Nearly 10 million people a year fall victim to identify theft. It’s so widespread that celebrities, senators and even Federal Reserve Chairman Ben Bernanke have been swindled. That’s bad news for consumers. But if your business is the source of the information those identity thieves are exploiting, it could be bad news for you too.

The Federal Trade Commission, which has jurisdiction over identity theft, already has penalized several major corporations for lax safety procedures, and class-action consumer suits are on the horizon, according to a report by Kirk J. Nahra, a Washington D.C. attorney who specializes in privacy and information security litigation. That’s only part of the problem for business owners.
“The FTC can sue you over compliance, but compliance is only one of your worries,” says Tyler Wildman, CEO of Identity Theft Countermeasures Group, an Orange Park company that helps companies protect their data and provides identity theft insurance for employees. “You’re going to have all these people whose information was misused who are going to come after you. It’s a very deep rabbit hole.”
Wildman conducts security audits of local businesses to check whether they’re susceptible to identity theft and he says he sees obvious mistakes all the time. “I was in a company recently and I walked out with 13 driver’s license numbers and six Social Security numbers in about 10 minutes,” Wildman says, “and I was in street clothes.”
To protect yourself and your business against identity theft, he and other safety experts recommend you take these basic steps:

• Lock sensitive information in a file cabinet each time you and your employees leave your desks.
• Password-protect all computers, and change the passwords periodically. Also, don’t leave your passwords in obvious spots where they can be stolen, such as taped to the computer itself or the underside of your keyboard.
• If you require visitors to your company to list their driver’s license number or other personal information in a logbook, don’t leave the logbook in plain sight where the next person coming in can steal it.
• Don’t leave outgoing mail in a common area where it can be stolen and mined for customer data.
• Buy a shredder and use it. “If I walk up to a copier and there’s no shredder near it, it means the people who work there probably are throwing sensitive information in the trash where thieves can find it,” Wildman says.
• Don’t store customer credit card numbers. That opens you up to liability if the numbers are stolen.
• If you sell off surplus computers and copiers, wipe the hard drives first. “Most people don’t realize that the average office copier has a hard drive in it,” Wildman says. “If you get rid of a copier, a thief could potentially search the hard drive and find things such as checks or credit card info you may have copied.”

Creating an ID Protection Plan
Identity theft can be a plague on personal finances, as news reports demonstrate every day. But changes in Federal Trade Commission regulations are now making it a problem that some small business owners must address as well.
Under the FTC’s Red Flags Rule, which was enacted in 2008, certain businesses have to create a written Identity Theft Protection Program and take specific steps to safeguard customer information. Banks, credit unions and utility companies are covered under the regulation, as you might expect. But the FTC argues that so too are physicians, attorneys, mortgage brokers, real estate agents, auto dealers, private schools and others who are considered creditors because they bill customers after their services are completed.
“Basically, the FTC says any business that acts as a creditor by deferring payment or offering layaway is covered,” says Tyler Wildman, CEO of Identity Theft Countermeasures Group in Orange Park. “There are very few companies I feel that don’t fall under the Red Flags Rule.”
To comply with the rule, business owners must develop and maintain a program to safeguard sensitive customer information, using these steps:

• Identify the warning signs that thieves might be using a stolen identity in interacting with your business. The FTC calls these “Red Flags” and says they vary by industry. A common example would be a person using some form of identification that looks like it was altered or forged.
• Set up a system to detect Red Flags in your day-to-day business.
• Take steps to prevent and mitigate identity theft, such as monitoring customers’ accounts for signs of identity theft, or changing customer account numbers to prevent misuse. 
• Periodically update your program to address new risks that may arise.
• Administer your program. Among other things, this means you should designate a high-level employee to oversee the program, and you should train your staff in how to spot and deal with identity theft.
• Ensure vendors have policies and procedures to screen their employees to reduce the risk that one of them will steal information from your company.
• There are no criminal penalties for failing to comply with the Red Flags rule, but setting up a plan could provide some protection if you are sued after a thief uses information stolen at your business.