Wednesday, March 26, 2008
Attorney General Abbott Reaches Agreement to Protect Pharmacy Customers from Identity TheftHOUSTON – Texas Attorney General Greg Abbott today reached an agreement with CVS Pharmacy, Inc. that will protect its Texas customers from identity theft. The settlement resolves the state’s April 2007 enforcement action against the nation’s largest retail pharmacy, which was charged with violating state laws that govern the disposal of customer records containing sensitive personal information.
Under an agreed final judgment obtained by the Attorney General, CVS will overhaul its information security program. The program must be fully documented in writing and contain administrative, technical and physical safeguards designed to protect the personal information of CVS customers. CVS also will pay $315,000 to the State of Texas, which will be appropriated for the investigation and prosecution of other identity theft cases, pursuant to the Identity Theft Enforcement and Protection Act.
Sample Documents in CVS Dumpster
(Personal info. dedacted by OAG)
View Video of News Conference
|Agreed Final Judgment against CVS Pharmacy, Inc.|
|Lawsuit Against CVS|
|Consumer Complaint Form|
“Recognizing that identity theft is one of the nation’s fastest growing crimes, the Texas Legislature passed laws to protect Texas consumers,” Attorney General Abbott said. “This agreement ensures that CVS will implement new procedures that will better safeguard their customers’ personal information. The Office of the Attorney General will continue aggressively enforcing laws that protect Texans from identity theft.”
Under the agreement with the state, CVS must implement a new training program to inform its Texas employees about the company’s enhanced information security procedures. The employee training program must provide employees with a review of CVS’ privacy procedures and a review of state laws governing the disposal of customer records. The training program also must explain identity theft, its costs to individual consumers and businesses, and the importance of abiding by the company’s disposal program.
The Office of the Attorney General took legal action against the defendant after hundreds of documents containing customers’ personal information were unlawfully dumped behind a CVS store in Liberty, Texas. The investigation subsequently revealed numerous credit card receipts containing customers’ complete credit card numbers and expiration dates as well as a handful of prescription sleeves that included dates of birth, type of medicine prescribed, insurance company, and prescribing physician.
Under the new procedures, CVS must designate an employee from its corporate office to oversee compliance with privacy protection laws. Store employees must be allowed to anonymously report any failures to comply with the program to a designated corporate-based employee or third party vendor. For five years, the compliance representative must forward a sworn statement to the Office of the Attorney General certifying that CVS has instituted and satisfied the required employee training.
To further assure that employees comply with the program, each CVS store must post signs explaining proper records storage and disposal procedures. The judgment further requires CVS to conduct unannounced compliance checks of at least three percent of its stores every six months.
Although the investigation revealed no confirmed incidents of personal information being misused, consumers who interacted with CVS’ Liberty location should carefully monitor bank, credit card and any similar financial statements for evidence of suspicious activity. All consumers should also annually obtain free copies of their credit reports to guard against this growing crime.
Today’s legal action is the latest in a series of efforts by Attorney General Abbott to combat identity theft in Texas, a state the FTC ranks as No. 4 per capita in the incidence of the crime. In 2007 and 2008, the Attorney General filed several enforcement actions against vendors that carelessly and unlawfully disposed of confidential records containing customers’ personal information. The state’s enforcement actions charged the defendants, including a national health services provider, with violating a 2005 law that requires vendors to protect records that might include Social Security and bank account numbers.
Anyone who encounters a business exposing records with personal information, such as Social Security numbers, may call the Attorney General’s toll-free complaint hotline at (800) 252-8011 or file a complaint online at www.texasattorneygeneral.gov.