In our April 15 Alert, we discussed the Securities and Exchange Commission's and the Commodity Futures Trading Commission's new rules requiring certain entities regulated by the two agencies - including investment advisers, broker-dealers, mutual funds and commodity pool operators - to implement an identity theft prevention program. The program must include policies and procedures designed to identify and detect patterns and practices - known as "red flags" - that could indicate identity theft, and processes that respond appropriately to them once detected.
Identity theft is a serious threat. In 2012, more than 12.6 million adults became victims of identity theft in the U.S. And the costs have been astronomical. Data breaches cost companies an average of $6.75 million per incident, or $204 per compromised record. More importantly, the reputations of many companies have been damaged when sensitive customer information has been compromised, resulting in customers shopping around to do business with companies that have best-practice identity theft prevention programs. Below are steps to designing a best-practice program.
1. Conduct a data privacy and security risk assessment
- Risk assessment is the process of identifying and evaluating risks that can negatively impact the secure maintenance of confidential information. Such assessment also involves evaluating the controls (e.g., policies and procedures) put in place to mitigate those risks and monitoring the effectiveness of controls on an ongoing basis.
- Risk identification is a due diligence process focused on key interviews and document review aimed at surfacing risk activities. Interviews are likely to involve employees from information technology, human resources, internal audit, customer relations, legal and other groups that routinely handle confidential information.
- Risk evaluation is the process of analyzing and prioritizing risk activities. After enterprise risk activities have been identified, those risks must be prioritized based upon the likelihood and severity of a data breach.
- An adequate control environment contains many elements, including policies, procedures, standards, processes, audits, training, and seasoned employees. Controls need to be stress-tested through the application of plausible "what if" risk scenarios to determine whether there are control weaknesses. If control weaknesses are identified, the risk activities subject to control management should be placed on a priority list for corrective action.
- Since data privacy and security risks are ever changing, periodic monitoring of control effectiveness is necessary to address new and evolving threats. Monitoring also involves evaluation of changes to the business model, which could increase an entity's vulnerability to security threats.
2. Develop a written identity theft prevention program
After an entity has conducted a risk assessment, it will then have a handle on reasonably foreseeable internal and external risks to the security, confidentiality and integrity of records containing sensitive personal information. This information will enable the entity to design and implement a program that is appropriate to its size and the nature of its operations. A large company with several types of confidential customer accounts and employee files may need a complex program, while a small, low-risk business may be able to adopt a streamlined program. Regardless of the nature of a business, the program should include the following elements:
- Appointment of a program coordinator
- Process for identifying relevant patterns, practices and specific forms of activity that are red flags signaling possible identity theft (i.e., warning signs of people trying to get products or services who are not who they claim to be)
- Policies and procedures to detect identified red flags (e.g., process for verifying an account holder's identity or authenticating a customer's change-of-address request)
- Prevention and mitigation responses once red flags are detected (e.g., requesting another form of identification or reopening an account with a new number)
- Policies, procedures and processes addressing access, storage, transmission and transportation of sensitive customer and employee information
- Policies addressing the leakage of personal and proprietary information through employee use of social networking applications (e.g., Facebook, Twitter, LinkedIn)
- Procedures for the proper disposal of confidential information
- Ongoing employee privacy and security training, especially on computer security
- Disciplinary measures for employees who disregard or violate privacy and security policies
- Oversight of service providers (e.g., payroll vendors and insurance companies) given access to confidential information
- Safeguards to prevent terminated employees from accessing confidential information
- Secure user authentication protocols and access control measures to prevent unauthorized computer system access
- Up-to-date firewalls and security patches, together with malware protection and anti-virus software
- Encryption when appropriate and feasible
- Documentation of actions taken in response to data breaches
- Board of directors or senior management approval of the security program
3. Conduct periodic program reviews
The program coordinator should re-evaluate the program at least annually.
- Review and update technical, physical and administrative safeguards for securing confidential and proprietary information
- Adjust the program to reflect changes in internal or external threats to information security and changes to the business model
- Document post-incident improvements to the program