Identity Theft, Background Check Reports, and the Employer

By Kevin Klimas, bizAZ Magazine.

The crime of identity theft has reached epidemic proportions. According to the FBI, identity theft is the fastest growing white-collar crime in the United States and Arizona has the dubious honor of ranking first in the nation for the number of incidences per capita.

Identity theft occurs when personal information is obtained and then used for illegal purposes. While many of us think of identity theft as simply credit card fraud, it has in fact evolved beyond stealing credit card offers from the mailbox as criminals are becoming increasingly sophisticated in their methods for obtaining private information.

The Greatest Resource for Criminals 

Companies, by the mere nature of being in business, have a virtual goldmine of personal data (i.e. address, social security number, date of birth, etc.) on their employees and identity theft perpetrators are now finding it easier than ever to tap into this resource. One of the more common sources of this personal data is an applicant’s background check report (legally known as a consumer report).

While there are industry best practices for how to properly handle personnel files, including acquiring, storing and destroying consumer reports and other sensitive information, it is important to first understand ways in which criminals get their hands on employee records.

Obtaining Information is Easier Than Ever

Today’s criminals have numerous ways of obtaining information from businesses or other institutions, including:



With so many opportunities to steal this information, and so much at risk, businesses have an obligation to protect personal data from falling into the wrong hands.

Protecting Employees

What can employers do to protect their employees from becoming victims of identity theft?

Given the fact that other employees are often the source of an information breach, the first line of defense is to conduct background checks on all job applicants. Pre-employment screening including, but not limited to, criminal record searches and employment/reference verifications, can provide a clearer picture of your candidates and help protect against potential information leaks.

In addition to hiring candidates with integrity, employers also must put processes in place to control the flow of information. From the employment application to an employee’s departure, HR records, including consumer reports, must be closely guarded.

Following are important tips for Acquiring, Storing and Destroying this information.

Acquiring Information

When acquiring information on applicants from a third-party vendor, such as Clarifacts, the most important consideration is to protect your passwords. Keep in mind these simple guidelines:



Storing Information

Restricting access is the most important consideration when storing employee information. Following are three simple steps employers can take to securely store data:



Destruction of Information

The Federal Trade Commission (FTC) recently issued new regulations governing the proper disposal of consumer report information (which includes background check reports). The “Disposal Rule” under the Fair and Accurate Credit Transaction Act of 2003 (FACTA) went into effect June 1, 2005, and amends the Fair Credit Reporting Act (FCRA), which regulates the employment screening industry and the employers who use consumer report information.

The Disposal Rule requires businesses to adopt disposal practices that are reasonable and appropriate to prevent the unauthorized access to, or use of, information in a consumer report. The FTC standard for the proper disposal of information is flexible and allows organizations to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.

These “reasonable measures” could include, but are not limited to:



The Disposal Rule applies to every business, regardless of size or number of employees. When companies violate the Disposal Rule and compromise the personal information of employees, they are legally exposed. Depending on the type of action and whether the violation was willful or negligent, the FCRA provides for a range of civil liabilities and penalties, including actual damages, statutory damages up to $1,000 per violation, punitive damages and civil penalties up to $2,500 per violation – not to mention attorney’s fees and other costs.

If personal employee information has been compromised, the FTC recommends that you immediately notify law enforcement and the individuals that may be affected.

Help Stop Identity Theft in the Workplace

Being number one in the nation for identity theft is not a distinction any of us want for Arizona, and we certainly do not wish to see this crime proliferated in our own companies. As human resource professionals, business owners and managers, we must be diligent in recognizing identity theft opportunities within our own organizations, and in taking immediate steps to help secure employee information. By properly acquiring, storing and destroying sensitive data, businesses can make significant strides in preventing identity theft in the workplace.

Kevin Klimas is the founder and president of Clarifacts Inc, a privately held corporation focused exclusively on background screening services. Clarifacts provides nationwide service across a variety of industries including legal, healthcare, technology, manufacturing and non-profit just to name a few, with clients ranging from Fortune 500 companies to sole proprietorships. For more information visit