Small Businesses are Particularly Vulnerable to Identity Theft
Identity theft is the misuse or fraudulent use of an individual's personal information. The risk of theft is significant because employers retain sensitive personal data, such as social security and bank account numbers, in HR personnel files which can be targets of ID thieves. Identity theft affects consumers and businesses in a variety of ways. Not only do businesses suffer direct loss due to this crime but inadequate security and poor business practices may open a company up to liability suits, fines and loss of clientele. While no one can totally prevent identity theft due to the human element of this crime there are steps that a company can take to minimize risk factors.
The National Small Business Association reports that nearly 50 percent of all small business owners have been a victim of fraud three or more times. Forty percent of those who have been victimized report losses of $50,000 in the last five years. The most troubling fact is that customers and employees comprise the groups of people that most frequently commit fraud against small businesses, followed by suppliers/vendors and business partners.
“The principal security threat faced by small businesses comes internally from employees,” says Steve Cox, vice president for communications at the Arlington, VA-based Better Business Bureau. Those threats emanate from two factors: deliberate criminal acts by employees who steal a company’s data, and negligence by companies that have not safeguarded or secured their financial information or the owner’s personal data.
So what can you do to prevent identity theft? Cox recommends strengthening internal financial controls. He suggests having two people regularly review financial data, one internally who looks for unusual activity—such as unauthorized purchases—and an outside accountant to review your internal bookkeeping activities. That sets up a control to minimize the chances of your accountant committing or missing any wrongdoing.
An effective risk management policy should include the following internal controls:
- Information acquisition — Make sure that you have a good reason for requesting the information that you gather and gather it in a safe manner so others cannot overhear conversations or see how you gather the information.
- Storage — Develop computer security measures around the systems that store personal data.
- Access — Limit access only to those who need to know; establish passwords that are frequently changed; and audit the information gathering, processing, and storing systems.
- Disposal — Be careful what you put in the dumpster. There are “dumpster divers” out there. Shred sensitive documents before disposing of them.
- Distribution — Establish protocols for information disclosure. Limit the public display, use or exchange of personal information in your workplace including social security numbers, employee or membership cards, timecards, work schedules, licenses or permits and computer access codes.
- Personnel — Train personnel in the proper procedures regarding information disclosure.
A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace. Employers unwittingly aid ID thieves by misusing or mishandling employees' personal information. Consequently, employers are now facing considerable legal repercussions as the victims of such crimes are looking for restitution. For example, a Minnesota employer was recently sued for faxing a list of employees' names and social security numbers to different managers within the company.
Employers, however, can protect their employees and minimize the risk of theft and liability by eliminating some of the more frequent mistakes employers make, including:
- Keeping files in accessible locations and often neglecting to secure file cabinets
- Leaving original documents or facsimiles in all-access copiers
- Placing social security numbers on assorted documents such as timecards, membership cards, paychecks, licenses or purchase receipts
- Using social security numbers as health plan policy reference numbers.
Given the likelihood of liability when employees' records are misused or mishandled, employers should take steps to protect personal employee information and, indeed, are required to do so under state and federal statutes. In Pennsylvania, for example, recent legislation established standards for the printing and transmitting of social security numbers. The legislation prohibits employers from:
- Publicly posting social security numbers
- Printing a social security number on any card
- Transmitting a social security number over the internet without the use of encryption technology
- Requiring online users to access company websites with a social security number without password protection or other authentication technology
- Printing a social security number on any materials that are mailed to an individual, except where required by federal or state law, such as a W-2 form.
Employers should also be aware of a recent amendment to the Fair and Accurate Credit Transactions Act (FACTA) that requires employers to take reasonable measures to dispose of an employee's credit report obtained during the hiring process. Under the statute, reasonable measures may include implementing policies and procedures that require the destruction of all documents and electronic files containing personal information.
The first line of defense against identity theft is your company's policies and procedures. Employers should periodically review their policies to ensure compliance with state and federal law. Employers may also want to consider seeking legal help to ensure compliance. The bottom line is that we cannot dictate [legislate] ethical behavior in the workplace any more than we can in life. No company policy is a substitute for hiring honest employees by doing thorough background checks and personally speaking to previous employers. Management must set an ethical tone at the top, making clear that employee theft or the misuse of sensitive, personal information will not be tolerated. The penalties for wrongdoing must fit the crime and be applied evenly. Finally, the confidentiality of employee and customer data must be safeguarded at all costs. Remember, it takes a long time to build a reputation of trust in business but not very long to break it down.
Blog posted by Steven Mintz, aka Ethics Sage, September 21, 2011