Identity Theft and Employer Liability

Most individuals would agree that identity theft is a large and increasing concern in the United States. The Federal Bureau of Investigation calls identity theft "a significant and growing crime problem"1 and an "increasingly insidious and pervasive problem"2 that can threaten virtually any American. More ominously, the FBI said identity theft "costs American businesses and consumers a reported $50 billion a year, causes untold headaches for an estimated 10 million U.S. victims annually, and even makes it easier for terrorists and spies to launch attacks against our nation."3
     As identity theft continues to grow as a crime and a social, financial and security concern in the United States and beyond, questions of liability become more crucial. In light of the criminal and social considerations, the litigious environment in the United States, and existing and emerging laws concerning corporate responsibility for the protection of personal data, commercial entities have begun to take actions of their own to protect the data of their customers and, increasingly, their employees.
     A closer examination of the personal impact of identity theft reveals why it is a growing concern among corporate risk managers.

A Staggering Personal Impact
     Consider this scenario: an employee of a U.S. company is sent to Monterrey, Mexico by her company to study the capabilities of an IT service provider. While in Monterrey, she uses her company-issued credit card, tied to her personal Social Security number, to pay for her hotel, food and local transportation expenses. She also uses a personal credit card to purchase some gifts for her family back home. After her business in Mexico is completed, she returns to the United States. A month later, her credit card bills arrive and sit on her home desk for two weeks until she has time to address them. As she scans the charges from her trip, now six weeks in the past, she notes a $50 charge from a Monterrey financial institution with a name she does not recognize. Her personal credit card company advises her that it is probably a processing transaction related to a purchase from her recent trip but agrees to reverse the charge. She pays the bills and gets on with her busy life. On her next personal credit card bill, four mysterious charges from various Caribbean islands appear, totaling $800. Ten weeks after her trip to Mexico, she comes to terms with the fact that her identity has been stolen.
     In this scenario, our hypothetical victim is fortunate. Her potential losses are only in the hundreds of dollars, and it took her just two and a half months to discover the theft. A more common scenario, according to a recent insurance industry study, would involve thousands of dollars and take five to six months to discover. More alarmingly, a typical identity theft victim will spend as much as 600 hours over the better part of a year working to resolve issues related to a single case of identity theft.
     The customer service required to help consumers resolve issues related to identity theft is fairly sophisticated. Consequently, many credit card companies and credit reporting agencies cannot provide these high-level services on a 24/7 basis. Therefore, individuals often must take time during their workdays to resolve these issues. This reality creates a connection between identity theft and employee productivity. Given the FBI's estimate of 10 million U.S. identity theft victims each year and the workday time each of them will likely spend resolving their victimization, the potential productivity losses become significant. Productivity losses, however, are not the only concern related to identity theft among corporate risk managers.

An Inside Job
     Personal data losses occur in a number of ways. Personal information can be stolen via the Internet when online transactions are made. Identity theft also can occur when there is some kind of personal connection between the thieves and their victims. For employers, a more critical concern is when identity theft can be tied to the action of employees, which one recent study said accounted for some 16 percent of identity theft cases.
     Perhaps the best known case involved the loss of up to 26 million personal records from the U.S. Department of Veterans Affairs due to an employee improperly taking the records home on a laptop computer, which was subsequently stolen. Other cases involved government agencies including the U.S. Census Bureau and the National Oceanic and Atmospheric Administration. Private sector organizations that recently experienced data breaches at the hands of employees include Bank of America, Fidelity Investments, LexisNexis and DSW Shoe Warehouse. When employees mishandle personal data and losses occur, employers—whether private or public sector—are culpable.

States Begin to Regulate

     A groundbreaking case in Michigan provides a sobering illustration of this culpability. Last year, Michigan became the first state to require by law that every employer establish a policy for keeping employee Social Security numbers secure. The law was passed at nearly the same time a Michigan appeals court allowed victims of identity theft to recover financial damages from organizations that did not adequately protect personal data that were subsequently used for identity theft. In the court case, a labor union employee took home documents showing union members' names and Social Security numbers; the employee's daughter stole the information and used it to engage in identity theft. The union was found legally and financially liable for the actions of its employee.
     In addition to the above events in Michigan, a number of other data-protection initiatives are keeping legislators busy in Washington and in state capitals around the nation. California was the first state to pass a law requiring notification of all affected parties when a data security breach has occurred involving their personal information. According to the National Conference of State Legislatures, similar legislation was introduced in 31 states during 2006 and already has been enacted in at least 12 states. NCSL also says that 38 states have introduced legislation aimed specifically at protecting Social Security numbers (as in Michigan). The Information Technology Industry Council is calling for a federal breach notification law to preempt myriad state laws with varying requirements. ITIC also is calling for federal laws that go beyond breach notification to promoting industry-wide best practices that reduce the risk of breaches and provide harsh penalties for intentional acts of identity theft.
     In short, all three branches of government, at both the state and federal levels, are focused on identity theft to some degree. The net result will be increased statutory, regulatory and legal pressure on corporations to protect personal data and to protect their businesses from subsequent financial and productivity losses.

A Tall Order

     Undeniably, corporations have increasing liability for the security of employee and customer information and personal data, and a justified concern for protecting all parties from this rising risk. An increase in security breaches involving lost or stolen personal data has accentuated the need for a solution, leading to lawsuits and the implementation of related laws and regulations across the country.
     So what must corporations and their risk managers consider when developing their data protection/identity theft strategies? The list is significant: 
 •  What types of policies must corporations implement to ensure customer and employee data protection? 
 •  What types of protocols and procedures must be in place to minimize risks related to employee actions that lead to data/security breaches? 
 •  What alerting systems can be established to identify breaches as early as possible?
 •  How will breach notifications be handled so they comply with extant and emerging laws?
 •  How can the exposure of customer and employee Social Security numbers be minimized?
 •  What can be done to maintain appropriate levels of productivity among employees who have become victims of identity theft?
     The answers likely will involve everything from audits determining which employees have access to what data, stricter pre-employment background checks, and document destruction policies and procedures to employee education programs.

A Nagging Issue of Productivity

     While many of the above initiatives must be viewed by employers as important business activities, one issue emerges as a potential "third rail," an unwieldy exposure, the impact of which is as potentially staggering as it is difficult to manage. How can companies manage productivity losses related to employees who themselves have become identity theft victims?
     Remember, FBI estimates say that 10 million Americans become identity theft victims every year. While that number represents roughly 4 percent of the general population, it is likely to represent a much greater percentage of the working population given current numbers of children, students and retirees. Ten percent of the full-time workforce is probably a fair number.
     Each individual employee victimized likely will spend some 600 hours over the course of a year resolving issues related to identity theft. Given the current state, many of those hours will have to be spent during the typical workday—when credit card companies and credit reporting agencies offer this high level of customer service. Assume an employee strives to minimize work time spent on such matters, keeping it to only a couple hours per week for a year-long total of just 100 of the 600 hours. Against a typical 40-hour week across a 50-week year (allowing for two weeks of vacation), this represents a 5 percent productivity loss per affected employee with the very real possibility of 1 in 10 employees being affected.
     The potential costs of these productivity losses can be staggering, especially when considered along with related regulatory compliance costs and potential legal liabilities. While the compliance costs likely lie in the realm of the chief operations officer and the potential legal liabilities are the concern of the general counsel, the risk manager may well be the executive called upon to mitigate these kinds of productivity losses.

A Risk Management Solution

     Over the past few years, the risk management industry has developed insurance products that assist corporations in minimizing certain losses related to identity theft.
     For example, Worldwide Assistance's Data Breach Response Service helps corporations protect themselves, their customers and their employees from the negative impact of breached data and identity theft. Should a breach occur, affected customers and/or employees can be notified in a timely manner through the service. The related ID Theft Resolution Services, often added to a company's package of employee benefits, help victims quickly and easily recover from identity theft. The services include a specially trained coordinator who personally assists the victim by doing the necessary paperwork—making appropriate phone calls and completing other restoration activities, such as credit report reviews, account cancellations, disputed items removal and more—on behalf of the victim. The work is done by a trained specialist and the employee is freed up to focus on work instead of restoring his or her good name.
     Lost employee productivity is just one aspect of the corporate impact of identity theft. While it is not an insignificant one, it is one that can be managed using available solutions.

A Closing Consideration

     Chances are any one of us knows at least a few persons who have been victimized by identity theft. Among working Americans, it is likely that 1 in 10 persons have had their identities stolen. The financial losses notwithstanding, restoration of a person's good name and credit is a daunting task. Additionally, the companies those individuals work for are becoming increasingly culpable in the estimated 10 million cases of identity theft that occur in the United States each year. And the threat is said by authorities to be a growing one.
     Many of the corporate risks associated with identity theft can be mitigated by the development and implementation of sound policies, systems and procedures. Others will ultimately become matters for the courts. Those risks that flow from the affected individual, however, must be managed using available tools and products that both support the individual and protect the employer. In the absence of a solid risk management plan for identity theft, the potential losses are nearly unlimited.

Guillaume Deybach leads Worldwide Assistance, part of the multinational Europ Assistance Group, which offers identity theft resolution services, travel assistance, emergency medical evacuation and repatriation, medical referrals, case monitoring and international claims management. More information can be found at www.worldwideassistance.com. Contact Mr. Deybach at gdeybach[at]worldwideassistance.com or by telephone at 202-331-1609.

1: April 13, 2005, testimony of FBI Criminal Investigative Division Assistant Director Chris Swecker before the U.S. Senate Judiciary Committee.
2: From "Protecting Your Identity: New Partnership Targets Data Theft," June 28, 2006, fbi.gov.
3: Ibid.


