Risk Assessment

The Identity Theft Risk Assessment

Risk is the possibility of something adverse happening. Identity theft risk management is the process of identifying risks related to sensitive and non-public information, assessing the likelihood of their occurrence, and then taking steps to reduce the risk to an acceptable level. The identity theft risk assessment process begins with determining the area(s) to be assessed, identifying the type(s) of information circulating in the area(s), reviewing the day-to-day business operations that may put information at risk, and then making formal recommendations of the controls needed to lower the likelihood of an identity theft occurrence.

The primary function of identity theft risk management is the identification of appropriate controls. The goal of controls is not to have 100% security; total control would mean zero productivity for your company. Controls must be designed without losing sight of your objective or mission and should be easy to implement.

Performing a risk assessment is the first step in identifying vulnerable areas, but that alone will not reduce the risk of identity theft. Employees have a huge role to play in detecting, preventing and responding to signs or “Red Flags” associated with identity theft. Once risks or vulnerabilities are identified, the recommended controls are written into an Identity Theft Prevention Program (ITPP) policy. The policy must then be submitted to your Board for approval. Upon Board approval, the success of your ITPP depends on one very critical factor: staff training. Training staff to adhere to the policies and procedures within your Program is the most critical step in a successful Identity Theft Prevention Program. If your staff has not been trained on the policies within your Program, it is highly unlikely that they will adhere to your new policy or even be aware that it exists.

In addition, your company’s security practices depend on the people who implement them, including independent agents and service providers. Before you outsource or subcontract any part of your business functions, investigate the company’s data security practices and compare their standards to yours. If possible, visit their facilities. Select service providers that are “qualified” to maintain appropriate safeguards, and make sure your contract requires them to adhere to the identity theft privacy laws.

An annual update to your Program is the minimum requirement to ensure that you keep current with new identity theft risks. Factor in your own identity theft experiences, new methods of detection, changes in accounts you offer, and changes in your business model or arrangements with service providers. Include your staff in the annual update process. Conducting periodic risk assessments will help you determine if there have been changes in your process for handling sensitive information. Include the risk assessment and staff training in your annual update process; together they are the best defense against identity theft and data breaches.