consumer privacy and identity theft
TRANSCRIPT
-
8/23/2019 Consumer Privacy and Identity Theft
1/161
ThetConsumerandPrivacy
A Summary o
Key Statutes and
Guide or Lawmakers
Caliornia Senate Ofce o Research
2008 Edition
-
8/23/2019 Consumer Privacy and Identity Theft
2/161
-
8/23/2019 Consumer Privacy and Identity Theft
3/161
Saskia Kim
Caliornia Senate Ofce o Research
Agnes Lee, Director n 3rd Edition n January 1, 2008
A Summary o Key Statutes and Guide or LawmakersThet
ConsumerandPrivacy
-
8/23/2019 Consumer Privacy and Identity Theft
4/161
-
8/23/2019 Consumer Privacy and Identity Theft
5/161
Contents
Introduction 7
The Constitution and General Privacy
Overview 11
Constitutional Right to Privacy 12
Constructive Invasion o Privacy 14
Invasion o Privacy: Common Law Tort . 14
Invasion o Privacy: Penal Code 15
Preemption 16
Credit Cards
Overview 21
Activation Process Required or Substitute Credit Cards 21
Change o Address and Credit Card Requests 22
Credit Card or Debit Card Numbers Printed on Receipts 24
Disclosure o Minimum Payment Amount 25
Fraudulent Use o Inormation (Skimming) 26
Preprinted Checks: Disclosures 26
Recording Credit Card Numbers on Checks 27
Recording Personal Inormation on Credit Card
Transaction Forms 27
Verication o Credit Applicants Address 27
Credit Reporting
Overview 33
Credit Reporting 34Investigative Consumer Reporting Agencies 37
Security Alerts 38
Security Freezes 40
-
8/23/2019 Consumer Privacy and Identity Theft
6/161
Data Security
Overview 43
Destruction o Business and Medical Records 44
Notication o Breach in Data Security 46
Personal Inormation: Reasonable Security Procedures 47
Financial Privacy and Related Issues
Overview 51
Account Numbers 52
Debt Collection 52
Financial Privacy . 53
Insurance Inormation and Privacy Protection Act 55
Insurers: Genetic Testing 56
Identity Thet
Overview 59
Crime o Identity Thet 60
Debt Collection Activities 61
Deceptive Identication Documents 61
Department o Justice Identity Thet Victim Database 62
Falsely Obtaining Department o Motor Vehicles Documents 62
Identity Thet Victims Right to Free Credit Reports 63Issuance o a Search Warrant 64
Judicial Determination o Innocence 64
Jurisdiction or Prosecuting Identity Thet Crime 64
Law Enorcement Investigation Required 65
Right to Bring Legal Action Against a Creditor 65
Right to Obtain Records o Fraudulent Transactions
or Accounts 66
Statute o Limitations 67
Youth in Foster Care: Request or Credit Report . 68
Marketing
Overview 71
Aliate Marketing 72
-
8/23/2019 Consumer Privacy and Identity Theft
7/161
Cell Phone Directory: Opt in Required 73
Credit Card Solicitations 73
Direct Marketing: Medical Inormation 73
Disclosure o Alumni Names and Addresses 74Disclosure o Personal Inormation to Direct Marketers 75
Marketing to Children Under 16 Years o Age 75
On-Campus Marketing: Credit Cards 76
Satellite and Cable Television Subscribers 76
Supermarket Club Card Disclosure Act o 1999 77
Telecommunications: Residential Subscriber Inormation 77
Telemarketing: Do Not Call Registry 78
Telephone Consumer Protection Act o 1991 . 79
Unsolicited Commercial E-mail Messages (Spam) 79
Unsolicited Text Messages 81
Medical Privacy
Overview 85
Medical Privacy 86
Oce o HIPAA Implementation 92
Patient Access to Medical Records 92
Retention o Patient Records 93
Online Privacy and Related Issues
Overview 97
Anti-Phishing Act o 2005 98
Childrens Online Privacy Protection Act 98
Computer Spyware 99
Online Privacy Policy 99
Posting Personal Inormation on the Internet 100
State Agency Collection o Personal Inormation
on the Internet 101
Unauthorized Access to Computers, Computer Systems,
and Data 101
-
8/23/2019 Consumer Privacy and Identity Theft
8/161
US SAFE WEB Act 102
Wireless Network Security 102
Public Records
Overview 105
Birth and Death Record Indices 106
Birth and Death Records: Condential Inormation 107
Birth and Death Records: Release o Records 107
Court Records: Personal Inormation o Victims
and Witnesses 108
Court Records: Sealing Inormation Regarding Financial
Assets and Liabilities 108
Department o Motor Vehicles Records 109
Drivers License Inormation: Swiping Licenses 110
Drivers Privacy Protection Act o 1994 110
Inormation Practices Act o 1977 111
Marriage License Inormation 112
Privacy Act o 1974 112
Public Records: Address Condentiality 112
Public Records Act 113
State Agencies: Mailing Personal Inormation 114
State Agencies Privacy Policies 114
State Agency Databases: Researcher Access 115
Voter Inormation 115
Voter Inormation: Outsourcing 117
Social Security Numbers
Overview 121
Condentiality 122County Recorders Records 123
Court Records 124
Drivers Licenses 124
Employee Compensation 125
-
8/23/2019 Consumer Privacy and Identity Theft
9/161
Family Court Records . 125
Franchise Tax Board Liens 125
Local Agencies Records 126
Powers o Attorney 126
Secretary o State Filings . 126
Use by Colleges and Universities 128
Use in Credit Reports 128
Other Key Statutes
Overview 131
Criminal Investigation Inormation 132
Eavesdropping on Condential Communications 132
Electronic Communications Privacy Act o 1986 133
Electronic Surveillance Technology: Rental Cars 133
Electronic Tracking Devices on Vehicles . 134
Identication Devices: Forced Human Implants 134
Oce o Inormation Security and Privacy Protection 134
Personal Inormation: Domestic Violence, Sexual Assault,
and Stalking 135
Personal Inormation: Inmate Access 136
Pretexting 137
Real ID Act o 2005 138
Student Records 141
Taxpayer Inormation 142
Unair Competition Law 142
Vehicle Event Data Recorders 143
Video Image Evidence: Parking Enorcement 143
Video Sale or Rental 144
Index 147
-
8/23/2019 Consumer Privacy and Identity Theft
10/161
-
8/23/2019 Consumer Privacy and Identity Theft
11/161
For the seventh year in a row, identity thet tops the Federal Trade
Commissions list o top 10 consumer complaints The most common orm oreported identity thet is credit card raud, ollowed by phone or utilities raud,
bank raud, and employment raud And among the 50 states, Caliornia ranks
third in identity thet victims per capita, ater Arizona and Nevada
Social security numbers are the most requently used recordkeeping numbers
in the nation, and because they can be used to assume another persons
identity, they are one o the three most sought ater pieces o inormation (in
addition to names and birth dates) by identity thieves
Both the US Supreme Court and Caliornia Supreme Court issued rulings in
2007 that aect consumers (and even state employees in particular, see Public
Records Act on page 113) and their privacy rights Federal agencies also
issued nal rules last year that implement consumer protection statutes
In Caliornia, lawmakers approved measures that, to highlight just a ew,
restrict how social security numbers are displayed in many public records;prohibit the orced human implantation o identication devices that can
transmit personal inormation; and extend the states rst-in-the-nation
breach-notication law, which now requires that a consumer must be notied
i his or her medical inormation has been breached
These and numerous other state and ederal laws are eatured in this years
edition oConsumer Privacy and Identity Thet (Readers are encouraged to
consult the statutory texts or more detail, and please note that all citations to
the Fair Credit Reporting Act include amendments to the act contained in the
Fair and Accurate Credit Transactions Act o 2003 [FACTA])
Consumers will begin to eel the impact o these new state and ederal laws
this year, as many went into eect on January 1, 2008
Introduction
-
8/23/2019 Consumer Privacy and Identity Theft
12/161
-
8/23/2019 Consumer Privacy and Identity Theft
13/161
The Constitution and
General Privacy
-
8/23/2019 Consumer Privacy and Identity Theft
14/161
-
8/23/2019 Consumer Privacy and Identity Theft
15/161
Overview
n Caliornia is one o only ten states whose state constitutions
expressly recognize a right to privacy1 The US Constitution,however, does not contain an explicit right to privacy; the US
Supreme Court has instead held that the ederal constitution
implicitly recognizes an individuals right to privacy with respect
to certain rights For example, the First Amendment saeguards an
individuals reedom o expression and association, and the Fourth
Amendment protects an individual against unreasonable search and
seizure Yet these rights only protect against intrusive governmental
activities Caliornias constitution, on the other hand, has beeninterpreted by the courts to protect against both governmental and
private entities
n In addition to constitutional protections, Caliornia has enacted
statutory provisions saeguarding the general privacy o individuals
For instance, Caliornia law provides or civil liability or the
constructive invasion o privacy and imposes criminal penalties or
certain kinds o privacy invasions, such as unauthorized wiretappingand electronic eavesdropping Caliornia courts have also recognized
the tort o invasion o privacy that allows an injured party to bring
a lawsuit seeking redress The Caliornia Supreme Court recently
considered this issue in a case in which an academic researcher
was alleged to have misrepresented her position to obtain sensitive
personal inormation
n The ability o states to act to protect privacy is also critical Preservingthe states long-standing ability to enact laws relating to consumer
privacy and identity thet has become a signicant issue as Congress
1 National Conerence o State Legislatures,Privacy Protections in State Constitutions, http://www.ncsl.org/
programs/lis/privacy/stateconstpriv03.htm.
