GSB Vol. 11, No. 6, Pg. 27. THE GROWING THREAT OF IDENTITY THEFT AND ITS IMPLICATIONS FOR EMPLOYERS.

• Author: by Russell A. Jones

Georgia Bar Journal

Volume 11.

GSB Vol. 11, No. 6, Pg. 27.

THE GROWING THREAT OF IDENTITY THEFT AND ITS IMPLICATIONS FOR EMPLOYERS

GSB JournalVolume 11, No. 6April 2006THE GROWING THREAT OF IDENTITY THEFT AND ITS IMPLICATIONS FOR EMPLOYERSby Russell A. JonesIdentity theft occurs when thieves gain access to and use another person's personal information such as his or her name, Social Security number, credit card or bank account number, or other identifying information to commit fraud or other crimes.(fn1) Identity thieves gain access to personal information through a variety of sources such as lost or stolen credit cards, stolen paper mail, dumpster-diving, computer spyware or hacking, e-mail scams, or by accessing customer or employee records maintained by businesses.(fn2)

Across the United States, instances of identity theft have increased dramatically over the last several years. According to the United States Federal Trade Commission (FTC), in 2005 identity theft was the nation's top consumer complaint for the sixth year in a row.(fn3) In 2005 alone, approximately 8.9 million Americans were victims of identity theft, at a cost to the economy of approximately $56.6 billion.(fn4) Because many cases of identity theft go unreported, the numbers are likely even higher.

As identity theft continues to escalate, and legislators and litigators seek ways to address it, employers in Georgia and throughout the country face ever-increasing pressures to protect the personal information they collect and maintain concerning their employees and customers. Given the current legal climate, it is imperative that employers implement and update their data protection strategies not only to comply with state and federal laws, but also to minimize the risk that their employees and customers will become victims of identity theft and to reduce company exposure to liability.

Identity Theft in the Workplace

According to a September 2002 report by TransUnion, one of the three major U.S. credit bureaus, employer records are the largest single source of identity theft.(fn5) Several high-profile examples of missing or stolen data, such as the theft of personal information concerning 145,000 consumers from Georgia-based information broker, ChoicePoint, and Iron Mountain's loss of 40 backup tapes containing data on 600,000 current and former Time Warner employees, demonstrate the vulnerability of the personal information that businesses maintain about their employees and customers.

Controlling the growing threat of identity theft presents significant challenges for employers. The vast amounts of sensitive personal information maintained by employers about their employees and customers, including demographic information, personnel files, background reports, credit histories, Social Security numbers, benefits data, direct deposit information, and payroll and tax records, can be a virtual treasure trove for identity thieves. Moreover, the trend toward electronic storage of such records can result in quick access to massive amounts of sensitive informationwith only a few keystrokes.(fn6) The results of identity theft can be devastating to employees and customers alike, given that victims spend on average 40 hours - and often thousands of dollars - cleaning up the mess thieves have made of their identity and their credit records.(fn7) In addition to draining productivity and morale at work and straining relationships with customers, identity theft can rob victims of job or educational opportunities, loans, housing, automobiles, or even subject them to arrest for crimes they did not commit.

When employees or customers become victims of identity theft, the employers ultimately may pay the price, especially if the employers' treatment of employee or customer information contributed to the problem. In 2002, for example, an employee of a California company came across a box in a storage closet at work containing personnel records of 38 former employees of the company's predecessor. Using the information from those files, the employee and her acquaintances fraudulently rented three apartments, opened 20 cellular telephone accounts and set up more than 25 credit card accounts which they used to purchase upwards of $100,000 in goods. Fourteen of the 38 victims sued the employer for negligence, claiming that the crime would never have taken place if the company had taken better care of the personnel records.(fn8) The litigation settled out of court, and media reports claim that the employer paid out a "significant six-figure amount" to resolve the claims.(fn9)

In February 2005, in a case demonstrating the courts' willingness to hold organizations liable for failing to protect personal information, the Michigan Court of Appeals upheld a $275,000 jury award against a union whose members were victimized by identity theft.(fn10) In that case, the union's treasurer took home documents containing the name, job classification, social security number, and pension information of union members, a group of 9-1-1 operators. The jury found that the treasurer's daughter had stolen the information and had used it to perpetrate identity theft against the thirteen plaintiffs. The court upheld the jury determination that the union was negligent in adequately failing to safeguard the personal information from theft by the treasurer's daughter. In support of its holding, the court noted that the union had required no protections for the documents even though the possibility of identity theft was "far too commonplace."(fn11)

Employers face similar legal risks when their customers' records are compromised by employees or third parties. For example, in July 2004, The United States District Court for the Eastern District of Pennsylvania held that an employer could be held liable for identity theft committed by one of its employees using a customer's personal information.(fn12) In Lukens, the defendant, a car dealer, hired a salesperson with a prior criminal record involving numerous forgeries and thefts by deception. The employee informed the defendant about his criminal history but, nevertheless, he was hired without further question. The day after his employment began, the employee, acting within the scope of his employment, obtained the plaintiff's credit report and used the personal information to open numerous fraudulent credit accounts in the plaintiff's name. The court denied...