Thursday, February 9, 2012

Identity theft: Minimizing risk for employees - Business Management ...

Identity theft is one of the fastest-growing crimes in the U.S., and much of it revolves around the workplace. The federal government has taken a stand by passing the Fair and Accurate Credit Transactions Act and the Identity Theft and Assumption Deterrence Act.

But employers must do their part as well, by erecting their own defenses, including safeguarding personnel files that contain information such as employees' Social Security numbers, as many state statutes now require.

FAQs about identity theft

1. How can an employer protect employee records from the threat of identity theft?

Here are some steps you should take to secure employee records and minimize identity theft risk factors.

  • Conduct background checks. To prevent insiders from stealing information, it is important that all applicants for positions that have access to employee records be subject to criminal or civil background checks.

  • Secure data. Lock personnel files and limit access to the keys. Password-protect computer files and change passwords regularly. Encrypt sensitive data both when it is sent or received electronically and where it is stored. Install adequate firewall protection.

  • Limit access. Restrict access to the smallest possible pool of employees. Disable employee access to company data immediately upon termination.

  • Protect Social Security numbers. Request that insurers not use SSNs as employee identifiers on insurance cards and claims forms. Don't use SSNs on paycheck stubs, timecards or timesheets, parking permits, employee badges, training program rosters, promotion lists, monthly account statements and client reports.

  • Audit data access for suspicious activity.

  • Destroy sensitive information before disposing of it. Shred documents that contain account numbers or personal identifiers.

  • Raise awareness. Write and distribute a privacy policy that includes procedures for the safe handling of information. Train employees. Warn employees against inadvertently divulging sensitive information without a legitimate business reason or making information vulnerable (e.g., failing to immediately file and lock up personnel files after use).

  • Scrutinize third-party vendors. Audit their security procedures.

2. What additional steps can an employer take to keep employee Social Security numbers confidential?

A number of states have enacted statutes designed to protect Social Security numbers (SSNs). Such statutes require employers to establish policies that ensure the confidentiality of SSNs; prohibit unlawful disclosure of SSNs; limit who has access to information or documents containing SSNs; mandate procedures for disposal of documents containing personal information; bar employers from displaying more than the last four digits of an SSN; and establish penalties for policy violations.

Although your state may not have a law on the books right now, more and more states are expected to jump on the Social Security number privacy protection bandwagon. Be prepared by implementing the following practices for protecting the confidentiality of SSNs.

  • Develop a unique personal identifier system instead of using SSNs.

  • Do not put SSNs on documents to be mailed (or e-mailed). Exceptions: applications, forms, or when required by law. (Then, check that the SSN does not show in the envelope window.)

  • Make sure documents containing SSNs are accessed only by those who need to see the numbers for the performance of their job duties. Use logs or electronic audit trails to monitor access to records.

  • Remember to secure any backups or copies made of print and electronic records that contain SSNs.

  • Avoid leaving voice-mail messages or sending faxes containing SSNs.

  • Properly and immediately secure records containing SSNs when not in use.

  • Take care when discarding records containing SSNs (e.g., use a shredder).

  • Require employees to promptly report when SSNs have been compromised.
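The two lists above call for a unique employee identifier in place of the SSN, display of no more than the last four digits, and an audit trail that is actually reviewed for suspicious activity. The following Python sketch is an added illustration for this article, not code from Business Management Daily: it issues opaque employee IDs, returns SSNs masked unless a caller explicitly asks for the full number with a stated purpose, logs every read, and flags any actor who touches an unusually large number of distinct records in a short window (the bulk-read pattern an insider harvesting identities tends to produce). The record layout, log fields and the 20-records-in-10-minutes threshold are assumptions; the SSN check is a structural format test based on the published SSA rules, not a lookup against issued numbers.

```python
"""Employee-record handling with opaque IDs, SSN masking and an access audit
trail. Added illustration for this article, not Business Management Daily's
code; record layout, log fields and the anomaly threshold are assumptions."""
import re
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Structural SSN rules published by SSA: no area 000, 666 or 900-999,
# no group 00, no serial 0000. This is a format check, not an issuance lookup.
_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def is_valid_ssn(ssn: str) -> bool:
    m = _SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def mask_ssn(ssn: str) -> str:
    """Display form: only the last four digits survive, the most that the
    state statutes discussed above let an employer show."""
    if not is_valid_ssn(ssn):
        raise ValueError("not a well-formed SSN")
    return "XXX-XX-" + ssn[-4:]


def new_employee_id() -> str:
    """Random identifier with no relationship to the SSN (assumed format)."""
    return "E-" + secrets.token_hex(4).upper()


class PersonnelStore:
    """Holds full records; every read is logged, and the SSN comes back
    masked unless the caller explicitly asks for it with a stated purpose."""

    def __init__(self):
        self._records = {}   # employee_id -> {"name": ..., "ssn": ...}
        self.audit_log = []  # dicts: ts, actor, employee_id, purpose, full_ssn

    def enroll(self, name: str, ssn: str) -> str:
        if not is_valid_ssn(ssn):
            raise ValueError("not a well-formed SSN")
        eid = new_employee_id()
        while eid in self._records:  # vanishingly rare, but keep IDs unique
            eid = new_employee_id()
        self._records[eid] = {"name": name, "ssn": ssn}
        return eid

    def read(self, actor, employee_id, purpose, reveal_ssn=False, now=None):
        rec = self._records[employee_id]  # KeyError for unknown IDs
        self.audit_log.append({
            "ts": now or datetime.now(),
            "actor": actor, "employee_id": employee_id,
            "purpose": purpose, "full_ssn": reveal_ssn,
        })
        ssn = rec["ssn"] if reveal_ssn else mask_ssn(rec["ssn"])
        return {"employee_id": employee_id, "name": rec["name"], "ssn": ssn}


def flag_excessive_access(audit_log, window=timedelta(minutes=10), threshold=20):
    """Return the set of actors who read more than `threshold` distinct
    employee records within any span of length `window`. Threshold and
    window are assumed values; tune them to the role's normal workload."""
    by_actor = defaultdict(list)
    for e in audit_log:
        by_actor[e["actor"]].append((e["ts"], e["employee_id"]))
    flagged = set()
    for actor, events in by_actor.items():
        events.sort()  # chronological; sliding window starts at each event
        for i, (start, _) in enumerate(events):
            seen = {eid for ts, eid in events[i:] if ts - start <= window}
            if len(seen) > threshold:
                flagged.add(actor)
                break
    return flagged


if __name__ == "__main__":
    store = PersonnelStore()
    eid = store.enroll("Ada Example", "123-45-6789")  # constructed sample
    print(store.read("hr.manager", eid, "benefits enrollment"))
    print(flag_excessive_access(store.audit_log))
```

The audit log deliberately records who asked for the full SSN and why, so the review called for in item 1 ("audit data access for suspicious activity") can distinguish a payroll clerk preparing W-2s from the same account paging through every record in the file.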

3. What can an employer do to monitor its data destruction procedures?

Although it may seem like you're defeating the purpose of setting up a system to purge company records by creating more records, play it legally safe and document this procedure. The goal of the documentation is to be able to show that records were not arbitrarily destroyed, and that legitimate business reasoning dictated your actions.

You should document how you established retention periods, the provisions of your record-keeping policy or record-management system, and perhaps even an inventory of documents and the proper authorization for disposal. Make it a routine. Otherwise, a sudden decision to "clean house" could be perceived as suspicious.

The best way to make sure that sensitive data that needs to be disposed of doesn't fall into the wrong hands is to prevent it from falling into anyone's hands by destroying it. How you dispose of confidential records is just as important as how you stored them when they were current. Simply placing them in the trash is just as risky as leaving them in unlocked files.

Conduct the following audit before selecting the data-destruction technology you need. Answers to these questions will help you decide by what means the records should be destroyed and by whom.

  1. Do you have a high volume of records that needs to be destroyed? Is there a high percentage that contains confidential information?
    You have many data-destruction options to choose from, ranging from desktop/personal shredders to disintegrators to outside disposal services.

  2. How sensitive is the data? How vulnerable would the company be if it fell into the wrong hands?
    Strip-cut shredders are adequate for disposal of general records and other data that is not critically sensitive. However, cross-cut shredding is the better choice for disposing of records that contain confidential or proprietary information, because the strips from a strip-cut shredder can be reassembled.

  3. Who is to have access to the data-shredding equipment? Only employees with a need-to-know, who already have access to the information, should be in charge of destroying it.

Warning: Don't forget about back-up files and individual files kept by employees. Track those down and destroy them, too. Their existence can also do your company legal harm.

Finally, remember that not all records may be kept on paper. Diskettes, microfilm and other electronic media can hold much more information in less space; if your entire company isn't using the same format, remember that individual managers or departments might have a stash of information in a completely different medium. You are responsible for its accuracy and privacy as well.

Note: Effective June 1, 2005, the Disposal Rule issued under the Fair and Accurate Credit Transactions Act (FACTA) requires any business, including an employer with as few as one employee, to properly destroy personal information derived from a consumer report before disposing of it.

FACTA aims to eliminate the chance of an identity thief rummaging through your company's trash and scoring personal employee information. The act defines destroying as "shredding or burning" or "smashing or wiping" paper or computer disks containing the protected information.

Consumer reports routinely contain information related to a credit, criminal, or background check, but they can also contain information on an individual's character, general reputation, personal characteristics, or mode of living.

Source: http://www.businessmanagementdaily.com/19711/identity-theft-minimizing-risk-for-employees

