Prevent ID Theft! Business Compliance is the Law.

8,000 Patients at Risk of Identity Theft

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Sun, 23 Sep 2007 13:06:00 +0000

A temp worker of Texas Health Resources, based in Arlington, Texas steals the identity of 8,000 patients. The temp had been working in the THR Dallas business office since May 2007. Over the past 5 months, this worker was pilfering patient identities. On September 5, THR's compliance hotline was notified of a patient's unauthorized use of their credit card. As a result of further investigation, Garland police arrested the alleged identity thief, identified as Kristina Renee Garcia, 31, of Garland. Garcia has been charged with two counts of credit card abuse, one count of forgery and one count of fraudulent use/possession of identifying information, according to police.

THR should be commended for their quick action in this case. Within 24 hours, police were notified of the breach and Garcia was escorted from the THR facility and placed under arrest. In addition, all patients which may have been effected were sent notices.

Elaine Anderson, senior vice president and chief compliance officer for THR, stated, "At this time, we do believe that this is an isolated incident," she added. "We are reviewing everything. If we find opportunities to strengthen our processes we will obviously do so. We believe we have strong processes in place. We take the safeguarding of our patient information as one of our highest priorities."

Texas Health Resources is a non-profit health care company. Its system includes 13 affiliated hospitals including Harris Methodist Hospitals, Arlington Memorial Hospital and Presbyterian Healthcare System.

Identity Theft Is a Major Life Event and Legal Resources are a Daily Need

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Tue, 18 Sep 2007 03:19:00 +0000

Let’s face it, if anyone in this country faces a major medical emergency and they go to an emergency room, they will get the help they need – even without health insurance. However, if anyone in this country has their identity stolen – driver’s license, social security number, medical insurance information, or character – this major life event is not something that can be “passed on” to other taxpayer’s for resolve. Identity theft protection, like auto insurance, is not something employees can live without. A preventative solution not only provides economic value to the employee, but most importantly, it provides an affordable way to obtain a service that would otherwise be too expensive at the individual rate. Hence, good business practices which incorporate benefits that cost businesses absolutely nothing to provide, but create tremendous value for the employee, help attract and retain quality employees. In addition, these services may help prevent companies from defensive losses by way of notice and acknowledgment of a breach, if several employees are notified in real-time of an attempted attack on their identities, helping to discover where the breach originated and proactively closing the gap on the loophole.

In a country where our children are taught to recite and believe in a mantra that ends in, “liberty and justice for all”, it’s a shame that as adults, 90% of us cannot afford to retain a lawyer, making it almost impossible for employees to feel like they deserve justice in their everyday lives – having a will, resolving a debt that isn’t theirs, signing contracts, being bullied by landlords, debt collectors, merchants, and the list goes on. Access to legal services empowers employees to make better, smarter decisions, thereby making better, smarter workers.

For companies, it’s cost-effective, lowers the overall liability of the business, and dramatically reduces non-productivity when employees don’t need to take off of work for identity theft/legal related issues. So remember, life matters – value your employees.

OOPS, They Did It Again! Third Breach for Pfizer, Inc.

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Fri, 07 Sep 2007 13:19:00 +0000

Perhaps the pharmaceutical giant’s single-minded goal - your health - would explain why they’ve had three security breaches in the past three months and unfortunately this is becoming all too common for companies.

This isn’t to say that Pfizer isn’t cooperating with authorities, but like so many other companies, they’re just too busy with the work at hand; they don’t prioritize their time to ensuring there are processes in place to protecting and securing what they’ve worked so hard to build. First and foremost, training of employees, particularly sales reps, who are constantly on the road and most susceptible to the loss of data, need to know how to handle the data they obtain and have access to.

Connecticut’s Attorney General, Richard Blumenthal, made this statement in a phone interview with one of the state’s newspapers, The Day:

"This is part of a pattern that is unacceptable and which the company should find intolerable," Blumenthal said in a phone interview Tuesday. "We are alerting criminal authorities, specifically the U.S. Attorney's Office, as to the possibilities of criminal wrongdoing."

This latest breach has exposed 34,000 to possible identity theft and the previous breach exposed 17,000 current and former employees, as well as, healthcare workers and other individuals when confidential information was “wrongfully removed…from a Pfizer computer system”.

It wasn’t until this latest breach, which appears to be an apparent and intentional abuse by a now former employee, that a Pfizer spokesperson said that the company has now turned its focus to protecting the security of employees' personal information and that various policies and procedures are currently under review. Although it’s unknown, at this time, whether this potential for criminal activity has affected anyone who’s personal information was stolen, the company has voluntarily provided an identity theft solution for those involved in hopes of avoiding federal charges.

