Topic: CRIMINAL LAW; LEGISLATION; LITIGATION; PRIVACY LAW; SOCIAL SECURITY NUMBER;
Location: PRIVACY;

OLR Research Report


May 6, 2008

 

2008-R-0302

CONSUMER PRIVACY AND IDENTITY THEFT

By: Daniel Duffy, Principal Analyst

You asked for a summary of a proposed amendment (LCO 5843) to An Act Concerning Consumer Privacy and Identity Theft (SB 30).

SUMMARY

This bill makes numerous changes in laws relating to the crime of identity theft and restricting the dissemination of Social Security numbers. In addition, it requires those who possess personal information to safeguard it.

Specifically, it changes the criminal law by making the definition of “identity theft” broader and increases the penalties for committing identity theft against the elderly and criminal impersonation. It creates the crime of unlawful possession of personal access devices; the law already makes it a crime to possess skimmers and reencoders under certain circumstances.

It makes void any state- or municipal-issued credential (1) obtained by making a material false statement or (2) physically altered to misrepresent a material fact.

It allows a victim of identity theft to sue for damages if the perpetrator was found guilty of trafficking in personal identifying information. Victims can already sue for damages if the perpetrator was found guilty of identity theft. The bill extends the statute of limitations for these suits from two to three years.

The bill requires, rather than allows, courts to issue orders to correct public records whenever a person is convicted of identity theft.

It allows perpetrators to be prosecuted in the area where the victim lives.

It requires employers to keep employment applications secure and to destroy them before disposal.

It makes property gained from committing identity theft subject to forfeiture and requires proceeds from its disposition to be deposited in the Privacy Protection Guaranty and Enforcement Account, which the bill establishes.

It requires banks and credit unions to take adequate measures to protect against identity theft when disposing of documents containing personal identifying information.

The bill places additional restrictions on how Social Security numbers may be disseminated and expands the exemptions from the restrictions. It prohibits state agencies and political subdivisions from using an individual's Social Security number on an identification card. It establishes certain enforcement procedures.

The bill creates a Privacy Protection Guaranty and Enforcement Account to reimburse individuals hurt by violations of current law's and the bill's provisions on the dissemination of Social Security numbers and the bill's provisions requiring personal information to be safeguarded. It is funded with forfeited proceeds derived from identity theft convictions and fines imposed on those who violate them.

§ 1 — IDENTITY THEFT

The bill redefines “identity theft” by eliminating the requirements that personal identifying information be obtained intentionally and without permission. Under the bill, a person commits identity theft when he knowingly uses another's personal identifying information to obtain or attempt to obtain money, credit, goods, services, property, or medical information. Under current law, a person commits identity theft when he intentionally obtains, without permission, another person's personal identifying information and uses it to illegally obtain or attempt to obtain money, credit, goods, services, property, or medical information. A violator commits a class D, C, or B felony, depending on the amount involved (see BACKGROUND for penalties).

By law, “personal identifying information” for this purpose includes any name, number, or other information that may be used, alone or with any other information, to identify a specific individual. It specifies that the information includes a person's name; birth date; mother's maiden name; motor vehicle operator, Social Security, employee identification, employer identification, taxpayer identification, alien registration, government passport, health insurance identification, demand deposit account, savings account, credit or debit card number; or unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation.

§ 2 & 3 — ENHANCED PENALTIES FOR CRIMES AGAINST SENIORS

By law, identity theft in the first degree is committed when the value of the goods or services is greater than $10,000. The bill lowers the threshold to $5,000 if the crime is perpetrated against someone age 60 or older. Identity theft in the second degree is committed when the value of the goods or services is greater than $5,000. The bill lowers the threshold to any amount if the crime is perpetrated against someone age 60 or older. The effect is to raise the penalty for committing identity theft against a senior from a class D to a class C felony when the amount involved is less than $5,000 and from a class C to class B felony when it is more (see BACKGROUND for penalties).