The Constitution and General Privacy
-
8/23/2019 Consumer Privacy and Identity Theft
16/161
has increasingly included preemption provisions in proposed ederal
legislation Furthermore, ederal regulatory agenciessuch as the
Oce o the Comptroller o the Currency and the Oce o Thrit
Supervisionhave taken a broadly preemptive view o the powerso ederally chartered nancial institutions that has implicated
some privacy-related issues And both state and ederal courts have
invalidated some state laws on the basis that ederal law preempts
state action in various instances
n To provide a better understanding o the ramework in which state law
operates, this report outlines how specied ederal laws impact state
statutes, although it is important to note that whether a state law ispreempted by ederal law is ultimately an issue decided by the courts2
In some cases, courts have invalidated Caliornia law on the basis o
preemption; these instances are noted in this report In other cases,
although ederal law may contain provisions that arguably preempt
Caliornia law, the courts have yet to rule on the matter As a result,
the extent and practical eect o the particular preemption provision
is not yet known
2 Related to this point, the Caliornia Constitution prohibits state administrative agencies rom declaring a statute
unenorceable or reusing to enorce a statute on the basis that it is preempted by ederal law or ederal
regulations unless an appellate court makes a determination that the statute is preempted by ederal law or
regulations. [Caliornia Constitution, Article I, Section 3.5.]
Constitutional Right to PrivacyCalifornia Law
State law species in the Caliornia Constitution that all people have an
inalienable right to pursue and obtain privacy [Caliornia Constitution,
Article I, Section 1] The right o privacy was added to the constitution
by initiative (Proposition 11) in November 1972
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
17/161
Caliornias constitution gives Caliornians greater privacy protections than
those recognized by the US Constitution For example, whereas ederal
protections apply only to government action, Caliornias right to privacy
protects individuals rom actions by both the government and private entities
[See, eg, American Academy o Pediatrics v. Lungren(1997) 16 Cal 4th 307,
326, citing Hill v. National Collegiate Athletic Association(1994) 7 Cal 4th 1,
15-20]
The Caliornia Supreme Court has held that the Caliornia Constitution in and
o itsel creates a legal and enorceable right o privacy or every Caliornian
[White v. Davis(1975) 13 Cal 3d 757, 775] To successully assert a claim or
invasion o ones constitutional right to privacy, a plainti must establish
the ollowing three elements: (1) a legally protected privacy interest, (2) areasonable expectation o privacy in the circumstances, and (3) conduct by the
deendant that constitutes a serious invasion o privacy [Hill, 7 Cal 4th at 39-40;
Pioneer Electronics (USA), Inc. v. Superior Court(2007) 40 Cal 4th 360]
I a plainti establishes these three elements, the deendant may prove that the
invasion o privacy is justied because it urthers legitimate and important
competing interests [Hill, 7 Cal 4th at 38] In Hill, the Caliornia Supreme Court
explained this balancing test: Invasion o a privacy interest is not a violationo the state constitutional right to privacy i the invasion is justied by a
competing interest [Id]
Federal Law
Federal law does not contain an express right to privacy in the US
Constitution Instead, the US Supreme Court has recognized an individuals
right to privacy implicit in the constitution with respect to certain rights For
example, the Court has recognized First Amendment saeguards or reedom
o expression and association and Fourth Amendment protections against
unreasonable search and seizure [See, eg, Griswold v. Connecticut(1965)
381 US 479; Katz v. United States(1967) 389 US 347] The Court has also
recognized a limited constitutional right to inormational privacy [Whalen
The Constitution and General Privacy
-
8/23/2019 Consumer Privacy and Identity Theft
18/161
v. Roe(1977) 429 US 589] In these cases, individuals are protected against
intrusive governmental activities
Constructive Invasiono PrivacyCalifornia Law
State law provides civil liability or the constructive invasion o privacy when a
deendant attempts to capture, in a manner oensive to a reasonable person,
any type o visual image, sound recording, or other physical impression o an
individual engaging in a personal or amilial activity The individual must have
had a reasonable expectation o privacy in the circumstances, and the image,
recording, or impression must have been obtained through a visual or auditory
enhancing device and could not have been obtained without a trespass unless
the device was used [Caliornia Civil Code Section 17088(b)]
Invasion o Privacy:Common Law TortCalifornia Law
State law provides civil liability or invasion o privacy under the common
law While ull treatment o this common law tort is beyond the scope o this
overview, our types o activities are considered an invasion o privacy, giving
rise to civil liability:
1 Intrusion upon the plaintis seclusion or solitude or into his or her private
aairs;2 Public disclosure o private acts about the plainti;
3 Publicity that places the plainti in a alse light in the public eye; and
4 Misappropriation, or the deendants advantage, o a persons name or
likeness [William L Prosser, Privacy, 48 Cal L Rev 383, 389 (1960) See
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
19/161
also, Restatement (Second) o Torts, Sections 652A-652E and 5 Witkin,
Summary o Cal Law Torts (10th ed) Torts, Section 651]
However, not every kind o conduct appearing to all within one o the our
categories noted above gives rise to a common law cause o action or invasiono privacy Instead, courts generally consider whether the conduct in question
is highly oensive to a reasonable person, considering, among other
things, the degree o the intrusion, the context, conduct and circumstances
surrounding the intrusion, as well as the intruders motives and objectives,
the setting into which he [or she] intrudes, and the expectations o those
whose privacy is invaded [Hill, 7 Cal 4th at 25-26, citing Miller v. National
Broadcasting Co. (1986) 187 Cal App 3d 1463, 1483-1484]
An injured plainti may recover damages or an invasion o privacy violation
[Metter v. Los Angeles Examiner(1939) 35 Cal App 2d 304, 310]
In February 2007 the Caliornia Supreme Court considered an invasion
o privacy case in which an academic researcher was alleged to have
misrepresented her position to obtain sensitive personal inormation In this
case, the court held that the researcher could be held liable in an invasion-o-
privacy lawsuit or improperly intruding into private matters but dismissed theplaintis other privacy-related claims [Taus v. Lotus(2007) 40 Cal 4th 683]
Invasion o Privacy:Penal CodeCalifornia Law
State law prohibits the invasion o privacy with the intent to protect
Caliornians right to privacy [Caliornia Penal Code Section 630 et seq]
Among other things, these statutes contain criminal penalties or unauthorized
wiretapping, electronic eavesdropping, intercepting cellular telephone
communications, and electronic tracking o individuals, except as specied
The Constitution and General Privacy
-
8/23/2019 Consumer Privacy and Identity Theft
20/161
6
PreemptionFederal Law
The doctrine o ederal preemption provides that congressional action
pursuant to an enumerated, or specic, power may override state laws There
are three tests the courts reer to when deciding whether ederal regulation
preempts state law: (1) express preemption, in which Congress, through
explicit statutory language, restricts the ability o states and localities to
legislate in specic areas, (2) eld preemption, in which Congress occupies
the eld, and (3) confict preemption, in which it is impossible or an entity
to comply with both state and ederal law at the same time or where state law
stands as an obstacle to the congressional purpose o the ederal law [Gade v.National Solid Waste Management Association(1992) 505 US 88, 98]
Even where preemption is ound, the court must still determine the precise
extent o the preemption There has been heightened interest in the issue o
preemption in general, as Congress has increasingly included preemption
provisions in proposed ederal legislation, and ederal regulatory agencies
have also increasingly taken a broad view o the powers o ederally chartered
nancial institutions
For example, the Fair Credit Reporting Act (FCRA) preempts state action
in certain matters On this point it is important to note that the preemption
language included in FCRA, as amended by the Fair and Accurate Credit
Transactions Act o 2003 (FACTA), varies depending on the specic FCRA
provision, as FACTA introduced a dierent, and arguably narrower, orm o
preemption Some preemption provisions, or instance, arguably appear quite
narrow, only precluding states rom enacting requirements with respect to the
conduct required by specic provisions o FCRA [Fair Credit Reporting Act
Section 625(b)(5), 15 USC 1681t]
In other cases, states are preempted rom enacting any requirement or
prohibition with respect to any subject matter regulated under a specied
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
21/161
provision [Fair Credit Reporting Act Section 625(b)(1), 15 USC 1681t] While
the conduct required preemption standard appears to be narrower than the
subject matter regulated standard, it is important to note that the scope o
these preemption provisions has not yet been tested in court
Increasingly, some ederal regulatory agencies have also taken a broad
view o the powers o the ederally chartered entities they regulate, which
has implicated some privacy-related issues3 For example, the Oce o
the Comptroller o the Currency, which regulates national banks under the
