How secure is the personal information of your customers?
Contrary to popular assumption, most stolen identity information is not taken from individuals. It is taken from companies doing business with individuals, such as employers, retailers, insurance companies and others who hold personal information for their customers. Companies have a responsibility to secure and protect individual credit and identity information just as they would any other valuable property.
Fraud, secondary to impersonation, is a somewhat new—and national—problem
Identity theft is actually a misnomer; you cannot actually steal a person’s identity. You can only steal their information and fraudulently use it to impersonate, cheat, defame, or steal. However, people have come to call it identity theft so that’s what we will call it. Identity theft is the fastest growing crime in the United States, according to President George W. Bush, when he introduced the Identity Theft Penalty Enhancement Act enacted in July, 2004. In his presentation before signing the bill, President Bush stated:
“Last year alone, nearly 10 million Americans had their identities stolen by criminals who rob them and the nation's businesses of nearly $50 billion through fraudulent transactions . . . . The crime of identity theft undermines the basic trust on which our economy depends. When a person takes out an insurance policy, or makes an online purchase, or opens a savings account, he or she must have confidence that personal financial information will be protected and treated with care. Identity theft harms not only its direct victims, but also many businesses and customers whose confidence is shaken. Like other forms of stealing, identity theft leaves the victim poor and feeling terribly violated.”
Before 1998, identity theft was not identified as a crime. In the last four years, in spite of the new federal law, countless state laws, the numerous implementations of awareness programs and protection efforts, there has been very little change in the incidence of crimes (still over 10 million victims per year) or the dollars involved (still over $50 million a year). In the same four-year period, Arizona has held the number one position in the nation for crimes related to identity theft.
How do you view the personal information you store for employees and clients?
For a moment, pretend that your business is in the business of furnishing safety deposit boxes. Each one of your employees is given a box in which they entrust you to keep a diamond. Each employee gives you a diamond and you place it in one of the boxes. How would you manage the boxes? Would you simply have a doorknob on the box anyone could open? Would you have a lock and key for each box but give out a key to any of your employees including contract and temporary ones who need easy access? Would you give keys only to trusted employees or just one to the employee himself? Would only the key executive in charge of diamond storage have the key? How you store the employee’s personal data should be given the same thought and care you would give to those who entrust you with their diamonds.
Most stolen personal information does not come from a person
Somewhat surprisingly to the public, most identity theft does not come from the theft of individual information directly from the individual. The vast bulk of identity theft comes from raiding company files of employees and clients. According to the Federal Trade Commission, about 90% of information thefts from businesses entail employee records—especially payroll records. From those records the identity thief can home in on an individual and decimate reputation, credit, and all facets of an identity, damage that a victim may never be able to overcome—even through legal name changes and other drastic measures. Also according to the FTC, the identity thief in such cases is most likely to be a fellow employee—one you may have provided a key to care for the diamonds.
No individual has much power to protect personal information from theft
Although rarely included in the list of actions a person can do to protect his or her identity, the securing of company employee data is crucial in preventing the painful and debilitating crimes related to identity theft. Most advisories and articles focus on what you can personally do to protect your personal data. The problem with employee information theft from employers is that it can involve thousands of people and an individual may not even know the information is out there among the thieves until something bad happens. Consumers have very little choice and very few options in what information they must give to their employers. The same is true for consumers in dealing with the businesses. When they give their personal information, they have given their diamond for your protection.
The onus is on the companies to protect data. The company involved in the theft of a computer that started the thousands of credit watch service subscriptions has a state-of-the-art data center with a server farm covering acres of floor space, protected by every conceivable firewall and encryption scheme. It is guarded and access—even to the building that houses the servers—is kept to trusted employees with a need-to-access protocol. It is the envy of information technology protection. Yet, the theft came from a hard drive, stored in a contractor’s laptop that was left unattended long enough to be stolen. A box of diamonds was left on the table. Acres of server farms need to be managed, but also access to the servers as well as downloaded copies used in the process of conducting business must be protected just as securely. In short, whether the diamonds are in the lock box or outside the box being inspected, they must remain fully secured.
There are several things information technology specialists do to protect data.
Encrypt data so it can only be viewed on one computer by one person
Adopt a policy on which employees can view such data and stick to it
Automate physical security systems surrounding remote access to data
Allow remote access to data only through a secured, encrypted Virtual Private Network (VPN)
Additionally, external drive technology has become so enhanced in the past few years that terabytes of data can be stored on USB-accessed external drives of all types and sizes. Software is available to restrict USB access by password, so that no one can casually add external storage to a computer without proper permission.
The bulk of the problem comes from company data; the bulk of the solution is in the company
Because companies are a primary target for identity theft and fraud, all companies must give their maximum effort in protecting employee and client information, whether stored in paper files or on electronic media. Most employees and clients do not have the ability and knowledge to protect their own personal information stored with an employer or business. That is the most maddening part of this infuriating crime to the individual victim when the focus is personal data at a company. Companies may be wealthy enough, and generous enough, to buy their clients credit watch alert subscriptions, but having to do so is closing the vault after the diamonds are gone. Whether a loss comes from the theft of a computer, hacking into a system, or just a stupid oversight by an otherwise responsible employee, it is still a loss, as another diamond rolls out of your vault.
For more information about how we can help you with your Human Resources and hiring processes, call us at 888-700-8512, request a proposal or contact us.
CBR is named the first PEO in Arizona to be honored as a BBB Ethics Award Finalist for 2006 and 2007. This award applauds employers as they strive to ensure that ethics remains a driving force in their business.