
Identity Theft Liability and Compensation

by TechDoc in Crime, June 8, 2008

Identity theft liability and compensation are elements of security, privacy and personal freedom that as social beings concern us all. We may not be able to eradicate identity theft but we can do more to lessen its impact.

 

The issues pertaining to identity theft liability and compensation vary from one country to the next. Fortunately, for those believing that they are victims of identity theft, most countries now have legislation that can help them to seek remuneration.

Some of these legislative avenues of recompense come in the form of criminal law statutes, while others are manifest through various aspects of privacy and freedom of information laws. Inconsistencies in this legislation from one country or region to the next create the “unlevel playing field”.

Legislation

A number of recent identity related legislative changes in most countries do help to one extent or another. The difficulties lie in the variation and diversity of this legislation. On top of this, there are some very surprising aspects whose full implications we are yet to learn.

New laws tend not to reveal their full extent and granular implications immediately upon enactment. As to whether these new privacy and identity theft laws have any real “teeth”, well I guess in part we will just have to wait and see.

Legislative Inconsistencies

Privacy legislation and criminal law not only differ between countries; they may also differ between various regions (states) within a country. The resultant confusion, particularly at the individual level, has proven to be very profitably exploitable by identity thieves.

In Australia we have numerous, often different and not always complementary pieces of legislation at both the state and federal levels. The Australian Federal government has enacted privacy legislation (The Privacy Act) pertinent to privacy matters and personally identifiable information (PII) from their perspective. Some Australian states are yet to follow suit.

I am sure that those in the US will readily identify with this state of affairs since the same situation exists there. European countries (EU members in particular) also face regional anomalies in privacy legislation. The EU may have a set of overall regulations but some member countries have enacted extensions to these laws.

I will therefore address this issue from a general perspective while highlighting certain aspects of which general public awareness appears to be lacking. As always, when it comes to the law, the first issues that need addressing are interpretation of law and loopholes. Let us begin with issues related to loopholes.

Loopholes – After the Fact

Often those formulating the legislation find their original intent and purpose applied or empowered through the courts in ways they could not possibly have foreseen. “Loopholes” only become apparent and exploitable after the fact.

In general, legislators do not deliberately formulate law with a view to provisioning loopholes. Legislation once enacted becomes “open” to interpretation. Criminals are generally the first to test these waters. It is usually at this point that attorneys become active in the battle.

The battlegrounds will be our courts. The judiciary, no matter how well intended, have no option but to be the referees and arbitrators of the battle. The letter of the law may be clear, but it is the interpretation of the letter of the law that sees the true heat turned up and external pressures brought to bear.

Interpretation of Law

Interpretations of law that were in the best public interest fifty years ago may no longer be appropriate. The rapid pace at which technology is evolving places additional requirements meriting consideration when passing judgment based on interpretation of law.

Today we have a whole bunch of technologies that identity thieves can exploit to their advantage. The Internet is but one. Many older laws make no provision for the Internet since it did not exist at the time the legislation was formulated. As a result, considerable legal debate has occurred.

The judiciary for their part has little option but to pass judgment based on interpretation of existing law, at least until more appropriate amendments to existing law or new laws are drafted and enacted.

Health Related Information

Medical records attract special consideration and rightly so. In the USA, for example, your medical records and other health related details do have additional, stricter controls and protection afforded them under the current state and federal HIPAA regulations.

In Australia, very strict controls are now in place to regulate and protect your personal health information from random and casual disclosure by authorities and government bodies. All federal government agencies, bodies, departments and contractors must comply with federal privacy legislation.

The Australian Federal Government’s Privacy Act and subsequent amendments require specific minimal standards for all (organizations and individuals) who possess, handle, manage, store, access and dispose of health related information.

Unlike other areas of the Privacy Act there is no opt out provision. If you are involved in the health care industry in any manner, shape, or form you must comply with the health related provisions contained within the Privacy Act, period.

