The Threat Is Real
In 2004, 9.3 million Americans – or one in every 23 adults – were victims of identity theft. The dollar cost impact is gargantuan. Identity theft crimes tallied $52.6 billion in costs in 2004. This amounts to almost $200 for every man, woman, and child in the U. S. In five years, federal officials say people will be more likely to be a victim of this crime than not.
Identity theft wreaks significant damage on its victims. Out of pocket expenses related to identity theft have risen to $1,495, up from $808 in 2002, plus $16,000 in average lost wages. The average recovery time has spiked to 607 hours, up from 175 hours in 2002. While personal liability is low in the majority of cases, 16 percent of victims were forced to pay an average of $6,440 to cover thieves’ purchases. And victims remain vulnerable for the rest of their lives. Identity thieves are likely to use stolen data months or years later.
Online shoppers and banking customers are reducing their cyber activity because of privacy fears. A June survey found 40% of shoppers and 28% of online banking users are cutting back, Gartner said e-commerce revenue growth will slow by 1-3% by 2007 unless customer fears are alleviated. Nearly 40% of the banks participating in the American Banking Association's 2002 survey on fraud ranked identity theft as the No. 1 threat to the banking industry. Over 1 million consumers have been tricked into divulging their personal information to email fraud alone, with financial losses totaling nearly $1 billion. Al-Qaida cells even use identity theft to raise money. Imam Samudra, mastermind of the 2002 Bali bombings that killed over 200 people, wrote a jailhouse manifesto about funding terrorism through identity theft and computer fraud.
Despite years of media coverage and frequent dire warnings by consumer protection groups, identity theft is the fastest-growing crime in the United States. Identity theft has been the #1 complaint to the FTC for the last 3 years in a row – by far. Last year, identity theft represented 43% of all the complaints placed with the FTC. There have been at least 104 serious “data incidents" in the US so far in 2005, compromising the records of more than 56.2 million individuals. And a worldwide criminal identity marketplace has now matured. Credit card numbers, SSNs, and other personal data are commonly traded and sold in huge numbers.
Employers Have A Major Stake
The #1 underlying source of identity fraud is theft of employer records. 51% of all identity thefts occur in the workplace; usually perpetrated by people hired to perform low-level tasks, such as data entry. About 90% of business record thefts involve payroll or employment records; only about 10% are customer lists. Most businesses think of client records as the most valuable, but payroll records are more often what's stolen, with increasing frequency.
On June 1, 2005, a new provision of the Fair Access to Credit Transactions Act (FACTA) goes into effect. It says that any employer whose action or inaction results in the loss of employee information can be fined by federal and state government, and sued in civil court. An employee is entitled to recover actual damages sustained if their identity is stolen due to your inaction, or statutory damages up to $1,000 per employee. Employees may also bring class-action suits against employers for actual and punitive damages. In addition, federal fines of up to $2500 per employee, and state fines of up to $1000 per employee may also be levied.
A recent case in Michigan highlights another source of corporate liability. In the 2005 case of Audrey Bell et al vs. AFSME AFL-CIO Local 1023, the Michigan Appeals Court affirmed a jury award of $275,000 to AFSME members who had sued the union for failing to safeguard its members’ SSNs. It recognized a “special relationship” between the union and its employees, including a duty to protect them from identity theft by providing safeguards to ensure the security of their “most essential confidential identifying information, information which could be easily used to appropriate a person's identity.
The Bell case has national implications for employers. Arizona, California, Illinois, Texas, and other states have statutes that require an employer to restrict the use and disclosure of SSNs. While not as broad as Michigan's, they support the view that a “special relationship" exists between an employer and an employee whose data is stolen from the employer to commit identity theft. Even in jurisdictions with no statutes restricting employers’ use or disclosure of empoyee SSNs, the tide of legislation on identity theft may be sufficient to support a finding of the necessary “special relationship”. The Wall Street Journal recently predicted that there will be a flood of lawsuits by both consumers and businesses because of identity theft issues.
Employers also suffer other significant costs when their employees experience identity theft. Conservative calculations based on recent reports indicate that an employer with 1000 employees, who make an average of $40,000 salary per year, can expect to incur costs of well over $600,000 per year. Identity theft also threatens enterprise security, enabling corporate espionage and fraud, and theft of hard assets and intellectual property. Large scale or frequent identity thefts also results in significant negative publicity, impacting sales, partnerships, and employee recruiting and retention.
Protection As An Employee Benefit
The only solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of Identity Theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on Identity Theft and the protection you are making available, similar to what you probably do for health insurance. They may either elect or decline to have identity theft coverage.
If the employee has coverage, but becomes a victim, the employer gains: the employee will spend less time and money, and experience less frustration in restoring their identity. If the employee declines the coverage, and later claims their identity was stolen as a result of you or your company’s actions, the employer has signed proof that they attended the presentation and declined the coverage.
Identity theft protection employee benefits are a trend because employers are looking for ways to lower their costs. It's unique, it's hot in the marketplace, and it's inexpensive. A growing number of companies are offering identity theft coverage as an employee benefit, in part to reduce lost time when a worker becomes a victim. Greg Roderick, CEO of Frontier Management, says that his employees “feel like the company's valuing them more, and it's very personal. ” Matt Oros, CEO of Benelogic, adds “I think it's a tremendous value to protect someone's name. It is like a soft pillow at night that you can lay your head on and know that you're going to have an advocate. ” And Donald Harris, head of IHRIM’s Special Interest Group on Privacy & Security points out: “Privacy is like diversity in this regard: Done the right way, each involves respecting and empowering individuals, and reaping the business benefits that this can bring, rather than acting primarily to avoid risks and legal problems. ”
Do Your Homework
Caution – there is a significant difference between the programs that are available. Many new programs are now appearing on the market, to take advantage of the fear and confusion around identity theft. Many of them are very overpriced, and many do not provide the kind of protection necessary to really reduce risk, or to cover losses and speed recovery in the event of an identity theft incident.
Peter has been a leader in HRIT and “workforce effectiveness” for almost two decades. Prior to his current role as CEO of The Identity Guardian, he was Director of workforce solutions practices at KPMG Consulting and Siebel Systems, the co-founder and CTO of Cipient Networks, and a long-term strategic advisor to major HR outsourcers, enterprise application vendors, and other Fortune 500 firms. He also managed HRIS teams at Disney and FHP, and was Manager in KPMG’s Peoplesoft practice. Peter is an acknowledged expert on enterprise systems, identity theft, and workforce services, and brings this unique combination of expertise to this critical and timely topic.
The Identity Guardian provides in-depth corporate training and program development services, as well as a comprehensive and low-cost identity theft benefit program. For more information, visit our website at http://www.theidentityguardian.com, call us at (888) 7-ID GUARD, or email us at email@example.com.