly or indirectly, from any sale or exchange for pecuniary gain of any such controlled substance in violation of section 21a-277 or 21a-278 of the 2008 supplement to the general statutes;
(4) All property used or intended for use, in any manner or part, to commit or facilitate the commission of a violation for pecuniary gain of section 21a-277 or 21a-278 of the 2008 supplement to the general statutes;
(5) All property constituting, or derived from, the proceeds obtained, directly or indirectly, by a corporation as a result of a violation of section 53a-276, 53a-277 or 53a-278;
(6) All property constituting, or derived from, the proceeds obtained, directly or indirectly, by a person as a result of a violation of section 53a-129b, 53a-129c, 53a-129d or 53a-129e.
(b) Not later than ninety days after the seizure of moneys or property subject to forfeiture pursuant to subsection (a) of this section, in connection with a lawful criminal arrest or a lawful search, the Chief State's Attorney or a deputy chief state's attorney, state's attorney or assistant or deputy assistant state's attorney may petition the court in the nature of a proceeding in rem to order forfeiture of said moneys or property. Such proceeding shall be deemed a civil suit in equity, in which the state shall have the burden of proving all material facts by clear and convincing evidence. The court shall identify the owner of said moneys or property and any other person as appears to have an interest therein, and order the state to give notice to such owner and any interested person by certified or registered mail, and shall promptly, but not less than two weeks after notice, hold a hearing on the petition. No testimony offered or evidence produced by such owner or interested person at such hearing and no evidence discovered as a result of or otherwise derived from such testimony or evidence, may be used against such owner or interested person in any proceeding, except that no such owner or interested person shall be immune from prosecution for perjury or contempt committed while giving such testimony or producing such evidence. At such hearing the court shall hear evidence and make findings of fact and enter conclusions of law and shall issue a final order, from which the parties shall have such right of appeal as from a decree in equity.
(c) No property shall be forfeited under this section to the extent of the interest of an owner or lienholder by reason of any act or omission committed by another person if such owner or lienholder did not know and could not have reasonably known that such property was being used or was intended to be used in, or was derived from, criminal activity.
(d) Notwithstanding the provisions of subsection (a) of this section, no moneys or property used or intended to be used by the owner thereof to pay legitimate attorney's fees in connection with his defense in a criminal prosecution shall be subject to forfeiture under this section.
(e) Any property ordered forfeited pursuant to subsection (b) of this section shall be sold at public auction conducted by the Commissioner of Administrative Services or his designee.
(f) The proceeds from any sale of property under subsection (e) of this section and any moneys forfeited under this section shall be applied: (1) To payment of the balance due on any lien preserved by the court in the forfeiture proceedings; (2) to payment of any costs incurred for the storage, maintenance, security and forfeiture of such property; and (3) to payment of court costs. The balance, if any, shall be deposited in the drug assets forfeiture revolving account established under section 54-36i, except that any balance attributable to a sale of property in connection with a prosecution for a violation of section 53a-129a, as amended by this act, or 53a-130, as amended by this act, or section 3, 4 or 9 of this act, shall be deposited in the consumer protection enforcement account established under section 21a-8a.
Sec. 11. Section 36a-40 of the general statutes is repealed and the following is substituted in lieu thereof (Effective from passage):
(a) The commissioner may, by regulation adopted in accordance with chapter 54, prescribe periods of time for the retention of records of any Connecticut bank or Connecticut credit union. Records which have been retained for the period so prescribed may thereafter be destroyed, and no liability shall thereby accrue against the Connecticut bank or Connecticut credit union destroying them. In any cause or proceeding in which any such records may be called in question or be demanded of any such bank or credit union or any officer or employee thereof, a showing that the period so prescribed has elapsed shall be sufficient excuse for failure to produce them.
(b) Each bank, branch in this state of an out-of-state bank, Connecticut credit union, federal credit union and branch in this state of an out-of-state credit union shall take adequate measures to protect against identity theft when disposing of documents containing personal identifying information such as Social Security numbers and bank account numbers. Such measures shall, at a minimum, include the shredding or other means of permanent destruction of such documents in a secure setting.
Sec. 12. (NEW) (Effective from passage) As used in sections 12 to 21, inclusive, of this act:
(1) "Personal identifying information" means an individual's Social Security number, date of birth or age;
(2) "Individual" means a resident of this state; and
(3) "Commissioner" means the Commissioner of Consumer Protection.
Sec. 13. (NEW) (Effective from passage) (a) Except as otherwise provided by law, on and after January 1, 2009, no person or entity may:
(1) Intentionally communicate or otherwise make an individual's personal identifying information available to the general public or make such information available in return for a fee;
(2) Print an individual's personal identifying information on any card required for the individual to receive products or services provided by the person or entity;
(3) Require the transmission of an individual's personal identifying information over the Internet unless the connection is secure or the personal identifying information is encrypted;
(4) Require the use of an individual's personal identifying information to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the site;
(5) Print a number that the person or entity knows to be an individual's personal identifying information on any materials that are mailed to the individual, unless state or federal law requires the personal identifying information to be on the document to be mailed, except that this section shall not prohibit the mailing of documents that include personal identifying information sent as part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of the personal identifying information. In a transaction involving or otherwise relating to an individual, if a person or entity receives a number from a third party, this section shall not impose any duty on such person or entity to inquire or otherwise determine if the number is or includes any of such individual's personal identifying information. Such person or entity may print such number on materials that are mailed to the individual unless the person or entity that received the number has actual knowledge that the number is or includes the individual's personal identifying information. This section shall not prohibit the mailing to the individual of any copy or reproduction of a document that includes personal identifying information if the personal identifying information was included on the original document before January 1, 2009; or
(6) Mail any document which allows personal identifying information to be visible without opening the envelope.
(b) Notwithstanding subsection (a) of this section, a person or entity that, before January 1, 2009, used an individual's personal identifying information in a manner inconsistent with said subsection (a) may continue using such individual's personal identifying information in such manner on and after January 1, 2009, subject to the following conditions:
(1) The use of the personal identifying information shall be continuous. If the use is stopped for any reason, subsection (a) of this section shall apply;
(2) After January 1, 2009, the person or entity shall provide the individual with an annual written disclosure of the individual's right to stop the use of the personal identifying information in a manner prohibited by subsection (a) of this section;
(3) If the individual requests, in writing or by electronic means established by the person or entity, such person or entity shall cease using the personal identifying information in a manner prohibited by subsection (a) of this section not later than thirty days after receiving the request. No fee may be charged for implementing such request and the person or entity shall not deny services to the individual because of the request; and
(4) A person or entity shall be subject to a civil penalty of not more than five hundred dollars for each act that violates this subsection. Such penalty shall be deposited into the privacy protection guaranty and enforcement account, pursuant to section 18 of this act.
