Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace

Testimony by Beth Givens, Director
Chairman's Conference on Identity Theft
Chairman Greg Cox and the San Diego Board of Supervisors
With San Diego District Attorney Bonnie Dumanis


Discussions on preventing identity theft often focus on steps consumers can take, such as shredding their trash and restricting access to their Social Security number (SSN). But realistically, while such measures can reduce the odds of becoming a victim, there is little individuals can do to actually prevent identity theft. The keys to prevention are two-fold, involving the credit industry and the workplace:

  1. The credit issuing industry must drastically improve procedures for assessing the legitimacy of credit applications. The credit reporting industry must be required to notify individuals when fraud-related indicators are noted on their credit reports.
  2. Employers and businesses must establish responsible information-handling practices involving sensitive personal information such as Social Security numbers and account information.

My remarks focus on the second of these recommendations, workplace information-handling practices. Experts in identity theft report that an increasing number of cases can be traced back to dishonest employees in the workplace or computer hackers who obtain Social Security numbers (SSNs) of employees and customers and disclose that information to individuals involved in crime rings or other identity theft schemes.

One of the keys to preventing identity theft, therefore, is to safeguard sensitive personal information within the workplace, whether that workplace is a government agency, private business, or nonprofit organization. Everyone must get involved in protecting personal information such as SSNs, financial account numbers, dates of birth - in other words, the information used by identity thieves to impersonate individuals in the marketplace.

Workplace Information-Handling Practices

  • Adopt a comprehensive privacy policy that includes responsible information-handling practices. Appoint an individual and/or department responsible for the privacy policy, one who can be contacted by employees and customers with questions and complaints. (See Resources below, Checklist of Responsible Information-Handling Practices.)
  • Store sensitive personal data in secure computer systems. Store physical documents in secure spaces such as locked file cabinets. Data should only be available to qualified persons.
  • Dispose of documents properly, including shredding paper with a cross-cut shredder, "wiping" electronic files, destroying computer diskettes and CD-ROMs, and so on. Comply with California's document destruction law, Civil Code 1798.80-1798.84.
  • Conduct regular staff training, including new employees, temporary employees, and contractors. Conduct privacy "walk-throughs" and make spot checks on proper information handling. Reward employees and departments for maintaining "best practices."
  • Put limits on data collection to the minimum information needed. For example, is the SSN really required? Is complete date of birth needed, or would year and month be sufficient?
  • Put limits on data display and disclosure of the SSN. Do not print SSNs on paychecks, parking permits, staff badges, time sheets, training program rosters, lists of who got promoted, monthly account statements, customer reports, etc. Do not print the SSN on mailed documents or require that it be transmitted via the Internet unless allowed by law. In compliance with California law, do not use the SSN as a customer number, employee ID number, or on health insurance ID cards, etc. Comply with California Civil Code 1798.85-86 and 1786.6. See Resources below.
  • Restrict data access to staff with legitimate need to know. Implement electronic audit trail procedures to monitor who is accessing what. Enforce strict penalties for illegitimate browsing and access.
  • Conduct employee background checks, especially for individuals who have access to sensitive personal information. Screen cleaning services, temp services, contractors, etc.
  • In compliance with California law, notify customers and/or employees of computer security breaches involving sensitive personal information, Civil Code 1798.29 and 1798.82-1798.84.
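The two practices above that an engineer can implement directly are the audit trail that records "who is accessing what" and the limits on displaying the SSN. The following is an added illustration written for this page; it is not part of the testimony and not code from the Privacy Rights Clearinghouse. The log format, the role-to-record need-to-know map, the browsing threshold of five distinct records per person per day, and the sample log lines are all constructed for the example. It parses an access log, flags accesses outside a role's legitimate scope, flags bulk "browsing" of records, and masks SSNs in any text destined for a printed or displayed report.

```python
"""Added example: audit-trail review and SSN display masking.

Illustrative only. Log format, NEED_TO_KNOW map, threshold and the
SAMPLE_LOG lines are hypothetical and constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample audit log, one record access per line:
# timestamp  employee  role  action  record_id
SAMPLE_LOG = """\
2004-03-02T09:01:10 jdoe billing VIEW CUST-1001
2004-03-02T09:03:44 jdoe billing VIEW CUST-1002
2004-03-02T09:10:02 asmith hr VIEW EMP-0042
2004-03-02T09:12:30 asmith hr VIEW CUST-2001
2004-03-02T10:00:01 tlee helpdesk VIEW CUST-3001
2004-03-02T10:00:09 tlee helpdesk VIEW CUST-3002
2004-03-02T10:00:17 tlee helpdesk VIEW CUST-3003
2004-03-02T10:00:25 tlee helpdesk VIEW CUST-3004
2004-03-02T10:00:33 tlee helpdesk VIEW CUST-3005
2004-03-02T10:00:41 tlee helpdesk VIEW CUST-3006
2004-03-02T10:00:49 tlee helpdesk VIEW CUST-3007
2004-03-03T08:30:00 tlee helpdesk VIEW CUST-3001
"""

# Hypothetical need-to-know map: record-id prefixes each role may open.
# A role not listed here has no legitimate access to anything.
NEED_TO_KNOW = {
    "billing": ("CUST-",),
    "helpdesk": ("CUST-",),
    "hr": ("EMP-",),
}

# Hypothetical threshold: more distinct records than this opened by one
# person in one day is treated as "browsing" and queued for human review.
BROWSE_THRESHOLD = 5

# Matches 123-45-6789 or 123456789 as a whole token.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts, skipping blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, who, role, action, record = line.split()
        entries.append({"ts": ts, "day": ts[:10], "who": who,
                        "role": role, "action": action, "record": record})
    return entries


def out_of_scope_accesses(entries):
    """Return (employee, record) pairs where the role has no need to know."""
    findings = []
    for e in entries:
        allowed = NEED_TO_KNOW.get(e["role"], ())
        # str.startswith with an empty tuple is always False, so an
        # unknown role is flagged on every access.
        if not e["record"].startswith(allowed):
            findings.append((e["who"], e["record"]))
    return findings


def browsing_suspects(entries, threshold=BROWSE_THRESHOLD):
    """Return {employee: max distinct records opened in one day} above threshold."""
    per_day = defaultdict(set)
    for e in entries:
        per_day[(e["who"], e["day"])].add(e["record"])
    worst = {}
    for (who, _day), records in per_day.items():
        worst[who] = max(worst.get(who, 0), len(records))
    return {who: n for who, n in worst.items() if n > threshold}


def mask_ssn(text):
    """Replace any SSN in display text with ***-**-last4 before it is printed."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("Out-of-scope accesses:", out_of_scope_accesses(entries))
    print("Possible browsing:", browsing_suspects(entries))
    print(mask_ssn("Badge for J. Doe, SSN 123-45-6789"))
```

In this constructed log the HR user opening a customer record is reported as out of scope, and the helpdesk user who opened seven distinct customer records in one morning exceeds the browsing threshold; the report text itself never carries a full SSN. In a real deployment the need-to-know map would come from the HR or access-management system, and the audit log should be written to storage the audited employees cannot modify.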