Don't be liable for identity theft

[A slightly edited version of the article below was just published in the December 2005 edition of Business Voice.]

Don't be liable for identity theft

Identity theft, we are told, is one of the fastest growing crimes in North America, claiming thousands of new victims every year. This crime most often involves using the personal information of unsuspecting victims to obtain goods and services, including credit, in the names of those victims. How the fraudsters obtain personal information varies and, unfortunately, their ingenuity apparently knows no bounds. Identity theft is obviously a problem for its victims but it also presents significant legal risk to businesses.

Every business in Atlantic Canada that handles customer information is subject to the Personal Information Protection and Electronic Document Act (“PIPEDA”). Among its many requirements, PIPEDA requires every business to implement safeguards to protect personal information against inappropriate use and disclosure. The form of safeguards depends upon the sensitivity of the information. If the misuse of the information could lead to fraud or identity theft, the safeguards must be appropriately robust.

Unfortunately businesses are often the weak link in the data protection chain, jeopardizing their customers and their own business reputations. In the first half of this year, the media reported on a series of incidents that resulted in the disclosure or theft of personal information of almost two million Americans. We are not immune here in Canada: Some may recall the attention given to the accidental faxing of the personal information of thousands of bank customers to a junkyard in the United States. More shocking was the discovery made by police in Alberta this past winter: piles of extremely sensitive information, including credit reports, on senior provincial public servants were found in a methamphetamine lab. Further investigations showed that drug addicts are being hired by identity thieves to steal personal information by a number of means, including “dumpster diving” in the trash receptacles and recycling bins of businesses. It would be foolish to assume that this does not occur in Atlantic Canada.

Businesses that do not adequately lock up personal information can find themselves legally and financially liable to the victims of identity theft and other forms of fraud. In April of this year, a number of identity theft victims in Michigan successfully sued a trade union because information of its members to be misused. The high profile misdirected faxes incidents spawned a class-action lawsuit in Ontario, alleging that the bank involved should have to pay compensation for the increased risk of identity theft, plus the actual cost of more vigilant credit monitoring. These lawsuits relate to inappropriate safeguards, but it will not be long before individuals whose identities are stolen will seek recourse against credit grantors and others who offered facilities to the impostors, arguing they did not do enough to verify the identity of the person seeking credit. These plaintiffs will be seeking damages related to the costs of repairing their credit and, perhaps, opportunities they have lost due to an unfavourable credit rating. PIPEDA, to which all Atlantic Canadian businesses are subject, allows individuals to seek damages in the Federal Court for any harm they might have suffered, including any embarrassment that might have been caused by a leak of personal information.

So what does all this mean to businesses? Anybody in possession of personal information that would be useful to commit identity theft or the disclosure of which might be embarrassing to the individual has an obligation to protect that information against all risks. This obligation is already set out in PIPEDA and the common law will likely also impose a duty of care where the risk of identity theft is foreseeable. (In the current climate, it would be difficult to argue that identity theft is not foreseeable.)

Business owners also need to be very careful to supervise employees. Significant portions of fraud committed can be traced to dishonest employees who misuse the information they have access to or even participate in activities such as “card skimming”, where information is taken from credit cards and debit cards. All employers need to be aware that the courts will generally hold them legally and financially responsible for the misdeeds of their employees.

Credit grantors in particular have to be even more vigilant in establishing the identities of those to whom they extend credit. This will not only protect against credit losses, but will reduce the likelihood that your company will be the subject of privacy complaints and litigation. In this effort, privacy laws unfortunately pull businesses in two different directions. On one hand, credit grantors should clearly establish the identity of an applicant. On the other hand, the law says that they can only collect information that is reasonably necessary in the circumstances. To satisfy both, businesses need to establish reasonable policies and practices on how identity will be confirmed and how that information will be subsequently used. Doing so simply makes business sense in this legal climate.

While legal liability may appear remote to many businesses, a single incident can destroy your business reputation that you have worked years to develop. Surveys have shown that customers are increasingly concerned about their personal information and are making buying decisions based upon what businesses they trust. If word gets out that your business is not doing what is necessary to protect customer information, it can be shunned by consumers with dramatic effect on your bottom line.

Tips for Protecting Information

• Only collect the minimum amount of information that is necessary for carrying on your business. The more information you have, the greater the likelihood of loss and the consequences such as fraud.
• Information that is no longer required must be securely disposed of. This involves shredding all paper that contains personal information and making sure that all hard-drives of surplus computers are completely wiped clean of data.
• Carefully screen all employees who will have access to personal information.
• Carefully restrict employee access to personal information, on a need-to-know basis.
• Carefully vet all service providers, such as cleaning companies and data processors, and require them to sign non-disclosure agreements and indemnities in case they misuse personal information or allow its disclosure.