(c) This section shall not prohibit the collection, use or release of personal identifying information as required by the laws of this state or the United States.
(d) On and after January 1, 2010, this state or any political subdivision of this state may not use an individual's personal identifying information, other than such individual's date of birth, on forms of identification issued by the state or any of its political subdivisions.
(e) This section shall not prohibit an agency of this state or a political subdivision of this state from disseminating or using the last four numbers constituting an individual's Social Security number.
(f) No agency of this state or any political subdivision of this state may transmit to an individual any material that contains both a piece of the individual's Social Security number and a bank, savings and loan association or credit union account number, except that this subsection shall not prohibit the transmitting of documents that include Social Security and bank, savings and loan association or credit union account numbers as a part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of the Social Security, bank, savings and loan association or credit union account number.
(g) Except as otherwise provided by law, documents or records that are recorded with the state or any political subdivision of the state and made available on the recording entity's public web site after the effective date of this section shall not contain more than five numbers that are reasonably identifiable as being part of an individual's Social Security number and shall not contain an individual's: (1) Credit card, charge card or debit card numbers; (2) retirement account numbers; (3) savings, checking or securities entitlement account numbers; or (4) date of birth or age of the individual.
(h) No agency of the state or any of its political subdivisions shall be subject to civil liability for any action relating to information recorded pursuant to subsection (g) of this section.
(i) A person or entity shall be subject to a civil penalty of not more than five hundred dollars for each act of recording that violates subsection (g) of this section. Such penalty shall not apply to a person or entity that transmits the document for recording but has no authority for the creation of the document.
(j) The Attorney General, at the request of the Commissioner of Consumer Protection, may apply to the Superior Court for an order temporarily or permanently restraining and enjoining any person or entity from violating any provision of this section.
Sec. 14. (NEW) (Effective from passage) Sections 12 to 21, inclusive, of this act shall not apply to:
(1) The use of personal identifying information by the Department of Revenue Services or by a law enforcement agency of this state or a law enforcement agency of a municipality or other political subdivision of this state, except that these agencies shall comply with the provisions of subdivisions (2), (5) and (6) of subsection (a) of section 13 of this act;
(2) The use of personal identifying information by an agency or political subdivision of this state in its administration of employee payroll, employee benefits and workers' compensation matters, except that the agency shall comply with subdivisions (1), (2), (4), (5) and (6) of subsection (a) of section 13 of this act;
(3) Documents or records that are required to be recorded pursuant to the laws of this state or by court rule or order, including, but not limited to, certificates for births, weddings or deaths;
(4) An individual's personal identifying information that is printed or caused to be printed on a document or form of identification by the individual or said individual's legal guardian;
(5) The use of personal identifying information by the administrator, as defined in subsection (c) of section 31-222 of the general statutes, or any person deemed to be a party, pursuant to chapter 567 of the general statutes, on documents or records related to an unemployment compensation claim, except that the administrator or any person deemed to be a party shall comply with subdivisions (1) to (4), inclusive, and (6) of subsection (a) of section 13 of this act;
(6) The use of personal identifying information by the Workers' Compensation Commission, established under section 31-276 of the 2008 supplement to the general statutes, or an intervenor or party, as defined in section 4-166 of the general statutes, on documents or records related to a workers' compensation claim, except that the Workers' Compensation Commission or the intervenor or party shall comply with subdivisions (1) to (4), inclusive, and (6) of subsection (a) of section 13 of this act; and
(7) The use of personal identifying information, if the person whose information is being used, or, if the person is a minor, such person's parent or legal guardian, has given permission for its use.
Sec. 15. (NEW) (Effective from passage) (a) A person or entity that knowingly or intentionally violates any provision of sections 12 to 21, inclusive, of this act, shall be subject to a civil penalty of one hundred dollars for each violation.
(b) All civil penalties received pursuant to this section shall be deposited in the privacy protection guaranty and enforcement account, pursuant to section 18 of this act.
(c) Violations of sections 12 to 21, inclusive, of this act shall be deemed an unfair or deceptive trade practice, as defined in chapter 735a of the general statutes.
Sec. 16. (NEW) (Effective from passage) (a) The commissioner may conduct investigations and hold hearings on any matter under the provisions of sections 12 to 21, inclusive, of this act. The commissioner may issue subpoenas, administer oaths, compel testimony and order the production of books, records and documents. If any person refuses to appear, to testify or to produce any book, record, paper or document when so ordered, upon application of the commissioner, the Superior Court may make such order, as may be appropriate, to aid in the enforcement of this section.
(b) The Attorney General, at the request of the commissioner, may apply to the Superior Court for an order temporarily or permanently restraining and enjoining any person from violating any provision of sections 12 to 21, inclusive, of this act.
Sec. 17. (NEW) (Effective from passage) (a) There is established a "privacy protection guaranty and enforcement account" which shall be a nonlapsing account within the General Fund. The account may contain any moneys required by law to be deposited in the account. Any balance remaining in the account at the end of any fiscal year shall be carried forward in the account for the fiscal year next succeeding. The account shall be used by the Commissioner of Consumer Protection (1) for the reimbursement of losses sustained by individuals injured by a violation of the provisions of sections 12 to 21, inclusive, of this act related to the release, posting or distribution of personal identifying information, as defined in section 1 of this act, and (2) for the enforcement of sections 12 to 21, inclusive, of this act.
(b) Payments received pursuant to sections 12 to 21, inclusive, of this act shall be credited to the privacy protection guaranty and enforcement account until the balance in said account equals seven hundred fifty thousand dollars. Quarterly, if said account has an excess, such excess amount shall be deposited into the General Fund. Any money in the privacy protection guaranty and enforcement account may be invested or reinvested and any interest arising from such investments shall be credited to the account.
(c) If, at any time, the money deposited in the privacy protection guaranty and enforcement account is insufficient to satisfy any duly authorized claim or portion thereof, the commissioner shall, when sufficient money has been deposited in the account, satisfy such unpaid claims or portions thereof, in the order that such claims or portions thereof were originally filed.
