Fighting Fraud

Feb 14, 2010

An employee takes a late-afternoon call from her favorite client. Realizing she’s running late, the employee writes the client’s name and credit-card information on a Post-it note, sticks it to her computer, then hurries out to make it home on time. When the employee calls in sick the following day, the busy company hires a temp to help assist with general day-to-day operations. During a lull, the temp pockets the Post-it note. The client, with her credit card still safely stored in her wallet, becomes another victim of identity theft with no idea as to how her personal information was tapped.

The above scenario is purely a work of fiction and, as they say in Hollywood, any resemblance to living persons is strictly coincidental. If, however, the scenario feels uncomfortably close to home, you are probably not alone.

It is hardly a secret that identity theft is on the rise. In 2009, 11.2 million cases of identity fraud were reported, reflecting a 13 percent increase over 2008, according to the 2010 Identity Fraud Survey Report — a report released by Javelin Strategy & Research, a research organization specializing in financial services. According to the report, nearly 5 percent of the entire U.S. population were victims of identity fraud last year with a total price tag amounting to a whopping $54 billion.

Especially troubling is that small business owners are more likely to be at risk for fraudulent activity.

“As small business operators, individual travel agency owners are 1½ times more at risk for identification fraud than all other U.S. adults and, therefore, they need to be on guard,” said James Van Dyke, president and founder of Javelin Strategy & Research.

Van Dyke and his organization have been studying identity theft since 2003. While the mean cost to the consumer is declining — last year it was at just $373 per incidence — the real cost can come to business owners who aren’t careful with their client’s data.

Improper handling of personal data, whether through a willfully criminal act or an unthinking action is, of course, not something that is specific to travel agents. Fitness centers have thrown their customers’ credit report information in the trash, bank tellers have unthinkingly left credit reports on bankers’ desks and even check-cashing centers have been cited for not destroying cashed checks.

But with the government becoming ever more focused on identity theft, there can be huge fines and penalties for businesses that improperly store or dispose of sensitive data.

The stiff fines that can and have been levied for what frequently have been unthinking acts, should serve as an incentive for travel agencies to remain especially vigilant when monitoring how their clients’ personal information is being handled. The penalties can be crippling for the small business owner. A small business in Texas, for example, was accused of improperly disposing of consumer records and ended up settling with the Texas Attorney General for $220,000.

Fair and Accurate Credit Transactions Act
Much of today’s discussion about data safety stems back to 2005, when the U.S. government passed the Fair and Accurate Credit Transactions Act (FACTA).

The same law that now allows consumers one free look at their credit report each year also mandates that financial organizations are required to safely dispose of personal information. Although the law, which is often referred to as the “Shredder Law,” tends to apply to consumer reports and information derived from consumer reports, the Federal Trade Commission (FTC) encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures.

Javelin’s Van Dyke agreed.

“As professionals who are entrusted with customers’ personal information — such as payment account numbers and dates when people will leave their homes vacant — travel agents must apply the same protection of personal data that other organizations are subject to, such as financial institutions. If such information is exposed, legal data breach provisions mig
ht apply, requiring embarrassing or otherwise costly administrative efforts,” said Van Dyke.

Create a Plan
So, what can agents do to ensure the protection of their clients’ data? The FTC offers a number of valuable resources for small business, including a free online guide , “Protecting Personal Information: A Guide for Business.”

The first step, suggests the FTC, is to take stock. Take a complete inventory to figure out where your company receives its sensitive data and where that data is stored. Also, determine who handles sensitive data and whether or not it is necessary for those personnel to have access.

Once you have a complete overview of what happens when personal data comes into the office, create a plan to scale it down. Don’t keep information you don’t need. In particular, the FTC recommends that you don’t keep credit-card information unless you have an essential need for it.

When you have figured out what information you need, secure it. The most effective data security plans, says the FTC, involve four components: physical security, electronic security, employee training and the security practices of contractors and service providers.

When it comes to destroying existing records, you must take the utmost efforts to burn, shred or pulverize the information. Merely throwing it in a trash bag is a big no-no.

