Since January of 2005, in 940 separately reported incidents of data breaches, 226,955,128 records of personal information (i.e., social security information, credit card numbers and/or other types of information) were lost, stolen or compromised.[1] These thefts included the highly publicized breaches at grocer Hannaford Brothers Co. (4.2 million customers' debit and credit card numbers compromised), clothing retailer TJ Maxx/Marshalls (45.7 million customer debit and credit card numbers compromised), and credit card processor Cardsystems, Inc. (40 million credit card numbers compromised). Of these 940 reported incidents, 175 list the number of records compromised as ‘unknown,’ so the real number of consumer records breached may be significantly higher. And, of course, it is unknown how many breaches go unreported by companies that choose to “roll the dice” and hope they don’t get caught for not reporting breaches.
The Federal Trade Commission (FTC) is the government agency charged with protecting sensitive consumer data. Its website describes its responsibilities as follows:
The Federal Trade Commission is educating consumers and businesses about the importance of personal information privacy, including the security of personal information. Under the FTC Act, the Commission guards against unfairness and deception in companies’ privacy promises about how they collect, use and secure consumers’ personal information. Under the Gramm-Leach-Bliley Act, the Commission has implemented rules concerning financial notices and the administrative, technical and physical safeguarding of personal information, and it aggressively enforces against pretexting. The Commission also protects consumer privacy under the Fair Credit Reporting and the Children’s Online Privacy Protection Act ……
Here is a recent statement from the Bush-appointed Federal Trade Commission chairman Deborah Platt Majoras:
“By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” said FTC Chairman Deborah Platt Majoras. “These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America.”[i]
In other words, from January 2005, until May 2008, the FTC had brought enforcement action for negligence in the protection of sensitive consumer information (as covered by the financial privacy mandate) in 1.8% of reported data breaches. And, ironically, Deborah Platt Majoras was actually a victim of identity theft herself when she bought shoes at shoe retailing giant DSW.
In addition, data-breach litigation is not proving much of a deterrent to persuade companies to protect consumer information, as the courts have readily been dismissing suits where plaintiffs had not yet been victims of any identity fraud. For example, in Guin v. Brazos Higher Education Service Corporation Inc., after a negligence suit was brought against Brazos (due to the theft of a laptop containing personal information for 550,000 customers), the court granted summary judgment in favor of Brazos, determining that the company had no duty of protection under the Gramm-Leach-Bliley Act and that Brazos acted with reasonable care in handling the consumer information that was housed on the laptop. Using similar reasoning, the U.S. Court of Appeals for the Seventh Circuit recently dismissed another suit in Pisciotta v. Bancor. In this case the court held that open-ended damages for fraud and other costs were not supported by state breach notification laws. The court also held that Indiana’s state data-breach-notification law only creates a duty to disclose and places enforcement in the hands of the Attorney General; private individuals cannot file suit.[2]
Clearly neither the federal nor judicial arms of our government are interested in protecting the public from identity theft and other crimes against personal privacy.
[i] http://www.ftc.gov/opa/2008/03/datasec.shtm
Good Blog. I will continue reading it in the future. Nice layout too.
Aaron Wakling