In lieu of an abstract, here is a brief excerpt of the content:

Identity Theft and Fraud
Chapter 9: Employee Responsibility for Risks to Identity Assets

“Hard work never killed anyone but why take a chance?” —Edgar Bergen

Are employees responsible for identity theft risks? Organizations are the sites of identity information collection, use and storage, and employees are involved in all the stages of the identity management lifecycle. How they deal with information at hand will have a major impact on information security and ultimately identity theft. To answer the above question, we examine in this chapter the role of employees in identity theft problems. We identify and analyze those factors that could influence employee mishandling of information. Finally, we make some recommendations that organizations may implement to prevent employees from mishandling critical identity information.

Employee Mishandling of Identity Information

As discussed in Chapter 2, combating identity theft involves multiple stakeholders, including identity owners, identity issuers, identity checkers and identity protectors (Wang, Yuan et al. 2006). In Chapter 8, we examined the risk of theft at each stage of the identity management lifecycle and recommended some countermeasures that each stakeholder may implement to prevent and detect identity theft. The holistic analysis presented an overall picture of identity theft risks.

In this chapter, we turn to organizational stakeholders and focus specifically on the role of their internal employees. ‘Organizations,’ in this context, refers to identity issuers and checkers defined by Wang et al. (2006). Organizations are the sites of identity use (and misuse) and are central to the detection of identity theft (Lacey and Cuganesan 2004). Identity thefts happen when identity issuers issue identities to the wrong people or identity checkers fail to detect false identities.
Indeed, identity theft problems are “in the hands of organizations” (Cavoukian 2005) and the primary institutional responsibility for identity theft prevention rests in organizations (Hemphill 2001). Organizations may contribute to identity theft risks at all stages of the ID management lifecycle described in detail in Chapter 8: issuance, usage and maintenance. At each of the stages, internal employees play an important role in protecting identity information. After all, it is employees who handle these processes in an identity management lifecycle. Employee mishandling of identity information will therefore have an impact on identity theft.

At the issuance stage, where identities are established or issued to identity owners, employees may fail to authenticate properly and check the eligibility of individuals who apply for an identity. Such failures will ultimately result in the possession by identity thieves of valid identities, such as credit cards being issued to identity thieves under victim names.

At the usage stage, where the right service should be provided to the right and eligible person (identity owner), organizations are identity checkers that verify a person’s identity before providing any services. The key factor that contributes to the identity theft problem at this stage is that organizations (and thus their employees) often do not put sufficient effort into verifying customer identities and detecting possible fraud. For example, businesses rarely verify whether a customer is the true owner of the credit card with which she or he makes a purchase. Only a handful of businesses, like Best Buy, require customers to show a photo ID, and only when the purchases are over a certain amount.

At the maintenance stage, the integrity of identity information is maintained.
The responsibility for safeguarding identity information rests largely with organizations, including identity issuers and identity checkers. Poor information management practice by organizations is arguably the single largest cause of identity theft (Cavoukian 2005). Organizations should enforce policies and implement proper internal control to secure identity information. However, organizations often fail either to implement or to enforce these controls. As a result, there has been an outbreak of high-profile security breaches that have exposed the personal information of millions of individuals (discussed in detail in Chapter 5). According to the Identity Theft Resource Center (ITRC), a not-for-profit identity theft tracking website in the United States, in 2010 there were 662 reported security breaches that exposed more than sixteen million records (Identity Theft Resource Center 2010). Many of the breaches can be traced to internal employees where, for example, laptops are lost that hold large volumes of unencrypted personal information, where there are failures to safeguard passwords and where insider theft occurs, among other threats. We classify employee behaviours causing identity theft into three categories: intentional theft and...
