Identity Theft Prevention
Protecting Your Business from Identity Theft
The Federal Trade Commission (FTC) has advised that “information security should be a priority for every business in America.”
A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.
The FBI has identified identity theft as a significant and growing crime problem. As a result, state and federal laws are cracking down not only on the thieves but also on businesses and organizations that fail to protect personal identity information. These laws make employers who collect personal information of customers and employees subject to fines, penalties, and civil liabilities in the event that information is stolen.
Employers unwittingly aid ID thieves by misusing or mishandling employees' personal information. Employers store a surprisingly large amount of personal information contained on I-9s, W-4s, W-2s, insurance applications, and 401k applications. Consequently, employers are now facing considerable legal repercussions as the victims of such crimes are looking for restitution. Many times, particularly for a small business, this information is stored on a single computer or in a single file cabinet. Employers large and small must understand their liability and implement measures to both protect this information and limit liability if the information is stolen.
Identity Theft in the Workplace
The workplace is the site of more than half of all identity thefts, according to Michael Hall, a certified identity risk management specialist. Because the workplace is an increasingly common site for identity theft, “executives must stop thinking about data protection as solely an IT problem,” he advised. The problem goes beyond the data; the five main causes of data breaches at work are:
- Disgruntled or dishonest staff
- Untrained or careless employees
- Lost or stolen laptops
- Service providers, contractors and visitors
- Hackers
Perhaps the best-known case involved the loss of up to 26 million personal records from the U.S. Department of Veterans Affairs due to an employee improperly taking the records home on a laptop computer, which was subsequently stolen. Other cases involving government agencies include the U.S. Census Bureau and the National Oceanic and Atmospheric Administration (NOAA). Private sector organizations that recently experienced data breaches at the hands of employees include Bank of America, Fidelity Investments, LexisNexis and DSW Shoe Warehouse. When employees mishandle personal data and losses occur, employers, whether private or public sector, are culpable.
For example, a Michigan jury awarded employees $275,000 after it found that their union neglected to safeguard their Social Security and driver's license numbers. How often does identity theft really happen? A lot. According to a September 2002 report by TransUnion, one of the nation's three credit bureaus, the number one underlying source of identity fraud is theft of employer records.
Stricter laws are being implemented that require employers to protect private information. California Civil Code § 1798.81.5 requires businesses that own or license personal information about California residents to implement and maintain reasonable security procedures to protect the information from unauthorized access, use or disclosure. The term "personal information" includes an individual's first name or first initial and last name, in combination with a Social Security number, driver's license number, California identification card number, account number, or credit or debit card number. Additionally, as of January 1, 2008, California Labor Code § 226(a) requires employers to display no more than the last four (4) digits of the employee's Social Security number on the employee's wage statement.
Impact of Identity Theft
Each individual employee victimized will likely spend significant work-time hours over the course of a year resolving issues related to identity theft. According to a survey conducted by the non-profit Identity Theft Resource Center, victims spent an average of 97 hours repairing the damage done by identity theft to an existing account used or taken over by the thief. In cases where a new account was created, respondents in the 2006 study reported an average of 231 hours to clean up the mess. In some cases, respondents used such expressions as “eight years and still working on it,” “too many to count” or “endless.” Respondents spent an average of $1,884 in out-of-pocket expenses for damage done to an existing account only. These expenses include: postage, photocopying, childcare, travel, purchasing police or court records. In reference to new accounts, respondents spent an average of $1,342 for out-of-pocket expenses which included: postage, photocopying, childcare, travel, purchasing records, legal help and investigators.
Prevention Strategies
Striking a balance between managing and maintaining the information HR needs and meeting employees’ privacy and security needs is a big challenge even for the most compliance-minded companies. While no workplace can ever be 100-percent safe from the threat of identity theft, sound practices can do a lot to deter the crime; even some of the most obvious and low-tech defenses return high-level protection. Here are some important strategies that employers of all sizes should immediately review, implement and strengthen, experts say.
