Privacy, Identity Theft and Data Security Breaches
Today's technology provides us with extraordinary benefits. It has given us the ability to conduct business online, share information about ourselves with those who live thousands of miles away and access information at the "speed of light." Unfortunately, it has also provided the same benefits to identity thieves who use someone else's personal financial information to access bank accounts and obtain credit, often destroying the life savings and good credit history of innocent victims.
As our access to information increases, our concerns about financial privacy should increase as well. Identity theft has increased so dramatically that the Federal Trade Commission has listed it as the top fraud-related consumer complaint for the past five years, with consumers reporting million of dollars lost to fraud. Millions of people are potentially at risk for identity theft. The following is provided to help you protect your financial privacy and the steps to follow if you have become an identity theft victim.
Everyone has personal information (such as credit card numbers, bank account numbers, and social security numbers) that can be misused when in the wrong hands. A scam artist who learns any of your personal information can potentially use that to learn more of your personal information and eventually make purchases in your name. Learn how to protect yourself from identity theft.
What to do if you're a victim of Identity Theft
Identity theft is a crime which generally results in fraud. If you believe you have become a victim of identity theft, you must act immediately to minimize the damage and to secure your legal rights. Fighting identity theft can be frustrating and time-consuming, but resources exist to help you.
Data Security Breaches – Information for Consumers
The "Privacy Rights Clearinghouse" has put together some very helpful information titled "How to Deal with a Security Breach," which can be found at the following link: http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm. Maine law not only authorizes the placement of a fraud alert, but also permits consumers to "freeze" their credit reports. http://www.mainelegislature.org/legis/statutes/10/title10sec1313-C.html
Under Maine law, a company must notify you if it believes that computerized personal information about you has been lost or stolen from their files (or from the files of a subcontractor working for them). http://www.mainelegislature.org/legis/statutes/10/title10ch210-Bsec0.html. Companies may also be required to report those breaches to a regulator or the Attorney General. The next section has more information about those reporting requirements.
Data Security Tips for Small Businesses
In Maine, if you are a company that has experienced a computerized data security breach and are required to report the breach to the Attorney General, you can use this Maine Security Breach Reporting Form
The Federal Trade Commission has a great deal of helpful guidance for businesses to help with the task of keeping customer information secure, including a brochure “Protecting Personal Information: A Guide for Businesses,” http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business. Companies should plan ahead before there is a problem and follow 5 key principles:
- Take stock.
- Know what information you have and where you have it. Inventory
- Paper in your desks and file cabinets and
- electronic data on storage devices, e.g. computers, storage discs or tapes, flash drives, Blackberries, computerized phone systems,
- every entry point where you may receive personal information from employees or customers.
- Also figure out who has access to that information currently and decide whether they really need it.
- Know what information you have and where you have it. Inventory
- Scale down. Keep only what you need for your business.
- Don’t collect and use info you don’t need, e.g. SSNs for account numbers.
- Don’t keep credit card information longer than you have to.
- Develop a record retention policy that helps employees know what they need to keep and for how long, and that they shouldn’t be keeping anything else.
- Lock it. Protect the information that you keep.
- Physical security,
- electronic security
- Assess the vulnerability of those connections. Depending on sophistication of your systems could mean off the shelf security software, or a professional security audit.
- Don’t store sensitive info on computers with internet connections
- Don’t store sensitive info on laptops
- Regularly run anti-spyware and anti-virus programs
- Encrypt sensitive data you send to outside entities and consider encrypting data you store (might still get hacked, but hacker can’t use data)
- Require employees to use passwords and make sure they are strong passwords, and always change default passwords when you get new software
- Use Firewalls to protect your computers while they are connected to the internet
- Employee background checks and training and good exit procedures when an employee leaves (e.g. terminating their passwords and collecting ID cards)
- Understand your outside vendors and contractors security policies if they handle sensitive information from you or for you and consider requiring them to follow the same practices.
- This is not an exhaustive list and what is best for your business will depend on your business, but these are some of the things to be thinking about that may be useful for your business.
- Pitch it. Properly dispose of what you no longer need.
- Shred paper documents, make shredders easily available.
- Use wipe utility programs when discarding old computers or storage devices
- FTC Disposal Rule specific to consumer credit reports requires organizations that obtain consumer credit reports to “properly dispose” of that sensitive information.
- Plan ahead for a breach. Even if you do everything right, breaches can happen.
- Create a plan for responding to security incidents, which will include investigating the cause and scope of the breach, securing data and possibly certain notifications of affected persons, government officials and others.
- Designate a senior member of the business to coordinate a response plan in the event of a breach.
MAINE LAW on electronic data breaches:
- requires people who maintain computerized personal data (such as SSNs, Drivers license or state ID numbers, Account, credit and debit card numbers) who become aware of a security breach to “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused”
- certain NOTIFICATION requirements:
- Any other business maintaining personal info must notify residents whose personal data has been misused or it is reasonably possible that it may be misused.
- Consumer reporting agencies aka Credit Bureaus (Equifax, Experian, TransUnion). If a breach requires notice to more than 1,000 people, the business has an obligation to notify the credit bureaus.
- Regulators. If the business whose data was breached is regulated by an agency of Maine’s Dept of PFR, then that agency must be notified (e.g. an insurance company doing business in Maine and licensed by the Maine Bureau of Insurance would have to notify the Bureau of Insurance).
- Attorney General If you are not regulated by one of those agencies, then you must notify the AG
These notifications must be made “as expediently as possible and without unreasonable delay,” but you should consult with law enforcement if a criminal investigation is opened to make sure the notice won’t interfere with the investigation. Then within 7 days after law enforcement determines that notification will not compromise any criminal investigation.