Criminalizing the Overseas Sale of Stolen U.S. Financial Information

In the last of our series on the need for limited updates to laws enhancing cybersecurity while protecting individual rights, this post will describe a proposal that is geared toward shutting down the international black market for Americans’ stolen financial information.  One of the most common motivations for hacking is the theft of financial information.  In recent years, organized, multinational criminal enterprises have arisen to steal large volumes of credit card numbers and other personally identifiable information.  Middlemen then sell the stolen data to the highest bidder, often using underground “carding” forums.  The amendments are aimed at making sure that these middlemen — those who profit from the sale of stolen financial data of Americans — can be brought to justice even if they are operating outside of the United States.

Here is the problem.  Current law makes it a crime to sell “access devices” such as credit card numbers.  The law allows the government to prosecute offenders located outside the United States if the credit card number involved in the offense was issued by an American company and meets a set of additional requirements.  In the increasingly international marketplace for stolen financial information, however, these requirements have proved increasingly  unworkable in practice.  The government has to prove either that an “article” used in committing the offense moved though the United States, or that the criminal is holding his illicit profits in an American bank.  But when you steal only digital data, it’s not clear what “article” could be involved.  And of course, foreign criminals generally move their money back to their home country.

The upshot is that these requirements unduly limit the Department of Justice’s ability to prosecute criminals residing outside of the United States who commit crimes that harm Americans.  Indeed, law enforcement agencies have identified foreign-based individuals holding for sale vast quantities of credit card numbers issued by American financial institutions where there is no evidence that the person selling the numbers is the one who stole them, and no evidence of “articles” in the United States.  The United States has a compelling interest in prosecuting such individuals because of the great harm they cause to U.S. financial institutions and citizens.

That’s why we’ve proposed an amendment that would strike the unnecessary language in the current statute.  It would permit the United States to prosecute anyone possessing or trafficking in credit card numbers with intent to defraud if the credit cards were issued by a United States financial institution, regardless of where the possession or trafficking takes place.  This kind of jurisdiction over conduct that occurs abroad is fully consistent with international norms and other criminal laws aimed at protecting Americans from economic harm.  Moreover, in an era of global cybercrime where criminals steal Americans’ financial information so that they can traffic it abroad, it is necessary to prevent criminals from victimizing our citizens with impunity.