Introduced Version






HOUSE BILL No. 1121

_____


DIGEST OF INTRODUCED BILL



Citations Affected: IC 4-6; IC 24-4.9; IC 24-5-26; IC 35-32-2-6; IC 35-37-4-6; IC 35-40-14; IC 35-41-1-1; IC 35-43-5.

Synopsis: Identity theft. Creates the identity theft unit (unit) in the office of the attorney general. Specifies that the unit shall: (1) investigate consumer complaints related to identity theft; (2) assist victims of identity theft; (3) cooperate with law enforcement investigations related to identity theft; and (4) assist state and federal prosecutors in the investigation and prosecution of identity theft. Authorizes certain agencies to cooperate with the unit in investigating identity theft. Authorizes a prosecuting attorney to deputize the attorney general or a deputy attorney general to assist in the prosecution of an identity theft case. Provides that the unit may establish an educational program to inform consumers concerning identity theft. Requires the owner of a data base to notify the attorney general and the owner's regulator, if applicable, of a breach of the security of data. Specifies certain information that a data base owner must disclose if there is a breach of the security of data. Establishes a rebuttable presumption that failing to notify affected persons within 30 days after discovering a breach constitutes unreasonable delay, and requires a data base owner to take certain steps to safeguard data. Provides certain rights to the victims of identity theft. Increases the penalty for identity deception committed against a person's child to a Class C felony. Provides that unlawfully using information that identifies a person other than the person who is using the information but that does not belong in its entirety to any live or deceased person constitutes synthetic identity deception. Makes other changes and conforming amendments.

Effective: July 1, 2009.





Lawson L, Foley




    January 8, 2009, read first time and referred to Committee on Judiciary.







Introduced

First Regular Session 116th General Assembly (2009)


PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts between statutes enacted by the 2008 Regular Session of the General Assembly.

HOUSE BILL No. 1121



    A BILL FOR AN ACT to amend the Indiana Code concerning criminal law and procedure.

Be it enacted by the General Assembly of the State of Indiana:

SOURCE: IC 4-6-9-7.5; (09)IN1121.1.1. -->     SECTION 1. IC 4-6-9-7.5, AS ADDED BY P.L.136-2008, SECTION 1, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 7.5. The division may initiate and maintain an educational program to inform consumers of:
        (1) risks involved in a breach of the security of a system data; and
        (2) steps that the victim of a security breach should take to prevent and mitigate the damage from the security breach.
SOURCE: IC 4-6-13; (09)IN1121.1.2. -->     SECTION 2. IC 4-6-13 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]:
     Chapter 13. Identity Theft Unit
    Sec. 1. As used in this chapter, "unit" refers to the identity theft unit established under section 2 of this chapter.
    Sec. 2. The attorney general shall establish an identity theft unit to assist prosecuting attorneys in enforcing identity deception (IC 35-43-5-3.5) and related criminal statutes and to carry out this chapter.
    Sec. 3. (a) The unit shall do the following:
        (1) Investigate consumer complaints regarding identity theft, identity deception, fraud, deception, and related matters.
        (2) Assist victims of identity theft, identity deception, fraud, deception, and related crimes in obtaining refunds in relation to fraudulent or authorized charges or debits, canceling fraudulent accounts, correcting false information in consumer reports caused by identity deception, correcting false information in personnel files and court records, and related matters.
        (3) Cooperate with federal, state, and local law enforcement agencies in the investigation of identity theft, identity deception, fraud, deception, violations of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and related crimes. To the extent authorized by federal law, the unit may enforce compliance with the federal statutes or regulations described in this subdivision or refer suspected violations of the statutes or regulations to the appropriate federal regulatory agencies.
        (4) Assist state and federal prosecutors in the investigation and prosecution of identity theft, identity deception, fraud, deception, and related crimes.
    (b) The attorney general shall adopt rules under IC 4-22-2 to the extent necessary to organize the unit.
    Sec. 4. The attorney general may do any of the following when conducting an investigation under section 3 of this chapter:
        (1) Issue and serve a subpoena for the production of records, including records stored in electronic data processing systems, books, papers, and documents for inspection by the attorney general or the investigator.
        (2) Issue and serve a subpoena for the appearance of a person to provide testimony under oath.
        (3) Apply to a court with jurisdiction to enforce a subpoena described in subdivision (1) or (2).
    Sec. 5. (a) The following may cooperate with the unit to implement this chapter:
        (1) The bureau of motor vehicles.
        (2) The secretary of state.
        (3) The department of financial institutions.
        (4) The department of insurance.
        (5) The state police department.
        (6) The department of workforce development.
        (7) The department of state revenue.
        (8) A prosecuting attorney.
        (9) Local law enforcement agencies.
    (b) Notwithstanding IC 5-14-3, the entities listed in subsection (a) may share information with the unit.
    Sec. 6. The establishment of the unit and the unit's powers does not limit the jurisdiction of an entity described in section 5 of this chapter.
    Sec. 7. A prosecuting attorney may deputize the attorney general or a deputy attorney general for purposes of the prosecution of an identity deception offense or a related offense.
    Sec. 8. The unit may initiate and maintain an educational program to inform consumers of:
        (1) risks relating to identity deception and similar crimes;
        (2) steps consumers may take to minimize their risks of becoming a victim of identity deception;
        (3) methods to detect identity deception and similar crimes;
        (4) measures that identity deception victims may take to recover from the crime and to hold the perpetrator of the crime accountable in a court of law.

