By Javad Heydary E-Commerce Times Part of the ECT News Network
03/31/05 5:00 AM PT
Although identity theft is not a new offense, the Internet has provided perpetrators with new means to misappropriate personal data. An ever-increasing number of people are using the Internet to disclose personal information, which in turn gives rise to significant risks related to identity theft and privacy breaches.
When a company or even a not-for-profit organization collects, uses and/or deals with personal information, it might be legally required to immediately notify individuals whose information it is handling if there is a security breach relating to that information.
Apart from specific local laws that might require such notification, in both the U.S. and Canada there is a trend in legal jurisprudence and industry standards towards such an obligation based on concerns over the issue of identity theft.
Choicepoint, LexisNexis
Identity theft has been a growing concern among consumers and organizations across North America. Choicepoint and LexisNexis are examples of companies that have recently been victims of stolen personal information.
Legislation in almost all jurisdictions in the U.S. and Canada generally requires companies to adopt security safeguards to protect personal information of their customers. However, recent developments might make it mandatory for some organizations, such as banks, to inform their customers when there has been a suspected case of identity theft.
Specifically, the U.S. Federal Deposit Insurance Corporation (FDIC) recently voted in favor of requiring banks to warn customers of suspected cases of identity theft.
Although the new rule has to be approved by the Federal Reserve Board, if approved, it would require banks to disclose to customers when they find out that sensitive customer information has been accessed and there is a reasonable possibility it has been misused. The notice will have to describe the incident and the measures taken to protect customers, as well as providing phone numbers for further information.
'Sensitive Customer Information'
The type of information covered by the new rule is "sensitive customer information," which is defined as a customer's name, address or phone number, in conjunction with social security or driver's license numbers, account, credit or debit card numbers, or an identification number that permits access to an account.
On the legal front, on Feb. 15, the Michigan Court of Appeals ruled that under negligence principles, unionized 911 operators who were victims of identity theft were owed a duty of care by the union that held their personal information. The union was aware that confidential member information was being removed from its premises but did not develop procedural safeguards to ensure the security of the information.
The Court determined that it was foreseeable that the information could be misused and union members would suffer harm. Accordingly, the Court concluded that a special relationship existed between the union and its members, such that the union owed its members a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information, which could easily be used to appropriate a person's identity.
Implicit in this decision is the argument that organizations collecting personal information have a legal obligation to notify clients within a reasonable time (often immediately) if there has been a privacy breach.
In Canada, a class action lawsuit was recently launched against one of Canada's leading banks, the Canadian Imperial Bank of Commerce (CIBC), over its alleged failure to safeguard its clients' personal information. In this case, after the bank was informed of the unauthorized disclosure, it allegedly failed to warn its customers that such unauthorized disclosure took place.
Customer Alerts
Although Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires such organizations to adopt security safeguards when handling personal information, there is no explicit requirement in PIPEDA that requires an organization to disclose that there has been a security breach.
This is in contrast to California, where California law requires companies to disclose to their customers when there has been a privacy breach.
The results of the Michigan decision and the CIBC case might form the foundation for the creation of a positive duty on the part of organizations to warn their customers when there has been a privacy breach. Even if such obligation does not arise out of a court decision, it is safe to say the publicity surrounding high-profile cases such as this one will reinforce the argument that an organization should notify its clients of a security breach immediately as a matter of good industry practice, if not a legal obligation.
Although both existing and proposed legislation in many jurisdictions imposes a legal duty on organizations to warn individuals when there has been a privacy breach or a suspected case of identity theft, it also makes good sense for organizations to disclose privacy breaches on public-relations grounds alone.
Breaches that are unreported and undisclosed to customers but which are known to the organization might seem to have the short-term benefit of avoiding a problem, but such breaches will likely surface in the long-term to the detriment of the organization's reputation, especially when the organization knew of the breach and chose not to disclose it.
Javad Heydary, an E-Commerce Times columnist, is a Toronto lawyer licensed to practice in both Ontario and New York and is the managing editor of Lawsof.com.