Understanding the Importance of US Privacy and Identity Theft Laws

Author: Salar Atrizadeh, JD
Date Published: 1 March 2021

It is essential for IT experts and practitioners to be aware of and understand privacy laws, because global cybersecurity incidents continue to increase. Various overlapping international laws have attempted to address cybersecurity and privacy. The US government actively collects personal information due to national security concerns. For example, it has implemented the Planning Tool for Resource Integration, Synchronization, and Management (PRISM) computer network to secretly gather information from the Internet by collaborating with major Internet service providers. As such, the US Foreign Intelligence Surveillance Act (FISA) courts were established to oversee surveillance requests and issue warrants. Today, personal information can be collected through voluntary disclosures, cookies, website bugs, tracking software, malware (e.g., worms, trojans, spyware) and phishing. In many cases, proper disclosure is required before information may be collected (e.g., by tracking software). However, criminals do not follow the rules and have access to the tools and techniques needed to extract personal information without authorization.

Applicable Identity Theft Laws

Personal information is valuable to criminals who are seeking to misuse it for nefarious purposes. The criminals who surreptitiously obtain personal information typically intend to profit from identity theft, online impersonation or other criminal activities. Identity theft can cause significant damage. As such, there are US state and federal laws that prohibit identity theft in every jurisdiction. The US National Conference of State Legislatures provides a comprehensive list of these laws. In the US State of California, the following laws prohibit identity theft:

  • California Penal Code Section 368—Prohibits identity theft against older adults and people with disabilities1
  • California Penal Code Section 530—Prohibits false impersonation of another person2
  • California Penal Code Section 530.5-530.8—Prohibits trafficking of personal information3
  • Penal Code Section 1202.4—Authorizes the court to order restitution4

The US federal government has passed the following laws in an effort to battle identity theft:

  • Identity Theft and Assumption Deterrence Act—Amended 18 US Code Section 1028 to prohibit identity theft and make it a separate crime against the victims. It also increased the penalties for identity theft and fraud by allowing a maximum penalty of 15 years in prison.5
  • Identity Theft Penalty Enhancement Act—Prohibits aggravated identity theft (i.e., using someone else’s identity to commit felony crimes such as immigration violations, Social Security benefits theft and domestic terrorism)6
  • Identity Theft Enforcement and Restitution Act—Amended 18 US Code Section 3663(b) to clarify restitution-related issues and allow the courts to reimburse victims for the time spent to remediate the harm7
  • Fair Debt Collection Practices Act—Codified under 15 US Code Sections 1692, et seq. and prohibits debt collectors from engaging in unfair and deceptive practices8
  • Fair Credit Reporting Act—Ensures the accuracy and privacy of credit reports that consumer reporting agencies collect and share with third parties such as financial institutions and other creditors. It allows consumers to dispute incorrect information on their accounts and place fraud alerts or security freezes to prevent identity theft.9

Criminals have used several methods to engage in identity theft, such as watching victims from a close distance while they enter credit card or bank account information. Criminals may intercept a victim’s electronic messages to extract personal information, or send spam (i.e., unsolicited emails) requesting personal information. From a practical perspective, it is crucial for IT experts to know how criminals circumvent security measures on, for example, firewalls, network routers or smart devices, in order to strengthen security effectively. IT experts must also comply with the applicable laws to avoid government enforcement actions. For example, the US Federal Trade Commission (FTC) may initiate a legal action against an organization that fails to carry out its promise to safeguard consumers’ personal information.10

Applicable Privacy Laws

The US Constitution grants privacy rights to people through the Fourth Amendment, which prohibits unreasonable searches and seizures by the government. In essence, the main objective of the Fourth Amendment is to protect people’s privacy rights. Legal cases have helped define what constitutes an unreasonable search or seizure. In fact, some courts have held that website monitoring programs that reveal Internet Protocol (IP) or email addresses do not implicate the Fourth Amendment. The US federal privacy laws that have been promulgated include:

  • Driver's Privacy Protection Act—Governs the privacy and disclosure of personal information gathered by US state departments of motor vehicles11
  • Electronic Communications Privacy Act—Protects wire, oral and electronic communications while those communications are being made, are in transit and are being stored on computers. This federal statute applies to electronic messages, phone conversations and stored electronic information.12
  • Family Educational Rights and Privacy Act—Governs access to educational information and records by public entities such as potential employers, publicly funded educational institutions and foreign governments13
  • Fair Credit Reporting Act—Promotes the accuracy, fairness and privacy of consumer information contained in the files of consumer reporting agencies14
  • Fair Debt Collection Practices Act—Prohibits debt collection enterprises from using abusive, unfair or deceptive practices to collect debts15
  • Privacy Act—Establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals that is maintained in systems of records by federal agencies16
  • Gramm-Leach-Bliley Act—Requires financial institutions to explain how they share and protect their customers' private information17
  • Video Privacy Protection Act—Grants consumers the right to opt out from disclosure of their personal information and file a legal action if their rights are violated.18
  • Federal Identity Theft and Assumption Deterrence Act—Prohibits the production and possession of false or unauthorized documents or the use of another person’s identity19

The California Constitution grants California citizens an inalienable right to pursue and obtain privacy. Therefore, the rules (e.g., Penal Code Section 1546, et seq.) require the government to obtain a search warrant prior to accessing data on an electronic communication device. California has passed the following laws to protect online privacy:

  • The Anti-Phishing Act—Prohibits phishing attacks20
  • Consumer Protection Against Computer Spyware Act—Makes it illegal for anyone to install malware on another person’s computer21
  • Education Code Sections 32261, 32265, 32270, 48900—Anticyberbullying laws that prohibit cyberbullying, sexual harassment, hate violence, harassment or intimidation22
  • Penal Code Sections 502, 647, 647.8, 786, and Civil Code Section 1708.85—Anticyberexploitation laws prohibiting revenge porn23

The California Consumer Privacy Act (CCPA) grants consumers the right to access, delete and opt out of data processing at any time. However, unlike the EU General Data Protection Regulation (GDPR), it does not grant the right to correct errors in personal information.24 It also requires that a privacy notice be posted on websites to inform consumers about their opt-out rights.

