Identity theft is a multibillion-dollar problem affecting 8 million people a year. But experts say it isn't just a consumer issue. In the thousands of cases prosecuted by the U.S. Secret Service in the past six years, half of the time, it was businesses that provided the entry point for thieves, according to Sai Huda, CEO of Compliance Coach, makers of Web-based compliance tool CompliancePal.
Adds Tracy Coenen, a forensic accountant and certified fraud examiner for
, "I get scared for small businesses because they are not thinking about this issue. I think they are more vulnerable because they're not taking any basic steps." Too often, businesses hire her to deal with fraud, not to prevent it.
So while all the attention has been paid to consumer identity theft, small businesses have become more attractive to identity thieves because the rewards are greater.
Here are eight steps you must take to protect your customers, and yourself:
Adopt a Need to Know Policy
As you build up your customer base, collect only the information that is necessary to conduct your business. That way, says Jay Foley, executive director of the nonprofit Identity Theft Resource Center, you can't be held responsible should their information get stolen. So if you don't need someone's Social Security number, don't ask for it.
If you must collect sensitive personal information, organize customer data in such a way that only highly confidential information is protected. Gary Nutbeam, owner of computer consulting firm Across the Big Pond, recommends creating three levels: unclassified (information that anyone can see), classified (semi-sensitive information like an internal memo on benefits) and secret (data like customer contracts).
"It is impractical to fully protect everything," adds Nutbeam. "You can keep costs down by putting your effort toward protecting the most sensitive data."
Ask and Don't Tell
To further lower your liability, limit company access to customer information. It could be as simple as locking up confidential files or databases and giving one or two essential employees the key or their own unique user I.D. "If a user I.D. is shared, it's impossible to know who really accessed the data," says Nutbeam.
Another important step: Have those employees change their password every 45 days and have passwords contain both letters and numbers.
Get the Message Out
After you've set up safeguards, train your employees on company policy and procedure. They need to know the rules, the reasoning and, most importantly, the consequences should they be caught stealing client information. According to Huda, 33% of identity theft is committed by an employee.
Check Up on Employees
We're not saying get a nanny cam. But close. Foley recommends having background checks done periodically on employees. The person whom you hired 20 years ago isn't the same person today, explains Foley. Life changes like a divorce, a sick child or parent, or a new addiction can be exploited by thieves, who want to gain access to your company files.
Know the Law
Laws are slowly changing to protect businesses as well as consumers. So read up. For example, the new FACT Act Identity Theft Red Flags Rule requires that businesses that offer credit must draft an identity theft prevention program, keep the program current and appropriately train their employees. The deadline is Nov. 1.
Get Thee a Shredder
Some states require that you shred customer data. So invest in a good-quality shredder or hire a shredding company with a solid reputation that shreds on location. When a company shreds at another site, it means people will be sorting through the paperwork, warns Foley.
Call in the Pros
If you're not sure where your security can be breached, get help. Ask your fellow business owners for referrals. Look for someone with a Certified Fraud Examiner accreditation. Identity Theft Resource Center's Foley charges $2,500 for a presentation and up to $5,000 for one-on-one training. Compliance Coach's Web-based CompliancePal costs $295-$995 a year.
Sure, it's not cheap, but the repercussions of stolen customer information will certainly be steeper.
Loss Can Be Hefty
You will certainly lose customers if you can't protect their information. But more importantly, a small business can run into serious financial trouble, even go under, if a customer's identity gets stolen. Just the cost of paying for a credit monitoring service to help mitigate any problems a client can face will cost $40 to $120 per hit. And if you're a business with 10,000 customers, can you afford, asks Foley, to spend $40,000 on credit monitoring?
That's just the tip of the iceberg, says Coenen, who is also author of Essentials of Corporate Fraud (Wiley). Hiring a lawyer, a consultant to plug your security holes and a consultant to recover lost data can run you another $25,000.
Lan Nguyen is a freelance writer based in New York City. She has written for the New York Daily News, The Wall Street Journal, Worth magazine and Star magazine.