Recent headlines have shed light on a growing problem, individuals who retrieve and sell personal information that a business has collected for legitimate reasons. Consider the following:
o A former help desk worker used his position at a credit checking company to obtain the personal information of thousands of individuals. The worker allegedly conspired with an accomplice to sell the victims’ credit reports to an identity theft ring. The ring supplied the pair with the name and social security numbers of the individuals whose identities they wanted to steal. The worker, who left the company in 2000, allegedly used codes he had obtained as an employee to access credit reports. He was also accused of providing access codes and passwords to at least one cohort who then used the codes to obtain consumer credit reports.
o A ring of identity thieves targeted a group of high-ranking executives. A temporary employee working at the company’s world headquarters obtained personal information about company executives and then sold it. The information, including social security numbers and birthrates was used to obtain credit cards. The police estimated about $100,000 was charged to the cards.
o The former employee of an insurance company stole a database containing 60,000 personnel records and sold some of the private information over the Internet. The suspect posted a message on an electronic bulletin board announcing that he had thousands of names and social security numbers for sale. Further investigation revealed he had also posted the credit card number of a former supervisor. At the same time, he allegedly created false e-mail addresses and sent harassing messages to colleagues.
So how does this happen? An individual can do everything right, from shredding documents containing sensitive personal information to monitoring credit reports but the reality is your personal information is only as safe as the organization protecting it.
Identity theft occurs when someone uses the identifying information of another person, such as name or social security number to commit fraud or engage in other unlawful activities. While numerous variations of the crime exist, an identity thief can fraudulently use personal identifying information to, among other things:
o Open new credit card accounts;
o Take over existing credit card accounts;
o Apply for loans;
o Rent apartments;
o Establish services with utility companies;
o Write fraudulent checks;
o Steal and transfer money from existing bank accounts;
o File bankruptcy; and
o Obtain employment using the victim's name.
Identity theft rings have been known to recruit individuals who work within an organization or they seek employment themselves in positions where they have access to personnel records, credit reports or other sources of personal information. Identity theft rings pay individuals anywhere from $20-60 an identity.
One major problem with incidents of this nature is some organizations try to avoid potential embarrassment and negative publicity by not informing employees or customer that their personal information may have been compromised.
When whole groups of people are victimized, there are more clues.
In one case, a teacher at a middle school complained to a colleague when bill collectors started calling him at work. Another teacher who had also been victimized overheard him. When they began to inquire they soon found out various other teachers had also been the victims of identity theft.
After checking credit records four teachers found they had the same fraudulent address on their credit reports. The identity thieves had also applied for the same card on almost every teachers record.
Times have changed and organizations can no longer take a head in the sand approach when dealing with identity theft.
Organizations can implement the following safeguards to prevent identity theft in the workplace:
o Properly dispose of personal information and other sensitive material. This could be accomplished by shredding documents. Do not allow intact documents containing personal information to be thrown in dumpsters.
o Conduct background checks on all individuals with access to personal and/or sensitive information, including cleaning and temporary service.
o Limit the number of temporary agencies your company uses. If possible, maintain the services of one trusted firm.
o Develop guidelines to safeguard personal and/or sensitive information; the guidelines should address issues such as practices for handling such information responsibly.
o Train staff on information security issues and include information on the topic in new employee orientations. Educate them on why certain information needs protection and procedures on how to protect it.
o Limit the use of social security numbers in the workplace. Don’t use the number on items such as employee identification badges, time cards or paychecks for the whole world to see. Use alternative numbers.
o Control access to personal information and limit it to those employees who have a legitimate reason for access. Audit who looks at what personal information.
o Secure employees’ personal information in a locked file cabinet or other secure area. Sensitive files stored on the computer should be password protected and encrypted.
o Implement and enforce password security procedures for all computer users. Passwords should be changed on a regular basis.
There are numerous opportunities to educate employees on identity theft prevention and the steps to take if they become victims: new employee orientations, annual staff orientations, training conferences, workshops, and departmental meetings are just a few. Brown-bag lunch training sessions have also been found to be helpful.
Security awareness could also be increased through the use of posters, newsletter articles, e-mails, video presentations and other promotion vehicles such as brochures or booklets that address identity theft. Stock relevant publications and audio-visual programs and make them accessible to company executives and employees.
Identity theft is a crime of opportunity. Vigilance and awareness is essential in combating the fast growing non-discriminatory crime.