Indentity Theft Through County Public Records

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Sun, 26 Aug 2007 15:59:00 +0000

Though I would agree that sometimes access to county public records helps to locate vital information, such as the name and address of a landlord, for which a property manager may refuse to provide, but is this access an open market to identity thieves?

I recently did some research to see what kind of personal data I could get from a search on the Bexar County Clerk's website, as a result of a news story that aired in Illinois about a man who is convinced that his identity was stolen based on personal data that was posted to his county clerk's website. As it turned out, I was able to get names, addresses, date of births, digital signatures, marriage certificates, employer IDs, and Social Security numbers just by putting in a date range and specific documents to review. Examples of documents that are scanned and posted are Land Records, Assumed Names, UCC Records, Marriage Licenses, and Foreclosure Notices. What I found most appalling was the release of social security numbers for those individuals who owed back child support. In addition, it seems ironic that there are state and federal laws that are supposed to protect us from having such personal data accessible by the public and yet most cities have government websites where this information is publicly attainable. However, you do have the right to require them to remove social security numbers and driver’s license numbers from any document where the original document includes this information. Unfortunately, in this day and age, that might not be enough.

Attention: CPAs and Attorneys

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Sat, 25 Aug 2007 00:57:00 +0000

I don't know if it's called "pass the buck", but many of the company's I speak with think YOU are the ones responsible, hence assuming liability, for ensuring business compliance regarding identity theft for their companies. We'd like the opportunity to remove that assumption from your commercial clients thoughts by putting that responsibility on our company. We have the ability to help you save time, money, and assure your commercial clients are protected and compliant. We know how busy you are multitasking your client's needs. In return, your clients will save money and will lower their company's liability by using our no cost service. Your referral will not only help your client but it'll remove the assumption that you are the liable party for their compliance issues. We work with many CPAs and Attorneys and know that this is a win/win for all parties, especially when introduced to our products and services. You may view our profile on MerchantCirle.com, join our network of business partners, find new clients, contact us to set up an appointment, or leave a message.

We look forward to working with you!

This has been a PSA post brought to you by:

Attention: Parents, Partners and Spouses!

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Sat, 18 Aug 2007 16:37:00 +0000

They don’t care about your age, gender or necessarily if you have money in the bank, the violation caused by identity theft can wreak havoc on your entire family. Good Housekeeping’s Amy Engeler shares the stories of two families who have experienced identity theft at a whole new level.

The ID Theft You Haven't Heard of...Yet

They're not just going on shopping sprees anymore. Now thieves are using our personal info (or your child's) to get a job, buy a house, and have major surgery — which wrecks not just your bank account but also your medical records.

Do You Treat Your Employees As An Asset to Your Business?

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Sat, 18 Aug 2007 15:43:00 +0000

It’s a perfunctory question in this day and age of Enrons and businesses looking to cut costs from their bottom lines. I am of an age where I remember companies used to treat their loyal employees with respect and had sincere concern for their welfare. Employment contracts used to exist where today most states take the At Will approach. Nowadays, the average stay with an employer is 5 years. I remember when employees worked for companies for 20, 30, even 40 years and then were able to retire because their company believed they earned their right to do so for their efforts, where as today, loyalty doesn’t exist. Companies offer minimum wage or below average earnings and take no interest if their employee’s are unable to afford healthcare, insurance, or even a lawyer. I know that many small businesses survive because there is a more personable relationship with their employees and a greater concern for their wellbeing. However, with small businesses, I’m concerned that there is a greater risk for liability among their employees. An assumption of common sense, following of policies and procedures, and law practices are befallen by employers who lack the budget for proper training and education of their staff. State and federal laws protect some employees with regard to these points of action, but the greater concern is the personal consequences these employees may face because their employer is not truly apprehensive as to their practices. As an example, which I used in my last posting, if you hire based on a background check and/or credit check, your practices are only subjugated toward the worthiness of an individual from a personal standpoint. If, however, your practices also issued social security verification, you are proactively taking measures to protecting your company and employees from illegal immigration, terrorism, and identity theft. When statistics show that 70% of all identity theft happens in the workplace, it proves that there are two dynamics happening in this country, 1) employees are unable to afford the basic necessities to survive and, 2) there is a significant rise in illegal employment.

If from reading this, you still choose not to incorporate social security verification into your policies, do you believe you treat your employees as an asset to your business? Before you answer, let me put it another way. If as a result of not incorporating social security verification into your processes, one or more employees had their identity stolen, do you believe they would be able to afford restoring their identity, short of suing the company? If the average employee makes $35,000 or less, a lawyer costs $200-300 an hour, with a significant retainer up front, and the employee has to spend an average of 600 hours and $1600 trying to restore their name and/or financial records, are they treated as an asset?

