What business owners can do to protect their most valuable asset
By BELINDA ETEZAD RACHMAN, Esq., Certified Identity Theft Risk Management Specialist
Saturday, March 31, 2007

Have an affirmative defense and mitigate your damages!
Due to the prevalence of identity theft, our state and federal lawmakers have passed some very stringent laws that apply to all businesses with one or more employees. Non-compliance could cost a business owner or a company up to $1 million in fines and up to 10 years in prison.
There are federal and state laws requiring business owners to secure all personal information (Social Security numbers, driver's license numbers, credit card numbers, date of birth, etc.) of their clients and employees. Some 87 percent of businesses are not aware that these laws affect them or that they even exist. Non-compliance could result in the closing of the business, fines, penalties, and criminal and civil litigation. It is expected to be the next hot class action target.
What is driving this crackdown on business?
On July 1, 2006, 32 states passed laws that require business owners to see a passport or Social Security card from each employee. The U.S. government admits there are 10 million illegal immigrants in the country. Business experts put that number between 25 million and 30 million.

Assuming there are 10 million illegal immigrants, about $100 million would be going to the Social Security Administration on a weekly basis if each paid just $10 in FICA withholding each week. Given the $4 trillion deficit, there is no incentive to let the actual owner of the Social Security number know that another 10, 20 or 80 people are using that same Social Security number, since the government only has to pay out to the real owner. But the IRS is going to take a real interest when they see how much "you" earned at your 10, 20 or 80 different jobs without the proper withholding.
Some people incorrectly think they will get extra money paid into their Social Security account; however, payment is based solely on the work that you personally have performed. The real concern is when the IRS notices that "you" did not pay the federal and state withholding taxes -- the real "you" will either hire an attorney to fight the IRS or you will just pay them because it is either less expensive or easier than spending years trying to convince the IRS that you didn’t earn that money.
Disgruntled workers with access to the data files of their employer's clients or other company employees can make a lot of money selling little pieces of you. They can sell your Social Security number identity, they can sell your credit card information or your financial identity, and they can also sell your driver's license identity - which could have a negative impact on your character/criminal identity if someone decided to rob a liquor store and got caught with "your" driver's license.
As for the theft of your medical identity, three recent articles in the Reader's Digest detail the devastation that can be caused by medical identity theft.
The government recently determined that employees at all Departments of Motor Vehicles must be able to recognize what the driver's licenses of all the other states look like so that when a resident of Florida moves to California, the California DMV can recognize a "real" Florida license.
In order to assist these employees, the federal government distributed a book with the exact specifications on each state's driver's license. About a week after that book was mailed to each state's DMV, it was already being sold on the Internet, spawning a new and very lucrative business.
All a criminal needs is a laptop computer, a printer, a laminator, that little book, and they have themselves a very prosperous criminal enterprise. The police cannot tell the difference between the "real" license and the fake one. In fact, they can't tell the difference between the "database you" and the "Real You" that looks back at you from your mirror!
What if a "database you" goes on a crime spree, gets caught and gives the police a copy of a driver's license with your number and some other address on it? The "Real You" will never get the Notice to Appear, and the identity thief is not going to show up at your trial. A bench warrant goes out in your name, and the next time you are stopped for a routine traffic violation, the "Real You" is going to jail.
Database leaks stem primarily from a disbelief that identity theft is real. Therefore, employers do not take the necessary precautions to protect your information.
The government is the enforcer, but its systems are antiquated. Take, for example, the Census Bureau, an agency that says it has ONLY lost 1,200 laptop computers, each with millions of names and reams of personal information on U.S. citizens. In turn, the government is clamping down on businesses in part because they lack either the will or ability to police themselves, and have even less impact on the criminal population.
The National Institute of Standards and Technology (NIST) clearly identifies "unauthorized access" as a type of security breach that each business must address. That means each computer needs to be password protected and the password can't be on a yellow sticky on the monitor. You need a clean desk policy at the end of each business day with all personal information locked up. ID theft crime rings have set up "janitorial" businesses that come in at night and copy client and employee data files, go through unlocked file cabinets and trash looking for personal information, employment applications, etc. Men and women can take jobs as low level temporary office employees and steal databases with all your client information.
In "The Coming Pandemic" (Chief Information Officer magazine, 5/15/06), the writer says, "If you experience a security breach, 20% of your affected customer base will no longer do business with you. 40% will consider ending their relationship, and 5% will be hiring lawyers!" The author also stated, "When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim."
