Identity fraud is a crime that has had a devastating effect on individuals and businesses in recent years. It affects more than 11 million people — or approximately 4.8 percent of the adult population of the United States — and costs victims in excess of $50 billion annually at nearly $5,000 per victim.
Identity fraud is synonymous with identity theft. Identity theft refers to your personal information being taken by another person without your explicit permission. Identity fraud is the illegal use of someone else’s personal information (such as a Social Security number) in order to obtain money or credit. And each can cause catastrophic problems for those victimized.
Though identity theft refers to stealing another individual’s identity, businesses — particularly small and mid-sized ones — have to be doubly vigilant in protecting both their company “identity” as well as that of their customers. Businesses that take precautions ahead of time can help prevent such fraud from taking place.
Let’s examine a hypothetical scenario. Let’s say an employee, an insurance salesman, leaves the office after a long work week on Friday and meets up with some friends for happy hour. Happy hour evolves into three hours and when the employee leaves, he finds his car window smashed and his company issued laptop stolen. In a state of panic, he realizes that sensitive, unencrypted customer information was stored on the computer. Now what?
Connecticut state law requires any person in possession of personal information of another person to safeguard the data from misuse by third parties. Violators of this provision are subject to a $500 civil penalty for each violation, with a $500,000 cap for any single event.
Consider the preceding example and consider the size of an individual business. For simplicity, let’s say a business has 500 customers and $25 million in revenue. According to state law, at $500 per violation, the fines could reach $250,000. What’s more, monitoring costs for two years to foster goodwill with existing potential customers could cost between $60,000 and $180,000, which means that, excluding potential lawsuits, the company is already facing upwards of $430,000 to combat the data breach. This is nearly two percent of a company’s top-line revenues and could have a devastating impact on a business of that size.
On top of that, the bad publicity, additional scrutiny and damage to the business’ reputation could be immeasurable and take several years to recover, assuming the business does survive the existing crisis at hand.
So with such a foreboding scenario in mind, how can a business guard against being a victim of identity fraud? Here are some key steps:
Take inventory of personal information. This means all company files and computers should have all sensitive information catalogued by type and location, as well as an inventory of all computers, laptops, flash drives and other such items to find out where the company stores sensitive data.
Keep only essential information needed for your business. This means Social Security numbers should not be used unnecessarily, customer credit card information should not be kept unless there is a business need for it and a records retention policy should be developed immediately.
Lock it up. A company should maintain sensitive information using proper physical security measures — such as locked file cabinets — and should implement strong information technology controls, such as general network security, data encryption, password management, firewalls, wireless/remote access, detecting security breaches and laptop security.
Dispose of items properly. It is important to have a shredder available before discarding paper records and, if disposing old computers or storage devices, be sure to wipe utility programs.
Create a disaster plan. This is a plan to enable a business to respond to security incidents. It’s also wise to designate a senior staff member to head the response plan.
Upfront costs spent preventing identity theft will significantly reduce a company’s exposure to identity fraud-related monetary loss — it is indeed a worthwhile investment. The costs of identity fraud can be enough to damage your business beyond repair. And a proactive approach to combating identity fraud sends a message both internally and externally that identity fraud will not be tolerated.
Michael D. Frenza, CPA, CFE, is a senior consultant with BlumShapiro’s Business Consulting Division. BlumShapiro is one of the largest regional accounting, tax and business consulting firms in New England, with offices in West Hartford, Shelton, Westport, Waterbury, and New York City.
