Introduced Version
HOUSE BILL No. 1121
_____
DIGEST OF INTRODUCED BILL
Citations Affected: IC 4-6; IC 24-4.9; IC 24-5-26; IC 35-32-2-6;
IC 35-37-4-6; IC 35-40-14; IC 35-41-1-1; IC 35-43-5.
Synopsis: Identity theft. Creates the identity theft unit (unit) in the
office of the attorney general. Specifies that the unit shall: (1)
investigate consumer complaints related to identity theft; (2) assist
victims of identity theft; (3) cooperate with law enforcement
investigations related to identity theft; and (4) assist state and federal
prosecutors in the investigation and prosecution of identity theft.
Authorizes certain agencies to cooperate with the unit in investigating
identity theft. Authorizes a prosecuting attorney to deputize the
attorney general or a deputy attorney general to assist in the
prosecution of an identity theft case. Provides that the unit may
establish an educational program to inform consumers concerning
identity theft. Requires the owner of a data base to notify the attorney
general and the owner's regulator, if applicable, of a breach of the
security of data. Specifies certain information that a data base owner
must disclose if there is a breach of the security of data. Establishes a
rebuttable presumption that failing to notify affected persons within 30
days after discovering a breach constitutes unreasonable delay, and
requires a data base owner to take certain steps to safeguard data.
Provides certain rights to the victims of identity theft. Increases the
penalty for identity deception committed against a person's child to a
Class C felony. Provides that unlawfully using information that
identifies a person other than the person who is using the information
but that does not belong in its entirety to any live or deceased person
constitutes synthetic identity deception. Makes other changes and
conforming amendments.
Effective: July 1, 2009.
Lawson L, Foley
January 8, 2009, read first time and referred to Committee on Judiciary.
Introduced
First Regular Session 116th General Assembly (2009)
PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
Constitution) is being amended, the text of the existing provision will appear in this style type,
additions will appear in
this style type, and deletions will appear in
this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional
provision adopted), the text of the new provision will appear in
this style type. Also, the
word
NEW will appear in that style type in the introductory clause of each SECTION that adds
a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in
this style type or
this style type reconciles conflicts
between statutes enacted by the 2008 Regular Session of the General Assembly.
HOUSE BILL No. 1121
A BILL FOR AN ACT to amend the Indiana Code concerning
criminal law and procedure.
Be it enacted by the General Assembly of the State of Indiana:
SOURCE: IC 4-6-9-7.5; (09)IN1121.1.1. -->
SECTION 1. IC 4-6-9-7.5, AS ADDED BY P.L.136-2008,
SECTION 1, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 7.5. The division may initiate and maintain an
educational program to inform consumers of:
(1) risks involved in a breach of the security of a system data; and
(2) steps that the victim of a security breach should take to
prevent and mitigate the damage from the security breach.
SOURCE: IC 4-6-13; (09)IN1121.1.2. -->
SECTION 2. IC 4-6-13 IS ADDED TO THE INDIANA CODE AS
A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY
1, 2009]:
Chapter 13. Identity Theft Unit
Sec. 1. As used in this chapter, "unit" refers to the identity theft
unit established under section 2 of this chapter.
Sec. 2. The attorney general shall establish an identity theft unit
to assist prosecuting attorneys in enforcing identity deception
(IC 35-43-5-3.5) and related criminal statutes and to carry out this
chapter.
Sec. 3. (a) The unit shall do the following:
(1) Investigate consumer complaints regarding identity theft,
identity deception, fraud, deception, and related matters.
(2) Assist victims of identity theft, identity deception, fraud,
deception, and related crimes in obtaining refunds in relation
to fraudulent or authorized charges or debits, canceling
fraudulent accounts, correcting false information in consumer
reports caused by identity deception, correcting false
information in personnel files and court records, and related
matters.
(3) Cooperate with federal, state, and local law enforcement
agencies in the investigation of identity theft, identity
deception, fraud, deception, violations of the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.), and related crimes. To
the extent authorized by federal law, the unit may enforce
compliance with the federal statutes or regulations described
in this subdivision or refer suspected violations of the statutes
or regulations to the appropriate federal regulatory agencies.
(4) Assist state and federal prosecutors in the investigation
and prosecution of identity theft, identity deception, fraud,
deception, and related crimes.
(b) The attorney general shall adopt rules under IC 4-22-2 to the
extent necessary to organize the unit.
Sec. 4. The attorney general may do any of the following when
conducting an investigation under section 3 of this chapter:
(1) Issue and serve a subpoena for the production of records,
including records stored in electronic data processing systems,
books, papers, and documents for inspection by the attorney
general or the investigator.
(2) Issue and serve a subpoena for the appearance of a person
to provide testimony under oath.
(3) Apply to a court with jurisdiction to enforce a subpoena
described in subdivision (1) or (2).
Sec. 5. (a) The following may cooperate with the unit to
implement this chapter:
(1) The bureau of motor vehicles.
(2) The secretary of state.
(3) The department of financial institutions.
(4) The department of insurance.
(5) The state police department.
