Workplace Information Protection and You


Businesses, small and large, have to deal with workplace information protection and privacy to some extent. The degree to which these businesses and their management protect their confidential information, including employee and client personal information, depends largely on a) their self-interest, b) the regulated environment in which they operate and with which they must comply, and c) their desire for good business practice.
 
 
Self Interest
 
 
Many businesses have trade secrets which, if stolen, can put them at a competitive disadvantage and either end their business life or, if they’re lucky, just wipe out their expansion and growth aspirations. Simply put, they must protect that confidential business information at any price or they’ll disappear in no time.
 
 
Businesses spy on each other all the time for valuable trade secrets that help them gain competitive advantage, whether over the launch of a new product or service or the improvement of existing processes to increase efficiency, productivity and client base. Each business must determine what information is important to it and place security controls around that information to secure its business viability and future growth. This is what I mean by “self interest”, protecting something that’s important.
 
 
Other areas of self interest are financial fraud and, to a lesser degree, management attachment to the information protection field: certain key management members may be more security conscious than others, possibly due to their past professions and experiences, and therefore place importance on workplace information protection.
 
 
Regulations
 
 
Some businesses, such as financial institutions and healthcare companies, have been scrutinized for many years and continue to be heavily regulated by the government, depending on the nature of their business and the industries in which they operate. Businesses spend a lot of money just to keep up and comply with such regulations.
 
 
Although we can always debate the usefulness of these laws and whether they’re worth the cost companies have to pay in order to comply, there is no doubt that, following many of the business scandals and loss of public confidence, the government had to do something to prevent another corporate financial disaster that wipes out people’s retirement accounts, or another personal data leak that leads to mass identity theft and identity fraud.
 
 
In my opinion, these laws, to some extent, help improve the corporate security controls by raising awareness, visibility, authority and oversight, and ensure confidentiality, integrity and availability of personal and financial data, but we need a national law, similar to the European Data Protection Directive, to address the corporate security issues in a consistent manner.
 
 
There are simply too many laws floating around, at the federal and state level, overlapping each other, which if consolidated can address most of the risks in a consistent manner. Right now, the laws are too scattered, and may or may not apply to certain industries or even address all workplace information protection risks. Below are a few of the laws that companies have to comply with:
 
 
The Gramm-Leach-Bliley Act, or GLBA, was created to modernize the financial institutions’ privacy law. In general, GLBA relates to a “best practices” protection for an individual’s banking statements, social security number, credit card numbers, tax information or other personally identifiable information (PII).
 
  
The Health Insurance Portability and Accountability Act, or HIPAA, which applies to practically all healthcare plans and providers, required improved efficiency in healthcare delivery by standardizing Electronic Data Interchange, and protection of the confidentiality and security of health data through setting and enforcing standards.
 
 
The Sarbanes-Oxley Act was signed into law in 2002 to improve corporate governance and ensure integrity of financial data. It introduced stringent new rules to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
 
 
The details behind some of these laws and others that impact identity theft and information security can be found in the identity theft laws section of a number of regulatory government websites [See Links and Useful Resources on our blog sidebar]. These regulations often require establishment of many security components such as policies, procedures, standards, and an executive security position for managing workplace information protection risks among others.
 
 
Good Business
 
 
 
Having adequate workplace information protection controls just makes good business sense: not only can it save money spent on endless investigations, public relations, consumer notification and recovery of lost data, but it can also build consumer confidence. Would it not make sense to secure the online transactions and protect the business and client information at the same time?
 
 
Consumers are more reluctant to do business online as news of data leaks continues to emerge in the business sections of major newspapers almost weekly, but they would be more inclined to trust doing business online if businesses were able to buy their confidence back through their actions.
 
 
 
In future blog posts we will explore in detail 1) the scope of the information that needs protection, 2) the nature of the information to be protected, 3) the rationale for and extent of data protection, and 4) strategies for managing workplace information protection.
 

 

Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

About the Author:  Wilma Colon Ariza is a Certified Identity Theft Risk Management Specialist (CITRMS), Certified HIPAA Security Specialist (CHSS), Certified Security Compliance Specialist (CSCS), Business and Employee Data Security and Privacy Law Compliance Consultant offering Federal and State ID Theft Law Workshops and Seminars. Member in good standing of The National Association of Professional Women [NAPW] and The League of United Latin American Citizens [LULAC]. She is an active Identity Theft Victims Rights Advocate, Public Speaker and Blogger.
 
 
[Ms. Ariza is a former Prepaid Legal Services Inc., Independent Associate]
 

