These days, it is almost impossible to be in business and not collect or hold personally identifying information — names and addresses, Social Security numbers, credit card numbers, or other account numbers — about your customers, employees, business partners, students, or patients. If this information falls into the wrong hands, it could put these individuals at risk for identity theft.
Still, not all personal information compromises result in identity theft, and the type of personal information compromised can significantly affect the degree of potential damage. What steps should you take and whom should you contact if personal information is compromised? Although the answers vary from case to case, the following guidance from the Federal Trade Commission (FTC), the nation's consumer protection agency, can help you make smart, sound decisions. Check federal and state laws or regulations for any specific requirements for your business.
When the compromise could result in harm to a person or business, call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police are not familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service. Check the blue pages of your telephone directory or an online search engine for the number of the nearest field office.
Information compromises can have an impact on businesses other than yours, such as banks or credit issuers. If account access information — say, credit card or bank account numbers — has been stolen from you, but you do not maintain the accounts, notify the institution that does so that it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of any information compromise, as well.
If names and Social Security numbers have been stolen, you can contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts for their files. Your notice to the credit bureaus can facilitate customer assistance.
Equifax
U.S. Consumer Services
Equifax Information Services, LLC.
Phone: 678-795-7971
Email: businessrecordsecurity@equifax.com
Experian
Experian Security Assistance
P.O. Box 72
Allen, TX 75013
Email: BusinessRecordsVictimAssistance@experian.com
TransUnion
Phone: 1-800-372-8391
If the information compromise resulted from the improper posting of personal information on your Web site, immediately remove the information from your site. Be aware that Internet search engines store, or “cache,” information for a period of time. You can contact the search engines to ensure that they do not archive personal information that was posted in error.
Generally, early notification to individuals whose personal information has been compromised allows them to take steps to mitigate the misuse of their information. In deciding if notification is warranted, consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from misuse. For example, thieves who have stolen names and Social Security numbers can use this information to cause significant damage to a victim's credit record. Individuals who are notified early can take some steps to prevent or limit any harm.
When notifying individuals, the FTC recommends that you:
It is important that your notice:
This model letter is provided as an example of how businesses might notify people whose names and Social Security numbers have been stolen. In cases of stolen Social Security numbers, it is important that people place a fraud alert on their credit reports. A fraud alert may hinder identity thieves from getting credit with stolen information because it is a signal to creditors to contact the consumer before opening new accounts or changing existing accounts. Potential victims of a theft also should review their credit reports periodically to keep track of whether their information is being misused. For some victims, weeks or months may pass between the time the information is stolen and the time it is misused.
This publication provides general guidance for an organization that has experienced an information compromise. If you would like more individualized guidance, you may contact the FTC at idt-brt@ftc.gov. Please provide information regarding what has occurred, including the type of information taken, the number of people potentially affected, your contact information, and contact information for the law enforcement agent with whom you are working. The FTC can prepare its Consumer Response Center for calls from the people affected, help law enforcement with information from its national victim complaint database, and provide you with additional guidance as necessary. Because the FTC has a law enforcement role with respect to information privacy, if you prefer to seek guidance anonymously, you may do so.
The FTC works for the consumer to provide information on identity theft. To file a complaint or to get free information on ID theft issues, visit www.ftc.gov/idtheft or call toll-free 1-877-IDTHEFT (877-438-4338). The FTC enters identity theft complaints into the Identity Theft Data Clearinghouse, a secure online database available to law enforcement agencies.
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.
Hot Links
Use Our Materials In Your Community
The President's Identity Theft Task Force
2006 Identity Theft Survey Report
Test Your Knowledge about Identity Theft – Take the OnGuard Online Quiz
Key Publications
Fighting Fraud with the Red Flags Rule: A How-to Guide for Business (PDF 22MB)
Seeing Through Stimulus Scams (PDF 126KB)
How To Plan and Host Protect Your Identity Days Kit (PDF 6MB)
To Buy or Not To Buy: Identity Theft Spawns New Products and Services To Help Minimize Risk (PDF 229KB)
Take Charge: Fighting Back Against Identity Theft
(PDF 4.9MB)
Information Compromise and the Risk of Identity Theft: Guidance for Your Business
(PDF 152KB)
Protecting Personal Information: A Guide for Business (PDF 3.47MB)