Much of the legislation that has been put in place has helped address the safety of information in key market areas, but legislation can be criticized on two opposite fronts. In some instances, legislation is crafted to only address narrow circumstances, while in other cases legislation can lack the clarity or enforcement mechanisms that actually compel a company to shred its documents or to destroy its hard drives.
But the anything-goes nature of the civil legal system casts a wider net that can catch the attention of corporate executives much more quickly than legislation that may or may not be interpreted or enforced in ways that prompt a reaction.
THE WATERSHED
2005 may be considered a watershed year in terms of identity theft receiving national attention from both the public and the legal system.
In February of this year, the security breaches at information broker ChoicePoint LLC and at Bank of America made headlines, followed by a large-scale private information breach at retailer DSW Shoe Warehouse announced in March and the disclosure in May that personnel records for Time-Warner employees were possibly lost en route to a storage facility.
Gone with the Wind
An investigation into how personal health records ended up being strewn across the streets of downtown Toronto on Oct. 1 as a backdrop for a film production has resulted in a ruling by Information and Privacy Commissioner Ann Cavoukian that both a Toronto X-ray/ultrasound clinic and Paper Disposal Co., a company that provides shredding and recycling services, had breached Ontario’s Personal Health Information Protection Act.
"The Order I released today – the first under the new Act – should be carefully reviewed by every health information custodian and paper disposal company in Ontario. Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated," Cavoukian said.
In her Order, Commissioner Cavoukian said that the personal health records were collected by a paper disposal company that engaged in both shredding and recycling activities. A portion of the personal health records picked up from the clinic were mistakenly believed to be intended for recycling. The records were subcontracted to another recycling company, which later sold them – intact – to the film company for use on its set. The Commissioner found the following:
The Commissioner also found that the paper disposal company’s action in forwarding the records to a recycling facility instead of shredding them, while caused by a mistaken belief that the records were intended for recycling, contravened the Act.
Commissioner Cavoukian ordered the clinic to review its information practices to ensure that the location of all personal health information within its custody or control is documented, and that this personal health information is adequately secured. The Commissioner ordered the clinic to put into place a written contractual agreement with any agent it retains to dispose of personal health information. The agreement must set out the obligation for secure disposal and require the agent to provide written confirmation once secure disposal has been carried out.
"Secure disposal," the Commissioner said in her Order, "must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further, steps must be taken to ensure that no unauthorized person will have access to the personal health information between the time the records leave the health information custodian’s custody until their actual destruction."
Similarly, the paper disposal company, which fell under PHIPA because it functioned as an agent, having been given personal health information directly by a health information custodian, was ordered by the Commissioner to put into place a written agreement that includes the requirement for the disposal company to engage in secure shredding and provide an attestation confirming destruction of records. Among other requirements, the Commissioner also ordered the paper disposal company to put procedures into place that will prevent paper designated for shredding from being mixed together with paper that is intended to be disposed of via recycling.
This Order will establish the practice to be followed by all health information custodians and their agents in Ontario, with respect to the Commissioner’s expectations for the secure disposal of health information records under Ontario’s new Health Information Privacy law.
The series of events caused not just elected officials and journalists to take notice, but also trial lawyers. It became clearer that identity theft was not a victimless crime, and that individuals were harmed financially, emotionally and via lost time and opportunities as they struggled to clear their names with the lending and credit industries.
Civil lawsuits are most attractive to attorneys when deep pockets can be accessed, and clearly some of the most noteworthy collectors and handlers of paper and electronic private financial information are multi-billion dollar lenders and retailers.
Whether subsequent lawsuits come in the form of a large class-action case or the one-by-one filings of individuals, companies who let personal information get into the wrong hands are facing expensive legal fees.
In the case of ChoicePoint, the company is now—much like an individual victim of identity theft—spending time, energy and opportunity costs to repair the damage stemming from its information breach.
In the financial quarter following the information breach at ChoicePoint, the company deducted $6 million, or 4 cents per share, from its earnings to cover its legal expenses and related fees to address the breach. And this was not a one-time charge, as the company subtracted another $4 million, or 3 cents per share, the following quarter.
For ChoicePoint, these can be considered "upfront" expenses that do not necessarily address the variety of class action lawsuits that have been filed not only on behalf of those whose information was leaked, but also by shareholders who allegedly suffered from the timing and nature of media statements made by ChoicePoint executives when the breach was announced.
Clearly, for those in the information protection and destruction business, the example of ChoicePoint serves as a case study in how a corporation’s bottom line can suffer if it allows other people’s private information to get into the wrong hands.
BANKING ON TROUBLE
With even deeper pockets than ChoicePoint, Bank of America is also finding itself fending off lawsuits stemming from its information breach, such as one filed in New Jersey in June.
The case was filed as an individual suit with the intention of seeking class action status. "Bank of America has a fiduciary responsibility to protect clients’ confidential personal and account information and could have taken some reasonable steps to prevent these thefts," said Arthur Penn, a litigation attorney at the New Jersey law firm of Pellettieri, Rabstein & Altman, in a press release accompanying the filing.
The logic can apply to any company—large or small, lender or retailer—that finds its information in the wrong hands. "This is more than a story about the massive theft of customers’ personal financial data," added John Keefe Jr., a litigation attorney at the firm of Lynch Keefe Bartels. "This is also a story about the massive failure of the bank, or banks, to take reasonable actions to protect their customers’ personal financial information from identity theft."
Clearly, while criminals may play the active role in ferreting out and misusing personal information, attorneys are going after the deep pockets by portraying companies as negligent if they do not properly protect and destroy their confidential information.
For marketers of shredding services, the selling of such civil liability pitfalls should provide a useful sales tool.
WARNING SIGNALS
The 2005 information leaks and subsequent lawsuits provide the ideal conditions for a major increase in corporate attention to the destruction of files, discarded paper and hard drives and storage media.
But media attention can be fleeting, and corporations not involved in the 2005 incidents could easily take the "it’s somebody else’s problem" approach.
But trade groups and individual information destruction companies are taking steps to ensure that their current and potential corporate customers are fully aware of the liability traps.
The National Association for Information Destruction (NAID) communicates to its members that most businesses in America maintain records that are potential targets for identity thieves—and thus they are potential customers for shredding firms.
"Every business is entrusted with information that must be kept private," NAID notes as the first of eight major points in the "Interesting Facts" portion of its Web site. "Employees and customers have the legal right to have this data protected," NAID states. "Any establishment that discards private and proprietary data without the benefit of destruction exposes itself to the risk of criminal and civil prosecution, as well as the costly loss of business."
Records management association ARMA International also stresses the need to reduce litigation risks. "Information is one of the most vital, strategic assets any organization possesses," the group’s Web site reads. "The ability to identify, organize, maintain and access needed information and properly dispose of the rest pays off in cost savings, efficiency, regulatory compliance and reduced litigation risk."
Some shredding and electronic media destruction company owners are already convinced that the civil litigation risk in particular may soon garner the attention of corporate CEOs and their legal counsel.
Angie Singer Keating, a co-owner of electronics recycling and information protection firm Reclamere Inc., Tyrone, Pa., says civil litigation will only increase as a factor. "Plaintiffs’ attorneys can be merciless," she notes. "If people want punitive damages for their medical or financial information getting out, that can be a real motivator."
While the legal system may have its critics, secure shredding firms are benefiting from the fear it is instilling in corporate board rooms.
The author is editor of Secure Destruction Business and can be contacted at btaylor@gie.net.
Explore the December 2005 Issue