Here is an overview of the major laws that affect ID theft and that have resulted in absolute liability to businesses that have not secured their files.
The "Identity Theft and Assumption Act" recognized identity theft as a crime in 1998. Congress passed this law and established the Federal Trade Commission as the lead agency to enforce and fine businesses for non-compliance. The FTC says that each year since 1998, there has been twice as much ID theft reported as previously reported, and even though it is severely under-reported, it is estimated that as of July 2006, there have been over 88 million consumers affected by the reported breaches.
FACTA (federal legislation in effect since June 2005) grants additional rights to consumers and incorporates specific provisions designed to help victims of ID theft and fraud, mainly that they are entitled to one free credit report per year from each of the three reporting agencies due to the proliferation of ID theft that is increasing steadily.
Gramm-Leach-Bliley Safeguards Rule (GLB), federal legislation since 1999, mandated a compliance deadline of 2001, and includes a broad spectrum of qualifications, requirements and regulating parties. Eight federal agencies and individual states are charged with managing and enforcing these regulations.
GLB applies to every business!
The two regulations of GLB are the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule addresses the collection and dissemination of customers’ information, while the Safeguards Rule governs the processes and controls an organization uses to protect customers’ financial information.
The Safeguards Rule is enforced by the Federal Trade Commission. In addition to the public embarrassment of non-compliance, organizations may be fined thousands of dollars per day while non-compliant.
GLB calls for businesses to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and,
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
In a nutshell, it requires that companies do the following:
Specify a person or group of people to be responsible for GLB compliance.
Identify security risks involving customer information.
Assess existing safeguards for protecting the privacy of customer information.
Implement any additional safeguards that are needed.
Monitor the effectiveness of safeguards.
Ensure that service providers are able to meet the GLB requirements.
Upgrade the organization's security program as necessary due to changing circumstances.
California SB 1386 (Data Breach Notifications), effective July 1, 2003 -- Any business having even one customer in California is required to publicly disclose computer security breaches when personal information of any California customer is compromised. This law subjects a company to civil and class action lawsuits by any injured customer.
Betty Broder, who is the assistant director of the FTC's Division of Privacy and Identity Protection says, "You don't have to have a perfect plan, but you must have a written plan describing how customer and employee data will be protected, and [have] an officer on staff responsible for implementing that plan. We need to see that you've taken reasonable steps to protect your customer's information." (Quote from American Bar Association March 2006 story, "Stolen Lives")
The Jan. 19, 2006 edition of Business and Legal Reports says, "One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance..."
By having a mandatory meeting, the employees finally understand their responsibilities to protect the sensitive data of your business.
This issue and its ramifications can be overwhelming, but with a little help you can develop your own affirmative defense. As stated above, offering your employees some sort of monitoring plan is just good business. The Kroll ID Theft Shield and Pre Paid Life Events Legal Plan are the fastest growing employee benefits programs in the country.
The ID Theft Shield acts as an early warning detector for the employer because if several of your employees have been told they are victims, the company knows the information leak is coming from the inside. The Shield takes care of the majority of the restoration so the employee is at work instead of trying to fix their ID theft problem.
The Pre Paid Legal plan also helps the employer's bottom line by addressing the 50 percent of absenteeism due to personal problems. When the employee has a legal issue, their lawyer can handle it, minimizing employee stress, distraction and absenteeism.
Offering employees the Identity Theft Shield and Life Events Legal Plan as an employee benefit will focus their attention on the issue of ID Theft and why they must be more careful with their employer's client's information - to say nothing of their own.
If you are interested in getting more information on the free federal compliance training that I can offer, please contact me. There are not enough certified experts right now to do the employee compliance training for everyone who wants it, so first come first served. You will be given everything you need (the written plan, the liability forms for the employees to sign, the mandatory educational meeting with the employees) for no cost to the business.
I have tried to outline the compliance steps necessary and some of them you can do yourself. Remember: your plan doesn't have to be perfect but you must have a written plan in place or you are not in compliance.
Businesses interested in protecting themselves can contact me at the number below.
Law Office of B. E. Rachman
800 Grand Ave., Ste. AG-8
Carlsbad, CA 92008
(760) 720-9324
belindaesq@hotmail.com
http://lawyerb.bizland.com

All contents herein copyright San Diego Source | The Daily Transcript ® 1994-2009
