Beyond GDPR: Why Every Employer Should Really Care About Data Privacy.
We've all heard a lot (probably too much) recently about the implications of the new GDPR regulations in HR and recruiting, but the fact of the matter is, not only is this legislation likely long overdue, but it's done something pretty important, precedent-wise.
It's made HR leaders and talent practitioners aware, for maybe the first time, of the extreme implications involved in safeguarding personal data. This lesson comes not a moment too soon, considering that the personal information available in the average HRIS and ATS makes these systems something of a perfect target for one of the most common reasons Personally Identifiable Information (or PII, as it's commonly known) is compromised.
See, the information sitting in those systems: addresses, social security numbers, direct deposit information, dates of birth and benefits information, driver's license and credit card numbers, all the standard stuff employers keep on their workers as a matter of course (and compliance), is exactly the kind of information that's most commonly compromised by identity thieves.
Consider that in 2016 alone (the most recent year for which data exists), financial losses from identity theft reached a staggering $24.7 billion (that’s billion, with a B), according to estimates from the Associated Press. For context, that’s almost twice as much as the annual losses resulting from property crimes, or around the same amount as the entire GDP for the country of Ecuador. So, a boatload of cash, pretty much.
But while personal identity theft occupies a lion’s share of the coverage and conversation about this growing phenomenon, the fact is that consumers aren’t the only ones who suffer. The impact that this emerging epidemic can have on employers can be even more staggering.
In fact, while credit and financial fraud dominate the headlines, credit reporting firm Transunion estimates that these represent only about 28% of identity theft cases; turns out the majority are far more nefarious – and frightening.
For example, Forbes estimates that approximately 4 million fraudulent insurance accounts are opened every year using stolen personal information; the Department of Labor has estimated that around 2 million workers are currently employed through illegally obtained identities.
If you’re in HR, this should probably prove to be a pretty frightening phenomenon. If you're not scared, well, you probably should be - because your employees (and their data) are at risk and in the crosshairs of the most sophisticated - and successful - hackers in the world.
[...]est growing crime, claiming a new victim every two seconds.
The good news? There are a few simple steps you can take to make sure your organization and employees know the risks about identity theft, and how to minimize those risks if they suddenly find themselves victims of this increasingly common crime. Given the odds, it’s pretty likely that one of your coworkers, colleagues or candidates will have their identities stolen, statistically speaking.
What Every Employer Should Know About Identity Theft and Protecting PII.
The bad news is that if your systems are targeted or your employees subjected to identity theft, there’s probably nothing you can do to stop it – and you will likely only find out about any fraud well after the fact. In fact, identity theft represents the nation’s fastest growing and most expensive crime. The problem is only getting worse, and the breaches are only getting more expensive.
HR or recruiting professionals are largely responsible for ensuring that sensitive employee information remains protected, and likely already have processes and controls in place to preempt potential breaches or misuse of employee data. It’s imperative to impart these policies to employees, and provide them with the tools and resources required to help them keep their personal information protected – particularly Social Security numbers.
At many organizations, social security numbers are also used as employee ID numbers or default passwords for accessing enterprise systems and software. These are the core currency required for identity theft, which is why employers must be proactive about minimizing the use of social security numbers as part of employee records or paperwork.
4 Key Steps for Protecting Employee Data.
If you’re looking for tips and tricks for safeguarding personal data, including common sense advice about locking up hard copies of sensitive documents and encrypting or password protecting electronic records. Most of the tips on there aren’t brain busters, and are simple, yet effective, ways to minimize the risk of identity theft.
- Ensuring each employee has a desk or cabinet with a lock where they are required to store purses, wallets, sensitive files and other documents with personal information. This should be reinforced through policy and reiterated in new hire orientation and in your employee handbook.
- Requiring employees to use a secure connection, like a VPN or enterprise firewall, before inputting any credit card or bank account information online. These should include corporate purchasing cards, direct deposit forms and invoicing information – all prime targets for identity thieves.
