
How to Protect Your Company From Falling Victim to Identity Theft

October 31, 2018 | Debbie Caporusso

As an employer, it’s not enough to be concerned about identity theft, whether it is your company or your employee population that is at risk. Your company’s liability under federal law will depend on the type of information breached. Under the Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act, employers may be liable if their acts or omissions lead to identity theft.

These laws are designed to protect consumer information—including data collected for employment background checks. Additionally, failure to adequately safeguard health-related information or medical records may create liability under the Americans with Disabilities Act or the Health Insurance Portability and Accountability Act.

Corporate Cybersecurity and Legal Risks

In February, the Securities and Exchange Commission voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission Statement and Guidance on Public Company Cybersecurity Disclosures provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and selective disclosure prohibitions in the cybersecurity context.

From the statement: “We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

How to Protect Your Organization

As identity theft capabilities expand, realistically no business can completely eliminate the risk of data breaches that may compromise employee or consumer information. However, taking reasonable measures to prevent foreseeable breaches can decrease the risk of breach, as well as the risk of liability in the event of a breach.

These reasonable measures are ways for employers to anticipate threats by taking a preventative approach to protecting their organization. This proactive approach can prove invaluable in protecting employees as well as customers and mitigating risk. TSA recently announced the use of new technology, similar to Cisive’s IDVerity™ solution, to improve security at airports by adding facial recognition to its security checkpoint processes.

Similar to TSA’s new biometric security screening, IDVerity forensically authenticates a candidate’s identity by validating the authenticity of their government ID and then comparing it to the candidate’s self-photograph taken from their mobile device. This technology can be used as part of the hiring and candidate verification process.

What to Include in Your Organization’s Data Protection Plan

As stated in the SEC guidance, having a policy and plan in place to protect your company from data breaches is imperative, as is frequent assessment of your policy. As technology evolves, so do the methods hackers use to attack your data. At a minimum, your plan should include:

  • Staff training on data protection and data security best practices. It’s helpful to provide simulations to protect against ever-changing phishing and hacking occurrences and strategies.
  • Ensure that your data is secure whether online or in person. Ask technology providers and vendors about their data protection policies and make sure every vendor you work with has a layer of security to protect your company.
  • Follow established employee termination processes and protocols, including removing access to protected databases and technologies such as an ATS, online portals, and other SaaS services.
  • Leverage artificial intelligence HR technologies like IDVerity as a form of live detection in your candidate selection process.

Additionally, any paper records should be maintained in a secure—preferably locked—location. For information and records that are maintained electronically, appropriate measures should be put in place to ensure data security, such as password protection and data encryption.

An article from the Forbes Finance Council says that 2017 was marred by a new cybersecurity breach virtually every week and came to be known as the “year of the data breach.” Even the largest companies (Target, Uber, Equifax) can be hacked. The most useful thing you can do as a company is educate your leadership and staff on recent incidents and make sure the correct protection is in place to prevent the possibility of a similar data breach.

To learn more about issues involved with identity fraud and the cutting-edge identity authentication technology available to protect your company, download Cisive’s white paper, The Case for Identity Verification in the Hiring Process.
