
The HR Guide to Employee Data Protection and Identity Theft Prevention



Chapter 1: HR’s responsibility to protect sensitive data
Chapter 2: Major costs associated with data breaches and loss of employee data
Chapter 3: Steps HR can take to protect employee data
Chapter 4: How does identity protection differ from traditional credit monitoring services?
Chapter 5: Identity protection improves corporate security
Chapter 6: Identity protection ranks as top employee benefit
Chapter 7: Selecting the right identity protection service for your employees
Chapter 8: Additional resources

We’ve reached the conclusion of our first blog series dedicated to HR professionals, and to better assist you in your crusade to protect employees’ personal data, we’re putting our helpful content in one place: this blog. In the coming weeks and months, we’ll be updating this page with related material and resources you can use at your company, so be sure to bookmark it.

Additionally, you can subscribe to our blog for the most up-to-date content and alerts. Just enter your email address in the box on the upper-right side of this page, and click subscribe.

Chapter 1: HR’s Responsibility to Protect Sensitive Data

HR professionals have many responsibilities, but none quite as important as their duty to protect employees and their company. In today’s digital world, that means they must take on a much different role than in years past — they must become cyberwarriors.  

Knowledgeable and proactive HR managers are our best line of defense against phishers, identity thieves, hackers, and all the other crooks who are increasingly targeting businesses and their employees. Every day, HR managers face risks they may not even know exist. Here are just a few of the challenges they must continually overcome.

HR data is like gold to identity thieves

Local and federal laws, as well as corporate policies, often require HR departments to collect, handle, and store a tremendous amount of personal data about employees. If thieves can access your HR records, then they’ve struck gold — making off with employees’ names, addresses, Social Security numbers, past work experience, and more.

Many workers have access to HR records

Other members of management often have access to HR records, making it much harder to ensure everyone follows proper security protocol. If your company stores this data in the cloud, this problem is further exacerbated, as managers can potentially access sensitive information from insecure networks or engage in other forms of risky behavior.

Disgruntled employees may take action against a company

Disgruntled employees are far more powerful than ever before, and if left unchecked, they can create havoc at your organization. In fact, a 2016 study found that 27 percent of U.S. office workers at large companies would willingly sell password data to outsiders, and some would do it for as little as $100.

Identity theft frequently begins in the workplace

As much as 30 to 50 percent of identity theft begins at the office. While this occurs through a variety of means, the most popular method is via phishing. In 2016, AlienVault surveyed more than 300 security professionals to determine how successful attacks like these are. An astonishing 37 percent of respondents revealed that executives within their organization had fallen victim to targeted phishing scams, like CEO fraud, where an email appears to come directly from their CEO.

Chapter 2: Major Costs Associated With Data Breaches and Loss of Employee Data

If your company experiences a data breach or your employees have their personal information compromised, your business will likely take a huge financial hit. It’s not all government fines and lawsuits either; many of the costs aren’t as clear-cut as you might imagine. Here are just a few ways security breaches and the loss of employee data can impact your bottom line.

Reputation damage

If a data breach occurs in your organization, everyone takes notice. Current clients could jump ship, prospective clients might turn to the competition, and you could wind up losing some of your best employees in the process. It can also drastically inhibit your ability to attract and retain top industry talent in the future. Did we mention it’s also a PR nightmare?

Regulation costs  

In the U.S., federal laws like the Fair and Accurate Credit Transactions Act (FACT Act) and the Fair Credit Reporting Act (FCRA) regulate the protection of your customers’ and employees’ confidential information. Failure to comply with these standards can result in major penalties.

Laws protecting employees and customers are even more strict outside of the U.S. In the UK and EEA states, failure to comply with the General Data Protection Regulation (GDPR) — legislation aimed at protecting the personal data of citizens — can spell big problems for any company. After the law takes effect in May, businesses that fail to properly disclose breaches within 72 hours will face fines of up to €2 million or 4 percent of annual turnover, whichever is more. These rules also extend to any U.S.-based company that manages the personal data of any UK or EU national.

Litigation costs

Although laws in the U.S. don’t provide as many protections as other countries, that hasn’t stopped cities and states from taking matters into their own hands. When Uber revealed a previously undisclosed data breach in late 2017, the city of Chicago and the attorney general for the state of Washington each filed lawsuits against the popular ride service, citing company misconduct. Additionally, courts are increasingly ruling in favor of employees who had their personal data exposed, even in the absence of laws specifically requiring them to do so.

