Download - Responding to Victims of Identity Crime
Responding to Victims of Identity Crime: A Manual for Law Enforcement Agents, Prosecutors and Policy-Makers
Presentation by: Matthew Kwong
Background Information
– Published by the International Centre for Criminal Law Reform and Criminal Justice Policy (ICCLR)
– Manual meant to assist law-enforcement personnel with responding to identity crime
– Contains information on what is legally required of victims, institutions and law-enforcement in the case of identity crime
Actors Involved in Identity Crime
– Individual victims – may be victimized directly or indirectly through a compromised institution
– Institutional victims – includes government and financial agencies
– Law enforcement – includes police, various legal agencies and prosecutors
– Other – a catch-all term for everyone else who may be involved, including service providers, debt collectors and financial institutions (when not directly targeted by the crime)
Individual Victims
– Responsible for notifying all relevant financial institutions – banks, credit bureaus, creditors, etc – about occurrence of fraud
– Cancel all compromised payment cards– Obtain credit reports and monitor accounts to
prevent future fraud– Responsible for re-establishing identity by
obtaining new documents– Pursue compensation for damages under civil law
if possible – assuming perpetrator is caught
In Other Words...
– Individuals have primary responsibility for detecting, mitigating and seeking compensation for damages
– Also have responsibility for restoring reputation to pre-crime status
– Institutions and law enforcement may provide information to individual victims, but are not required to provide assistance
Institutional Victims
– Have a right to sue for damages if an institutional trademark is used fraudulently – considered intellectual property crime
– Responsible for taking immediate measures to prevent further damages from identity crime
– Generally responsible (depends on jurisdictional legislation) for notifying individuals who were affected by a security breach
– When the individual victim is not responsible for damages, release individual from liability
– Reporting to and cooperating with law enforcement
A Conflict of Interest
– Institutions are often reluctant to release specific information regarding the crime to law enforcement and individual victims
– They may however have a legal responsibility to disclose information
– Such information may include IP addresses, telephone numbers, transaction documents and any other relevant records
Law Enforcement
– Keep a record of all reported cases of identity crime and input the information into appropriate databases
– If possible, investigate the crime and gather evidence from victims, witnesses, etc
– Cooperate with other law enforcement agencies to investigate cross-jurisdictional identity crime and other ongoing investigations
– Provide information to victims on how to mitigate damages from crime and their rights in the situation (in the case of a prosecutor)
– Refer victim to a victim support center for assistance
Police Complications
– Law enforcement assistance to victims is mostly restricted to providing information – i.e. this manual
– Crime investigation and victim assistance becomes more complex when involving multiple jurisdictions
– Jurisdictions need to be determined, the appropriate agencies contacted and coordination maintained between multiple agencies
Other (Private Sector)
– Be proactive – monitor accounts for suspicious activity and notify affected individuals as appropriate
– Take necessary precautions when approving credit applications
– If there is reason to believe that identity fraud has occurred, do not hold victims responsible for incurred debt
– Provide victims with information on how to mitigate damages and secure new identity documents
– Cooperate with law enforcement by providing all relevant information on the fraudulent transaction as well as any other assistance
A Legal Grey Area
– The private sector is encouraged to help mitigate damages to a victim’s credit rating and monitor for suspicious activity
– Nonetheless there is no clearly defined legal requirement for corporations to do so
– Responsibilities for the private sector is centered on due diligence and mostly reactionary in nature
Pursuit of Liability
– There is no Canadian legislation which protects individual victims from liability in the case of fraud
– Canadian credit card companies have no liability for electronic transactions and limited liability elsewhere
– Banks are encouraged not to hold consumers liable for fraudulent transactions under the Canadian Code of Practice for Consumer Debit Card Services, but are not required to do so
– In contrast, the US has legislation which protects or limits individual victims from liability, depending on how promptly the fraud is reported
Double Victimization
– Recovering from identity crime is difficult because victims must convince others that a fraud has occurred
– Canadian legislation governing debt collectors is restricted to preventing over-harassment of debtors, not outright preventing it
– There is no legal requirement for debt collectors to cease trying to collect funds even after a fraud has been discovered
– In the US, legislation mandates that credit bureaus minimize damages to victims by notifying companies that fraud may potentially have occurred
Recovery Process for Victims
– Victims in Canada generally do not have a right to access documents regarding fraudulent transactions
– There is no formal program for repairing a victim’s reputation after identity crime
– Generally credit bureaus in Canada are required to provide notification of inaccurate information resulting from fraud, but this can take anywhere from 2 months to a year
– US legislation allows victims the right to access records to transactions
– Credit bureaus in the US are required to erase fraudulent records if conditions are met
Detecting and Mitigating Damages
– Under PIPEDA, companies are required to “safeguard” private and sensitive information
– Actual requirements are vague – institutions may or may not be required to detect and report fraud
– Laws are inconsistent across the country – credit bureaus under duty to report accurate information but not specifically to combat fraud
– US law mandates that institutions notify affected parties in the event of a data security breach
– Individual victims in US have the right to voluntarily place fraud alerts and credit freezes on credit files, but in Canada this right exists only in two provinces
Restitution
– Criminal injuries compensation applies to violent crime, not identity crime
– Victims may claim restitution for expenses incurred to re-establish identity, but only in the minority of cases where prosecution and conviction occurs
– PIPEDA allows damages to be rewarded for privacy violations in rare instances
– Generally there is no right of action for lawsuits – even if successful, compensation may or may not be able to cover legal expenses
– Identity crime victims in US have a right of action to civil suits and may receive increased compensation
Criminal Sanctions
– If prosecution occurs, victims have the right to information regarding proceedings and to file a victim impact statement to the court (s.722)
– The Criminal Code carries a maximum sentence of 5 years for identity theft (s. 402.2)and 10 years for identity fraud (s.403)
– US law features stricter punishments for identity crime, ranging from 10 to 20 years
– Identity criminals in the US must serve multiple sentences consecutively and may not apply for parole
In Conclusion...
– Canadian legislation surrounding identity crime is vague and convoluted
– Legislation varies widely between provinces, creating various jurisdictional problems
– Victims do not have a legal right to protection and institutions are not legally required to act
– This means that the recovery process is difficult and institutions are reluctant (and not obligated) to take responsibility
– Law reform is still required in this area
And this concludes my presentation, Thank You for your Attention