Friday, February 27, 2009

A Culture of Compliance or a Culture of Security?

In 2007 the Federal Trade Commission published a small booklet called Protecting Personal Information: A Guide for Business. It lays out steps any business should look at to improve its internal security practices. One of its sections begins, "Create a Culture of Security". That term stuck with me and has become part of my personal lexicon when I talk about data loss in a business setting.

GLB and the new Red Flags Rule lay out in pretty specific terms a short list of simple steps every business needs to adopt across the board, regardless of industry. There are fundamental record types shared by all businesses, such as payroll and HR records, accounts receivable, and so forth, that need to be safeguarded. Add to that client personal information, patient records for medical organizations, company intellectual property and strategies, and the access other businesses have to that information by way of contract arrangements, and you have quite a lot to keep track of. Therefore, whether a business is an accountancy covered by GLB, a bank subject to the FACTA Red Flags Rule, or any other business type, a written identity theft prevention and response policy adopted by the board or owners is the basic element. From that policy flow company-wide training and documentation. Next, oversight of the identity theft prevention policies of the other businesses that can access the information ties the program together.


Whether it is apparent or not, every business looking into adopting an identity theft strategy has two basic choices in philosophy as to how it will approach its program.

First is what I call a Culture of Compliance. A culture of compliance is simply that: looking at the letter of the law and taking the traditional step-by-step route of signing off on each point of compliance. Now, this business might well be concerned about losing valuable information and be implementing its program for all the right reasons, but is its goal skewed more toward compliance and business liability, or toward lowering the risk of identity theft? I say that not to impugn anyone's compliance program but to point out a subtle difference that can make a very large difference in how effective the program will be when it is put to the test. Compliance is almost always a top-down policy adopted by management, explained in some detail to department heads and managers, and then finally presented to the rank and file as the new way to perform certain tasks. Employees are then instructed to sign off that they understand the new procedures, and that's pretty much it.

Now on to the second choice a business has, a Culture of Security. In this mindset the policy begins in much the same way, by being adopted by the board and then explained in detail to department heads, etc. Here is where the different mindset comes into play. It needs to be understood that no matter how simple or extensive the program, it is the employee who protects the information, not management or department heads. While ultimately responsible, management doesn't necessarily handle the data personally. So it is essential to thoroughly educate the staff. Not just the IT or records-keeping personnel, but all staff.
Identity theft is a real crime with real victims. I don’t know anyone that doesn’t at least know one victim of identity theft. It touches all of us in some way. I hear devastating stories from victims all the time. This is at the heart of why a company needs such a policy. Certainly the business logic of preventing data loss is key to survival. I don’t want to minimize that, but I also don’t want to minimize the risk to the employees themselves, or the individual client. Their lives can be ruined by identity thieves in a number of ways. That can have a serious impact on the business too, from lost work-time to loss of public confidence and potential loss of clientele.
Training the employees, and I mean all employees, needs to include a solid awareness of the crimes of identity theft and how they themselves can learn to mitigate their personal risk as well as that of the clients. Those trainings are also an opportunity for the employees to offer their own solutions as to how office flow might be tightened up and certain procedures changed to increase security. I have not visited a business yet that did not have issues that need improvement. That not only has the net effect of helping the staff but also sensitizes them to the risk to the client. If you make the staff a part of the solution you have a much more effective program, one that grows beyond management and takes on a culture of security. "When you protect the information you keep on others you are protecting them. When someone else does it they are protecting you." It is also imperative to offer the entire staff an identity theft mitigation service. It does not matter whether the company pays for it or offers it as an employee option. It will have the net effect of protecting the company and the employee, and saving both money and time.

Which method will you choose for your business?

Wednesday, February 25, 2009

Another Payment Card Processor Breached

Computerworld reports that another payment processor has been rocked by a security breach. Details are few and the affected company has not been identified, but according to reports, attackers breached a U.S.-based company and obtained the account numbers and expiration dates of payment cards used in card-not-present transactions between February 2008 and January 2009. It is the third breach incident involving a payment processor since December, coming on the heels of Heartland Payment Systems' breach announcement just weeks ago. Visa Inc. and MasterCard International Inc. have begun notifying banks and credit unions of the compromise. Some fraudulent transactions have been reported as a result of this latest breach.

