Wednesday, June 26, 2013
IRS Targeting Should be No Surprise to BSA/AML Specialists
I'm just shocked that more private sector people have not come out to say "this is not a surprise to me". To me, I had not clue that revealing this would be "whistle-blowing" since my own career suggested this was exactly what happens at the IRS.
Briefly, AML specialists operate under the Bank Secrecy Act (BSA) which was largely started in an effort to fight organized crime. If you remember, Al Capone went to jail largely for tax evasion - not for the violent crimes. The United States figured it was a swell idea to make it a regulation that banks needed to look out for signs of tax evasion. This BSA program exploded right after 911 when additional regulations for Know Your Customer and anti-terrorism funding regulations meant that banks everywhere suddenly beefed up their BSA/AML programs to a huge degree. This program looks for transactions that could be considered an evasion of tax reporting or terrorist financing and then writes SARs or Suspicious Activity Reports to the government. The government basically uses these as precedent for a warrant anytime they want, under the concept that a "lay person" considers the activity suspicious enough to report it to the government is a very, very powerful statement to make before a grand jury. No secrets here folks, read it all here and other government websites.
Except, that I'm afraid, I don't personally consider these people to be very "lay" in that they are actually pretty highly trained, often by law enforcement, to target very specific individuals depending on the particular political agenda at the time. In the Bush era whilst working for a bank in the AML program, we were given a day training by FBI agents on how to look for the evidence of the use of Hawala. Which, although discouraged in the US, is still very much legal. Later, under the Obama era, we were advised by auditors from a different agency that there was a 'rash' of people who were coverting their assets to gold, and putting the gold in safety deposits boxes. (Also perfectly legal itself) We were told we should report these people, and they were often associated with the Tea Party.
We would only have to assume, therefore, that there is a sort of feedback loop occurring here. The AML divisions of banks attend seminars by government agencies that educate them on the latest money laundering trends to look out for, the banks increasingly file on those trends which those agencies then use to justify the trend itself. If we were being told that certain behavior or association with political or religious parties often correlated with tax evasion, we reported more of that behavior as possible evidence of tax evasion. So of course the IRS must have a BOLO. And yes, these do go to the IRS among other agencies.
Before anyone freaks out and thinks this is a larger conspiracy at play- you know what the two things have in common? They are means of taking currency out of the banking system in a fashion that makes it easy to cheat on your taxes. This is what this entire BOLO list is about. The key words and groups they picked where ones they anticipated or have seen where historically submitted some questionable documentation. Medical Marijuana? There is a a huge mess around the tax situation for those organizations anyway; many of them having to turn to the guise of non-profit agencies that take "donations" just to confirm to a sensible code. Additionally, many normal business expenses cannot be written off, so I'm sure they get a lot of honest mistakes. Some people are just... gullible, or guilty of a urban legend. I think the Tea Party had a pretty good urban legend going about "legal" ways to avoid paying takes, and it got them attention.
Fox News
Does this excuse the behavior? Is any of the above ethical or justified? That's not what this article is about. That is a much bigger question for other articles. I simply purpose that I think there are many, many people who were not at all surprised by these announcements in the private sector banking. I'm surprised I have not heard more from them.
Philosophy on Information Security
These are some of the most valuable insights I've had, and the now make up the core of my guiding philosophy toward information security and compliance. Thank you to everyone who has contributed to forming these principles, and if you recognize one as your very own please feel free to take credit or email me and I'll include the credit to you. Its a compliment that these are so blended to my background and my mind that I no longer recognize the places where they originated, and not meant as any slight.
- Security decisions are, ultimately, business decisions. The unspoken second half of that is "... and you have to be ok with that." In other words, we can provide the best information possible to our bosses and the organizations we work for about the risks, methods of mitigation and recommended strategies, but ultimately the decision they make is a business decision and includes factors we're not privy to. In fact, we don't WANT to be privy to, often times being political in nature. Your work can be amazing, perfect and flawless and the company may still decide to go a different way. It is not a reflection on you or your work. This can be translated as, "learn to let go".
- Bring method to madness. Generally speaking, a lot of what we do as security professionals is bring a framework or method of approaching very large and complex problems. We're experts and taking things like NIST or ISO and using them as a roadmap to approaching a wide variety of IT problems. When you're faced with what seems like a uncoordinated, uncharted, and disorganized approach- find the method. Down to the basic scientific method approach to troubleshooting.
- Learn to be humble, ask for help and never pretend you know what you're doing. Having the pleasure of working with senior folks in the field, I can tell you they do not mind if you openly admit you do not know how to do something. They may be frustrated that they do not have the time to teach you under a deadline, but that is not ire directed at you. What will get you in trouble, get you fired, is if you fail to mention what you don't know and try to guess your way through it. You break something, and then they have to spend time not only fixing what you broke but training you anyway. Admit when you do not know.
- I know this is IT, but softskills are important too. I originally went into the field of forensics to become a medical examiner, and partway through the criminology and biology courses I discovered that whilst I had the stomach for gore, my nose was very sensitive. I wanted to be a medical examiner, not just because forensics fascinates me- but because, like many IT folks, I am happier in a less-social comfort zone. I thought computer forensics and infosec was a good choice, but I've found myself more than once asked to be "less intimidating". For someone who found themselves on the losing end of a bully's fist, this was a shock to my system. I read books on negtiation, joined something like a woman's 'toastmasters', and even found online webinars and seminars on project management, communication skills, negotiation and soft-skills. Be approachable, be open, learn consensus building.
- Never stop learning. No REALLY. I loved school. I thought IT would be a good field because when I talked to folks currently with a successful career, the one warning that was repeated over and over was "you never stop learning". School just doesn't cut it for this. It is not just that technology is changing so quickly that you have to keep up, it is the sheer inter-connected nature of the beast. You may go into security, but you will have to beef up on networking, then eventually databases, and one day you'll find yourself needing some scripting skills. You go into networking, you better believe you need server skills, which means eventually you'll get into databases. If you're any good at either you'll be into security as well... do you see what I mean? Be prepared for two full time jobs. One where you do your job and another where you are constantly learning how to do the job you need to do tomorrow.
- Take a moment to smell the roses, remember to play. Sometimes we get so caught up in whatever little small political or technological hurdle we are currently facing that we forget to stop and look around and remember "How freaking cool is my job?!" Take a moment to savor your accomplishments, your efforts in learning, your ability to explore a field of science many look to with feelings of magic and mystery. You help make people's lives better. Taking time away from what is frustrating you and just playing can be powerful in many ways. Play is key to problem solving, it can rejuvenate and revive you, and it can bring clarity in ways you never thought. Just take a moment.
Well, that is all for now. I have another post brewing on interview questions every Infosec / CISSP should be asking their prospective new employer!
Stay tuned.
Sunday, April 18, 2010
Business Identity Theft - A Comparison of State Law and Guide for Reform
Generally speaking, when most people discuss identity theft, they are referring to an individual using the personal identifying information of another individual, without their consent, to obtain some profit or advantage. Identity theft is largely viewed as a “people” problem, and for good reason- Most state and federal laws, websites, non-profit organizations and consumer advocacy groups tasked with the job of helping identity theft victims address the American consumer at large.
Working in this industry, I saw a gap in the services provided by these organizations. Although comprehensive when it came to personal identity solutions there was still a vulnerable segment: small and medium business owners. There are just not the same regulations and rules to protect these people and entities as there are the average individual. For instance, your credit report is considered private information. However, you can obtain any business’s credit report and typically for free. There is not even a legal requirement that you have a “need to know”. This report typically contains everything a motivated thief would need to open a store line of credit at a merchant such as Costco. And all they need is the company name and address to start with.
Let’s start with some historical and legal background. Small and medium sized businesses (SMBs) are an attractive target for identity thieves. According to the Institute of Consumer Financial Education (ICFE), SMBs usually qualify for larger lines of credit, “enjoy extended payment terms and less transactional scrutiny for large purchases or high value ticket items than individual customers.” They often have physical property such as computer equipment of value, or perhaps inexperienced employees that may be susceptible to phishing attempts or bribes. Many SMBs are located in shared business buildings, making it even easier to obtain credit cards and loans. All a criminal has to do is rent a small space or mailbox in your building- the address will verify as correct, and he’ll get the credit cards, loan documents, and bills instead of the business owner. Before the business even knows something is wrong, the criminal has skipped town without a trace- except for the damage to the business.
