[Editor’s note: We handle large identity theft cases with a loss of $5 million or more, corporate identity theft where a business partner illegally “steals” or takes over a business and whistleblowers who wish to report identity theft at their workplace. Although we do not handle individual consumer cases, we have published this post to help everyone.]
Identity theft refers to crimes in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception. It is almost always done for economic gain. Identity theft is a crime. People stealing your identity can be sent to prison but that rarely helps the victim.
In this post we will answer the question, “How do I sue for identity theft?”
When a thief gets enough of your personal data, they can use it to commit a wide range of identity theft crimes. Typical examples include:
- Applying for loans and credit cards in the victim’s name,
- Withdrawals from the victim’s bank accounts,
- Fraudulently accessing online accounts, or
- Using information to obtain false identification.
- Using the victim’s information to obtain drugs or medical treatment
Not only can the victim lose his or her life savings, their credit can be ruined and sometimes if the identity thief is successful in obtaining a phony ID, the victim could find a bench warrant in his name for a crime he never committed.
Criminal Statutes Dealing with Identity Theft
There are a number of state and federal laws that make identity theft a crime. At the federal level there is the Identity Theft and Assumption Deterrence Act. This law created a new offense of identity theft, which prohibits “knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.” 18 U.S.C. § 1028(a)(7). Violators can be sent to prison for up to 15 years.
Other federal identity theft laws include identification fraud (18 U.S.C. § 1028), credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), or financial institution fraud (18 U.S.C. § 1344). If a bank is the victim the wrongdoer can get up to 30 years in prison.
All fifty states have similar laws.
If the person is caught and prosecuted – big “if’s”, a court could order restitution. Of course, the restitution order only works if the person convicted is able to get a decent job. (No job, no money for restitution.)
Today, many of the identity theft cases are caused by sophisticated hackers and organized crime. Worse, many of the bad actors are overseas or work for hostile nation – states.
So, How Do I Sue for Identity Theft?
The real question is “who” can you sue!
We know the thief can always be sued but that is only if he or she is caught, convicted and has money. Look no further than Paige Thompson, the person arrested in the Capital One data breach during the summer of 2019. She allegedly accessed sensitive data belonging to 106,000,000 Capital One credit card applicants and users. She wasn’t using the card data directly but was selling it on the dark web.
She is broke and in jail. Suing her is meaningless.
The real deep pockets in large identity theft cases are the banks or holders of the data. They didn’t steal it but may a legal responsibility to keep that data safe.
The “who” with deep pockets are typically anyone who had possession of the information. This typically includes:
- Credit card issuers
- Merchants who processed credit transactions
- Credit bureaus (TransUnion, Equifax, and Experian)
- Employers (if your employer was responsible for the identity theft or data breach)
Theories of Liability (How Do I Sue for Identity Theft)
There are multiple ways to sue for identity theft.
These include fraud, negligence, breach of fiduciary duty, invasion of privacy, intentional infliction of emotional distress, and conversion (use of victim’s information without permission).
Banks and credit card issuers that process fraudulent transactions can be sued if it is shown they owe a duty of care to the victim. The duty they owe is even greater if the bank improperly allows money to be withdrawn from a victim’s account.
Several states have established their own identity theft laws making it easier for victims to sue. For example, California enacted a law to protect victims who now find themselves with debts or bills that someone took out in their name. As we said earlier, the nightmare doesn’t end when your money is lost, it can get worse if the identity thief takes out credit in your name.
Under California Civil Code section 1798.93:
“A person who proves that he or she is a victim of identity theft shall be entitled to a judgment providing all of the following, as appropriate:
(1) A declaration that he or she is not obligated to the claimant on that claim.
(2) A declaration that any security interest or other interest the claimant had purportedly obtained in the victim’s property in connection with that claim is void and unenforceable.
(3) An injunction restraining the claimant from collecting or attempting to collect from the victim on that claim, from enforcing or attempting to enforce any security interest or other interest in the victim’s property in connection with that claim, or from enforcing or executing on any judgment against the victim on that claim…
(5) Actual damages, attorney’s fees, and costs, and any equitable relief that the court deems appropriate. In order to recover actual damages or attorney’s fees in an action or cross-complaint filed by a person alleging that he or she is a victim of identity theft, the person shall show that he or she provided written notice to the claimant that a situation of identity theft might exist, including, upon written request of the claimant, a valid copy of the police report or the Department of Motor Vehicles investigative report promptly filed at least 30 days prior to his or her filing of the action, or within his or her cross-complaint pursuant to this section.
