Thursday, May 17, 2012

Identity theft: Minimizing risk for employees

by on February 8, 2012 9:00am
in Centerpiece, HR Management, Human Resources, Office Management, Records Retention

Identity theft is one of the fastest-growing crimes in the U.S., and much of it revolves around the workplace. The federal government has taken a stand by passing the Fair and Accurate Credit Transactions Act and the Identity Theft and Assumption Deterrence Act.

But employers must react similarly by erecting legal defenses, including safeguarding personnel files that contain such information as employees’ Social Security numbers, as prescribed by many state statutes.

FAQs about identity theft

1. How can an employer protect employee records from the threat of identity theft?

Here are some steps you should take to secure employee records and minimize identity theft risk factors.

  • Conduct background checks. To prevent insiders from stealing information, it is important that all applicants for positions that have access to employee records be subject to criminal or civil background checks.
  • Secure data. Lock personnel files and limit access to the keys. Password-protect computer files and change passwords regularly. Encrypt all data sent and received electronically. Install adequate firewall protection.
  • Limit access. Restrict access to the smallest possible pool of employees. Disable employee access to company data immediately upon termination.
  • Protect Social Security numbers. Request that insurers not use SSNs as employee identifiers on insurance cards and claims forms. Don’t use SSNs on paycheck stubs, timecards or timesheets, parking permits, employee badges, training program rosters, promotion lists, monthly account statements and client reports.
  • Audit data access for suspicious activity.
  • Destroy sensitive information before disposing. Shred documents that contain account numbers or personal identifiers. 
  • Raise awareness. Write and distribute a privacy policy that includes procedures for the safe handling of information. Train employees. Warn employees against inadvertently divulging sensitive information without a legitimate business reason or making information vulnerable (e.g., failing to immediately file and lock up personnel files after use).
  • Scrutinize third-party vendors. Audit their security procedures.

2. What additional steps can an employer take to keep employee Social Security numbers confidential?

A number of states have enacted statutes designed to protect Social Security numbers (SSNs). Such statutes require employers to establish policies that ensure the confidentiality of SSNs; prohibit unlawful disclosure of SSNs; limit who has access to information or documents containing SSNs; mandate procedures for disposal of documents containing personal information; bar employers from using more than four digits of an SSN; and establish penalties for policy violations.

Although your state may not have a law on the books right now, more and more states are expected to jump on the Social Security number privacy protection bandwagon. Be prepared by implementing the following practices for protecting the confidentiality of SSNs.

  • Develop a unique personal identifier system instead of using SSNs.
  • Do not put SSNs on documents to be mailed (or e-mailed).  Exceptions: applications, forms, or when required by law. (Then, check that the SSN does not show in the envelope window.)
  • Make sure documents containing SSNs are accessed only by those who need to see the numbers for the performance of their job duties. Use logs or electronic audit trails to monitor access to records.
  • Remember to secure any backups or copies made of print and electronic records that contain SSNs.
  • Avoid leaving voice-mail messages or sending faxes containing SSNs.
  • Properly and immediately secure records containing SSNs when not in use.
  • Take care when discarding records containing SSNs (e.g., use a shredder).
  • Require employees to promptly report when SSNs have been compromised.

3. What can an employer do to monitor its data destruction procedures?

Although it may seem like you’re defeating the purpose of setting up a system to purge company records by creating more records, play it legally safe and document this procedure. The goal of the documentation: to be able to show that records were not arbitrarily destroyed; that legitimate business reasoning dictated your actions. 

You should document how you established retention periods, the provisions of your record-keeping policy or record-management system, and perhaps even an inventory of documents and the proper authorization for disposal. Make it a routine. Otherwise, a sudden decision to “clean house” could be perceived as suspicious.

The best way to make sure that sensitive data that needs to be disposed of doesn’t fall into the wrong hands is to prevent it from falling into anyone’s hands by destroying it. How you dispose of confidential records is just as important as how you stored them when they were current. Simply placing them in the trash is just as risky as leaving them in unlocked files.

Conduct the following audit before selecting the data-destruction technology you need.  Answers to these questions will help you decide by what means the records should be destroyed and by whom.

