Masters of disguise are using others’ identities to support lavish lifestyles. Using one or two verifiable pieces of data identity, thieves construct a life for themselves and commit someone else’s money to supporting it. Armed with name, address, Social Security number, credit cards and PINs (personal identification numbers) stolen from personnel files, office waste baskets and electronic databases, thieves are racking up thousand of dollars against other people’s business accounts.
Professional thieves hit hard and fast. Many of them have inside contacts who gather data on current and past employees for a price. These staffers might be someone in senior management, clerks or counselors in HR department, clerical floats or temporary staff. Motivated by making a quick buck, the thrill of getting away with something or getting back at someone, they hand over another’s identity to criminals. But none of their reasons for engagement protect the organization should the person whose identity was stolen decide to come after the nonprofit for negligence. What can serve in a nonprofit’s defense are strong internal controls that show the nonprofit is fulfilling its duty of care in protecting personal information gathered from employees and volunteers. The first thing to do to make the workplace safer is to make a list of whose information is collected:
Analyze the result to discover where the holes are and plug them. Simply make the identity theft less easy to accomplish, or “harden the target.” Balancing the needs and rights of a nonprofit against its employees and volunteers can be tricky. Create use policies, educate people on their existence and chastise those who break a policy. And keep in mind that the greatest security risk a nonprofit faces is from disgruntled insiders—not the contract person cleaning the office in the evening or a teenage hacker seeking access to your systems for the thrill factor.
To protect against the theft of employees’ and volunteers’ personal information from the workplace:
Create a policy to protect paid and unpaid staff identity from theft in all forms (file cabinets, network databases, Web sites, wastepaper, and such financial documents as receipts or 1099 forms. Examine policy violations carefully to determine whether the nonprofit can take any steps to prevent future violations.
Keep the organization’s systems secure. Never leave current or former personnel files in an unlocked cabinet or on desktops where they could be perused or stolen. Change system passwords on a regular basis (every 60 to 90 days), and keep regular audit trails of information accessed on your database. When telecommuting employees leave the organization, change the access phone numbers into your system to prevent unauthorized entry.
Carefully guard documents that contain personal data about employees. If these documents are not to be saved under the organization’s document retention policy, they should be destroyed by shredding. Never discard these materials intact.
Review the storage of personal information on the organization’s networked computers to make certain that any sensitive files are password protected. Remember that passwords for these documents, as well as other passwords used to restrict access, should be changed at least every six months.
Remember to consider the organization’s Web site. If the organization collects personal employee and volunteer information through its Web site, develop a statement that addresses how the organization protects the security and confidentiality of this information.
Discuss information security with all vendors that have access to employee information to make certain that protecting personal information against theft is a top priority of those companies.
Restrict access to sensitive online and paper files by employees who are about to be terminated. Include a provision in the organization’s personnel policies indicating that employees are strictly prohibited from attempting to open or access restricted files that contain personal information about other employees or clients unless access to such information is part of an employee’s job responsibilities. Employees who violate this rule will be subject to discipline, up to and including termination.
Articulate your nonprofit’s policy concerning employee and volunteer privacy. Provide periodic updates to paid and volunteer staff in order to keep all personnel abreast of changes in record keeping and documents destruction policies.
Develop an information sheet to distribute to employees who believe they are the victim of identity theft. The material should contain the telephone numbers of the fraud departments for the major credit bureaus, and tips for reporting suspected identity theft to the local police, Federal Trade Commission (1-877-382-4357), banks, and credit bureaus. The document should emphasize the importance of prompt action by employees to prevent further theft. Suggest that employees also complete the FTC’s Identity Theft Affidavit.
Promptly investigate any allegations that staff privacy has been compromised, and document these investigations. Report identity theft. Contact the nonprofit’s legal counsel when it is believed privacy has been compromised, and seek independent advice in conducting an investigation.
ID Theft Affidavit Form to download