Are you a victim of identity theft when your personally identifiable information is stolen?  Is the theft alone, and the risk that your information may be misused, sufficient?  Does your information have to be misused in some fraudulent manner before you can be considered a victim?

A federal appellate court recently weighed in on these issues and decided that the theft of personally identifiable information, and even the sale of personally identifiable information, are not enough for someone to be considered a “victim” under criminal sentencing guidelines.

In U.S. v. Hall, No. 11-14698 (11^th Cir. Jan. 16, 2013), the United States Court of Appeals for the Eleventh Circuit addressed the issue of what it means to be an identity theft victim.  The criminal defendant in Hall was an office assistant at a gynecological and obstetric health care office.  As part of her job, she was authorized to access patient files and copy patient information to fulfill her job duties.  Sensitive information in the files included patient names, dates of birth, social security numbers, and medical information.  The defendant provided this information via text messages to unauthorized individuals who in turn provided the information to organizers of the criminal scheme.  The defendant was promised $200 for each individual’s information or $1,000 if the information was successfully used to create a fraudulent account.  In total, the defendant received only $200, but she provided information about 65 to 141 individuals.  The defendant pled guilty to conspiracy to commit bank fraud, conspiracy to commit identity theft and access device fraud, and wrongfully obtaining and transferring individually identifiable health information for personal gain.

At sentencing, the District Court increased the defendant’s sentence because it found that the offense involved more than 50 victims.  The court rejected the defendant’s argument that the mere transfer or sale of the identifying information did not equate to the actual “use” of the information, so there were only 12 victims.

On appeal, the Eleventh Circuit reversed the District Court and held that while the 12 individuals whose information was used to obtain fraudulent credit cards are victims, the remaining individuals whose information was merely transferred or sold but not actually used for fraudulent purposes were not victims.  The court recognized a “paucity of helpful case law” on the issue.  Nevertheless, the court interpreted the term “use” to require the type of “action and implementation” that did not occur in this case.  Here, the mere sale of the information to the co-conspirators did not implement the purpose of the conspiracy (to obtain cash advances and purchase items by using fraudulent credit cards).  Accordingly, the court ruled that “[t]he personal identifying information was not used, as that term is ordinarily understood, until [the defendant’s] co-conspirators secured the fraudulent credit cards.  At that point, the 12 individuals whose personal information was compromised became victims.”  The sentence imposed by the District Court was therefore reversed.

What Are The Takeaways?

A few important takeaways should be drawn from this decision:

• The underlying facts are a reminder that employee misconduct continues to be a significant point of exposure for companies that maintain sensitive information.  The sale of personally identifiable information on the black market can be a lucrative incentive for some employees to misuse their access to sensitive information.  Shore up your administrative and technical safeguards!

• The decision may be used to support the proposition that, at least within the Eleventh Circuit, the mere access, acquisition, transfer, or sale of your personally identifiable information does not make you an identity theft victim.  It is the use of the information for fraudulent purposes that makes you an identity theft victim.  Keep in mind, however, this interpretation is for the sole purpose of defining the term “identity theft victim” for sentencing guideline purposes.

• Finally, it will be interesting to see what impact, if any, the Eleventh Circuit’s definition of identity theft victim has on the issue of what constitutes cognizable harm for civil litigation purposes?  (The Eleventh Circuit recently allowed this data breach class action to proceed).

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.