Identity Theft and the Workplace: Your Employees, Your Customers, and Your Obligations

Page 1: Identity Theft and the Workplace: Your Employees, Your

Identity Theft and the Workplace: Your Employees, Your Customers, and Your Obligations

Page 2: Identity Theft and the Workplace: Your Employees, Your

Daniel Andrews

Certified ID Theft Risk Management Specialist

President

Solutions On The Spot

Insurance and Consulting

[email protected]

http://www.linkedin.com/in/solutionsspot

888-860-1412

Page 3: Identity Theft and the Workplace: Your Employees, Your

IDENTITY THEFT

“The fastest growing white-collar crime in America”

According to the FBI

Page 4: Identity Theft and the Workplace: Your Employees, Your

Definitions #1

Data Security – Keeping Good Data In

ID Theft – Using stolen data to commit (or attempt to commit) fraud of any sort, or, “Keeping Bad (Fraudulent) Data Out”

Page 5: Identity Theft and the Workplace: Your Employees, Your

Definitions #2

Privacy Policy: “How we intend to share your data on purpose”

Security Policy: “How we intend to NOT share your data by accident”

Page 6: Identity Theft and the Workplace: Your Employees, Your

Who is being held responsible?

“A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft in the workplace.”

Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache,” BLR: Business & Legal Reports, September 19, 2006

Page 7: Identity Theft and the Workplace: Your Employees, Your

Five Common Types of Identity Theft

♦ Driver’s License

♦ Social Security

♦ Medical

♦ Character/Criminal

♦ Financial

There is now a possible sixth type of Identity Theft…

Thieves will use portions of the different types of Identity Theft to create a person who is not real but has an “Identity.” We call this…

Synthetic Identity Theft

♦ Identity theft is not just about credit cards

♦ It is a legal issue!

♦ It is a national epidemic crime & access to an attorney may be critical

Page 35: Identity Theft and the Workplace: Your Employees, Your

The Cost to Business

♦ Employees can take up to 600 hours, mainly during business hours, to restore their identities

♦ “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers.”*

♦ “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*

* CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006

Page 36: Identity Theft and the Workplace: Your Employees, Your

Ask Yourself This Question…

Why should all businesses, corporations, schools, financial institutions, hospitals & governmental bodies be concerned about identity theft?

Answer: Potential liability, both civil & criminal

Page 37: Identity Theft and the Workplace: Your Employees, Your

Important Legislation

♦ FACTA & FACTA Red Flag Rules

♦ Fair Credit Reporting Act

♦ HIPAA Security Rule

♦ Gramm-Leach-Bliley Safeguard Rules

♦ Individual State Laws regarding Privacy, Data Loss, & ID Theft

Civil & Criminal liabilities can range from $1,000 – $1M in fines and penalties, which may include jail time up to 10 years for executives!

Be sure to check with your attorney on how these laws may specifically apply to you

Page 38: Identity Theft and the Workplace: Your Employees, Your

Protecting Personal Information: A Guide for Business

Loss of Data Could Create Liability

This FTC Publication suggests that companies should:

“Create a culture of security by implementing a regular schedule of employee training.” (pg 17)

“Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)

“Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data.” (pg 16)

“Before outsourcing any of your business functions – payroll, webhosting, customer call center operations, data processing, or the like – investigate the company’s data security practices...” (pg 19)

Page 39: Identity Theft and the Workplace: Your Employees, Your

“We’re not looking for a perfect system,” Broder says. “But we need to see that you’ve taken reasonable steps to protect your customer’s information.”

- “Stolen Lives”, ABA Journal, March 2006

Page 40: Identity Theft and the Workplace: Your Employees, Your

Law Firms are Looking for Victims

“Instead of losing our identities one by one, we’re seeing criminals grabbing them in massive chunks – literally millions at a time.”

“Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise?) If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney of the national plaintiffs’ law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”

Page 42: Identity Theft and the Workplace: Your Employees, Your

Identity Theft Resource Center, of the approximately 44 million Americans who have been the victims of identity theft at some point, each spent an average of 600 hours and $1,495 getting their finances straightened out. And, that doesn’t include attorney’s fees.

In 2004, identity theft cost financial institutions and businesses an estimated $52.6 billion,

Page 43: Identity Theft and the Workplace: Your Employees, Your

An Overview of FACTA:

• FACTA was signed by President Bush on December 4, 2003.

• The provisions of the law have been phased in over the past few years, and all are now in effect.

However, these new provisions also create serious new responsibilities – and potential liabilities – for businesses nationwide. Simply put, if data aiding an identity theft originates from a security breach at your company, you could be sued, fined, or become a defendant in a class-action lawsuit by affected employees whose personal information has somehow gotten out.

Page 44: Identity Theft and the Workplace: Your Employees, Your

• Civil liability. An employee could be entitled to recover actual damages sustained if their identity is stolen from an employer. Or, an employer could be liable for statutory damages for up to $1,000 per employee.

• Class action lawsuits. If large numbers of employees are impacted, they may be able to bring class action suits and obtain punitive damages from employers.

• Federal fines. The federal government could fine a covered business up to $2,500 for each violation.

Who Does FACTA Affect?

This law applies to any business, regardless of size, that collects personal information or consumer reports about customers or employees to make decisions within their business (including names, credit card numbers, birthdates, home addresses and more).

Page 45: Identity Theft and the Workplace: Your Employees, Your

Now What? It’s Time to Develop a Plan!

……all businesses must be able to show that they have a security plan in place.

Betsy Broder, the Assistant Director of that FTC division, was quoted in the March 2006 American Bar Association Journal as saying that, in order to comply with FACTA, businesses need to have a written plan describing how customer data will be safeguarded and a staff member or company officer designated to be responsible for implementing that plan. Broder went on to say, “We’re not looking for a perfect system. But we need to see that you’ve taken responsible steps to protect your customers’ information.”

Page 46: Identity Theft and the Workplace: Your Employees, Your

According to the FTC, a “reasonable” plan to safeguard personal information includes:

• Designating an employee (or employees) to coordinate and be responsible for the security program.

• …..including employee training….

• Continually evaluating and adjusting the security plan…..

• Creating a mitigation plan…..This mitigation plan should kick in when there is a privacy or security breach and there is a need to “repair it” immediately in the eyes of customers, government regulators, and management.

Page 47: Identity Theft and the Workplace: Your Employees, Your

A sensible and effective program will go a long way towards reducing the risk of federal government enforcement, even if the security policy should fail in a particular situation and a security breach results.

Page 48: Identity Theft and the Workplace: Your Employees, Your

Federal Trade Commission - Bureau of Consumer Protection - Division of Consumer & Business Education

New ‘Red Flag’ Requirements for Financial Institutions and Creditors will Help Fight Identity Theft

……requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities — known as “red flags” — that could indicate identity theft.

…a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers.

PG. 1

Financial institutions and creditors soon will be required to implement a program to detect, prevent, and mitigate instances of identity theft.

Page 49: Identity Theft and the Workplace: Your Employees, Your

PG. 2

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. A covered account is also an account for which there is a foreseeable risk of identity theft.

Page 50: Identity Theft and the Workplace: Your Employees, Your

PG. 3

Federal Trade Commission

June 2008

For The Consumer

ftc.gov

1-877-FTC-HELP

Complying with the Red Flag Rules

The program must also describe appropriate responses that would prevent and mitigate the crime…..

The program must be managed by the Board of Directors or senior employees

…include appropriate staff training, and provide for oversight of any service providers.

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs — or “red flags” — of identity theft.

Page 51: Identity Theft and the Workplace: Your Employees, Your

Daniel Andrews

Certified ID Theft Risk Management Specialist

[email protected]

http://www.linkedin.com/in/solutionsspot

888-860-1412