PA 09-239—sSB 838

General Law Committee

Judiciary Committee

Appropriations Committee

AN ACT CONCERNING CONSUMER PRIVACY AND IDENTITY THEFT

SUMMARY: This act makes numerous changes in laws relating to identity theft, Social Security numbers, and the dissemination of personal identifying information.

It makes the definition of “identity theft” broader, increases the penalty for criminal impersonation, and creates the crime of unlawful possession of personal access devices. The law makes it a crime to possess skimmers and reencoders under certain circumstances. The act also increases the penalties for identity theft when the victim is age 60 or older.

The act allows a victim of identity theft to sue for damages if the perpetrator was found guilty of trafficking in personal identifying information. Victims can already sue for damages if the perpetrator was found guilty of identity theft. The act extends the statute of limitations from two to three years and specifies that damages include documented lost wages and any financial loss suffered by the plaintiff as a result of the identity theft. It allows the court to award remedies that may be provided by law. It requires, rather than allows, courts to issue orders to correct public records when a person is convicted of identity theft.

The act voids a credential issued by the state or political subdivision of the state (1) obtained by making a material false statement or (2) physically altered to misrepresent a material fact. It requires the credential to be returned to the issuing authority provided the authority complies with notice provisions.

The act (1) allows perpetrators to be prosecuted in the geographical area or judicial district where the victim lives rather than where the alleged crime was committed; (2) penalizes employers for failing to (a) obtain and retain employment applications securely and (b) take reasonable measures to destroy or make them unreadable when disposing of them; (3) subjects property gained from committing identity theft to forfeiture and requires proceeds from its disposition to be deposited into the Department of Consumer Protection's (DCP) Privacy Protection Guaranty and Enforcement Account, which this act creates, to pay for enforcing certain privacy protection laws; (4) authorizes the DCP commissioner to investigate violations of these laws; and (5) allows the attorney general, upon request of the commissioner or another state agency required to enforce its provisions, to apply to the court to restrain or enjoin a violator.

The act creates the Privacy Protection Guaranty and Enforcement Account to enforce the law and reimburse individuals hurt by violations of the act's provisions on disseminating personal identifying information. The account is funded with fines imposed on violators and property forfeited under the act's provisions.

The act establishes a fine of between $500 and $5,000, to be deposited into the privacy protection account, for (1) filing a notice, statement, or document required by the act that includes false information or (2) willfully violating the provisions of this act or identity theft laws. It also establishes an appeals process for anyone aggrieved by a decision or order made by the commissioner under the act.

EFFECTIVE DATE: October 1, 2009, except for the provisions relating to the penalties for violating the duty to safeguard personal data, investigations, the privacy protection account, appeals, and regulations, which are effective upon passage.

1 — IDENTITY THEFT

The act expands the definition of “identity theft” by eliminating the requirement that personal identifying information be obtained without permission. Under the act, a person commits identity theft when he or she knowingly uses another's personal identifying information to obtain or attempt to obtain money, credit, goods, services, property, or medical information. Under prior law, a person committed identity theft when he or she intentionally obtained, without permission, another person's personal identifying information and used it to illegally obtain or attempt to obtain money, credit, goods, services, property, or medical information. A violator commits a class D, C, or B felony, depending on the amount involved (see Table on Penalties).

By law, “personal identifying information” for this purpose includes any name, number, or other information that may be used, alone or with any other information, to identify a specific individual. It specifies that the information includes a person's (1) name; (2) birth date; (3) mother's maiden name; (4) motor vehicle operator, Social Security, employee identification, employer identification, taxpayer identification, alien registration, government passport, health insurance identification, demand deposit account, savings account, or credit or debit card number; or (5) unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation.

2 & 3 — INCREASED PENALTIES FOR CRIMES AGAINST SENIORS

By law, identity theft in the first degree is committed when the value of the goods or services is greater than $10,000. The act lowers the threshold to $5,000 if the crime is perpetrated against someone age 60 or older. First-degree identity theft is a class B felony.

Identity theft in the second degree is committed when the value of the goods or services is greater than $5,000 and less than $10,000. The act lowers the threshold to any amount if the crime is perpetrated against someone age 60 or older. Second-degree identity theft is a class C felony.

