If a company had every employee's personal and financial information stolen by a hacker, how long would the CEO keep his job? How many boards of directors are aware of what measures their companies are taking to protect employee information from being stolen? As Whitfield Diffie and Susan Landau point out in Privacy On The Line (MIT Press, 1998), "The security of information has become an end in itself rather than just a means for ensuring the security of people and prosperity." Strong cybersecurity has to begin with strong cyberleadership at the top. This means that employees have to be trained and protected, and security has to be integrated with the execution of every company obligation and objective.
In the past, cybersecurity wasn't high on the agenda at quarterly board meetings, mostly because security is a cost center, not a profit center. Moreover, it's not a particularly enthralling topic for a general management discussion. Today, however, society is information, and so more incidents of cybertheft are occurring. With threats against critical assets and employees mounting and with the federal government pushing for collaborative action, the issue is more visible and businesses and state and local governments take it more seriously. The California case thrusts identity theft forward as an additional priority.
With the private information that employers often hold, such as Social Security numbers and birth dates, criminals who steal that data can do almost anything: obtain credit cards and cell phones, or even open a bank account. This can ruin credit ratings, something many victims find out about much too late.
So far, prosecuting those who steal personal data hasn't appeared to deter continuing criminal activity. That's why information security as it relates to employees needs to be a strong management focus.
It's been reported that there are some 750,000 cases of identity theft each year in the United States. In the California case, if cybercriminals can steal this much personal and financial information from the state, one has to wonder what it will take to make strong security for stored employee information a common, expected part of business and governmental agency discussions at the highest levels of management.
In October 1998, Congress passed the Identity Theft and Assumption Deterrence Act. The act makes it a federal crime when anyone "knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law." Even with this law in place, identity theft is still a growing problem, because tracking cybercriminals is very difficult and, before Sept. 11, cybercrime wasn't a major enforcement priority. Now it is.
The federal government is encouraging owners of private networks to create strategies to combat vulnerabilities, share information, and create best practices to better secure networks and information. Security is everyone's problem, but all employers -- public and private, for-profit and not-for-profit -- need to be aware that more than company information is at risk. Personal information of employees also may be a target. That means employers need to find ways to secure the information they hold on behalf of employees or risk potential liability. But beyond lawsuits, if companies don't wise up soon, how many employees will be willing to supply personal information in the future?
Global connectivity brings with it new benefits and responsibilities. One responsibility for businesses is the cybersecurity of all private employee information.
David Post is a Temple University law professor and senior fellow at the National Center for Technology and Law at the George Mason University School of Law. Reach him at [email protected]. Bradford C. Brown is chairman of the National Center for Technology and Law at the George Mason University School of Law. Reach him at [email protected].