Anderson & Associates Identity Theft Education Center
Due to the soaring cost to business of identity theft, our state and federal lawmakers have passed some VERY stringent laws that
apply to all businesses with one or more employees. Non-compliance could cost you, personally, or your business up to $1 million
in fines and up to 10 years in prison. There are federal and state laws requiring business owners to secure all personal information
(Social Security numbers, driver's license numbers, credit card numbers, date of birth, etc.) of their clients and employees. Some
87% of businesses are not aware that these laws affect them or that they even exist. Non-compliance could result in the closing of
the business, fines, penalties, criminal and civil litigation and, in fact, it is expected to be THE next hot class action target.
What is driving this crackdown on business, you may ask? Did you know that on July 1, 2006, 32 states passed laws that require
business owners to see a passport or Social Security card from each employee? The government admits that we have 10 million
illegal aliens in the country, but business experts put that number between 25 - 30 million. But just for argument's sake, let's
assume 10 million: if each one of those folks paid just $10 in FICA withholding each week, $100,000,000 would be going to the
Social Security Administration on a weekly basis. Given they are $4 TRILLION in debt, they have NO incentive to let the actual
owner of the Social Security number know that another 10, 20, 80 people are using that same Social Security number since they
only have to pay out to the real owner. But the IRS is going to take a real interest when they see how much "you" earned at your
10, 20 or 80 different jobs but none of "you" did the proper withholding. Some people think they will get extra money paid into
their social security account – but that is not correct, since your payment is based solely on the work that you personally have
performed – the real concern is when the IRS notices that “you” did not pay the federal and state withholding taxes – the real
“you” will either hire an attorney to fight the IRS or you will just pay them because it is less expensive or easier or you may spend
years trying to convince the IRS that you didn’t earn that money.
Disgruntled workers with access to the data files of their employer's clients or other company employees can make a lot of money
selling little pieces of you. They can sell your Social Security number identity, they can sell your credit card information or your
financial identity, and they can also sell your driver's license identity - which could have a negative impact on your
character/criminal identity if someone decided to rob a liquor store and get caught with "your" driver's license. As for the theft of
your medical identity, three recent articles in the Reader's Digest detail the devastation that can be caused by medical identity theft.
The government recently decided that the employees at all Department of Motor Vehicles needed to be able to recognize what the
driver's licenses of all the other states looked like so that when a resident of Florida moves to California, the CA DMV can
recognize a "real" Florida license. In order to assist these employees, the federal government made up a little book with the
EXACT specs on each state's driver's license. About a week after that book was mailed out to each state's DMV it was already
being sold on the internet, spawning a new and very lucrative business. All a criminal needs is a laptop computer, a printer, a
laminator and that little book, and they have themselves a very prosperous little criminal enterprise. The police cannot tell the
difference between the "real" license and the fake one. In fact, they can't tell the difference between the "database you" and the
"Real You" that looks back at you from your mirror!
What if a "database you" goes on a crime spree, gets caught and gives the police a copy of a driver's license with YOUR number
and some other address on it? The Real You will never get the Notice to Appear, and the identity thief is certainly not going to
show up at your trial. So a bench warrant goes out in your name, and the next time you are stopped for some routine traffic
violation, the Real You is going to jail.
How many times do the Bad Guys say, "OK, you got me"? Not often. It's more traditional to hear: "You've got the wrong guy. It
wasn't me!" Except this time, it WAS the "database you," even if it wasn't the Real You.
Database leaks stem primarily from a disbelief that Identity Theft is real - therefore, employers do not take the necessary
precautions to protect your information. The government is the enforcer, but their systems are antiquated and obsolete as well.
Take, for example, the Census Bureau: they are very proud that they have ONLY lost 1,200 laptop computers, each with millions of
names and reams of personal information on American citizens. So the government is clamping down HARD on businesses in part
because they lack either the will or ability to police themselves, and have even less impact on the criminal population.
The National Institute of Standards and Technology (NIST) clearly identifies “unauthorized access” as a type of security breach
that each business must address. That means each computer needs to be password protected and the password can't be on a
yellow sticky on the monitor. You need a clean desk policy at the end of each business day with ALL personal information locked
up. ID theft crime rings have set up "janitorial" businesses that come in at night and copy client and employee data files, go
through unlocked file cabinets and trash looking for personal information, employment applications, etc. Confidence men and
women can take jobs as low level temporary office employees and steal databases with all your client information.
In "The Coming Pandemic" (5/15/06 Chief Information Officer magazine), the writer says, "If you experience a security breach,
20% of your affected customer base will no longer do business with you. 40% will consider ending their relationship, and 5% will
be hiring lawyers!" The author also stated, "When it comes to cleaning up this mess, companies on average spend 1,600 work
hours per incident at a cost of $40,000 to $92,000 per victim."
