The Web Site Assessment
We wish to create for our customers the most functional and secure Web site on the Internet. To do this, we seek your help. Our customers are in the best positions to give us their perceptions of privacy and security for conducting business online. For the list below, please select the number on the scale that best indicates the most or least sense of security you feel for each item.
Before beginning, review the list of items to determine which are more or less important to you. Then when completing the assessment, do not deliberate for any length of time on the rating for an item. Select the number on the scale that first comes to mind.
The Sense of Security Scale
1 = Low
2 = Moderately Low
3 = Indifferent
4 = Moderately High
5 = High
The Web Site Feature Feature Provides a Sense of Security
Select One
1. Testimonials from e-business customers 1 2 3 4 5
2. Pictures of company officers 1 2 3 4 5
3. Name and address of CEO 1 2 3 4 5
4. Security letter from CEO 1 2 3 4 5
5. Security letter from company employees 1 2 3 4 5
6. Seal of Information Security (the Standards) 1 2 3 4 5
7. Statement of Security Standard Compliance 1 2 3 4 5
8. Press release announcing the Security Standards 1 2 3 4 5
9. Better Business Bureau Online Reliability Seal 1 2 3 4 5
10. TRUSTe Seal 1 2 3 4 5
11. Privacy Policy 1 2 3 4 5
12. Return Policy 1 2 3 4 5
13. Picture of a lock at bottom of screen 1 2 3 4 5
. 1 2 3 4 5
.
.
We appreciate any comments you may offer in the space provided below.
Thank You!
When interpreting the results, watch for outliers—extreme scores that are either low or high. Outliers can be especially informative and therefore should be considered carefully. Consider also the open-ended responses customers may have provided at the end of the assessment. Customers who are willing to take the time may be offering particularly important suggestions.
Step 4. Follow up. Think about a performance appraisal of you or of someone you know after which no recognition was given or no changes were made in pay, promotion, or job situation, despite work well done. Apply the knowledge from these experiences to the Web site assessment. Whenever possible, make the improvements suggested by the customer assessments or comments. Be sure to conclude by sending an online coupon or some other form of compensation or recognition along with a personalized “thank you.”
Not only does this Web site security assessment provide your company with valuable information for encouraging new and continued e-business shopping practices by current customers, it also is a marketing tool that, when implemented, is sure to attract new customers. After all, your project team and your company’s employees created the innovative Web site features that produced the results, and the power and effectiveness of group synergy cannot be underestimated.
To summarize thus far: Between the two project teams, the personal identifying information of employees and customers has been secured on three fronts—people, processes, and property. In effect, the security of people, processes, and property—including information technology security (covered widely in other texts)—comprehensively secures the fourth front: the proprietary information. Now it is time to go beyond the competition.
PART III
MONITORING IDENTITY THEFT
Go beyond the competition.
—Judith’s Maxim
CHAPTER 20
THE CUSTOMER SECURITY PROGRAM
At the time this book was first drafted, no financial or other institution was known to offer customer assistance programs for customers who became victims of identity theft. Since then, and only in recent months, the nation’s largest banking institution, CitiCorp, launched its identity theft customer call center. As of this writing, Citi is blanketing the market with thoughtful and eye-catching identity theft advertisements.
The author spent some time at CitiCorp’s New York headquarters consulting on its identity theft program. I evaluated Citi’s customer call center protocol, reviewed the impressive Citi Tool Kit of helpful information for victims, and taped interviews for satellite announcements of Citi’s identity theft program. All businesses, regardless of size, type, or location, could follow Citi’s progressive lead, because identity theft is here to stay. But to be successful, not all programs must be as elaborate as Citi’s.
This chapter lays out a simple, inexpensive, and easy-to-implement eight-step customer security program that has a proven track record of success. The program is based on practices developed in the Identity Theft Lab at Michigan State University (MSU). The program evolved, since 1999, from experiences working with hundreds of identity theft victims and their families. These victims include company employees, corporate officers, college students, parents of younger children whose identities were stolen, young couples, retirees, elderly people, and people of many different races and ages, touching all walks of life, from across the United States and Europe.
The customer security program proposed here for your company is based on information compiled from these many interactions with victims, conducted by faculty and staff over countless hours in one-on-one sessions at the MSU Laboratory, over the telephone, and via U.S. and e-mail. From these many victims, we learned about the process of healing, which is applied as the basis for the customer security program.
The theory and practice of the process of healing is not new with this chapter. It was first published in Identity Theft First Responder Manual for Criminal Justice Professionals: Police Officers, Attorneys, and Judges 1 and is now used in police departments across the country to help officers understand and work with identity theft victims.
