Enough already! It seems like the issues of information security and protecting yourself against the risks of identity theft have been discussed to the point of overkill already. No one can blame you for tuning out every commercial about identity theft or changing the channel when those jingles about checking your credit report come on. Many people often overlook this topic as they think it would never happen to them. Worse, those who own or operate businesses may take the necessary steps to protect themselves but neglect their employees or customers.
But if identity theft can happen to the likes of Bill Gates, Tiger Woods and Oprah Winfrey, it can definitely happen to you. And if a company like American Express can experience a breach in their information security, so can your organization.
The effects of a data breach can range from simply embarrassing, at best, to crippling. Whenever client data is compromised, the company must at least inform each customer but may also need to disclose the breach publicly. In some instances, this can leave your company with a scarlet letter of sorts, leading to a lack of trust from current and prospective clients. For example, in August 2009, American Express was the victim of a security breach. One of their employees stole client credit card numbers. American Express had to send a letter to each customer who was possibly affected and also had to issue a public statement. Since then they’ve increased their protection efforts and internal controls. Don’t let it get to this point before you proactively begin securing your clients’ data.
Protecting personal identifiable information is neither expensive nor time-consuming, and may protect you from loss. Not only will implementing a privacy and security program put your business in compliance with federal and state law, it will also help develop a relationship of trust with your customers, which is an invaluable benefit.
What are the implications of ID theft?
As a business owner, you may be contributing to this epidemic. Under new laws already enacted and more in the works, you may be held responsible.
Identity theft victimizes approximately 15 million Americans every year. The financial damage caused directly by these incidents? $50 billion! It’s one of the fastest growing crimes in America—it may soon overtake drug trafficking as the number one crime, according to the U.S. Department of Justice—and, if you’ve been a victim, you know just how painful it can be.
Victims of identity theft spend a significant amount of time and money cleaning up the mess that thieves make of their names and credit records. In the meantime, they may lose job opportunities, be refused loans for education, housing, or cars, and even get arrested for crimes they didn’t commit, according to the Federal Trade Commission. Humiliation, anger, and frustration are among the feelings experienced as they navigate the process of rescuing their identities. If your business is found liable for the loss of your customers’ data, those customers will look for somewhere tangible to direct those negative emotions, and they’ll most likely turn to you.
As a company owner, what can you do to prevent ID theft?
With the volume of electronic transactions increasing dramatically, it is almost impossible to be in business and not collect or hold personal identifying information—names and addresses, Social Security numbers, credit card numbers, or other account numbers—about your customers, employees, business partners, students, or patients. The risk that personal identifiable information will be breached puts your customers at risk of identity theft.
Outside of regulatory compliance, it is a good business decision to protect personal identifiable information. A 2008 study conducted by the Ponemon Institute found that information privacy and security breaches can cost companies an average of $202 per compromised record and a total cost of $6.65 million. This extra expense doesn’t include the cost of the customers lost, or missed opportunities for future potential clients. It also doesn’t include damage to the organization’s brand and reputation. When a data breach occurs and the news breaks, consumers will blame the company.
What should you protect and how?
Here’s a step-by-step guide to developing a sound privacy and security program.
1. Collect. Review the specific laws that include the requirements relative to your company regarding keeping sensitive data secure. Analyze trends of how the client’s personal information flows in and out of your business. If you don’t have a business need to collect personally identifying information, don’t collect it.
2. Use, store and retain. Know what personal information you have in your files and on your computers. Determine who has access and who should not have access. Only keep information if you have a business need for it – otherwise discard it.
3. Protect. The combination of hardware and software will not prevent data breaches; technology is just one piece of security. Effective procedures and internal controls are required to ensure your data’s security. Proper training is critical as well. Conduct an information security audit to identify any gaps or inconsistencies in your network. Protection plans should address four key elements: physical security (building and computer room controls), electronic security (encryption, access controls), employee training (security awareness), and the security practices of contractors and service providers (data protection clauses in contracts, monitoring).
4. Dispose. Personal information should be properly disposed of to ensure that it cannot be read or reconstructed. Leaving credit card receipts, papers, CDs, computers or back-up tapes with personally identifying information in a dumpster exposes your customers to the risk of identity theft.
5. Respond. Create a plan to respond to security incidents. This includes notifying your customers, law enforcement and other authorities, and improving your program to reduce the likelihood that a similar event will occur in the future.
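Step 2 asks you to know what personal information sits in your files and to discard what you no longer need. The following added example (not code from the article or its author) shows the kind of data-discovery check an information security audit relies on: it scans text for Social Security numbers and payment card numbers (card candidates are confirmed with the Luhn check so that phone numbers and order IDs are not flagged), masks what it finds, and tags files older than an assumed retention window for disposal review. The sample files, the 365-day retention period and the audit date are constructed for the example; a real run would read files from disk and use your own retention policy.

```python
"""Added example: inventory files holding personal identifiable information.

Not part of the original article. Sample data, the retention window and the
audit date below are constructed for illustration.
"""
import re
from datetime import date

# SSN in the form NNN-NN-NNNN; area 000/666/9xx, group 00 and serial 0000 are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

RETENTION_DAYS = 365  # assumed policy value, not from the article


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    parity = len(digits) % 2  # positions to double, counted from the right
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return SSNs and Luhn-valid card numbers found in `text`."""
    ssns = SSN_RE.findall(text)
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]
    return {"ssn": ssns, "card": cards}


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def inventory(files: list, today: date) -> list:
    """One report row per file that holds PII: counts, masked samples, suggested action."""
    rows = []
    for f in files:
        found = find_pii(f["content"])
        if not (found["ssn"] or found["card"]):
            continue
        age = (today - f["modified"]).days
        rows.append({
            "path": f["path"],
            "ssn_count": len(found["ssn"]),
            "card_count": len(found["card"]),
            "samples": [mask(v) for v in found["ssn"] + found["card"]],
            "age_days": age,
            "action": "review for disposal" if age > RETENTION_DAYS else "restrict access",
        })
    return rows


# Constructed sample files (contents and dates are made up for the example)
SAMPLE_FILES = [
    {"path": "shared/customers_2008.csv", "modified": date(2008, 3, 1),
     "content": "Jane Doe,123-45-6789,4111 1111 1111 1111,Miami"},
    {"path": "shared/orders_aug.txt", "modified": date(2009, 8, 15),
     "content": "order 7731 paid with 5500 0000 0000 0004 on 08/14"},
    {"path": "shared/notes.txt", "modified": date(2009, 8, 20),
     "content": "call 305-555-0100; test card 4111 1111 1111 1112 is fake; ref 000-12-3456"},
]
AUDIT_DATE = date(2009, 9, 1)  # constructed


if __name__ == "__main__":
    for row in inventory(SAMPLE_FILES, AUDIT_DATE):
        print(f"{row['path']}: {row['ssn_count']} SSN, {row['card_count']} card, "
              f"{row['age_days']} days old -> {row['action']} {row['samples']}")
```

The report lists only masked values, so the audit output can be shared with the people who decide which files to restrict or destroy without becoming another copy of the data. Files older than the retention window are flagged for disposal review rather than deleted automatically, because the decision to discard belongs to the business owner of the data.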
When was the last time you conducted an information security audit or evaluated your privacy risks? Breaches can happen to anyone and no program is infallible. Take the necessary steps to ensure that your identity is protected and implement information security policies and procedures for your clients’ data as well. Preventing the loss of personal identifiable information will help you manage your business’s privacy risks, boost your bottom line and develop trusting relationships with your customers.
About the Author:
Jorge Rey is an Information Security Manager at Kaufman, Rossin & Co, one of Florida’s largest independent accounting firms. He consults with businesses of all types and sizes, performing information risk assessments and implementing information security programs. He can be reached at email@example.com. For more information, please visit www.kaufmanrossin.com.