Coinciding with the widespread adoption of computer technology and the use of the internet to conduct business, identity theft is the fastest growing crime in the country. According to federal statistics, more than 20,000 Texas families file identity theft complaints each year – and that number reflects only those who know they were victimized. For many, it takes months or years to discover they have been victimized, and by that point they have been substantially harmed. Nationally, it is estimated that identity theft drains at least $50 billion from our economy – most of these losses are absorbed by businesses when identity thieves run up huge lines of credit and make purchases under the names of their victims.
Reacting to this problem, new Texas laws have reinforced the need for businesses to handle and dispose of their customers’ personal information with care. Exposing your customer’s information to the risk of identity theft can carry hefty penalties, even when the information does not end up in the wrong hands.
Businesses commonly mishandle sensitive information by failing to shred receipts and other documents with customers’ personal data before throwing them into the trash. According to the Texas Attorney General’s office, State investigators conduct routine spot-checks as part of ongoing enforcement efforts, and the Texas Attorney General’s office has brought several legal actions against large companies that have improperly disposed of records with information such as credit card and Social Security numbers.
Several new laws can result in fines for businesses that mishandle information. New provisions of Chapter 35 of the Business and Commerce Code require businesses to develop retention and disposal procedures for their clients’ personal information. The law provides for fines of up to $500.00 for each record that could potentially land in the wrong hands. The new Identity Theft Enforcement Act can mean fines of up to $50,000.00 – even for a single record. Additionally, businesses that give consumers specific reassurances about how their privacy will be protected and subsequently fail to live up to those promises could face penalties of up to $20,000.00, per violation.
In light of the potential for fines imposed by the State and lawsuits from affected customers, businesses should carefully review their practices and put into place necessary measures that will prevent clients’ personal information from ending up in the wrong hands.
Credit and employment applicationsThe following are some of the types of customer information most susceptible to being mishandled or improperly discarded by businesses:
Credit and debit card numbers
Social Security numbers
Bank account information
Mother’s maiden names
Dates of birth
Account numbers within the business (i.e. membership number).
This information commonly appears in the following paper documents and electronic files:
Checks / money orders
Sweepstakes entry forms
Email / hard copy correspondence
Disks, magnetic tape, and all other data storage devices
As an initial part of any business’ plan to protect its customer’s information, businesses should develop a list of all the types of information they handle, who handles it, where that information is maintained and how it is disposed of when it is no longer needed. Once the flow of customer information is understood, businesses should create written protocols about how to properly handle that information and how to dispose of it. These protocols could include shredding applicable paper documents, permanently deleting electronic files, and properly destroying / wiping old computers and data storage devices.
Businesses should be particularly careful when disposing of storage devices and old computers. Simply hitting the “delete” button seldom erases data from a disk or hard drive. Ideally, computers should be professionally “wiped” before they are discarded.
Businesses that obtain consumers’ personal information through websites, such as accepting credit cards to purchase goods and services, must be careful that those pages are properly safeguarded. Because of the constantly changing nature of the internet and the tactics used by hackers, businesses should review and update security measures for their websites and internal systems on a regular basis.
Computer technology and the internet have opened up new lines of business and streams of customers for many businesses, and have improved the efficiency and productivity of most. Unfortunately, at the same time, new opportunities have been created for theft. New Texas laws highlight that it is no longer good enough for businesses to enjoy the benefits of new technologies without accepting the responsibility of taking reasonable steps to protect their customer’s information. Businesses must be proactive about understanding their responsibilities and taking steps to meet them.
Sam Burke is board certified by the Texas Board of Legal Specialization in Civil Trial Law and can be reached at email@example.com and www.dentonlaw.com.