The recent well-publicized security breaches involving consumer data - such as ChoicePoint's disclosure to identity thieves of personal information concerning 145,000 Americans - are leading businesses to evaluate their exposure to legal claims, and to re-evaluate their business practices concerning the protection of consumer data.
There Is No Across-The-Board Standard For Data Or Computer Security
Victims Of Crime Normally Not Responsible For Criminal Acts
Normally, a company that is a victim of a crime is not responsible for losses to others. Identity theft, whether from computer hacking or otherwise, is a crime. But many believe that principle of immunity should be narrowed when the crime is foreseeable and preventable - their theory is a little like an apartment building owner being liable for attacks on his property when he knows criminals are lurking and knows how they get in to attack the tenants. Computer-using companies counter that it almost always is impossible to predict how hackers or scammers will attack, and therefore the companies should not have liability. But pleading ignorance of high-tech criminal techniques will only go so far as a defense.
Plaintiffs' Lawyers Are Employing Various Theories Of Liability
Private civil actions may create new law in the area of data security. ChoicePoint itself has been sued, following the revelations of its massive personal data disclosures, for "willful noncompliance" with the Fair Credit Reporting Act (governing disclosures of consumer reports), for invasion of privacy and misappropriation, and for violations of California consumer protection statutes. All of the claims stem from ChoicePoint's alleged negligence in failing to have proper safeguards against disclosure. ChoicePoint also has been sued for securities fraud, for failing to reveal or misstating its data vulnerabilities.
Bank of America currently is being sued by a company that alleges inadequate security allowed thieves to steal funds from the company's online account with the bank.
As data disclosures become more notorious, creative plaintiffs' counsel will find new and untested ways to challenge the custodians of the data - companies with customer information in their computers and files. Virtually every company is a custodian of data, and a potential target for liability.
California Law Imposes A Duty To Notify Persons Of Computer Security Breaches
In the meantime, as the theories of liability percolate, there is an important current California law applicable nationwide to companies holding data of California residents. Under California Civil Code § 1798.82, et seq., companies must notify California residents if personal information maintained in computerized data files has been compromised by unauthorized access. Californians must be notified when their name is obtained illegitimately from a server or database with other personal information such as their social security number, driver's license number, account number, credit or debit card number, or security code or password for accessing an account. There are specific rules on how notice must be provided.
Congress Is Considering New Laws To Deal With Data Disclosures
The United States Congress currently is considering a federal notification standard modeled on the California law just mentioned. There also are proposals for regulation of credit bureaus such as ChoicePoint. And bills are pending that would ban the sale of social security numbers, which facilitates much identity theft.
What Should A Company Do While The Law Sorts Itself Out?
In light of the patchwork of actual or potential regulations, what should companies be doing to limit their exposure to liability if personal data in their possession leaks out through others' wrongdoing? At a minimum, we recommend the following:
For further information, contact Chris Wolf, Chair of the Proskauer Privacy and Security Practice Group, 202-416-6818, firstname.lastname@example.org. Chris advises and represents clients on international, federal and state privacy and data protection laws. He is a member of the New York and Washington Electronic Crimes Task Forces established by the United States Secret Service, and is an adjunct professor of Internet and Privacy Law at the Washington & Lee School of Law.