Employees – they're an organization's greatest asset and,sometimes they're also the greatest liability.

Employers have an obligation to keep their employees' bestinterests top of mind, but they also need to keep a watchful eye onthem. This can be particularly true when it comes to identitytheft.

We've all seen the screaming headlines on high-profile cyberbreaches. Typically, these events are focused on financial datastored by big retailers (which is why they're big news) and areoften the result of mysterious hackers working halfway around theglobe.

However, cyber breaches aren't always the stuff of movies or thetrending topic of the day. Frequently a breach is far more mundane,and very often employees are at the center of these breaches,whether as victims or perpetrators.

A duty to protect employees

Everyone understands that employers must protect personal data.Typically the focus is on customer data, however employee data isjust as important and just as vulnerable.

Identity theft is on the rise and the human resources departmentis a logical target for would-be identity thieves because it's atreasure trove of personal data: social security numbers, homeaddresses, bank account numbers and other confidential information.Data theft does not have to be a cybercrime; it could be a matterof a file cabinet not being secured and a lot of paper-basedconfidential employee information can be found sitting in adrawer.

When a breach occurs and an employee has her identity stolen,there is almost always a corresponding drop in productivity as sheputs her life back together. The identity theft victim has to dealwith credit card companies, banks, organizations where she hasmemberships, social media platforms… the list can be shockinglylong.  

Employees also cause risk

While there are significant incentives for employers to protectemployees from the possibility of identity theft, it's also vitallyimportant to protect the organization from employees.

Frequently, theft comes from an otherwise trusted employee.According to the Association of Certified Fraud Examiners, the moresenior an employee is in a company, the greater organizationallosses tend to be. There's some logic to this since these areprofessionals with access to information. When you add thepressures of high-level positions with the typical bumps andbruises of life—divorce, mounting bills, and the like—thetemptation to pilfer personal information can become too great forsome people to resist.

Employee negligence can also lead to data breaches and identitytheft. They may not mean any harm, but employees can be careless.They can lose their business smartphone, laptop or other equipment.Maybe they always choose 123ABC as their device password. Greatercare needs to be taken with equipment and passwords to protectinformation.

What employers can do

It's dangerous for employers and employees to think they knoweverything about protecting personal information. Employers shouldbe actively and continually engaged in a conversation aboutsecurity. Many companies require employees to sign an employmentagreement that makes it clear that the business owns allwork-related data and that employees must be careful. However, thatis frequently the end of the conversation.

Employers must educate their workforce on an ongoing basis. Byraising awareness of the employees' responsibilities and thesusceptibility to identity theft, employers can create a moresecure environment.

It begins with having better paper security because not all datatheft is cyber theft. Employees, especially those in HR, mustunderstand the importance of locking file drawers and not leavingpersonal information out in the open. There should also be a policyfor shredding documents and it must be enforced.

Employers must also have clear cut rules about securing personaldevices. Personal laptops, tablets and smartphones are often filledwith work-related information, and employees must be vigilant aboutsafeguarding these devices. Employees have a tendency to ignoresecurity measures (like using passcodes) because they view them asinconvenient. An ongoing conversation should address the criticalnature of this so-called inconvenience. Reinforce the need toreport a loss or theft immediately so that data loss can beminimized. Also, set rules for social media to prevent employeesfrom inadvertently sharing confidential information online.

Finally, employers have to do more than talk the talk on datasecurity – they need to set an example and invest in securitymeasures that help keep information protected as tightly aspossible.

Mindi Hirsch, CPCU, ARM, has expertise in coverage analysis,renewal strategy and carrier negotiations. She brings 20 years ofexperience in the insurance field to her role as senior accountexecutive for Corporate Synergies' Property & Casualtypractice.