HR’s Guide to Protecting Employees

Why privacy and identity theft protection as an employee benefit matters

The virtual world has become our real world, both at work and at home. From Zoom calls to telemedicine to Facebook posts, we are a digital-first society. In fact, nearly 30% of Americans are online almost all the time.

Our online activity generates massive amounts of personal data, a virtual trail that can be used to identify us—what’s called a digital footprint. Our digital footprint includes:

• Basic information, like name, date of birth, and Social Security number
• Geolocation data like a home address and current location
• Email address and password
• Financial information, like bank accounts and credit card numbers
• Healthcare records, including health insurance numbers and medical history
• Shopping preferences
• Social media profiles
• Employment history
• Friends and family members

All this personal data can be exposed, whether we share it, hackers steal it, or tech giants track it. Such exposure creates identity and privacy risks for employees and cyber-risks for the companies they work for.

In this guide, we'll take a look at these risks and what HR can do to protect both the business and employees. We'll also share what to look for in privacy and identity protection for your employees and how you can offer it as a benefit.

Let's start with a discussion about the top three threats to personal information: data breach, identity theft, and data privacy risks.

The rising risk of a data breach

A data breach occurs when sensitive personal information is improperly exposed due to a cyberattack, a system failure, or simply human error. For example, a cyberattack caused Equifax's massive data breach that exposed 143 million consumer records containing Social Security numbers, birth dates, street addresses, and, in some instances, driver's license numbers.

In the last decade, there have been over 10 thousand data breaches in the United States, and these breaches exposed more than 1.4 billion records of personal information between 2010 and 2020. It’s estimated that in 2019 alone, the average American had their personal information exposed four times in the year.

Not only are data breaches common, but they are also expensive. According to the IBM Cost of a Data Breach Report 2021, the average cost of a data breach in the United States was $9.05 million in 2021, an increase of almost 5% year over year. However, one survey found that 42% of businesses may not have enough insurance to cover the average cost of an attack.

How data breaches affect your employees

Data breaches can result in identity theft, a crime that occurs every 2 seconds. Thieves will use personal information that has been exposed during a breach to commit all types of identity crimes, such as:

• Financial fraud. Criminals use stolen credit cards or card numbers to purchase goods and services. If undetected, credit card fraud can damage a victim's credit rating, wipe out their accounts, and affect their ability to take out auto, home, or college loans.
• Medical identity theft: When a criminal steals health insurance information for their own use, the victim may be financially responsible for medical services they never received or be denied future coverage. Even worse, the thief's medical diagnosis and treatment could be added to the victim's healthcare record, leading to dangerous misdiagnosis or mistreatment.
• Employment fraud. Fake or stolen IDs are sometimes used to get jobs by those with a criminal history that would show up in a background check. Victims learn about this kind of theft when they receive a W-2 from an unknown employer or a Social Security statement that doesn’t match their employment history. Criminals also file unemployment claims with stolen Social Security numbers or other personal information.

In 2020, consumers lost more than $3.3 billion to identity theft and fraud, up from $1.9 billion in 2019, according to the Federal Trade Commission. Employees are no strangers to identity crime–one in five workers say they've been identity theft victims.

The Identity Theft Resource Center found that of cases reported before the pandemic in 2020, 41% have not been fully resolved and 13% of individuals spent 2 – 3 years dealing with their incident. Of pandemic-related identity fraud cases in 2020, only 25% were reported resolved by April of 2021.

Resolving an identity theft or fraud incident includes calls to banks, credit card companies, and other places that are only open during business hours, which means employees are understandably focused on anything but work.

Identity theft also causes emotional stress and undue burdens. During the pandemic, victims of unemployment, stimulus, and pandemic-related fraud reported being more stressed than usual, were not able to pay routine bills, and some were even unable to get a temp or permanent job.

How privacy threats put your employees at risk

Privacy is the ability to control how our personal information is gathered, used, and shared. It's also the power to choose who can contact us—such as through unsolicited emails—and who can watch us.

Sometimes we may feel we have no choice over our privacy. The websites we visit, the apps we use, and the digital companies we do business with collect our personal information. And even though companies like Google and Facebook claim to not sell our data, they certainly know how to monetize and exploit it. It's no wonder, then, that nearly three in four consumers say they have little control over the personal information collected on them, according to a 2020 IDX survey.

Hackers also love to violate our privacy. It was reported in early 2021 that both Facebook and LinkedIn had data breaches that exposed over 500 million each. These breaches left millions of users at risk of a variety of threats. Some of the most common social media threats include:

• Phishing scams, in which users are tricked into clicking on infected links or scams
• Malware
• Account takeover
• Bots used to steal data or send spam on social media
• Social media impersonation, in which someone creates a fake social media account in another user’s name

Phishing and other social engineered scams are becoming a bigger threat to users. The Verizon 2021 Data Breach Investigations Report found phishing scams to be one of the rising data breach threats. Of confirmed data breaches, 36% involved phishing, up from 25% in 2019.