(6) The department of workforce development.
(7) The department of state revenue.
(8) A prosecuting attorney.
(9) Local law enforcement agencies.
(b) Notwithstanding IC 5-14-3, the entities listed in subsection
(a) may share information with the unit.
Sec. 6. The establishment of the unit and the unit's powers does
not limit the jurisdiction of an entity described in section 5 of this
chapter.
Sec. 7. A prosecuting attorney may deputize the attorney
general or a deputy attorney general for purposes of the
prosecution of an identity deception offense or a related offense.
Sec. 8. The unit may initiate and maintain an educational
program to inform consumers of:
(1) risks relating to identity deception and similar crimes;
(2) steps consumers may take to minimize their risks of
becoming a victim of identity deception;
(3) methods to detect identity deception and similar crimes;
(4) measures that identity deception victims may take to
recover from the crime and to hold the perpetrator of the
crime accountable in a court of law.
SOURCE: IC 24-4.9-2-2; (09)IN1121.1.3. -->
SECTION 3. IC 24-4.9-2-2, AS AMENDED BY P.L.136-2008,
SECTION 2, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 2. (a) "Breach of the security of
a system" data"
means unauthorized acquisition of computerized data that compromises
the security, confidentiality, or integrity of personal information
maintained by a person. The term includes the unauthorized acquisition
of computerized data that have been transferred to another medium,
including paper, microfilm, or a similar medium, even if the transferred
data are no longer in a computerized format.
(b) The term does not include the following:
(1) Good faith acquisition of personal information by an employee
or agent of the person for lawful purposes of the person, if the
personal information is not used or subject to further unauthorized
disclosure.
(2) Unauthorized acquisition of a portable electronic device on
which personal information is stored, if all personal information
on the device is protected by encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who,
without authorization, acquired or has access to the portable
electronic device.
(c) If a data base owner discloses a breach under
IC 24-4.9-3-1(a), the data base owner shall also disclose the breach
to:
(1) the data base owner's primary regulator, if the data base
owner is regulated; and
(2) the attorney general.
SOURCE: IC 24-4.9-3-1; (09)IN1121.1.4. -->
SECTION 4. IC 24-4.9-3-1, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 1. (a) Except as provided in section 4(c), 4(d), and
4(e) of this chapter, after discovering or being notified of a breach of
the security of a system, data, the data base owner shall disclose the
breach to an Indiana resident whose:
(1) unencrypted personal information was or may have been
acquired by an unauthorized person; or
(2) encrypted personal information was or may have been
acquired by an unauthorized person with access to the encryption
key;
if the data base owner knows, should know, or should have known that
the unauthorized acquisition constituting the breach has resulted in or
could result in identity deception (as defined in IC 35-43-5-3.5),
synthetic identity deception (IC 35-43-5-3.8), identity theft, or fraud
affecting the Indiana resident.
(b) A data base owner required to make a disclosure under
subsection (a) to more than one thousand (1,000) consumers shall also
disclose to each consumer reporting agency (as defined in 15 U.S.C.
1681a(p)) information necessary to assist the consumer reporting
agency in preventing fraud, including personal information of an
Indiana resident affected by the breach of the security of a system.
SOURCE: IC 24-4.9-3-1.5; (09)IN1121.1.5. -->
SECTION 5. IC 24-4.9-3-1.5 IS ADDED TO THE INDIANA
CODE AS A NEW SECTION TO READ AS FOLLOWS
[EFFECTIVE JULY 1, 2009]: Sec. 1.5. A disclosure made under
section 1 of this chapter must include the following:
(1) A general description of the cause of the breach of the
security of data.
(2) The date on which the data base owner discovered or was
notified of the breach.
(3) The type or types of personal information that was subject
to unauthorized acquisition in connection with the breach.
(4) The period during which the Indiana resident's personal
information was subject to unauthorized acquisition in
connection with the breach.
(5) Information about persons who may have acquired,
viewed, or obtained an Indiana resident's personal
information in connection with the breach.
(6) Information about persons who may have used the Indiana
resident's personal information for unauthorized purposes.
(7) Steps that the data base owner has taken or plans to take
to prevent further unauthorized access to or dissemination of
the Indiana resident's personal information.
SOURCE: IC 24-4.9-3-3; (09)IN1121.1.6. -->
SECTION 6. IC 24-4.9-3-3, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 3. (a) A person required to make a disclosure or
notification under this chapter shall make the disclosure or notification
without unreasonable delay. For purposes of this section, a delay is
reasonable if the delay is:
(1) necessary to restore the integrity of the computer system;
(2) necessary to discover the scope of the breach; or
(3) in response to a request from the attorney general or a law
enforcement agency to delay disclosure because disclosure will:
(A) impede a criminal or civil investigation; or
(B) jeopardize national security.
(b) A person required to make a disclosure or notification under this
chapter shall make the disclosure or notification as soon as possible
after:
(1) delay is no longer necessary to restore the integrity of the
computer system or to discover the scope of the breach; or
(2) the attorney general or a law enforcement agency notifies the
person that delay will no longer impede a criminal or civil
investigation or jeopardize national security.