National Bank Act (12 USC 21 et seq), issued a nal rule in 2004 identiying
the types o state laws that are preempted with respect to ederally chartered
banks and their operating subsidiaries4 The rule provides that, except where
made applicable by ederal law, state laws that obstruct, impair, or condition
a national banks ability to ully exercise its lending or deposit-taking powers
are preempted Under the rule, a state law does not apply to a national bank i
the law obstructs, impairs, or conditions the banks ability to ully exercise its
powers to conduct ederally authorized activities [12 CFR Parts 7 and 34]
The nal rule issued by the Oce o the Comptroller o the Currency also
identies those state laws that are not preempted with respect to a national
banks deposit-taking, lending, or other powers granted to it by ederal law
These include state laws regarding contracts, rights to collect debt, torts, and
property transers to the extent that they only incidentally aect the exercise
o a national banks power in the area The Oce o the Comptroller o the
Currency retains the ability to determine whether a particular state law is
preempted (and thereore does not apply to a national bank or its operating
subsidiaries) on a case-by-case basis [12 CFR Parts 7 and 34]
3 Federal regulations within the power o the issuing agency may preempt state law; the U.S. Supreme Court
has stated that ederal regulations have no less pre-emptive eect than ederal statutes. [Fid. Fed. Sav. &
Loan Assn v. de la Cuesta(1982) 458 U.S. 141, 153.] The Court also noted: Pre-emption may result not onlyrom action taken by Congress itsel; a ederal agency acting within the scope o its congressionally delegated
authority may pre-empt state regulation. [La. Public Serv. Com v. FCC (1986) 476 U.S. 355, 369.]4 In April 2007 the U.S. Supreme Court held that state laws do not apply to a national banks mortgage lending
activities, whether those activities are conducted by the bank itsel or the banks operating subsidiary. [Watters
v. WachoviaBank, N.A. (2007) 127 S. Ct. 1559, 1564.] Instead, national banks and their operating subsidiaries
such as mortgage companies that operate as subsidiaries o national banksare subject to exclusive regulation
by the Oce o the Comptroller o the Currency and not to the licensing, reporting, and visitorial regime o
the state in which the subsidiary operates. [Id. at 1564-1565.] The Court noted that certain state laws that do
not confict with the purpose o the National Bank Act are applicable to national banks. These include state laws
regarding usury, contracts made by national banks, and acquisition and transer o property by national banks.
[Id. at 1567.]
The Constitution and General Privacy
-
8/23/2019 Consumer Privacy and Identity Theft
22/161
8
The Oce o Thrit Supervision, which regulates ederal savings associations
under the Home Owners Loan Act o 1933 (12 USC 1461 et seq), has also
promulgated regulations that preempt state law purporting to address the
subject o the operations o a Federal savings association [12 CFR Part
5452] Regulations issued by the Oce o Thrit Supervision urther state thatthe oce occupies the entire eld o lending regulation or ederal savings
associations [12 CFR Part 5602]
The regulations issued by the Oce o the Comptroller o the Currency and the
Oce o Thrit Supervision have both been interpreted to preempt Caliornia
Civil Code Section 174813, which requires credit card issuers to include
a warning statement and other specied inormation regarding minimum
payments in billing statements provided to cardholders [American Bankers
Association v. Lockyer(2002) 239 F Supp 2d 1000]
None o the above-described regulations are directed specically to a states
ability to enact laws protecting consumer privacy or addressing identity thet
issues, nor do the regulations appear grounded in hostility toward the states
interest in these areas Instead, they deal more generally with the powers
o a ederally chartered institution The regulations may, however, have a
preemptive eect i state laws regarding consumer privacy or identity thet are
ound to interere improperly with the operations o the ederally chartered
institutions regulated by these agencies
Other ederal agencies also take an active role in consumer privacy and identity
thet protections For example, the Federal Trade Commission (FTC) is charged
with preventing unair methods o competition and unair or deceptive acts or
practices in interstate commerce [15 USC 45 et seq] Several other statutes
also orm the basis or the FTCs authority in protecting consumers, including
the GrammLeachBliley Act (15 USC 6801 et seq), Fair Credit Reporting Act(15 USC 1681 et seq), and Childrens Online Privacy Protection Act (15 USC
6501 et seq)
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
23/161
Credit Cards
-
8/23/2019 Consumer Privacy and Identity Theft
24/161
-
8/23/2019 Consumer Privacy and Identity Theft
25/161
Activation Process Requiredor Substitute Credit CardsCalifornia Law
Under state law, a credit card issuer may not issue a substitute credit card
unless the cardholder is required to contact the issuer to activate the credit
card beore using it [Caliornia Civil Code Section 174705]
Overview
nBoth state and ederal law regulate credit cards In 2003, or example,
Congress passed the Fair and Accurate Credit Transactions Act
(FACTA), which amended the Fair Credit Reporting Act (FCRA) FACTA
contains provisions relating to requirements that a credit card issuer
must meet when responding to a request or a change o address
And ederal agencies recently issued a nal rule implementing these
requirements Caliornia law also contains similar provisions
nWhile both FACTA and FCRA contain provisions preempting state
action, the specic preemption language varies and, in several cases,
ederal regulations are necessary beore ederal law may be ully
implemented Furthermore, whether or not these provisions preempt
state law has yet to be tested in court As a result, the exact reach o
FACTA and FCRA preemption is not yet known
Credit Cards
-
8/23/2019 Consumer Privacy and Identity Theft
26/161
Change o Address and CreditCard Requests
California LawState law requires a credit card issuerwhen the issuer receives a change-o-
address request rom a cardholder as well as a replacement credit card request
within 60 daysto send a change-o-address notice to the cardholder at his or
her previous address This notice must be sent within 30 days in other specied
instances [Caliornia Civil Code Section 17991b(a)]
The notice may be given by telephone or e-mail communication i the credit
card issuer reasonably believes it has the current telephone number or e-mail
address o the cardholder who requested the address change I the notication
is provided in writing, however, it may not include the cardholders account
number, social security number, or other personal identiying inormation
although it may contain the cardholders name, previous address, and new
address o record [Caliornia Civil Code Section 17991b(c)]
When a credit card issuer receives a request to change a cardholders billing
address and a request or an additional credit card within 10 days, the issuing
company is prohibited rom activating the card or mailing a new card until it
has veried the address change [Caliornia Civil Code Section 174706(c)]
Federal Law
The ederal Fair Credit Reporting Act (FCRA), as amended by the Fair and
Accurate Credit Transactions Act o 2003 (FACTA), required the Federal Trade
Commission, National Credit Union Administration, and specied nancial-
institution agencies to issue regulations on this matter [Fair Credit Reporting
Act Section 615(e), 15 USC 1681m] In July 2006 the agencies issued
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
27/161
proposed regulations and a nal rule was issued in October 20075 The nal
rule is eective January 1, 2008, and covered nancial institutions and other
entities must be in compliance by November 1, 2008
The nal rule includes Red Flag regulations, which are intended to identiypatterns, practices, and specic orms o activity that indicate the possible
existence o identity thet
The nal rule requires specied nancial institutions and creditors to
implement a written Identity Thet Prevention Program, which must contain
policies and procedures to detect, prevent, and mitigate identity thet related
to the opening o an account or any existing account These policies and
procedures must: (1) identiy relevant Red Flags and incorporate them into the
program, (2) detect Red Flags that have been incorporated into the program,
(3) respond appropriately to any Red Flags that are detected to prevent and
mitigate identity thet, and (4) ensure the program is updated periodically to
refect changes in identity thet risks
Under the nal rule, i a credit card or debit card issuer receives notication
o an address change or an existing account and receives a request or an
additional or a replacement card or the same account within at least 30
days ater the change-o-address notication is received, the card issuer maynot issue the replacement or the additional card until the issuer noties the
cardholder or has otherwise assessed the validity o the change o address
in accordance with the policies and procedures established under its Identity
Thet Prevention Program
Any written or electronic notication given by the card issuer pursuant to
these requirements must be clear and conspicuous and provided separately
rom other regular correspondence with the cardholder And a card issuer
must provide a cardholder with a reasonable means or promptly reporting
incorrect address changes when the issuer noties the cardholder o the
request or an additional or replacement card
5 Identity Thet Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act o 2003,
12 C.F.R. Part 41, 12 C.F.R. Part 222, 12 C.F.R. Parts 334 and 364, 12 C.F.R. Part 571, 12 C.F.R. Part 717, and 16
C.F.R. Part 681 (2007).
