ID THEFT: FALSE PRETENSES/INTERNET S.B. 945 (S-1) & 1191 (S-1):
ANALYSIS AS PASSED BY THE SENATE
[Please see the PDF version of this analysis, if available, to view this image.]
Senate Bill 945 (Substitute S-1 as passed by the Senate)
Senate Bill 1191 (Substitute S-1 as passed by the Senate)
Sponsor: Senator Bruce Patterson (S.B. 945)
Senator Mike Prusi (S.B. 1191)
Committee: Judiciary
Date Completed: 8-25-08
RATIONALE
The practice of "phishing" is a new twist on the existing and growing crime of identity theft. Phishing involves attempting to acquire, or acquiring, sensitive information such as on-line usernames or passwords, credit card numbers, or personal identifying information, by baiting computer users with false information that appears to be from a legitimate, trustworthy entity. In phishing scams, which typically are carried out by e-mail or instant messaging, on-line communications purporting to be from such entities as banks or other financial services websites, reservation and payment sites, or popular commercial or common-use websites, are commonly used to lure unsuspecting victims into linking to other websites and providing financial or personal identity information. Not all phishing requires the use of a fake website, though. Sometimes, messages that claim to be from a bank, for example, instruct users to dial a telephone number regarding problems with an account. When the phone number is called, voice prompts tell users to enter their account number or personal identification number (PIN). While public awareness, computer user training, and on-line security measures have been used to combat phishing scams, some people feel that the Identity Theft Protection Act should include specific prohibitions against, and harsh penalties for, attempting to obtain personal information through false pretenses.
CONTENT
Senate Bill 945 (S-1) would amend the Identity Theft Protection Act to do all of the following:
-- Prohibit communicating under false pretenses to request personal identifying information, creating or operating an unauthorized webpage to solicit personal identifying information, or altering a computer or software setting to solicit personal identifying information, with or without the intent to commit identity theft or another crime.
-- Increase the criminal penalty for certain violations and apply that penalty to a violation described above that included intent to commit identity theft or another crime.
-- Allow the Attorney General, or an interactive computer service provider, to bring a civil action against a person who committed a violation described above without intent to commit identity theft or another crime.
-- Exempt a law enforcement officer engaged in his or her official duties, or any other investigator engaged in a lawful investigation, from the proposed prohibition that would not include intent to commit identity theft or another crime.
-- Exempt an interactive computer service provider from liability under the Act for certain actions.
--
-- Expand the definition of "personal identifying information".
Senate Bill 1191 (S-1) would amend the Code of Criminal Procedure to revise the sentencing guidelines classification of certain identity theft violations.
The bills would take effect 90 days after their enactment. Senate Bill 1191 (S-1) is tie-barred to Senate Bill 945.
Senate Bill 945 (S-1)
Personal Identifying Information
The Act defines "personal identifying information" as a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person's financial accounts, including a person's name, address, telephone number, driver license or State personal identification card number, Social Security number, place of employment, employee ID number, employer or taxpayer ID number, government passport number, health insurance ID number, mother's maiden name, demand deposit account number, savings account number, financial transaction device account number, or the person's account password, stock or other security certificate or account number, credit card number, vital record, or medical records or information.
Under the bill, "personal identifying information" also would include any other account password in combination with sufficient information to identify and gain access to a person's financial account, and a person's automated or electronic signature or biometrics.
Criminal Prohibitions
The Act prohibits a person from doing any of the following:
-- Obtaining or possessing, or attempting to obtain or possess, personal identifying information of another person with the intent to use it to commit identity theft or another crime.
-- Selling or transferring, or attempting to sell or transfer, someone else's personal identifying information if the person knows or has reason to know that the specific intended recipient will use, attempt to use, or further transfer the information to another person for the purpose of committing identity theft or another crime.
-- Falsifying a police report of identity theft, or knowingly creating, possessing, or using a false police report of identity theft.
A violation is a felony punishable by up to five years' imprisonment and/or a maximum fine of $25,000.
The bill also would prohibit a person from doing any of the following with the intent to use the personal identifying information to commit identity theft or another crime:
-- Making any electronic mail or other communication under false pretenses purporting to be by or on behalf of a business, without its authority or approval, and using that electronic mail or other communication to induce, request, or solicit any individual to provide personal identifying information.
-- Creating or operating a webpage that represented itself as belonging to or being associated with a business, without the business's authority or approval, and inducing, requesting or soliciting any user of the internet to provide personal identifying information.
-- Altering a setting on a user's computer or similar device or software program through which the user could search the internet and causing the internet user to view a communication that represented itself as belonging to or being associated with a business, and that had been created or was operated without the authority or approval of that business, and inducing, requesting, or soliciting any internet user to provide personal identifying information.
A violation of the current and proposed prohibitions would be punishable by up to 10 years' imprisonment and/or a fine of not less than $5,000 or more than $500,000.
Under the bill, "false pretenses" would mean the representation of a fact or circumstance that is not true and is calculated to mislead.
"Webpage" would mean a location that has a uniform resource locator or URL with respect to the world wide web or another location that can be accessed on the internet.
"Interactive computer service" would mean an information service or system that enables computer access by multiple users to a computer server, including a service or system that provides access to the internet or to software services available on a server.
Civil Action
The bill would prohibit a person from taking an action that would be a criminal offense under the bill, but would not require intent to use the personal identifying information to commit identity theft or another crime.
The Attorney General or an interactive computer service provider harmed by a violation could bring a civil action against a person who violated the prohibition. A person bringing an action could recover one of the following:
-- Actual damages, including reasonable attorney fees.
