Protecting Your Business from the Single Greatest Threat of the 21st Century

Presented by: Mack Jackson
MJ Computer Concepts Inc.
Identity Theft
    Is the fastest growing crime of the 21st
     century
    Something few people know about, and
     even fewer know what to do about it
    It directly affects you, your customers and
     your employees
    There are new federal, state and industry
     regulations that require you to take action
Knowledge is Power
    Protect your business – and keep out of
     legal trouble
    Gain the trust, loyalty of your customers
    Protect your employees
    Set yourself apart from your competitors
Digital Connected World


 •   Computers, Internet, smart phones

 •   Amazing technologies, opportunities

 •   Exciting age of information and
     communication
With the amazing
technology,
comes the bad people…

  The “Cyber Criminal”
  Crooks have adapted
  The new threats we face are devastating
  The unprepared and complacent are being
   victimized
The Crime:



Identity Theft and Fraud
         Personal
         Financial
         Medical
         Criminal
Identity Theft
and Fraud
    Confidential information is the new currency
     of thieves
    Sophisticated underground market for
     stolen personal and financial information
    Old school theft
    Today’s Cyber Criminal
    Doctor’s Office
    Family Members
Why should you be concerned
    as a business owner
        or manager?
Businesses:
The main source of stolen
identities, cyber-crime and fraud in
America.
The Problem:
Exposure, Loss
or Theft of…
   Customer information
   Employee information
   Business information
   Financial information

      Photo Copiers
    NY Cyber Ring Bust
The Problem:
    Over 500 million customer/employee
     records lost or stolen since 2005 (Privacy Rights
     Clearinghouse)
    Up to 88% of lost or stolen records are due to
     employee negligence or fraud. (Ponemon
     Institute, 2009)
Small Businesses:
The Target
    85% of fraud occurs
     in small businesses.
     (VISA Security Summit,
     International Council for Small Business)

    $54 billion in damages to
     SMB’s in 2009 – up 12.5%
     (Javelin Research)

    Small business owners
     identity stolen 1.5 times
     more than others (Javelin Research)
How it Happens:

   Employees/Insiders
   Hackers/Criminals
How it Happens:


    Viruses, spyware, keyloggers
    Social engineering, phishing
    Computer hi-jacking
    “Dumpster-divers”
What’s at Stake?
Devastating consequences
   with a data breach!
Lost CUSTOMERS
       Lost trust and loyalty
       After a data breach:
          40% will consider ending the
          relationship
          20% will no longer do business
          with you
          5% are considering legal action
    (CIO Magazine)
Damaged IMAGE
   Your personal and
    business reputation is at
    stake
Stolen Money
   Global cyber-crime rings
    stealing money directly
    from business bank
    accounts
Recovery COSTS
   Disruption of business
   Financial damages
   Customer reparations
   Restore image
BUSINESSES now bear the
biggest liability and the greatest
 financial risk from identity theft
             and fraud
Major Federal Laws
      Red Flags Rule
      Applies to anyone who arranges for or extends credit
      or payment terms, or who provides products or
      services and bills or invoices the customer.

      GLBA (Gramm-Leach-Bliley Act)
      Applies to any business or organization that handles
      personal financial related information (such as banks,
      insurance/securities agencies, lenders, accountants & tax
      preparers, real estate professionals, and others).

      HIPAA / HI-TECH (Health Insurance Portability and
      Accountability Act)
      Applies to anyone who handles personal health
      information and health insurance information - as well as
      those who service or support healthcare organizations.
State Laws

       48 states now have one or more laws
       that hold businesses responsible for
       protecting the customer information
       they collect.

       State laws are also interstate laws.

       Businesses typically must comply with
       laws in states where any of their
       customers reside.
State Laws


         Nevada State Law
         ( NRS 603A.010 Breach Notification Law)
Industry Regulations

        PCI Compliance (Payment Card Industry)
        Applies to anyone who accepts credit cards



        Enforced by the PCI Standards Council
        and all merchant banks that handle card
        processing
Who Must Comply?
Does your business collect, process or store:

        Any personally identifiable information for
         your CUSTOMERS?
          Name, address, social security number, driver's license
           number, birth dates, maiden name, etc.
        Any financial information for your
         CUSTOMERS?
          Checking/bank accounts, loans, insurance, credit reports,
           taxes, accounting, investments, debts, collections, real
           estate information, etc.
Who Must Comply?

Does your business:
  Extend credit or payment terms?
  Invoice or bill your customers?
  Accept credit cards?
  Share customer or employee information
    with third parties?
Who Must Comply?

