Archived — Tips For Reducing the Risk

Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Business Identity Theft Checklist


Tips for reducing the risk

Assess Your Business

Every organization should manage its own personal information "life cycle." Theft can occur when outsiders gain access to your information, but it can also occur through internal theft. A good security strategy has to address both possibilities.

Devote time to information privacy concerns
Appoint someone, or assume the responsibility yourself, to oversee the management and security of information you collect.
The individual in charge of privacy/security should assess:
  • Your processes for gathering, handling, storing and disposing of electronic and paper data.
  • The protection of your information technology systems, such as firewalls and audit trails.
  • The role and level of security of individuals who have access to personnel and customer information.
  • How to communicate with clients and the public about your policies and what to say in the case of a breach.

Gathering and using personal information usually involves five major aspects for a business:

Collection

Find out what you are collecting and why
Survey all of the personal information that your organization collects during the course of transactions and at other times. Do you gather data on clients? Identify the purpose(s) for which the information is collected, inform customers accordingly and obtain their consent. Ensure that staff can explain the purpose as they are collecting the information.
If you don't need it, don't collect it
Many businesses collect more information than they need, particularly when asking customers to fill out forms. Consider excluding the address, email and phone number if you only need a name. The Social Insurance Number (SIN) is a confidential number that is only required if a customer is earning income (either employment or investment) for tax reporting - it should not be collected otherwise.
Personal information is not for broadcast
Can people standing in line at your office or store overhear others give your staff telephone numbers or account passwords?
Instruct employees who need to collect personal information to talk in a discreet and quiet manner. Turn computer screens so they cannot be viewed by anyone other than the operator.
Protect customer cards
When customers are making purchases, ensure that they have sufficient privacy to securely enter their PINs. Place shields on point-of-service terminals and check the terminals regularly to verify that equipment has not been tampered with. Locate security video cameras so that they cannot record the entry of customer PINs.
Be card smart
Staff should verify that customers are who they say they are by checking signatures on cards, and, as appropriate, photo ID. Consider using equipment that truncates debit/credit card numbers when printing receipts (i.e. does not print the whole card number) to better protect consumers. Don't copy down any card number you don't need.
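The receipt-truncation practice described above can be enforced in software rather than left to the printer's settings. The following is an added example, not code from the original checklist: a small Python routine that masks every digit of a card number except the last four, keeps the spacing or dashes so the receipt still reads naturally, and refuses input that does not look like a card number so a bug can never fall through to printing the full number. The sample card number is a constructed, well-known test value, not a real account.

```python
import re

# Constructed sample card number (a standard test PAN, not a real account).
SAMPLE_PAN = "4111 1111 1111 1111"


def mask_pan(pan: str, visible_tail: int = 4) -> str:
    """Return a receipt-safe form of a payment card number.

    Every digit except the last `visible_tail` is replaced with '*'.
    Spaces and dashes that group the digits are kept. Anything that does
    not look like a card number raises, so a formatting mistake cannot
    silently print the whole number.
    """
    if not re.fullmatch(r"[0-9 -]+", pan):
        raise ValueError("card number may contain only digits, spaces and dashes")
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must have between 12 and 19 digits")

    keep_from = len(digits) - visible_tail  # index of the first digit to keep
    masked = []
    seen = 0
    for ch in pan:
        if ch.isdigit():
            masked.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            masked.append(ch)  # preserve grouping characters
    return "".join(masked)


def receipt_line(pan: str, amount_cents: int, currency: str = "CAD") -> str:
    """Build the card line printed on a customer receipt from the masked PAN."""
    return f"CARD {mask_pan(pan)}  {currency} {amount_cents / 100:.2f}"


if __name__ == "__main__":
    print(receipt_line(SAMPLE_PAN, 4299))
```

Because `receipt_line` can only reach the card number through `mask_pan`, the full number never exists in the string that is sent to the printer.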
Watch for credit changes
If you are issuing credit, watch for discrepancies or recent changes in applicants' addresses. Take extra measures to ensure the identity of the person, for example, by asking for additional identification. If there is a fraud alert on the customer's credit report, credit reporting agencies will provide you with the consumer's confirmed phone number to allow you to verify the validity of the application.
Secure online sales
There are risks associated with online transactions:
  • Viruses can steal data as it is transmitted.
  • "Brand spoofing" can occur when the identities of legitimate organizations are used to create fake Web sites or "spoof" emails, to trick customers into providing their personal and financial information. Using "spoof" emails to commit this kind of fraud is sometimes called "phishing."
Best practices for combating these risks include:
  • Reducing payment fraud by protecting credit card payments with encryption software recommended by experts who know the current technologies and devices. Post your privacy policy, encryption levels and other security features on your Web site.
  • Informing customers as to exactly what information the company will, and will not ask for, on Web sites or via e-mail.
  • Providing customers with information on inquiring about or reporting suspicious e-mails and Web sites.
  • Ensuring that you are listed as the registrant and responsible entity for your corporate Web site, rather than the Web designer.
  • Clearly advertising your valid Web site addresses on all communication.
  • Registering variations of your corporate Web site domain URLs to keep others from using them.
The Canadian Code of Practice for Consumer Protection in Electronic Commerce provides good business practices for merchants conducting commercial activities with consumers online.

Use

Limit Use
Data should be used only for the purposes stated publicly to consumers.
Limit access
Once you have taken an inventory of the data you collect, decide who should have the rights to access it. Limit access to a "need-to-know" basis and require passwords. Only let your system administrator handle back-up and other tasks that touch the company's network. Block access to idle computers with automatic locks or screensavers that require a password from an authorized user.
Encrypt your data
Stand-alone encryption packages can work with individual applications, and good software is available commercially. Should an intruder break through a firewall, network data has a better chance of staying safe if it is encrypted. Encrypt company laptops and devices used from remote locations, such as wireless devices (e.g. BlackBerry devices). Remember to upgrade your encryption applications over time. Check the merchant agreements your company signs with payment card issuers for any encryption requirements. Where possible, avoid using communal computers and generic or group log-on identification numbers.
Passwords are essential
Require that employees use a combination of upper and lower case letters, numbers and symbols. Passwords should be changed regularly (e.g. every 90 days).
Check for suspicious activity online and offline
Almost all firewalls, encryption programs, and password schemes include audit functions that record activities on the network. Check logging data and audit trails for unusual or suspicious activity, e.g. employees accessing data that is not relevant to daily business transactions.
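The audit-trail review described above is easier to do consistently when the "unusual" cases are spelled out as rules. The following is an added example, not code from the original checklist: it reads a constructed access log, compares each access against a hypothetical need-to-know matrix (who may touch which data), and also flags activity outside business hours. The log format, the account names and the role matrix are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed sample audit trail in a simple key=value format (not from the page).
SAMPLE_LOG = """\
2009-03-02T09:15:07 user=alice resource=customer_db action=read
2009-03-02T09:42:31 user=bob resource=payroll action=read
2009-03-02T13:05:12 user=alice resource=payroll action=export
2009-03-02T22:48:55 user=bob resource=customer_db action=export
2009-03-03T10:01:00 user=carol resource=customer_db action=read
2009-03-03T10:07:45 user=dave resource=customer_db action=read
"""

# Hypothetical need-to-know matrix: which data each account is allowed to access.
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "alice": {"customer_db"},              # sales clerk: customer records only
    "bob": {"payroll"},                    # payroll officer
    "carol": {"customer_db", "payroll"},   # system administrator
}

# Accesses outside this window are worth a second look.
BUSINESS_HOURS: Tuple[time, time] = (time(8, 0), time(18, 0))


@dataclass
class Finding:
    timestamp: datetime
    user: str
    resource: str
    reason: str


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, user, resource, action)."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts_text), kv["user"], kv["resource"], kv["action"]


def review_audit_trail(
    log_text: str,
    role_resources: Dict[str, Set[str]] = ROLE_RESOURCES,
    hours: Tuple[time, time] = BUSINESS_HOURS,
) -> List[Finding]:
    """Return one Finding per rule violated by each access in the log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, action = parse_line(line)
        # Unknown accounts get an empty set, so they are always flagged.
        if resource not in role_resources.get(user, set()):
            findings.append(Finding(ts, user, resource,
                                    f"{action} by account with no need-to-know for this data"))
        if not hours[0] <= ts.time() <= hours[1]:
            findings.append(Finding(ts, user, resource,
                                    f"{action} outside business hours"))
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} {f.user:6} {f.resource:12} {f.reason}")
```

On the sample log this reports the sales clerk exporting payroll data, the payroll officer exporting customer records late at night (two findings, one per rule), and an account that is not in the matrix at all; the administrator's in-hours, in-role access produces nothing. The point is that the rules live in one place where the person responsible for privacy can review and update them as roles change.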

Disclosure

Know who you are talking to
Convicted thieves tell authorities how easily they can obtain valuable information just by asking for it. Posing as government officials or credit grantors, thieves concoct believable stories, call businesses and get staff to disclose information that they are otherwise careful to keep in locked file cabinets and password-protected computers.
Authority
If your organization discloses personal information to someone other than the owner, be sure that you have the legal authority to do so. Draft simple, strict policies telling employees how and when to disclose information.
Third parties
Ensure that organizations with whom you share client information (suppliers, contractors, clients, etc.) protect their data, and that you have the proper legal authority (i.e. client consent) to share data with them.
Be open about your policy and practices
Under privacy legislation, you are required to make your policies and practices readily available for anyone who requests them. Tell consumers about the steps your organization takes to protect their information. You can also refer them to the Consumer Identity Theft Kit.

Data Security and Storage

If you keep it, physically secure it.
  • Paper records with personal information should be locked, and computer terminals password-protected.
  • Place your computer server(s) in a secure, controlled location, and keep other devices (e.g. back-up CDs or tape drives) locked away.
  • Physically lock up all laptops to prevent thieves from walking away with one.
  • Keep customers and other non-authorized personnel out of private and secure areas.
  • Instruct employees to save data to network drives where these are available and not to "C:" hard drives, which are much less secure. Should someone steal the hard drive, information stored on network drives remains protected.
  • Do not copy whole databases to devices when a partial list will do.
  • Do not put modems/local area network (LAN) cards in computers that do not need them.
  • Consider an alarm system, preferably one monitored by a security company. Your business insurer may be able to assist you with a security assessment of your operations.
  • Prevent unauthorized photocopying.
Virus Protection
Install anti-virus protection software on all computers, and scan your systems for viruses regularly. Never disable anti-virus software, and update it frequently.
Firewalls
Firewalls should be installed at every point where the computer system touches other networks - including the Internet, a customer's system or a telephone company switch. They protect against unauthorized access to information. Ask your Internet Service Provider about other filters that can be used.
Install security "patches"
Most software manufacturers release updates and patches to their software to fix bugs that can allow would-be attackers to gain access to your computer. Check with the manufacturer for new patches, or enable automated patching features.

Disposal

Know which documents to shred
When obtaining information (paper or electronic) for a single transaction or temporary use, separate it from other files and safely destroy it. For example, resumes from applicants not hired contain many details that should be shredded. ID thieves know there's valuable information in paper bins and dumpsters. Ensure employees know which material is sensitive and needs to be shredded. Companies can be hired to shred disposed paper, or office shredders can be purchased inexpensively. "Cross-cut" shredders do the best job.
Destroying Data
Establish a timetable for retention of data based on legal, contractual or any redress requirements. Destroy data accordingly, erase files, remove copies from all databases and network directories, and be sure they are permanently deleted with "scrubbing" software (scrubbing minimizes the risk that residual data is left in the system). When disposing of equipment, it may be best to physically destroy the hard drive, CDs, tapes, diskettes, etc. or hire a company that specializes in destroying this type of equipment.
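The "scrubbing" step mentioned above means overwriting a file's contents before it is deleted, rather than just removing the directory entry. The following is an added example, not code from the original checklist or from any scrubbing product: it overwrites a file with random bytes several times, truncates it, renames it to a random name so the original file name does not survive, and then deletes it. The sample record is constructed. Note the limitation the checklist itself points to: on solid-state drives, journaling or copy-on-write file systems, and wherever backups or snapshots exist, in-place overwriting does not reliably destroy the data, which is why physically destroying retired media remains the safer choice.

```python
import os
import secrets
import tempfile
from typing import Tuple

# Constructed sample record to be destroyed (not real data).
SAMPLE_RECORD = b"name=J. Example; sin=000-000-000; card=****1111\n"


def scrub_and_delete(path: str, passes: int = 3, chunk_size: int = 64 * 1024) -> int:
    """Overwrite a file in place with random bytes, then remove it.

    Returns the number of bytes overwritten per pass. Only effective on media
    and file systems that write back to the same blocks (see lead-in).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push each pass to the device, not just the cache
        fh.seek(0)
        fh.truncate(0)  # leave nothing readable even if the unlink is delayed
    # Rename to a random name so the original name does not linger in the directory.
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)
    return size


def demo_scrub() -> Tuple[int, bool]:
    """Write the sample record to a temp file, scrub it, report (bytes, still_exists)."""
    fd, path = tempfile.mkstemp(prefix="retired-record-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    scrubbed = scrub_and_delete(path)
    return scrubbed, os.path.exists(path)


if __name__ == "__main__":
    print(demo_scrub())
```

Run the same routine from the retention schedule that decides when a record has expired, so destruction happens on the timetable rather than when someone remembers.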

Employees and Information Security

Screen employees
To protect your business against internal fraud, consider background checks for employees who have access to sensitive information. There are companies that can complete these checks (including criminal background, references and education credentials) on your behalf. Consider conducting regular clearance checks for employees in high-risk areas (e.g. with employees' annual performance review) to ensure staff remain free of criminal records.
Train employees
Ensure staff understand privacy information policies and how to ask customers for personal information. Post the following requirements as a checklist recommending that everyone:
  • Log on to computers using alphanumeric passwords, and change them regularly.
  • Don't ask for customers' personal data in front of others, and ensure they have privacy when entering PINs.
  • Check signatures and verify that customers are who they say they are.
  • If there has been tampering with terminals or databases, inform management.
  • Keep customer information under lock and key.
  • Shred all confidential waste, including payment card information and photocopies of ID documents.
  • Clean desk tops every night.
  • Only access databases when authorized.
  • Lock systems when not in use.
Monitor threats
Have your information officer or a key employee track potential security threats and technology updates and report these to employees and managers as needed.
Fraudulent document training
Train employees how to detect fraudulent identity documents.
Network access
Only give access to networks to employees on a need-to-know basis. When an employee leaves, remove their network access immediately.

Evolve Your Practices

Over time, the information your business collects will change. So will your computer technology, databases and personnel. Ensure that you consider how any changes in your operations will affect your management of personal information.

* Sidebar stories in this document are based on actual breaches, but all names, places and other details depicted are fictitious.

Identity Theft

  • Recognize it.
  • Report it.
  • Stop it.
