What businesses can do to reduce the risk of identity theft

Identity theft refers to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. According to a survey by the Javelin Research, identity theft losses to businesses and financial institutions in 2010 totaled nearly $37 billion. The "2011 Identity Fraud Survey Report" also found that 8.1 million Americans had been victims of identity fraud in 2010. Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords. The Federal Trade Commission (FTC) provides the following information to help businesses reduce their risk of identity theft.

Managing cyber security

Keep valuable customer data, such as credit card or bank account numbers, in a secure location that it is not readily visible to others who may have access to the premises.
Shred or destroy paperwork no longer needed, such as bank machine receipts, receipts from electronic and credit card purchases, utility bills, and other documents from customer transactions that contain personal and/or financial information.
If part of the business involves online transactions, check regularly to see whether someone has set up a "spoof site" in the name of the business. If a spoof site is found, identify the web hosting service or Internet service provider the spoof site is using, and contact that service or provider immediately.
If the business has a website that customers can use to order merchandise or enter personally identifiable information, have your information technology staff check regularly to ensure that there are no security "holes" through which others can improperly access customer data. This includes all upgrades of software used on your site. Security holes are sometimes inadvertently created as current programs are upgraded or patched but may expose customer data for long periods of time if they are not found and fixed promptly.
Implement a fraud prevention and detection program. Online businesses, which often depend on credit cards for payment, should consult the financial institutions with which they have merchant relationships, and the major payment card associations as appropriate, to learn what programs or mechanisms may be most suitable for their businesses.
Online merchants should be especially vigilant because when they handle "card-not-present" transactions, they may be held financially responsible for a fraudulent transaction even when the card issuer has approved that transaction.
Merchants who conduct business face-to-face with their customers should establish a policy of requiring more than one form of identification when a customer is paying by check or credit card. In any event, all card-present merchants need to take all necessary steps to ensure, for each consumer transaction involving a payment card, that the card, the cardholder, and the transaction are legitimate.

If the business has become a victim of identity theft, take three immediate steps. First, contact the financial institution with which there is a merchant relationship. Second, report the matter to the local police. Police authorities often will take reports even if the crime ultimately may be investigated by another law enforcement agency. In addition, the police report may be useful in dealing with your financial institution or other businesses about the identity theft. Third, report the identity theft case immediately to the appropriate government organization, such as the Federal Trade Commission (FTC), and the fraud department of any of the three major credit bureaus (i.e., Equifax, Experian, or Trans Union).

At least 46 states have enacted legislation requiring customer notification of security breaches involving personal identification. The FTC also requires that certain businesses report data breaches. Businesses should comply with these requirements. See NCSL's State Security Breach Notification Laws. Also, the Better Business Bureau offers Data Security Made Simple.

Copyright ©2012, ISO Services, Inc. CH-20-25 1/20/12

This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

LC 13-119