This article was originally published in the Oct/Nov 2006 edition of The Agent Newsline, a publication of Westfield Insurance.
We all know about the rising threat of identity theft, and hear how it can affect a person's life. Along with businesses, legislatures around the country are also under a lot of pressure to do something about identity theft. Here are some tips to help you keep your customers' Social Security Numbers (SSNs) and your agency safe. It's not just a good practice - in almost all states, it's the law.
- If you don't absolutely need the SSN, don't ask for it. Take the field off forms unless it is absolutely necessary.
- If you only need the SSN once, use and destroy. Don't record a copy or make a note "just in case."

If you must ask for the SSN, protect it carefully:
- Watch records that get posted on a web site. Be cautious of spreadsheets with SSNs, which can be found via a search engine. Keep documents with SSNs in secured folders.
- For log-ons to web sites, don't use the SSN unless the web site also requires a password or PIN for access.
- Several states explicitly ban the selling, renting, trading, etc. of any list containing the consumer's SSN, so don't give out a consumer's SSN to anyone.
- Only print or show the last four characters from the SSN.
- SSNs may not be printed on any ID card required for the individual to receive products or services. That means that SSNs generally may not be printed on the proof-of-insurance card. This includes embedding the SSN using a barcode, smart chip or magnetic strip.
- Unless the message is encrypted, don't request or send SSNs via e-mail.
- When sending mail, do not print the SSN on anything mailed to the individual unless required by law. The news tends to highlight technology-based hacks and compromises, but research continues to show that most identity theft is committed using paper records, and the largest single source of stolen SSNs is still physical mail theft. (The second source is trash.)
- If you do send a document with an SSN in the mail, be sure the SSN is not visible through the envelope. Also watch postcards, top-sealed mailers with open sides or envelope window openings.
- The "required by law" exception applies primarily to certain HR records like your W-2. There may be a few state laws requiring us to send SSNs by mail either to a state agency or to the individual, but as a general rule, avoid putting any document with the consumer's SSN in the mail unless it is strictly required.
- Destroy everything when it is no longer necessary. As soon as the retention period runs out and the record is no longer necessary, make sure that it is properly destroyed.
- Paper documents should generally be destroyed by shredding. While the FACTA Disposal regulation allows other means of destroying paper documents, shredding is almost always the most reliable and cost-effective way.
- Make sure that all electronic media (hard drives, floppy disks, thumb drives, CD-ROMs) get sent back to your IT department for wiping. Make sure that the data has been irrecoverably destroyed before donating or throwing away the media.