Identity Theft Enforcement and Protection Act (ITEPA)

ITEPA Chapter 521 Business and Commerce Code www.jdfarris.com ITEPA

ITEPA

                                                          [1] Intent of Act Chapter 521 of the Business and Commerce Code is known as the Identity Theft Enforcement and Protection Act (ITEPA) [Tex. Bus. & Com. Code § 521.001]. According to the legislative history of the ITEPA, identity theft is the fastest growing crime in the country. In 2004, there were 635,173 consumer fraud and identity theft complaints in the United States. Texas has the fourth-highest rate of identity theft and ranks second, behind California, in the total number of identity thefts by state. Victims spend an average of 600 hours over two to four years and $1,400 to clear their names. In 2002, the cost to businesses was almost $50 billion and the cost to consumers was $5 billion [see Committee Report to S.B. 122 (2005); see also Acts 2005, 79th Leg., R.S., ch. 294]. The intent of the ITEPA is to [Committee Report to S.B. 122 (2005)]:

• Prevent identity theft by protecting consumers’ personal information. 

• Help victims recover from the offense. 

• Require businesses to report to consumers breaches in security involving consumers’ personal information. 


[2] Definitions The ITEPA applies to two types of information, “personal identifying information” and “sensitive personal information.” Personal identifying information means information that alone or in conjunction with other information identifies an individual. It includes an individual’s [Tex. Bus. & Com. Code § 521.002(a)(1)]: 

• Name, social security number, date of birth, or government-issued identification number. 

• Mother’s maiden name. 

• Unique biometric data, such as the individual’s fingerprint, voice print, and retina or iris image. 

• Unique electronic identification number, address, or routing code. 

• Telecommunication access device.   A telecommunication access device is a card, plate, code, account number, personal identification number, electronic serial number, mobile identification number, or other telecommunications service, equipment, or instrument identifier or means of account access that alone or in conjunction with another telecommunication access device may be used to either (1) obtain money, goods, services, or other thing of value; or (2) initiate a transfer of funds other than a transfer originated solely by paper instrument [Tex. Pen. Code § 32.51(a)(2)]. The ITEPA also applies to “sensitive personal information.” Sensitive personal information consists of an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted [Tex. Bus. & Com. Code § 521.002(a)(2)(A)]: 

• Social security number. 

• Driver’s license number or government issued identification number. 

• Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Sensitive personal information also includes information that identifies an individual and relates to the individual’s physical or mental health or condition, or the provision of or payment for the individual’s health care [Tex. Bus. & Com. Code § 521.002(a)(2)(B)]. The term does not include, however, publicly available information that is lawfully made available to the general public by the federal government or a state or local government [Tex. Bus. & Com. Code § 521.002(b)]. Additionally, the ITEPA defines victim as a person whose identifying information is used by an unauthorized person [Tex. Bus. & Com. Code § 521.002(a)(3)]. 


[3] Requirements and Prohibitions [a] Unauthorized Possession or Use of Personal Identifying Information The ITEPA bars a person from obtaining, possessing, transferring, or using personal identifying information of another person without the other person’s consent. The prohibition applies if the person acts with intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person’s name [Tex. Bus. & Com. Code § 521.051(a)]. It is a defense to an action under the ITEPA that a person’s act: (1) is covered by the Fair Credit Reporting Act [15 U.S.C. § 1681 et seq.]; and (2) is in compliance with that Act and related regulations [Tex. Bus. & Com. Code § 521.051(b)]. The prohibition does not apply to: (1) a financial institution as defined by the United States Code [see 15 U.S.C. § 6809] or (2) a covered entity as defined by the Texas Insurance Code [Tex. Bus. & Com. Code § 521.051(c); see Tex. Ins. Code §§ 601.001, 602.001]. [b] Obligation of Business to Protect Sensitive Personal Information Businesses are required to implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business [Tex. Bus. & Com. Code § 521.052(a)]. The business must destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business. This may be done by [Tex. Bus. & Com. Code § 521.052(b)]: 

• Shredding. 

• Erasing. 