I’m certainly not saying that social security verification is the only safeguard that companies need to have in place, but I am saying that safeguards need to have serious consideration even if not mandated by law, in order to protect not just your bottom line but your employees’.

Other options to consider are identity theft monitoring/restoration and pre-paid legal benefits, as a payroll deduction, which actually lowers your company’s liability if a security breach were to happen and shows the employee that you value their service and understand their vulnerabilities.

Social Security Numbers Fraud on the Rise

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Fri, 10 Aug 2007 18:34:00 +0000

Identity theft and illegal immigrant workers are becoming an increasing trend in the war against fraud. As these illegal aliens become more desperate to obtain citizenship, knowing the risks of immigration reform are on the way, these folks are willing to do whatever it takes to “appear” as American citizens.

Houston is the leading city for Social Security numbers theft in the U.S. These illegals learn quickly that if they obtain a Social Security number, they can easily obtain other personal information in order to get a drivers license, a checking account, loans, medical insurance, etc. at the expense of someone else’s identity.

Late last year in December, as part of a massive raid on Swift & Company, a meat plant in Cactus, Texas, about an hour outside Amarillo, 1,282 natives of Mexico and Guatemala were arrested for allegedly working in this country illegally. The raid, which also took place at Swift’s headquarters in Greeley, CO and 4 other states, resulted in 219 employees facing state and federal charges. The Social Security numbers that these Union employees were using actually belonged to American citizens who had no direct relationship to Swift’s plant. This was one of the largest raids regarding immigrants since Congress began discussions of Immigration Reform.

The dynamics of this raid involved at least 5 government agencies. Not only was theft and fraud involved, but many of these illegal immigrants had children who were born in this country and therefore citizens. So, children placed in the foster care system were a huge issue. Then you have the fact that these illegals were unable to work while their cases were under investigation. Then, of course, you have the costs of deportation.

In addition to the estimated $30 million it will cost Swift & Company to replace lost workers, they are facing federal charges for non-compliance and certainly could have reduced the effects of the raid, which created such controversy, had they used a Social Security number verification service to ensure that these Spanish speaking folks were working in this country legally.

The bottom line is that Congress has been working toward a solution on this issue as empathetically as possible, considering the long and timely neglect of securing our borders and American companies neglecting their ethical obligations to ensure they hire persons who have a right to work here. It’s not going to be an easy resolution by any means. The Immigration Reform Act of 2007 will continue to require evaluation and modification. Congress is currently discussing whether Social Security numbers should no longer be a requirement for use on the internet, on checks, and other areas of vulnerability.

Businesses should take heed now. Employers should proactively pursue using a Social Security number verification service in addition to any other background checks they perform during the hiring process, especially in the fields of manual labor where hiring of illegal aliens may be susceptible. The law is coming - be prepared now.

Dumpster Diving for Punishable Intent

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Sun, 05 Aug 2007 20:17:00 +0000

Instead of dumpster diving for malicious intent, Texas' most famous dumpster diver, AG Greg Abbott, is diving for punishable intent. The Attorney General’s latest undercover rampage has been posed on Lifetime Fitness. Out of the 11 Minnesota-based health spas located in Texas, Plano, Allen, Flower Mound, Colleyville, Dallas and Garland were all allegedly involved in disposing of personal information in dumpsters outside each of their gyms. This is just the lastest of a dozen or so businesses which have been sued for mishandling non-public information. Lifetime Fitness faces charges of $25,000 per violation of the Deceptive Trade Practices-Consumer Protection Act (DTPA) for repeatly negating training of their employees on the proper procedures for handling consumer information. In addition, Lifetime Fitness faces federal charges of up to $50,000 per violation of the President’s Identity Theft Enforcement and Protection Act.

Consumers of these locations are urged to monitor their bank accounts closely, however, other personal records may also be at risk, such as DMV records. You may also want to file a complaint with the Texas Attorney General’s office at (800) 252-8011 or do so online. For other alternative measures, you may also contact me at the email address above.

Local T.V News Investigators Bust School for Breaking the Law

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Wed, 01 Aug 2007 07:46:00 +0000

It’s a very sad story, but it may not be over just yet. San Antonio’s KSAT 12 Defenders went to an auction and bought 100 computers that had belonged to several campuses within SAISD. One of the computers contained personal information, such as a teacher’s address and phone number. These computers never had a process for disposal in place and indirectly exposed the information to potential thieves. The question is - will Texas government charge SAISD with breaking the law by not having a compliance policy in place, at each offending campus. Though they could be charged by the State for not complying with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), they probably won’t be charged for a federal crime. However, Texas is a test state for charging the most serious offenders. So, by next year, if your organization is involved in a security breach, your company may just find themselves in Federal court.

