According to a recently released Federal Trade Commission survey, 27.3 million US citizens have been victims of identity theft in the past 5 years, including 9.9 million people in the last year alone. These cases account for billions in losses for both businesses and consumers.
Rent to Own companies that require personal and confidential information on rental applications have a responsibility to protect that information from misuse. A Des Moines, Iowa woman was searching for cans in the dumpster of a local rent to own store. She found "thousands of files" containing social security numbers, names, addresses, and copies of picture IDs that had simply been thrown away. The incident reinforces the need to safeguard information even after a customer pays out or returns merchandise.
In many cases, a social security number, name and address are all that is necessary for an identity thief to acquire credit cards and other accounts. A victim of identity theft can suffer for years before the problem is corrected. The problem is so severe that states like Rhode Island have gone so far as to bar some businesses from requesting social security numbers.
Rhode Island
R.I. Gen. Laws Section 6-13-17
http://www.rilin.state.ri.us/Statutes/TITLE6/6-13/6-13-17.HTM

This law states that unless required by federal law, no person shall require that a consumer of goods or services disclose a social security number incident to the sale of consumer goods or services; provided, however, that insurance companies, health care, or pharmaceutical companies may require the consumer to furnish a social security number. Also, a consumer may be required to furnish his or her SSN when applying for a credit card.
The California Department of Consumer Affairs, Office of Privacy Protection publishes helpful tips for businesses titled "Recommended Practices for Protecting Social Security Numbers."
California Department of Consumer Affairs
Recommended Practices for Protecting Social Security Numbers
The Office of Privacy Protection’s recommendations are intended to serve as guidelines to assist organizations in moving towards the goal of aligning their practices with the widely accepted fair information practice principles described below. These recommended practices address, but are not limited to, the provisions of California Civil Code section 1798.85.

The recommendations are relevant for private and public sector organizations, and they apply to the handling of all SSNs in the possession of an organization: those of customers, employees and business partners.
- Reduce the collection of SSNs
  - Collect SSNs preferably only where required to do so by federal or state law.
  - When collecting SSNs as allowed, but not required, by law, do so only as reasonably necessary for the proper administration of lawful business activities.
  - If a unique personal identifier is needed, develop your own as a substitute for the SSN.
- Inform individuals when you request their SSNs
  - Whenever you collect SSNs as required or allowed by law, inform the individuals of the purpose of the collection, the intended use, whether the law requires the number to be provided or not, and the consequences of not providing the number.
  - If required by law, notify individuals (customers, employees, business partners, etc.) annually of their right to request that you do not post or publicly display their SSN or do any of the other things prohibited in Civil Code Section 1798.85(a).
- Eliminate the public display of SSNs
  - Do not put SSNs on documents that are widely seen by others, such as identification cards, badges, time cards, employee rosters, bulletin board postings, and other materials.
  - Do not send documents with SSNs on them through the mail, except on applications or forms or when required by law.
  - When sending applications, forms or other documents required by law to carry SSNs through the mail, place the SSN where it will not be revealed by an envelope window. Where possible, leave the SSN field on forms and applications blank and ask the individual to fill it in before returning the form or application.
  - Do not send SSNs by email unless the connection is secure or the SSN is encrypted.
  - Do not require an individual to send his or her SSN over the Internet or by email, unless the connection is secure or the SSN is encrypted.
  - Do not require individuals to use SSNs as passwords or codes for access to Internet web sites or other services.
- Control access to SSNs
  - Limit access to records containing SSNs only to those who need to see the numbers for the performance of their duties.
  - Use logs or electronic audit trails to monitor employees’ access to records with SSNs.
  - Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.
  - Do not store records containing SSNs on computers or other electronic devices that are not secured against unauthorized access.
  - Avoid sharing SSNs with other companies or organizations except where required by law.
  - If you do share SSNs with other companies or organizations, including contractors, use written agreements to protect their confidentiality.
  - Prohibit such third parties from re-disclosing SSNs, except as required by law.
  - Require such third parties to use effective security controls on record systems containing SSNs.
  - Hold such third parties accountable for compliance with the restrictions you impose, including monitoring or auditing their practices.
  - If SSNs are disclosed inappropriately and the individuals whose SSNs were disclosed are put at risk of identity theft or other harm, promptly notify the individuals potentially affected.
- Protect SSNs with security safeguards
  - Develop a written security plan for record systems that contain SSNs.
  - Develop written policies for protecting the confidentiality of SSNs, including but not limited to the following:
    - Adopt “clean desk/work area” policy requiring employees to properly secure records containing SSNs.
    - Do not leave voice mail messages containing SSNs and if you must send an SSN by fax, take special measures to ensure confidentiality.
    - Require employees to ask individuals (employees, customers, etc.) for identifiers other than the SSN when looking up records for the individual.
    - Require employees to promptly report any inappropriate disclosure or loss of records containing SSNs to their supervisors or to the organization’s privacy officer.
    - When discarding or destroying records in any medium containing SSNs, do so in a way that protects their confidentiality, such as shredding.
- Make your organization accountable for protecting SSNs
  - Provide training and written material for employees on their responsibilities in handling SSNs.
  - Conduct training at least annually.
  - Train all new employees, temporary employees and contract employees.
  - Impose discipline on employees for non-compliance with organizational policies and practices for protecting SSNs.
  - Conduct risk assessments and regular audits of record systems containing SSNs.
  - Designate someone in the organization as responsible for ensuring compliance with policies and procedures for protecting SSNs.
When dealing with sensitive information, use the Golden Rule: "Safeguard your customers' information as you would your own." When in doubt... shred it.
The FTC maintains the nation’s primary identity theft Web site, which provides critical resources for consumers, businesses, and law enforcers at www.consumer.gov/idtheft.
RTO Online is the official channel for Rent-to-Own Industry News and the only independent source of news for the rent-to-own, rental-purchase, lease-purchase trade. RTO Online (Rent to Own Online) represents the choice of the entire RTO Industry for trusted information, as it happens.