These days, it is almost impossible to be in business and not collect or hold personally identifying information such as names and addresses, Social Security numbers, credit card numbers, or other account numbers about your customers, employees and business partners. If this information falls into the wrong hands, it could put these individuals at risk for identity theft.
Still, not all personal information compromises result in identity theft, and the type of personal information compromised can significantly affect the degree of potential damage. What steps should you take and whom should you contact if personal information is compromised? Although the answers vary from case to case, the following guidance from the Federal Trade Commission (FTC), the nation's consumer protection agency, can help you make smart, sound decisions. Check federal and state laws or regulations for any specific requirements for your business.
Notify the Proper Authorities
When the compromise could result in harm to a person or business, call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police are not familiar with investigating information compromises, contact the local office of the FBI or the US Secret Service. For incidents involving mail theft, contact the US Postal Inspection Service. Check the blue pages of your telephone directory or an online search engine for the number of the nearest field office.
Notify Affected Parties
If names and Social Security numbers have been stolen, you can contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts for their files. Your notice to the credit bureaus can facilitate customer assistance.
Generally, early notification to individuals whose personal information has been compromised allows them to take steps to mitigate the misuse of their information. In deciding if notification is warranted, consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from misuse. For example, thieves who have stolen names and Social Security numbers can use this information to cause significant damage to a victim's credit record. Individuals who are notified early can take some steps to prevent or limit any harm.
Information compromises can have an impact on businesses other than yours, such as banks or credit issuers. If account access information (say, credit card or bank account numbers) has been stolen from you, but you do not maintain the accounts, notify the institution that does, so that it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of any information compromise as well.
FTC recommendations for notifying individuals
Consult with your law enforcement contact about the timing of the notification so it does not impede the investigation.
Designate a contact person within your organization for releasing information. Give the contact person the latest information about the breach, your response, and how individuals should respond. Consider using letters, websites, and toll-free numbers as methods of communication with those whose information may have been compromised.