Many victims of identity theft are individuals, but businesses can be victims as well, especially those in the financial services industries. The rate of company data breaches has grown significantly in the recent past. Exposures can be as simple as an employee losing a laptop or as complex as a security breach by hackers looking for sensitive files. No matter how simple or complex, potential losses due to identity theft have tremendous impacts on businesses as well as the customers the information belongs to.
Businesses have many important responsibilities in protecting the privacy and security of confidential customer information. Effective data security begins with assessing what information the business collects and stores, as well as who has access to the information. Understanding how the sensitive information moves into, through, and out of a business and who has, or could have, access to it is essential in evaluating security vulnerabilities.
Every business that collects and maintains any customer information should adopt a strict policy that covers the following information. For additional information, see our "Identity Theft Publications" on this site.
- Acquisition of customer information. Clear limits should be placed on the type of customer information that is necessary. For most businesses, there is no clear and compelling reason to collect social security numbers. Companies should review their data collection practices and eliminate the collection of all non-essential customer information.
- Use of social security numbers as employee or customer identifiers. Companies should avoid using social security numbers to identify customer accounts. Do not use social security numbers for employee or customer ID numbers. Do not print employee social security numbers on payroll checks. Use of social security numbers may be governed by § 6-1-715.
- Conduct regular background checks on ALL employees with access to identifying information. That should include even personnel assigned to company mailrooms, cleaning crews, temporary workers and computer or other information technology staff. Partial criminal background checks are available from the Colorado Bureau of Investigation. You can research Colorado criminal history online for a small fee. This will not include federal criminal history or criminal history from the other 49 states.
- Store all customer files in a safe and secure location. Companies need to evaluate all security measures surrounding the storage of confidential customer information. This includes both paper and electronic documents. Access should be strictly limited to essential personnel trained in handling and protecting such confidential information. Adequate electronic safeguards must be in place to protect against unauthorized access to computer files and back-up storage tapes. Authorized access to computers should be protected by secure log-on and password procedures.
- Provide customers with clear policies regarding privacy. All customers should be given a clear and understandable company policy regarding the treatment and handling of confidential information supplied by customers. That policy should clearly describe what information is collected, safety and security measures in place to protect that information, whether the company sells or otherwise shares such information with affiliates or third parties, and the company's policies and procedures on document (both paper and electronic) destruction.
- Immediately report any breach in security. In the event of any unauthorized access to documents containing confidential customer information, have policies and procedures in place to isolate the information that has been compromised and promptly notify all affected customers of the breach. Also, promptly notify the appropriate law enforcement office of the breach. Colorado’s notice of data breach law can be found at § 6-1-716.
- Dispose of customer information in a safe and secure manner. Companies are required by law, § 6-1-713, to have specific policies in place for the destruction and disposal of documents (paper and electronic) containing confidential customer information. Do not simply discard files into a dumpster or delete files off of a computer. Records should be shredded to prevent “dumpster diving” through the business’s trash. Electronic files must be rendered unreadable, undecipherable, and unrecoverable.
Colorado consumers have greater protections regarding the use of their Social Security Numbers under the Colorado Consumer Protection Act. Under the Act, a person or entity may not do the following:
- Publicly post or display in any manner an individual’s SSN
- Print an individual’s SSN on any card required for the individual to access products or services provided by the person or entity
- Require an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted
- Require an individual to use his or her SSN to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required
- Print an individual’s SSN on any materials that are mailed to the individual, unless state or federal law requires, permits, or authorizes the SSN to be mailed. NOTE: SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the SSN. However, an SSN permitted to be mailed MAY NOT be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.