Managing identity theft risks is a priority for many organizations because identity theft incidents can often have devastating consequences for companies and their customers.
Many factors contribute to our identity theft risk management practices and decisions, including fraud losses, disclosure of private information, tarnished consumer credit, bad business reputation and loss of customers, competitive disadvantage, wasted resources, opportunity costs, lawsuits, and penalties for regulatory violations such as fines and jail time. These identity theft risks can be ignored, transferred to third parties, or dealt with in accordance with our risk tolerance, assigned priorities, budgets, and resources.
As companies prioritize the identity theft risks that they want to manage, they must have adequate plans, management oversight, financial resources, and qualified identity theft experts to mitigate the risks. As mentioned, there are many drivers that shape company plans for managing identity theft risks. However, not all companies and their management are sensitive to all the identity theft risks that their companies face. For example, some companies may be concerned about the loss of their customers or bottom line if an identity theft case is publicized, while others may be more concerned about regulatory compliance.
The regulatory compliance landscape is constantly changing, and companies are rightfully more nervous about the new regulations, which not only have stiff penalties but are also very hard to implement. Consider, for example, the European Union's General Data Protection Regulation (GDPR). This data protection regulation has many requirements, and many groups within a company must coordinate their efforts in order to address all of them efficiently and effectively. Some groups that need to be involved include Legal, Communication, Privacy, Compliance, and Information Technology. The Data Protection Officer, which is also one of the requirements, may be placed in one of the groups mentioned earlier. However, this will not minimize the need for enterprise-wide coordination to secure consumer data, deal with breach incidents, and comply with various regulations.
Employee training and education is one of the most important tasks when managing identity theft risks. A dynamic team composed of qualified identity theft and data protection experts can help with the risk assessment, compliance program, mitigation plan, and strategy.