Businesses can be victims of identity theft, especially in the financial services industries. A Federal Trade Commission survey, published in September 2003, estimated that the total loss to businesses, including financial institutions, was $50 billion last year alone.
In addition to potential losses due to identity theft, businesses have important responsibilities in protecting the privacy and security of confidential customer information. Every business that collects and maintains any customer information should adopt a strict policy that covers the following:
- Acquisition of customer information. Clear limits should be placed on the type of customer information that is necessary. For most businesses, there is no clear and compelling reason to collect social security numbers. Companies should review their data collection practices and eliminate the collection of all non-essential customer information.
- Use of social security numbers as employee or customer identifiers. Companies should avoid using social security numbers to identify customer accounts. Do not use social security numbers for employee or customer ID numbers. Do not print employee social security numbers on payroll checks.
- Conduct regular background checks on ALL employees with access to identifying information. That should include even personnel assigned to company mailrooms, cleaning crews, temporary workers and computer or other information technology staff. Partial criminal background checks are available from the Colorado Bureau of Investigation (a $6.85 charge will apply). You can research Colorado criminal history online. This will not include federal criminal history or criminal history from the other 49 states.
- Store all customer files in a safe and secure location. Companies need to evaluate all security measures surrounding the storage of confidential customer information. This includes both paper and electronic documents. Access should be strictly limited to essential personnel trained in handling and protecting such confidential information. Adequate electronic safeguards must be in place to protect against unauthorized access to computer files and back-up storage tapes. Authorized access to computers should be protected by secure log-on and password procedures.
- Provide customers with clear policies regarding privacy. All customers should be given a clear and understandable company policy regarding the treatment and handling of confidential information supplied by customers. That policy should clearly describe what information is collected, safety and security measures in place to protect that information, whether the company sells or otherwise shares such information with affiliates or third parties, and the company's policies and procedures on document (both paper and electronic) destruction.
- Immediately report any breach in security. In the event of any unauthorized access to documents containing confidential customer information, have policies and procedures in place to isolate the information that has been compromised and promptly notify all affected customers of the breach. Also, promptly notify the appropriate law enforcement office of the breach.
- Dispose of customer information in a safe and secure manner. Companies should have specific policies in place for the destruction and disposal of documents (paper and electronic) containing confidential customer information. Do not simply discard files into a dumpster or delete files off of a computer. Records should be shredded to prevent “dumpster diving” through the business’s trash. Electronic files must be rendered unreadable, undecipherable, and unrecoverable.
Effective January 1, 2007, Colorado consumers will have greater protections regarding the use of their Social Security Numbers. On March 31, 2006, Governor Owens signed into law House Bill 06-1156, amending the Colorado Consumer Protection Act and providing that a person or entity may not do the following:
- Publicly post or display in any manner an individual’s SSN
- Print an individual’s SSN on any card required for the individual to access products or services provided by the person or entity
- Require an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted
- Require an individual to use his or her SSN to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required
- Print an individual’s SSN on any materials that are mailed to the individual, unless state or federal law requires, permits, or authorizes the SSN to be mailed. NOTE: SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the SSN. However, an SSN permitted to be mailed MAY NOT be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or be visible on the envelope or without the envelope having been opened.