Self-storage businesses accumulate a variety of personal information about customers, including driver’s license, Social Security and credit card numbers, addresses and phone numbers. Keeping this data poses a potential problem: If we don’t take steps to protect it, we risk theft or loss, which could prove disastrous for our customers and businesses. If you’ve ever had your identity stolen or know someone who has, then you know how terrible an experience it is for the victim.
When a customer shares identification with us, it’s an expression of trust. We have a responsibility to live up to that trust and do everything possible to protect that information. Besides the risks to customers, consider the risks to your business. You could face financial liability if stolen identities are used; criminal liability for failure to report the loss of identity information (in most states); loss of revenue if stolen identities are used in rentals; negative publicity, as cases of identity theft are always big news stories; and loss of your credit card merchant account, eliminating your ability to accept credit cards.
I'm not a legal or insurance professional, but I believe general liability policies for self-storage facilities do not normally include any protection against these risks. What is required is a special type of Errors and Omissions Policy specifically protecting against these risks. I recommend checking with your insurance professional about this.
Create policies and procedures to destroy unneeded information, including shredding paper information (such as photocopies of driver's licenses) and deleting personal information from computer records (Social Security numbers, for example).
Most states have passed laws regulating how and when business owners must report the loss of identity information to the authorities. Check to see if your state has passed such a law by searching the Internet for “identity theft law” with your state’s name tagged at the end.
Strive to prevent the use of stolen identities in the rental of units by taking reasonable steps to verify customer identities and by training staff to carefully compare photos and physical descriptions with the actual person. When a discrepancy is suspected, take appropriate action, such as asking for another form of identification.
If you accept credit cards, you’re required to comply with the rules and regulations issued by the primary card-processing companies: Visa, MasterCard, American Express and Discover. As a group, they have created the Payment Card Industry Data Security Standard. In addition, each company has its own set of rules, but many merchants use Visa’s rules, referred to as the Cardholder Information Security Program (CISP). You can view them at http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_
CISP sets the standards that merchants must follow to guard customers’ information. Up until now, Visa and the other card companies have been lax in determining whether merchants are following the requirements, but this is changing, and it will soon be common for businesses to be audited by the credit card companies. Unfortunately, most merchants don’t know these requirements and frequently break the rules.
One of the most common violations is the practice of photocopying a card and/or saving the three- or four-digit CVV number. It’s against the rules to store this number anywhere; it may only be used for an immediate transaction.
If you currently have this information, destroy it. If you use it regularly—for recurring payments as an example—to benefit from a better rate, be aware that you’re in violation and are risking your merchant status. Delete these numbers from your computer as well.
Visit the CISP site listed above and check out individual card companies for more information regarding credit card rules:
- Visa— http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
- MasterCard— http://www.mastercard.com/us/sdp/merchants/index.html
- American Express— http://www125.americanexpress.com/merchant/oam/ns/USEng/FrontServlet?request_type=navigate&page=dataSecurityRequirements
- Discover— http://www.discovernetwork.com/resources/data/data_security_overview.html
Officially Speaking …
The United States Cyber Consequences Unit (US-CCU) is a government agency that deals with business policies to protect customers’ personal data. It has published a report, the Cyber Security Checklist (http://www.selfstorage.org/PDF/US-CCU-Cyber-SecurityCheckList2007.pdf).
Michael Richards is the president and founder of HI-TECH Smart Systems Inc., which has provided management software to the self-storage industry for more than 20 years. The company’s flagship product, RentPlus, is in use in thousands of facilities in more than 20 countries. Mr. Richards has been involved in the self-storage industry since 1980. For more information, call 800.551.8324; visit www.hitechsoftware.com.