Identity theft liabilities Featured

11:12am EDT March 22, 2006
It’s all over the news: computer hacking thieves using new and inventive techniques to “steal identities.” These identity thieves gather personal information on their victims to open credit card accounts, buy expensive merchandise on credit, or simply empty a bank account and disappear. Sometimes, it may take months or years for a victim to discover the unauthorized use of his identity. Today, with a name and Social Security number, a thief can do thousands of dollars of damage to the victim in a matter of minutes.

Most people envision the identity thief is a dark stranger — someone who looks over your shoulder at the checkout line or some computer genius who hacks into some unseen vast database. However, the typical identity thief may be working in your office, sitting in the next cubical or emptying your trash can. A company’s filing cabinets and electronic files contain vast amounts of information on its employees — never mind on its clients and customers — and every person who has access to that information is a potential thief.

Indeed, every employer is required to keep a treasure trove of personal information on its employees. A basic resume contains name, address, phone number, e-mail addresses and employment history. Once hired, the employee must give the employer a Social Security number so that Uncle Sam gets a cut of every paycheck. The employee must give his or her bank account information to direct deposit the rest of that paycheck. If the employer provides insurance coverage, the employee might even provide private information on the spouse, children and other beneficiaries. The forms and applications an employer relies upon to fulfill its obligations to its employees, insurance companies, and government agencies form a gold mine for an identity thief.

Of course, it is a crime under many federal and state laws to use the identification of another person to commit unlawful activity, i.e. theft by deception, fraud, etc. And, if the criminal is identified and caught, a victim can file a lawsuit against the thief. However, in many cases, the criminal is never unmasked, and even if a lawsuit suit against him is successful, the thief probably has no assets to satisfy a judgment. The fruits of his crime have disappeared.

Your fault?

So victims of identity theft are now looking to someone else for compensation. For example, if the thief used information he or she got from an employer’s files, an employee who’s become a victim might look to that company for redress. If a thief takes information from an employee’s personnel file, the employee may seek to hold the employer liable for the damages, because the employer failed to safeguard the file despite knowing that it contained private, confidential information.

Although most states do not have statutes creating a specific cause of action, the employee might sue the employer under common-law theories of invasion of privacy or simple negligence. The employee would argue that the employer has the duty to take reasonable measure to keep the information private, and that its breach of that duty enabled the thief to swoop in.

In such a case, an employer can face tremendous liability, depending on the damage done by the thief. Given the relatively recent explosion of identity theft cases, there are few cases in the United States holding a third party responsible for the damages caused by an identity thief. However, rather than waiting for a lawsuit, employers should minimize the potential liability now.

How to avoid liability

  • Establish a written policy prohibiting the distribution of employee information, whether in paper and electronic form. Like policies against sexual harassment, if the employer makes it clear that certain behavior is not acceptable, it goes a long way to helping an employers’ defense.
  • Establish a separate written policy limiting co-employees’ access to that confidential information. For example, the payroll clerk may need access to the social security numbers, but the receptionist does not.
  • Maintain a separate filing system for files containing confidential employee information, again whether it is in paper or electronic form. Lock the cabinet housing the personnel files and password protect electronic payroll files.
  • Protect your computer systems with appropriate software to protect against viruses and unauthorized access from inside and out.
  • Most importantly, follow through and enforce these policies!! Safeguard your employees’ confidential information as if it were your own. Remember, the thief might even decide to go after the employee with the highest credit card limit: the CEO or managing partner!

Jessica A. Ryan is an associate in the Atlanta office of Gambrell & Stolz LLP. Her areas of practice are commercial litigation, contract disputes and toxic tort. Reach her at (404) 221-6511 or