Identity theft law may target innocent acts
Christopher Guly for The Lawyers Weekly
December 18, 2009
While recent Criminal Code amendments addressing identity theft include provisions to help stop fraud before the crime is committed, they could also end up either targeting innocent acts or failing to capture all of the guilty players involved in fraudulent actions, according to lawyers who have reviewed the new legislation.
Under s. 402.1 of Bill S-4, which received royal assent in late October, identity information, "used alone or in combination with other information to identify or purport to identify an individual," includes name, address, date of birth and driver's licence number.
"That may be too broad, and I would have hoped that it would have been restricted to government identification, such as social insurance or passport numbers," says Neil Abbott, a partner in the financial services department in the Toronto office of Gowling Lafleur Henderson LLP. Abbott explains that lawyers regularly rely on such basic identity information as names and addresses to locate people and initiate civil actions or enforce judgments.
The new law makes it illegal to transmit, make available, distribute, sell or offer for sale another person's identity information, or possess such information for any of those purposes, "knowing that or being reckless as to whether the information will be used to commit an indictable offence that includes, fraud, deceit or falsehood as an element of the offence."
While Bill S-4's prime targets are organized criminals involved in possessing or trafficking in identity information, the legislation might also be sending a message to companies and retailers that offer credit to customers, says Abbott, who chairs Gowlings' recovery services national practice group in Toronto.
He explains that once a credit card is issued, the person holding it almost never has to show additional ID, such as a driver's licence, before using the card to make a purchase. That could lead to a shopping bonanza for someone in possession of a stolen or falsely obtained credit card, and the merchant or third-party credit provider that fails to verify the identity of the individual could face consequences for such recklessness under the new law, argues Abbott.
"Negligence is not a defence to fraud."
Before the bill was passed, the Canadian Bar Association expressed concern over use of the word "reckless," which it said "has been open to some interpretive difficulty."
Bill S-4 has "raised a red flag" for companies and organizations that store identity information and use it for non-criminal purposes, says Mark Morrison, a partner in the Calgary office of Blake, Cassels & Graydon LLP, and a member of the litigation group, whose practice includes a focus on white-collar crime.
"The legislation is aimed at fraudsters out there trying to sell people's information, but there is concern that companies dealing with information in the normal course of business could be impacted inadvertently if they don't have appropriate due-diligence procedures on how to handle identity information," he explains.
"The legislation places a proactive obligation on organizations to ensure they're not releasing this information to the wrong people."
But Bill S-4 might not be comprehensive enough to target all the players involved in fraud schemes, particularly in real estate transactions where such professionals as lawyers and accountants willingly participate without "doing their homework" about their clients or the information they possess, worries Toronto criminal defence lawyer Alex Ejsmont, who often deals with identity theft-related cases.
"The issue of identity theft is so complex and often involves so many parties that I wonder whether the language in the law ultimately imposes liability on people who not only knowingly obtain or possess someone else's identity information with criminal intent, but also on those who voluntarily enter into a transaction for their own financial gain in cases where they may suspect identity theft or fraud may be at play," he says.
Following the Bill S-4 amendments, s. 56.1 of the Criminal Code makes it an offence to make, possess, transfer, sell or offer for sale an identity document "that relates, or purports to relate, in whole or in part, to another person." It also outlines exceptions, such as if a person had such information for genealogical purposes, or had the consent of the person to whom the identity document relates.
"But often when police lay charges, they don't contemplate the defences available to the person - and as a criminal defence lawyer, my advice to clients is, 'Don't say anything,'" says Ejsmont. "As a result, I anticipate there will be an increase in the number of charges brought against people - probably as tack-on charges if the police are investigating something else - but we will also see an increase in the charges that fall apart because of the defences available."
For Ejsmont, the one glaring gap in the legislation is that it does not specifically address the growing incidence of identity theft in cyberspace.
"There is so much fraudulent activity on the Internet, and it's not just strictly financial. It includes people hacking into Facebook and other accounts, and posing as other people," says Ejsmont, who adds that in certain U.S. jurisdictions, police are laying criminal charges against people impersonating someone else online.
His concern is that the courts might end up having to determine whether the law applies to identity-theft activities on the web - "heavy lifting that should have been at the front end" when the legislation was drafted.
"If you're going to amend the Criminal Code to reflect the reality of living in society today, you should make sure the amendments adequately capture all the shenanigans that are going on electronically."
But Morrison believes the wording of the law is broad enough to capture the deceptive, dishonest or fraudulent use of identity information or government-issued ID documents - and extends antifraud legislation by catching criminals before they use, sell or transfer such information.
"If someone has collected passport or credit-card information that they're not entitled to, you might not be able to prove that person has engaged in fraud - but you can hammer him for possessing that information with the intent of using it to commit fraud."
Adds Abbott: "This is prospective legislation dealing with the collection, possession and trafficking of personal information by identity thieves, which is a pretty significant change by imposing penalties for future criminal use. As such, it addresses organized crime since the person going out and making purchases with stolen ID is not always the person behind the scam."
"This is going up the ladder to the source - the masterminds or ringleaders of these criminal operations."
Abbott says that among the other welcome features of the legislation are its forward-looking provisions. It accommodates any government ID document that might be issued in the future as well as the emergence of new identification technology. Under s. 342 of the bill, credit card data includes "personal authentication information," which means a personal identification number "or any other password or information that a credit card holder creates or adopts to be used to authenticate his or her identity in relation to the card."
Bill S-4 also extends Criminal Code provisions regarding mail-related offences to deal with theft of an item sent by post not only after it is deposited at a post office and before it is delivered, but now also after it is delivered, though before it is in the possession of the addressee (pilfered from someone's mailbox). As well, it now will be a crime to fraudulently redirect mail and make a copy of a Canada Post mailbox key with the intent to commit a mail-related offence.
"This closes the loopholes fraudsters seem to find in the way credit cards are delivered," says Abbott.