IDENTITY THEFT, Are You In Compliance Or Are You Part Of The Problem?
Due to the soaring cost to business of identity theft, our
state and Federal legislatures have passed some VERY
stringent laws that apply to all businesses with one or
more employees. Non-compliance could cost business owners
personally or their business up to $1 million in fines and
up to 10 years in prison. Federal legislation as well as
many state laws require business owners to secure all
personal information (social security numbers, driver's
license numbers, credit card numbers, date of birth, etc.)
of their clients and employees. 87% of businesses are not
aware these laws even exist. Non-compliance could result in
closing the business, fines, penalties, criminal and civil
litigation. Identity Theft issues are expected to be THE
next hot class action target.
 
Disgruntled workers with access to their employer's data
files can make a lot of money selling little pieces of you.
They can sell your Social Security number identity for
$100, they can sell your credit card info (financial
identity) and they can also sell your driver's license
identity which will have a negative impact on your
character/criminal identity if they decide to rob a liquor
store and get caught with "your" driver's license. Anyone
who noticed 3 of last year's Reader's Digest covers will
already know the devastation caused by medical identity
theft.
 
The Feds recently decided that the DMVs of each state
needed to be able to recognize what the actual driver's
licenses of all other states looked like. The Feds made up
a little book with the EXACT specifications on each state's
driver's license. About a week after that book was
distributed, it was already being sold on the internet. A
new and lucrative business has sprung up because of that
book. All a criminal needs is a computer, printer,
laminator and that book to have a prosperous criminal
enterprise. The police cannot tell the difference between
the "real" license and the fake one. In fact they can't
tell the difference between the "database you" and the you
who is looking at yourself in the mirror. The database you
has gone on a crime spree and given the police a copy of a
driver's license with YOUR number and another address on
it. You never get the notice to appear and they sure aren't
going to show up at your trial, so a bench warrant goes out
in your name. The next time you are stopped for some
routine traffic violation, the real you is going to jail.
How many times do the criminals say, "OK, you got me."
Isn't the regular drill something like, "You've got the
wrong guy. It wasn't me." Except this time it WAS the
database you.
 
Only one in 700 criminals engaged in ID theft is caught.
This crime wave has no end in sight. As more and more
employees fall victim, it will hurt the bottom line of
their employer since the Federal Trade Commission says that
on average, it takes 600 hours to restore your identity.
That is 15 40-hour work weeks. Who has that kind of time?
ALL the data leaks are coming from ignorance on the part of
businesses or the government themselves. The Census Bureau
is very proud that they have ONLY lost 1,200 laptop
computers with millions of names and personal information
on American citizens. So the government is clamping down
HARD on businesses because they can't do a thing on the
criminal front.
 
The National Institute of Standards and Technology (NIST)
identifies "unauthorized access" as a type of security
breach that each business must address. That means each
computer needs to be password protected and the password
can't be put on a yellow sticky on the monitor. You need a
clean desk policy at the end of each business day with ALL
personal information locked up.
 
ID theft crime rings have set up "janitorial" businesses
that come in at night and copy client and employee data
files, go through unlocked file cabinets and trash looking
for personal info, employment applications etc. Confidence
men (women) can take jobs as low-level temporary office
employees and steal the databases with all the information
of the business's clients.
 
In "The Coming Pandemic" (5/15/06 article in Chief
Information Officer magazine) the writer says, "If you
experience a security breach, 20% of your affected customer
base will no longer do business with you. 40% will consider
ending their relationship, and 5% will be hiring lawyers!"
The author also stated, "When it comes to cleaning up this
mess, companies on average spend 1,600 work hours per
incident at a cost of $40,000 to $92,000 per victim."
 
Here is an outline of the major laws that affect ID Theft
and have led to absolute liability to businesses that have
not secured their files.
 
