Security, Identity Theft and Credit Professionals

David T.S. Fraser†

The credit industry in North America has recently found itself both in the spotlight and the legal crosshairs, primarily due to two factors: privacy laws and identity theft. Both demand increased vigilance on the part of credit grantors to protect both their customers and complete strangers from identity theft.

In March of this year, the spotlight turned to the industries that rely on or traffic in personal information. A number of high profile personal information leaks wound up on the front pages of newspapers in Canada and the United States. In the US, scammers gained access to the personal information of 310,000 individuals via a Lexis-Nexis subsidiary, Seisint.[1] One of the largest American data aggregators, ChoicePoint, was similarly scammed, leading to the disclosure of personal information on 1.2 million Americans.[2] The Bank of America lost a set of backup tapes containing sensitive credit information of thousands of US government employees.[3] In Canada, we have had similar information breaches; the highest profile being the accidental faxing of information from CIBC branches to a junkyard in West Virginia. [4] In addition, police in Alberta this past winter were shocked to discover piles of credit reports on senior provincial bureaucrats at a methamphetamine lab, leading to the finding that drug addicts are being hired by identity thieves to “dumpster dive” for such information. [5] Hand in hand with these incidents, the crime of identity theft[6] continues to increase. This species of fraud is said to be the fasted growing crime on the continent.

The result of this has been significantly increased customer awareness of industries that otherwise operated in the background. Also, lawmakers have turned their legislative agendas toward increased regulation and accountability in this area. A number of remedial bills are currently pending before the U.S. Congress while commentators have suggested that Canada’s private sector privacy laws are not up to the task of dealing with incidents such as this. A private member’s bill introduced in the Ontario legislature would require companies to notify all individuals whose information is inappropriately accessed. [7] Stronger remedies will likely be on the agenda when the Personal Information Protection and Electronic Documents Act comes up for review in Parliament next year.

Class action lawyers and the courts are not waiting for the legislators to catch up to the current situation. In April, the Michigan Court of Appeals upheld a class action lawsuit that found a trade union liable for inappropriate security of personal information after the information was used for identity theft. [8] Class action lawyers have commenced litigation against CIBC as a result of the faxing incidents[9]. The Michigan case related to actual identity theft that had occurred. The CIBC case alleges that the bank should be responsible for the increased vigilance required to protect the individuals against identity theft and for the increased likelihood that they may be subject to identity theft. It will not be long before individuals whose identities are stolen will seek recourse against the credit grantors who offered facilities to the impostors, arguing that they did not do enough to verify the identity of the person seeking credit. These plaintiffs will be seeking damages related to the cost of repairing their credit, which can run pretty steep.

What does this all mean to credit grantors? Anybody in possession of information that would be useful to commit identity theft has an obligation to protect it from being inappropriately used or otherwise compromised. This obligation is already set out in PIPEDA and the common law will likely also impose a duty of care where the risk of identity theft is foreseeable. (In the current climate, it would be difficult to argue that it is not foreseeable.)

Custodians of personal information may have a legal duty to inform individuals if their information is compromised. This obligation may be statutory if the private members bill in Ontario becomes law, or may be imposed by the courts if a duty of care and a standard of care in negligence is established. Individuals whose information is compromised should be given the opportunity to keep a watch on their credit reports. If they are not informed of the situation, they will have no such warning.

Finally, credit grantors have to be even more vigilant in establishing the identities of those to whom they extend credit. This is not only to protect against credit losses, but to reduce the likelihood that your company will be the subject of privacy complaints and litigation. In this effort, privacy laws pull credit grantors in two different directions. On one hand, grantors should clearly establish the identity of any applicant. On the other hand, they can only require information that is reasonably necessary for the articulated purpose. To satisfy both, credit grantors should establish clear and reasonable policies related to how they will verify identity. Requiring two pieces of government issued identification, with at least one or both containing the applicant’s current address and photo would appear to be reasonable. The adoption of privacy best practices, including greater security and identify verification, can decrease the legal and credit risk faced by credit grantors. The courts and the legislators see that custodians of sensitive information are part of the problem. Being part of the solution makes business sense as well.