Same Name, Different Face –
Preventing Identity Theft in the Workplace
One sunny day
in the summer of 2000, Jeanine Guilfoyle
returned to her desk to discover that her purse
was missing. She immediately contacted the
police department, her building’s security
department, and her supervisor. After assessing
the contents of her purse, she breathed a sigh
of relief. Nothing sentimental or irreplaceable
was stolen. However, it turned out that the
thief did steal something extremely valuable…
her identity.
Guilfoyle
soon realized that canceling her credit cards
was the least of her concerns, because tucked
inside her wallet was her company issued health
insurance card. The membership ID number on the
card was also her Social Security number,
enabling the thief to easily assume Guilfoyle’s
identity and open two Verizon Wireless cell
phone accounts and numerous credit card
accounts. "I received letters from Sears, J.
Crew, Macy’s, Bloomingdales, and Banana
Republic," she explained. "When I opened them, I
found new credit cards with my name on them that
I never applied for. When I called to cancel the
cards, I was told they had already been maxed
out. Apparently, the thief applied for ‘instant
credit' at the stores and immediately spent the
limit."
Repairing
the damage wasn’t easy. “I had to call each of
the stores' fraud departments and the U.S.
credit bureaus, get a new driver's license, and
contact the Social Security office. It took
months of paperwork, phone calls, and
correspondence. I finally got things
straightened out, but not before I was stressed
to the point that I broke down." Guilfoyle also
had a fraud alert put on her credit which will
stay in place until 2007.
Workplace
identity theft can take on many forms. Identity
theft often occurs due to mishandling employee
sensitive identifying information (EII). As
noted in the Boston Herald Business Today
article, “Workplace
Identity Theft”, “Identity thieves use a
variety of methods to gain access to EII,
including stealing records from the employer,
bribing an employee who has access to these
records, or hacking into the employer’s computer
systems.”
Identity theft
is one of the fastest growing crimes in the
United States, with almost 10 million identity
thefts reported each year. It is estimated that
approximately 700,000 of these thefts each year
happen in the workplace. As noted in the
article, “Incidence
of Workplace Identity Theft Signals Need for
Proactive Measures,” “While the damage to an
employer from the unauthorized taking of
personnel data could be significant, liability
for the damage caused to individual employees
when that information is used for fraudulent
purposes poses an even greater risk.”
Identity theft
victims have the right to pursue damages. As
explained in the HR Matters article, “FACTA
Revisited,” employers have a legal
responsibility to secure and properly dispose of
personal employee or applicant information. If
they don’t, they can be sued for general
negligence, negligent hiring, supervision,
and/or retention, not to mention unreasonable
disclosure of private facts.
The
Fair and Accurate Credit Transactions Act
(FACTA) requires that any person who maintains
or possesses “consumer information,” which
includes applicant and employee information,
must be prepared to dispose of these records in
a way that ensures that the information will not
be improperly accessed or used. On June 1,
2005, new disposal provisions go in effect which
state that reasonable disposal measures such as
shredding, burning, and pulverizing paper
documents, and erasing confidential computer
files, must be taken.
However,
merely destroying confidential documents is not
enough. John Sweeney, GPHR, of the
SHRM information Center, stresses that
employers should review what employee
information is maintained and how it is shared
with others, both externally and internally.
“Concurrently, the audit should look at whether
such employee information is really required for
business operations or merely ‘nice to have.’
In the latter cases, employers should take every
opportunity to eliminate information that is
found to be unnecessary to the operating
effectiveness of the organization,” said
Sweeney.
Donald Harris,
president of HR Privacy Solutions, offers the
following ways to help safeguard your employees’
personal information in the HR Magazine article,
“Stolen
Identity”:
·
Create a culture of privacy though policies,
procedures, awareness, training, incentives, and
strict security measures.
·
Keep all files securely locked and limit the
number of people who have access.
·
Never use Social Security numbers as I.D.
numbers on employee badges, insurance cards,
paycheck stubs, etc.
·
Guard computer files by using password
protection and encryption software. Install
firewall protection and frequently update virus
protection.
Five years
later, Guilfoyle’s experience has made her more
aware of how her personal information is used.
"Employers and benefits companies should never
risk their employees’ safety by using Social
Security numbers as membership I.D. numbers.
Likewise, employees need to be aware of how
their personal information is being handled,"
said Guilfoyle. By taking the proper
precautions, perhaps employers and employees
together can win the battle against identity
theft.
For
more information on identity theft, visit these
websites:
Federal Trade Commission
Identity Theft Resource Center