Identity theft has been making the news this year, and is affecting consumers in alarming numbers. According to a report recently released by the Federal Trade Commission, identity theft accounted for 43 percent of all fraud complaints lodged in the FTC’s Consumer Sentinel database in 2002.

As we become more aware of the threat of identity theft and take safeguards to protect our individual data from falling into the wrong hands, businesses also must take appropriate steps to prevent this fraud from occurring in the workplace. A study by TransUnion, a major credit information provider, indicated that the top cause of credit fraud and identity theft is theft of records from employers or other businesses that keep records on multiple individuals.

Employers who do not take reasonable steps to protect employee records may incur legal liability. For example, Ligand Pharmaceuticals, Inc., a San Diego biotechnology firm, was sued for negligence after an employee found a box in a storage closet with the personnel records of 38 former employees. Using the names, addresses, social security numbers and other information contained in these records, the employee fraudulently opened multiple credit card accounts used to purchase goods worth $100,000, numerous cellular phone accounts and leased three apartments.

The Ligand suit, which was settled last year for an undisclosed amount, was based on the claim that if Ligand had taken proper care of its employee records, the fraud would not have taken place. States are starting to consider and enact laws regarding the proper handling and destruction of worker information, and setting limits on company use of information such as Social Security numbers.

In order to minimize potential liability, it is critical that companies have adequate procedures for storing, protecting and disposing of their sensitive employee data. At a minimum, companies should incorporate the following procedures as standard practices:

Establish a privacy policy. Look at your current practices for handling employee information and determine whether they create a risk of misuse. If you do not have the internal capabilities to conduct this review, consider hiring an outside auditor. Tighten procedures where needed, and communicate the privacy policy to employees throughout the organization.

Shred documents that are no longer needed. If discarded records contain Social Security numbers, bank account numbers or other identifying information, make sure they are completely destroyed. Do not give thieves the opportunity to find this information in wastebaskets or dumpsters.

Restrict access. Keep employee records in a locked, secure area. Limit access to employee confidential information to those with a “need to know.” Provide training to employees who use this information to teach them to properly handle this data and about the potential consequences of carelessness. Consider conducting background checks of employees with access to identifying information. Do not use temporary workers to fill positions where they will come in contact with employee records or other sensitive data.

Limit use of Social Security numbers. Do not use employee Social Security numbers as identifiers on I.D. badges, time cards, paycheck stubs, account statements or as computer passwords.

Educate Employees. Teach employees about the proper actions to take if they do become the victims of identity theft. Helping your workforce to spot potential problems early on will not only help prevent additional fraud, but may also work to maintain productivity levels. Workers victimized by identity theft will generally spend significant time and emotional resources clearing up their records.

If, despite your best efforts, identity theft does occur in your company, do not attempt to cover it up. Notify affected employees immediately so they can take proactive steps such as canceling credit cards or notifying credit reporting agencies. Work with victimized employees to help them clear up any financial or credit problems that the fraud has caused.