AllBusiness.com’s Paul Kilduff discusses ID theft prevention with Certified ID Theft Risk Management Specialist Joanna Medin.

Paul Kilduff: You’re listening to the AllBusiness podcast. I’m Paul Kilduff. If you’re getting this through iTunes, an RSS feed, or online streaming-media player, you can hear interviews with other experts at Allbusiness.com.

Kilduff: We are joined today by Joanna Medin, a certified identity theft risk management specialist. Joanna works with Pre-Paid Legal Services. They set up subscription legal plans that protect companies from among other things, ID theft liability issues. Joanna, ID theft is a hot topic these days. One out of eight Americans were affected by it in 2007. What are business owners’ responsibilities when it comes to protecting credit card and social security numbers and other sensitive information?

Joanna Medin: Businesses need to be aware of their responsibility to protect consumer information. In other words, when a consumer comes in and uses their credit card, when a consumer provides their social security number if they’re opening a new account, it is their responsibility to protect that data.

Kilduff: And how do they go about doing this?

Medin: Well, the best ways they can do it is to train and educate their employees on the responsibilities. For example, if someone takes a credit card in a restaurant or someone takes a credit card in a retail store, that credit card should be in their hand the entire time they’re using it. When it’s handed back to them, perhaps taking their thumb and putting it over a few of those numbers before they give it back to the consumer. After they process that information, making sure that that credit card slip is stored in a safe location. So employee education is huge in elevating awareness and helping to protect both your business as a small business owner and your consumers.

Kilduff: Can you give me some examples of ID thefts from companies and how the companies responded, what they did?

Medin: Sure. A moving company in Florida, personal files with tax information were found in a dumpster in the back of their building. How did it get there? Pure carelessness. Employee said, “Okay, here are some boxes. We need to get rid of it; I’ll just throw out the information.” It was not shredded. It was not noted as personal information therefore it was disposed by randomly. Another example, and this was an unfortunate event that happened in the month of May. Lunardi’s Supermarket in Los Gatos, California. A credit card reader in a checkout aisle was switched. Definitely an inside job. Now, about 1200 people, I believe, were affected by that event. Was Lunardi’s aware it happened? Absolutely not. But that information is now out there so what can a retail store or a business owner do in the event that that information goes out to the public? The first thing they need to do, there’s probably about 14 states that require businesses to send letters to individuals where there has been a breach, where their name has gotten out in a potential identity theft. The letters go out and they are now made aware that there has been an issue within their place of business. So what does that mean? Twenty percent of those consumers are going to stop doing business with that shop, about 5% are going to go to their attorneys and say, “How am I going to...what I am going to do about this? Is there a responsibility? Do I file a lawsuit?” And about 40% are going to consider not doing business with that store anymore. Elevating the awareness of employees, I will continue to emphasize that throughout the broadcast.

Kilduff: And how do you do that? I mean, do employees just not necessarily take these issues seriously? How do you educate them?

Medin: There are a couple of ways to do it. One, there’s a new piece of legislation called the red flag rule. And the red flag rule went into effect in January with mandatory compliance for business owners of all sizes by November of 2008 and what it says is that any business that provides credit or allows payments or transactions by consumers has to establish reasonable procedures to deter and detect identity theft. So what does that mean in a nutshell? It means that they’re responsible for putting a plan in place so that their employees can see this is what our responsibilities are; this is how you protect consumer data. Is it an end-all, solve-all? Absolutely not. Is the FTC going to come knocking on your door and say, “Hey, do you have a plan in place?” They’re not. But liability follows the data so if it’s traced back that something got out from your place of business, the fines can range anywhere from 25 hundred up to a million dollars. So, it is really critical that businesses are aware of this new legislation and take action on it. So how do they do that? One way is to bring someone like me in who does the training and can talk to the employees about the different types of identity theft. Identity theft is about more than credit cards. There are actually five common areas of identity theft and I can educate employees on those areas and then talk to them about measures that they can put in place in the workplace so that they have less liability and their employer is more protected.