§ 4 — CRIMINAL IMPERSONATION

The bill increases the penalty for committing criminal impersonation from a class B to a class A misdemeanor (see BACKGROUND for penalties). By law, a person commits criminal impersonation when he:

1. impersonates another and acts in the assumed character with intent to obtain a benefit or to injure or defraud another;

2. pretends to represent a person or organization and acts in the pretended capacity with intent to obtain a benefit or to injure or defraud another; or

3. pretends to be a public servant, other than pretending to be a police officer (which is another crime), with intent to induce another to submit to, or act in reliance on, the pretended authority.

§ 5 — UNLAWFUL POSSESSION OF PERSONAL IDENTIFYING INFORMATION ACCESS DEVICES

The bill creates the crime of unlawful possession of “personal identifying information access devices.” A person is guilty of committing it when he possesses access devices, document-making equipment, and authentication implements for the purpose of fraudulently altering, obtaining, or using another's personal identifying information. The law already prohibits possession of a scanning device or reencoder under circumstances manifesting intent to use it to commit identity theft (see BACKGROUND for Scanning Devices and Reencoders).

For this purpose, “access devices” include a card, plate, code, account number, mobile identification number, personal identification number, telecommunication service access equipment, card-reading device, scanning device, reencoder or other means that could be used to access financial resources or obtain financial information, personal information, or another person's benefits.

A violator commits a class A misdemeanor (see BACKGROUND for penalty).

§ 6 — CREDENTIALS OBTAINED WITH FALSE INFORMATION

The bill prohibits obtaining or attempting to obtain a state- or municipal-issued license, registration, or certificate by misrepresentation or impersonation or helping another to do so. It makes any such credential that was based upon (1) an application containing a material false statement of personal identifying information or (2) misrepresentation or impersonation void from the date of issue and requires it to be surrendered, on demand, to the issuing authority after notice and an opportunity to be heard has been given in accordance with the Uniform Administrative Procedure Act (UAPA). The bill makes any money paid for such a credential forfeited to the issuing authority.

A violator commits a class A misdemeanor (see BACKGROUND for penalty). The bill provides that it must not be construed as limiting the power of the state or a political subdivision to seek other administrative, legal, or equitable relief allowed by law.

§ 7 — CIVIL ACTION FOR DAMAGES, TRAFFICKING IN PERSONAL IDENTIFYING INFORMATION, AND STATUTE OF LIMITATIONS

By law, victims of identity theft can bring a civil action for damages against their offender in Superior Court. The bill also allows civil actions for damages if the offender was guilty of trafficking in personal identifying information. The law requires courts to award prevailing plaintiffs the greater of $1,000 or triple damages, costs, and reasonable attorney's fees. The bill specifies that damages include documented lost wages and any financial loss suffered by the plaintiff as a result of identity theft. Further, it requires the court to order that the violator pay restitution and allows it to award other remedies provided by law, including the cost of providing at least two years of commercially available identity theft monitoring and protection.

The bill extends the two-year statute of limitations to three years. By law, the limitation period starts from the date the violation is discovered or reasonably should have been discovered.

§ 8 — CORRECTING PUBLIC RECORDS

The law allows a court to issue orders necessary to correct a public record that contains false information due to identity theft whenever a person is convicted of identity theft. The bill requires, rather than allows, the court to issue orders to correct a public record and makes the requirement also apply to convictions of trafficking in personal identifying information.

§ 9 — VENUE

The law allows alleged identity theft offenders to be presented in the Superior Court for the geographical area where the victim lives rather than the area where the crime was allegedly committed. The bill specifies that the alleged violator may also be prosecuted in that judicial district or geographical area. It also makes the requirement apply to prosecutions for trafficking in personal identifying information.

§ 10 — EMPLOYMENT APPLICATIONS

The bill requires an employer to obtain and keep employment applications secure and take reasonable steps to destroy or make them unreadable when disposing of them. These steps must at least include shredding or permanently destroying them in a secure location.

The law requires employers to allow their employees to inspect their personnel records within a reasonable time after receiving a written request. The bill instead requires employers to allow inspection within five business days.