The Australian Medical Association (AMA) has been very active in pursuing this aspect for a considerable time now. For members of the medical profession themselves they have gone even further in the extent of care by which your health related PII is treated, handled, managed and not readily disclosed.

Who is Responsible?

Answering this question depends on the circumstances surrounding each instance and therefore requires treatment on a per case basis. Never forget that culpability alone does not ensure successful litigation.

Recent legislative changes do help in providing the means by which one can seek compensation to one extent or another. The difficulties in actually succeeding with claims for compensation lie in the variation and diversity of this legislation.

In short, responsibility for ensuring the security of personal information lies with whoever is in possession of it or has access to it. Since you are in possession of, and have ready access to, your own personally identifiable information as well as other personal information, you ARE to some degree responsible for its security.

Other individuals and organizations holding or with access to your personal information ARE responsible for ensuring the security of that component of your personal information which they hold or share.

General Concerns and Public Awareness

The first point of general concern, about which public awareness and understanding are not what they should be, is that organizations and individuals are obliged (responsible) to protect all personal information they hold. An organization or individual’s failure to do so is cause enough to warrant instigation of legal proceedings on the part of the victim.

The onus to ensure the security of personally identifiable information lies with its holder. If it is your own personal information then you do bear a large part of the responsibility for ensuring its security.

All elements that apply to business and other organizations, such as the appropriate irrecoverable destruction of personal information that has passed its tenure, apply to you. Shred any materials containing your personal information prior to committing them to the trash. For combustibles, burn them.

Institutions

Financial institutions and other organizations with access to your private data have a legal and ethical responsibility to assist you in preventing identity theft by incorporating certain methods to help minimize your exposure.

In practice, many of these methods will involve the question of accessibility. Regulation, regulatory compliance and tighter controls regarding access to personally identifiable information are the first and most obvious steps that need addressing in any effort pertaining to the security of personal information.

Liability

If an institution, organization, business or individual is conned into revealing your private information, the question of liability becomes a little clouded. They are, however, generally responsible for ensuring that this scenario (being conned) cannot take place. The onus for security of personal information is upon the holder of that information.

If an institution, organization, business or individual reveals any personal information as a result of error, accident, carelessness or inadequate security procedures (e.g. failure to shred or otherwise irrecoverably destroy any personal information prior to its entry into the public domain as trash), then they are most definitely responsible for the security breach. Instigation of litigation proceedings should commence immediately.

Whenever an institution, organization, business or individual fails to take adequate precautions to protect the personal information which they hold or have access to, or is a party to the disclosure of any personal information that they hold or have access to, they are most definitely liable. Litigation should commence immediately.

In situations where an employee or contractor committed an illegal act in revealing personal information, the employer still bears part of the responsibility. The onus for the securing of personal information lies with the holder of that information.

Legal Precedent

With legal precedent regarding organizational liability arising out of the inappropriate or illegal release of personal information now established, victims of such occurrences of identity theft have a firm legal basis for seeking compensation.

Trading Personally Identifiable Information (PII)

Organizations of all sizes and persuasions have an obligation in law to help you protect your private data. With that said, one remaining issue still of concern is the practice of selling or trading private information to legitimate inquirers for a profit.

Email address trading between business partners is probably the aspect of this trading or selling of personal information that is uppermost in the minds of most of us. For legitimate instances, we usually accept this.

However, when unrelated correspondence is involved we do find the results to be annoying, even downright invasive. You may need to supply a company with your email particulars in order to obtain something from them.

To illustrate, let us say a digital camera. Receiving future emails pertaining to new aspects directly related to this camera may be acceptable. Receiving emails that are thinly disguised ads for other unrelated products such as Viagra or organ enlargement may not.

Conclusion

As far as your personal information (personally identifiable information) is concerned, you are ultimately responsible for ensuring its security.

Contact all parties, organizations and individuals that you believe to be holding your personal information and request details of their methods, procedures and capacity to comply with current legislation.

You are entitled not only to do this but also to go even further by asking for proof of the trustworthiness of their procedures and to view the personal information which they hold about you.
