Friday, March 20, 2009

Identity Theft Policy and Your Rights.

I imagine that by now you have heard a great deal about steps all of us can take to prevent identity theft. Indeed there are things we can and should do to reduce our exposure to information theft. Shred credit card offers and bill statements before tossing them out in the trash. Check your bank and credit card statements as soon as they arrive in the mail, and report any suspicious items to the bank immediately. Don’t carry your Social Security card in your wallet or purse. Check your credit report often, or better yet have an identity theft monitoring service so you will know your credit report status at all times. If you use a computer then you face another set of privacy issues. You need sturdy firewall software protection. Never open suspicious emails, especially ones containing attachments. These are just a few of the measures we all need to take and are a critical part of our culture of personal security. The sooner these kinds of activity become part of our routine the better off we are.

But when was the last time anyone spoke to you about your legal rights to have your personal information protected by someone like your Alma Mater or your County clerk?

It has been a while since I wrote about all of the databases and lists where your personal information is kept. The bank comes to mind as a perfect example. Certainly they have some pretty personal stuff about your financial status and probably your SSN, home address, phone number, etc. How would you feel if they lost it to thieves? Well, there are literally thousands of places where your personal information is held. From your high school, college, medical records, property deeds, Human Resources files at your work, the federal government, to your county records. The list is almost endless. So called specialty databases like the Casualty and Loss databases kept by Choicepoint track every insurance claim made in your name. What if those entries are the result of identity theft? These and many other databases are kept on all of us, and the accuracy of those records is absolutely crucial. The problem is that databases are hacked and stolen constantly. These businesses that hold your information are supposed have procedures in place to protect that data from being lost, published, corrupted, or stolen. The problem is that a lot of them are not adhering to the government guidelines. A promise, a wink, and really good IT guy are no longer sufficient. There are no excuses for poor or even non-existent identity theft policies and practices on the part of any company. The government, by way of the FTC and other agencies has the power to prosecute the companies who have shirked their responsibilities.

Back in 2008 a new law went into effect that required all banks, S&Ls and Credit Unions in the United States to adopt written policy guidelines and response plans regarding data loss and identity theft. It outlines very specific procedures to be on the lookout for that might indicate possible identity theft. It is hard to say whether all banks have successfully completed that compliance or not. But we have the right to ask the bank to show us that policy, and the bank is obligated to produce it. It would certainly be among the first questions I would ask when shopping for a new bank. I would strongly advise everyone to exercise that right before doing business with any financial institution. Your personal data is at risk and you have the right to see that they are taking appropriate steps to protect it. Make them prove it to you.

As of May 1st of 2009 most every other business in the US will also have to adopt a similar identity theft prevention plan as called for in the 2007 FACTA red flags rule amendment. This would pertain to utility companies, accountants, real estate agencies, doctors’ and dentists’ offices, attorneys, universities, private and public school districts, local government authorities, department stores, medical clinics, any company that maintains a payroll, and anywhere you might have any sort of payment plan. Again, I strongly urge everyone to ask for that policy before entrusting your personal information to that business if at all possible. It is your right, and it is their obligation to produce the documents after May 1st.

Identity theft is now the most reported white-collar crime in the world. In the US alone we see an estimated 8 to 10 million victims each year. The great majority of the identity thefts are the results of data taken from databases, and to a lesser degree from personal theft. So it is incumbent on all business to comply with the governments’ mandated guidelines for the safekeeping of all personal information held on clients and employees alike.

The next time you consider any new business relationship or to check on the businesses that you currently have relationships with, please exercise that right to know how your personal information is being treated. Ask to see the policy document, they must show it to you. And for business owners, it is equally important for you to examine the identity theft prevention policy of any other business with whom you share data, such as HR or payroll services, accountancies, even office cleaning services for example.

Only by participation in such compliance on the part of every business can we begin to turn the tide of this rampant theft and sale of personal information. The formula is very simple, there is very little cost for most businesses, and can only result in a decrease in crime and a lowered risk for businesses and their executives.

Wednesday, March 18, 2009

Google?

The Electronic Privacy Information Center epic.org yesterday asked the U.S. Federal Trade Commission to investigate the privacy and security safeguards of Google's cloud computing services, reports the New York Times. The formal complaint requests that the commission look into Google Docs, Gmail and other cloud services offered by the company. The filing cites a breach earlier this month involving Google Docs. "We think the time is right for the FTC to look more closely at cloud computing services," said EPIC executive director Marc Rotenberg. A Google spokesperson said: "We are highly aware of how important our users' data is to them and take our responsibility very seriously."