Do you know the rules?

Washington has the 13th highest rate of identity theft in the nation, according to the most recent data from the Federal Trade Commission Identity Theft Clearinghouse, and a three-year study completed in 2006 by the Council for Better Business Bureaus shows the cost of identity theft nationally is $56.6 billion per year.

To combat identity theft, lawmakers are adopting stricter laws governing how personal and confidential information is handled, with the potential for fines or civil liabilities for those who do not comply.

In this climate, it is essential that businesses keep up to date on the laws governing customer personal information.

Most businesses collect personal information from their customers, from names, addresses or telephone numbers to sensitive bank and credit card account information, income and credit histories and Social Security numbers.

The Federal Gramm-Leach-Bliley Act governs disclosure of nonpublic personal information by financial institutions to protect the security and confidentiality of this type of information. However, what constitutes a financial institution is broadly defined – it covers all businesses, regardless of size, that are significantly engaged in providing financial products or services, including check-cashing businesses, payday lenders, mortgage brokers, lenders, personal property or real estate appraisers, professional tax preparers and courier services.

Such businesses are required to develop safeguards, and ensure their affiliates and service providers safeguard customer information in their care. They must develop a written information security plan to protect customer information, and that plan must be appropriate to the business’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.

As part of the plan, each financial institution must:

Designate one or more employees to coordinate its information security program.

Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate effectiveness of current safeguards for controlling those risks.

Design and implement a safeguard program and regularly monitor and test it.

Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain those safeguards, and oversee their handling of customer information.

And modify the program in light of changes in the firm’s business or operations, or the results of security testing and monitoring.

In addition to the security plan, financial institutions must take steps to secure the customer’s personal and confidential information. In order to protect such information, the FTC recommends businesses:

Take Stock: Know what personal information is in files and on computers.

Scale Down: Keep only the information that is needed for business.

Lock It: Protect information kept through physical and electronic security and employee training.

Pitch It: Properly dispose of information that is no longer needed.

Plan Ahead: Create a plan to respond to security breaches.

In addition to the federal act, Washington’s Identity Theft Act requires businesses to cooperate with victims of identity theft. If a business has information relating to violations of the Identity Theft Act, it must provide copies of all application and transaction information relating to the theft upon request of the victim. A business that refuses to provide the required information faces liability under Washington’s Consumer Protection Act.

The federal act and Washington’s theft act are not the only laws that potentially govern customer personal information retained by businesses – your business may also be regulated by the Fair Credit Reporting Act or Oregon’s new act.

It is essential for every business to re-examine its policies to ensure compliance; those that do not comply risk fines or civil liabilities.

 

John R. Bachofner is a shareholder in the Vancouver office of Bullivant, Houser, Bailey PC. Bachofner’s practice emphasizes business, commercial litigation, insurance coverage and creditor’s rights law. He can be reached at (360) 906-6340 or john.bachofner@bullivant.com.
