Are Your Employees Safe from ID Theft? by Katie Smith


If you are the owner of a business, don’t let workplace identity theft happen to your employees, because you could be held responsible for all their losses! Identity theft is now the USA’s number one consumer fraud concern. According to the the Federal Trade Commission, as many as nine million Americans have their identity stolen every year.

Identity theft is defined as the misuse or fraudulent use of an individual’s sensitive personal information. Now, employers are the prime target of identity thieves. Employee records held by the human resource and payroll departments are now being targeted.

It’s become a real honey pot to an identity thief. There is a wealth of personally identifiable information held about each employee, such as their social security number, birthday, driver’s license number, health and medical records, and payroll records, just to name a few. Human resource professionals must make a top priority the proper security, access, storage and disposal of their employee information.

The most common method of business identity theft is business record theft. This simply involves the theft of paper records. It may mean that a trusted employee has been bribed for access to files held within a business. Other low tech methods include going through the trash of a business to recover employee or customer records.

Business record theft can also be through high tech data theft where business computers are hacked. Sensitive data of customers and employees is electronically downloaded and stolen. A trusted employee or external hackers could commit the crime. High tech identity theft is very hard to trace and if the sensitive data is electronically removed from the country, it is very hard to recover.

There have been some major data breaches over the years such as:

  • On June 5, 2008, Stanford University administrators learned that a laptop computer had been stolen that contained the sensitive records of approximately sixty two thousand current and former employees. 
  • On June 7, 2008, New Mexico government officials acknowledged that sensitive state documents with employee names and Social Security numbers were thrown into a trash bin in an un-shredded state. The bin was located behind the state’s Department of Workforce Solutions office in Roswell. The sensitive documents were discovered by an employee of another organization in a nearby building. This person saw the papers flying out of the trash bin on a windy day. 
  • In another case, a Connecticut drug manufacturer reported a high number of computer laptop thefts. One laptop contained thirteen thousand sensitive employee records. 
  • In May 2008, five Internal Revenue Service employees in California were arrested for improperly accessing confidential taxpayer files.

In some cases, employers have been held liable for identity theft that occurs in the workplace. This is particularly true in cases where the employer has been found to be negligent. If you are an employer then you must properly follow state or federal laws that dictate how sensitive records are supposed to be stored, accessed, and disposed. These laws are designed to safeguard the sensitive personal information of your employees.

For example, the Health Insurance Portability and Accountability Act (HIPAA) requires employers maintain the security of their own health plans. Employers are required to physically separate and safeguard protected information in a group health plan. A notification requirement ensures that businesses notify each of the affected individuals whenever their personal information may have been compromised through a data breach. Heavy penalties apply to negligent employers when a data breach occurs.

The Fair and Accurate Credit Transactions Act (FACTA) of 2003 includes a disposal rule. This rule requires businesses and individuals take appropriate measures when disposing of sensitive employee information.

The Family and Medical Leave Act (FMLA) 1993 and the Americans with Disabilities Act 1990, both require employers to keep confidential medical records separate from personnel files.

In addition to federal laws, most states have passed data privacy and security laws to protect an employee’s personal information against unauthorized use.

When employees suffer from identity theft, employers also pay a high price in the form of negligence lawsuits from employees. In addition, they face crippling investigations, and heavy fines, from the Federal Trade Commission and other federal and state authorities. At the end of the day, they could be put out of business by a serious data theft.

No record keeping system can ever be 100 percent effective against unscrupulous individuals who are determined to get access to sensitive employee data. However, there are a number of best practices that human resources professionals must adopt to protect employee confidential data, if they don’t want to be found negligent by the authorities!

  1. First, your information security systems need to have access controls, encryption, firewalls, and intrusion detection elements in place. In addition to computer security, employers need to also ensure security of personnel and the physical security of the information itself. For example, are filing cabinets, drawers, etc. always kept locked when not in use? Are electronic records stored securely and is access to these records tightly controlled? 
  2. Second, effective staff communication is important when protecting employees from identity theft. Employers need to properly explain to their employees all the proper measures that are in place to protect their personal data. In addition, companies should consider having an ID theft reporting policy in place where employees are encouraged to report any ID theft crimes. 
  3. Third, employee awareness of privacy protection strategies is vital. Human resource professionals must ensure that employees receive adequate training so that they understand that widely accepted practices, like downloading file-sharing programs, is very risky and must not be allowed in the workplace. 
  4. Fourth, employers should provide instruction to employees on how to secure, handle and destroy appropriate files. This includes information on how employees can protect their personal items while at work also, such as purses, wallets, and lockers. 
  5. Fifth, safe disposal of employee records, both paper and electronic, is very important. Employers should always shred confidential papers or hire a company to shred their sensitive documents for them. All recoverable data from computers and disks should be completely erased before they are disposed of. 
  6. Finally, periodic audits of the processes and procedures in place should become part of the normal routine and should be performed on a regular schedule.


Although no system can ever completely prevent identity theft from happening, having a comprehensive series of policies and procedures goes a long way toward minimizing the potential for it to happen. And it also protects you if you are being sued for negligence! 

About the Author:
Katie Smith is an enthusiastic
woman. She loves writing about technology and lifestyle on Reviewmoon. 

August 31, 2017


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023