Lawmakers Increase Pressure on Businesses to Protect Confidential Customer and Employment Information
October 12, 2006
One photo says it all to John Pueschel.
The news photo shows a common trash dumpster containing scrap boards, an old mattress, a warped bicycle wheel—and the personal tax files of Duke basketball coach Mike Krzyzewski. The files contained the legendary coach’s social security number and other personal information, ready for the taking by any would-be identity thief.
Identity theft is the nation’s fastest-growing crime, with an estimated 25 million victims since 2000. The resulting fraud has cost businesses more than $50 billion. Not surprisingly, state and federal lawmakers are putting increasing pressure on companies to keep customer and employee information confidential.
Pueschel, a Womble Carlyle labor and employment attorney and an authority on identity theft and data protection issues, led an October 10 roundtable discussion for North Carolina business leaders on complying with tougher new data protection laws and protecting themselves, their customers and their employees from identity theft. The discussion was organized by Wake Forest University’s Family Business Center, which works with family-owned businesses. The roundtable was held at Womble Carlyle’s Piedmont Room in Winston-Salem, while business owners in the Triangle area joined in via video conference at the firm’s Research Triangle Park office.
Identity thieves work in a variety of ways, Pueschel said: "phishing," or sending phony e-mails to solicit personal information; hacking computers; intercepting wireless communication; stealing mail; using a bogus identity to request phone records; and stealing laptop computers, which he said is the number one identity theft risk.
In response to these rising threats, Congress has enacted a number of measures designed to protect privacy and improve data security, including the Fair Credit Reporting Act to protect consumer rights, HIPAA to protect health information and Gramm-Leach-Bliley, which governs financial institutions.
North Carolina has enacted its own Identity Theft Protection Act, which Pueschel said is as strong as any identity theft law in the country and a good basis for a company to set a policy.
"It’s the highest burden you’ll have to meet," he said. In all, about half the states have identity theft laws, with other states considering them.
The North Carolina law applies to all businesses and places a specific obligation on companies to protect employee data as well as customer data. Companies must have a written policy on record retention. The law specifies how confidential personal information should be disposed of and says businesses can be held liable if they inadvertently disclose employee or customer information. Violators may have to pay treble damages and attorney fees.
"I think this has the potential to drive additional litigation," Pueschel said.
So how should businesses respond? Pueschel says business leaders need to consider a number of key questions in crafting a data protection and identity theft policy:
- Do we need this information? Private information shouldn't be collected unless it is vital.
- How is this information stored? This applies to both paper and electronic data.
- Who is able to access this confidential information? Businesses should secure data not only from employees who have no legitimate need for the information, but also from contractors and customers. For example, personnel or payroll information, such as time cards, should not be left where customers or visitors can see it.
- How do you transmit data? Again, businesses should consider both electronic and paper documents.
- What are the security procedures to access confidential information? All electronic data should be protected by passwords, encryption or other security measures.
Pueschel recommends that companies perform a comprehensive internal audit to answer these questions. That process should include people from all across the company, such as IT, human resources and customer service employees, not just upper management. In addition, he said a company needs to designate a point person to oversee compliance with this policy and should draft an action plan to deal with any security breaches.
"Identity theft and data security are everyone’s concerns," Pueschel said. "At the end of the day, the identity and information you protect may be your own."
A full-service business law firm, Womble Carlyle ranks among AmLaw's 100 leading firms in the country and is a top law firm for companies doing business in the Southeast and mid-Atlantic states. The firm is a recipient of the Thurgood Marshall College Fund Corporate Leadership Award, making Womble Carlyle the first law firm ever to receive the highest honor given to a business organization in recognition of its support of the Fund and its 45 member educational institutions.
Founded in 1876, Womble Carlyle operates in six states and the District of Columbia with nearly 550 attorneys in eleven offices located in Atlanta, GA; Greenville, SC; Charlotte, Greensboro, Raleigh, Research Triangle Park, and Winston-Salem, NC; Washington, DC; Tysons Corner, VA; Wilmington, DE; and Baltimore, MD. Womble Carlyle is located in the Southeast and mid-Atlantic regions, and serves clients nationally and globally.