(c) Subject to the reasonable delays described in subsection (a),
there is a rebuttable presumption that failing to notify affected
persons within thirty (30) days after discovering or being notified
of a breach constitutes unreasonable delay.
SOURCE: IC 24-4.9-3-3.5; (09)IN1121.1.7. -->
SECTION 7. IC 24-4.9-3-3.5 IS ADDED TO THE INDIANA
CODE AS A
NEW SECTION TO READ AS FOLLOWS
[EFFECTIVE JULY 1, 2009]:
Sec. 3.5. (a) A data base owner shall
implement and maintain reasonable procedures, including taking
any appropriate corrective action, to protect and safeguard from
unlawful use or disclosure any personal information of Indiana
residents collected or maintained by the data base owner.
(b) A data base owner shall not dispose of records or documents
containing unencrypted and unredacted personal information of
Indiana residents without shredding, incinerating, mutilating,
erasing, or otherwise rendering the personal information illegible
or unusable.
(c) A person that fails to comply with any provision of this
chapter commits a deceptive act that is actionable only by the
attorney general under this chapter.
(d) The attorney general may bring an action under this chapter
to obtain any or all of the following:
(1) An injunction to enjoin further violations of this section.
(2) A civil penalty of not more than five thousand dollars
($5,000) per deceptive act.
(3) The attorney general's reasonable costs in:
(A) the investigation of the deceptive act; and
(B) maintaining the action.
SOURCE: IC 24-4.9-3-4; (09)IN1121.1.8. -->
SECTION 8. IC 24-4.9-3-4, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 4. (a) Except as provided in subsection (b), a data
base owner required to make a disclosure under this chapter shall make
the disclosure using one (1) of the following methods:
(1) Mail.
(2) Telephone.
(3) Facsimile (fax).
(4) Electronic mail, if the data base owner has the electronic mail
address of the affected Indiana resident.
(b) If a data base owner required to make a disclosure under this
chapter is required to make the disclosure to more than five hundred
thousand (500,000) Indiana residents, or if the data base owner
required to make a disclosure under this chapter determines that the
cost of the disclosure will be more than two hundred fifty thousand
dollars ($250,000), the data base owner required to make a disclosure
under this chapter may elect to make the disclosure by using both of the
following methods:
(1) Conspicuous posting of the notice on the web site of the data
base owner, if the data base owner maintains a web site.
(2) Notice to major news reporting media in the geographic area
where Indiana residents affected by the breach of the security of
a system reside.
(c) A data base owner that maintains its own disclosure procedures
as part of an information privacy policy or a security policy is not
required to make a separate disclosure under this chapter if the data
base owner's information privacy policy or security policy is at least as
stringent as the disclosure requirements described in:
(1) sections 1 through 4(b) of this chapter;
(2) subsection (d); or
(3) subsection (e).
(d) A data base owner that maintains its own disclosure procedures
as part of an information privacy, security policy, or compliance plan
under:
(1) the federal USA Patriot PATRIOT Act (P.L. 107-56);
(2) Executive Order 13224;
(3) the federal Driver's Privacy Protection Act (18 U.S.C. 2781 et
seq.);
(4) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(5) the federal Financial Modernization Act of 1999 (15 U.S.C.
6801 et seq.); or
(6) the federal Health Insurance Portability and Accountability
Act (HIPAA) (P.L. 104-191);
is not required to make a disclosure under this chapter if the data base
owner's information privacy, security policy, or compliance plan
requires that Indiana residents be notified of a breach of the security of
a system data without unreasonable delay and the data base owner
complies with the data base owner's information privacy, security
policy, or compliance plan.
(e) A financial institution that complies with the disclosure
requirements prescribed by the Federal Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information
and Customer Notice or the Guidance on Response Programs for
Unauthorized Access to Member Information and Member Notice, as
applicable, is not required to make a disclosure under this chapter.
(f) A person required to make a disclosure under this chapter may
elect to make all or part of the disclosure in accordance with subsection
(a) even if the person could make the disclosure in accordance with
subsection (b).
SOURCE: IC 24-4.9-4-1; (09)IN1121.1.9. -->
SECTION 9. IC 24-4.9-4-1, AS ADDED BY P.L.125-2006,
SECTION 6, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 1. (a) A person that is required to make a
disclosure or notification in accordance with IC 24-4.9-3 and that fails
to comply with any provision of this article commits a deceptive act
that is actionable only by the attorney general under this chapter.
(b) A failure to make a required disclosure or notification in
connection with a related series of breaches of the security of a system
data constitutes one (1) deceptive act.
SOURCE: IC 24-5-26; (09)IN1121.1.10. -->
SECTION 10. IC 24-5-26 IS ADDED TO THE INDIANA CODE
AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]:
Chapter 26. Identity Theft
Sec. 1. As used in this chapter, "identity theft" means:
(1) identity deception (IC 35-43-5-3.5);
(2) synthetic identity deception (IC 35-43-5-3.8); or
(3) a substantially similar crime committed in another
jurisdiction.