SOURCE: IC 24-4.9-2-2; (09)IN1121.1.3. -->     SECTION 3. IC 24-4.9-2-2, AS AMENDED BY P.L.136-2008, SECTION 2, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 2. (a) "Breach of the security of a system" data" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.
    (b) The term does not include the following:
        (1) Good faith acquisition of personal information by an employee or agent of the person for lawful purposes of the person, if the personal information is not used or subject to further unauthorized disclosure.
        (2) Unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption and the encryption key:
            (A) has not been compromised or disclosed; and
            (B) is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device.
     (c) If a data base owner discloses a breach under IC 24-4.9-3-1(a), the data base owner shall also disclose the breach

to:
        (1) the data base owner's primary regulator, if the data base owner is regulated; and
        (2) the attorney general.

SOURCE: IC 24-4.9-3-1; (09)IN1121.1.4. -->     SECTION 4. IC 24-4.9-3-1, AS ADDED BY P.L.125-2006, SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 1. (a) Except as provided in section 4(c), 4(d), and 4(e) of this chapter, after discovering or being notified of a breach of the security of a system, data, the data base owner shall disclose the breach to an Indiana resident whose:
        (1) unencrypted personal information was or may have been acquired by an unauthorized person; or
        (2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key;
if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), synthetic identity deception (IC 35-43-5-3.8), identity theft, or fraud affecting the Indiana resident.
    (b) A data base owner required to make a disclosure under subsection (a) to more than one thousand (1,000) consumers shall also disclose to each consumer reporting agency (as defined in 15 U.S.C. 1681a(p)) information necessary to assist the consumer reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach of the security of a system.
SOURCE: IC 24-4.9-3-1.5; (09)IN1121.1.5. -->     SECTION 5. IC 24-4.9-3-1.5 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 1.5. A disclosure made under section 1 of this chapter must include the following:
        (1) A general description of the cause of the breach of the security of data.
        (2) The date on which the data base owner discovered or was notified of the breach.
        (3) The type or types of personal information that was subject to unauthorized acquisition in connection with the breach.
        (4) The period during which the Indiana resident's personal information was subject to unauthorized acquisition in connection with the breach.
        (5) Information about persons who may have acquired, viewed, or obtained an Indiana resident's personal information in connection with the breach.
        (6) Information about persons who may have used the Indiana resident's personal information for unauthorized purposes.
        (7) Steps that the data base owner has taken or plans to take to prevent further unauthorized access to or dissemination of the Indiana resident's personal information.

SOURCE: IC 24-4.9-3-3; (09)IN1121.1.6. -->     SECTION 6. IC 24-4.9-3-3, AS ADDED BY P.L.125-2006, SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 3. (a) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay. For purposes of this section, a delay is reasonable if the delay is:
        (1) necessary to restore the integrity of the computer system;
        (2) necessary to discover the scope of the breach; or
        (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:
            (A) impede a criminal or civil investigation; or
            (B) jeopardize national security.
    (b) A person required to make a disclosure or notification under this chapter shall make the disclosure or notification as soon as possible after:
        (1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or
        (2) the attorney general or a law enforcement agency notifies the person that delay will no longer impede a criminal or civil investigation or jeopardize national security.
     (c) Subject to the reasonable delays described in subsection (a), there is a rebuttable presumption that failing to notify affected persons within thirty (30) days after discovering or being notified of a breach constitutes unreasonable delay.
SOURCE: IC 24-4.9-3-3.5; (09)IN1121.1.7. -->     SECTION 7. IC 24-4.9-3-3.5 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 3.5. (a) A data base owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner.
    (b) A data base owner shall not dispose of records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable.
    (c) A person that fails to comply with any provision of this

chapter commits a deceptive act that is actionable only by the attorney general under this chapter.
    (d) The attorney general may bring an action under this chapter to obtain any or all of the following:
        (1) An injunction to enjoin further violations of this section.
        (2) A civil penalty of not more than five thousand dollars ($5,000) per deceptive act.
        (3) The attorney general's reasonable costs in:
            (A) the investigation of the deceptive act; and
            (B) maintaining the action.

