    Tips on Identity Theft
    Written by Josh Cutler   
    Tue, Mar 18 2008 14:58
    Here is some info on workplace security from Identity Theft 911. Given the breach at Hannaford Market it might be of interest. Also here's a Globe article with more info on the breach. Still no word about individual stores.

    Protecting the Workplace Against Identity Theft

    By Adam Levin of Identity Theft 911

    Keeping customer data and employee information private and secure in the real world can be a challenge, even for the most compliance-minded companies. While it may not be possible for any workplace to be 100 percent safe from the threat of data breach and identity theft, there's a lot you can do to keep data safer.

    Here are some proven principles for defending data against would-be identity thieves.

    Develop a written privacy policy.
    Take a good look at how you handle data, including information provided by job applicants — then determine the risks and craft policies to control them. This requires creating a culture of privacy throughout the organization through appropriate policies and procedures, awareness programs, training, incentives, and strict security measures. Give employees a copy of your policy, preferably at their initial orientation. And once you have a privacy policy, enforce it.

    Lock up data and limit access.
    Keep files locked in a secure area, and restrict access to the smallest possible pool of employees. Minimize the types and amounts of data you store on employees, dependents, and customers.

    Protect that SSN.
    Don't use Social Security numbers (SSNs) as employee identifiers — nor on insurance cards, claims forms, paycheck stubs, timecards or timesheets, parking permits, staff badges, training program rosters, lists of employee promotions, monthly account statements, or client reports. Use randomly assigned numbers, and encrypt SSNs (along with other sensitive information) whenever they are sent or stored.

    Plug holes.

    Password-protect access to computer files, and give employees individual passwords that change regularly. Disable employee access to company data immediately upon termination, and audit data access for suspicious activity. Encrypt all data sent and received electronically, and install adequate firewall protection to deter prying eyes.

    Avoid casual information-sharing.

    Don't put employees' names, email addresses, or pictures on your external web site. Instruct employees that giving away seemingly innocuous information about the company and its employees — in chat rooms, for instance — is against your privacy policy.

    Shred, shred, shred.
    Destroy discarded documents that contain account numbers or personal identifiers — and have a written policy in place to regulate destruction of customer records and employee data. If your firm outsources document destruction, make the contractor provide documentary evidence of employee screening, appropriate insurance, written procedures, access prevention, monitoring and alarm systems, specific particle size, and a custodial audit trail.

    Know your employees.

    Know the identities of the people working for you, conduct background screening and criminal checks for employees with access to personnel data, and require confidentiality agreements. Stay attuned to changes in your employees' lives, and know what's happening between employees in the workplace.

    Communicate and collaborate.

    Reinforce security practices with employees, and make sure they know what to do if their data is compromised. Understanding essential first steps can help employees report problems faster and thwart additional fraud.

    Scrutinize third-party vendors.

    Outsourcing vendors can increase your company's risk. Employers that contract out functions increase the number of people with access to company data. To reduce the risk, make sure vendors are as committed to protecting confidential information as you are. Audit their security procedures. Use temporary workers only in areas where they won't have access to confidential data. If necessary, ask other departments to shift an existing employee (someone your company has screened fully) to fill that temporary need, and let the temp worker fill the less sensitive position.

    Leverage compliance programs.
    Emphasize the need to limit access to sensitive third-party personal data. While job responsibilities give certain employees a "need to know," authorized personnel should periodically be reminded of company policies against divulging such information without a legitimate business reason or for personal gain. Enforcement and documentation of such provisions can limit problems and help provide employers with a viable defense in case of litigation.

    Seize the opportunity.

    The employers that tackle information privacy and security issues most effectively are those that move beyond viewing privacy protection as a necessary annoyance.

    Last Updated ( Tue, Mar 18 2008 15:04 )
     