(d) Whenever an individual obtains a court judgment against any person or entity for a violation of sections 12 to 21, inclusive, of this act, such individual may, upon the final determination of, or expiration of time for, appeal in connection with any such judgment, and apply to the commissioner for an order directing payment out of said privacy protection guaranty and enforcement account of the amount unpaid upon the judgment for actual damages and costs taxed by the court against the person or entity, exclusive of punitive damages. The application shall be made on forms provided by the commissioner and shall be accompanied by a certified copy of the court judgment obtained against the person or entity, together with a notarized affidavit, signed and sworn to by the individual, affirming that the individual: (1) Has complied with all the requirements of this subsection; (2) has obtained a judgment stating the amount thereof and the amount owing thereon at the date of application; and (3) has caused to be issued a writ of execution upon said judgment, and the officer executing the same has made a return showing that no bank accounts or real property of the person or entity liable to be levied upon in satisfaction of the judgment could be found, or that the amount realized on the sale of them or of such of them as were found, under the execution, was insufficient to satisfy the actual damage portion of the judgment or stating the amount realized and the balance remaining due on the judgment after application thereon of the amount realized, except that the requirements of this subdivision shall not apply to a judgment obtained by the individual in small claims court. A true and attested copy of said executing officer's return, when required, shall be attached to such application and affidavit. 
No application for an order directing payment out of the account shall be made later than three years from the final determination of, or expiration time for, appeal of said court judgment.
(e) Upon receipt of said application together with said certified copy of the court judgment, notarized affidavit and true and attested copy of the executing officer's return, the commissioner or the commissioner's designee shall inspect such documents for their veracity and upon a determination that such documents are complete and authentic, and a determination that the individual has not been paid, the commissioner shall order payment out of the account of the amount unpaid upon the judgment for actual damages and costs taxed by the court against the person or entity, exclusive of punitive damages.
(f) Whenever an individual is awarded an order of restitution against any person or entity for loss or damages sustained by reason of a violation of this act, in a proceeding brought by the commissioner pursuant to sections 12 to 21, inclusive, of this act, or in a proceeding brought by the Attorney General, such individual may, upon the final determination of, or expiration of time for, appeal in connection with any such order of restitution, apply to the commissioner for an order directing payment out of the account of the amount unpaid upon the order of restitution. The commissioner may issue said order upon a determination that the individual has not been paid.
(g) Before the commissioner shall issue any order directing payment out of the account to an individual pursuant to subsection (e) or (f) of this section, the commissioner shall first notify the person or entity of the individual's application for an order directing payment out of the account and of the person or entity's right to a hearing to contest the disbursement in the event that the person or entity has already paid the individual. Such notice shall be given to the person or entity within fifteen days of the receipt by the commissioner of the individual's application for an order directing payment out of the guaranty account. If the person or entity requests a hearing in writing by certified mail within fifteen days of receipt of the notice from the commissioner, the commissioner shall grant such request and shall conduct a hearing in accordance with the provisions of chapter 54 of the general statutes. If the commissioner receives no written request by certified mail from the person or entity for a hearing within fifteen days of the person's or entity's receipt of such notice, the commissioner shall determine that the individual has not been paid, and the commissioner shall issue an order directing payment out of the account for the amount unpaid upon the judgment for actual damages and costs taxed by the court against the person or entity, exclusive of punitive damages, or for the amount unpaid upon the order of restitution.
(h) The commissioner or the commissioner's designee may proceed against any person or entity for an order of restitution arising from loss or damages sustained by any individual by reason of such person's or entity's violation of any of the provisions of this section. Any such proceeding shall be held in accordance with the provisions of chapter 54 of the general statutes. In the course of such proceeding, the commissioner or the commissioner's designee shall decide whether to order restitution arising from said loss or damages, and whether to order payment out of the guaranty account. Notwithstanding the provisions of chapter 54 of the general statutes, the decision of the commissioner or the commissioner's designee shall be final with respect to any proceeding to order payment out of the guaranty account and the commissioner and the commissioner's designee are exempted from the requirements of chapter 54 of the general statutes as they relate to appeal from any such decision. The commissioner or the commissioner's designee may hear complaints of all individuals submitting claims against a single person or entity in one proceeding.
(i) No application for an order directing payment out of the account shall be made later than three years from the final determination of, or expiration of time for, appeal in connection with any judgment or order of restitution.
(j) Whenever the individual satisfies the commissioner or the commissioner's designee that it is not practicable to comply with the requirements of subdivision (3) of subsection (d) of this section and that the individual has taken all reasonable steps to collect the amount of the judgment or the unsatisfied part thereof and has been unable to collect the same, the commissioner or the commissioner's designee may, in the commissioner's or the commissioner's designee discretion, dispense with the necessity for complying with such requirement.
(k) In order to preserve the integrity of the account, the commissioner, in the commissioner's sole discretion, may order payment out of said account of an amount less than the actual loss or damages incurred by the individual or less than the order of restitution awarded by the commissioner or the Superior Court. In no event shall any payment out of said account be in excess of five thousand dollars for any single claim by an individual.
(l) If the money deposited in the guaranty account is insufficient to satisfy any duly authorized claim or portion thereof, the commissioner shall, when sufficient money has been deposited in the account, satisfy such unpaid claims or portions thereof, in the order that such claims or portions thereof were originally determined.
(m) When the commissioner has caused any sum to be paid from the guaranty account to an individual, the commissioner shall be subrogated to all of the rights of the individual up to the amount paid plus reasonable interest, and prior to receipt of any payment from the guaranty account, the individual shall assign all of this right, title and interest in the claim up to such amount to the commissioner, and any amount and interest recovered by the commissioner on the claim shall be deposited in the guaranty account.
(n) If the commissioner orders the payment of any amount as a result of a claim against any party, the commissioner shall determine if the person or entity is possessed of assets liable to be sold or applied in satisfaction of the claim on the account. If the commissioner discovers any such assets, the Attorney General shall take any action necessary for the reimbursement of the account.
(o) If the commissioner orders the payment of an amount as a result of a claim against any party, the commissioner may enter into an agreement with the party whereby the party agrees to repay the account in full in the form of periodic payments over a set period of time.
Sec. 18. (NEW) (Effective from passage) Any person filing with the commissioner any notice, statement or other document, required under the provisions of sections 12 to 21, inclusive, of this act which is false or untrue or contains any material misstatement of fact shall be fined not less than two hundred dollars. All fines received pursuant to this section shall be deposited in the privacy protection guaranty and enforcement account.
Sec. 19. (NEW) (Effective from passage) Any person aggrieved by any decision, order or regulation of the commissioner pursuant to sections 12 to 21, inclusive, of this act may appeal in accordance with the provisions of the Uniform Administrative Procedure Act and chapter 54 of the general statutes.
Sec. 20. (NEW) (Effective from passage) The Commissioner of Consumer Protection may adopt regulations, in accordance with the provisions of chapter 54 of the general statutes, to carry out the provisions of sections 12 to 19, inclusive, of this act.
