Three things we hear a lot about these days: the FTC, Twitter, and data security. This past June, a settlement brought the three together in what was the FTC’s first consent agreement with a social networking company involving allegations of inadequate protection of customer data.
The FTC focused on two security lapses in 2009 in which attackers gained administrative control of the micro-blogging site after obtaining administrative passwords, in one case by guessing a weak password with an automated tool. As a result, users’ private data was accessed and a handful of fake “tweets” were sent, including messages from the accounts of Fox News and then President-elect Barack Obama. (If you are on Twitter and follow President Obama, you may recall receiving the message about a chance to win $500 in free gasoline.) The settlement bars Twitter from misleading users about its privacy and security practices for 20 years and requires it to maintain an information security program that is assessed by an independent auditor every other year for the next 10 years. You can read more about the Twitter settlement here.
When most people think of data security breaches, their mind instantly paints a picture of a hacker: some person sitting somewhere in the world surrounded by a dozen computer monitors, working feverishly to guess passwords. Some data breaches do happen that way, as Twitter’s did, but companies that think investing in a strong firewall is enough to keep the bad guys out have already missed the boat. There is nothing wrong with a strong firewall; it’s just that some of the bad guys may already be inside it. Although it has been over a decade since some of the initial privacy laws like GLBA and HIPAA were enacted, there is still much cause for concern, especially when it comes to employees who may not have the knowledge, or the heart, to comply with data security rules and regulations.
Guess The Year
Look at the following data breaches as reported by the Identity Theft Resource Center. Can you guess the correct year that these breaches occurred? Was it 1997, 2006, or 2010?
- An employee used a skimming device to scan the magnetic strip from the credit cards of nearly a dozen customers.
- A call center employee for one of the nation’s leading banks stole account holders’ names, dates of birth, and addresses and tried to sell the information.
- A social services worker used the personal information of more than 150 clients to obtain $1 million in improper tax refunds.
- The owners of a New York company used the identities of more than 100 ex-employees to get nearly $100,000 worth of illegal unemployment benefits.
- At least two employees provided customer credit card information to a scammer who was posing as a police officer.
- Boxes containing hundreds of personal records were left outside a doctor’s office.
- An email containing private data was accidentally sent to the wrong recipient.
- A man stole information from customers at his mother’s dry cleaning shop.
- Social security numbers were included on address labels affixed to letters.
- A medical center employee accessed social security numbers of fellow employees to receive hundreds of vouchers for use on Amazon.com.
What do these 10 breaches have in common? First, they were all reported in 2010, so if you guessed any other year, sorry, but you missed the mark. Second, not one of them involved a hacker breaking through a company firewall. You will also notice that each breach falls into one of two categories: malicious intent (theft, forgery, etc.) or accidental disclosure (lack of knowledge or simple human error).
Making Headlines
Picture a company making the following headline in a national newspaper: Employee at XYZ Collection Agency Steals Credit Card Information from 1,000 Customers.
Now ask yourself these three questions:
1. How would clients view this?
2. How would the public view this?
3. How would competitors view this?
Most would probably wonder, “What kind of people are they hiring over there?” or “Why did it take so long to catch on?”
Obviously, employee theft and dishonesty can damage a company’s bottom line, but they can also cripple its reputation. By creating a comprehensive strategy, one that addresses a screening process for potential bad apples and also includes an educational component, companies can reduce the risk associated with both employee dishonesty and lack of knowledge.
Screening For Bad Apples
Barring strip searches on the way in and out of the office, it may be impossible to prevent all data security breaches. We have all read the news story about the employee with a 20-year tenure who suddenly goes “bad” and embezzles thousands from company coffers; even the federal government recently had tens of thousands of classified documents leaked by a member of the military. Even so, one of the best ways to deter employee theft and dishonesty is to prevent a bad apple from being hired in the first place.
Here are a few tips to consider:
Verify Past Employment History – Many candidates stretch employment dates to show stability and hide gaps in work history. They also tend to inflate responsibilities and titles. Some candidates even go so far as to list companies they never worked for. Always call those references, and always verify employment history.
Conduct a Criminal Background Check – For a reasonable fee, agencies can easily obtain a candidate’s criminal history. If the candidate has had prior convictions for theft, forgery, or fraud, there is an increased risk of a repeat offense. In fact, some clients require background checks on their third-party agencies’ employees. Beware: Some states are adopting a “ban the box” law which removes the criminal conviction question from the application. It does not mean that the conviction is swept under the rug, but it does mean that candidates with convictions will have a chance to explain themselves in more detail.
Pull a Credit Report – The information in a credit report can be an indicator of a candidate’s level of financial responsibility; however, some state laws restrict access to credit reports for employment purposes, so check the rules that apply in your state before pulling one.
Double Check Those Credentials – Did the candidate actually receive his or her college degree? With more and more employers requiring a degree, more and more candidates are lying on their resumes.
Put it in Your Ad – If the company conducts drug or background screening, it is a wise idea to say so in the job posting. It will prevent many bad apples from trying to get in the basket.
When putting together a screening strategy make sure it is consistent from one candidate to the next to prevent any claim of discrimination. A good human resources attorney can help set up a proactive offense while reducing your risk of being sued in the process. You might also consider reviewing the SCORE article How to Prevent Employee Theft for additional tips.
Tying It All Together
Certainly there is a price tag attached to using these tools, and accessing them may require the candidate’s consent, but can companies really afford not to do some type of preliminary screening given the heightened security requirements and scrutiny on the industry? Are companies so desperate to fill seats with any warm body that walks through the door that they will risk their brand and put clients at risk?
Accidental Disclosure
You are probably wondering about the accidental breaches that occur as the result of a knowledge gap or honest human error, right? That topic will be covered in the upcoming webinar The Perfect Storm Part 1 – Regs and Red Tape Trends Vital to the Success of Your Business. The webinar will feature data security expert Todd Langusch of TechLock and will cover a variety of topics to help keep debt collection agencies safe and secure. For more information, please click here.