Employee disengagement

If the loss of employee data leads to identity theft, your team can become incredibly distracted in the workplace. And, if that workplace distraction turns into disengagement, your company is going to take a tremendous hit.

Gallup’s annual State of the American Workplace 2016 report found that companies with low levels of engagement, when compared to companies with high levels of engagement, experience:

    • 20 percent lower sales
    • 17 percent less productivity
    • 21 percent lower profitability
    • Between 24 and 59 percent higher turnover
    • 70 percent more employee safety incidents

Costs associated with malware attacks

When employees fall victim to scams like phishing, they may compromise more than their personal data. In addition to stealing confidential information about the employee and their business, phishing attacks may install malware on the company’s network.

Ransomware, one form of attack, cost businesses over $1.5 billion last year. These attacks, which completely hijack a victim’s computer, charge users a significant bounty to regain access to their equipment. In 2016, the average ransom cost around $1,000 per device.

In addition to the charges companies must pay to regain control of their equipment, productivity and sales come to a screeching halt. Twenty-two percent of small businesses (fewer than 1,000 employees) that experienced ransomware attacks in 2016 had to stop operations immediately, and one in six companies reported that the attacks delayed business operations by 25 hours or more.

Chapter 3: Steps HR Can Take to Protect Employee Data

The good news is that HR has the power to protect their employees’ personal data and the company’s bottom line. While this does require considerable time, energy, and effort, the results will be well worth it.

Step one: Provide thorough and continuous training

The risks of identity theft and security breaches

When educating your employees, begin by conveying the risks that identity theft and security breaches pose. Explain that these violations don’t just cost the company a fortune; they can also have a tremendous impact on employees. If team members have their identities compromised, repairing the damage can take hundreds of hours and months of the victim’s life.

How to handle personal data

Working with your IT department and senior members of management, craft a document that outlines the best policies for handling, storing, and accessing the personal data of employees.

A few items to consider might include:

  • What information about employees should be stored on the network
  • Who should be allowed to view or edit sensitive employee data
  • How, and under what circumstances, this data should be shared
  • Where it is acceptable to access this information and where it is not (e.g., public Wi-Fi)
  • How this data should be stored and encrypted
  • What steps to take if sensitive data is compromised

Recognizing and preventing various cyberattacks

Train your employees on how to identify and avoid cyberattacks, especially phishing emails. If you spot the signs below, chances are the email is actually part of a phishing scam:

  • Misspellings and grammatical errors throughout
  • Missing or incorrect contact details in the signature line
  • The email doesn’t sound as if the sender wrote it
  • The salutation is oddly worded or contains vague terms like “employee”  
  • When you hover over a link, it reveals a different URL than stated
  • A request for large amounts of private data from a company executive that seems oddly timed or out of place
  • Something just feels off

If an employee encounters any of the above issues, they should immediately contact their manager, along with HR and IT.

Warning: When checking email with your phone, you need to be especially careful. Typically, people are more distracted when using a mobile device versus a desktop, and it’s also much harder to hover over a link before clicking it and to thoroughly check for misspellings. Make it a practice to always exercise more caution on your phone.

Step two: Develop a comprehensive cybersecurity plan

Work alongside your IT department to create a robust cybersecurity plan. While there are many questions you must answer, here are a few fundamentals you should consider when developing your strategy:

  • How will you encrypt files that contain sensitive data, like employee records and all other confidential data?
  • How will you conduct internal risk assessments?
  • Who will oversee continued training for employees and managers?
  • Should you hire an outside team to assess your network vulnerabilities?
  • Who will compose your in-house team to address security issues?
  • How should you structure an incident response policy?
  • What will the plan be if employee or customer personal data is exposed?

Step three: Offer identity protection services as an employee benefit

The chance your employees may become victims of identity theft is staggering, and that can translate to a lot of lost productivity, missed work hours, and a huge financial loss. However, providing your employees with an identity protection service can help your workers tremendously and insulate your company from many associated risks.

For more information on selecting a comprehensive identity protection plan, you can jump to Chapter 5.

Chapter 4: How Does Identity Protection Differ From Traditional Credit Monitoring Services?

