The theft of employee records is a top cause of identity fraud, and concerns about how to safeguard such information are growing after the theft of personal information on 26.5 million U.S. veterans.

Personnel files, benefits data, payroll and tax data all are vulnerable. Often it's an inside job: An employee with access to records may take the information and set up credit cards or commit other crimes.

Identity theft is the top consumer fraud complaint filed with the Federal Trade Commission; more than 20 million Americans have been victims.

"It is a major area of vulnerability," says Beth Givens, director of Privacy Rights Clearinghouse, a non-profit consumer advocacy group based in San Diego. "Many employers are not up to speed on safeguarding employees' records."

Veterans Affairs said earlier this week that personal data on millions of veterans was stolen from an employee's home in what appeared to be a burglary. The material included the veterans' Social Security numbers and dates of birth.

In the private sector, information may be lost when workers or contractors with access to files swipe records from human resource offices. Sometimes, it's far simpler - an employee may steal credit card receipts off a co-worker's desk.

Some companies now are taking action to prevent theft, including running privacy audits, encrypting data, locking file cabinets and using truncated Social Security numbers. But there is little they are required to do under federal law.

There is no federal law requiring employers to take specific safeguards, although FTC spokeswoman Betsy Broder says the agency could conceivably use its authority to take action against a company that failed to protect data. No such action has ever occurred. "It's a question of raising people's awareness," Broder says.

Cases of lost employee information have occurred: Time Warner made headlines in 2005 when it reported that the personal information of 600,000 current and former employees went missing after boxes containing the data were shipped by truck. The boxes contained computer tapes with Social Security numbers and other information. Time Warner says the information has never been used and that safeguards adopted since then include encrypting data saved to backup tapes.

Employers can be vulnerable to lawsuits claiming negligence if data are lost or stolen, says Bill Nolan, a data-privacy expert and employment lawyer in Columbus, Ohio.

"This (veterans) case illustrates the importance of the employees who have control of the data," Nolan says. "Some companies are more proactive than others. The more of these horror stories you see, the more you'll see companies get in front of this."

Abe Kleinfeld, president of nCircle, a San Francisco-based network security firm, says laptops are being stolen to get data, and companies aren't doing a good enough job of protecting employee information. Sensitive data, he says, shouldn't be kept on laptops, and encryption should be used.

"Obviously, employers are not doing a very good job. We're doing a pretty lousy job," Kleinfeld says. "Organizations don't do a very good job of educating employees or take it seriously enough."

The top cause of identity fraud is theft of records from employers or other businesses that have records on many individuals, according to a 2002 TransUnion study.