Stolen Identity

The trouble started when a laboratory employee at Ligand Pharmaceuticals Inc. in San Diego came across a box in a storage closet; inside she found the personnel records of 38 former employees of Glycomed Inc., a company that Ligand had acquired in 1995.

Using the information from those filesincluding names, addresses, Social Security numbers (SSNs), birth dates and other data the lab worker and her acquaintances fraudulently rented three apartments, opened 20 cellular telephone accounts and set up more than 25 credit card accountswhich they used to purchase $100,000 in goods.

The worker was eventually caught, convicted and sentencedbut not soon enough for 14 of the 38 victims, who sued Ligand for negligence, claiming the crime would never have taken place if the company had taken better care of their personnel records.

Ligand settled out of court, and while lawyers declined to discuss the settlement, recent news reports claim the company paid out a significant six-figure amount. A Ligand spokesperson did not return phone calls seeking comment.

The case is a classic example of what can go wrong when employers dont know whats happening with all the information they possess, says Margaret Byrne, a partner at Bacalski, Byrne, Koska & Ottoson (BBK&O), the San Diego law firm that handled the case for the plaintiffs.

Ironically, Ligand had a strict policy safeguarding data pertaining to current employees, but Byrne contends the firm didnt apply that same standard of protection to the files it received through its acquisition of Glycomed.

The events at Ligand highlight the dramatic risks employers can face from identity theft in the workplace. But they only begin to scratch the surface of showing how devastating identity theft can be to employees and employers alikeor how common such theft is becoming.

A Fast-Moving Trend

Four years ago, identity theft wasnt even designated a crime; today, its a felony under the federal Identity Theft and Assumption Deterrence Act of 1998 and ranks as the nations top consumer fraud complaint, according to the Federal Trade Commission (FTC) in Washington, D.C. In 2001, the FTCs Identity Theft Data Clearinghousea help desk, databank and law-enforcement aidreceived roughly 85,000 complaints of identity theft, beating out all other categories.

The rapid growth of identity theft is perhaps best illustrated by the rising number of individuals who call the clearinghouse seeking to lodge complaints or gather information. In its first month of operation, December 1999, the clearinghouse received 445 calls per week. Today, on average, more than 3,000 calls pour into the clearinghouse each week, which projects to more than 150,000 per year.

While these numbers are instructive, they aren’t complete: There are no comprehensive statistics on the prevalence of identity theft no one single source captures the full pictureso the true frequency of the crime is likely higher than the numbers reflect.

What is clear, however, is that employers are involved. The No. 1 underlying source of identity fraud is theft of employer records, according to a September 2002 report by TransUnion, one of the nations three credit bureaus.

And the number of identity theft cases that have their roots inside businesses is rising, says Beth Givens, founder and director of the Privacy Rights Clearinghouse (PRC), a nonprofit privacy-advocacy group based in San Diego.

The bait drawing such crime to the workplace includes personnel files, benefits data, and payroll and tax recordsall of which typically reside in the HR department and can be a goldmine for identity thieves. And as employers increasingly store personnel files electronically, the theft of that information is likely to increase.

HR is a big target, says BBK&Os Byrne. When someone steals a wallet, they get one name, one SSN. When they steal personnel files, they get away with 10, maybe 100 names and numbers.

A Drain on More Than Wallets

In addition to crippling financial effects and the potential for serious criminal abuse, identity theft can be devastating to a victims daily lifeand a drain on employee productivity and morale as well.

On average, victims of identify theft and fraud spend 175 hours researching and tracking the crime, 23 months correcting credit reports and $800 in out-of-pocket expenses to restore their financial standing, according to a joint study of victims experiences by the PRC and the California Public Interest Research Group.

Tracey Thomas, a software engineer in California, estimates she missed about 300 hours of work after an emergency-room receptionist took her name, birth date and SSN from her insurance information, then used it to rent an apartment and open fraudulent credit accounts.

Its unfathomablethe amount of personal time and effort it takes, Thomas says. If somebody breaks into your house, you can change the locks. But if someone takes your identity, there simply is no quick fix.

In fact, one incident of identity theft can essentially last for life, experts say. Because thieves tend to work in groups and because stolen information can easily be spread online, victims must regularly monitor their financial accounts for years, looking for evidence of repeat fraud and associated crimes.

Its almost undoable, Thomas says.

Developing a Response Plan

So what can employers do to help mitigate the damage? If the worst happens, it pays to be prepared.

As in any kind of crisis situation, HR should be ready and in a position to act quickly with a plan based on firm knowledge of the issue, says Givens of the PRC.

The value of Givens advice is borne out by a situation that took place in California earlier this yearand that demonstrates the value of a prompt response: Thieves broke into a state government computer database and accessed the names, addresses, SSNs and payroll information of virtually all of the states 265,000 employees, ranging from office workers to the governor.

The states Department of Consumer Affairs Office of Privacy Protection scrambled to arrange toll-free phone lines exclusively for state employees to contact the nations three major credit bureaus: Equifax, Experian and TransUnion. The dedicated phone lines allowed employees to quickly place fraud alerts on their accounts, protect against the unauthorized issuance of new credit and request credit reports to check for fraud.

At the same time, employees received special information packets detailing ways to battle identity theft. The packetswhich were sent by certified mail to employees homesincluded the special phone numbers for the credit bureaus, details on privacy-protection steps, instructions on how to read credit reports, explanations of how a fraud alert on a credit file works and other tips.

The state also held workshops for employees at one site, distributed a video workshop to departments in other parts of the state, and launched a new web page for employees to visit.

While some labor groups criticized the state for not notifying employees sooner, privacy advocates cited the states response as an example of the fast action employers should take when employees personally identifying information is threatened.

