Does your business have something that identity thieves want to steal? The answer is simple: It's the personal, financial, business, or medical information that you manage on employees, customers, and contractors. Once this data is lost or stolen, there are serious consequences for an unprepared company.
Most public scrutiny of identity theft has concentrated on financial data loss, and within that, credit cards have been the most visible. But businesses are less aware that non-financial data in their possession is just as protected as credit card numbers. In fact, the concentration over the last few decades on credit card account theft has led the Federal and State governments to scrutinize other forms of consumer data loss to build public awareness of the wide spectrum of identity theft as a whole.
In 1998, the Identity Theft Assumption and Deterrence Act defined identity theft as a crime. The Act criminalized the knowing transfer or use, without lawful authority, of “a means of identification of another person” with the intent to commit, or to aid or abet, any violation of federal law. 18 U.S.C. §1028(a)(7).
“As a fundamental principle, even before reaching theories applicable to information security, parties are generally responsible under the common law of torts to use due care in handling the information regarding others,” (Thomas P. Vartanian, Mark Fajfar, and Robert H. Ledig, Electronic Banking Law and Commerce Report, June 2005). Businesses that do not take reasonable steps to protect information could be held civilly liable for criminal acts committed by others with the stolen information. This was the outcome of Bell v. Michigan Council 25 of the AFSCME, 2005 Mich. App. LEXIS 353 (Mich. Ct. App. Feb. 15, 2005).
Currently 43 states have enacted laws regarding requirements for the notification of victims in the event of a loss or breach of information from a business. In addition to notification laws, all states have legislation that pertains to fraud and theft.
Additionally, there are several federal statutes that expose businesses to civil and criminal liability for not taking appropriate measures to safeguard information. They include, but are not limited to:
Perhaps the greatest impact to business in the event of a breach is negative publicity and loss of trust among employees and consumers. As you can see from the article below, the loss of information leads to loss of business, loss of revenue, and class action lawsuits.
Study Reveals 63 Percent of Consumers Dissatisfied With Data Breach Notification and Response Methods
TRAVERSE CITY, MI--(Marketwire - April 15, 2008) - A new study conducted by the Ponemon Institute shows that consumers are dissatisfied with the notification process used by companies following a data breach affecting their personal information. Sponsored by ID Experts, the Consumer's Report Card on Data Breach Notification revealed 63 percent of survey respondents said notification letters they received offered no direction on the steps the consumer should take to protect their personal information. As a result, 31 percent said they terminated their relationship with the organization. In addition, 26 percent of respondents took no action after being notified and 57 percent said they lost trust and confidence in the organization.
“From an organization's perspective, people include employees, customers, third parties, and business partners. All of these people are vital to the organization's survival and are privy to the organization's information in varying degrees through different means. As a result, all of these people represent risk. Well aware that infrastructures and perimeters have been fortified, today's sophisticated crooks no longer batter the fortress directly – they take a subtler approach through its people.” — Deloitte 2007 Global Security Survey: The Shifting Security Paradigm