Office of Privacy Protection

Tips for Business

How Small Business Can Help In The Fight Against ID Theft

How Small Business Can Help In The Fight Against ID Theft Fact Sheet  (3 page PDF)

It takes businesses and consumers working together to provide the greatest protection against identity theft.  When their customers' personal information is stolen, businesses may not only have legal obligations to help correct the problem, but also may be subject to financial losses themselves.

According to the Better Business Bureau, small businesses typically are not as focused on data security as are larger corporations. Some small business owners believe that locking up their storefront is sufficient protection against theft of important data. Others assume they are better protected than they really are while some may suspect they should be doing more, but do not know how.

The Federal Trade Commission cautions businesses that under the Fair Credit Reporting Act identity theft victims are entitled to get from businesses a copy of the application or other business transaction records relating to their identity theft free of charge.  Businesses must also provide these records to an investigating law enforcement agency. 

Finally, businesses that experience a data breach, no matter how that loss occurs, may lose their most valuable asset, the customers themselves.  As more and more consumers become victims of identity theft, they make their choice of where to do business dependent on what privacy protection assurances the business can offer.  For all these reasons, businesses can no longer afford to be lax about protecting their customers' personal information—and their own. 

If you don't need it, don't collect it 
Many businesses collect more information than they need, particularly when asking customers to fill out forms. Consider excluding the address, email and phone number if you need only a name. The Social Security number is a confidential number that is required only if a customer is earning income (either employment or investment) for tax reporting--it should not be collected otherwise.   When you order your next set of forms, eliminate all the information that you don’t really need.

Personal information is not for broadcast 
Can people standing in line at your office or store overhear others give your staff telephone numbers or account passwords? Instruct employees who need to collect personal information to talk in a discreet and quiet manner. Turn computer screens so they cannot be viewed by anyone other than the operator.

Protect customer cards
When customers are making purchases, ensure that they have sufficient privacy to securely enter their PINs. Place shields on point-of-service terminals and check the terminals regularly to verify that equipment has not been tampered with. Locate security video cameras so that they cannot record the entry of customer PINs.

Be card smart
Staff should verify that customers are who they say they are by checking signatures on cards and, as appropriate, photo IDs. Consider using equipment that truncates debit/credit card numbers (no more than five digits) when printing receipts to better protect consumers. Don't copy down any card number you don't need.

If you keep it, secure it 
Paper records with personal information should be locked, and computer terminals password-protected. Place the computer server(s) in a secure, controlled location, and keep other devices (e.g. back-up CDs) locked away. Physically lock up all laptops to prevent thieves from walking away with one.  Develop and implement policies about who and when can take laptops home, what security precautions should be taken when the laptop is away from the business (example – not keeping a laptop in a car whether locked or unlocked), and what access employees have to information while they are offsite.

Keep customers and other non-authorized personnel out of private and secure areas.

Instruct employees to save data to network drives where these are available and not to "C:" hard drives, which are much less secure. Should someone steal the hard drive, information stored on network drives remains protected.

Consider an alarm system, preferably one monitored by a security company. Your business insurer may be able to assist you with a security assessment of your operations. 

Prevent unauthorized photocopying.

Screen and train employees 
A significant number of identity thefts start with a dishonest employee who gives personal information to an identity thief.  To protect your business against internal fraud, consider background checks for employees who have access to personal information. There are companies who can complete these checks (including criminal background, references and education credentials) on your behalf. Consider conducting regular clearance checks for employees who access high-risk areas and information.

Make sure staff understands privacy information policies and how to ask customers for personal information, such as not asking for customer personal data in front of others, checking signatures, and keeping customer data under lock and key and in password-protected computer files.  All confidential waste, including credit card information and photocopied ID documents must be shredded, preferably with a cross-cut shredder, to prevent dumpster diving.

If information is compromised 
Create an action plan now for how to respond to a data breach.  If identity thieves strike, or if information goes missing, an action plan will be invaluable in responding quickly to the breach. Fast action can help reduce potential damage, and it may help your business or organization to maintain its good reputation and avoid liability in a civil action.

To respond to a data breach or loss of information, you need to follow two tracks at the same time: investigate the problem internally, and devise a plan for notifying people that a problem has occurred.  Determine what information was stolen, when and how it occurred, and what you need to do to ensure that no other data is stolen or lost. 

Timing is critical since prompt notification might help prevent identity theft or at least mitigate the damage.  If a small number of customers are affected, inform them in writing immediately.  If a larger number are affected, you may want to determine a more efficient method for advising potential victims quickly.

You should also notify law enforcement agencies as soon as you are aware of that information may have gone missing or has potentially been compromised.

Wisconsin Act 138 requires businesses to notify individuals in certain circumstances if their personal information has been lost, stolen or otherwise compromised.  For more information on this topic, see our fact sheet entitled “Wisconsin’s Data Breach Notification Law.”

Victim Rights
Business FCRA Requirement (2 page PDF)
Sample Letter for Victim  (5 page Word doc)

Business Resources

If you have any questions please contact the Office of Privacy Protection at (800) 422-7128 or e-mail us at  You can also visit our website for more information at