December is not only the shop-‘til-you-drop season, it’s also National Identity Theft Prevention and Awareness Month, reminding retailers and businesses that they need to not only protect themselves from a data breach but also make their employees aware of identity fraud scammers who target seasonal help. According to the Federal Trade Commission, identity theft is the number one type of consumer fraud in the U.S., resulting in about 9 million people annually having their identity stolen. In 2011, eight percent of reported identity theft incidents were employment-related. Thieves usually exploit their victims by impersonating them after stealing their Social Security number and credit card information or, worse, selling valuable Social Security numbers on the black market.
Companies need to protect themselves from an identity theft “double whammy” in which cyber thieves attack hiring employers and job applicants at the same time through online job scams. Fraudsters will first pose as a representative of a legitimate business and post fake job listings, sometimes even going so far as to create bogus websites in order to steal the personal information of potential employees. Cyber thieves take advantage of the fact that job seekers are often desperate for work and will give out personal information willingly in exchange for potential employment.
Here are some tips for employers to minimize data breaches when hiring:
- Avoid using Social Security numbers to identify applicants.
- Collect only essential personal information needed for the job application.
- Shred unnecessary documents on non-hired applicants and former employees, including temps and contract workers.
- For existing employees, do not keep medical records, EEO data, immigration forms and background check information in personnel files.
- Have a data breach response and notification plan in place. Act quickly if a data breach occurs.
Data security experts warn that simply having data protection and security policies is not enough. The policies need to be taken seriously by everyone at the company, and the regulations need to be firmly enforced. In addition, the repercussions and cost of a data breach need to be explained to employees at every level, since companies can be held liable for negligence in handling personal data and fined by the FTC and other government agencies. All departments, including human resources and accounting, should be well-trained in identity theft protection procedures and data security policies. Employees who have access to personnel data should be carefully screened and pass a security clearance. Businesses should also periodically review their data storage processes and determine whether or not to keep the information and how to keep it protected.