JOINT FAVORABLE REPORT
AN ACT CONCERNING IDENTITY THEFT.
Joint Favorable Substitute
SPONSORS OF BILL:
REASONS FOR BILL:
Currently there are no protections for individuals whose Social Security numbers have been disclosed by any person, entity, agency of the state or political subdivision of the state. The bill is needed to inform the individual of the reason why the State needs their personal identifying information number and authorization for that disclosure. If the State loses custody of personal identifying information, the bill places requirements on the State to provide theft monitoring and protection and provides remedies for damages to the individual.
In section 2, the substitute bill removes “unauthorized disclosure” and replaces it with “loses custody” of a record containing an individual's Social Security number.
In section 3(b), the substitute bill deletes “unauthorized disclosure” but includes “disclosure unless authorized by the individual or required by law.”
RESPONSE FROM ADMINISTRATION/AGENCY:
Colleen M. Murphy, Executive Director, Freedom of Information Commission: The stated purpose of this bill is to provide greater protection and remedies with respect to the use and disclosure of personal identifying information. While the purpose of the bill is a worthy one, certain language in the bill has negative implications and is problematical.
This bill provides that: “Any person, entity, agency of the state or political subdivision of the state that causes the unauthorized disclosure of an individual's Social Security number….”, may be liable for damages in a civil action. The bill also provides a remedy to persons who are aggrieved by the unauthorized disclosure of personal identifying information.
From an access standpoint, the use of the term “unauthorized disclosure” is unclear and could have an adverse impact on the heart of the Freedom of Information (“FOI”) Act, which is aimed at ensuring public access to government records.
The FOI Commission requests the following be considered before amending the law. At present, the FOI Act authorizes the FOI Commission, upon finding a violation of the FOI Act, to require the production or copying of any public record and permits the FOI Commission to determine, on a case-by-case basis, whether to order disclosure of a public document.
This bill could have the unintended consequence of impinging on the public's right to know. Public agencies might not fully comprehend when disclosure is “authorized” and might deny access to records. Therefore, the FOI Commission requests that the term “unauthorized disclosure” be narrowly defined in the bill so as to avoid any chilling effect on the FOI Commission and other agencies with respect to the public's access to public information.
NATURE AND SOURCES OF SUPPORT:
Deborah J. Fuller, St. of CT Judicial Branch, External Affairs Division: This bill has a laudable purpose, but it is important to note some of the implementation issues that it engenders. Many of these issues arise from the fact that the bill would apply not only to records that have been recently created, but also to records that were created in the past. Older records may contain social security numbers, because they were created at a time when the concern was not as prominent as it is now.
Section 2 creates a financial penalty for the unauthorized disclosure of social security number information by a state agency. It is unclear what the term “unauthorized disclosure” means, as it is not defined in the bill. Depending on how the “unauthorized disclosure” is defined, this may create an obstacle for the Judicial Branch when deciding whether to allow online access to scanned court documents, because the Branch has little control over what personal identities are contained on exhibits or on documents created by litigants. Many of its criminal files contain social security numbers.
Would allowing the public access to criminal files be illegal? Would each file have to be redacted? While one can remove social security numbers from files prospectively, there are millions of files in storage that may include it. Reviewing these documents and redacting social security numbers en masse would be a very large project that would take considerable time and effort and would create a real hardship for the Judicial Branch, given its current shortage of Court Operations staff.
Section 3 gives injured persons the right to bring a civil action against the state for negligent, reckless or intentional disclosure of all personal identifying information listed in Sec 53a-129a (this particular statute not only includes social security numbers, but also name, date of birth, motor vehicle operator's license number, etc.). This may also have a chilling effect on the amount and types of court records the Branch decides to make available online.
State of Connecticut, Division of Criminal Justice: The Division of Criminal Justice requests to amend 53a-129a: that a person unlawfully “obtain and use” personal identifying information of another in order to commit the crime of identity theft. Unfortunately, the current definition does not cover situations where the perpetrator comes into possession of the personal information in a lawful manner but subsequently uses such information without the victim's authorization. It is the unauthorized use of personal information and not how such information is initially obtained that should be the target of this statute.
