Ken Paxton

Protecting Consumers' Personal Data

New Texas laws underscore the need for businesses to be extremely careful when handling and disposing of their customers’ personal information. Simply exposing the information to the risk of identity theft carries some hefty penalties, irrespective of whether the information ended in the wrong hands.

Some of the most common ways in which businesses mishandle sensitive information is by failing to shred receipts and other documents with customers’ personal data before throwing them into the trash. Several large companies which have improperly disposed of records with information such as credit card and Social Security numbers faced swift legal action by the Attorney General. Our investigators conduct routine spot-checks around the state as part of ongoing enforcement efforts. This office also investigates other types of neglect by businesses, such as improperly safeguarded databases or Web pages through which consumers submit personal information.

Penalties against businesses who violate Texas’ identity theft provisions are substantial. For example, New provisions of Chapter 35 of the Business and Commerce Code require businesses to develop retention and disposal procedures for their clients’ personal information. The law provides for fines of up to $500 for each record that could potentially land in the wrong hands. And the new Identity Theft Enforcement Act could mean fines of up to $50,000 for each similar violation – even for a single record. Additionally, businesses that give consumers specific reassurances about how their privacy will be protected could face penalties of up to $20,000 per violation if they fail to live up to those promises.

The reason for these strict new laws is clear: They help protect millions of Texans from becoming the next victims of identity theft. The laws also help safeguard the business community at large, which is facing mounting losses as a result of identity theft.

Identity theft is the fastest growing crime in the country. According to federal statistics, more than 20,000 Texas families file identity theft complaints each year – and that number simply reflects those who are aware they are victims. For many consumers, it takes months or even years to discover they have been victimized, and by that point the harm against them is substantial. Nationally, it is believed that identity theft drains at least $50 billion from our economy – most of it attributed to losses businesses must absorb when identity thieves run up huge lines of credit and make other purchases under the name of their victims.

For consumers, becoming the victim of identity theft is an emotional nightmare. They often face countless hours filing police reports and communicating with merchants, credit card companies and credit bureaus to clear up their name. They must often defer important plans, such as purchasing a home or new car, and will find it exceedingly difficult to obtain lines of credit for months or even years.

Businesses are hit hard, too. With just a few pieces of a consumers’ personal information some criminals have been able to secure high-limit credit cards and even buy cars or homes under their victims’ names. Not only does this hurt the bottom line of the business community at large, but could ruin a small business if it extends large lines of credit to even a single identity thief.

Businesses understandably want to know what they can do to help prevent identity theft. Since a business’ size and the types of data it handles can vary widely, each business should carefully review its practices and put in place necessary measures that will prevent clients’ personal information from ending up in the wrong hands.

The following are some of the types of client information most susceptible to being mishandled or improperly discarded by businesses:

  • Credit and debit card numbers
  • Social Security numbers
  • Bank account information
  • Mother’s maiden names
  • Passwords
  • Dates of birth
  • Account numbers within the business (i.e. membership number)

This information commonly appears in the following paper documents and electronic files:

  • Receipts
  • Refund forms
  • Credit and employment applications
  • Bank statements
  • Checks / money orders
  • IRS-related documents
  • Personnel files
  • Medical records
  • Sweepstakes entry forms
  • Email / Hard copy correspondence
  • Disks, magnetic tape, and all other data storage devices
  • Discarded computers

It’s important to note that Texas law does not take the age of the documents or information in question into account. For example, even if a credit card slip improperly thrown into the trash shows the number of an expired card, the business could still be liable under the law. Some businesses sued by the Attorney General erroneously thought that by purging documents that were many years old there was no risk to consumers. But when those files were shown to reveal full Social Security numbers, which are assigned for the life, it is clear that even “old” files can create new harm. Likewise, expired credit cards are often reissued under the same number, but with a different expiration date that an identity thief can figure out quickly through trial and error.

Each business should develop a thorough list of all the types of information it handles, who handles it, where that information is maintained and how it is disposed of when it is no longer needed. There should be clear written protocols about how to properly handle that information and how to dispose of it, which could mean:

Shredding applicable paper documents Permanently deleting electronic files Properly destroying / wiping old computers and data storage devices

Businesses should be particularly careful when disposing of storage devices and old computers. Simply hitting the “delete” button seldom erases data from a disk or hard drive permanently – savvy identity thieves can easily retrieve that information. Businesses should rely on their internal computer experts or consult with an outside vendor to explain proper permanent deletion of electronic files. It might be necessary to ask the vendor to professionally “wipe” or remove and destroy a hard drive before getting rid of an old computer or server.

Similarly, businesses that obtain consumers’ personal information through Web sites, such as accepting credit cards to purchase goods and services, should be especially careful that those pages are properly safeguarded. Because of the constantly changing nature of the Internet and the tactics used by hackers, it’s a good idea for businesses to review and update security measures for their Web sites and internal systems on a regular basis.

Businesses should constantly remind their employees and new hires about proper handling of their customers’ personal information. For example:

Restaurant waitstaff should be instructed to keep their eyes on customers’ credit cards and related receipts at all times, and not let these linger on an unattended table or bar.

Employees working for businesses that send this type of data electronically to colleagues should be reminded to double-check recipient’s address before clicking “send” on an email, to make sure they are not unintentionally sending sensitive information to the wrong people.

The threat of identity theft should be particularly impressed upon employees who travel with laptops, ensuring that the computers and disks are secure at all times, and any theft or other suspected breach should be immediately reported to management.

All businesses handling hard copies with any information that could be useful to an identity thief should keep those discarded documents in a safe place and shred them before throwing them into a publically accessible dumpster.

If in doubt, shred it. It’s going into the trash anyway.

It is also a good idea to send periodic reminders to employees, such as through email, newsletters, and clearly displayed signs. For example, some businesses that faced legal action from the Attorney General for improper document disposal agreed to send protocol reminders to all employees by periodically including corresponding notes in their paychecks.

The scenarios through which consumers’ information could end up in the wrong hands are clearly limitless, and the above are simply some examples and common-sense suggestions. Each business should develop procedures according to their size and type of information handled, and update those protocols the moment they realize new ways in which their customer’s sensitive data could fall into the wrong hands. Employees should therefore be encouraged to immediately alert management whenever they come across a situation that could put this information at risk.

The Office of the Attorney General encourages all Texans, individual consumers and businesses alike, to contact us if they discover a business that is not taking proper care of their clients’ information by calling us at 1-800-252-8011.