Information For Businesses - In the Real World
Council of Better Business Bureaus, National Cyber Security Alliance, Federal Trade Commission, Offer Businesses Tips For Keeping Their Computer Systems Secure
The Council of Better Business Bureaus, the National Cyber Security Alliance, and the Federal Trade Commission are urging small businesses to keep their computer systems secure by evaluating their computer security practices regularly and by performing a substantive security audit at least twice a year. The BBB and the National Cyber Security Alliance have developed a checklist to help businesses guard their computer systems against attacks.

Whether it's a large, multi-national corporation or a small neighborhood store, your business is the custodian of the personal information of your customers and the keeper of sensitive personal information about your employees. Large or small, your business can be the target of identity thieves who would like to steal that personal information - or, as we'll see, steal the identity of your company itself. How can your business help?

In The Beginning.
Before we get started, we suggest that you do two things (if you haven't already done them):

These two sections are a basic primer for the issues we'll be discussing here.

What Can Happen.
It’s been said that we learn best by experience. Hopefully, we can take advantage of someone else’s bad experiences for our lessons, instead of paying the painful price ourselves. What follows are just a few actual stories culled from the pages of recent newspapers:

  • Another man successfully installed "keylogging" software in 14 Kinko stores in the New York City area, without Kinko’s knowledge or permission. He was then able to capture customers’ usernames and passwords.

  • An Israeli man was arrested in Israel for hacking into a U.S. electronics company’s system and stealing the personal information (including credit card numbers) of 80,000 customers.

  • A former employee of Long Island software company Teledata Communications was released on $500,000 bond after an appearance in Manhattan federal court. He was accused of stealing the credit histories of thousands of people.

  • An employee of the Temptation Restaurant in Boca Grande was arrested after stealing the credit card numbers of at least 18 customers using an electronic device to “skim” their credit cards.
These are just a handful of examples, but they serve to illustrate a vitally important point. If external hackers and untrustworthy employees are given (or can easily gain) access to sensitive information, the good name of your business can be seriously harmed. This is true even though your business is a victim, too.

Basic Self-Defense for Your Business.
"Personal information" is information that allows you to identify an individual customer or employee. This might include such things as the individual's name, address, age, gender, identification numbers, income, employment, assets, liabilities, source of funds, payment records, personal references and health records.

If your business maintains people's personal information, you must protect that information from theft or misuse. Here are some basic rules:

  • If you don't need it, don't collect it. This seems obvious, but many businesses collect more information than they need. Here's an example: Maybe your store wants to start emailing a newsletter to customers that have asked to receive it. So, you need each customer's email address. But someone suggests that - since customers are filling out a form anyway - maybe you should get their name, address and phone number as well. Then someone else suggests that getting customers' dates of birth would allow you to email a birthday card. So, instead of simply storing the information you currently need (the email address), you end up storing a lot more. The more you have, the more tempting it becomes to a thief and the more damaging it is to your customers if the information is stolen.

  • If you need it once, don't save it longer. Companies sometimes collect information that's necessary to complete a single transaction, then compulsively file that information away (either in a paper file or in a computer file). For example, what happens to job applications for people you don't hire? These contain all sorts of personal information, including the all-important social security number. Again, if you aren't required by law to keep the information, and you seldom, if ever, use it, then get rid of it. If you don't keep it, it can't be stolen.

  • If you've got it, but you don't need to save it, dispose of it carefully. As we've pointed out in our general advice to consumers, a good deal of identity theft happens in the trash barrel or dumpster. Even the smallest business can afford an inexpensive paper shredder. Make sure you use yours to destroy customer or employee records.

  • If you have to keep it, think security. First, make sure those paper records that contain personal information are kept under lock and key when they aren't in use. Make sure computer terminals are password protected. Limit the eyeballs that have access to these records - only those who have an absolute need-to-know should have access to personal information. Don't allow customers or others to wander around the private areas of your business.

  • Don't broadcast personal information. How often have you stood in line at an office or store behind someone who was being asked to give his/her social security number or telephone number or birth date? How many times have you watched a company's employee pull up personal information on a computer screen that was visible to other customers? Or seen personal information in a file that was left open on a desk or counter? Instruct your employees to be sensitive to these issues. Turn computer screens so they can't be viewed by anyone other than the operator. Instruct employees who need personal information to have customers jot that information down, not repeat it out loud where it can be overheard by others. Don't put personal information like account numbers in billings or letters where that information is visible through windows in the envelope.

  • Don't use Social Security numbers as account numbers. While not common, this practice is just downright dangerous - to you and your customers.

  • Don't give out employee or customer information to anyone whose identity can't be positively confirmed. Information thieves and stalkers tell authorities over and over how easily they were able to obtain all sorts of valuable information simply by calling small business owners or personnel departments and asking. Posing as government agencies or credit grantors or health insurance providers, these thieves have found that a well-crafted, believable story can often get past the best locking file cabinets or password-protected computers. Your organization should have very strict policies on when and how employee or customer information is shared.

  • Locks and alarms are a real deterrent. If you've done everything we've suggested, your records -- and your customers -- will be more secure during business hours. Make sure you're at least as secure when your business is closed. Make sure all vital records and offices are locked during non-business hours. Exterior doors should have deadbolt locks. Hinges on exterior doors should be secured to prevent removal. Exposed windows should be protected with bars, screens or shatter-proof glass. The business' exterior should be adequately lighted from dark to dawn. Naturally, the business should be protected by an alarm system, preferably one that is monitored by the security company. Your business insurance company -- or, in some cases, your local police -- may be able to assist you with a security assessment.
  © 2003 Council of Better Business Bureau, Inc.