Sec. 21. (NEW) (Effective from passage) No provision of this act shall be construed to prevent any person from obtaining personal identifying information, except such information contained in personal telephone records, if such person is attempting to enforce the provisions of sections 53a-122 to 53a-125, inclusive, 53a-125b, 53-142c or 29-128f of the general statutes or of 17 USC Sections 501 to 513, inclusive, or 1201 to 1204, inclusive, or 18 USC Section 2319A or 2319B.
This act shall take effect as follows and shall amend the following sections:
Section 1 | October 1, 2008 | 53a-129a
Sec. 2 | October 1, 2008 | 53a-130
Sec. 3 | October 1, 2008 | New section
Sec. 4 | October 1, 2008 | New section
Sec. 5 | October 1, 2008 | 52-571h
Sec. 6 | October 1, 2008 | 54-93a
Sec. 7 | October 1, 2008 | 54-1d(e)
Sec. 8 | October 1, 2008 | New section
Sec. 9 | October 1, 2008 | New section
Sec. 10 | October 1, 2008 | 54-36h
Sec. 11 | from passage | 36a-40
Sec. 12 | from passage | New section
Sec. 13 | from passage | New section
Sec. 14 | from passage | New section
Sec. 15 | from passage | New section
Sec. 16 | from passage | New section
Sec. 17 | from passage | New section
Sec. 18 | from passage | New section
Sec. 19 | from passage | New section
Sec. 20 | from passage | New section
Sec. 21 | from passage | New section
GL | Joint Favorable Subst.
The following fiscal impact statement and bill analysis are prepared for the benefit of members of the General Assembly, solely for the purpose of information, summarization, and explanation, and do not represent the intent of the General Assembly or either chamber thereof for any purpose:
OFA Fiscal Note
Agency Affected | Fund-Effect | FY 09 $ | FY 10 $
Judicial Dept. | GF - Revenue Gain | Minimal | Minimal
Judicial Department (Probation); Correction, Dept. | GF - Cost | Significant | Significant
Consumer Protection, Dept. | GF - Cost | Potential | Potential
Note: GF=General Fund
Explanation
Section 2 increases the penalty that may be imposed on any person convicted of criminal impersonation.1 This change would result in a significant state cost for incarceration and probation supervision since approximately 300 people are convicted of this crime annually. On average, it costs the state $3,736 to supervise an offender on probation in the community as compared to $44,165 to incarcerate the offender. Any revenue gain from fines is anticipated to be minimal.
Sections 3, 4 and 9 establish new crimes related to identity theft. To the extent that these changes increase the likelihood that offenders would be prosecuted or receive harsher penalties, a potential revenue gain from criminal fines and potential cost for incarceration and/or probation supervision in the community exist. It is anticipated that relatively few fines would be imposed on an annual basis, and, consequently, any revenue gain under the bill is expected to be minimal.
The bill results in a potential cost to the Department of Consumer Protection (DCP) should identity theft crimes continue to increase. Any new costs would be associated with the increased need for investigations and hearings as required under the bill.
The Out Years
The annualized costs identified above would continue into the future subject to inflation. The annualized, ongoing revenue from criminal fines would remain relatively constant into the future since criminal fine amounts are set by statute.
OLR Bill Analysis
sSB 30
AN ACT CONCERNING CONSUMER PRIVACY AND IDENTITY THEFT.
SUMMARY:
This bill makes numerous changes in laws relating to identity theft, Social Security numbers, and restricting the dissemination of personal identifying information.
It changes the criminal law by making the definition of “identity theft” broader, increases the penalty for criminal impersonation, and creates the crime of unlawful possession of personal access devices. The law already makes it a crime to possess skimmers and reencoders under certain circumstances.
It makes void any state- or municipal-issued credential (1) obtained by making a material false statement or (2) physically altered to misrepresent a material fact.
It allows a victim of identity theft to sue for damages if the perpetrator was found guilty of trafficking in personal identifying information. Victims can already sue for damages if the perpetrator was found guilty of identity theft. The bill extends the statute of limitations for these suits from two to three years.
The bill requires, rather than allows, courts to issue orders to correct public records whenever a person is convicted of identity theft.
It allows perpetrators to be prosecuted in the area where the victim lives.
It prohibits employers from disclosing an employee's Social Security number without the employee's written consent, with certain exceptions. The law already prohibits anyone from intentionally communicating or otherwise making an individual's Social Security number available to the general public.
It makes property gained from committing identity theft subject to forfeiture and requires proceeds from its disposition to be deposited in the Department of Consumer Protection's (DCP) Consumer Protection Enforcement Account to pay for enforcing the laws relating to the professions and trades it regulates.
It requires banks and credit unions to take adequate measures to protect against identity theft when disposing of documents containing personal identifying information.
The bill creates another definition of “personal identifying information” (an individual's Social Security number, age, or birth date) and restricts how it may be disseminated. It restricts how state agencies and political subdivisions may use an individual's personal identifying information.
The bill creates a Privacy Protection Enforcement Account to reimburse individuals hurt by violations of the bill's provisions on the dissemination of personal identifying information. It is funded with fines imposed on those who violate them.
EFFECTIVE DATE: October 1, 2008, except for the provisions restricting the dissemination of personal identifying information, establishing the Privacy Protection Guaranty and Enforcement Account, and concerning banks and credit unions, which are effective on passage.
§ 1 — IDENTITY THEFT
The bill redefines “identity theft” by eliminating the requirement that personal identifying information be obtained without permission. Under the bill, a person commits identity theft when he knowingly uses another's personal identifying information to obtain or attempt to obtain money, credit, goods, services, property, or medical information. Under current law, a person commits identity theft when he intentionally obtains, without permission, another person's personal identifying information and uses it to illegally obtain or attempt to obtain money, credit, goods, services, property, or medical information. A violator commits a class D, C, or B felony, depending on the amount involved (see BACKGROUND for penalties).
By law, “personal identifying information” for this purpose includes any name, number, or other information that may be used, alone or with any other information, to identify a specific individual. It specifies that the information includes a person's name; birth date; mother's maiden name; motor vehicle operator, Social Security, employee identification, employer identification, taxpayer identification, alien registration, government passport, health insurance identification, demand deposit account, savings account, credit or debit card number; or unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation.
§ 2 — CRIMINAL IMPERSONATION
The bill increases the penalty for committing criminal impersonation from a class B misdemeanor to a class A misdemeanor (see BACKGROUND for penalties). By law, a person commits criminal impersonation when he:
1. impersonates another and acts in the assumed character with intent to obtain a benefit or to injure or defraud another;
2. pretends to represent a person or organization and acts in the pretended capacity with intent to obtain a benefit or to injure or defraud another; or
3. pretends to be a public servant, other than pretending to be a police officer (which is another crime), with intent to induce another to submit to, or act in reliance on, the pretended authority.
