May 2007
Identity theft is everywhere. It's the crime of the millennium; it's the scourge of the digital age. If it hasn't happened to you, it's happened to someone you know. Identity theft is any use of another person's identity to commit fraud.

The obvious example is using a stolen credit card to purchase items, but it also includes such activities as hacking corporate networks to steal enterprise information, paying for medical care using another person's insurance coverage, taking out loans and lines of equity on assets owned by someone else, using someone else's ID when getting arrested and much more. The cost to businesses continues to increase as thieves become increasingly sophisticated.

It's a brave new digital world, where every step requires instant authentication of your identity not based on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Your various digital IDs are accessible by all kinds of people, and this explains the huge and growing phenomenon of corporate data breaches. It's simple arithmetic combined with a financial incentive - a growing volume of identity data, accessible by many people, that has significant value.

The office is a veritable playground of databases with your most sensitive data. The HR database, the applicant tracking system, the payroll system, the benefits enrolment system and various corporate data warehouses each store many sensitive pieces of identifying data. Not to mention the facilities system, the security system, the performance management systems, your network login and email accounts and all of your job-specific system accounts.

Every outsourced system multiplies the risk; each one has backups and copies and extracts and audits; each one is accessible by numerous internal users as well as the service providers. How many databases and laptops and paper reports throughout this web of providers and systems have your data, and how many thousands of people have access to it at any moment? The list rapidly goes from surprising to daunting to frightening the longer one follows the trail of data.

Once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. Identity theft can easily disrupt everything you do, and requires a massive effort to identify and plug every potential hole. Make no mistake: once compromised, your identity can be sold again and again, across a vast, shadowy international ID data marketplace that is extremely agile in adapting to any attempts to shut it down.

Taking on the Challenge
The good news is that at least this is a well-known problem. Identity theft is big news, and lots of folks have been trumpeting the alarm for years now. So you have permission to propose a reasonable way to address the problem, a serious, programmatic approach that will easily pay for itself in reduced corporate liability, as well as avoidance of bad publicity, employee dissatisfaction and lost productivity.

In general, I recommend that you approach identity theft prevention and management as a permanent initiative that is structured and managed just like any other serious corporate program. That means an iterative activity cycle, an accountable manager and real executive visibility and sponsorship. That means going through cycles of baselining, identification of key pain points and priorities, visioning a next-generation state and scope, planning and designing the modules of work, executing, measuring, assessing, tuning - and then repeating.

The most important step is to recognize the problem and train a sustained focus on it. Do as thorough a baseline review as you can, examine the company from the perspective of this substantial risk, engage your executive leadership and manage an ongoing improvement program. After a couple of cycles, you'll be surprised at how much better a handle you have on it.

Within the scope of your identity theft program, you will want to target the following primary objectives.

Prevention
From an enterprise perspective, you can't achieve identity theft prevention without addressing processes, systems, people and policy, in that order.

First, follow the processes and their data flows. Where does personal identity data go, and why? Eliminate it wherever possible. One can tightly limit which systems retain this kind of data, while still preserving the required audit and regulatory reporting capability for those few who perform this specific function. Assigning or hiring someone to try to "social engineer" (trick) their way into your systems, as well as asking employees to help identify all the little "under the covers" quick-and-dirty exposure points in your processes and systems, can be very effective in getting a lot of scary information quickly.

For those systems that do retain personal identity data, implement access controls and usage restrictions as much as possible. Remember, you are not tightening down data that drives business functions; you are merely limiting the access to and ability to extract your employees' personal, private information. The only ones who should have access to this are the employee themselves and those with specific regulatory job functions. Treat this data as you would treat your own personal and private assets.
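The access rule in this paragraph, as an added illustration that is not from the article: a field-level check that returns an HR record with the business fields intact but the private identity fields redacted unless the requester is the employee themselves or holds a regulatory job function, and that writes an audit entry for every access. The field classification, the role names and the sample record are constructed for the example; unclassified fields are treated as private and redacted, so a newly added column is not disclosed by default.

```python
# Added example, not the article's own code: field-level access control for an
# HR record with an audit trail. Field names, role names and the record are
# constructed for illustration; all values are fake.
from dataclasses import dataclass, field

# Fields that drive business functions stay visible to anyone who can open the record.
BUSINESS_FIELDS = {"employee_id", "name", "title", "department", "manager_id"}
# Private identity data. Anything not classified as business data is treated as
# private too (fail closed), so an unclassified new column is never exposed.
PII_FIELDS = {"ssn", "date_of_birth", "home_address", "bank_account"}

# Job functions with a specific regulatory need for identity data (assumed names).
REGULATORY_ROLES = {"payroll_tax", "benefits_compliance"}

# Constructed sample HR record.
RECORD = {
    "employee_id": "E1001", "name": "A. Example", "title": "Analyst",
    "department": "Finance", "manager_id": "E0042",
    "ssn": "000-00-0000", "date_of_birth": "1980-01-01",
    "home_address": "1 Example St", "bank_account": "FAKE-ACCT",
    "emergency_contact": "unclassified field, constructed",
}


@dataclass
class Requester:
    user_id: str
    roles: set = field(default_factory=set)


def may_see_pii(requester: Requester, record: dict) -> bool:
    """Only the employee themselves or a regulatory job function may see PII."""
    is_self = requester.user_id == record["employee_id"]
    has_regulatory_role = bool(requester.roles & REGULATORY_ROLES)
    return is_self or has_regulatory_role


def view_record(requester: Requester, record: dict, audit: list) -> dict:
    """Return the record with private fields redacted unless permitted.

    Every access, permitted or not, is appended to the audit list so that
    access audits can show who looked at whose identity data."""
    allowed = may_see_pii(requester, record)
    out = {}
    for key, value in record.items():
        if key in BUSINESS_FIELDS or allowed:
            out[key] = value
        else:
            out[key] = "<redacted>"
    audit.append({"who": requester.user_id, "roles": sorted(requester.roles),
                  "record": record["employee_id"], "pii_disclosed": allowed})
    return out
```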

Remember, it's not only those who are supposed to have access that are the problem; it's also those who are hacking. So part of your mission is to make sure that your network and system passwords and access controls are really robust. Multiple, redundant strategies are usually required: strong passwords, multi-factor authentication, access audits, employee training and employee security agreements, for example.

Train your people simply and bluntly that this data is personal, and not to be copied or used anywhere except where necessary. It's not the theft of laptops that's the big issue; it's that the laptops inappropriately contain employees' personal data. Give your people, including any contractors and outsourced providers, the guidance not to place this data at risk and the tools to use it safely: standardized computer system monitoring, encryption, strong password management on systems that contain this data, etc.

Develop policies for handling employees' private data safely and securely, and then hold your employees and service providers accountable and liable if they do not. Clearly, simply and forcefully communicate this policy and then reinforce it with messages and examples from senior executives. Make this especially clear to every one of your external service providers, and require them to have policies and procedures that duplicate your own safeguards, and to be liable for any failures. This may seem a daunting task, but you will find that you are not alone; these service providers are hearing this from many customers, and will work with you to establish a timetable to get there. If they don't get it, maybe that's a good signal to start looking for alternatives.

Minimize Your Corporate Liability
Minimizing corporate liability is all about having "reasonable safeguards" in place. You can't prevent everything and you're not required to, but if you have no passwords on your systems and no physical access control over your employee files, you're going to get nailed when there's a theft. So you need to do precisely the kind of review and controls that I've outlined above, and you also need to do it in a well-documented, measured and publicised way. That's the way legal liability works, and there's very good reason for this rigor. It ensures the kind of comprehensive and thorough results that you want.

This is why you want to make the effort to establish a formal program, benchmark what some other companies do, define a comprehensive plan and metrics after you complete your baselining and scoping steps and report results to your executives. Then you need to work for continuous improvement, because you need to know and show that you're doing all that could reasonably be expected to secure employees' personal data that is in your care.

Respond Effectively
Despite all your safeguards, the day will come when something goes wrong from an enterprise perspective. You absolutely can substantially reduce the probability, and the size of any exposure, but sooner or later, almost anyone's data can be compromised. When that happens, you need to shift on a dime into recovery mode, and be ready to roll into action fast. But your response must not just be fast; it must also be comprehensive and effective.

Above all, you must communicate clearly and proactively, first to employees, then to the public. The communication must say what happened, that a small, empowered task force has been marshalled, that temporary "lockdown" procedures are in place to prevent further similar exposure, that investigation is under way, that affected employees will be given recovery assistance and reimbursement of recovery expenses and that monitoring services are being used to prevent actual identity thefts using any compromised data.

Of course, all those statements need to be true, so:

- A task force of HR, IT, security, and risk management professionals and managers must be identified and trained, and procedures for a "call to action" defined in advance.

- They must be empowered to implement temporary lockdown procedures on employee personal data. Procedures for likely scenarios (laptop loss, backup tape loss, network login breach, theft of physical HR files, etc.) should be predefined.

- Template communications to employees, partners and press should be drafted.

- Qualified investigative services should be selected in advance.

- Expert identity theft recovery assistance resources and identity theft threat monitoring services should be evaluated and selected in advance.

Nothing is more important to protect your company than a well-planned and effective response within the first 48 hours of an incident. If you're not prepared and practiced well in advance, this will be impossible. If you are, it can actually be a positive public relations experience, and will drastically reduce legal, financial and employee satisfaction impacts.

Identity theft is not a flash in the pan; it's built into the way the world now works, and this heightens not only the risk, but also the damage. Companies are at special risk, because by necessity, they expose their employees' data to other employees and to their providers and partners, and they bear responsibility for the risk that this creates. Those in human resources information systems, whose specific function is the management of "people data," must take ownership of this emerging liability, and ensure that their companies are as safe and as prepared as possible.

Peter Marshall has been a leader in HRIT and "workforce effectiveness" for almost two decades. Prior to his current role as CEO of the ID Theft Defense Center, he was director of consulting practices at KPMG Consulting and Siebel Systems, the co-founder and CTO of Cipient Networks and a long-term strategic advisor to major HR outsourcers, enterprise application vendors, and other Fortune 500 firms. Peter is an acknowledged expert on enterprise systems, identity theft, and workforce services. Visit the Identity Theft Defense Center at www.myidcenter.com.

By Peter Marshall

© Capital ME 2007