Due to the soaring cost to business of identity theft, our state and federal lawmakers have passed some VERY stringent laws that apply to all businesses with one
or more employees. Non-compliance could cost you, personally, or your business up to $1 million in fines and up to 10 years in prison. There are federal and state
laws requiring business owners to secure all personal information (Social Security numbers, driver's license numbers, credit card numbers, date of birth, etc.) of
their clients and employees. Some 87% of businesses are not aware that these laws affect them or that they even exist. Non-compliance could result in the closing
of the business, fines, penalties, criminal and civil litigation and, in fact, it is expected to be THE next hot class action target.
What is driving this crackdown on business, you may ask? Did you know that on July 1, 2006, 32 states passed laws that require business owners to see a
passport or Social Security card from each employee? The government admits that we have 10 million illegal aliens in the country, but business experts put that
number between 25 - 30 million. But just for argument's sake, let's assume 10 million: if each one of those folks paid just $10 in FICA withholding each week,
$100,000,000 would be going to the Social Security Administration on a weekly basis. Given they are $4 TRILLION in debt, they have NO incentive to let the
actual owner of the Social Security number know that another 10, 20, 80 people are using that same Social Security number since they only have to pay out to the
real owner. But the IRS is going to take a real interest when they see how much "you" earned at your 10, 20 or 80 different jobs but none of "you" did the proper
withholding. Some people think they will get extra money paid into their Social Security account, but that is not correct, since your payment is based solely on the
work that you personally have performed. The real concern is when the IRS notices that "you" did not pay the federal and state withholding taxes. The real "you"
will either hire an attorney to fight the IRS, or just pay them because it is less expensive or easier, or spend years trying to convince the IRS that
you didn't earn that money.
Disgruntled workers with access to the data files of their employer's clients or other company employees can make a lot of money selling little pieces of you. They
can sell your Social Security number identity, they can sell your credit card information or your financial identity, and they can also sell your driver's license identity
- which could have a negative impact on your character/criminal identity if someone decided to rob a liquor store and get caught with "your" driver's license. As for
the theft of your medical identity, three recent articles in the Reader's Digest detail the devastation that can be caused by medical identity theft.
The government recently decided that the employees at all Department of Motor Vehicles needed to be able to recognize what the driver's licenses of all the other
states looked like so that when a resident of Florida moves to California, the CA DMV can recognize a "real" Florida license. In order to assist these employees, the
federal government made up a little book with the EXACT specs on each state's driver's license. About a week after that book was mailed out to each state's DMV
it was already being sold on the internet, spawning a new and very lucrative business. All a criminal needs is a laptop computer, a printer, a laminator and that little
book, and they have themselves a very prosperous little criminal enterprise. The police cannot tell the difference between the "real" license and the fake one. In fact,
they can't tell the difference between the "database you" and the "Real You" that looks back at you from your mirror!
What if a "database you" goes on a crime spree, gets caught and gives the police a copy of a driver's license with YOUR number and some other address on it?
The Real You will never get the Notice to Appear, and the identity thief is certainly not going to show up at your trial. So a bench warrant goes out in your name,
and the next time you are stopped for some routine traffic violation, the Real You is going to jail.
How many times do the Bad Guys say, "OK, you got me"? Not often. It's more traditional to hear: "You've got the wrong guy. It wasn't me!" Except this time, it
WAS the "database you," even if it wasn't the Real You.
Database leaks stem primarily from a disbelief that Identity Theft is real - therefore, employers do not take the necessary precautions to protect your information.
The government is the enforcer, but their systems are antiquated and obsolete as well. Take, for example, the Census Bureau: they are very proud that they have
ONLY lost 1,200 laptop computers, each with millions of names and reams of personal information on American citizens. So the government is clamping down
HARD on businesses in part because they lack either the will or ability to police themselves, and have even less impact on the criminal population.
The National Institute of Standards and Technology (NIST) clearly identifies “unauthorized access” as a type of security breach that each business must address.
That means each computer needs to be password protected and the password can't be on a yellow sticky on the monitor. You need a clean desk policy at the end
of each business day with ALL personal information locked up. ID theft crime rings have set up "janitorial" businesses that come in at night and copy client and
employee data files, go through unlocked file cabinets and trash looking for personal information, employment applications, etc. Confidence men and women can
take jobs as low level temporary office employees and steal databases with all your client information.
In "The Coming Pandemic" (5/15/06 Chief Information Officer magazine), the writer says, "If you experience a security breach, 20% of your affected customer
base will no longer do business with you. 40% will consider ending their relationship, and 5% will be hiring lawyers!" The author also stated, "When it comes to
cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim."
