Identity theft is one of the fastest growing white-collar crimes in America. It is one of the few crimes where individual victims not only must prove that they have been harmed, but are also responsible for reclaiming their stolen identity.
Businesses can also be the victims of identity theft, and like individuals, businesses can take steps ahead of time to prevent identity theft, including taking risk management steps that can reduce their exposure to liability related to identity theft, and obtaining coverages that can properly insure for losses related to identity theft.
A THIEF IN EVERY DUMPSTER
Nearly every day, there is a news article relating to identity theft. For the past five years, identity theft has reportedly been the No. 1 consumer complaint reported to the Federal Trade Commission. According to the "2005 Identity Fraud Survey Report" conducted by Javelin Strategy & Research, 9.3 million adult Americans were victims of identity theft in 2004. Each victim spent an average of $750 and 28 hours to resolve issues related to identity theft, causing a total of approximately $52.6 billion in damages.
The federal government has passed various laws and taken other action in the last few years to stem the rising tide of identity-theft losses. In October 1998, Congress enacted the Identity Theft and Assumption Deterrence Act that makes identity theft a federal crime. Several states passed similar legislation in an effort to reduce the impact of this crime.
High-profile computer-database breaches and identity theft from seemingly secure large U.S. companies that hold personal data created interest in such preventive solutions but also indicate that information protection is difficult at best.
Recently, Time Warner Inc. revealed that backup tapes containing personal information on more than 600,000 current and former employees were lost and that the data on the tapes was not encrypted. It is unclear whether this loss will lead to liability for Time Warner.
But identity theft is not just a problem for individuals and large companies. Every business, regardless of size, that collects and stores personal information on its customers and its employees has potential liability related to identity theft and data loss. For instance, California recently passed a law that requires any company doing business in the state to disclose the loss of personal information. Beyond being required to protect personal information, businesses may be exposed to lawsuits alleging liability for losses related to the failure to protect such information.
Surprisingly, it's more likely for an employee to steal a colleague's information at the work site than it is for a customer to have her information snatched. The FTC found that in cases of business-record theft, 90 percent of cases pertain to employee information, versus 10 percent for consumer information. Additionally, a 2002 study by the credit information provider TransUnion found that the top cause of identity fraud is the theft of information by employees; it outranked the theft of credit cards, purses and other personal items.
IDENTIFYING THE RIGHT INSURANCE
Many insurers in the United States, and more recently in the U.K., now offer identity-fraud protection to individuals and corporations, as well as to the corporation's employees. The insurance protection for identity-fraud victims can cover, among other things, the costs of clearing the victims' name, correction of their financial records and reimbursement for certain types of expenses that they may incur while trying to fix their credit (e.g., attorney's fees, lost wages, long-distance phone calls to clear up credit fraud, certified mail postage and notary fees, and even costs related to wrongful incarceration resulting from the identity theft).
Given the time and money it can take for victims to resolve identity-theft issues, it can become a personnel problem for businesses that translates into lost revenue. Businesses also face significant exposure to liability from identity theft, including liability for third-party claims, which can be covered with the appropriate insurance.
The risk of third-party claims against companies related to identity theft and lost data are being addressed in the insurance industry. These claims can arise from damage caused by e-business activities, such as when an employee who uses the interconnectivity between the company and another party steals the other party's data. It can also occur during performance of professional services, such as when a company designs a computer-related network with flawed security attributes.
Although older, general commercial liability policies arguably covered most, if not all, of the third-party data risks for businesses, which is not necessarily the case with newer, general commercial liability policies.
Newer policies have modified versions of the definition of "property damage," which expressly state that for purposes of the definition, "data" is not "tangible property," thereby limiting coverage for third-party liability claims involving lost or stolen data.
Businesses should consider buying insurance that expressly covers the risk of third-party liability for stolen data. If businesses perform any professional services to others or are media companies, they should also consider buying some type of errors and omissions insurance that covers data theft. Another important risk transfer/financing strategy for such risk is to address it in indemnity and insurance provisions in contracts.
Given society's increasing use of and reliance on computers and other devices that use data to operate, as well as the increasing use of the Internet, the liability risks arising out of lost or stolen data for businesses will only grow in relevance.
These new risks require businesses to actively consider risk management and insurance strategies. While general commercial liability insurance and other insurance products may cover a business against lawsuits for failure to properly protect personal information, risk management is the key to avoiding liability. It is critical that businesses focus on taking steps to protect customer and employee personal information.
SCOTT CASHER is a senior associate in the New York and Stamford, Conn., offices of the national law firm of Edwards & Angell. He concentrates his practice in commercial litigation and insurance/reinsurance disputes.
December 1, 2005
Copyright 2005© LRP Publications