Sec. 2. A person shall not do any of the following in the conduct
of trade or commerce:
(1) Deny credit or public utility service to or reduce the credit
limit of a consumer solely because the consumer was a victim
of identity theft, if the person had prior knowledge that the
consumer was a victim of identity deception or synthetic
identity deception. A consumer is presumed to be a victim of
identity theft for purposes of this subdivision if the consumer
provides the following to the person:
(A) A copy of a police report evidencing the claim of the
victim of identity theft.
(B) Either:
(i) a properly completed copy of a standardized affidavit
of identity theft developed and made available by the
Federal Trade Commission under 15 U.S.C. 1681g; or
(ii) an affidavit of fact that is acceptable to the person for
that purpose.
(2) Solicit to extend credit to a consumer who does not have
an existing line of credit, or has not had or applied for a line
of credit within the preceding year, through the use of an
unsolicited check that includes personal identifying
information other than the recipient's name, address, and a
partial, encoded, or truncated personal identifying number.
In addition to any other penalty or remedy under this chapter
or under IC 24-5-0.5, a credit card issuer, financial institution,
or other lender that violates this subdivision, and not the
consumer, is liable for the amount of the instrument if the
instrument is used by an unauthorized user and for any fees
assessed to the consumer if the instrument is dishonored.
(3) Solicit to extend credit to a consumer who does not have a
current credit card, or has not had or applied for a credit
card within the preceding year, through the use of an
unsolicited credit card sent to the consumer. In addition to
any other penalty or remedy under this chapter or under
IC 24-5-0.5, a credit card issuer, financial institution, or other
lender that violates this subdivision, and not the consumer, is
liable for any charges if the credit card is used by an
unauthorized user and for any interest or finance charges
assessed to the consumer.
(4) Extend credit to a consumer without exercising reasonable
procedures to verify the identity of that consumer.
Compliance with regulations issued for depository
institutions, and to be issued for other financial institutions,
by the United States Department of Treasury under Section
326 of the USA PATRIOT Act, 31 U.S.C. 5318, is considered
compliance with this subdivision. This subdivision does not
apply to a purchase of a credit obligation in an acquisition, a
merger, a purchase of assets, or an assumption of liabilities or
any change to or review of an existing credit account.
Sec. 3. A person who knowingly or intentionally violates this
chapter commits a deceptive act that is actionable by the attorney
general under IC 24-5-0.5-4 and is subject to the penalties and
remedies available to the attorney general under IC 24-5-0.5. This
section does not affect the availability of any civil remedy for a
violation of this chapter, IC 24-5-0.5, or any other state or federal
law.
SOURCE: IC 35-32-2-6; (09)IN1121.1.11. -->
SECTION 11. IC 35-32-2-6, AS ADDED BY P.L.125-2006,
SECTION 7, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 6. (a) Subject to subsection (b), a person who
commits the offense of identity deception or synthetic identity
deception may be tried in a county in which:
(1) the victim resides; or
(2) the person:
(A) obtains;
(B) possesses;
(C) transfers; or
(D) uses;
the information used to commit the offense.
(b) If:
(1) a person is charged with more than one (1) offense of identity
deception or synthetic identity deception, or if a person is
charged with both identity deception and synthetic identity
deception; and
(2) either:
(A) the victims of the crimes reside in more than one (1)
county; or
(B) the person performs an act described in subsection (a)(2)
in more than one (1) county;
the person may be tried in any county described in subdivision (2).
SOURCE: IC 35-37-4-6; (09)IN1121.1.12. -->
SECTION 12. IC 35-37-4-6, AS AMENDED BY P.L.99-2007,
SECTION 207, IS AMENDED TO READ AS FOLLOWS
[EFFECTIVE JULY 1, 2009]: Sec. 6. (a) This section applies to a
criminal action involving the following offenses where the victim is a
protected person under subsection (c)(1) or (c)(2):
(1) Sex crimes (IC 35-42-4).
(2) Battery upon a child (IC 35-42-2-1(a)(2)(B)).
(3) Kidnapping and confinement (IC 35-42-3).
(4) Incest (IC 35-46-1-3).
(5) Neglect of a dependent (IC 35-46-1-4).
(6) Human and sexual trafficking crimes (IC 35-42-3.5).
(7) An attempt under IC 35-41-5-1 for an offense listed in
subdivisions (1) through (6).
(b) This section applies to a criminal action involving the following
offenses where the victim is a protected person under subsection (c)(3):
(1) Exploitation of a dependent or endangered adult
(IC 35-46-1-12).
(2) A sex crime (IC 35-42-4).
(3) Battery (IC 35-42-2-1).
(4) Kidnapping, confinement, or interference with custody
(IC 35-42-3).
(5) Home improvement fraud (IC 35-43-6).
(6) Fraud (IC 35-43-5).
(7) Identity deception (IC 35-43-5-3.5).
(8) Synthetic identity deception (IC 35-43-5-3.8).
(8) (9) Theft (IC 35-43-4-2).
(9) (10) Conversion (IC 35-43-4-3).