Kilduff: What are some of these measures like; don’t take the laptop with everybody’s personal information, all your customers’ personal information, social security numbers, credit card numbers home with you? Would that be one thing that you would suggest?

Medin: I’m not sure that’s realistic. People work at home. People work 80 hours a week and typically they’re not in the office those 80 hours a week; however, they can when they do take the laptops out of the office, make sure it is in their possession at all time, make sure the sensitive information perhaps not all of that information needs to come home with them. Maybe just the file that they’re working on and not the social security numbers, health information, addresses of all the customers and all the employees are not residing on that laptop. So take what you need and take a piece of the pie, not the whole pie.

Kilduff: Some of this stuff seems pretty obvious though because like in the examples that we’re aware of, there are social security numbers, credit card numbers that have been thrown into the dumpster behind a store, for instance and not shredded. I mean, who’s doing that? I mean, in this day and age that they’re not aware that they need to be up on that one?

Medin: It’s not intentional. I think that small business owners are very overloaded with so many different areas they need to focus on. It’s that extra step of someone coming in and saying, “Hey, these are things you need to do. When a customer comes in and applies for an account and they’re entering all their personal information, what are you doing with that piece of paper? Do you need to keep that piece of paper or now that it’s in your database, can you shred that piece of paper?” And it’s just training them to change their thought process a little bit. Another area that business owners need to be more aware of is we protect our social security number. We see that all the time. Their tax ID number is as important as their social security number. So if you want to protect your business, you have to also protect that tax ID number. If not, what can happen? Someone takes that, creates a purchase order, orders $50,000 worth of supplies on your tax ID with your address because it’s been readily available. So it’s raising awareness to things that are obvious but we all need to be conscious of on a daily basis.

Kilduff: Getting back to the retail setting for customers, should businesses encourage customers to use a debit card or a credit card? I hear it both that one is safer than the other. Is there a rule of thumb on that?

Medin: Well, when you’re using a credit card, you’re not putting in your pin numbers so there is less chance of someone looking over your shoulder. However, once it’s in a database, if the database is going to get hacked into, it’s going to get hacked into. All of our personal information resides on databases. So it’s how we protect that information when it gets input, where are those laptops going, where are those disks going, have computer security expert available to you that can help you encrypt that information and give yourself another layer of protection from that perspective. But more so, on a day-to-day basis, again it’s what’s going on in your shop, whether you have a retail outlet or you’re a business owner with employees whose papers are all over their desks with employee information and with customer information. It’s the same issue. It’s how do I protect that data?

Kilduff: So literally, you gave the example to me earlier of walking into a bank and one of the employees had sensitive information just sitting on a desk and you had to go in and tell the president of the bank to shape up. What happened there?

Medin: I walked by and there’s a tax return sitting on a desk that actually a customer had walked by and put on a desk but not mentioned it to someone. So my walking by and seeing it could have been anyone. Just say, “Hey, they are social security information, income information, address information.” I had a client who, it takes a driver’s license to open a bank account, and someone gotten his personal information, gone to Florida, opened up a bank account and wire transfer $120,000 out of his line of credit account. So the information’s out there but it’s up to us to watch it on a daily basis. One of the other things that business owners need to be aware of is when you have employees, by having a plan in place it can become an early warning system that there maybe something going on in your shop. For example, I have a small business owner, 15 employees and they have an identity theft plan in place for their company. Over the course of a weekend, when they came in on Monday morning, three of those fifteen employees had gotten notification that there had been activity on their credit account. By that happening, they were able to sit down and go, “Okay, that’s very unusual for three out of fifteen people to have activity. Where could the common link be?” When they traced that back, it was a former employee who had that information and had taken that and tried to open bank accounts with their information. So by having a plan in place, it can help them mitigate those damages.

Kilduff: And when you say plan in place with the rogue in play, what does that mean? Screening and bringing the FBI, what are we talking about?

