Masters of disguise are using others’ identities to support lavish lifestyles. Using one or two verifiable pieces of data, identity thieves construct a life for themselves and commit someone else’s money to supporting it. Armed with name, address, Social Security number, credit cards and PINs (personal identification numbers) stolen from personnel files, office waste baskets and electronic databases, thieves are racking up thousands of dollars against other people’s business accounts.
Professional thieves hit hard and fast. Many of them have inside contacts who gather data on current and past employees for a price. These staffers might be in senior management, clerks or counselors in the HR department, clerical floats or temporary staff. Motivated by making a quick buck, the thrill of getting away with something or getting back at someone, they hand over another’s identity to criminals. But none of their reasons for engagement protect the entity should the person whose identity was stolen decide to come after the public entity for negligence. What can serve in an entity’s defense are strong internal controls that show the entity is fulfilling its duty of care in protecting personal information gathered from employees.
The first thing to do to make the workplace safer is to make a list of whose information is collected:
Analyze the results to discover where the holes are and plug them. Make identity theft harder to accomplish, or “harden the target.” Balancing the needs and rights of an entity against those of its employees and others with whom it does business can be tricky. Create use policies, educate people on their existence and chastise those who break a policy. And keep in mind that the greatest security risk a public entity faces is from disgruntled insiders, not the contract person cleaning the office in the evening or a teenage hacker seeking access to your systems for the thrill factor.
To protect against the theft of employees’ personal information from the workplace:
Create a policy to protect employees’ identities from theft in all forms (file cabinets, network databases, Web sites, wastepaper, and such financial documents as receipts or 1099 forms). Examine policy violations carefully to determine whether the public entity can take any steps to prevent future violations.
Keep the entity’s systems secure. Never leave current or former personnel files in an unlocked cabinet or on desktops where they could be perused or stolen. Change system passwords on a regular basis (every 60 to 90 days), and keep regular audit trails of information accessed on your database. When telecommuting employees terminate their employment with the entity, change the access phone numbers into your system to prevent unauthorized entry.
Carefully guard documents that contain personal data about employees and contractors. If these documents are not to be saved under the entity’s document retention policy, they should be destroyed by shredding. Never discard these materials intact.
Review the storage of personal information on the entity’s networked computers to make certain that any sensitive files are password protected. Remember that passwords for these documents, as well as other passwords used to restrict access, should be changed at least every six months.
Remember to consider the entity’s Web site. If the entity collects personal employee information through its Web site, develop a statement that addresses how the public entity protects the security and confidentiality of this information.
Discuss information security with all vendors that have access to employee and contractor information to make certain that protecting personal information against theft is a top priority of those companies.
Restrict access to sensitive online and paper files by employees who are about to be terminated. Include a provision in the entity’s personnel policies indicating that employees are strictly prohibited from attempting to open or access restricted files that contain personal information about other employees or clients unless access to such information is part of an employee’s job responsibilities. Employees who violate this rule will be subject to discipline, up to and including termination.
Articulate your entity’s policy concerning employee privacy. Provide periodic updates to staff members in order to keep all personnel abreast of changes in record keeping and document destruction policies.
Develop an information sheet to distribute to employees who believe they are victims of identity theft. The material should contain the telephone numbers of the fraud departments for the major credit bureaus, and tips for reporting suspected identity theft to the local police, Federal Trade Commission (1-877-382-4357), banks, and credit bureaus. The document should emphasize the importance of prompt action by employees to prevent further theft. Suggest that employees also complete the FTC’s Identity Theft Affidavit.
Promptly investigate any allegations that staff privacy has been compromised, and document these investigations. Report identity theft. Contact the entity’s legal counsel when it is believed privacy has been compromised, and seek independent advice in conducting an investigation.