(10) (11) Neglect of a dependent (IC 35-46-1-4).
(11) (12) Human and sexual trafficking crimes (IC 35-42-3.5).
(c) As used in this section, "protected person" means:
(1) a child who is less than fourteen (14) years of age;
(2) an individual with a mental disability who has a disability
attributable to an impairment of general intellectual functioning
or adaptive behavior that:
(A) is manifested before the individual is eighteen (18) years
of age;
(B) is likely to continue indefinitely;
(C) constitutes a substantial impairment of the individual's
ability to function normally in society; and
(D) reflects the individual's need for a combination and
sequence of special, interdisciplinary, or generic care,
treatment, or other services that are of lifelong or extended
duration and are individually planned and coordinated; or
(3) an individual who is:
(A) at least eighteen (18) years of age; and
(B) incapable by reason of mental illness, mental retardation,
dementia, or other physical or mental incapacity of:
(i) managing or directing the management of the individual's
property; or
(ii) providing or directing the provision of self-care.
(d) A statement or videotape that:
(1) is made by a person who at the time of trial is a protected
person;
(2) concerns an act that is a material element of an offense listed
in subsection (a) or (b) that was allegedly committed against the
person; and
(3) is not otherwise admissible in evidence;
is admissible in evidence in a criminal action for an offense listed in
subsection (a) or (b) if the requirements of subsection (e) are met.
(e) A statement or videotape described in subsection (d) is
admissible in evidence in a criminal action listed in subsection (a) or
(b) if, after notice to the defendant of a hearing and of the defendant's
right to be present, all of the following conditions are met:
(1) The court finds, in a hearing:
(A) conducted outside the presence of the jury; and
(B) attended by the protected person;
that the time, content, and circumstances of the statement or
videotape provide sufficient indications of reliability.
(2) The protected person:
(A) testifies at the trial; or
(B) is found by the court to be unavailable as a witness for one
(1) of the following reasons:
(i) From the testimony of a psychiatrist, physician, or
psychologist, and other evidence, if any, the court finds that
the protected person's testifying in the physical presence of
the defendant will cause the protected person to suffer
serious emotional distress such that the protected person
cannot reasonably communicate.
(ii) The protected person cannot participate in the trial for
medical reasons.
(iii) The court has determined that the protected person is
incapable of understanding the nature and obligation of an
oath.
(f) If a protected person is unavailable to testify at the trial for a
reason listed in subsection (e)(2)(B), a statement or videotape may be
admitted in evidence under this section only if the protected person was
available for cross-examination:
(1) at the hearing described in subsection (e)(1); or
(2) when the statement or videotape was made.
(g) A statement or videotape may not be admitted in evidence under
this section unless the prosecuting attorney informs the defendant and
the defendant's attorney at least ten (10) days before the trial of:
(1) the prosecuting attorney's intention to introduce the statement
or videotape in evidence; and
(2) the content of the statement or videotape.
(h) If a statement or videotape is admitted in evidence under this
section, the court shall instruct the jury that it is for the jury to
determine the weight and credit to be given the statement or videotape
and that, in making that determination, the jury shall consider the
following:
(1) The mental and physical age of the person making the
statement or videotape.
(2) The nature of the statement or videotape.
(3) The circumstances under which the statement or videotape
was made.
(4) Other relevant factors.
(i) If a statement or videotape described in subsection (d) is
admitted into evidence under this section, a defendant may introduce
a:
(1) transcript; or
(2) videotape;
of the hearing held under subsection (e)(1) into evidence at trial.
SOURCE: IC 35-40-14; (09)IN1121.1.13. -->
SECTION 13. IC 35-40-14 IS ADDED TO THE INDIANA CODE
AS A
NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]:
Chapter 14. Rights of Victims of Identity Deception
Sec. 1. As used in this chapter, "identity theft" means:
(1) identity deception (IC 35-43-5-3.5);
(2) synthetic identity deception (IC 35-43-5-3.8); or
(3) a substantially similar crime committed in another
jurisdiction.
Sec. 2. (a) A person who has learned or reasonably suspects that
the person has been the victim of identity theft may contact the
local law enforcement agency that has jurisdiction over the
person's residence. The local law enforcement agency shall take an
official report of the matter and provide the complainant with a
copy of that report. Even if jurisdiction lies elsewhere for
investigation and prosecution of a crime of theft, the local law
enforcement agency shall take the complaint and provide the
person with a copy of the complaint. The law enforcement
authority may refer the complaint to a law enforcement agency in
a different jurisdiction.
(b) This section does not affect the discretion of a local law
enforcement agency to allocate resources for investigation of
crimes. A complaint filed under this section is not required to be
counted as an open case for purposes of compiling open case
statistics.
Sec. 3. (a) A person who is injured by a crime of identity theft or
who has filed a police report alleging commission of an offense of
identity theft may file an application with the court in the
jurisdiction where the person resides for the issuance of a court
order declaring that the person is a victim of identity theft. A
person may file an application under this section regardless of
whether the person is able to identify each person who allegedly
obtained, possessed, transferred, or used the person's identifying
information in an unlawful manner.
