Workplace theft has long been an employer concern, but many of today’s workplace thieves are stealing not cash and merchandise but rather coworkers’ identities.

Privacy and security experts say workplace identity thieves often come from the HR department, where employee information is easy to come by.

The U.S. Secret Service, said identity information often is stolen electronically but also can be obtained with more low-tech methods. “Dumpster diving” – retrieving information from the garbage-stealing personal mail, and simply looking over an individual’s shoulder at his or her credit card or phone card are other methods of identity theft.

When identity theft happens in the workplace, the organization faces incredible liability, according to Garry G. Mathiason, an attorney with Littler Mendelson in San Francisco. The key issue, he said, is “whether the employer was negligent in the storing of the information.”

Employer liability is increasing as a result of state and federal statutes requiring protection of specific information, the eagerness of plaintiffs’ attorneys to file privacy lawsuits, and the “growing trend of the cybercriminal.”

Employers should protect their online data just as they do for physical properties, utilizing risk management and risk mitigation techniques.
All employees should be made aware of the consequences of inappropriately using protected information.

Employees should be educated about data security and also about company policies, including the “hows and whys.” Employees also need to be trained in how to spot and respond to security breaches.

The most important step employers can take is thorough background screening of employees that will have access to personnel data.