§ 11 — ALTERED CREDENTIALS

The bill (1) makes a state- or municipal-issued license, registration, or certificate that is physically altered to conceal or misrepresent a material fact void from the date of alteration and (2) prohibits such alteration. In both circumstances, the bill requires the credential to be surrendered on demand to the issuing authority after notice and an opportunity to be heard has been given in accordance with the UAPA. The bill makes any money paid for the credential forfeited to the issuing authority.

A violator commits a class A misdemeanor (see BACKGROUND for penalty). The bill provides that it must not be construed as limiting the power of the state or a political subdivision to seek other administrative, legal, or equitable relief allowed by law.

§ 12 — FORFEITURE OF PROCEEDS OF IDENTITY THEFT

The bill subjects to forfeiture all proceeds, or property derived from the proceeds, obtained, directly or indirectly, from identity theft, trafficking in personal identifying information, criminal impersonation, unlawful possession of personal information access devices, and obtaining a state or municipal credential through misrepresentation or impersonation or altering such a credential.

The law establishes procedures for hearings to handle the proceeds from the sale of forfeited property. The proceeds must be used to pay, in order: (1) preserved liens; (2) storage, maintenance, security, and forfeiture costs; and (3) court costs. The bill requires any remaining balances from the sale of property made in connection with a prosecution for identity theft, trafficking in personal identifying information, criminal impersonation, unlawful possession of personal information access devices, and obtaining or altering a state or municipal credential to be deposited in the Privacy Protection Guaranty and Enforcement Account, which this bill establishes.

§ 13 — BANKS AND CREDIT UNIONS

The bill requires each bank, branch of an out-of-state bank, Connecticut credit union, federal credit union, and branch of an out-of-state credit union to take measures to protect against identity theft when disposing of documents containing personal information such as Social Security and bank account numbers. The measures must include shredding or permanently destroying the documents in other ways in a secure setting.

§ 14 — RESTRICTING THE DISSEMINATION OF SOCIAL SECURITY NUMBERS

Restrictions

With certain exceptions, the law prohibits individuals, businesses, and other organizations from publicly disclosing Social Security numbers. Specifically, the law prohibits any person, firm, corporation, or other entity, other than the state or its political subdivisions, from:

1. intentionally communicating or otherwise making available to the general public an individual's Social Security number;

2. printing anyone's Social Security number on any card that the person must use to access the person's or entity's products or services;

3. requiring anyone to transmit his or her Social Security number over the Internet, unless the connection is secure or the number is encrypted; or

4. requiring anyone to use his or her Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.

The bill also prohibits mailing any document which allows a Social Security number to be visible without opening the envelope. It specifies that the prohibitions also apply to employees of the businesses or other organizations.

Exceptions

The law does not prohibit Social Security numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes. The bill instead provides that it does not prohibit the numbers from being (1) collected, used, or released as permitted, authorized, or as required to comply with state or federal law; (2) for a business purpose described in the federal Gramm-Leach-Bliley Act (see BACKGROUND); or (3) used for internal verification, fraud investigation, or administrative purposes. In addition, the bill provides that it does not prohibit disseminating or using the last four digits of an individual's Social Security number.

Criminal Penalty

The bill increases the criminal penalty for willfully violating these provisions for a first offense from a fine of up to $100 to up to $500 and for a second offense from a fine of up to $500 to a fine of up to $1,000, up to six months in prison, or both. By law, subsequent offenses are punishable by a fine of up to $1,000, six months in prison, or both.

State Agencies

The bill prohibits, beginning January 1, 2010, state agencies and political subdivisions from using a Social Security number on forms of identification they issue.

The bill also prohibits a state agency and its political subdivisions from sending material to an individual that includes both a part of the individual's Social Security number and a bank, savings and loan association, or credit union account number, except (1) as a part of an application or enrollment process; (2) to establish, amend, or terminate an account, contract, or policy; or (3) to confirm the accuracy of the Social Security, bank, savings and loan association, or credit union account number.

