Identity Theft: Keeping the Public Informed

Indiana House Enrolled Act 1101 ("HEA 1101") was signed into law on March 21, 2006 and will go into effect on July 1, 2006. The Act provides that a person that owns or licenses certain unredacted or unencrypted personal information concerning Indiana residents within a computerized database, including the unauthorized acquisition of computerized data that have been transferred to another medium, must disclose to those Indiana residents without unreasonable delay, a security breach in the database.

"Personal information" can be:

· a social security number that is not encrypted or redacted, or

· a person's first and last names, or first initial and last name, but only if the name information is accompanied by one or more of the following:

· Driver's license number;

· State identification card number;

· A credit card number;

· A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.

The law also specifies that a database owner who is required to make a disclosure concerning a security breach to more than 1,000 persons, must also notify each credit reporting bureau of the security breach. A person that maintains a computer database but does not own or license the personal information contained in the database, must notify the database owner if there is a security breach in the system.

HEA 1101 provides that a person who disposes of a customer's unencrypted, unredacted personal information without first shredding, incinerating, mutilating, or erasing the personal information commits a Class C infraction. It enhances the offense to a Class A infraction for a second or subsequent offense, or if the person has unlawfully disposed of the personal information of more than 100 customers. It includes as personal information certain information collected as part of a license or permit application.

A person who unlawfully obtains the identifying information of a deceased person commits identity deception. HEA 1101 makes identity deception a Class C felony if a person unlawfully obtains the identities of more than 100 persons or the fair market value of the fraud or harm caused by the identity theft is at least $50,000.

The Act makes possession of a card skimming device with the intent to commit identity deception or fraud a Class D felony and a Class C felony if the device is possessed with the intent to commit deception.

HEA 1101 permits a court to enter a restitution order requiring a person convicted of identity deception to reimburse the victim for additional expenses that arise or are discovered after sentencing or after the entry of a restitution order. It grants a court a five year period in which to order a person convicted of identity deception to pay additional restitution and provides that a person who commits the offense of identity deception may be tried in any county in which any element of the offense occurs. It also provides that jurisdiction for cases of identity deception lies in Indiana if the victim resides in Indiana.

HEA 1101 does not apply to a person who maintains and complies with a disposal program under the federal USA Patriot Act, the federal Driver Privacy Protection Act, the federal Fair Credit Reporting Act, and the federal Health Insurance Portability and Accountability Act.

For further information, please contact Tom Walsh, Brad Williams or Mark Shublak.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.