Credit Cards
-
8/23/2019 Consumer Privacy and Identity Theft
28/161
Congress preempted states rom enacting any requirement or prohibition
with respect to the conduct required by these specic provisions [Fair Credit
Reporting Act Section 625(b)(5)(F)] This provision thereore preempts state
laws only to the extent o the conduct required The scope o this preemption
language as applied to the nal rule has yet to be tested in court As a result,
the extent and practical eect o the preemption provision is not yet known
Credit Card or Debit CardNumbers Printed on ReceiptsCalifornia Law
Under state law, any person who accepts credit cards or debit cards or
payment may not print more than the last ve digits o the credit card or
debit card account number or the expiration date on a receipt provided to
the cardholder The prohibition applies only to electronically printed receipts
and does not apply to transactions in which the sole means o recording the
persons credit card number is by handwriting or an imprint or copy o the
card Beginning January 1, 2009, these restrictions are extended to any receipt
retained by the business as well [Caliornia Civil Code Section 174709]
Federal Law
Federal law contains a similar provision under the Fair Credit Reporting Act
(FCRA), as amended by the Fair and Accurate Credit Transactions Act o 2003
(FACTA) Specically, ederal law requires businesses to truncate credit card
and debit card numbers on electronic receipts issued at the point o sale Like
Caliornia law, FCRA prohibits the printing o more than the last ve digits
o the card number or expiration date on receipts provided to the cardholderThe ederal law also applies only to electronically printed receipts and does
not apply to transactions in which the sole means o recording the number
is by handwriting or an imprint or copy o the card [Fair Credit Reporting Act
Section 605(g), 15 USC 1681c(g)]
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
29/161
FCRA preempts state law requirements on this issue with respect to the
conduct required by the provision [Fair Credit Reporting Act Section
625(b)(5)(A), 15 USC 1681t]
Disclosure o MinimumPayment AmountCalifornia Law
While this state law is no longer enorceable, as described below, credit card
issuers were required to include a warning statement and other specied
inormation regarding minimum payments in billing statements provided to
cardholders [Caliornia Civil Code Section 174813] The warning statement
must say: Minimum Payment Warning: Making only the minimum payment
will increase the interest you pay and the time it takes to repay your balance
[Caliornia Civil Code Section 174813(a)(1)] The statute also requires credit
card issuers to provide inormation in billing statements regarding the length
o time it will take to pay o various balances i a cardholder pays only the
minimum amount [Caliornia Civil Code Section 174813(a)(2)]
These provisions were challenged by the American Bankers Association and
various banks on the basis that they were preempted by ederal banking laws
In American Bankers Association v. Lockyer, the trial court held that Caliornias
law was preempted in its entirety with respect to ederally chartered savings
and loans by the Home Owners Loan Act and related regulations issued by the
Oce o Thrit Supervision
As applied to national banks and ederal credit unions, the court ound that
mostbut not allo Caliornias law was preempted by the National Bank
Act, Federal Credit Union Act, and related regulations Specically, the
court ound that the minimum payment warning itsel [Caliornia Civil Code
Section 174813(a)(1)] was likely not preempted because it did not impose a
signicant burden on credit card issuers (any burden imposed was likely to be
de minimus)
Credit Cards
-
8/23/2019 Consumer Privacy and Identity Theft
30/161
6
However, the court could not sever this provision so that it applied only to
national banks and ederal credit unions and not to ederally chartered savings
and loans regulated under the Home Owners Loan Act and Oce o Thrit
Supervision The court also ound that severing this provision would, in
eect, require it to rewrite the statute, thereby impermissibly intruding ona legislative unction As a result, the court held that the statute in its entirety
could not be enorced against ederally chartered credit card issuers [American
Bankers Association v. Lockyer(2002) 239 F Supp 2d 1000] Pursuant to
stipulation, the court later ordered that the statute also would not be enorced
against nonederally chartered credit card issuers [American Bankers
Association v. Lockyer(2003) 2003 US Dist LEXIS 4320]
Fraudulent Use o Inormation(Skimming)California Law
State law provides that any person who intends to deraud and knowingly and
willully uses a scanning device to access, read, obtain, memorize, or store
inormation encoded on the magnetic strip o a credit card, debit card, or other
payment card is guilty o a misdemeanor [Caliornia Penal Code Section 5026(a)]
Preprinted Checks: DisclosuresCalifornia Law
State law requires a credit card issuer who extends credit to a cardholder using
a preprinted check to disclose that the cardholders account will be charged i
the check is used; in addition, the issuer must indicate the annual percentage
rate and the nance charges that will be incurred and whether the nancecharges will be triggered immediately upon using the check [Caliornia Civil
Code Section 17489] In Rose v. Chase Manhattan Bank USA, N.A., the trial
court held that this provision was preempted by the ederal National Bank Act
(12 USC 21 et seq) and as a result cannot be enorced against national banks
[Rose v. Chase Manhattan Bank USA, N.A. (2005) 396 FSupp 2d 1116]
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
31/161
Recording Credit CardNumbers on Checks
California LawState law prohibits retailers, when a consumer pays or goods or services by
check, rom: (1) requiring the consumer to provide a credit card as a condition
o accepting the check, or (2) recording the credit cards number [Caliornia
Civil Code Section 1725]
Recording Personal
Inormation on Credit CardTransaction FormsCalifornia Law
Under state law, any person who accepts a credit card or payment may not
record the consumers personal identication inormation on the credit card
transaction orm, except as specied [Caliornia Civil Code Section 174708]
Verifcation o CreditApplicants Address
California Law
State law requires a credit card issuer who mails a credit card solicitation and,
in response, receives a completed credit card application that lists an address
dierent rom the one on the solicitation, to veriy the change o address bycontacting the person to whom the solicitation was mailed [Caliornia Civil
Code Section 174706(a)]
Under Caliornias Consumer Credit Reporting Agencies Act, any person who
uses a consumer credit report to extend credit must take reasonable steps to
Credit Cards
-
8/23/2019 Consumer Privacy and Identity Theft
32/161
8
6 Identity Thet Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act o 2003,
12 C.F.R. Part 41, 12 C.F.R. Part 222, 12 C.F.R. Parts 334 and 364, 12 C.F.R. Part 571, 12 C.F.R. Part 717, and 16
C.F.R. Part 681 (2007).
Consumer Privacy and Identity Thet
veriy the accuracy o the consumers personal inormation i the rst and last
name, address, or social security number provided on the credit application
does not match, within a reasonable degree o certainty, the inormation listed
on the credit report [Caliornia Civil Code Section 1785203(a)]
Federal Law
Federal law contains related provisions under the ederal Fair Credit Reporting
Act (FCRA) Under FCRA, as amended by the Fair and Accurate Credit
Transactions Act o 2003 (FACTA), nationwide consumer reporting agencies
are required to notiy the requester o a credit report when the consumers
address contained in the request diers substantially rom the addresses in the
consumers le [Fair Credit Reporting Act Section 605(h), 15 USC 1681c]
FACTA required the Federal Trade Commission, National Credit Union
Administration, and specied nancial-institution agencies to issue regulations
providing guidance on reasonable policies and procedures a user o credit
reports should employ when the user receives a notice o an address
discrepancy In July 2006 the agencies issued proposed regulations and a nal
rule was adopted in October 20076 The nal rule is eective January 1, 2008,
and covered nancial institutions and other entities must be in compliance byNovember 1, 2008
The nal rule requires a credit report user to develop and implement
reasonable policies and procedures designed to enable the userwhen
a notice o an address discrepancy has been received by the userto orm
a reasonable belie that a consumer report relates to the consumer in question
The rule provides examples o reasonable policies and procedures, such as
-
8/23/2019 Consumer Privacy and Identity Theft
33/161
9
comparing inormation contained in the report with inormation the user has
obtained and used to veriy the consumers identity in accordance with the
requirements o the Customer Identication Program (CIP) rules pursuant to
the USA PATRIOT Act [31 USC 5318(l)]
Although many FCRA provisions preempt the states only with respect to the
conduct required by specic provisions o the act, the preemption standard
or this provision is somewhat dierent: specically, states are preempted rom
imposing any requirement or prohibition with respect to any subject matter
regulated by FCRAs Section 605 regarding inormation contained in consumer
reports State laws in eect on September 30, 1996, are exempt [Fair Credit
Reporting Act Section 625(b)(1)(E), 15 USC 1681t]
Although the subject matter regulated standard would appear to be a
preemption standard with broader reach than the conduct required standard,
whether it preempts the above-described state law regarding verication o a
credit applicants address is ultimately a matter to be decided by the courts
At this time, the extent o this preemption provision has not yet been tested
in a court o law, thereore the preemptive eect o this FCRA provision is not
yet known
Credit Cards
-
8/23/2019 Consumer Privacy and Identity Theft
34/161
-
8/23/2019 Consumer Privacy and Identity Theft
35/161
Credit Reporting
-
8/23/2019 Consumer Privacy and Identity Theft
36/161
-
8/23/2019 Consumer Privacy and Identity Theft
37/161
Overview
nA credit report is a credit history about a particular consumer and
contains a great deal o inormation, including annual income;
outstanding debt; bill-paying history; the number, types, and age o
the accounts; current and previous addresses; social security number;
date o birth; telephone number; and, in some cases, employment
history, bankruptcies, oreclosures, and tax liens
nCredit reports are compiled by credit reporting agencies with
inormation rom various sources, such as utility or telephone
companies, banks, and companies that have granted credit to the
consumer There are dierent types o credit reporting agencies:
nationwide credit bureaus, such as Equiax, Experian, and TransUnion,
and specialty consumer reporting agencies, which compile reports
about consumers medical conditions, residential or tenant history,
check-writing history, employment history, and insurance claims The
companies sell the inormation contained in these reports to creditors,
insurers, employers, landlords, and other businesses with a legitimate
business need, as specied7 Credit reports are used by these entities
to evaluate a consumers application or credit, insurance, employment,
or a lease8
nA credit report can play an important role in determining whether
a consumer is able to obtain credit, secure employment, rent an
apartment, or acquire insurance As a result, both state and ederal
law regulate credit reporting agencies
nCredit reports also help guard against identity thet because they
oer consumers a way to monitor their credit histories and look or
7 See Fair Credit Reporting Act, 15 U.S.C. 1681b, or additional discussion.8 See Federal Trade Commission, Building a Better Credit Report, June 2006, http://www.tc.gov/
bcp/edu/pubs/consumer/credit/cre03.pd, and Privacy Rights Clearinghouse, How Private is My Credit Report?
