According to a recently release
Commission survey, 27.3 Million US citizens have been victims of
identity theft in the past 5 years, including 9.9 million people
in the last year alone. These cases account for billions in losses for
both businesses and consumers.
Rent to Own companies that require personal
and confidential information on rental applications have a responsibility to
protect that information from misuse. A Des Moines Iowa woman
was searching for cans in the dumpster of a local rent to own
She found "thousands of files" containing social security
numbers, names, addresses, and copies of picture IDs that
had simply been thrown away. The incident reinforces the need to
safeguard information even after a customer pays out or returns
In many cases, a social security number, name
and address is all that is necessary for an identity thief to
acquire credit cards and other accounts. A victim of identity
theft can suffer for years before the problem is corrected.
The problem is so severe that states like Rhode Island have gone
so far as to bar some businesses from requesting social security
R.I. Gen. Laws Section
http://www.rilin.state.ri.us/Statutes/TITLE6/6-13/6-13-17.HTM This law states that unless required
by federal law, no person shall require that a
consumer of goods or services disclose a social
security number incident to the sale of consumer
goods or services; provided, however that:
insurance companies, health care, or
pharmaceutical companies may require the
consumer to furnish a social security number.
Also, a consumer may be required to furnish his
or her SSN when applying for a credit card.
The California Department of Consumer Affairs,
Office of Privacy Protection publishes helpful tips for
business titled "Recommended Practices for Protecting Social
California Department of Consumer Affairs
Recommended Practices for Protecting Social Security Numbers
The Office of Privacy Protection’s recommendations are
intended to serve as guidelines
to assist organizations in moving towards the goal of aligning
their practices with the
widely accepted fair information practice principles described
recommended practices address, but are not limited to, the
provisions of California Civil
Code section 1798.85.
The recommendations are relevant for private
and public sector organizations, and they
apply to the handling of all SSNs in the possession of an
organization: those of
customers, employees and business partners.
Reduce the collection of SSNs
Collect SSNs preferably only where required to do so by federal or state
When collecting SSNs as allowed, but not required, by law, do so only as
reasonably necessary for the proper administration of lawful
If a unique personal identifier is needed, develop your own as a
substitute for the
Inform individuals when you request their
Whenever you collect SSNs as required or allowed by law, inform the
of the purpose of the collection, the intended use, whether
the law requires the
number to be provided or not, and the consequences of not
providing the number.
If required by law, notify individuals (customers, employees, business
etc) annually of their right to request that you do not post
or publicly display their
SSN or do any of the other things prohibited in Civil Code
Eliminate the public display of SSNs
Do not put SSNs on documents that are widely seen by others, such as
identification cards, badges, time cards, employee rosters,
bulletin board postings,
and other materials.
Do not send documents with SSNs on them through the mail, except on
applications or forms or when required by law.13
When sending applications, forms or other documents required by law to
SSNs through the mail, place the SSN where it will not be
revealed by an
envelope window. Where possible, leave the SSN field on forms
blank and ask the individual to fill it in before returning
the form or application.
Do not send SSNs by email unless the connection is secure or the SSN is
Do not require an individual to send his or her SSN over the Internet or
unless the connection is secure or the SSN is encrypted.
Do not require individuals to use SSNs as passwords or codes for access to
Internet web sites or other services.
Control access to SSNs
Limit access to records containing SSNs only to those who need to see the
numbers for the performance of their duties.
Use logs or electronic audit trails to monitor employees’ access to
Protect records containing SSNs, including back-ups, during storage by
encrypting the numbers in electronic records or storing
records in other media in
Do not store records containing SSNs on computers or other electronic
that are not secured against unauthorized access.
Avoid sharing SSNs with other companies or organizations except where
If you do share SSNs with other companies or organizations, including
contractors, use written agreements to protect their
Prohibit such third parties from re-disclosing SSNs, except as required by
Require such third parties to use effective security controls on record
Hold such third parties accountable for compliance with the restrictions
impose, including monitoring or auditing their practices.
If SSNs are disclosed inappropriately and the individuals whose SSNs were
disclosed are put at risk of identity theft or other harm,
promptly notify the individuals potentially affected.
Protect SSNs with security safeguards
Develop a written security plan for record systems that contain SSNs.
Develop written policies for protecting the confidentiality of SSNs,
not limited to the following:
Adopt “clean desk/work area” policy requiring employees to properly secure
records containing SSNs.
Do not leave voice mail messages containing SSNs and if you must send an
SSN by fax, take special measures to ensure confidentiality.
Require employees to ask individuals (employees, customers, etc.) for
identifiers other than the SSN when looking up records for the
Require employees to promptly report any inappropriate disclosure or loss
records containing SSNs to their supervisors or to the
When discarding or destroying records in any medium containing SSNs, do so
in a way that protects their confidentiality, such as
Make your organization accountable for protecting SSNs
Provide training and written material for employees on their
Conduct training at least annually.
Train all new employees, temporary employees and contract employees.
Impose discipline on employees for non-compliance with organizational
and practices for protecting SSNs.
Conduct risk assessments and regular audits of record systems containing
Designate someone in the organization as responsible for ensuring
with policies and procedures for protecting SSNs.
When dealing with sensitive information use the Golden Rule;
"Safeguard your customers information as you would your own."
When in doubt...shred it.
maintains the nation’s primary identity theft Web site,
which provides critical resources for consumers, businesses, and
law enforcers at
RTO Online is the official channel for Rent-to-Own Industry News and the
only independent source of news for the rent-to-own, rental-purchase,
lease-purchase trade. RTO Online (Rent to Own Online) represents the choice
of the entire RTO Industry for trusted information, as it happens.
Tell us what you think
Rate the article at the top of this page