Expert Commentary

Protecting Your Employees from Identity Theft

Theft of information by employees is the top cause of identity fraud. Conducting an audit of how personnel information is stored and used can reveal gaps in controls.


Cyber and Privacy Risk and Insurance
February 2004

Picture an identity thief. What image comes to mind? When asked to visualize identity theft in action, many people tend to think of a mischievous hacker trying to break into a server full of customer information, or an evil criminal lurking by the dumpster just waiting for an unshredded credit card bill or other personal document to come their way.

Surprising to many, identity theft resulting from employee information stolen in the workplace by a fellow employee is a far more likely case. Information collected through job applications, maintained in personnel files, or used to administer healthcare benefits is more susceptible to theft than information provided by customers to purchase products and services. In the scramble to secure the customer information that affects the bottom line, properly guarding employee data sources is often an afterthought. Employee records are therefore an attractive target for thieves, who may very well work in the cubicle down the hall.

The higher risk associated with personnel data theft is beginning to be more heavily researched and documented. The Federal Trade Commission (FTC) has found that in cases of business record theft, 90 percent of cases pertain to employee information, versus 10 percent for consumer information. Additionally, a 2002 study by the credit information provider TransUnion found that the top cause of identity fraud is the theft of information by employees, outranking the theft of credit cards, purses, and other personal items.

Methods of Stealing Identities

Once inside a company, identity thieves appear to have a fairly easy time obtaining enough information about employees to rent apartments, buy cars, and apply for credit cards. And these perpetrators do not necessarily have to be in highly trusted management positions in the company to have access to information that may be very sensitive, such as Social Security numbers. Regular access to human resources computer systems and manual files provides more than enough information to complete a fraudulent credit application.

One of the most common methods of obtaining access to employee data files is to seek employment as a temporary worker. Such an assignment lasts just long enough for the thief to collect the data and disappear, ideally forgotten. The applicants are unknown to the company and are given access to company systems without the background checks or other controls used in hiring permanent employees. For example, in a 2002 case, two temporary workers at Children's Hospital of Arkansas were charged with the theft of employee records. These individuals were found to be part of a larger identity theft ring.

Other perpetrators in employee data theft cases include disgruntled former employees who leave the company intending to do harm, or current employees with access to electronic and manual files that are left unsupervised for long periods of time. Even cleaning crews have been found to rummage through desks and trashcans after hours, searching for receipts, bills, and other information. Employees at third-party vendors providing services relating to the human resource function also pose a threat.

Addressing the Issue

It is the corporation's responsibility to protect employee information from thieves, as there is little that employees can do to protect their own personnel records, especially from fellow employees. Many organizations will also find it in their own best interest to establish adequate controls. The Identity Theft Resource Center found in its 2003 study that victims of identity theft spend an average of 600 hours trying to clear their names and correct their credit reports. It is doubtful that all of that work would be completed outside business hours. In addition, the emotional toll of having one's identity stolen is a significant distraction for workers, who must cope with the frustration and sense of personal violation felt by many victims trying to reclaim their lives.

The unsavory fallout of not protecting employee information may provide incentive for some organizations to take a closer look at their personnel data protection efforts. In addition to negative media attention, companies found to be negligent in securing employee information may be held responsible for any damages incurred through identity theft. Just recently, 14 former employees of the pharmaceutical company Ligand reached a confidential settlement after Ligand's negligence in securing personnel records led to a lab technician stealing and then selling enough personal information to lead to identity theft.

However, putting adequate protection in place for personnel data may not be optional for much longer. In response to this growing problem, as well as demands made by victims' rights groups, state governments have begun assessing the need to require organizations to adequately protect their employees' data. Georgia and Wisconsin have taken the first step, requiring companies to destroy documents containing the personal information of their employees, while California companies are barred from using Social Security numbers for purposes other than administrative functions or uses required by law. It is likely that over time many more states will follow suit with requirements for the protection of employee information.

Taking Steps To Protect

Many organizations are beginning to take notice of the issue and are finding ways to identify and correct their weaknesses. Conducting an audit of how personnel information is stored and used is a way to take a comprehensive look at gaps in controls. Just last year, the governor of Illinois requested a review of personnel information after a worker in the Human Services Division of the Illinois government stole thousands of Social Security numbers and charged hundreds of thousands of dollars in employees' names. The results of the review will be used to analyze and make changes at many of the government's agencies.

Organizations can take several other steps to protect the confidentiality of their employees' information, including the following.

  • Conduct background and criminal checks on prospective employees who will have access to personal information
  • Only hire temporary workers who have had background checks
  • Restrict access to personal information to those employees with a business need to know
  • Closely manage temporary workers' activities
  • Provide cross-cut shredders for employees to dispose of personal, customer, and fellow employee information
  • Use identifiers other than Social Security numbers to identify employees in computer systems
  • Require health plans to use identifiers other than Social Security numbers to identify plan participants
  • Train staff with access to personal information on keeping that information secure
  • Keep personal information in locked file cabinets and password-protected computer files

Appropriate system and manual file access controls in the human resources department can mitigate some of the risks posed by identity thieves. Of greater importance, the ability to quickly identify when a breach has occurred, and to alert the individuals whose information may have been viewed, limits the damage to the victim. In the event that personnel information is compromised, immediate notification of the affected employees is crucial to minimize losses for both the employee and the organization.

Conclusion

It is of utmost importance for companies to take a proactive approach to the identity theft of their employees. Raising awareness, especially among those with access to personal information, creates an environment of monitoring in which employees readily notice and report suspicious activity. An environment of awareness, with procedures, proper oversight, and controls in place, will protect the most sensitive employee information, the information that an ill-meaning party could use to assume an employee's identity and do them harm.


Kara Spooner, CPA, CISA, is a senior consultant with Privacy Council, an international privacy consulting and technology firm, where she assists clients in a number of industries in assessing privacy risks for legislative compliance and best practices and implementing comprehensive solutions using web technologies and policy and procedure development. She has also developed privacy focused client information management processes such as privacy policy reviews, data information flows mapping and gap analysis. A Certified Public Accountant and Certified Information Systems Auditor, she is a graduate of Texas A&M University, College Station with a BS and MS in Accounting Information Systems. Ms. Spooner can be reached at this


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
