Don't be liable for identity theft

[A slightly edited version of the article below was just published in the December 2005 edition of Business Voice.]

Identity theft, we are told, is one of the fastest growing crimes in North America, claiming thousands of new victims every year. This crime most often involves using the personal information of unsuspecting victims to obtain goods and services, including credit, in the names of those victims. How the fraudsters obtain personal information varies and, unfortunately, their ingenuity apparently knows no bounds. Identity theft is obviously a problem for its victims but it also presents significant legal risk to businesses.

Every business in Atlantic Canada that handles customer information is subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Among its many requirements, PIPEDA requires every business to implement safeguards to protect personal information against inappropriate use and disclosure. The form of the safeguards depends upon the sensitivity of the information: if misuse of the information could lead to fraud or identity theft, the safeguards must be appropriately robust.

Unfortunately, businesses are often the weak link in the data protection chain, jeopardizing their customers and their own business reputations. In the first half of this year, the media reported on a series of incidents that resulted in the disclosure or theft of the personal information of almost two million Americans. We are not immune here in Canada: some may recall the attention given to the accidental faxing of the personal information of thousands of bank customers to a junkyard in the United States. More shocking was the discovery made by police in Alberta this past winter: piles of extremely sensitive information on senior provincial public servants, including credit reports, were found in a methamphetamine lab. Further investigations showed that drug addicts are being hired by identity thieves to steal personal information by a number of means, including “dumpster diving” in the trash receptacles and recycling bins of businesses. It would be foolish to assume that this does not occur in Atlantic Canada.

Businesses that do not adequately lock up personal information can find themselves legally and financially liable to the victims of identity theft and other forms of fraud. In April of this year, a number of identity theft victims in Michigan successfully sued a trade union because it allowed the information of its members to be misused. The high-profile misdirected fax incidents spawned a class-action lawsuit in Ontario, alleging that the bank involved should have to pay compensation for the increased risk of identity theft, plus the actual cost of more vigilant credit monitoring. These lawsuits relate to inadequate safeguards, but it will not be long before individuals whose identities are stolen seek recourse against credit grantors and others who extended facilities to the impostors, arguing that they did not do enough to verify the identity of the person seeking credit. These plaintiffs will be seeking damages related to the costs of repairing their credit and, perhaps, opportunities they have lost due to an unfavourable credit rating. PIPEDA, to which all Atlantic Canadian businesses are subject, allows individuals to seek damages in the Federal Court for any harm they may have suffered, including any embarrassment caused by a leak of personal information.

So what does all this mean to businesses? Anybody in possession of personal information that would be useful in committing identity theft, or whose disclosure might be embarrassing to the individual, has an obligation to protect that information against all risks. This obligation is already set out in PIPEDA, and the common law will likely also impose a duty of care where the risk of identity theft is foreseeable. (In the current climate, it would be difficult to argue that identity theft is not foreseeable.)

Business owners also need to be very careful to supervise employees. A significant portion of the fraud committed can be traced to dishonest employees who misuse the information they have access to, or who even participate in activities such as “card skimming”, where information is copied from credit cards and debit cards. All employers need to be aware that the courts will generally hold them legally and financially responsible for the misdeeds of their employees.

Credit grantors in particular have to be even more vigilant in establishing the identities of those to whom they extend credit. This will not only protect against credit losses, but will also reduce the likelihood that your company becomes the subject of privacy complaints and litigation. In this effort, privacy laws unfortunately pull businesses in two different directions. On one hand, credit grantors should clearly establish the identity of an applicant. On the other hand, the law says that they can only collect information that is reasonably necessary in the circumstances. To satisfy both, businesses need to establish reasonable policies and practices on how identity will be confirmed and how that information will subsequently be used. Doing so simply makes business sense in this legal climate.

While legal liability may appear remote to many businesses, a single incident can destroy the business reputation that you have worked years to develop. Surveys have shown that customers are increasingly concerned about their personal information and are making buying decisions based upon which businesses they trust. If word gets out that your business is not doing what is necessary to protect customer information, it can be shunned by consumers, with a dramatic effect on your bottom line.

Tips for Protecting Information

  • Only collect the minimum amount of information that is necessary for carrying on your business. The more information you have, the greater the likelihood of loss and of consequences such as fraud.

  • Information that is no longer required must be securely disposed of. This involves shredding all paper that contains personal information and making sure that the hard drives of all surplus computers are completely wiped clean of data.

  • Carefully screen all employees who will have access to personal information.

  • Carefully restrict employee access to personal information, on a need-to-know basis.

  • Carefully vet all service providers, such as cleaning companies and data processors, and require them to sign non-disclosure agreements and indemnities in case they misuse personal information or allow its disclosure.
