The Attorney General
provides alerts to inform the public of unfair, misleading, or deceptive business
practices, and to provide information and guidance on other issues of concern.
ID THEFT - TIPS FOR
SMALL BUSINESSES
This alert provides suggestions
for small businesses on collecting, handling, and disposing of sensitive information.
Legitimate businesses, especially
small businesses, pay a heavy toll in the battle against identity theft.
This includes:
Staggering direct losses
from fraudulent payments;
High costs of adopting security
and fraud-prevention measures;
Significant costs associated
with having their own proprietary information misused for fraudulent purposes
by business ID thieves.
Honest businesses and
consumers both lose. Fraud jeopardizes the financial health of companies,
and the high costs associated with fraud drive up retail prices for the consumer.
But
just as consumers can take steps to reduce their risk and react effectively
if ID theft strikes (see the Consumer Alert, "Identity
Theft Information for Michigan Consumers"), businesses can do the
same.
By
protecting sensitive information in the workplace, you can:
Reduce the risk
of ID theft for your business and customers;
Promote awareness
of informational security among employees;
Reduce your exposure
to liability for misuses of sensitive information;
Build trust among
customers, employees, and business partners.
Steps for Securing
Sensitive Information
Businesses
may wish to take the following steps to secure sensitive information.
1.Conduct
a security audit
Before considering what changes to make to your company's information practices,
review key factors, with an information technology professional if necessary.
Factors include:
The value of your data (including
commercial value, time, and cost of recovering information, etc.);
The information pathways
of who handles the more sensitive data your company creates or receives;
The type and amount of information
transmitted electronically both inside and outside the company;
Access policies (who has
access to different types of sensitive information, and for what purposes);
Security measures already
in place (physical workplace environment, electronic security, existence
and effectiveness of formal policies).
2.Do not collect more information than you need
After you have given your informational needs and practices some thought,
consider whether you are collecting too much.
Define purposes for collecting
information;
Identify information genuinely
needed for those purposes.
If you don't really need the information,
don't collect it. The
more information you retain, the greater the amount of information an identity
thief can steal, the higher the costs of secure retention and disposal,
and the greater potential for liability if disaster strikes.
3.Create a privacy policy that clearly discloses how your business will
handle sensitive information
If your business regularly collects personal
information from consumers, consider developing a privacy policy that explains
your information collection, storage, sharing, and disposal practices.
If you intend to notify persons and business partners in the event the confidentiality
of their information is breached, consider prominently disclosing this information;
strict information policies can be an effective marketing technique to differentiate
your company from your competitors. (The Attorney General's Office
has prepared a Guide
to Privacy Policies to help small companies create their own
online privacy statements.)
4.Create
(or revise) company-wide security and privacy policies for your firm.
Elements could include:
Software needed to protect
data and procedures to check for and install updates and patches;
How to safely handle unsolicited
e-mail (spam);
Who will have access to different
types of information;
Schedules for testing security
system and re-evaluating security needs;
Need for and protection of wireless computer communications;
Protection of data used in
telecommuting and other out-of-office settings.
5.Be
sensitive to information you ask for or display in public
Consumers
are (or should be) concerned if their personal information is not treated with
respect, and many businesses have faced lawsuits alleging breaches of confidentiality. Examples of steps businesses can take include:
Protect computer screens
displaying personal information from public view;
Ensure that no sensitive
information is displayed in envelope windows of outgoing mail; consider
using plain instead of window envelopes.
6.Securely
store retained personal information
Whether dealing with physical or electronic data, implement policies to
limit access to sensitive information to those key, trustworthy employees
who have a good business reason to work with the information.
Paper ? Maintain files with
sensitive information in a physically secure manner
Electronic--Use
passwords, data encryption, anti-virus and firewall programs, routine and
secure backup procedures, etc., and check frequently for software updates
and patches;
Consider Hacking
Insurance ? Analyze your company's exposure to hacking losses to determine
whether to shop for insurance. Does your company transact a substantial
amount of business online? Is sensitive personal information stored
electronically?
7.Secure
your physical workplace
A great number of ID thieves operate at the workplace, lifting mail out
of insecure mailboxes or personal items from unattended purses and desks.
Invest in locking mailboxes;
Furnish employees with locking
desks;
Secure the entire workplace
when unattended;
Make sure computer network
and individual stations are password protected;
Educate employees regarding
the importance of maintaining data security;
Create a secure information-handling
policy.
8.Coordinate
with vendors and associates to secure information
Business partners with access to corporate or customer information may be
undoing your hard work.
Contractually
restrict the permissible uses, disclosure, retention, and disposal of customer
and proprietary information to which business suppliers and business partners
have access;
Ensure practices are consistent
with corporate privacy policies.
9.Effectively
dispose of information when no longer needed
Your information handling protocol should include a policy for disposing
or purging information that is no longer needed.
Establish regular intervals
for purging categories of unneeded sensitive information your business has
collected.
The manner of disposal is
important:
Paper - Don't
throw personal information in the trash; use a shredder.
Electronic -
If erasing information from computers, be sure that files on hard drives,
magnetic tapes, etc. are completely erased or destroyed; never discard
or sell used hard drives ? remove hard drives or completely erase them using
a tested program designed for this purpose.
10.Check
with your financial service providers to see what protections are available
against fraudulent transactions
Different banks and different credit cards offer varying levels of protection
for merchants. Call banks, credit card companies, check verification services,
etc. and explore your options thoroughly to determine what type of arrangement
works best for your business.
11.Review credit reports
Credit reporting agencies maintain files on many small businesses, and small
business credit reports can affect the finances of small businesses just as
consumer credit reports determine an individual's creditworthiness.
Experian - 1-888-397-3742
Equifax - 1-800-525-6285
TransUnion - 1-800-680-7289
Innovis - 1-800-540-2505
(Innovis currently does not have business credit reports--only consumer
credit reports.)
Printer Friendly
Text Version
Twitter
Facebook
Yahoo
Google
Digg
reddit
Newsvine
StumbleUpon
Bookmark
Email Page