Good morning all. I have been noticeably absent from my column duties while I took care of some other projects and fit in a short vacation.
An identity theft policy addresses the area of PII data loss: a definition of what the company considers to be PII, the various forms in which the company stores and uses PII, and finally the procedure the company has put into place to respond to breaches and to protect the individuals who might be affected and are at increased risk of identity theft resulting from a company breach. This policy must address not only the data the company keeps on its clients but also its employees' personnel records, and it must also address the identity theft policies of any contractor or service provider who might have access to that information. Vendors can include not only outsourced HR, payroll, insurance and benefits brokers, but also cleaning services, construction contractors, and even parking services: any business that has the potential of obtaining PII.
It isn’t my intention to delineate what the law is or provide legal advice in these areas, but instead to provoke thought on the part of businesses. With new legislation such as GLB, FACTA, and now the Red Flags Rule under FACTA, the banking regulators and the FTC have made it clear that in order to stem the tide of identity theft and the company data breaches that result in the majority of identity theft, businesses need to take certain steps proactively to prevent breaches and to respond quickly and effectively when they do occur.
Every company is different and therefore needs to take the steps that are most effective for that organization. It all begins with an honest risk assessment on the part of each company to find the weak links in information security, and to train the staff on their responsibilities. Establishing a clear identity theft policy is the roadmap every responsible business uses to lay out everyone’s duties and how the business will handle data breaches. The FTC auditors investigating companies that have experienced these breaches are most interested in seeing what a business did to protect the information before the breach. A proactive identity theft policy is good policy, and good business.