Additionally, many loan contracts and credit agreements may have fine print that could leave you high and dry. According to ICFE, “liability provisions in many cardholder agreements specifically exclude: unauthorized transactions involving business cards and cards used for business purposes…and instances where a transaction by an individual, who at some point was given permission to use the card by the cardholder, ‘exceeds authority’ given by the account owner.” Since insider threats are still the biggest concern when it comes to loss prevention, this particular fine print can mean a lot to a business owner. Perhaps most devastating: “Most loan documents contain a provision which states that if the lending bank ‘deems itself insecure’, repayment of the loan may be accelerated. If numerous fraudulent accounts have caused the bank to no longer be confident of the business’ long term viability, a business’ loans or credit lines may suddenly be called and most businesses would simply not have sufficient cash or liquid assets available to fully service the debt.”
In addition to being lucrative, small and medium size businesses are often careless with privacy and security because they are preoccupied with- well, running their business. According to the ICFE, “Many businesses do not regularly review their business credit report.. [or] ..always carefully scrutinize employee charge card billing statements before they are paid, particularly those accounts for which multiple cards are issued.” Additionally, a recent survey from security firm Panda Security shows SMBs in the United States are increasingly the victims of cybercrime, yet many do not take simple precautions to protect themselves. By the numbers:
* (44 percent) were hit by some form of cybercrime
* (10 percent) surveyed were hit so bad that they had to stop production -- worldwide, the average was 30 percent.
* (50 percent) of companies in the survey lost time or productivity as a result of being infected.
* (97 percent) of U.S. SMBs have installed anti-virus and (95 percent) claim their security systems are up to date. YET (29 percent) said they have no anti-spam in place, (22 percent) are without anti-spyware technology and (16 percent) do not have firewalls. (52 percent) said they have no web filtering solution in place. (39 percent) of respondents said that they have yet to be trained about IT threats.
Business information is easily obtained from a variety of offline and online sources. Business stationary and business cards are easy to obtain and duplicate, and since “most businesses are eager to open new accounts for other businesses, and the process can be quite simple- such as submitting a request on company letterhead along with the business license number and Tax ID.” (ICFE) Since most businesses display their business license on their wall (as many are required to by law), this theft is dangerously easy. Additionally, businesses may engage in high-risk sharing of their business information. Because many companies such as Costco require an EIN to give users status as a business, the EIN is tossed around a lot on documents and over the phone. Small business owners may even be using their own social security number in place of an EIN, increasing their risk and potential for damage
Further, state laws are ill equipped to deal with the problem. As pointed out in a recent article by Business Week, “While business identity theft can often be prosecuted under other statutes, like mail fraud or wire fraud, businesses victimized lose many of the protections afforded to consumers under identity theft laws, like access to information about their credit. Before California last year amended its 1997 identity theft law explicitly to include crimes targeting business entities, a business whose identity had been co-opted could not even get a police report. ‘We were having businesses being taken over and their names being used and I could not prosecute them, at least under ID theft statutes,’ California Deputy Attorney General Robert Morgester says.” (The state legislature amended the “person” in identity theft cases to encompass associations, organizations, partnerships, businesses, trusts, companies and corporations, in addition to logos and “photographic representation” as legally recognized personal ID data.) Yet, there are many other states that still do not recognize business identity theft as a separate crime at all. While there has been a little progress in this area, there are a lot of gaps. Visa, MasterCard, and American Express no longer distinguish between small business and individual credit card fraud, which helps companies to clear the purchases made by thieves. However, I wanted to look deeper into the complex laws in each state and really examine the landscape of business identity theft.
In conducting this research, I noted the ranking of each state by the number of identity theft complaints, the level of punishment that each state hand for the offenses, whether businesses were specified in the law, if the law was written to be able to include businesses or if the law seemed to exclude businesses. I also noted if there were separate laws that would cover a business, but not under normal identity theft laws. My theory was that the states that had the worst identity theft complaints would have the stiffest penalties and be more likely to cover businesses. I know that California ranks pretty high in identity theft, and they typically are the innovators of laws related to consumer protection.
I was actually quite shocked by the results. After reviewing legislation carefully, I split the states out into five groups. Group A, the largest group made of 20 states, are those states that have legally defined “person” or “identification information” in such a way to include businesses, tax id numbers or business license numbers.
Group B, made up of 7 states, are those states that do not cover business identity theft in their traditional identity theft laws, but have covered the offenses in other legislation such as criminal impersonation, falsifying business records or access device fraud.
Group C, second largest group with 11 states, are those governments which appear to specifically exclude business identity theft in all forms of legislation, and are the “worst offenders” in terms of leaving business owners vulnerable.
Group D, made up of 9 states, would be classified by states that seemed to have specifically addressed business identity theft in their legislation.
Finally, the last group, Group E, are four states whose laws are incredibly unclear and could be interpreted either way.
To really understand how this breaks down in terms of the ranking of these states in identity theft complaints, and where they fall on this continuum of business identity theft law, we can examine each group’s members based on ranking and focus on how some approaches are specifically addressed in legislative language.
First, we examine group A. I was surprised how many states defined person as a individual or entity, including corporations, partnerships and other businesses. A few states simple defined identity theft as the use of identification information, and when defining identification information used terms such as “tax identification number or social security number” or phrases like “information or numbers used to access financial resources or credit”. These states and their identity theft complaint rankings: Alabama (17); Alaska (38); Arkansas (33); Kentucky (42); Louisiana (28); Michigan (15); Minnesota (35); Missouri (21); Montana (44); Nebraska (40); Nevada (3); New Jersey (12); New Mexico (9); North Carolina (22); North Dakota (50); Ohio (27); South Dakota (49); Texas (4); West Virginia (46); Washington (13).
Group B requires a little more explanation. I actually expected this to be the largest group from my limited casual reading. Here, I feel it is important to show the state, ranking and then compare the identity theft law and the law which business identity theft would fall under to demonstrate the difference in language and punishment. I found it fascinating that overall, if there was a separate law regarding business identity theft it was a much more minor offense (misdemeanors versus felonies). These more minor offenses include criminal impersonation, access device fraud, and falsifying business records.
Connecticut (19)
Sec. 53a-129a. Identity theft: Class D felony. (a) A person is guilty of identity theft when such person intentionally obtains personal identifying information of another person without the authorization of such other person and uses that information for any unlawful purpose including, but not limited to, obtaining, or attempting to obtain, credit, goods, services or medical information in the name of such other person without the consent of such other person. As used in this section, "personal identifying information" means a motor vehicle operator's license number, Social Security number, employee identification number, mother's maiden name, demand deposit number, savings account number or credit card number.
Sec. 53a-130. Criminal impersonation: Class B misdemeanor. (a) A person is guilty of criminal impersonation when he: (1) Impersonates another and does an act in such assumed character with intent to obtain a benefit or to injure or defraud another; or (2) pretends to be a representative of some person or organization and does an act in such pretended capacity with intent to obtain a benefit or to injure or defraud another; or (3) pretends to be a public servant other than a sworn member of an organized local police department or the Division of State Police within the Department of Public Safety, or wears or displays without authority any uniform, badge or shield by which such public servant is lawfully distinguished, with intent to induce another to submit to such pretended official authority or otherwise to act in reliance upon that pretense.
Delaware (16)
§ 854. Identity theft; class D felony. (a) A person commits identity theft when the person knowingly or recklessly obtains, produces, possesses, uses, sells, gives or transfers personal identifying information belonging or pertaining to another person without the consent of the other person and with intent to use the information to commit or facilitate any crime set forth in this title.
§ 828. Possession of burglar's tools or instruments facilitating theft; class F felony. (4) The offense of identity theft, such as a credit card, driver license or other document issued in a name other than the name of the person who possesses the document.
…
(c) For the purposes of this section, "personal identifying information" includes name, address, birth date, Social Security number, driver's license number, telephone number, financial services account number, savings account number, checking account number, credit card number, debit card number, identification document or false identification document, electronic identification number, educational record, health care record, financial record, credit record, employment record, e-mail address, computer system password, mother's maiden name or similar personal number, record or information.
