Most of what you read and hear about identity theft relates to the extreme costs and hassles faced by individual victims. However, identity theft can also be devastating for companies.
Failure to protect customer data from identity thieves can result in long-lasting reputational damage, possible fines as well as legal liabilities. For each individual identity theft victim, there is usually a corresponding corporation, bank or government victim.
Manage Risk Through Preparation
Minimizing risks to your company from identity theft requires focus and preparation.
"It's much less costly to prepare properly run tests up front, conduct reviews and practice your reaction to risky situations than to spend the money on repairing damage after an identity theft incident," says Alan Brill, Senior Managing Director at New York-based Kroll Inc., a global risk consulting firm.
"Organizations that recognize the risks and plan accordingly tend to fare much better than those that have to learn crisis management in the middle of a crisis," Brill says.
Companies need to be prepared for a case of computer "hacking" or "phishing," physical theft of a computer or computers that contain sensitive personal information, or any other situation that could result in identity theft.
Phishing—where criminals entice your clients to give up their personal information through counterfeit e-mails or web sites—is increasingly common. A sound prevention practice is to adopt a policy that your company will never ask customers via e-mail for any personal or account information. You also want to make it easy for employees and customers to report suspicious e-mails or web sites.
Prevention Saves Money
Prevention begins with minimizing the data your company maintains. Review the customer information your organization collects and stores and ask: Do we actually use this data? Information that you collect but don't use creates needless risk.
For instance, some companies collect and store three-digit security codes on customer credit cards, even though industry regulations prohibit it. Some also keep certain data much longer than necessary.
A simple software patch or application of a few lines of firewall code can often prevent a painful, embarrassing and costly incident. For example, a recent case of hackers accessing a company's database servers through the Internet occurred because of a technical flaw, Brill says. Half a dozen lines of firewall code could have quickly, efficiently and effectively immunized the organization against that risk.
Other basic prevention steps include:
- Establishing company policies that restrict the transporting of customer data off site. At a minimum, companies should require strong encryption to secure all company laptop computers.
- Establishing policies aimed at ensuring password integrity (e.g., urging employees to select hard-to-guess passwords and not keep password lists in their desks).
- Implementing procedures to secure any customer information that is exchanged via e-mail or file transfer protocol (FTP).
If It Happens to You
If your company is victimized by identity theft, reduce potential damage by involving your general counsel immediately. More than 30 states have laws relating to notification in cases where personal information is released. "These laws are all somewhat different," Brill explains. "They each have their own triggers, reporting requirements and time frames. In dealing with people in multiple jurisdictions, you need good legal advice."
Planning well for identity theft also means using a team approach. You want to involve legal, internal audit, public affairs and even accounting and finance to expedite purchases and contracts that may be needed immediately to respond to cases of identity theft. Financial personnel should participate in planning too, since budget allocations may need to be adjusted to respond to a theft.
"Protecting your organization's reputation is vital," Brill says. "Act in a way that shows sensitivity, and follow a thoughtful and thorough plan if your company's information or that of your customers has been compromised."
No company or individual expects to be a victim of identity theft, but it truly can happen to anyone. So be prepared.