Identity Fraud & Your Business
Identity theft poses a threat to everyone, but business owners have more to lose than individuals because they are legally responsible for protecting not only their own identities but also those of their employees and clients. Depending on the nature of your business and the types of information you regularly collect from your customers, you might be legally bound (by laws like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act or the Federal Trade Commission Act) to take extra precautions when it comes to the personal information you obtain and store. Because each business is different, you are encouraged to visit http://www.ftc.gov/privacy to see how each of these laws affects you and/or your company.
Companies and business owners have two main responsibilities when it comes to identity theft: protecting other people’s information as if it were their own and properly handling any possible data breach their companies may encounter. In a technology-driven business world, your company may have access to the personal information of hundreds or even thousands of individuals. That’s why it is vitally important that you know what your company is doing with that information and who has access to it.
Safeguarding the Information Entrusted to You
Generally, when people apply for a job they give you their Social Security numbers without even thinking twice about it. When clients partner with you they give you even more information (bank account numbers, credit card numbers, PIN codes, etc.) than your employees do. Just because they trust you doesn’t mean you don’t need to prove you are trustworthy. Should someone become a victim of identity theft because of your carelessness, your good name—and that of your business—could be ruined forever. According to the Federal Trade Commission (FTC), all responsible business owners will pay special attention to five key areas when it comes to protecting other people’s information.
1. Know what information you have on file and who has access to it.
Does your company have access to the Social Security numbers of your clients? What about bank account numbers or PIN codes? How do you obtain this information—is it through written forms or online submissions through a website? Once you obtain this information, how is it transported within your company? And when you are done with the information, how do you store or dispose of it? The answers to these questions are important to know because they determine the odds of someone else’s personal information falling into criminal hands.
There are primarily three types of identity thieves business owners should be concerned with: dumpster divers who dig through trash and find information that wasn’t disposed of properly, employees who snoop around in files they don’t have access to in order to steal other people’s identities, and hackers who try to break into your electronic systems and steal information from your customers, clients or employees.
2. Keep only information that you need.
In an effort to protect your clients, employees and customers, it’s important your company doesn’t ask for or retain information that isn’t necessary. If asking someone for his or her Social Security number isn’t necessary for business purposes, don’t ask for it. Then you don’t have to worry about that number being stolen from your possession and destroying someone’s credit and his or her life. After someone makes a purchase from you, avoid storing credit card information, PIN codes, expiration dates and other pertinent information. Check all settings on your software systems to make sure information isn’t being stored by default. When employees leave your company, destroy documents containing their Social Security or bank account numbers since you will no longer need them for payroll purposes. The less information you have on hand, the less damage can be done if an identity thief infiltrates your system.
3. Lock up and protect information that has been entrusted to you.
It’s also important that all employees who have access to sensitive information pass higher-level security and background checks and that their access to certain information is monitored. Sensitive information should always be kept behind locked doors or on firewall- and password-protected computers. And your employees with access to private information should be reminded not to leave files open or lying around when they are on lunch breaks or in meetings.
Holding periodic and mandatory meetings on the company’s security standards is a good idea as people tend to grow lax once certain things become routine or specific policies aren’t strictly enforced. If your employees have the ability to access sensitive information from laptops or home computers, it’s a good idea to implement a system where that information can still be viewed (by tapping into a master computer’s server) but cannot be stored. This lessens the risk of a hacker being able to obtain private information, and it also limits the chances of one of your employees accidentally making sensitive information available to friends or family members who may be less than trustworthy.
4. Properly dispose of info you no longer need.
Because information may be collected and stored in various different ways, it is important that business owners properly dispose of all traces of information once they are done with it by shredding, pulverizing or burning all paper documents and by using inexpensive wiping software to make sure electronic information isn’t stored on hard drives even after it’s been deleted from computers.
It’s also a good idea to ensure that sensitive information is removed from the home and laptop computers of former employees and that passwords they had access to are changed. Also make sure that all keys and security access cards are returned. Even if employees leave on good terms and you aren’t concerned with malicious behavior, it’s important to note that most people won’t be as careful about protecting information that is no longer important to them.
Having a Contingency Plan in Place in Case of a Security Breach
5. Plan ahead for how to respond to security breaches.
Despite your best efforts, even the finest security systems might be breached by a mastermind identity thief. Because technology is constantly changing and expanding, there are numerous new ways that thieves are learning to steal information each and every year. So, it’s important that you have a plan in place for how you would handle a security breach in the event that one happens. That way, you can implement the plan sooner and, hopefully, less damage will be done.
The first step in implementing a successful plan is assigning one contact person at your company to handle all matters pertaining to breached security. It may also be a good idea to have an 800 number and website ready to go live to help point your clients and/or employees in the right direction should security be breached.
Should you discover that information has been compromised or stolen, your first priority should be to contact local law enforcement and file a police report. Once your case has been assigned to a contact person, ask him or her about the best way to inform all affected parties about the incident without creating an atmosphere of widespread panic. If credit card, bank account or social security numbers have been stolen, you also need to contact the three major credit agencies (Experian, Equifax and TransUnion) and have them put fraud alerts on all affected accounts. By having you (or your company) contact the agencies, and by offering to send them a copy of the police report, you may be able to stop thieves from victimizing your clients and/or employees sooner.
It’s also a good idea to send out a uniform letter to all victims giving the name and contact number of the law enforcement representative handling your case, and informing people of exactly what information was stolen, how it happened and what the potential risk to them is (was it just one credit card number that’s been stolen or was it their social security number which will allow thieves to open new credit in their names?). As a means of assisting business owners who have been victimized, the FTC provides a sample letter that can be personalized and used to inform possible victims. That letter can be viewed at: http://www.ftc.gov/bcp/edu/microsites/idtheft/downloads/model-letter.doc.
Because your clients and employees are vital to the success of your business, it’s important that you are constantly looking out for their safety and wellbeing. Intrusion detection systems are the easiest way to determine whether or not electronic data has been stolen or compromised. Some of the top brands include Snort (http://www.snort.org), OSSEC (http://www.ossec.net/) and BASE (http://sourceforge.net/projects/secureideas/). Prices vary by product, but it’s important to keep in mind that an intrusion detection system is an investment and not an expense. Protecting your employees and clients in an ever-changing world is absolutely vital to your business’s success. By protecting their identities, you are essentially protecting your business, and that’s definitely an asset you don’t want to lose.