The effect is to raise the penalty for committing identity theft against a senior from a class D to a class C felony when the amount involved is less than $5,000 and from a class C to class B felony when it is more. These provisions are apparently in addition to penalties for larceny, which is the act of wrongfully taking, obtaining or withholding property from an owner, intending to deprive another of property or to appropriate the property to oneself or a third person (CGS 53a-119).

4 — CRIMINAL IMPERSONATION

The act increases the penalty for criminal impersonation from a class B misdemeanor to a class A misdemeanor. By law, a person commits criminal impersonation when he or she:

1. impersonates another and acts in the assumed character with intent to obtain a benefit or to injure or defraud another;

2. pretends to represent a person or organization and acts in the pretended capacity with intent to obtain a benefit or to injure or defraud another; or

3. pretends to be a public servant, other than a police officer (which is another crime), with intent to induce another to submit to, or act in reliance on, the pretended authority.

5 — UNLAWFUL POSSESSION OF PERSONAL INFORMATION ACCESS DEVICES

The act creates the crime of unlawful possession of “personal identifying information access devices.” A person is guilty of committing it when he or she possesses access devices, document-making equipment, or authentication implements to alter, obtain, or use another's personal identifying information. The law already prohibits possession of a scanning device or reencoder under circumstances manifesting intent to use it to commit identity theft (see BACKGROUND).

For this purpose, “access devices” include a card, plate, code, account number, mobile identification number, personal identification number, telecommunication service access equipment, card-reading device, scanning device, reencoder or other means that could be used to access financial resources or obtain financial information, personal identifying information, or another person's benefits.

A violator commits a class A misdemeanor.

It is already a crime to (1) fraudulently use an automated teller machine with intent to deprive someone of property or to appropriate property to oneself or a third person and (2) knowingly use in a fraudulent manner an automated teller machine for the purpose of obtaining property (CGS 53a-127b).

6 — CREDENTIALS OBTAINED WITH FALSE INFORMATION

The act prohibits obtaining or attempting to obtain a license, registration, or certificate for another by misrepresentation or impersonation. It makes void from the date of issue any credential (1) obtained under these circumstances or (2) issued by the state or a political subdivision based upon an application containing a material false statement. It requires the credential, and any money paid for it, to be surrendered, on demand, to the issuing authority, provided the authority has complied with the notice requirements of the Uniform Administrative Procedure Act (UAPA). These provisions do not limit the power or authority of the state or any political subdivision to seek administrative, legal, or equitable relief. In many cases, such as driver's licenses, the law already makes void a credential issued based on a material false statement (CGS 14-43).

A violator commits a class A misdemeanor.

7 — CIVIL ACTION FOR DAMAGES, TRAFFICKING IN PERSONAL IDENTIFYING INFORMATION, AND STATUTE OF LIMITATIONS

By law, victims of identity theft can bring a civil action for damages against the offender in Superior Court. The act also allows civil actions for damages if the offender was guilty of trafficking in personal identifying information.

The law requires courts to award prevailing plaintiffs the greater of $1,000 or triple damages, costs, and reasonable attorney's fees. The act specifies that damages include documented lost wages and any financial loss the plaintiff suffered as a result of identity theft. Furthermore, it explicitly allows the court to award other remedies provided by law, including the cost of providing at least two years of commercially available identity theft monitoring and protection.

The act extends the two-year statute of limitations with regard to these cases to three years. By law, the limitation period starts from the date the violation is, or reasonably should have been, discovered.

8 — CORRECTING PUBLIC RECORDS

The act requires, rather than allows, a court to issue orders necessary to correct a public record that contains false information due to identity theft when a person is convicted of identity theft. It also applies the requirement to convictions of trafficking in personal identifying information.

9 — VENUE FOR PROSECUTING IDENTITY THEFT CASES

The law allows alleged identity theft offenders to be prosecuted in the Superior Court for the geographical area where the victim lives rather than the area where the crime was allegedly committed. The act specifies that the alleged violator may also be prosecuted in that judicial district or geographical area. It also applies the provision to prosecutions for trafficking in personal identifying information.