SOURCE: IC 24-4.9-3-4; (09)IN1121.1.8. -->     SECTION 8. IC 24-4.9-3-4, AS ADDED BY P.L.125-2006, SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 4. (a) Except as provided in subsection (b), a data base owner required to make a disclosure under this chapter shall make the disclosure using one (1) of the following methods:
        (1) Mail.
        (2) Telephone.
        (3) Facsimile (fax).
        (4) Electronic mail, if the data base owner has the electronic mail address of the affected Indiana resident.
    (b) If a data base owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the data base owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the data base owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:
        (1) Conspicuous posting of the notice on the web site of the data base owner, if the data base owner maintains a web site.
        (2) Notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside.
    (c) A data base owner that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under this chapter if the data base owner's information privacy policy or security policy is at least as stringent as the disclosure requirements described in:
        (1) sections 1 through 4(b) of this chapter;
        (2) subsection (d); or
        (3) subsection (e).
    (d) A data base owner that maintains its own disclosure procedures

as part of an information privacy, security policy, or compliance plan under:
        (1) the federal USA Patriot PATRIOT Act (P.L. 107-56);
        (2) Executive Order 13224;
        (3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et seq.);
        (4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
        (5) the federal Financial Modernization Act of 1999 (15 U.S.C. 6801 et seq.); or
        (6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data base owner's information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of a system data without unreasonable delay and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.
    (e) A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, as applicable, is not required to make a disclosure under this chapter.
    (f) A person required to make a disclosure under this chapter may elect to make all or part of the disclosure in accordance with subsection (a) even if the person could make the disclosure in accordance with subsection (b).

SOURCE: IC 24-4.9-4-1; (09)IN1121.1.9. -->     SECTION 9. IC 24-4.9-4-1, AS ADDED BY P.L.125-2006, SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 1. (a) A person that is required to make a disclosure or notification in accordance with IC 24-4.9-3 and that fails to comply with any provision of this article commits a deceptive act that is actionable only by the attorney general under this chapter.
    (b) A failure to make a required disclosure or notification in connection with a related series of breaches of the security of a system data constitutes one (1) deceptive act.
SOURCE: IC 24-5-26; (09)IN1121.1.10. -->     SECTION 10. IC 24-5-26 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]:
     Chapter 26. Identity Theft
    Sec. 1. As used in this chapter, "identity theft" means:
        (1) identity deception (IC 35-43-5-3.5);
        (2) synthetic identity deception (IC 35-43-5-3.8); or
        (3) a substantially similar crime committed in another jurisdiction.
    Sec. 2. A person shall not do any of the following in the conduct of trade or commerce:
        (1) Deny credit or public utility service to or reduce the credit limit of a consumer solely because the consumer was a victim of identity theft, if the person had prior knowledge that the consumer was a victim of identity deception or synthetic identity deception. A consumer is presumed to be a victim of identity theft for purposes of this subdivision if the consumer provides the following to the person:
            (A) A copy of a police report evidencing the claim of the victim of identity theft.
            (B) Either:
                (i) a properly completed copy of a standardized affidavit of identity theft developed and made available by the Federal Trade Commission under 15 U.S.C. 1681g; or
                (ii) an affidavit of fact that is acceptable to the person for that purpose.
        (2) Solicit to extend credit to a consumer who does not have an existing line of credit, or has not had or applied for a line of credit within the preceding year, through the use of an unsolicited check that includes personal identifying information other than the recipient's name, address, and a partial, encoded, or truncated personal identifying number. In addition to any other penalty or remedy under this chapter or under IC 24-5-0.5, a credit card issuer, financial institution, or other lender that violates this subdivision, and not the consumer, is liable for the amount of the instrument if the instrument is used by an unauthorized user and for any fees assessed to the consumer if the instrument is dishonored.
        (3) Solicit to extend credit to a consumer who does not have a current credit card, or has not had or applied for a credit card within the preceding year, through the use of an unsolicited credit card sent to the consumer. In addition to any other penalty or remedy under this chapter or under IC 24-5-0.5, a credit card issuer, financial institution, or other lender that violates this subdivision, and not the consumer, is liable for any charges if the credit card is used by an unauthorized user and for any interest or finance charges assessed to the consumer.
        (4) Extend credit to a consumer without exercising reasonable procedures to verify the identity of that consumer. Compliance with regulations issued for depository institutions, and to be issued for other financial institutions, by the United States Department of Treasury under Section 326 of the USA PATRIOT Act, 31 U.S.C. 5318, is considered compliance with this subdivision. This subdivision does not apply to a purchase of a credit obligation in an acquisition, a merger, a purchase of assets, or an assumption of liabilities or any change to or review of an existing credit account.
    Sec. 3. A person who knowingly or intentionally violates this chapter commits a deceptive act that is actionable by the attorney general under IC 24-5-0.5-4 and is subject to the penalties and remedies available to the attorney general under IC 24-5-0.5. This section does not affect the availability of any civil remedy for a violation of this chapter, IC 24-5-0.5, or any other state or federal law.

