Protect Your Business. Protect Your Customers. Identity Theft Kit for Business


Posted: 05-Jun-2018

  • PROTECT YOUR BUSINESS

    PROTECT YOUR CUSTOMERS

    IDENTITY THEFT

  • Identity Theft Kit for Business

    IDENTITY THEFT: Recognize it. Report it. Stop it.

    For more advice and tools on ID theft visit cmcweb.ca/idtheft

    Produced by the Federal-Provincial-Territorial Consumer Measures Committee

  • Cat. No. Iu23-7/2005E-PDF    ISBN 0-662-39361-9    54238X

  • This Kit is provided for general information only, and is intended to emphasize the need for effective personal information policies and practices. Nothing in this Kit should be construed as legal advice. For your legal rights and obligations, you should consult the relevant legislation, regulations and your solicitor.

    1) IDENTITY THEFT: A CONSUMER ISSUE FOR BUSINESS ... 1
       What is Personal Information? ... 2
       Why Do Businesses Have to Protect It? ... 2
       Increased Risks ... 2
       Customer Trust and Loyalty ... 3

    2) TIPS FOR REDUCING THE RISK ... 4
       Assess Your Business Practices ... 4
       Collection of Personal Information ... 4
       Use ... 7
       Disclosure ... 8
       Data Security & Storage ... 8
       Disposal ... 10
       Employees and Information Security ... 10
       Evolve Your Practices ... 11

    3) WHAT TO DO WHEN A THIEF STRIKES ... 12
       Steps to Take When Information is Compromised ... 12
       Investigating the Incident ... 12
       Informing Customers and Outside Organizations ... 12
       Dealing with the Media ... 14

    4) TOOLS: WHAT & HOW TO TELL CUSTOMERS ABOUT A BREACH ... 15
       Sample Notification Letter ... 15
       What to Say & How to Respond When a Thief Strikes: Sample Questions and Responses ... 17

    iii  IDENTITY THEFT

  • 1. IDENTITY THEFT: A CONSUMER ISSUE FOR BUSINESS

    Law enforcement agencies describe identity theft as the fastest growing crime that business, consumers, and governments face. Inside jobs are on the rise, as thieves increasingly steal clients' personal information from within organizations. Businesses can safeguard their reputation and avoid financial damages by planning and implementing policies to protect customers' personal information.

    Most companies collect and retain personal information, but how many have implemented a plan for collecting and keeping it safe? Does your business? Consider that:

    • A single computer can hold records for thousands of clients.

    • An unlocked filing cabinet may contain the access codes, account or license numbers that a company shares with its partners, suppliers or vendors.

    • Outside contractors hired to build and manage databases can view and copy information about a company's clients, including credit card and sometimes driver's licence numbers.

    Privacy legislation requires that all businesses put systems in place to ensure that customer information is secure, accurate, gathered with consent and not used beyond a stated purpose. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to businesses operating in provinces and territories that do not have substantially similar legislation. Quebec, British Columbia and Alberta have similar legislation. This guide will help you create a plan to avoid the theft of information, and it provides advice on what to do if your information is stolen.

    Identity Theft: Recognize it. Report it. Stop it.


  • What is Personal Information?

    Any factual or subjective information, recorded or not, about an identifiable individual is personal information. This might include such things as the individual's name, address, age, gender, identification numbers, credit card numbers, income, employment, assets, liabilities, payment records, personal references and health records. Personal information does not generally include employees' contact information at their place of work but may include the employee's e-mail address. In general, data you collect from customers or employees must be used only for the purpose for which it was collected, or for an additional purpose to which the person has consented.

    What is Identity Theft (Fraud)?

    Obtaining another's personal information and using it without his/her knowledge or consent to commit fraud for financial gain or for another criminal purpose.

    A thief does not need much information to steal and seriously disrupt someone's life: often a name, address, and date of birth are enough to get started.

    Why Do Businesses Have To Protect Personal Information?

    Increased Risks. Identity theft is growing rapidly. Each year thousands of victims have their personal information used by criminals to commit financial fraud, such as creating false accounts in another's name. These crimes are growing because more personal information is collected and retained than ever before, and the risks of theft multiply every time that information is transmitted, retained or disposed of in an unsafe manner. A disturbing number of cases are inside jobs conducted by individuals who have access to an organization's sensitive data.


  • Customer Trust and Loyalty. Consumers are becoming wary of giving out information, and are learning more about their right to privacy every day. Increasingly, they are holding organizations responsible for protection of their personal information, not just through the law but also through the marketplace. If businesses lose consumer confidence and goodwill, it is their bottom lines that will suffer.


    Managing Against Inside Jobs *

    Hundreds of unsuspecting customers of a local gas station on Vancouver Island who used their debit cards to pay for gas were shocked to learn that their PIN and card number were recorded twice: once for the transaction, once for a thief.

    When the police caught him, a former employee faced 178 charges of fraud using card data, for over $200,000. He had been copying debit card information as he swiped customers' cards.

    In accordance with the Canadian Code of Practice for Consumer Debit Card Services, victims were reimbursed by their financial institution. The gas bar was warned that if they did not apply appropriate security measures their access to the online payment service would be discontinued.

    To guard against future thefts, the owner implemented new procedures: he tightened screening and background checks when hiring employees, and he began checking his equipment to ensure no one tampered with it.

    * All the sidebar stories in this document are based on actual breaches, but all names, places and other details depicted are fictitious.

  • 2. TIPS FOR REDUCING THE RISK

    Assess Your Business

    Every organization should manage its own personal information life cycle. Theft can occur when outsiders gain access to your information, but it can also occur through internal theft. A good security strategy has to address both possibilities.

    Devote time to information privacy concerns. Appoint someone, or assume the responsibility yourself, to oversee the management and security of information you collect.

    The individual in charge of privacy/security should assess:

    • Your processes for gathering, handling, storing and disposing of electronic and paper data.

    • The protection of your information technology systems, such as firewalls and audit trails.

    • The role and level of security of individuals who have access to personnel and customer information.

    • How to communicate with clients and the public about your policies and what to say in the case of a breach.

    Gathering and using personal information usually involves five major aspects for a business: Collection, Use, Disclosure, Data Security and Storage, and Disposal.

    Collection

    Find out what you are collecting and why. Survey all of the personal information that your organization collects during the course of transactions and at other times. Do you gather data on clients? Identify the purpose(s) for which the information is collected, inform customers accordingly and obtain their consent. Ensure that staff can explain the purpose as they are collecting the information.


  • If you don't need it, don't collect it. Many businesses collect more information than the