Stolen identity - Cover Story - preventing identity theft

HR Magazine, Dec, 2002 by Susan J. Wells

"You have to show that the employer openly disregarded procedures that would protect the information and didn't exercise reasonable care," says Mathiason. "Unfortunately, it's not always a situation where you can draw a bright line. But wherever that magic line is, it's going up."

And because these types of claims are fairly new, legal observers say the true scope of liability could grow. That's troubling, given that Mathiason says "it's at a pre-epidemic or even near-epidemic stage now."

The Building Blocks of Prevention

Striking a balance between managing and maintaining the information HR needs and meeting employees' privacy and security needs is a big challenge--even for the most compliance-minded companies.

While no workplace can ever be 100-percent safe from the threat of identity theft, sound practices can do a lot to deter the crime. Even some of the most obvious and low-tech defenses return high-level protection.

Here are some important strategies that employers of all sizes should immediately review, implement and strengthen, experts say.

Have a written privacy policy. Employers need to get their privacy houses in order, says Donald Harris, president of HR Privacy Solutions, a New York-based consulting practice, and co-chair of the International Association for Human Resource Information Management's Privacy & Security Special Interest Group.

Harris says employers should identify how they currently handle personally identifiable information about applicants and employees, determine the risks these practices pose, and craft and implement policies. "This requires creating a culture of privacy throughout the organization" through appropriate policies and procedures, as well as through awareness, training, incentives and strict security measures, he says.

After you create a policy, give employees a copy and state that you're taking steps to safeguard their information to the best of your ability. "Make it a part of your new-employee orientation," recommends Littler Mendelson's Mathiason.

Lock up and limit access. Keep personnel files locked in a secure area and limit those who have access to them. Minimize the types and amounts of data you store on employees, dependents and customers.

Guard the SSN. Don't use SSNs as employee identifiers, or on insurance cards, claims forms, paycheck stubs, time-cards or timesheets, parking permits, staff badges, training program rosters, lists of who got promoted, monthly account statements or client reports. Use alternate, randomly assigned numbers and encrypt sensitive information when in transit.

Lawmakers are increasingly focused on making this practice a mandate. A new law in California, which took effect in July, strictly limits businesses' use of SSNs, and other states, including Arizona, Connecticut, Ohio, Pennsylvania and Vermont, are considering similar or identical legislation.

Plug the holes. Ensure that access to computer files is password-protected, and issue employees individual passwords that are regularly changed. Disable employee access to your company data immediately upon termination and audit access to data for suspicious activity. Use encryption software to protect electronic data that's sent and received and install adequate firewall protection to deter prying eyes.