“We are required to notify you of a security breach in which your name, address, social security number, date of birth and medical history may have been released.”

How would you like to send this notice to your 450,000 customers, the state’s consumer protection agency and your shareholders? 

CBS news recently bought four used copier machines to see what was on the hard drives.  CBS then downloaded a forensic software program from the Internet to “read” the hard drives of the copiers: 

The results were stunning: from the [Buffalo, NY police department] sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.

The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.

But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

Although many copiers have features to encrypt or erase scanned images, they often are not used, leaving companies at risk of releasing confidential information. As a result of the CBS reporting, a New York insurance company had to notify its insured and regulators that it had potentially revealed customer medical records.  Other companies are at risk. 

The Federal Trade Commission, the federal consumer watchdog, is going to investigate security breaches of this sort. Here are some tips for dealing with data breaches.  If your business has been hacked or otherwise released private information, contact your business attorney to determine if you have any mandatory reporting obligations. 

And when you are replacing a copier or scanner, contact an IT professional to “scrub” the hard drive.

Educational Credit Management Corp (“ECMC“), a large guarantor of federal student loans, recently reported the theft of stored confidential information, allegedly by an employee who is now in custody.  This information included names, Social Security Numbers, date of birth and address of people who have student loans. 

ECMC notified approximately 3.3 million people that their information may have been compromised and is offering to pay for a year of credit monitoring services for those affected. 

These types of notices shake people up; they are unsure whether this information has been used or sold to scammers and they are equally unsure how to find the truth. 

If you believe you are the victim of identity theft, here are the Federal Trade Commission’s immediate steps.  If your business handles personally identifying information, here are some guidelines for protecting that information.

It is no surprise that when the economy is on the decline that business fraud will rise.  Franchised business opportunities are being strongly marketed as a way to beat the recession, as are a number of business opportunity scams.  The Federal Trade Commission has issued a new warning video to help prospective business owners separate the scams from the legitimate opportunities. 

FTC Fraud Alert on Work From Home Scans (video)

The best advice I can give in evaluating business opportunities is:

• If it sounds too good to be true, it probably is.  There are no easy ways to make money and there are no businesses with guaranteed results. 
• This is a good time to have an attorney and accountant on your team to help you evaluate the opportunity.
• Ask for a disclosure document, which should be filed with either the FTC or the North Carolina Secretary of State. This will list company information, a list of previous purchasers of the opportunity and a list of lawsuits filed against the company. 
• If there are any representations about earnings, get these in writing.  This is usually a separate document from the disclosures.
• Interview previous purchasers in person, even if they work from home.  Scam opportunities give you references who are part of the scam.  You need to look them in the eye and evaluate their trustworthiness.
• Resist high-pressure sales tactics.  Scammers will often say there are limited opportunities in your market, this offer is only good for a short time, there are other people who are serious and who won’t waste their time investigating.  Does it really sound reasonable to respond to an internet ad, television ad or email, talk to someone for 30 minutes about your business and financial security, call some people recommended by this person, and write a check for $50,000?
• If you are suspicious, contact the FTC, the Secretary of State, the Better Business Bureau and research the company extensively online. 

WASHINGTON – The U.S. Small Business Administration issued a scam alert last week to small businesses, warning them not to respond to letters falsely claiming to have been sent by the SBA asking for bank account information in order to qualify them for federal tax rebates.

The fraudulent letters were sent out with what appears to be an SBA letterhead to small businesses across the country, advising recipients that they may be eligible for a tax rebate under the Economic Stimulus Act, and that SBA is assessing their eligibility for such a rebate.  The letter asks the small business to provide the name of its bank and account number.

These letters have not been sent by or authorized by the SBA, and all small businesses are strongly advised not to respond to them.

The scheme is similar in many ways to e-mail scams often referred to as “phishing” that seek personal data and financial account information that enables another party to access and individual’s bank accounts or to engage in identity theft.

The SBA is working with the SBA Office of Inspector General to investigate this matter. The Office of Inspector General asks that anyone who receives such a letter report it to the OIG Fraud Line at 1 (800) 767-0385, or e-mail at OIGHotline@sba.gov.

It should be second nature by now, but here are some tips from the Federal Trade Commission to protect yourself against phishing:

• If you get an email or pop-up message that asks for personal or financial information, do not reply. And don’t click on the link in the message, either. Legitimate companies don’t ask for this information via email.
• Area codes can mislead. Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a “refund.” Because they use Voice Over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. In any case, delete random emails that ask you to confirm or divulge your financial information.
• Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly. Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge.
• Don’t email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
• Review credit card and bank account statements as soon as you receive them to check for unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
• Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.
• Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.
• If you believe you’ve been scammed, file your complaint at ftc.gov, and then visit the FTC’s Identity Theft website at www.consumer.gov/idtheft. Victims of phishing can become victims of identity theft. While you can’t entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk. If an identity thief is opening credit accounts in your name, these new accounts are likely to show up on your credit report. You may catch an incident early if you order a free copy of your credit report periodically from any of the three major credit bureaus. See www.annualcreditreport.com for details on ordering a free annual credit report.