Looks like we have another example of data protection gone amiss. The City of Chicago Elections Board faces charges that it disclosed social security numbers and other confidential information belonging to over 1.3 million voters in late 2003 and 2004 when it distributed CD-ROM disks containing this confidential data to aldermen and other members of local wards. In Chicago, election candidates are entitled to request and review various voter information. However, social security numbers were never supposed to be disclosed to any candidate for public office, member of the Board of Elections or local election ward member. In short, the Chicago Elections Board made a serious mistake allowing exposure to the public of confidential information on more than 1.3 million voters.
In October 2006, the Chicago City Election Board web site also exposed the same confidential social security information and even allowed voters to access and edit social security numbers. The web site has since been repaired and the City has taken various preventative security steps to revamp its computer database. However, the CD-ROM disks have apparently still not been recovered. If the City Elections Board recovered the disks and changed its web site, should it nevertheless be held accountable in civil litigation for its security problems? What are your thoughts?
In my opinion, citizen data only needs to be compromised once to present privacy and confidentiality problems. Even if the City has now cleaned up its act, if the facts are proven as represented publicly, the City should probably be held accountable to each victim of possible identity theft, leaving open the question about the appropriate level of damages. I also believe that the harm occurs once a person’s private data becomes exposed to the public and worsens when identity thieves actually use this personal sensitive information. Harm occurs first with exposure and not the actual use of confidential information because upon exposure, consumers usually must protect themselves by securing credit insurance, placing credit fraud alerts on credit records, and taking other reasonable precautionary steps. Consumers suffer additional harm when an identity thief actually uses their identity to open accounts and steal money. However, I believe that the harm starts once data has been compromised and worsens upon actual use. For this reason, I believe the City should be held accountable. Of course, the question about the appropriate measure of damages for allowing an unwarranted intrusion into private information remains for the fact-finder.
Periodically, I hear questions about why a corporation should be held accountable for the conduct of non-employee criminals accessing and attempting to use confidential information. Although the company may not have actually stolen information, in today’s technological environment, if it does not take all available reasonable precautions to protect confidential consumer data, identity theft will likely occur. Can you imagine a local branch of a bank not closing and locking its vaults at night? Would you ever use safety deposit boxes at this branch? Can you ever imagine the bank telling you first that it will protect your sensitive belongings in safety deposit boxes and later not locking these vaults at night? If a thief knew the bank did not secure its vaults at night and then stole items you placed in a safety deposit box, would you reject holding the bank accountable simply because a criminal and not the bank stole your belongings? You probably said that the bank has to share responsibility for its failure to secure its vaults at night. Well, I view the obligation to protect sensitive social security numbers on a computer database much the same way as I view the obligation to secure a safety deposit box inside a bank. What do you think?