§ 3 — UNLAWFUL POSSESSION OF PERSONAL INFORMATION ACCESS DEVICES
The bill creates the crime of unlawful possession of “personal information access devices.” A person is guilty of committing it when he possesses access devices, document-making equipment, and authentication implements to obtain, tamper with, or use another's personal identifying information. The law already prohibits possession of a scanning device or reencoder under circumstances manifesting an intent to use it to commit identity theft (see BACKGROUND for Scanning Devices and Reencoders).
For this purpose, “access devices” include a card, plate, code, account number, mobile identification number, personal identification number, telecommunication service access equipment, card-reading device, scanning device, reencoder or other means that could be used to access financial resources or obtain financial information, personal identifying information, or another person's benefits.
A violator commits a class A misdemeanor (see BACKGROUND for penalty).
§ 4 — CREDENTIALS OBTAINED WITH FALSE INFORMATION
The bill prohibits obtaining or attempting to obtain a license, registration, or certificate of another by misrepresentation or impersonation. It makes any state- or municipal-issued license, registration, or certificate that was based upon an application containing a material false statement void. In both circumstances, it makes a license, registration, or certificate obtained in this manner void from the date of issue and requires it to be surrendered, on demand, to the issuing authority. The bill makes any money paid for such license, registration, or certificate forfeited to the issuing authority.
A violator commits a class A misdemeanor (see BACKGROUND for penalty).
§ 5 — CIVIL ACTION FOR DAMAGES, TRAFFICKING IN PERSONAL IDENTIFYING INFORMATION, AND STATUTE OF LIMITATIONS
By law, victims of identity theft can bring a civil action for damages against their offender in Superior Court. The bill also allows civil actions for damages if the offender was guilty of trafficking in personal identifying information. The law requires courts to award prevailing plaintiffs the greater of $1,000 or triple damages, costs, and reasonable attorney's fees. The bill specifies that damages include documented lost wages and any financial loss suffered by the plaintiff as a result of identity theft. Further, it requires the court to order that the violator pay restitution.
The bill extends the two-year statute of limitations to three years. By law, the limitation period starts from the date the violation is discovered or reasonably should have been discovered.
§ 6 — CORRECTING PUBLIC RECORDS
The law allows a court to issue orders necessary to correct a public record that contains false information due to identity theft whenever a person is convicted of identity theft. The bill requires, rather than allows, the court to issue orders to correct a public record and makes the requirement also apply to convictions of trafficking in personal identifying information.
§ 7 — VENUE
The law allows alleged identity theft offenders to be presented in the Superior Court for the geographical area where the victim lives rather than the area where the crime was allegedly committed. The bill specifies that the alleged violator may also be prosecuted in that judicial district or geographical area. It also makes the requirement apply to prosecutions for trafficking in personal identifying information.
§ 8 — SOCIAL SECURITY NUMBERS, SHARING PERSONAL IDENTIFYING INFORMATION, AND SAFEGUARDING DATA
The bill specifically allows an employer to keep a list of employees' Social Security numbers, but prohibits them from being disclosed, except as required by law, without the employee's written consent. This provision is in addition to the current law prohibiting disclosure of Social Security numbers that applies to individuals and businesses (see BACKGROUND).
The bill prohibits, notwithstanding any other law, a business entity or nonprofit group from selling to, or sharing with, a third party an individual's personal identifying information (as defined in criminal law and described above in § 1) without obtaining consent.
Exceptions
The bill states that it must not be construed to prohibit a discount card issuer from requesting a Social Security number for a retailer discount card that can also be used (1) as identification for check cashing purposes or (2) to debit the cardholder's checking or savings account. But the issuer cannot condition the receipt of a retailer discount card on its being used in these two ways.
The bill also states that it must not be construed to prohibit a business entity or nonprofit group from providing an individual's name and address to a third party for purposes of mailing information to the individual on behalf of the business entity or nonprofit group. But it requires the business entity or nonprofit group, prior to sharing an individual's name and address, to obtain a written confidentiality agreement from the third party stating that it will not sell or share the information with any other entity. The bill prohibits the third party from using the information for any other purpose.
Safeguarding Data
The bill requires an employer, business entity, and nonprofit groups that have personal identifying information in their possession to safeguard the data, computer files, and documents containing it from misuse by third parties. Any document, computer file, or database containing personal identifying information must be destroyed or erased prior to disposal.
The bill requires an employer, business entity, or nonprofit group that collects Social Security numbers as a business practice to create a privacy protection policy and publish it as part of an employee handbook or display it in an accessible and prominent location. The policy must:
1. ensure confidentiality of personal identifying information,
2. prohibit its unlawful disclosure,
3. limit access to it,
4. provide for proper disposal of documents containing it, and
5. establish penalties for violation of the policy.
Enforcement and Implementation
The bill makes a waiver of its provisions on Social Security numbers, sharing personal identifying information, and safeguarding data contrary to public policy (1) void and unenforceable and (2) an unfair trade practice (see BACKGROUND on CUTPA).
It authorizes the DCP commissioner to adopt implementing regulations.
§ 9 — ALTERED CREDENTIALS
The bill (1) makes a state- or municipal-issued license, registration, or certificate that is physically altered to conceal or misrepresent a material fact void from the date of alteration and (2) prohibits such alteration. In both circumstances, the bill requires the credential to be surrendered on demand to the issuing authority. The bill makes any money paid for the credential forfeited to the issuing authority.
A violator commits a class A misdemeanor (see BACKGROUND for penalty).
§ 10 — FORFEITURE OF PROCEEDS OF IDENTITY THEFT
The bill subjects to forfeiture all proceeds, or property derived from the proceeds, obtained, directly or indirectly, from identity theft, trafficking in personal identifying information, and unlawful possession of personal information access devices.
The law establishes procedures for hearings to handle the proceeds from the sale of forfeited property. The proceeds must be used to pay, in order: (1) preserved liens; (2) storage, maintenance, security, and forfeiture costs; and (3) court costs. The bill requires balances from the sale of property made in connection with a prosecution for identity theft (see COMMENT), criminal impersonation, unlawful possession of personal information access devices, making a material misstatement to obtain a state or municipal credential, and altering a state or municipal credential to be deposited in the Consumer Protection Enforcement Account (see BACKGROUND).
§ 11 — BANKS AND CREDIT UNIONS
The bill requires each bank, branch of an out-of-state bank, Connecticut credit union, federal credit union, and branch of an out-of-state credit union to take adequate measures to protect against identity theft when disposing of documents containing personal identifying information such as Social Security and bank account numbers. The measures must, at a minimum, include shredding or permanently destroying the documents in other ways in a secure setting.