ID Theft was finally recognized as a crime in 1998 when
Congress passed the Identity Theft and Assumption Act and
established the Federal Trade Commission as the lead agency
to enforce and fine businesses for non-compliance. The FTC
says that each year since 1998 there has been twice as much
ID theft reported as the year before and even though it
is severely underreported it is estimated that as of July
2006 there have been over 88 million consumers affected by
the reported breaches.
 
FACTA (Federal legislation in effect since June 2005)
grants additional rights to consumers and incorporates
specific provisions designed to help victims of ID theft
and fraud, mainly that they are entitled to one free credit
report per year from each of the 3 reporting agencies due
to the proliferation of ID theft that has only gotten
worse.

Gramm-Leach-Bliley (GLB) Safeguard Rule (Federal legislation
since 1999; the compliance deadline was in 2001): GLB has a
broad spectrum of qualifications, requirements and
regulating parties. Eight agencies and the states are
charged with managing and enforcing the regulations.
 
GLB applies to a broad range of businesses that collect the
personal financial information of their clients. The two
regulations of GLB are the Financial Privacy Rule and the
Safeguards Rule. The Financial Privacy Rule addresses the
collection and dissemination of customers' information
while the Safeguards Rule governs the processes and controls
an organization uses to protect customers' financial
information.
 
The Safeguards Rule is enforced by the FTC. In addition to
public embarrassment of non-compliance, organizations may
be fined thousands of dollars a day while they are
non-compliant.
 
GLB calls for businesses to:
1. Ensure the security and confidentiality of customer
   information;
2. Protect against any anticipated threats or hazards to
   the security or integrity of such information; and
3. Protect against unauthorized access to or use of such
   information that could result in substantial harm or
   inconvenience to any customer.
 
In a nutshell, it requires that regulated companies do the
following:
- Specify a person or group of people to be responsible for
  GLB compliance.
- Identify security risks involving customer information.
- Assess existing safeguards for protecting the privacy of
  customer information.
- Implement any additional safeguards that are needed.
- Monitor the effectiveness of safeguards.
- Ensure that service providers are able to meet the GLB
  requirements.
- Upgrade the organization's security program as necessary
  due to changing circumstances.
 
California SB 1386 (effective 7/1/03), Data Breach
Notifications: requires ANY business having even 1 customer
in California to make a PUBLIC disclosure of computer
security breaches when personal information of any
California customer is compromised. This law subjects a
company to civil and class action lawsuits by any injured
customer.
 
Betty Broder, who is the assistant director of the FTC's
Division of Privacy and Identity Protection says, "You
don't have to have a perfect plan, but you MUST have a
written plan describing how customer and employee data will
be protected and an officer on staff responsible for
implementing that plan. We need to see that you've taken
reasonable steps to protect your customer's info." (quote
taken from American Bar Association 3/06 story, "Stolen
Lives")
 
The 1/19/06 edition of Business and Legal Reports says,
"One solution that provides an affirmative defense against
potential fines, fees, and lawsuits is to offer some sort
of identity theft protection as an employee benefit. An
employer can choose whether or not to pay for this benefit.
The key is to make the protection available, and have a
mandatory employee meeting on identity theft and the
protection you are making available, similar to what most
employers do for health insurance..."
 
By having a mandatory meeting the employees finally
understand their responsibilities to protect the sensitive
data of your client's business. This may be overwhelming
BUT with a little help a business can develop an
affirmative defense. Free federal compliance training is
available for businesses who understand the importance of
mitigating their damages and providing an affirmative
defense.
 
Businesses with 10 or more employees may be able to get
free Federal compliance training depending on their
location. Contact the author for more information.
 
 
----------------------------------------------------
Ms. Rachman has been an attorney since 1996 and became so
intrigued with the issue of identity theft that she became
a Certified Identity Theft Risk Management Specialist so
she could advise business clients and individuals how to
protect themselves from the #1 fastest growing crime in the
world. For even more information, go to her site at
 
.