Title: An act relating to protecting financial information and means of identification stored on portable electronic data storage devices.

Brief Description: Protecting financial information and means of identification stored on portable electronic data storage devices.

Sponsors: Representatives Williams, Morris, Moeller and Simpson.

Hearing Date: 2/9/07

Staff: Anne Woodward (786-7119).

Background:

In 1999 the Legislature enacted laws designed to address the problem of identity theft and related crimes involving the improper use or acquisition of personal financial information. Among the identity crimes identified by the Legislature as harmful to a person's privacy, financial security, and other interests are the crimes of identity theft and improperly obtaining financial information.
   
Identity theft is defined as using or transferring another person's means of identification or financial information with the intent to commit or aid any unlawful activity harming or intending to harm the person whose identity is used. "Means of identification" means any information, not describing finances or credit, that is personal to or identifiable with an individual. Examples include: current or former name; telephone number; electronic address or identifier; social security number; driver's license number; tax identification number; and biometric data. "Financial information" refers to information identifiable to the individual that concerns the individual's assets, liabilities, or credit. Examples include: account numbers, transactional information, passwords, and social security numbers. Identity theft is punishable as a class B or a class C felony, depending on the severity of the offense.

A second type of identity crime makes it a class C felony for a person to wrongfully obtain, attempt to obtain, or request another person to obtain financial information from a financial information repository, financial services provider, merchant, corporation, trust, partnership, or unincorporated association. A financial information repository is any person engaged in the business of providing services to customers who have a credit, deposit, trust, stock, or other financial account or relationship with the person. There are exceptions to this crime, such as for law enforcement and for agents of financial information repositories working in conjunction with law enforcement.

In addition to the applicable criminal penalties, a person who commits one of these two identity crimes is civilly liable for a specified amount ($500 or $1000, depending on the type of identity crime) or actual damages, including costs to repair the person's credit record, whichever is greater, and reasonable attorneys' fees.
   
A person who commits identity theft or improperly obtains financial information is also subject to civil liability under the Washington Consumer Protection Act (Act), which declares that unfair and deceptive practices in trade or commerce that harm the public interest are illegal. The Act gives the Office of the Attorney General the authority to bring lawsuits against businesses, and to ask the court for injunctions and restitution for consumers. It also allows individuals to hire their own attorneys to bring consumer protection lawsuits. If the consumer wins in court, the law allows the court to award treble damages, up to $10,000, as well as attorneys' fees.

Recently there have been incidences of identity crimes resulting from wrongful access to unencrypted financial information or means of identification on portable electronic data storage devices that have been removed from the workplace by employees and are subsequently stolen.

Summary of Bill:

Civil liability under the Washington Consumer Protection Act is imposed on persons, associations, partnerships, corporations, and organizations whose employees remove a portable electronic device with unencrypted personal information from the premises of the business or organization, and where the information is then wrongfully accessed and used to commit an identity crime.

It is a Consumer Protection Act violation, for which a person is liable, if:

• a person, through the nature of the business, has access to financial information or the means of identification of one hundred or more persons;
• a person, or his or her employee, removes a portable electronic data storage device from the premises of the business or organization containing the financial information or means of identification of one hundred or more people;
• the financial information or means of identification on a portable electronic data storage device is then wrongfully accessed and used to improperly obtain financial information or to commit identity theft; and
• the financial information or means of identification on the portable electronic data storage device was unencrypted at the time it was wrongfully accessed.

"Portable electronic data storage device" is defined as any portable electronic device capable of storing information, which includes, but is not limited to, a laptop, personal data assistant, portable hard drive, or flash memory drive. "Person" means any natural person, association, partnership, corporation, or organization.

Any person who violates this section is subject to civil liability under the Washington Consumer Protection Act. Under this section, an employer is subject to civil liability if unencrypted financial information or means of identification is wrongfully accessed from a portable electronic data storage device that is removed from the premises by an employee.

Appropriation: None.

Fiscal Note: Not requested.

Effective Date: The bill takes effect 90 days after adjournment of session in which bill is passed.