Though the detail of the information that was found was not disclosed, it may open SAISD for civil liabilities by the individuals whose information was at risk. And if this information fell into the hands of identity thieves, which results in a victim of ID theft, the lives of those individuals may be devastated.

The Spokesperson for SAISD, Carmen Vasquez-Gonzalez, said, "it should have never happened". But it did. And it won't be until tonight when SAISD discusses this matter at their board meeting. The agenda is to discuss using a vender to destroy all computers before disposal, in the future.

The San Antonio Police Department report that identity theft is up 10%, from last year.

Compliance: Can We Be Honest Here?

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Sat, 28 Jul 2007 13:49:00 +0000

In talking with businesses every day, attempting to educate them on the risks of ID theft and the vulnerabilities their businesses face, I hear how overwhelmed they are, with an urgency to get off the phone. I often hear one of two responses:

“We have our policies in place and don’t need further assistance.”
OR
“We’re not interested.”

So, let’s be honest here. “If your business has a good set of policies and procedures, and operates in an ethical and efficient manner… sorry, that’s not good enough”, writes Alan Zeichick of InfoWorld, in a 2005 compliance guide, in response to the preparation for new regulatory laws about securing data and non-public information. Here we are in 2007, and the lack of urgency about needing to understand these federal laws is past due. Many company contacts often convey to me that those issues fall on someone else’s head, i.e. our IT department, our lawyers, our PEO, but if we’re being honest, the law requires your company to have a Security Compliance Officer - a single individual who enforces your companies policies, in addition to, ensuring that all departments understand how to comply with those policies. So, when I hear the above responses, and they don’t identify having a Security Compliance Officer that handles their training, education, and plan of action, I know that these companies are not conforming to the current laws and these are the businesses that need my help the most.

If companies continue to take the, “a security breach won’t ever happen to us” attitude, the costs to their bottom line may just put them out of business. Fines, penalties, civil damages, and liabilities are increasing in every state. Although this may seem unfair, if we’re being honest, the reasons these actions are taking place is because state and federal funds are required to pursue the criminals of reported breaches and are rarely caught, so someone’s bottom line must pay the price.

Your company’s compliance issues aren’t a particularly difficult proposition, but they certainly must be a priority.

Identity Theft Enforcement and Restitution Act of 2007

noreply@blogger.com (A. Van Gogh, Licensed Associate) — Fri, 20 Jul 2007 14:27:00 +0000

The federal government is proposing an additional resolution to combat identity theft in both private and public sectors. Today, the Department of Justice handed over to Congress their proposed legislation for a revised "Identity Theft Enforcement and Restitution Act of 2007". This plan, adding to the arsenal of already tough laws in place to combat the increasingly expensive white collar crime, was a recommendation from the contents of the President’s Task Force on Identity Theft, released in April 2007.

In addition to helping victims recover more quickly from the significant time and cost involved in restoring their identity, The Department of Justice states, “The new legislation would also close gaps in the current identity theft, and aggravated identity theft statutes. Both of these statutes are limited to stealing the identity of an individual, and do not specifically address the misuses of identification of a corporation or organization.”

As thieves become more sophisticated and technology driven businesses become increasingly more vulnerable to attack, these laws may prove more costly for small and medium-sized businesses then for the consumer. Though most companies are aware of the compliance issues they face, many companies are willing to risk the relative costs, averaging $160,000, to comply with the now two-year-old laws currently in effect. If the “Identity Theft Enforcement and Restitution Act of 2007” doesn’t encourage businesses to act now, they might just be facing stronger penalties if caught. Although, it may not be a matter of if, but when!

Texas Attorney General Greg Abbott, at the forefront of the identity theft pandemic, stated, “The Office of the Attorney General will take all necessary steps to ensure that consumers are protected from identity thieves.” These steps proved punishment for RadioShack, on April 2, 2007, for violating FACTA laws, “requiring businesses to protect any consumer records that contain sensitive information.” The charges were penalties of up to $50,000 per violation and may face additional civil penalties. Fines for companies who are either caught for non-compliance or have suffered a security breach, could shell out hundred of thousands more dollars and possible imprisonment.

Attorney General Abbott’s crack down on non-compliant companies, has proved steep for the bottom line of many companies in recent months; On Track Modeling, a North Carolina-based talent agency, Easy Pawn, and Jones Beauty College in Dallas.