Stolen identity - Cover Story - preventing identity theft

HR Magazine, Dec, 2002 by Susan J. Wells

Close external loopholes that can cause trouble and invite crime, says Sajay Rai, partner in the security and technology solutions practice at professional services firm Ernst & Young LLC in New York. "Don't put employees' names, e-mail addresses or pictures on your external web site," he says, and instruct employees that giving away seemingly innocuous information about the company and its employees--like in chat rooms--is against your privacy policy."

Shred it. Always destroy any discarded documents that contain personal identifiers and account numbers. If your firm outsources document destruction, require the contractor to give you evidence of employee screening, appropriate insurance, written procedures, access prevention, monitoring and alarm systems, specific particle size and a custodial audit trail, advises the National Association for Information Destruction Inc. in Phoenix.

Check backgrounds. Require background screening and criminal checks of employees who will have access to personnel data. "Make sure you know the identities of the people working for you," says Mathiason. "There's no tolerance in the legal community for anything less."

Require such employees to sign confidentiality agreements.

Toughen scrutiny of third-party vendors and temps. Outsourcing vendors also can be a source of identity theft, as employers that contract out their HR functions to a third party are increasing the number of people who will have access to company personnel data. To cut the risk, make sure vendors are just as committed to protecting confidential information as you are.

Consider using temporary workers only in areas of the company where they won't have access to confidential data. Instead, ask other departments to shift an existing employee (someone your company has fully screened) to that temporary need-and let the temp worker fill the existing employee's position, suggests Jay Foley, director of consumer and victim services at the Identity Theft Resource Center, a nonprofit organization in San Diego.

Communicate and collaborate. Regularly remind employees of security practices. And let them know what they should do if they believe their personal identifying information has been compromised.

According to a June 2002 General Accounting Office report on identity theft, 35 percent of victims who called the FTC's ID Theft Clearinghouse hadn't yet notified any credit bureau at the time they contacted the FTC, 46 percent hadn't notified any of the financial institutions involved and 54 percent hadn't contacted their local police department.

By advising your employees on how to take these critical steps as soon as they suspect potential trouble, you can help them report problems faster and thwart additional fraud. (See "When Identity Theft Strikes," on page 36.)

Recognize the employee-relations benefits. Employers that are most effective in tackling information privacy and security issues are those that move beyond viewing privacy protection simply as "something they had better do or else," HR Privacy Solutions' Harris says.