In the past year, more than 88 million Americans have had their identity endangered as the result of data breaches, according to the Privacy Rights Clearinghouse. Topping the list: a case at the Veterans Administration, where an unidentified analyst took the employee information of 26 million veterans home on a laptop computer that was then stolen in a burglary of his home.
A recent report authored by Dr. Doug Jacobson, director of Iowa State University’s Information Assurance Program, finds that the biggest risk of data breaches or theft comes from careless employees or consultants who don’t properly secure the data they are entrusted with. The report audited 126 companies that suffered a data loss and found that more than 54 percent of lost data was the result of employee error, with only 34 percent being due to outside hackers.
“Over the past couple of years, thefts of consumers’ personal information have been caused by trusted employees and consultants who don’t risk the same security barriers as hackers do from outside the company,” said Dr. Doug Jacobson. “All of a sudden, employers are realizing that the biggest security threat they face to the sensitive data they are storing and/or sending is now coming from employees who can’t get caught by the millions of dollars of security technology designed to prevent the bad guys from getting in.”
Steven Hastert, president of ShredNations.com, says that there are some simple steps that every company should take to help keep their employees’ information safe from identity theft.
Human resources departments should have security procedures for storing private employee information. Lock up all employee files, both active and terminated, in a secure area. More importantly, make sure that only authorized personnel have access to the key.
Employee information stored in databases should also be secured. It is amazing how many employee files are open to any employee just clicking through the company network on their lunch break. Sensitive employee data should not be stored on mobile storage devices, including laptop computers and USB thumb drives. Only the human resources department should have access to employee files, paper or electronic.
Usually, the weakest link in the security chain is the person trying to be helpful to someone on the phone. Unless an officer of the court provides your company with a subpoena, you should have a strict policy to never release employee information to any individual or organization except to the employee him/herself. This rule should also apply to all consultants.
For tax purposes, it is impossible to avoid using social security numbers, but they don’t need to be printed on every document. Mask the first five digits of the social security number on pay stubs and other documentation not submitted to the IRS. This is even more important for documents sent through the mail.
Implement a clean desk rule at your company. It is an easy way to protect your company’s information from unauthorized eyes. This requires every employee who deals with sensitive information to clear their desk whenever they leave their office. Sensitive information should either be filed and locked or placed in a locked shredding bin.
Once paperwork containing sensitive information has been processed and does not need to be stored, it should be shredded. A shredding service not only makes secure disposal easy but will also provide free locked containers to store the material in until it is shredded. This helps employees focus on their core responsibilities and comply with the clean desk policy, and it documents the shredding program for legal compliance. Best of all, a shredding service is cheaper than paying your employees to do the job with an office shredder.