Preventing Identity Theft in Your Business
Page 18
Your company’s program can use materials in already published documents, including the Guide but also others. As another alternative, for each of the eight steps, the project team can conduct an Internet search on that step’s topic to generate volumes of public domain literature on whom to contact, where, and what steps to take toward recovery. For example, the Federal Trade Commission (FTC)1 is an excellent resource. In the next chapter, customers learn to use your “best practices” to prevent identity theft.
CHAPTER 21
E-COMMERCE “BEST PRACTICES” FOR CUSTOMERS
Consumers are frustrated by the lack of protection of their personal information. Most companies will not acknowledge they have been victims of identity theft for fear they will lose customers. However, within the past year especially, the flag of identity theft awareness has been raised high, and consumers now know that no business is exempt. An open letter to acknowledge the threat of identity theft and inform consumers of your company’s Security Standards will impart the message that you care and have done something about it. In this chapter, the project team extends consumers an invitation to security using three practical, cost efficient, and easy to implement business approaches.
STANDARD 15. E-COMMERCE “BEST PRACTICES”
Goals: (1) Develop a list of e-shopping “best practices” for consumers, (2) compose “invitation to security” letters to consumers, (3) create a company Web page titled “E-Commerce Best Practices for Our Customers.”
Specific Objectives: The objectives for Standard 15 are to develop three marketing tools, or invitations to security. First, develop an exhaustive list of e-shopping “best practices” for security. Next, create a series of one-paragraph letters announcing how your company protects its customers and employees on four business fronts: people, process, property, and (thereby) proprietary information. Finally, use the letters and the list of security best practices for a Web page titled “E-Commerce Best Practices for Our Customers.”
Orientation
The three exercises for this Standard require structured and formal brainstorming followed by cause-and-effect analysis using the four M’s—manpower, method, machine, and materials. For efficiency in time and effect when conducting the exercises, continue to carefully follow the instructions for using these quality-to-security tools.
Exercise 1. Develop E-Commerce Best Practices
Estimated Time: Three Hours
In step 1 and using the team approach, conduct structured and formal brainstorming to generate a list of “best practices” for consumers when e-shopping. In step 2, review your company’s current Web site—in a subsequent exercise you will add the new “best practices” page. This list (created below in step 1) will be used for a series of letters in exercise 2 and for the creation of a Web page in exercise 3. The list also may be used later as a marketing tool for company newsletters, flyers, inserts for billing statements, and other business applications
Step 1. Use these points as a start for developing a list of e-shopping best practices.
Know the merchant. Otherwise, verify and confirm the merchant’s authenticity with the Better Business Bureau in that city or state.
Even if you know the merchant, be certain the Web site is secure. Look for a graphic, such as a lock, at the bottom right corner of your browser bar.
Before conducting business online, carefully read the company’s privacy policy. Beware if there is no privacy policy. You need to know how the company will use your personal information.
Never give bank account numbers or Social Security numbers to online merchants.
Shop with a low-limit credit card used only for online shopping.
What is the company’s return policy? Where are returns sent? Make sure the company Web site lists complete contact information: name, phone number, address, and the name of a contact person.
Does the company Web site provide a toll-free telephone number? Call this number to verify the authenticity of the contact information.
Shipping and handling charges vary widely from merchant to merchant. Verify these fees before ordering merchandise.
Be a comparison shopper. Visit several Web sites to compare prices and added fees.
Print a copy of the purchase order showing the confirmation number, in the event of lost merchandise.
Does the Web site display the “Seal of Information Security,” indicating consumer identities are protected by the Business Information Security Program (BISP) Security Standards?
Does the merchant’s Web site display the BBB OnLine Reliability Seal? Or the TRUSTe seal? Although these seals do not guarantee security, companies that purchase them are usually legitimate.
Now increment this list with additional ideas: visit the Federal Trade Commission’s Web site at www.ftc.gov/bcp/conline/pubs/online/cybrsmrt.htm and the American Bar Association’s Web site at www.safeshopping.org.
Next, can you generate some innovative, not-yet-published ideas based on your experiences as shoppers and also business employees? Use the quality-to-security tools—brainstorming and cause-and-effect analysis—to generate some unique ideas for safe and secure cybershopping. In the next step, peruse your own company’s Web site.
Step 2. Visit your own company’s Web site. Does it meet all of the above criteria? Be sure your company practices what it preaches. Recommend any necessary modifications be made before continuing to the next exercise.
Exercise 2. Create Letters to the Consumer
Estimated Time: Four Hours
It is time to brag about your safe and secure company. Using the e-shopping best practices list from exercise 1 together with details on the security standards your company provides for its customers and employees, create a series of one-paragraph letters to the consumer, for use in a series of newspaper advertisements, and meet with management to develop a time plan to integrate these letters into the company’s broad e-business marketing plan.
