Identity Theft as a Business Liability
Are you protecting your customers? If not, your business could be at risk.
Identity theft increased more than 50 percent between 2003 and 2006, according to a Gartner Group study[1] released in March, with approximately 15 million Americans victimized in the twelve-month period ending in mid-2006. It is one of the fastest-growing crimes in America, and if you have been a victim you know just how painful it can be.
As a business owner, you may be contributing to this epidemic. Under new laws already enacted, and more in the works, you may be held responsible.
Victims of identity theft can spend months or years and thousands of dollars cleaning up the mess the thieves have made of their good names and credit records. In the meantime, according to the Federal Trade Commission, they may lose job opportunities, be refused loans for education, housing or cars, and even be arrested for crimes they did not commit. Humiliation, anger and frustration are among the feelings victims experience as they work through the process of rescuing their identities.
With the volume of electronic transactions increasing dramatically, it is almost impossible to be in business and not collect or hold personally identifiable information (names and addresses, Social Security numbers, credit card numbers or other account numbers) about your customers, employees, business partners, students or patients. Every such record you hold is one that can be breached, and a breach puts the people behind those records at risk of identity theft.
To encourage businesses to address these risks, several federal and state laws have been enacted and new laws are currently being considered. Penalties range from fines of $100 per violation to loss of federal funding. Federal laws include:
· the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects the privacy of health-related information;
· the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act or GLB Act, which governs financial institutions;
· the Fair Credit Reporting Act, which covers consumer reporting agencies;
· the Children’s Online Privacy Protection Act of 1998 (COPPA), which regulates operators of websites collecting children’s information; and
· the Family Educational Rights and Privacy Act (FERPA), which regulates educational records held by institutions that receive federal education funding.
Outside of regulatory compliance, protecting personally identifiable information is simply a good business decision. A recent study found that information privacy and security breaches cost companies an average of $182 per compromised record, a 31 percent increase from 2005. That might not sound like a big expense, but multiplied by the thousands or hundreds of thousands of records a business might hold, it adds up quickly. Typical costs to recover from a data breach range from $226,000 to $22 million, and that figure does not include damage to the organization’s brand and reputation. When a data breach occurs and the news breaks, consumers blame the organization.
Protecting personally identifiable information is neither expensive nor time-consuming, and it may protect you from loss. Implementing a privacy and security program will do more than put your business in compliance with federal and state law: it will help build a relationship of trust with your customers, a benefit that is invaluable.
How And What To Protect?
You don’t need to be a privacy expert to protect your customers’ information. Here’s a step-by-step guide to developing a sound privacy and security program.
1. Collect. Find out which laws require your company to keep sensitive data secure. Understand how personal information flows into, through and out of your business. If you do not have a business need to collect personally identifying information, do not collect it.
2. Use, store and retain. Know what personal information you have in your files and on your computers. Determine who has access and who should not. Keep information only as long as you have a business need for it; otherwise, discard it.
3. Protect. Hardware and software alone will not prevent data breaches; technology is just one piece of security. Effective procedures, backed by proper training, are just as critical.
Protection plans should address four key elements: physical security (building and computer-room controls), electronic security (encryption, access controls), employee training (security awareness) and the security practices of contractors and service providers (data-protection clauses in contracts, monitoring).
4. Dispose. Personal information should be disposed of properly so that it cannot be read or reconstructed. Leaving credit card receipts, papers, CDs, computers or back-up tapes containing personally identifying information in a dumpster exposes your customers to the risk of identity theft.
5. Respond. Create a plan to respond to security incidents. This includes notifying your customers, law enforcement and other authorities, and improving your program to reduce the likelihood that a similar event will occur in the future.
Breaches can happen, and no program is infallible. But instituting a privacy and security program to protect personally identifiable information will help you manage your privacy risks, protect your bottom line and find the most cost-effective ways to protect sensitive information.
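Step 2 depends on actually knowing where personal information sits in your files, and that is rarely obvious from a file listing. The scanner below is an added example, not code from the original article or from Kaufman Rossin: a Python script that searches a set of text files for Social Security numbers and payment card numbers, using the structure of an SSN and the Luhn check to keep phone numbers, order numbers and mistyped card numbers out of the report. The contents of SAMPLE_FILES are constructed for the example, and the patterns assume SSNs are written with dashes and card numbers as 13 to 19 digits with optional spaces or dashes; a real inventory would walk the file system and also scan spreadsheets, databases and mailboxes.

```python
"""Added example: a small PII discovery scanner for the data-inventory step.

It looks for two record types the article singles out, Social Security
numbers and payment card numbers, in a set of text files, using a
structural SSN pattern and a Luhn check so that phone numbers, order
numbers and mistyped card numbers are not reported as PII.
"""
import re

# SSN: AAA-GG-SSSS with never-issued ranges excluded (area 000, 666 and
# 900-999; group 00; serial 0000). Assumption: SSNs appear with dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict[str, list[str]]:
    """Return the SSNs and Luhn-valid card numbers found in one text blob."""
    ssns = SSN_RE.findall(text)
    cards = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


def scan_files(files: dict[str, str]) -> dict[str, dict[str, int]]:
    """Map each path that contains PII to counts per type; paths with none are omitted."""
    report = {}
    for path, text in files.items():
        found = find_pii(text)
        if found["ssn"] or found["card"]:
            report[path] = {"ssn": len(found["ssn"]), "card": len(found["card"])}
    return report


# Constructed sample "files" standing in for a real directory walk; every
# value below is made up for this example.
SAMPLE_FILES = {
    "exports/customers.csv": (
        "name,ssn,card\n"
        "Jane Doe,123-45-6789,4111 1111 1111 1111\n"   # valid SSN, Luhn-valid card
        "John Roe,234-56-7890,4111 1111 1111 1112\n"   # valid SSN, Luhn-invalid card
    ),
    # phone numbers and a 14-digit order number: none should be reported
    "support/phones.txt": "call 555-123-4567 or 800-555-0199; order 12345678901234\n",
    "docs/README.txt": "No customer data here.\n",
}

if __name__ == "__main__":
    for path, counts in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {counts['ssn']} SSN(s), {counts['card']} card number(s)")
```

Run against the constructed files, only exports/customers.csv is reported, with two SSNs and one card number; the Luhn-invalid card on the second row and everything in phones.txt is dropped. The report deliberately carries counts rather than the matched values, so the inventory itself does not become another copy of the data you are trying to find.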
Jorge Rey is an Information Security Manager at Kaufman Rossin one of Florida’s largest independent accounting firms. He consults with businesses of all types and sizes performing information risk assessments and implementing information security programs. He can be reached at jrey@kaufmanrossin.com.