The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

Monday, December 05, 2005

Don't be liable for identity theft 

[A slightly edited version of the article below was just published in the December 2005 edition of Business Voice.]

Identity theft, we are told, is one of the fastest growing crimes in North America, claiming thousands of new victims every year. This crime most often involves using the personal information of unsuspecting victims to obtain goods and services, including credit, in the names of those victims. How the fraudsters obtain personal information varies and, unfortunately, their ingenuity apparently knows no bounds. Identity theft is obviously a problem for its victims but it also presents significant legal risk to businesses.

Every business in Atlantic Canada that handles customer information is subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Among its many requirements, PIPEDA requires every business to implement safeguards to protect personal information against inappropriate use and disclosure. The form of safeguards depends upon the sensitivity of the information. If the misuse of the information could lead to fraud or identity theft, the safeguards must be appropriately robust.

Unfortunately, businesses are often the weak link in the data protection chain, jeopardizing their customers and their own business reputations. In the first half of this year, the media reported on a series of incidents that resulted in the disclosure or theft of personal information of almost two million Americans. We are not immune here in Canada: some may recall the attention given to the accidental faxing of the personal information of thousands of bank customers to a junkyard in the United States. More shocking was the discovery made by police in Alberta this past winter: piles of extremely sensitive information, including credit reports, on senior provincial public servants were found in a methamphetamine lab. Further investigations showed that drug addicts are being hired by identity thieves to steal personal information by a number of means, including “dumpster diving” in the trash receptacles and recycling bins of businesses. It would be foolish to assume that this does not occur in Atlantic Canada.

Businesses that do not adequately lock up personal information can find themselves legally and financially liable to the victims of identity theft and other forms of fraud. In April of this year, a number of identity theft victims in Michigan successfully sued a trade union because it allowed information of its members to be misused. The high-profile misdirected fax incidents spawned a class-action lawsuit in Ontario, alleging that the bank involved should have to pay compensation for the increased risk of identity theft, plus the actual cost of more vigilant credit monitoring. These lawsuits relate to inappropriate safeguards, but it will not be long before individuals whose identities are stolen will seek recourse against credit grantors and others who offered facilities to the impostors, arguing they did not do enough to verify the identity of the person seeking credit. These plaintiffs will be seeking damages related to the costs of repairing their credit and, perhaps, opportunities they have lost due to an unfavourable credit rating. PIPEDA, to which all Atlantic Canadian businesses are subject, allows individuals to seek damages in the Federal Court for any harm they might have suffered, including any embarrassment that might have been caused by a leak of personal information.

So what does all this mean to businesses? Anybody in possession of personal information that would be useful to commit identity theft or the disclosure of which might be embarrassing to the individual has an obligation to protect that information against all risks. This obligation is already set out in PIPEDA and the common law will likely also impose a duty of care where the risk of identity theft is foreseeable. (In the current climate, it would be difficult to argue that identity theft is not foreseeable.)

Business owners also need to be very careful to supervise employees. Significant portions of fraud committed can be traced to dishonest employees who misuse the information they have access to or even participate in activities such as “card skimming”, where information is taken from credit cards and debit cards. All employers need to be aware that the courts will generally hold them legally and financially responsible for the misdeeds of their employees.

Credit grantors in particular have to be even more vigilant in establishing the identities of those to whom they extend credit. This will not only protect against credit losses, but will reduce the likelihood that your company will be the subject of privacy complaints and litigation. In this effort, privacy laws unfortunately pull businesses in two different directions. On one hand, credit grantors should clearly establish the identity of an applicant. On the other hand, the law says that they can only collect information that is reasonably necessary in the circumstances. To satisfy both, businesses need to establish reasonable policies and practices on how identity will be confirmed and how that information will be subsequently used. Doing so simply makes business sense in this legal climate.

While legal liability may appear remote to many businesses, a single incident can destroy the business reputation that you have worked years to develop. Surveys have shown that customers are increasingly concerned about their personal information and are making buying decisions based upon which businesses they trust. If word gets out that your business is not doing what is necessary to protect customer information, it can be shunned by consumers, with dramatic effect on your bottom line.

Tips for Protecting Information

  • Only collect the minimum amount of information that is necessary for carrying on your business. The more information you have, the greater the likelihood of loss and the consequences such as fraud.
  • Information that is no longer required must be securely disposed of. This involves shredding all paper that contains personal information and making sure that all hard drives of surplus computers are completely wiped clean of data.
  • Carefully screen all employees who will have access to personal information.
  • Carefully restrict employee access to personal information, on a need-to-know basis.
  • Carefully vet all service providers, such as cleaning companies and data processors, and require them to sign non-disclosure agreements and indemnities in case they misuse personal information or allow its disclosure.

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.