- Educate your employees about ways to recognize potential ID theft. Proactively add perks such as credit monitoring and annual credit reporting as part of your standard benefits package – enterprise subscriptions to these services are generally inexpensive (as anyone who has run a credit check on a candidate can attest), but this perk will inevitably pay off – if for nothing more than giving you and your employees peace of mind. Which is always worth it.
- Provide your employees with instructions on what they should do, and who they should contact, if they find themselves the victims of identity theft. Make sure HR is immediately informed about any workplace breach and that all employees work directly with their business partner to resolve, recover and remediate these incidents.
Sharing this information through your company’s intranet, employee newsletter or even LMS is also a great way to ensure employee awareness and accountability; make sure a copy of your company policy is readily available and accessible on internal networks or in your employee handbook so that workers always have easy access to this information.
You never know when they might need it most.
What To Do When Identity Theft Happens at Work.
Chances are, you’re probably more on top of fraud prevention and risk mitigation than most of your employees. By providing resources instead of red tape, your HR department will be better equipped to not only preempt future identity theft, but also to help employees recover if they become victims.
One of the most common ways that people discover that they have, in fact, had their identities stolen is through the IRS, which has many controls in place to notify taxpayers directly when discrepancies arise, such as the filing of duplicate tax returns or documentation using the same Social Security number.
A job seeker attempting to verify work eligibility or obtain employment using a stolen SSN might get caught by the IRS as part of the e-Verify process, or get red flagged during a pre-employment credit check.
The IRS or background screening provider will notify the employer submitting this information directly when these situations arise, but it’s your responsibility to double check any inaccuracies or discrepancies to ensure that the identities of potential new hires are valid and have not been compromised.
Make sure to contact any potential new hire whose credit check is red flagged before summarily disqualifying them (if applicable); negative results might not be their fault at all. If their identity has been stolen, then they’ve already paid enough – this crime shouldn’t cost them a job, too.
If an existing employee finds out their personal information has been compromised, they’re likely to be emotionally distraught or extremely upset, and rightfully so. That’s why it’s essential to treat these incidents not as an employee relations crisis, but rather, as a kind of employee assistance program designed to help the employee – and company – recover with minimal damage. Have available resources on hand to provide straightforward advice and simple steps about what to do when personal information has been stolen, including the key email and phone numbers they’ll need to report the theft and hopefully, seek remediation.
5 Key Steps for Stopping Identity Theft.
An additional strategy for preempting identity theft is through training that can be administered in the classroom or on demand through an LMS (many providers already have existing modules covering this content).
Effective training should include presenting employees with various identity theft scenarios they might encounter as well as what should be done in each case when data is compromised.
Training materials or employee resources should also provide a template for employees to utilize when cleaning up the mess caused by fraud.
These steps include:
- Immediately contacting financial institutions like banks and credit card issuers to remove fraudulent charges and cancel any compromised accounts.
- Contacting credit reporting agencies to correct any errors; provide an alternative account or payment method to employers if enrolled in direct deposit and alert them to immediately suspend any transactions to a compromised account.
- Changing all computer passwords and clearing browsers of any cached information or cookies that might be responsible for current or potential breaches. Passwords for accessing company systems or technology should be changed every 90 days at a minimum to ensure continued data integrity.
- Auditing any outstanding expenses like company purchasing card balances, invoices for temp, consulting or contingency labor and/or travel reimbursement submissions to ensure that corporate systems or records remain uncompromised and unaffected.
- Providing access to an employee assistance program (EAP) or third-party financial services providers like personal financial planners or plan administrators to minimize the emotional and financial impact common among identity theft victims.
If you’re spending your time worrying about stuff like how to institute the Genetic Information Non-Discrimination Act (GINA) or monitoring employee social media usage for potential policy violations, you’re likely overlooking the biggest threat – and biggest liability – currently facing HR and recruiting professionals today.
While you can’t prevent identity theft, you can at least be prepared when one of your employees (or your employer) has their personal or sensitive information compromised. And since there have been about 1000 new victims of identity fraud reported in the time it took you to read this article alone, it’s not a matter of “if,” but “when.”