SOURCE: IC 35-32-2-6; (09)IN1121.1.11. -->     SECTION 11. IC 35-32-2-6, AS ADDED BY P.L.125-2006, SECTION 7, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 6. (a) Subject to subsection (b), a person who commits the offense of identity deception or synthetic identity deception may be tried in a county in which:
        (1) the victim resides; or
        (2) the person:
            (A) obtains;
            (B) possesses;
            (C) transfers; or
            (D) uses;
        the information used to commit the offense.
    (b) If:
        (1) a person is charged with more than one (1) offense of identity deception or synthetic identity deception, or if a person is charged with both identity deception and synthetic identity deception; and
        (2) either:
            (A) the victims of the crimes reside in more than one (1) county; or
            (B) the person performs an act described in subsection (a)(2) in more than one (1) county;
the person may be tried in any county described in subdivision (2).
SOURCE: IC 35-37-4-6; (09)IN1121.1.12. -->     SECTION 12. IC 35-37-4-6, AS AMENDED BY P.L.99-2007, SECTION 207, IS AMENDED TO READ AS FOLLOWS

[EFFECTIVE JULY 1, 2009]: Sec. 6. (a) This section applies to a criminal action involving the following offenses where the victim is a protected person under subsection (c)(1) or (c)(2):
        (1) Sex crimes (IC 35-42-4).
        (2) Battery upon a child (IC 35-42-2-1(a)(2)(B)).
        (3) Kidnapping and confinement (IC 35-42-3).
        (4) Incest (IC 35-46-1-3).
        (5) Neglect of a dependent (IC 35-46-1-4).
        (6) Human and sexual trafficking crimes (IC 35-42-3.5).
        (7) An attempt under IC 35-41-5-1 for an offense listed in subdivisions (1) through (6).
    (b) This section applies to a criminal action involving the following offenses where the victim is a protected person under subsection (c)(3):
        (1) Exploitation of a dependent or endangered adult (IC 35-46-1-12).
        (2) A sex crime (IC 35-42-4).
        (3) Battery (IC 35-42-2-1).
        (4) Kidnapping, confinement, or interference with custody (IC 35-42-3).
        (5) Home improvement fraud (IC 35-43-6).
        (6) Fraud (IC 35-43-5).
        (7) Identity deception (IC 35-43-5-3.5).
         (8) Synthetic identity deception (IC 35-43-5-3.8).
        
(8) (9) Theft (IC 35-43-4-2).
        (9) (10) Conversion (IC 35-43-4-3).
        (10) (11) Neglect of a dependent (IC 35-46-1-4).
        (11) (12) Human and sexual trafficking crimes (IC 35-42-3.5).
    (c) As used in this section, "protected person" means:
        (1) a child who is less than fourteen (14) years of age;
        (2) an individual with a mental disability who has a disability attributable to an impairment of general intellectual functioning or adaptive behavior that:
            (A) is manifested before the individual is eighteen (18) years of age;
            (B) is likely to continue indefinitely;
            (C) constitutes a substantial impairment of the individual's ability to function normally in society; and
            (D) reflects the individual's need for a combination and sequence of special, interdisciplinary, or generic care, treatment, or other services that are of lifelong or extended duration and are individually planned and coordinated; or
        (3) an individual who is:


