Individuals Aren't The Only Targets For Identity Theft
If you lose any of your employees' or customers' information, your business is likely to become a target as well.
Businesses Will Be Held Responsible
The first thing businesses need to understand is how likely they are to lose data. Many businesses do not know all the places where confidential information resides within their network or operating systems. Copiers, printers, laptops and portable storage devices are all major risks for data loss. Federal regulations and legislation require businesses and organizations to implement identity theft prevention programs. This makes businesses responsible for taking reasonable steps to prevent identity thieves from stealing information with the intent of committing fraud. Reports show that identity theft is on the rise, both as a result of the economy and of negligence with private, personal information. Because many of the laws are relatively new and the government cannot possibly monitor all of our identities and any suspicious activity that may occur, many of the precautionary measures are the responsibility of individuals and business owners.
There are three federal laws and regulations that are of vital interest to business owners. The Fair and Accurate Trade Act (FACTA) holds businesses responsible for any data loss and subsequent identity theft that may occur. It applies to every business that collects consumer information for business purposes (so basically every business owner). In the event that any employee or customer information is lost, the business is held responsible and liable for “per occurrence” or “per person” fines, which average from $1,000 - $2,500. Additionally, the company is responsible for any monetary losses incurred by the individual, with an average of $93,000 charged per victim. Businesses cannot afford to ignore the threat of data loss and identity theft. These figures do not take into account any lawsuits that may be brought by victims. FACTA has resulted in the recently published Red Flags Rule, which requires most businesses to implement an identity theft risk management program.
The second piece of legislation that is crucial for business owners is the Health Information Portability and Accountability Act (HIPAA). If medical data is lost, the cost can be $250,000 per occurrence and up to 10 years in jail for corporate officers.
The third law that is important for business owners is the Gramm, Leach, Bliley Safeguard Rule (GLB). GLB is for financial institutions what HIPAA is for the medical sector. The law ensures financial privacy. Although this may seem confined to banking institutions, the law has been liberally interpreted to include any company that provides banking services for another entity, meaning that businesses that allow companies or individuals to pay after 90 days could be held responsible because it may be considered lending.
How Can Businesses Take Control?
There is a new generation of laws starting to appear that deal with data protection. At least five states have already put these laws into effect, with Massachusetts being the first. These laws provide stringent requirements for the protection and, in most cases, encryption of sensitive information. One requirement, proving to be difficult for businesses to put into effect, is restricting employees' access to sensitive information.
There are two ways to look at these requirements. First, you could see them as compliance programs that should be put in place. This is what most businesses are able to do, but rarely does it make a difference in how businesses actually operate. It doesn’t create the necessary synergy it was intended to facilitate. Besides, when was the last time you went to an interesting or thought-provoking compliance training session?
A much better option is to use these requirements to help create a ‘Culture of Protection’ for sensitive information. There are several steps to take to make this happen. First, companies must develop simple and easily understood policies and procedures. There are many examples of how this can be done (the Federal Trade Commission is making a model for financial institutions), but if a sixth-grader can’t understand it, it is too complicated.
Next, you must educate your employees on what identity theft is and why they should care. Policies will most likely never be able to cover every situation, so educating employees about the ‘why’ as opposed to the ‘what’ is the best way to help them act beyond the policies without taking any shortcuts. The employees who are lowest on the managerial scale are often the ones with the greatest responsibility to protect businesses from identity theft. A little care can go a long way. The following five tips are a good start to protecting computer data:
- Encrypt all data on computers and mobile devices carrying agency information
- Control remote access with two-factor authentication where one device is separate from the computer providing access
- Use a “time-out function” requiring re-authentication after 30 minutes of inactivity
- Log all computer-readable extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days
- Ensure all individuals with access to client and business information sign a document clearly describing their responsibilities
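The fourth tip (log every computer-readable extract and verify it has been erased within 90 days) is the one that needs a record to check against. The following is an added example, not code from the article or its author, of a small audit routine over such an extract register. The CSV layout, the field names (extract_id, extracted_on, requested_by, destination, erased_on), the sample rows and the audit date are all constructed for this example; the 90-day window is the one the tip states.

```python
# Added example (not from the original article): audit a register of database
# extracts and flag any copy that was not verified erased within 90 days.
# The log format, field names and sample rows below are constructed.
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 90  # erasure window from the tip above

# Constructed sample register. A row is written whenever someone pulls a
# computer-readable extract from a database holding sensitive information;
# erased_on is filled in once the copy has been verified destroyed.
SAMPLE_LOG = """extract_id,extracted_on,requested_by,destination,erased_on
EXT-001,2009-01-05,jdoe,usb-drive-17,2009-02-01
EXT-002,2009-01-10,asmith,laptop-22,
EXT-003,2009-03-20,jdoe,share-hr-exports,
EXT-004,2008-12-01,bwong,laptop-07,2009-04-15
"""

# Constructed date on which the audit is run.
AUDIT_DATE = date(2009, 5, 1)


@dataclass
class Extract:
    extract_id: str
    extracted_on: date
    requested_by: str
    destination: str
    erased_on: Optional[date]  # None until erasure has been verified


def parse_extract_log(text: str) -> List[Extract]:
    """Parse the CSV register; a blank erased_on means the copy still exists."""
    extracts = []
    for row in csv.DictReader(io.StringIO(text)):
        erased = row["erased_on"].strip()
        extracts.append(Extract(
            extract_id=row["extract_id"],
            extracted_on=date.fromisoformat(row["extracted_on"]),
            requested_by=row["requested_by"],
            destination=row["destination"],
            erased_on=date.fromisoformat(erased) if erased else None,
        ))
    return extracts


def classify(extract: Extract, today: date) -> str:
    """ok / erased_late for erased copies; pending / overdue for copies still out."""
    deadline = extract.extracted_on + timedelta(days=RETENTION_DAYS)
    if extract.erased_on is not None:
        return "ok" if extract.erased_on <= deadline else "erased_late"
    return "overdue" if today > deadline else "pending"


def audit(text: str, today: date) -> Dict[str, str]:
    """Status of every extract in the register as of the given date."""
    return {e.extract_id: classify(e, today) for e in parse_extract_log(text)}


def findings(text: str, today: date) -> List[str]:
    """Only the extracts that need follow-up (still out past 90 days, or erased late)."""
    return sorted(k for k, v in audit(text, today).items()
                  if v in ("overdue", "erased_late"))


if __name__ == "__main__":
    for extract_id, status in audit(SAMPLE_LOG, AUDIT_DATE).items():
        print(f"{extract_id}: {status}")
    print("needs follow-up:", findings(SAMPLE_LOG, AUDIT_DATE))
```

Run as a script it prints one status per extract; on the constructed data EXT-002 is overdue (pulled in January, still out in May) and EXT-004 was erased but only after its deadline, which is the kind of entry a supervisor would chase under this tip. Keeping `erased_on` as a separate, later-written field is deliberate: the register records the extract at the moment it happens, and the erasure check is a second, independent step rather than something the requester self-certifies up front.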
Finally, providing better protection for your customers’ and employees’ information can stimulate greater loyalty among both groups. Small and inexpensive changes can make a major transformation in helping your business avoid these pitfalls. You don’t necessarily need to buy the latest products or software; the latest research shows more than 88% of lost data last year was due to simple negligence. With many companies experiencing layoffs, the risk of employees leaving with private data, both intentionally and unintentionally, is on the rise. Isn’t it worth your time to make sure that your business isn’t held legally or financially responsible for data loss and identity theft?
James McCartney is an Identity Management and Privacy Consultant for BearingPoint. He is a coauthor of the book If You Are Me, Then Who Am I – Why Identity Theft Matters to Consumers and Businesses.