The personal information of 26 million veterans is still at risk thanks to poor security procedures at the Veterans Administration. Unfortunately those veterans and other potential victims of identity theft have little recourse against inept handlers of private information, who despite being in the best position to stop identity theft have little incentive to improve protections. Elected officials, state and federal, should update current identity theft laws to make handlers of private information more responsible and more liable.
While the average bank robber steals $2,500 per heist, the average identity thief makes off with $20,000 to $30,000 per victim, and the problem is growing. Just consider the headlines. Last year Berkeley revealed the Social Security numbers of more than 98,000 students, alumni and past applicants were stolen when thieves snatched the laptop where the info was stored. In Ohio, a national tax company thought it was a good idea to toss thousands of customer’s tax returns into a dumpster. And in New York City, rental giant Blockbuster video took irresponsibility to new levels when they closed a store and dumped boxes of customer information — including Social Security numbers and birthdates — on a sidewalk. So long as the holders of private information can recklessly handle this information without fear of repercussions identity theft will continue at its current rate of 13 persons every minute. Legislators have tried to solve the problem, but their efforts, focusing mostly on penalties for thieves, are consistently misplaced. Penalties are important but form only one part of a solution. To fully address the problem, elected officials must put responsibility and liability squarely in the hands of the guardians of private information.
How? First, legislators must establish clear guidelines to protect people’s information. For example, in California, immediate notification in the case of disclosure is the law. Other provisions require companies to render sensitive information unreadable before disposing of either electronic or paper documents. New laws could also protect the confidentiality of Social Security numbers by further limiting their use and in particular their scope of dissemination. Such protective measures could have prevented the VA fiasco.
These protections provide a starting point, but legislators must go farther. To fully protect citizens, lawmakers should create a private cause of action allowing victims to sue entities whose poor procedures allow wrongful disclosure of private information.
Such suits would enlist individual citizens as “private attorneys general” similar to many consumer protection statutes. Allowing citizens to pursue legal remedies provides strong incentives for private parties to comply with standards to avoid litigation and bad publicity.
To assuage the fear of frivolous suits, the legislation allowing suits should include a presumption of compliance in favor of the private entities — so long as they meet certain minimum administrative, electronic and physical security standards. This would strike an appropriate balance between clear and updateable security standards for the guardians of private information and a means for victims to seek compensation.
Legislators need to shift their attention from punishing thieves and toward encouraging greater protective standards on the holders of personal information. Identity theft plagues our society and continues to grow daily because it is a crime of opportunity without clear protective standards for handlers of private information.
Implementing clear guidelines and providing legal redress to victims harmed by the disclosure of their information will go a long way toward solving the problem of identity theft. Our legislators should put these protections into effect immediately.
GREGORY S. MCNEAL
Senior Fellow in Terrorism and Homeland Security at the Case School of Law, Institute for Global Security Law and Policy