            (A) at least eighteen (18) years of age; and
            (B) incapable by reason of mental illness, mental retardation, dementia, or other physical or mental incapacity of:
                (i) managing or directing the management of the individual's property; or
                (ii) providing or directing the provision of self-care.
    (d) A statement or videotape that:
        (1) is made by a person who at the time of trial is a protected person;
        (2) concerns an act that is a material element of an offense listed in subsection (a) or (b) that was allegedly committed against the person; and
        (3) is not otherwise admissible in evidence;
is admissible in evidence in a criminal action for an offense listed in subsection (a) or (b) if the requirements of subsection (e) are met.
    (e) A statement or videotape described in subsection (d) is admissible in evidence in a criminal action listed in subsection (a) or (b) if, after notice to the defendant of a hearing and of the defendant's right to be present, all of the following conditions are met:
        (1) The court finds, in a hearing:
            (A) conducted outside the presence of the jury; and
            (B) attended by the protected person;
        that the time, content, and circumstances of the statement or videotape provide sufficient indications of reliability.
        (2) The protected person:
            (A) testifies at the trial; or
            (B) is found by the court to be unavailable as a witness for one (1) of the following reasons:
                (i) From the testimony of a psychiatrist, physician, or psychologist, and other evidence, if any, the court finds that the protected person's testifying in the physical presence of the defendant will cause the protected person to suffer serious emotional distress such that the protected person cannot reasonably communicate.
                (ii) The protected person cannot participate in the trial for medical reasons.
                (iii) The court has determined that the protected person is incapable of understanding the nature and obligation of an oath.
    (f) If a protected person is unavailable to testify at the trial for a reason listed in subsection (e)(2)(B), a statement or videotape may be admitted in evidence under this section only if the protected person was

available for cross-examination:
        (1) at the hearing described in subsection (e)(1); or
        (2) when the statement or videotape was made.
    (g) A statement or videotape may not be admitted in evidence under this section unless the prosecuting attorney informs the defendant and the defendant's attorney at least ten (10) days before the trial of:
        (1) the prosecuting attorney's intention to introduce the statement or videotape in evidence; and
        (2) the content of the statement or videotape.
    (h) If a statement or videotape is admitted in evidence under this section, the court shall instruct the jury that it is for the jury to determine the weight and credit to be given the statement or videotape and that, in making that determination, the jury shall consider the following:
        (1) The mental and physical age of the person making the statement or videotape.
        (2) The nature of the statement or videotape.
        (3) The circumstances under which the statement or videotape was made.
        (4) Other relevant factors.
    (i) If a statement or videotape described in subsection (d) is admitted into evidence under this section, a defendant may introduce a:
        (1) transcript; or
        (2) videotape;
of the hearing held under subsection (e)(1) into evidence at trial.

SOURCE: IC 35-40-14; (09)IN1121.1.13. -->     SECTION 13. IC 35-40-14 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]:
     Chapter 14. Rights of Victims of Identity Deception
    Sec. 1. As used in this chapter, "identity theft" means:
        (1) identity deception (IC 35-43-5-3.5);
        (2) synthetic identity deception (IC 35-43-5-3.8); or
        (3) a substantially similar crime committed in another jurisdiction.
    Sec. 2. (a) A person who has learned or reasonably suspects that the person has been the victim of identity theft may contact the local law enforcement agency that has jurisdiction over the person's residence. The local law enforcement agency shall take an official report of the matter and provide the complainant with a copy of that report. Even if jurisdiction lies elsewhere for investigation and prosecution of a crime of theft, the local law

enforcement agency shall take the complaint and provide the person with a copy of the complaint. The law enforcement authority may refer the complaint to a law enforcement agency in a different jurisdiction.
    (b) This section does not affect the discretion of a local law enforcement agency to allocate resources for investigation of crimes. A complaint filed under this section is not required to be counted as an open case for purposes of compiling open case statistics.

     Sec. 3. (a) A person who is injured by a crime of identity theft or who has filed a police report alleging commission of an offense of identity theft may file an application with the court in the jurisdiction where the person resides for the issuance of a court order declaring that the person is a victim of identity theft. A person may file an application under this section regardless of whether the person is able to identify each person who allegedly obtained, possessed, transferred, or used the person's identifying information in an unlawful manner.
    (b) A person is presumed to be a victim of identity theft under this section if another person is charged with and convicted of an offense of identity theft for unlawfully obtaining, possessing, transferring, or using the person's identifying information.
    (c) After notice and hearing, if the court is satisfied by a preponderance of the evidence that the applicant has been injured by a crime of identity theft, the court shall enter an order containing:
        (1) a declaration that the person filing the application is a victim of identity theft resulting from the commission of a crime of identity theft;
        (2) any known information identifying the violator or person charged with the offense;
        (3) the specific personal identifying information and any related document or record used to commit the alleged offense; and
        (4) information identifying any financial account or transaction affected by the alleged offense, including:
            (A) the name of the financial institution in which the account is established or of the merchant or creditor involved in the transaction, as appropriate;
            (B) any relevant account numbers;
            (C) the dollar amount of the account or transaction affected by the alleged offense; and


