In September of 2003, the Federal Trade Commission (the “FTC”) released the results of a survey indicating that, over the five years preceding the survey, 27.3 million persons were victims of identity theft, an average of approximately 5.5 million persons per year, resulting in billions of dollars in losses. In November of 2007, the FTC announced that in 2005 alone 8.3 million people discovered that they were victims of identity theft. For the period from March 2011 to February 2012, the FTC reported 287,232 complaints related to identity theft, representing 17% of total complaints received during that period. Statistics for 2012 indicate that 12 million people are affected by identity theft each year.
As a business owner, if you collect personal information from customers or clients, you not only have a professional obligation to protect such information but, depending on the nature of your business and the type of information collected, you may also have a legal obligation to do so under such statutes as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Federal Trade Commission Act. Additionally, during their 2012 legislative sessions, 34 states have introduced or have pending legislation related to identity theft.
Protecting such information is an important aspect of internal control and, like other important aspects of internal control, your processes for protecting it should be well documented and carried out as a routine and continuous part of your operating procedures.
The FTC provides valuable guidance on protecting personal information. It delineates five key principles that should be the basis of a well-designed data security plan:
“1. Take stock. Know what personal information you have in your files and on your computers.
2. Scale down. Keep only what you need for your business.
3. Lock it. Protect the information that you keep.
4. Pitch it. Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents.”
For more details on these principles, including a checklist to help you develop an effective plan, see the FTC's Protecting Personal Information: A Guide for Business.