Carders, Full Wallets and Identity Theft In Connecticut

I recently attended the Connecticut Privacy Forum. One of the presentations was by Kim Peretti, who is Director of Forensic Services at Pricewaterhouse and a former federal prosecutor who chased down identity thieves globally (read an interview with Kim here about the infamous TJX case). I learned quite a bit about trafficking in personal identifying information, also known as PII. You can read my live tweets from her presentation here.

In the data theft industry, the thieves are called "carders." They are out there looking for victims in person and online. The primary goal is not only credit card information, but "full wallets." A full wallet is when the carder gets all the information you might have in your wallet: credit cards, license, bank cards, etc. The thieves might get this information from you personally, but more likely through a company that keeps this type of information. Once they get a full wallet, they typically sell it overseas, where the information is stored on computer servers and offered for sale on websites. Scary stuff.

As a coincidence, I have had a recent uptick of inquiries from victims of identity theft.  There are many laws that are implicated in cases of identity theft such as wire fraud, computer fraud, and theft statutes. The theft may also involve a data breach such as in the case of TJX.   

Here is a quick summary of Connecticut's statutory law for identity theft.

In Connecticut, an attorney can file a civil lawsuit on behalf of a victim of identity theft and obtain an award of one thousand dollars or treble damages, whichever is greater pursuant to statutory law. In addition, a victim can obtain an award of costs and reasonable attorney's fees.  Damages may include documented lost wages, or any financial loss that can be tied to the identity theft. Courts have the ability to award other types of relief also, including but not limited to, not less than two years of commercially available identity theft monitoring.  

In Connecticut, attorneys may prove identity theft for civil damages by showing a violation of the criminal identity theft statutes.  This is similar to the civil theft statute and computer crime statute.  In general, the criminal identity theft statutes may be broken down under the following categories:

  • Class B felony identity theft.  This violation concerns cases where the victim is under the age of 60 and the value of money or theft exceeds ten thousand dollars or the victim is over the age of 60 and the value is greater than five thousand dollars.
  • Class C felony identity theft.  This violation occurs where the victim is under 60 and the value is greater than five thousand dollars, or if the victim is over 60.
  • Class D felony identity theft.  This occurs for any violation regardless of age or value.

To prove the underlying violation or actual identity theft, an attorney must prove the following:

A person commits identity theft when such person knowingly uses personal identifying information of another person to obtain or attempt to obtain, in the name of such other person, money, credit, goods, services, property or medical information without the consent of such other person.
 

Personal identifying information is defined by the statute as:

any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual including, but not limited to, such individual's name, date of birth, mother's maiden name, motor vehicle operator's license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.
 

If you are a victim of identity theft, you should take fast action.    Some of the actions you might consider: 

  • Identify potential defendants for a lawsuit, such as the actual perpetrator or the source where the perpetrator obtained the information
  • Assess provable damages
  • Seek police involvement and file a private complaint
  • Take immediate action to help restore credit ratings
  • File for an injunction, damages or other lawsuit against perpetrators

Consulting an identity theft attorney is also a good idea.  An identity theft attorney can help a victim sort through the various options, take direct action on behalf of the victim, and determine if there are grounds for a lawsuit to seek an injunction, restraining order, or damages. 

 

Lawyers Going Fishing on Facebook - - Is It Ethical?

Lawyers are all over Facebook and LinkedIn. What are they doing? If they are not marketing or social networking, they are fishing or "mining" for information about individuals and businesses. They are looking for this information to help with lawsuits. The business and employment trends involving social media are growing, and as a result we will continue to see a variety of different lawsuits and legal issues involving some aspect of Facebook, LinkedIn, Twitter, MySpace and YouTube. For example, read the posts yesterday by Dan Schwartz's Employment Law Blog detailing how privacy settings on Facebook permit easier production in electronic discovery and how Facebook wall postings might be unavailable in discovery and deemed private.

One of the issues lawyers will have to address when mining for data on Facebook and other sites is how to get the information. Do you seek the material in discovery and possibly risk a judge deeming the information unavailable as private or irrelevant? Do you just limit your search to what is publicly available? Better yet, what about having an investigator try to "friend" your target so you can get access to the information that is not available to public searches? If you are concerned about the ethics of this type of searching, you have good instincts.

Lawyers fishing on Facebook would be well advised to read through a few ethical opinions on the issue. Recently, the New York Bar Association issued an opinion related to ethical concerns for lawyers "fishing" for information and evidence on Facebook and LinkedIn.  The verdict?  Relying in part on a 2009 Pennsylvania Bar Association opinion, it was deemed ethical for lawyers to search for this information from public pages.  Seeking to "friend" for improper purposes, however, is more problematic and may land a lawyer in ethical trouble.  Specifically, if deception was used (by either the lawyer or a third party directed by the lawyer) to gain access as a "friend," it likely would violate the rules of professional conduct. 

