Spring 2011 / Volume CXI No. 2

Identity Theft and Data Protection

Technology enables us to purchase the products we want at the lowest price without leaving our chairs.  The ease of everyday business is one of the great benefits of life in the 21st century.  With this ease, however, comes a certain level of risk: every transaction leaves a record of the buyer's personal information, and that information is vulnerable to identity thieves.  Once thieves acquire these details, they can assume someone else's identity and obtain goods and services in that person's name.  Identity theft has become a problem of near-crisis proportions, creating havoc for individual consumers, financial hardship for many companies, and an overwhelming burden for law enforcement.  For that reason, businesses are now legally required to take precautions, both in protecting personal information so that thieves do not obtain it in the first place, and in preventing thieves from buying goods with a stolen identity if they do.

Legal and Industry Obligations Regarding Data Security

Companies are increasingly at risk of unintended disclosure of the personal records in their possession, particularly those of customers and employees.  In 2010, 662 data breaches were reported to the Identity Theft Resource Center, a non-profit organization that works to prevent identity theft.  Those breaches exposed more than 16 million records to possible fraudulent use.  A data breach may be as simple as the loss of a laptop or as involved as a criminal ring attacking a company's databases.

These breaches play a large part in the ability of identity thieves to operate.  With the right combination of identifying information, such as a name, Social Security number, account number or mother's maiden name, a thief can fraudulently open new accounts in the victim's name and gain access to existing ones.  The personal havoc of a damaged credit history is incalculable.  The financial and reputational damage to the company involved is something no business wants to learn about first hand.

Laws exist to protect personal data at both the state and federal level.  The state laws vary considerably, but many require that a business holding personal information maintain reasonable security measures to protect it.  Some states are stricter than others.  Massachusetts, for example, requires a Written Information Security Program ("WISP"), and its law applies to any business, wherever located, that stores the personal information of a Massachusetts resident.  If a data breach does occur, almost all states require that affected individuals be notified.  Many laws also govern the disposal of personal information, requiring that paper records be shredded and that devices containing personal information, such as computer hard drives, be physically destroyed or demagnetized.

On the federal level, the Federal Trade Commission takes the position that a company's privacy policy is, in effect, a "promise."  A business's failure to keep that promise is an unfair or deceptive practice under Section 5 of the FTC Act.  The FTC has also taken the position that it is an unfair practice for a business to fail to maintain an information-security program, even if the company never expressly promised to do so.  In addition, the federal Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act, requires every merchant to truncate the card number on electronically printed receipts given to the cardholder (no more than the last five digits may appear) and to leave the expiration date off the receipt entirely.
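The truncation requirement is the one concrete data-handling control in this article, so here is how a merchant's receipt code might apply it and how an audit check could catch a receipt that violates it.  This is an added example written for this page, not code from JVC or from any payment processor.  The merchant name, amounts and card numbers are constructed test values; the regular expressions and the Luhn check are the example's own assumptions about what a card number and an expiration date look like in receipt text, and it masks to the last four digits (stricter than the statute's five) so the output also fits the usual PCI DSS masking limit.

```python
import re

# Added example (not JVC material). The FACTA truncation provision bars printing
# more than the last five digits of a card number, or any expiration date, on an
# electronically printed receipt handed to the cardholder at the point of sale.
# Two pieces a merchant system would want:
#   1. truncate_pan(): the formatting step that keeps only the last four digits.
#   2. find_receipt_violations(): an audit over receipt text that flags a full
#      Luhn-valid card number or an MM/YY expiration date that slipped through.
# All card numbers below are constructed test values, not real accounts.

DIGITS_SHOWN = 4


def _luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a card number from an unrelated run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the receipt form of a card number: all but the last four digits masked.

    Spaces and dashes are dropped before masking. Anything that is not a plausible
    card number raises, so a bad value fails loudly instead of being printed as-is.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not a card number")
    return "*" * (len(digits) - DIGITS_SHOWN) + digits[-DIGITS_SHOWN:]


def receipt_text(merchant: str, amount_cents: int, pan: str) -> str:
    """Build the cardholder receipt.

    The expiration date is deliberately not a parameter: the receipt layer never
    receives it, so it cannot be printed by mistake.
    """
    dollars, cents = divmod(amount_cents, 100)
    lines = [
        merchant,
        f"TOTAL   ${dollars:,}.{cents:02d}",
        f"CARD    {truncate_pan(pan)}",
    ]
    return "\n".join(lines) + "\n"


# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY not followed by a further date component, so a purchase date like 03/15/2011 is not flagged.
# A purchase date printed as bare MM/YY would still trip this and needs a human look.
_EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}(?![\d/])")


def find_receipt_violations(text: str) -> list[tuple[str, str]]:
    """Scan receipt text for data that must not be printed.

    Returns (kind, evidence) pairs. Evidence for a card number is its masked form,
    so the audit log does not become one more place the full number lives.
    """
    findings = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if _luhn_ok(digits):
            findings.append(("full card number", truncate_pan(digits)))
    for m in _EXPIRY_RE.finditer(text):
        findings.append(("expiration date", m.group()))
    return findings


# Constructed receipts for demonstration: one non-compliant, one produced by receipt_text().
BAD_RECEIPT = "ACME JEWELERS\nTOTAL   $1,250.00\nCARD    4111 1111 1111 1111\nEXP     04/13\n"
GOOD_RECEIPT = receipt_text("ACME JEWELERS", 125000, "4111 1111 1111 1111")

if __name__ == "__main__":
    print(GOOD_RECEIPT)
    print(find_receipt_violations(BAD_RECEIPT))   # flags the card number and the expiry
    print(find_receipt_violations(GOOD_RECEIPT))  # []
```

Running `find_receipt_violations` over receipt templates or a sample of generated receipts is a cheap regression check after a point-of-sale software change; the Luhn filter keeps order numbers and long totals from being reported as card numbers, and the masked evidence keeps the audit output itself out of scope.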

Non-compliance with the state and federal laws described here exposes companies to regulatory fines and penalties.  Moreover, when a data breach occurs, a failure to comply with applicable regulations is often cited as evidence of inadequate security in lawsuits brought by affected consumers.

In addition to government requirements, the credit card industry has voluntarily adopted data-protection standards that it enforces privately.  The Payment Card Industry Data Security Standard (PCI DSS) was created by a consortium of card brands including American Express, Discover, MasterCard and VISA.  The specific requirements of PCI DSS are available for review at www.pcisecuritystandards.org.  A business covered by PCI DSS that is found to violate these requirements is subject to fines and restrictions, up to and including loss of its ability to process card payments.

Preventing Identity Thieves: the Red Flags Rule

As consumers and companies are learning, no data-security plan is perfect, and breaches do occur.  For that reason, a federal regulation known as the "Red Flags Rule" requires that businesses be vigilant.  The goal of the Rule is to stop an identity thief from fraudulently acquiring goods and services by requiring businesses to recognize and respond to the "red flags" that someone is using a stolen identity.  The Rule, which derives from the Fair and Accurate Credit Transactions Act of 2003 (FACTA), requires covered businesses to implement a written Identity Theft Prevention Program.

A company is covered by the Rule if it maintains accounts that carry a "reasonably foreseeable risk of identity theft."  Such accounts include in-house credit accounts and store-branded credit card accounts.  A company is not covered simply because it accepts widely used consumer credit cards such as MasterCard, Visa and American Express.  Penalties for non-compliance with the Rule include fines of up to $3,500 per violation.

If you are covered by the Red Flags Rule, you must implement a written Identity Theft Prevention Program.  The JVC offers a Red Flags Rule Compliance Kit, sponsored by GE Money, with the templates needed to implement each required component of a Program; employee training materials are also included.
The Jewelers Vigilance Committee does not provide any form of legal advice.

Copyright © 2006 Jewelers Vigilance Committee