Local Identity Theft Laws and
Your Rights Regarding Recovery
Security Freeze Law:
All District of Columbia consumers are allowed to place security freezes on their consumer credit reports to prevent new accounts from being opened in their names. Such a freeze enables the consumer to prevent anyone from looking at his/her credit file for the purpose of granting credit unless the consumer chooses to allow a particular business look at the information. To request a freeze, a consumer must request one in writing by certified mail. By January 31, 2009, the credit reporting agencies must make available an Internet-based method of requesting a security freeze and also accept requests by regular mail or telephone.
Consumer reporting agencies may charge a fee of $10 to place the original security freeze. However, victims of identity theft with a valid police report or investigative complaint may not be charged. The reporting agency must place the freeze within three business days after receiving the request, and within five days of placing the request, must send a written confirmation of the freeze and provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his credit for a specific party or period of time. Requests for a temporary unlocking of the freeze must be completed within three business days. Consumer reporting agencies must also develop the capacity and offer the option to the consumer of honoring a request for a temporary unlocking of the freeze through Internet and telephonic methods, within 15 minutes after the consumer’s request is received by the agency.
Mandatory Police Report Law for victims of IDENTITY theft:
The Metropolitan Police Department is required to make a report of each complaint of identity theft and provide the complainant with a copy of the report.
definition of identity Theft:
A person commits the offense of identity theft if that person knowingly uses personal identifying information belonging to or pertaining to another person to obtain, or attempt to obtain, property fraudulently and without that person’s consent; or obtains, creates, or possesses personal identifying information belonging to or pertaining to another person with the intent to:
- Use the information to obtain, or attempt to obtain, property fraudulently and without that person’s consent; or
- Give, sell, transmit, or transfer the information to a third person to facilitate the use of the information by that third person to obtain, or attempt to obtain, property fraudulently and without that person’s consent.
definition of personal identifying information:
“Personal identifying information” includes, but is not limited to, the following:
- Name, address, telephone number, date of birth, or mother’s maiden name;
- Driver’s license or driver’s license number, or non-driver’s license or non-driver’s license number;
- Savings, checking, or other financial account number;
- Social Security number or tax identification number;
- Passport or passport number; citizenship status, visa, or alien registration card or number;
- Birth certificate or a facsimile of a birth certificate;
- Credit or debit card, credit or debit card number, or credit history or credit rating;
- Personal identification number, electronic identification number, password, access code or device, electronic address, electronic identification number, routing information or code, digital signature, or telecommunication identifying information;
- Biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
- Place of employment, employment history, or employee identification number; and
- Any other numbers or information that can be used to access a person’s financial resources, access medical information, obtain identification, act as identification, or obtain property.
If the property obtained or the amount of financial injury is $250 or more, it is identity theft in the first degree, punishable by up to ten years in prison and/or a fine up $10,000, three times the value of the property obtained, or three times the amount of the financial injury, whichever is greatest. If the value is less than $250, it is identity theft in the second degree, punishable by up to 180 days in jail and/or a fine up to $1000.
Any person who commits the offense of identity theft against an individual 65 years of age or older may be punished by a fine of up to 1 ½ times the maximum fine and/or term of imprisonment otherwise authorized for the offense. It is an affirmative defense that the accused reasonably believed that the victim was not 65 years of age or older at the time of the offense or could not have determined the age of the victim because of the manner in which the offense was committed.
The offense of identity theft is deemed to be committed in the District of Columbia, regardless of whether the offender is physically present in the District, if the person whose personal identifying information is improperly obtained, created, possessed, or used is a resident of the District, or any part of the offense takes place in the District.
When a person is convicted of identity theft, the court may, in addition to any other applicable penalty, order restitution for the full amount of financial injury. This includes all monetary costs, debts, or obligations incurred by a person as a result of another person obtaining, creating, possessing, or using that person’s personal identifying information in violation of this subtitle, including, but not limited to: the costs of clearing the person’s credit rating, credit District of Columbia – 3 history, criminal record, or any other official record, including attorney fees; the expenses related to any civil or administrative proceeding to satisfy or contest a debt, lien, judgment, or other obligation of the person that arose as a result of the violation of this subtitle, including attorney fees; the costs of repairing or replacing damaged or stolen property; and lost time or wages, or any similar monetary benefit forgone while the person is seeking redress for damages.
When a person is convicted, adjudicated delinquent, or found not guilty by reason of insanity of identity theft, the court may issue such orders as are necessary to correct any District of Columbia public record that contains false information as a result of a violation of the offense. In all other cases, a person who alleges that he or she is a victim of identity theft may petition the court for an expedited judicial determination that a District of Columbia public record contains false information as a result of a violation of this subchapter. Upon a finding of clear and convincing evidence that the person was a victim of identity theft, the court may issue such orders as are necessary to correct any District of Columbia public record that contains false information as a result of a violation of this offense.
District law requires individuals and entities doing business in the district, which own or license computerized or other electronic data that includes personal information, to notify residents if a breach of security has compromised their personal information. A security breach is defined as “unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information.” Notice must be made without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
Personal information is defined as an individual’s first name or first initial and last name, or phone number or address, and any one or more of the following data elements: Social Security number; driver’s license number or District of Columbia Identification Card number; credit or debit card number, or any other number or code or combination of numbers of codes, such as account number, security code, access code, or password, that allows access to an individual’s financial or credit account. It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notification can be provided by mail or e-mail. If the cost of providing regular notice would exceed $50,000, the amount of people to be notified exceeds 100,000, or the business does not have sufficient contact information to provide written or electronic notice, substitute notice may be provided. When substitute notice is used, it must consist of all of the following, as applicable: e-mail notice, conspicuous posting on the business’s web site and notification to major local, and if applicable, national media. When a breach involves more than 1,000 people, the business must also notify the consumer reporting agencies.
A person commits the offense of credit card fraud, if with intent to defraud, that person obtains property of another by:
- Knowingly using a credit card, or the number or description thereof, which has been issued to another person without the consent of the person to whom it was issued;
- Knowingly using a credit card, or the number or description thereof, which has been revoked or cancelled;
- Knowingly using a falsified, mutilated, or altered credit card or number or description thereof; or
- Representing that he or she is the holder of a credit card and the credit card had not in fact been issued.
For the purpose of this section, the term “credit card” means an instrument or device, whether known as a credit card plate, debit card, or by any other name, issued by a person for use of the cardholder in obtaining property or services.
Any person convicted of credit card fraud will be imprisoned for up to ten years and/or fined up to $5000, if the value of the property obtained is $250 or more. If the value is less than $250, the offense is punishable by up to 180 days in prison and/or a fine up to $1000.
Please contact us if you need additional support.