They tried to provide a lot of help, which surely helped limit the potential for damage, says Givens. Contrary to popular belief, theres a lot an employer can do.

Adds attorney Byrne: The goal of any employer is to take a pre-emptive strike. You dont want to ever be in a position to have to say We didnt have a policy or plan in place, she says.

Taking Reasonable Care

And that gets to the heart of protecting against legal liability in cases of workplace-based identity theft.

The issue of employer liability centers on a legal standard of reasonable care, says Garry Mathiason, senior partner of Littler Mendelson P.C., an employment and labor law firm in San Francisco. Compare two personnel files that are stolen: One had been left in the open, the other was stored in a locked file cabinet. The former could show neglect, while the latter probably would not.

You have to show that the employer openly disregarded procedures that would protect the information and didnt exercise reasonable care, says Mathiason. Unfortunately, its not always a situation where you can draw a bright line. But wherever that magic line is, its going up.

And because these types of claims are fairly new, legal observers say the true scope of liability could grow. Thats troubling, given that Mathiason says its at a pre-epidemic or even near-epidemic stage now.

The Building Blocks of Prevention

Striking a balance between managing and maintaining the information HR needs and meeting employees privacy and security needs is a big challengeeven for the most compliance-minded companies.

While no workplace can ever be 100-percent safe from the threat of identity theft, sound practices can do a lot to deter the crime. Even some of the most obvious and low-tech defenses return high-level protection.

Here are some important strategies that employers of all sizes should immediately review, implement and strengthen, experts say.

Have a written privacy policy. Employers need to get their privacy houses in order, says Donald Harris, president of HR Privacy Solutions, a New York-based consulting practice, and co-chair of the International Association for Human Resource Information Managements Privacy & Security Special Interest Group.

Harris says employers should identify how they currently handle personally identifiable information about applicants and employees, determine the risks these practices pose, and craft and implement policies. This requires creating a culture of privacy throughout the organization through appropriate policies and procedures, as well as through awareness, training, incentives and strict security measures, he says.

After you create a policy, give employees a copy and state that youre taking steps to safeguard their information to the best of your ability. Make it a part of your new-employee orientation, recommends Littler Mendelsons Mathiason.

Lock up and limit access. Keep personnel files locked in a secure area and limit those who have access to them. Minimize the types and amounts of data you store on employees, dependents and customers.

Guard the SSN. Dont use SSNs as employee identifiers, or on insurance cards, claims forms, paycheck stubs, timecards or timesheets, parking permits, staff badges, training program rosters, lists of who got promoted, monthly account statements or client reports. Use alternate, randomly assigned numbers and encrypt sensitive information when in transit.

Lawmakers are increasingly focused on making this practice a mandate. A new law in California, which took effect in July, strictly limits businesses use of SSNs, and other states, including Arizona, Connecticut, Ohio, Pennsylvania and Vermont, are considering similar or identical legislation.

Plug the holes. Ensure that access to computer files is password-protected, and issue employees individual passwords that are regularly changed. Disable employee access to your company data immediately upon termination and audit access to data for suspicious activity. Use encryption software to protect electronic data thats sent and received and install adequate firewall protection to deter prying eyes.

Close external loopholes that can cause trouble and invite crime, says Sajay Rai, partner in the security and technology solutions practice at professional services firm Ernst & Young LLC in New York. Dont put employees names, e-mail addresses or pictures on your external web site, he says, and instruct employees that giving away seemingly innocuous information about the company and its employeeslike in chat roomsis against your privacy policy.

Shred it. Always destroy any discarded documents that contain personal identifiers and account numbers. If your firm outsources document destruction, require the contractor to give you evidence of employee screening, appropriate insurance, written procedures, access prevention, monitoring and alarm systems, specific particle size and a custodial audit trail, advises the National Association for Information Destruction Inc. in Phoenix.

Check backgrounds. Require background screening and criminal checks of employees who will have access to personnel data. Make sure you know the identities of the people working for you, says Mathiason. Theres no tolerance in the legal community for anything less.

Require such employees to sign confidentiality agreements.

Toughen scrutiny of third-party vendors and temps. Outsourcing vendors also can be a source of identity theft, as employers that contract out their HR functions to a third party are increasing the number of people who will have access to company personnel data. To cut the risk, make sure vendors are just as committed to protecting confidential information as you are.

Consider using temporary workers only in areas of the company where they wont have access to confidential data. Instead, ask other departments to shift an existing employee (someone your company has fully screened) to that temporary needand let the temp worker fill the existing employees position, suggests Jay Foley, director of consumer and victim services at the Identity Theft Resource Center, a nonprofit organization in San Diego.

Communicate and collaborate. Regularly remind employees of security practices. And let them know what they should do if they believe their personal identifying information has been compromised.

According to a June 2002 General Accounting Office report on identity theft, 35 percent of victims who called the FTCs ID Theft Clearinghouse hadnt yet notified any credit bureau at the time they contacted the FTC, 46 percent hadnt notified any of the financial institutions involved and 54 percent hadnt contacted their local police department.

By advising your employees on how to take these critical steps as soon as they suspect potential trouble, you can help them report problems faster and thwart additional fraud. (See When Identity Theft Strikes, on page 36.)

Recognize the employee-relations benefits. Employers that are most effective in tackling information privacy and security issues are those that move beyond viewing privacy protection simply as something they had better do or else, HR Privacy Solutions Harris says.

Privacy is like diversity in this regard: Done the right way, each involves respecting and empowering individuals, and reaping the business benefits that this can bring, he says, rather than acting primarily to avoid risks and legal problems.

Susan J. Wells is a business journalist based in the Washington, D.C., area with more than 17 years of experience covering business news and workforce issues.