Carders, Full Wallets and Identity Theft In Connecticut

Posted on November 4, 2010 by N. Kane Bennett

I recently attended the Connecticut Privacy Forum.  One of the presentations was by Kim Peretti who is Director of Forensic Services at Pricewaterhouse and a former federal prosecutor that chased down identity thieves globally. (read an interview with Kim here about the infamous TJX case).   I learned quite a bit of information about trafficking in personal identifying information also known as PII.  You can read my live tweets from her presentation here. 

In the data theft industry, the thieves are called "carders."  They are out there looking for victims in person and online.   The primary goal is not only credit card information, but  "full wallets."  Full wallets is when the carder gets all the information you might have in your wallet.  Credit cards, license, bank cards, etc.  The thieves might get this information from you personally, but more likely through a company that keeps this type of information.  Once they get a full wallet, they typically sell it overseas where the information is stored on computer servers and offered for sale on websites.  Scary stuff. 

As a coincidence, I have had a recent uptick of inquiries from victims of identity theft.  There are many laws that are implicated in cases of identity theft such as wire fraud, computer fraud, and theft statutes. The theft may also involve a data breach such as in the case of TJX.   

Here is a quick summary of Connecticut's statutory law for identity theft.

In Connecticut, an attorney can file a civil lawsuit on behalf of a victim of identity theft and obtain an award of one thousand dollars or treble damages, whichever is greater pursuant to statutory law. In addition, a victim can obtain an award of costs and reasonable attorney's fees.  Damages may include documented lost wages, or any financial loss that can be tied to the identity theft. Courts have the ability to award other types of relief also, including but not limited to, not less than two years of commercially available identity theft monitoring.  

In Connecticut, attorneys may prove identity theft for civil damages by showing a violation of the criminal identity theft statutes.  This is similar to the civil theft statute and computer crime statute.  In general, the criminal identity theft statutes may be broken down under the following categories:

  • Class B felony identity theft.  This violation concerns cases where the victim is under the age of 60 and the value of money or theft exceeds ten thousand dollars or the victim is over the age of 60 and the value is greater than five thousand dollars.
  • Class C felony identity theft.  This violation occurs where the victim is under 60 and the value is greater than five thousand dollars, or if the victim is over 60.
  • Class D felony identity theft.  This occurs for any violation regardless of age or value.

To prove the underlying violation or actual identity theft, an attorney must prove in the following:

A person commits identity theft when such person knowingly uses personal identifying information of another person to obtain or attempt to obtain, in the name of such other person, money, credit, goods, services, property or medical information without the consent of such other person.
 

Personal identifying information is defined by the statute as:

any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual including, but not limited to, such individual's name, date of birth, mother's maiden name, motor vehicle operator's license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.
 

If you are a victim of identity theft, you should take fast action.    Some of the actions you might consider: 

  • Identify potential defendants for a lawsuit, such as the actual perpetrator or the source where the perpetrator obtained the information
  • Assess provable damages
  • Seek police involvement and file a private complaint
  • Take immediate action to help restore credit ratings
  • Filing for an injunction, damages or other lawsuit against perpetrators

Consulting an identity theft attorney is also a good idea.  An identity theft attorney can help a victim sort through the various options, take direct action on behalf of the victim, and determine if there are grounds for a lawsuit to seek an injunction, restraining order, or damages. 

 

Tags: , , , , , , , ,

New Laws In Connecticut Affecting Business

Posted on October 2, 2009 by N. Kane Bennett

A whole series of new laws went into effect starting October 1, 2009.  For a full list of the laws you can find a link on Dan Schwartz's Employment Law Blog.  For a humorous "quick and dirty" summary you can go to Ryan McKeen's Connecticut Law Blog. If you want to know the new taxes and higher fees, read these articles by Susan Haigh of the Day and Christopher Keating of the Courant.

If you just want to know the laws affecting business, the Connecticut Office of Legislative Research puts together a nice summary.  From that summary, I offer a few highlights of the laws that went into effect October 1, 2009. 

BUSINESS CORPORATE ACT CHANGES-- PA09-55

There are several changes to the Connecticut Business Corporation Act.  To most significant change is on Dissolution and is summarized in section 23.  Here are the highlights:

  • eliminates requirement that court dissolve corporation in certain situations involving deadlock in management and elections
  • permits, instead of requires, court to dissolve corporation in certain situations involving deadlock and irreparable injury is threatened because of the deadlock

Safeguarding Personal Information-- PA 09-71

This is an act concerning state chartered banks and requires safeguarding of personal information, which is information that can be associated with an individual through an identifier like a Social Security number.  The act gives the Department of Banking authority to enforce the law against state chartered banks.  Any bank that adopts the security and privacy provisions that comply with the federal Gramm-Leach-Bliley Act is in compliance with the state act.

Penalty for Doing Business Without Authority -- PA09-83

This act increases the penalty on foreign businesses that conduct business without registering.  I covered this act on an earlier blog post here.

Consumer Privacy and Identify Theft -- PA 09-239

Several changes were made to social security numbers and the personal identifier information.  There were also changes to the laws concerning identity theft. 

Most significant to businesses are the provisions that penalize employers for failing to:

  • obtain and retain job applications securely
  • take reasonable steps to destroy applications when disposing of them
  • allows the Department of Consumer Protection and Attorney General to enforce its provisions
  • a civil penalty between $500 and $500,000 may be imposed for failure to comply. The fines will be deposited into a newly established Privacy Protection Guaranty and Enforcement Account

I intend to a more detailed blog post on this topic in the future.  Businesses should also be aware of the Act Concerning Social Security Numbers, which I wrote about in an earlier technology tip post here.

Customer Access to Restrooms - PA09-129

This act mandates that retail establishments give access to restrooms to individuals with certain medical conditions, even if the restroom is not open to the public.  The act applies to customers with proof of certain medical conditions, such as inflammatory bowel disease.  The act does not require any changes in construction for the non-public bathrooms.

 Employment--PA09101

This act makes changes to the ban on employer discrimination for gender in compensation to employees.  Allows the court to award back pay, compensatory, and punitive damages for claims that fall under the act.  Dan Schwartz details the provisions of this act here.

Tags: , , , , , ,