Pennsylvania State Victim Resources:
Phone: (717) 787-3391
Agencies that offer assistance to IDT victims:
Legal Aid of Southeastern Pennsylvania
Program Phone: (610) 275-5400
Legal Assistance: (610) 275-5400
MidPenn Legal Services, Inc.
Program Phone: (717) 234-0492
Legal Assistance: (717) 232-0581
Neighborhood Legal Services Association
Program Phone: (412) 586-6100
Legal Assistance: (412) 255-6700
North Penn Legal Services, Inc.
Program Phone: (610) 317-5308
Legal Assistance: (800) 982-4387
Northwestern Legal Services
Program Phone: (814) 452-6949
Legal Assistance: (800) 665-6957
Philadelphia Legal Assistance Center
Program Phone: (215) 981-3808
Legal Assistance: (215) 981-3800
Southwestern Pennsylvania Legal Services, Inc.
Program Phone: (412) 901-1672
Legal Assistance: (800) 846-0871
Security Freeze Law:
All Pennsylvania consumers are allowed to place security freezes on their consumer credit reports to prevent new accounts from being opened in their names. Such a freeze enables the consumer to prevent anyone from looking at his/her credit file for the purpose of granting credit unless the consumer chooses to allow a particular business look at the information. To request a freeze, a consumer must request one in writing by certified mail or through a secure Internet connection if such a connection is made available by the consumer reporting agency. Security freezes may remain in place for up to seven years.
Consumer reporting agencies may charge a fee of $10 to place or temporarily lift a security freeze. However, victims of identity theft with a valid police report or investigative complaint and people 65 years of age or older may not be charged. The reporting agency must place the freeze within five business days after receiving the request, and within ten days, must send a written confirmation of the freeze and provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his credit for a specific party or period of time. Requests for a temporary unlocking of the freeze must be completed within three business days.
Statute: 45 § 2503.
How to Place a Security Freeze in Pennsylvania:
Mandatory Police Report Law for Identity Theft Victims:
No State law at this time
Identity Theft Passport Law:
No State law at this time
Identity Theft Laws:
A person commits the offense of identity theft of another person if he possesses or uses, through any means, identifying information of another person without the consent of that other person to further any unlawful purpose. Identifying information is defined as "any document, photographic, pictorial or computer image of another person, or any fact used to establish identity, including, but not limited to, a name, birth date, Social Security number, driver's license number, non-driver governmental identification number, telephone number, checking account number, savings account number, student identification number, employee or payroll number or electronic signature."
The penalty for identity theft varies based on the value of the property or services obtained by means of the identifying information and the nature of the theft:
- If the total value involved is less than $2,000, the offense is a misdemeanor of the first degree, punishable by up to five years in prison and/or a fine up to $10,000.
- If the total value involved is $2,000 or more, the offense is a felony of the third degree, punishable by up to seven years in prison and/or a fine up to $15,000.
- Regardless of the total value involved, if the offense is committed in the furtherance of a criminal conspiracy, it is a third degree felony.
- Third or subsequent offenses, regardless of the total value involved, are second degree felonies, punishable by up to ten years in prison and/or a fine up to $25,000.
- If a person commits an offense against a victim 60 years of age or older or a care-dependent person, the grading of the offense will be one grade higher than generally specified.
Each time a person possesses or uses identifying information constitutes a separate offense. However, the total values involved in offenses under this section committed pursuant to one scheme or course of conduct, whether from the same victim or several victims, may be aggregated in determining the grade of the offense. The Attorney General has the authority to investigate and institute criminal proceeding for any identity theft violations.
Statute: 18 § 4120.
Any identity theft offense may be deemed to have been committed at any of the following: the place where a person possessed or used the identifying information of another without the other's consent to further any unlawful purpose; the residence of the person whose identifying information has been lost or stolen or has been used without the person's consent; or the business or employment address of the person whose identifying information has been lost or stolen or has been used without the person's consent, if the identifying information at issue is associated with the person's business or employment.
Statute: 18 § 4120.
Other Related Laws:
A report to a law enforcement agency by a person stating that the person's identifying information has been lost or stolen or that the person's identifying information has been used without the person's consent shall be prima facie evidence that the identifying information was possessed or used without the person's consent.
Statute: 18 § 4120.
Victims of identity theft may file a civil action to obtain actual damages arising from the incident or $500, whichever is greater, to cover loss of money, reputation or property, whether real or personal. The court may award up to three times the actual damages sustained, but not less than $500. Victims may also seek reasonable attorney fees and court costs and any additional relief that court deems necessary and proper. The plaintiff must file suit within four years of the date of the offense or from the date of the discovery of the identity theft.
Statute: 42 § 8315.
An access device is defined as any card, including, but not limited to, a credit card, debit card and automated teller machine card, plate, code, account number, personal identification number or other means of account access that can be used alone or in conjunction with another access device to obtain money, goods, services or anything else of value or that can be used to transfer funds. Access device fraud includes using an access device to obtain or in an attempt to obtain property or services with knowledge that: the access device is counterfeit, altered or incomplete; it was issued to another person who has not authorized its use; it has been revoked or canceled; or for any other reason his use of the access device is unauthorized by the issuer or the device holder.
The punishment for violations varies based on the value of the property or service obtained or sought to be obtained by means of the access device: If the value is $500 or more, the offense is a third-degree felony; if the value is $50 or more but less than $500, it is a misdemeanor of the first degree; and if it is less than $50, it is a misdemeanor of the second degree (punishable by up to two years in prison and/or a fine up to $5,000). Amounts involved in unlawful use of an access device pursuant to a scheme or course of conduct, whether from the same issuer or several issuers, may be aggregated in determining the classification of the offense.
It is third-degree felony to publish, make, sell, give, or otherwise transfer to another, or offer or advertise, or aid and abet any other person to use an access device knowing that it is counterfeit, altered or incomplete, belongs to another person who has not authorized its use, has been revoked or canceled or for any reason is unauthorized by the issuer or the device holder.
Possessing an access device knowing that it is counterfeit, altered, incomplete, or belongs to another person who has not authorized its possession is a third-degree misdemeanor, punishable by up to one year in prison.
For the purposes of these provisions, an actor is presumed to know an access device is counterfeit, altered or incomplete if he has in his possession or under his control two or more counterfeit, altered or incomplete access devices. Any access device fraud offense may be deemed to have been committed at either the place where the attempt to obtain property or services is made, at the place where the property or services were received or provided, or at the place where the lawful charges for said property or services are billed.
Statute: 18 § 4106.
A person commits the offense of unlawful use of a computer if he intentionally and knowingly and without authorization gives or publishes a password, identifying code, personal identification number, or other confidential information about a computer, computer system or database, web site, or telecommunication device. Violations are a third-degree felony.
Statute: 18 § 7611.
A person commits the offense of computer trespass if he knowingly and without authority or in excess of given authority uses a computer or computer network with the intent to effect the creation and or alteration of a financial instrument or an electronic transfer of funds. Violations are a third-degree felony.
Statute: 18 § 7615.
State law requires state and local governments and individuals and businesses doing business in the state to notify consumers when their unencrypted and un-redacted personal information was or is reasonably believed to have been compromised during a security breach, putting them at risk of identity theft. A security breach occurs upon "unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of the Commonwealth."
An entity must disclose provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key. Notice must be made without unreasonable delay, consistent with the needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Personal information is defined as an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements, when the name and data elements are not encrypted: Social Security number; driver's license number or state identification card number; or a financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notification can be provided by mail, e-mail, or telephone. If the cost of providing regular notice would exceed $175,000, the amount of people to be notified exceeds 100,000, or the business does not have sufficient contact information to provide written or electronic notice, substitute notice may be provided. When substitute notice is used, it must consist of all of the following, as applicable: e-mail notice, conspicuous posting on the business's web site, and notification to major statewide media. When a breach involves more than 1,000 people, the entity must also notify the consumer reporting agencies.
Statute: 73 § 2302.