No technology issue concerns — or should concern — businesses, individuals and government regulators more than Internet identity theft. The statistics are staggering. Just recently, for example, LexisNexis reported that unauthorized individuals apparently took personal information on more than 30,000 Americans from its database by stealing logins and passwords of legitimate customers. Another data broker, ChoicePoint Inc., recently reported a possible theft of similar data from as many as 145,000 people. But those numbers look small (except, of course, to the affected individuals) when compared with the identity theft problem acknowledged recently by Bank of America — involving about 1.2 million federal employees. [FOOTNOTE 1] Indeed, reports suggest that Americans are the victims of identity theft every 10 seconds, totaling about 3.2 million incidents per year. [FOOTNOTE 2]

Last year, according to a report by Consumer Sentinel, the complaint database developed and maintained by the Federal Trade Commission [FOOTNOTE 3], the New York-Northern New Jersey-Long Island metropolitan area ranked 20th for identity theft-related complaints among major metropolitan areas with a population of 1 million or more (the Phoenix-Mesa-Scottsdale metropolitan area ranked first). New York ranked seventh among the states with 92 identity-theft victims per 100,000 population.

Admittedly, a good portion of these occurrences do not involve the Internet or technology at all, but rather result from more “typical” acts such as the simple theft of a wallet or purse, “dumpster diving,” where criminals pull confidential papers from garbage cans, or even sending a change of address form to the postal service so a homeowner’s mail is directed elsewhere and the information misappropriated.

Much identity theft, however, is committed through the Internet, by methods ranging from hacking into online databases to “phishing,” a fraud where Web surfers are tricked into providing confidential information to con artists who copy legitimate Web site designs and logos. [FOOTNOTE 4] The newest ruse is “pharming,” that is, spoofing a domain name registered by a legitimate company so that it is reassigned, without the registrant’s knowledge or consent, to a different Internet Protocol address, where a fake Web site has been created. In phishing, an affirmative action in response to an e-mail is required and it can usually be detected by the intended victim if he looks at the URL that appears after clicking on the e-mail link. By contrast, a pharming victim is unlikely to be aware that he has been directed to a fake site because the URL displayed in the browser will display the correct information. [FOOTNOTE 5] Once the fake Web site is accessed by the user, it is a simple matter to collect information voluntarily provided by that user in reliance on what is believed to be a legitimate Web site. The information obtained by the thieves can be used to empty bank accounts, obtain services, get loans, file for benefits and enter into leases and other contractual agreements.

How brash are some Internet identity thieves? In February, the Internet Fraud Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, advised that the FBI had become aware of spam e-mail fraudulently claiming to be from the complaint center that was intended to entice the recipient to open the e-mail attachment containing a W32/Mydoom virus. [FOOTNOTE 6]

WHAT BUSINESSES CAN DO

It is almost impossible for businesses to operate and not collect or hold personally identifying information — names and addresses, Social Security numbers, credit card or other account numbers — about customers, employees or business partners.
When this information falls into the wrong hands, it could put these individuals at risk for identity theft and the companies at risk for lawsuits. Not all personal information can lead to identity theft, and thus businesses do not have to treat all personal information the same. Still, there are some important steps that companies should take that will have the dual benefit of protecting this information and limiting their potential liability in the event the wrong people were to gain access to it. Most importantly, businesses should take steps to protect information before there has been access, including limiting their use of sensitive information, such as Social Security numbers, to true necessity rather than mere convenience, protecting the integrity of their computer Internet and intranet resources and maintaining vigilance for early detection of problems. [FOOTNOTE 7]

When a company discovers that information has been stolen that could result in harm to a person or business, the company should contact its counsel and the local police to explain the situation and the potential risk for identity theft. Additionally, because local police are often unfamiliar with investigating information compromises — and it is often a problem of national, if not international, scope — the company should probably contact the local FBI office or the local U.S. Secret Service office. Where mail theft is involved, the U.S. Postal Inspection Service should be called.

A company that suffers a theft of confidential information can find that it might have an impact on other businesses, such as banks or credit issuers. If a company discovers that account access information such as credit card or bank account numbers has been stolen, it should notify the institutions that maintain the accounts.
By the same token, when a business that collects or stores personal information on behalf of other companies discovers a security breach, it should notify those businesses for which it handles that data. The major credit bureaus — Equifax, Experian and Trans Union — should be contacted if names and Social Security numbers are stolen. It may be appropriate to have the credit bureaus inform the individuals whose information has been lost that they can request fraud alerts for their files.

Where an information compromise results from the improper posting of personal information on a Web site, the company should immediately remove the information from the site. It is important to understand, too, that Internet search engines store, or cache, information for a period of time. Search engines can be contacted to ensure that they do not archive personal information that was posted in error.

Another step that companies can take following an information breach is to notify the affected individuals — the earlier, the better. Doing so can allow them to take steps to minimize the misuse of information. Not every loss of data should necessarily lead to such notification. To determine whether to notify individuals, a company should consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from misuse. Stolen names and Social Security numbers can be used to cause significant damage to a victim’s credit record; a phone number can be a different matter altogether.

The FTC recommends that, when notifying individuals, a company:

• consult with law enforcement about the timing of the notification so it does not impede the investigation;
• designate a contact person within the company to release information and provide the contact person with the latest information about the breach, the company’s response, and how individuals should respond;
• consider using letters, Web sites, and toll-free numbers as methods of communication with those whose information may have been compromised;
• explain the responses that may be appropriate for the type of information taken, such as the need to ask credit bureaus that fraud alerts be placed on credit reports when Social Security numbers have been stolen; [FOOTNOTE 8]
• provide current information about identity theft; [FOOTNOTE 9] and
• provide contact information for the law enforcement officer working on the case (as well as the case report number, if applicable) for victims to use.

LEGISLATION

Few statutes govern issues that can arise from Internet identity theft. California requires that, in certain situations, consumers must be notified when the security of their personal data has been breached. [FOOTNOTE 10]

The New York legislature is considering legislation similar to the California statute. Assembly bill 4254 and Senate bill 2161 would require any state agency or business that owns or licenses a computerized database that includes “vulnerable personal information” [FOOTNOTE 11] to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person. Significantly, they allow for recovery of damages by victims of such an attack. Another bill, A. 5487, the “Personal Information Protection Act,” would require disclosure by businesses of breaches of security of data systems to affected persons; provide for administration by the department of state; require use of best available technology to detect breaches of security; and provide for a private right of action.

Laws being considered in other states — including Florida, Texas and Washington — may apply to New York businesses and should not be ignored. There also may be legislation passed by Congress that would provide authority to the FTC to oversee companies that collect and sell information on consumers. [FOOTNOTE 12]

It is important for companies to remain vigilant in their efforts to protect confidential information, even in the absence of governing legislation, as a way of minimizing litigation exposure and as a matter of good business policy.

Shari Claire Lewis is a partner at Uniondale’s Rivkin Radler, where she specializes in litigation in the areas of Internet, domain name and computer law as well as professional liability and medical device and product liability.

::::FOOTNOTES::::

FN1 See Data broker reports breach; 32,000 personal records vulnerable. Multiple individual and class actions have been filed against ChoicePoint in connection with the theft of the personal information and in connection with the decline in ChoicePoint stock. See, e.g., ChoicePoint Class Suit.

FN2 See Gary Rivlin, “Purloined Lives,” New York Times, March 17, 2005, at C1.

FN3 See National and State Trends in Fraud & Identity Theft, January-December 2004.

FN4 See Shari Claire Lewis, “Phishing,” NYLJ, Nov. 9, 2004 at 5; see also FTC, Justice Department Halt Identity Theft Scam, (press release reporting on actions brought by FTC and Justice Department “to shut down a spam operation that hijacked logos from AOL and Paypal to con hundreds of consumers into providing credit card and back account numbers”).

FN5 See William Jackson, Is a new ID theft scare in the wings?, Government Computer News, Jan. 14, 2005; see also Robert Vamosi, Alarm over pharming attacks; Identity theft made even easier, CNET Reviews, Feb. 18, 2005.

FN6 See ATTENTION — FRAUDULENT FBI.GOV SPAM E-MAIL!!!. The New York Times has reported that 19,000 people who had signed up for a newsletter for the Broadway musical “Spamalot” may have had their names and postal and e-mail addresses exposed, possibly leading to their becoming recipients of spam. See David F. Gallagher, What to Expect of ‘Spamalot’? A Lot of Spam, New York Times, March 12, 2005.

FN7 See an FTC report, Information Compromise and the Risk of Identity Theft: Guidance for Your Business; see also this BBBOnline listing, providing suggestions for businesses to incorporate to guard their computer system against hackers, from limiting access to use of firewalls and regularly checking for suspicious activity.

FN8 For information on appropriate follow-up after an information compromise, see ID Theft.

FN9 Identity theft resources are available at a variety of Web pages, including ID Theft, FDIC Consumer Alerts, Identity Theft & Fraud, Identity Theft & Your Social Security Number and Identity Theft: What To Do If You’ve Been Victimized.

FN10 See California S.B. 1386.

FN11 Under the bill, “personal information” means any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person. “Vulnerable personal information” means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number; or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. “Vulnerable personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.

FN12 See S. 500 and H.R. 1080

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.