This issue was brought about by a criminal case where the defendant obtained the victim's personal information in the ordinary course of business as an in-home caretaker and subsequently used that information without the victim's authorization. The defendant created credit card accounts in the victim's name and incurred substantial debt on those accounts without the victim's knowledge. The authorities were not able to charge identity theft because the information was not obtained without the victim's authorization.
To correct this situation, the Division of Criminal Justice recommends amending subsection (a) of section 53a-129a “A person commits identity theft when such person intentionally [obtains] uses personal identifying information of another person without the authorization of such other person [and uses that information] to obtain or attempt to obtain, money, credit, goods, services, property or medical information in the name of such other person without the consent of such other person.”
Steven Bearak, CEO, Identity Force: Identity Force is one of only three companies selected by the U.S. government to provide identity theft services to all federal agencies. Identity Force recommends many initiatives for preserving personal identifiable information, including proper response to data breaches involving the loss or disclosure of personal identifying information, which can and do lead to identity theft. Last year, over 8.1 million Americans were victims of identity theft and fraud. Also, there were hundreds of publicly-known data breaches (and likely thousands of concealed breaches) that released information on nearly 100 million citizens. Secondly, proper response to a data breach is not credit monitoring. Credit monitoring alone does nothing more than inform an individual that his or her identity has been stolen. It does not prevent identity theft or fraud. A government agency or business that has somehow released an individual's personal identifying information should be responsible for protecting that citizen from harm.
AT&T Connecticut: AT&T supports the intent of this legislation. Identity theft is a serious problem for both businesses and consumers. In this environment responsible businesses, including AT&T, have been proactive in creating privacy policies which inform consumers about intended uses of personally identifying information. Typically, businesses have responded to information breaches that may have occurred, with appropriate actions such as the prompt disclosure and identity theft protection services provided for in Section 2 of the bill. AT&T would suggest that there is value in allowing organizations flexibility to respond to cases of inappropriate disclosure in a manner specifically tailored to the unique situation.
In addition, AT&T has reservations about Section 3. This section would allow a person aggrieved by the negligent, reckless, or unauthorized disclosure of personal identifying information to sue the disclosing party for damages. While the bill provides that the individual bringing suit has the burden of proving that the disclosures caused the damage, it overlooks the fact that damages result from the criminal acts of the thief who misuses the information. AT&T therefore is concerned that by providing a cause of action against the disclosing party, it makes it easier and more attractive to sue that party, rather than to seek redress from the criminal. In doing so, businesses and other organizations could be forced to defend a burdensome number of expensive, but ultimately unwarranted, suits.
NATURE AND SOURCES OF OPPOSITION:
Kevin R. Hennessy, Staff Attorney, CBIA:
The Insurance Association of Connecticut: CBIA and the IAC are opposed to this legislation because it is too broad and it will increase unnecessary lawsuits against businesses. CBIA and the IAC do not want the General Assembly to enact overly broad identity theft legislation that will encourage lawsuit abuse. Rather, CBIA and the IAC want identity theft legislation that will increase penalties for identity thieves and encourage reasonable safeguards to protect personal identifying information.
Problem areas of the bill are in Section 2, which states that the government, any person or business responsible for the loss of personal identification theft is responsible for two years of identity monitoring. Rather than penalizing businesses that already take measures to protect personal identification information, it would be better to penalize the actual identity thief. The identity thief should be the one responsible for paying for identity theft monitoring services and the costs and fees incurred to restore an individual's identity.
Section 3: Businesses are already subject to specific federal requirements regarding identifying information under the Gramm-Leach-Bliley Act of 1999, 15 U.S.C., the Health Insurance Portability and Accountability Act of 1996 (P. L. 104-191), the Fair Credit Reporting Act, 15 U.S.C. Subsection 1681 et seq. and the Connecticut Insurance Information and Privacy Protection Act. These acts require insurers, agents and third party vendors to safeguard Connecticut insurance consumers' private information and provide sufficient and strict penalties for any violations. Subjecting businesses to potential state civil action is unnecessary. Additionally, Section 3 offers too broad of a standard for violation. Rather than casting a wide net and including negligent, reckless or intentional behavior, the bill should be narrower and limited to intentional behavior. This would prevent potential lawsuit abuse.
Reported by: David G. Kaplan
Date: March 26, 2008