Safeguarding Non-Public Information
Why should all businesses, corporations, schools, financial institutions, hospitals, municipalities and non-profits be concerned about identity theft, FACTA, HIPAA and GLB?
Answer: Liability, both civil and criminal.
In the March 2006 ABA Journal article titled "Stolen Lives", Betsy Broder of the FTC stated that "The FTC will act against companies that don't protect customers' data."
In that article, she goes on to state, "...all businesses should look to the law for guidance on how to protect consumer data. At a basic level, she says, that means businesses need to have a plan in writing describing how customer data is to be secured and an officer on staff responsible for implementing that plan.
Many large businesses entrust such planning and execution to a chief technical officer or chief privacy officer. Broder says she understands that most small businesses cannot be expected to hire a full-time privacy specialist, but she adds that all businesses must be able to show they have a security plan in place.
'We're not looking for a perfect system,' Broder says. 'But we need to see that you've taken reasonable steps to protect your customers' information.'"
In his May 2007 White Papers article titled "Your Growing Exposure for Identity Theft Risks", Kirk Nahra, a partner with Wiley Rein & Fielding, LLP, in Washington, D.C., states that "identity theft is not only an issue affecting individual consumers. As awareness of identity theft grows, companies across the country, in virtually all industries, are facing significant regulatory and liability risks related to identity theft because the behavior of companies in protecting information entrusted to them is perceived as a major cause of identity theft risks. As the Federal Trade Commission has stated, these days, it is almost impossible to be in business and not collect or hold personally identifying information - names and addresses, social security numbers, credit card numbers, or other account numbers - about your customers, employees, business partners, students, or patients. If this information falls into the wrong hands, it could put these individuals at risk for identity theft. Accordingly, for any company that maintains information on employees or customers - information that could provide the basis for identity theft - it is critical to understand the problem of identity theft and to begin to take steps to reduce these risks now, as much as possible."
Nahra indicates that "the FTC's suggestions for 'reasonable security practices' for non-public information include:
- Designation of a security officer or director;
- Identification of risks to security, including employee training on prevention and detection;
- Reasonable safeguards to control the identified risks;
- Evaluation of the program and on-going monitoring; and
- A mitigation plan."
Every day, it seems, we hear something in the news about identity theft. The problem is growing, and the threat of losing, in some manner, a person's personal data, be it customer or employee, looms over every business in America. Until reading this article, you may not have been aware of it, but safeguarding non-public information and complying with current and emerging laws is one of the biggest challenges facing all businesses today. For that reason, I strongly suggest that all business owners seek professional guidance on safeguarding issues, including having safeguarding policies and documents reviewed by qualified legal counsel.
To illustrate the magnitude of this growing problem, go to www.privacyrights.org and review the Chronological List of Data Breaches since January 10, 2005, as reported by the Privacy Rights Clearinghouse, a non-profit consumer information and advocacy organization.
Todd W. Meyer is a Certified Identity Theft Risk Management Specialist and heads the Consulting Division of MMI Financial Group, Inc. The Certified Identity Theft Risk Management Specialist (CITRMS) curriculum is the nation's only professional certification program specifically developed to train and equip professionals to understand identity theft and related fraud. The comprehensive CITRMS curriculum addresses risks and issues for consumers, employees and businesses/professional practices.