You can readily and easily adapt a customer security program for your company from methods that now are used successfully by hundreds of police officers and other criminal justice professionals. Reinvention is unnecessary. The eight steps in the customer security program proposed here adapt materials from the First Responder text, which is recommended as your resource for Standard 14.
STANDARD 14. CUSTOMER SECURITY PROGRAM
Goal: To adapt the methods described in the Identity Theft First Responder Manual to a customer security program for your company.
Specific Objectives: To provide employees, customers, and their families who have become victims of identity theft with: (1) needed resources for the first four crucial steps to recover financially, (2) instructions for collecting information that will help the investigation, and (3) practical steps toward the process of healing.
Orientation
The customer security program consists of eight steps of instructions that a company victim advocate would follow in instructing victims on a series of exercises to perform to help in the recovery from identity theft. These eight steps also can be used for seminar presentations, company workshops, community awareness programs presented for public service by your company, or an online customer security program. Before using this program, it is helpful to be aware of the reactions of victims upon learning of the theft of their identities.
Research on Victims of Identity Theft
The MSU Identity Theft Partnerships for Prevention recently conducted focus group interviews with male and female executives whose identifying data were stolen from a company’s payroll records. Using the executives’ identities, the perpetrators created bogus checks and credit cards, which they used to purchase a wide variety of goods and services from companies across the United States.
In addition to these executive data, the partnership faculty also collected data on the emotional health of male and female identity theft victims ranging in age from 23 to 76 years. The identity theft victims consistently reported a number of common emotions.
The majority of
victims were fearful when they first learned of the identity theft. Fearing the unknown, these victims did not yet know the extent of the crime or whether the perpetrator had also victimized a spouse, children, parents, or other family members. Females frequently, and males less often, expressed an offensive and repugnant feeling of being personally violated by some unknown person, somewhere.2
These expressions of personal intrusion often were followed with feelings of despair and helplessness: There was little the victim could do, and law enforcement would not help. (In recent years, law enforcement, though lacking resources, has begun to take identity theft complaints.) As a result of the feeling of helplessness and the related sense of having no control over the situation, victims commonly become frustrated—an emotion often exacerbated by difficulties victims encounter when trying to resolve credit issues with insensitive company representatives. Anger can develop from unrelieved frustration, and anger is a precursor to depression. In the MSU Identity Theft Lab, we have seen victims at all stages of emotions, including individuals suffering from clinical depression.
Additionally, most victims reported a lack of trust—for coworkers, friends, and acquaintances and for companies where they had used their personal information. They also reported distrust of using personal information for future purchases of goods and services.
We learned from our work that although victims commonly suffer similar emotions, they do not suffer them to the same extent. While the common emotions are the same for most, recovery depends on the type of crime that was committed using the stolen identity, the extent of financial loss to the victim, and individual differences in psychological “hardiness” whereby some victims recover more quickly than others.
We later discovered an interesting phenomenon. Victims who began working on the exercises given them in the ID Theft Lab (subsequently reported in the First Responder Manual) circumvented the experienced emotions, usually at the point of helplessness. Although many of these individuals became frustrated and angry at the situation, and sometimes at insensitive company representatives, we have since seen no extreme cases of psychological distress for victims we have assisted. Although this revelation occurred over time, it was not surprising. Considerable research in social psychology indictates that people need a sense of control over their destinies and even the moment, in anticipation of how to act or react to a person or an event. When we aided victims to gain control through exercises to help resolve their identity theft issues and uncover relevant information for law enforcement investigations, these individuals no longer felt helpless. To help them avoid frustration, we now even alert victims to what they might expect when trying to resolve a credit issue with some company’s uncaring employee. By eliminating antecedent emotions, the others on the continuum, ranging from the initial fear to helplessness, anger, and depression, can be mitigated if not prevented.
Ultimately, most, if not all, victims of identity theft reach the acceptance stage. That is, they come to accept that, although someone still may have their identifying information and someday they may be victimized again, these victims have performed the exercises for protection, and there is no longer a need for fear. Here is how the advocacy process works for each victim.
Eight-Step Customer Security Program
Estimated Time: 30 Minutes per Victim
The process of healing, and the customer security program, is comprised of a series of exercises that victims must perform on their own. Your company’s victim advocate must:
Listen to the victim’s story.
Express concern.
Provide brief instructions for the eight steps the victim must take to protect the future flow of personal information.
From experience with hundreds of victims, we know that this meeting with a victim can take from 15 to 20 minutes and can be conducted online, over the phone, by e-mail or U.S. mail, or in person on a one-to-one basis.
