As an employer, it’s not enough to be concerned about identity theft, whether it is your company or your employee population that is at risk. Your company’s liability under federal law will depend on the type of information breached. Under the Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act, employers may be liable if their acts or omissions lead to identity theft.
These laws are designed to protect consumer information—including data collected for employment background checks. Additionally, failure to adequately safeguard health-related information or medical records may create liability under the Americans with Disabilities Act or the Health Insurance Portability and Accountability Act.
In February, the Securities and Exchange Commission voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission Statement and Guidance on Public Company Cybersecurity Disclosures provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and selective disclosure prohibitions in the cybersecurity context.
From the statement: “We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”
As identity theft capabilities expand, realistically no business can completely eliminate the risk of data breaches that may compromise employee or consumer information. However, taking reasonable measures to prevent foreseeable breaches can decrease the risk of breach, as well as the risk of liability in the event of a breach.
These reasonable measures are ways for employers to anticipate threats by taking a preventative approach to protecting your organization. This proactive approach can prove invaluable in protecting employees as well as customers and mitigating risk. Like Cisive’s IDVerity™ solution, TSA recently announced the use of new technology to improve security at airports by adding facial recognition to its security checkpoint processes.
Similar to TSA’s new biometric security screening, IDVerity forensically authenticates a candidate’s identity by validating the authenticity of their government ID and then compares it to the candidate’s self-photograph taken from their mobile device. This technology can be used as part of the hiring and candidate verification process.
As stated in the SEC guidance, having a policy and plan in place to protect your company from data breaches is imperative, as is frequent assessment of your policy. As technology evolves, so do the methods hackers use to attack your data. At the minimum, your plan should include:
Additionally, any paper records should be maintained in a secure—preferably locked—location. For information and records that are maintained electronically, appropriate measures should be put in place to ensure data security, such as password protection and data encryption.
An article from the Forbes Finance Council says that 2017 was marred by a new cybersecurity breach virtually every week and came to be known as the “year of the data breach.” Even the largest companies (Target, Uber, Equifax) can be hacked. The most useful thing you can do as a company is educate your leadership and staff on recent incidents and make sure the correct protection is in place to prevent the possibility of a similar data breach.
To learn more about the issues involved with identity fraud and the cutting-edge identity authentication technology available to protect your company, download Cisive’s White Paper, The Case for Identity Verification in the Hiring Process.