Are companies required to protect consumers from identity theft?

If you’re hoping to get on board with the fastest growing crime in the country, you should learn more about identity theft. If, like most of us, you’re just looking to avoid being another statistic, you should definitely learn more about identity theft.

2014 set a record for data breaches, with more than 25% more incidents than the year before. A 2014 Justice Department report estimated that 7% of Americans age 16 or older, more than 16.6 million people, experienced some type of identity theft in 2013 alone.

At the Center for Identity, I recently collaborated with a team of designers and programmers to develop PrivacyCheck, an online tool for helping you make informed decisions about your personal information. Later this week I'll discuss how PrivacyCheck works, but first, let’s talk about which laws regulate how businesses collect and use your personal information.

While many federal and state privacy laws regulate the collection and use of personal data, the United States has no single, comprehensive privacy law. Instead, we have a web of overlapping federal and state laws and regulations that sometimes contradict one another, which leaves a company operating nationally to work out which requirements apply in each state where it does business.

Beyond the specific statutes, companies cannot cut security costs at the consumer's expense. Section 5 of the FTC Act gives the Federal Trade Commission authority to bring enforcement actions against businesses for “unfair or deceptive acts or practices.” The FTC's position is that failing to reasonably protect consumers' data is "unfair" when it results from a company's negligence, and "deceptive" when a company's privacy policy promises protections it does not actually provide.

On top of that, each state has its own consumer protection statutes. The most important difference from the federal regime is that most state statutes provide a private right of action, letting consumers sue directly, with fewer limitations on filing suit than the FTC Act (which has no private right of action). States also recognize common law causes of action for negligence and breach of contract, which are regularly used in claims relating to data privacy.

Government agencies and industry groups have also developed best practices and guidelines. The payment card industry (through the PCI Data Security Standard), online advertisers, and others have adopted their own standards for protecting Personally Identifiable Information (PII), and a company that accepts cards or serves ads is bound by those standards through contract even where no statute applies.

Over the last few years, we have seen developments in data privacy law and regulation at both the state and federal level. California, always at the forefront of state data privacy regulation, enacted the first Security Breach Notification Law back in 2002. The vast majority of states have adopted similar statutes in the years since; at the time of writing, only three states (Alabama, New Mexico and South Dakota) have not followed suit, and bills have failed to pass in both Alabama and New Mexico in recent years.

California is also one of only a handful of states to have created an Office of Privacy Protection. The California Online Privacy Protection Act (CalOPPA) requires the operator of a commercial website that collects consumers’ PII to conspicuously post a privacy policy describing what it collects and how it handles that data. The Act's reach was extended to mobile apps in early 2012, and in 2013 California added strict requirements for websites and online services directed at minors.

Other states have specific requirements for data protection and privacy policies as well. For example:

  • Utah requires any business that collects PII from Utah residents with the intent to sell it to notify the consumer before the consumer agrees to provide the information.
  • Connecticut requires businesses to safeguard all personal information and to publish a privacy policy when they collect Social Security numbers.
  • A Massachusetts regulation prescribes, in extensive detail, the security controls that covered companies must implement to protect residents' personal information.
  • At least 29 states have enacted laws requiring entities to destroy, dispose of, or otherwise render personal information unreadable or undecipherable once it is no longer needed.

The result is a patchwork of data privacy laws, regulations and guidelines. Because the overlapping federal and state requirements sometimes contradict one another, a company operating at a national level must reconcile them all, and compliance in one state does not guarantee compliance in another.

Look for part two of this post next week.