The series of exercises and all instructional information are based on material previously published in the First Responder Manual and its small paperback companion, The Victims’ Assistance Guide, and cannot be reprinted here.3 However, the exercises and the process of healing is so effective for victims that it can become the standard for customer security for every company willing to provide victim advocacy and to obtain the Victim’s Guide from Amazon.com or direct from Looseleaf Law Publications (1-800-647-5547). The list price is $3.95. Purchased in bulk to provide copies for victims (or for customers to avoid becoming victimized), the Guide can be obtained for nominal cost.
The effort and expense is negligible relative to the potential loss of even one customer who has been victimized and who may otherwise close all business accounts, including yours. Moreover, your company also may wish to invest in a marketing plan to attract new e-shopping as well as in-store customers by proactively promoting your new Customer Security Program.
Since the material cannot be republished here, I urge the project team to obtain and use the Guide to create a standardized document for working with victims of identity theft.
Eight-Step Customer Security Program: A Standardized Document
Step 1. First, listen to the victim’s story. Victims of identity theft often suffer equally as much as do victims of other types of crimes. By simply listening and informing the victim that help is available, the advocate conveys a message of concern.
Step 2. Spend a few minutes reviewing the first few paragraphs that provide the instructions for the “Process of Healing” (found on p. 5 in the Guide). Inform victims that the exercises that will help reconcile and resolve the financial, emotional, and other losses may take as many as 40 hours or more, but that each exercise is important for recovery. Recommend that victims purchase a notebook before beginning the journey, to record information they uncover through the exercises and to make notes on potential evidence for the police investigation.
Step 3. Instruct victims that, if they have not already done so, they should perform the next tasks as soon as possible and in the following order:
File a complaint with the police department: Identity theft is a crime.
Contact each of the credit bureau agencies: TransUnion, Equifax, and Experian. (Complete contact information is given in the Guide.)
Contact the bank and place a password on all banking and other financial accounts. (The Guide gives specific instructions on passwords.)
Contact credit card and all other businesses they have accounts with, placing passwords on those accounts as well.
Step 4. Discuss with victims the findings of the MSU Identity Theft Lab that show that most victims experience the same continuum of emotions to one degree or another. Emphasize also that such emotions can be short-lived for victims who become actively involved in their own financial and emotional recovery.
Step 5. The Guide lists dozens of other contacts victims may need to make depending on the type of identity crime. For instance, if the crime involved fraudulent or stolen checks, check verification companies should be notified. If the crime involved securities transactions, the U.S. Securities and Exchange Commission (SEC) must be informed. If the perpetrator used a driver’s license with the victim’s name, the state department of motor vehicles must be contacted. Victims should make these and/or many other contacts listed in the Guide.
Step 6. Inform victims of the importance of obtaining a credit report every six months for at least the next two years, from each of the credit reporting agencies—each report may contain different information. Describe how information on a credit report can be a tip-off for identity theft. For most identity crimes, the present address on a victim’s credit report is the perpetrator’s post office box or other mailing address where the fraudulently ordered credit card or merchandise is to be delivered. The Guide contains all information on how to read and interpret credit reports, so advocates need not review that material with victims.
Step 7. Victims should be advised to write many letters: to correct personal information on cre
dit reports, request businesses remove fraudulent charges from accounts, dispute fraudulent charges with credit bureaus, and so forth. Each of these letters requires victims to submit specific information, and the Guide provides a form for each letter.
Step 8. Finally, when all stops have been put in place to prevent further victimization, victims can begin collecting information to assist the police in an investigation. Police departments, due to lack of resources, often do not investigate identity thefts. However, from considerable experience, the author knows that if the police are provided with enough pertinent information that leads to a suspect or ties the case to another, the chances are good for an investigation. This is where victims become invaluable to investigators, by recording information about the identity theft, including: when the theft was first discovered; how it was discovered; recent phone calls, e-mails, or other contacts in which victims disclosed identifying information; when victims last used a health card, driver’s license, and other pertinent identification.
The First Responder Manual includes a section on the types of background information needed for an identity theft investigation. An important note, however: Victims must not engage in self-help by making phone calls or other contacts with individuals suspected of the identity theft. This is police work. The victims’ role is to assist the police investigation, not to operate it. Emphasize to victims the array of ways identities are susceptible to theft. The Guide provides victims with an exhaustive checklist of preventive security precautions.
CONCLUSION
A customer security program need not require a phone bank or call center, or the development of an expensive portfolio of bound brochures or slick documents. All that is necessary is the implementation of a simple eight-step program to help guide victims to help themselves.
Preventing Identity Theft in Your Business Page 17