Identity theft occurs when unauthorized persons gain access to and use another person's personal information such as his or her name, Social Security Number, credit card or bank account number, or other identifying information to commit fraud or other crimes. Identity thieves gain access to personal information through a variety of sources such as lost or stolen credit cards, stolen paper mail, dumpster-diving, computer spyware or hacking, e-mail scam, or by accessing customer or employee records maintained by businesses. Instances of identity theft have increased dramatically over the last several years. In fact, according to the United States Federal Trade Commission (FTC), in 2011 identity theft was the nation's top consumer complaint for the twelfth year in a row. In 2011 alone, approximately 11.6 million adults became a victim of identity fraud in the United States, at a cost to the economy of approximately $54 billion. Because many instances of identity theft go unreported, the numbers are likely even higher.
Employer records are among the top sources of identity theft. Several recent high-profile examples of missing or stolen data, such as the theft of personal information concerning 50,000 to 2,000,000 consumers from Georgia-based transaction processor, Global Payments, and the ring of McDonald's employees that skimmed at least 282 customers' credit card numbers, demonstrate the vulnerability of the personal information that businesses maintain about their employees and customers.
Controlling the growing threat of identity theft presents significant challenges for employers. The vast amount of sensitive personal information maintained by employers about their employees and customers, including demographic information, personnel files, credit histories, background reports, Social Security numbers, benefits data, direct deposit information, and payroll and tax records, can be a virtual treasure trove for identity thieves.
When employees or customers become victims of identity theft, the employers ultimately may pay the price, especially if the employers' treatment of employee or customer information contributed to the problem. Employers may face legal risks when their customers' records are compromised by employees or third parties. In July 2007, the United States District Court for the Eastern District of Pennsylvania held that an employer could be held liable for identity theft committed by one of its employees using a customer's personal information. In Lukens v Dunphy Nissan, Inc., the defendant, a car dealer, hired a salesperson with a prior criminal record involving numerous forgeries and thefts by deception. The employee informed the defendant about his criminal history and was hired without further question. The day after his employment began, the employee, acting within the scope of his employment, obtained the plaintiff's credit report. He then used the personal information to open numerous fraudulent credit accounts in the plaintiff's name. The court denied summary judgment to the defendant employer finding that it could be found vicariously liable under the Fair Credit Reporting Act (FCRA) for the employee's unlawful use of the report. The court held that liability may attach to the employer under an agency theory because it was within the scope of the employee's job to access and to evaluate customer credit information and because the defendant disregarded the employee's relevant criminal history.
This case demonstrates that employers should exercise particular caution in selecting, training, and supervising employees who may have access to personal information concerning customers or co-workers, especially in states such as Tennessee where negligent hiring, supervision, and/or retention claims are recognized.
Strategies for Minimizing the Risk of Identity Theft
As identity theft continues to increase, it would be wise for employers to consider the following strategies:
- Develop a comprehensive information security policy that includes responsible information-handling practices for employee, customer, and other sensitive business records
- Keep hard-copy personnel and customer files under lock and key
- Restrict access to sensitive information to only those employees with a "need to know"
- Train employees with access to sensitive information on how to
- keep it secure
- Require employees with access to sensitive information to sign an acknowledgement that such
- information will be kept confidential and will be used only for business purposes
- Disable employee access to company records and computers immediately upon termination
- Do not use Social Security numbers as employee or customer identifiers
- Carefully screen third-party vendors and temporary agencies and restrict their access to sensitive information
- Offer some sort of identity theft protection as an employee benefit
- Consult with experienced employment counsel to discuss federal and state requirements concerning the handling of employee or customer information and for assistance in implementing comprehensive information security policies and procedures and contingency plans
- Consider conducting background checks for candidates and current employees who handle or have access to sensitive and confidential information.
Although no business can keep its records entirely secure from identity theft, adopting these strategies can help to protect employees and customers and to minimize a company's exposure from this growing threat.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.