In the aftermath of the most recent incident involving Polo Ralph Lauren, Forbes Magazine is asking whether companies should be held liable for identity theft if their lax security is to blame.
Forbes.com: Are Companies Liable For ID Data Theft?:
"A case could be made that [companies whose data is stolen] do have a responsibility," says Anita L. Allen, Henry R. Silverman professor of law at the University of Pennsylvania School of Law. Publicizing private facts about people is a tort, she says, and companies can be held liable even if the victim hasn't suffered a monetary loss. "If they recklessly failed to protect the information, that might be seen by a jury or judge as highly offensive conduct," she says.
Insecure databases of online retailers and information brokers are fueling the problem, providing huge batches of potential identities to steal. So consumers are increasingly asking that businesses be held responsible for securing the personal information they maintain.
In the wake of its security breach, ChoicePoint offered one year's worth of free credit monitoring to the consumers affected. But attorney Peter A. Binkow says consumers deserve more, even though most have not yet been the victim of fraud.
"While that might be a step in the right direction, our belief is that [ChoicePoint's offer] is not enough," he says. One year "is not enough time to see if someone has misused their information."
Binkow's firm, Glancy, Binkow & Goldberg, has filed a class-action suit against ChoicePoint on behalf of consumers who had their information exposed, and he plans to ask for an extension of the one-year monitoring, as well as for the establishment of a system to help consumers who do get hit by fraud. They may also seek monetary damages.
ChoicePoint became aware of the problem when Eileen Goldberg, the mother of one of the company's partners, received a letter from ChoicePoint saying that her personal information had been exposed. She didn't know what to do and took it to her son.
Binkow says ChoicePoint needs to take responsibility for the consumers who don't have those sorts of resources and will likely be confused about how to protect themselves. "I'm an attorney, and I'm fairly confused by this stuff," says Binkow. "If I found out my identity had been stolen, I wouldn't know where to start."
It's unlikely that a court would award monetary damages, unless a judge or jury wanted to make an example of the offending company, according to attorney Allen. But a court might well order remedies like added security precautions or help with credit monitoring.
Unlike ChoicePoint, retail businesses like DSW and Ralph Lauren Polo don't trade in sensitive information like Social Security numbers. But they still might be held responsible for exposing credit-card numbers, particularly if the breach occurred because of poorly implemented or maintained security technology.
Companies are free to establish their own privacy and security policies (most if not all online businesses, including Forbes.com, state their privacy policies online), but all are mandated by the U.S. Federal Trade Commission to follow their stated policies. If they do not, says Allen, they could be charged with fair trade violations. Beyond that, a court might force a company to pay damages if it's clear it didn't do everything it could to protect its customers.
"If some company is extremely negligent in the way they handle data, they could be liable for damages," says Allen. "Any business that exists online has to worry about this.""