The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, April 14, 2005

Forbes.com: Are Companies Liable For ID Data Theft? 

In the aftermath of the most recent incident involving Polo Ralph Lauren, Forbes Magazine is asking whether companies should be held liable for identity theft if their lax security is to blame.

Forbes.com: Are Companies Liable For ID Data Theft?:

"...

"A case could be made that [companies whose data is stolen] do have a responsibility," says Anita L. Allen, Henry R. Silverman professor of law at the University of Pennsylvania School of Law. Publicizing private facts about people is a tort, she says, and companies can be held liable even if the victim hasn't suffered a monetary loss. "If they recklessly failed to protect the information, that might be seen by a jury or judge as highly offensive conduct," she says.

...

Insecure databases of online retailers and information brokers are fueling the problem, providing huge batches of potential identities to steal. So consumers are increasingly asking that businesses be held responsible for securing the personal information they maintain.

In the wake of its security breach, ChoicePoint offered one year's worth of free credit monitoring to the consumers affected. But attorney Peter A. Binkow says consumers deserve more, even though most have not yet been the victim of fraud.

"While that might be a step in the right direction, our belief is that [ChoicePoint's offer] is not enough," he says. One year "is not enough time to see if someone has misused their information."

Binkow's firm, Glancy, Binkow & Goldberg, has filed a class-action suit against ChoicePoint on behalf of consumers who had their information exposed, and he plans to ask for an extension of the one-year monitoring, as well as for the establishment of a system to help consumers who do get hit by fraud. They may also seek monetary damages.

ChoicePoint became aware of the problem when Eileen Goldberg, the mother of one of the company's partners, received a letter from ChoicePoint saying that her personal information had been exposed. She didn't know what to do and took it to her son.

Binkow says ChoicePoint needs to take responsibility for the consumers who don't have those sorts of resources and will likely be confused about how to protect themselves. "I'm an attorney, and I'm fairly confused by this stuff," says Binkow. "If I found out my identity had been stolen, I wouldn't know where to start."

It's unlikely that a court would award monetary damages, unless a judge or jury wanted to make an example of the offending company, according to attorney Allen. But a court might well order remedies like added security precautions or help with credit monitoring.

Unlike ChoicePoint, retail businesses like DSW and Ralph Lauren Polo don't trade in sensitive information like Social Security numbers. But they still might be held responsible for exposing credit-card numbers, particularly if the breach occurred because of poorly implemented or maintained security technology.

Companies are free to establish their own privacy and security policies (most if not all online businesses, including Forbes.com, state their privacy policies online), but all are mandated by the U.S. Federal Trade Commission to follow their stated policies. If they do not, says Allen, they could be charged with fair trade violations. Beyond that, a court might force a company to pay damages if it's clear it didn't do everything it could to protect its customers.

"If some company is extremely negligent in the way they handle data, they could be liable for damages," says Allen. "Any business that exists online has to worry about this.""

Labels: , , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs