Identity Theft in the Workplace: The Insider Threat

Recent headlines have shed light on a growing problem, people retrieving and selling personal information that a company has collected for legitimate reasons. Consider the following:

o A former help desk worker used his position with a credit checking company to obtain the personal information of thousands of people. The worker allegedly conspired to make a profit to sell the victims’ credit reports to an identity theft ring. The ring provided the couple with the name and social security numbers of the people whose identities they wanted to steal. The worker, who left the company in 2000, allegedly used codes he had obtained as an employee to access credit reports. He was also charged with providing access codes and passwords to at least one cohort who then used the codes to obtain consumer credit reports.

o A network of identity thieves targeted a group of high-ranking executives. A temporary employee working at the company’s world headquarters obtained personal information about company executives and then sold it. The information, including social security numbers and birth rates, was used to obtain credit cards. Police estimated that around $100,000 was charged to the cards.

o A former insurance company employee stole a database containing 60,000 personnel records and sold some of the private information over the Internet. The suspect posted a message on an electronic bulletin board announcing that he had thousands of names and social security numbers for sale. Further investigation revealed that he had also posted the credit card number of a former supervisor. At the same time, he allegedly created fake email addresses and sent harassing messages to his colleagues.

So how does this happen? A person can do everything right, from shredding documents containing sensitive personal information to monitoring credit reports, but the reality is that his personal information is only as safe as the organization that protects it.

Identity theft occurs when someone uses another person’s identifying information, such as a name or social security number, to commit fraud or participate in other illegal activities. While there are many variations of the crime, an identity thief can fraudulently use personally identifiable information to, among other things:

o	Open new credit card accounts;

o	Take over existing credit card accounts;

o	Apply for loans;

o	Rent apartments;

o	Establish services with utility companies;

o	Write fraudulent checks;

o	Steal and transfer money from existing bank accounts;

o	File bankruptcy; and

o	Obtain employment using the victim's name.

Identity theft rings have been known to recruit people who work within an organization or seek employment themselves into positions where they have access to personnel records, credit reports, or other sources of personal information. Identity theft rings pay people between $20 and $60 per identity.

A major problem with incidents of this nature is that some organizations try to avoid potential embarrassment and negative publicity by failing to inform employees or customers that their personal information may have been compromised.

When entire groups of people are victimized, there are more clues.

In one case, a high school teacher complained to a colleague when bill collectors began calling him at work. Another teacher who had also been victimized heard him. When they began to investigate, they soon discovered that several other teachers had also been victims of identity theft.

After checking credit records, four teachers discovered that they had the same fraudulent address on their credit reports. Identity thieves had also applied for the same card in nearly every teacher’s registry.

Times have changed and organizations can no longer take a head-in-the-sand approach when it comes to identity theft.

Organizations can implement the following security measures to prevent identity theft in the workplace:

o Properly dispose of personal information and other sensitive material. This could be achieved by shredding documents. Do not allow intact documents containing personal information to be thrown away.

o Perform background checks on all individuals with access to personal and/or sensitive information, including housekeeping and temporary service.

o Limit the number of temporary employment agencies your company uses. If possible, keep the services of a reputable firm.

o Develop guidelines to safeguard personal and/or sensitive information; the guidelines should address issues such as practices for the responsible handling of such information.

o Train staff on information security issues and include information on the subject in orientations for new employees. Educate them on why certain information needs protection and procedures on how to protect it.

o Limit the use of social security numbers in the workplace. Don’t use the number on items like employee ID cards, time cards, or paychecks for everyone to see. Use alternate numbers.

o Control access to personal information and limit it to those employees who have a legitimate reason to access. Audit who sees what personal information.

o Secure employee personal information in a locked filing cabinet or other secure area. Confidential files stored on the computer must be password protected and encrypted.
o Implement and enforce password security procedures for all computer users. Passwords must be changed periodically.

There are numerous opportunities to educate employees about identity theft prevention and steps to take if they become a victim: new employee orientations, annual staff orientations, training conferences, workshops, and departmental meetings are just a few. Casual lunch training sessions have also been found to be helpful.

Security awareness could also be increased through the use of posters, newsletter articles, emails, video presentations, and other promotional vehicles such as brochures or booklets that address identity theft. Store relevant publications and audiovisual programs and make them available to company executives and employees.

Identity theft is a crime of opportunity. Vigilance and awareness are essential to combat rapidly growing non-discriminatory crime.