Business Data Breach & Customer ID Theft
We tend to think of identity theft as something that only affects individuals who fail to safeguard their personal information, often the result of a compromised password or sensitive data pulled from the garbage. But businesses that collect personal information such as addresses, credit card numbers or even Social Security numbers have a great responsibility to prevent data breaches and protect their customers from identity theft.
Types of Business Data Breaches
Personal information potentially used to steal one's identity or illegally access financial accounts can be compromised in a number of different ways:
- Unintended Disclosure - Information is mistakenly disclosed online or sent to the wrong party via email, fax or other means.
- Hacking or Malware - An outside party gains electronic entry, either directly or through malware (e.g. spyware or Trojan horses).
- Payment Card Fraud - A thief uses a skimming device or other method to obtain credit card numbers at a retail counter.
- Insider - An employee, contractor or other individual with legitimate access intentionally breaches otherwise secure data.
- Physical Loss - Lost, stolen or discarded paper documents with sensitive customer data are obtained by identity thieves.
- Portable Device - Lost or stolen computer, smartphone, memory device, CD or hard drive falls into the wrong hands.
Not all data breaches result in identity theft. For example, stolen credit card numbers can be used until the customer cancels his or her account but generally don't give the thief access to one's identity (which typically requires an address, date of birth and Social Security number).
Contacting Law Enforcement
Notifying your local police department immediately after learning of a breach of customer data is the best way to minimize the damage, and it also demonstrates a good faith effort to protect your customers. Most states have laws requiring businesses to notify the police, business partners and customers if their personal data has been compromised.
If your local police department is not experienced with identity theft or other information security matters, contact your local FBI or U.S. Secret Service office. For incidents involving mail theft, call the local office of the U.S. Postal Inspection Service.
Notifying Other Businesses
A data breach can sometimes affect banks, credit issuers, business partners or other organizations. If account information such as credit card or bank account numbers has been stolen, but you don't maintain those accounts, be sure to call the relevant financial institutions so they can monitor for fraudulent activity.
If names and Social Security numbers are stolen, contact one of the following main credit bureaus for assistance:
- TransUnion: 1-800-719-1636; DataBreach@transunion.com
- Equifax: 1-800-685-1111; BusinessRecordSecurity@equifax.com
- Experian: 1-888-EXPERIAN (397-3742); BusinessRecordsVictimAssistance@experian.com
Notifying Customers & Other Individuals
Early response to a data security breach is the key to preventing, or minimizing the damage from, identity theft or other potential misuse of personal information. While most states require businesses to notify customers about known data breaches, a federal bill known as the Data Accountability and Trust Act is expected to pass soon.
The Federal Trade Commission recommends consulting with local law enforcement officials before releasing a notification so it doesn't impede the investigation. The FTC also suggests businesses designate a contact person to facilitate the notification process, using letters, web sites and toll-free numbers to communicate with affected individuals.
Your security breach notice should generally follow these guidelines:
- Describe clearly what is known about the compromise, including how it happened, what data was taken and (if possible) how information has been used by thieves and what actions have been taken to remedy the situation.
- Explain how people should respond to the data breach, including the contact information of appropriate organizations and agencies.
- Include current information about identity theft in general: www.ftc.gov/idtheft.
- Provide contact information for law enforcement officers working on the case, making sure to inform the officers that you have shared their contact information.
- Encourage victims of identity theft to file a complaint with the FTC at www.ftc.gov/idtheft or by calling 1-877-ID-THEFT.
Protecting Personal Information
It's in the best interests of every business to prevent data security breaches in the first place. The FTC suggests the following five principles for protecting the sensitive information of your customers and business partners (the FTC publishes more detailed guidance on each):
- Take Stock: Know what personal information is in your organization's files and computers. This includes smart phones, removable flash drives and information that may be shared with other organizations.
- Scale Down: If you don't need it, it's a potential liability and should be securely disposed of. As a rule of thumb, only keep personal information for which there is a legal or business necessity.
- Lock It: Make sure all personal information is both physically and electronically secure, which includes knowing exactly where all sensitive data is stored. Remember that any security system is only as strong as its weakest link.
- Pitch It: Use wipe utility programs to thoroughly erase any possible personal data from all decommissioned computers and make sure you shred paper records before recycling them. Identity thieves often find valuable information in the garbage.
- Plan Ahead: Devise a plan for responding to security breaches before they happen. A swift and professional response is key to recovering from a potentially damaging data security breach.
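The "Take Stock" principle above asks you to know where personal information lives in your files. As an added illustration (not part of the original article or any FTC tool), the following Python script scans a set of constructed sample documents for the two data types the article highlights, credit card numbers and Social Security numbers, using a Luhn check to weed out card-like number runs that are not real card numbers, and records only the last four digits so the inventory itself does not become a new store of sensitive data.

```python
import re

# Constructed sample "files" standing in for an organization's documents.
# 4111 1111 1111 1111 is a well-known Visa test number that passes Luhn;
# the "Ref" number and the "Order number" look similar but are not PII.
SAMPLE_FILES = {
    "invoices/2023-q1.txt": "Customer 4111 1111 1111 1111 paid on 03/04. Ref 1234 5678 9012 3456.",
    "hr/onboarding.txt": "Employee SSN 123-45-6789, start date 2023-05-01.",
    "notes/misc.txt": "Order number 987-65-4321x and meeting at 10:00.",
}

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# AAA-GG-SSSS with the area/group/serial values the SSA never issues excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, last4) tuples for each likely card number or SSN in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("card", digits[-4:]))   # never store the full PAN
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()[-4:]))
    return findings


def inventory(files: dict) -> dict:
    """Map each path to its findings, omitting files with nothing sensitive."""
    result = {}
    for path, text in files.items():
        found = scan_text(text)
        if found:
            result[path] = found
    return result


if __name__ == "__main__":
    for path, found in inventory(SAMPLE_FILES).items():
        print(path, found)
```

Run it against a real document tree by replacing SAMPLE_FILES with file contents read from disk; the Luhn check is what keeps reference numbers and order IDs out of the report.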