
Identity Theft

By Howard W. Goldstein
August 30, 2006

By now, conducting financial and business transactions online on 'secure' sites has become a commonplace convenience. But, as we are reminded from time to time, it is not entirely safe to entrust confidential personal information to others. Just such a reminder occurred in late May 2006, when the U.S. Department of Veterans Affairs disclosed that the confidential personal information of about 26.5 million people, including their Social Security numbers, had been stolen when a Virginia analyst took data home and his home was burglarized. According to the Privacy Rights Clearinghouse, a non-profit organization, the theft brought the number of identities compromised since 2005 to over 80 million. Indeed, according to a Wall Street Journal article prompted by the VA incident, identity theft has become such a concern for employers, both in terms of potential liability and lost productivity, that some are providing a new employee benefit: 'identity theft resolution services,' i.e., someone to deal with the employees' legal and credit problems when a theft occurs.

What are the legal liabilities a company faces when someone (an employee or outsider) breaches the company's security and accesses employee or customer confidential information? More than half the states have legislation addressing this problem. This article focuses on federal statutes that expose companies to potential civil and criminal liability for failing to take adequate steps to prevent the theft.

The Federal Trade Commission Act

The Federal Trade Commission Act prohibits 'unfair or deceptive acts or practices in or affecting commerce,' and section 5(a) of that Act empowers the FTC to commence civil actions against companies that violate the Act. A number of cases in recent years have charged companies with violating the Act by failing to adhere to their own privacy policies with respect to customers' personal information. For example, the FTC recently brought a number of actions, each stemming from the company's failure to use reasonable measures to prevent consumer information from being accessed by viewers of the company's Web site. Each company entered into a consent agreement requiring it to implement a comprehensive information security program, not misrepresent the extent of its information protections, and conduct periodic independent audits of its security program.

The Gramm-Leach-Bliley Act

Title V of the Gramm-Leach-Bliley Act requires financial institutions to take steps to protect their customers' data, and imposes possible civil and criminal sanctions for non-compliance. Subsection I authorizes the applicable regulatory agency to promulgate appropriate standards for financial institutions to ensure that customer records and information are adequately safeguarded from unauthorized access. 15 U.S.C. § 6801(b). Subsection I also imposes a duty on financial institutions to notify customers prior to any disclosure of their personal information to third parties and offers the customer an opportunity to direct that the information not be disclosed. 15 U.S.C. §§ 6802(a) & (b). Subsection II prohibits any person from disclosing or causing to be disclosed customer information under false pretenses. 15 U.S.C. § 6821(a). Violations of the provisions of subsections I and II are punishable by civil and criminal penalties. 15 U.S.C. § 6823.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) imposes obligations on health-care providers to safeguard personal information. A person who knowingly obtains or discloses confidential health information about a patient is subject to fines and imprisonment. Wrongful disclosure of individually identifiable health information carries up to a year in prison and up to a $50,000 penalty. If the wrongful disclosure is under false pretenses, the maximum term rises to 5 years, and the monetary penalty to $100,000. If the disclosure was with an intent to sell, transfer, or use for commercial advantage, personal gain, or to inflict malicious harm, the maximum sentence increases to 10 years, with a fine of up to $250,000. 42 U.S.C. § 1177. In a June 1, 2005 opinion, the Justice Department Office of Legal Counsel announced that because the regulations establishing privacy standards under HIPAA applied only to 'covered entities,' the HIPAA criminal provisions did not reach individual employees. The Department noted, however, that those employees could still be prosecuted for identity theft and fraudulent use of a computer (see below).

The Fair and Accurate Credit Transactions Act

The Fair and Accurate Credit Transactions Act (FACTA) imposes liability on consumer reporting agencies that do not maintain 'reasonable procedures designed to avoid' improper disclosure of information. 15 U.S.C. § 1681e. Such agencies must require anyone seeking information contained in a consumer report to identify themselves, certify the purpose for which they are seeking the information, and certify that they will not use the information for any other purpose. 15 U.S.C. § 1681e. A violation of FACTA can result in civil liability, including punitive damages if the violation was willful. 15 U.S.C. § 1681n. FACTA also imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully discloses an individual's personal information to an unauthorized person. 15 U.S.C. § 1681r.