§ 907. Criminal impersonation; class A misdemeanor. A person is guilty of criminal impersonation when the person:
(1) Impersonates another person and does an act in an assumed character intending to obtain a benefit or to injure or defraud another person; or (2) Pretends to be a representative of some person or organization and does an act in a pretended capacity with intent to obtain a benefit or to injure or defraud another person; or (3) Pretends to be a public servant, or wears or displays without authority any identification, uniform or badge by which a public servant is lawfully distinguished or identified. Criminal impersonation is a class A misdemeanor. § 871. Falsifying business records; class A misdemeanor. A person is guilty of falsifying business records when, with intent to defraud, the person: (1) Makes or causes a false entry in the business records of an enterprise; or (2) Alters, erases, obliterates, deletes, removes or destroys a true entry in the business records of an enterprise; or (3) Omits to make a true entry in the business records of an enterprise in violation of a duty to do so which the person knows to be imposed by law or by the nature of the person's position; or (4) Prevents the making of a true entry or causes the omission thereof in the business records of an enterprise. Falsifying business records is a class A misdemeanor.
Illinois (11)
(720 ILCS 5/16G‑15) Sec. 16G‑15. Identity theft. (a) A person commits the offense of identity theft when he or she knowingly:
(1) uses any personal identifying information or personal identification document of another person to fraudulently obtain credit, money, goods, services, or other property, or
(2) uses any personal identification information or
personal identification document of another with intent to commit any felony theft or other felony violation of State law…
Statute: §720 ILCS 250/13 A person who receives money, goods, property, services or anything else of value obtained fraudulently, knowing that it was so obtained, is guilty of a Class A misdemeanor if the valuedoes not exceed $150 in any six-month period, and a Class 4 felony if it exceeds that amount.
Massachutes (23)
Mass. Gen. Laws ch. 266, § 37E False Impersonation and Identity Fraud (b) Whoever, with intent to defraud, poses as another person without the express authorization of that person and uses such person's personal identifying information to obtain or to attempt to obtain money, credit, goods, services, anything of value, any identification card or other evidence of such person's identity, or to harass another shall be guilty of identity fraud and shall be punished by a fine of not more than $5,000 or imprisonment in a house of correction for not more than two and one-half years, or by both such fine and imprisonment.
Chapt 397: "Personal identifying information", any name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual, including any name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, credit card number or computer password identification.
Chapter 266: Section 37B. Whoever, with intent to defraud, (a) makes or causes to be made, either directly or indirectly, any false statement as to a material fact in writing, knowing it to be false and with intent that it be relied on, respecting his identity or that of any other person, or his financial condition or that of any other person, for the purpose of procuring the issuance of a credit card, or (b) takes a credit card from the person, possession, custody or control of another without the cardholder’s consent by any conduct which would constitute larceny, or who, with knowledge that it has been so taken, receives the credit card with intent to use it or to sell it, or to transfer it to a person other than the issuer....
Mississippi (32)
SEC. 97-19-85. Fraudulent use of identity, social security number or other identifying information to obtain thing of value.
(1) Any person who shall make or cause to be made any false statement or representation as to his or another person's identity, social security account number or other identifying information for the purpose of fraudulently obtaining or with the intent to obtain goods, services or any thing of value, shall be guilty of a misdemeanor and upon conviction thereof shall be fined not more than Five Thousand Dollars ($5,000.00) or imprisoned for a term not to exceed one (1) year, or both.
(2) A person is guilty of fraud under subsection (1) who:
(a) Shall furnish false information wilfully, knowingly and with intent to deceive anyone as to his true identity or the true identity of another person;
(b) Wilfully, knowingly, and with intent to deceive, uses a social security account number to establish and maintain business or other records; or
(c) With intent to deceive, falsely represents a number to be the social security account number assigned to him or another person, when in fact the number is not the social security account number assigned to him or such other person; or
(d) Knowingly alters a social security card, buys or sells a social security card or counterfeit or altered social security card, counterfeits a social security card, or possesses a social security card or counterfeit social security card with intent to sell or alter it.
SEC. 97-19-83. Fraud by mail or other means of communication.
(1) Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money, property or services, or for unlawfully avoiding the payment or loss of money, property or services, or for securing business or personal advantage by means of false or fraudulent pretenses, representations or promises, or to sell, dispose of, loan, exchange, alter, give away, distribute, supply, or furnish or procure for unlawful use any counterfeit or spurious coin, obligation, security or other article, or anything represented to be or intimated or held out to be such counterfeit or spurious article, for the purpose of executing such scheme or artifice or attempting so to do, transmits or causes to be transmitted by mail, telephone, newspaper, radio, television, wire, electromagnetic waves, microwaves, or other means of communication or by person, any writings, signs, signals, pictures, sounds, data, or other matter across county or state jurisdictional lines, shall, upon conviction, be punished by a fine of not more than Ten Thousand Dollars ($10,000.00) or by imprisonment for not more than five (5) years, or by both such fine and imprisonment.
SOURCES: Laws, 1988, ch. 511, Sec. 3, eff from and after July 1, 1988. SEC. 97-19-11. Credit cards; procuring issuance by false statements.
Any person who makes or causes to be made either directly or indirectly any false statement in writing with intent that it be relied upon with respect to his identity or that of any other person, firm or corporation, for the purpose of procuring the issuance of a credit card is guilty of a misdemeanor.
New York (6)
§ 190.77 Offenses involving theft of identity; definitions.
For the purposes of sections 190.78, 190.79, 190.80 and 190.80-a and 190.85 of this article "personal identifying information" means a person's name, address, telephone number, date of birth, driver's license number, social security number, place of employment, mother's maiden name, financial services account number or code, savings account number or code, checking account number or code, brokerage account number or code, credit card account number or code, debit card number or code, automated teller machine number or code, taxpayer identification number, computer system password, signature or copy of a signature, electronic signature, unique biometric data that is a fingerprint, voice print, retinal image or iris image of another person, telephone calling card number, mobile identification number or code, electronic serial number or personal identification number, or any other name, number, code or information that may be used alone or in conjunction with other such information to assume the identity of another person.
§ 175.00 Definitions of terms.
The following definitions are applicable to this article:
"Enterprise" means any entity of one or more persons, corporate or otherwise, public or private, engaged in business, commercial, professional, industrial, eleemosynary, social, political or governmental activity.
"Business record" means any writing or article, including computer data or a computer program, kept or maintained by an enterprise for the purpose of evidencing or reflecting its condition or activity.
"Written instrument" means any instrument or article, including computer data or a computer program, containing written or printed matter or the equivalent thereof, used for the purpose of reciting, embodying, conveying or recording information, or constituting a symbol or evidence of value, right, privilege or identification, which is capable of being used to the advantage or disadvantage of some person.
§ 190.25 Criminal impersonation in the second degree.
A person is guilty of criminal impersonation in the second degree when he: Impersonates another and does an act in such assumed character with intent to obtain a benefit or to injure or defraud another; or Pretends to be a representative of some person or organization and does an act in such pretended capacity with intent to obtain a benefit or to injure or defraud another…
Criminal impersonation in the second degree is a class A misdemeanor.
§ 175.05 Falsifying business records in the second degree.
A person is guilty of falsifying business records in the second degree when, with intent to defraud, he:
1. Makes or causes a false entry in the business records of an enterprise; or
2. Alters, erases, obliterates, deletes, removes or destroys a true entry in the business records of an enterprise; or
3. Omits to make a true entry in the business records of an enterprise in violation of a duty to do so which he knows to be imposed upon him by law or by the nature of his position; or
4. Prevents the making of a true entry or causes the omission thereof in the business records of an enterprise.
Falsifying business records in the second degree is a class A misdemeanor.
Oregon (20)
165.800 Identity theft. (1) A person commits the crime of identity theft if the person, with the intent to deceive or to defraud, obtains, possesses, transfers, creates, utters or converts to the person’s own use the personal identification of another person.
165.072 Definitions for ORS 165.072 and 165.074. (8) “Person” does not include a financial institution or its authorized employee, representative or agent.
165.800 Identity theft. (4) As used in this section:
(a) “Another person” means a real person, whether living or deceased, or an imaginary person.
