Friday, May 29, 2009

Want to Lower Your FICO?

Along the lines of yesterday's post, I want to point out that when you (or anyone acting on your behalf) issue a fraud alert in your name with the credit bureaus, you stand a good chance of lowering your score. By issuing such an alert you are saying that you believe you are at increased risk of identity theft. That consideration alone can lower your score, as you are seen as a credit risk. Additionally, issuing a fraud alert also implies that, as well as being a potential victim, you might be a potential thief. Identity thieves have been known to issue alerts in the name of their victims in order to obfuscate the crime. They use it as a smokescreen to continue to use the stolen identification. The bureaus initially have no way of knowing which is the case.
Fraud alerts should be limited to the uses intended by the law: to provide an individual with a proactive tool to use in the event of identity theft. Any action taken with the credit bureaus can have an adverse effect on your scoring, just as an inquiry or a late payment statement does.

Another tool we should never forget is http://www.annualcreditreport.com/. You have the right to see each of your three national credit reports on an annual basis. This will not affect your score. Stagger them in order to have a fresh report every four months.

Thursday, May 28, 2009

Fraud Alert Services are Illegal

A federal judge last week decided that LifeLock's fraud monitoring practices violate California law, reports Wired. The identity-theft protection company was sued last year by one of the nation's three credit reporting bureaus for violating California's Unfair Competition Law. For a fee, LifeLock places fraud alerts on consumers' credit reports on their behalf. U.S. District Judge Andrew Guilford determined that the lawmakers writing the 2003 Fair and Accurate Credit Transactions Act (FACTA), which gave consumers the right to place free fraud alerts on their credit reports, did not intend for "companies and entities such as credit repair clinics" to be able to place the alerts.

I have been making this point now for several years. Fraud alert services are bogus attempts to get into a growing "industry", an industry in the most rare definition of the word that produces precious little but declares quite a lot. They simply took advantage of the rights we have under the FCRA, culled out one paragraph from that act and opened shop. This paragraph proposes that any entity that issues credit accounts must contact the individual or his/her designate prior to opening a new account if a fraud alert has been placed with the credit bureaus. The fact of the matter is that most creditors do not follow that practice. Add to that the irrefutable fact that credit-related identity theft is less than one third of all identity theft, and you are left with a highly ineffective service that in my opinion gives the public a false impression of identity theft and a false sense of confidence in the product to protect them. This is not about Experian or any other entity; this is about the truth. These companies will cook any statistic they can to assert their claims that they have effective services when, in most professionals' opinion, they offer little to no advantage for the client that the client cannot do for themselves at no cost.

Look at any other field such as law enforcement, medicine, engineering, and so on. Who are the people that own or manage the organizations? Are they marketing people or venture capitalists? No, they are professionals with experience in their field. When we began our Identity Theft Shield in 2003, those of us who were already seasoned fraud risk and privacy rights experts predicted that as the crime grew, opportunists would come along and try to take advantage of the increase in identity theft. And we also knew that they would be shaken out if their services did not offer true assistance and expertise.

The Internet is full of comparisons between the various services. You will almost always note one glaring exception, the Identity Theft Shield from Pre-Paid Legal and Kroll Fraud Solutions. There is only one reason for this omission, well, two reasons. First, we don't pay for comparisons, and secondly and most importantly, you cannot compare a professional service to these others that do either nothing or very little on behalf of the client but charge handsomely for the product. All of the above is of course my considered opinion.

As one very well-respected identity theft expert once put it to me: "It's hard being right... early."

Wednesday, May 27, 2009

The Specter of Identity Theft at the Heart of the Matter

I didn't have time to comment on this, but it was in today's privacy mail.

A Washington couple whose nephew spent a year cleaning up after his identity was stolen has "become very fussy" about protecting their privacy, reports the Yakima Herald. So when Aram and Marjorie Langhans noticed Aram's Social Security number (SSN) on a printout at the Yakima Heart Center recently, they requested its removal from the center's files. The center refused and denied treatment without the SSN. A center administrator said they collect patients' SSNs to help verify identity. But the Washington Attorney General's (AG) office said the Langhans were right to protect Aram's SSN. SSNs "have been compromised by employees in the healthcare sector...," said an AG spokesperson. "Anything a company can do to reduce access, we strongly encourage."

