While identity theft is often blamed on the victim’s careless behavior, in a large number of cases, the crime occurs because someone else made a mistake that revealed the victim’s personal data. And that someone else, unfortunately, is often the victim’s employer. Employers collect and store reams of personal data about their employees — data that is more than just a little bit attractive to identity thieves.
Not only could you be held liable if an identity theft is traced back to your company, but identity theft is also costly in terms of productivity: The average theft leads to $16,000 in lost wages as victims take time away from work to investigate and correct their records. So even if you think that you have top-notch security and that no one who shouldn’t has access to employee records, you might want to think again. You might be putting your workers at risk for identity theft and not even realize it.
Sign #1: You Don’t Have a Culture of Privacy Awareness
Considering that 54 percent of network intrusions are attributable to employee errors, it’s important that you develop a culture of privacy awareness and privacy protection in order to keep data safe. This means educating employees at all levels about the importance of maintaining network security and data privacy, developing — and enforcing — clear and strict policies regarding information protection, and instituting protocols for handling sensitive data. It also means showing your employees that you are serious about protecting their privacy by offering identity theft protection as an employee benefit, and assistance should they fall victim to theft.
Sign #2: You Don’t Have an “Information Lockdown” Policy
When employees leave their desks for a break, a meeting, or even just to run to the copy room, how do they leave their desks? Those who work with sensitive information, including job applications, personnel files, payroll information, etc., should have to adhere to an “information lockdown” or “clean desk” policy. This means that before they leave their workstations for any length of time, they must properly secure all items containing personal information, including their computers, to prevent someone else from walking by and stealing information.
Sign #3: You Don’t Have a BYOD Policy
More than half of all organizations are now allowing employees to use their personal mobile devices for work. While this has great benefits in terms of productivity and employee satisfaction, it also presents some security risks. A lost or stolen phone containing corporate information or log-ins could give a criminal an entry point into your networks, where he or she could steal employee and customer data. The solution is a comprehensive Bring Your Own Device (BYOD) security policy that governs how employees can use their devices, procedures regarding lost and stolen devices, and guidelines for acceptable use designed to prevent malware that could lead to a data breach.
Sign #4: You’re Using Social Security Numbers as Identifiers
While a “full” identity containing name, address, birthdate, and Social Security number might only sell for about $5 on the black market, capturing someone’s Social Security number is still a major coup for an identity thief. With those nine digits, they can open new accounts, file taxes in someone else’s name — basically wreak havoc for the victim. Unfortunately, some companies still put Social Security numbers at risk by using them as employee ID numbers, printing them on badges, or using them for logins. Never use a Social Security number as an ID; if any of your vendors, such as health insurance providers, do so, request that alternate numbers be used to protect your employees.
Sign #5: You Don’t Conduct Background Checks
Most companies conduct background checks on employees who handle financial transactions. However, you should also be investigating employees who will deal with personal information to ensure there is no history of criminal activity involving identity theft. Doing your due diligence not only helps protect your employees, but can also help protect your company in the event a data breach occurs.
Sign #6: You Don’t Conduct Privacy Training
Some organizations are bound by federal law to provide annual privacy and data protection training to certain employees. However, it’s better to go beyond the minimum, and offer the training to all employees. This goes back to creating a culture of privacy: When everyone receives the same training and understands the importance of protecting personal information, it’s more likely that the information won’t fall into the wrong hands.
Employers have a responsibility to protect their employees’ personal information from identity thieves. By taking steps to create a culture of privacy and locking down common sources of leaks, you can avoid the lost time and productivity that result when employees have to repair the damage after their identities are compromised.
By Tanya Oliver