Here is an overview of the major laws that affect ID theft and that have resulted in absolute liability to businesses that have not secured their files.
The "Identity Theft and Assumption Act" recognized identity theft as a crime in 1998. Congress passed this law and established the Federal Trade Commission as
the lead agency to enforce and fine businesses for non-compliance. The FTC says that each year since 1998, there has been twice as much ID theft reported as
previously reported, and even though it is severely under-reported, it is estimated that as of July 2006, there have been over 88 million consumers affected by the
reported breaches.
FACTA (federal legislation in effect since June 2005) grants additional rights to consumers and incorporates specific provisions designed to help victims of ID
theft and fraud, mainly that they are entitled to one free credit report per year from each of the 3 reporting agencies due to the proliferation of ID theft that is
increasing steadily.
Gramm-Leach-Bliley Safeguard Rule (GLB), federal legislation since 1999, mandated a compliance deadline of 2001, and includes a broad spectrum of
qualifications, requirements and regulating parties. Eight federal agencies and individual states are charged with managing and enforcing these regulations.
GLB applies to "financial institutions," but financial institution is so broadly defined that it includes not just banks, credit unions, and securities brokers, but also real
estate appraisers, insurance companies, automobile sales and leasing companies, companies that operate travel agencies in connection with financial services,
retailers that issue their own credit cards directly to consumers, and any other entity that is "significantly involved in financial activities." The two regulations of
GLB are the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule addresses the collection and dissemination of customers’ information,
while the Safeguard Rule governs the processes and controls an organization uses to protect customers' financial information.
The Safeguard Rule is enforced by the Federal Trade Commission. In addition to the public embarrassment of non-compliance, organizations may be fined
thousands of dollars per day while non-compliant.
GLB calls for businesses to:
1. Ensure the security and confidentiality of customer information
2. Protect against any anticipated threats or hazards to the security or integrity of such information and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
In a nutshell, it requires that companies do the following:
1. Specify a person or group of people to be responsible for GLB compliance.
2. Identify security risks involving customer information.
3. Assess existing safeguards for protecting the privacy of customer information.
4. Implement any additional safeguards that are needed.
5. Monitor the effectiveness of safeguards.
6. Ensure that service providers are able to meet the GLB requirements.
7. Upgrade the organization's security program as necessary due to changing circumstances.
Betty Broder, who is the assistant director of the FTC's Division of Privacy and Identity Protection, says, "You don't have to have a perfect plan, but you MUST
have a written plan describing how customer and employee data will be protected, and [have] an officer on staff responsible for implementing that plan. We need to
see that you've taken reasonable steps to protect your customer's information." (Quote from American Bar Association 3/06 story, "Stolen Lives")
The 1/19/06 edition of Business and Legal Reports says, "One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer
some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection
available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health
insurance..."
By having a mandatory meeting, the employees finally understand their responsibilities to protect the sensitive data of your business.
This issue and its ramifications can be overwhelming, BUT with a little help you can develop your own affirmative defense. As stated above, offering your
employees some sort of monitoring plan is just good business. The Kroll ID Theft Shield and Pre Paid Life Events Legal Plan are the fastest growing employee
benefits programs in the country.
The ID Theft Shield acts as an early warning detector for the employer because if several of your employees have been told they are victims, the company knows
the information leak is coming from the inside. The Shield takes care of the majority of the restoration so the employee is at work instead of trying to fix their ID
theft problem.
The Pre Paid Legal plan also helps the employer's bottom line by addressing the 50% of absenteeism due to personal problems. When the employee has a legal
issue, their lawyer can handle it, minimizing employee stress, distraction and absenteeism.
Offering employees the Identity Theft Shield and Life Events Legal Plan as an employee benefit will focus their attention on the issue of ID Theft and why they
must be more careful with their employer's clients' information - to say nothing of their own.
If you are interested in getting more information on the free federal compliance training that I can offer, please contact me. There are not enough certified experts
right now to do the employee compliance training for everyone who wants it, so first come first served. You will be given everything you need (the written plan,
the liability forms for the employees to sign, the mandatory educational meeting with the employees) for no cost to the business.
I have tried to outline the compliance steps necessary and some of them you can do yourself. Remember: your plan doesn't have to be perfect but you MUST have
a written plan in place or you are not in compliance.
Businesses interested in protecting themselves can contact me at the number below.
K.J. Anderson III
191 Peachtree Street, 22nd Floor
Atlanta, GA 30303
404.474.2273
KJ3rd@KJ3rd.com
What Business Owners Can Do to Protect Their Most Valuable Asset and Why It's So Important