§§ 12 & 13 — RESTRICTING THE DISSEMINATION OF PERSONAL IDENTIFYING INFORMATION
For this purpose, the bill defines “personal identifying information” as an individual's Social Security number, date of birth, or age. Starting on January 1, 2009, the bill prohibits:
1. intentionally communicating or otherwise making an individual's personal identifying information available to the general public or making it available for a fee;
2. printing an individual's personal identifying information on a card required for the individual to receive products or services;
3. requiring the transmission of an individual's personal identifying information over the Internet, unless the connection is secure or the personal identifying information is encrypted;
4. requiring the use of an individual's personal identifying information to access an Internet web site, unless a password, unique personal identification number, or other authentication device is also required to access the site;
5. printing a number known to be an individual's personal identifying information on material mailed to the individual, unless state or federal law requires it to be in the document. But the bill does not prohibit mailing documents that include personal identifying information sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the personal identifying information. In a transaction involving an individual, if a person receives a number from a third party, the bill does not impose any duty to inquire or otherwise determine if the number is or includes an individual's personal identifying information. The number may be printed on material mailed to the individual, unless the person that received the number has actual knowledge that the number is or includes the individual's personal identifying information. The bill states that it does not prohibit mailing a copy of a document that includes personal identifying information to the individual, if the personal identifying information was included in the original document before January 1, 2009; or
6. mailing any document which allows personal identifying information to be visible without opening the envelope.
These provisions are in addition to the current law prohibiting disclosure of Social Security numbers, § 8 of the bill, and except as provided by other law (see BACKGROUND on Restrictions on Disclosing Social Security numbers).
§ 13(b) — Continued Use of Personal Identifying Information
If a person or entity used an individual's personal identifying information before January 1, 2009 in a manner inconsistent with the above prohibitions, the bill allows it to continue using information in the same way, subject to the following:
1. the use of personal identifying information must be continuous;
2. after January 1, 2009, the person or entity must give the individual an annual written disclosure of his or her right to stop using the information that is otherwise prohibited by the bill; and
3. if the individual requests, in writing or electronically, the person or entity must stop using the information in a manner prohibited by the bill within 30 days after receiving the request. The person or entity may not charge a fee for implementing the request or deny services because of it.
Violators are subject to a civil penalty of up to $500 for each violation. The penalty must be deposited into the Privacy Protection Guaranty and Enforcement Account, which the bill establishes.
§ 13(c) — Relationship to Other Laws
The bill states that it does not prohibit the collection, use, or release of personal identifying information required by federal or other state laws.
§ 13(d) — State and Political Subdivision Forms of Identification
Beginning January 1, 2010, the bill prohibits state agencies and political subdivisions from using an individual's personal identifying information, other than date of birth, on forms of identification they issue.
§ 13(e) — State and Political Subdivision Use of Truncated Social Security Numbers
The bill provides that it does not prohibit a state agency or political subdivision from disseminating or using the last four numbers of an individual's Social Security number.
§ 13(f) — State and Political Subdivision Correspondence
The bill prohibits a state agency and its political subdivisions from sending to an individual material that includes both a part of the individual's Social Security number and a bank, savings and loan association, or credit union account number, except (1) as a part of an application or enrollment process; (2) to establish, amend, or terminate an account, contract, or policy; or (3) to confirm the accuracy of the Social Security, bank, savings and loan association, or credit union account number.
§ 13(g), (h), and (i) — State and Political Subdivision Web Sites, Immunity from Liability, and Enforcement
Except as otherwise provided by law, the bill provides that documents or records recorded with the state or a political subdivision and made available on the recording entity's public web site must not contain (1) more than five numbers reasonably identifiable as being part of an individual's Social Security number or (2) an individual's: (a) credit card, charge card, or debit card numbers; (b) retirement account numbers; (c) savings, checking, or securities entitlement account numbers; or (d) date of birth or age.
The bill states that state agencies and political subdivisions are not subject to civil liability for any action relating to information recorded under this provision.
The bill subjects a person or entity to a civil penalty of up to $500 for each act of recording that violates this provision. The penalty does not apply to a person or entity that transmits the document for recording but did not create it.
§ 13(j) — Court Enforcement
The bill authorizes the attorney general, at the request of the DCP commissioner, to apply to Superior Court for temporary or permanent restraining orders.
§ 14 — Exemptions
The bill exempts the following from its provisions restricting the dissemination of personal identifying information:
1. the use of personal identifying information by the Department of Revenue Services or a state, municipal, or other political subdivision law enforcement agency, except that these agencies must comply with the provisions concerning ID cards, mailed documents, and envelopes;
2. the use of personal identifying information by a state agency or political subdivision administering employee payroll, employee benefits, and workers' compensation matters, except that these agencies must comply with the provisions concerning sales of personal identifying information, ID cards, web site access, mailed documents and envelopes;
3. documents or records that state law or court rules or orders require to be recorded, including birth, marriage, or death certificates;
4. an individual's personal identifying information that is printed or caused to be printed on a document or form of identification by the individual or individual's legal guardian;
5. use of personal identifying information by the labor commissioner or a party under unemployment compensation law on documents or records related to an unemployment compensation claim, except that the commissioner and parties must comply with the provisions concerning sales of personal identifying information, ID cards, Internet transmissions, web site access, and envelopes;
6. the use of personal identifying information by the Workers' Compensation Commission, an intervenor, or party on documents or records related to a workers' compensation claim, except that the Workers' Compensation Commission, intervenor or party must comply with provisions concerning sales of personal identifying information, ID cards, Internet transmissions, web site access, and envelopes; and
7. the use of personal identifying information, if the person whose information is being used, or if the person is a minor, such person's parent or legal guardian, has given permission.
§15 — Penalties
The bill subjects a person or entity that knowingly or intentionally violates its provisions restricting the dissemination of personal identifying information to a civil penalty of $100 for each violation. Civil penalties must be deposited in the Privacy Protection Guaranty and Enforcement Account, which this bill establishes.
A violation is deemed to be an unfair trade practice (see BACKGROUND).
§16 — Enforcement
The bill authorizes the DCP commissioner to:
1. conduct investigations and hold hearings on any matter under the bill's provisions on the dissemination of personal identifying information and
2. issue subpoenas, administer oaths, compel testimony, and order the production of books, records, and documents.
If any person refuses to appear, testify, or produce documents when ordered, the bill authorizes the Superior Court, on the commissioner's application, to issue appropriate enforcement orders.
The bill authorizes the attorney general, at the commissioner's request, to apply to the Superior Court for temporary or permanent restraining orders.