(b) “Personal identification” includes, but is not limited to, any written document or electronic data that does, or purports to, provide information concerning:
(A) A person’s name, address or telephone number;
(B) A person’s driving privileges;
(C) A person’s Social Security number or tax identification number;
(D) A person’s citizenship status or alien identification number;
(E) A person’s employment status, employer or place of employment;
(F) The identification number assigned to a person by a person’s employer;
(G) The maiden name of a person or a person’s mother;
(H) The identifying number of a person’s depository account at a “financial institution” or “trust company,” as those terms are defined in ORS 706.008, or a credit card account;
(I) A person’s signature or a copy of a person’s signature;
(J) A person’s electronic mail name, electronic mail signature, electronic mail address or electronic mail account;
(K) A person’s photograph;
(L) A person’s date of birth; and
(M) A person’s personal identification number. [1999 c.1022 §1; 2001 c.870 §3; 2007 c.583 §1]
165.080 Falsifying business records. (1) A person commits the crime of falsifying business records if, with intent to defraud, the person:
(a) Makes or causes a false entry in the business records of an enterprise; or
(b) Alters, erases, obliterates, deletes, removes or destroys a true entry in the business records of an enterprise; or
(c) Fails to make a true entry in the business records of an enterprise in violation of a known duty imposed upon the person by law or by the nature of the position of the person; or
(d) Prevents the making of a true entry or causes the omission thereof in the business records of an enterprise.
(2) Falsifying business records is a Class A misdemeanor. [1971 c.743 §163]
165.055 Fraudulent use of a credit card. (1) A person commits the crime of fraudulent use of a credit card if, with intent to injure or defraud, the person uses a credit card for the purpose of obtaining property or services with knowledge that:
(a) The card is stolen or forged;
(b) The card has been revoked or canceled; or
(c) For any other reason the use of the card is unauthorized by either the issuer or the person to whom the credit card is issued.
(2) “Credit card” means a card, booklet, credit card number or other identifying symbol or instrument evidencing an undertaking to pay for property or services delivered or rendered to or upon the order of a designated person or bearer.
(3) The value of single credit card transactions may be added together if the transactions were committed:
(a) Against multiple victims within a 30-day period; or
(b) Against the same victim within a 180-day period.
(4) Fraudulent use of a credit card is:
(a) A Class A misdemeanor if the aggregate total amount of property or services the person obtains or attempts to obtain is less than $1,000.
(b) A Class C felony if the aggregate total amount of property or services the person obtains or attempts to obtain is $1,000 or more. [1971 c.743 §160; 1973 c.133 §7; 1987 c.907 §11; 1993 c.680 §26; 2009 c.16 §7]
As you can see, the various ways that business could be excluded from rights that are designated for victims of identity theft are quite extensive. Sometimes they can be excluded because the information needed to open business lines of credit with merchants such as Costco does not require any private information, or personal information about the business owner. Other times it would not be included because the account isn’t held at a financial intuition, or because the crime could have been committed by an insider.
Group C those governments which appear to specifically exclude business identity theft in all forms of legislation, are worth carefully examining as well. For this purpose, I actually included the District of Columbia as part of the “worst offenders” in terms of leaving business owners vulnerable. Some of the rankings in this area actually shocked me, and some of the specific wording to exclude business were surprising as well- just take Florida as an example. It ranks fifth in identity theft complaints, but it specifically excludes businesses as a “person” under their identity theft laws.
A breakdown of Group C:
DC (n/a)
D.C. Code § 22-3227.01 (2004) § 22-3227.02. Identity theft.
A person commits the offense of identity theft if that person knowingly:
(1) Uses personal identifying information belonging to or pertaining to another person to obtain, or attempt to obtain, property fraudulently and without that person's consent; or
(2) Obtains, creates, or possesses personal identifying information belonging to or pertaining to another person with the intent to:
(A) Use the information to obtain, or attempt to obtain, property fraudulently and without that person's consent; or
(B) Give, sell, transmit, or transfer the information to a third person to facilitate the use of the information by that third person to obtain, or attempt to obtain, property fraudulently and without that person's consent.
(2) "Person" means an individual, whether living or dead.
(3) "Personal identifying information" includes, but is not limited to, the following:
(A) Name, address, telephone number, date of birth, or mother's maiden name;
(B) Driver's license or driver's license number, or non-driver's license or non-driver's license number;
(C) Savings, checking, or other financial account number;
(D) Social security number or tax identification number;
(E) Passport or passport number;
(F) Citizenship status, visa, or alien registration card or number;
(G) Birth certificate or a facsimile of a birth certificate;
(H) Credit or debit card, or credit or debit card number;
(I) Credit history or credit rating;
(J) Signature;
(K) Personal identification number, electronic identification number, password, access code or device, electronic address, electronic identification number, routing information or code, digital signature, or telecommunication identifying information;
(L) Biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(M) Place of employment, employment history, or employee identification number; and
(N) Any other numbers or information that can be used to access a person's financial resources, access medical information, obtain identification, act as identification, or obtain property.
(4) "Property" shall have the same meaning as provided in § 22-3201(3) and shall include credit.
Florida (5)
817.568 Criminal use of personal identification information.
(d) "Individual" means a single human being and does not mean a firm, association of individuals, corporation, partnership, joint venture, sole proprietorship, or any other entity.
Title XLVI Chapter 817 FRAUDULENT PRACTICES (2)(a) Any person who willfully and without authorization fraudulently uses, or possesses with intent to fraudulently use, personal identification information concerning an individual without first obtaining that individual's consent, commits the offense of fraudulent use of personal identification information, which is a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
817.03 Making false statement to obtain property or credit.--Any person who shall make or cause to be made any false statement, in writing, relating to his or her financial condition, assets or liabilities, or relating to the financial condition, assets or liabilities of any firm or corporation in which such person has a financial interest, or for whom he or she is acting, with a fraudulent intent of obtaining credit, goods, money or other property, and shall by such false statement obtain credit, goods, money or other property, shall be guilty of a misdemeanor of the first degree, punishable as provided in s. 775.082 or s. 775.083.
Idaho (36)
18-3124.Fraudulent use of a financial transaction card or number. It is a violation of the provisions of this section for any person with the intent to defraud:
(1) To use an FTC or FTC number to knowingly and willfully exceed the actual balance of the demand deposit account or time deposit account;
(2) To use an FTC or FTC number to willfully exceed an authorized credit line in the amount of one thousand dollars ($1,000) or more, or fifty percent (50%) of such authorized credit line, whichever is greater;
(3) To willfully deposit into his account or any other account by means of an automatic banking device, any false, forged, fictitious, altered or counterfeit check draft, money order, or any other such document;
(4) To knowingly sell or attempt to sell credit card sales drafts to an authorized credit card merchant or any other person or organization, for any consideration whether at a discount or otherwise, or present or cause to be presented to the issuer or an authorized credit card merchant, for payment or collection, any credit card sales draft, or purchase or attempt to purchase any credit card sales draft for presentation to the issuer or an authorized credit card merchant for payment or collection if:
(a) Such draft is counterfeit or fictitious;
(b) The purported sale evidenced by such credit card sales draft did not take place;
(c) The purported sale was not authorized by the card holder;
(d) The items or services purported to be sold as evidenced by such credit card sales draft are not delivered or rendered to the card holder or person intended to receive them; or
(e) If purportedly delivered or rendered, such goods or services are of materially lesser value or quality from that intended by the purchaser, or are materially different from goods or services represented by the seller or his agent to the purchaser, or have substantial discrepancies from goods or services impliedly represented by the purchase price when compared with the actual goods or services purportedly delivered or rendered.
(5) To knowingly keep or maintain in any manner carbon or other impressions or copies of credit card sales drafts, and to use such impressions or copies for the purpose of creating any fictitious or counterfeit credit sales draft, or to engage in any other activity prohibited in this section.