            (D) the date or dates of the offense.
    (d) An order issued under this section must be sealed because of the confidential nature of the information required to be included in the order. The order may be opened and the order or a copy of the order may be released only:
        (1) to the proper officials in a civil proceeding brought by or against the victim arising or resulting from the commission of a crime of identity theft, including a proceeding to set aside a judgment obtained against the victim;
        (2) to the victim for the purpose of submitting the copy of the order to a governmental entity or private business to:
            (A) prove that a financial transaction or account of the victim was directly affected by the commission of a crime of identity theft; and
            (B) correct any record of the entity or business that contains inaccurate or false information as a result of the offense;
        (3) on order of the judge; or
        (4) as otherwise required by law.
    (e) A court at any time may vacate an order issued under this section if the court finds that the application or any information submitted to the court by the applicant contains a fraudulent misrepresentation or a material misrepresentation of fact.
    (f) A copy of the order provided to a person under subsection (d)(2) must remain sealed throughout and after the civil proceeding. Information contained in a copy of an order provided to a governmental entity or business under subsection (d)(1) is confidential and may not be released to another person except as otherwise required by law.

SOURCE: IC 35-41-1-1; (09)IN1121.1.14. -->     SECTION 14. IC 35-41-1-1, AS AMENDED BY P.L.125-2006, SECTION 8, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 1. (a) As used in this section, "Indiana" includes:
        (1) the area within the boundaries of the state of Indiana, as set forth in Article 14, Section 1 of the Constitution of the State of Indiana;
        (2) the portion of the Ohio River on which Indiana possesses concurrent jurisdiction with the state of Kentucky under Article 14, Section 2 of the Constitution of the State of Indiana; and
        (3) the portion of the Wabash River on which Indiana possesses concurrent jurisdiction with the state of Illinois under Article 14, Section 2 of the Constitution of the State of Indiana.
    (b) A person may be convicted under Indiana law of an offense if:
        (1) either the conduct that is an element of the offense, the result that is an element, or both, occur in Indiana;
        (2) conduct occurring outside Indiana is sufficient under Indiana law to constitute an attempt to commit an offense in Indiana;
        (3) conduct occurring outside Indiana is sufficient under Indiana law to constitute a conspiracy to commit an offense in Indiana, and an overt act in furtherance of the conspiracy occurs in Indiana;
        (4) conduct occurring in Indiana establishes complicity in the commission of, or an attempt or conspiracy to commit, an offense in another jurisdiction that also is an offense under Indiana law;
        (5) the offense consists of the omission to perform a duty imposed by Indiana law with respect to domicile, residence, or a relationship to a person, thing, or transaction in Indiana;
        (6) conduct that is an element of the offense or the result of conduct that is an element of the offense, or both, involve the use of the Internet or another computer network (as defined in IC 35-43-2-3) and access to the Internet or other computer network occurs in Indiana; or
        (7) conduct:
            (A) involves the use of:
                (i) the Internet or another computer network (as defined in IC 35-43-2-3); or
                (ii) another form of electronic communication;
            (B) occurs outside Indiana and the victim of the offense resides in Indiana at the time of the offense; and
            (C) is sufficient under Indiana law to constitute an offense in Indiana.
    (c) When the offense is homicide, either the death of the victim or bodily impact causing death constitutes a result under subsection (b)(1). If the body of a homicide victim is found in Indiana, it is presumed that the result occurred in Indiana.
    (d) If the offense is identity deception or synthetic identity deception, the lack of the victim's consent constitutes conduct that is an element of the offense under subsection (b)(1). If a victim of identity deception or synthetic identity deception resides in Indiana when a person knowingly or intentionally obtains, possesses, transfers, or uses the victim's identifying information, it is presumed that the conduct that is the lack of the victim's consent occurred in Indiana.
SOURCE: IC 35-43-5-1; (09)IN1121.1.15. -->     SECTION 15. IC 35-43-5-1, AS AMENDED BY P.L.181-2005, SECTION 5, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 1. (a) The definitions set forth in this section apply

throughout this chapter.
    (b) "Claim statement" means an insurance policy, a document, or a statement made in support of or in opposition to a claim for payment or other benefit under an insurance policy, or other evidence of expense, injury, or loss. The term includes statements made orally, in writing, or electronically, including the following:
        (1) An account.
        (2) A bill for services.
        (3) A bill of lading.
        (4) A claim.
        (5) A diagnosis.
        (6) An estimate of property damages.
        (7) A hospital record.
        (8) An invoice.
        (9) A notice.
        (10) A proof of loss.
        (11) A receipt for payment.
        (12) A physician's records.
        (13) A prescription.
        (14) A statement.
        (15) A test result.
        (16) X-rays.
    (c) "Coin machine" means a coin box, vending machine, or other mechanical or electronic device or receptacle designed:
        (1) to receive a coin, bill, or token made for that purpose; and
        (2) in return for the insertion or deposit of a coin, bill, or token automatically:
            (A) to offer, provide, or assist in providing; or
            (B) to permit the acquisition of;
        some property.
    (d) "Credit card" means an instrument or device (whether known as a credit card or charge plate, or by any other name) issued by an issuer for use by or on behalf of the credit card holder in obtaining property.
    (e) "Credit card holder" means the person to whom or for whose benefit the credit card is issued by an issuer.
    (f) "Customer" means a person who receives or has contracted for a utility service.
    (g) "Drug or alcohol screening test" means a test that:
        (1) is used to determine the presence or use of alcohol, a controlled substance, or a drug in a person's bodily substance; and
        (2) is administered in the course of monitoring a person who is:
            (A) incarcerated in a prison or jail;


            (B) placed in a community corrections program;
            (C) on probation or parole;
            (D) participating in a court ordered alcohol or drug treatment program; or
            (E) on court ordered pretrial release.
    (h) "Entrusted" means held in a fiduciary capacity or placed in charge of a person engaged in the business of transporting, storing, lending on, or otherwise holding property of others.
    (i) "Identifying information" means information that identifies an individual, a person, including an individual's a person's:
        (1) name, address, date of birth, place of employment, employer identification number, mother's maiden name, Social Security number, or any identification number issued by a governmental entity;
        (2) unique biometric data, including the individual's person's fingerprint, voice print, or retina or iris image;
        (3) unique electronic identification number, address, or routing code;
        (4) telecommunication identifying information; or
        (5) telecommunication access device, including a card, a plate, a code, a telephone number, an account number, a personal identification number, an electronic serial number, a mobile identification number, or another telecommunications service or device or means of account access that may be used to:
            (A) obtain money, goods, services, or any other thing of value; or
            (B) initiate a transfer of funds.
    (j) "Insurance policy" includes the following:
        (1) An insurance policy.
        (2) A contract with a health maintenance organization (as defined in IC 27-13-1-19) or a limited service health maintenance organization (as defined in IC 27-13-1-27).
        (3) A written agreement entered into under IC 27-1-25.
    (k) "Insurer" has the meaning set forth in IC 27-1-2-3(x). The term also includes the following:
        (1) A reinsurer.
        (2) A purported insurer or reinsurer.
        (3) A broker.
        (4) An agent of an insurer, a reinsurer, a purported insurer or reinsurer, or a broker.
        (5) A health maintenance organization.
        (6) A limited service health maintenance organization.
    (l) "Manufacturer" means a person who manufactures a recording. The term does not include a person who manufactures a medium upon which sounds or visual images can be recorded or stored.
    (m) "Make" means to draw, prepare, complete, counterfeit, copy or otherwise reproduce, or alter any written instrument in whole or in part.
    (n) "Metering device" means a mechanism or system used by a utility to measure or record the quantity of services received by a customer.
    (o) "Public relief or assistance" means any payment made, service rendered, hospitalization provided, or other benefit extended to a person by a governmental entity from public funds and includes township assistance, food stamps, direct relief, unemployment compensation, and any other form of support or aid.
    (p) "Recording" means a tangible medium upon which sounds or visual images are recorded or stored. The term includes the following:
        (1) An original:
            (A) phonograph record;
            (B) compact disc;
            (C) wire;
            (D) tape;
            (E) audio cassette;
            (F) video cassette; or
            (G) film.
        (2) Any other medium on which sounds or visual images are or can be recorded or otherwise stored.
        (3) A copy or reproduction of an item in subdivision (1) or (2) that duplicates an original recording in whole or in part.
    (q) "Slug" means an article or object that is capable of being deposited in a coin machine as an improper substitute for a genuine coin, bill, or token.
     (r) "Synthetic identifying information" means identifying information that identifies a person other than the person who is using the information but that does not belong in its entirety to any live or deceased person.
    (r) (s) "Utility" means a person who owns or operates, for public use, any plant, equipment, property, franchise, or license for the production, storage, transmission, sale, or delivery of electricity, water, steam, telecommunications, information, or gas.
    (s) (t) "Written instrument" means a paper, a document, or other instrument containing written matter and includes money, coins, tokens, stamps, seals, credit cards, badges, trademarks, medals, retail sales receipts, labels or markings (including a universal product code

(UPC) or another product identification code), or other objects or symbols of value, right, privilege, or identification.

