Phishing, pharming and other means of ID theft
June 13, 2008
The statistics on identity theft are staggering. Recent surveys estimate that on average, there are between 9 million and 10 million victims of identity theft each year. On average, identity theft costs each victim $6,383 and 600 hours restoring his or her name and credit.
It’s so prevalent that TV commercials now joke about it.
For those not fully in the know, identity theft refers to any situation in which a person’s means of identification is exploited for an unlawful purpose. Specifically, there are four kinds of identity theft:
* Financial identity theft, which is using someone else’s name and Social Security number to obtain goods and services;
* Criminal identity theft, which involves giving another person’s name and ID when apprehended for a crime;
* Identity cloning, which is assuming someone else’s identity in daily life; and
* Business/commercial identity theft, in which one uses another’s business name to obtain credit.
While individuals become more savvy about protecting their credit card information, employers have not kept up. Surprisingly, 90 percent of all record thefts involve payroll or employment records. In fact, USA Today reported in January 2003 that employment records are such a lucrative resource for those engaged in fraudulent activity, thieves sometimes take jobs as temporary workers to get into a company for the sole purpose of absconding with employee data.
Not all crimes are so spectacular, however. The same report indicated that identity theft in the workplace can be perpetrated by third-party vendors handling corporate credit accounts or providing janitorial services. Sometimes, it’s as simple as a dishonest co-worker stealing information from an employee’s purse.
Whether it’s information about customers or information about employees, identity theft frequently becomes an HR problem. Employers, therefore, should take steps to ensure the information they obtain from and about employees is kept secure and to ensure that their employees (and others) are not improperly accessing or using information they obtain in the workplace for unlawful purposes.
Yet, as employers take steps to protect employee information, they are likely to encounter unexpected day-to-day management issues for which they may not be prepared. Among them:
* How secure is the company’s intranet?
* Is it practical to forbid employees from taking files — whether paper or electronic — home?
* Can we monitor our employees’ computer usage, even if the employees are offsite?
* How can we secure information remotely accessed by an employee using either company or personal equipment?
* How can we secure information on a laptop if it’s offsite?
* What do we do when a laptop gets stolen?
* How can we ensure that third-party vendors and contractors adequately protect the information provided by us?
There are several statutes relating to ID theft that employers should be aware of.
Although the Fair Credit Reporting Act (FCRA) was passed to regulate consumer reporting agencies and the users of consumer reports, employers must comply with its regulations when obtaining consumer information/background investigations, and/or taking adverse employment action based on such information.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) establishes disposal standards for the destruction of consumer information. The Act’s Sect. 216 mandates disposal standards for any consumer information derived from a consumer report and maintained for a business purpose. While this standard only applies to that information obtained from a consumer report, the FTC encourages all businesses to adopt this standard for the disposal of any document containing personal information about either customers or employees. Also, Sect. 216 requires any person who maintains or otherwise possesses consumer information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
Practical measures and policies
How do companies, as employers, limit their exposure? Although there is no single policy that will prevent identity theft from occurring, there are several steps that an employer can take.
First, know who is working for you. The law generally allows an employer to perform comprehensive background checks on applicants so long as the employer has obtained the appropriate waivers and does not discriminate in the equal enforcement of the policy. Employers should use the application process to their advantage and look for anything in the application or resume that might raise a red flag as it relates to fraud, theft and/or forgery.
Next, know your technology. Employers have been drafting technology use policies for a long time, often struggling to keep up with the ever-changing and expanding types of technology. Employers may have started with a policy prohibiting the personal use of the company’s telephone — only to be confronted with the question of what to do with the fax machine, then the cell phone, then quickly came e-mail, instant messaging, and blogging.
Employers must be cognizant that their technology-use policies are not simply to ensure productivity by keeping slackers off the Internet. They also provide protection to their own data and network. When an employee uses company equipment to connect to unauthorized Web sites, the employee exposes the employer’s computer system and the data kept on it to attack. We are now faced with such things as:
Phishing. The criminal use of e-mail and Web sites to deceive Internet users into disclosing their personal information. When combined with computer viruses and worms, employees who open one of these fraudulent links may also be opening up the employer’s entire network to external sources.
Pharming. A virus or other malicious program is planted in a computer’s Web browser. The program diverts users away from the legitimate typed address and takes the user to a fake copy of the Web site. Information then entered can be stolen.
Smishing. Phishing done through text messaging on a smart phone.
Vishing. Phishing using a telephone and/or voice mail.
Skimming. The electronic “bugging” of ATMs or point-of-sale credit/debit card readers, whereby card numbers and PINs are electronically recorded and later retrieved.
Also, know your options and draft appropriate policies. Because of the changing nature of technology, electronic communication policies should be written to cover all forms of electronic media and services accessed on or from company premises; all electronic media accessed using company equipment or company paid access; and all electronic media used in a manner that identifies the individual with the company.
These policies should address ownership of electronic messages and include a statement clarifying that there is no expectation of privacy in any electronic communication. Policies should also define what password protections are required as well as what activities are prohibited. Employers should require the frequent changing of passwords. The policies should also discuss who can use the company equipment, whether it can be taken offsite, and how it will be protected, especially since laptops can be easily stolen.
Keeping information safe
Finally, know your data. Employers should review their existing practices, and only collect information for which they have a justifiable need.
Employers can take several measures in the way documents are maintained. Depending on the size of the company, the nature of its business, the location of its employees and any other number of unique factors, any of the following may prove beneficial:
* Appoint a privacy or security officer.
* Update security continuously and change passwords frequently.
* Store sensitive data in a password-protected area of the computer system, and grant access on a need-only basis.
* Store paper documents in locked cabinets, which are in turn located in a secure area.
* Train staff in the privacy policies of the office.
* Limit data display and disclosures.
* Actively secure mobile devices that contain sensitive information.
* Put glare guards on laptops and computer screens.
* Encrypt any wireless network connections.
* Build virtual private networks (VPNs) into office computers and require their use for remote access.
* Consult with IT about the use of laptop security software.
* Do not forget the photocopier. Today’s digital copiers contain the same type of data storage mechanism that computers have.
Linda G. Burwell and Terry W. Bonnette practice law in Detroit with Nemeth Burwell PC, a firm that specializes in employment litigation, traditional labor law and management consultation for private and public-sector employers.