Identity protection should not be confused with traditional credit monitoring services. While credit monitoring is an important part of any identity protection benefit, it represents just one small portion of a holistic system designed to protect an employee’s identity, privacy, and finances.

An identity protection benefit should also perform the following core actions, which are not included in traditional credit monitoring services.

Analyzes more than an employee’s credit-based accounts

It’s imperative to track an employee’s credit report and score, but that’s just the beginning. Your identity protection benefit should also monitor an employee’s non-credit based accounts, password resets, high-risk financial transactions, and other sensitive data that likely isn’t reported to a credit bureau.

Traditional credit monitoring services fail to take into account these factors. And as a result, they miss many of the red flags that are commonly associated with identity theft. Identity thieves can ruin a victim’s life without exploiting accounts that are directly tied to the victim’s credit profile.

We see this far too frequently when it comes to medical identity theft. Fraudsters can use a victim’s personal information to receive healthcare, fill prescriptions, and even undergo costly surgeries.

For these reasons and many others, it’s imperative an identity protection provider monitors more than just credit-based accounts.

Sends urgent notices in a timely fashion

Traditional credit monitoring services only reveal important updates and alerts to users on regularly scheduled time intervals. That means users must wait a week, a month, or — for some key features — a year to discover any unusual activity. When it comes to mitigating the damage of identity theft, every second matters!

This is why it’s crucial to work with a trusted identity protection provider that sends alerts as soon as they detect suspicious activity. Be certain to ask any prospective benefit provider about their alert speed. If their alerts don’t occur in near-real time, you should consider working with another provider.

Provides identity restoration assistance

A quality identity protection service won’t stop at alerting users to potential threats. To be effective, the provider must also take action. That’s why every PrivacyArmor® plan InfoArmor offers comes standard with highly experienced Privacy Advocates®.

Available 24 hours a day, seven days a week, our trained and certified team is here to help your employees day and night. If an employee’s identity becomes compromised, our Privacy Advocates will handle the most time-consuming and tedious aspects of identity restoration.

This leaves your employees with time to focus on what really matters: their career, family, and loved ones.

Offers identity theft insurance

In addition to providing restoration services at no additional cost, a quality identity protection plan will include a generous identity theft insurance policy. This should cover the out-of-pocket costs associated with identity theft, including lost wages, legal fees, medical records request fees, CPA fees, child care fees, and more. It’s equally important for a benefit to replace stolen funds and provide tax refund advances in cases of tax fraud.

Remember that identity theft-related costs can quickly add up. Therefore, your plan should come standard with at least $1 million in coverage. Be certain the provider has partnered with a reputable insurance firm, such as AIG. If the benefit provider uses an insurance company you’ve never heard of, it’s a good idea to look for solutions elsewhere.

Three powerful benefits

There are far too many differences between traditional credit monitoring services and identity protection to outline in this guide. You can read more about these features on our official PrivacyArmor page.

In addition to the benefits we outlined above, there are three so important they deserve their own sections:

  • The first is that identity protection helps reduce the significant costs associated with data breaches and employee data loss, which you can read about in Chapter 2.
  • Second, identity protection helps improve corporate security. You can read about this in the following section, Chapter 5.
  • Finally, providing identity protection as an employee benefit significantly improves a company’s ability to attract and retain top talent — a subject you can read about in Chapter 6.

Chapter 5: Identity Protection Improves Corporate Security

Industry experts have long recognized employee identity protection for its ability to attract and retain top talent, boost a company’s bottom line, and combat turnover and disengagement. However, there is one benefit identity protection offers that often gets overlooked — and it’s critical to bolstering corporate security. Here are a few examples of how a quality identity protection benefit can create a more secure work environment.

Protecting employees’ social media accounts

Although the connection may not be immediately clear, protecting an employee’s social media account also protects their employer’s reputation and bottom line. That’s because cybercriminals are increasingly using complex paths to compromise a business and its employees.

One of the most effective means of achieving this is by hijacking an employee’s social media account. When a cybercriminal has control of a victim’s account, they can use it to phish the victim’s co-workers, defame and slander their employer, and even defraud an organization’s customers, partners, vendors, and clients.

