Plugging data security leaks

Business responsibility to protect customer and employee data increasing next month

Story by John R. Ingrisano

Security problems multiplying
These are just some of the thousands of horror stories about identity theft and security breaches, explained Paula Biewer of Fond du Lac, president of data security consulting firm Biewer & Associates and an independent associate with Pre-Paid Legal Services. “In 2005, the Web site at www.privacyrights.org listed six pages of security problems,” Biewer said. “Today, it has over 100 pages, and ID theft is the number one complaint.”

The two biggest culprits, especially with small businesses, are indifference – the notion that “it’s not my problem” – and ignorance – the idea of “I don’t see a problem.”

These days, neither argument is good enough. Under the latest regulations issued under the Congressionally-legislated Fair and Accurate Credit Transaction Act, or FACTA for short, nearly everyone who deals with sensitive information must take basic security steps, and they must do so by Nov. 1 of this year. Failure to comply with FACTA carries the threat of wildly severe penalties: fines up to $1 million, up to 10 years of jail time, and company executives can be charged both criminally and civilly, said Michael J. Pulvermacher, president and founder of Web marketing firm eBizResults, LLC, in Oshkosh, which works with its clients to ensure the customer and employee data stored on its servers meets security guidelines.

Still, while virtually all businesses need to take steps to get their data security ducks in a row, there is no need to panic. In general, while the rules apply to pretty much everyone who handles personal information from customers and employees, the stiff penalties are intended to keep major providers such as financial institutions and credit card issuers on the straight and narrow. 

Nonetheless, you need to be aware of what is expected as a business owner or manager, as well as what you need to do to protect yourself, your customers and your staff. After all, you could be held liable for security breaches at your business. Above that, it just makes good business sense to provide quality security as a service for your customers.

The data security problem
Perhaps the most significant problem with data security is that the bad news is getting to be old news, even as hackers continue to get more sophisticated and each security slip leads to more and more devastating consequences. 

The problem keeps growing because selling personal data is highly profitable, explained Biewer.

“Personal information is worth anywhere from a few dollars to a few hundred dollars per record on the black market. This is a huge incentive. Add to this that, under existing rules and laws, the penalty is usually a slap on the wrist,” Biewer said. “From the criminal mind, it is more worthwhile to rob data from a bank than to actually rob the bank itself.”

When a business is involved, everyone gets hurt.

“A data breach,” added Biewer, “hurts a business in other ways as well.”  On average, when a business is hit, “20 percent of their customers will take their business elsewhere.” 

Common security mistakes
The irony is that most security errors can be easily avoided. Many of the consultants we spoke with pointed out that most breaches were the result of mundane mistakes and oversights, such as…

• Not realizing that most email is not secure. “I have had people email me their credit card numbers and account passwords,” said Pulvermacher. “This includes accounting firms sending their customers’ files.”

• Businesses setting up do-it-yourself Web sites. This can be a real problem, added Pulvermacher, especially when they build in “credit card payment options that do not comply with DSS (Data Security Standards), thereby putting all their customers’ information at risk.” 

• Not concealing sensitive information. Some merchants still have their customers’ entire credit card number and expiration date printed on their receipts, pointed out Brad Palubiak, president of Oshkosh-based Cornerstone Payment Systems, Inc.

• Not storing information properly. Sometimes it’s a matter of just leaving paperwork lying out in the open on a desk. “You wouldn’t leave a pile of cash on your desk,” said Biewer, “but people leave sensitive and valuable information lying around all the time.”
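The receipt problem above has a simple technical fix: print only the last few digits of the card number and leave the expiration date off entirely. The following is an added example, not code from the article or from any company it quotes; it assumes a point-of-sale program that has the full card number in memory only long enough to authorize the sale and then renders the receipt line through a masking function. The card number used in the test is the widely published Visa test number, not a real account.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: catches typos and garbage before we treat a string as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(raw: str, visible: int = 4) -> str:
    """Return the card number with all but the last `visible` digits replaced by '*'.

    Accepts the spaces and dashes that card readers and people commonly insert.
    Rejects anything that is not a plausible card number so that a bug upstream
    cannot quietly print an unmasked value that merely looks like one.
    """
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    if not luhn_valid(digits):
        raise ValueError("failed Luhn check")
    return "*" * (len(digits) - visible) + digits[-visible:]

def receipt_line(raw_pan: str, amount_cents: int) -> str:
    """Render the card line of a receipt.

    The expiration date is deliberately not a parameter: a receipt never needs it,
    so the renderer cannot leak it even by accident.
    """
    return f"CARD {mask_pan(raw_pan)}  TOTAL ${amount_cents / 100:.2f}"

if __name__ == "__main__":
    # Constructed sample input: the standard Visa test number and a $19.99 sale.
    print(receipt_line("4111-1111-1111-1111", 1999))
```

The masking function is the only path from the card number to printed output, which is the point: a single choke point is easy to review and easy to test, whereas string formatting scattered through a receipt template is where full card numbers end up in customers' hands.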

The FACTA factor
The federal government has been attempting to tighten up these security problems since it first passed FACTA in 2003. The most recent round of regulations – which go into effect this Nov. 1 – added several specific compliance areas, most of which apply to credit reporting agencies and financial companies. However, small businesses also need to listen up.

The biggest issue with the new regulations is what are called “red flags.” Kristine Cleven, assistant vice president-legal with the Wisconsin Bankers’ Association, explained, “These require anyone who deals with credit and/or personal information (from auto dealerships to utilities to cell phone companies to any business handling credit cards) to watch for certain situations.”

These red flags include being alert for discrepancies in addresses and following up to verify data. “This may be as simple as comparing signatures on the back of a credit card and shredding paperwork as a means of disposal,” explained Bob Eichel, compliance consultant for CitizensFirst Credit Union in Oshkosh. “It also means looking for such red flags as address change requests, especially when followed shortly by a request for a new card.”
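The two red flags Eichel describes, an address on an application that does not match the address on file and an address change followed shortly by a request for a new card, are both mechanical checks that a business's own records can run. The following is an added example, not code from the article or from any institution it quotes; it assumes a constructed, comma-separated account event log (account id, date, event type, and an optional address) and a 30-day window, both of which are assumptions for illustration rather than figures the article gives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

@dataclass
class AccountEvent:
    account_id: str
    when: datetime
    kind: str        # e.g. "address_change", "new_card_request", "application", "purchase"
    address: str     # empty for events that carry no address

def parse_events(text: str) -> list[AccountEvent]:
    """Parse 'account,YYYY-MM-DD,kind[,address]' lines; blank lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(",", 3)]
        if len(parts) < 3:
            continue
        acct, day, kind = parts[:3]
        address = parts[3] if len(parts) == 4 else ""
        events.append(AccountEvent(acct, datetime.strptime(day, "%Y-%m-%d"), kind, address))
    return events

def normalize_address(addr: str) -> str:
    """Lower-case, collapse whitespace and drop punctuation so trivial formatting
    differences do not mask (or fake) a discrepancy."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", addr.lower())).strip()

def address_discrepancies(events: list[AccountEvent]) -> list[tuple[str, str, str]]:
    """Red flag 1: an application whose address differs from the address on file.
    Returns (account, address_on_file, application_address) triples."""
    on_file: dict[str, str] = {}
    flags = []
    for e in sorted(events, key=lambda e: e.when):
        if e.kind == "address_change":
            on_file[e.account_id] = e.address
        elif e.kind == "application" and e.account_id in on_file:
            if normalize_address(e.address) != normalize_address(on_file[e.account_id]):
                flags.append((e.account_id, on_file[e.account_id], e.address))
    return flags

def card_after_address_change(events: list[AccountEvent], window_days: int = 30) -> list[tuple[str, datetime, datetime]]:
    """Red flag 2: a new-card request within `window_days` of an address change.
    Returns (account, address_change_date, card_request_date) triples."""
    window = timedelta(days=window_days)
    last_change: dict[str, datetime] = {}
    flags = []
    for e in sorted(events, key=lambda e: e.when):
        if e.kind == "address_change":
            last_change[e.account_id] = e.when
        elif e.kind == "new_card_request" and e.account_id in last_change:
            if e.when - last_change[e.account_id] <= window:
                flags.append((e.account_id, last_change[e.account_id], e.when))
    return flags

# Constructed sample log (not real data): account A shows the classic pattern,
# account B changed its address months earlier, account C never changed it.
SAMPLE_LOG = """
A,2008-09-01,address_change,12 Main St, Oshkosh WI
A,2008-09-05,new_card_request
A,2008-09-06,purchase
B,2008-06-01,address_change,7 Lake Rd, Fond du Lac WI
B,2008-09-05,new_card_request
C,2008-09-02,new_card_request
D,2008-08-01,address_change,40 Elm Ave, Appleton WI
D,2008-08-20,application,99 Other St, Green Bay WI
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for flag in card_after_address_change(evs):
        print("new card shortly after address change:", flag)
    for flag in address_discrepancies(evs):
        print("application address does not match file:", flag)
```

A flag from either function is a reason to verify with the customer through a channel already on file before the card ships, not a verdict of fraud; the window length is a business decision, and the checks are written so the threshold is a parameter rather than a buried constant.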
What to do in your business
Most security issues are basic and can require little effort to address. Here are the steps you need to take now, and some ideas on how to do it.

• Create a credit policy, and put it in writing, said Pulvermacher. This should include how data is collected, handled, stored and disposed of.

• Train your employees about the security weaknesses with email, as well as how to handle secure information, added Pulvermacher. Make them aware of how to protect data.

• If you set up an e-commerce Web site, use programmers who have experience and know Web site security. “A lot of companies doing Web site design are not meeting compliance requirements,” said Palubiak. “You need to work with a company that has good staff and that is well-educated on these issues.” 

• Do not store credit card numbers or other sensitive information on your Web server. This makes it vulnerable to hackers.

• Utilize Web programs that are written with security in mind, so your Web site will be less vulnerable to hackers.

• Monitor all transactions for fraud. This often requires little more than verifying signatures and checking a second piece of identification.

How can you become compliant and not get in trouble under the new FACTA regulations? Fortunately, many security and data-management companies offer boilerplate security programs. Additionally, it would be wise to invest some time at the Federal Trade Commission Web site (www.ftc.gov) to learn more about how to protect yourself, your business, your customers and your employees from the theft of personal information.

Just as you would not leave your doors unlocked overnight or leave your own credit card sitting out in the open, accept that you must be ever and always vigilant against hackers and other data thieves. It’s not just the law these days. It’s also good business sense.

John Ingrisano is a Wisconsin-based marketing strategist and business journalist and a regular contributor to NEW North B2B. His latest book, The Back to Basics Book of Selling, is available by contacting John at john@TheFreestyleEntrepreneur.com.