Thanks to Michael Fitzgibbon at Thoughts from a Management Lawyer for e-mailing me a link to the following article on the coming wave of civil liability related to identity theft. The article is a good read, not only talking about the threat of class action lawsuits, but also the damage to a corporation's reputation from privacy incidents and preparing for the worst.
Identity Theft: The Next Corporate Liability Wave:
"Your phone rings. It's Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.
Your mind begins to whirr. Are there other customers affected who haven't been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?
You recall reading that each identity theft victim will on average spend $1,495, excluding attorneys' fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims' time and you get $11,000 per case or $110 million in total even before fines and punitive damages are considered. And that's on top of the potential impact on your company's future sales.
The nation's fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies...."
Even without laws like PIPEDA, the courts are beginning to recognize that there is a duty of care in some circumstances that extends to taking reasonable measures to protect against facilitating indentity theft. (See HEALTH CARE ASSN WORKERS COMP FUND V BUREAU OF WORKERS DISABILITY from the Michigan Court of Appeals; We'll have to wait and see how the CIBC class action fares here in Canada). For those of us who advise corporations, this is certainly a risk to be aware of.