Medin: No, an identity theft protection plan in place and very important for business owners to understand the differences there too because there is credit monitoring which is going to help their employees. When an employee has an identity theft issue, it doesn’t just affect them. It affects everyone around them and it affects absenteeism and productivity in the workplace as well. Because when you’re talking by that coffeemaker, everyone gets involved. So productivity in the office goes down. When you have to deal with the driver’s license bureau, banks, county offices, they’re open between 9 and 5. Those are business hours. You want employees to be on the job and working during those hours and not necessarily dealing with those agencies. Having the right type of plan in place can create a situation where you have experts working on rectifying that situation instead of your employee on the phone trying to do it themselves.

Kilduff: But are most of the issues that we’re dealing as far as ID theft, are they inside jobs primarily?

Medin: Not necessarily. I mean a lot, again I walk by another store and out by their dumpster was a set of checks. So I walked by and picked up the checks, I walked into the business and I said, “Hey, these are by your dumpster. You know, these are old checks. They should have been destroyed in a more protective manner. You should have shredded these.” I handed them to the employee and they went, “Oh!” I mean, it wasn’t even a long conversation. It went right over his head as to, “Well, not my check. Not my money.” So employees need to buy into their responsibility to help protect the business owners. They’re front people, the people that are dealing with the public on a daily basis are usually those employees.

Kilduff: So the last word on this, should you get a cross-cut shredder or just the old regular strip shredder? Does it make a difference?

Medin: Cross-cut shredder.

Kilduff: Definitely.

Medin: Definitely cross-cut shredder.

Kilduff: Okay, is there anything better than that? I mean, do they fine tune it beyond that or is that state of the art?

Medin: That’s pretty standard.

Kilduff: Cross cut, okay, all right. Well, let’s say you’re your company is the victim of ID theft. What do you do? What kind of attorney do you call?

Medin: That’s a good question and the problem with that and law enforcement actually is quite frustrated because this is not a local crime. Usually when it happens, it starts out in your business and it ends up at another part of the country or another part of the world. So it’s really important to work with a company where you have national access to attorneys, where it can be managed by one location versus if you have an identity theft in California and they end up using that information in a store or to purchase a home in Maryland, you’re stuck. You need to be able to have access to an attorney in Maryland but you want one company to be able to manage the process. And that’s actually why as an independent identity theft expert, I associated with Pre-Paid Legal and Kroll because they have national investigative and legal service access.

Kilduff: And Kroll is again, we didn’t mention Kroll at the beginning but Kroll is?

Medin: Kroll is the partnership company with Pre-Paid Legal. I came to Pre-Paid Legal a few years ago because they have the investigative network, worldwide actually, they’re another 30-year-old public company with the largest risk management consulting firms in the world and they partner with Pre-Paid.

Kilduff: And so for a pretty nominal fee, depending on the size of your company, you can have these subscription legal services. What are the fees? What are the ranges?

Medin: The range for employees runs between $12.95 a month and $26 including legal and identity theft protection and restoration. And again, restoration is key here. Resolution services are the most typical out on the market right now. That’s what most of the banks do, credit monitoring. Well what resolution means is someone is going to call you and say, “I’m going to hold your hand through this whole process and I’m going to tell you how to fix it.” Restoration is when someone takes that process over for you and Kroll, because they have licensed investigators and they’ve been around so long, are the experts in that field and they can provide, they can take over about 90% of that process.

Kilduff: And so, if you hired a lawyer in a state that you’re not even in or if it was a local, it doesn’t matter, I mean you would be looking at 300 bucks an hour possibly?

Medin: You would versus $12 to $26 a month for legal service access, not just on identity theft but across the board.

Kilduff: And is that just for the employees or for the company as a whole?

Medin: For the company, there are plans available for legal service protection as a company that range from $75 to $125 a month. The identity theft portion has to be on an individual basis. So that runs anywhere from $12 to $26 a month.

Kilduff: Wow! That sounds like…

Medin: Per family.

Kilduff: Well, it sounds like a prudent way to deal with issue. Joanna, I want to thank you for joining us. You’ve been listening an AllBusiness podcast with certified identity theft risk management specialist, Joanna Medin. Send your feedback on this show and suggestions for topics and guests to podcasts@allbusiness.com. I’m Paul Kilduff, thanks for listening.