Protecting Your Employees from Identity Theft
February 2004
Theft of information by employees is the top
cause of identity fraud. Conducting an audit of how personnel information is
stored and used can reveal gaps in controls.
by Kara Spooner, edited
by Gary E. Clayton
www.privacycg.com
Picture an identity thief. What image comes to mind? When asked to visualize
identity theft in action, many people tend to think of a mischievous hacker
trying to break into a server full of customer information, or an evil criminal
lurking by the dumpster just waiting for an unshredded credit card bill or other
personal document to come their way.
Surprising to many, identity theft committed with employee information stolen
in the workplace by a fellow employee is a far more likely scenario. Information
collected through job applications, maintained in personnel files, or used to
administer healthcare benefits is more susceptible to theft than information
provided by customers to purchase products and services. In the scramble to
secure the customer information that affects the bottom line, properly guarding
employee data sources is almost an afterthought. Employee records are therefore
an attractive target for thieves, who may very well work in the cubicle down
the hall.
The higher risk associated with personnel data theft is beginning to be more
heavily researched and documented. The Federal Trade Commission (FTC) has found
that in cases of business record theft, 90 percent involve employee information,
versus 10 percent for consumer information. Additionally, a 2002 study by the
credit information provider TransUnion found that the top cause of identity
fraud is the theft of information by employees, outranking the theft of credit
cards, purses, and other personal items.
Methods of Stealing Identities
Once inside a company, identity thieves appear to have a fairly easy time
obtaining enough information about employees to rent apartments, buy cars, and
apply for credit cards. These perpetrators need not hold highly trusted management
positions to have access to very sensitive information such as Social Security
numbers. Routine access to human resources computer systems and manual files
provides more than enough information to complete a fraudulent credit application.
One of the most common ways to obtain access to employee data files is to
seek employment as a temporary worker. The position lasts just long enough for
the thief to grab the data and disappear, ideally forgotten. Such applicants are
unknown to the company and are given access to company systems without the
background checks or other controls used in hiring permanent employees. For
example, in a 2002 case, two temporary workers at Children's Hospital of Arkansas
were charged with the theft of employee records. These individuals were found
to be part of a larger identity theft ring.
Other perpetrators in employee data theft cases include disgruntled former
employees who leave the company intending to do harm, or current employees with
access to electronic and manual files that are left unsupervised for long periods
of time. Even cleaning crews have been found to rummage through desks and trashcans
after hours, searching for receipts, bills, and other information. Employees
at third-party vendors providing services relating to the human resource function
also pose a threat.
Addressing the Issue
Protecting employee information from thieves is the corporation's responsibility,
since there is little employees can do to protect their own personnel records,
especially from fellow employees. Many organizations may also find it in their
own best interest to establish adequate controls. The Identity Theft Resource
Center found in its 2003 study that victims of identity theft spend an average
of 600 hours trying to clear their names and correct their credit reports. It
is doubtful that all of that work is done outside business hours. In addition,
the emotional toll of having one's identity stolen is a heavy distraction for
workers dealing with the frustration and sense of personal violation felt by
many victims trying to reclaim their lives.
The unsavory fallout of not protecting employee information may provide incentive
for some organizations to take a closer look at their personnel data protection
efforts. In addition to negative media attention, companies found to be negligent
in securing employee information may be held responsible for any damages incurred
through identity theft. Just recently, 14 former employees of the pharmaceutical
company Ligand reached a confidential settlement after Ligand's negligence in
securing personnel records led to a lab technician stealing and then selling
enough personal information to lead to identity theft.
However, adequate protection for personnel data may not be optional for much
longer. In response to this growing problem, as well as demands made by victims'
rights groups, state governments have begun assessing the need to require
organizations to protect their employees' data adequately. Georgia and Wisconsin
have taken the first step, requiring companies to destroy documents containing
the personal information of their employees, while California companies are
barred from using Social Security numbers for purposes other than administrative
functions or uses required by law. Over time, many more states are likely to
follow suit with requirements for the protection of employee information.
Taking Steps To Protect
Many organizations are beginning to take notice of the issue and are finding
ways to identify and correct their weaknesses. Conducting an audit of how personnel
information is stored and used is a way to take a comprehensive look at gaps
in controls. Just last year, the governor of Illinois requested a review of
personnel information after a worker in the Human Services Division of the Illinois
government stole thousands of Social Security numbers and charged hundreds of
thousands of dollars in employees' names. The results of the review will be
used to analyze and make changes at many of the government's agencies.
Organizations can take several other steps to protect the confidentiality
of their employees' information, including the following.
- Conduct background and criminal checks on prospective employees who
will have access to personal information
- Only hire temporary workers who have had background checks
- Restrict access to personal information to those employees with a business
need-to-know
- Closely manage temporary workers' activities
- Provide cross-cut shredders for employees to dispose of personal,
customer, and fellow employee information
- Use numbers other than Social Security numbers to identify employees
in the computer systems
- Require health plans to use numbers other than Social Security numbers
to identify plan participants
- Train staff with access to personal information about keeping that information
secure
- Keep personal information in locked file cabinets and password protected
computer files
Appropriate access controls over human resources systems and manual files
can mitigate some of the risks posed by identity thieves. Of greater importance,
the ability to quickly identify that a breach has occurred and alert the
individuals whose information may have been viewed limits the damage to the
victims. When personnel information has been compromised, immediate notification
of the affected employees is crucial to minimize losses for both the employees
and the organization.
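As an added example (not from the article, and not any particular HR product), the following Python sketch shows how three of the controls above fit together in an HR system: a random surrogate employee ID used in place of the Social Security number, SSN reads gated on both a role and a stated business purpose, and an access log mined for bulk reads of the kind an insider copying thousands of records would produce. The roles, purposes, thresholds, and sample records are assumptions constructed for illustration.

```python
"""Added example: surrogate employee IDs, need-to-know SSN access, and
bulk-access detection. Roles, purposes, thresholds and records are constructed
for illustration and are not from the article."""
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy: which roles may read an SSN, and for which purposes.
NEED_TO_KNOW = {
    "payroll_clerk": {"tax_filing"},
    "benefits_admin": {"health_plan_enrollment"},
}
BULK_READ_THRESHOLD = 5      # distinct SSNs per principal per window (assumed)
BULK_READ_WINDOW_SEC = 600   # 10-minute window (assumed)


@dataclass
class HRStore:
    # General table keyed by a random surrogate ID that reveals nothing.
    employees: dict = field(default_factory=dict)
    # Restricted table: surrogate ID -> SSN, never joined into reports.
    _ssn_vault: dict = field(default_factory=dict)
    # Every SSN read attempt, granted or not, is recorded here.
    access_log: list = field(default_factory=list)

    def add_employee(self, name, ssn):
        # Surrogate ID is random, so it cannot be reversed into the SSN.
        emp_id = "E" + secrets.token_hex(4).upper()
        self.employees[emp_id] = {"name": name}
        self._ssn_vault[emp_id] = ssn
        return emp_id

    def masked_ssn(self, emp_id):
        # Enough for a clerk to confirm identity, useless on a credit form.
        return "***-**-" + self._ssn_vault[emp_id][-4:]

    def read_ssn(self, emp_id, principal, role, purpose, now=None):
        now = time.time() if now is None else now
        allowed = purpose in NEED_TO_KNOW.get(role, set())
        self.access_log.append({"ts": now, "principal": principal, "role": role,
                                "purpose": purpose, "emp_id": emp_id,
                                "granted": allowed})
        if not allowed:
            raise PermissionError(f"{role} may not read SSNs for {purpose}")
        return self._ssn_vault[emp_id]


def detect_bulk_reads(log, threshold=BULK_READ_THRESHOLD,
                      window=BULK_READ_WINDOW_SEC):
    """Return {principal: count} for anyone who read more than `threshold`
    distinct SSNs within any `window` seconds."""
    by_principal = defaultdict(list)
    for entry in log:
        if entry["granted"]:
            by_principal[entry["principal"]].append((entry["ts"], entry["emp_id"]))
    flagged = {}
    for who, reads in by_principal.items():
        reads.sort()
        for i, (t0, _) in enumerate(reads):
            ids = set()
            for t, eid in reads[i:]:
                if t - t0 > window:
                    break
                ids.add(eid)
            if len(ids) > threshold:
                flagged[who] = len(ids)
                break
    return flagged


if __name__ == "__main__":
    store = HRStore()
    ids = [store.add_employee(f"Employee {i}", f"123-45-{6000 + i:04d}")
           for i in range(8)]
    print("surrogate IDs:", ids[:2], "...")
    print("masked:", store.masked_ssn(ids[0]))
    try:
        store.read_ssn(ids[0], "temp1", "temp_worker", "curiosity")
    except PermissionError as e:
        print("denied:", e)
    for k, eid in enumerate(ids):   # an insider pulling every record
        store.read_ssn(eid, "bob", "benefits_admin",
                       "health_plan_enrollment", now=1000.0 + k)
    print("flagged:", detect_bulk_reads(store.access_log))
```

The point of the split tables is that ordinary HR screens, reports, and exports never carry the SSN at all; only a handful of workflows reach into the vault, and each reach is logged with who, why, and which record. The detector then turns that log into the early warning the paragraph above calls for: a single principal touching more distinct SSNs in ten minutes than any legitimate task requires.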
Conclusion
Companies must take a proactive approach to the identity theft of their
employees. Raising awareness, especially among those with access to personal
information, creates an environment of monitoring in which employees are quick
to notice suspicious activity. An environment of awareness, with procedures,
proper oversight, and controls in place, will protect the most sensitive employee
information, which in the wrong hands could let an ill-meaning party assume an
employee's identity and do them harm.
Kara Spooner,
CPA, CISA, is a senior consultant with Privacy Council, an international privacy
consulting and technology firm, where she assists clients in a number of industries
in assessing privacy risks for legislative compliance and best practices and in
implementing comprehensive solutions using web technologies and policy and procedure
development. She has also developed privacy-focused client information management
processes such as privacy policy reviews, data flow mapping, and gap analysis.
A Certified Public Accountant and Certified Information Systems Auditor, she is
a graduate of Texas A&M University, College Station, with a BS and MS in Accounting
Information Systems. Ms. Spooner can be reached at kara.spooner@privacycouncil.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.