Feature Article
Mark Pribish
Small Business ID Theft is an Emerging Risk Management Issue
By Mark Pribish
Vice President and ID Theft Practice Leader

Preface: Understanding that our ID Theft Newsletter is written to educate consumers about the consumer risks related to identity theft and data breach events, it has come to our attention that a number of our readers are entrepreneurs and small business owners. Therefore, our July issue has a different educational slant - and that is how small business identity theft has become an emerging risk management issue affecting consumers and small businesses alike.

Most people believe ID Theft is only a problem for the individual consumer.

However, based on the growing number of small business data breaches in the news - small business identity theft and fraud has become a new risk management issue.

That said, let's begin with what we know including:

  • Small Businesses handle sensitive customer and employee information including social security numbers, bank/credit card/loan account information, driver's license numbers, birth dates, etc.
  • Small Businesses use e-mail, computerized accounting, electronic procurement, and/or store electronic employee and customer information

Now here is some information you may not know:

  • A Third of Global Targeted Attacks are Aimed Against Small Business, Yahoo Finance - July 12, 2012
  • Cyber Attacks Targeting More Small, Midsize Businesses, Business Insurance - April 16, 2012
  • The Total Cost of a Data Breach is $194 Per Compromised Record, PC World - March 20, 2012

The facts are that criminals are more likely to target smaller businesses since most small business owners do not have the time, knowledge and/or resources to appropriately protect employee and customer data.

To make matters worse, Verizon found that nearly three-quarters of data breaches in 2011 were businesses of 100 employees or less.

So there are three things small business owners need to know to protect themselves including (1) understanding the risk (2) understanding regulatory and data laws and (3) understanding enterprise risk management:

Understanding Small Business ID Theft Risks where the loss of business account information such as the Employer Identification Number (EIN) or business bank account information along with employee or customer data (e.g. credit card number, checking account number, social security number, driver's license number).

This sensitive information can be used to initiate unauthorized activities that appear to be in the name of the business and/or employee and customers. It is quite similar in concept to personal identity theft except that small businesses DO NOT receive the same consumer protections as individual consumers.

Understanding the Regulatory and Data Security Laws including the FACT Act Red Flags Rule, the HIPPA HITECH data breach requirements and the 46 State Security Breach Notification Laws.

If your small business experiences a data breach, you will most likely have to respond to one or all of the above state and federal laws. Failure to comply is illegal and can result in fines and penalties negatively affecting your business.

Understanding Enterprise Risk Management. Whether you are a one person company or a 10 person company, your legal and financial liability - in the event of a data breach - could be the same as a Fortune 500 company.

That said, basic risk management action items that can support your company's enterprise risk management objectives include:

  • Increase employee awareness of information security/governance
  • Increase awareness of ID Theft related events/trends
  • Understand what type of customer and employee data is being collected and stored
  • Implement baseline safeguards and controls
  • Vigilance – including annual Pre-employment Screening

To conclude, implementing an enterprise risk management approach can protect your small business and implementing a consumer risk management approach can protect you and your family.

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.


Scam Central

Door-to-Door Security Alarm Pitches. Sound the Alarm!

When it comes to feeling safe in your own home, almost anyone with a home security system would gladly tell you they feel more secure knowing that if someone were to attempt to break into the house, the alarm would at least sound and the company monitoring their home would send emergency services as quickly as possible. There is comfort in knowing that someone or something, even if it is only an electronic sensor, is keeping an eye on the place - especially while you and your family are sleeping or away.

Security alarm systems are just one of the many options to choose from when you have a new home built. For those who move into existing housing, or for those who chose to skip an alarm system in favor of a home theater when their house was originally built, the ability to have a security system installed later is a convenient option. There are plenty of companies eager to sell and install their security systems, but be vigilant when purchasing your security system. There are just as many scam artists and deceptive sales people out there that either want a piece of the action, or want to sell you something you do not need, something that does not work, or something that is not worth what you will pay for it. All this, while starting with a pitch at your door!

How It Works:

A salesperson knocks on your door looking to sell you a new home security system, or an upgrade to your existing security system. They may explain that your equipment needs to be changed because your current one is out-of-date or is no longer covered under your monitoring plan, when in actuality, it works fine and is still covered. This is merely an aggressive sales tactic from a person trying to make a sale.

With a new system installation pitch, you may find that you will not have to pay for the installation or the equipment, but you will have to sign a long-term monitoring contract. This is another aggressive tactic. What the sales person will fail to tell you is that this long-term contract is expensive and not worth the monitoring coverage you will receive.

But the real problem is, this sales person may not represent a home security system company at all. They may be an opportunistic scam artist pretending to setup the sale with a promised installation date later. When the day arrives and no installation technician shows up, you call the number on the contract only to find out it is not a valid number or is no longer in service. Or you may learn from the company that the individual you just gave money to does not work for the company at all. He has used some invoices and fake documents to scam you into signing up and handing him a check or credit card number.

Your Defense:

Before you allow anyone into your home to make a sales pitch, do not be afraid to say ask for identification. Companies often outsource their sales to contractors who do the door-to-door approach and make the initial sell. These individuals will receive a percentage of the sale so the more they sell the more they make. Do not be afraid to say no, or to ask someone to leave your home, property or doorway if you are not interested. If you are interested, but feel apprehensive about potentially being scammed, do not be afraid to arrange for a later appointment once you have verified the individual or the company's credentials.

Do not fall for pressure or scare tactics from an aggressive sales person. You are well within your rights to ask questions and refuse service or further solicitation from any company or contracted solicitor. If an aggressive sales person refuses to leave your home, call the police and have them removed, forcibly if needed.

If someone claims that they need to replace your security equipment, call your monitoring company immediately and verify the necessity of the update. More often than not, a company will call you well ahead of time or inform you by mail of any necessary equipment changes and setup an appointment with you for the equipment switch. It is unlikely that they will just show up on your doorstep, unannounced, and surprise you with changes you did not expect.

Home security systems can increase the value of your home and provide a sense security at the same time. Just make sure you purchase your system or upgrade from a qualified and legitimate company that is not out to rip you off.

If you believe your identity has been stolen, call 866.SMART68 today.