Identity Theft and the Workplace
My business partner, John Gardner, a third-generation trial lawyer and former South Carolina legislator, has taken on the subject of identity theft as a cause ce'le`bre. The Databased You is the vehicle John uses to describe how identity theft most commonly occurs. It shows graphically how our personal information exists in a web-like network of thousands of both national and local databases.
These databases include:
- Our medical records database (MIB)
- Property and other public records (county and state)
- Military records and history (DOD and VA)
- All checking and credit accounts (repositories)
- Social Security information (SSA)
- Driver's license information (DMV)
Other repositories (called "Specialty Databases"), such as ChoicePoint and LexisNexis, regularly gather and provide our information to lenders, landlords, employers and so forth, for a fee.
The Databased You graphically demonstrates that, not only do these vast repositories of information exist, but also how they're difficult or even impossible to access. And if one database is corrupt with false or fraudulent information, it can update the others automatically, often by law, and just as often without cross-checks or verification, in order to "protect us."
If, for example, your identity is used illicitly to obtain medical treatment, your vital information relating to blood type, allergies, drug reactions and surgeries can be altered from an erroneous entry. Once altered, it's nearly impossible to correct. HIPAA regulations prevent you from accessing or altering your medical information database. If someone using your identity on a false driver's license commits a crime or gets a speeding ticket, your DMV database is changed. A simple traffic stop can result in your arrest. Our driver's licenses also serve as a national ID, so when we travel by air, NTSB agents compare our license against watch lists. These and other forms of ID theft affect an estimated 10 million Americans each year.
"First, we must get over the idea that we can somehow prevent identity theft. Preventing identity theft is like preventing fire," John says. "We can use safe building materials, install sprinkler systems, security cameras and alarms, but is any of that going to prevent fire? Certainly not."
Preventive measures, safety practices and common sense are very important in lowering our susceptibility, but it can still happen. In another example, the layers of firewalls, spyware, spamware and such will lower our risk from computer viruses, worms, phishing and so forth, but there's still a risk. Are passwords and encryption helpful? Absolutely! Do they prevent hacking? Certainly not. No system or solution is absolutely foolproof. Absolutes simply don't apply when someone wants to get our information.
We seem to act as amateur risk managers when it comes to our identity. I imagine that, like me, you don't regularly assess your own medical risk. You get routine check-ups, see the doctor when needed and, presumably, follow their advice. But most of us aren't in the habit of self-diagnosis. We leave that to the medical professionals. So why do we risk our next most precious asset, our good name and character?
We only get one identity. Our ability to find work, apply for credit, make purchases, receive medical care, vote and so on is tied to our identity. Our records, Social Security numbers and other sensitive data are stolen in reams each day and sold on the open market. They're sold to criminals, aliens seeking work in the United States, those with terminal illnesses or social diseases or those who, for whatever reasons, can't get jobs or medical care. And yes, they're sold to create credit accounts. It's a big profit maker for organized crime due to a relatively low risk. Identity theft has become fuel to fund international terrorism and the illicit drug trade. According to the U.S. Secret Service, identity theft has now surpassed illicit drug sales as the most profitable crime in the United States.
Schools, financial institutions, hospitals, businesses, municipalities, states and the U.S. government lose records to theft and negligence every day. These organizations and their officers are being held accountable for those losses. The FTC and individual state authorities aggressively prosecute these cases; (FTC v. BJ Wholesalers, in 2005, for unfair trade practices). Companies often find themselves, in addition to heavy fines and audits, being exposed to individual and class action lawsuits from victims---and often suffer from a loss of public confidence.
Solutions for business
The FTC now requires all U.S. employers to do a few simple and reasonable things to protect the information they keep on customers, vendors and employees:
- Have someone on staff named as Security Officer.
- Institute a written policy identifying nonpublic information and what the company expects from employees to protect it, then train all employees on that policy.
- Offer a voluntary identity theft service to employees. Identity theft services can be grouped into three categories: loss insurance, resolution and true restoration.
Loss insurance is underwritten and primarily covers actual financial losses, usually with a deductible of $500 or more. These services may or may not offer credit monitoring, and don't cover out-of-pocket expenses incurred in clearing up fraudulent entries. Also, claims are paid on a merit basis determined by the insurer.
Resolution is nothing more than services that issue credit freezes to the three major repositories, provide fraud packages to the victim and perform credit monitoring. These are all available free from the U.S. government.
True restoration provides monitoring and fraud resolution packages as well, but also provides licensed professionals to actually work on behalf of the victim to restore their identity to "pre-theft" status. True restoration services are by far the most comprehensive. An employer who offers restoration services to employees can be assured two things. The employee will not need to take work hours to restore his or her own identity theft issues, and the company will greatly reduce its exposure to liability from lawsuits resulting from a company breach.
Businesses that take these recommended measures will have significantly reduced the risk from lawsuits and set a standard of responsibility in the business community.
Back to article list | Top of page