Identity Theft, Fraud and Data Security: Workplace Facts and Statistics


Identity theft affects both the consumer and the business community in a multitude of ways. The impact of this crime clearly touches business at all levels and from many directions. Included below are some of the statistics that demonstrate areas of concern for members of the business community.
Cost to Business:
Studies on the total cost of identity theft vary. One study said that identity theft cost U.S. businesses and consumers $56.6 billion back in 2005; that number is confirmed to have increased by 70% in the past year. According to one expert, the loss or theft of just one laptop can cost a company as much as $90,000 or more in fines, credit monitoring for victims, public relations damage control, and class action litigation.
According to the U.S. Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation and is in fact the fastest growing international crime. A preliminary study done by The Identity Theft Resource Center shows that the majority of ID theft criminals are repeat offenders. Other convictions include substance abuse, narcotic trafficking, violent crime, robbery, and immigration issues.
According to the Aite Group LLC, in a March survey 21 of the top 100 U.S. retail financial institutions reported that 39% of responders indicated an increase in online banking and bill-payment losses over the past year.  A Zogby study reports that 91% of Americans are now concerned about identity theft and expressed concern that legitimate retailers would sell their information without consent. 83% are specifically worried that information will wind up in the hands of a third party.
In that same study 50% of respondents did not think retailers are doing a good job of protecting their personal data, compared to 28% who felt companies protect data adequately. A Unisys survey reported by Internet Retailer said that 30% of respondents have stopped shopping online because the process requires a bank card, citing fear of card fraud and theft.
Cost in tax dollars:
A GAO study on identity theft (GAO-02-363, issued way back in March 2002) discussed costs to federal agencies: the Executive Office for U.S. Attorneys estimated that the cost of prosecuting a white-collar crime case was $11,443. That number has also risen by about 80% as cyber criminals and identity theft syndicates become more and more sophisticated in both technology. The Secret Service estimates the average cost per financial crime investigation is $35,000. The FBI estimates the average cost per financial crime investigation can reach up to $50,000 or more per case!
Data breach losses:
The Unisys study also reported that 69% of those surveyed said they would stop using a site that lost their personal information. Forrester Research Firm did a study entitled “Calculating the cost of a security breach.” In this study the following data was reported: Of 83 corporate IT managers, 28 acknowledged having to cope with a data breach. The costs of a data breach vary widely, ranging from $90 to $305 per customer record, depending on whether the breach is “low-profile” or “high-profile” and whether the company is in a non-regulated or highly regulated area, such as banking.
In counting up costs, Forrester estimated the cost at $50 for the discovery, notification and response that brings in unexpected expenses associated with legal counsel, call centers and mail notification. It also noted lost employee productivity that would range from $20 to $30 per customer record. It is proven that the negative effects of identity theft or a breach of information to a business can have long term and far reaching ramifications.
It should be a priority for business owners and executives to heighten their awareness of identity theft, and the financial and image costs of a data loss. It is apparent that the misuse or loss of information is a concern for over 80 percent of the consumer base. The focus of the consumer is both on their own security as well as the actions and activities of the businesses that they use.
How does your business measure up? My company and freelance services under Identity Law Resources has provided consultation services to small businesses, non-profits, self-employed professionals and entrepreneurs as well as private citizens and civic groups on the prevention of identity theft and data loss.


Employment Scams A Growing ID Theft Threat


In December of 2008, the unemployment rate rose to 7.2 percent, the highest rate it’s been at in a number of years. The economy is down, people are losing jobs, and identity thieves are preying on those who are in the bleakest spots. Yep, identity thieves. The only thing that an increased unemployment rate and decreased economy mean to them is additional targets for their scams.

Employment and unemployment identity theft scams aren’t new. They’ve been around as long as identity theft has, but they’re becoming more common as the economy flounders. These scams target two groups of people: those looking for jobs, and those who are employed.

Those who are employed can fall victim to identity theft when a person from their employer takes advantage of access to personal information. It happens more often than most people realize. Your employer fires someone who has access to personnel records, and that person steals the information in those records in retaliation. The information can then be sold to criminals who resell it to illegal aliens, or it can be used to apply for (and receive) government benefits.

For those who are unemployed, the dangers are equal if not greater. Scammers don’t care if you’re already down on your luck. What they’re concerned about is gaining access to your personal information. So it’s not at all uncommon for scammers to place ads for jobs that don’t exist and then try to coerce job searchers to provide personal and even financial information under the guise of getting what sounds like a great job.

It’s tough to protect yourself from data breaches, but you can protect yourself from employment scams if you’re actively seeking a job. Be cautious, as always. And understand how to protect your identity. Here are some tips to help you avoid employment and unemployment scams that can lead to identity theft:

  • Guard your social security number. One employment scam that’s often seen is when job seekers are asked to provide their social security number before an interview so the company can do a preliminary background check. If this happens to you, politely refuse. Not only is this something that should immediately cause concern for you, but it’s illegal. Legitimate employers cannot do a background check until after they have interviewed you.

  • Never provide financial information. If a potential employer requests credit or bank account information for the purposes of doing a credit check, beware. A credit check can be completed with your name, address, and a social security number. It’s not necessary for you to provide any account information at all.

  • Be attentive when applying for jobs online. Much communication passes between employers and potential employees online these days. Unfortunately, identity thieves know that and they’re using this opportunity to steal identities. Always pay attention to the email addresses of the people you’re communicating with. Usually, official communications come from company email addresses, not personal email addresses. A personal email address could be an indicator that you’re being scammed.

  • Use caution when filling in online forms. Online forms are the perfect place for an identity thief to steal your personal information. These forms usually request private information such as driver’s license number and Social Security Numbers. If you’re filling out an application online (or even if you’re just sending a resume online) be certain you’re on a legitimate web site and that the site is secure. If you’re not sure of that, find out if the information can be sent directly to the company.

  • Beware of companies that request your direct deposit information before you’re formally hired. A scam that’s common in the work-from-home arena is companies that promise simple jobs with big pay. All you have to do to get paid is provide direct deposit information. This information, however, gives them access to your bank account. Not a good idea. If you’re not completely comfortable with a company, and if the company doesn’t have a good reputation then don’t give out that account access. If you do, you could find your bank account empty.

It’s bad enough when you lose your job. But to add identity theft on top of it makes it much worse. Use caution when you’re searching for a job. And always remember that if something seems too good to be true or too easy, then it probably is.