(b) A person is presumed to be a victim of identity theft under
this section if another person is charged with and convicted of an
offense of identity theft for unlawfully obtaining, possessing,
transferring, or using the person's identifying information.
(c) After notice and hearing, if the court is satisfied by a
preponderance of the evidence that the applicant has been injured
by a crime of identity theft, the court shall enter an order
containing:
(1) a declaration that the person filing the application is a
victim of identity theft resulting from the commission of a
crime of identity theft;
(2) any known information identifying the violator or person
charged with the offense;
(3) the specific personal identifying information and any
related document or record used to commit the alleged
offense; and
(4) information identifying any financial account or
transaction affected by the alleged offense, including:
(A) the name of the financial institution in which the
account is established or of the merchant or creditor
involved in the transaction, as appropriate;
(B) any relevant account numbers;
(C) the dollar amount of the account or transaction
affected by the alleged offense; and
(D) the date or dates of the offense.
(d) An order issued under this section must be sealed because of
the confidential nature of the information required to be included
in the order. The order may be opened and the order or a copy of
the order may be released only:
(1) to the proper officials in a civil proceeding brought by or
against the victim arising or resulting from the commission of
a crime of identity theft, including a proceeding to set aside a
judgment obtained against the victim;
(2) to the victim for the purpose of submitting the copy of the
order to a governmental entity or private business to:
(A) prove that a financial transaction or account of the
victim was directly affected by the commission of a crime
of identity theft; and
(B) correct any record of the entity or business that
contains inaccurate or false information as a result of the
offense;
(3) on order of the judge; or
(4) as otherwise required by law.
(e) A court at any time may vacate an order issued under this
section if the court finds that the application or any information
submitted to the court by the applicant contains a fraudulent
misrepresentation or a material misrepresentation of fact.
(f) A copy of the order provided to a person under subsection
(d)(2) must remain sealed throughout and after the civil
proceeding. Information contained in a copy of an order provided
to a governmental entity or business under subsection (d)(1) is
confidential and may not be released to another person except as
otherwise required by law.
SOURCE: IC 35-41-1-1; (09)IN1121.1.14. -->
SECTION 14. IC 35-41-1-1, AS AMENDED BY P.L.125-2006,
SECTION 8, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 1. (a) As used in this section, "Indiana" includes:
(1) the area within the boundaries of the state of Indiana, as set
forth in Article 14, Section 1 of the Constitution of the State of
Indiana;
(2) the portion of the Ohio River on which Indiana possesses
concurrent jurisdiction with the state of Kentucky under Article
14, Section 2 of the Constitution of the State of Indiana; and
(3) the portion of the Wabash River on which Indiana possesses
concurrent jurisdiction with the state of Illinois under Article 14,
Section 2 of the Constitution of the State of Indiana.
(b) A person may be convicted under Indiana law of an offense if:
(1) either the conduct that is an element of the offense, the result
that is an element, or both, occur in Indiana;
(2) conduct occurring outside Indiana is sufficient under Indiana
law to constitute an attempt to commit an offense in Indiana;
(3) conduct occurring outside Indiana is sufficient under Indiana
law to constitute a conspiracy to commit an offense in Indiana,
and an overt act in furtherance of the conspiracy occurs in
Indiana;
(4) conduct occurring in Indiana establishes complicity in the
commission of, or an attempt or conspiracy to commit, an offense
in another jurisdiction that also is an offense under Indiana law;
(5) the offense consists of the omission to perform a duty imposed
by Indiana law with respect to domicile, residence, or a
relationship to a person, thing, or transaction in Indiana;
(6) conduct that is an element of the offense or the result of
conduct that is an element of the offense, or both, involve the use
of the Internet or another computer network (as defined in
IC 35-43-2-3) and access to the Internet or other computer
network occurs in Indiana; or
(7) conduct:
(A) involves the use of:
(i) the Internet or another computer network (as defined in
IC 35-43-2-3); or
(ii) another form of electronic communication;
(B) occurs outside Indiana and the victim of the offense
resides in Indiana at the time of the offense; and
(C) is sufficient under Indiana law to constitute an offense in
Indiana.
(c) When the offense is homicide, either the death of the victim or
bodily impact causing death constitutes a result under subsection
(b)(1). If the body of a homicide victim is found in Indiana, it is
presumed that the result occurred in Indiana.
(d) If the offense is identity deception or synthetic identity
deception, the lack of the victim's consent constitutes conduct that is
an element of the offense under subsection (b)(1). If a victim of identity
deception or synthetic identity deception resides in Indiana when a
person knowingly or intentionally obtains, possesses, transfers, or uses
the victim's identifying information, it is presumed that the conduct that
is the lack of the victim's consent occurred in Indiana.
SOURCE: IC 35-43-5-1; (09)IN1121.1.15. -->
SECTION 15. IC 35-43-5-1, AS AMENDED BY P.L.181-2005,
SECTION 5, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 1. (a) The definitions set forth in this section apply
throughout this chapter.
(b) "Claim statement" means an insurance policy, a document, or a
statement made in support of or in opposition to a claim for payment
or other benefit under an insurance policy, or other evidence of
expense, injury, or loss. The term includes statements made orally, in
writing, or electronically, including the following:
(1) An account.
(2) A bill for services.
(3) A bill of lading.
(4) A claim.
(5) A diagnosis.
(6) An estimate of property damages.
(7) A hospital record.
(8) An invoice.
(9) A notice.
(10) A proof of loss.
(11) A receipt for payment.
(12) A physician's records.
(13) A prescription.
(14) A statement.
(15) A test result.
(16) X-rays.
(c) "Coin machine" means a coin box, vending machine, or other
mechanical or electronic device or receptacle designed:
(1) to receive a coin, bill, or token made for that purpose; and
(2) in return for the insertion or deposit of a coin, bill, or token
automatically:
(A) to offer, provide, or assist in providing; or
(B) to permit the acquisition of;
some property.
(d) "Credit card" means an instrument or device (whether known as
a credit card or charge plate, or by any other name) issued by an issuer
for use by or on behalf of the credit card holder in obtaining property.
(e) "Credit card holder" means the person to whom or for whose
benefit the credit card is issued by an issuer.
(f) "Customer" means a person who receives or has contracted for
a utility service.
(g) "Drug or alcohol screening test" means a test that:
(1) is used to determine the presence or use of alcohol, a
controlled substance, or a drug in a person's bodily substance; and
(2) is administered in the course of monitoring a person who is:
(A) incarcerated in a prison or jail;
(B) placed in a community corrections program;
(C) on probation or parole;
(D) participating in a court ordered alcohol or drug treatment
program; or
(E) on court ordered pretrial release.
(h) "Entrusted" means held in a fiduciary capacity or placed in
charge of a person engaged in the business of transporting, storing,
lending on, or otherwise holding property of others.
(i) "Identifying information" means information that identifies
an
individual, a person, including
an individual's a person's:
(1) name, address, date of birth, place of employment, employer
identification number, mother's maiden name, Social Security
number, or any identification number issued by a governmental
entity;
(2) unique biometric data, including the
individual's person's
fingerprint, voice print, or retina or iris image;
(3) unique electronic identification number, address, or routing
code;
(4) telecommunication identifying information; or
(5) telecommunication access device, including a card, a plate, a
code, a telephone number, an account number, a personal
identification number, an electronic serial number, a mobile
identification number, or another telecommunications service or
device or means of account access that may be used to:
(A) obtain money, goods, services, or any other thing of value;
or
(B) initiate a transfer of funds.
(j) "Insurance policy" includes the following:
(1) An insurance policy.
(2) A contract with a health maintenance organization (as defined
in IC 27-13-1-19) or a limited service health maintenance
organization (as defined in IC 27-13-1-27).
(3) A written agreement entered into under IC 27-1-25.
(k) "Insurer" has the meaning set forth in IC 27-1-2-3(x). The term
also includes the following:
(1) A reinsurer.
(2) A purported insurer or reinsurer.
(3) A broker.
(4) An agent of an insurer, a reinsurer, a purported insurer or
reinsurer, or a broker.
(5) A health maintenance organization.
(6) A limited service health maintenance organization.
(l) "Manufacturer" means a person who manufactures a recording.
The term does not include a person who manufactures a medium upon
which sounds or visual images can be recorded or stored.
(m) "Make" means to draw, prepare, complete, counterfeit, copy or
otherwise reproduce, or alter any written instrument in whole or in part.
(n) "Metering device" means a mechanism or system used by a
utility to measure or record the quantity of services received by a
customer.
(o) "Public relief or assistance" means any payment made, service
rendered, hospitalization provided, or other benefit extended to a
person by a governmental entity from public funds and includes
township assistance, food stamps, direct relief, unemployment
compensation, and any other form of support or aid.
(p) "Recording" means a tangible medium upon which sounds or
visual images are recorded or stored. The term includes the following:
(1) An original:
(A) phonograph record;
(B) compact disc;
(C) wire;
(D) tape;
(E) audio cassette;
(F) video cassette; or
(G) film.
(2) Any other medium on which sounds or visual images are or
can be recorded or otherwise stored.
(3) A copy or reproduction of an item in subdivision (1) or (2)
that duplicates an original recording in whole or in part.
(q) "Slug" means an article or object that is capable of being
deposited in a coin machine as an improper substitute for a genuine
coin, bill, or token.
(r) "Synthetic identifying information" means identifying
information that identifies a person other than the person who is
using the information but that does not belong in its entirety to any
live or deceased person.
(r) (s) "Utility" means a person who owns or operates, for public
use, any plant, equipment, property, franchise, or license for the
production, storage, transmission, sale, or delivery of electricity, water,
steam, telecommunications, information, or gas.
(s) (t) "Written instrument" means a paper, a document, or other
instrument containing written matter and includes money, coins,
tokens, stamps, seals, credit cards, badges, trademarks, medals, retail
sales receipts, labels or markings (including a universal product code
(UPC) or another product identification code), or other objects or
symbols of value, right, privilege, or identification.
