Preventing Identity Theft: Protecting Customer and Employee Private Information by Donna Ray Chmura

Identity theft occurs when someone uses personally identifying information, such as Social Security numbers or credit card numbers, without permission, to commit fraud or other crimes. Thieves obtain this personally identifiable information by going through business trash, intercepting credit card information, “pretexting” or “phishing” to obtain personal information under false pretenses, or hacking into vulnerable computer systems.

Identity theft is serious. While some identity theft victims can resolve their problems quickly, others spend thousands of dollars and countless hours repairing damage to their good name and credit record. Some victims may lose out on jobs, or be denied loans because of negative information on their credit reports. In rare cases, they may even be arrested for crimes they did not commit. And the business that allows customer information to be compromised faces a significant customer relations problem.

Many companies collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. In addition, businesses collect and store a multitude of personal information from their employees as well. It is essential that businesses take adequate steps to safeguard this data, and to prevent identify theft.

Employers should keep employee personnel records under lock and key. These records contain names, addresses and Social Security numbers, as well as performance information and salary history. Stored separately, and also under lock and key, should be information relating to employee health information, including workers comp information, doctors’ notes, and leave requests.

These records should be taken out only when needed, and otherwise locked. Employees should not leave this information lying around. Rather, employees should secure such information if they need a bathroom break or are needed on the sales floor.

Protecting customer information is just as important.

First, be conservative in what information is collected in the first place. What is the minimum amount of information needed on each customer? Social Security numbers should be used only for reporting employee taxes and not as customer identification numbers.

Think about whether you should keep customer credit card numbers and expiration dates on file at all. Does it serve an important business function? Is the convenience to your customers of having this information on file important enough to justify the potential risks? Full credit card numbers should not be printed on receipts – use the last four digits only. Expiration dates should not be stored. Check the default settings on credit card processing machines and make sure they are not set to store this information permanently and are printing only the last four digits of the credit card number.

If you do need to keep private customer information for business reasons or to comply with the law, we recommend having a written document retention policy that sets forth how long you will keep the information, and how you will destroy it.

Paper records should be shredded so that they can’t be reconstructed. Media containing electronic records should be erased or destroyed so that records cannot be recovered or reconstructed.

Many of these records will be kept electronically. It is imperative that your computer have adequate firewalls and anti-virus protection. These programs should be updated regularly. Sensitive information should be kept in password protected files.

Sensitive information may also be stored in cash registers, inventory scanners or cell phones, and the security of these devices should be assessed as well. If possible, store sensitive information on a computer that does not have an Internet connection. Web applications, including those where you send information to vendors, are particularly vulnerable to hackers or security breaches.

If a computer is compromised, disconnect it immediately from Internet access. Investigate incidents immediately. You may be required by law to make certain notifications to customers, law enforcement, credit bureaus or your business partners (banks, credit card processors, etc). It is important to have a security plan in place.

The Federal Trade Commission has significant information on how to protect yourself and your customers from identity theft, as well as what to do if you’ve had a breach of security. For example:

About The Author

Donna Ray Chmura is a North Carolina attorney and works with business formations, contract drafting and purchase/sale of businesses. She is a member of the Business, Finance and Real Estate practice group. If you have additional questions, please contact Donna Chmura at

Finally, a Step by Step Blueprint to Identity Theft Protection Without Those Monthly Fees. CLICK HERE!

Technorati Tags:


Leave a Reply