Hand Over The Console: The Fake PS3 Theft And Other Crimes

When the new PlayStation 3 came out, people were doing anything they could to get a unit for themselves. They camped out all night, pre-ordered, hunted for deals online, absolutely anything. They would stop at nothing to lay their hands on a PS3, and some resorted to illegal means.

Take the case of two 19-year-old employees at a GameStop in Elk Grove, a suburb of Sacramento, California. They grabbed four machines and then told management that armed robbers had burst in and taken them. Of course they were caught, and now they face serious charges: embezzlement, burglary, conspiracy and filing a false police report. Those turned out to be very expensive gaming consoles.

Here’s how it went down. The day before the PS3 was to be released, the GameStop employees called the police, saying that they had been held up at gunpoint and that the robbers had taken the four coveted consoles. The police would not divulge details, but someone tipped them off that the robbery was a conspiracy of some sort, and there was physical evidence that did not fit the employees’ story, suggesting they had not planned things out as well as they should have.

At first, the police suspected the two knew the masked gunmen. Then they worked out that there had never been any masked gunmen at all, and that the two had simply taken the machines themselves. They were arrested within a few days, but that did not stop game stores across the metro area and beyond from hiring extra security to keep an eye on things.

What happened to the machines? Nobody knows, and probably nobody ever will; they may well have been sold on eBay. They were gone almost instantly, and the proceeds reportedly went toward getting the two out on bail.

This was not the only PS3 theft. Here are some of the other stories of people risking their freedom and livelihoods to get their hands on a console:

-In Hawaii, a man pulled up in an SUV, got out, and struck a total stranger with a baseball bat, demanding that he hand over his PS3. The victim did not give it up, so the attacker got back into his SUV and drove off.

-An 18-year-old in North Carolina stole two PS3s from another student; when police came to confront him, they shot and killed him. According to the official reports, the police shot his dog as well.

-In December 2006, thieves stole 180 PS3s from a warehouse in Nakashi, Japan. The theft took place during the morning and will cost Sony more than $80,000. Japanese police are investigating and trying to determine whether it was an inside job.

-After a woman in Florida picked up her brand new PS3, a man followed her and her brother to her home and held them at gunpoint, demanding that she hand over the console. She did what any reasonable person would do and handed it over.

-Some determined thieves broke into a game store through the back and made off with 13 consoles that turned out to be empty display boxes. When they realized they had stolen a pile of empty boxes, they went back and grabbed some Xbox 360s instead.

In addition to these stories, there have been reports of muggings and robberies as people camped out to get their brand new PS3 units. The PS3 is expensive and a bit tough to get your hands on, but is it really worth the risk?

How Bad Is the Identity Theft Problem?

Armed robberies, carjackings and break-ins are serious crimes, but each is committed by a limited number of people against a limited number of victims. Identity theft is in a class by itself: a single individual can launch any number of attacks at any time, from anywhere, against virtually anyone.

The theft of a person’s confidential information is a major national and international problem. One of the best (and most recent) resources describing the scope of the problem in the United States is a Special Report produced by the Bureau of Justice Statistics (BJS) entitled “Victims of Identity Theft, 2008”. Like all such reports it lags the events it describes.

More than 11.7 million people were affected by identity theft in the two-year reporting period covered by the Department of Justice. The most common crime involving a person’s confidential information was unauthorized purchases on the victim’s existing credit card accounts. One of the more surprising findings is that nearly forty percent (40%) of that credit card fraud was committed by someone known to the victim.

More than half of identity theft victims suffered fraud against their accounts, and those losses totaled more than 17 billion dollars over the two-year period covered by the BJS report. Fortunately, current law and practice help protect consumers who detect the theft early and act on it; doing so makes it much easier to prevent additional losses.

Only a small share of victims, seventeen percent (17%), actually report identity theft to law enforcement. This is surprising, because to obtain the maximum consumer protection the law provides, a victim must file a criminal report with a law enforcement agency and an Identity Theft Complaint form with the FTC.

Twenty-three percent (23%) of identity theft victims suffered out-of-pocket expenses, averaging $788.00 per victim. The damage to victims’ credit ratings and the time lost in unraveling the fraud are difficult to measure, as are the stress and inconvenience. The effects of identity theft tend to last a long time and disrupt the victim’s life.

The majority of the fraud perpetrated against individuals (53%) targeted existing credit card accounts. The remainder was directed against bank accounts, telephone and insurance accounts, or took the form of online fraud. Thirty percent (30%) of victims knew the identity thief.

One reason identity theft is so prevalent is that it is relatively low-risk for the criminal. By the time the victim discovers the fraud, the crime has usually already been completed. Complicating matters, only a small number of victims report the crime to law enforcement, as noted above. Worse yet, some local law enforcement agencies around the country refuse to take a criminal report for identity theft at all. Their jurisdictions become havens in which identity thieves can set up “drop” addresses to receive merchandise bought with stolen credit.

The burden of preventing identity theft therefore rests largely on the individual citizen and on private industry. Identity thieves know it, and they look for vulnerabilities and opportunities. You can help deter identity theft by being vigilant with your personal digital profile and by reporting any identity theft fraud committed against you. If your local law enforcement agency refuses to let you file a criminal report, insist on filing a miscellaneous crime report instead.

Protecting Yourself From Identity Theft Today

Identity theft is one of the fastest growing crimes in the U.S. It occurs when someone steals your personal information, which can include your Social Security, driver’s license and credit card numbers and so on. Entities that have had their databases compromised include the Department of Veterans Affairs and the University of Texas School of Business. The common fear among victims is that thieves will use their personal data to access bank accounts, open new credit cards, obtain long-distance calling accounts or take out loans.

In an effort to help fight identity theft, Congress added new sections to the federal Fair Credit Reporting Act (FCRA) when it passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Privacy, limits on information sharing, consumers’ rights to disclosure, and accuracy are all addressed.

An Overview of FACTA:

o To self-monitor their credit history, consumers may obtain free copies of their credit report annually at http://www.annualcreditreport.com or by calling 877-322-8228.
o Businesses may print no more than the last five digits of a credit card number on electronically printed store receipts.
o Employers must destroy all information obtained from a consumer credit report before discarding it.
o Consumers who suspect they are victims of identity theft need only notify one of the three credit reporting agencies (Experian, TransUnion and Equifax) to initiate a nationwide fraud alert; that agency must pass the alert to the other two.
o Mortgage lenders must provide the credit score they use to determine a loan’s interest rate, regardless of loan approval.
o Companies must train their employees on these requirements and document when the training was completed. The training should spell out the consequences of any violation.

Reasonable measures of destruction of personal information include:
o Burning, shredding or pulverizing documents so they become impossible to put back together or read.
o Erasing electronic files that contain any consumer reports so they cannot be recovered.

After reviewing company practices to ensure that they are designed to reasonably protect personal information, some companies are hiring outside firms that specialize in destroying personal records.

Penalties include:

o Civil liability – An employee whose identity is stolen because of an employer’s failure to protect the data can recover actual damages sustained, or the employer can be held liable for statutory damages of up to $1,000 per employee.
o Class action lawsuits – If a large number of employees are impacted, they may be able to bring class action suits and obtain punitive damages from employers.
o Federal fines – An employer can be fined up to $2,500 per violation.

The law applies to any business that collects personal information or consumer reports about customers or employees and uses them to make business decisions. This most definitely includes real estate brokerage offices. All records should be stored securely so as to protect personal data relating to agents and, above all, data pertaining to clients. The next step is protecting your company from potential liability.

According to the FTC, a reasonable plan for a company to safeguard personal information includes:

o Designating an employee to coordinate and be responsible for the security program.
o Identifying material internal and external risks to the security of these personal data.
o Designing and implementing reasonable safeguards to control the risks identified in the risk assessment.
o Continually evaluating and adjusting the security plan in light of the results of ongoing monitoring and testing of the program and of any material changes to business arrangements.
o Creating a mitigation plan that kicks in when there is a privacy or security breach and the damage has to be repaired immediately in the eyes of customers, government regulators and management.

Private individuals can take the following safeguard steps to protect their identity from theft:

o Burn or shred any financial papers, mail or credit reports that contain personal information. Never recycle that paper.
o Call 1-888-5OPT-OUT and request that credit card companies stop sending pre-approved credit card applications. Also ask your credit card companies to stop sending “convenience checks”. These arrive monthly, and in practice you may have to repeat the cancellation request each month until it actually takes effect. In other words, keep after them until you get resolution.
o Invest in a shredder that can destroy credit cards, CDs and staples.
o Delete any e-mail that asks for personal information and instruct your employees and family members to do the same.
o Hang up on any telemarketers who ask for your personal information. Instruct your family members to do the same.
o Limit the number of credit cards you hold, both business and personal. Review your monthly statements, financial records and bank statements as soon as they arrive. The sooner you report a suspicious incident, the better.
o Companies should publish their privacy policies on their website.
o Use credit cards instead of debit cards. Under federal law your maximum liability for unauthorized credit card charges is $50. For a debit card the cap depends on how quickly you report the loss: $50 if reported within two business days of learning of it, up to $500 if reported within 60 days of the statement, and potentially unlimited after that, and in the meantime the money is gone from your bank account rather than merely disputed on a bill.

Food For Thought:

Survey statistics suggest that after a security breach, 20% of your customers will no longer do business with you, 40% will consider leaving, and 5% will hire an attorney to sue your company.

The Birth of Internet Crime

The birth of the internet has transformed the world as we know it. It has grown to astronomical proportions since it became a household name in the mid-1990s. If you were born before 1980, you have watched the world change from rotary telephones to iPhones. These days nearly everything can be controlled at the touch of a button.

Bills can be paid online, movie tickets can be purchased online, you can talk to your loved ones online, and you can take a complete college course without ever setting foot on campus. The possibilities of the internet are endless, and the technology is changing faster than we can learn to understand it.

Today, teenagers and people in their twenties are grasping and exploiting computer technology like never before. Children are known for their ability to learn and assimilate information at a very young age, and absorbing the internet and computer systems is no different from learning how to build a tree fort. In some families the 13-year-old can build an entire computer system, just as his father built model cars a generation before.

With the advent of the internet came an entirely new way to commit crimes. The terms internet crime, cybercrime and computer crime are used interchangeably. Simply put, internet crime or cybercrime is any crime in which the internet or a computer is used as the medium, or is itself the target.

Internet crimes are vast and varied and can include anything from downloading pirated music to stealing someone’s identity, from draining millions of dollars out of online bank accounts to distributing child pornography. One of the most common forms of internet crime is identity theft, commonly carried out through phishing and pharming. Both rely on a fake website that looks legitimate and asks the victim to enter personal information such as name, address, phone number and bank account details; the difference is how the victim arrives there. Phishing lures the victim with an e-mail or message carrying a link to the fake site. Pharming tampers with name resolution, for example by poisoning a DNS server or editing the hosts file on the victim’s computer, so that even someone who types the correct address is sent to the impostor site. Criminals then use the harvested information to “steal” the person’s identity.
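The phishing half of that description can be checked mechanically on the receiving end. The following is an added example, not code from the original article, of the kind of link triage a mail filter or an analyst script performs: it pulls the links out of a constructed HTML e-mail body and flags the usual warning signs, namely an anchor whose visible URL differs from its real target, an IP address in place of a host name, a punycode (xn--) host, a trusted brand name buried inside someone else’s domain, and a look-alike domain built from confusable characters. The e-mail body, the `examplebank.com` brand and the `TRUSTED` set are all made up for the example, and the registrable-domain logic is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML e-mail body; the domains are example/reserved names,
# not real sites.
SAMPLE_EMAIL = """
<p>Unusual sign-in detected. Please verify your account.</p>
<a href="http://www.examplebank.com.login-check.net/verify">https://www.examplebank.com/login</a>
<a href="http://192.0.2.10/secure">Secure portal</a>
<a href="http://examp1ebank.com/reset">Reset password</a>
<a href="http://xn--examplebank-q7a.com/">Mobile app</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

# Brands the recipient organisation actually trusts (assumed for the example).
TRUSTED = {"examplebank.com"}

# Character swaps that look-alike domains typically rely on.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("|", "l")]

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    A production filter would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(host):
    """Undo common confusable substitutions so examp1ebank -> examplebank."""
    h = host.lower()
    for bad, good in CONFUSABLES:
        h = h.replace(bad, good)
    return h


def classify_host(host, trusted):
    """Return the list of warning signs found in a link's host name."""
    reasons = []
    if IP_RE.match(host):
        reasons.append("ip-literal host")
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        reasons.append("punycode host")
    reg = registrable(host)
    if reg not in trusted:
        for t in trusted:
            if t in host.lower() and reg != t:
                # brand used as a sub-label of an unrelated domain
                reasons.append(f"trusted name {t} used inside {reg}")
            elif registrable(normalise(host)) == t:
                reasons.append(f"lookalike of {t}")
    return reasons


def analyse_links(html, trusted=TRUSTED):
    """Return [(href, [reasons]), ...] for every anchor in the message body."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = urlparse(href).hostname or ""
        reasons = classify_host(host, trusted)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if re.match(r"^https?://", shown, re.I):
            # The anchor text itself is a URL: it must point where the href does.
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(host):
                reasons.append(f"displayed {shown_host} but links to {host}")
        findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL):
        print(("SUSPECT " if reasons else "ok      ") + href, "; ".join(reasons))
```

Only the help-centre link comes back clean; the other four each trip at least one check. Note that this inspects the message only. Pharming, where the link or typed address is correct but resolution has been hijacked, is invisible here and has to be caught elsewhere, for instance by comparing the address a host resolves to against a known-good record or by monitoring the hosts file for changes.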

Internet crimes are not limited to targeting consumers; cybercrime has taken on global proportions and now encompasses espionage, large-scale financial theft and sabotage. In May 2010, the Pentagon established the new U.S. Cyber Command, headed by the director of the National Security Agency (NSA), to defend American military networks. It is also tasked with attacking the computer systems of adversaries.

Because online criminal activity has spread faster than law enforcement can keep up, entire task forces have been formed to crack down on internet and cybercrime. A related discipline is electronic discovery, or e-discovery: the identification, preservation, collection, review and production of electronically stored information for use as evidence in a legal proceeding, civil or criminal. It overlaps with digital forensics, which is the technically rigorous acquisition and analysis of that data so that it will stand up in court. Either can involve a single computer or an entire network.

When you are facing allegations for internet or cybercrimes, it is essential that you seek the advice of a highly skilled attorney who you can trust. When your future is at stake – you need somebody who is familiar with both computer technology and the criminal justice system. You are urged to contact an experienced criminal defense lawyer who can help you learn more about what steps you can take to protect your legal rights and your future.

The Worker Identity Theft Crisis (And How You Will Save The Day)

The Price of Admission to the Digital Age

Identity theft is everywhere. It’s the crime of the millennium; it’s the scourge of the digital age. If it hasn’t happened to you, it’s happened to someone you know. Using Federal Trade Commission (FTC) data, Javelin Research estimates that about 9 million identity thefts occurred last year, which means that about 1 in 22 American adults was victimized in a single year. So far – knock wood – I’ve personally been spared, but in the course of running an enterprise identity theft solutions company I’ve run across some amazing stories, including from close friends I had not known were victims. One friend had her credit card used repeatedly to pay for dozens of laptops, thousands of dollars of groceries, and rent on several apartments in New York City, just prior to the 9/11 attacks. The FBI finally got involved and discovered an insider at the credit card firm, with links to organizations suspected of supporting terrorists.

So what is this big scary threat, is it for real, and is there anything one can do other than install anti-virus software, check credit card statements, put your Social Security card in a safe deposit box, and cross one’s fingers? And perhaps even more important for the corporate audience – what’s the threat to corporations (oh, yes, there’s a major threat) and what can be done to keep the company and its employees safe?

First, the basics. Identity theft is – as the name implies – any use of another person’s identity to commit fraud. The obvious example is using a stolen credit card to purchase items, but it also includes hacking corporate networks to steal enterprise information, getting a job using a fraudulent SSN, paying for medical care using another person’s insurance coverage, taking out loans and home equity lines on assets owned by someone else, giving someone else’s ID when getting arrested (so that explains my impressive rap sheet!) and much more. In the late 90s and early 2000s identity theft numbers skyrocketed, but they have plateaued in the last 3 years at around 9-10 million victims per year – still an enormous problem: the most common consumer crime in America. And the cost to businesses continues to increase as thieves become more sophisticated – business losses from identity fraud in 2005 alone were a staggering $60 billion. Individual victims lost over $1,500 each, on average, in out-of-pocket costs, and needed tens or even hundreds of hours per victim to recover. In about 16% of cases losses exceeded $6,000, and many victims never fully recover, left with ruined credit, large sums owed, and recurring problems with even the simplest of daily activities.

The underlying cause of the identity theft crime wave is the very nature of our digital economy, which makes it an extremely difficult problem to solve. Observe yourself as you go through the day and count how many times your identity is required to facilitate some everyday activity. Turn on the TV – the cable channels you receive are billed monthly to your account, which is stored in the cable company’s database. Check your home page – your Google or Yahoo or AOL account has a password that you probably reuse for other accounts, maybe your financial accounts or your corporate login. Check your stocks – and realize that anyone with that account information could siphon off your money in seconds. Get into the car – you’ve got your driver’s license, car registration and insurance, all linked to a driver’s license number that serves as a surrogate national ID and could be used to impersonate you in almost any transaction. Stop for coffee, or to pick up some groceries, and use one of your many credit cards, or a debit card linked to one of your several bank accounts – if any of those are compromised, you could be cleaned out in a hurry.

And in the office – a veritable playground of databases holding your most sensitive data! The HR database, the applicant tracking system, the payroll system, the benefits enrollment system, and various corporate data warehouses – each one stores your SSN and many other identifying details. Also the facilities system, the security system, the bonus and commission and merit increase and performance management systems, your network login and e-mail accounts, and all of your job-specific system accounts. Not to mention the one-time and periodic reports and database extracts that are produced all day long, every day, by Compensation, by Finance, by audit firms, by IT and many others. And what about all the backups and replicated databases, all the outsourced systems, all the pension and 401(k) and other retirement account systems? The little, easily forgotten systems that track mentor assignments and birthdays and vacation accruals. The online paycheck image systems? The corporate travel provider’s systems? And let’s not forget how every outsourced system multiplies the risk – each one has its own backups and copies and extracts and audits; each one is accessible by numerous internal users as well as by the provider’s own service providers. How many databases and laptops and paper reports throughout this web of providers and systems hold your data, and how many thousands of people have access to it at any moment? The list goes from surprising to daunting to frightening the longer one follows the trail of data.

It’s a brave new digital world, where every step requires instant authentication of your identity – not based on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Much more efficient, right? So your various digital IDs – your driver’s license number, your SSN, your user IDs and passwords, your card numbers – have to be stored everywhere, and as a result are accessible by all kinds of people. This explains the huge and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in such breaches in just the last 18 months, and the pace is accelerating. It’s simple arithmetic combined with a financial incentive: a growing volume of identity data, accessible by many people, that has significant value.

And once any of these digital IDs is compromised, it can be used to impersonate you in any or all of these thousands of systems, and to steal your other digital IDs as well, to commit further fraud. That is the scale of the problem. Far worse than one stolen Citibank credit card – identity theft can disrupt everything you do and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an endless game of whack-a-mole – fix one exposure and another pops up, somewhere across the enormous breadth of accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again across a vast, shadowy international marketplace for ID data, outside the reach of US law enforcement and extremely agile in adapting to any attempt to shut it down.

A Disaster Waiting to Happen?

Over the last two years, three major legal changes have substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (FACTA) went into effect that impose significant penalties on any employer whose failure to protect employee information – by action or inaction – results in the loss of employee identity data. Employers may be civilly liable for up to $1,000 per employee, and additional federal fines may be imposed up to the same level. Various states have enacted laws imposing even higher penalties. Second, several widely publicized court cases held that employers and other organizations that maintain databases of employee information have a special duty to safeguard data that could be used to commit identity fraud, and the courts have awarded punitive damages for stolen data over and above actual damages and statutory fines. Third, several states, beginning with California and spreading rapidly from there, have passed laws requiring companies to notify affected consumers when they lose data that could be used for identity theft, whether the data was lost or stolen and whether or not the company bears any legal liability. This has vastly increased public awareness of corporate data breaches, including some massive incidents such as the infamous ChoicePoint breach in early 2005 and the even larger loss of a laptop containing over 26 million veterans’ records a couple of months ago.

At the same time, the problem of employee data security is getting exponentially harder. The ongoing proliferation of outsourced workforce services – background checks, recruiting, testing, payroll, and various benefit programs, up to full HR outsourcing – makes it ever harder to track, let alone manage, all of the potential exposures. The same goes for IT outsourcing – how do you control systems and data that you don’t manage? How do you know where your data is, who has access but shouldn’t, and which criminal and legal system governs an exposure that occurs outside the country? The trend toward more remote offices and virtual networks also makes it much harder to control the flow of data or to standardize system configurations – how do you stop someone who logs in from home from burning a CD full of data extracted from the HR system or data warehouse, or copying it to a USB drive, or transferring it over an infrared port to another nearby computer? And the legislative minefield, from HIPAA to Sarbanes-Oxley, not to mention European and Canadian data privacy regulations and the fast-evolving patchwork of US federal and state privacy legislation, has ratcheted up the complexity of control, perhaps past the point of reasonability. Who among us can say that they understand all of it, let alone fully comply?

The result is a perfect storm: more identity data losses and thefts, much greater difficulty managing and plugging the holes, much greater visibility of missteps, and much greater liability, all boiling in the cauldron of a litigious society in which loyalty to one’s employer is a bygone concept and all too many employees look at their employer as a set of deep pockets to be picked whenever possible.

And it’s all about “people data” – the simple two-word phrase right at the heart of the mission of Human Resources and IT. The enterprise has a problem – its people data is suddenly high value, under attack, and at escalating risk – and they’re looking at you, kid.

The good news is that at least it’s a well-known problem. Although I hope I’ve done a good job of convincing you that identity theft is not all hype – that it’s a genuine, long-term, big-deal problem – the reality has a hard time keeping up with the hype. Identity theft is big news, and plenty of people, from solution vendors to media infotainment hucksters of every stripe, have been trumpeting the alarm for years. Everyone from the boardroom on down is aware, in a general way, of the big data thefts, the problems with computer security, the hazards of dumpster divers and so on. Even the Citibank ads have done their part to raise awareness. So you have permission to propose a reasonable way to address the problem – a serious, programmatic approach that will easily pay for itself in reduced corporate liability and in avoided bad publicity, employee dissatisfaction and lost productivity.

The Journey of a Thousand Miles

In general, what I recommend is simply that you approach identity theft prevention and management as a program – a permanent initiative that is structured and managed like any other serious corporate program. That means an iterative activity cycle, an accountable manager, and real executive visibility and sponsorship. It means going through cycles of baselining, identifying key pain points and priorities, envisioning a next-generation state and scope, planning and designing the modules of work, executing, measuring, assessing, tuning – and then repeating. Not rocket science. The most important step is to recognize the problem and train a focus on it – put a name and a magnifying glass to it. Do as thorough a baseline review as you can, examine the company from the perspective of this substantial risk, engage your executive leadership, and manage an ongoing improvement program. After a couple of cycles you’ll be surprised how much better a handle you have on it.

Within the scope of your identity theft program, you will want to target the following primary objectives. We’ll examine each one briefly, and outline the critical areas to address and some key success factors.

1) Prevent actual identity thefts to the extent possible

2) Minimize your corporate liability in advance for any identity thefts (not the same thing as #1 at all)

3) Respond effectively to any incidents, to minimize both employee damage and corporate liability

From an enterprise perspective, you can’t achieve identity theft prevention without addressing processes, systems, people, and policy, in that order.

o First, follow the processes and their data flows. Where does personal identity data go, and why? Eliminate it wherever possible. (Why does the SSN have to be in the birthday tracking system? Or even in the HR system? One can tightly limit which systems retain this kind of data while still preserving the required audit and regulatory reporting capability for the few people who perform those specific functions.) And by the way, assigning or hiring someone to try to “social engineer” (trick) their way into your systems, and asking employees to help identify all the little “under the covers” quick-and-dirty exposure points in your processes and systems, are both very effective ways to get a lot of scary information quickly.

o For those systems that do retain this data, implement access controls and usage restrictions to the extent possible. Remember, you are not locking down the data that drives business functions; you are merely limiting who can access and extract your employees’ personal, private information. The only ones who should have access are the employees themselves and those with specific regulatory job functions. Treat this data as you would treat your own family heirlooms: strictly limit access. And remember – the problem is not only those who are supposed to have access; it is also those who are hacking, who have stolen one employee’s ID in order to steal more. So part of your mission is to make sure that your network and system passwords and access controls are genuinely robust. Multiple, redundant strategies are usually required – strong passwords, multi-factor authentication, access audits, employee training, and employee security agreements, for example.

o Train your people – simply and bluntly – that this data is personal and is not to be copied or used anywhere except where necessary. The theft of laptops is not the big issue; the issue is that the laptops contained employees’ personal data in the first place. Give your people – including any contractors and outsourced providers that serve you – the guidance not to place this data at risk and, where necessary, the tools to use it safely: standardized system monitoring, encryption, strong password management on systems that hold this data, and so on.

o Develop policies for handling employees’ private data safely and securely that hold your employees and your service providers accountable and liable if they do not. Communicate this policy clearly, simply and forcefully, then reinforce it with messages and examples from senior executives. Make it especially clear to every one of your external service providers, and require them to have policies and procedures that duplicate your own safeguards and to be liable for any failures. This may seem a daunting task, but you will find that you are not alone – these service providers are hearing the same thing from many customers and will work with you to establish a timetable to get there. If they don’t get it, maybe that is a good signal to start looking for alternatives.
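The first two steps above, finding out which systems actually hold the SSN and then limiting what can be extracted from those that must, can be turned into something concrete. The following is an added example, not the author’s code or any product’s, of a script that scans extracts from several internal systems for SSN-shaped columns, builds an inventory of who is holding them, and rewrites an extract so that the SSN is replaced by a keyed pseudonym. The pseudonym is an HMAC under a secret key rather than a plain hash, because an SSN has only about a billion possible values and an unkeyed hash could be reversed by brute force in minutes. Records in different systems can still be joined on the token, which is what the birthday tracker actually needs, while the SSN itself stays only in the regulated system of record. The two CSV extracts, the system names, the column names and the key are all constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample extracts from two hypothetical internal systems.
# The SSNs are made up; the column names are assumptions for the example.
BIRTHDAY_EXPORT = """employee_id,name,ssn,birthday
1001,A. Smith,123-45-6789,03-14
1002,B. Jones,987-65-4321,11-02
"""
PAYROLL_EXPORT = """employee_id,name,tax_id,salary
1001,A. Smith,123456789,80000
1002,B. Jones,987654321,90000
"""
SYSTEMS = {"birthday-tracker": BIRTHDAY_EXPORT, "payroll": PAYROLL_EXPORT}

# Nine digits, with or without the usual hyphens.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def find_ssn_columns(csv_text):
    """Return the column names whose non-empty values all look like SSNs."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return set()
    found = set()
    for col in rows[0].keys():
        values = [r[col] for r in rows if r[col]]
        if values and all(SSN_RE.match(v) for v in values):
            found.add(col)
    return found


def inventory(systems):
    """Map each system name to the SSN-bearing columns found in its extract.
    This is the baseline list of places the data has leaked into."""
    return {name: find_ssn_columns(text) for name, text in systems.items()}


def ssn_token(ssn, key):
    """Keyed one-way pseudonym for an SSN.

    The same SSN always yields the same token (so records still join), but
    without the key the token cannot be reversed or brute-forced, which a
    plain SHA-256 of a nine-digit number could be.  Hyphens are stripped so
    '123-45-6789' and '123456789' map to the same token.
    """
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(csv_text, key, columns):
    """Rewrite an extract with the given SSN columns replaced by tokens."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        for col in columns:
            if row[col]:
                row[col] = ssn_token(row[col], key)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Key is a placeholder; in practice it lives in an HSM or secrets store
    # owned by the system of record, not in the script.
    key = b"assumed-hr-pseudonym-key"
    inv = inventory(SYSTEMS)
    for system, cols in inv.items():
        print(f"{system}: SSN found in columns {sorted(cols) or 'none'}")
    # The birthday tracker has no regulatory need for the SSN; hand it
    # tokens instead and leave the real value only in payroll.
    print(pseudonymise(BIRTHDAY_EXPORT, key, inv["birthday-tracker"]))
```

The inventory step is the part that scales: point `SYSTEMS` at real extracts (or sampled rows from each database) and the output is the list of systems that need either the column removed or this kind of tokenization applied. Keep the HMAC key with the system of record and rotate it only with a planned re-tokenization, since every downstream join depends on it.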

Minimizing corporate liability is all about having “reasonable safeguards” in place. What does that mean in practice? No one knows. But you’d better be able to pass the reasonability “smell test”. Just like obscenity, judges will know “reasonable safeguards” when they see them – or don’t. You can’t prevent everything and you’re not required to, but if you have no passwords on your systems and no physical access control over your employee files, you’re going to get nailed when there’s a theft. So you need to do precisely the kind of review and controls that I’ve outlined above, and you also need to do it in a well-documented, measured, and publicized way. In short, you need to do the right thing, and you need to very publicly show that you’re doing it. It’s called CYA. That’s the way legal liability works, kids. And in this case, there’s very good reason for this rigor. It ensures the kind of comprehensive and thorough results that you want, and it will assist you greatly as you iterate the cycles of improvement.

This is why you want to make the effort to establish a formal program: benchmark what some other companies do, define a comprehensive plan and metrics after you complete your baselining and scoping steps, report results to your executives, and iterate for continuous improvement. Because you need to both know and show that you’re doing all that could reasonably be expected to secure the employees’ personal data that is in your care.

And yet, despite all your safeguards, the day will come when something goes wrong from an enterprise perspective. You absolutely can substantially reduce the probability, and the size of any exposure, but when over 90 million records were lost or stolen from thousands of organizations in just the last 18 months, sooner or later almost everyone’s data will be compromised. When that happens, you need to shift on a dime into recovery mode, and be ready to roll into action fast.

But not just fast – your response must be comprehensive and effective, specifically including the following:

o Clear, proactive communication – first to employees, then to the public.

o The communication must say what happened, that a small, empowered task force has been marshaled, that temporary “lock down” procedures are in place to prevent further similar exposure, that investigation is under way, that affected employees will be given recovery assistance and reimbursement of recovery expenses, and monitoring services to prevent actual identity thefts using any compromised data.

o Of course, all those statements need to be true, so:

o A task force of HR, IT, Security, and Risk Management professionals and managers must be identified and trained, and procedures for a “call to action” defined – in advance.

o They must be empowered to implement temporary lock down procedures on employee personal data. Procedures for likely scenarios (laptop loss, backup tape loss, network login breach, theft of physical HR files, etc.) should be predefined.

o Template communications – to employees, partners, and press – should be drafted.

o Qualified investigative services should be selected in advance.

o Expert identity theft recovery assistance resources and identity theft threat monitoring services should be evaluated and selected in advance.

Nothing is more important to protect your company than a well-planned and effective response within the first 48 hours of an incident. If you’re not prepared and practiced well in advance, this will be impossible. If you are, it can actually be a positive public relations experience, and will drastically reduce legal, financial, and employee satisfaction impacts.

Identity theft is not a flash in the pan – it’s built into the way the world now works, and this heightens not only the risk, but also the damage. Companies are at special risk, because by necessity, they expose their employees’ data to other employees and to their providers and partners, and they bear responsibility for the risk that this creates. Those in HRIS, whose specific function is the management of “people data”, must take ownership of this emerging liability, and ensure that their companies are as safe and as prepared as possible.