Thursday, February 19, 2009

The Company

In my previous post I outlined who are the victims of identity theft, and what they might expect to encounter in resolving the fallout from being a victim. In this post let’s take a look at the companies responsible for protecting databases and files. The reason for this is to illustrate that the majority of the information that is stolen and used by identity thieves comes from data files. Either by way of insider theft or by accidental exposure of personal information, the end result is the same. I'm not forgetting that here are also a number of incidents of personal theft, “dumpster diving”, computer data theft, mailbox theft, and so forth. There are steps that everyone can take to reduce that kind of risk. I will address that later. Again, for the victim it is less important where the theft occurred, and more important how to recover.

Every business, college, state and county, hospital, non-profit, utility, frankly everyone keeps records. If not on clients then on personnel, and usually both. Names and addresses along with employee numbers, bank account numbers, SSNs, credit report files, health information, are typical and are considered non-public information. The information in those records by law needs to be protected. Over a number of years dozens of federal and state laws have been enacted that rightfully place the security responsibility on those that keep the records. When they lose that information no matter how it happens scenarios like the ones described in my Victim post can occur.

The fallout affects both the individual victim, their families, and of course the business. Several things can happen when a database is breached. First, the company will need to make a public notice to all potential victims that their information is at risk of identity theft. Statistics show that when that happens 40% of all clients will cease doing business with them, 20% will seriously consider it, and 5 to 10% will sue. I know I said I would refrain from stats but those numbers are staggering. That is just the beginning. The laws all have civil or criminal penalties, and individual and class actions could be likely.

What is a business to do?
There are a number of steps any business can take. Large and high tech companies have vast resources, and can take such steps as hiring permanent privacy and security officers to manage a data security program. Banks, S&Ls and lenders have certain extra responsibilities to insure the accounts they have are genuine and are not the result of stolen or falsified information.
Also encryption programs and procedures are required of insurance and financial organizations such as financial advisors, and accountancies. All businesses however, can take other reasonable steps given their individual resources.

These remaining reasonable steps revolve around awareness. Regardless of the size and nature of a business these are crucial in a "culture of security." Developing a written plan and strategy is the first step in any identity theft program. This policy once approved becomes the engine that drives the program. Next is naming the individuals responsible to implement the plan. Next and perhaps most importantly is to discuss the plan with all employees in general safety meetings, and make them aware of their responsibilities under the plan. This is also a good opportunity for feedback from the staff as to how the company might tighten security around record keeping and office procedures. Another important step needs to be taken in order for the plan to be effective. That is working with any contractor or service provider business to insure that the security practices of that company are of similar caliber. Lastly, make some sort of notification system available to clients and employees if possible identity theft episodes have occurred from any source, not just from the company. Any business that has performed these steps will be considered to have taken the reasonable steps required by the FTC to comply with the spirit and intention of the privacy legislation.

No comments: