Identity Theft and Business
by Scott Claassen

Protecting the personal information of your customers and employees deserves your attention.
Identity theft is the fastest-growing crime in the United States, according to the National Crime Prevention Council, and results in losses to businesses of almost $50 billion annually. Most media reports of identity theft focus on the dangers presented by computer spyware, viruses, hackers or phony e-mails. But a significant and growing percentage of data thefts are the result of misappropriation by employees with access to personal information.
A business is the custodian of the personal information of its customers and the keeper of sensitive personal information about its employees, including Social Security numbers and credit card numbers. There are a number of basic steps a business can take to limit the risk of theft or misuse of personal information:
• Avoid collecting personal information that isn’t necessary. Don’t ask for a customer’s date of birth, e-mail address or Social Security number if it’s not a critical part of the transaction.
• Securely dispose of personal information that is no longer needed. This includes job applications of people who weren’t hired, or the credit card numbers of former customers.
• Limit access to the personal information that is collected to those who need to use it. Paper records should be kept under lock and key, and computer records should be password-protected and maintained on a system that is not accessible to all employees.
• Maintain strict policies on when and how employee and customer information is shared. Data thieves often call businesses posing as representatives of government agencies or financial institutions. Require employees to positively confirm the identity of anyone seeking personal information for any reason.
The recently enacted Fair and Accurate Credit Transactions Act contains a number of provisions that affect how a business treats the personal information of its customers and employees.
• By December 2006, merchants must omit the expiration date and all but the last five digits of a credit or debit card number on electronically printed store receipts.
• Beginning June 1, 2005, businesses must destroy all paper or computer media containing personal information derived from a credit report before discarding it. This includes all information originally derived from a credit report.
• A business that provides credit or products and services to a person who fraudulently uses another person’s identity must provide, without charge, copies of documents, such as credit applications, to the victim and to any law-enforcement agency that the victim specifies within 30 days of the victim’s written request. The request may be refused only if the organization cannot establish the true identity of the person requesting the information with a high degree of confidence, or the request is based on a misrepresentation of fact.
The Federal Trade Commission recommends that a business take certain steps if it believes that any personal information has been compromised. First, notify the local police department or the local office of the FBI or U.S. Secret Service immediately. If account information, such as credit card or bank account numbers, has been stolen, notify the financial institutions so that they can monitor the accounts for fraudulent activity. If names and Social Security numbers have been stolen, contact the major credit bureaus for advice.
In some instances, it may be appropriate to notify the individuals whose personal information has been compromised to allow them to take steps to lessen the impact of the misuse of their information. Before taking this step, however, a business should consider the nature of the compromise, the type of information taken, the likelihood of misuse and the potential damage arising from the misuse, and should consult with the law-enforcement agency involved so the notification does not impede any ongoing investigation.
Scott Claassen is an associate in the Business Law division of Shook, Hardy & Bacon. He can be reached at 816.559.2451 or via e-mail at sclaassen@shb.com.