Step 1. Divide the team into groups and work together to create 10 letters—5 per team. The guidelines for the format of the letters are:
Each letter is to be no more than one paragraph in length and consist of no more than five short sentences.
Each letter is to be complete with date, salutation (to our customers and employees), and signature (company chief executive officer).
Each letter is to follow from the previous letter, so that the letters can be published sequentially.
There are two guidelines for the content of each letter:
In three to four sentences, tell a short story about how your company protects its people (hint: think about a Security Standard).
In one to two sentences, give customers a helpful tip or two for safe cybershopping.
When creating these one-paragraph letters, incorporate the term “identity theft.” After all, that is what this is all about
Step 2. Now implement the plan. Working as a team, discuss, decide, and set a calendar—time, date, and place—for unrolling the series of letters. Then meet with management to propose and integrate the plan into the existing marketing program.
Exercise 3. Create a Web Page
Estimated Time: Three Hours
The project team now has all the necessary content material to design a creative Web page titled “E-Commerce Best Practices for Our Customers.” To create this page, work together as a team using the items generated in exercise 1 together with the brief paragraphs created in exercise 2. Create a “clean” and easy-to-read page for current and potential customers by interspersing the brief paragraphs on how your company employs the BISP Security Standards for their protection. For emphasis, use bullet points for items that provide tips for safe e-shopping.
In summary, the project team, and your company, has gone beyond the competition in two important ways. First, you have proactively confronted identity theft by promoting the security standards for prevention, and, second, your open letters to consumers and the Web page for customers communicate the positive messag
e that consumers wish to hear: Your company cares. Monitoring identity theft continues in the next chapter with legislative controls that prevent identity theft but that do not jeopardize a company’s budget or operations.
CHAPTER 22
THE LEGISLATIVE PROCESS
Financial and other institutions must take a stand on identity theft legislation before others take a stand against them. That is, some legislation could be enacted that would require cost prohibitive measures for compliance that, for some companies, could jeopardize the ability to compete and contribute to the overall economy of the United States.
Unfortunately, legislation is not always based on firsthand information. Financial institutions, which are closer to the identity theft problem, and other businesses are in positions of authority when it comes to identity theft legislation. Further, employees of those businesses are in the best position of all to influence enactment of cost-effective and preventive legislation that will not simultaneously impede the firms’ ability to do business. This chapter discusses identity theft on the legislative front.
STANDARD 16. IDENTITY THEFT LEGISLATIVE PROCESS
Goals: Design, propose, and prepare a press release announcing proactive legislation in identity theft prevention.
Specific Objectives: The majority of legislation on identity theft is reactive; that is, legislation enacted as a reaction to a crime already committed. Examples abound in numerous laws passed in the name of consumer protection. Reactive legislative is important. More important, however, is legislation that proactively prevents identity crimes from occurring in the first place.
At the same time, lawmakers who propose such laws may be unaware that many bills could potentially restrict business practices—the laws may require expensive methods for prevention or in other ways interfere with, or go beyond, a company’s financial capability.
Business has the best perspective from which to craft identity theft legislation. The objectives for Standard 16 therefore are to design preventive legislation that also is not prohibitively restrictive.
Orientation
To take a stand on identity theft legislation, the project team must, first, be aware of already enacted and proposed legislation. In preparation for completing Standard 16, carefully read the descriptions of federal and state legislation that has been enacted and proposed, beginning with the Identity Theft Act of 1998.1
Federal legislation makes the theft or criminal use of personal information a crime through the enactment of the Identity Theft and Assumption Deterrence Act of 1998 (Public Law 105-318). The act criminalizes fraud in connection with the unlawful theft and misuse of personal identifying information (i.e., name; address; mother’s maiden name; and Social Security, driver’s license, credit card, and other financial account numbers). A previous provision (Section 1028) dealt only with the transfer of personal information as it appears or is used in documents. The 1998 act amended now toughens the penalty provisions of Section 1028. With some exceptions, violators are generally subject to a fine and/or imprisonment of up to 15 years.
Section 3 of the act amends 18 United States Code Section 1028 by, among other things, adding a new subsection to establish an offense by anyone who “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”
“Means of identification” has been amended to include “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual.” Specific examples include an individual’s name; Social Security number; date of birth; driver’s license; unique biometric data, such as fingerprints or iris image; and unique electronic identification number and telecommunication identifying information or access device, such as an access code or personal identification number.
