Impact of Identity Theft on Businesses Is Focus of Newspaper Article

(This article was provided to editors of Pennsylvania business journals as part of the statewide identity theft prevention campaign of the Pennsylvania Bar Association and more than 30 local bar associations across the state.)

Identity Theft Is Causing Big Problems For Businesses of All Sizes
By G. Clinton Kelley, Esquire

Humorous commercials now appearing on television screens across the country make the point that credit card thieves steal "identities" to buy merchandise and pocket large cash advances. These thefts are a big (and growing) problem for consumers and businesses, but, unfortunately, are just a fraction of the identity theft problem.

Identity thieves also are on the prowl for drivers' license numbers, social security numbers and medical identification numbers - all of which act as "keys" to steal identities of unwitting victims.

Whether you are a sole proprietor or part of a large corporation, identity theft needs to be on your radar screen.

Companies of all sizes are now required to take good faith measures to comply with two recently-enacted federal privacy laws and a related statute to safeguard non-public information about customers, patients, clients and employees. Failing to do so can subject businesses, as well as their executives, to massive civil and criminal penalties for non-compliance.

Of the three laws recently enacted or broadened to combat this growing problem, the Gramm-Leach-Bliley "Safeguard Rule" carries the stiffest penalties for business owners and executives. This law applies to any organization that maintains personal financial information about clients and customers. Non-public financial information (including credit card numbers and bank account information) lost under the wrong set of circumstances will subject the organization to up to $1 million in fines per occurrence, 10 years of jail for executives and removal of management. Executives also can be held personally liable for civil and criminal penalties.

The Fair and Accurate Credit Transaction Act (FACTA) applies to every business and individual who possesses or maintains consumer information for a business purpose. Lost employee or customer information exposes the business to federal and state fines of up to $2,500 per occurrence, civil liability of $1,000 per occurrence and class action lawsuits with no statutory limitation. The business also takes responsibility for the actual financial losses suffered by the victim.

The scope of the Health Insurance Portability and Accountability Act (HIPAA) was recently broadened to include any organization or individual collecting or maintaining health-related information. Such information lost under the wrong set of circumstances can result in up to $250,000 in fines per occurrence and up to 10 years in jail for executives.

Employers are now required to take steps to comply with these laws. A recommended action plan includes appointing an information security officer, developing a non-public information policy, and holding mandatory meetings with employees who come in contact with confidential information. According to a recent American Bar Association Journal, the Federal Trade Commission will act against businesses that are not safeguarding customers' confidential data. In realizing that big businesses and smaller ones will have different resources at their disposal relative to compliance, the FTC appears to be looking for assurances that reasonable steps are in place to protect confidential information. Helpful information about identity theft safeguards and reporting is included on the FTC's Web site at www.ftc.gov.

In addition to legal and financial consequences, ID theft hurts a business' long-term prospects. CIO Magazine reports that following ID theft data breaches, 20 percent of the affected customer base will no longer do business with the company, 40 percent will consider ending the business relationship, and five percent will hire a lawyer. Businesses will spend between $40,000 and $92,000 cleaning up after the data breach, and they will invest an average of 1,600 hours of employee time to help fix the problem.

Identity theft problems are far-reaching and both time-consuming and expensive to fix. Be vigilant in complying with these federal laws so that you are protecting personal information in your business' possession, and do all you can to keep identity thieves out of your business.

G. Clinton Kelley is a Pittsburgh-based attorney who counsels businesses on identity theft issues. He writes on behalf of the Pennsylvania Bar Association, which provides information about identity theft protection for individuals on its Web site at www.pabar.org.