From OST
Jump to: navigation, search
                                            Identity Theft Regulation


This research is related to identity theft laws in Florida state. These laws are, according with Florida Statutes, current year : 817.568 Criminal uses of personal identification information and the federal ID Theft Law – Identity Theft and Assumption Deterrence Act of 1998. USC 1028 Identity Theft and under 18 USC § 1029, Fraud Activity Associated with Access Devices. These laws will be discussed what is the effect on organizations. How should an organization address theft? Are there any notification aspects? How is an organization supposed to protect personal data? “ The Identity Theft and Assumption Deterrence Act of 1998 amended 18 U.S.C. § 1028(a)(7). This offense, in most circumstances, carries a maximum term of 15 years' imprisonment, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense. Schemes to commit identity theft or fraud may also involve violations of other statutes such as identification fraud (18 U.S.C. § 1028), credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), or financial institution fraud (18 U.S.C. § 1344). Each of these federal offenses is felonies that carry substantial penalties ¬ in some cases, as high as 30 years' imprisonment, fines, and criminal forfeiture.”(U.S. Department of Justice, 2009) The majority of states passed a legislation concerning identity theft where it is a major issue of concern. The effect of these laws on an organization The effect of these laws on any organization is considered a crime, and it has been grown very fast. Florida state has fought against computer-based crime. Today, Florida state passed an act where is recognized the “computer related crime an emerging and dangerous problem in society.” For example recently in Florida’s has been conducted an investigation and concluded that the data breach has not result in harm to individuals whose personal information has been acquired and accessed according to federal, state and local law enforcement. Organizations suffer a data breach must notify, in writing, by e-mail, the affected individuals before it prescribes by its statutes. On the other hand, data breach statute has some administrative penalties of $ 1,000 a day for 30 days and up to $ 500,000 if the individuals are not notified by the company during the 180 days. In this case, organizations must be prepared for this problem, and must consider “deploying encryption software for encrypting personal data with no comprise the personal information. Encrypt personal data is the only way for preserving or protecting consumers. Criminal use of personal identification information, according with, Florida state has the highest number of victims. For example University of Florida as well other universities in Florida state cannot give personal data information of students as well staff such social security number. Staffs who infringe these internal statutes are penalized under statutes and laws of universities and Florida laws. Another example of identity thief is Social Security Administration, this organization protects and keeps confidentially the social security number.

How should an organization address theft? An organization should address theft protecting the personal data information, for example some recent cases occurred in Middle and Southern Florida where one was charged on bank fraud, for obtaining names, addresses, and social security numbers. This person obtained from the website when the victim applied for loans over the Internet. The second case a woman was involved in obtaining a fraudulent driver’s license. Also, the woman used the victim’s bank account, and obtained credit cards charging $ 4,000 on the cards. Today, many people around the world are victim of fraud or identity theft. Criminals can obtain personal data such as hacking, dumpster diving. Nowadays with the increase of use of the Internet people are most exposed to be a victim. Organizations give tips to consumers or clients for minimizing or reducing the risk of becoming a victim of fraud or identity theft. Are there any notification aspects? Further, organizations advice to call the credit report companies (Equifax, Experian, and Trans Union) for reporting fraud as well contact all creditors as financial institutions. When organizations have a conflict of interest where its internal security is vulnerable, and compromise the data in order to determine who is responsible, the company must notify its customers or affected victim the problem succinct with the protected data. Under the Florida Legislature to conduct an appropriate investigation is not contemplate by it. How is an organization supposed to protect personal data? An organization is supposed to protect personal data using encryption. Also, organizations had had to evaluate data breach. Investigation or audit should help to obtain evidence. Digital forensics will be one way for investigating a data breach, because examining computers it can determine when and what occurred. Digital evidence will be a crucial evidence when is investigating any organization for finding illegal activity, failures or forensic evidence. Lesemann (2008) explained in the article about forensic evidence can prevent an organization to take legal action under the Florida statute. Lesemann (2008) illustrated that under the Florida’s statute, if any organization has encrypted the personal information is not necessary to report a data breach.

On the other hand, if organizations decide that data breach is not resulting in harm “to the affected victims,” then; the Florida statute obliges to maintain the finding documentation for five years and fines up to $ 50, 000. On the contrary, the organization is unsuccessful to notify Florida residents the fine will up $ 500,000. The solution for organizations is encrypting personal data, as well IT department is responsible for maintaining safety the data. If organizations prepare the network system, and mitigate the costs as well penalties, it cannot encounter problems. In summary, Florida statutes regarding data breach, is a big issue among companies and lawyers, because “expose organization to millions of dollars in fines and civil liability if obligations are ignored, misunderstood” (Lesemann, 2008). Today, organizations and companies are working for offering a more secure data to customers. In addition, these organizations educate to public, but on the other side are impossible to stop this type of crime. This research focused on Florida state and federal identity thief laws where statutes and laws address problems associated with this type of crime. This research topic need further investigation, especially in encryption must investigate more and seek for a strong algorithm for protecting customers their private personal data from these thieves.


Lesemann, D.J. (2008) It’s Not the Breach, It’s the Cover-Up Using Digital Forensics to Mitigate Losses and Comply With Florida’s Data Breach Notification Statute. Retrieved August 8, 2009 from Office of the Attorney General of Florida, McCollum, B. (2009).Federal ID Theft Law. Identity Theft and Assumption Deterrence Act of 1998. Retrieved August 8, 2009 from (2008). Identity Theft. Retrieved August 8, 2009 from The Florida Senate (2009). The 2009 Florida Statutes Title XLVI, Chapter 817: 817.568 Criminal use of personal identification information Retrieved August 8, 2009 from United States Department of Justice (2009). Identity Theft. Retrieved August 7, 2009 from

Christine Stagnetto-Sarmiento©2009