Wipfli LLP - CPAs and Consultants
Affiliates Contact Us Careers Events About Wipfli
 
subscribe
Rate Content

 
View all Information Technology articles

ID Theft: Tips for Businesses
July 01, 2007

These days, it’s almost impossible to conduct business and not collect personal information – including names and addresses, Social Security numbers, credit card numbers, and other account numbers – about your customers, employees, business partners, students, or patients. If this information falls into the wrong hands, it could put these individuals at risk for identity theft.

However, it’s important to note that not all information breaches result in identity theft, and the type of information compromised has a major impact on the degree of potential damage.

What steps should your organization take if personal information is ever compromised? Although the answers vary from case to case, the following guidance from the Federal Trade Commission (FTC), the nation's consumer protection agency, can get you started. Wipfli’s IT compliance consultants can help you check federal and state laws or regulations for any specific requirements for your business.

Notify law enforcement.

When a compromise might result in harm to a person or business, call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns of the theft, the more effective they can be.

If your local police are not familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service, the law enforcement arm of the USPS.

Notify affected businesses.

Information breaches can impact businesses other than yours, such as banks or credit issuers. If account access information has been stolen, such as credit card or bank account numbers, and you do not maintain the accounts, notify the institution that does so that it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of any information compromise as well.

If names and Social Security numbers have been stolen, you can contact the major credit bureaus for additional information or advice. If the compromise involves a large group of people and you are recommending that they request fraud alerts for their files, advise the credit bureaus. Your notice to the bureaus can facilitate appropriate customer assistance.

If the compromise resulted from the improper posting of personal information on your website, immediately remove the information from your site. Be aware that Internet search engines store, or “cache,” information for a period of time. You can contact search engine providers to ensure that they do not archive any personal information posted in error.

Notify affected individuals.

Early notification to individuals whose personal information has been compromised allows them to take steps to mitigate the misuse of their information. In deciding if notification is warranted, consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from misuse.

For example, thieves who have stolen names and Social Security numbers can use this information to cause significant damage to a victim's credit record. Individuals who are notified early can take steps to prevent or limit any harm.