§ 18-3125
Criminal possession of financial transaction card, financial transaction number and FTC forgery devices. It is a felony punishable as provided in subsection (3) of section 18-3128, Idaho Code, for any person:
(1) To acquire an FTC or FTC number from another without the consent of the card holder or the issuer, or to, with the knowledge that it has been so acquired, receive an FTC or FTC number with the intent to use to defraud, or to sell, or to transfer the FTC or FTC number to another person with the knowledge that it is to be used to defraud;
(2) To acquire an FTC or FTC number that he knows to have been lost, mislaid, or delivered under a mistake as to the identity or address of the card holder, and to retain possession with the intent to use to defraud or to sell or transfer to another person with the knowledge that it is to be used to defraud;
(3) To, with the intent to defraud, knowingly possess a false, fictitious, counterfeit, revoked, expired or fraudulently obtained FTC or any FTC account number;
(4) To, with the intent to defraud, knowingly obtain or attempt to obtain credit or purchase or attempt to purchase any goods, property or service, by use of any false, fictitious, counterfeit, revoked, expired or fraudulently obtained FTC or FTC account number;
(5) To, with the intent to defraud, knowingly produce to another person or procure, a false, fictitious, counterfeit, revoked, expired or fraudulently obtained FTC or any FTC account number;
(6) To, with the intent to defraud and while making an application for an FTC to an issuer, knowingly make or cause to be made, a false written or oral statement or representation respecting his name, personal identifying information, occupation, financial condition, assets, or to materially undervalue any indebtedness for the purpose of influencing the issuer to issue an FTC.
§ 18-3125A
Unauthorized factoring of credit card sales drafts. It is unlawful for any person to knowingly and with intent to defraud, employ, solicit or otherwise cause an authorized credit card merchant, or for the authorized credit card merchant itself, to present to the issuer for payment any credit card sales draft pertaining to any sale or purported sale of goods or services which was not made by such authorized credit card merchant in the ordinary course of business, except with the express authorization of the issuer.
§ 18-3126
Misappropriation of personal identifying information. It is unlawful for any person to obtain or record personal identifying information of another person without the authorization of that person, with the intent that the information be used to obtain, or attempt to obtain, credit, money, goods or services without the consent of that person.
§ 18-3126A
Acquisition of personal identifying information by false authority. It is unlawful for any person to falsely assume or pretend to be a member of the armed forces of the United States or an officer or employee acting under authority of the United States or any department, agency or office thereof or of the state of Idaho or any department, agency or office thereof, and in such pretended character, seek, demand, obtain or attempt to obtain personal identifying information of another person.
§ 18-3127
Receiving or possessing fraudulently obtained goods or services. It is unlawful for any person to receive, retain, conceal, possess or dispose of personal property, cash or other representative of value, who knows or has reason to believe the property, cash or other representative of value has been obtained by fraud as set forth in sections 18-3123, 18-3124, 18-3125A and 18-3126, Idaho Code.
§ 18-3128
Penalty for violation. (1) Any person found guilty of a violation of section 18-3124, 18-3125A or 18-3127, Idaho Code, is guilty of a misdemeanor. In the event that the retail value of the goods obtained or attempted to be obtained through any violation of the provisions of section 18-3124, 18-3125A or 18-3127, Idaho Code, exceeds three hundred dollars ($300), any such violation will constitute a felony, and will be punished as provided in this section. Any person found guilty of a violation of section 18-3125, 18-3126 or 18-3126A, Idaho Code, is guilty of a felony.
(2) For purposes of this section, the punishment for a misdemeanor shall be a fine of up to one thousand dollars ($1,000) or up to one (1) year in the county jail, or both such fine and imprisonment.
(3) For purposes of this section, the punishment for a felony shall be a fine of up to fifty thousand dollars ($50,000) or imprisonment in the state prison not exceeding five (5) years, or both such fine and imprisonment.
(3) "Card holder" means any person or organization named on the face of a financial transaction card to whom, or for whose benefit, a financial transaction card is issued by an issuer.
(4) "Credit card sales draft" means:
(a) Any sales slip, draft, voucher or other written or electronic record of a sale of goods, services or anything else of value made or purported to be made to or at the request of a card holder with a financial transaction card, financial transaction card account number or personal identification code; or
(b) Any evidence, however manifested, of any right or purported right to collect from a card holder funds due or purported to be due with respect to any sale or purported sale. (10) "Personal identifying information" means the name, address, telephone number, driver’s license number, social security number, place of employment, employee identification number, mother’s maiden name, checking account number, savings account number, financial transaction card number, or personal identification code of an individual person, or any other numbers or information which can be used to access a person’s financial resources.
Indiana (26)
Sec. 8. (a) A person who knowingly executes, or attempts to execute, a scheme or artifice:
(1) to defraud a state or federally chartered or federally insured financial institution; or
(2) to obtain any of the money, funds, credits, assets, securities, or other property owned by or under the custody or control of a state or federally chartered or federally insured financial institution by means of false or fraudulent pretenses, representations, or promises; commits a Class C felony.
Iowa (48)
Sec. 8. (a) A person who knowingly executes, or attempts to execute, a scheme or artifice:
(1) to defraud a state or federally chartered or federally insured financial institution; or
(2) to obtain any of the money, funds, credits, assets, securities, or other property owned by or under the custody or control of a state or federally chartered or federally insured financial institution by means of false or fraudulent pretenses, representations, or promises; commits a Class C felony.
For purposes of this section, "identification information" means the name, address, date of birth, telephone number, driver's license number, nonoperator's identification number, social security number, place of employment, employee identification number, parent's legal surname prior to marriage, demand deposit account number, savings or checking account number, or credit card number of a person.
Kansas (29)
21-3830. Dealing in false identification documents; vital records identity fraud related to birth, death, marriage, and divorce certificates.
(a) Dealing in false identification documents is reproducing, manufacturing, selling or offering for sale any identification document which:
(1) Simulates, purports to be or is designed so as to cause others reasonably to believe it to be an identification document; and
(2) bears a fictitious name or other false information.
(b) As used in this section, "identification document" means any card, certificate or document or banking instrument including, but not limited to, credit or debit card, which identifies or purports to identify the bearer of such document, whether or not intended for use as identification, and includes, but is not limited to, documents purporting to be drivers' licenses, nondrivers' identification cards, certified copies of birth, death, marriage and divorce certificates, social security cards and employee identification cards.
(c) Dealing in false identification documents is a severity level 8, nonperson felony.
(d) Vital records identity fraud related to birth, death, marriage and divorce certificates is:
(1) Willfully and knowingly supplying false information intending that the information be used to obtain a certified copy of a vital record;
(2) making, counterfeiting, altering, amending or mutilating any certified copy of a vital record:
(A) Without lawful authority; and
(B) with the intent to deceive; or
(3) willfully and knowingly obtaining, possessing, using, selling or furnishing or attempting to obtain, possess or furnish to another for any purpose of deception a certified copy of a vital record.
(e) Vital records identity fraud is a severity level 8, nonperson felony.
(f) The prohibitions in subsections (a) and (b) do not apply to:
(1) A person less than 21 years of age who uses the identification document of another person to acquire an alcoholic beverage, as defined in K.S.A. 8-1599, and amendments thereto;
(2) a person less than 18 years of age who uses the identification documents of another person to acquire:
(A) Cigarettes or tobacco products, as defined in K.S.A. 79-3301, and amendments thereto;
(B) a periodical, videotape or other communication medium that contains or depicts nudity;
(C) admittance to a performance, live or film, that prohibits the attendance of the person based on age; or
(D) an item that is prohibited by law for use or consumption by such person.
(g) This section shall be part of and supplemental to the Kansas criminal code.
21-4018. Identity theft; identity fraud. (a) Identity theft is knowingly and with intent to defraud for any benefit, obtaining, possessing, transferring, using or attempting to obtain, possess, transfer or use, one or more identification documents or personal identification number of another person other than that issued lawfully for the use of the possessor.
(b) "Identification documents" has the meaning provided in K.S.A. 21-3830, and amendments thereto.
(c) Except as provided further, identity theft is a severity level 8, nonperson felony. If the monetary loss to the victim or victims is more than $100,000, identity theft is a severity level 5, nonperson felony.
(d) Identity fraud is:
(1) Willfully and knowingly supplying false information intending that the information be used to obtain an identification document;
(2) making, counterfeiting, altering, amending or mutilating any identification document:
(A) Without lawful authority; and
(B) with the intent to deceive; or
(3) willfully and knowingly obtaining, possessing, using, selling or furnishing or attempting to obtain, possess or furnish to another for any purpose of deception an identification document.
(e) Identity fraud is a severity level 8, nonperson felony.
(f) This section shall be part of and supplemental to the Kansas criminal code.
