Judith M. Collins - Preventing Identity Theft in Your Business

1. CHAPTER 9: SECURING THE PEOPLE FRONT: THE SECURITY JOB ANALYSIS
2. CHAPTER 16: THE PEOPLE FRONT: SOCIALIZING NEWCOMERS TO THE HONEST COMPANY CULTURE
3. CHAPTER 17: THE PEOPLE FRONT: APPRAISAL AND FEEDBACK FOR PERFORMANCE AND SECURITY
4. CHAPTER 19: THE PROPERTY FRONT: THE E-BUSINESS WEB SITE
5. APPENDIX C: STRUCTURED AND FORMAL BRAINSTORMING: STEP-BY-STEP INSTRUCTIONS
6. APPENDIX D: CAUSE AND EFFECT ANALYSIS: STEP-BY-STEP INSTRUCTIONS
7. APPENDIX I: THE INFORMATION PROCESS: DEFINITION, DESCRIPTION, AND ILLUSTRATION
8. APPENDIX J: THE PARETO ANALYSIS: DEFINITION, DESCRIPTION, AND ILLUSTRATION

Judith M. Collins

This book is printed on acid-free paper.

Copyright 2005 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the Web at .

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data

Collins, Judith M.

Preventing identity theft in your business : how to protect your business, customers, and employees / Judith M. Collins.

p. cm.

Includes index.

ISBN 0-471-69469-X (cloth)

1. Identity theftUnited StatesPrevention. I. Title.

HV6679.C653 2005

658.472dc22

2004022093

To victims of identity theft and employees who help prevent it

More than a faithful colleague and meticulous research assistant, Sandra Hoffman is a valued friend. As associate director, Sandra diligently, skillfully, and solely managed the bustling activities of Identity Theft Crime and Research Lab for three months so that I could write this book. I publicly acknowledge that without Sandra this book would not have been possible. With deep appreciation, I thank you, Sandra.

I also am indebted to my editor at John Wiley & Sons, Tim Burgard. Tim took the time to read my manuscript and recognized its potential importance for businesses. He provided the logistical and organizational support necessary to bring this book to fruition and along the way provided many constructive suggestions for improvements. Moreover, throughout the summer of 2004, Tim routinely and consistently prompted me for the next batch (of chapters). Because of Tim, this book moved from in progress to in production. Thank you, Tim, for the guidance youve given me and also for believing with me that this book can positively impact businesses and people.

With appreciation, I especially thank my son, Michael Collins. Michael read every word of every chapter and offered many recommendations for modifications. I made them all. I now find it difficult to adequately express my deep gratitude to Michael, who unselfishly shared with me considerable time and his intellectual talents in reviewing chapter writes and rewrites. Thank you, son, for your invaluable contributions.

And to Larry Collins, my husband, mentor, and enthusiastic supporter of each next project, thank you for being alongside me throughout these lifes adventures.

All companies that engage in financial transactions are bound by law to establish and enforce information security programs to prevent identity theft. Security standards are required by at least five federal laws, including the Fair Credit Reporting Act, the Federal Trade Commissions Privacy Rule, the Banking Guidelines, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Safeguards Rule. But there are problems. Nowhere do any of these laws describe how to develop, maintain, and enforce an information security program. In effect, the laws fail to stipulate what constitutes an information security program or standards for security.

Granted, the laws do specify information technology (IT) securitythe security of computers and networks. Indeed, the main theme at the September 2004 American Banking Associations Identity Theft Symposium was Technology to the Rescue. Bankers were informed of online products and protections and advised to prevent identity theft by using tools such as encryption, authentication, and software programs that guard against email and other computer fraud. But computers do not steal identities.

Rather, recent studies indicate that at least 50 percent or more of identity thefts are committed inside the workplace by a dishonest few employees who steal the Social Security, credit card, banking, or other numbers from their coworkers and customers. Federal laws fail, however, to cover people within businesses who have access to personal identities and the work processes used to manage and maintain such information.

The federal laws fall short. Computer security alone will not work. To secure company borders from the threat of identity theft requires an inclusive and exhaustive three-fold approach to secure people, processes, and the IT property. And the techniques used to develop, maintain, and enforce such an information security program would use universally established and widely documented methods known to be reliable and valid and that are inexpensive and accessible for all businesses, large and small. Fortunately, such methods exist and so, therefore, do the security solutions.

Preventing Identity Theft in Your Business shows how employee-manager teams can develop a set of Security Standards using step-by-step instructions written in lay language and using methods from industrial and organizational psychology, the management sciences, and the field of criminal justice. The methods are inexpensive, comprehensive, and universally applicable to all businesses regardless of size, type, or geographic location. Within six months or less, employees and their managers can bring any company into compliance with all current as well as any future-enacted laws.