"Identity Theft" – few words strike greater fear into the heart of corporate America. There have been several high-profile breaches involving theft of customer data which have made news headlines recently (such as the reported cases involving ChoicePoint, shoe retailer DSW and Bank of America). And, in one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, recently announced that a box of computer tapes containing information on 3.9 million customers was lost by UPS last month, while in transit to a credit reporting agency.
Obviously, theft of customer and vendor data is becoming a large concern for corporate America. In addition to that sort of identity theft, the personal information of a company's employees has increasingly become a prime target for identity thieves. For example, in May 2005, Time Warner, the world's largest media company, announced that 40 computer tapes with personal information of 600,000 current and former employees had been lost. Closer to home, in April 2005, Carnegie Mellon University's Tepper School of Business notified 19,000 students, alumni, faculty and staff that their personal data may have been compromised due to a security breach.
Employee-victims have not sat idly while their personal information has been compromised in the workplace. In San Diego, employees sued Ligand Pharmaceutical for negligently maintaining records that contained personal information. In the Ligand case, an employee discovered a box of employee data including birthdates and Social Security numbers left in a storage area and then took the information of more than 30 employees to run up credit card bills and rent apartments. Similarly, employees at a Minnesota trucking company sued their employer for failing to take adequate precautions when it sent a fax which listed 200 employees' Social Security numbers. These reports, as well as a recent PriceWaterhouse survey, indicate that the majority of employee data identity theft incidents in the United States do not involve unlawful infiltration from third parties. While it may come as a great surprise to many companies, company employees are among the biggest causes of identity theft in the workplace. Businesses need to be proactive and take steps to protect employee personal data. This article provides a practical guide to avoid becoming tomorrow's news by addressing information security of one of a company's most important assets – its employees.
Leading Causes of Unauthorized Employee Access to Personal Information
One of the primary causes of unauthorized access to personal information in the workplace is a limited understanding of the importance of complying with existing information security protocols. Many companies have implemented security policies intended to protect confidential employee data. However, if employees do not follow or are unaware of fundamental policies (such as document encryption and password protection), these policies will have little, if any, impact on the actual protection of such data.
For example, an HR employee is assigned a project to create a list of 1,000 employees, which contains the Social Security number, address and birth date of each individual. The company policy requires encryption of the document. The employee ignores that policy and does not encrypt. He then inadvertently forwards the list to another employee who, in turn, provides the data to a third party. The risks associated with this situation could have been greatly reduced simply by following the stated policy and encrypting the document.
Another frequent cause of unauthorized access is the failure to adequately limit and monitor access to confidential information. By way of example, take the situation of an employee who works in the HR department and has access to sensitive data regarding employee salaries. The employee then changes departments, yet no one at the company changes his access rights. The employee later brings a discrimination suit using documents from the HR department's files that he accessed after he changed jobs. Again, this is a situation that could have been addressed had the company taken steps to ensure that access rights were updated when employees transfer within and among departments and job categories.
A third common cause of unauthorized access arises from the lack of accountability for information security. If the company creates a culture where adherence to information security policies is not a prominent part of each employee's job, the company will remain vulnerable to security breaches. Employees need to know that their own job security depends on adhering to those policies.
While there are legal steps that can be taken after the fact to address identity theft, there are also ways to reduce the risk of theft in the first place. In order to reduce the risk of unauthorized access to employee personal information, businesses can take some of the basic steps described below:
Development or Review of an Information Security Policy
It is imperative to information security to have a comprehensive policy designed to protect employee data. Even if your company has a policy in place, it is important to revisit the policy and make sure that, among other things, the policy identifies when sensitive data will be collected from job applicants and employees, the types of data that will be collected, how the employer will use the data and how access to the data will be controlled.
The company's information security policy should be an integral part of the training of new hires and part of any updated training for current employees. All employees and independent contractors should understand the full security capabilities available within the company's computer systems. Training can take on a variety of forms, including regular reminders of the need to adhere to the policy; checklists of what every employee should do to protect data; on-line self-guided training; and formal training from supervisors. Including an information security compliance element in each employee's annual review will make the company's commitment to the process abundantly clear. Regular audits of compliance with information security also must become a central part of any data security policy.
Limiting Access to Confidential Information
Many of the internal problems discussed in this article could have been minimized if companies eliminated the use of Social Security numbers as the primary identifier in the workplace.
There is also a myriad of technological solutions designed to protect employee data that are beyond the scope of this article. Some of the more basic solutions include: (1) implementing print and forwarding restrictions on sensitive documents; (2) requiring encryption and password protection for confidential data; and (3) developing a role-based information access system. Any technological fixes should be the result of a carefully integrated approach in which the company's technology, HR and professional staff work together to customize the policy to meet the company's specific needs. Even after implementing changes to a data security policy, it still is critical to develop an action plan in the event that employee data is somehow compromised. Prompt notice and action can, at the very least, minimize some of the great anxiety associated with a theft of personal information.
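The stale-access scenario described earlier (the HR employee who changes departments but keeps HR file access) and the role-based access system suggested here, as an added Python example that is not from the article: access is derived from the employee's current department, a transfer recomputes it rather than adding to it, and a periodic review flags accounts whose live access exceeds what their role justifies. Departments, entitlement names and user names are constructed sample data.

```python
from dataclasses import dataclass, field

# Added example, not the article's own: access derived from the employee's
# current department, recomputed on transfer and reconciled by a periodic review.
# Departments and entitlements are constructed sample data.
ROLE_ENTITLEMENTS = {
    "HR":          {"hr_files:read", "salary_data:read", "employee_directory:read"},
    "Engineering": {"source_code:read", "employee_directory:read"},
    "Finance":     {"ledger:read", "employee_directory:read"},
}

@dataclass
class Account:
    user: str
    department: str            # authoritative value from the HR record
    entitlements: set = field(default_factory=set)  # what the system actually grants

def provision(user, department):
    """New hire: grant exactly the entitlements of the department's role."""
    return Account(user, department, set(ROLE_ENTITLEMENTS[department]))

def transfer(acct, new_department):
    """Department change: recompute access instead of adding to it.
    Returns the revoked entitlements so the change can be logged."""
    new_set = set(ROLE_ENTITLEMENTS[new_department])
    revoked = acct.entitlements - new_set
    acct.department, acct.entitlements = new_department, new_set
    return revoked

def audit_stale_access(accounts):
    """Access review: per user, the entitlements the current role does not justify.
    Catches accounts whose HR record changed but whose access never did."""
    findings = {}
    for a in accounts:
        excess = a.entitlements - ROLE_ENTITLEMENTS[a.department]
        if excess:
            findings[a.user] = sorted(excess)
    return findings

if __name__ == "__main__":
    # The article's scenario: moved out of HR, but HR file access was left in place.
    stale = Account("jdoe", "Engineering", set(ROLE_ENTITLEMENTS["HR"]))
    print(audit_stale_access([stale]))   # flags hr_files:read and salary_data:read
    # Handled correctly: transfer recomputes access and reports what was revoked.
    acct = provision("asmith", "HR")
    print(sorted(transfer(acct, "Engineering")))
    print(audit_stale_access([acct]))    # {} : nothing left over
```

The review function is the control that would have caught the transferred employee before he used the HR files, and it runs against the same two inputs any real deployment has: the HR system's record of current role and the access system's record of current grants.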
As identity thieves become more and more emboldened, personal data at companies will become an increasingly desirable and lucrative target. Businesses need to take steps to protect their employees' data through comprehensive training and implementation of technological solutions or face the ominous specter of protracted employee litigation and negative publicity.