Mutual respect is the key
Identity theft has many forms and many victims – 11.6 million adults in 2011 alone, according to Javelin Strategy & Research . In the workplace, identity theft due to careless handling of sensitive data can affect either employees or customers – and, in both cases, the employer.How data breaches hurt employers
Exposure of sensitive information in the workplace is the leading cause of identity theft , while employees are the leading cause of data breaches . Both situations carry severe implications and costs for the employer, either in the form of lost employee productivity, FACTA violation fines, data breach remediation costs, lawsuits, or damage to brand reputation (see below for a tally of these costs).
To turn this losing proposition into a win-win situation, you must create a corporate culture that fosters a mutually beneficial focus on privacy. By showing employees you value the privacy of their personal information; you encourage them to protect corporate data in return.
What employers can do
For employers, this means safeguarding employee data – including Social Security numbers, payroll routing information, medical insurance numbers, retirement fund accounts, employment records, home addresses, and other personal information. FACTA regulations now recognize the responsibility that employers have to protect their employees’ personal information, and call for stiff penalties for violators.
Even when the employer is not responsible for the identity fraud, it costs them dearly. When employees fall victim to identity theft, they undergo severe stress and lose productivity – an averaging up to 141 hours -- while they attempt to resolve the fraud.
It is vital for employees to understand and respect for the need to protect proprietary company information and customer data. A Forrester Research study found that employees were responsible for the majority of data breaches, although generally due to loss or accident, not malicious intent.
How employees cause data breaches
Lost USB drives (also known as “thumb drives” or “memory sticks”) are a common way employees lose large amounts of company data – losses that have been estimated by the Ponemon Institute to cost organizations as much as $2.5 million . And yet the National CyberSecurity Alliance found two-thirds of small businesses allow the use of USB drives.
Exposure can come from low-tech means as well. The Fellowes’ Workplace Data Security Report found that while 81% of employees can access paper documents containing sensitive workplace information, they unintentionally expose the information by leaving sensitive paper documents on top of their desks (25%) or even throwing sensitive paper documents in the trash (15%).
This type of mishandling can expose confidential employee, client, or corporate information, and in the end the employer winds up bearing the brunt of the costs.
Do your employees know your privacy policy?
Creating a privacy policy is not enough – the same Forrester study found that only 56% of information workers in North America and Europe were aware of their organizations’ security policies. This is unsurprising, considering 75% of small businesses surveyed by the National Cyber Security Alliance said their employees receive less than three hours of network and mobile device security training in the past year, and 47% reporting their employees do not receive any security training.
With such serious implications for both employers and employees, any measures that address identity theft create a clear win-win. Because it is impossible to completely prevent identity theft, the key is to limit exposure and raise awareness. Both of these goals can be reached through creating a culture of privacy, which both generates and is based upon mutual respect.
Top 10 recommendations for fostering privacy in the workplace:
1. Inform employees of policies & safeguards in place protect their confidential employment information, such as encrypting Social Security numbers. Even prospective employees should be assured that their resumes and job applications will be protected, establishing your corporate commitment to privacy from the outset.2. Ask for employee input on security measures to ensure you are hitting all the bases and empower them to take ownership of privacy.
3. Assess what data your company is currently protecting. This is an essential first step in a data breach plan, which creates a blueprint to your privacy needs, policies & responses.
4. Schedule regular privacy training sessions. This not only keeps an emphasis on the need for privacy, but gives you a chance to review what new privacy needs or tools should be incorporated into your data breach plan.
5. Provide identity theft protection as an employee benefit. Group coverage is available as an affordable and highly appreciated addition to your benefit package. Plans that include recovery services can also benefit employers by greatly reducing the stress and time needed to resolve identity theft.
6. Examine the risks of using employee-owned devices at work (BYOD). Allowing employees to use their own computers, tablets and mobile devices may seem like a cost-saver, but can lead to costly breaches if they are not held to corporate security standards. Nearly half of companies that permit BYOD reported experiencing a data or security breach as a result of an employee owned device accessing the corporate network.
7. Provide the tools employees need to protect data. From high-tech encryption and anti-virus software to low-tech shredders at each desk, make sure each employee has – and knows how to use—the tools that support your policies.
8. Recognize and reward employees who take extra steps to protect client data. Ask them what more they can do, and they may surprise you with the response.
9. Establish policies for temporary workers. Consider what access you allow or what background screenings you require.
10. Be aware of corporate identity theft risks. Protect your Tax ID number, licenses, and lines of credit.
11. Bonus tip: Let employees know how they can (confidentially) report security lapses. Whether an employee is simply forgetting to follow procedures, or is actively committing fraud, their co-workers are likely going to be the first to know. They should also be aware of the proper reporting procedure for any data security issue – once law enforcement or the customer is informed, you lose the ability to control the situation.
Costs of a Data Breach
> A data breach will diminish your brand value by 21%; and cost one year to repair your damaged reputation. (Source: "Reputation Impact of a Data Breach," Ponemon Institute, October 2011)
> Certain types of identity theft takes victims an average of 141 hours to resolve if unassisted – identity theft recovery services can be a valuable employee benefit to reduce this type of “presenteeism.” (Source: "Aftermath 2009, Identity Theft Resource Center)
> 41% of respondents to a data breach survey said the total cost of the breach was $500,000 or more. (Source: “Perceptions about Network Security,” Ponemon Institute, June 2011)
> FACTA penalities can be as much as $2500 on the Federal level and $1000 at state – per record.
Data breach litigation can add an average of $582,000 in legal defense costs and $2.1 million in settlements. (Source: “Cyber Liability & Data Breach Insurance Claims — A Study of Actual Payouts for Covered Breaches,” NetDiligence)
Helen Newling Lawson is a marketing communications consultant for CORE ID Services, LLC, an identity theft protection company specializing in helping organizations meet data privacy needs. CORE ID assists companies in developing data breach response plans and provides ARX-ID, an identity theft protection plan suited for employee benefit and other group coverage plans.
Additional sources:
http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html
http://www.pcworld.com/article/237600/companies_lose_2_5_million_from_missing_memory_sticks_study_says.html
Visa/National Cyber Security Alliance National Small Business Study, www.staysafeonline.org
http://www.businessinsurance.com/article/20121009/NEWS07/121009907
