We tend to think of identity theft as something that only affects individuals who fail to safeguard their personal information, often the result of a compromised password or sensitive data pulled from the garbage. But businesses that collect personal information such as addresses, credit card numbers or even Social Security numbers have a great responsibility to prevent data breaches and protect their customers from identity theft.
This article covers the various types of business data breaches, including ways to minimize your risks and -- if a breach has occurred -- how to respond. See FindLaw's Internet and E-Commerce section for related articles.
Types of Business Data Breaches
Personal information potentially used to steal one's identity or illegally access financial accounts can be compromised in a number of different ways:
Not all data breaches result in identity theft. For example, stolen credit card numbers can be used until the customer cancels his or her account but generally don't give the thief access to one's identity (which typically requires an address, date of birth and Social Security number).
Contacting Law Enforcement
Notifying your local police department immediately after learning about a data breach of customer data is the best way to minimize the damage and also demonstrates a good faith effort to protect your customers. Most states have laws requiring businesses to notify the police, business partners and customers if their personal data has been compromised.
If your local police department is not experienced with identity theft or other information security matters, contact your local FBI or U.S. Secret Service office. For incidents involving mail theft, call the local office of the U.S. Postal Inspection Service.
Notifying Other Businesses
A data breach can sometimes affect banks, credit issuers, business partners or other organizations. If account information such as credit card or bank account numbers has been stolen, but you don't maintain those accounts, be sure to call the relevant financial institutions so they can monitor for fraudulent activity.
If names and Social Security numbers are stolen, contact one of the following main credit bureaus for assistance:
Notifying Customers & Other Individuals
Early response to a data security breach is the key to preventing, or minimizing the damage from, identity theft or other potential misuse of personal information. While most states require businesses to notify customers about known data breaches, a federal bill known as the Data Accountability and Trust Act is expected to pass soon.
The Federal Trade Commission recommends consulting with local law enforcement officials before releasing a notification so it doesn't impede the investigation. The FTC also suggests businesses designate a contact person to facilitate the notification process, using letters, web sites and toll-free numbers to communicate with affected individuals.
Your security breach notice should generally follow these guidelines:
Protecting Personal Information
It's in the best interests of every business to prevent data security breaches in the first place. The FTC suggests the following five principles for protecting the sensitive information of your customers and business partners:
Need Compliance Assistance? Contact an Attorney
As a business owner, you have certain responsibilities with respect to the privacy and handling of customer data. In addition to following the best practices discussed above, you also may want to speak with a business and commercial law attorney to ensure that you are in compliance with all applicable laws and regulations.