Identity theft

State keeps shorter leash on businesses to protect you and your money

By: Hilary Parker
   They are in the Dumpsters and rummaging through recycling bins.
   They are hacking into the computer systems of multibillion-dollar global corporations.
   They are identity thieves, and they are making a fortune.
   A fortune that often brings with it heavy financial burdens for the individuals whose identities were stolen. Since Jan. 1, when the New Jersey Identity Theft Protection Act went into effect, the stealing of personal information is no longer just a personal problem.
   Now, businesses that reasonably suspect that secure information has been accessed by an unauthorized individual must step up to the plate to notify and assist any customers affected by the security breach.
   "This idea of trying to steal people’s identities through technology or out of trash cans is just an epidemic," said H. Jay Sexton, a shareholder emeritus of WithumSmith+Brown in West Windsor and chairman of the Health Affairs Committee of the New Jersey Business and Industry Association. "This legislation is an attempt to intervene, or at least reduce it."
   According to Leonard Bernstein, a partner at the Plainsboro office of Reed Smith and chair of the Consumer Financial Services Practice Group, the legislation affects any businesses that keep computerized records of individuals, such as financial institutions and medical billers. While it applies to all businesses equally, it may be harder on some than others.
   "It could be harder on the smaller companies," Mr. Bernstein said. "If it turns out that notice will be required, that administration takes time and effort."
   With similar legislation in place in more than 20 states, Mr. Bernstein explained that companies that do business in multiple states, or on the national level, now have to be prepared to respond to a mosaic of security breach laws.
   For instance, in New Jersey, any consumer has the right to bring a private cause of action against a company that did not disclose a security breach under the state Consumer Fraud Act.
   In neighboring Pennsylvania, however, enforcement is limited to the attorney general, which means businesses don’t have to face the prospect of a multitude of individual lawsuits or a large class action suit.
   "Overall, I think most businesses feel it would be better for Congress to act (on a national level), especially for many businesses that operate on a multi-state level," Mr. Bernstein said, noting that bills have been introduced and moved through committee, but have not yet been enacted.
   "This is one of the challenges that we have as lawyers, when you counsel clients that do business in multiple states," echoed Scott Vernick, the managing partner of the Philadelphia office of Fox Rothschild, which provides legal counsel to clients in the electronic payments and financial services industries. Regardless of whether it’s on the state or federal level, however, Mr. Vernick believes that legislation is necessary to quell the flood of identity thefts. Fox Rothschild’s local office is in West Windsor.
   "By and large, legislation that requires businesses to notify consumers I really think is good government," he said. "Businesses are in the best position to know when something has gone wrong. This problem is a cost of doing business in the 21st century. I think businesses say, ‘Look, it’s an increased cost of business,’ and try to turn it into a positive by assuring consumers that they’re taking positive safeguards."
   In speaking to the epidemic of identity theft, Mr. Vernick pointed to the Jan. 27 issue of "American Banker," which cited a Federal Trade Commission report that 37 percent of the more than 686,000 complaints it received last year were identity theft complaints, a 3.5-percent increase from the previous year. To help identify and avoid potential security breaches, Mr. Vernick advises clients to be vigilant in three key areas when it comes to data management.
   "One is very basic — you have to be more careful about how you transport the data," he said, noting the stories of back-up data tapes falling off truck beds or getting lost en route via airplane. Once the data makes it safely to its destination, though, companies still need to be on guard when it comes to disposing of it.
   "You can’t take thousands of computer printouts, throw them in a green trash bag and put it in a Dumpster behind the building," he continued. "Dumpster diving is a common way that people get this information."
   Finally, companies need to assess their computer system infrastructure to secure any weak points of access, particularly with respect to third-party vendors who install computer systems and might maintain access to the systems on an ongoing basis. "You have to strike the right balance about doing business and protecting your customers," he said.
   In addition to requiring businesses to notify appropriate law enforcement agencies and customers, the state Identity Theft Protection Act carries with it two other provisions. The first requires businesses to destroy personal information properly, either through shredding paper documents or erasing electronic data. The second allows individuals to place a security freeze on their credit reports, which could impact companies.
   "It could have an impact on the finance industry, because the entities use credit reports," Mr. Bernstein said, noting that any employers that use credit reports to make employment decisions could find their hiring processes slowed down if the security freeze method becomes widely used.
   From online mortgage payment information to Medicare files, identity thieves will do everything they can to obtain crucial personal information to use for their own purposes.
   And, until now, it’s been relatively easy.
   "They’ve been able to stay one step ahead of the controls and they can steal an awful lot before people become aware of it," Mr. Sexton said. With ever-increasing awareness and governmental measures including the state Identity Theft Protection Act, though, he is hopeful that the days of easy identity theft soon will be a thing of the past.
   "Certainly, public awareness can help stem the tide," he said. "If people just pay more attention and take precautions we can start making inroads to slow it down."