Thursday, May 21, 2009

New Data Initiatives Converge For Information Protection

Alert!

The Health Information Technology for Economic and Clinical Health Act (HITECH) points to some substantial changes in the rules relating to the minimum necessary disclosures of personal health information, imposes additional notice requirements in the case of security breaches and grants new enforcement powers to the states.
The Health and Human Services Department, which enforces HIPAA security and privacy laws, recently released guidance on what counts as “unsecured” information and a request for comments on breach notification under HITECH.
For employers whose health plans must comply with HIPAA privacy and security rules, HITECH means they will have to review and update contracts with business associates to ensure that the documents reflect the new privacy and security laws.
The changes introduced by HITECH will have enormous consequences for third-party vendors, such as benefits brokers and consultants, that act as business partners for self-funded group health plans and large, experience-rated insured plans.
Such vendors will need to take steps to conform to the substance of the HIPAA security standards. Compliance will, at a minimum, entail the adoption of physical, administrative and technical safeguards. This will include implementing security policies and procedures.
In the case of business associates, HITECH makes the following changes:

• Business associates are now subject to the substantive provisions of the HIPAA security rules generally in the same manner and to the same extent as covered entities;
• Business associates must now enter into and abide by a business associate agreement (previously, the burden was on the covered entity to identify business associates and to obtain the necessary business associate agreements);
• Business associates are now subject to civil and criminal penalties for violation of these rules; and
• HHS is required to conduct periodic compliance audits of business associates as well as covered entities.

Remember, the Red Flags Rule amendment to FACTA also calls for changes in the contracts with service providers and third-party vendors. Under the law, the changes must include an understanding of that vendor's policy concerning information security and identity theft prevention. A lot of companies are not used to this kind of oversight, and might not understand their responsibility regarding sensitive information policy.

On August 1 of 2009 the FTC will begin the enforcement phase of the Red Flags Rule, meaning that since the law went into effect on January 1st of 2008, different industry sectors have been on notice to implement a program to address identity theft and how to respond in the event of a breach of information. Now enforcement in the form of audits and possible fines and prosecution will begin for businesses that have ignored or skirted the law as it applies to them. For more information on the Red Flags Rule, see the link in my column to the Red Flags Rule.

When a medical facility, Human Resources contractor, or benefits broker applies the newest rules of HITECH with regard to medical information security, they will not be precluded from adherence to FACTA as well. HIPAA and its initiatives only address the security of medical data, not other types of personally identifiable information such as employee files or financial information. A recent case in January of this year involving the theft of 30,000 personnel files from the Kaiser Medical facilities in Oakland, California points out graphically that compliance with one law doesn't necessarily cover the business regarding the other, even though both laws address information security. Compliance for both initiatives does have common ground, however. A written policy is essential as a starting point to establish the culture of security from the Board down. Training, as I mention here as often as I can, is next. I can't overemphasize the importance of ongoing training of all staff. Contractor oversight is another common point. Without that the system cannot work effectively. It isn't as important for one company to adhere to a good security program as it is for all the companies that share the information to do so.

It has also come to my attention that enforcement of the HITECH initiatives will be transferred to the FTC, and not be enforced by HHS as previously thought. Although oversight will remain with HHS, the FTC has a track record of enforcement of consumer protection regulations.

Wednesday, May 20, 2009

No State Secrets Lost This Time, Just (maybe) Yours!

The FBI is investigating the loss of a computer hard drive from the National Archives record center, reports the New York Times. The drive contains a terabyte of data, including the personal information of individuals affiliated with the Clinton presidency. A National Archives statement said the drive houses "an as-yet unknown amount of personally identifiable information of White House staff and visitors." Social Security numbers, home addresses and security procedures, but no classified information, are believed to be on the drive. Authorities confirmed the breach in April. Analysts are still reviewing the drive's content.

