Friday, May 23, 2008

Small Lapses Can Lead to Identity Theft

Firewalls may not be enough to prevent identity theft.
Jim Stickley steals employee and client information for a living. But you won’t find his name in recent news stories about ChoicePoint, Bank of America or LexisNexis.

Instead of trying to get him arrested, the companies Stickley pilfers willingly pay him for his stealth and trickery. As co-founder and chief technology officer of Baton Rouge, Louisiana-based TraceSecurity, Stickley gains entry to corporate offices and steals confidential records in order to expose security breaches.

One of his favorite methods is pretending to be an exterminator. Stickley will create an e-mail address that appears to belong to an employee at the company and then send a message to real employees, alerting them to a call they will get from "pest control," arranging for a bug inspection in their offices.

Once in the facility, Stickley says it’s easy to be left alone in rooms where confidential information is stored. "I would say 20 percent of the time they come with us into the server rooms, but even then it’s easy for us to come up with a reason to leave us alone." Stickley then takes the data and the company often won’t even realize it is missing, he says.

While companies tend to spend thousands of dollars on firewalls and security software, it’s simple things they fail to do to protect confidential data that make their employees and clients vulnerable to identity theft, Stickley says.

"They leave Social Security information in unlocked desk drawers or corporate card information in locked rooms that aren’t hard to access," he says. "Everything we do comes down to a breakdown in policy or a lack of policy altogether."

Such breakdowns have hit the headlines lately, causing many companies to question their own policies and procedures regarding identity theft prevention. The most notable of these episodes occurred at ChoicePoint, a Georgia-based data aggregator where a Nigerian con artist posed as several small businesses and got access to the personal information of 145,000 people.

A few weeks later, Bank of America disclosed that it lost backup tapes containing personal financial information and credit card data of more than 1 million government employees, including U.S. senators. In a third incident, Reed Elsevier announced that its LexisNexis subsidiary had identified a number of incidents in which customer information was compromised. As a result of such incidents, the Senate Banking Committee held hearings to discuss ways to better protect people's personal data. A number of proposals are under consideration.

Also in response to news of these breakdowns and break-ins, more companies are conducting audits of their data security policies, according to Mike Rosen, executive vice president at Kroll Background America, which provides such audits. While in the past Kroll received requests for audits largely after a breach had occurred, more companies are now trying to be proactive.

Although testing the firewalls and security software is an important part of what Kroll does, checking whether there are policies in place to protect employee and client information is a priority, says Alan Brill, senior managing director at Kroll Ontrack, the technology services unit of Kroll.

"When we go into a company, one of the first things we do is talk to the human resources manager and ask what their policies are and what are they doing to communicate those policies to employees," Brill says. "You want to make sure that people understand who gets to see what data."

This is particularly important given that "the substantial majority of these incidents come from the inside," he says. While background checks are a good starting point to prevent identity theft within the company, employers need to review their systems and policies on a periodic basis and educate employees on these guidelines, Brill says. According to a 2004 poll conducted by the Society for Human Resource Management, half of employers conduct background checks, but only 23.5 percent educate employees about what measures they should take to protect employee information and guard against identity theft.

Many companies are appointing chief privacy officers to oversee all personnel and client data. "The chief privacy officer tries to understand what data is being held by whom and makes sure that the organization is following best practices," Brill says. "This person serves as management’s point of contact for understanding whether appropriate controls and audits are in place."

Companies also need to make sure that the vendors they use have appropriate controls in place to prevent identity theft. Payroll administrators and benefits providers in particular have access to personal information that needs to be protected.

"If those companies want to do business with you, you can set up requirements that they have to meet," says Jordana Beebe, communications director at the Privacy Rights Clearinghouse, a San Diego-based nonprofit organization. The requirements should include a provision ensuring that vendor companies conduct background checks of all of their employees and periodically audit their systems.

In the end, simple things will help prevent identity theft, consultants say. For example, using Social Security numbers as employee identification numbers doesn’t make sense when that information is all a thief would need to steal a person’s identity, Brill notes. California, for instance, has passed a law, which will take effect in 2008, requiring employers to use only truncated Social Security numbers on paychecks. "The time has come to think of alternatives," Brill says. "Every one of us is a potential victim of identity theft."