Preventing Identity Theft In The Business
Identity Theft And How To Prevent It In the Business
- How to define identity theft and its causes;
- What impact identity theft and identity crime have;
- What eight steps you can take to prevent identity theft in your business;
- How to avoid becoming a victim of identity theft; and
- How to help identity-theft victims.
- Most identity thefts occur in the workplace.
- Identity theft is not the same as identity crime.
- Identity theft is the misappropriation of an identity; identity crime is using the stolen identity to perpetrate a theft or other crime.
- Federal laws require businesses to implement security programs.
- The Health Insurance Portability and Accountability Act (HIPAA) aims to protect individuals’ personal information, but it may make it even less secure.
- To prevent identity theft, address both people and processes.
- Company culture is a critical component of identity-theft prevention programs.
- Victims of identity theft need help and consolation.
- Consumers should know the online merchants with whom they deal.
- Never give your bank account or government identification number, such as a Social Security number, to online vendors.
Identity Theft and Identity Crime
Most identity thefts occur in the workplace. Relatively few involve dumpster diving or burglary. Although personal identity theft has made headlines, businesses can be victims of identity theft – they can also be unwitting accomplices. However, identity theft is preventable. Federal legislation now mandates that all businesses adopt security measures to protect their customers’ personal information, although it does not tell them how to do it.
Identity theft and identity crime are not synonymous. Identity theft is the misappropriation of someone else’s personal or business information, such as name, residential address, workplace location, identification number (such as Social Security number), bank account numbers and mother’s maiden name.
“Financial institutions, retail businesses and service providers bear…the costs for fraudulently purchased merchandise or services using the stolen identity of an employee, customer or patient.”
Identity theft is often the precursor to identity crime – the use of misappropriated information to purchase goods and services, apply for credit or commit other crimes.
“Identity thefts and concomitant crimes [have increased because] investigations are particularly costly and local law enforcement has been stripped of crime-fighting resources.”
Identity crimes have ripple effects on their victims. If the “primary” fraud involves buying things on credit, a “secondary” fraud may involve renting post office boxes in the victim’s name to receive delivery of the fraudulently purchased material.
Outsourced operations are tempting targets for identity thieves, because outsourced credit card operations and other transactions can involve transmitting data to unsecured locations or Web sites in developing countries where people believe all Westerners are wealthy. Problems of jurisdiction, constraints on police resources and the absence of antitheft legislation contribute to these unsafe environments.
“The term ’identity’ is commonly used arbitrarily and imprecisely in popular media and literature.”
Identity theft is an important technological tool for terrorism. Terrorists trained in Afghanistan received as many as five fraudulent identities and directions on how to use them.
“The terms ’identity theft’ and ’identity crime’ are frequently used interchangeably.”
The Consequences of Identity Fraud
Identity theft victims experience three kinds of harm:
- Financial losses – Many people discover that they are victims of identity theft and crime only when they receive a call from a credit or collection agency. They find unauthorized telephone calls on their bills or discover that thieves have drained their bank accounts.
- Emotional losses – Identity-theft victims experience feelings similar to those of rape victims: a sense of personal violation, fear, shock, helplessness, loss of control, frustration, depression and anger.
- Time losses – Victims must spend time putting their affairs back in order, resulting in loss of productivity at work, paranoia, relationship difficulties and loss of trust for co-workers, who may have perpetrated the theft.
“Identity theft, however, is to be distinguished from identity crimes – those offenses committed using stolen personal or business identifying information – or ’identities’.”
“Phishing [is] the fraudulent cloning of a legitimate business Web site and sending a fake e-mail letter requesting personal information under the auspices of updating company records.”
Identity theft also has a three-pronged impact on business victims:
- Costs – Perpetrators purchase goods or services, or fraudulently obtain credit in the company’s name.
- Fraud – Perpetrators defraud individuals and companies.
- Deception – Perpetrators misappropriate a business identity to deceive other victims. For example, in so-called “phishing” scams, perpetrators imitate a business’s Web site to collect information from its customers and other stakeholders.
The Legal Requirements
“The primary asset of every business is people: the employees…the customers…and the suppliers, vendors, contractors, shareholders and other stakeholders, any of whom may have access to employee or customer identities.”
U.S. law requires financial services institutions to take these steps to prevent identity theft and crime:
- They must offer privacy notices to customers. Customers must have the option of refusing to allow the institution to share their information with other parties.
- They must not release information to unauthorized recipients.
- When they do release information, they must ensure that it is accurate.
- They must disclose the recipients of information.
- They must identify security risks, both internally and externally.
- They must adopt information security programs.
“Although thefts do occur from…homes, cars and persons, the majority of identity thefts are committed inside the workplace by a relatively few dishonest employees who steal the personal identification data of a company’s most valued assets: customers and co-workers.”
Health care providers also face U.S. legal requirements. Ironically, the Health Insurance Portability and Accountability Act (HIPAA), which was supposed to ensure patients’ privacy, created a massive database that contains information on everyone in the United States who has health insurance or has received medical care. This database will almost certainly become a tempting target for identity thieves.