• Otherwise modifying the sensitive personal information in the records to make the information unreadable or undecipherable through any means. For purposes of these requirements, a nonprofit athletic or sports association constitutes a business [Tex. Bus. & Com. Code § 521.052(d)]. These requirements do not, however, apply to a financial institution as defined by the United States Code [Tex. Bus. & Com. Code § 521.052(c); see 15 U.S.C. § 6809]. [c] Notification of Security Breach Breach of system security means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Good faith acquisition of sensitive personal information by an employee or agent of the person or business for the purposes of the person is not a breach of system security unless the sensitive personal information is used or disclosed by the person in an unauthorized manner [Tex. Bus. & Com. Code § 521.053(a)]. A person that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information must disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made as quickly as possible or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system [Tex. Bus. & Com. Code § 521.053(b) (as amended by Acts 2011, 82d Leg., R.S., ch. 1126)]. If the person to be notified is a resident of another state that also requires notification, the notice may be provided either under that state’s law, or as required by Section 521.053(b) [Tex. Bus. & Com. Code § 521.053(b–1) (as amended by Acts 2013, 83d Leg., R.S., ch. 1368)]. Failure to provide any required notice subjects the person to civil penalties [Tex. Bus. & Com. Code § 521.151(a–1) (added by Acts 2011, 82d Leg., R.S., ch. 1126)]. Any person that maintains computerized data including sensitive personal information that the person does not own, must notify the owner or license holder of the information of any breach of system security immediately after discovering the breach. This must be done if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person [Tex. Bus. & Com. Code § 521.053(c)]. This obligation to provide notice of a security breach applies not only to private entities, but also to state agencies [Tex. Gov’t Code § 2054.1125(b) (added by Acts 2009, 81st Leg., R.S., ch. 419, and applicable only to breach of security system occurring on or after Sept. 1, 2009)] and local government units [Tex. Local Gov’t Code § 205.010(b) (added by Acts 2009, 81st Leg., R.S., ch. 419, and applicable only to breach of security system occurring on or after Sept. 1, 2009)]. A person may delay providing either of these notices at the request of a law enforcement agency if the notification will impede a criminal investigation. Nevertheless, notice must be given as soon as the law enforcement agency determines that it will not compromise the investigation [Tex. Bus. & Com. Code § 521.053(d)]. A person may generally give either written notice at the individual’s last known address or electronic notice, provided that the electronic notice complies with federal standards [Tex. Bus. & Com. Code § 521.053(e)(1), (2) (as amended by Acts 2013, 83d Leg., R.S., ch. 1368); see 15 U.S.C. § 7001]. If the person or business demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information, the notice may be given by [Tex. Bus. & Com. Code § 521.053(f)]: 

• Electronic mail, if the person has an electronic mail address for the affected persons. 

• Conspicuous posting of the notice on the person’s website; or 

• Notice published in or broadcast on major statewide media.   If a person is required to notify at one time more than 10,000 persons of a breach of system security, the person must also notify, without unreasonable delay, all consumer reporting agencies [see 15 U.S.C. § 1681a], that maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices [Tex. Bus. & Com. Code § 521.053(h)]. A person that maintains its own notification procedures as part of an information security policy for the treatment of sensitive personal information complies with the ITEPA if the person notifies affected persons in accordance with that policy [Tex. Bus. & Com. Code § 521.053(g)]. 


[4] Enforcement and Remedies [a] Generally

 A person injured by identity theft is given the right to obtain a court order declaring that person is a victim of identity theft [Tex. Bus. & Com. Code § 521.101(a)]. The person may obtain the declaration regardless of whether the person is able to identify each person who allegedly transferred or used the person’s identifying information in an unlawful manner [Tex. Bus. & Com. Code § 521.101(b)]. The declaration is generally intended for use in civil proceedings brought by or against the victim, for submission to a governmental entity or a private business to prove that a financial transaction or account was directly affected by identity theft, or to correct records that contain inaccurate or false information as a result of the identity theft [see Tex. Bus. & Com. Code § 521.104(a)]. The requirements for obtaining such an order are discussed in § 335A.20[4][b]–[d]. A form of a petition seeking the order is set out in § 335A.100, while a form for the order itself is provided in § 335A.101. A violation of the ITEPA concerning unauthorized use or possession of personal identifying information [see Tex. Bus. & Com. Code § 521.051(a)] is a deceptive trade practice actionable under the DTPA [Tex. Bus. & Com. Code § 521.152; see Tex. Bus. & Com. Code § 17.41 et seq.]. The requirements for an action under that statute are discussed in Ch. 220, Deceptive Trade Practices [see § 335A.102 (form of petition including DTPA allegations)].   In addition to private enforcement by the victim of identity theft, the ITEPA also provides for enforcement by the Texas Attorney General. A civil penalty of at least $2,000 but not more than $50,000 may be imposed for each violation [Tex. Bus. & Com. Code § 521.151(a)]. Additional penalties may be imposed for the failure to provide notice of a security breach as required by the statute [Tex. Bus. & Com. Code § 521.151(a-1) (added by Acts 2011, 82d Leg., R.S., ch. 1126)]. If it appears to the attorney general that a person is engaged in, has engaged in, or is about to engage in conduct in violation of the ITEPA, the attorney general may bring an action to restrain or enjoin the violation [Tex. Bus. & Com. Code § 521.151(b)], or to obtain other equitable remedies to either prevent further harm to any victim of identity theft, or to satisfy any judgment against the violator [Tex. Bus. & Com. Code § 521.151(e)]. The attorney general must file suit in a district court in Travis County, in any county in which the violation occurred, or in the county in which the victim resides [Tex. Bus. & Com. Code § 521.151(c)]. [b] Right to Declaration of Identity Theft The “Identity Theft Declaration” procedure established by the ITEPA is a tool for victims of identity theft to use in avoiding the consequences of identity theft. The victim may seek a court order declaring that the person is in fact a victim of identity theft, and specifying affected accounts or information. A person is entitled to file an application if either [Tex. Bus. & Com. Code § 521.101(a)]: 

