What do you think of when someone says "Identity Theft"?
Most people think of credit reports, credit cards and bank accounts. We see television commercials pushing "free credit reports" to solve the problem. Banks and credit card companies are bragging about their theft deterrence systems and zero liability programs. There's even one company that will "guarantee" your identity will not be stolen!
Unfortunately, it's just not that simple. The fact is there is no realistic way to stop identity theft in the world we live in today. Here's why:
FIRST, our personal information is already irretrievably "out there", in the hands of hundreds (maybe thousands) of businesses, schools, healthcare providers and government agencies. We are all literally at the mercy of those organizations to keep our information safe.
SECOND, while financial Identity Theft can be devastating, it's only a small part of the story. Almost 75% of all Identity Theft is in other areas: your driver's license, your Social Security number, your medical information (the fastest growing area of ID theft), and Criminal ID theft (crimes committed in your name). And many of the trends in today's society (like immigration, the weak economy, the credit crisis, and the health insurance crisis) are throwing gasoline on the Identity Theft fire.
IDENTITY THEFT AT WORK
But Identity Theft is not only an issue affecting individuals. As awareness grows, companies across the country in virtually all industries are facing new laws and liability risks. With over 51% of data breaches occurring in the workplace, the FTC perceives the behavior of companies in protecting the personal information entrusted to them as the predominant cause of identity theft risk, and the only area where it can force improvement.
Identity Theft is not just about someone else. It is about a company and its employees' and customers' DATA. It is about a problem that has gone ballistic. And the government has said, since they can't stop it, employers must now become responsible for the data they handle. It is the fastest growing white-collar crime in America and is now more profitable than illegal drug trafficking. Every week, we now see extensive publicity surrounding substantial security breaches - in all kinds of industries - from small and large companies.
Just this year, the law of identity theft changed dramatically - and we can expect more laws to continue and expand. One such law went into effect on Jan. 1, 2008 with mandatory compliance by August 1, 2009. This law, the FACTA Red Flag Rule, is a provision of the Fair and Accurate Credit Transaction Act of 2003. The Red Flag Rule is designed to strike at identity theft in its earliest stages and requires virtually every company to develop and deploy an Identity Theft Prevention Program that detects, prevents and mitigates Identity Theft. Plus, the law directs that businesses be sure that the companies they do business with also have a plan in place. That's why everyone will soon be hearing about the rules.
In order to have a credible legal defense, business owners must educate themselves and their employees on the applicable data breach & identity theft laws and take proactive steps to change the behavior of their company and their employees regarding the handling of sensitive information.
YOUR AFFIRMATIVE DEFENSE
1. Appoint, or re-appoint, in writing, an Information Security Officer
2. Develop a written plan and policy to protect all non-public information for employees and customers including identity theft red flags
3. Hold mandatory training meetings for all employees
4. Oversee service provider arrangements - before outsourcing any of your business functions (payroll, web hosting, data processing, insurance, cleaning company, CPA, attorney, BAs, etc.), investigate the company's data security practices. Your liability follows your data.
5. Mitigation plan for employees and/or customers
Michael Hill is a Certified Identity Theft Risk Management Specialist, Privacy Professional and a professional speaker who specializes in assisting businesses with compliance obligations in these areas. You may contact him at (404) 216-3751 or by email at mhill@databreachexperts.com; WWW.IDTHEFT101.NET; Twitter - @idtexpert