October 2006, http://www.privacyrights.org/s/s6-crdt.htm.
Credit Reporting
-
8/23/2019 Consumer Privacy and Identity Theft
38/161
potentially raudulent accounts Accordingly, both state and ederal
law provide consumers with access to their credit reports Most
recently, the Fair and Accurate Credit Transactions Act o 2003 (FACTA)
gave consumers the right to obtain one ree credit report rom each
nationwide credit reporting agency every year
nCaliornia was the rst state to give consumers the right to place a
security reeze on their credit reports, which blocks access to their
personal credit inormation This provision helps prevent identity thet
because credit cannot be extended without the consumers permission
Consumer Privacy and Identity Thet
Credit ReportingCalifornia Law
Caliornias Consumer Credit Reporting Agencies Act, the states counterpart
to the ederal Fair Credit Reporting Act (FCRA), regulates consumer credit
reporting agencies [Caliornia Civil Code Section 17851 et seq] Among other
things, the statute requires every consumer credit reporting agency to allow
a consumer, upon request and with proper identication, to visually inspect
all les pertaining to him or her that the agency maintains at the time o the
request The agency must identiy recipients who obtained the consumers
credit report within specied time periods, and disclose a record o all inquiries
within the preceding 12 months that identied the consumer in connection with
a credit transaction not initiated by the consumer [Caliornia Civil Code Section
178510]
A consumer may request that his or her name and address be excluded
rom any list provided by a credit reporting agency or rm oers o credit
[Caliornia Civil Code Section 178511(d)(1)] Similarly, a consumer may
also request that his or her name and address be removed rom lists that a
consumer credit reporting agency urnishes or credit card solicitations, and
-
8/23/2019 Consumer Privacy and Identity Theft
39/161
this direction must be honored or a minimum o two years [Caliornia Civil
Code Section 1785118]
Existing state law also permits consumers to dispute inaccurate inormation
and requires a consumer credit reporting agency to reinvestigate disputed
inormation without charge [Caliornia Civil Code Section 178516]
A consumer credit reporting agency must delete rom a consumers credit
report all inquiries that the agency has veried were the result o identity
thet [Caliornia Civil Code Section 1785161] I a consumer submits a copy
o a valid police report or investigative report rom the Department o Motor
Vehicles, the agency must block inormation appearing on the consumer credit
report that is a result o identity thet [Caliornia Civil Code Section 178516(k)]
Caliornia law also places requirements on users o consumer credit reports:
any person who uses a consumer credit report to extend credit must take
reasonable steps to veriy the accuracy o the consumers personal inormation
i the rst and last name, address, or social security number provided on the
credit application does not match, within a reasonable degree o certainty,
the inormation listed on the credit report [Caliornia Civil Code Section
1785203(a)]
I the user o the consumer credit report has been notied that the applicant
has been a victim o identity thet, he or she may not lend money or extend
credit without taking reasonable steps to veriy the consumers identity and
conrm that the application is not the result o identity thet [Caliornia Civil
Code Section 1785203(b)]
Federal Law
The ederal Fair Credit Reporting Act (FCRA) provides consumers with one ree
credit report rom each nationwide consumer reporting agency in a 12-month
period, upon request [Fair Credit Reporting Act Section 612(a),15 USC 1681j,
Credit Reporting
-
8/23/2019 Consumer Privacy and Identity Theft
40/161
6
as amended by the Fair and Accurate Credit Transactions Act o 2003 (FACTA),
Pub L 108-159, 117 Stat 1952]
Except as specied, ederal law requires a consumer reporting agency to
clearly and accurately disclose to a consumer:
1 All inormation in his or her le at the time o the request;
2 The sources o the inormation;
3 Identication o each person who obtained a consumer report during the
previous two years i the report was procured or employment purposes,
or the previous year i procured or any other purpose;
4 The dates, original payees, and amounts o any checks upon which an
adverse characterization o the consumer is based;
5 A record o all inquiries received by the credit reporting agency during the
preceding one-year period in which the consumer was identied with a
credit or insurance transaction that he or she did not initiate; and
6 A notice that the consumer also may request his or her credit score, i the
consumer originally only requested a copy o his or her credit le .
[Fair Credit Reporting Act Section 609(a), 15 USC 1681g]
Generally, a consumer is entitled to a notice when a company takes an adverse
action against the consumer, based on inormation contained in his or her
credit report [Fair Credit Reporting Act Section 615, 15 USC 1681m(a)] A
recent US Supreme Court decision sought to clariy this notice requirement
In Saeco Insurance Co. o America v. Burr; Geico General Insurance Co. v.