  1. Do you have a high volume of records that needs to be destroyed? Is there a high percentage that contains confidential information?
    You have many data-destruction options to choose from, ranging from desktop/personal shredders to disintegrators to outside disposal services.
  2. How sensitive is the data? How vulnerable would the company be if it fell into the wrong hands?
    Ribbon-cut shredders are adequate for disposal of general records and other data that is not critically sensitive. However, cross shredding may be a better solution for disposing of records that contain confidential or proprietary information.
  3. Who is to have access to the data-shredding equipment? Only employees with a need-to-know, who already have access to the information, should be in charge of destroying it.

Warning: Don’t forget about back-up files and individual files kept by employees. Track those down and destroy them, too. Their existence can also do your company legal harm.

Finally, remember that not all records may be kept on paper. Diskettes and microfilm can hold much more information in less space; if your entire company isn’t using the same format, remember that individual managers or departments might have a stash of information in a completely different medium. You are responsible for their accuracy and privacy as well.

Note: Effective June 1, 2006, the Fair and Accurate Credit Transactions Act (FACTA) requires all employers with at least one employee to destroy personal information derived from a consumer report before disposing of it.

FACTA aims to eliminate the chance of an identity thief rummaging through your company’s trash and scoring personal employee information.  The act defines destroying as “shredding or burning” or “smashing or wiping” paper or computer disks containing the protected information.

Consumer reports routinely contain information related to a credit, criminal, or background check, but they can also contain information on an individual’s character, general reputation, personal characteristics, or mode of living.


Mark Badham February 9, 2012 at 2:52 am

None of this seems to mention that most data today is stored electronically (e.g., PCs, servers, printers – even tablets and smartphones), not just on paper. So it’s really important to properly erase confidential data from your electronic assets when you no longer need it – like when upgrading to new IT assets. You don’t want your old computers and staff smartphones being reused with your data still accessible on them. After all, your delete button won’t actually get rid of your data – people can still find it. That’s how many data breaches happen. And it CAN be avoided. A good website is http://www.dataerasure.com or check “data erasure” on Wikipedia. There’s also a free webinar on basic data erasure on 23 Feb (https://student.gototraining.com/r/6127765558366401280) and 24 Feb (https://student.gototraining.com/r/1542200637680068608).


Chad Gammage February 8, 2012 at 6:06 pm

You are partially right. Annualcreditreport.com is not sponsored by the 3 bureaus out of kindness; instead, they’re required to provide this. The 3 bureaus also don’t want you to know about the benefits afforded to every American consumer via the FCRA because when they’re utilized they have a negative impact on their revenue streams, i.e., selling your information to 3 parties and selling to consumers expensive credit related monthly services (because you won’t need them).

If you read the FCRA you will find the benefits I already spelled out for you. If you visit idSafeUSA.com you will also see the slide-show is a legitimate tool to assist you in obtaining these (free) benefits from Experian. No registration or obligation and feel free to use every 90 days.

Try it before you deny it. And since you’re a smart guy you can probably navigate the process for the other bureaus on your own. And if you’re a real smart guy you will probably realize membership in idSafeUSA.com will save you a ton of time and is well worth the $19.95 annual (not monthly) fee. Membership covers the entire family and No Personal Information, Financial Information or Power of Attorney needed. Super Affordable, Easy enough for kids, 100% Safe and works every time.

You should also know idSafeUSA.com is all the talk in law enforcement circles as the real solution to ID Crime. And we teach this to kids via the non profit I started – YIPPedu.org.

Try it for yourself and if the slide-show is not helpful I will eat my words but I don’t think that will be necessary. After all, kids get it.


Steve Hastert February 8, 2012 at 5:11 pm

The official site sponsored by the three credit agencies is: https://www.annualcreditreport.com. Any other site is trying to sell you something.


Chad Gammage February 8, 2012 at 4:57 pm

Or…
You can have your employees (every American) order Free ID Protection & ID Reports (credit report minus the score) from each credit/reporting bureau every 90 days and not worry about ID Crime altogether.

The FCRA (2003) gave these tools to every American for this reason. Free ID Protection renders your ID useless to anyone but you and works 100% of the time. When your ID is used in an application process and a credit report is pulled, you get a phone call (list your cell phone) to verify if it’s your application. If it’s not you, the company/merchant is obligated to contact law enforcement to report a felony in progress.

The Free ID Reports (20 per year/each family member) allow you to monitor your ID for unauthorized activity and changes (ie: address)

A slide-show demonstration is available for you to follow along with. In just a few minutes you will have Free ID Protection and a copy of your Free ID Report from Experian.

Visit http://www.idsafeusa.com to see for yourself and for more helpful information. It’s Free, Easy, Safe and works perfectly.
