Your phone rings. It’s Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.

Your mind begins to whirr. Are there other customers affected who haven’t been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit? You recall reading that each identity theft victim will on average spend $1,495, excluding attorneys’ fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2,000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Add as little as $15 per hour for the victims’ time and you get $11,000 per case, or $110 million in total, even before fines and punitive damages are considered. And that’s on top of the potential impact on your company’s future sales.

The nation’s fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies. Criminals have realized that stealing confidential personal information can be extremely profitable. Hard-core hackers, street criminals, and domestic and international organized crime rings have flocked to the high-reward, low-risk arena of personal data theft, with staggering results. According to the most recent data available from the Federal Trade Commission (FTC), U.S. businesses and financial institutions lost approximately $48 billion as a result of these crimes in 2002.

The FTC estimates that over 24 million people in the United States have had their identity stolen. The $11,000 damage figure per case developed above represents over $26 billion of potential liability if fault can be ascribed to the data holder. Customer and employee databases are prime targets for identity thieves because a single vulnerability in a company’s information security can yield access to personal data on thousands of persons. In addition to the growing threat of class action lawsuits, new laws are coming into effect to hold organizations responsible for securing personal data. Companies should evaluate this risk and consider taking action to reduce their potential liability.

THIEVES FROM WITHOUT AND WITHIN

Theft of personal information can be committed by hackers and other criminals outside your organization, or by employees, contractors and others working inside the company. Organized crime rings may bribe or threaten employees to get them to provide such data. They may even get a member or a friend hired into a position at an organization that will give them access to personal data. Consider the following recent examples:

• A hacker broke into the customer database of an online retailer and demanded $100,000 in ransom for the stolen information. When the company refused, the hacker posted the credit card numbers of 25,000 customers on the Internet.

• Two laptops were stolen from the car of a financial services company employee. They contained Social Security numbers, credit scores and other personal information on over 200,000 customers.

• A computer helpdesk employee at a company that works with major credit databases stole passwords and access codes to download more than 30,000 consumer credit reports. He sold the information to identity thieves who used it to access the victims’ bank accounts and open credit card accounts in their names. Losses from the scheme are estimated at between $50 million and $100 million.

POTENTIAL LIABILITY

The Fair and Accurate Credit Transactions Act (FACT Act) was signed by President Bush on Dec. 4, 2003, and will affect virtually all companies in the U.S. Among its provisions, this law mandates that businesses must take reasonable measures to destroy information derived from consumer credit reports before discarding them, with effect from June 1, 2005. Shredding papers and wiping or destroying hard drives and backup media will be standard. From December 2006, merchants accepting credit cards must leave all but the last five digits off printed receipts.

Other federal laws impose a duty to safeguard consumer information in certain areas. For example, under Title V of the Gramm-Leach-Bliley Act (GLB), financial institutions are required to take steps to protect their customers’ data, and face the possibility of fines or jail time for failure to comply. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict guidelines on healthcare plans and providers to guard against the disclosure of patient data.

Aside from these statutes, there are a number of other theories under which liability can and has arisen over the disclosure of customer data. These typically focus on the failure to provide adequate security or the failure of companies to follow their own data security policies. Consider the following examples:

• In 2003, Victoria’s Secret settled a deceptive advertising suit brought by the New York Attorney General after it was found that personal information of the company’s customers was inadvertently made accessible on the company’s Web site. This was contrary to the company’s Internet privacy policy, which stated that customer information was stored in private files on a secure server.

• In 2003, Guess? Jeans settled charges brought by the Federal Trade Commission under Section 5(a) of the Federal Trade Commission Act for unfair or deceptive acts. A statement on the company’s Web site said that customer data was stored in an unreadable, encrypted format, but a hacker obtained access to approximately 200,000 credit card numbers in a clearly readable format. The FTC asserted that Guess?’s representation about encryption was false and misleading, and that the company had failed to implement reasonable security measures.

• TriWest Healthcare Alliance, a private company that manages HMO programs for the Defense Department, currently faces a class action suit for negligence resulting from a burglary in which computer hard drives containing the names of over 500,000 military personnel were stolen.

• Companies can also face liability for failing to notify customers when a security breach has occurred. In July 2003, California passed the Security Breach Information Act (CSBIA), which requires any person or business conducting business in California to disclose security breaches involving unencrypted personal data to any California resident whose information was or is believed to have been acquired by an unauthorized person. CSBIA was the first law in the U.S. expressly creating such liability. Several other states have laws relating to the disposal of records containing personal information.

REASSESSING RISK AND SECURITY FOR PERSONAL DATA

• Only hold personal data you need. Nonessential data can be a liability rather than an asset. Do you really need customers’ Social Security numbers? Do you have to store their credit card numbers forever? Avoid gathering nonessential personal data, archive it after use rather than storing it in readily accessible customer master files, and discard or archive data for inactive accounts.

• Keep personal data secure. Store data securely, preferably in encrypted form. Avoid storing personal data on laptops, PDAs and other mobile devices. Limit access to only those who need it. Have a full audit trail of who accesses each record. Restrict large-scale downloads and monitor employees for unusual access volume or timing. Ensure good physical as well as information systems security over personal data. Consider the security aspects of how you transmit personal data to customers and employees. Sending thousands of letters or e-mails with such data is asking for trouble, as they may be intercepted.

• Do what you say you’ll do. Only promise employees and customers a level of personal data security that you can deliver. Whatever you promise, ensure you adhere to it.

• Make security a priority with your employees. Background checks are essential on all employees who will have access to personal information. This will not guarantee that you will be protected from employee theft — studies show that employees who commit white-collar crime tend to be first-time offenders — but it will help protect you from predatory employees. Also, in the event of a security breach by an employee, the fact that you conducted background checks will help demonstrate that you took reasonable precautions to guard against theft. In addition to background checks, employees should be required to sign non-disclosure agreements that prohibit them from misusing confidential data. More importantly, enlist all employees to help protect the security of sensitive personal data. Develop a written data security policy that clearly explains what data is considered confidential and what steps employees are expected to take to safeguard that data. Regularly train your employees on acceptable security practices and remind them of their legal obligation to protect customer information. Ensure they know that their access to such data is monitored and recorded to help prevent and detect data theft. Remind them that such theft is a crime and communicate your policy (if that is the case) of referring to the authorities all such cases for prosecution.

• Don’t forget your vendors. If you use vendors to handle, process, or store personal data, ensure that their data security measures at least equal yours. Require those vendors to sign nondisclosure agreements to protect that data. Insist on periodic security audits and vulnerability assessments to make sure your data is being securely handled.

• Test your plan. Once you’ve put in place appropriate measures, have internal auditors or independent data security experts test them periodically, looking for holes. It’s better that you find them before someone else does.

• Plan for the worst. No matter how good your information security system is, there is always the potential for a breach. If a worst-case scenario occurs, be ready to deal with it quickly. Have a written response plan in place to deal with data recovery, customer notification, public relations, and legal issues.

CONCLUSION

Identity theft has evolved from a consumer fraud issue into a serious threat to corporate reputations and finances. Businesses need to recognize this new dynamic and ensure their business practices reflect the new risk/reward relationship for holding customer and employee personal data. Companies that fail to do so risk not only heavy short-term costs but also a loss of trust and future support that could be even more damaging.

Toby J.F. Bishop is president and chief executive officer, and John Warren is general counsel, of the Association of Certified Fraud Examiners. They may be reached at 512-478-9000.

Subscribe to The Corporate Counselor.
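The article recommends keeping a full audit trail of record access and monitoring employees for unusual access volume or timing. The following is an added example, not part of the article, showing one way to run that check over audit-trail lines; the log format, the business-hours window and the daily volume threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-trail lines (assumed format): timestamp user action record-id
SAMPLE_AUDIT_LOG = """\
2004-03-01T09:12:04 alice VIEW cust-1001
2004-03-01T09:15:30 alice VIEW cust-1002
2004-03-01T10:02:11 bob VIEW cust-2001
2004-03-01T23:41:09 carol EXPORT cust-3001
2004-03-01T23:41:10 carol EXPORT cust-3002
2004-03-01T23:41:11 carol EXPORT cust-3003
2004-03-01T23:41:12 carol EXPORT cust-3004
2004-03-01T23:41:13 carol EXPORT cust-3005
2004-03-01T23:41:14 carol EXPORT cust-3006
2004-03-02T14:20:00 bob VIEW cust-2002
"""

BUSINESS_HOURS = (8, 18)   # assumed: accesses from 08:00 up to 18:00 are normal
MAX_RECORDS_PER_DAY = 5    # assumed: more distinct records per user per day is unusual


def parse_audit_log(text):
    """Parse whitespace-separated 'timestamp user action record' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def flag_unusual_access(events, max_per_day=MAX_RECORDS_PER_DAY, hours=BUSINESS_HOURS):
    """Return {user: set of reasons} for users whose access volume or timing is unusual."""
    per_day = defaultdict(set)   # (user, date) -> distinct record ids touched that day
    findings = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["record"])
        if not (hours[0] <= e["ts"].hour < hours[1]):
            findings[e["user"]].add("off-hours access")
    for (user, day), records in per_day.items():
        if len(records) > max_per_day:
            findings[user].add(f"{len(records)} records on {day}")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in flag_unusual_access(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(user, sorted(reasons))
```

Flagged users are candidates for review against the access they were granted, not proof of theft; the thresholds should be tuned to each role's normal workload.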

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.