Edo, (2007) 127 S Ct 2201, the Court held that a consumers credit report
must have been a necessary condition or the higher rate oered (the adverse
action) Furthermore, the Court permitted a rst-time applicant or credit or
insurance to sue a company under the FCRA when the company must send the
consumer an adverse action notice and does not do so The Court also ruledthat companies may be held liable or willul violations o the FCRA when they
recklessly disregard the law
The FACTA amendments to FCRA permit a consumer to dispute inaccurate
inormation directly with the entity that urnished the inormation to the
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
41/161
consumer reporting agency; it also requires the entity to investigate the
disputed inormation in some circumstances [Fair Credit Reporting Act
Section 623(a)(8),15 USC 1681s-2]
I an entity determines that it provided inaccurate or incomplete inormation to
a consumer reporting agency, it must promptly notiy the agency and provide
accurate and complete inormation The entity also is required to notiy all
consumer reporting agencies that received the inormation o the correction
[Fair Credit Reporting Act Section 623(a)(2), 15 USC 1681s-2]
Federal law requires that, i the consumers le contains inormation
that resulted rom an alleged identity thet and the consumer provides
documentation supporting this claim, the consumer reporting agency isrequired to block the reporting o that inormation within our business days
and notiy the entity that supplied the inormation related to the identity thet,
as specied [Fair Credit Reporting Act Section 605B, 15 USC 1681c-2]
Additional signicant provisions o FCRA, as amended by FACTA, are described
in other summaries throughout this report
Investigative ConsumerReporting AgenciesCalifornia Law
State law regulates investigative consumer reporting agencies [Caliornia
Civil Code Section 1786 et seq] These agencies are dened as any person,
corporation, or other entity that collects, reports, or transmits inormation
concerning consumers or the purpose o providing investigative consumer
reports to third parties, as specied [Caliornia Civil Code Section 17862]
Investigative consumer reports may be given only to third parties the agency
believes is using the inormation or (1) employment purposes, (2) determining
Credit Reporting
-
8/23/2019 Consumer Privacy and Identity Theft
42/161
8
a consumers eligibility or insurance, (3) leasing a residential unit, or (4) other
specied reasons [Caliornia Civil Code Section 178612]
Security AlertsCalifornia LawUnder state law, consumers may place a security alert on their credit reports
noting that their identity may have been used without consent to raudulently
obtain goods or services in the consumers names A consumer credit reporting
agency must place a security alert on the consumers credit reports within
ve business days ater receiving a request The agency must also notiy each
person who requests the credit inormation about the existence o the alert
The alert remains in place or at least 90 days, and consumers may renew the
alert Any person who uses the consumers credit report to approve credit and
who receives notice o the security alert may not lend money, extend credit, or
complete the purchase, lease, or rental o goods or services without rst taking
reasonable steps to veriy a consumers identity to ensure that the application is
not the result o identity thet [Caliornia Civil Code Section 1785111] See the
ederal discussion on page 39 or details on the possible preemptive eect o
FCRA
Federal Law
Federal law contains related provisions under the Fair Credit Reporting Act
(FCRA), as amended by the Fair and Accurate Credit Transactions Act o 2003
(FACTA), regarding nationwide consumer reporting agencies These provisions
permit a consumer to place one o three kinds o alerts on their credit les
maintained by nationwide agencies: (1) a raud alert, (2) an extended raud alert,
or (3) an active-duty alert The three alerts dier by what is required to initiate
them, the length o time they are imposed, and the limits that are imposed on
those who use a consumers report However, the consumer reporting agency
that receives any one o the three alerts must orward the pertinent inormation
to the other nationwide consumer reporting agencies This requirement allows
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
43/161
9
consumers to place an alert on their les with a call to only one nationwide credit
reporting agency [Fair Credit Reporting Act Section 605A, 15 USC 1681c-1]
A ederal raud alert lasts or 90 days, and consumers may place one on their
credit le i they suspect they areor are about to becomea victim o raudor a related crime, including identity thet Extended raud alerts remain in place
or seven years, and to place such an alert on their le, consumers must submit
an identity thet report Active-duty military personnel also may place alerts on
their credit reports or 12 months; pursuant to a rule issued by the Federal Trade
Commission, this period may be renewed i an individual receives an extended
deployment [Fair Credit Reporting Act Sections 605A(a)-(c), 15 USC 1681c-1;
Federal Trade Commission, 16 CFR Parts 603, 613, and 614]
All three ederal alerts must state that the consumer does not authorize
new credit, the issuance o an additional credit card, or any increase in a
credit limit on an existing account For raud and active-duty alerts, persons
or businesses who use the consumers report must utilize reasonable
policies and procedures to orm a reasonable belie that the user knows
the identity o the person making the request They may either contact the
consumer at a designated telephone number or take reasonable steps to
veriy the consumers identity and conrm that the application is not the
result o identity thet For an extended alert, however, they must contactthe consumer in person or use another method designated by the consumer
to conrm that the application is not the result o identity thet [Fair Credit
Reporting Act Section 605A(h), 15 USC 1681c-1]
Federal law regarding security alerts contains preemption provisions
Specically, Congress preempted states rom enacting any requirement or
prohibition with respect to the conduct required by the ederal security alert
provisions described above [Fair Credit Reporting Act Section 625(b)(5)(B),
15 USC 1681t] This provision may arguably preempt Caliornias security
alert law to the extent that it relates to the same conduct required under
ederal law However, states may be able to act where ederal law does not
impose a specic requirement While the scope o this preemption standard
has yet to be tested in court, in those areas where ederal law is silent with
respect to conduct required, a state remains ree to act
Credit Reporting
-
8/23/2019 Consumer Privacy and Identity Theft
44/161
0
Security FreezesCalifornia Law
Under state law, a consumer may place a security reeze on his or her credit
report, which prohibits credit reporting agencies rom releasing the consumers
credit report or any inormation rom it without the consumers authorization 9
Certain specied entities may access a consumers credit report even i a
security reeze is in place, including law enorcement acting pursuant to a court
order or warrant, a child support agency, or the Franchise Tax Board
A consumer credit reporting agency must place a security reeze on a
consumers credit report within ve business days ater receiving a request;
the security reeze remains in place until the consumer requests its removal
Credit reporting agencies must send consumers a written conrmation o
the reeze and provide them with a unique personal identication number or
password to use to request the release o their credit inormation The reeze
may be temporarily lited by a consumer to grant access to the credit report by
a specic party or or a particular period o time
Credit reporting agencies may charge a consumer no more than $10 or each
security reeze, removal o the reeze, or a temporary lit o the reeze or a
specic time period, and no more than $12 or a temporary lit o the reeze or
a specic party; no ee may be charged to a victim o identity thet, as specied
[Caliornia Civil Code Section 1785112]
9 This provision was invalidated by the Court o Appeal, Second Appellate District, on First Amendment grounds as
applied to U.D. Registry (a credit reporting agency that provides consumer credit reports to landlords) becauseits reports are materially drawn rom public records. While the court ruled that Caliornia Civil Code Section
1785.11.2 was unconstitutional as applied to U.D. Registry (and could not be enorced against the company), the
court reused to hold that the statute was unconstitutional on its ace (which would have limited enorcement
against other credit reporting agencies). [U.D. Registry, Inc. v. State of California(2006) 144 Cal. App. 4th 405.]
U.D. Registry petitioned the Caliornia Supreme Court to grant review o the decision. This petition was rejected.
[U.D. Registry, Inc. v. State of California2007 Cal. LEXIS 3098 (Cal. Feb. 7, 2007).] In 2007 the Legislature
amended the statute to address the issues raised in U.D. Registry, Inc. v. State of Californiaby providing that a
credit reporting agency may disclose public record inormation it obtains lawully rom an open public record to
the extent permitted by law. [Caliornia Civil Code Section 1785.11.2(n).]
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
45/161
Data Security
-
8/23/2019 Consumer Privacy and Identity Theft
46/161
-
8/23/2019 Consumer Privacy and Identity Theft
47/161
Overview
nIn 2003 Caliornia became the rst state in the nation to require
companies and government agencies to notiy consumers when
there is a breach in the security o their personal inormation Since
that time, 37 other states and the District o Columbia have ollowed
Caliornias lead and enacted breach notication statutes10 Congress
is also considering whether to mandate that consumers must be
notied when the security o their personal inormation has been
breached
nAccording to the Privacy Rights Clearinghouse, more than 217 million
records containing sensitive personal inormation have been involved
in security breaches since February 200511
nNotiying consumers when the security o their personal inormation
has been breached can play an important role in identity thet
prevention For example, a consumer can decide to place a raud alert
or security reeze on his or her credit report, depending on the type o
inormation that was breached and who obtained access to it Such
quick action could prevent an identity thie rom obtaining new credit
in the consumers name
nCaliornias law requiring notication o security breaches has also
resulted in the publicsand lawmakersheightened interest in data
security For instance, both state and ederal law impose security
requirements on businesses when they destroy customer records
Caliornia law also requires businesses to implement and maintain
reasonable security procedures to protect the personal inormation
they own or license
10 Consumers Union, Notice o Security Breach State Laws, August 21, 2007, http://www.consumersunion.
org/campaigns/Breach_laws_May05.pd.11 For a listing o data breaches, see Privacy Rights Clearinghouse, A Chronology o Data Breaches,
http://www.privacyrights.org/ar/ChronDataBreaches.htm. This listing is updated regularly.
