Security breach and identity theft are not the same thing under records and information management laws

Posted on July 6, 2009 in: HR Info Center

State records and information management laws have differing disclosure notifications

An important distinction here: when you hear “security breach,” there’s often the idea that a security breach and identity theft are sort of the same thing in records and information management. But they’re actually different. Not all security breaches result in identity theft. And in fact, studies show that most breaches do not result in identity theft. You can be required to provide notification under the breach notice sections of state records and information management laws even if there seems to be no realistic risk of identity theft. So, when we’re talking about breach, we’re talking about something beyond just identity theft.

Learning lessons in records and information management

ChoicePoint is the landmark cautionary tale in the area of data security. Data brokers collect data, improve data and clean up data; it’s used for consumer reports and background checks.

Now, a few years ago, ChoicePoint was the victim of a rather elaborate hoax in which a criminal ring posed as a legitimate company saying, “Well, we need to buy this information from you for our loan processing business.” It turns out the information was actually used for a massive identity theft scam. Now, what was already a bad situation because there were millions of affected consumers became worse, because ChoicePoint originally only provided notice of the breach in their records and information management system in the states where a notice was legally required, and at that point in time, it was just California.

ChoicePoint had the state attorneys general of other states knocking on its door saying, “Are you saying that there is no effect on consumers in my state?” Well, it turned out there were effects on consumers in many other states. That just made matters worse because there was a significant delay in providing notice to those other individuals.

One point here is to really think about consistency in providing notification of a breach, particularly if it’s a major breach of your records and information management system. Because the fact of the matter is it’s likely to come out if other individuals in other states were affected. If they’re not treating it uniformly, that can give rise to a whole separate set of issues.

As of 2008, ChoicePoint has already paid tens of millions of dollars in direct damages. And it’s also suffered significant damage to its business reputation that it’s still working to fix.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