Monday, February 23, 2009

An Identity Theft Risk Management Program

In the last four posts I have described the fundamentals of a good identity theft program that takes into account the basic requirements for all parties. There are also additional compliance requirements placed on specific industries such as healthcare, banking and so forth. But it is very important to have all of the fundamentals in place so the program will be more effective. Let me introduce you to the Affirmative Defense Response System offered to businesses by Pre-Paid Legal Services Inc.

First, we covered The Victim and the effects different forms of identity theft might have. We talked about the laws enacted to protect individuals from having their information stolen from databases, company spreadsheets, or HR files and used by thieves.

In The Company I described briefly that entities that keep information for business purposes have a legal responsibility to try to safeguard it. We then outlined the basic procedures that any business can undertake as the foundation of an identity theft prevention program. It is important to remind the reader that without these basics, all of the higher-order compliance procedures are much less effective.

In Documentation: without documentation the company cannot mitigate its exposure to liabilities such as litigation, fines, prosecution, and damaged public relations.

There are companies that provide services to assist with portions of these necessary steps. Some offer training programs, some offer identity theft products for the employee or client. Some companies provide a complete response package of notification to potential victims and forensic services to the affected business. In other words, there are a number of companies that offer a lot of services to the business. The ones I have looked at are very good at what they do. They are also specifically in the business of providing only these types of compliance services.

Here's why Pre-Paid Legal Services is unique and very effective. We are the only company in the field that offers a highly effective identity theft product to protect against all forms of identity theft, not simply financial crime, regardless of how and where the crime occurs. It is also the only product that provides complete restoration of the victim's identity, again regardless of the nature of the theft. Restoration means that no matter what records are affected, Kroll Fraud Solutions has licensed forensic investigators on staff to fully manage all of the restoration processes on behalf of the victim. We also offer the largest and most mature network of major law firms in each state and four provinces of Canada that will represent the client for all forms of identity theft if needed, with 24-hour access to their firm in emergencies, from anywhere in North America. For the 62% of all identity theft victims who have warrants issued in their name, that can be very reassuring. (Sorry for the stat.) Moreover, the entire family has the services of their law firm for all of life's legal events, such as help with mortgage contracts, estate planning and tax law, representation in civil court, criminal court, and traffic court, and many other areas of law for which most people otherwise cannot afford to use an attorney. You should know that between these two public companies we have amassed over 70 years of experience in our fields. Pre-Paid Legal is celebrating its 37th year of business this year. We don't do anything else. Those are, very briefly, our products. No other company in the world offers comprehensive identity theft and comprehensive legal services together as a suite of coverage.

Now on to identity theft help for a business. You recall that the first essential step is to enact a company policy setting out the company's position and procedures to protect information. We provide that written policy to the business at no cost. This document is the product of our Advisory Council and is current with the law, including all 26 of the example red flags listed in the guidelines to the FACTA Red Flags Rule. The Advisory Council is comprised of three former state Attorneys General and the General Counsel of one of the nation's largest energy companies. Each company is encouraged to make whatever changes are needed to customize the policy to the nature of its industry. Next is employee training on the new policy, and a general awareness discussion of identity theft as it affects millions of Americans every day. A key reason for hands-on meetings is the interchange of ideas, and the problem solving unique to every business. Documentation of those meetings is very important too. We also provide that hands-on training and the proof-of-training documents at no cost. In fact, we provide all of the documents the business will need, including letters notifying contractors and service providers of the policy. Once those are sent we can then follow up with each contracting company regarding its policy.

We have taken into account the needs of:
· The client company, by providing an entire package of identity theft prevention services at no cost to the company. Remember Kaiser? As I said before, if they had provided this level of awareness training to all staff they might have avoided the recent breach of employee data. That is a very real advantage, and at no cost.
· The employees, by offering all of them services that will greatly reduce their family's risk while providing much needed help for the family in a number of areas. These voluntary benefits are typically paid for by the individual employee on a month-to-month basis.
· This, by the way, also has the effect of limiting the company's liability if an internal breach were to occur, since a mitigating service has previously been offered.
· The clients: companies such as financial advisors, accountancies, banks and other financial services can optionally make this available to clients as well, which will provide early warning of, and restoration after, possible identity theft episodes from any source.

Have I left out anyone? I believe not. I can provide all of the above for your company at no direct cost to the business, and provide substantial benefits to the staff that they can use from day one to help with any identity theft and legal issues their families might be facing.