SOURCE: IC 35-43-5-3.5; (09)IN1121.1.16. -->
SECTION 16. IC 35-43-5-3.5, AS AMENDED BY P.L.125-2006,
SECTION 9, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 3.5. (a) Except as provided in subsection (c), a
person who knowingly or intentionally obtains, possesses, transfers, or
uses the identifying information of another person, including the
identifying information of a person who is deceased:
(1) without the other person's consent; and
(2) with intent to:
(A) harm or defraud another person;
(B) assume another person's identity; or
(C) profess to be another person;
commits identity deception, a Class D felony.
(b) However, the offense defined in subsection (a) is a Class C
felony if:
(1) a person obtains, possesses, transfers, or uses the identifying
information of more than one hundred (100) persons; or
(2) the fair market value of the fraud or harm caused by the
offense is at least fifty thousand dollars ($50,000); or
(3) a person obtains, possesses, transfers, or uses the
identifying information of the person's child.
(c) The conduct prohibited in subsections (a) and (b) does not apply
to:
(1) a person less than twenty-one (21) years of age who uses the
identifying information of another person to acquire an alcoholic
beverage (as defined in IC 7.1-1-3-5);
(2) a minor (as defined in IC 35-49-1-4) who uses the identifying
information of another person to acquire:
(A) a cigarette or tobacco product (as defined in IC 6-7-2-5);
(B) a periodical, a videotape, or other communication medium
that contains or depicts nudity (as defined in IC 35-49-1-5);
(C) admittance to a performance (live or film) that prohibits
the attendance of the minor based on age; or
(D) an item that is prohibited by law for use or consumption by
a minor; or
(3) any person who uses the identifying information for a lawful
purpose.
(d) It is not a defense in a prosecution under subsection (a) or (b)
that no person was harmed or defrauded.
SOURCE: IC 35-43-5-3.8; (09)IN1121.1.17. -->
SECTION 17. IC 35-43-5-3.8 IS ADDED TO THE INDIANA
CODE AS A
NEW SECTION TO READ AS FOLLOWS
[EFFECTIVE JULY 1, 2009]: Sec. 3.8. (a) A person who knowingly
or intentionally obtains, possesses, transfers, or uses the synthetic
identifying information of another person:
(1) with intent to harm or defraud another person;
(2) with intent to assume another person's identity;
(3) with intent to profess to be another person; or
(4) with intent to conceal the person's actual identity;
commits synthetic identity deception, a Class D felony.
(b) The offense under subsection (a) is a Class C felony if:
(1) a person obtains, possesses, transfers, or uses the synthetic
identifying information of more than one hundred (100)
persons; or
(2) the fair market value of the fraud or harm caused by the
offense is at least fifty thousand dollars ($50,000).
(c) The conduct prohibited in subsections (a) and (b) does not
apply to:
(1) a person less than twenty-one (21) years of age who uses
the synthetic identifying information of another person to
acquire an alcoholic beverage (as defined in IC 7.1-1-3-5); or
(2) a minor (as defined in IC 35-49-1-4) who uses the synthetic
identifying information of another person to acquire:
(A) a cigarette or tobacco product (as defined in
IC 6-7-2-5);
(B) a periodical, a videotape, or other communication
medium that contains or depicts nudity (as defined in
IC 35-49-1-5);
(C) admittance to a performance (live or on film) that
prohibits the attendance of the minor based on age; or
(D) an item that is prohibited by law for use or
consumption by a minor.
(d) It is not a defense in a prosecution under subsection (a) or
(b) that no person was harmed or defrauded.
SOURCE: IC 35-43-5-4.3; (09)IN1121.1.18. -->
SECTION 18. IC 35-43-5-4.3, AS ADDED BY P.L.125-2006,
SECTION 10, IS AMENDED TO READ AS FOLLOWS [EFFECTIVE
JULY 1, 2009]: Sec. 4.3. (a) As used in this section, "card skimming
device" means a device that is designed to read information encoded on
a credit card. The term includes a device designed to read, record, or
transmit information encoded on a credit card:
(1) directly from a credit card; or
(2) from another device that reads information directly from a
credit card.
(b) A person who possesses a card skimming device with intent to
commit:
(1) identity deception (IC 35-43-5-3.5);
(2) synthetic identity deception (IC 35-43-5-3.8);
(2) (3) fraud (IC 35-43-5-4); or
(3) (4) terroristic deception (IC 35-43-5-3.6);
commits unlawful possession of a card skimming device. Unlawful
possession of a card skimming device under subdivision (1), or (2), or
(3) is a Class D felony. Unlawful possession of a card skimming device
under subdivision (3) (4) is a Class C felony.
SOURCE: ; (09)IN1121.1.19. -->
SECTION 19. [EFFECTIVE JULY 1, 2009]
IC 35-43-5-3.8, as
added by this act, and IC 35-43-5-3.5 and IC 35-43-5-4.3, both as
amended by this act, apply only to crimes committed after June 30,
2009.