ID thefts have been and are a relevant and serious issue. They have been increasing in number each year. It is the most rapidly spreading crime area of the 21st century. Criminals are becoming more and more industrious; they find new ways to get information, their crimes get more sophisticated all the time. There is no concept of identity theft established in Lithuania and no sanctions for this specific act. Identity theft usually is understood as the use of the data identifying another person for criminal purposes. Not all cases of unlawful or improper processing, provision and obtaining of data could be called identity theft. Quite often they are misdemeanours with elements of administrative violations rather than criminal offences, however, such violations need to be prevented as well.
It should be admitted that in order to reduce the risk of this rapidly expanding crime area, it should be achieved that the use of stolen personal data rather than their stealing should be made difficult. This objective, however, is even more difficult and it will certainly have to be dealt with.
Let us briefly discuss the legal aspects of identity thefts in Lithuania:
- Article 2.20(1) of the Civil Code of the Republic of Lithuania provides that it shall be prohibited to gain rights and assume obligations under the cover of other person’s name. Article 2.23(3) of the Civil Code establishes that it shall be prohibited to collect information on another person’s private life in violation of law. Public announcement of facts of private life, however truthful they may be, in violation of law as well as other unlawful acts infringing the right to privacy shall form the basis for bringing an action for the compensation of property and non-pecuniary damage incurred by the said acts.
- It is established in Article 1(1) of the Law on Legal Protection of Personal Data of the Republic of Lithuania (hereinafter – LLPPD) that the purpose of this Law shall be safeguarding of the inviolability of an individual’s private life in the course of processing personal data. It should be noted that processing of personal data is considered lawful only when it is in compliance with the requirements of Articles 3 and 5 of LLPPD and, in relation to personal ID numbers, also with the requirements of Article 7 of LLPPD, i.e. personal data are provided for specified and legitimate purposes only to the extent necessary to achieve this purpose and only when there is at least one of the lawful processing criteria provided for in paragraphs 1 and/or 2 of Article 5 of LLPPD. Persons in breach of LLPPD are liable under the procedure prescribed by laws (administrative liability).
- It is specified in Article 69(1) of the Law on Electronic Communications of the Republic of Lithuania (hereinafter – LEC) that the use of electronic communications services, including electronic mail, for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent. This provision of LEC is applied not only in the case when direct marketing offers or spam of any other nature are sent by e-mail but also by SMS. It should be noted that, following Article 23(1)(1) of LLPPD, you have the right to get information from the data controller from what sources your personal data have been collected and what personal data have been collected.
- In accordance with Article 69(3) of LEC, it shall be prohibited to send electronic mail for the purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease. Not to get any more of direct marketing offers, you should inform the sender accordingly. Following Article(27)(3) of LLPPD, you have the right to object to the processing of your personal data without providing reasons for such objection where the data are or are intended to be processed for the purposes of direct marketing. In this case, the sender of direct marketing must suspend processing of personal data without delay and free of charge, and duly notify the data recipients.
- LEC also sets on obligation on providers of public communication networks and/or public electronic communication services to implement appropriate technical and organisational measures to safeguard the security and integrity of their services.
- There is no effective Law on Cyber-Security in Lithuania in the meantime. However, the draft Law on Cyber-Security of the Republic of Lithuania No 14-2440 has been drafted in 2014. It is available at www.lrs.lt. This Law will establish the system for ensuring cyber security in Lithuania. An information network of cyber security will be developed. It will be a safe platform for information exchange in order to share information about potential and actual incidents of cyber security, provide recommendations, instructions, technical solutions and other measures to ensure cyber security and co-operation among the network members in the area of cyber security. More favourable conditions for ensuring cyber security in Lithuania will be undoubtedly created.
- There are many articles in the Code of Administrative Offences of the Republic of Lithuania (hereinafter – CAO) providing for liability for administrative offences which are closely related to identity thefts, for example: Article 154 “Violation of the Terms and Rules of Installation, Use and Protection of the Electronic Communication Infrastructure”, Article 214(14) “Unlawful Personal Data Protection”, Article 214(15) “Unlawful Processing of Information Systems Data of the State”, Article 214(23) “Unlawful Processing of Personal Data and Violation of Privacy Protection in the Area of Electronic Communication”, Article 214(24) “Violation of Legal Acts Regulating the Activities of Certification Service Providers Issuing Qualified Certificates”, etc.
- The Criminal Code of the Republic of Lithuania (hereinafter – CC) does not provide for any sanctions for identity theft in the electronic and non-electronic space. This act has not been criminalised in Lithuania in general. Usually, an identity theft is a constituent element of other dangerous acts. The opinion prevailing in Lithuania is that the identity theft as such is not a separate violation – separate episodes of the identity theft may be treated as breaches of privacy, security or financial violations, as a preparation or attempt to commit such violations. CC provides for liability for: Article 167 “Unlawful Collection of Information about a Person’s Private Life”, Article 168 “Unauthorised Disclosure or Use of Information about a Person’s Private Life”, Article 182 “Swindling”, Article 196 “Unlawful Influence on Electronic Data”, Article 197 “Unlawful Influence on an Information System”, Article 198 “Unlawful Interception and Use of Electronic Data”, Article 198(1) “Unlawful Connection to an Information System”, Article 198(2) “Unlawful Disposal of Installations, Software, Passwords, Login Codes and Other Data”, and other Articles 207, 214, 215, and 300. In the cases when criminal liability may not be applied, administrative liability applies.
Identity thieves are on the alert. If you have any suspicions that your personal data have been or are likely to be lost, take care of your data protection: change your documents, create a new e-mail inbox, change passwords and login names, if possible, install new security measures. You can really protect or change some of the data but not all. For example, Article 8(3) of the Law on the Population Register of the Republic of Lithuania establishes that the personal ID number conferred to a person is unique and cannot be changed. It is one more reason to take all possible precautions and security measures on your own.