When you provide your employees with a quality identity protection benefit, your employees will be alerted in near-real time of any suspicious activity. In addition to receiving notifications about password resets, they’ll also be alerted to potentially damaging posts that might include profanity, violence, or other questionable behavior. This ensures employees can catch — and fix — the issue in the shortest possible time.

Identity protection provider should offer ongoing education

A good identity protection benefit will also provide employees with continual education and timely updates about a wide range of security-related issues. This should include, in part:

In addition to providing ongoing education, the provider should also offer a dedicated account manager to learn your business’ unique needs, share important employee usage metrics, and answer any questions you may have. 

Protecting corporate credit cards, usernames, and passwords

Protecting an employee’s identity means protecting their wallet as well — especially if it might contain a business card.

When an employee registers important financial and personal materials — like their credit card or a driver’s license — the identity protection provider should begin scouring the dark web immediately. This should also include your employees’ usernames and passwords, even for accounts that aren’t work-related. After all, many employees use the same password for both their personal and professional logins. This can make it very easy for cybercriminals to access sensitive corporate data.

If any sensitive data is found on the dark web, the identity protection provider should immediately alert the employee and work to resolve the scenario as quickly as possible.

Keeping security top of mind

One of the reasons identity protection is so successful at improving corporate security is that it keeps security top of mind. If an employee is alerted to potential hijacking or learns they may be the victim of identity theft, their overall level of security awareness is heightened. This isn’t limited to personal privacy and security matters.

That’s because informed employees begin making better decisions regarding their professional security management as well. This includes:

  • Using stronger passwords
  • More easily identifying phishing scams
  • Using more secure networks
  • Ending the sharing of passwords

Chapter 6: Identity Protection Ranks as Top Employee Benefit

Considering American consumers lost $16 billion to identity theft in 2016, it should come as no surprise that BenefitsPro recently named identity protection the number one voluntary benefit for 2018. And, with Americans at a higher risk of identity theft than ever before, HR managers are taking notice.

In fact, a recent survey found that 68 percent of HR professionals believe identity protection benefits are growing in importance. Further, nearly 70 percent of HR executives are considering offering identity protection as a means to compete in hiring and retaining professional talent.

Identity protection as a benefit helps employees and their companies

Did you know that Americans now rank criminal hacking as the number one threat to their health, safety, and prosperity? When employees are worried about their privacy, identity, and finances, it becomes difficult to perform in the workplace. But, when an employee is offered comprehensive identity protection, they are provided much-needed peace of mind.   

Employees aren’t the only ones to benefit when a company offers identity theft protection as a benefit — their employers also prosper. According to Forbes, providing identity protection is one of the best ways to attract and retain top talent.

In addition to attracting and retaining some of the top talent in their industry, businesses are also safeguarding productivity. Considering identity theft can take hundreds of hours and many months to repair, that can amount to a lot of lost productivity in the workplace, time spent away from the office, and inability to focus.

This process can be shortened dramatically when employees have the proper identity protection service in place.  

Chapter 7: Selecting the Right Identity Protection Service for Your Employees

With so many identity protection services on the market, selecting the right one for your organization can be tricky. You’ll need to pick a service that provides your business with comprehensive support and your employees with state-of-the-art identity protection features.

When comparing plans, you shouldn’t settle for any service that doesn’t include the following features, all of which come standard with InfoArmor’s PrivacyArmor®:

  • Dedicated customer support for your organization
  • Scalable and flexible payment models
  • Comprehensive product education and a dedicated account manager
  • Proactive alerts that notify employees on applications for credit cards, wireless carriers, utility accounts, and non-credit accounts
  • Monitoring of high-risk identity activity such as employee password resets, fund transfers, unauthorized account access, compromised credentials, address changes, and public record alerts
  • Tools to monitor and preserve an employee’s reputation across social networks
  • A dedicated advocate to guide and manage an employee’s full recovery process, restoring credit, identity, accounts, finances, and their sense of security in the event identity theft does occur
  • Identity theft insurance to cover your employee’s lost wages, legal fees, medical records request fees, CPA fees, child care fees, and more

For a complete list of features your identity protection benefit should include, click here. If you need immediate assistance or have questions about how InfoArmor can help protect your employees, contact us today.

Chapter 8: Additional Resources

Looking for additional tools, resources, or information? The following list of resources may be of assistance:


Ebooks and SlideShare:

