16.08.2010
Identity theft
51.4 In the US, concerns about identity theft and identity fraud have been the main issues driving the development of data breach notification laws.[2] As discussed in Chapter 12, identity theft is a subset of the broad concept of ‘identity crime’ and is used to describe the illicit assumption of a pre-existing identity of a living or deceased person, or of an artificial legal entity such as a corporation.[3] A stolen identity can be used to commit ‘identity fraud’, which is where a fabricated, manipulated or stolen identity is used to gain a benefit or avoid an obligation. An example of identity fraud is using a stolen identity to make fraudulent purchases or steal money from a victim (known as ‘account takeover’).[4] Another example of identity fraud is where a criminal uses personal information about an identity theft victim to open new accounts in the name of the victim (sometimes called ‘true name fraud’).[5]
51.5 With advances in technology, agencies and organisations are storing vast amounts of identifying information electronically.[6] Any breach of the secure storage of this information can result in the release of personal, identifying information of an individual. That personal information may be sufficient to allow an unauthorised person to assume the identity of the victim and use that illicit identity to open, for example, new accounts in the victim’s name.
51.6 For these reasons, a security breach, resulting in unauthorised ‘leaks’ or acquisitions of information, is thought to contribute to the risk of identity theft, and the consequent risks of identity fraud.[7] By requiring notice to persons who may be affected adversely by a breach, data breach notification laws ‘seek to provide such persons with a warning that their personal information has been compromised and an opportunity to take steps to protect themselves against the consequences of identity theft’.[8] As one commentator explains:
Identity theft and identity fraud have emerged as serious crimes for consumers, citizens and business … Given the peculiar nature of this type of theft—namely, that it can be perpetrated by accessing information stored in places uncontrolled by the victim and in places of which the victim is often unaware—legislators have passed or are considering passing laws which require that the consumer be notified in the event of a data breach.[9]
51.7 Data breach notification laws are, therefore, based on the recognition that ‘individuals need to know when their personal information has been put at risk in order to mitigate potential identity fraud damages’.[10]
Lack of market incentives for notification
51.8 Some commentators suggest that the obligation to notify individuals of a data breach needs to be mandated legally because the market, by itself, may not provide sufficient incentives for organisations to take measures to notify individuals affected by the breach.[11] In particular, an organisation may not have an incentive to notify individuals affected by a security breach when the cost of the notification exceeds the expected damage to the organisation.[12]
51.9 The cost of notification does not just include the actual cost involved in notifying every individual affected by a security breach, although that, by itself, can be very expensive. Notifying customers of a security breach also gives rise to a real potential for market damage to the organisation, including reputational damage, lost customers and lost future profits. Notification also can expose an organisation to civil penalties from regulators and costly private litigation proceedings by individuals affected. If the organisation has a high profile or the security breach is large, notification also can result in negative publicity in the media. In these circumstances, an organisation may avoid reporting a security breach if it is not legally required to do so, as the cost to the organisation of notifying individuals significantly outweighs the costs caused by the actual breach. For these reasons, it has been observed that, in the absence of a legal requirement to notify, market forces may ‘undersupply notification’.[13]
Incentives to secure data
51.10 Given the reputational damage that can flow from having to disclose a security breach, it has been suggested that the existence of a data breach notification law provides commercial incentives for organisations to take adequate steps in the first place to secure data.[14] The purpose of the Delaware data breach notification legislation, for example, is to ‘help ensure that personal information about Delaware residents is protected by encouraging data brokers to provide reasonable security for personal information’.[15] This is an important effect of data breach notification, particularly as organisations in the US may not be subject to data security obligations such as those in the Privacy Act.[16]
Increasing number of data breaches
51.11 The rapid growth in data breach notification laws in the US in the past few years is said to be a direct response to a series of high profile, well-publicised data breaches.[17] One of the most notorious data breaches was the disclosure by ChoicePoint, a large identification and credential verification organisation, of sensitive information it had collected on 145,000 individuals.
51.12 The Privacy Rights Clearinghouse maintains a Chronology of Data Breaches, which lists all breaches reported in the US that expose individuals to identity theft or breaches that qualify for disclosure under state laws. As at 28 April 2008, the total number of records containing sensitive personal information involved in security breaches was 226 million.[18] It also is important to note that not all data breach incidents have involved electronic records. For example, in Florida, the medical records of 27 hospital patients were discovered being used as scrap paper in a Utah primary school classroom.[19] Security breaches, therefore, are a concern in the US community.
51.13 There also have been high profile data breaches in the United Kingdom (UK). In 2007, the UK Government’s HM Revenue and Customs department, which is responsible for collecting tax revenue as well as paying tax credits and child benefits, lost two CDs containing confidential information—including the dates of birth, addresses, bank accounts and national insurance numbers—of over 25 million child benefit recipients. The entire child benefit database was sent by a junior official from a regional office to the National Audit Office in London via courier and without a registration or a tracking number.[20] Following the breach, the UK Government made a commitment to amend the Data Protection Act 1998 (UK) to allow the Information Commissioner to carry out inspections of organisations that collect and use personal information and provide new sanctions for breaches of the data protection principles.[21]
[2] See Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1. Ch 12 discusses identity theft—and the related concepts of ‘identity crime’ and ‘identity fraud’—in more detail.
[3] Australasian Centre for Policing Research and Australian Transaction Reports and Analysis Centre Proof of Identity Steering Committee, Standardisation of Definitions of Identity Crime Terms: A Step Towards Consistency (2006), 15.
[4] See M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 2.
[5] See Ibid, 2.
[6] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1.
[7] See M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute; Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007).
[8] T Smedinghoff, Security Breach Notification—Adapting to the Regulatory Framework (2005) Baker & McKenzie <www.bakernet.com/ecommerce> at 31 July 2007, 1–2. See also M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 11; Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1–2.
[9] M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 2.
[10] Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 2.
[11] M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 11–12.
[12] Ibid, 12.
[13] Ibid, 13.
[14] B Arnold, ‘Losing It: Corporate Reporting on Data Theft’ (2007) 3 Privacy Law Bulletin 101, 102. See also T Smedinghoff, The New Law of Information Security: What Companies Need to Do Now (2005) Baker & McKenzie <www.bakernet.com/ecommerce> at 31 July 2007; Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 22.
[15]Delaware Code , Synopsis. Similar comments are made in Arkansas Code § 4-110-102.
[16] Some of the data breach notification laws, however, also require regulated entities to implement and maintain reasonable security procedures and practices: see, eg, Arkansas Code § 4-110-104.
[17] See Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007), 1–2. See also T Smedinghoff, Security Breach Notification—Adapting to the Regulatory Framework (2005) Baker & McKenzie <www.bakernet.com/ecommerce> at 31 July 2007, 1.
[18] Privacy Rights Clearinghouse, A Chronology of Data Breaches—Updated to 28 April 2008 <www.privacyrights.org/ar/ChronDataBreaches.htm> at 29 April 2008.
[19] A Falk ‘Health Files are Sold as Scrap Paper to Utah’ Deseret Morning News (online), 10 March 2008, <www.deseretnews.com/article/1,5143,695260327,00.html>. The need for security and destruction requirements to extend to hard copies of documents is discussed in Ch 28.
[20] P Wintour, ‘Lost in the Post—25 Million at Risk after Data Discs go Missing’, The Guardian (online) 21 November 2007, <www.guardian.co.uk>.
[21] United Kingdom Information Commissioner’s Office, ‘Information Commissioner Welcomes Government’s Commitment to Strengthen the Powers of the ICO’ (Press Release, 17 December 2007).