10 — SAFEGUARDING EMPLOYMENT APPLICATIONS

The act requires employers to obtain and retain applications in a secure manner and, when disposing of the applications, to employ reasonable measures to destroy or make them unreadable at least by shredding them. An “employer” is an individual, corporation, partnership, or unincorporated association. The requirement does not apply to state agencies or political subdivisions.

A violation is subject to a civil penalty of $500 per violation, not to exceed $500,000 per event. Civil penalties received must be deposited in the Privacy Protection Guaranty and Enforcement Account.

11 — ALTERED CREDENTIALS

The act prohibits anyone from physically altering any license, registration, or certificate issued by the state or a political subdivision to conceal or misrepresent a material fact. It makes any credential so altered void from the date of alteration. The act requires the credential to be surrendered on demand to the issuing authority, provided the authority has complied with the notice requirements of the UAPA. Under the act any money paid for the credential is forfeited to the issuing authority.

These provisions do not limit the power or authority of the state or any of its political subdivisions to seek administrative, legal, or equitable relief.

A violator commits a class A misdemeanor.

12 — FORFEITURE OF PROCEEDS OF IDENTITY THEFT

The act subjects to forfeiture all proceeds, or property derived from the proceeds, obtained, directly or indirectly, from identity theft, trafficking in personal identifying information, unlawful possession of personal information access devices, credentials obtained with false information, and altered credentials. It provides that property is not subject to forfeiture (1) to the extent of an owner's or lienholder's interest if the owner or lienholder did not know and could not have reasonably known that the property was being used, intended to be used, or derived from criminal activity or (2) if it is used, or is intended to be used, to pay legitimate attorney's fees in connection with the defense in a criminal prosecution.

The act establishes procedures for hearings to handle the proceeds from the sale of this forfeited property. The procedures are the same as those in the drug forfeiture law (CGS 54-36h). The proceeds must be used to pay (1) preserved liens; (2) storage, maintenance, security, and forfeiture costs; and (3) court costs. The act requires balances from the following to be deposited in the Privacy Protection Guaranty and Enforcement Account: sale of property made in connection with a prosecution for identity theft, criminal impersonation, unlawful possession of personal information access devices, making a material misstatement to obtain a credential, and altering a credential.

13 — VIOLATION REVENUE

PA 09-71 eliminates the requirement that penalties for violating the duty to safeguard certain personal information be deposited into the Privacy Protection Guaranty and Enforcement Account (see BACKGROUND) because the account was not created when the duty to safeguard personal information was established (PA 08-167). This act establishes the account (§ 16) and reestablishes the requirement that penalties for violating the duty to safeguard information be deposited in it.

14 — PENALTY FOR VIOLATING THE RESTRICTION AGAINST DISSEMINATING SOCIAL SECURITY NUMBERS

The law restricts the dissemination of Social Security numbers and subjects willful violators to a criminal fine of $100 for a first offense, up to $500 for a second offense, and up to $1,000, six months imprisonment, or both, for subsequent offenses (see BACKGROUND). The act also subjects willful violators to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event.

15 — INVESTIGATIONS

The act authorizes the DCP commissioner to conduct investigations and hold hearings on violations of laws against misuse or failure to safeguard Social Security numbers, as well as the provisions of the act related to (1) safeguarding employee data, (2) filing documents with DCP containing false or material misstatement of fact, or (3) DCP regulations adopted in accordance with this act.

The commissioner may (1) issue subpoenas; (2) administer oaths; (3) compel testimony; and (4) order the production of books, records, papers, and documents. If an individual refuses to comply, the Superior Court may make an appropriate order to aid enforcement. The attorney general, at the request of the commissioner or other state agency required to enforce the act's provisions, may apply to the Superior Court for an order temporarily or permanently restraining and enjoining a person from violating the relevant laws.

16 — PRIVACY PROTECTION GUARANTY AND ENFORCEMENT ACCOUNT

Establishment of Account

The act establishes the Privacy Protection Guaranty and Enforcement Account as a nonlapsing General Fund account and allows it to contain any money the law requires to be deposited in it.

