LOS ANGELES, CA—Identity theft is a growing concern as more personal data is placed at risk by
the advancement of new technologies and tools put in the hands of cyber criminals. Although
California has powerful laws to protect individuals and businesses, many lawyers remain
unaware of what these protections are and how to use them for their clients’ benefit.
Let’s start with the identity theft statute itself, which is found in the Penal Code:
Every person who willfully obtains personal identifying information, as defined in
subdivision (b) of Section 530.55, of another person, and uses that information for
any unlawful purpose, including to obtain, or attempt to obtain, credit, goods,
services, real property, or medical information without the consent of that person,
is guilty of a public offense, and upon conviction therefor, shall be punished by a
fine, by imprisonment in a county jail not to exceed one year, or by both a fine
and imprisonment, or by imprisonment pursuant to subdivision (h) of Section
1170.

Cal. Pen. Code § 530.5(a).

What does this mean? Essentially, subdivision (a) of the identity theft law imposes primary
liability on any person who willfully obtains personal identifying information and uses it for any
unlawful purpose. This bears repeating: any unlawful purpose.
What is personal identifying information? The identity theft law defines personal identifying
information broadly, and it means:
[A]ny name, address, telephone number, health insurance number, taxpayer
identification number, school identification number, state or federal driver's
license, or identification number, social security number, place of employment,
employee identification number, professional or occupational number, mother's
maiden name, demand deposit account number, savings account number,
checking account number, PIN (personal identification number) or password,
United States Citizenship and Immigration Services-assigned number,
government passport number, date of birth, unique biometric data including
fingerprint, facial scan identifiers, voiceprint, retina or iris image, or other unique
physical representation, unique electronic data including information
identification number assigned to the person, address or routing code,
telecommunication identifying information or access device, information
contained in a birth or death certificate, or credit card number of an individual
person, or an equivalent form of identification.

Cal. Pen. Code § 530.55(b).

Note that while the definition of personal identifying information is written to be exhaustive or
comprehensive, it contains items that are referred to illustratively. For instance, the definition
includes “unique biometric data.” That term is not defined in the statute and includes examples,
as well as a catch-all item “other unique physical representation.”
Note that elsewhere, California law includes a robust definition of “biometric information, which
means[A]n individual's physiological, biological, or behavioral characteristics, including
information pertaining to an individual's deoxyribonucleic acid (DNA), that is
used or is intended to be used singly or in combination with each other or with
other identifying data, to establish individual identity. Biometric information
includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand,
palm, vein patterns, and voice recordings, from which an identifier template, such
as a faceprint, a minutiae template, or a voiceprint, can be extracted, and
keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or
exercise data that contain identifying information.

Cal. Civ. Code § 1798.140(c).
Practitioners in the digital privacy space should continue to be mindful of the ways electronic
surveillance of behavior (like “keystroke patterns or rhythms”) that can be recorded, transmitted,
and monetized surreptitiously can bring their fact patterns within the purview of the identity theft
statute.

Beyond, primary liability under subdivision (a), the identity theft law also imposes indirect
liability under subdivisions (c) and (d):
Every person who, with the intent to defraud, acquires or retains possession of the
personal identifying information, as defined in subdivision (b) of Section 530.55,
of another person is guilty of a public offense, and upon conviction therefor, shall
be punished by a fine, by imprisonment in a county jail not to exceed one year, or
by both a fine and imprisonment.

Cal. Pen. Code § 530.5(c)(1).
Every person who, with the intent to defraud, sells, transfers, or conveys the
personal identifying information, as defined in subdivision (b) of Section 530.55,
of another person is guilty of a public offense, and upon conviction therefor, shall
be punished by a fine, by imprisonment in a county jail not to exceed one year, or
by both a fine and imprisonment, or by imprisonment pursuant to subdivision (h)
of Section 1170.

Cal. Pen. Code § 530.5(d)(1).

Every person who, with actual knowledge that the personal identifying
information, as defined in subdivision (b) of Section 530.55, of a specific person
will be used to commit a violation of subdivision (a), sells, transfers, or conveys
that same personal identifying information is guilty of a public offense, and upon
conviction therefor, shall be punished by a fine, by imprisonment pursuant to
subdivision (h) of Section 1170, or by both a fine and imprisonment.

Cal. Pen. Code § 530.5(d)(2).
While the statute itself does not set forth any particular remedies in the civil context, there
remain a number of ways in which civil litigants have successfully obtained civil remedies for
identity theft violations of Cal. Pen. Code § 530.5.
Astute practitioners should be mindful of the ways Cal. Pen. Code § 496’s powerful remedial
provisions can be used in conjunction with an identity theft claim. That provision states in
pertinent part:

Any person who has been injured by a violation of subdivision (a) or (b) may
bring an action for three times the amount of actual damages, if any, sustained by
the plaintiff, costs of suit, and reasonable attorney’s fees.

Cal. Pen. Code § 496(c).
Subdivision (a) of Cal. Pen. Code § 496 criminalizes the concealing, selling, withholding, or
receiving of property obtained in any manner constituting theft and/or the aiding of another who
conceals, sells, withholds, or receives property so obtained. Courts applying this provision have
held that conduct in violation of the identity theft statute, Cal. Pen. Code § 530.5, amount to the
type of conduct specified in subdivision (a).