§17 — PRIVACY PROTECTION GUARANTY AND ENFORCEMENT ACCOUNT
The bill establishes the “Privacy Protection Guaranty and Enforcement Account” as a nonlapsing account within the General Fund. It may contain any money the law requires to be deposited in it. Any balance remaining in it at the end of a fiscal year is carried forward for use in the next fiscal year.
The bill requires the DCP commissioner to use it to:
1. reimburse individuals hurt by violation of the bill's provisions on dissemination of personal identifying information that are related to the release, posting, or distribution of such information as defined by the law establishing the crime of identity theft; and
2. enforce the bill's provisions on restricting the dissemination of personal identifying information (see COMMENT).
§ 17(b) — Cap on Account Size
The bill requires payments to be credited to the account until the balance in the account equals $750,000. If the account has an excess, it must be deposited into the General Fund each quarter. The money in the account may be invested or reinvested and any interest earned by the investments must be credited to the account.
§ 17(c) — Account Shortfall
If the money in the account is insufficient to satisfy a claim, the bill requires the commissioner to pay unsatisfied claims when enough money has been deposited, in the order that such claims were filed (see COMMENT).
§ 17(d) — Applying for Payment
After someone hurt by a violation of the bill's restriction on disseminating personal identifying information has obtained a court judgment, the individual may apply to the commissioner for a payment from the account for the unpaid amount of the judgment for actual damages and costs, but not for punitive damages. The application must be made on DCP forms and be accompanied by a certified copy of the court judgment and a notarized, signed, and sworn affidavit affirming that the applicant has:
1. complied with all the application requirements;
2. obtained a judgment;
3. stated its amount and the amount still owed as of the application date; and
4. caused a writ of execution to be issued on the judgment, and the officer executing it has made a return showing (a) that it could not be satisfied, (b) that the amount recovered was not enough to satisfy the actual damage portion of the judgment, or (c) the amount realized and the balance remaining.
The bill also requires a true and attested copy of the executing officer's return, when required, to be attached to such application and affidavit. It does not require an applicant who obtained a judgment in small claims to fulfill these requirements.
Applications may be made after the final determination of, or expiration of time for, appeal in connection with a judgment. The bill requires applications to be made before three years have elapsed from the final determination of, or expiration of time for, appeal of the court judgment (see COMMENT).
§ 17(e) — Commissioner's Determination
The bill requires the commissioner or his designee to inspect the application and accompanying documents for veracity. Once he determines that they are complete and authentic and that the applicant has not been paid, he must pay the unpaid amount, other than punitive damages, from the account.
§ 17(f) — Orders of Restitution
The bill allows an individual awarded restitution for loss or damages sustained from a violation of the bill in a proceeding brought by the commissioner or the Attorney General, to apply for payment of the unpaid amount from the account. The commissioner may make the payment after determining that the individual has not been paid and the time for appeal has passed.
§ 17(g) — Violator's Right to a Hearing
The bill requires the commissioner, before making a payment from the account, to first notify the person or entity responsible for the damage caused by disseminating personal information of (1) the application for payment from the account and (2) the person or entity's right to a hearing to contest the disbursement if the person or entity has already paid the individual.
The bill requires the notice to be given within 15 days after the commissioner receives an application for payment from the account. If the person or entity requests a hearing in writing by certified mail within 15 days after receiving the commissioner's notice, the commissioner must conduct a hearing in accordance with the Uniform Administrative Procedure Act (UAPA). If the commissioner does not receive such a request by certified mail, he must determine that the individual has not been paid and make a payment from the account.
§ 17(h) — Restitution Hearing
The bill allows the commissioner or his designee to proceed for restitution from any person or entity for violating the bill's provision establishing the Privacy Protection Guaranty and Enforcement Account (see COMMENT). Proceedings must be held according to the UAPA. The bill requires the commissioner or designee to decide in the course of the hearing whether to order restitution and whether to order payment from the account.
Despite the UAPA, the decision of the commissioner or designee is final with respect to any proceeding to order payment from the account and the commissioner and designee are exempt from the UAPA's requirements relating to appeals. The bill allows the commissioner or designee to hear complaints of all individuals submitting claims against a single person or entity in one proceeding.
§ 17(i) — Deadline for Applying
The bill requires applications to be made before three years have elapsed from the final determination of, or expiration of time for, appeal of the court judgment (see Comment).
§ 17(j) — Exemption from Applicant's Duty to Satisfy Judgment
The bill allows the commissioner or his designee to dispense with the requirement that an applicant attempt to execute a judgment if the applicant satisfies the commissioner or designee that (1) it is not practicable, (2) the applicant has taken all reasonable steps to collect, and (3) the applicant has been unable to collect.
§ 17(k) — Payment Cap and Preserving the Account's Integrity
The bill establishes a $5,000 limit on payments from the account for any single claim by an individual.
It allows the commissioner, in his sole discretion, to pay less than the actual loss or damages or the amount of a court or DCP restitution order to preserve the integrity of the account. It requires the commissioner, when sufficient money has been deposited in the account, to satisfy such unpaid claims (see Comment).
§ 17(l) — Account Shortfall
If the money in the account is insufficient to satisfy a claim, the bill requires the commissioner to pay unsatisfied claims when enough money has been deposited, in the order that such claims were filed (see Comment).
§ 17(m) — Subrogation
The bill requires individuals to assign to the commissioner the right to recover the amount they have been paid from the fund, plus reasonable interest. Any amount and interest recovered by the commissioner on the claim must be deposited in the guaranty account.
§17(n) — Commissioner's Duty to Seek Recovery
If the commissioner pays from the account, the bill requires him to determine if the person or entity that caused the injury has assets that could be sold or applied to satisfy the claim. If he discovers any such assets, the bill requires the attorney general to take necessary action to reimburse the account.
§ 17(o) — Commissioner's Authority to Make Repayment Agreements
The bill authorizes the commissioner to make repayment agreements whereby the party agrees to repay the account in full through periodic payments over a set period of time.
§18 — FALSE STATEMENTS
The bill subjects to a $200 fine anyone who files a notice, statement, or other document required by the bill's provisions on dissemination of personal identifying information if it is false or untrue or includes a material misstatement of fact.
§19 — APPEALS
The bill authorizes anyone aggrieved by any decision, order, or regulation the commissioner makes under the bill's provisions restricting the dissemination of personal identifying information to appeal in accordance with the UAPA (see Comment).
§20 — REGULATIONS
The bill authorizes the DCP commissioner to adopt regulations implementing the bill's provisions on restricting the dissemination of personal identifying information.
