Anybody who has started a business will tell you it's not a cakewalk. From financing to compliance with various laws, a new business is usually a one-man show. It may be some time before the company starts hiring employees. This is a mixed blessing, since it means help getting the work done, but it also presents new problems for the owner to worry about. One risk management problem that is often overlooked is what happens if your employees become victims of identity theft, or even worse, are directly involved in a data breach?
Traditionally, business owners haven't concerned themselves with their employees' personal affairs beyond how they impact the job. (For example, if an employee is sick, you have to figure out how to get their portion of the work done while they're away.) But even with all the news stories and articles about identity theft, this is generally a back-burner item. Most people still have the mindset that identity theft is not a concern, "until it happens to me." But if you've been in business for any amount of time, you already know that mindset doesn't work if you want to stay in business.
As with any other business concern, there are a lot of "intangibles" – factors that you can't really assign definite numbers to. For example, it can take 400 or more hours to resolve an identity theft. Most of those hours will be spent during business time – filing reports, making phone calls, tracking down statements and receipts, talking with investigators, and jumping through legal hoops. And even if the employee is at work, they usually won't be focused on what they're doing. This means lower quality of work, mistakes, even safety issues. No matter how professional your organization is, lower morale is infectious, and poor attitudes leave customers wondering why they're doing business with you.
The Stolen Purse Problem
Some attorneys and law firms have started soliciting victims of identity theft with the goal of suing the employer. These lawsuits are based on various identity theft laws, such as FACTA, that require businesses to protect personal information. These laws require business owners (and other holders of personally identifying information) to protect that information through employee training, policies and procedures, as well as various Data Security requirements. But the FTC estimates that less than 13% of all companies are even aware of these laws, much less in compliance with them.
In simpler terms, if Susie takes a smoke break and leaves her purse in the break room, anybody could walk by and steal her wallet, or maybe just her driver's license. Business owners can be found responsible for this, if they cannot show a policy or training that tells Susie she cannot leave her purse unattended while she's at work. Common sense tells us Susie should know better, but the law seems to be less and less about common sense, and more about placing blame.
The Stolen Data Problem
If your employees have access to confidential information that can be used for identity theft (credit cards, Social Security numbers, etc.), they may decide to use this information themselves to make purchases or obtain other lines of credit. Again, if you haven't specifically told Susie not to steal your clients' information, you may be liable for the consequences – and theft from the workplace is not exactly an uncommon occurrence. (Most network administrators will admit the true danger to your data isn't hackers, but people who have legitimate access to it.)
In this scenario, your company is looking at financial liability to a customer who was actually victimized, any professional organizations they may belong to, as well as Federal prosecution which can have a deep financial impact, cost you your company, or even land you in jail!
How to Protect Yourself
It would be unfair to bring up these points without providing some solution. As it turns out, there are some things you can do to help protect yourself.
You can protect yourself with policies and procedures. By having a written policy to address Data Security in your company, you will be able to show that you not only care about protecting sensitive information, but require your employees to do the same. Having guidelines on how this information is handled can keep your company out of the firing line.
Train your employees in how to protect information. Make sure they know not to share their passwords to computer systems. Don't let them leave files open on their desks when they go to lunch. Make sure confidential documents you no longer need get destroyed.
Have a privacy officer to stay on top of these kinds of issues. This can be an extra role for an existing employee or a full-fledged position within the company, depending on your needs. It is important to note that these first three steps are required for compliance with the various identity theft laws of the United States.
Offer your employees some sort of identity protection program. Not only does this help them see that you care what happens to them, but a good identity theft program will help relieve some of the "intangibles" mentioned above. More and more insurance and human resources professionals are recognizing that this isn't just a good benefit to offer the employees, but can be critical to the survival of the company.
Develop a culture of privacy awareness in your company. Articles in your company newsletter for employees, posters in the break room and workplace, having an expert talk to them at an employee meeting, even having an open forum discussion at one of your monthly meetings can help keep employees mindful of their risks of identity theft and how it can impact their job.