Adding anti-fraud training to your curricula
Read Time: 5 mins
Written By:
Sandra Damijan, Ph.D., CFE
Have you ever wondered what happens to your personal information (PI) after you give it to a company? I’m very cautious about handing out my PI because of the threat of identity theft, so I decided to start asking questions of those businesses that require this information.
Recently, I needed to rent a piece of equipment, so I went to a rental store. The store required that I submit a copy of my driver’s license and my credit card. I asked the manager where he would secure my information. He opened an unlocked file cabinet and showed me a file in which he kept the customer data. This cabinet, which was behind the sales counter, was accessible to anyone who worked there, including the nightly cleaning crew. I couldn’t know if my PI was safeguarded or if the file cabinet was locked every night. Also, the same PI had been scanned into a computer, so it was now located in two places within the business. The manager couldn’t answer how long my PI would be kept by the company or how (or if) it would be destroyed when it was no longer needed.
I asked the manager if I could get the copy of my license back when I returned the equipment, but he said he had to keep it on file.
I went to a furniture company to purchase a sofa. The store was running a “six months, no interest” promotion on any purchase, but to be eligible I would have to fill out an application that required my name, address, telephone number, Social Security number, credit card number, etc.
The sofa manufacturer, not the local store, was offering this promotion, which meant that the application would be faxed to another company in a different state followed by the original documents sent through the mail. Certainly, this wasn’t a secure way of handling my PI, so I declined the offer and paid for the sofa up front. The safeguarding of my PI was more important to me than an extended payment plan.
These two examples were at small businesses. However, I wondered how large organizations handled their customers’ PI. So I did some research. What I found prompted me to write this column to offer insight and safeguarding measures to small and large companies that handle PI.
Almost every organization, of course, holds a wealth of PI that if breached could be damaging to the business, its employees, vendors and customers. The company potentially could suffer monetary consequences through investigations, fines or lawsuits. Customer confidence also might be strained. Employees and customers could be affected by identity theft.
Here are some of the key questions organizational leaders should ask themselves:
• What are the different kinds of PI the organization collects internally and externally?
• Where are current and inactive customer files containing PI kept?
• How secure are these files?
• How is this PI protected?
• Who has access to this PI?
• How is the PI disposed of when it’s no longer needed?
• What would happen if there was a security breach of this PI and how would it be handled?
We’ll first outline some of the different types of PI that organizations hold and how thieves could access this PI. We’ll give several examples of major data breaches and reasons why organizations need to protect this PI. We’ll conclude by reviewing the Federal Trade Commission’s (FTC) five key principles of a sound security plan.
A business typically collects some or all of the following PI on its employees, business partners and customers:
• Employee, vendor and customer names and their addresses and phone numbers
• Employee ID numbers and vendor tax ID numbers
• Social Security numbers
• Direct-deposit account numbers (payroll purposes)
• Savings account numbers (payroll purposes)
• U.S. W-2s
• Mother’s maiden name
• Copies of checks (customer, vendor, employee)
• U.S. government forms such as 940s (annual federal unemployment tax returns) and 941s (quarterly federal tax returns)
• Credit card information
• Copies of drivers’ licenses (company policy or for U.S. Form I-9 – employment eligibility verification)
• Copies of U.S. Social Security cards (for Form I-9)
• Copies of credit reports
• Copies of police background checks
Thieves can access your company’s PI in many ways: from simple but reliable dumpster diving to sophisticated hacking into your company’s computer system, and every method in between.
Sometimes a fraudster will use pretexting: posing as a government agent, landlord or other official and tricking employees into sharing PI. Con artists bribe employees to divulge PI. Fraudsters might steal files or laptops from cars in the company parking lot or break into the office or warehouse where files are stored. Remember that PI is like money – fraudsters will find creative ways to find it and make it theirs.
Some of the more notable data breaches in U.S. history include those at TJ Maxx/Marshalls, Wells Fargo, the U.S. Department of Veterans Affairs’ Medical Center, and, more recently, Hannaford Brothers Markets. The number of accounts exposed in these data breaches ranged from the thousands to millions.
The www.privacyrights.org website reported that in January 2007, TJ Maxx/Marshalls experienced a data breach when someone hacked into its computer system and “accessed customer transactions, which included credit and debit cards, checks, and merchandise return information.” The website also reported that recent court filings showed that approximately 100 million accounts were exposed by this breach, and that it was estimated the company incurred millions in expenses.
Jaikumar Vijayan, senior editor of Computerworld, reported in a Sept. 1, 2006, story that Wells Fargo has had a number of data breaches. In 2003, the bank reported that computers with PI were stolen. In 2004, a laptop containing PI was stolen from the car of a Wells Fargo employee. According to Vijayan’s report, this particular breach exposed approximately 35,000 bank customers to possible fraud. And according to a September 2006 chronology of data breaches posted on www.privacyrights.org, there was yet another breach when a computer containing bank personnel PI was stolen from the car of a Wells Fargo auditor.
Privacyrights.org also reported in 2006 that PI on 26.5 million veterans was breached from the U.S. Department of Veterans Affairs when it was stolen from an employee’s home. The website also documented that, in February 2007, a second breach occurred when an employee reported a portable hard drive stolen. It’s estimated that approximately 535,000 veterans and 1.3 million doctors were exposed by that breach, which was estimated to have cost the veterans affairs office more than $20 million to date.
More recently, in March 2008, Hannaford Brothers Markets, a supermarket chain, announced a data breach of approximately 4.2 million credit and debit card numbers, all of which were stolen during the card authorization process. I happened to be one of the cardholders who might have been affected by this data breach. I cancelled my debit card the next day after hearing about the breach on the local news. We haven’t yet seen the full fallout from this data breach because allegedly lawsuits are pending.
Privacyrights.org published a review of breaches from January 2007 to March 2008, which included reasons for these breaches that I’ve compiled in a list. (See “Reasons for Breaches of Company Data” at the bottom.)
Based on this list, it’s clear that organizations need to have policies in place to protect PI they collect. As instances of identity theft increase, customers are becoming more concerned about their privacy and how their PI is safeguarded. When organizations have a data breach and it’s publicized, customers might avoid doing business with those companies. Those companies then have to spend time and money rebuilding customer confidence. Safeguarding PI also is important to preventing lawsuits that might be filed in the aftermath of a data breach. Companies need to consider that the costs of paying legal damages and rebuilding customer confidence can outweigh the costs of preventing data breaches. Also, federal and state laws might require companies to implement certain security practices to protect consumer information.
The U.S. Federal Trade Commission (FTC) has outlined five key principles of a sound security plan in its brochure, “Protecting Personal Information: A Guide for Business”: 1) Take stock. 2) Scale down. 3) Lock it. 4) Pitch it. 5) Plan ahead.
Taking stock refers to tracing the flow of PI through your organization. How do you collect it? Where is it stored? Where are the backups? Who has access to it?
Next, scale down by only collecting PI that’s necessary for the operation of your business. If you don’t need a particular piece of PI, then don’t collect it. Don’t collect Social Security numbers unless they’re absolutely necessary. More importantly, they shouldn’t be used as customer identification numbers. Develop records retention policies that outline the collection, security and disposal practices of company files.
Lock all PI at all times; access to it should be limited. PI shouldn’t be left out on desks when not in use or when the employee with designated custody of that PI isn’t present in the room. Write protocols for visitor access to the building to minimize potential PI theft. Protect all computerized PI through appropriate security measures. Write policies on how to handle PI when it’s being taken off the premises via laptops, compact discs, memory sticks, smartphones, MP3 players and other devices.
Typical ways to dispose of paper records include burning, shredding or pulverizing them. When you dispose of electronic PI, ensure that all files have been deleted completely. The FTC recommends using computer hard-drive wipe utility programs for this purpose.
Organizations should prepare by developing an action plan on responding to a data breach.
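The “take stock” step asks where PI actually lives, and on a file share the honest answer is usually “we don’t know.” The following added example (not from the FTC brochure or the article) is a small PI discovery scanner: it checks text for Social Security number patterns that the SSA could actually have issued and for card numbers that pass the Luhn checksum, so random digit runs such as order references don’t produce false hits. The file names and contents are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample "files" standing in for a scan of a file share (not real data).
SAMPLE_FILES = {
    "rentals/2008-03-contract.txt": "Customer: J. Doe, DL on file, card 4111 1111 1111 1111 exp 01/10",
    "hr/onboarding.txt": "Form I-9 verified. SSN 219-09-9999 recorded for payroll.",
    "sales/invoice-42.txt": "Order total $412.00; reference 1234567890 (no PI).",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    # SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    # Luhn checksum rejects most digit runs that merely look like card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pi(text: str) -> List[str]:
    # Return the PI categories found in one document's text.
    found = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("card")
    return found

def inventory(files: Dict[str, str]) -> Dict[str, List[str]]:
    # Map each location to the PI it holds: the record the "take stock" step needs,
    # based on where PI actually is rather than where policy assumes it is.
    return {path: kinds for path, text in files.items() if (kinds := find_pi(text))}

if __name__ == "__main__":
    for path, kinds in inventory(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(kinds)}")
```

The same inventory output can drive the later steps: each location listed is one that needs an access-control decision (“lock it”) and a retention date (“pitch it”).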
Organizations collect and store many different types of PI on employees, vendors and customers. A data breach could damage customer confidence in the organization, attract lawsuits, result in fines – or perhaps even more damaging – lead to identity theft.
No doubt, your organization in the past has digested PI-protection methods from the main office, government agencies and consumer groups. However, one more review could remind you to install extra preventative measures that could save your company loss of reputation, customers, and profits.
Diane L. Boone, DBA, Educator Associate Member, is an associate professor of business administration at the University of Maine at Augusta and owner of DLB Consulting.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to FraudMagazine@ACFE.com.