Have a written privacy policy. Employers need to get their privacy houses in order, says Donald Harris, president of HR Privacy Solutions, a New York-based consulting practice, and co-chair of the International Association for Human Resource Information Management’s Privacy & Security Special Interest Group. Harris says employers should identify how they currently handle personally identifiable information about applicants and employees, determine the risks these practices pose, and craft and implement policies. This requires creating a culture of privacy throughout the organization through appropriate policies and procedures, as well as through awareness, training, incentives and strict security measures, he says.
After you create a policy, give employees a copy and state that you’re taking steps to safeguard their information to the best of your ability. Make it a part of your new-employee orientation, recommends Littler Mendelson P.C., an employment and labor law firm in San Francisco.
Lock up and limit access. Keep personnel files locked in a secure area and limit those who have access to them. Minimize the types and amounts of data you store on employees, dependents and customers.
Guard the SSN. Don’t use SSNs as employee identifiers, or on insurance cards, claims forms, paycheck stubs, timecards or timesheets, parking permits, staff badges, training program rosters, lists of who got promoted, monthly account statements or client reports. Use alternate, randomly assigned numbers and encrypt sensitive information when in transit.
Plug the holes. Ensure that access to computer files is password-protected, and issue employees individual passwords that are regularly changed. Disable employee access to your company data immediately upon termination and audit access to data for suspicious activity. Use encryption software to protect electronic data that’s sent and received and install adequate firewall protection to deter prying eyes.
Close external loopholes that can cause trouble and invite crime, says Sajay Rai, partner in the security and technology solutions practice at professional services firm Ernst & Young LLC in New York. Don’t put employees’ names, e-mail addresses or pictures on your external web site, he says, and instruct employees that giving away seemingly innocuous information about the company and its employees, such as in chat rooms, is against your privacy policy.
Shred it. Always destroy any discarded documents that contain personal identifiers and account numbers. If your firm outsources document destruction, require the contractor to give you evidence of employee screening, appropriate insurance, written procedures, access prevention, monitoring and alarm systems, specific particle size and a custodial audit trail, advises the National Association for Information Destruction Inc. in Phoenix.
Check backgrounds. Require background screening and criminal checks of employees who will have access to personnel data. Make sure you know the identities of the people working for you, says Mathiason. There’s no tolerance in the legal community for anything less. Require such employees to sign confidentiality agreements.
Toughen scrutiny of third-party vendors and temps. Outsourcing vendors also can be a source of identity theft, as employers that contract out their HR functions to a third party are increasing the number of people who will have access to company personnel data. To cut the risk, make sure vendors are just as committed to protecting confidential information as you are.
Consider using temporary workers only in areas of the company where they won’t have access to confidential data. Instead, ask other departments to shift an existing employee (someone your company has fully screened) to that temporary need and let the temp worker fill the existing employee’s position, suggests Jay Foley, director of consumer and victim services at the Identity Theft Resource Center, a nonprofit organization in San Diego.
Communicate and collaborate. Regularly remind employees of security practices. And let them know what they should do if they believe their personal identifying information has been compromised.
Many of the corporate risks associated with identity theft can be mitigated by the development and implementation of sound policies, systems and procedures. Others will ultimately become matters for the courts. Those risks that flow from the affected individual, however, must be managed using available tools and products that both support the individual and protect the employer. In the absence of a solid risk management plan for identity theft, the potential losses are nearly unlimited.
Sources: “Stolen Identity,” by Susan Wells, HR Magazine; “Identity Theft and Employer Liability,” by Guillaume Deybach, Risk Management; “Employers Are Stung with a Hefty Price When Employees Suffer an Identity Theft,” by Stephanie Shapson, Supervision; “Employers Face Liability for Five Kinds of Identity Theft,” by Joanne Deschenaux, SHRM
Comments
very informative hub for me, thanks for sharing this useful info
Very impressive Hub. Identity theft is a very scary and real thing and just to think how often it happens and how long it takes to get yourself out of the mess of it all. These are some great tips and ideas on how to prevent it from happening.









Jeff_McRitchie Level 2 Commenter 16 months ago
Identity theft is scary and it's surprising how often it occurs. This Hub has some good ideas about how to prevent identity theft in the workplace.