-- In lieu of actual damages, reasonable attorney fees plus the lesser of $5,000 per violation or $250,000 for each day that a violation occurred.
The prohibition would not apply to a law enforcement officer engaged in the performance of his or her official duties or any other individual authorized to conduct lawful investigations, while engaged in a lawful investigation.
Any damages collected by the Attorney General would be credited to him or her for the costs of investigating, enforcing, and defending the Act.
Attorney General Investigation
The bill would authorize the Attorney General to investigate a person's business transactions if the Attorney General had reason to believe that the person had committed one of the proposed violations, with or without intent to commit identity theft or another crime. The Attorney General could require the person to appear, at a reasonable time and place, to give information under oath and to produce documents and evidence necessary to determine whether the person was in compliance with the requirements.
Liability Exemption
Under the bill, an interactive computer service provider could not be held liable under any provision of Michigan law for removing or disabling access to an internet domain name controlled or operated by the registrar or by the provider, or to content that resided on an internet website or other online location controlled or operated by the provider, that the provider believed in good faith was used to engage in a violation the Act.
The bill specifies that the Act would not apply to a telecommunications provider's or internet service provider's good faith transmission or routing of, or intermediate temporary storing or caching of, personal identifying information.
Senate Bill 1191 (S-1)
Currently, a violation of Section 7 of the Identity Theft Protection Act (which provides for the criminal offense described in Senate Bill 945 (S-1)) is a Class E felony against the public order, with a statutory maximum sentence of five years' imprisonment. Under the bill, the offense would be a Class D felony against the public order, with a statutory maximum sentence of 10 years' imprisonment.
The Code describes the offense as to obtain, possess, sell, or transfer personal identifying information of another or falsify a police report with intent to commit identity theft. The bill also would refer to "solicit".
MCL 445.63 et al. (S.B. 945)
777.14h (S.B. 1191)
ARGUMENTS
(Please note: The arguments contained in this analysis originate from sources outside the Senate Fiscal Agency. The Senate Fiscal Agency neither supports nor opposes legislation.)
Supporting Argument
Those who practice phishing, or "phishers", send an e-mail or instant message that claims to be from a business or organization with which the recipient may have dealings, according to OnGuard Online (http://onguardonline.gov, a website maintained by the Federal Trade Commission to provide practical tips from the Federal government and the technology industry to help guard against internet fraud and protect personal information). The phishers' message may ask the recipient to update, validate, or confirm account information, perhaps even warning of dire consequences for failure to reply. Typically, the message directs the computer user to a website that appears to be legitimate but actually is a counterfeit whose sole purpose is to trick the person into divulging personal information so the phishers can run up financial charges or commit crimes in the name of the phishing scam victim.
The nature of phishing scams, i.e., using electronic communication to target victims, makes it a particularly efficient method for perpetrators to secure personal identifying information in order to commit identity theft. Obtaining or attempting to obtain this information through phishing techniques should be specifically prohibited and subject to criminal penalties and civil remedies. According to the National Conference of State Legislatures (NCSL), antiphishing legislation was introduced in at least 11 states (including Michigan) and enacted in two (Illinois and Montana) in 2007 and, as of March 24, 2008, at least nine states had antiphishing laws on the books. Senate Bills 945 (S-1) and 1191 (S-1) would provide for Michigan to join those states by prohibiting communicating under false pretenses to request personal identifying information, creating or operating an unauthorized webpage to solicit personal identifying information, or altering a computer or software setting to solicit personal identifying information. The bills would help to combat identity theft in this era of increased use of electronic communication.
Supporting Argument
Senate Bill 945 (S-1) would encourage internet service providers (ISPs) to assist in the fight against phishing by providing that an ISP could not be held liable for removing or disabling access to an internet site that the provider believed in good faith was used to engage in a violation of the Identity Theft Protection Act.
Supporting Argument
In addition to protecting against identity theft through phishing scams, Senate Bill 945 (S-1) would acknowledge the use of similar techniques in legitimate investigations by law enforcement agencies or private investigators. The bill specifies that the prohibitions would not apply to a law enforcement officer engaged in the performance of official duties or any other individual authorized to conduct lawful investigations while that individual was engaged in such an investigation.
Legislative Analyst: Patrick Affholter
FISCAL IMPACT
Senate Bill 945 (S-1) would result in some staffing costs to the Office of Attorney General associated with bringing civil actions against and/or investigating the business transactions of people violating the proposed prohibitions. The majority of these costs, however, would be recovered by any damages collected by the Attorney General's office.
Senate Bills 945 (S-1) and 1191 (S-1) would have an indeterminate fiscal impact on State and local government. In 2005, 92 offenders were convicted under the Identity Theft Protection Act. Of these offenders, 16 were sentenced to prison, 65 were sentenced to probation, eight were sentenced to jail, and three were sentenced to other types of sentences such as delayed and suspended sentences or Holmes Youthful Trainee Act probation. An offender convicted of the Class D offense under the bills would receive a sentencing guidelines minimum sentence range of 0-6 months to 43-76 months. Currently, an offender convicted of the Class E offense would receive a sentencing guidelines minimum sentence range of 0-3 months to 24-38 months. To the extent that the bills would result in increased convictions or incarceration time, local governments would incur the costs of incarceration in local facilities, which vary by county. The State would incur the cost of felony probation at an annual average cost of $2,000, as well as the cost of incarceration in a State facility at an average annual cost of $33,000. Additional penal fine revenue would benefit public libraries.
Fiscal Analyst: Joe Carrasco
Lindsay HollanderAnalysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent. sb945&1191/0708