The Privacy Commissioner of Canada and the New York Consumer Protection Board have both issued privacy guides for businesses.
The New York Consumer Protection Board’s “Business Privacy Guide” (pdf) explains “how to handle personal identifiable information and limit the prospects of identity theft.” The guide notes that, “After California, New York leads the nation in the number of data breach incidents each year. And, New York is 6th per-capita in identity theft complaints.” The guide also explains how identity theft affects businesses’ bottom lines.
In 2007, identity theft alone cost businesses over 40 billion. The average data breach today will cost your business $192 per-incident. According to a Ponemon Institute study, almost 33% of customers surveyed stated that they would cut ties with a company that had a data breach. It is not only good business sense for your organization to safeguard personal information, but it should be a core value to promote and retain business. A business plan might not stop data breach and identity theft, but good privacy practice will help to limit its adverse effects and to protect your business from potential liability.
The board also released the “Identity Theft Red Flag Rules Business Alert” (pdf), “a fact sheet for business covering promulgated rules to safeguard data and help banks and financial institutions protect customers against identity theft.” What are red flag rules?
The red flag rules require any financial institution or creditor with “covered accounts” or other accounts for which there is a reasonably foreseeable risk of identity theft, to formulate and implement an identity theft program. Each institution’s program must include policies and procedures for detecting, preventing and mitigating identity theft. Further, the program must set forth a list of red flag activities that signal possible identity theft, and a response plan for when a flag is raised.
New York has been tackling the identity theft issue in several ways this year. In July, New York passed legislation to strengthen protections against identity theft and legislation making it a crime to impersonate someone on the Internet.
The Privacy Commissioner of Canada has released “Privacy and Your Business: Privacy Breach Handbook.” The guide explains what a data breach is and then details why affected individuals should be notified and what to do after a breach (containment, risk assessment, etc.). The guide also sets out 10 privacy principles. “These principles define fundamental privacy rights for individuals and obligations for business. The best way to prevent a privacy breach is to adopt these principles and implement fair information practices into your everyday business.” The principles track the Fair Information Practices and OECD Guidelines in urging openness, data minimization, accuracy, and accountability.