Except as otherwise provided by law, the bill prohibits documents or records recorded with the state or a political subdivision and made available on the recording entity's public web site from containing (1) more than four numbers reasonably identifiable as being part of an individual's Social Security number or (2) an individual's (a) credit card, charge card, or debit card numbers; (b) retirement account numbers; (c) savings, checking, or securities entitlement account numbers; or (d) date of birth or age. The bill states that state agencies and political subdivisions are not subject to civil liability for any action relating to information recorded under this provision.

Investigation and Court Orders

The bill requires the attorney general, at the request of the DCP commissioner, to investigate and allows him to apply to Superior Court for temporary or permanent restraining orders.

§ 15 — EXEMPTIONS

The bill exempts the following from its and the law's provisions restricting the dissemination of Social Security numbers and from the bill's provisions requiring personal information to be safeguarded:

1. documents or records that state law or court rules or orders require to be recorded, including birth, marriage, or death certificates;

2. printing an individual's Social Security number on a document or form of identification by the individual or individual's legal guardian;

3. the use of a Social Security number by the labor commissioner or by anyone in relation to administering the unemployment compensation law, except that the commissioner and others must comply with the provisions concerning public posting, ID cards, Internet transmissions, web site access, and envelopes;

4. the use of a Social Security number by the Workers' Compensation Commission, an intervenor, or a party on documents or records related to a workers' compensation claim, or an entity administering workers' compensation matters, except that the Workers' Compensation Commission, intervenor party, or entity must comply with provisions concerning public posting, ID cards, Internet transmissions, web site access, and envelopes; and

5. the use of a Social Security number, if the person whose information is being used, or if the person is a minor, such person's parent or legal guardian, has given permission.

§ 16 — SAFEGUARDING PERSONAL INFORMATION

The bill requires anyone in possession of personal information to safeguard the data and computer files and documents containing it from misuse by third parties and to destroy, erase, or make unreadable any document, computer file, or database containing personal information before disposing of it. For this purpose, “personal information” means information capable of being associated with a particular individual through one or more identifiers, such as Social Security number, driver's license number, state identification card number, account number, credit or debit card number, passport number, alien registration number, or health insurance identification number. It does not include publicly available information that is lawfully made available to the public from federal, state, or local government records or widely distributed media.

The bill requires anyone that collects Social Security numbers in the course of business to create a privacy protection policy that must be published or publicly displayed, which includes posting it on an Internet web page. The policy must:

1. protect confidentiality of Social Security numbers,

2. prohibit their unlawful disclosure, and

3. limit access to them.

For persons and entities that hold a state license, registration, or certificate issued by an agency other than DCP, the bill provides that its provisions requiring personal information to be safeguarded are enforceable by the agency that issued the credential only using its existing statutory and regulatory authority.

§ 17 — PENALTIES

The bill subjects a person or entity that violates its provisions restricting the dissemination of Social Security numbers and requiring personal information to be safeguarded to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event. It provides that a violation is not a violation if it is inadvertent. Civil penalties must be deposited in the Privacy Protection Guaranty and Enforcement Account, which the bill establishes.

§ 18 — ENFORCEMENT

The bill authorizes the DCP commissioner to:

1. conduct investigations and hold hearings on any matter under the provisions on the dissemination of Social Security numbers and safeguarding personal information and

2. issue subpoenas, administer oaths, compel testimony, and order the production of books, records, and documents.

If any person refuses to appear, testify, or produce documents when ordered, the bill authorizes the Superior Court, on the commissioner's application, to issue appropriate enforcement orders.

The bill requires the attorney general, at the commissioner's request, to investigate and allows him to apply to the Superior Court for temporary or permanent restraining orders.

§ 19 — PRIVACY PROTECTION GUARANTY AND ENFORCEMENT ACCOUNT

The bill establishes the “Privacy Protection Guaranty and Enforcement Account” as a nonlapsing account within the General Fund. It may contain any money the law requires to be deposited in it. Any balance remaining in it at the end of a fiscal year is carried forward for use in the next fiscal year.

The bill requires the DCP commissioner to use it to:

1. reimburse individuals hurt by violation of the provisions restricting the dissemination of Social Security numbers and requiring personal information to be safeguarded; and

2. enforce the same provisions.

