You obtain your employees’ social security and driver’s license numbers to determine employment eligibility and conduct background checks. Customers provide credit and debit card numbers, as well as their passwords, to make payments. All of this information becomes part of your business’s electronic data.
Whether it is a social security, driver’s license, credit card, or bank account number, these are the numbers by which institutions identify a person. If a thief gains access to them, the consequences can be devastating for both individuals and businesses.
Identity theft occurs when someone uses another’s personally identifying information to commit fraud or other crimes. Identity thieves may rent an apartment, obtain a credit card, or establish a telephone account in a victim’s name. In a relatively short time, victims may find that they have lost what took years to accumulate: their assets, credit, and reputation. They may lose out on job opportunities, be denied loans for education, housing, or cars, or even be forced to declare bankruptcy. In rare cases, victims have been arrested for crimes committed under their names.
Identity theft is well on its way to becoming one of the most serious financial crimes of the 21st century: The Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year.
Although identity thieves may still use traditional methods of obtaining personally identifying information, such as dumpster diving or mail theft, many have shifted to high-tech methods, targeting businesses that maintain such information in computerized databases.
ChoicePoint, Inc., a national provider of identification and credential verification services, was victimized by a well-organized group of criminals who obtained personal information on almost 140,000 consumers. An even bigger theft occurred more recently when TJX Companies Inc., which operates the national chain stores T.J. Maxx and Marshalls, suffered what was at the time the largest computer data breach in corporate history: Thieves stole the credit and debit card numbers of more than 45 million consumers.
Prompted in large part by such incidents, more than half of the states have enacted some version of a security-breach notification law. The federal government is also considering similar legislation in the form of Senate Bill 239, the Notification of Risk to Personal Data Act of 2007, currently on the Senate’s legislative calendar. The purpose of these breach notification laws is to give timely notice to individuals whose information has fallen into the wrong hands so that they may take whatever precautions are necessary to protect themselves from the harmful consequences of identity theft.
These laws typically state that those who maintain computerized data that includes personally identifying information shall disclose any breaches of security involving such information to the individual(s) whose information was compromised by the breach. Many notification laws, including those of California, Florida, and New York, apply to any business or any person conducting business in their state. Thus, businesses cannot claim that they are too small to be responsible for data breaches.
Personally identifying information is typically defined as an individual’s name in combination with a social security number, a driver’s license number, or a financial account or card number together with any password or access code needed to use it. The duty to disclose breaches of such information is triggered when the person or business discovers, or reasonably believes, that the information was acquired by a person without valid authorization. The amount of time given to make the disclosure varies by jurisdiction: Some states require disclosure within a specified period (45 days in Florida), while others require disclosure “in the most expedient time possible and without unreasonable delay” (California).
The consequences for failure to notify affected individuals of the security breach can be severe. Florida law calls for an administrative fine in the amount of $1,000 for each day the breach goes undisclosed after the initial 45-day period, with a $500,000 maximum. Michigan law imposes a civil fine of up to $250 for each failure to provide notice, with an aggregate liability maximum of $750,000.
Given the growing threat to the security of computerized personally identifying information and exposure to significant legal penalties, businesses should make every effort to prevent security breaches from happening at all and to comply with applicable notification laws when they do. Here are some suggestions:
1. Encrypt all computerized personally identifying information.
Encryption uses an algorithmic process to transform data into a form that is unreadable or unusable without a confidential process or key. Most notification laws apply only to unencrypted information, so encrypting stored records may limit an organization’s obligation to notify affected individuals of a security breach. That protection generally holds only if the key was not acquired along with the data, so the key must be stored and managed separately from the records it protects.
2. Whenever possible, limit the collection of personally identifying information.
If social security numbers or driver’s license numbers are not necessary to conduct business, then such information should not be solicited from clients or customers.
3. Keep personally identifying information secure.
Firewalls, strong password protection, and other technical safeguards should be used to protect the information, and the systems that hold it should be kept patched.
4. Limit access to personally identifying information.
Such information should not be available to everyone who has access to a company computer network or server. Access should be limited to those who need it to do their jobs, and it should be removed when that need ends. Also make sure that those who need it are responsible and trustworthy enough to have it.
5. Do not let computerized personally identifying information out of the office.
Many businesses use laptops or other remote devices to allow employees to work when away from the office. Sensitive information should not be kept on these devices; if it must travel, it should be encrypted (see suggestion 1). When a U.S. Department of Transportation agent’s laptop was stolen from a parked car, the social security numbers of approximately 133,000 Florida residents were taken with it.
6. Check your data storage policies and procedures for vulnerabilities.
If personally identifying information is collected and then forgotten, it is difficult, if not impossible, to keep it protected. Keep an inventory of where such information is stored, delete it when it is no longer needed, and make sure it never ends up in a vulnerable location such as a shared drive, a spreadsheet, or an old backup.
7. In the event of a breach, notify the affected individuals.
Different states may have different notification procedures or methods. In the event of a breach, make sure that any required notifications are made in accordance with applicable law.
8. Consider insurance coverage.
Some insurance companies offer policies that cover situations involving breaches of computerized personally identifying information.
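As an added illustration of suggestion 1 (not code from the original article), the following Go program encrypts a single sensitive field, such as a social security number, with AES-256-GCM before it is written to a database. The key is supplied at startup and never stored beside the records, which is the condition most notification laws attach to the encryption exemption; the ciphertext is also bound to a record identifier so a value copied from one row to another cannot be decrypted. The key source, the `v1:` field format, and the record IDs are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// piiCipher wraps an AES-256-GCM AEAD. The key is loaded once at startup
// (assumed here to come from a key-management service or a secret injected
// by the deployment system) and is never written to the database that holds
// the encrypted records, so a stolen database dump is useless on its own.
type piiCipher struct {
	aead cipher.AEAD
}

func newPIICipher(key []byte) (*piiCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &piiCipher{aead: aead}, nil
}

// Encrypt returns "v1:<base64 nonce>:<base64 ciphertext+tag>" (an assumed
// storage format). The record ID is bound as associated data, so a ciphertext
// moved from one record to another fails authentication on decryption.
func (c *piiCipher) Encrypt(recordID, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	return "v1:" + base64.StdEncoding.EncodeToString(nonce) + ":" +
		base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt reverses Encrypt. An error means the wrong key, the wrong record,
// or a tampered ciphertext; the caller must not treat the output as valid.
func (c *piiCipher) Decrypt(recordID, field string) (string, error) {
	parts := strings.Split(field, ":")
	if len(parts) != 3 || parts[0] != "v1" {
		return "", errors.New("malformed encrypted field")
	}
	nonce, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	pt, err := c.aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; in production load it from a KMS or secret store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, _ := newPIICipher(key)
	stored, _ := c.Encrypt("emp-1042", "123-45-6789") // constructed sample SSN
	fmt.Println("stored in database:", stored)
	ssn, _ := c.Decrypt("emp-1042", stored)
	fmt.Println("decrypted by the application:", ssn)

	// An attacker holding only the database dump, and therefore a different key.
	other := make([]byte, 32)
	if _, err := rand.Read(other); err != nil {
		panic(err)
	}
	c2, _ := newPIICipher(other)
	_, err := c2.Decrypt("emp-1042", stored)
	fmt.Println("attacker without the key:", err)
}
```

The design point is the separation: the database holds only `v1:` fields, and the key lives elsewhere, so losing the database alone does not expose the numbers. If the key is compromised together with the data, the exemption in the notification laws no longer applies and the breach must be reported like any other.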
Exposure to security breaches is an ever-present risk in today’s business world. However, in the context of laws that address such security breaches, it is important to remember that it is the failure to disclose a breach that is the punishable event. As is often the case, the violation occurs in the cover-up, not the breach itself. Therefore, in the event of a data breach in your organization, an attorney familiar with these laws should be consulted immediately to ensure compliance with any applicable notification requirements.
Taking the proper safeguards to protect the personal information your business collects can spare your employees, customers, and business crushing losses.