September 22, 2021
Are Employers Responsible for Employee Identity Theft?
The answer is yes, which is why it’s important to practice good cyber risk management.
Cyber thieves love employee personnel records. With the information they steal, such as Social Security numbers, birth dates, work history, bank account information and health information, they can do a lot of harm and “earn” a lot of money.
As an employer, it’s your responsibility to protect this information. In fact, state and federal laws require employers to safeguard this data. If you don’t, you could be held liable when the information is stolen.
Employers need this information for background and credit checks. It therefore often falls to human resource (HR) departments to determine risks and figure out the best lines of defense.
What Thieves Target
It’s helpful to understand what types of information thieves are looking for. For instance, thieves can use stolen financial information to establish new accounts and use them to steal funds from the victim’s existing accounts. Employee information can also be sold to undocumented workers to provide a false work history.
Thieves will sometimes use email to pose as a company executive to request a copy of an employee’s W-2 form. If the employee receiving the request fails to verify the legitimacy of the request and forwards the W-2, the thief can use it to create and submit false tax returns or open lines of credit.
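The verification step the article recommends can be backed up by a mail-gateway rule. The following is an added example written for this page, not code from the article's author, that parses a message with Python's standard `email` module and flags a request for W-2 or payroll data when the sender's display name matches an executive but the address is outside the company domain, or when the Reply-To points somewhere other than the From address. The company domain, executive roster and sample messages are all constructed assumptions; the rule is a heuristic that surfaces messages for the out-of-band check (a phone call to the named executive), not a replacement for it.

```python
"""Flag W-2 / payroll requests that carry executive-impersonation indicators.

Added example for this article; not part of the original page.
All names, domains and messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed: the employer's mail domain
EXECUTIVES = {"jane doe", "john roe"}   # assumed: names thieves are likely to impersonate
SENSITIVE_RE = re.compile(r"\b(w-?2s?|payroll|ssn|social security)\b", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text(msg) -> str:
    """Collect the text/plain bodies of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def flag_w2_request(raw: str) -> list:
    """Return a list of indicators; an empty list means the rule did not fire.

    The rule only considers messages that ask for W-2 / payroll / SSN data,
    so ordinary internal HR mail that mentions W-2 forms is not flagged
    unless it also shows an impersonation indicator.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not (SENSITIVE_RE.search(subject) or SENSITIVE_RE.search(_text(msg))):
        return []

    indicators = []
    name, addr = parseaddr(msg.get("From", ""))
    if name.strip().lower() in EXECUTIVES and _domain(addr) != COMPANY_DOMAIN:
        indicators.append(f"display name '{name}' matches an executive but sender domain "
                          f"'{_domain(addr)}' is external")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        indicators.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain "
                          f"'{_domain(addr)}'")
    return indicators


# Constructed sample messages -------------------------------------------------
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: ceo.office@mailbox-example.net
To: payroll@example.com
Subject: Urgent: W-2 copies needed

Can you send me the W-2s for all staff as a PDF today?
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 headcount

Please send the updated org chart when you get a chance.
"""

INTERNAL_W2 = """From: HR Team <hr@example.com>
To: all-staff@example.com
Subject: W-2 forms available

Your W-2 is now available in the payroll portal.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT), ("internal", INTERNAL_W2)):
        print(label, flag_w2_request(raw))
```

Run as a script, the suspicious message produces two indicators while the two legitimate ones produce none; in a real deployment the flagged message would be held or routed to HR and IT for the verification the article describes.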
The Society for Human Resource Management (SHRM), a professional human resources membership association, reports that 30 to 50 percent of identity theft begins in the office. Numerous employees and managers have access to HR records, making it more difficult to enforce proper security protocols. In addition, data stored in the cloud can be accessed if an employee uses an unsecured network or falls prey to a phishing scam. There is also the potential that a disgruntled employee might be enticed to sell password data.
The Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act hold employers liable if their acts or omissions lead to identity theft. In addition, failure to adequately safeguard health-related information or medical records makes employers liable under the Americans with Disabilities Act or the Health Insurance Portability and Accountability Act.
However, there is no one federal law that covers identity theft. The law that applies depends on the type of crime committed.
States have taken the lead in establishing employer liability laws, but there is no uniformity or consistency from state to state. Some states have data privacy legislation, while almost all states have data breach notification laws. These laws often impose additional requirements and restrictions on how employers use, store and transmit employee information.
The first step is to develop a comprehensive cybersecurity plan. Working with your IT department and management, craft a document that outlines the best policies for handling, storing and accessing the personal data of employees. You will need to address:
- How the company will encrypt files that contain sensitive data
- Where hard copies can be stored safely — preferably in a locked location
- How and when you’ll conduct internal risk assessments
- What employee information should be stored on the network
- Who will be allowed to view or edit sensitive employee data
- Under what circumstances employee information can be shared
- How this data should be stored and encrypted
- Who will oversee training
- Whether to hire a consultant to assess your network vulnerabilities
- Who will be in charge of overseeing security and serve as the go-to person for questions
- How the company will handle a breach if sensitive data is compromised.
Once you have a plan in place, train both your managers and your employees on the new procedures. It’s also important for employees to understand the various ways thieves can obtain their information or the company’s. For instance, a cybercriminal who gets control of a victim’s social media account can defame and slander an employer and defraud an organization’s customers, partners, vendors and clients.
Training should include the importance of:
- Understanding the tactics that cyber thieves use to attack employees and corporations, such as phishing emails
- Using stronger passwords and securing the information
- Alerting a manager, HR and IT immediately about potential data breaches
- Using more secure networks
- Not accessing company information from public Wi-Fi.
Finally, it’s an excellent idea for your firm to carry cyber liability insurance.