§ 19(b) — Investing the Account

The bill allows the money in the account to be invested or reinvested and requires any interest earned by the investments to be credited to the account.

§ 19(c) — Applying for Payment

After someone hurt by a violation of the restrictions on disseminating Social Security numbers and provisions on safeguarding personal data has obtained a court judgment, the bill allows the individual to apply to the commissioner for a payment from the account for the unpaid amount of the judgment for actual damages and costs, but not for punitive damages. The application must be made on DCP forms and be accompanied by a certified copy of the court judgment and a notarized, signed, and sworn affidavit affirming that the applicant has:

1. complied with all the application requirements;

2. obtained a judgment;

3. stated its amount and the amount still owed as of the application date; and

4. caused a writ of execution to be issued on the judgment, and the officer executing it has made a return showing (a) that it could not be satisfied, (b) that the amount recovered was not enough to satisfy the actual damage portion of the judgment, or (c) the amount realized and the balance remaining.

The bill also requires a true and attested copy of the executing officer's return, when required, to be attached to such application and affidavit. It does not require an applicant who obtained a judgment in small claims court to fulfill these requirements.

§ 19(d) — Commissioner's Determination

The bill requires the commissioner or his designee to inspect the application and accompanying documents for veracity. Once he determines that they are complete and authentic and that the applicant has not been paid, he must pay the unpaid amount and costs, other than punitive damages, from the account.

§ 19(e) — Orders of Restitution

The bill allows an individual awarded restitution for loss or damages sustained from a violation of the bill in a proceeding brought by the commissioner or the attorney general, to apply for payment of the unpaid amount from the account. The commissioner may make the payment after determining that the individual has not been paid and the time for appeal has passed.

§ 19(f) — Violator's Right to a Hearing

The bill requires the commissioner, before making a payment from the account, to first notify the person or entity responsible for the violation of (1) the application for payment from the account and (2) the person or entity's right to a hearing to contest the disbursement if the person or entity has already paid the individual.

The bill requires the notice to be given within 15 days after the commissioner receives an application for payment from the account. If the person or entity requests a hearing in writing by certified mail within 15 days after receiving the commissioner's notice, the commissioner must conduct a hearing in accordance with the UAPA. If the commissioner does not receive such a request by certified mail, he must determine that the individual has not been paid and make a payment from the account.

§ 19(g) — Restitution Hearing

The bill allows the commissioner or his designee to proceed for restitution from any person or entity for violating the bill's restrictions on disseminating Social Security numbers and provisions requiring personal data to be safeguarded. Proceedings must be held according to the UAPA. The bill requires the commissioner or designee to decide in the course of the hearing whether to order restitution and whether to order payment from the account.

§ 19(h) — Deadline for Applying

The bill requires applications for payments from the account to be made before three years have elapsed from the final determination of, or expiration of time for, appeal of the court judgment.

§ 19(i) — Exemption from Applicant's Duty to Satisfy Judgment

The bill allows the commissioner or his designee to dispense with the requirement that an applicant attempt to execute a judgment if the applicant satisfies the commissioner or designee that (1) it is not practicable, (2) the applicant has taken all reasonable steps to collect, and (3) the applicant has been unable to collect.

§ 19(j) — Payment Cap and Preserving the Account's Integrity

The bill allows the commissioner, in his sole discretion, to pay less than the actual loss or damages or the amount of a court or DCP restitution order to preserve the integrity of the account.

§ 19(k) — Account Shortfall

If the money in the account is insufficient to satisfy a claim, the bill requires the commissioner to pay unsatisfied claims when enough money has been deposited, in the order that such claims were filed.

§ 19(l) — Subrogation

The bill requires individuals to assign to the commissioner the right to recover the amount they have been paid from the fund, plus reasonable interest. Any amount and interest recovered by the commissioner on the claim must be deposited in the guaranty account.

§ 19(m) — Commissioner's Duty to Seek Recovery

If the commissioner pays from the account, the bill requires him to determine if the person or entity that caused the injury has assets that could be sold or applied to satisfy the claim. If he discovers any such assets, the bill requires the attorney general to take necessary action to reimburse the account.