(6) A civil penalty, in addition to any other damages, of up to thirty thousand dollars ($30,000) if the victim establishes by clear and convincing evidence all of the following:
(A) That at least 30 days prior to filing an action or within the cross-complaint pursuant to this section, he or she provided written notice to the claimant at the address designated by the claimant for complaints related to credit reporting issues that a situation of identity theft might exist and explaining the basis for that belief.
(B) That the claimant failed to diligently investigate the victim’s notification of a possible identity theft.
(C) That the claimant continued to pursue its claim against the victim after the claimant was presented with facts that were later held to entitle the victim to a judgment pursuant to this section.
Many identity theft victims automatically believe that the bank / store / credit card issuer is always liable. That simply isn’t true and is why you need an experienced identity theft lawyer to assist you in recovering back your money. Banks are often victims as well but that doesn’t mean they can’t be held liable for your losses.
Many times, sophisticated criminals will target a specific business. We have seen cases where hundreds of thousands of dollars and more were taken in a single fraudulent wire or forged check.
[Our practice is primarily focused on large embezzlement and identity theft cases with a loss of $5 million or more. We handle consumer cases as class actions – although a few hundred or thousand dollars means a lot to you and us, it simply isn’t economically feasible to handle a single case.]
I Sued for Identity Theft? What Are My Damages?
There are three types of damages that may be available in identity theft case:
- Compensatory damages
- Punitive damages
- Injunctive relief
Compensatory damages are designed to make you whole. They can include any monies wrongfully taken from you, interest and other financial losses. If you suffered anxiety you may be able to get compensation as well.
Punitive damages are a available in some states but often not against the bank or business who facilitated the theft. The purpose of punitive damages is to punish the wrongdoer and deter future bad conduct.
Certainly, the thief would be subject to punitive damages but as we discussed, collecting from someone in jail is nearly impossible. In many identity theft cases it isn’t even possible to figure out who hacked an account or breached a merchant’s database.
In the business theft cases we often see, the culprit is known to us. It is often a minority shareholder or partner who steals money or trade secrets in order to steal the business. In those cases, it may be possible to successfully sue the individual but even then, collectability is often an issue.
Injunctive relief is often critical in identity theft cases. That can include a court order declaring that are not legally responsible for debts created in your or your business’ name. In consumer cases, it can mean orders to help clean up your credit.
Class Actions and Consumer Identity Theft Cases
There is so many corporate data breaches today that it is often impossible to know who may be responsible for losses that you may have incurred.
Let’s say you have bank accounts and credit cards at both Capital One and Chase, you stayed at a Marriott while on a business trip, visited a small retailer who process credit card payments through Heartland Payment Systems and bought some clothes at Target. You went to these stores while traveling by using Uber. A year later your identity is stolen and your bank accounts drained.
Who is responsible? All of the above companies have admitted to being the victims of large scale data breaches. Hundreds of millions of records were taken. Maybe the hack of Uber didn’t get your social security number but one of the other hacks did.
Today identity thieves share their information on the dark web. You can even buy information about specific people so that you can assemble enough to secure a fake ID or open an account or convince AT&T to port your SIM card to a new phone. The list of permutations is endless.
The point is that in the large data breach cases, you might not suffer a loss for years. Sometimes
the statute of limitations has expired before the loss even occurs.
In corporate identity theft cases, we handle those individually. Consumer level cases are a different story. Those are best handled in a class action.
Seeking Business Owners Who Are Victims of Identity Theft
This post began with the question, How do I sue for identity theft? If you lost $5 million or more in a sophisticated identity theft, we can help. We also help business owners who lost their company because of the illegal activity of others.
For more information, contact us online, by email or by phone 202-800-9791. Cases accepted nationwide. All inquiries kept completely confidential.
Whistleblowers (Insiders) Who Wish to Report Data Breaches
Sadly, many companies do not report data breach cases. There is widespread belief that Uber waited a year before reporting their data breach. When companies delay, consumers and others are hurt. Prompt reporting of a breach not only is right, it’s the law.
People with inside information about data breaches may be eligible for large cash whistleblower rewards. If the company is a public company (even foreign) there may be rewards available under the SEC Whistleblower Program. And the best news is that you can report and remain anonymous.
If the company is a bank or credit card issuers / processor there may be cash rewards of up to $1.6 million available under the FIRREA bank fraud statute.
If the company is a government contractor and the hacked data potentially includes government data, there are rewards available under the False Claims Act.
Sometimes, whistleblowers have information yet no rewards are possible. Let’s say the company that was hacked is a large private hospital not owned by a public company. Even if there are no rewards, we will help you stop the fraud. It’s the right thing to do.
For more information, contact attorney Brian Mahany online, by email or directly 414-704-6731. As noted above, all inquiries are protected by the attorney – client privilege and kept confidential.