IN THE WORKPLACE
FREQUENTLY ASKED QUESTIONS
Q: My health insurance provider insists on using my Social Security number (SSN) as my subscriber ID number. Is there a law that prohibits this?
A: Given the number of lost and stolen wallets, this practice places many of us at higher risk for identity theft. Some states have passed laws that prohibit the use of the Social Security number as a personal identifier. One thing you can do is photocopy your card, front and back, cut off the last 4 numbers of the Social Security Number from the copy and carry the copy with you on a daily basis. Employers can also request that their health providers use alternate subscriber numbers. By the way, Kaiser Permanente has never used the Social Security Number as a subscriber number.
Q: My employer posts our Social Security Number on our timecards. They can be seen by everyone who works there and are by the public restrooms. Could this put me in danger?
A: Anytime an employer places your Social Security Number on a timecard, document, report, purchase receipt or ID badge it adds to your risk factor. Another poor practice is the use of the Social Security Number as a password/computer login. You should request a change in policy. This could be considered negligent behavior and opens companies up for a potential lawsuit. Again, some states are passing laws that prohibit the public display of Social Security Number.
Q: The enrollment form our new school district uses requests my Social Security Number. Why would they need that? Do I have to give it to them?
A: It is always a good idea to ask why information is needed before providing it. The answer – it’s on the form – is not a valid answer. You need to find out the reason behind the request. If the child’s health insurance number is your Social Security Number then they might need it for emergency purposes. Otherwise, it doesn’t seem reasonable. ITRC has found several school districts that asked for that information. After questioning the practice, the parents were told that it was an optional field.
Q: I am a new victim of identity theft. I think the imposter works for the same company that I do. What do I do?
A: Since sensitive information including the Social Security Number and even bank account numbers are so accessible in the workplace, security breaches at work are a common way for identity thieves to gather information. ITRC advises companies to write a policy regarding workplace identity theft reporting and post it in a conspicuous spot. The policy should provide a way for any victim of identity theft, company-related or not, to confidentially report the crime. Since HR is where the most information is stored, and therefore an attractive spot for an identity thief, reports should be redirected to the Security, Operations or the Chief Privacy Officer. Since most victims don’t know how the thief got the information, this gives the company a chance to evaluate whether the crimes seem similar. If the crime is an internal theft, the company needs to notify the appropriate law enforcement authorities. Unless told otherwise by the authorities they should then notify affected employees and members of the public.
Q: Do you have a model policy letter that our company can use?
A: Yes. Feel free to modify it. You will find it in this section of our website: Workplace Model Letter
Q: What is the best way to convince the company that I work for that some of the things they do are placing employees and customers in danger of identity theft?
A: Many companies are reluctant to change old practices due to the cost involved but also because it might be construed as admitting they were negligent in some way. ITRC has found the best approach is to acknowledge that the world has changed, and therefore security measures must be updated accordingly.
Your company must be shown that the problem of identity theft has forced ALL of us to reconsider our information handling practices – consumer and corporations alike. ITRC has an excellent consulting service for companies that would like some guidance in assessing their identity theft weaknesses and strengths. Companies that take these steps are often able to show the public that they are a responsible, caring business with the best interests of employees and the public at heart.
Q: The Company that I work for tosses out old mortgage application forms in the trash. Is that safe or legal?
A: Several states have passed laws that now require paper documents with personal data on them to be rendered unreadable prior to disposal. Encourage your state representatives to pass similar laws. This is a dangerous practice. Unfortunately, many breaches begin with the theft of documents from trash bins in the alley behind companies. Companies that require you provide information need to be held accountable for safeguarding it, forever, or return it to the consumer/employee when they no longer need it. ITRC recommends that should you find documents sitting out in the trash or near a dumpster in the alley you should contact the local police and the county or city attorney to see if they will take action. Dumpster diving and document disposal are also favorite topics of television investigative reporters.
Q: Can a company require that I give them information in exchange for services?
A: Yes and no. That is called coercion. You always have the option to refuse to give information. The company, on the other hand, can also refuse to provide services. If you don’t agree, vote with your feet and take your business elsewhere.
Q: I am applying for a new job. The application requests my driver’s license and Social Security numbers. Due to the increasing amount of identity theft, I would rather not disclose that information until I am offered the job. Do you have a recommendation on how to handle this situation?
A: We asked several HR people for their answers:
- If a job applicant did not want to share their Social Security Number at the time of the interview, I would certainly understand, especially if they shared with me the reason why. If someone told me they had been a victim of identity theft, I would not press the issue nor would I reject their chance to be interviewed. I can't imagine any employer refusing an interview on that basis. If they do, then it may be a violation of "equal opportunity for employment" law. Due to tax laws, once chosen, the candidate would then have to submit his or her Social Security Number.
- Where it says Social Security Number, place "Available upon request" or "See below" and explain your reason at the bottom of the form. You may say that due to high incidence of identity theft crime, you prefer to provide it directly to the interviewer.
ITRC would like to believe that all employers are as forward thinking as the ones that responded. That is not true and this is a situation where consumers need to make a hard decision. The reality is, fair or not, your desire to protect your information could cost you employment.
Q: I am a victim of identity theft. I am still trying to remove the imposter’s actions from my credit reports and think he may have gotten a ticket in my name. What do I tell a potential employer since I know they will do a background search prior to hiring me?
A: If the company has shown some interest in hiring you (they don’t do background searches until then) then share that you are a victim of identity theft and that a background search may not be completely accurate. Explain that you are still working "on your own time" to remove his actions from your reports. Any police reports or official documents (statements from credit issuers) you have will help the interviewer understand the problem. Request that you have a chance to go over the results of the search to make sure it is accurate and reflects your true information. States are starting to pass laws that would require employers to share this information with you.
Copyright April 2007, Identity Theft Resource Center®, all rights reserved.
Created by ITRC
This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to ITRC.