• The person has been injured by a violation of Business and Commerce Code Section 521.051 [see § 335A.20[3][a]]. 

• The person has made a criminal complaint alleging commission of an offense under Section 32.51 of Penal Code [see Tex. Code Crim. Proc. art. 2.29 (peace officer required to make written report of complaint and provide copy to victim on request)]. An application for the declaration may be filed whether or not the applicant is able to identify each person who allegedly transferred or used the person’s identifying information in an unlawful manner [Tex. Bus. & Com. Code § 521.101(b)]. The need to ensure the protection of the information used to substantiate the identity theft affects the drafting of the application, which should not contain confidential information. The application, if successful, will result in an order that will be sealed to preserve the confidential information the order must include [Tex. Bus. & Com. Code § 521.104; see § 335A.101 (form of order)]. [c] Procedure: Notice and Hearing After notice and hearing, if the court is satisfied by a preponderance of the evidence that an applicant has been injured by a violation of Section 521.051 or is the victim of an offense under Section 32.51 of the Penal Code, the court must enter an order declaring that the applicant is a victim of identity theft [Tex. Bus. & Com. Code § 521.103(a)]. If the alleged violator is convicted of the Penal Code offense, however, there is a presumption that the applicant is a victim of identity theft [Tex. Bus. & Com. Code § 521.102]. Although the ITEPA requires notice and a hearing, it does not detail the exact procedures to be followed. Service and notice issues are discussed in the procedural guide and forms sections of this chapter. [d] Form and Use of Order An “Identity Theft Declaration” comes in the form of an order that is sealed to protect the confidential information concerning the applicant’s identity that must be included in the order. The order may be opened and the order or a copy of the order may be released only as follows [Tex. Bus. & Com. Code § 521.104(a)]: 

• To the proper officials in a civil proceeding brought by or against the victim arising or resulting from a violation of ITEPA, including a proceeding to set aside a judgment obtained against the victim. 

• To the victim for the purpose of submitting the copy of the order to a governmental entity or private business to either prove that a financial transaction or account of the victim was directly affected by a violation of ITEPA or the commission of an offense under the Penal Code. 

• To the victim to use to correct any record of the entity or business that contains inaccurate or false information as a result of the violation or offense. • On order of the judge. 

• As otherwise required or provided by law. A copy of an order provided to officials in a civil proceeding must remain sealed throughout and after the civil proceeding [Tex. Bus. & Com. Code § 521.104(b)]. Information contained in a copy of an order that the victim provided to a governmental entity or business is confidential and may not be released to another person except as otherwise required or provided by law [Tex. Bus. & Com. Code § 521.104(c)]. [e] Vacation of Order A court may vacate an identity theft declaration at any time, if the court finds that the application or any information submitted to the court by the applicant, contained a fraudulent misrepresentation or a material misrepresentation of fact [Tex. Bus. & Com. Code § 521.105]. 


[5] Other Statutes Other provisions of the Texas Business and Commerce Code also protect privacy and hinder identity theft. For example, Chapter 501 of the Code provides for confidentiality of driver’s license and social security numbers [see Tex. Bus. & Com. Code § 501.001, et seq.]. Chapter 502 addresses the confidentiality and security of financial information such as credit card and debit card numbers and access [see Tex. Bus. & Com. Code § 502.001, et seq.]. Chapter 503 provides protection from unconsented commercial use or sale of biometric identifiers [see Tex. Bus. & Com. Code § 503.001, et seq.]. Chapter 72 provides protection of personal identifying information contained in business records and regulates retention and disposal of such records [see Tex. Bus. & Com. Code § 72.001, et seq.]. Chapter 523 provides some additional protections to victims of identity theft with respect to credit applications and checking accounts [see Tex. Bus. & Com. Code § 523.001, et seq.].