Clearly, LinkedIn and Facebook are treasure troves for litigation attorneys.  However, it is a good idea to be cautious about how you access any information from these sites, especially if the information is not generally available from public searches. 

Wondering Where The Line Is On Internet Privacy - - Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start ups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content.  The question becomes, just what are the limits for user expectations on privacy?

Take Facebook for example. Facebook has a reported 400 million users. Facebook is constantly in the headlines over its privacy policies and security settings related to its users' profile information. Whether it is a class action lawsuit in California or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.

Recently, another lawsuit has been filed over Facebook's "opt out" setting concerning the instant personalization feature.  Wendy Davis on  Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies, Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in Federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook's privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

The Connecticut Privacy Forum Highlights Very Real Risks For Businesses

On Monday,  I attended the Connecticut Privacy Forum hosted by Travelers.  This Forum was a well attended inaugural meeting of privacy and data security professionals.  I came away from the meeting very impressed with the panel of speakers and topics on the agenda.  I also came away from the meeting as convinced as ever that data loss and security breaches pose a significant risk for nearly all businesses that use computers. 

In one of my earlier posts,  I touched on some of the risks involved for businesses related to data loss and security breaches.  I also offered some potential solutions.  At the Privacy Forum, data loss statistics were presented by the speakers and confirmed that these risks are very real for businesses.  Here is a sample of some of the statistics from 2008 alone:

  • 80 million records were compromised
  • 580 data loss or breach incidents were reported
  • $202 per record was the average cost to business for loss or breach 
  • 47% of the incidents involved corporations or businesses
  • 33% involved compromised social security numbers 

The speakers also offered some of the solutions for businesses in terms of risk management and planning.  The seminar further included a detailed overview of federal and state laws covering privacy rights and data security.   You can access the presentation materials at ctprivacy.com 

Overall, this was a great event concerning a topic that will continue to be relevant to business litigation in the coming years.  Congratulations to the organizers, David Baker and Peter Bernstein, from Travelers on a well run event!

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's today's tip for Connecticut businesses to avoid financial loss as a result of data loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal identifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws. For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP. For an example of a new privacy law in Connecticut, consider the "Act Concerning the Confidentiality of Social Security Numbers." Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public relations, and significant down time. Consider the recent case of TJX reported on by Sheri Qualters for the National Law Journal. Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards. TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business. How can a business minimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business. There is no one size fits all policy and solution, and every business will have different needs. If you already have a policy, you should have it reviewed regularly for changes in the law. If you do not have a policy in place, you need to start somewhere. For "do it yourselfers" there is the Federal Trade Commission's Guide for Business and Protecting Personal Information. The FTC's guide is a 5 step plan from identifying your risk exposure to implementing procedures.

In addition to implementing policies, any business with a significant risk exposure for data loss (i.e. medical practice, retailers, e commerce) should consider purchasing a cyber liability insurance policy. These policies are now more affordable, and many insurers such as The Hartford are now actively underwriting policies to cover first and third party data loss claims and providing ongoing resources and information.

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit. 

Social Networking Lawsuits Are Big Risk to Business

I just read an excellent article posted on Law.com from the New York Law Journal on social networking and challenges to business owners and their legal counsel. The authors, Christopher Boehning and Daniel Toal, focus on new emerging problems associated with electronic discovery of social networking data. The authors also point out many of the potential problems for employers and businesses related to social networking sites.

When Facebook started exploding in popularity, you could see that the future in communication was social networking. Boehning and Toal cite a New York Times article that indicates the future is now upon us, as more people spend time on social networking sites than e-mailing. The authors correctly point out something I emphasize to all my business clients: businesses need to have a policy on how to handle social networking sites like Facebook, MySpace, LinkedIn and Twitter. The policy should cover the business' use of such sites and use by employees. Policies on preservation of the data should also be included, as social networking data is akin to the new email.

Lawsuits involving some aspect of social networking sites are increasing in frequency from across the country. Take for example the recent jury verdict in New Jersey against Hillstone Restaurant for violation of the Federal Stored Communications Act. 

In that case, the employers accessed an employee MySpace group that was dedicated to criticizing the employer.  Although the verdict amount was relatively small, the implications are far reaching.  This case was reported on by Charles Toutant in the New Jersey Law Journal.  The employees' trial brief is a good read and spells out some of the arguments in favor of employees' rights to privacy with social networking sites. 

The outcome in the New Jersey case may have been different if the restaurant had a policy addressing use and access to social networking sites.  Businesses will have different concerns when it comes to adopting a policy, and no policy will cover every situation.  However, the lack of any policy at all is likely to lead to problems and potential litigation.  The best way to avoid litigation is to implement a written policy on use and access to social networking sites.