“Texans expect their personal information to remain confidential. The Office of the Attorney General will take all necessary steps to protect consumers from identity thieves.”
– Texas Attorney General Greg Abbott
Last week the Texas Attorney General filed suit against yet another company that disposed of its customers’ confidential personally identifiable information in a publicly accessible trash dumpster. Minnesota-based Lifetime Fitness has been accused of “systematically exposing its customers to identity theft.”
The documents were discovered by a Dallas resident who was looking for empty boxes in trash dumpsters behind local businesses. Instead, the Dallasite found a plastic bag full of credit card receipts with corresponding driver’s license numbers, as well as complete credit card numbers. The concerned citizen reported the incident to the Dallas Police Department, who in turn visited the store manager to investigate the problem. The Lifetime Fitness store manager assured the Dallas Police Department and the concerned citizen that he would shred its customers’ confidential information and dispose of the material properly. The next day, the concerned citizen visited the same dumpster and found that the documents were not completely shredded properly and that he still could read confidential personally identifiable information. Upset that the Lifetime Fitness store manager had not kept his word, the concerned citizen then contacted a Dallas television station where the story aired that night.
According to the lawsuit filed by the Office of the Texas Attorney General, “Lifetime Fitness violated the law by repeatedly failing to protect customer records that contain sensitive personal information, including Social Security and credit card account numbers.” Even worse, the documents included the names and birth dates of children. Lifetime Fitness operates a short term child care as a service to its members. Lifetime Fitness is accused of violating the Texas Deceptive Trade Practices Act and the 2005 Identity Theft Enforcement and Protection Act. The Attorney General alleged that Lifetime Fitness violated the Texas Deceptive Trade Practices Act because it violated its own web-based Privacy Statement. According to the lawsuit, Lifetime Fitness misrepresented to its customers that “all of their employees who have access to personal data are obliged to respect the confidentiality of consumers’ personal information.” The Texas ITEP Act mandates that businesses have a legal duty to protect and safeguard sensitive personal information. Finally, the Texas Attorney General accused Lifetime Fitness of violating Chapter 35 of the Texas Business Commerce & Commercial Code which requires business to develop document retention and disposal procedures for their clients’ personal information.
If Lifetime Fitness is liable under Chapter 35 of the Texas Business Commerce & Commercial Code, a court could impose a civil penalty of up to $500 for each record. Section 48.201 mandates a civil penalty of at least $2,000 and up to $50,000 against each Defendant. Under the DTPA, civil penalties against each Defendant could reach up to $20,000 for each violation. If the customers whose nonpublic personal information was unlawfully dumped can be identified, those customers could be awarded damages of not less than the amount the consumer originally paid Lifetime Fitness. Finally, Lifetime Fitness could be liable for the State’s reasonable attorney’s fees, investigatory costs and court costs.