Judith Wilson
HR Doesn't Have to Be a Mystery

Digital or Paper: Keep Employee Personal Information Secure and Protected


By: Judith Wilson | Monday, December 22, 2008

According to the Federal Bureau of Investigation (FBI), “Identity theft involves the misuse of another individual's personal identifying information for fraudulent purposes.” The FBI Web site also states that, “Identity theft is one of the fastest growing crimes in the U.S., claiming more than 10 million victims a year.”

Employers are stewards of employee personal information. With the growing concern over identity theft and related liabilities, employers must take every precaution to earn and keep employee trust. Michael Hall, a certified identity risk management specialist, recently told a human resources conference audience that the workplace is the site for more than half of all identity thefts. 

It’s not all about the technology; it’s all about the people

The Internet and other technological advances have dramatically increased efficiencies, but technology is a double-edged sword. Technology has also brought unprecedented security and privacy challenges.

What kinds of employee personal information are employers entrusted with? In addition to the employee name, personal information includes the following:

  • Address
  • Social security number
  • Date of birth
  • Driver’s license information
  • Health records
  • Bank account information

Employers must take steps to protect employee personal information – which may extend beyond the above categories, depending on applicable law – from leaking to unauthorized company personnel or to outside sources. Both employee records and other personal information, including both electronic and hard copies, must be kept in a locked and secured location.

Obviously you don’t want just anyone in the organization rummaging through an employee’s personal records file. There are a limited number of people, however, who will have legitimate business reasons and can be authorized to access this information. You will want to keep an updated list of these individuals.

In addition, you will want to work with your staff so they understand the seriousness of handling employee personal information in a competent and secure manner. This includes issuing and regularly updating a related employee data security policy that clearly defines the restricted scope of access to such information and overall use of the same. It is also important to regularly audit your process and procedures, as well as do the following.

  1. Emphasize the importance of keeping all employee records updated.
  2. Include a policy in your employee handbook: Remind employees to communicate or update their personal information and explain the business reasons behind this request (how this information can impact insurance benefits, etc.).
       • Marital status
       • Address
       • Beneficiaries
       • Phone numbers

Some organizations sponsor an intranet site where this information can be maintained on a secure online location. Normally, employees log in with a password and they can conveniently access and update their personal information.

While storing employee personal data online is recognizably more efficient and convenient, it is also a major cause for concern because of the potential for identity theft. This issue is not only an IT problem. Employers can potentially be held liable should employee personal information get into the wrong hands. Again, identity theft has become the country’s number one fraud issue, and it is a felony.

Applicable State Legislation Also Must be Considered

There is a current trend of states adopting new and/or stricter guidelines in order to protect employee personal information. Several states have recently developed stricter laws in the area of employee identification protection.  For example, New York has new legislation (effective January 2009) that will regulate the internal use and external distribution of personal identifying information, including social security numbers and derivatives thereof.  For employers in New York, this will necessitate a review of current employee data security practices to ensure compliance with the new law.  Hopefully, though, most employers are already engaging in prudent practices that do not run afoul of state legislation, such as not posting social security numbers on employees’ paychecks or paystubs as payroll numbers.

In addition, some states are mandating that security measures be put in place to protect any social security numbers stored on applicant tracking systems, or in files. For instance, the state of Massachusetts has developed legislation that will be effective May 1, 2009 (originally set to be effective January 2009). Massachusetts regulations require that businesses take a number of measures including encrypting wireless-transmitted data, utilizing up-to-date firewall protection and only permitting authorized users to have access to or to transmit data, according to its Office of Consumer Affairs and Business Regulation (OCABR). Taking into consideration the economic uncertainties that businesses are facing, the OCABR said it recognizes that additional time may be needed to comply with the new regulations, considered by many to be the most strict data security law in the United States.

A Stand-Alone Policy

As mentioned above, there is also a need for employers to generate and disseminate a related stand-alone policy to employees. Due to the importance of the secure maintenance of employee records and other employee personal information, employers should consider implementing a stand-alone policy regarding employee access, use and protection of employees’ personal information.

At minimum, employers should provide employee training and set strict policies for keeping employee personal information secure and protected. Whether thieves are going through your trash dumpsters or hacking through an employee’s laptop, or an unauthorized employee gains inadvertent access to another employee’s personal information and improperly divulges that information to a third party, the incentive to protect employee personal information should remain strong. The bottom line is, you want to do all that you can at the outset to prevent personal information from getting into the wrong hands or being used in the wrong ways.

Resource for Massachusetts information:

http://www.scmagazineus.com/Massachusetts-data-security-law-rule-extended-four-months/article/121208/

Resource for New York information:

http://www.backtrackerblog.com/2008/08/new-york-bill-for-employee.html

Legal Disclaimer
The information contained in this document is for general, informational purposes only and is not intended to be legal advice. This information is not a substitute for the guidance of a professional and should not be relied upon in reference to any specific situation without first seeking the advice of a qualified HR professional and/or legal counsel regarding applicable federal, state or local laws. HRTools, Insperity and their respective employees make no warranties, express or implied, and make no judgments regarding the accuracy of this content and/or its applicability to a specific situation. A reference or link to another website is not an endorsement of that site or service.