Tom Ryan

Wednesday, 22 March 2006 11:12

Identity theft liabilities

It’s all over the news: computer hacking thieves using new and inventive techniques to “steal identities.” These identity thieves gather personal information on their victims to open credit card accounts, buy expensive merchandise on credit, or simply empty a bank account and disappear. Sometimes, it may take months or years for a victim to discover the unauthorized use of his identity. Today, with a name and Social Security number, a thief can do thousands of dollars of damage to the victim in a matter of minutes.

Most people envision the identity thief is a dark stranger — someone who looks over your shoulder at the checkout line or some computer genius who hacks into some unseen vast database. However, the typical identity thief may be working in your office, sitting in the next cubical or emptying your trash can. A company’s filing cabinets and electronic files contain vast amounts of information on its employees — never mind on its clients and customers — and every person who has access to that information is a potential thief.

Indeed, every employer is required to keep a treasure trove of personal information on its employees. A basic resume contains name, address, phone number, e-mail addresses and employment history. Once hired, the employee must give the employer a Social Security number so that Uncle Sam gets a cut of every paycheck. The employee must give his or her bank account information to direct deposit the rest of that paycheck. If the employer provides insurance coverage, the employee might even provide private information on the spouse, children and other beneficiaries. The forms and applications an employer relies upon to fulfill its obligations to its employees, insurance companies, and government agencies form a gold mine for an identity thief.

Of course, it is a crime under many federal and state laws to use the identification of another person to commit unlawful activity, i.e. theft by deception, fraud, etc. And, if the criminal is identified and caught, a victim can file a lawsuit against the thief. However, in many cases, the criminal is never unmasked, and even if a lawsuit suit against him is successful, the thief probably has no assets to satisfy a judgment. The fruits of his crime have disappeared.

Your fault?

So victims of identity theft are now looking to someone else for compensation. For example, if the thief used information he or she got from an employer’s files, an employee who’s become a victim might look to that company for redress. If a thief takes information from an employee’s personnel file, the employee may seek to hold the employer liable for the damages, because the employer failed to safeguard the file despite knowing that it contained private, confidential information.

Although most states do not have statutes creating a specific cause of action, the employee might sue the employer under common-law theories of invasion of privacy or simple negligence. The employee would argue that the employer has the duty to take reasonable measure to keep the information private, and that its breach of that duty enabled the thief to swoop in.

In such a case, an employer can face tremendous liability, depending on the damage done by the thief. Given the relatively recent explosion of identity theft cases, there are few cases in the United States holding a third party responsible for the damages caused by an identity thief. However, rather than waiting for a lawsuit, employers should minimize the potential liability now.

How to avoid liability

  • Establish a written policy prohibiting the distribution of employee information, whether in paper and electronic form. Like policies against sexual harassment, if the employer makes it clear that certain behavior is not acceptable, it goes a long way to helping an employers’ defense.
  • Establish a separate written policy limiting co-employees’ access to that confidential information. For example, the payroll clerk may need access to the social security numbers, but the receptionist does not.
  • Maintain a separate filing system for files containing confidential employee information, again whether it is in paper or electronic form. Lock the cabinet housing the personnel files and password protect electronic payroll files.
  • Protect your computer systems with appropriate software to protect against viruses and unauthorized access from inside and out.
  • Most importantly, follow through and enforce these policies!! Safeguard your employees’ confidential information as if it were your own. Remember, the thief might even decide to go after the employee with the highest credit card limit: the CEO or managing partner!

Jessica A. Ryan is an associate in the Atlanta office of Gambrell & Stolz LLP. Her areas of practice are commercial litigation, contract disputes and toxic tort. Reach her at (404) 221-6511 or

Monday, 25 April 2005 10:05

Web approach

While many business owners recognize the need for having a Web site, most don't have a clear strategy. Instead, they see their site as a simple electronic brochure where prospective buyers can learn about their business, but a Web site should be much more -- it should be designed as part of your business' online strategy.

E-commerce has too often been viewed as a separate marketplace. It was that view that resulted in the wild run-up of stock prices for Internet-based companies before the dot-com crash. Since the implosion, many business owners have been confused about the importance of the Internet.

The best business strategy to emerge has been forged by large companies that have recognized the value of a multifunctional Web site. These companies have built sites that complement their bricks-and-mortar businesses, viewing the Web as simply another market. And for good reason. The growth in e-commerce has more than doubled the regular economy. In the second quarter of 2004, e-commerce sales reached $15.7 billion, a growth rate of 23.1 percent, while total retail sales for the same period grew by only 7.8 percent.

Today's business leader needs an online business strategy to produce a site where potential customers can get information and transact business. Several things are needed to accomplish this goal.

First, Web sites, by themselves, do not attract new customers. If your Web site does not show up on the first few pages in a keyword search, your chances of being seen are slim to none. Web sites need to be registered with search engines and designed so that key search words can find your site.

The most effective way for a business to get a first page ranking is to pay for placement. Several organizations offer bundled packages of services that include search engine registration, paid-for placement submissions, optimization and inclusion in Internet yellow pages.

Second, Web sites should be designed so that visitors can either place an order or transact business. That transforms your site into a fully-functional e-commerce store on the Web, with payment gateways for credit card transactions.

Third, Web sites need to have customer service functions integrated into the design, with database look-ups to access information and forms to request information while capturing e-mails.

Fourth, your site should be designed to play an active role in your business, with things such as a marketing program that creates a campaign to stay in contact with customers with things such as e-mailed newsletters and special discount offers. The cost of generating additional business from an existing customer is significantly cheaper than finding a new one.

Business owners who have a big picture view of their Web site will see that developing an online business strategy can both increase revenues and lower costs while expanding the marketplace of the business without a major outlay of capital.

Tom Ryan is director of sales development for International Profit Associates. IPA's 1,700 employees offer consulting services to businesses throughout the United States, including Alaska and Hawaii, as well as Canada. Reach Ryan at at or (800) 531-7100.