The final step is to plan ahead in case of a possible security breach. Designate a senior staff member who will coordinate possible response plans, which should include investigating possible breaches, as well as determining who to notify in the event that a breach is found.

Most of the fixes the FTC suggests won’t break the bank. Further, the FTC says “it’s cheaper in the long run to invest in better data security than to lose the goodwill of your customers, defend yourself in legal actions and face other possible consequences of a data breach.”

Some of the fixes, however, may be time consuming, and questions may still linger as to whether the right action steps have been taken. For agencies seeking outside help, there are organizations that specialize in assisting businesses with creating a data security plan.

Identity Theft 911 was the first identity-theft resolution company in the U.S. Now, Identity Theft 911 also helps small businesses create custom security solutions specific to their organization’s needs.The subject of identity theft can actually work to the travel agent’s advantage, according to Identity Theft 911, by giving them another level in which they can engage their clients.

“It’s essential that travel agents play a key role in reminding customers how to safeguard important travel documents and personal information in order to ensure a fun, yet safe, travel experience,” said Ondrej Krehel, information security officer at Identity Theft 911.

Agents who choose to go it alone can receive many recommendations on how to educate their customers on best practices for personal safety at the Javelin-run Web site, IDSafety.net. Van Dyke particularly recommended that travelers, or agencies on their behalf, use online channels to monitor existing accounts for unauthorized activity and shut off paper statements that could pile up in the mailbox while travelers are on the road.

Whether agents choose to go it alone or to enlist the aid of outside professionals, the reality is that identity theft will continue to be a pervasive part of doing business. Agencies that remain ahead of the curve can protect themselves from possible liability while also providing their clients with added peace of mind.

Only Online

Scroll down for tips on protecting your personal data.

Scroll down for more identity fraud resources.

Security Tips for Travelers

Ondrej Krehel, information security officer at Identity Theft 911, recommends that travel agents remind their clients of the following tips:

[1] Scan important travel documents and store them in your e-mail account — This allows you to easily access your passport, passport photos, visa, airline tickets, itinerary, etc., securely via e-mail.

[2] Pack only one or two credit cards — Decide on one or two credit cards that are accepted worldwide and leave all other cards at
home. Call the credit-card vendors and let them know which countries you will be going to and also the timeframe of your travel.

[3] Don’t pack your Social Security card or bank checkbook — A Social Security number (SSN)and address are the only information needed to steal an identity, and a stolen check is a gateway to a banking account. Leave behind any other cards or documents you may routinely carry that contain your SSN.

[4] Store valuables in the hotel safe — Valuables include your cash, credit cards and, especially, your passport. After all, what could be more valuable than your ability to return home?

[5] Avoid free wireless networks — Do not check your financial information, such as online banking activities, from street cafe computers or free wireless networks. There could be malicious software installed, and your account could be compromised.

[6] Safeguard documents not traveling with you — Leave the following documents in a safe deposit box or in a fireproof safe at home: Social Security card, birth certificate, copy of your passport, checkbook and deposit slips, bills and statements, medical cards, extra credit and ATM/debit cards and any other financial or identifiable documents.

Resources

Protecting Personal Information: A Guide for Business
This downloadable PDF guide gives businesses who wish to revamp their privacy policies and excellent overview and place to start.
www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf

Travel Cuts Privacy Policy
Travel Cuts, a student travel organization based in Canada, has created an excellent, transparent privacy policy. Agencies should provide a similar policy on their Web site or have one that is available to clients who ask.
www.travelcuts.com/us/Privacy%20Policy.asp

Consumer Sentinel Network Data Book for January – December 2008
The Consumer Sentinel Network is a massive database that allows law enforcement officers to access all identity theft and fraud complaints made to the FTC. Every year the Consumer Sentinel Network releases the Data Book, with an overview of number of occurrences and types of identity fraud for the previous year.
www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2008.pdf

7 Practices for Safer Computing
www.onguardonline.gov/pdfs/stopthinkclick.pdf

An Overview of the FTC’s Red Flag Rules
While this guide is primarily for financial institutions, low-risk companies such as small businesses would be wise to understand these regulations.
www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

Complying With the Red Flags Rule: A Do-It-Yourself Prevention Program
www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf