Ontario's information and privacy commissioner has a message for Ontario businesses: Start shredding, start encrypting and start taking more responsibility for identity theft.
Identity theft is the fastest-growing crime in North America and is costing business millions of dollars each year. But the reality is that the problem isn't on the radar for many companies, or they would have started tackling it.
"Maybe this isn't a big enough cost to business, but it sure is for consumers," Ann Cavoukian says. "Business is foolish to minimize the impact on their customers through the time and hassle to clear someone's name. When data begins leaking due to a company's negligence, it is consumers who suffer the most, in the form of financial losses, identity theft, poor credit ratings and personal frustration."
But, Cavoukian says, despite the prevailing messages in the media, "Individual consumers cannot do much to protect themselves."
Identity theft is all too often a cost externalized by businesses, leaving the victims to clean up the messes that were created through no fault of their own. Businesses need to take more responsibility for identity theft, because it is all too often a result of sloppy information management, says Cavoukian, whose office released a report earlier this fall titled Identity Theft Revisited: Security is Not Enough.
PhoneBusters, which collects information on identity theft in Canada, says there were more than 9,000 reported victims of identity theft, totalling $7.2 million in losses from January to October.
"We are doing this as a wakeup call to business," Cavoukian says. "There is no excuse not to encrypt your data, not to shred records - really simple measures that could make a big difference.
"Enough of 'consumers can protect themselves,' " Cavoukian says. "Consumers can take some steps clearly to minimize the possibility of becoming a victim, but even if they did everything the correct way, they couldn't protect their information that resides in hundreds of databases in businesses. And, of course, they have to give it to businesses."
Unlike British Columbia, Alberta and Quebec, Ontario has no legislation covering the private sector to deal with the problem. And none of the four provinces have "breach-notification legislation" that requires people to be told when personal information is leaked or stolen from a private business.
Cavoukian is pushing for legislation in Ontario and wants it to be next-generation legislation that goes beyond B.C., Alberta and Quebec and includes breach notification.
As recently as February, California was the only state that had a breach-notification law requiring businesses to notify customers if personally identifiable information had been compromised.
The situation changed quickly when ChoicePoint Inc. began notifying customers in California that identity thieves had gained access to their personal information and attorneys general in other states discovered the leak was nationwide and that about 145,000 files had been stolen.
Because ChoicePoint was not required to notify residents of any state other than California, it did not. Since then 21 states have enacted breach-notification legislation and 13 more have pending legislation.
In Canada, neither the provinces nor the federal government have similar breach-notification legislation. The only breach-notification law in Canada is in Ontario, but it pertains only to medical information.
While victims of identity theft go through enormous hassles to clear up their credit records and reputations, many are surprised to learn they don't have to pay back the money. That means millions of dollars in losses are absorbed by credit-granting companies.
Cavoukian says she believes that businesses that do address the problem of safeguarding against identity theft will be ahead of the curve since it is only a question of when the legislation will come.
"If you treat privacy as a business issue and think about it strategically, you will go much further to discovering a competitive advantage," Cavoukian writes in her report.
Cavoukian is not alone in her criticism of the situation in which victims bear the brunt of a problem that is often the result of poor information management practices on the part of corporations, organizations and governments.
A group of consumer organizations that came together under the name of the Canadian Consumer Initiative (CCI) earlier this year also is calling on the government to enact legislation to protect consumers.
CCI co-ordinator Peter Bleyer says that the costs of taking measures to prevent identity theft are high and businesses have managed to create the impression that it isn't their problem.
"There is such a commercial interest in externalizing the costs of identity theft," Bleyer says. "Let's actually punish companies and governments who fail to protect their clients and their consumers appropriately."
John Lawford of the Public Interest Advocacy Centre - one of the member organizations of the CCI - agrees.
"It would be really helpful to have just a couple of legislative requirements to scare people into doing something about it," Lawford says. "If they blow it and lose a whole database, they should be made to tell those 100,000 people - which tends to get their attention."
But the president of one of the major credit bureaus, Equifax Canada, doesn't think more legislation is the answer. Rick Cleary says that most identity theft is a result of old-fashioned dumpster diving.
"I don't know that it is necessarily the fault of companies and businesses," Cleary says.
"At the end of the day, it is criminals."
Cavoukian doesn't disagree that dumpster diving may be a major source of identity theft, but says if businesses weren't throwing files with personally identifiable information into dumpsters, it wouldn't be a problem.
"You could eliminate all dumpster-diving problems if you didn't throw out the data - if you shred it - but people aren't doing that," she says.
Businesses in the United States and Canada are starting to deal with the issue of identity theft in other ways, however.
Credit bureau TransUnion Canada offers a service for $22.95 quarterly that monitors a customer's credit, as well as providing quarterly reports and weekly e-mail updates. Equifax and TransUnion offer similar services in the United States.
Identity Guard offers a number of credit-watching services in Canada and the United States.
For about $16 a month, it provides a comprehensive credit report, monitors credit and provides quarterly updates. It also offers identity-theft insurance of up to $2,500 (with a $250 deductible) per year for certain expenses and access to a consumer fraud and identity theft recovery resource centre.
"One cannot escape the irony," Cavoukian says. "But nonetheless I'm pleased that they are introducing those privacy protective services after the fact. I think they'll be helpful to consumers."