No system or method of safekeeping of your and my information will ever be completely fraud-proof, nor will your information, which resides in everything from your elementary school records, your dentist's office, military records, to your county recorder's office, and so on, be safe from thieves. The opportunity for theft is too vast, and the methods of theft too varied, for any combination of methodologies to be effective.

This column is maintained to provide some insight for businesses and other enterprises which maintain personal information. The fact of the matter is that unless we as individuals engage our own identity theft service, we are at the mercy of data thieves and imperfect systems everywhere.

Tuesday, May 19, 2009

A Matter of Value

I would like to step back from identity theft for a moment. The main business of Taylor and Associates is to offer certain benefits to employees in all types and sizes of organizations. The company that I represent, Pre-Paid Legal Services Inc., is the only underwriter of legal services plans and identity theft restoration services in America. We are growing in public acceptance precisely because of the immediate and practical value our clients receive from the benefit. That is the topic of this column: value.
The services we represent are divided into seven separate areas of coverage. In 2008 our law firms were able to save or recover for our clients $21.9 million within just one benefit area alone! Unlike EAP programs, which have limited legal services built in, our services are comprehensive and are not so severely limited. In fact the popularity of EAP programs is based partly on the demonstrated need for legal services. The majority of the legal needs of a family are completely covered by the membership without spending additional money. When you combine our legal plans with our identity theft program, administered by Kroll Fraud Solutions for us, the employee has unparalleled coverage for the two biggest problems Americans face: access to quality private law firms for any and all legal needs, and full protection and restoration from any type of identity theft. According to the U.S. Secret Service, identity theft has surpassed the international drug trade as the most profitable crime in the world. The legal plans were designed to address the areas that families encounter the most: things like traffic court representation to keep auto insurance costs under control, contract review when refinancing or making purchases, consumer issues and product liability, estate planning, IRS audit help, and more. As a victim of massive identity theft in 2000 I was first advised to retain counsel. Because I didn't have the services of Pre-Paid at the time, that became a $26,000 episode for me. Remember, an identity theft episode is a legal situation.

When we work with employee groups, the very first thing we do is to hold a Will Workshop with all of our new clients to get them started on a will along with the advance medical directive and durable POA, for each of them and their partners. I want them to receive a benefit the very first day they have our membership. I encourage them to use their services as often as possible, simply because it can be a valuable benefit, but only if they take advantage of what it can do for them. In this current economic crisis our attorney firms are making a real difference for people who are in danger of losing their homes to foreclosure, and along the Gulf Coast thousands of families have been helped in the aftermath of the devastating hurricanes. All of the law firms in our proprietary network also have privacy specialists on staff to directly handle identity theft issues. This fact has not been lost on the fifty sitting Attorneys General who have recognized us as a force for equal justice in America. The cost of these services is far less than a dollar a day for everything combined, and as we want to earn the business of each client monthly, we never engage in long-term contracts.

After 37 years of continued growth Pre-Paid Legal Services is the pioneer and leader in this industry. Our position on the NYSE shows continuous growth in a volatile market. At Taylor and Associates we take great pride in delivering more value to our clients throughout the country than we receive in money from them. A benefit that people can use is a valued benefit.

I've spoken about the value we bring to employers in the past, but it does bear repeating that by offering the services of trained identity theft risk specialists and the compliance documentation we provide, there is an additional value to the company. Whether legal issues or identity theft, or both, the value to the employee cannot be calculated in simple dollar savings alone but also in terms of the peace of mind that family issues are being handled by professionals with the client's best interest in mind. The value to the employer, besides what I just mentioned, is in the ongoing training and assistance we provide to help with an identity theft program as required by law for most employers. No other firm has all three components in place: identity theft protection services for the employee, comprehensive legal service plans for employees, and a program for the company to reduce its risk from data breach and the fallout from identity theft episodes. All in all, the value of the combination of these programs has a proven 37-year track record with over 35,000 employers in every type of business, local government, and non-profit. Value is at the core of how the plans are devised. Pre-Paid Legal Services has amassed what I believe is the largest database of actuarial data in existence to bear this out.

