Wipfli LLP - CPAs and Consultants
ID Theft: Is Your Workplace Safe?
November 01, 2005

Did you know that theft of employer records is the No. 1 source of private data used in credit-card scams and other forms of identity theft?

Obviously, this kind of workplace theft can have serious ramifications for employers as well as employees and customers who are identity-theft victims. Considering the wealth of personal information that organizations control, protecting privacy in the workplace is more important than ever.

A provision in the Fair and Accurate Credit Transactions Act (FACTA) makes businesses of any size liable for failing to properly dispose of personal data about their employees and customers. To comply, businesses must take “reasonable measures” to safely dispose of names, street and e-mail addresses, phone numbers, Social Security numbers, credit card numbers, account numbers, and other personal data about employees and customers.

It’s a serious measure. For each violation, the government can fine a business up to $2,500, and state governments can fine an additional $1,000. Plus, a business may be required to pay for any damages incurred by the victim, which is potentially the most expensive component of identity theft. Victims of identity theft spend an average of 600 hours trying to clear their names and correct their credit reports.

All of this means that protecting confidential files and information should be a high priority for any business.

1. Start with the obvious: employee HR files.

Safeguarding employee information requires a comprehensive approach against inappropriate internal and external access.

Office manila folders and databases house a wealth of information about employees. From job applications to personnel files to data used for health insurance and benefit administration, employers should perform a comprehensive audit of personnel data protection.

Consider this: Once inside a company, identity thieves usually have a fairly easy time obtaining enough information about employees to rent apartments, buy cars, and apply for credit cards in their names. Access to even basic HR computer systems and manual files provides enough information to complete a fraudulent credit application.
 
2. Beef up your hiring and firing policies.

Background and criminal checks should always be conducted on prospective employees who will have access to personal information. Even temporary workers should be subject to background checks.

Organizations should have a standing rule to disable a departed employee's accounts and network access immediately, including any remote access such as VPN or dial-up modem connections, and to change any shared passwords the employee knew. It is equally important to disconnect that employee's terminal from any form of external access, such as a dial-up modem connection, since a modem left attached to an unattended PC is a way back in that bypasses the rest of the network's controls.
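A standing rule is only as good as the check that enforces it. The script below is an added example, not code from the article or from Wipfli: it reconciles an HR roster export against an account-directory export and flags accounts that are still enabled or still being used after the owner's termination date, accounts whose employee id HR does not recognise (a temp never entered, or a typo), and accounts tied to no employee at all. The field names and the two sample exports are constructed for illustration.

```python
from datetime import date

# Constructed sample exports (not real data): what a small script might pull
# from the HR system and from the account directory. Field names are assumptions.
HR_ROSTER = [
    {"emp_id": "E100", "name": "A. Lee", "status": "active", "term_date": None},
    {"emp_id": "E101", "name": "B. Ray", "status": "terminated", "term_date": date(2005, 10, 14)},
    {"emp_id": "E102", "name": "C. Tan", "status": "terminated", "term_date": date(2005, 10, 31)},
]
ACCOUNTS = [
    {"username": "alee", "emp_id": "E100", "enabled": True, "last_login": date(2005, 10, 31)},
    {"username": "bray", "emp_id": "E101", "enabled": True, "last_login": date(2005, 10, 20)},
    {"username": "ctan", "emp_id": "E102", "enabled": False, "last_login": date(2005, 10, 30)},
    {"username": "svc_backup", "emp_id": None, "enabled": True, "last_login": date(2005, 10, 31)},
    {"username": "temp01", "emp_id": "E999", "enabled": True, "last_login": date(2005, 9, 1)},
]


def review_accounts(roster, accounts, today):
    """Compare the account directory against the HR roster.

    Returns a list of (severity, username, reason) tuples, in account order, for:
      - an enabled account whose owner HR lists as terminated
      - any login recorded after the owner's termination date
      - an account whose employee id is unknown to HR
      - an account tied to no employee at all, which needs a named owner
    """
    by_emp = {r["emp_id"]: r for r in roster}
    findings = []
    for acct in accounts:
        user = acct["username"]
        emp = by_emp.get(acct["emp_id"])
        if emp is None:
            if acct["emp_id"] is None:
                findings.append(("review", user,
                                 "not tied to any employee; confirm it is a service account with a named owner"))
            else:
                findings.append(("high", user, f"employee id {acct['emp_id']} is not on the HR roster"))
            continue
        if emp["status"] != "terminated":
            continue
        term = emp["term_date"]
        if acct["enabled"]:
            findings.append(("high", user,
                             f"still enabled {(today - term).days} days after termination on {term}"))
        if acct["last_login"] is not None and acct["last_login"] > term:
            findings.append(("high", user,
                             f"last login {acct['last_login']} is after termination on {term}"))
    return findings


if __name__ == "__main__":
    for severity, user, reason in review_accounts(HR_ROSTER, ACCOUNTS, date(2005, 11, 1)):
        print(f"[{severity}] {user}: {reason}")
```

Run against real exports, the "login after termination" finding is the one to chase first: it means the account was not just forgotten but actually used after the person left, and is worth treating as an incident rather than a housekeeping item.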

3. Limit access to “need to know” information.

Staff with access to personal employee information should be properly trained on how to keep information secure. This includes keeping personal information in locked file cabinets and using password-protected computer files.

Consider which employees need access to what programs and databases containing sensitive information and password-protect these, granting access only on a need-to-know basis. Emphasize the need to lock cabinets at night and during lunch time and other periods of the day when staff members are not nearby.
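The electronic counterpart of the locked cabinet is the permission set on the folders that hold personnel data, and it drifts: a file copied into the HR share by someone with a loose umask is readable by every user on the server. The audit below is an added example, not code from the article: it walks a directory tree and reports every file or folder whose POSIX permission bits let anyone other than the owner read or write it. It assumes a POSIX file server (Windows ACLs need a different check) and builds a small constructed HR share in a temporary directory to audit.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Mode bits that give anyone other than the file's owner read or write access.
NOT_OWNER_ONLY = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def loosely_permitted(root):
    """Walk root and return sorted (relative path, octal mode) pairs for every
    file or directory whose POSIX permission bits let group or others read or
    write it. Directory read bits matter too: they let a user list the names of
    personnel files even when the files themselves are locked down."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            mode = stat.S_IMODE(p.lstat().st_mode)
            if mode & NOT_OWNER_ONLY:
                hits.append((p.relative_to(root).as_posix(), oct(mode)))
    return sorted(hits)


def audit_sample_share():
    """Build a constructed HR share in a temp directory, audit it, clean up and
    return the findings. Layout (assumed, for illustration only):
      personnel/            0700  owner only
        app_E100.txt        0600  owner only (correct)
        ssn_list.csv        0644  world-readable (wrong)
      benefits/             0755  world-listable (wrong)
    """
    root = Path(tempfile.mkdtemp(prefix="hrshare_"))
    try:
        personnel = root / "personnel"
        personnel.mkdir()
        (personnel / "app_E100.txt").write_text("job application, E100\n")
        (personnel / "ssn_list.csv").write_text("emp_id,ssn\nE100,000-00-0000\n")  # fake value
        benefits = root / "benefits"
        benefits.mkdir()
        # Explicit chmod so the result does not depend on the caller's umask.
        os.chmod(personnel, 0o700)
        os.chmod(personnel / "app_E100.txt", 0o600)
        os.chmod(personnel / "ssn_list.csv", 0o644)
        os.chmod(benefits, 0o755)
        return loosely_permitted(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, mode in audit_sample_share():
        print(f"{mode} {path}")
```

Point `loosely_permitted` at the real share (for example from a nightly cron job) and review the list: each entry is a file the "need to know" rule does not cover, and the fix is either a chmod or a move out of the share.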

4. Safeguard your computer systems.

Consult with security professionals to determine which vulnerabilities exist in your information systems. Among the considerations is the need to protect computer networks with firewalls, making access to systems and databases more difficult for hackers. A firewall protects networked computers by restricting which networks, hosts, and services can reach them, so that an outsider cannot connect directly to an HR database or file server. Which users may see which records once they are connected is enforced by the permissions on the systems themselves, not by the firewall, so the two controls are needed together.

These efforts are only as good as the company-wide security policy that complements them. Educate employees about identity theft and data protection. This should include information on e-mail policies (such as what e-mail filters are in place and how to deal with suspicious e-mail), computer access, and how to report incidents.

5. Eliminate the paper trail.

Business records of any kind should never be tossed into the trash or recycling bin. The mantra should be, “Shred, shred, shred.” All business records no longer needed should be shredded. Purchase an inexpensive office shredder (a cross-cut model; strip-cut output can be reassembled) or contract with a shredding service to handle disposal.

This is of special importance to businesses that use consumer credit reports for business purposes, as they’re subject to the requirements of the FTC’s Disposal Rule. The rule requires the proper disposal of information in credit reports and records to protect against “unauthorized access to, or use of, the information.” How this is defined is left to businesses based on the costs and benefits of different disposal methods, the sensitivity of the information, and changes in technology.

Although this rule applies to consumer credit reports, the FTC encourages all businesses that dispose of records containing a consumer’s personal or financial information to take similar measures.