Same Name, Different Face –
Preventing Identity Theft in the Workplace

One sunny day in the summer of 2000, Jeanine Guilfoyle returned to her desk to discover that her purse was missing.  She immediately contacted the police department, her building’s security department, and her supervisor.  After assessing the contents of her purse, she breathed a sigh of relief.  Nothing sentimental or irreplaceable was stolen.  However, it turned out that the thief did steal something extremely valuable… her identity.        

Guilfoyle soon realized that canceling her credit cards was the least of her concerns, because tucked inside her wallet was her company issued health insurance card.  The membership ID number on the card was also her Social Security number, enabling the thief to easily assume Guilfoyle’s identity and open two Verizon Wireless cell phone accounts and numerous credit card accounts.  "I received letters from Sears, J. Crew, Macy’s, Bloomingdales, and Banana Republic," she explained. "When I opened them, I found new credit cards with my name on them that I never applied for. When I called to cancel the cards, I was told they had already been maxed out. Apparently, the thief applied for ‘instant credit' at the stores and immediately spent the limit." 

Repairing the damage wasn’t easy.  “I had to call each of the stores' fraud departments and the U.S. credit bureaus, get a new driver's license, and contact the Social Security office. It took months of paperwork, phone calls, and correspondence. I finally got things straightened out, but not before I was stressed to the point that I broke down."  Guilfoyle also had a fraud alert put on her credit which will stay in place until 2007.

Workplace identity theft can take on many forms.  Identity theft often occurs due to mishandling employee sensitive identifying information (EII).  As noted in the Boston Herald Business Today article, “Workplace Identity Theft”, “Identity thieves use a variety of methods to gain access to EII, including stealing records from the employer, bribing an employee who has access to these records, or hacking into the employer’s computer systems.”

Identity theft is one of the fastest growing crimes in the United States, with almost 10 million identity thefts reported each year.  It is estimated that approximately 700,000 of these thefts each year happen in the workplace. As noted in the article, “Incidence of Workplace Identity Theft Signals Need for Proactive Measures,” “While the damage to an employer from the unauthorized taking of personnel data could be significant, liability for the damage caused to individual employees when that information is used for fraudulent purposes poses an even greater risk.”    

Identity theft victims have the right to pursue damages.  As explained in the HR Matters article, “FACTA Revisited,” employers have a legal responsibility to secure and properly dispose of personal employee or applicant information.  If they don’t, they can be sued for general negligence, negligent hiring, supervision, and/or retention, not to mention unreasonable disclosure of private facts.     

The Fair and Accurate Credit Transactions Act (FACTA) requires that any person who maintains or possesses “consumer information,” which includes applicant and employee information, must be prepared to dispose of these records in a way that ensures that the information will not be improperly accessed or used.  On June 1, 2005, new disposal provisions go in effect which state that reasonable disposal measures such as shredding, burning, and pulverizing paper documents, and erasing confidential computer files, must be taken.

However, merely destroying confidential documents is not enough.  John Sweeney, GPHR, of the SHRM information Center, stresses that employers should review what employee information is maintained and how it is shared with others, both externally and internally.  “Concurrently, the audit should look at whether such employee information is really required for business operations or merely ‘nice to have.’  In the latter cases, employers should take every opportunity to eliminate information that is found to be unnecessary to the operating effectiveness of the organization,” said Sweeney.       

Donald Harris, president of HR Privacy Solutions, offers the following ways to help safeguard your employees’ personal information in the HR Magazine article, “Stolen Identity”:

·        Create a culture of privacy though policies, procedures, awareness, training, incentives, and strict security measures.

·        Keep all files securely locked and limit the number of people who have access. 

·        Never use Social Security numbers as I.D. numbers on employee badges, insurance cards, paycheck stubs, etc.    

·        Guard computer files by using password protection and encryption software.  Install firewall protection and frequently update virus protection.

Five years later, Guilfoyle’s experience has made her more aware of how her personal information is used.  "Employers and benefits companies should never risk their employees’ safety by using Social Security numbers as membership I.D. numbers.  Likewise, employees need to be aware of how their personal information is being handled," said Guilfoyle.  By taking the proper precautions, perhaps employers and employees together can win the battle against identity theft.     

For more information on identity theft, visit these websites:

Federal Trade Commission

 Identity Theft Resource Center