Data Security
-
8/23/2019 Consumer Privacy and Identity Theft
48/161
Destruction o Businessand Medical Records
California Law
State law requires businesses, when disposing o customer records, to take all
reasonable steps to destroy personal inormation in the records by shredding,
erasing, or otherwise modiying the personal inormation so it is unreadable or
undecipherable The law denes customer as an individual who provides
personal inormation to a business or the purpose o purchasing or leasing
a product or obtaining a service rom the business [Caliornia Civil Code
Sections 179880 and 179881]
Under the statute, personal inormation is dened broadly to mean any
inormation that identies, relates to, describes, or is capable o being
associated with a particular individual In this instance, personal inormation
includes the individuals name, signature, social security number, physical
characteristics or description, address, telephone number, passport number,
driver's license or state identication card number, insurance policy number,
education, employment, employment history, bank account number, credit cardnumber, debit card number, or any other nancial inormation [Caliornia Civil
Code Section 179880]
Caliornias Condentiality o Medical Inormation Act also contains provisions
saeguarding the destruction and disposal o medical records The act requires
health care providers, health care service plans, pharmaceutical companies,
and contractorswhen destroying or disposing o medical recordsto do so in
a manner that preserves the condentiality o the inormation contained in the
records [Caliornia Civil Code Section 56101]
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
49/161
Federal Law
Federal law includes provisions relating to the destruction o business records,
but more narrowly addresses the issue As described on the opposite page,
Caliornia law concerns all personal inormation contained in customer records
Yet ederal law only relates to consumer reports or inormation derived rom
such reports or a business purpose, and its requirements are imposed only on
users o those reports
Under the ederal Fair Credit Reporting Act (FCRA) and a related nal rule
issued in June 2005 by the Federal Trade Commission, businesses and
individuals must properly dispose o such inormation by taking reasonable
measures to protect against unauthorized access to, or use o, the inormation
when it is disposed The law applies to anyone who uses consumer reports and
applies to inormation obtained rom a consumer reporting agency that is used,
or is expected to be used, in establishing a consumers eligibility or credit,
employment, or insurance, among other things, as dened under FCRA [Fair
Credit Reporting Act Section 628, 15 USC 1681w; Federal Trade Commission,
16 CFR Part 682]
FCRA preempts state law requirements with respect to the conduct required
by its document-destruction provision [Fair Credit Reporting Act Section
625(b)(5)(I), 15 USC 1681t]
Under FACTA, Congress preempted states rom enacting any requirement
or prohibition regarding the conduct required by specic provisions This
language arguably allows states to act where ederal law does not impose a
specic requirement The extent and practical eect o the FACTA preemption
provisions are not yet known It also is noteworthy that because Caliornia
law is broaderapplying to more than just inormation obtained rom credit
reports and more than just persons or entities who use these reportsthe
preemptive eect o FCRA on the state law described on the opposite page
may be limited
Data Security
-
8/23/2019 Consumer Privacy and Identity Theft
50/161
6
Consumer Privacy and Identity Thet
Notifcation o Breachin Data Security
California LawState law requires state agencies and businesses that own or license
computerized data containing personal inormation to disclose any breach
o the systems security to a Caliornia resident whose unencrypted personal
inormation was, or is reasonably believed to have been, acquired by an
unauthorized person The disclosure must be made in the most expedient
manner and without unreasonable delay (although the notication may be
delayed i a law enorcement agency determines it will impede a criminal
investigation)
State agencies and businesses that maintain, but do not own, computerized
data that includes personal inormation are required to notiy the owner or
licensee o the inormation o any data security breach immediately ollowing
the discovery i personal inormation was, or is reasonably believed to have
been, acquired by an unauthorized person
The statutes dene personal inormation to mean an individuals rst name
or rst initial and last name in combination with one o the ollowing, when
either the name or the data elements are not encrypted: (1) social security
number, (2) drivers license or Caliornia identication card number,
(3) account, credit, or debit card number in combination with a security code or
password that would permit access to the individuals nancial account,
(4) medical inormation, or (5) health insurance inormation Personal
inormation does not include inormation publicly available rom ederal, state,
or local government records State agencies and businesses must provide
-
8/23/2019 Consumer Privacy and Identity Theft
51/161
notice to consumers using either written notice, electronic notice, or substitute
notice, as specied12 [Caliornia Civil Code Sections 179829 and 179882]
Personal Inormation:Reasonable Security ProceduresCalifornia Law
Under state law, a business that owns or licenses personal inormation about
a Caliornia resident must implement and maintain reasonable security
procedures and practices appropriate to the nature o the inormation to protect
the inormation rom unauthorized access, destruction, use, modication, or
disclosure Similar requirements apply when a business discloses inormation
about a Caliornia resident pursuant to a contract with a nonaliated third
party [Caliornia Civil Code Section 1798815]
The statute denes personal inormation to mean an individuals rst name
or rst initial and last name in combination with one o the ollowing, when
either the name or the data elements are not encrypted: (1) social security
number, (2) drivers license or Caliornia identication card number, (3) account,
credit, or debit card number in combination with a security code or password
that would permit access to the individuals nancial account, or (4) medical
inormation Personal inormation does not include inormation that is publicly
available rom ederal, state, or local government records The section does not
apply to nancial institutions, health care providers, or other specied entities
[Caliornia Civil Code Section 1798815]
Data Security
12 Although there is no ederal statutory law specically on this issue, several ederal agencies have issuedguidance on security breaches under the Interagency Guidance on Response Programs or Unauthorized
Access to Customer Inormation and Customer Notice. The guidance is intended to clariy the responsibilities
o nancial institutions under ederal laws and interpret requirements o GrammLeachBliley. The guidance
addresses unauthorized access to, or use o, customer inormation that could result in substantial harm or
inconvenience to a customer. The guidance also includes standards or when a nancial institution should
provide notice to customers when sensitive inormation is accessed without authorization. State laws not
inconsistent with GrammLeachBliley are not preempted. [Oce o the Comptroller o the Currency, 12 C.F.R.
Part 30; Federal Reserve System, 12 C.F.R. Parts 208 and 225; Federal Deposit Insurance Corporation, 12 C.F.R.
Part 364; and Oce o Thrit Supervision, 12 C.F.R. Parts 568 and 570, http://www.occ.treas.gov/consumer/
Customernoticeguidance.pd.] GrammLeachBliley generally provides that state laws that are more protective
o consumers privacy are not inconsistent. [15 U.S.C. 6807.]
-
8/23/2019 Consumer Privacy and Identity Theft
52/161
-
8/23/2019 Consumer Privacy and Identity Theft
53/161
Financial Privacyand Related Issues
-
8/23/2019 Consumer Privacy and Identity Theft
54/161
-
8/23/2019 Consumer Privacy and Identity Theft
55/161
Overview
nCaliornia led the nation in enacting the Financial Inormation
Privacy Act, which gives consumers more control over their personal
nancial inormation than what is currently granted by ederal law
The act gives consumers the ability to control the sharing o their
nonpublic personal inormation by requiring a nancial institution
to obtain a consumers consent beore it may share the inormation
with a nonaliated third party This is commonly known as an
opt in because a nancial institution may not share a consumers
inormation unless he or she opts to share it Federal law, however,
subjects the sharing o personal inormation with nonaliated
third parties to an opt out so that, as long as the consumer does
not opt out, a nancial institution may share his or her inormation
with nonaliated third parties Federal law allows states to provide
consumers with greater privacy protections; thereore, with respect
to sharing with nonaliated third parties, Caliornia law controls
nCaliornia law also subjects the sharing o nonpublic personal
inormation with aliates to an opt out, whereas ederal law does not
place restrictions on aliate sharing The validity o this section o
Caliornias nancial privacy law is presently beore the courts and
is described in more detail on page 53
nBoth state and ederal law regulate the practice o debt collection and
impose restrictions on threatening or harassing behavior
Financial Privacy and Related Issues
-
8/23/2019 Consumer Privacy and Identity Theft
56/161
Account Numbers California Law
State law prohibits a nancial institution rom reusing a checking or savingsaccount number until at least three years have passed since a previous account
using that same number was closed [Caliornia Financial Code Section 4100]
Debt CollectionCalifornia Law
Caliornias Rosenthal Fair Debt Collection Practices Act regulates third-partydebt collectors in a manner similar to the ederal law described below State
law also prohibits any threats, harassment, or various alse or misleading
representations, and limits the amount o inormation about a debtor that a
collector may reveal to a third party Furthermore, the act allows debtors to
bring an action or actual damages against a debt collector who has violated
the statute The protections o this act also apply to businesses [Caliornia Civil
Code Section 1788 et seq]
Federal Law
The business practices o third-party debt collectors are regulated under the
ederal Fair Debt Collection Practices Act Among other things, the act requires
a debt collector to make an initial disclosure to the debtor that the collector is
attempting to collect a debt and that any inormation obtained will be used or
that purpose Federal law also prohibits any threats, harassment, or various
alse or misleading representations, and limits the amount o inormation about
a debtor that a collector may reveal to a third party The ederal act specically
allows or state regulation regarding debt collection practices, provided that
state laws are not inconsistent with ederal law State laws may give consumers
greater protection than ederal law [Fair Debt Collection Practices Act, 15 USC
1692 et seq]
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
57/161
13 For descriptions o opt in and opt out, see page 51.14 The restriction on sharing with aliates was challenged by the American Bankers Association, Financial
Services Roundtable, and Consumer Bankers Association on the basis that it was preempted by the Fair Credit
Reporting Act (FCRA). The U.S. Court o Appeals or the Ninth Circuit agreed and directed the U.S. District Court
to determine the scope o the preemption. [Am. Bankers Assn v. Gould, 412 F.3d 1081.] In October 2005 the
district court issued its ruling that no part o this provision survives preemption and enjoined the state rom
enorcing the aliate-sharing restrictions to the extent they are preempted by FCRA. The court made clear in
its ruling, however, that other provisions o Caliornias nancial privacy law still stand. [Am. Bankers Assn v.
Lockyer, 2005 U.S. Dist. LEXIS 22437.] In November 2005 the attorney generals oce led a notice o appeal
with the U.S. Court o Appeals or the Ninth Circuit. This appeal is pending.
