Identity Theft and the Workplace: Your Employees, Your Customers, and Your Obligations
Daniel Andrews
Certified ID Theft Risk Management Specialist
President
Solutions On The Spot
Insurance and Consulting
http://www.linkedin.com/in/solutionsspot
888-860-1412
IDENTITY THEFT
“The fastest growing white-collar crime in America,” according to the FBI
Definitions #1
Data Security – Keeping Good Data In
ID Theft – Using stolen data to commit (or attempt to commit) fraud of any sort, or, “Keeping Bad (Fraudulent) Data Out”
Definitions #2
Privacy Policy: “How we intend to share your data on purpose”
Security Policy: “How we intend to NOT share your data by accident”
Who is being held responsible?
“A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft in the workplace.”
– Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache,” BLR: Business & Legal Reports, September 19, 2006
Five Common Types of Identity Theft
♦ Driver’s License
♦ Social Security
♦ Medical
♦ Character/Criminal
♦ Financial
There is now a possible sixth type of Identity Theft…
Thieves will use portions of the different types of Identity Theft to create a person who is not real but has an “Identity.” We call this…
Synthetic Identity Theft
♦ Identity theft is not just about credit cards
♦ It is a legal issue!
♦ It is a national epidemic crime & access to an attorney may be critical
The Cost to Business
♦ Employees can take up to 600 hours, mainly during business hours, to restore their identities
♦ “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers.”*
♦ “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
* CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006
Ask Yourself This Question…
Why should all businesses, corporations, schools, financial institutions, hospitals & governmental bodies be concerned about identity theft?
Answer: Potential liability, both civil & criminal
Important Legislation
♦ FACTA & FACTA Red Flag Rules
♦ Fair Credit Reporting Act
♦ HIPAA Security Rule
♦ Gramm-Leach-Bliley Safeguards Rule
♦ Individual state laws regarding privacy, data loss, & ID theft
Civil & criminal liabilities can range from $1,000 – $1M in fines and penalties, which may include jail time of up to 10 years for executives!
Be sure to check with your attorney on how these laws may specifically apply to you
Protecting Personal Information: A Guide for Business
Loss of Data Could Create Liability
This FTC publication suggests that companies should:
“Create a culture of security by implementing a regular schedule of employee training.” (pg 17)
“Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)
“Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data.” (pg 16)
“Before outsourcing any of your business functions – payroll, webhosting, customer call center operations, data processing, or the like – investigate the company’s data security practices...” (pg 19)
“We’re not looking for a perfect system,” Broder says. “But we need to see that you’ve taken reasonable steps to protect your customer’s information.”
– “Stolen Lives,” ABA Journal, March 2006
Law Firms are Looking for Victims
“Instead of losing our identities one by one, we’re seeing criminals grabbing them in massive chunks – literally millions at a time.”
“Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney of the national plaintiffs’ law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”
According to the Identity Theft Resource Center, of the approximately 44 million Americans who have been the victims of identity theft at some point, each spent an average of 600 hours and $1,495 getting their finances straightened out. And that doesn’t include attorney’s fees.
In 2004, identity theft cost financial institutions and businesses an estimated $52.6 billion.
An Overview of FACTA:
• FACTA was signed by President Bush on December 4, 2003.
• The provisions of the law have been phased in over the past few years, and all are now in effect.
However, these new provisions also create serious new responsibilities – and potential liabilities – for businesses nationwide. Simply put, if data aiding an identity theft originates from a security breach at your company, you could be sued, fined, or become a defendant in a class-action lawsuit by affected employees whose personal information has somehow gotten out.
• Civil liability. An employee could be entitled to recover actual damages sustained if their identity is stolen from an employer. Or, an employer could be liable for statutory damages of up to $1,000 per employee.
• Class action lawsuits. If large numbers of employees are impacted, they may be able to bring class action suits and obtain punitive damages from employers.
• Federal fines. The federal government could fine a covered business up to $2,500 for each violation.
This law applies to any business, regardless of size, that collects personal information or consumer reports about customers or employees to make decisions within their business (including names, credit card numbers, birthdates, home addresses and more).
Who Does FACTA Affect?
…all businesses must be able to show that they have a security plan in place.
On what it takes to comply with FACTA, Betsy Broder, the Assistant Director of that FTC division, was quoted in the March 2006 American Bar Association Journal as saying that businesses need to have a written plan describing how customer data will be safeguarded, and a staff member or company officer designated as responsible for implementing that plan. Broder went on to say, “We’re not looking for a perfect system. But we need to see that you’ve taken responsible steps to protect your customers’ information.”
Now What? It’s Time to Develop a Plan!
According to the FTC, a “reasonable” plan to safeguard personal information includes:
• Designating an employee (or employees) to coordinate and be responsible for the security program.
• …including employee training…
• Continually evaluating and adjusting the security plan…
• Creating a mitigation plan… This mitigation plan should kick in when there is a privacy or security breach and there is a need to “repair it” immediately in the eyes of customers, government regulators, and management.
A sensible and effective program will go a long way towards reducing the risk of federal government enforcement, even if the security policy should fail in a particular situation and a security breach results.
Federal Trade Commission - Bureau of Consumer Protection - Division of Consumer & Business Education
New ‘Red Flag’ Requirements for Financial Institutions and Creditors will Help Fight Identity Theft
…requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities — known as “red flags” — that could indicate identity theft.
…a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers.
Financial institutions and creditors soon will be required to implement a program to detect, prevent, and mitigate instances of identity theft.
A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.
A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. A covered account is also an account for which there is a foreseeable risk of identity theft.
Federal Trade Commission, June 2008 – ftc.gov
Complying with the Red Flag Rules
The program must also describe appropriate responses that would prevent and mitigate the crime…
The program must be managed by the Board of Directors or senior employees…
…include appropriate staff training, and provide for oversight of any service providers.
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs — or “red flags” — of identity theft.
Daniel Andrews
Certified ID Theft Risk Management Specialist
http://www.linkedin.com/in/solutionsspot
888-860-1412