Maryland (10)
A person may not knowingly, willfully, and with fraudulent intent possess, obtain, or help another to possess or obtain any personal identifying information of an individual, without the consent of the individual, in order to use, sell, or transfer the information to get a benefit, credit, good, service, or other thing of value in the name of the individual.
(c) A person may not knowingly and willfully assume the identity of another:
(1) to avoid identification, apprehension, or prosecution for a crime; or
(2) with fraudulent intent to:
(i) get a benefit, credit, good, service, or other thing of value; or
(ii) avoid the payment of debt or other legal obligation.
§8–303.
“Personal identifying information” includes a name, address, telephone number, driver’s license number, Social Security number, place of employment, employee identification number, mother’s maiden name, bank or other financial institution account number, date of birth, personal identification number, credit card number, or other payment device number.
(a) In this section, “government identification document” means one of the following documents issued by the United States government or any state or local government:
(1) a passport;
(2) an immigration visa;
(3) an alien registration card;
(4) an employment authorization card;
(5) a birth certificate;
(6) a Social Security card;
(7) a military identification;
(8) an adoption decree;
(9) a marriage license;
(10) a driver’s license; or
(11) a photo identification card. http://mlis.state.md.us/asp/web_statutes.asp?gcr&8-303
New Hampshire (37)
638:26 Identity Fraud.
I. A person is guilty of identity fraud when the person:
(a) Poses as another person with the purpose to defraud in order to obtain money, credit, goods, services, or anything else of value;
(b) Obtains or records personal identifying information about another person without the express authorization of such person, with the intent to pose as such person;
(c) Obtains or records personal identifying information about a person without the express authorization of such person in order to assist another to pose as such person; or
(d) Poses as another person, without the express authorization of such person, with the purpose of obtaining confidential information about such person that is not available to the general public.
II. Identity fraud is a class A felony.
III. A person found guilty of violating any provisions of this section shall, in addition to the penalty under paragraph II, be ordered to make restitution for economic loss sustained by a victim as a result of such violation.
638:25 Definitions. – In this subdivision:
I. ""Personal identifying information'' means any name, number, or information that may be used, alone or in conjunction with any other information, to assume the identity of an individual, including any name, address, telephone number, driver's license number, social security number, employer or place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, credit card number, debit card number, personal identification number, account number, or computer password identification.
II. ""Pose'' means to falsely represent oneself, directly or indirectly, as another person or persons.
III. ""Victim'' means any person whose personal identifying information has been unlawfully obtained or recorded or any person or entity that provided money, credit, goods, services, or anything of value and has suffered financial loss as a direct result of the commission or attempted commission of a violation of this subdivision.
Pennsylvannia (14)
18 § 4120
Offense defined.--A person commits the offense of identity theft of another person if he possesses or uses, through any means, identifying information of another person without the consent of that other person to further any unlawful purpose.
Identifying information is defined as “any document, photographic, pictorial or computer image of another person, or any fact used to establish identity, including, but not limited to, a name, birth date, Social Security number, driver's license number, nondriver governmental identification number, telephone number, checking account number, savings account number, student identification number, employee or payroll number or electronic signature.”
South Carolina (30)
§16-13-510. "Financial identity fraud" and "identifying information" defined; penalty and restitution.
(A) It is unlawful for a person to commit the offense of financial identity fraud or identity fraud.
(B) A person is guilty of financial identity fraud when he, without the authorization or permission of another person and with the intent of unlawfully appropriating the financial resources of that person to his own use or the use of a third party knowingly and wilfully:
(1) obtains or records identifying information which would assist in accessing the financial records of the other person; or
(2) accesses or attempts to access the financial resources of the other person through the use of identifying information as defined in subsection (D).
(C) A person is guilty of identity fraud when he uses identifying information, as defined in subsection (D), of another person for the purpose of obtaining employment or avoiding identification by a law enforcement officer, criminal justice agency, or another governmental agency including, but not limited to, law enforcement, detention, and correctional agencies or facilities.
(D) "Personal identifying information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted:
(1) social security number;
(2) driver's license number or state identification card number issued instead of a driver's license;
(3) financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or
(4) other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
(E) A person who violates the provisions of this section is guilty of a felony and, upon conviction, must be fined in the discretion of the court or imprisoned not more than ten years, or both. The court may order restitution to the victim pursuant to the provisions of Section 17-25-322.
Tennessee (24)
§ 39-14-150. Identity theft victims' rights. — a) This section shall be known and may be cited as the “Identity Theft Victims' Rights Act of 2004.” b) A person commits the offense of identity theft who knowingly obtains, possesses, buys, or uses, the personal identifying information of another: (1) With the intent to commit any unlawful act including, but not limited to, obtaining or attempting to obtain credit, goods, services or medical information in the name of such other person; and (2) (A) Without the consent of such other person; or (B) Without the lawful authority to obtain, possess, buy or use that identifying information.
(3) For purposes of the offense of identity theft, an activity involving a possession, use or transfer that is permitted by the Tennessee Financial Records Privacy Act, codified in title 45, chapter 10; Title V of the Gramm-Leach-Bliley Act, Pub. L. No. 106-102; or the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactional Act, (15 U.S.C. § 1681 et seq.) shall not be considered an “unlawful act”. (c) (1) A person commits the offense of identity theft trafficking who knowingly sells, transfers, gives, trades, loans or delivers, or possesses with the intent to sell, transfer, give, trade, loan or deliver, the personal identifying information of another: (A) With the intent that the information be used by someone else to commit any unlawful act including, but not limited to, obtaining or attempting to obtain credit, goods, services or medical information in the name of the other person; or (B) Under circumstances such that the person should have known that the identifying information would be used by someone else to commit any unlawful act including, but not limited to, obtaining or attempting to obtain credit, goods, services or medical information in the name of the other person; and (C) The person does not have the consent of the person who is identified by the information to sell, transfer, give, trade, loan or deliver, or possess with the intent to sell, transfer, give, trade, loan or deliver, that information; and (D) The person does not have lawful authority to sell, transfer, give, trade, loan or deliver, or possess with the intent to sell, transfer, give, loan or deliver, the personal identifying information.
(e) As used in this section, “personal identifying information” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including:
(1) Name, social security number, date of birth, official state or government issued driver license or identification number, alien registration number, passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, routing code or other personal identifying data which enables an individual to obtain merchandise or service or to otherwise financially encumber the legitimate possessor of the identifying data; or
(4) Telecommunication identifying information or access device.
§39-16-301
A person commits the offense of criminal impersonation when he, with intent to injure or defraud another person, assumes a false identity; pretends to be a representative of some person or organization; pretends to be an officer or employee of the government; or pretends to have a handicap or disability. This is a class B misdemeanor, punishable by six months in jail and/or a $500 fine.
Indiana fraud law only covers credit cards and the identity theft law only covers banks. Business accounts such as those that would be opened at Costco are completely ignored. Idaho has some of the longest and most numerous identity theft laws, but they are totally ill-equipped to address business identity theft. Others, like Maryland, are just too brief to be useful while some are too long and specific about the information that must be used (social security number, driver’s license) that they both result in the same problem- they are not flexible enough to include business identity theft.
Our next group is the set I’m most excited about. In Group D, these states show exceptional legislative talent and appear specifically designed to address business identity theft. We already addressed California, whose ranking is number two in the nation for identity theft complaints. They made specific changes to their law to protect businesses and allow them the same rights (such as a police report) in regards to identity theft. Here is a closer examination of similar states, important elements are highlighted in yellow:
Arizona (1)
§13-105. Definitions 29. "Person" means a human being and, as the context requires, an enterprise, a public or private corporation, an unincorporated association, a partnership, a firm, a society, a government, a governmental authority or an individual or entity capable of holding a legal or beneficial interest in property.
§13-2008. Taking identity of another person or entity; knowingly accepting identity of another person; classification
A person commits taking the identity of another person or entity if the person knowingly takes, purchases, manufactures, records, possesses or uses any personal identifying information or entity identifying information of another person or entity, including a real or fictitious person or entity, without the consent of that other person or entity, with the intent to obtain or use the other person's or entity's identity for any unlawful purpose or to cause loss to a person or entity whether or not the person or entity actually suffers any economic loss as a result of the offense, or with the intent to obtain or continue employment.