SOURCE: IC 35-43-5-3.5; (09)IN1121.1.16. -->     SECTION 16. IC 35-43-5-3.5, AS AMENDED BY P.L.125-2006, SECTION 9, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 3.5. (a) Except as provided in subsection (c), a person who knowingly or intentionally obtains, possesses, transfers, or uses the identifying information of another person, including the identifying information of a person who is deceased:
        (1) without the other person's consent; and
        (2) with intent to:
            (A) harm or defraud another person;
            (B) assume another person's identity; or
            (C) profess to be another person;
commits identity deception, a Class D felony.
    (b) However, the offense defined in subsection (a) is a Class C felony if:
        (1) a person obtains, possesses, transfers, or uses the identifying information of more than one hundred (100) persons; or
        (2) the fair market value of the fraud or harm caused by the offense is at least fifty thousand dollars ($50,000); or
        (3) a person obtains, possesses, transfers, or uses the identifying information of the person's child.

    (c) The conduct prohibited in subsections (a) and (b) does not apply to:
        (1) a person less than twenty-one (21) years of age who uses the identifying information of another person to acquire an alcoholic beverage (as defined in IC 7.1-1-3-5);
        (2) a minor (as defined in IC 35-49-1-4) who uses the identifying information of another person to acquire:
            (A) a cigarette or tobacco product (as defined in IC 6-7-2-5);
            (B) a periodical, a videotape, or other communication medium that contains or depicts nudity (as defined in IC 35-49-1-5);
            (C) admittance to a performance (live or film) that prohibits the attendance of the minor based on age; or
            (D) an item that is prohibited by law for use or consumption by a minor; or
        (3) any person who uses the identifying information for a lawful purpose.
    (d) It is not a defense in a prosecution under subsection (a) or (b) that no person was harmed or defrauded.
SOURCE: IC 35-43-5-3.8; (09)IN1121.1.17. -->     SECTION 17. IC 35-43-5-3.8 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS

[EFFECTIVE JULY 1, 2009]: Sec. 3.8. (a) A person who knowingly or intentionally obtains, possesses, transfers, or uses the synthetic identifying information of another person:
        (1) with intent to harm or defraud another person;
        (2) with intent to assume another person's identity;
        (3) with intent to profess to be another person; or
        (4) with intent to conceal the person's actual identity;
commits synthetic identity deception, a Class D felony.
    (b) The offense under subsection (a) is a Class C felony if:
        (1) a person obtains, possesses, transfers, or uses the synthetic identifying information of more than one hundred (100) persons; or
        (2) the fair market value of the fraud or harm caused by the offense is at least fifty thousand dollars ($50,000).
    (c) The conduct prohibited in subsections (a) and (b) does not apply to:
        (1) a person less than twenty-one (21) years of age who uses the synthetic identifying information of another person to acquire an alcoholic beverage (as defined in IC 7.1-1-3-5); or
        (2) a minor (as defined in IC 35-49-1-4) who uses the synthetic identifying information of another person to acquire:
            (A) a cigarette or tobacco product (as defined in IC 6-7-2-5);
            (B) a periodical, a videotape, or other communication medium that contains or depicts nudity (as defined in IC 35-49-1-5);
            (C) admittance to a performance (live or on film) that prohibits the attendance of the minor based on age; or
            (D) an item that is prohibited by law for use or consumption by a minor.
    (d) It is not a defense in a prosecution under subsection (a) or (b) that no person was harmed or defrauded.

SOURCE: IC 35-43-5-4.3; (09)IN1121.1.18. -->     SECTION 18. IC 35-43-5-4.3, AS ADDED BY P.L.125-2006, SECTION 10, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]: Sec. 4.3. (a) As used in this section, "card skimming device" means a device that is designed to read information encoded on a credit card. The term includes a device designed to read, record, or transmit information encoded on a credit card:
        (1) directly from a credit card; or
        (2) from another device that reads information directly from a credit card.
    (b) A person who possesses a card skimming device with intent to

commit:
        (1) identity deception (IC 35-43-5-3.5);
         (2) synthetic identity deception (IC 35-43-5-3.8);
        
(2) (3) fraud (IC 35-43-5-4); or
        (3) (4) terroristic deception (IC 35-43-5-3.6);
commits unlawful possession of a card skimming device. Unlawful possession of a card skimming device under subdivision (1), or (2), or (3) is a Class D felony. Unlawful possession of a card skimming device under subdivision (3) (4) is a Class C felony.

SOURCE: ; (09)IN1121.1.19. -->     SECTION 19. [EFFECTIVE JULY 1, 2009] IC 35-43-5-3.8, as added by this act, and IC 35-43-5-3.5 and IC 35-43-5-4.3, both as amended by this act, apply only to crimes committed after June 30, 2009.