18 U.S.C. §§ 1028 and 1028A

18 U.S.C. § 1028

One of the primary vehicles for prosecuting identity theft is 18 U.S.C. § 1028, which is a general criminal statute prohibiting fraud in connection with identification documents. In 1998, Congress enacted the Identity Theft and Assumption Deterrence Act, which amended 18 U.S.C. § 1028 to criminalize the knowing transfer or use, without lawful authority, of 'a means of identification of another person' with the intent to commit, or to aid or abet, any violation of federal law. 18 U.S.C. § 1028(a)(7). 'Means of identification' is defined broadly to include any name or number that may be used to identify a specific person, including any name, Social Security number, date of birth, officially issued driver's license or identification number, alien registration number, government passport number, or employer or taxpayer identification number. 18 U.S.C. § 1028(d)(4). If convicted under this statute, a defendant faces up to 15 years in prison if he obtained anything of value aggregating $1000 or more during a 1-year period. 18 U.S.C. § 1028(b)(1)(D).

Concerned with potential use of the Internet as a means of committing identity theft, Congress passed the Internet False Identification Prevention Act in 2000. This act further amended § 1028 to prohibit the transfer of false identification information over the Internet. It also charged the Attorney General and Secretary of the Treasury with establishing a committee of agency heads to ensure that the creation and distribution of false identification documents is vigorously investigated and prosecuted.

In 2004, Congress again addressed the growing problem by passing the Identity Theft Penalty Enhancement Act, 18 U.S.C. § 1028A, which significantly increased the penalties by adding a 2-year sentence to anyone who knowingly possesses, transfers, or uses a means of identification of another person without lawful authority. The Act also prohibits courts from imposing sentences of probation on persons convicted of identity theft, mandates, with limited exceptions, that sentences for identity theft run consecutively with any other term of imprisonment, and directs the U.S. Sentencing Commission to amend Guideline § 3B1.3 (Abuse of Position of Trust), which adds two points to the base offense level, to apply to offenses in which the defendant 'exceeds or abuses the authority of his or her position in order to obtain unlawfully or use without authority any means of identification.'

18 U.S.C. § 1030

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1986), makes it a federal criminal offense to access and obtain information from protected computers without authorization. This statute has been used to prosecute individuals who obtained personal identification information from third-party computer systems. For example, in U.S. v. Ivanov, 175 F.Supp.2d 367 (D. Conn. 2001), the defendant was convicted and sentenced to 48 months for hacking into the computer system of an e-commerce business that hosted Web sites and processed credit transactions and stealing passwords that gave the hacker access to the entire network.

But unauthorized access alone may not be enough to convict. The First Circuit reversed a conviction under 18 U.S.C. §§ 1343 and 1030 in U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), where the defendant, a Contact Representative in the Boston office of the Taxpayer Services Division of the IRS, had access to the taxpayer information of everyone stored in the IRS's Integrated Data Retrieval System, and knowingly disregarded IRS policy by accessing this information outside of the scope of his employment. However, no evidence was introduced at trial showing that he used the information. The First Circuit held that the defendant had not violated the wire fraud statute because he had not 'deprived' anyone of a protected right. Similarly, he had not committed computer fraud because § 1030 requires that a defendant personally benefit or further some scheme of fraud in order to be criminally liable.

Conclusion

Controversial pending federal legislation that would pre-empt state data-breach notification laws may change the statutory framework discussed above. In addition, courts have begun to recognize common-law remedies for people injured by identity theft. For example, recent cases in New York and Michigan have recognized private causes of action for identity theft. Jones v. Commerce Bancorp, Inc., 2006 WL 1409492 (S.D.N.Y. 2006); Bell v. Michigan Council 25 AFSCME, 2005 Mich. App. Lexis 353 (Mich. Ct. App. 2005). Clearly, the legal landscape is in flux. The need for corporate counsel to monitor the situation is underscored by the Office of Legal Counsel's reminder in its June 1, 2005 opinion that 'in general, the conduct of an entity's agents may be imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may be imputed to the entity when the agents act on its behalf.'


Howard W. Goldstein, a member of this newsletter's Board of Editors, is a partner at Fried, Frank, Harris, Shriver & Jacobson LLP in New York, and a former federal prosecutor.

