This blog is a mix of facts, predictions, and yes, my opinions. I have never been accused of a lack of opinion. All of us have opinions but few of us have the temerity to state them. Going on record with your opinion will give away your real position and in a classic debate that could amount to capitulation, but in my blog I get to say what I feel.
Identity theft. That is the reason I began this column. I chose to approach the subject from the standpoint of its effects on business. Just as important, in my opinion, is how a business should look at identity theft: from a responsible and moral standpoint as well as a practical one.
When we are entrusted with something of value, it should follow that we will do everything reasonable to protect it. If your next-door neighbor asks you to look after his house, water the plants, bring in the mail, and feed the dog while he is away for a two-week vacation, do you decide later on that only some of that matters? Is the dog not worthy of your attention, and maybe the neighbor won't mind if the plants die? Well, I hope you don't live next to me if you do. We all know the right position. If it matters to the neighbor, we should have enough respect for him to pay equal attention to everything as though it were ours. That is the right thing to do. Now, if you go away, would you then ask your neighbor to do the same for you? Of course. And you would expect him to be just as responsible as you were in protecting his home.
Can you see where this is headed? What is the difference between protecting your next-door neighbor's assets and those of the people who work for you? Too many businesses think of identity theft in terms of protecting the intellectual property of the business. There is an entire legal industry surrounding IP (intellectual property). That is a subject for another day, and yes, I have an opinion on that too.
While a company, or county, utility, university, etc. is caught up in covering its rear end from computer fraud and data theft, some hourly employee has posted all of the employees' Social Security numbers and home addresses in an email. Did that company take care of business? Absolutely not. Oh sure, they threw the IT Dept at it with a too-small budget to install the data security program du jour around the servers, but have they trained the staff to never send sensitive and personally identifiable information in emails? Have they established a written policy delineating what constitutes sensitive information and making clear what the company's procedures are to safeguard it? Not likely. A one-hour staff training might have avoided that fateful email, or a host of other far too common errors in judgement that result in fines, audits, lawsuits, and even criminal prosecution. Can any business endure the public loss in confidence that will result from losing personal information? How about the sheer cost of litigation?
What if someone on staff experiences personal identity theft? Let's say someone working in the county records office stole a few hundred records, and among others they got one of your employees' personal information. Over the weekend they trundle down to the local flea market and sell their data loot for a couple of grand. The next week the buyers begin opening cell phone accounts, using the stolen SSN to obtain health insurance, employment, maybe a traffic ticket or two using your employee's ID. Has the company considered that the average identity theft victim spends an average of 15 work/weeks to clear up the fallout on their own? That's from the FTC, which keeps track of such things. What does 15 work/weeks, mostly during business hours, away from the job look like to the company? What if ten of the employees are affected? How about twenty? Let's see, what is twenty times 15 work/weeks?
Have you provided your employees with access to a serious identity theft program for themselves as a benefit? You see, identity theft happens from all fronts. Don't forget that what happens to your employees away from work can affect your business too. When you protect the personal information your company keeps, you are protecting someone else, get it? When another company does it, they are protecting you. But hey, that server is safe!
Have a great Holiday season, and do the right thing.