THE CONSUMER CAUTION CORNER
Protecting consumers’ personal information: A guide for business
This week, the Office of the Attorney General’s “Consumer Caution Corner” seeks to educate consumers and businesses about the substantial risks that arise when businesses collect consumers’ sensitive personal information and subsequently mishandle it, allowing hackers to gain cyber access and/or intruders or thieves to gain physical access. In either scenario, consumers, businesses, and the overall economy are all adversely impacted by the mishandling and theft of sensitive personal information.
How do data security breaches adversely impact consumers, businesses, and the overall economy?
• The Consumer: The consumer and her or his family will very likely become the victim(s) of identity theft (as detailed in previous weeks’ articles) or other fraudulent/blackmail behavior, which could lead to devastating financial loss and/or substantial damage to one’s credit score. The harm to the consumer’s credit score could lead to incalculable damage, depending on how long the consumer was unaware that her or his identity had been stolen. For example, when formally borrowing money from a lender, a consumer with a low credit score will typically pay higher interest rates than a consumer with a high credit score because the lender perceives the consumer with the low credit score as more prone to default.
• The Business: If the business does not have proper safeguards in place and/or mishandles consumers’ personal information, leading to a data breach, this can immediately threaten the livelihood of the business by subjecting it to substantial data breach costs, the loss of customers’ trust and business, damage to its goodwill, violations of state and federal law, and even private lawsuits brought by consumers.
• The Economy: Data security breaches leading to the theft of consumers’ personal information adversely impact the overall economy, as these acts of theft and fraud impose increased burdens on businesses to invest capital in security measures rather than in the growth of the company. The unfortunate reality is that businesses that have to incur these additional costs are often forced to pass these costs on to consumers in the form of higher prices for products and services. To best avoid these issues, always have a security plan in place.
What are the FTC’s five key principles for a sound data security plan?
For starters, the FTC takes the position that a sound data security plan is built on five key principles:
1) TAKE STOCK. Know what personal information you have in your files and on your computers.
a. Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of:
i. Who sends sensitive personal information to your business.
ii. How your business receives personal information.
iii. What kind of information you collect at each entry point.
iv. Where you keep the information you collect at each entry point.
v. Who has—or could have—access to the information.
b. Different types of information present varying risks. Pay particular attention to how you keep personally identifying information: Social Security numbers, credit card or financial information, and other sensitive data. That is what thieves use most often to commit fraud or identity theft.
2) SCALE DOWN. Keep only what you need for your business.
a. If you do not have a legitimate business need for sensitive personally identifying information, do not keep it. In fact, do not even collect it. If you have a legitimate business need for the information, keep it only as long as it is necessary.
3) LOCK IT. Protect the information that you keep.
a. What is the best way to protect the sensitive personally identifying information you need to keep? It depends on the kind of information and how it is stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.
4) PITCH IT. Properly dispose of what you no longer need.
a. What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed.
5) PLAN AHEAD. Create a plan to respond to security incidents.
a. Taking steps to protect data in your possession can go a long way toward preventing a security breach. Nevertheless, breaches can happen. Always have a plan in place.
For the complete “Protecting Personal Information – A Guide for Business” FTC publication, please pick up a copy at the OAG (on Capitol Hill) or request one by email from consumer_counsel@cnmioag.org. This publication and many other helpful FTC publications focused on educating businesses are available on the FTC’s website under the “Business Center” section, accessible at https://www.ftc.gov/tips-advice/business-center/privacy-and-security.
Each week, the OAG’s Consumer Protection Education Program shares FTC publications that provide consumers and businesses with the “know-how” to identify and protect themselves from unfair trade practices and marketplace schemes.
If you would like to file a consumer complaint, please pick up a form at the OAG (on Capitol Hill) or request one by email from consumer_counsel@cnmioag.org. After completing the consumer complaint, please submit it by email or in person.
We cannot give legal advice or act as your private attorney. If you need legal assistance, we will recommend that you contact a private attorney or legal aid organization.