Financial Privacy and Related Issues
Financial PrivacyCalifornia Law
Caliornias Financial Inormation Privacy Act places restrictions on the sharingo consumers nonpublic personal inormation by nancial institutions
Nonpublic personal inormation does not include publicly available
inormation; it is dened as personally identiable nancial inormation that is:
1 Provided by a consumer to a nancial institution;
2 The result o a transaction with a consumer or a service perormed
or a consumer; or
3 Otherwise obtained by a nancial institution
[Caliornia Financial Code Section 4052(a)]
A nancial institution must rst obtain a consumers consent beore it may
disclose or share the consumers nonpublic personal inormation with any
nonaliated third party (an opt in)13 [Caliornia Financial Code Section
4053(a)(1)] Beore disclosing nonpublic personal inormation to an aliate, a
nancial institution must give a consumer an opportunity to direct that his or
her inormation may not be disclosed (an opt out) [Caliornia Financial Code
Section 4053(b)(1)] The preemptive eect o the Fair Credit Reporting Act on
this restriction is a matter currently beore the courts14
Provided that the consumer has not opted out, a nancial institution may share
the consumers personal inormation with another nancial institution when
they enter into a joint marketing agreement to oer a nancial product or
service that meets specied requirements [Caliornia Financial Code Section
4053(b)(2)] The unrestricted sharing o nonpublic personal inormation
-
8/23/2019 Consumer Privacy and Identity Theft
58/161
between a nancial institution and its wholly owned nancial-institution
subsidiaries in the same line o business also is permitted, irrespective o any
consumer choice, provided that specied requirements are met [Caliornia
Financial Code Section 4053(c)]
Caliornia law contains a statutory orm that a nancial institution may use
to oer consumers an opportunity to communicate their privacy choices A
nancial institution that uses the statutory orm is deemed to have complied
with the notice requirements; a nancial institution also may use an alternate
orm subject to specied limitations [Caliornia Financial Code Section
4053(d)]
Federal LawFederal law prohibits a nancial institution, under the GrammLeachBliley Act
(GLB) o 1999 (Pub L 106-102, 113 Stat 1338), rom disclosing a consumers
nonpublic personal inormation to a nonaliated third party unless the
nancial institution (1) provides the consumer with a clear and conspicuous
disclosure o the nancial institutions specied privacy policies and practices,
(2) gives the consumer the opportunity to stop the disclosure beore the
inormation is initially disclosed (an opt out), and (3) provides the consumer
with an explanation o how to exercise his or her right to opt out [15 USC
6802(b)(1)] The act contains specied exceptions [15 USC 6802(e)]
Under GLB, nancial institutions are permitted to disclose personal inormation
to a third partyeven i a consumer has opted outi the disclosure is to
enable the third party to perorm services or or unctions on behal o the
nancial institution, including the marketing o the institutions own products or
services, or products or services oered jointly between two or more nancial
institutions that comply with GLBs provisions (oten reerred to as a joint
marketing agreement) In this case, the nancial institution must enter into
a contractual agreement with the third party that requires the third party to
maintain the condentiality o the inormation [15 USC 6802(b)(2)]
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
59/161
GLB also specically invites states to enact greater privacy protections than
those contained in the ederal act [15 USC 6807]
In 2006 Congress passed the Financial Services Regulatory Relie Act o 2006
(Pub L 109-351, 120 Stat 1966), which amended GLB to require ederal
agencies to jointly develop a model privacy orm or nancial institutions to
use or GLB-required disclosures to consumers The act requires the agencies
to develop a orm that is succinct and comprehensible and allows consumers
to easily identiy and compare the sharing and privacy practices o nancial
institutions Under the act, a nancial institution that uses the model orm is
deemed to have satised the notice requirements o GLB (a sae harbor)
In March 2007, pursuant to the act, eight ederal regulators issued a notice o
proposed rulemaking regarding a model privacy orm15 Public comments weredue by May 29, 2007 A nal rule has not yet been issued
Insurance Inormation andPrivacy Protection ActCalifornia Law
State law governs the collection, use, and disclosure o inormation gathered in
connection with insurance transactions The act generally limits disclosure o
personal inormation by insurers and agents without the written consent o the
individual [Caliornia Insurance Code Section 791 et seq]
Financial Privacy and Related Issues
15 Interagency Proposal or Model Privacy Form Under the GrammLeachBliley Act, 72 Fed. Reg. 14940 (2007) (to
be codied at 12 C.F.R. Part 40, 12 C.F.R. Part 573, 12 C.F.R. Part 216, 12 C.F.R. Part 332, 12 C.F.R. Part 716, 16
C.F.R. Part 313, 17 C.F.R. Part 160, and 17 C.F.R. Part 248) (proposed March 29, 2007).
-
8/23/2019 Consumer Privacy and Identity Theft
60/161
6
Insurers: Genetic TestingCalifornia Law
State law prohibits insurers rom requiring a genetic test or the purpose o
determining insurability, except or policies contingent on review or testing
or other diseases or medical conditions I an insurer requires a genetic test
to determine insurability, the insurer must comply with inormed consent
and privacy protection rules, as specied [Caliornia Insurance Code Section
10148]
Civil penalties may be assessed or the willul or negligent disclosure o genetic
test results i those results are disclosed in a manner that identies or provides
identiying characteristics about the subject o the test Any person who
negligently or willully discloses the results is also liable or actual damages,
including damages or resulting economic, bodily, or emotional harm
[Caliornia Insurance Code Section 101491]
Consumer Privacy and Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
61/161
Identity Theft
-
8/23/2019 Consumer Privacy and Identity Theft
62/161
-
8/23/2019 Consumer Privacy and Identity Theft
63/161
9
Overview
n For the seventh year in a row, identity thet topped the Federal
Trade Commissions list o top 10 consumer complaints in 200616 O
the 674,354 complaints led with the commission during that year,246,035or 36 percentrelated to identity thet17 The most common
orm o reported identity thet was credit card raud (25 percent o
complaints), ollowed by phone or utilities raud (16 percent), bank
raud (16 percent), and employment raud (14 percent)18
Among the 50 states, Caliornia ranked third in identity thet victims
per capita, ater Arizona and Nevada19 Five o the top 10 major
metropolitan areas with the highest per capita rates o reported
identity thet were in Caliornia: Napa, Madera, Yuba City,HanordCorcoran, VallejoFaireld20
n Many Americans are concerned about the threat o identity thet
In a poll by Zogby International conducted on March 2326, 2007,
91 percent o nationwide respondents said they are concerned their
identity could be stolen and used to make unauthorized purchases
One in three surveyed said they are not condent that retailers, banks,
and credit card companies are taking sucient steps to saeguard
their personal inormation21
nOver the years, both Caliornia and Congress have enacted various
statutes relating to identity thet State and ederal law, or example,
both impose criminal penalties or the crime o identity thet
Caliornia law also allows an identity thet victim to petition a court or
a nding o innocence when an identity thie has committed crimes in
the victims name And Caliornia recently enacted a statute requiring
county welare departments to obtain a credit report on behal o
oster-care children to determine whether they have been a victim oidentity thet
16 Federal Trade Commission, FTC Issues Annual List o Top Consumer Complaints, February 7, 2007,
http://www.tc.gov/opa/2007/02/topcomplaints.shtm.17 Federal Trade Commission, Consumer Sentinel and Identity Thet Data Clearinghouse, Consumer Fraud and
Identity Thet Complaint Data, JanuaryDecember 2006, February 2007, p. 5, http://www.consumer.gov/
sentinel/pubs/Top10Fraud2006.pd.18 Id., p. 13.19 Id., p. 18.20 Id., p. 17.21 Zogby International, Zogby Poll: Most Americans Worry About Identity Thet, April 3, 2007.
Identity Thet
-
8/23/2019 Consumer Privacy and Identity Theft
64/161
60
Crime o Identity ThetCalifornia Law
Under state law, it is unlawul to willully use someone elses personalidentiying inormation or an unlawul purpose, including to obtain or attempt
to obtain credit, goods, services, or medical inormation in the name o the
other person without that persons consent [Caliornia Penal Code Section
5305(a)]
State law also prohibits acquiring or retaining possession o personal
identiying inormation with the intent to deraud [Caliornia Penal Code
Section 5305(c)] Additional penalties are imposed i the violator haspreviously been convicted o identity thet or possesses the personal
inormation o 10 or more people [Caliornia Penal Code Sections 5305(c)(2)
and (c)(3)] Also prohibited is the sale, transer, or conveyance o personal
identiying inormation with actual knowledge that it will be used to commit
identity thet [Caliornia Penal Code Section 5305(d)(2)]
Personal identiying inormation includes, among other things, name,
address, telephone numbers, social security number, drivers license number,
mothers maiden name, checking or savings account numbers, unique
biometric data (such as a ngerprint), or credit card numbers [Caliornia
Penal Code Section 53055]
Federal Law
Federal law makes it a crime to knowingly transer, possess, or use another
persons means o identication with the intent to commit, aid, or abet an
unlawul activity that violates ederal law or constitutes a elony under state
law [18 USC 1028(a)(7)] Federal