MDD

October 2010

The Pitfalls and Legal Implications of Identity Theft and Data Breach

David Speciale, J.D., CITRMS, Identity Theft 911 LLC

Every three seconds, a new victim falls prey to the fastest-growing white-collar crime in the country. In 2009 this crime had eleven million victims [i], nearly five percent of the U.S. population, and it topped the list of consumer complaints to the Federal Trade Commission for the tenth consecutive year [ii]. The crime does not only affect individuals; it also hurts companies, costing them millions of dollars every year.

The crime is identity theft, and yes, everyone can fall prey to it.

When someone steals non-public personal information, such as a name, address, credit card number or Social Security number, and uses it to assume another person's identity, they can then commit fraud under that identity or obtain goods and services on credit that will never be repaid. In the U.S., total annual fraud costs rose 12.5 percent last year to $54 billion [iii], three times the $17.2 billion in total losses for all property crimes.

Identity theft goes hand-in-hand with data breach: the release of protected information to an outside environment. Breaches happen for many reasons, such as employee negligence, a malicious act, or the simple loss of a computer holding unencrypted information. However they happen, breaches have serious and expensive consequences for the businesses involved. The average total per-incident cost of a data breach in 2009 was $6.75 million [iv], a 49 percent increase over the previous five years.

The cost is not only financial. From 2005 to 2010, nearly 350 million records were exposed, and statistics show that a significant percentage of affected consumers stop doing business with the company that suffered the breach; many retain lawyers.

Clearly it is not only the person whose information has been compromised who suffers. The company that extended the credit, and often supplied goods or services in exchange for a delayed payment that will never come, is hurt in many ways.

Recent Data Breaches in the News

A fraudster can do a lot of damage with just a Social Security number and a name. In these recent instances, much more than that fell into the wrong hands.

  • In early 2010, the Massachusetts Secretary of State's office accidentally released the Social Security numbers, dates and locations of birth, height, weight, hair and eye color of 139,000 investment advisers registered with the state. The data was mistakenly sent to an investment industry publication that had requested a list of registered investment companies, which is public information, from the Securities Division.
  • This spring, a hacker in India breached the databases of Digital River Inc, a Minnesota-based e-commerce company, compromising 200,000 customer records. To make matters worse, an American teenager somehow got his hands on the data and attempted to sell it to a Colorado marketing firm for $500,000. According to news reports, Digital River suspects that a contractor working for the company aided in the theft.
  • Last year, an organized crime ring targeted a high-volume Arco gas station in Redondo Beach, CA. The ring assigned a low-level member to infiltrate the business and waited eight months while he worked his way into a position that let him plant a card-skimming device, which captured customers' credit card data. More than 1,000 customers were affected.

Data breaches happen in a variety of ways, some intentional, some accidental. Regardless of how each of these incidents occurred, the organizations whose data was taken are responsible for cleaning up the mess. In 2009, U.S. companies spent $204 per compromised customer record, covering damage assessment, legal and administrative services, customer notification, media relations, forensic assistance, lost business, and resolution services such as customer hotlines and credit-monitoring subscriptions. Notification alone was estimated at $15 per record, and the cost of lost business at $135 per record [v].

Legislation

In the event of a data breach, a company is answerable not only to its customers but also, increasingly, to the government. Federal regulations, as well as laws in 47 states, the District of Columbia, Puerto Rico, the Virgin Islands and New York City (the only municipality with its own rule), require that individuals be notified when their confidential or personal data has been lost, stolen, or compromised.

Some legislation also allows for fines, mandated management changes and even prison sentences. Additional state and federal laws are being drafted and will be enacted in the near future, and some states, such as Massachusetts and Nevada, have already established particularly stringent rules. In Massachusetts, for example, protection is not limited to unencrypted electronic data; it extends to a much broader range of material, including physical records such as written, film and paper documents. And it is not just companies based in the Commonwealth that must comply; the regulations reach any company that holds personal information about a Massachusetts resident, wherever that company operates.

As the legislation expands, so does enforcement. Attorneys general in several states are investigating breached companies more closely, looking for signs of negligence, and have imposed harsh consequences on companies in their jurisdictions, including hefty fines and mandatory audits lasting as long as 10 or 20 years.

For the most part, existing legislation calls for companies to have a written plan in place to prevent data breaches and identity theft. These regulations do not demand a perfect plan or a perfect record; they require a reasonable approach to safeguarding non-public personal information.

Current Regulations

While this information is not intended as legal advice, current regulations that can directly affect organizations or service providers are as follows:

The Fair and Accurate Credit Transactions Act (FACT Act) of 2003 and its Identity Theft Red Flags provisions pertain to businesses and individuals that collect consumer information, chiefly credit-related data, in the course of doing business. The Red Flags Rule requires financial institutions and creditors that maintain "covered accounts" (consumer credit accounts and other accounts with a foreseeable risk of identity theft) to have a written program for identifying, detecting and responding to the warning signs of fraud and identity theft. The rule took effect on 11/1/08; the FTC repeatedly delayed enforcement against the non-financial creditors under its jurisdiction, most recently to 12/31/10. Lost consumer information can mean federal and state fines and civil liability.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the HIPAA Breach Notification Rule apply to any company or individual that holds or collects protected health information. Lost or stolen medical information may result in fines and/or imprisonment.

The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to safeguard their customers' financial information, maintain a written information security program, and train the employees who have access to customer information. Information that is lost or stolen may result in fines, imprisonment and removal of management.

The Federal Trade Commission (FTC) has stepped up its enforcement of how businesses approach privacy, handle confidential consumer data and deal with identity theft, and it has its own general enforcement powers over data protection. Its ability to bring an enforcement action under Section 5 of the FTC Act for even a hint of a privacy violation, which the FTC treats as an "unfair or deceptive act or practice in or affecting commerce," can easily lead a company into seven or eight figures' worth of legal and compliance costs.

Conclusion

When it comes to identity theft and data breach, no company, however careful or thorough, is exempt from risk. These days, it is not a question of if, but of when. A single data breach can cost an organization big money and have serious long-term effects.

About the Author

David Speciale, J.D., CITRMS (Certified Identity Theft Risk Management Specialist), is director of business development at Identity Theft 911 LLC, a leader in identity theft and data breach management, remediation and resolution services. David has held senior management positions throughout the United States with Allstate Insurance Company. While with AIG as vice president for South East Asia, he lived in Japan for 10 years. Upon his return to the U.S. with AIG, his responsibilities included international operations. David has written and lectured extensively on identity theft and data security. Identity Theft 911 maintains offices in Providence, R.I., and a fraud resolution call center in Scottsdale, AZ.

[i] Danielle Miceli and Rachel Kim, "The 2010 Identity Fraud Survey Report," Javelin Strategy & Research, February 2010, p. 5.
[ii] Federal Trade Commission.
[iii] "The 2010 Identity Fraud Survey Report," Javelin Strategy & Research, https://www.javelinstrategy.com/news/831/92/Javelin-Study-Finds-Identity-Fraud-Reached-New-High-in-2009-but-Consumers-are-Fighting-Back/d,pressRoomDetail
[iv] "The Fifth Annual U.S. Cost of Data Breach," The Ponemon Institute, January 2010, p. 14.
[v] "The Fifth Annual U.S. Cost of Data Breach," The Ponemon Institute, January 2010, p. 15.