FEBRUARY 27, 2006
In today’s era it is almost impossible to be in business and not collect confidential customer information – names and addresses, telephone numbers, Social Security numbers, credit card numbers, or other account numbers. At the same time, however, identity theft has become an increasing concern. There are approximately 9.3 million identity theft victims each year resulting in about $53 billion in losses. In fact, major corporations are experiencing data security breaches of epidemic proportions. Hardly a day goes by without another news story of a data security breach exposing thousands or even millions of customers’ personal information to unauthorized third parties. Major companies involved in the recent wave of high profile data security breaches include Bank of America, ChoicePoint, DSW Inc., JetBlue Airways, LexisNexis, and Marriott. Most recently, MasterCard International revealed that databases of CardSystems, Inc., a company that services credit cards for MasterCard, Visa and other brands, had been compromised, potentially exposing information about more than 40 million cardholders.

In response to the increasing threat of data security breaches, federal and state legislatures have passed new laws requiring businesses to take steps to protect customer information. Many business owners and executives are unaware of these new laws and unprepared to bring their companies into compliance. Failure to comply, however, can be costly. Violators may be held liable for civil damages in significant and expensive class action lawsuits. Businesses also may face injunctions and significant statutory fines. ChoicePoint provides the most recent demonstration of the importance of compliance. ChoicePoint revealed last year that thieves had accessed ChoicePoint’s data management systems, potentially compromising the personal information of 145,000 individuals.
As a result, the FTC announced on January 26, 2006 that ChoicePoint will pay $15 million to settle charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. ChoicePoint also is a defendant in a number of consumer lawsuits and the subject of several additional investigations by government agencies.

The California legislature has enacted a number of statutes to protect personal information. Under Title 1.81 of the California Civil Code, “personal information” includes a first name or initial and last name in combination with any one or more of the following: (1) social security number; (2) driver's license or California Identification Card number; or (3) account number, credit or debit card number in combination with any required security code, access code, or password. Most businesses that store customer information are required to implement “reasonable security procedures and practices” to protect personal information from unauthorized access. Before sharing personal information with nonaffiliated third parties, businesses also are required to enter into contracts with
Customer Information: What You Know Can Hurt You!
Protecting Privacy in the Age of Identity Theft
is a shareholder in the Litigation Department at Stradling Yocca Carlson & Rauth. His practice concentrates in complex business litigation in Federal and State courts. Marc regularly advises clients on protecting customer privacy issues. Marc earned his law degree from New York University School of Law in New York City. Marc can be reached by phone at (949) 725-4137 or by email at firstname.lastname@example.org.