By Lan Nguyen
Identity theft is a multibillion-dollar problem affecting 8 million people a year. But experts say it isn’t just a consumer issue. In the thousands of cases prosecuted by the U.S. Secret Service in the past six years, half of the time, it was businesses that provided the entry point for thieves, according to Sai Huda, CEO of Compliance Coach, makers of Web-based compliance tool CompliancePal.
Adds Tracy Coenen, a forensic accountant and certified fraud examiner for Sequence Inc., “I get scared for small businesses because they are not thinking about this issue. I think they are more vulnerable because they’re not taking any basic steps.” Too often, businesses hire her to deal with fraud, not to prevent it.
So while all the attention has been paid to consumer identity theft, small businesses have become more attractive to identity thieves because the rewards are greater.
Here are eight steps you must take to protect your customers, and yourself:
Adopt a Need to Know Policy
As you build up your customer base, collect information that is only necessary to conduct your business. That way, says Jay Foley, executive director of the nonprofit Identity Theft Resource Center, you can’t be held responsible should their information get stolen. So if you don’t need someone’s social security number, don’t ask for it.
If you must collect sensitive personal information, organize customer data in such a way that only highly confidential information is protected. Gary Nutbeam, owner of computer consulting firm Across the Big Pond, recommends creating three levels: unclassified (information that anyone can see), classified (semi-sensitive information like an internal memo on benefits) and secret (data like customer contracts).
“It is impractical to fully protect everything,” adds Nutbeam. “You can keep costs down by putting your effort toward protecting the most sensitive data.”
Ask and Don’t Tell
To further lower your liability, limit company access to customer information. It could be as simple as locking up confidential files or databases and giving one or two essential employees the key or their own unique user I.D. “If a user I.D. is shared, it’s impossible to know who really accessed the data,” says Nutbeam.
Another important step: Have those employees change their password every 45 days and have passwords contain both letters and numbers.
Get the Message Out
After you’ve set up safeguards, train your employees on company policy and procedure. They need to know the rules, the reasoning and, most importantly, the consequences should they be caught stealing client information. According to Huda, 33% of identity theft is committed by an employee.
Check Up on Employees
We’re not saying get a nanny cam. But close. Foley recommends having background checks done periodically on employees. The person whom you hired 20 years ago isn’t the same person today, explains Foley. Life changes like a divorce, a sick child or parent, or a new addiction can be exploited by thieves, who want to gain access to your company files.
Know the Law
Laws are slowly changing to protect businesses as well as consumers. So read up. For example, the new FACT Act Identity Theft Red Flags Rule requires that businesses that offer credit must draft an identity theft prevention program, keep the program current and appropriately train their employees. The deadline is Nov. 1.
Get Thee a Shredder
Some states require that you shred customer data. So invest in a good quality shredder or hire a shredding company with a solid reputation who shreds on location. When a company shreds at another site, it means people will be sorting through the paperwork, warns Foley.
Call in the Pros
If you’re not sure where your security can be breached, get help. Ask your fellow business owners for referrals. Look for someone with a Certified Fraud Examiner accreditation. Identity Theft Resource Center’s Foley charges $2,500 for a presentation and up to $5,000 for one-on-one training. Compliance Coach’s Web-based CompliancePal costs $295-$995 a year.
Sure, it’s not cheap, but the repercussions of stolen customer information will certainly be steeper.
Loss Can Be Hefty
You will certainly lose customers if you can’t protect their information. But more importantly, a small business can run into serious financial trouble, even go under, if a customer’s identity gets stolen. Just the cost of paying for a credit monitoring service to help mitigate any problems a client can face will cost $40 to $120 per hit. And if you’re a business with 10,000 customers, can you afford, asks Foley, to spend $40,000 on credit monitoring?
That’s just the tip of the iceberg says Coenen, who is also author of Essentials of Corporate Fraud (Wiley). Hiring a lawyer, a consultant to plug your security holes and a consultant to recover lost data can run you another $25,000.