Publication Date: January 01, 2006
By Kevin Klimas, bizAZ Magazine.
The crime of identity theft has reached epidemic proportions. According to the FBI, identity theft is the fastest growing white-collar crime in the United States and Arizona has the dubious honor of ranking first in the nation for the number of incidences per capita.
Identity theft occurs when personal information is obtained and then used for illegal purposes. While many of us think of identity theft as simply credit card fraud, it has in fact evolved beyond stealing credit card offers from the mailbox as criminals are becoming increasingly sophisticated in their methods for obtaining private information.
The Greatest Resource for Criminals
Companies, by the mere nature of being in business, have a virtual goldmine of personal data (i.e. address, social security number, date of birth, etc.) on their employees and identity theft perpetrators are now finding it easier than ever to tap into this resource. One of the more common sources of this personal data is an applicant’s background check report (legally known as a consumer report).
While there are industry best practices for how to properly handle personnel files, including acquiring, storing and destroying consumer reports and other sensitive information, it is important to first understand ways in which criminals get their hands on employee records.
Obtaining Information is Easier Than Ever
Today’s criminals have numerous ways of obtaining information from businesses or other institutions, including:
- Employees stealing records or information while they are on the job
- Bribing employees who have access to these records
- Conning information out of employees
- Hacking into electronic records
- Rummaging through a company’s garbage (a practice known as “dumpster diving.”)
- Theft by non-personnel while on your premises
With so many opportunities to steal this information, and so much at risk, businesses have an obligation to protect personal data from falling into the wrong hands.
What can employers do to protect their employees from becoming victims of identity theft?
Given the fact that other employees are often the source of an information breach, the first line of defense is to conduct background checks on all job applicants. Pre-employment screening including, but not limited to, criminal record searches and employment/reference verifications, can provide a clearer picture of your candidates and help protect against potential information leaks.
In addition to hiring candidates with integrity, employers also must put processes in place to control the flow of information. From the employment application to an employee’s departure, HR records, including consumer reports, must be closely guarded.
Following are important tips for Acquiring, Storing and Destroying this information.
When acquiring information on applicants from a third-party vendor, such as Clarifacts, the most important consideration is to protect your passwords. Keep in mind these simple guidelines:
- If using a secure Internet site or some type of software system, make sure your user names and passwords are embedded or “hidden.”
- Restrict access to user names and passwords to only a few key personnel and assign a unique password to each user.
- Have a designated fax machine where personal information will be sent back and forth with the information vendor and place the machine in a secure location rather than in a generally populated area of the office.
- Do not discuss user names or passwords by telephone with any unknown caller, even if he or she claims to be from a familiar company or vendor.
Restricting access is the most important consideration when storing employee information. Following are three simple steps employers can take to securely store data:
- Place any computers or servers that contain employee records in a secure location within the office. Physical access to these devices should be difficult for unauthorized personnel.
- Electronic files should be password protected and restricted to key staff members only.
- All hard copy information should be stored in a secure area within locked file cabinets. These cabinets should always be locked when not in use and after normal business hours.
Destruction of Information
The Federal Trade Commission (FTC) recently issued new regulations governing the proper disposal of consumer report information (which includes background check reports). The “Disposal Rule” under the Fair and Accurate Credit Transaction Act of 2003 (FACTA) went into effect June 1, 2005, and amends the Fair Credit Reporting Act (FCRA), which regulates the employment screening industry and the employers who use consumer report information.
The Disposal Rule requires businesses to adopt disposal practices that are reasonable and appropriate to prevent the unauthorized access to, or use of, information in a consumer report. The FTC standard for the proper disposal of information is flexible and allows organizations to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
These “reasonable measures” could include, but are not limited to:
- Burning, pulverizing or shredding documents and destroying or erasing electronic files or media containing consumer report information so that the information cannot be read or reconstructed.
- Conducting due diligence when hiring a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule.
The Disposal Rule applies to every business, regardless of size or number of employees. When companies violate the Disposal Rule and compromise the personal information of employees, they are legally exposed. Depending on the type of action and whether the violation was willful or negligent, the FCRA provides for a range of civil liabilities and penalties, including actual damages, statutory damages up to $1,000 per violation, punitive damages and civil penalties up to $2,500 per violation – not to mention attorney’s fees and other costs.
If personal employee information has been compromised, the FTC recommends that you immediately notify law enforcement and the individuals that may be affected.
Help Stop Identity Theft in the Workplace
Being number one in the nation for identity theft is not a distinction any of us want for Arizona, and we certainly do not wish to see this crime proliferated in our own companies. As human resource professionals, business owners and managers, we must be diligent in recognizing identity theft opportunities within our own organizations, and in taking immediate steps to help secure employee information. By properly acquiring, storing and destroying sensitive data, businesses can make significant strides in preventing identity theft in the workplace.
Kevin Klimas is the founder and president of Clarifacts Inc, a privately held corporation focused exclusively on background screening services. Clarifacts provides nationwide service across a variety of industries including legal, healthcare, technology, manufacturing and non-profit just to name a few, with clients ranging from Fortune 500 companies to sole proprietorships. For more information visit www.clarifacts.com.