What do you think of when someone says IDENTITY THEFT? Most people think of credit reports, credit cards and bank accounts. We see television commercials pushing “free credit reports” to solve the problem. Banks and credit card companies are bragging about their theft deterrence systems and zero liability programs. There’s even one company that will “guarantee” your identity will not be stolen!
Unfortunately, it’s just not that simple. The fact is there is no realistic way to stop identity theft in the world we live in today. Here’s why.
FIRST, our personal information is already irretrievably “out there”, in the hands of dozens (maybe hundreds) of businesses, schools and government agencies. We are all literally at the mercy of those organizations (and their employees) to keep our information safe. And the risks have increased enormously in just the past year. Every week, we now see extensive publicity surrounding substantial security breaches – in all kinds of industries – from small and large companies.

SECOND, while it can be devastating, financial Identity Theft is only a small part of the story. Almost 75% of all Identity Theft is in other areas - your driver’s license, your Social Security number, your medical information (the fastest growing area of ID theft), and Criminal ID theft (crimes committed in your name). And many of the trends in today’s society (like terrorism, immigration, the weak economy, the credit crisis, and the health insurance crisis) are throwing gasoline on the Identity Theft fire.

NEW RULES FOR DOING BUSINESS

But Identity Theft is not only affecting individuals. As awareness grows, organizations of all types across the country in virtually all industries are facing new laws and liability risks. That is because governments perceive the behavior of companies in protecting the personal information entrusted to them as the predominant identity theft risk, and the only area where they can force improvement. As the FTC Chairman recently stated: “By now the message should be clear: companies that collect sensitive information have a responsibility to keep it secure.” “Every business, large or small, must take reasonable and appropriate measures to protect sensitive consumer information, from acquisition to disposal.”

In the 1970s the government passed a law called OSHA (Occupational Safety and Health Administration) and businesses had no say-so, they had to implement the requirements.
Then in the 1980s came the ADA (Americans with Disabilities Act); here again, businesses had to implement the requirements. The 1990s brought HIPAA (Health Insurance Portability and Accountability Act). Today it’s legislation relating to Information Security and Identity Theft.

In 2005 the credit card issuing companies, including American Express, Visa Inc., & MasterCard Worldwide, created a set of security standards called PCI DSS – Payment Card Industry Data Security Standards. The standard is designed to protect sensitive account data such as credit card numbers, customer names and contact information. Any organization that "stores, processes or transmits" card numbers must comply with PCI DSS. Organizations may keep certain data, such as account numbers, cardholder names and expiration dates, subject to specific conditions.

In 2008 we saw the first of the “Identity Theft” laws: the Red Flags Rule. This law went into effect on January 1, with mandatory compliance by November 1, 2008. The Red Flags Rule fights identity theft in its earliest stages and requires companies of all sizes to develop and deploy an Identity Theft Prevention Program that detects, prevents and mitigates Identity Theft.

Here’s what the FTC is telling consumers: “Ask about information security procedures in your workplace or at businesses, doctor’s offices or other institutions that collect personally identifying information from you. Find out who has access to your personal information and verify that it is handled securely. Ask about disposal procedures for those records, as well. Find out if your information will be shared with anyone else. If so, ask if you can keep your information confidential.” (MSNBC, March 7, 2008)

And whenever there are laws, there will be lawsuits! Hundreds of lawsuits have been filed against companies, and industry experts anticipate a tidal wave over the next five years, as more laws are enacted and enforcement increases at the State level.
IT’S A PEOPLE THING

For any company in any industry that maintains information on employees or customers that could provide the basis for identity theft, it is critical to understand the problem of information security and to take steps NOW to reduce these risks as much as possible. All businesses need to be aware of their identity theft risks, and should be exploring all reasonable means of meeting their increased legal obligations in these areas.

In order to minimize the chance of identity theft, and have a credible legal defense if a problem occurs, businesses must take proactive steps to change their company’s behavior regarding the handling of sensitive information. The FTC says that companies must establish and maintain a “Culture of Security”. Success factors include management commitment, physical security, electronic data security, disposal procedures and especially the “people factor”. In other words, the success of your Information Security/Identity Theft Prevention Program will depend on the training and “buy-in” of the Board of Directors, Senior Management, your employees and even your contractors and service providers!

From a practical risk management standpoint, every business (and government entity) should take appropriate risk management actions and seek to meet the requirements and standards of consumer privacy and data security laws, whether or not it has a statutory obligation to do so. Similarly, businesses and government entities should also not take "the easy way out" and seek to only protect that information which is specifically identified as protected under the strictest interpretations of the law. There is a moral and ethical obligation that attaches to the use and possession of another's information. Many forward-thinking companies have recognized that information security and careful protection of confidential consumer information is not only an investment well worth making, but it can even provide a significant competitive advantage.
Compliance is a choice, and in the Information Age, where confidential information is the currency of thieves, it is a choice that every entity should make - large or small, public or private."

So what should businesses do? You have three choices:

1. Ignore the problem and the laws… and hope for the best;
2. Tackle the problem yourself using your own time and money; or
3. Get help from the experts.

Compliance Assistance

IDT Consultants, LLC is a leading information risk management firm that specializes in data security, regulatory compliance, and industry certifications. Its assistance is based on FTC materials, guidelines, laws and requirements, and helps you identify the potential risk within your business, understand the liabilities you face, and begin the process of change required by the laws. www.idtheft101.net

For more information, call Michael Hill at 404-216-3751.
Michael Hill maintains an extensive Referral Program whereby qualified third parties can profit by helping spread the word about Identity Theft in the Workplace, and our compliance assistance. For more information or to register for the Referral Program, please contact Mike Hill (404) 216-3751.