Securing Your Business
“Security, [like] quality, must center on both ’people’ and ’work processes’.”
Company culture is the most important constituent of an identity-theft prevention program. A culture of integrity creates the context for information security. To secure your business, evaluate the following four factors:
- People – Find out who has access to sensitive business information. Analyze all jobs, including their “internal” and “external” functions. When you recruit and hire staff, the applicants’ ability to handle security responsibilities should be as important as their motivation.
- Processes – Select a project team of three to five members from various backgrounds, including at least one manager. The team will identify sources of identity information, map the flow of information through the company, identify points of vulnerability and develop security approaches. It can assess information risk using such techniques as cause-and-effect analysis, flowcharts and Pareto charts, which show the relative importance of various factors.
- Property – Proprietary information and other intangibles are probably your most valuable assets.
- Customers – Customers use Web sites whose security they trust. Supplement your own brainstorming and analyses with surveys of customers and potential customers. Assess their perceptions of your security measures. Make sure your customers understand your security measures.
“For information security, an honest company culture is vital.”
Use “Best Practices” to Protect Your Customers and Yourself
Educate yourself, your staff and your customers about the following “best practices” you – and they – can use to avoid becoming victims of identity theft and crime:
- Know your vendors – Check their credentials with a business monitoring agency, such as the Better Business Bureau in the U.S., especially if you are doing business with them for the first time.
- Make sure the Web site is secure – Before making an online purchase, look for a security icon, usually a padlock, on your browser bar.
- Never share sensitive personal information online – Keep identifiers such as your bank account or Social Security number to yourself.
- Use a credit card with a low limit – Obtain one specifically for online transactions.
- Check the company’s return policy – You should be able to return any products that are unsatisfactory.
- Check contact information – Look for a toll-free telephone number on the Web site.
- Understand shipping and handling charges – These can add up quickly.
- Comparison shop – Check several Web sites to compare costs.
- Save your receipt – Print out the purchase order that shows your confirmation number in case something goes wrong with your order.
- Make sure the Web site shows the “Seal of Information Security” – This attests that the vendor protects consumers using Business Information Security Program standards.
- Check consumer information – Look for the Better Business Bureau OnLine Reliability Seal or the TRUSTe seal.
“For purposes of information process security, the place in the process having the most potential threats is also the most important problem…to be secured.”
Eight Steps toward Healing
“Inform victims of the importance of obtaining a credit report every six months for at least the next two years, from each of the (U.S.) credit reporting agencies – each report may contain different information.”
In a study of identity-theft victims, researchers found numerous emotional consequences. Women, in particular, often experienced the theft as a personal violation. Most people’s first reaction to the theft was fear, followed by despair and a sense of helplessness. Victims lost trust in their co-workers and in the companies with which they had shared personal information. The following inexpensive, eight-step program can help advocates provide victims of identity theft with the resources they need to recover financially and heal emotionally:
- Listen – You convey the message that the theft is serious simply by listening to the victim’s story. Show your concern.
- Explain – Tell victims what to expect emotionally and financially. Suggest that they buy a notebook and keep a record of any information they discover about the theft.
- Recommend action – Victims should file police complaints, contact credit agencies and arrange password protection for bank accounts, credit cards and business accounts.
- Reassure – If victims are engaged in recovery actively, the emotional damage will be less severe and will last for a shorter time.
- Refer to The Victim’s Assistance Guide – This guide, based on research by the Michigan State University laboratory, lists useful contacts for victims.
- Educate victims about credit reports – Victims should check their credit reports at least twice a year for two years. The Victim Assistance Guide teaches victims how to read credit reports.
- Correct fraudulent information – Victims should report erroneous information on credit reports and fraudulent charges on accounts. The Victim Assistance Guide provides forms they can use to report security breaches.
- Gather information – Police departments often lack the resources to give identity crimes the attention they deserve. Victims can gather and provide useful information to police investigators.
Legislation and Advocacy
Business leaders should develop a legislative agenda for preventing identity theft. Financial institutions and other agencies have first-hand knowledge of identity theft, bear the costs of theft and will undoubtedly bear the costs of legislative compliance. But legislation is not necessarily based on good information and sound analysis. Therefore, business must ensure that any legislation addressing identity theft solves the problem and does not merely raise compliance costs.
Legislation should be preventative but not unduly constraining. Laws that merely react to crimes are not as useful as laws that proactively prevent them. The following bills will have a great effect on the business climate in the United States if they pass:
- Senate Bill 125 – Requires disclosure to victims of identity theft about the use of their identities.
- Senate Bill 168 – Prohibits businesses from printing Social Security numbers on certain materials.
- Senate Bill 222 – Requires the establishment of identity theft units by the Office of Criminal Justice Planning.
- Senate Bills 661 and 766 – Mandate biometric identifiers on drivers’ licenses and require people to apply in person for duplicate licenses.
Bills in various state assemblies would mandate identification verification for applications for driver’s licenses and credit cards. Others would criminalize the disclosure of driver’s license information by government employees, prohibit certain disclosures by financial institutions, redefine the rules of the game for prosecuting identity theft and mandate notice to consumers of frequent credit inquiries.