Here is an overview of the major laws that affect ID theft and that have resulted in absolute liability to businesses that have not
secured their files.
The "Identity Theft and Assumption Act" recognized identity theft as a crime in 1998. Congress passed this law and established
the Federal Trade Commission as the lead agency to enforce and fine business for non-compliance. The FTC says that each year
since 1998, there has been twice as much ID theft reported than previously reported and even though it is severely under-
reported, it is estimated that as of July 2006, there have been over 88 million consumers affected by the reported breaches.
FACTA (federal legislation in effect since June 2005), grants additional rights to consumers and incorporates specific provisions
designed to help victims of ID theft and fraud, mainly that they are entitled to one free credit report per year from each of the 3
reporting agencies due to the proliferation of ID theft that is increasing steadily.
Gramm, Leach, Bliley Safeguard Rule (GLB), federal legislation since 1999, mandated a compliance deadline of 2001, and includes
a broad spectrum of qualifications, requirements and regulating parties. Eight federal agencies and individual states are charged
with managing and enforcing these regulations.
GLB applies to "financial institutions," but financial institution is so broadly defined that it includes not just banks, credit unions,
and securities brokers, but also real estate appraisers, insurance companies, automobile sales and leasing companies, companies
that operate travel agencies in connection with financial services, retailers that issue their own credit cards directly to consumers,
and any other entity that is "significantly involved in financial activities." The two regulations of GLB are the Financial Privacy Rule
and the Safeguards Rule. The Financial Privacy Rule addresses the collection and dissemination of customers’ information, while
the Safeguard Rule governs the processes and controls an organization uses to protect customers’ financial information.
The Safeguard Rule is enforced by the Federal Trade Commission. In addition to the public embarrassment of non-compliance,
organizations may be fined thousands of dollars per day while non-compliant.
GLB calls for businesses to:
1. Ensure the security and confidentiality of customer information
2. Protect against any anticipated threats or hazards to the security or integrity of such information and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any
customer.
In a nutshell, it requires that companies do the following:
1. Specify a person or group of people to be responsible for GLB compliance.
2. Identify security risks involving customer information.
3. Assess existing safeguards for protecting the privacy of customer information.
4. Implement any additional safeguards that are needed.
5. Monitor the effectiveness of safeguards.
6. Ensure that service providers are able to meet the GLB requirements.
7. Upgrade the organization's security program as necessary due to changing circumstances.
Betty Broder, who is the assistant director of the FTC's Division of Privacy and Identity Protection says, "You don't have to have
a perfect plan, but you MUST have a written plan describing how customer and employee data will be protected, and [have] an
officer on staff responsible for implementing that plan. We need to see that you've taken reasonable steps to protect your
customer's information." (Quote from American Bar Association 3/06 story, "Stolen Lives")
The 1/19/06 edition of Business and Legal Reports says, "One solution that provides an affirmative defense against potential fines,
fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or
not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft
and the protection you are making available, similar to what most employers do for health insurance..."
By having a mandatory meeting, the employees finally understand their responsibilities to protect the sensitive data of your business.
This issue and its ramifications can be overwhelming, BUT with a little help you can develop your own affirmative defense. As
stated above, offering your employees some sort of monitoring plan is just good business. The Kroll ID Theft Shield and Pre Paid
Life Events Legal Plan are the fastest growing employee benefits programs in the country.
The ID Theft Shield acts as an early warning detector for the employer because if several of your employees have been told they
are victims, the company knows the information leak is coming from the inside. The Shield takes care of the majority of the
restoration so the employee is at work instead of trying to fix their ID theft problem.
The Pre Paid Legal plan also helps the employer's bottom line by addressing the 50% of absenteeism due to personal problems.
When the employee has a legal issue, their lawyer can handle it minimizing employee stress, distraction and absenteeism.
Offering employees the Identity Theft Shield and Life Events Legal Plan as an employee benefit will focus their attention on the
issue of ID Theft and why they must be more careful with their employer's client's information - to say nothing of their own.
If you are interested in getting more information on the free federal compliance training that I can offer, please contact me. There
are not enough certified experts right now to do the employee compliance training for everyone who wants it, so first come first
served. You will be given everything you need (the written plan, the liability forms for the employees to sign, the mandatory
educational meeting with the employees) for no cost to the business.
I have tried to outline the compliance steps necessary and some of them you can do yourself. Remember: your plan doesn't have
to be perfect but you MUST have a written plan in place or you are not in compliance.
Businesses interested in protecting themselves can contact me at the number below.
K.J. Anderson III Is Your Business
191 Peachtree Street, 22nd Floor
Atlanta, GA 30303
404.474.2273
KJ3rd@KJ3rd.com
What Business Owners Can Do to Protect Their Most Valuable Asset and Why It's So Important