Identity Theft Laws That Business Owners Need To Know!
Due to the soaring cost to business of identity theft, our state and Federal legislatures have passed some VERY stringent laws that apply to all businesses with one or more employees. Non compliance could cost business owners personally or their business up to $1million in fines and up to 10 years in prison. Federal legislation as well as many state laws require business owners to secure all personal information (social security numbers, driver's license numbers, credit card numbers, date of birth, etc.) of their clients and employees. 87% of business are not aware these laws even exist. Non compliance could result in closing the business, fines, penalties, criminal and civil litigation. Identity Theft issues are expected to be THE next hot class action target.
Disgruntled workers with access to their employer's data files can make a lot of money selling little pieces of you. They can sell your Social Security number Identity for $100, they can sell your credit card info (financial identity) and they can also sell your driver's license identity which will have a negative impact on your character/criminal identity if they decide to rob a liquor store and get caught with "your" driver's license. Anyone who has been noticing, 3 of last year's Reader's Digest covers will already know the devastation caused by medical identity theft.
The Feds recently decided that the DMVs of each state needed to be able to recognize what the actual driver's licenses of all other states looked like. The Feds made up a little book with the EXACT specifications on each state's driver's license. About a week after that book was distributed, it was already being sold on the internet. A new and lucrative business has sprung up because of that book. All a criminal needs is a computer, printer, laminator and that book to have a prosperous criminal enterprise. Even trained authorities can't tell the difference between a "real" and fake license"real" license and the fake one. The authorities can't distinguish between the "data base you" and the you your friends know"data base you" and the you who is looking at yourself in the mirror. The data base you has gone on a crime spree and given the police a copy of a driver's license with YOUR number and another address on it. You never get the notice to appear and they sure aren't going to show up at your trail, so a bench warrant goes out in your name. The next time you are stopped for some routine traffic violation, the real you is going to jail. How many times do the criminals say, "OK, you got me." Isn't the regular drill something like, "You've got the wrong guy. It wasn't me." Except this time it WAS the data based you.
Only one in 700 criminals engaged in ID theft are caught. This crime wave has no end in sight. Employee absenteeism can really hurt the bottom line. The Federal Trade Commission estimates it takes 600 hours to restore your identity. That is 15 40 hour work weeks. Who has that kind of time? ALL the data leaks are coming from ignorance on the part of businesses or the government themselves. The Census Bureau is very proud that they have ONLY lost 1,200 lap top computers with millions of names and personal information on American citizens. Because the government can't do anything on the criminal front, they are clamping down on businesses.
The National Institute of Standards and Technology (NIST) identifies "unauthorized access" as a type of security breach that each business must address. That means each computer needs to be password protected and the password can't be put on a yellow sticky on the monitor. You need a clean desk policy at the end of each business day with ALL personal information locked up.
ID theft crime rings have set up "janitorial" businesses that come in at night and copy client and employee data files, go through unlocked file cabinets and trash looking for personal info, employment applications etc. Confidence men (women) can take jobs as low level temporary office employees and steal the data bases with all the information of the businesses clients.
In "The Coming Pandemic" (5/15/06 article in Chief Information Officer magazine) the writer says, "If you experience a security breach, 20% of your affected customer base will no longer do business with you. 40% will consider ending their relationship, and 5% will be hiring lawyers!" The author also stated, "When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim."
Here is an outline of the major laws that affect ID Theft and have led to absolute liability to businesses that have not secured their files.
ID Theft was finally recognized as a crime in 1998 when Congress passed the Identity Theft and Assumption Act and established the Federal Trade Commission as the lead agency to enforce and fine businesses for non compliance. The FTC says that each year since 1998 there has been twice as much ID theft reported than the year before and even though it is severely under reported it is estimated that as of July 2006 there have been over 88 million consumers affected by the reported breaches.
FACTA (Federal legislation in effect since June 2005) Grants additional rights to consumers and incorporates specific provisions designed to help victims of ID theft and fraud, mainly that they are entitled to one free credit report per year from each of the 3 reporting agencies due to the proliferation of ID theft that has only gotten worse. Gramm, Leach, Bliley Safeguard Rule (fed legislation since 1999) the compliance deadline was in 2001 GLB, has a broad spectrum of qualifications, requirements and regulating parties. Eight agencies and the states are charged with managing and enforcing the regulations.
GLB applies to a broad range of businesses that collect the personal financial information of their clients.The two regulations of GLB are the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule addresses the collection and dissemination of customers' information while the Safeguard rule governs the processes and controls an organization's uses to protect customers' financial information.
The Safeguard Rule is enforced by the FTC. In addition to public embarrassment of non-compliance, organizations may be fined thousands of dollars a day while they are non-compliant.
GLB calls for businesses to: 1. Ensure the security and confidentiality of customer information; 2. Protect against any anticipated threats or hazards to the security or integrity of such information; and 3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
In a nutshell, it requires that regulated companies do the following: Specify a person or group of people to be responsible for GLB compliance. Identify security risks involving customer information. Assess existing safeguards for protecting the privacy of customer information. Implement any additional safeguards that are needed. Monitor the effectiveness of safeguards. Ensure that service providers are able to meet the GLB requirements. Upgrade the organization's security program as necessary due to changing circumstances.
California SB 1386, effective 7/1/03 Data Breach Notifications ANY business having even 1 customer in California requires a PUBLIC disclosure of computer security breaches when personal information of any California customer is compromised. This law subjects a company to civil and class action lawsuits by any injured customer.
Betty Broder, who is the assistant director of the FTC's Division of Privacy and Identity Protection says, "You don't have to have a perfect plan, but you MUST have a written plan describing how customer and employee data will be protected and an officer on staff responsible for implementing that plan. We need to see that you've taken reasonable steps to protect your customer's info." (quote taken from American Bar Association 3/06 story, "Stolen Lives")
The 1/19/06 edition of Business and Legal Reports says, "One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance..."
By having a mandatory meeting the employees finally understand their responsibilities to protect the sensitive data of your client's business. This may be overwhelming BUT with a little help a business can develop an affirmative defense. Free federal compliance training is available for businesses who understand the importance of mitigating their damages and providing an affirmative defense.
Businesses with 10 or more employees may be able to get free Federal compliance training depending on their location. Contact the author for more information.
About the Author
Ms. Rachman has been an attorney since 1996 and became so intrigued with the issue of identity theft that she became a Certified Identity Theft Risk Management Specialist so she could advise business clients and individuals how to protect themselves from the #1 fastest growing crime in the world. For even more information, go to her site at http://www.idtheftspecialist.info
Tell others about
this page:
Comments? Questions? Email Here