Identity Theft Header

Identity Theft: How the Employer Can Limit Liability

 

The workplace is now ranked as the number one source of identity theft. And, with the new FACTA laws, your company’s exposure to fines and lawsuits has significantly increased. What follows is just how you can protect yourself and your company.

Current Statistics for Identity Theft
In 2005, one in very 25 adults was a victim of ID theft according to a report by the BBB and Javelin Research. The Federal Trade Commission (FTC) estimated that ID theft crimes tallied $52.6 billion in fraud that year, or almost $200 for every man, woman, and child in the US. There’s no doubt that identity theft is the fastest-growing crime in America, and the FTC predicts that in five years, the majority of Americans will have been victimized by some form of identity theft. ID theft is expected to grow twenty-fold within the next 24 months.

What happens to a victim of ID theft and to their employer? Most recent figures from the Identity Theft Resource Center (ITRC) report that out-of-pocket expenses related to ID theft have risen to $1,495, up from $808 in 2002, plus $16,000 in lost wages.

On average, it takes 607 hours for victims to recover from ID theft (up from just 175 hours in 2002). A survey for Nationwide Insurance revealed that 16% of victims are forced to pay an average of $6,440 to cover the thieves’ purchases. Perhaps the greatest long-term impact is that victims remain vulnerable for the rest of their lives. In some cases, their identities are never fully restored.

Employers Have a Major Stake

A Michigan State University study discovered the 51% of ALL identity thefts occur in the workplace. The number one target of thieves is employee records. According to the FTC, approximately 90% of business record thefts involve payroll or employment records, with 10% involving customer lists.

On June 1, 2005, a new provision of the Fair and Accurate Credit Transactions Act (FACTA) took effect and now any employer whose action or inaction results in the loss of employee information can be fined by federal and state government and sued in civil court. An employee is entitled to recover actual damages sustained if their identity is stolen due to an employer’s inaction, or statutory damages up to $1,000. Employees may also bring a class-action suit against employers for actual and punitive damages. In addition, federal fines of up to $2,500 per employee, and state fines up to $1,000 per employee, may be levied.

A recent Michigan case highlights another source of corporate liability. In the 2005 case of Audrey Bell et al vs. AFSME AFL-CIO Local 1023, the Michigan Appeals Court affirmed a jury award of $275,000 to AFSME members who had sued the union for failing to safeguard is member’s social security numbers. It recognized a special relationship between the union and its employees, including a duty to protect them from identity theft by providing safeguards to ensure the security of their most essential confidential identifying information which could easily be used to appropriate a person’s identity.

The Bell case has national implications for employers. Arizona, California, Illinois, Texas and other states all have statutes that require an employer to restrict the use and disclosure of social security numbers. While not as broad as Michigan’s law, they support the view that a “special relationship” exists between an employer and an employee whose data is stolen from the employer to commit identity theft.

Employers also suffer other significant costs when their employees experience identity theft. Conservative calculations based on current ID theft figures indicate that an employer with 1,000 employees, who make an average of $40,000 in salary per year, should expect to incur productivity losses of more than $600,000 per year. ID theft also threatens enterprise security, enabling corporate espionage and fraud, and theft of hard assets and intellectual property. Large scale or frequent identity thefts also result in significant publicity (remember the Choicepoint scandal?) that impacts sales, partnerships as well as employee recruiting and retention.

Protection as an Employee Benefit

One solution that provides an affirmative defense against potential fines, fees and lawsuits is to offer some sort of identity theft protection as an employee benefit. The employer can choose whether or not to pay for any or part of this benefit. The key is to make the protection available through a mandatory meeting.

Employees can elect either to accept or decline to have ID theft coverage. Should employees elect to have coverage and they then become a victim of identity theft, the employer gains by:

* The victimized employees spends significantly less amounts of time and money, and experiences less frustration in restoring their identity.

* If the employee declines coverage and later claims their identities were stolen as a result of the company’s actions, the employer has signed proof that this employee attended the presentation and declined coverage.

How could work ID theft protection work as an early warning system for your company? Let’s say one of your employees has ID theft monitoring and restoration services. Suddenly they are notified that their bank account information has been stolen and unauthorized withdrawals have happened. Immediately the employee is able to stop further transactions, and the theft is traced back to your company’s payroll records having been hacked into. Now you are in a position to stop the breach and prevent any further leaks from happening. Without this kind of protection, you would have been unaware of the problem until way too late quite possibly costing your company tens or hundreds of thousands of dollars in lawsuits.

How Can Companies Further Protect Themselves?

Most ID theft experts say it’s not just a matter of if we will become victims of ID theft, for a majority of us; it’s a matter of when.

While we can’t totally prevent identity theft due to the human element of this crime there are other steps a company can take to minimize risk factors. Safe information handling practices are the key to keeping identifying information out of the hands of thieves. These are some of the questions to ask yourself:

* Information Acquisition
Do you have a good reason for requesting the information that you gather? Are you acquiring it in a safe manner so that it cannot be overhead or seen by others?

* Storage
What computer security measures have been placed around the systems storing personal data? Is the data considered highly classified and not common access?

* Access
Is personal identifying information available only to limited staff? Is database access audited or password controlled?

* Disposal
What is in your dumpster? Is it a treasure chest for thieves? Are electronic/paper documents and databases containing personal information rendered unreadable prior to disposal?

* Distribution
Are personnel trained in the proper procedures regarding information disclosure? Do you publicly display, use or exchange personal information (especially Social Security numbers) in your workplace? This includes employee or membership cards, timecards, work schedules, licenses or permits and computer access codes.

* Personnel
Do you conduct regular background checks on ALL employees with access to identifying information? That might also include mailroom staff, cleaning crews, temp workers and computer or hotline service techs.

Businesses need to step up to the plate and become an ally in this war that is only increasing. How you protect yourself is truly your first line of defense.

For more information about identity theft prevention contact Cathy at 949 635-4923

 

 

Identity Theft Articles

Privacy Policy

Copyright Creative Communications 2008