Identity Theft Print

At the Second Annual Identity Theft Summit held in Los Angeles, over a thousand representatives of law enforcement, the financial services industry, consumer groups and state and local government participated in the effort to find solutions to the growing crime of identity theft. Speakers, including Governor Schwarzenegger and Deborah Platt Majoras, Chairman of the Federal Trade Commission, took the podium to talk about the growing business necessity to protect confidential and sensitive customer data. Their messages were clear: (1) consumer concerns about the security of their sensitive personal data and the risks of identity theft are at an all time high; and (2) businesses must take reasonable measures to protect sensitive consumer data.

The growing concerns about identity theft are understandable. Nearly 10 million people in the United States are victims of identity theft each year. In 2005, this crime cost businesses and financial institutions more than $57 billion nationwide. As the damages caused by identity theft grow, so, too, have enforcement actions. The Federal Trade Commission has brought more than a dozen security cases against household names, like Microsoft, DSW Shoe Warehouse, BJ’s Wholesale Club and Choicepoint, for failing to take reasonable steps to protect sensitive consumer information. Perhaps the most well known enforcement action involved Choicepoint. The Federal Trade Commission obtained $10 million in civil penalties – the highest civil penalty ever levied in a consumer protection case – with $5 million in consumer redress for identity theft victims and significant injunctive provisions that require Choicepoint to implement a variety of new data security measures.

Another high profile data breach involved the theft of 40 million confidential customer records from CardSystems, a credit card processor. In this case, the Office of the Comptroller of the Currency (OCC) has taken formal actions against two banking employees–barring them from banking–for violating security requirements under the Gramm-Leach-Bliley Act by emailing confidential customer information to a third party1. Another bank in Missouri is under investigation for sending confidential customer information via unencrypted network communications to a programmer. The lesson for corporate America is that reasonable security measures and safeguards must be implemented to protect sensitive consumer data.

Civil penalties and legal actions are only part of the damages that businesses can face for failing to implement reasonable security measures. Companies that suffer security breaches and the loss of consumer data also face:

  • Expensive litigation, threats of class actions and significant clean-up costs
  • Significant damage to corporate brand (estimated to range from 3% to 7% of the responsible company’s market capitalization)
  • Loss of customer and employee trust
  • Loss of shareholder value
  • Damage to personal and professional reputations