Why banks need digitalme
Bank Is Sued
Over Theft
Of Private Data
----
By Rob Eure
What happened to Stanley Stevens isn't uncommon: A ne'er-do-well with a similar name got hold of his Social Security number and used it to rack up $50,000 in debt.
But Mr. Stevens and his wife, Harriett, took an unusual step when they sued the California bank with which they had entrusted the information -- and which hired the man who ended up filching it.
The Portland, Ore., couple's case was dismissed at the trial-court level, but the Stevenses have taken it up to the Oregon Court of Appeals, which will hear oral arguments later this month. The case is among the first to present a court with this question: Is a financial institution responsible if an employee, acting on his own, abuses information to which his job gives him access?
"This is a new kind of case," says Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, an advocacy group for victims of identity theft. What makes the Stevens lawsuit stand out, she says, is that it seeks "to hold the institution responsible" for protecting confidential information.
The Stevenses sued Los Angeles-based First Interstate Bank of California -- since purchased by Wells Fargo & Co., San Francisco -- in Multnomah County, Ore., circuit court in April 1997. The suit charged that in giving Stanley Stevenson a job before completing a background check on him, First Interstate breached its duty to keep personal data on its clients confidential. Mr. Stevenson worked in the Visa credit-card-collections division in Los Angeles for three months in 1994 before First Interstate learned he had been convicted of grand theft in California in 1981.
The bank quickly fired Mr. Stevenson, but not before he had used the Stevenses' confidential information to obtain credit cards and take out high-interest-rate loans. Mr. Stevenson used the Stevenses' address, and for one loan even listed their house as collateral, says Mr. Stevens, a salesman at Thermo By Products Co., an automotive-parts warehouse in Portland.
The experience has cost the Stevenses about $5,000 in legal fees and court costs. They did not have to pay the bogus charges made in their names, but they say their credit record has been all but ruined.
"Once this happens to you, it never goes away," says Mrs. Stevens, a registered nurse. Even now, she says, when she hands her credit card over to pay for a purchase, "they have to call the store manager and they ask us to step out of line. Everyone looks at you. I just generally don't buy that way any more."
The Stevenses' suit -- which also named Mr. Stevenson as a defendant -- asked for $150,000 to compensate them for "emotional distress, humiliation, embarrassment and loss of self-esteem."
But First Interstate argued that it wasn't responsible for what Mr. Stevenson did, because it complied with the Federal Deposit Insurance Corp. regulations in probing his background and fired him as soon as it discovered his criminal record. (The FDIC requires background checks, but the bank says it interprets the rules as allowing it to complete such a probe after an employee starts work.)
The bank also argued that in any event, the Stevenses should not be compensated for emotional suffering, because any duty the bank had to protect Mr. Stevenses' Social Security number was a contractual obligation, and such awards aren't allowed for breach of contract. (Damages beyond economic loss -- such as punitive awards or compensation for emotional distress -- are generally awarded only for tort claims.)
Multnomah County Circuit Court Judge William J. Keys disagreed with the Stevenses' argument that the bank had a duty to protect their confidentiality, and dismissed the case in March 1998. He ruled that the Stevenses had "a decent claim for negligence" -- but negligence, like breach of contract, is not enough to win emotional damages under Oregon law.
Judge Keys did enter a default judgement against Mr. Stevenson, who didn't appear in court, ordering him to pay the Stevenses $106,000 in compensatory and punitive damages. But Mr. Stevenson hasn't paid up, and the Stevenses' Portland lawyer, Phil Goldsmith, says "we consider that money uncollectable." (On the criminal side, Mr. Stevenson was convicted of grand theft in 1997 for his crime against the Stevenses, according to the San Bernardino County District Attorney's Office -- though it is unable to determine whether he served his 365-day sentence.)
The Stevenses appealed the dismissal of the case against the bank, carrying forward their argument that when a financial institution allows a thief access to its confidential customer records, it runs afoul of its responsibility to its customers.
Banks "are responsible for what they do with confidential information, and responsible for paying full damages if they misuse it," Mr. Goldsmith says. "Certainly if the bank had done what it was supposed to do, and not hired Mr. Stevenson without first checking his record, we would not have a case."
First Interstate responded in a brief to the appeals court that it "cannot be held to have breached a duty of confidentiality" because it "did not disclose to a third party any information about plaintiffs, and it did not use or appropriate any information about plaintiffs for its own benefit or to plaintiff's detriment."
Mr. Stevenson, the bank noted, was "not acting in the course of his employment" when he charged the $50,000 in the Stevenses' name.
Thomas Sondag, First Interstate's Portland lawyer, says bank policy forbids him to comment on pending litigation.
Shawn Newman, a public-interest lawyer in Olympia, Wash., says that as technology has made the sharing of the information about individuals easier than ever before, there has been more debate over how far a financial institution should go to protect client confidentiality.
"It seems clear to me that just as a lawyer has a duty of confidentiality to his clients, the bank has a duty of confidentiality to its customers," Mr. Newman says.
Mr. Newman says most identity cases against banks center on selling the information to or sharing it with telemarketers or solicitors. "The issue is boiling down to who really owns a customer's private information," he says. "Is it yours or is it the property of the institution?"
California was among the first states to make identity theft a felony, and this year lawmakers in Oregon and Washington followed suit. But Ms. Givens of the Privacy Rights Clearinghouse says those laws don't give victims the ammunition to convince prosecutors to take action "against the entity whose sloppy handling of their confidential information resulted in the theft."
This year, a Santa Rosa jury awarded Steve Shatnawi $10,000 in emotional damages from his health club, the 25 Hour Club, for negligence in hiring an employee who stole Mr. Shatnawi's credit identity. Mr. Shatnawi's lawyer, Brett McKague of San Francisco, says he knows of no other case like it in the state.
Identity-theft complaints account for about one of every three calls Ms. Givens's agency receives, she says. The Clearinghouse is fighting the problem by campaigning for the credit industry to tighten its controls on issuing credit cards.
As for Stanley and Harriett Stevens, they've purchased a paper shredder and reduced their use of credit, but still have a card issued by Wells Fargo. Mr. Stevens says he intends to pay off the last debt on the card this week.
"I want my business with them over," says Mr. Stevens. He adds that he was irritated to learn that after he and his wife refinanced their home loan, "I got a notice that the loan was sold to Wells Fargo. I can't believe it."
Mr. Stevens says he is willing to pursue the case all the way to the Oregon Supreme Court, and not just on the chance they might be awarded the financial damages they're seeking.
"We have been dealing with this for five years now, and, as amazing as it seems, when we talk to police they don't consider us victims," says Mrs. Stevens. "We just want somebody to say that the bank has some responsibility for allowing this to happen."
|