Does your business collect, process or store:
  Any health related information?
         Medical records, treatment, health insurance, billing, etc.
        Any personal information about your
         EMPLOYEES?
         Name, address, social security number, birth date, health
          insurance, spouse/family, tax information, 401K, etc.
If you answered “YES” to any of these
            questions –

 …You are held liable under one or
more federal and state laws or industry
             regulations.
Fines, Penalties, Liabilities…
Payment Card Industry (PCI)
   High transaction fees
   $10,000 fine on first violation
   Account termination
Civil or Criminal Action
   Individual and class action lawsuits
   Punitive damages, possible imprisonment for
    reckless or negligent disclosure
Fines, Penalties, Liabilities…
Federal
   Starts at $2,500 - $3,500 fine per record lost or
    stolen
   Up to millions per violation or incident
   Owners and officers can be held personally liable
States
   Fines and penalties ranging from $500 to $5,000
    per record lost or stolen
Non-Compliance Risks:
Fines, Penalties, Liabilities


In the event of a breach…
Heavy fines and penalties for negligence can be
assessed against your business, and owners can be
held personally liable.
Serious Threat…
Serious Consequences…
How to:
  PROTECT your customers,
 employees, and your business.

Get COMPLIANT with all the laws
       and regulations.
“Reasonableness” Standard

          (It doesn’t have to be
        complex and expensive…)

“In our investigations, we look at the overall
security the firm has implemented and its
reasonableness… I emphasize that the
standard is “reasonableness”, not perfection.”
(FTC Chairman, Deborah Platt Majoras)
Top 10 recommendations

1. Administrative Safeguards
2. Technical Safeguards
3. Breach Response Plan
4. Certification
5. Customer Privacy Assurance
6. Cybercrime Insurance Policy
7. Online Reputation Management
8. Check Your Credit Report
9. Use Only Secured Credit Cards
10. Work with a Certified Information Security Advisor
Protection & Compliance


1. Administrative Safeguards:
      (“People” and “Paper”)
  Information Security Policy
  Privacy Notice for customers
  Compliance Administrator training
  Employee Training program
  Regular compliance updates
Protection & Compliance


2. Technical Safeguards:
  Computer Security
     Professional grade security software
     Quarterly security checkups on every computer

  Vulnerability Management
     Penetration testing
     Microsoft, other software security patches/fixes
  Data Encryption Software
  Secure Data Disposal – computers, hard drives, copiers, etc.
Protection & Compliance


3. Breach Response Plan:
  Breach Response
     Discovery
       Investigation – find out what happened
       Reporting to proper authorities
       Assistance with criminal prosecution
     Policy Review / Update
        Closing security holes & revising your policies & procedures
     Public Relations / Compliance
       Help with letters/communications to customers
       Help with remediation (ID theft protection) for victims
       Help dealing with the press
Protection & Compliance


4. Certification:
   Your Business Certified
      Your business meets or exceeds minimum requirements in federal,
       state and industry regulations for protecting customers and employees
       against ID theft and fraud.
      “Good Housekeeping” seal of approval that your business is a safe
       place to do business.
   Ongoing Certification
      Monthly/Quarterly/Annually
   Legal Validation
      Back you up should legal problems arise
      “Safe Harbor” status
5. Customer Privacy Assurance
  Increase customer trust and loyalty.
  Increase customer referrals, new customers.

  Certification seal
     For your website, office, etc.
  Customer Notification
     Letter, announcement
  Press Release
6. Cyber Insurance Policy
 Business insurance policy, E & O may not protect
  you from fines and penalties
 Cyber insurance policy can protect you from data
  breaches within your company
7. Online Reputation Management:
 Online social media networking protection
 Creating good press about your name and business
 Press Releases
 Moving bad press to the back on search engines
8. Check Your Credit Report
 Check your credit report 4 times a year
 Also your young family members
9. Use Secured Credit Cards
 Avoid using credit cards with the WiFi sign on the
  back of the card.
 Have your bank reissue a new card.
10. Work with a CISA consultant
  Certified Information System Advisor
For more information on upcoming
   seminars on compliance and
regulations protection contact us at
          702-868-0808
   MJ Computer Concepts Inc.




   Thank you!


Editor's Notes

  • #2 Over 10 million new victims 1 in 20 Adults Most vulnerable In Nevada 100,000 people How many of you know….. The internet technology bred savvy criminal more than law enforcement
  • #3 We have all heard of Identity theft in the news. How it has affected the financial well being of countless individuals. Did you know that business owners are liable for stolen records of their customer and employees As a business owner you are responsible for protecting….. Federal laws?
  • #4 As business owners, we can protect ourselves with a little knowledge. Knowledge is power! If you know how to protect yourself, and your company, you fight back against ID T. With this knowledge, you will be a respected business, gain the trust and loyalty of your customers and protect your employees. This information can set your business far apart from your comp.
  • #5 Text more than talk on the phone stat. Friend fell in fountain OMG Nevada cell phone law Judi running stop sign
  • #6 So, who are the cyber criminals? National and Overseas underground.
  • #7 Medical story – Health insurance usage and drugs Criminal – Bank robbery as your id
  • #9 Speakers are business owners
  • #15 Medical office throw out old patient records
  • #34 Some of you may think these rules are overwhelming. How much it would cost to hire an attorney, chief compliance officer, IT director, web manager…. No, it does not.