The US Constitution does not expressly mention a right to privacy. However, the California Constitution mentions the “inalienable right to privacy,” which applies to the government and to private individuals. In fact, the courts have confirmed this fundamental right. For example, in Hill v. National Collegiate Athletic Association, the California Supreme Court outlined the following framework to decide whether a constitutional violation has occurred:25

  • There must be a legally protected privacy interest.
  • There must be a reasonable expectation of privacy.
  • There must be a serious invasion of privacy interest.

There have been a number of class action lawsuits concerning online privacy and unauthorized tracking mechanisms. For example, in In re DoubleClick Privacy Litigation, consumers alleged that DoubleClick, which was one of the largest providers of online advertising products and services in the world, was using unauthorized tracking mechanisms to follow consumers’ online activities.26 The plaintiffs alleged that DoubleClick violated their rights under the state and federal constitutions and that, as a result, they suffered damages. The class action was eventually settled, and the defendant was required to pay significant attorney’s fees and costs.

In the United States, various jurisdictions have promulgated rules and regulations to ensure consumer protection by regulating data breach notification protocols. Nevertheless, culprits have succeeded in gaining unauthorized access to third-party organizations’ network servers. They have been able to extract personal information from network computers without authorization and use that information for profit. Therefore, it is important to implement data breach notification protocols.

Conclusion

It is imperative to prepare for privacy violations; they have proven to be inevitable. IT experts should consider the steps that can be taken to mitigate the risk. For example, training employees on a regular basis is crucial because it can identify the proverbial weakest link. In fact, testing employees by sending fake or fabricated emails to see whether they open attachments is an effective training tool. Security measures should be implemented on the network by installing firewalls and utilizing encryption technologies. A virtual private network (VPN) should be used for sensitive communications, and two-factor authentication should be implemented to enhance security. Finally, and most importantly, it is imperative to understand and comply with state, federal and international laws to avoid unnecessary complications.

Endnotes

1 California State Legislature, Cal. Penal Code Section 368, Crimes Against Elders, Dependent Adults, and Persons With Disabilities, USA, 2010
2 California State Legislature, Cal. Penal Code Section 530, False Personation and Cheats, USA, 1872
3 California State Legislature, Cal. Penal Code Section 530.5-530.8, False Personation and Cheats, USA, 1872
4 California State Legislature, Cal. Penal Code Section 1202.4, The Judgment, USA, 1872
5 Federal Trade Commission, Identity Theft and Assumption Deterrence Act, USA, 1998
6 United States Congress, Identity Theft Penalty Enhancement Act, HR 1713, 20031, USA, 2004
7 United States Congress, Identity Theft Enforcement and Restitution Act, HR 6060, USA, 2008
8 Federal Trade Commission, Fair Debt Collection Practices Act, Pub. L. 95-109; 91 Stat. 874, 15 U.S. Code Section 1692–1692p, USA, 2010
9 Federal Trade Commission, Fair Credit Reporting Act, 15 U.S. Code Section 1681, et seq., USA, 1970
10 Federal Trade Commission, "Privacy and Security Enforcement"
11 Electronic Privacy Information Center, "The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record"
12 US Department of Justice, Office of Justice Programs, Bureau of Justice Assistance, Electronic Communications Privacy Act of 1989 (ECPA), 18 U.S. Code Sections 2510-2523, USA, 1989
13 US Department of Education, Family Educational Rights and Privacy Act (FERPA), USA, 1974
14 Op cit Fair Credit Reporting Act
15 Op cit Fair Debt Collection Practices Act
16 US Department of Justice, "Overview of the Privacy Act of 1974," 2015
17 Federal Deposit Insurance Corporation (FDIC), Gramm-Leach-Bliley Act (Privacy of Consumer Financial Information), USA, 2000
18 Electronic Privacy Information Center, "Video Privacy Protection Act"
19 US Congress, HR 3601 Identity Theft and Assumption Deterrence Act, USA, 1998
20 California Business and Professions Code, Anti-Phishing Act, USA, 2005
21 California Business and Professions Code, Consumer Protection Against Computer Spyware Act, USA, 2004
22 State of California Department of Justice, "Cyberbullying"
23 State of California Department of Justice, "Cyberexploitation—Law Enforcement FAQs"
24 Intersoft Consulting, General Data Protection Regulation, Belgium, 2018
25 Supreme Court of California, Hill v. National Collegiate Athletic Association, 7 Cal.4th 1, 26 Cal.Rptr.2d 834; 865 P.2d 633, USA, 1994
26 United States District Court for the Southern District of New York, In Re DoubleClick Privacy Litigation, 154 F. Supp.2d 497, USA, 2001

Salar Atrizadeh, JD

Is an attorney with an extensive background in technology and is licensed to practice law in US state and federal courts. He has conducted seminars on artificial intelligence, augmented and virtual reality, privacy, cloud computing, cybersecurity, crowdfunding, cyberpiracy, cyberespionage, digital currencies, ecommerce transactions, electronic discovery, Internet of Things, online sales tax laws and online banking fraud. Atrizadeh has been interviewed by local, national and international news and media outlets. He has also served as a legal expert on various panels and educated the public on the importance of privacy, security and regulation. Please visit atrizadeh.com for more information.