Firms mandated to protect data

BY JOHN REID BLACKWELL
Media General News Service

Published: August 27, 2008

If they haven’t done so already, businesses should start thinking about whether they are protecting customers’ and employees’ personal information from identity theft.
By Nov. 1, many businesses need to be in compliance with new federal “red flag” rules, which require them to have a plan to prevent, detect and mitigate identity theft. Businesses will face fines if they don’t take precautions and then lose sensitive employee or customer information such as credit card and bank account numbers, birth dates, Social Security and driver’s license numbers.
Not every business has to comply with the rules — they apply to financial institutions and businesses that regularly extend credit such as automobile dealers, mortgage brokers, health-care providers and utility companies. But all businesses need to take preventive measures, an identity-theft prevention specialist said yesterday.
“It is better to be proactive than reactive” to the threat of identity theft, said Laura Millen, a risk management specialist and co-owner of Peak Performance Group in Chesterfield County. Millen spoke at a Retail Merchants Association meeting in Richmond yesterday.
A federal law passed in 2003 makes businesses responsible for securing personal information of customers and employees. Under the new regulations, certain businesses must adopt a written plan to protect the information. They also must train employees to know what information is sensitive and how to protect it.
Training employees is important, Millen said, because 50 percent of data breaches are the result of human error or malicious activity within a company. Businesses can buy software to keep computer hackers at bay, but “they can’t buy software that stops a dumb mistake like throwing customer records out in the trash.”
Under the new Federal Trade Commission regulations, a business could be fined $2,500 for each instance of data loss if it fails to take preventive steps. Yet the costs could far exceed the fines, Millen said.
One study by the Ponemon Institute showed that the average cost of data breaches to businesses in 2007 was $6.3 million. Another study showed that companies might lose 20 percent of their customers after suffering a breach. The cost of losing employees’ personal information could be 600 hours of lost productivity per employee, Millen said.
The Federal Trade Commission has identified certain red flags signaling attempted identity theft that businesses should watch for, such as suspicious documents and unusual use of accounts.
Consumers might notice businesses being more cautious about potential red flags such as damaged documents, and Millen said customers should be wary of businesses that don’t follow precautions.
Contact John Reid Blackwell at (804) 775-8123 or .