Since the 1998 Act and in response to an explosion in identity theft crimes in California, lawmakers in that state have led the way in identity theft legislation. For example, U.S. Senator Dianne Feinstein proposed legislation for speedier prosecution and tougher prison sentences for thieves who steal identities and use them to create fraudulent driver’s licenses, credit cards, passports, and other identifying documents. California also has many other proposals under review (or already enacted) that can be used as models for business-proposed legislation in other states. However, implementing and enforcing some proposed legislation may be cost prohibitive, especially for smaller companies.
Step 1. As a team, and in preparation for recommending legislation, review some laws enacted or proposed. Consider how some of the existing bills from other states may be useful in your state and for your company. Consider as well how some of those bills may serve to either impede or promote a company’s financial ability to compete. Knowledge of current federal and state laws may also trigger ideas for their amendments for extensions or other modifications, or for new laws that would serve your company (and society) by helping to foster a corporate environment of both security and economic growth. From these perspectives, therefore, read and discuss as a team the following summary statements from Senate Bills (SB) and Assembly Bills (AB):
Senate Bill 125, Alpert: Requires credit card companies, financial organizations, lenders, and consumer utility companies to give identity theft victims information about attempts to use their identities.
Senate Bill 168, Bowen: Prohibits any business or government agency from printing an individual’s Social Security number on any card required for the individual to access products or services.
Senate Bill 168, Bowen: Prohibits printing an individual’s Social Security number on any materials that are mailed to the individual, unless required by state or federal law.
Senate Bill 222, Torlakson: Requires the Office of Criminal Justice Planning to establish regional identity theft units. The units would investigate and prosecute identity theft suspects, conduct a public awareness campaign about identity theft, and act as regional information clearinghouses for victims, law enforcement, and media.
Senate Bill 661, Dunn: Requires the Department of Motor Vehicles (DMV) to create a biometric identifier from a driver’s license applicant’s thumbprint or fingerprint and ensure that each individual is issued only one driver’s license or identification card. The bill would prohibit the department from providing any information collected under these provisions to a third party.
Senate Bill 766, Karnette: Requires a person requesting a duplicate driver’s license to apply in person. The bill would require the Department of Motor Vehicles to compare all photographs and information on file to the likeness and information obtained from a person requesting the duplicate.
Assembly Bill 468, Cohn: Requires a person who is requesting a duplicate driver’s license or identity card to provide photographic proof of identity.
Senate Bill 1050, Torlakson: Requires the Department of Consumer Affairs to report to the legislature on a system to permit retailers to verify identification when a customer uses a check or credit card, and on a system to ensure that businesses comply with the law that prohibits printing more than the last five digits of a credit card number on receipts.
Assembly Bill 60, Cedillo: Requires every driver’s license application to contain the applicant’s Social Security number, but specifies that it shall not be included on any driver’s license, identification card, registration, certificate of title, or any other DMV document.
Assembly Bill 245, Wyland: Redefines the crime of identity theft to eliminate the requirement that the prosecutor must prove that a perpetrator obtained the victim’s identifying information without authorization.
Assembly Bill 371, Koretz: Requires a consumer credit-reporting agency to notify a consumer when the agency has received five credit inquiries in a 60-day period or has received a report that would add negative information to the consumer’s file. The reporti
ng agency then would be required to give the consumer a free copy of his or her file on request.
Assembly Bill 488, Kehoe: Gives a consumer the right to request and receive a record of all inquiries to a consumer credit reporting agency resulting in the provision of information about the consumer in the year preceding the consumer’s request, and would require a consumer credit reporting agency to disclose, upon request of the consumer, the credit inquirers’ customer service addresses and telephone numbers.
Assembly Bill 655, Wright: Allows a consumer to request his or her name be removed from lists that a consumer credit reporting agency furnishes for credit card solicitations, and would require the agency to inform a consumer of this.
Assembly Bill 1155, Dutra: Makes it a felony-misdemeanor for a government employee, as part of an identity theft criminal conspiracy, to give a driver’s license, identification card, vehicle registration, or other DMV document to a person who is not entitled to the document.
Assembly Bill 1289, Florez: Prohibits a financial institution from disclosing or making an unrelated use of a consumer’s personal information without the consumer’s prior written consent The bill also would prohibit a business, private organization, or state or local agency from using a person’s Social Security number to identify the person as an employee or client.
Assembly Bill 1474, Briggs: Requires the DMV to create a fingerprint identification system to be funded from the fees charged for driver’s licenses and identification cards.
In addition to the above proposed or enacted legislation, U.S. Senators Dianne Feinstein (D-Calif.), Jon Kyl (R-Ariz.), and Chuck Grassley (R-Iowa) have introduced legislation that would require credit bureaus to inform a consumer if someone applied for a credit card in their name from an address other than the one the bureaus have on file.