
Good Company

Maria E. Recalde, Shareholder
mrecalde@sheehan.com



Workplace Identity Theft: Proactive Measures Employers Can And Should Take To Combat It


Tuesday, February 15, 2005



Identity theft is one of the fastest growing crimes in the United States.  It occurs when a person's identifying information, such as name, address, birth date, Social Security number or any account number, is used or transferred by another person for unlawful purposes.  Recent reports put the number of identity theft victims at seven to ten million each year.

A prime target for identity theft is the sensitive employee identifying information (EII) that employers maintain in their human resources and payroll departments.  Indeed, according to the Federal Trade Commission (FTC), about 90 percent of business-record thefts (one of the leading causes of identity fraud today) involve payroll or employment records.  Skilled identity thieves use a variety of methods, both low and high tech, to gain access to EII, including stealing records from the employer, bribing an employee who has access to these records, or hacking into the employer's computer systems.  Identity thieves also rummage through trash, in a practice known as "dumpster diving."  Employers and employees are increasingly becoming the victims of identity theft perpetrated not only by outsiders, but also by employees themselves.  Insiders are particularly dangerous when they work in the human resources or information technology departments, since those roles come with legitimate access to EII.  Employees who are about to be laid off and outsourcing vendors also pose a threat as potential identity thieves.

Employers should take a proactive approach by managing EII cautiously and with heightened sensitivity in order to minimize the risk of identity theft.  To this end, employers should audit their internal policies and procedures governing the collection, use and protection of EII.  Where such policies and procedures are lacking or deficient, new ones should be formulated and implemented, and security reviews should be undertaken periodically to evaluate how EII is being managed and safeguarded.

What follows are some suggested steps employers can take to reduce the chances of workplace identity theft and to minimize possible liability.  These suggestions are not intended to be exhaustive.  Indeed, EII management policies and procedures should be customized, with the assistance of the company's legal counsel, to meet the unique needs and the legal requirements of the employer's specific industry and activities, at both the federal and state level.

  • Establish a security and privacy policy.  Develop a policy that identifies the circumstances under which sensitive identifying information may be collected from job applicants and employees, the types of information to be collected, and how and when the employer may use and disclose the information.  This policy must comply with applicable federal and state laws governing the security and privacy of EII, including health information.  The policy should limit the collection, use and disclosure of sensitive identifying information to the minimum necessary for the intended purpose and eliminate all unnecessary collection, uses and disclosures.  Employers should look, for example, at how and when they collect and use employees' Social Security numbers (SSNs), especially when coupled with other identifying information (e.g., name and address), and consider randomly assigned alternative identifiers to replace the use of SSNs.  SSNs should not be used as employee identifiers, or on insurance cards, claim forms, paycheck stubs, timecards or timesheets.  Audit the EII currently maintained and determine whether all information collected is absolutely essential for business or government reporting purposes.  Where it is not, discontinue collecting it and properly discard or dispose of what is already held.
  • Review the security measures currently in place.  Ensure that adequate protective measures are being taken to protect the company's computer and filing systems, including the company intranet.  Keep operating system security patches current.  Update virus protection software regularly, and promptly when a new virus alert is announced.  Computer viruses can have damaging effects, including introducing program code that causes the computer to send out files or other stored information.  In addition, install, maintain and monitor firewalls and intrusion detection systems.  Without a firewall, hackers can take over a computer system and access sensitive information.  Review the company's electronic communications policy to ensure that employees know what policies and procedures they are required to follow in order to avoid security breaches.  Train employees on how to identify and report possible security breaches.
  • Review how EII may be minimized or segregated in the HRIS used by the company.  Human Resources Information Systems (HRIS) let employers keep track of all employees in a database or, more often, in a series of inter-related databases.  An HRIS typically holds, among other things, the employee's name, SSN, home address, date of birth, and contact information.  Some HRIS products are interfaced to payroll or other financial systems, all of which are subject to infiltration, so a compromise of one system can expose the others.  Employers and HR managers must understand the risks of HRIS and take effective steps to secure vulnerable networks.  Such steps may include working with the information technology department to develop security strategies.
  • Restrict, control and monitor access to EII.  All employee (and job applicant) records should be kept in locked and secured areas.  Those with access to such records should be clearly identified and should have completed training on identity theft and document handling practices.  Responsibility for maintaining the security of EII should be assigned to named individuals.  Computers used by employees with access to EII should automatically lock if unused for a designated period of time.  Printers and fax machines used by employees who handle EII as part of their job functions should be kept in controlled areas.  EII should be encrypted while being transmitted electronically.  Storing EII or other critical or sensitive files on laptops or other computers readily available to employees should be avoided.  Indeed, downloading EII to laptops or to any other media, such as a diskette or CD-ROM, should be prohibited except with prior high-level approval.  Background checks should be conducted for all employees who have access to EII.  Upon terminating an employee with authorized access to EII, promptly disable the employee's accounts, change any shared passwords and security codes the employee knew, and require the return of all company property, including any diskettes, keys, laptops, etc.  Temporary employees and vendors should be barred from sensitive identifying information, except when absolutely necessary and only after an appropriate background check has been conducted.
  • Review the company's record retention and disposal policies.  Outdated hard copy records that contain EII should never be merely discarded, but should be shredded internally or by an outside bonded vendor, after an appropriate check of that vendor has been conducted.  Proven data-wiping software, or physical destruction, should be used when disposing of computer files, diskettes, hard drives or any other media where EII was stored; simply deleting files does not remove the data from the media.  To the extent applicable to the EII at issue, disposal should be done in compliance with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which requires the proper destruction of "consumer information" (i.e., any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report, also known as a credit report).  FACTA requires any person or company that possesses or maintains such information to "take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."  Businesses must come into compliance by June 1, 2005, either by adopting and implementing their own document destruction policies or by contracting with a document shredding company or other data destruction company to do so.  Penalties for violations include actual damages, statutory damages of up to $1,000 per violation, punitive damages (with no cap on class action damages), attorneys' fees, and civil penalties of up to $2,500 per violation.
  • Develop a contingency plan to address security breaches.  The contingency plan should address not only how the company will deal with security breaches internally, but also how it will assist affected employees in protecting themselves.  Employees should be made aware of resources and information available to help combat identity theft, such as the FTC's website, http://www.consumer.gov/idtheft, which not only provides useful information but also links to additional information from federal agencies, states and consumer organizations.
  • Stay up to date with new developments affecting EII.  Keep informed of changes in the law and governmental efforts, at both the federal and state level, that may impact the collection, use, storage and/or disposal of EII by employers.
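The first and third suggestions above (replace SSNs with randomly assigned identifiers, and segregate EII in the HRIS) can be implemented as shown below.  This is an added example, not code from the article or from the firm; the SsnVault and Hris classes, the payroll-only read policy, the sample employee and the index key are all constructed for illustration.  The general HR database holds only a random employee ID, the SSN lives in a separate vault, and the vault keeps a keyed hash (HMAC-SHA256) of each SSN as a "blind index" so that duplicate checks and lookups by SSN work without the SSN ever appearing in the main database.

```python
"""Pseudonymous employee IDs with SSNs segregated into a restricted, audited vault.

Added illustration, not code from the article. Everything here (class names,
the payroll-only read policy, the sample data, the index key) is constructed.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed policy: only this role may read a full SSN back out of the vault.
VAULT_READ_ROLES = {"payroll"}


@dataclass(frozen=True)
class EmployeeRecord:
    """What the general HRIS holds: no SSN, only the random employee identifier."""
    employee_id: str
    name: str
    department: str


def normalize_ssn(ssn: str) -> str:
    """Strip separators and require exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


class SsnVault:
    """Separate store for SSNs. The HRIS never sees them; only the vault does."""

    def __init__(self, index_key: bytes):
        if len(index_key) < 32:
            raise ValueError("index key must be at least 32 bytes")
        self._index_key = index_key
        self._ssn_by_id: dict[str, str] = {}
        self._id_by_index: dict[str, str] = {}
        self.access_log: list[tuple[str, str, str]] = []

    def blind_index(self, ssn: str) -> str:
        # Keyed hash: allows duplicate checks and lookup by SSN without storing
        # the SSN in any index. Without the key the index value is useless.
        return hmac.new(self._index_key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()

    def enroll(self, ssn: str) -> str:
        """Store the SSN and return a random employee ID that is not derived from it."""
        digits = normalize_ssn(ssn)
        idx = self.blind_index(digits)
        if idx in self._id_by_index:
            raise ValueError("an employee with this SSN is already enrolled")
        employee_id = "E-" + secrets.token_hex(4).upper()
        while employee_id in self._ssn_by_id:  # collision is vanishingly rare
            employee_id = "E-" + secrets.token_hex(4).upper()
        self._ssn_by_id[employee_id] = digits
        self._id_by_index[idx] = employee_id
        return employee_id

    def lookup_by_ssn(self, ssn: str):
        """Employee ID for an SSN, or None; goes through the blind index only."""
        return self._id_by_index.get(self.blind_index(ssn))

    def masked(self, employee_id: str) -> str:
        """Last four digits only, for forms that must show something."""
        return "***-**-" + self._ssn_by_id[employee_id][-4:]

    def reveal(self, employee_id: str, actor: str, role: str, purpose: str) -> str:
        """Full SSN, only for permitted roles; every attempt, granted or not, is logged."""
        if role not in VAULT_READ_ROLES:
            self.access_log.append((actor, employee_id, "DENIED: " + purpose))
            raise PermissionError(f"role {role!r} may not read SSNs")
        self.access_log.append((actor, employee_id, purpose))
        return self._ssn_by_id[employee_id]


class Hris:
    """General-purpose HR database: keyed by employee ID, never by SSN."""

    def __init__(self, vault: SsnVault):
        self._vault = vault
        self._records: dict[str, EmployeeRecord] = {}

    def hire(self, name: str, department: str, ssn: str) -> EmployeeRecord:
        employee_id = self._vault.enroll(ssn)  # the SSN goes to the vault only
        record = EmployeeRecord(employee_id, name, department)
        self._records[employee_id] = record
        return record

    def get(self, employee_id: str) -> EmployeeRecord:
        return self._records[employee_id]


if __name__ == "__main__":
    vault = SsnVault(secrets.token_bytes(32))   # in practice: a key held in an HSM/KMS
    hris = Hris(vault)
    rec = hris.hire("Ada Example", "Engineering", "123-45-6789")  # constructed sample
    print(rec)                                  # no SSN in the HRIS record
    print(vault.masked(rec.employee_id))        # what a pay stub may show
    print(vault.reveal(rec.employee_id, "pay01", "payroll", "annual W-2 filing"))
    try:
        vault.reveal(rec.employee_id, "mgr07", "manager", "curiosity")
    except PermissionError as e:
        print("denied:", e)
    print(vault.access_log)
```

In a real deployment the vault would be a separate system with its contents encrypted at rest and the index key kept outside the database; the in-memory dictionaries here stand in for that.  The point the code makes is structural: the payroll stub, the timesheet and the manager's HR view all work from the employee ID, and only the payroll role, through a logged call, can ever obtain the full SSN.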

While the damage to an employer from the unauthorized use of EII could be significant, liability for the damage caused to individual employees when that information is used for fraudulent purposes poses an even greater risk.  Accordingly, employers need to be proactive in taking preventive measures against workplace identity theft.  The appropriate policies and procedures need to be developed, established and implemented in order to reduce potential exposure to liability from identity theft.  Failure to do so may subject employers to costly consequences.

This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.

© 2008 Sheehan Phinney Bass + Green PA. All rights reserved. Powered by SilverTech, Inc.