As such, victims of identity theft can generally bring claims for the § 496 remedies so long as the
fact pattern meets the requirements of subdivision (a). Before discussing those requirements, I
will point out what those remedies are: “A plaintiff may recover treble damages and attorney’s
fees under section 496(c) when property has been obtained in any manner constituting theft.”
Siry Inv., L.P. v. Farkhondehpour, 13 Cal. 5th 333, 361, 513 P.3d 166, 184 (2022). These
remedies include treble damages, litigation costs, and attorney’s fees. See id.
So, how does identity theft meet the requirements of § 496’s subdivision (a)? The fact pattern
must present identity theft as a property crime and the “personal identifying information” can
constitute property: “Anything that could be the subject of a theft can also be property under
section 496.” Bell v. Feibush, 212 Cal. App. 4th 1041, 1049 (2013).
California courts have held that the kind of “personal identifying information” defined in Cal.
Pen. Code § 530.55 can be the object of theft. See, e.g., CTC Real Est. Servs. v. Lepe, 140 Cal.
App. 4th 856, 860, 44 Cal. Rptr. 3d 823, 825 (2006). In that the regard, the court in People v.
Kozlowski, held that intangible property, including “personal identification numbers,” is
“property” within the meaning of the Penal Code’s theft provisions. 96 Cal. App. 4th 853, 867,
117 Cal. Rptr. 2d 504, 516 (2002). Pleading the theft of “personal identifying information” as a
theft can trigger the civil remedies available via § 496(c). See, e.g., People v. Bommarito, No.
E036695, 2006 WL 763188, at *12 (Cal. Ct. App. Mar. 27, 2006).
While Cal. Pen. Code § 496(c) provides powerful remedies, it is important to consider also the
common law remedies available for the Penal Code in general. Recall that the Penal Code itself
states “[f]or every wrong there is a remedy.” Cal. Civ. Code § 3523. Courts interpreting this
provision have often found that “Civil actions lie in favor of crime victims.” Angie M. v. Superior
Ct., 37 Cal. App. 4th 1217, 1224, 44 Cal. Rptr. 2d 197, 202 (1995).
In accordance with that principle, “[t]he violation of a statute gives to any person within the
statute’s protection a right of action to recover damages caused by its violation.” Faria v. San
Jacinto Unified School Dist., 50 Cal.App.4th 1939, 1947 (1996) (quoting Palo Alto-Menlo Park
Yellow Cab Co. v. Santa Clara County Transit Dist., 65 Cal.App.3d 121, 131 (1976)); see also
County of Los Angeles v. City of Alhambra, 27 Cal.3d 184, 195 (1980). “[A]ny appropriate
common law remedy may be resorted to.” Palo Alto-Menlo Park Yellow Cab Co., supra, at 131.
“[The Penal Code] need not provide specifically for civil damages or liability.” Michael R. v.
Jeffrey B., 158 Cal. App. 3d 1059, 1067, 205 Cal. Rptr. 312, 318 (1984). “Violation of a statute
embodying a public policy is generally actionable even though no specific civil remedy is
provided in the statute itself. Any injured member of the public for whose benefit the statute was
enacted may bring the action.” Id.; see also Laczko v. Jules Meyers, Inc., 276 Cal.App.2d 293,
295, 80 Cal.Rptr. 798 (1969). See also Cal. Pen. Code § 9 (“The omission to specify or affirm in
this Code any liability to damages, penalty, forfeiture, or other remedy imposed by law and
allowed to be recovered or enforced in any civil action or proceeding, for any act or omission
declared punishable herein, does not affect any right to recover or enforce the same.”)
California courts have permitted common law remedies for violations of § 530.5. See, e.g., CTC
Real Est. Servs. v. Lepe, 140 Cal. App. 4th 856, 860, 44 Cal. Rptr. 3d 823, 825 (2006). As the
CTC court stated, “a victim of theft is entitled to recover the assets stolen or anything acquired
with the stolen assets, even if those assets have a value that exceeds the value of that which was
stolen.” Id.
Other courts have considered the issue somewhat differently, where the theft of personal
identifying information in violation of Cal. Pen. Code § 530.5 is actionable so long as cast as a
common law tort. This is exemplified in Fremont Indemnity Co. v. Fremont General Corp.,
where a cause of action for conversion was actionable even though it was stated as theft of
intangible personal property. 148 Cal.App.4th 97 (2007). “The basic elements of the tort are (1)
the plaintiff’s ownership or right to possession of personal property; (2) the defendant’s
disposition of the property in a manner that is inconsistent with the plaintiff’s property rights;
and (3) resulting damages.” Id. at119; accord, A & M Records, Inc. v. Heilman, 75 Cal.App.3d
554, 570 (1977). Moreover, “to the extent that any such intentional misconduct rose to the level
of ‘extreme and outrageous’ it would also entitle the victim to recover damages for any resulting
“severe emotional distress.” Unterberger v. Red Bull North America, Inc., 162 Cal.App.4th 414,
423 (2008).

Alternatively, the violation of Cal. Pen. Code § 530.5 can serve, in the right circumstances, as the
basis of a negligence claim using the identity theft law to impose a duty of care. See Sierra-Bay
Fed. Land Bank Assn. v. Superior Ct., 227 Cal. App. 3d 318, 333, 277 Cal.Rptr. 753 (Ct. App.
1991) (“The adoption of a statutory standard of conduct in a negligence action may well result in
the imposition of liability where none might otherwise be imposed ... it is the tort of negligence,
and not the violation of the statute itself, which entitles a plaintiff to recover civil damages.”).
See also .” J'Aire Corp. v. Gregory, 598 P.2d 60, 62 (Cal. 1979) (“[a] duty of care may arise
through statute or by contract.”). In the data privacy context, California federal courts have
routinely imposed a duty of care on holders of private personal information. See, e.g., Kirsten v.
California Pizza Kitchen, Inc., No. 221CV09578, 2022 WL 16894503, at *7 (C.D. Cal. July 29,
2022) (collecting cases).
In sum, while the identity theft law lacks a specific private civil enforcement mechanism, actions
that violate the statue can give rise to powerful civil remedies under and Civil Code § 496(c),
civil remedies framing the actions as other types of common law torts, and theories of
negligence.