Companies that accept and extend credit need to protect themselves.

In 2003, Suzanne Sloane was admitted to Prince William County Hospital for the birth of her second son. Events during that hospital stay caused her to file a $12.35 million lawsuit against the hospital and resulted in her receiving a settlement from the hospital of more than $500,000. It was not what you think.

A hospital employee in the billing department used Ms. Sloane’s personal information to open several credit card accounts and enjoyed a $35,000 spending free before she was caught and jailed. The hospital had a strong incentive to settle this case. During litigation, it was discovered that the thief, a former felon, had been hired by the hospital without a background check. Additionally, the hospital billing department had no systems in place for protecting a patient’s financial information.

Identity theft is rising at rapid rates, and liability for compromised information is growing greater and more costly. As contractors, there are various facets of your business that may lead to identity-theft liability. The most prevalent is the practice of processing credit cards. Credit card processing exposes employers to the risk of misappropriated or stolen information. There are several steps that you can take to protect against identity theft and to insulate yourself from liability. If a breach occurs, and you do not have appropriate safeguards in place, the liability could ruin you.

Protecting Customer Information

Ms. Sloane’s case is not unusual. The leading underlying cause of identity fraud is theft of employer records. Usually, employees hired to perform low-level tasks, such as data entry, commit the crime. Therefore, the first step to minimizing your liability is to ensure that your business is staffed and maintained by employees that will act responsibly when dealing with clients’ credit card and other personal information. We strongly recommend criminal background checks on prospective employees.

Second, consider whether you can limit employees’ access to confidential customer information. For example, if financial and credit card information is stored on your computers, the information should be encrypted and password-protected so it is not accessible to employees who do not need access to the information.

This is not just a good business practice, it probably is your contractual obligation. Businesses that process credit cards must comply with the merchant guidelines provided by credit card companies. For example, merchant guidelines published by both Visa and MasterCard require a business to encrypt customer credit card databases and to discard verification numbers after using them in a transaction. The requirements of the guidelines vary by credit card company, and you need to be familiar with them. Contractual penalties for violating them can be as high as $500,000 per incident.

For the same reason, you should be cautious when disposing of and storing receipts, credit card numbers, and other personal information. One reason that many businesses have gone “paperless” is that it is generally believed to be easier to safeguard electronic information than it is paper records. This may be an option for you. And if you do not have a shredder, get one. Paper receipts with credit card numbers should never be tossed in the trash.

Employee Records Need Protection As Well

A few years ago, a group of emergency dispatch operators working for the city of Detroit were the victims of identity theft. They successfully sued their union for damages for not safeguarding their personal information. In this case, membership in the union was mandatory. The city provided the union with a quarterly report of all personnel who were members of the union. The union treasurer then compared that report against the union’s records to ensure accuracy. The report included each employee’s job classification, Social Security number, and pension number.

During the course of the criminal investigation, it was determined that the treasurer’s daughter had engaged in identity theft. She was found with a notebook containing the names and Social Security numbers of all of the union workers, apparently copied from the reports that her mother was responsible for reviewing. The court held the union liable, stating that while there is generally no duty to protect employees against the acts of a third person, that duty does arise in connection with the employment relationship, where the employee has entrusted private information to the employer.

Recent legislation makes employers and business owners liable for any act or omission that compromises any employee’s personal information and leads to identity theft. Under the Fair and Accurate Credit Transactions Act, any employer that causes the loss of an employee’s data can be fined by federal and state government and sued civilly. Employees can recover actual damages or statutory damages up to $1,000. Class actions are another option, with potential fines of up to $2,500 per employee, and state fines of up to $1,000 per employee.

New Rules From the FTC

To further prevent identity theft and increase accountability for breaches, the Federal Trade Commission (FTC) has issued a set of regulations, known as the “Red Flags Rule,” requiring businesses to develop and implement written identity-theft prevention and detection programs. Compliance becomes effective as of June 1, 2010. There are no criminal penalties for failing to, but companies that are subject to the Rule and are found to have violated them could be subject to civil monetary penalties of up to $2,500 per violation. 

The Rule applies to “creditors.” This is a broad category and includes any business that regularly defers payments for goods or services and bills customers or clients at a later date. This definition also includes anyone who regularly grants loans, or extends credit, or makes credit decisions. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. Unless you always collect payment at the time of service, you should assume that you are a creditor. (However, if you are a business that accepts credit cards, but this is the only type of potential covered account you maintain, you are probably not covered by the Rule.)

Once you conclude that the Red Flags Rule applies to you and your business, you must determine whether you have any “covered accounts.” This determination looks at both existing accounts and new ones. There are generally two categories of accounts that are covered. The first is a consumer account that you offer to customers or clients that’s primarily for personal, family, or household purposes that is designed around or permits multiple payments or transactions. The second kind of covered account is any account maintained for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the business from identity theft.

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their identity-theft prevention programs. Your program must include four basic elements:

1. Identifying Red Flags:

The first step is for your program to include reasonable policies and procedures to identify the red flags of identity theft that you may run across in the day-to-day operation of your business. A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Red flags generally fall within one of the following categories:

i. Suspicious documents;

ii. Suspicious personal identifying information;

iii. Suspicious or unusual use of covered account; and

iv. alerts from others (e.g. customer, identity theft victim, or law enforcement)

2. Detecting and Addressing Red Flags:

Secondly, your program must be designed to detect the red flags you’ve identified. For example, if you’ve identified credit card payments with multiple addresses for billing as a red flag, you must have procedures in place to check for matching billing information and refuse payments on credit cards with billing addresses that do not match the customers’ known address.

3. Procedures:

Your program must also spell out appropriate actions you will take when you detect red flags. For example, your program should indicate if one person will be responsible for handling all detected red flags and if so, all employees should be aware of that person and be able to contact that individual easily to report red flags.

4. Evaluate and Update:

Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your program periodically, generally at least once annually, to reflect new risks.

There are also some specific steps that must be taken in order to implement and maintain your Red Flags program. The company is responsible for implementing and administering the program. An office manager or other employee can be delegated as the Program Administrator so long as the company exercises oversight of the program.

The Program Administrator should be notified when any Red Flags are detected and oversee the appropriate response. A log describing and documenting responses to detected Red Flags should be kept.
All employees should be trained to carry out the Red Flags Rule program. The training program should cover the topics tailored for the needs and experience of the particular practice. It should explain the purpose of the program, the relevant Red Flags, and the procedures for responding to them.

All employees should be given a copy of the program document, and should sign a written acknowledgement that they have read it and been given the opportunity to ask questions about it. Keep copies of the acknowledgements in the office administrative files.

With the exception of the Red Flags Rule requirements, prevention of identity theft is a fairly simple and intuitive process that is necessary to ensure protection from liability. Contractors should be using available preventative tools and techniques. The processing of credit cards creates an additionally high risk of identity theft, so the appropriate safeguards must be developed to protect such information.

If the Red Flags Rule applies to your business, it is vital that you implement a written plan. Doing so will not only avoid government-imposed penalties, but will also provide the necessary safeguards to insulate your business from excessive liability for identity theft.

Additional Information

The FTC has information regarding identity theft issues for businesses posted on its Web site at http://www.ftc.gov. The Web site advises notifying the appropriate law enforcement agency and affected businesses. It also recommends consulting law enforcement prior to notifying individuals so as to not impede any investigation. If appropriate, identify affected individuals as quickly as possible so they may avoid any further misuse of the information.

Michael P. Coyne is a founding partner of the law firm, Waldheger Coyne, located in Cleveland, Ohio. For more information on the firm, visit: www.healthlaw.com or call 440-835-0600.