A CVS pharmacy employee threw prescription forms in the dumpster behind the store in Houston. A Radio Shack worker in Corpus Christi dumped customer credit applications. EZPAWNS employees throughout Texas threw away customers’ bank statements. And the Levelland police found more than 4000 customer records in the garbage containers behind Select Physical Therapy. These were not isolated incidents: according to the Federal Trade Commission, Texas ranks fourth in the nation in identity theft.
The Texas Attorney General, Greg Abbott, was not pleased by these incidents and has started prosecuting these businesses and others under Texas’ new Identity Theft Enforcement Act and other recently enacted laws to protect people from identity theft. Businesses like yours can be fined between $500 and $50,000 for improperly disposing of or disclosing sensitive customer information, such as:
- Credit and debit card numbers
- Social Security numbers
- Bank account information
- Mother’s maiden name or other personal identifying information
- Tax forms
- Passwords
- Dates of birth
- Account numbers
These types of information often appear on receipts, applications, bank statements, checks, personnel files, medical forms, and in discarded computers.
What should you do to protect your business from identity theft exposure? As I often say in this blog and in my training presentations to businesses throughout the Panhandle of Texas, as with most legal problems in your business, you have to take four steps to avoid litigation and prosecution for identity theft exposure:
- Adopt a written policy that addresses clearly with your employees how they are to protect sensitive data, whether that is by retaining certain records under lock and key, shredding, carefully encrypting and protecting company laptops with which employees travel, professionally wiping an old computer hard drive completely clean, or destroying unused floppy disks, data CDs, flash drives or other electronic storage. What you need to specifically say in your policy depends on what kind of data your business collects, but suffice it to say, allowing your employees to put information into the dumpster behind the office is never the solution.
- Train your employees on the policy and the acceptable methods in your business for disposing of sensitive data and remind them at regular intervals about what is required.
- Monitor your workplace so that you know whether each of your employees is following the policy. Carefully document what is being done with data retention or destruction. Also document that your employees have been trained and monitored on this issue. This requires regular oversight of your employees and is one of those times when absentee or absent-minded management just isn’t going to work.
- Consistently discipline any employee who violates your policy regardless of whether it is your favorite assistant or your best salesman.