Identity Theft Guide: Keeping the Company and Customers Safe
For a records manager (or business leader), efficient records management and consumer privacy are prerequisites for successful business practices. But chances are, you’re only thinking about the company’s compliance in terms of regulatory rules and fines.
But what about your consumers? Their data is in your hands, and it’s your job to keep their personal information private and safe, even from identity theft.
Yes, records managers, you got that right, even from identity theft.
Identity theft is happening in real time, and the repercussions are major. It can lead to financial losses, hefty fines, and, perhaps worst of all, reputational damage. Hands down, every business must ensure its records are secure and its customers’ personal information is protected. Period.
What Is Identity Theft?
Here are the cold, hard facts: Identity theft is when someone steals personal information like your name, Social Security number, or financial account number and uses it illegally. Identity theft is one of the fastest-growing crimes in the United States.
In 2021, the Federal Trade Commission (FTC) received 2.8 million fraud reports, and roughly 1.4 million consumers were victims of identity theft, a number which is likely to rise yearly.
In California, identity theft is a crime. According to Penal Code section 530.5, identity theft is defined as: “Any person who willfully obtains personal identifying information of someone, and uses it for any unlawful purpose, including to obtain, or an attempt to obtain, credit, goods, services, real property, or medical information without consent.”
What Does Identity Theft Have to Do With Businesses?
When a company experiences a data breach, either through a cybersecurity crime or through hard drives that the company did not destroy properly, identity theft can occur and can have crippling effects on the business.
Case in point. In 2021, Morgan Stanley was ordered by the SEC to pay a $35 million fine to settle allegations that it failed to ensure the proper disposal of hard drives containing personally identifiable information for 15 million customers.
But what’s important to note here regarding identity theft is that a separate $60 million breach settlement was filed on behalf of Morgan Stanley’s consumers in addition to compliance-related regulatory fines.
The scary fact is, cybersecurity crimes continue to rise—and are just getting started. According to Cybersecurity Ventures, global cybercrime costs will grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015.
Which is why protecting personal data is so important.
At the very least, trust is the foundation of any business relationship. Read: Anyone working with or doing business with a company of any kind needs to trust their information is safe—and understand how it’s being kept secure.
Businesses need to be aware of where those fraud reports received by the FTC are coming from. There are federal resources for consumers to report incidents of fraud involving scams, companies, or unwanted calls, which is all the more reason for businesses to have proper privacy protection practices in place.
Responsibility to protect consumer data
With deep-seated consumer security concerns, California enacted new privacy laws to protect personal information. GDPR, passed in 2018, initiated change in how much control consumers have over their data, where it’s stored, if at all, and how it’s used. In addition, California passed CCPA and CPRA, laws that further define and regulate personal data management and consumer rights.
Yet, what’s still getting lost in the shuffle is onus. It’s a business’s responsibility to protect consumer data.
California businesses are legally obligated to know and abide by the laws and take measures to protect consumer data. Implementing best practices is essential for storing sensitive personal information about customers or employees.
If an unauthorized party gains access to company data through on-premise or third-party cloud-based storage services and identity theft incidents occur, the company will be subject to costly legal fees and lengthy lawsuits.
Responsibility to protect against schemes
Not only do businesses have a responsibility to keep consumers’ data safe, they also have a duty to guard against purchase and shopping scams.
Having security measures in place to spot identity theft schemes is crucial. How will you respond if a consumer finds out somebody used their credit to place an order through your company? While they may not be a current customer, how the company responds affects its reputation.
There is such a thing as business identity theft
Identity theft doesn’t stop at consumers. Business identity theft happens when thieves access the business’s bank accounts and credit cards or steal sensitive company information, such as the tax identification number (TIN) and the owners’ personal information.
Thieves, posing as owners, officers, or employees, open up lines of credit or get business loans based on the business’s identity and creditworthiness. The thieves typically cash out quickly, and the theft goes unnoticed until the affected company gets bills and collection notices. In their wake are debts, damaged credit, and a destroyed reputation.
If any of these three areas is compromised, the long-term effects of identity theft can significantly impact a business’s operational and financial stability.
What Can Businesses Do to Prevent Identity Theft?
Protection from identity theft isn’t just a suggested practice. In addition to consumer privacy and identity theft laws, the Identity Theft Protection Act requires businesses to protect their customers’ personal information.
That’s because if sensitive data falls into the wrong hands, it can result in identity theft, fraud, and more. Having a solid security plan to collect only what you need, keep data and documents safe, and dispose of them securely can help keep data secure.
Follow this simple plan to protect your business and consumers and ensure compliance and security.
First, scale back on what data is collected
Many businesses must collect personal information for customer transactions, like credit card numbers or Social Security numbers.
- If you can’t determine a business need to keep personal information, let it go (like Marie Kondo).
- If there is a business requirement, hold onto it only for as long as necessary.
- Adhere to data subject access requests from consumers if they ask you to delete or limit the use of their data.
- Scale down the number of people who have access to personal data.
- Have a chain of custody—a precise record of who has handled or stored these records and where.
- Develop a written retention policy that outlines how long to keep records, how to secure them, and how to dispose of them.
Follow best records management practices
There are five key elements of data security: physical security, electronic security, physical and electronic data destruction, team training, and best practices for contractors and service providers.
- Physical Security: Often, data breaches happen with lost or stolen paper documents. Basic measures like keeping documents and files in a locked room or location and limiting access can go a long way to protecting them. Require employees to learn best practices for secure document storage.
- Electronic Security: Many businesses have someone on staff to oversee IT security, like an information manager, whether in-house or from an external company. As a general practice, don’t store sensitive consumer data on any hard drive or media unless it’s essential for business. If you’re sending sensitive information over public networks or to third parties, make sure it’s encrypted. Install and maintain anti-malware programs as well.
- Dispose of unnecessary information: Keeping unnecessary documents filled with sensitive information around the office is the best way to become a victim of identity theft. Implement a disposal practice for both paper and digital files to prevent data breaches. Paper shredding, document storage, and media data destruction are important components of a disposal policy.
Be prepared with action and training
Protecting the identity of your employees, clients, patients, and more is a critical job of any organization. The penalties and damage to a firm that fails can be staggering. However, with appropriate security policies and training, you can set your business up for success.
Make sure you have a response plan in place in case you do experience a breach.
- Employee Training: The security of your business data is only as strong as the employees who manage it. Set up training sessions so employees understand current privacy and security policies.
- Contractors and Service Providers: Before you outsource any of your business functions, ensure the company you work with has data security protection and practices in place. Document, in writing, your security expectations and compliance rules.