The act requires the DCP commissioner to use the account to (1) reimburse individuals hurt by violations of laws against misuse of or failure to safeguard Social Security numbers (SSNs), as well as (a) the provisions of the act related to safeguarding employee data, (b) the filing of documents with DCP containing false, untrue, or material misstatements of fact, or (c) DCP regulations adopted in accordance with this act and (2) enforce the above laws and provisions.

Payments to Account

The act requires penalty payments for violating laws and implementing regulations against misuse of or failure to safeguard SSNs, as well as (1) failure to safeguard employee data, (2) filing documents with DCP containing false or material misstatements of fact, or (3) violating DCP regulations set forth in accordance with this act to be credited to the account. The money in the account may be invested or reinvested and any interest earned by the investments must be credited to the account.

Applying for Payment

After someone hurt by a violation of the act's, or implementing regulation's, restriction on disseminating personal identifying information has obtained a court judgment, the individual may apply to the commissioner for a payment from the account for the unpaid amount of the judgment for actual damages and costs, but not for punitive damages. The application must be made on DCP forms and be accompanied by a certified copy of the court judgment and a notarized, signed, and sworn affidavit. The affidavit must affirm that the applicant has:

1. complied with all the application requirements,

2. obtained a judgment, and

3. stated the judgment amount and the amount still owed as of the application date.

The applicant must also cause a writ of execution to be issued on the judgment, and the officer executing it must have made a return showing that it could not be satisfied, that the amount recovered was not enough to satisfy the actual damage portion of the judgment, or the amount realized and the balance remaining. The act does not require an applicant who obtained a judgment in small claims court to fulfill these requirements.

The act also requires a true and attested copy of the executing officer's return, when required, to be attached to the application and affidavit.

Applications may be made after the final determination of, or expiration of time for, an appeal in connection with a judgment.

Commissioner's Determination

The act requires the DCP commissioner or his designee to inspect the application and accompanying documents for veracity. Once he determines that they are complete and authentic and that the applicant has not been paid, he must pay the unpaid amount, other than punitive damages, from the account.

Orders of Restitution

The act allows an individual awarded restitution for loss or damages sustained from a violation of the act or implementing regulations in a proceeding brought by the commissioner or the attorney general, to apply for payment of the unpaid amount from the account. The commissioner may make the payment after determining that the individual has not been paid and the time for appeal has passed.

Violator's Right to a Hearing

The act requires the commissioner, before making a payment from the account, to first notify the person or entity responsible for the damage caused by disseminating personal information of (1) the application for payment and (2) the person or entity's right to a hearing to contest the disbursement if the person or entity has already paid the applicant.

The act requires the notice to be given within 15 days after the commissioner receives an application for payment. If the person or entity requests a hearing in writing by certified mail within 15 days after receiving the commissioner's notice, the commissioner must conduct a hearing in accordance with the UAPA. If the commissioner does not receive such a request by certified mail, he must determine that the individual has not been paid and make a payment from the account.

Restitution Hearing

The act allows the commissioner or his designee to proceed for restitution from any person or entity for (1) dissemination of SSNs, (2) failure to safeguard SSNs and employee data, (3) filing false information in documents required by this act, or (4) violating DCP regulations adopted in accordance with this act. Proceedings must be held according to the UAPA. The act requires the commissioner or designee to decide in the course of the hearing whether to order restitution and whether to order payment from the account.

The act allows the commissioner or designee to hear complaints of all individuals submitting claims against a single person or entity in one proceeding.

Deadline for Applying

The act requires applications for payments to be made before three years have elapsed from the final determination or expiration of time for appeal of the court judgment.

Exemption from Applicant's Duty to Satisfy Judgment

The act allows the commissioner or his designee to dispense with the requirement that an applicant attempt to execute a judgment if the applicant satisfies the commissioner or designee that (1) it is not practicable, (2) he or she has taken all reasonable steps to collect, and (3) he or she has been unable to collect.

Preserving the Account's Integrity

It allows the commissioner, in his sole discretion, to pay less than the actual loss or damages or the amount of a court or DCP restitution order to preserve the integrity of the account. It requires the commissioner, when sufficient money has been deposited in the account, to satisfy such unpaid claims.