Colorado (8)
§18-5-902. Identity theft. (1) A person commits identity theft if he or she: (a) Knowingly uses the personal identifying information, financial identifying information, or financial device of another without permission or lawful authority to obtain cash, credit, property, services, or any other thing of value or to make a financial payment; (b) Knowingly possesses the personal identifying information, financial identifying information, or financial device of another without permission or lawful authority, with the intent to use or to aid or permit some other person to use such information or device to obtain cash, credit, property, services, or any other thing of value or to make a financial payment; (c) With the intent to defraud, falsely makes, completes, alters, or utters a written instrument or financial device containing any personal identifying information or financial identifying information of another; (d) Knowingly possesses the personal identifying information or financial identifying information of another without permission or lawful authority to use in applying for or completing an application for a financial device or other extension of credit; (e) Knowingly uses or possesses the personal identifying information of another without permission or lawful authority with the intent to obtain a government-issued document; or (f) Attempts, conspires with another, or solicits another to commit any of the acts set forth in paragraphs (a) to (e) of this subsection (1). (2) Identity theft is a class 4 felony.
Georgia (7)
§16-9-125.
The General Assembly finds that identity fraud involves the use of identifying information which is uniquely personal to the consumer or business victim of that identity fraud and which information is considered to be in the lawful possession of the consumer or business victim wherever the consumer or business victim currently resides or is found. Accordingly, the fraudulent use of that information involves the fraudulent use of information that is, for the purposes of this article, found within the county where the consumer or business victim of the identity fraud resides or is found. Accordingly, in a proceeding under this article, the crime will be considered to have been committed in any county where the person whose means of identification or financial information was appropriated resides or is found, or in any county in which any other part of the offense took place, regardless of whether the defendant was ever actually in such county.
§16-9-121
A person commits the offense of identity fraud when without the authorization or permission of a person with the intent unlawfully to appropriate resources of or cause physical harm to that person, or of any other person, to his or her own use or to the use of a third party he or she:
(1) Obtains or records identifying information of a person which would assist in accessing the resources of that person or any other person; or
(2) Accesses or attempts to access the resources of a person through the use of identifying information.
Article 8: (2) 'Business victim' means any individual or entity that provided money, credit, goods, services, or anything of value to someone other than the intended recipient where the intended recipient has not given permission for the actual recipient to receive it and the individual or entity that provided money, credit, goods, services, or anything of value has suffered financial loss as a direct result of the commission or attempted commission of a violation of this article.
Hawaii (39)
§ 708-839.6-8
(1) A person commits the offense of identity theft in the first degree if that person makes or causes to be made, either directly or indirectly, a transmission of any personal information [of another] by any oral statement, any written statement, or any statement conveyed by any electronic means, with the intent to:
(a) Facilitate the commission of a murder in any degree, a class A felony, kidnapping, unlawful imprisonment in any degree, extortion in any degree, any offense under chapter 134, criminal property damage in the first or second degree, escape in any degree, any offense under part VI of chapter 710, any offense under section 711-1103, or any offense under chapter 842; or
(b) Commit the offense of theft in the first degree [from the person whose personal information is used, or] from any [other] person or entity."
§708-800 ""Personal information" means information associated with [an actual] a real person, alive or dead, other than the person transmitting the information, or a fictitious person that is a name, an address, a telephone number, an electronic mail address, a driver's license number, a social security number, an employer, a place of employment, information related to employment, an employee identification number, a mother's maiden name, an identifying number of a depository account, a bank account number, a password used for accessing information, or any other name, number, or code that is used, alone or in conjunction with other information, to confirm the identity of an actual or a fictitious person."
Main (45)
§905-A. Misuse of identification 1. A person is guilty of misuse of identification if, in order to obtain confidential information, property or services, the person intentionally or knowingly:
A. Presents or uses a credit or debit card that is stolen, forged, canceled or obtained as a result of fraud or deception; [1999, c. 190, §3 (NEW).]
B. Presents or uses an account, credit or billing number that that person is not authorized to use or that was obtained as a result of fraud or deception; or [1999, c. 190, §3 (NEW).]
C. Presents or uses a form of legal identification that that person is not authorized to use. [1999, c. 190, §3 (NEW).][ 1999, c. 190, §3 (NEW) .]
Oklahoma (25)
§21-1515.
Any individual, corporation, or other person, who, with intent to defraud or to aid and abet another to defraud any individual, corporation, or other person, of the lawful charge, in whole or in part, for any telecommunications service, shall avoid or attempt to avoid or shall cause or assist another to avoid or attempt to avoid any such charge for such service:
(a) by charging such service to an existing account, or using such
services from an existing account, telephone number or credit card number without the authority of the subscriber thereto or the legitimate holder thereof; or
(b) by charging such service to a nonexistent, false, fictitious, orcounterfeit account, telephone number or credit card number or to a suspended, terminated, expired, cancelled or revoked telephone number or credit card number; or
(c) by use of a code, prearranged scheme, or other similar strategem or device whereby said person in effect sends or receives information; or
(d) by rearranging, tampering with or making connection with any facilities or equipment of a telephone or other communications company, whether physically, inductively, acoustically, or electrically, or by utilizing such service, having reason to believe that such rearrangement, connection, or tampering existed or occurred;
shall be guilty of a misdemeanor, and shall, upon conviction thereof, be imprisoned not exceeding one (1) year or fined not exceeding One Thousand Dollars ($1,000.00), or both, in the discretion of the court.
Rhode Island (34)
§11-49.1-3. Identity fraud. -- Any person who shall:
(1) Knowingly and without lawful authority produce an identification document or a false identification document; or
(2) Knowingly transfer an identification document or a false identification document knowing that such document was stolen or produced without lawful atuhority; or
(3) Knowingly possess with intent to use unlawfully or transfer unlawfully five (5) or more identification documents (other than those issued lawfully for the use of the possessor) or false identification documents; or
(4) Knowingly possess an identification document (other than one issued lawfully for the use of the possessor) or a false identification document, with the intent such document be used to defraud the United States, the State of Rhode Island , any political subdivision thereof or any public or private entity; or
(5) Knowingly produce, transfer, or possess a document-making implement with the intent such document-making implement will be used in the production of a false identification document or another document-making implement which will be so used; or
(6) Knowingly possess an identification document that is or appears to be an identification document of the United States, the State of Rhode Island or any political subdivision thereof or any public or private entity which is stolen or produced without lawful authority knowing that such document was stolen or produced without such authority; or
(7) Knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitues a violation of federal, state or local law; shall be guilty of a felony and shall be subject to the penalties set forth in section 11-49.1-4.
(2) "Identification document" means a document made or card issued by or under the authority of the United States Government, a state, political subdivision of a state, a foreign government, political subdivision of a foreign government, an international governmental or an international quasi-governmental organization which, when completed with information concerning a particular individual, is of a type intended or commonly accepted for the purpose of identification of individuals;
(3) "Means of identification" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any:
(a) name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(b) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(c) unique electronic identification number, address, or routing code; or
(d) telecommunication identifying information or access device as defined in 18 U.S.C. 1029(e).
Wisconsin (15)
§ 943.203
Unauthorized use of a business’s identifying information.
It is unlawful to use identifying information of a person that is not an individual, such as a business, charity, labor union, or any other organization, without that person’s consent to:
* Obtain credit, money, goods, services, employment, or any other thing of value or benefit.
* Harm the reputation, property, person or estate of the individual.
This law prohibits the unauthorized use of information that can be associated with a person through one or more identifiers and any document, card or plate containing this information, such as:
* Name, address or telephone number.
* Employer identification number.
* Depository account number, credit card number, ATM card password, telephone service identifier, or any other account number, password or electronic identifier that can be used to obtain money, goods, services, an account transfer, or anything else of value or benefit.
Violation of this law is a class H felony including up to 6 years in jail and a $10,000 fine.
If a person reports to its local law enforcement agency that the person’s identity has been stolen in violation of this law, the agency shall prepare a report. If the agency concludes it does not have jurisdiction to prosecute the crime, it shall inform the person which law enforcement agency has jurisdiction.