§ 19(n) — Commissioner's Authority to Make Repayment Agreements

The bill authorizes the commissioner to make repayment agreements whereby the party agrees to repay the account in full through periodic payments over a period of time, which may be up to five years.

§ 20 — FALSE STATEMENTS

The bill subjects anyone who files a notice, statement, or other document required by the bill's provisions (1) restricting the dissemination of Social Security numbers, (2) requiring personal information to be safeguarded, or (3) guaranty fund payments that is false or untrue or includes a material misstatement of fact to a fine of at least $500. Fines must be deposited into the guaranty fund.

§ 21 — APPEALS

The bill authorizes anyone aggrieved by any decision, order, or regulation the commissioner makes under the bill's provisions restricting the dissemination of Social Security numbers and safeguarding data to appeal in accordance with the UAPA.

§ 22 — REGULATIONS

The bill authorizes the DCP commissioner to adopt regulations implementing the bill's provisions on restricting the dissemination of Social Security numbers and safeguarding data.

BACKGROUND

Criminal Penalties

Classification       | Imprisonment    | Fine
Class B felony       | 1 to 20 years   | Up to $15,000
Class C felony       | 1 to 10 years   | Up to $10,000
Class D felony       | 1 to five years | Up to $5,000
Class A misdemeanor  | Up to 1 year    | Up to $2,000
Class B misdemeanor  | Up to 6 months  | Up to $1,000

Scanning Devices and Reencoders

The law prohibits using a scanning device to access, read, obtain, memorize, or temporarily or permanently store information encoded on a computer chip or a payment card's magnetic strip without the authorized user's permission and with the intent to defraud the authorized user, issuer, or a merchant. It also prohibits using a reencoder to take information encoded on a computer chip or a magnetic strip and putting it onto a computer chip or the strip of a different card without the authorized user's permission and with the intent to defraud the authorized user, the card issuer, or a merchant.

By law, a “scanning device” is a scanner, reader, or any other electronic device used to access, read, scan, obtain, memorize, or store information on a computer chip or a magnetic strip of a payment card. A “reencoder” is an electronic device that places encoded information from a computer chip or magnetic strip of a payment card onto a computer chip or magnetic strip of another card or any electronic medium that allows an authorized transaction to occur. A “payment card” is a credit, charge, debit, or any other card issued to an authorized user allowing him to obtain goods, services, money, or anything else of value from a merchant. A “merchant” is a person who receives a payment card from its authorized user or someone he believes to be its authorized user in return for goods or services from the merchant.

The law authorizes the attorney general to sue to enforce its scanner and reencoder provisions. A violator is subject to one to 10 years imprisonment, a fine of up to $10,000, or both.

Gramm-Leach-Bliley

The federal act requires all financial institutions, including insurance companies, to disclose to customers their policies and practices for protecting the privacy of nonpublic personal information. Customers must receive the disclosure when they purchase the insurance and at least annually thereafter. The policies must also allow customers to “opt-out” of information-sharing arrangements with unaffiliated third parties. It allows the disclosure of nonpublic personal information for certain business purposes described in federal law:

1. to administer or fulfill a transaction requested or authorized by a consumer or related to (a) processing a financial product or service, (b) maintaining a consumer's account, or (c) a proposed or actual securitization or secondary market sale;

2. with the consumer's consent or direction;

3. to protect the security or confidentiality of a consumer's financial records;

4. to protect against or prevent actual or potential fraud or other liability;

5. for required institutional risk control or to resolve customer disputes;

6. to persons holding a legal or beneficial interest relating to the consumer;

7. to persons acting in a fiduciary capacity;

8. to provide information to insurance rate advisory organizations, guaranty funds or agencies, rating agencies of financial institutions, persons assessing the financial institution's compliance with industry standards;

9. to the extent specifically allowed or required by law and in accordance with the federal Right to Financial Privacy Act, to law enforcement agencies, self-regulatory organizations, or investigations related to public safety;

10. to a consumer reporting agency in accordance with the federal Fair Credit Reporting Act; and

11. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a part of a business (15 USC § 6802(e)).

DD:dw