Identity theft is one of the fastest-growing crimes in the United States according to the State of New Jersey’s Division of Consumer Affairs. Much of the financial burden of identity theft can fall to businesses that fail to comply with the laws dictating the handling of their customers’ personal information such as the New Jersey Identity Theft Prevention Act (The Act). As a result, any entity conducting business in New Jersey is well-advised to understand the specifics of this law. The Act:

• requires businesses to destroy records containing personal information including a social security number, driver’s license, or state identification card as well as any account, credit, or debit card number combined with a security code or password linked to an individual’s name;

• prohibits displaying a social security number, or any four consecutive numbers of one, on materials sent through the mail or via the web;

• allows consumers to place a “security freeze” on their accounts, thereby prohibiting a consumer reporting agency from releasing any information without their permission;

• requires that security breaches be disclosed “in the most expedient time possible and without unreasonable delay.”

Although this all sounds like common sense, the prevalence of identity theft says otherwise. Within that context, the Federal Trade Commission developed a set of guidelines to provide a blueprint on how companies deal with their customers’ personal information.
Taking Stock means knowing what information businesses have on file or on computers and where it is located. This requires a full inventory of computers, flash drives, disks and other places where sensitive data may be stored.

Scaling Down deals with the process of getting rid of any personal information businesses do not really need including credit card details. Social security numbers should not be used as identification numbers for employees or customers. Speaking of numbers, businesses using electronically printed credit or debit card receipts should not include more than the last five digits or the expiration date.

Locking It concerns protecting the information that is retained and ensuring that any personally identifiable information is stored in a locked file or room with limited access. Electronic security is as crucial as physical security. To that end, it is critical to conduct an assessment of a computer system’s vulnerability and to encrypt all sensitive information before sending it on any public network such as the internet.

Pitching It refers to implementing systems for the disposal of sensitive information. That means shredding all paper documents and using software programs to assure that all information is deleted before disposing of old computers and storage devices.
While there is no guarantee that following these guidelines will protect companies from a security breach and the possibility of liability, they can be sure that they have taken every reasonable step to prevent an incident. Business owners are well-served to communicate this commitment to employees, consumers and suppliers alike.