As you can see, the laws in this area are actually quite impressive. I was amazed to find that the identity theft ranking really didn’t seem to have any correlation in this specific area. Some of the states mentioned here, with exceptionally clear laws addressing business identity theft, rank pretty low in identity theft complaints. Yet- Arizona and California, ranking first and second respectively, certainly fall into this category.
Finally, the last group were four states which I felt the laws were very vague and unclear. I was unable to find court rulings or definitions that clarified if businesses were included in the laws. Two are from the bottom half of the rankings, two from the top half. Much to my surprise, rank here does not seem to make a difference in the even the clarity of these laws.
Utah (31)
§ 76-6-1105. Unlawful possession of another's identification documents.
(1) For purposes of this section "identifying document" means:
(a) a government issued identifying document;
(b) a vehicle registration certificate; or
(c) any other document containing personal identifying information as defined in Subsections § 76-6-1102(1)(d) through (k).
(2) (a) Notwithstanding the provisions of Subsection 76-6-1102(3), a person is guilty of a class A misdemeanor if he:
(i) obtains or possesses an identifying document with knowledge that he is not entitled to obtain or possess the identifying document; or
(ii) assists another person in obtaining or possessing an identifying document with knowledge that the person is not entitled to obtain or possess the identifying document.
(b) A person is guilty of a third degree felony if he:
(i) obtains or possesses multiple identifying documents with knowledge that he is not entitled to obtain or possess the multiple identifying documents; or
(ii) assists another person in obtaining or possessing multiple identifying documents with knowledge that the person is not entitled to obtain or possess the multiple identifying documents.
(c) For purposes of Subsection (2)(b), "multiple identifying documents" means identifying documents of two or more people.
§ 76-6-1102. Identity fraud crime.
(1) As used in this part, "personal identifying information" may include:
(a) name;
(b) birth date;
(c) address;
(d) telephone number;
(e) drivers license number;
(f) Social Security number;
(g) place of employment;
(h) employee identification numbers or other personal identification numbers;
(i) mother's maiden name;
(j) electronic identification numbers;
(k) electronic signatures under Title 46, Chapter 4, Uniform Electronic Transactions Act; or
(l) any other numbers or information that can be used to access a person's financial resources or medical information, except for numbers or information that can be prosecuted as financial transaction card offenses under Sections 76-6-506 through 76-6-506.4.
(2) (a) A person is guilty of identity fraud when that person:
(i) obtains personal identifying information of another person whether that person is alive or deceased; and
(ii) knowingly or intentionally uses, or attempts to use, that information with fraudulent intent, including to obtain, or attempt to obtain, credit, goods, services, employment, any other thing of value, or medical information.
§ 76-6-506. Financial transaction card offenses -- Definitions.
As used in this part:
(1) "Authorized credit card merchant" means a person as defined in Section 68-3-12 who is authorized by an issuer to furnish money, goods, services, or anything else of value upon presentation of a financial transaction card by a card holder and to present valid credit card sales drafts to the issuer for payment.
(2) "Automated banking device" means any machine which, when properly activated by a financial transaction card or a personal identification code, may be used for any of the purposes for which a financial transaction card may be used.
(3) "Card holder" means any person or organization named on the face of a financial transaction card to whom or for whose benefit a financial transaction card is issued.
Vermont (47)
§ 2030. Identity theft
(a) No person shall obtain, produce, possess, use, sell, give, or transfer personal identifying information belonging or pertaining to another person with intent to use the information to commit a misdemeanor or a felony.
(b) No person shall knowingly or recklessly obtain, produce, possess, use, sell, give, or transfer personal identifying information belonging or pertaining to another person without the consent of the other person and knowingly or recklessly facilitating the use of the information by a third person to commit a misdemeanor or a felony.
(c) For the purposes of this section, "personal identifying information" includes name, address, birth date, Social Security number, motor vehicle personal identification number, telephone number, financial services account number, savings account number, checking account number, credit card number, debit card number, picture, identification document or false identification document, electronic identification number, educational record, health care record, financial record, credit record, employment record, e-mail address, computer system password, or mother's maiden name, or similar personal number, record, or information.
(d) This section shall not apply when a person obtains the personal identifying information belonging or pertaining to another person to misrepresent the person's age for the sole purpose of obtaining alcoholic beverages, tobacco, or another privilege denied based on age.
(e) It shall be an affirmative defense to an action brought pursuant to this section, to be proven by a preponderance of the evidence, that the person had the consent of the person to whom the personal identifying information relates or pertains.
(f) A person who violates this section shall be imprisoned for not more than three years or fined not more $5,000.00, or both. A person who is convicted of a second or subsequent violation of this section involving a separate scheme shall be imprisoned for not more than 10 years or fined not more than $10,000.00, or both. (Added 2003, No. 155 (Adj. Sess.), § 4, eff. June 8, 2004.)
Virgina (18)
§ 18.2-186.3. Identity theft; penalty; restitution; victim assistance.
A. It shall be unlawful for any person, without the authorization or permission of the person or persons who are the subjects of the identifying information, with the intent to defraud, for his own use or the use of a third person, to:
1. Obtain, record or access identifying information which is not available to the general public that would assist in accessing financial resources, obtaining identification documents, or obtaining benefits of such other person;
2. Obtain money, credit, loans, goods or services through the use of identifying information of such other person;
3. Obtain identification documents in such other person's name; or
4. Obtain, record or access identifying information while impersonating a law-enforcement officer or an official of the government of the Commonwealth.
B. It shall be unlawful for any person without the authorization or permission of the person who is the subject of the identifying information, with the intent to sell or distribute the information to another to:
1. Fraudulently obtain, record or access identifying information that is not available to the general public that would assist in accessing financial resources, obtaining identification documents, or obtaining benefits of such other person;
2. Obtain money, credit, loans, goods or services through the use of identifying information of such other person;
3. Obtain identification documents in such other person's name; or
4. Obtain, record or access identifying information while impersonating a law-enforcement officer or an official of the Commonwealth.
C. As used in this section, "identifying information" shall include but not be limited to: (i) name; (ii) date of birth; (iii) social security number; (iv) driver's license number; (v) bank account numbers; (vi) credit or debit card numbers; (vii) personal identification numbers (PIN); (viii) electronic identification codes; (ix) automated or electronic signatures; (x) biometric data; (xi) fingerprints; (xii) passwords; or (xiii) any other numbers or information that can be used to access a person's financial resources, obtain identification, act as identification, or obtain money, credit, loans, goods or services.
Wyoming (17)
§ 6-3-901. Unauthorized use of personal identifying information; penalties; restitution.
(a) Every person who willfully obtains personal identifying information of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services or medical information in the name of the other person without the consent of that person is guilty of theft of identity.
(b) As used in this section "personal identifying information," means the name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, tribal identification card number, mother's maiden name, demand deposit account number, savings account number, or credit card number of an individual person.
(c) Theft of identity is:
(i) A misdemeanor punishable by imprisonment for not more than six (6) months, a fine of not more than seven hundred fifty dollars ($750.00), or both, if no economic benefit was gained or was attempted to be gained, or if an economic benefit of less than one thousand dollars ($1,000.00) was gained or was attempted to be gained by the defendant; or
(ii) A felony punishable by imprisonment for not more than ten (10) years, a fine of not more than ten thousand dollars ($10,000.00), or both, if an economic benefit of one thousand dollars ($1,000.00) or more was gained or was attempted to be gained by the defendant.
As you can see, this final group was difficult to categorize. Even after consulting a former attorney and current legal process specialist for a major bank, I was unable to appropriately place them in the other groups. Finally, I created a group just for these four states and attempted to provide all the relevant legislation I could find so that other identity theft risk management specialists may refer to them in hopes of navigating this murky landscape.
Although my theory regarding the number of identity theft complaints and the likelihood of a state to have a specific identity theft law was not spot on; I was pleasantly surprised by the number of states that seemed able to address identity theft because of existing definitions of the word “person”. I also have great hope that by grouping the information together in this format will provide a reference tool for those who are interested in this legislation and reforming it.
The results of the analysis of these groups is incredibly helpful: I composed an excel file containing the applicable links, law summaries, definitions and rankings for reference. As far as I have been able to determine this is the first comprehensive study of its kind, and will hopefully be a resource to allow advocates and investigators better anticipate each state’s legislative challenges and resources when handling this emerging crime.