Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace

Posted: March 2004
Updated June 2009


By Beth Givens, Director
Privacy Rights Clearinghouse


Most guides on preventing identity theft focus on steps consumers can take, such as shredding their trash and protecting their SSN. But realistically, while these steps reduce the risk of becoming a victim, there is little individuals can do to actually prevent identity theft.


True prevention resides in two arenas - the adoption of more effective application-screening procedures by the credit industry and the implementation of responsible information-handling practices by employers. This article focuses on the latter.


Experts in identity theft report that an increasing number of cases can be traced back to dishonest employees in the workplace who obtain the sensitive personal information of employees and customers and disclose it to identity thieves.


One of the keys to preventing identity theft, therefore, is to safeguard personal information within the workplace, whether it's a business, government agency, or nonprofit. Targets for identity thieves include SSNs, driver's license numbers, financial account numbers, PINs, passcodes, and dates of birth.


Workplace Information-Handling Practices

  • Adopt a comprehensive privacy policy that includes responsible information-handling practices. Appoint an individual and/or department responsible for the privacy policy -- someone who can be contacted by employees and customers with questions and complaints. (See Resources below, Checklist of Responsible Information-Handling Practices.)
  • Implement a written Identity Theft Prevention Program to detect the warning signs - or “red flags” - of identity theft. A "how-to" guide for companies that are considered a "low risk" for identity theft is provided by the Federal Trade Commission. See the Resources section at the end of this guide.
  • Store sensitive personal data in secure computer systems. Encrypt! And make sure your wireless network is protected with the proper security settings. Store physical documents in secure spaces such as locked file cabinets. Data should only be available to qualified persons.
  • Dispose of documents properly, including shredding paper with a cross-cut shredder, “wiping” electronic files, destroying computer drives and CD-ROMs, and so on. Comply with California's document destruction law, Civil Code 1798.80-1798.84, and the document disposal provision (section 216) of FACTA, the amendment to the federal Fair Credit Reporting Act. (See Resources.)
  • Build document destruction capabilities into the office infrastructure. Place shredders around the office, near printers and fax machines, and near waste baskets. Use cross-cut (confetti) shredders rather than strip-shredders. Make sure dumpsters are locked and inaccessible to the public.
  • Conduct regular staff training, including new employees, temporary employees, and contractors.
  • Conduct privacy “walk-throughs” and make spot checks on proper information handling. Reward employees and departments for maintaining “best practices.”
  • Put limits on data collection to the minimum information needed. For example, is SSN really required? Is complete date of birth needed, or would year and month be sufficient?
  • Put limits on data display and disclosure of SSN. Do not print full SSNs on paychecks, parking permits, staff badges, time sheets, training program rosters, promotion lists, monthly account statements, customer reports, and so on. Do not print SSNs on mailed documents or require that they be transmitted via the Internet unless allowed by law. In compliance with California law, do not use the SSN as a customer number, employee ID number, health insurance ID number, and so on. (California Civil Code 1798.85-86 and 1786.6; see Resources.)
  • Restrict data access to staff with legitimate need to know. Implement electronic audit trail procedures to monitor who is accessing what. Enforce strict penalties for illegitimate browsing and access.
  • Conduct employee background checks, especially for individuals who have access to sensitive personal information. Screen cleaning services, temp services, and contractors.
  • Safeguard mobile devices that contain sensitive personal data, such as laptops, Blackberries, PDAs, and mobile phones. These are a favorite target of thieves.
  • Notify customers and/or employees of computer security breaches involving sensitive personal information. More than 30 states have adopted security breach notice laws. (See Resources.) Also notify individuals when a breach involves paper records, even though paper records fall outside the scope of most of these laws.
  • Develop a crisis management plan to be used if sensitive employee or customer data is lost, stolen, or acquired electronically. The plan should include instructions to prevent identity theft if SSNs and/or financial account numbers are obtained illegitimately.
  • Regularly audit compliance with all information-handling practices and privacy policies.

In summary, everyone from the mail clerk to the CEO must make it their business to handle personal information responsibly in the workplace. Don't make the workplace a breeding ground for identity theft.