Identity theft is a growing crime in this country and the liability risk of employers is increasing along with it. The reason is all the sensitive personal information collected from employees, job applicants, customers, independent contractors, business partners, patients and others.
The Federal Trade Commission reports that every year, millions of Americans fall victim to identity theft. And according to some studies, improperly handled employee records were the greatest contributor to identity theft in the workplace.
Companies must keep personal information about employees, customers and others confidential and secure – or risk liability for negligence.
Employers Caught in Identity Theft Schemes
A pharmaceutical company in San Diego was sued by some of its former staff members after an employee stole a box of old personnel records found in a storage closet. Information from the records (including names and Social Security numbers) was used to rent apartments, set up cell phone service and open credit card accounts. The victims argued the crime would have never happened if the employer had taken proper care of their records. The ID thief was eventually convicted and the pharmaceutical company settled the case out of court.
An Alabama Hospital employee stole personal information about child patients. The names, birth dates and Social Security numbers were later used by someone else to claim false child exemptions on federal income tax returns that resulted in fraudulent refunds. The hospital employee was paid $100 for each name successfully used in the scheme, according to the Justice Department.
Temporary employees hired by an Arkansas Hospital were charged with stealing information from employee records. They allegedly took the names, birth dates and Social Security numbers of six hospital employees and used the information to set up store credit accounts.
Police say the identity theft was part of a broader operation where the thieves sought temporary jobs in order to gain access to employer personnel records.
To protect your business, strive to take as many of the following 10 steps as possible:
1. Collect only the information necessary from applicants, employees and customers. For example, do you need to have all job applicants put Social Security numbers (SSNs) on their applications? If you need the numbers for background checks, obtain them only after applicants become finalists.
2. Use numbers other than the SSNs as employee identification numbers.
3. Rigorously enforce the confidentiality of employees’ personal information, including their SSNs and ID numbers. This means adopting and enforcing a policy that only persons with a need to know have access to the information.
4. Safeguard sensitive information, especially SSNs. In other words, keep documents locked up. Take all security precautions with data kept on computers. Allow only authorized persons access to records.
5. Do background checks on all prospective employees’ backgrounds before hiring them.
6. Destroy employee records when they’re no longer needed. Make electronically stored records unreadable. Use crosscut paper shredders on paper documents. This is not merely a good business practice. The Fair and Accurate Credit Transaction Act requires employers and others to destroy all paper documents and computer disks containing consumer information before discarding them. That means it’s a violation of the law to simply throw out documents such as employee application forms with names, SSNs and credit histories listed on them. Consumer information is defined by the Federal Trade Commission as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.”
7. Don’t post or display employee SSNs where other people can view them. Do not put the numbers on ID badges, timecards, work schedules or lists distributed to employees. SSNs should never be used as a computer password or login. (Also, don’t publicly display other personal information, such as employees’ home addresses, phone numbers, or drivers’ license numbers.)
8. Encourage employees to keep the personal information they bring with them to the workplace (such as Social Security cards, drivers’ licenses, and credit cards) in locked desk drawers, locked cabinets or lockers.
9. Tell employees not to place personal mail containing checks, SSNs or financial account information in unlocked outgoing mailboxes or mail trays in the workplace.
10. Adopt a written policy on identity theft and distribute it to employees in your employee handbook. Include in your policy a way for employee victims of identity theft to report it to management in confidence. This is important so that your company can investigate whether the crime originated in your workplace.