Identity Theft Guide: Keeping the Company and Customers Safe

As a records manager (or business leader), efficient records management and consumer privacy are prerequisites for successful business practices. But chances are, you’re only thinking about the company’s compliance in terms of regulatory rules and fines.

But what about your consumers? Their data is in your hands, and it’s your job to keep their​​ personal information private and safe, even from identity theft.

Yes, records managers, you got that right, even from identity theft.

Identity theft is happening in real time, and the reverb is major. It can lead to financial losses, hefty fines—and perhaps, worst of all, reputational damage. Hands down, every business must ensure their records are secure, and their customers’ personal information is protected. Period.

What Is Identity Theft?

Here are the cold, hard facts: Identity theft is when someone steals personal information like your name, Social Security number, or financial account number and uses it illegally. Identity theft is one of the fastest-growing crimes in the United States.

In 2021, the Federal Trade Commission (FTC) received 2.8 million fraud reports, and roughly 1.4 million consumers were victims of identity theft, a number which is likely to rise yearly.

In California, identity theft is a crime. According to Penal Code section 530.5, identity theft is defined as: “Any person who willfully obtains personal identifying information of someone, and uses it for any unlawful purpose, including to obtain, or an attempt to obtain, credit, goods, services, real property, or medical information without consent.”

What Does Identity Theft Have to Do With Businesses?

When a company experiences a data breach, either through a cybersecurity crime or hard drives that the company did not destroy properly, identity theft can occur and can have crippling effects on businesses.

Case in point. In 2021, Morgan Stanley was ordered by the SEC to pay a $35 million fine to settle allegations that it failed to ensure the proper disposal of hard drives containing personally identifiable information for 15 million customers.

But what’s important to note here regarding identity theft is that a separate $60 million breach settlement was filed on behalf of Morgan Stanley’s consumers in addition to compliance-related regulatory fines.

The scary fact is, cybersecurity crimes continue to rise—and are just getting started. According to Cybersecurity Ventures, global cybercrime costs will grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015.

Which is why protecting personal data is so important.

At the very least, trust is the foundation of any business relationship. Read: Anyone working with or doing business with a company of any kind needs to trust their information is safe—and understand how it’s being kept secure.

Businesses need to be aware of where those fraud reports received by the FTC are coming from. There are federal resources for consumers to report incidences of fraud against scams, companies, or unwanted calls—which is even more so why businesses should have proper privacy protection practices in place.

What Can Businesses Do to Prevent Identity Theft?

Protection from identity theft isn’t just a suggested practice. In addition to consumer privacy and identity theft laws, the Identity Theft Protection Act requires businesses to protect their customers’ personal information.

That’s because if sensitive data falls into the wrong hands, it can result in identity theft, fraud, and more. Having a solid security plan to collect only what you need, keep data and documents safe, and dispose of them securely can help keep data secure.

Follow this simple plan to protect your business and consumers and ensure compliance and security.

First, scale back on what data is collected

Many businesses must collect personal information for customer transactions, like credit card numbers or social security numbers.

• If you can’t determine a business need to keep personal information, let it go (like Marie Kondo).
• If there is a business requirement, hold onto it only for as long as necessary.
• Adhere to data subject access requests from consumers if they ask you to delete or limit the use of their data.
• Scale down the number of people who have access to personal data.
• Have a chain of custody—a precise record of who has handled or stored these records and where.
• Develop a written retention policy that outlines information for keeping records (including length of time), how to secure them, and how to dispose of them.

Follow best records management practices

There are five key elements of data security: physical security, electronic security, physical and electronic data destruction, team training, and best practices for contractors and service providers.

1. Physical Security: Often, data breaches happen with lost or stolen paper documents. Basic measures like keeping documents and files in a locked room or location and limiting access can go a long way to protecting them. Require employees to learn best practices for secure document storage.
2. Electronic Security: Many businesses have someone on staff to oversee IT security, like an information manager, whether in-house or from an external company. As a general practice, don’t store sensitive consumer data on any hard drive or media unless it’s essential for business. And if you’re sending sensitive information over public networks or to third parties, make sure it’s encrypted and install and maintain anti-malware programs.
3. Dispose of unnecessary information: Keeping unnecessary documents filled with sensitive information around the office is the best way to become a victim of identity theft. Implement a disposal practice for both paper and digital files to prevent data breaches. Paper shredding, document storage, and media data destruction are important components of a disposal policy.

Be prepared with action and training

Protecting the identity of your employees, clients, patients, and more is a critical job of any organization. The penalties and damage to a firm that fails can be staggering. However, with appropriate security policies and training, you can set your business up for success.

If you do experience a breach, make sure you have a response plan.

4. Employee Training: The security of your business data is only as strong as the employees who manage it. Set up trainings so employees understand current privacy and security policies.
5. Contractors and Service Providers: Before you outsource any of your business functions, ensure the company you work with has data security protection and practices in place. Document, in writing, your security expectations and compliance rules.