Protecting Your Employees from Identity Theft

February 2004

Theft of information by employees is the top cause of identity fraud. Conducting an audit of how personnel information is stored and used can reveal gaps in controls.

by Kara Spooner, edited by Gary E. Clayton
www.privacycg.com

Picture an identity thief. What image comes to mind? When asked to visualize identity theft in action, many people tend to think of a mischievous hacker trying to break into a server full of customer information, or an evil criminal lurking by the dumpster just waiting for an unshredded credit card bill or other personal document to come their way.

Surprising to many, identity theft resulting from employee information stolen in the workplace by a fellow employee is a much more likely case. Information collected through job applications, maintained in personnel files, or used to administer healthcare benefits is more susceptible to theft than information provided by customers to purchase products and services. In the mad scramble to ensure that customer information affecting the bottom line is secured, properly guarding employee data sources is almost an afterthought. Employee records are therefore an attractive target for thieves—who may very well work in the cubicle down the hall.

The higher risk associated with personnel data theft is beginning to be more heavily researched and documented. The Federal Trade Commission (FTC) has found that in cases of business record theft, 90 percent of cases pertain to employee information, versus 10 percent for consumer information. Additionally, a 2002 study by the credit information provider TransUnion found that the top cause of identity fraud is the theft of information by employees, outranking the theft of credit cards, purses, and other personal items.

Methods of Stealing Identities

Once inside a company, identity thieves appear to have a fairly easy time obtaining enough information about employees to rent apartments, buy cars, and apply for credit cards. And these perpetrators do not necessarily have to be in highly trusted management positions in the company to have access to information that may be very sensitive, such as Social Security numbers. Regular access to human resources computer systems and manual files provides more than enough information to complete a fraudulent credit application.

One of the most common methods to obtain access to employee data files is to seek employment as a temporary worker. These positions last just long enough to grab the data and disappear, hopefully forgotten. The applicants are unknown to the company and are given access to company systems without the background checks or other controls used in hiring permanent employees. For example, in a case in 2002, two temporary workers at Children's Hospital of Arkansas were charged with the theft of employee records. These individuals were found to be part of a larger identity theft ring.

Other perpetrators in employee data theft cases include disgruntled former employees who leave the company intending to do harm, or current employees with access to electronic and manual files that are left unsupervised for long periods of time. Even cleaning crews have been found to rummage through desks and trashcans after hours, searching for receipts, bills, and other information. Employees at third-party vendors providing services relating to the human resource function also pose a threat.

Addressing the Issue

It is the corporation's responsibility to protect employee information from thieves, as there is little that employees can do to protect their own personnel records—especially from fellow employees. And many organizations may find it in their own best interests to take precautions by establishing adequate controls. The Identity Theft Resource Center found in its 2003 study that victims of identity theft spend an average of 600 hours trying to clear their names and correct their credit reports. It is doubtful that all of the work associated with identity theft would be completed in nonbusiness hours. In addition, the emotional toll of having one's identity stolen is a cumbersome distraction for workers dealing with the frustration and personal violation felt by many victims trying to reclaim their lives.

The unsavory fallout of not protecting employee information may provide incentive for some organizations to take a closer look at their personnel data protection efforts. In addition to negative media attention, companies found to be negligent in securing employee information may be held responsible for any damages incurred through identity theft. Just recently, 14 former employees of the pharmaceutical company Ligand reached a confidential settlement after Ligand's negligence in securing personnel records led to a lab technician stealing and then selling enough personal information to lead to identity theft.

However, putting adequate protection in place for personnel data may not be optional for much longer. In response to this growing problem, as well as demands made by victims' rights groups, state governments have begun assessing the need to require organizations to adequately protect their employees' data. Georgia and Wisconsin have taken the first step, requiring companies to destroy documents containing the personal information of their employees, while California companies are barred from using Social Security numbers for purposes other than administrative functions or uses required by law. It is likely that over time, many more states will follow suit in their requirements for the protection of employee information.

Taking Steps To Protect

Many organizations are beginning to take notice of the issue and are finding ways to identify and correct their weaknesses. Conducting an audit of how personnel information is stored and used is a way to take a comprehensive look at gaps in controls. Just last year, the governor of Illinois requested a review of personnel information after a worker in the Human Services Division of the Illinois government stole thousands of Social Security numbers and charged hundreds of thousands of dollars in employees' names. The results of the review will be used to analyze and make changes at many of the government's agencies.

Organizations can take several other steps to protect the confidentiality of their employees' information, including the following.

  • Conduct background and criminal checks on prospective employees who will have access to personal information
  • Only hire temporary workers who have had background checks
  • Restrict access to personal information to those employees with a business need-to-know
  • Closely manage temporary workers' activities
  • Provide cross-cut shredders for employees to dispose of personal, customer, and fellow employee information
  • Use numbers other than Social Security numbers to identify employees in the computer systems
  • Require health plans to use numbers other than Social Security numbers to identify plan participants
  • Train staff with access to personal information about keeping that information secure
  • Keep personal information in locked file cabinets and password-protected computer files

Appropriate system and manual file access controls in the human resources department can mitigate some of the risks posed by identity thieves. Of greater importance, the ability to quickly identify when a breach has occurred and to alert those individuals whose information may have been viewed will limit the damage to the victim. In the event that personnel information is compromised, immediate notification of the affected employees is crucial to minimize losses for both the employee and the organization.
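The two controls this paragraph combines, a need-to-know rule on the Social Security number field and a way to spot bulk record access quickly enough to notify the affected employees, can be checked mechanically against an HR system's access log. The following is an added illustration, not code from the article or from Privacy Council; the log format, the role names, and the daily record limit are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample HR-system access log (not from the article): one line per
# record view: timestamp, user, user's role, employee record id, fields viewed.
SAMPLE_LOG = """\
2004-02-03T09:01:12 jdoe payroll E1001 name,ssn,salary
2004-02-03T09:02:40 jdoe payroll E1002 name,ssn,salary
2004-02-03T10:15:05 tmp_ann temp E1001 name,ssn,address
2004-02-03T10:15:09 tmp_ann temp E1002 name,ssn,address
2004-02-03T10:15:14 tmp_ann temp E1003 name,ssn,address
2004-02-03T10:15:20 tmp_ann temp E1004 name,ssn,address
2004-02-03T10:15:27 tmp_ann temp E1005 name,ssn,address
2004-02-03T11:30:00 mlee benefits E1007 name,plan_id
"""

# Assumed policy (hypothetical): which roles have a business need for the SSN
# field, and how many distinct records one user may open in a day before the
# pattern looks like harvesting rather than routine work.
SSN_ALLOWED_ROLES = {"payroll"}
DAILY_RECORD_LIMIT = 3

def parse_log(text):
    """Split the constructed log into (timestamp, user, role, record, fields) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, emp_id, fields = line.split()
        events.append((ts, user, role, emp_id, set(fields.split(","))))
    return events

def find_suspicious_access(text):
    """Return {user: (reasons, affected employee ids)} for users whose access
    breaks the need-to-know rule on SSNs or exceeds the daily record limit."""
    per_user = defaultdict(lambda: {"role": None, "records": set(), "ssn_views": 0})
    for _ts, user, role, emp_id, fields in parse_log(text):
        entry = per_user[user]
        entry["role"] = role
        entry["records"].add(emp_id)
        if "ssn" in fields:
            entry["ssn_views"] += 1
    findings = {}
    for user, entry in per_user.items():
        reasons = []
        if entry["ssn_views"] and entry["role"] not in SSN_ALLOWED_ROLES:
            reasons.append("ssn viewed without need-to-know role")
        if len(entry["records"]) > DAILY_RECORD_LIMIT:
            reasons.append("bulk record access")
        if reasons:
            # The affected-record list is what drives employee notification.
            findings[user] = (reasons, sorted(entry["records"]))
    return findings
```

On the sample log, the payroll user's SSN views are within role, while the temporary account is flagged on both rules and the five records it opened are returned as the notification list.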

Conclusion

It is of utmost importance for companies to take a proactive approach to the identity theft of their employees. Raising awareness, especially among those with access to personal information, will create an environment of monitoring in which employees are readily alerted to suspicious activity. An environment of awareness, with procedures, proper oversight, and controls in place, will protect the most sensitive employee information, which in the wrong hands could allow an ill-meaning party to assume an employee's identity and do them harm.


Kara Spooner, CPA, CISA, is a senior consultant with Privacy Council, an international privacy consulting and technology firm, where she assists clients in a number of industries in assessing privacy risks for legislative compliance and best practices and in implementing comprehensive solutions using web technologies and policy and procedure development. She has also developed privacy-focused client information management processes such as privacy policy reviews, data information flow mapping, and gap analysis. A Certified Public Accountant and Certified Information Systems Auditor, she is a graduate of Texas A&M University, College Station, with a BS and MS in Accounting Information Systems. Ms. Spooner can be reached at this .


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.