Take steps now to comply with new identity-theft law
The cost of being careless with employee records, customer credit reports and other private information in your files has gone up, thanks to a new federal law that targets crime’s top growth industry: identity theft in the workplace.
Effective June 1, a provision added to the Fair and Accurate Credit Transactions Act (FACTA) — the same law that allows you to request a free credit report — makes businesses of any size liable for failing to properly dispose of personal data. This is the kind of information that hackers, dumpster divers and disgruntled employees used to extract more than $50 billion from U.S. victims in 2004 alone, according to the Federal Trade Commission.
Theft of employer records is the number one underlying source of credit-card scams and other forms of identity fraud, according to a study by the TransUnion credit bureau, and experts say most businesses are susceptible.
"Records that every company has, like payroll and benefits, are a gold mine for identity thieves," says Jay Foley, executive director of the Identity Theft Resource Center.
To comply with the new FACTA rules, businesses must take "reasonable measures" — such as shredding paper documents and erasing or destroying electronic records — to dispose of names, street and e-mail addresses, phone numbers, Social Security numbers and other personal data.
Tossing a stack of job applications into the recycling bin or trash, for example, does not satisfy the FACTA requirements and could leave you liable if a theft occurs, says Stacey DiPiazza, owner of Infoshred, a document-destruction company in South Windsor, Conn. For each violation, the federal government can levy fines of up to $2,500, and states can add on another $1,000. You could also be required to pay for any damages incurred by the victim.
How can you comply with the law and protect the people you work with from identity theft? Experts say your first steps should be:
- Determine what confidential information your company maintains and which departments generate it, then develop a written policy for segregating it from common office trash and destroying it.
- Invest in quality cross-shredders that destroy CDs, DVDs and other electronic media (which are covered by the new rules) if you handle disposal yourself.
- If you outsource information disposal — or contract out human resources tasks such as payroll and benefits administration — check to ensure that your vendors are also in compliance with the new regulations.
Data stored in your computer systems also needs to be accounted for and destroyed if necessary.
"In one recent case, a hospital got in trouble when it donated used computer equipment to a charity, without wiping some files containing private data off the hard drive," Foley says.
He and other experts recommend that business owners treat the FACTA requirements as a good start, rather than a comprehensive solution, in combating the problem of identity theft.
Partly that’s because more regulation is likely on the way. California, for example, has already passed laws that place a greater burden on businesses to protect personal data and notify people if their information is lost. Congress is also looking at adopting more stringent identity theft precautions — spurred on by ChoicePoint, LexisNexis and other recent high-profile identity-theft cases — just as Enron-type scandals drove the passage of the Sarbanes-Oxley Act of 2002.
Plus, the threat is increasing. With the incidence of identity theft going up (10 million cases annually and rising) and law enforcement struggling to keep pace (currently 1 of every 700 cases is prosecuted, according to one survey), the onus is on companies to protect themselves through measures such as:
Conduct a security risk assessment. Assign a team, or bring in an outside consultant, to spend a few days assessing your computer security, as well as physical security measures such as locks and visitor-entry procedures. Look at key issues such as:
- Are your computer safeguards — from firewalls to data encryption to anti-virus software — updated and operating as intended? Are passwords assigned to each user, then changed regularly?
- Are confidential files kept in locked cabinets in restricted-access areas?
- Do you keep the minimal amount of information needed about your employees and customers, and destroy it once it’s no longer of use?
- When employees leave or are re-assigned to other departments, are procedures in place for cutting off or adjusting their network connection and other access privileges?
And in the event information is stolen, do you have a plan for notifying law enforcement, and assisting your employees or customers in recovering from the theft? A survey conducted by the Privacy Rights Clearinghouse and the California Public Interest Research Group found that on average, identity-theft victims spend more than 100 hours researching and tracking the crime, and nearly two years correcting credit reports.
Eliminate weak links. Companies err by focusing heavily on technological issues while ignoring more mundane flaws in their corporate security, according to Foley.
"It’s important to invest in advanced computer security tools," he says, "but if there aren’t procedures in place for handling and destroying records once they’ve been printed, for example, it’s wasted money."
With all the attention given to online crime, it’s important to note that only a small percentage of identity theft occurs via the Internet — and that 70 percent of identity theft is perpetrated by corporate "insiders," according to a Michigan State University survey.
To minimize your risk of someone walking out the door with confidential records, for example, experts recommend conducting background checks on all new hires — and working with vendors that do the same; avoiding the use of temporary workers in sensitive departments like human resources, and restricting their access to passwords and keys; and carefully vetting service technicians and other outside staff working on-site.
Train and test. While most companies stress good service and "going the extra mile" for the customer, fewer train employees to be suspicious of requests that are out of place and may violate corporate policies. Experts recommend that you educate your staff about some of the tricks used by identity thieves — such as "phishing," the use of deceptive, official-looking e-mails to solicit information — and consider bringing in an outside consultant to periodically test your computer networks and day-to-day office security.
What’s clear is that identity theft is no longer a problem that only banks and big financial institutions have to worry about. A recent FBI report found that one in five victims is a small business. With the risk going up and new regulations to consider, being proactive now could help your business avoid headaches down the road.