§21 — CRIMINAL INVESTIGATIONS
The bill states that it may not be construed to prevent anyone from obtaining personal identifying information, except information in personal telephone records, if the person is attempting to enforce the laws:
1. prohibiting larceny in the 1st, 2nd, 3rd, 4th, and 6th degrees, but not larceny in the 5th degree;
2. prohibiting knowing participation in the business of black market records, discs, tapes, the audio portion of movies, or audio or video cassettes or discs;
3. prohibiting camcorder piracy in a movie theater;
4. federal copyright law, including circumvention of copyright processes;
5. federal law prohibiting unauthorized trafficking in recordings or videos of live musical performances; and
6. federal law prohibiting the unauthorized recording of movies in movie theaters.
BACKGROUND
Criminal Penalties
Classification | Imprisonment | Fine
Class A misdemeanor | Up to 1 year | Up to $2,000
Class B misdemeanor | Up to 6 months | Up to $1,000
Class B felony | 1 to 20 years | Up to $15,000
Class C felony | 1 to 10 years | Up to $10,000
Class D felony | 1 to 5 years | Up to $5,000
Scanning Devices and Reencoders
The law prohibits using a scanning device to access, read, obtain, memorize, or temporarily or permanently store information encoded on a computer chip or a payment card's magnetic strip without the authorized user's permission and with the intent to defraud the authorized user, issuer, or a merchant. It also prohibits using a reencoder to take information encoded on a computer chip or a magnetic strip and putting it onto a computer chip or the strip of a different card without the authorized user's permission and with the intent to defraud the authorized user, the card issuer, or a merchant.
By law, a “scanning device” is a scanner, reader, or any other electronic device used to access, read, scan, obtain, memorize, or store information on a computer chip or a magnetic strip of a payment card. A “reencoder” is an electronic device that places encoded information from a computer chip or magnetic strip of a payment card onto a computer chip or magnetic strip of another card or any electronic medium that allows an authorized transaction to occur. A “payment card” is a credit, charge, debit, or any other card issued to an authorized user allowing him to obtain goods, services, money, or anything else of value from a merchant. A “merchant” is a person who receives a payment card from its authorized user or someone he believes to be its authorized user in return for goods or services from the merchant.
The law authorizes the attorney general to sue to enforce its scanner and reencoder provisions. A violator is subject to one to 10 years imprisonment, a fine of up to $10,000, or both.
Restrictions on Disclosing Social Security Numbers
With certain exceptions, the law prohibits individuals and businesses from publicly disclosing Social Security numbers. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes.
Specifically, the law prohibits any person, firm, corporation, or other entity, other than the state or its political subdivisions, from:
1. intentionally communicating or otherwise making available to the general public an individual's Social Security number;
2. printing anyone's Social Security number on any card that the person must use to access the person's or entity's products or services;
3. requiring anyone to transmit his Social Security number over the Internet, unless the connection is secure or the number is encrypted; or
4. requiring anyone to use his Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.
The penalty for willful violations is a fine of up to $100 for the first offense, up to $500 for a second offense, and up to $1,000 or six months in prison for each subsequent offense.
Connecticut Unfair Trade Practices Act (CUTPA)
The law prohibits businesses from engaging in unfair and deceptive acts or practices. CUTPA allows the DCP commissioner to issue regulations defining what constitutes an unfair trade practice, investigate complaints, issue cease and desist orders, order restitution in cases involving less than $5,000, enter into consent agreements, ask the attorney general to seek injunctive relief, and accept voluntary statements of compliance. The act also allows individuals to sue. Courts may issue restraining orders; award actual and punitive damages, costs, and reasonable attorneys fees; and impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.
Consumer Protection Enforcement Account
The statutorily established account is funded with revenue generated from imposing fines for licensing law violations and with up to $400,000 per year from the Home Improvement Guaranty Fund. DCP must use the account “to fund positions and other related expenses” to enforce the licensing and registration laws it administers (CGS § 21a-8a).
COMMENT
§ 10 — Forfeiture
The bill dedicates the proceeds of property forfeited in connection with a violation of § 53a-129a to the Consumer Protection Enforcement Account. Section 53a-129a defines “identity theft” for crimes of identity theft in the 1st, 2nd, and 3rd degrees and trafficking in identity theft, which are established by §§ 53a-129b, 53a-129c, 53a-129d, and 53a-129e. The bill apparently refers to prosecutions under these provisions.
In addition, the bill specifies how to distribute proceeds for violations of §§ 3, 4, and 9 of the bill, but it does not expressly authorize forfeiture for violations of those sections.
§ 17 — Privacy Protection Guaranty and Enforcement Account
The bill requires the DCP commissioner to use the guaranty and enforcement account to reimburse individuals for losses sustained from violations of the bill's provisions restricting the dissemination of personal identifying information under sections 12 to 21 of the bill. Those provisions define “personal identifying information” as an individual's Social Security number, date of birth, or age (§ 12). But § 17 refers to the definition of “personal identifying information” in § 1 rather than the definition in § 12. The § 1 definition is the one used in the law making identity theft a crime and is much broader. As a result, it is not clear how the guaranty account may be used.
§ 17(h) — Restitution Hearing
The bill authorizes the commissioner to proceed against a person or entity for damages sustained by “violation of any of the provisions of this section.” Since the section establishes the guaranty account and does not contain any prohibitions or penalties, the bill apparently intends to refer to different sections or perhaps to the whole bill.
§ 17(h) and § 19 — Appeals
Section 17(h) provides that decisions made by the DCP commissioner or his designee in restitution hearings “are final with respect to any proceeding to order payment out of the guaranty account” and the commissioner and his designee are “exempted from the requirements of chapter 54 [the UAPA] of the general statutes as they relate to appeal.” Section 19 states “any person aggrieved by any decision, order or regulation of the commissioner pursuant to sections 12 to 20, inclusive, of this act may appeal in accordance with the provisions of the Uniform Administrative Procedure Act and chapter 54 of the general statutes.” It is unclear how these two conflicting provisions may be reconciled.
§ 17 — Commissioner's Power to Reduce a Payment
The bill has two nearly identical provisions authorizing the commissioner to reduce payments if there are insufficient funds in the account (§§ 17(c) and 17(l)), and another subsection includes a nearly identical provision (§ 17(k)).
§ 17 — Deadline for Applying
Two identical provisions require applicants to apply within three years: the final sentence of § 17(d) and § 17(i).
COMMITTEE ACTION
General Law Committee
Joint Favorable Substitute
Yea 19 | Nay 0 | (03/06/2008)
1 Current law makes this crime punishable by up to six months in prison and/or a fine of up to $1,000; the bill makes this crime punishable by up to one year imprisonment and/or a fine of up to $2,000.