Account Shortfall

If the money in the account is insufficient to satisfy a claim, the act requires the commissioner to pay unsatisfied claims, in the order in which they were determined, when enough money has been deposited.

Subrogation

The act requires individuals to assign to the commissioner the right to recover the amount they have been paid from the fund, plus reasonable interest. Any amount and interest the commissioner recovers on the claim must be deposited in the guaranty account.

Commissioner's Duty to Seek Recovery

If the commissioner pays from the account, the act requires him to determine if the person or entity that caused the injury has assets that could be sold or applied to satisfy the claim. If he discovers any such assets, the act requires the attorney general to take necessary action to reimburse the account.

Commissioner's Authority to Make Repayment Agreements

The act authorizes the commissioner to make repayment agreements where the party agrees to repay the account in full through periodic payments over a set period of time.

17 — FALSE STATEMENTS

The act subjects to a fine of from $500 to $5,000 anyone who files with DCP a notice, statement, or other document required by the act or implementing regulation on dissemination of personal identifying information if it is false or includes a material misstatement of fact.

18 — APPEALS

The act authorizes anyone aggrieved by any decision or order the commissioner makes under the act's or implementing regulation's provisions restricting the dissemination of personal identifying information to appeal in accordance with the UAPA.

19 — REGULATIONS

The act authorizes the DCP commissioner to adopt regulations implementing the act's provisions on restricting the dissemination of personal identifying information. It subjects violators of the regulations to the same penalties as violators of the act.

BACKGROUND

Scanning Devices and Reencoders

The law prohibits using a scanning device to access, read, obtain, memorize, or temporarily or permanently store information encoded on a computer chip or a payment card's magnetic strip without the authorized user's permission and with the intent to defraud the authorized user, issuer, or a merchant. It also prohibits using a reencoder to take information encoded on a computer chip or a magnetic strip and put it on a computer chip or the strip of a different card without the authorized user's permission and with the intent to defraud the authorized user, the card issuer, or a merchant.

By law, a “scanning device” is a scanner, reader, or any other electronic device used to access, read, scan, obtain, memorize, or store information on a computer chip or a magnetic strip of a payment card. A “reencoder” is an electronic device that places encoded information from a computer chip or magnetic strip of a payment card on a computer chip or magnetic strip of another card or any electronic medium that allows an authorized transaction to occur. A “payment card” is a credit, charge, debit, or any other card issued to an authorized user allowing him to obtain goods, services, money, or anything else of value from a merchant. A “merchant” is a person who receives a payment card from its authorized user or someone he believes to be its authorized user in return for goods or services.

The law authorizes the attorney general to sue to enforce its scanner and reencoder provisions. A violator is subject to one to 10 years imprisonment, a fine of up to $10,000, or both (CGS 53-388a).

Restrictions on Disclosing Social Security Numbers

With certain exceptions, the law prohibits individuals and businesses from publicly disclosing Social Security numbers. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes.

Specifically, the law prohibits any person, firm, corporation, or other entity, other than the state or its political subdivisions, from:

1. intentionally communicating or otherwise making available to the general public an individual's Social Security number;

2. printing anyone's Social Security number on any card that the person must use to access the person's or entity's products or services;

3. requiring anyone to transmit his Social Security number over the Internet, unless the connection is secure or the number is encrypted; or

4. requiring anyone to use his Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.

The penalty for willful violations is a fine of up to $100 for the first offense, up to $500 for a second offense, and up to $1,000 or six months in prison for each subsequent offense (CGS 42-470).

Duty to Safeguard Personal Information

The law requires anyone possessing personal information about another person to safeguard it and the computer files and documents that contain it. “Personal information” is information that can be associated with an individual through an identifier like a Social Security number.

It requires a business that collects Social Security numbers to create a privacy protection policy that must ensure confidentiality of Social Security numbers.

The law exempts state agencies and political subdivisions from the duty to safeguard personal information.

It subjects willful violators to a fine of $500 for each violation, up to a maximum of $500,000 per event. It provides that a violation is not a violation if it is unintentional. Civil penalties must be deposited into the privacy protection guaranty and enforcement account (CGS 42-471).

OLR Tracking: DD: KM: JL: DF