Identity Theft Protection Strategies For The Workplace
Published May 10, 2005
Headlines broadcasting workplace identity theft keep piling one on top of the other. Several organizations, including a data broker and a well-known university, report that a total of 2.5 million individual identity breaches have occurred in their files. A major bank admits losing 1.2 million personnel files, and a major communications firm reports that 600,000 such files were lost in transport.
According to the Better Business Bureau, nearly 10 million Americans were victims of identity theft in 2004, and the Federal Trade Commission says such theft cost businesses more than $48 billion.
Legal Protections
States and the courts are beginning to lay down the law requiring businesses to protect the personal data of their employees.
Several states, including Arizona, California, Missouri, and Oklahoma, have already started the protection ball rolling with regulations aimed at Social Security numbers (SSNs), one of the prime privacy points for identity theft. Michigan has also jumped on that bandwagon with its Social Security Number Privacy Act, which demands that any company that obtains SSNs in the course of business must create and publish in its employee handbook a privacy policy that:
ensures the confidentiality of those numbers;
prohibits unlawful disclosure;
limits access to that information;
mandates procedures for their disposal; and
establishes penalties for violation of the policy.
Note: Even if you're not in Michigan, such a policy is a good starting place for erecting your own ID theft shield.
And it's more important now than ever for another reason: legal liability. A Michigan court awarded a group of employees $275,000 to compensate for the harm that befell them after a union neglected to appropriately safeguard their Social Security numbers and other personal data.
Practical Protections
So with the courts and state legislatures raising the ante, it's incumbent on employers to fortify their hands. An explicit policy is a good start. But there's more you can do.
Look at your entire information collection system. Ask: Do you need all the data you collect? Do you acquire and store it in the safest manner possible?
Look at your entire security system, both paper and electronic. Do you keep hard-copy material under lock and key? Do you have password-protected computer files, with the passwords changed regularly? Do you encrypt data? Have you erected firewalls?
Look at your access standards. Are they limited, really limited, to only those with a need-to-know? Note: The Michigan case revolved around a secretary who took work home from the office and whose daughter gained access to employee files and went on a spending spree.
Look at your disposal routines. Do you have a system for destroying data before disposal? Do you monitor it to ensure it's followed to the letter? Note: Remember that an amendment to the Fair and Accurate Credit Transactions Act went into effect June 1, 2005. It requires that all employers with at least one employee destroy personal information derived from a consumer report before disposing of it.
Look at your approach to the use of SSNs. Have you eliminated their use altogether and set up an employee identification number system? Have you requested insurers not use Social Security numbers on insurance cards and claims forms? Have you deleted their use from paycheck stubs, time cards, parking permits, employee badges, etc.?