Tuesday, May 12, 2009

A Culture of Security

I read a lot of technical papers and discussions on the methodology of data security, and the philosophy of a security-minded culture. A lot of very intelligent people are diligently looking for better and more efficient ways to move data around an enterprise and still maintain a modicum of security. Data is, after all, the engine that runs modern business. Whether it is described as proprietary information (IP), developmental operating infrastructure, or a software product, our service-based society is run on data. This intellectual property stuff, if compromised, can mean ruining a company's ability to maintain a competitive position.

There is even an industry whose whole purpose is to aggregate, sort, re-sort, and sell data. See Acxiom, ChoicePoint, or MIB for good examples of that sort of company. These "specialty database" companies have the additional burden of compiling the personally identifiable information of people who are not their clients but instead comprise the very commodity that the business trades in: data.

In my previous career in engineering we were always developing techniques, specialized machines, or circuit designs that would help not only to propel our industry but also to attract customers to our business in particular. Innovation is essential to any industry. Maintaining the security, or even secrecy, of those innovations is paramount. In order to do that, everyone involved must be clear on the concept. Unfortunately, when I talk to people in the IT or IS fields, protecting trade secrets is usually the kind of data protection that comes to mind. Now and again I meet IT pros, especially in accounting, financial advisory or mortgage firms, who are aware of the importance of protecting the clients' personal files. Technical managers are by and large vaguely aware that personnel information is also at stake, but that concept is usually rather abstract to them. They are more focused on the throughput of data, encryption algorithms, and the models that contain sufficient justified loops that will safeguard company data files from inadvertent loss or from being hacked from an outside source, while being highly efficient and serving the enterprise more effectively. When I illustrate a case of an unhappy employee who has walked out of the building with the HR employee records on a flash drive to sell at the local flea market, eyes will glaze over. That doesn't compute in a technically focused infrastructure. Short of freezing everyone out of records access, there is no working model that will prevent that from occurring. And that is the point. Information that has value, to anyone, can and will be stolen and misused for personal gain. The solutions cannot be simply technical, but instead have to include employee training and awareness. That is why the recommendations within every federal identity theft prevention law include employee training.

It is also critical that companies understand that just as a loss of intellectual property can cripple a company, so can the loss of personal information. In fact the loss of personal information has far-reaching consequences that extend beyond the incident and into the realm of public perception. When a company loses the confidence of the general public, whether deserved or not, it becomes harder to maintain customers and attract new ones, operating capital is harder to get, and so forth. People believe that when a business is entrusted with their personal information, the company has a moral responsibility as well as a legal one to make every effort to protect it from thieves or accidental leaks.

It's just as important to trust certain employees as it is to have technical safeguards in place. Any culture of security has to have a balance of common sense, technical procedures, and individual education and training. Treat your employees with respect by educating them on the realities of what identity theft can do to a person. With an average of 10 million U.S. victims annually, there is no shortage of real-life stories of individual ruin from identity theft. If a business can manage to do that kind of training alone, then the employees gain the knowledge not only to protect themselves and their families but also an insight and incentive to safeguard the personal information they handle on a daily basis at work. A business must sensibly bring the employees into the solution for data loss by training and education. An informed and empowered employee can very well be the best asset a company can have in stemming the tide of data losses of any kind within the enterprise. I'm sure your employees know what to do in the event of fire, but do they know what to do if they discover that information has been stolen or compromised? That critical path alone can make the difference in whether an attacker gets away with valuable information from your company or not. Don't rely on the TV ads promising to "stop identity theft before it happens", or other wild claims, to train your staff. That's kind of like relying on the teenagers in the neighborhood to teach the children about love and relationships, hardly what you want them to learn. Those ads are misleading and have little to do with the realities of identity theft in the everyday world.