Privacy Rights Clearinghouse
Posted: March 2004
Updated June 2009
By Beth Givens, Director
Privacy Rights Clearinghouse
Most guides on preventing identity theft focus on steps consumers can take, such as shredding their trash and protecting their SSN. But realistically, while these steps reduce the risk of becoming a victim, there is little individuals can do to actually prevent identity theft.
True prevention resides in two arenas - the adoption of more effective application-screening procedures by the credit industry and the implementation of responsible information-handling practices by employers. This article focuses on the latter.
Experts in identity theft report that an increasing number of cases can be traced back to dishonest employees in the workplace who obtain the sensitive personal information of employees and customers and disclose it to identity thieves.
One of the keys to preventing identity theft, therefore, is to safeguard personal information within the workplace, whether it's a business, government agency, or nonprofit. Targets for identity thieves include SSNs, driver's license numbers, financial account numbers, PINs, passcodes, and dates of birth.
Workplace Information-Handling Practices
- Implement a written Identity Theft Prevention Program to detect the warning signs - or “red flags” - of identity theft. A "how-to" guide for companies that are considered a "low risk" for identity theft is provided by the Federal Trade Commission. See the Resources section at the end of this guide.
- Store sensitive personal data in secure computer systems. Encrypt! And make sure your wireless network is protected with the proper security settings. Store physical documents in secure spaces such as locked file cabinets. Data should only be available to qualified persons.
- Dispose of documents properly, including shredding paper with a cross-cut shredder, ìwipingî electronic files, destroying computer drives and CD-ROMs, and so on. Comply with California's document destruction law, Civil Code 1798.80-1798.84, and the federal Fair Credit Reporting Act FACTA provision on document disposal, section 216. (See Resources.)
- Build document destruction capabilities into the office infrastructure. Place shredders around the office, near printers and fax machines, and near waste baskets. Use cross-cut (confetti) shredders rather than strip-shredders. Make sure dumpsters are locked and inaccessible to the public.
- Conduct regular staff training, including new employees, temporary employees, and contractors.
- Conduct privacy ìwalk-throughsî and make spot checks on proper information handling. Reward employees and departments for maintaining ìbest practices.î
- Put limits on data collection to the minimum information needed. For example, is SSN really required? Is complete date of birth needed, or would year and month be sufficient?
- Put limits on data display and disclosure of SSN. Do not print full SSNs on paychecks, parking permits, staff badges, time sheets, training program rosters, lists of who got promoted, on monthly account statements, on customer reports, and so on. Do not print SSNs on mailed documents or require that they be transmitted via the Internet unless allowed by law. In compliance with California law, do not use SSN as customer number, employee ID number, health insurance ID card, and so on. (California Civil Code 1798.85-86 and 1786.6) See Resources.
- Restrict data access to staff with legitimate need to know. Implement electronic audit trail procedures to monitor who is accessing what. Enforce strict penalties for illegitimate browsing and access.
- Conduct employee background checks, especially for individuals who have access to sensitive personal information. Screen cleaning services, temp services, and contractors.
- Safeguard mobile devices that contain sensitive personal data, such as laptops, Blackberries, PDAs, and mobile phones. These are a favorite target of thieves.
- Notify customers and/or employees of computer security breaches involving sensitive personal information. More than 30 states have adopted security breach notice laws. (See Resources.) Also notify individuals when security breaches involve paper records, outside the scope of most laws.
- Develop a crisis management plan to be used if sensitive employee or customer data is lost, stolen, or acquired electronically. The plan should include instructions to prevent identity theft if SSNs and/or financial account numbers are obtained illegitimately.
- Regularly audit compliance with all information-handling practices and privacy policies.
In summary, everyone from the mail clerk to the CEO must make it their business to handle personal information responsibly in the workplace. Don't make the workplace a breeding ground for identity theft.
- "Fighting Fraud with the Red Flags Rule: A How-To Guide for Business," (a do-it-yourself program for businesses at low risk for identity theft), Federal Trade Commission ( March 2009), www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm 
- Checklist of Responsible-Information Handling Practices, PRC Fact Sheet 12, www.privacyrights.org/fs/fs12-ih2.htm 
- FACTA: the Fair and Accurate Credit Transactions Act, PRC Fact Sheet 6a, www.privacyrights.org/fs/fs6a-facta.htm#2g 
- Business Identity Theft Risk Test, Identity Theft Resource Center, www.idtheftcenter.org/busrisktest.shtml 
- Lists of security breach notice laws in U.S.: PIRG: www.pirg.org/consumer/credit/statelaws.htm . Consumers Union: www.consumersunion.org/campaigns/Breach_laws_May05.pdf 
- Recommended Practices for Protecting the Confidentiality of Social Security Numbers, California Office of Privacy Protection, www.privacy.ca.gov/recommendations/ssnrecommendations.pdf 
- Recommended Practices on Notification of Security Breach Involving Personal Information, California Office of Privacy Protection, www.privacy.ca.gov/recommendations/secbreach.pdf 
- A California Business Practices Handbook, California Office of Privacy Protection, www.privacy.ca.gov/business/ca_business_privacy_hb.pdf .
- Guide for Small Businesses by Better Business Bureau, "Security & Privacy Made Simpler," www.bbb.org/securityandprivacy