Employees care a lot about their data privacy; nearly 90% of consumers say it is a human right. They're also worried: the IDX survey found two-thirds of consumers (68%) are more concerned about the privacy and security of their personal information than they were three years ago. Research has also found that employees who are kept informed about the data collected as well as the privacy protection in place are willing to work harder for their company.

And while they want to protect their personal information, employees don't know how to do it–and they lack the right tools to do so. That's where HR can help.

With the right tools and knowledge, employees can be the best guardians of their personal information. Privacy and identity protection—the most-requested voluntary benefits—empowers employees to keep their sensitive data safe from the latest cyber threats, scams, and even human error. Protecting employee information also adds a layer of defense against data breach risks.

Here are three reasons offering privacy and identity protection as an employee benefit makes good sense:

1. Reduces privacy and data breach risks for your employees

   More employees are working from home than ever before, a less-than-secure environment that puts both personal and company data at risk for data breaches. In 2021, 45% of full-time employees were working partly or fully remote with nine out of ten of these individuals wanting to maintain some degree of remote work permanently. Sophisticated phishing scams lure employees into clicking on malicious links that infect company systems with malware. Cyber-criminals mine employees' social media profiles for personal information that can be used to infiltrate systems and steal sensitive data.

   Remote work has presented a new challenge to employers and employees alike when it comes to data protection. In 2020, over 90% of businesses experienced a data breach via outbound email. Stressed, tired employees accounted for four in ten of the most severe data breach incidents. Rushed employees are more likely to open spam attachments or click on links in phishing emails.

   Proactively arming your employees with privacy and identity protection helps a company defend the database of sensitive employee information, including names of family members, home addresses, Social Security numbers, financial data, health insurance numbers, and more. Employees are alerted to questionable activity involving that information and can act quickly before a problem escalates. Privacy and identity protection as a benefit can also raise awareness among your employees and foster a culture of security in the organization – no matter where they are working or who they are.

2. Eases stress and elevates peace of mind for employees concerned about privacy and identity theft risks

   As the recent pandemic proves, life is full of unexpected risks and unwelcome surprises. In 2020, half of identity theft and fraud victims reported they were more stressed than usual or felt violated because of the incident. More than 40% felt helpless or powerless because of their identity being misused.

   While we can't anticipate life's every curveball, we can prepare. Offering privacy and identity protection can help ease your employees' tension by:

   • Lessening the likelihood of becoming a victim of identity theft or fraud. Your employees are promptly notified of suspicious activity so they act quickly before a problem escalates, such as setting credit freezes or fraud alerts.
   • Offering complete recovery if they do become an identity theft victim. Recovery experts act on your employees’ behalf to restore their identities to pre-theft status.
3. Enhances employee financial wellness

   A PricewaterhouseCoopers (PwC) survey found that 50% of employees who are stressed about finances say money worries distract them at work. A very real financial concern is identity theft. The most recent Identity Theft Resource Center survey found that:

   • 40% of victims were not able to pay their routine bills
   • 33% did not have enough money to buy food or pay utilities
   • 21% of victims say they lost more than $20,000 to identity criminals

   More than ever, employees highly value financial wellness benefits, and a well-rounded financial wellness package will include privacy and identity protection to:

   • Offer income protection from losses due to identity theft.
   • Help protect against privacy compromises such as fraudulent and account takeover activity, including social media accounts. Active social media users have a 30% higher risk of becoming fraud victims, according to Javelin.
   • Give employees the tools to detect and remedy the numerous types of identity theft and fraud—including medical, synthetic, employment, and child.
   • Provide increased protection to help avoid identity theft with tools like password managers, scanners of data-brokerage sites, and dark web scanners so employees can be proactive about their data.
   • Enhance core benefit offerings and ancillary insurance like supplemental health and life plans, accidental death and dismemberment coverage, long-term care, disability and life products—all of which have become table stakes for talent management.

Dozens of companies provide identity theft protection, an umbrella term covering a wide category of services such as credit monitoring, identity monitoring, identity restoration, and insurance. Each of these is an important aspect, but they don't offer a complete picture. To truly support your employees, it's important to understand the full range of products and services available:

Monitoring and Alerts

Identity protection includes monitoring to quickly alert employees if their identity is at risk. Early detection helps prevent identity theft from becoming a problem–or at least lessening the damage if it does occur. It is also important to consider plans that have proactive privacy protection. An identity and privacy protection plan should include:

• Credit monitoring with at least one of the three major credit bureaus, to alert consumers of changes in their credit profile that might indicate criminal activity.
• Change of address monitoring to warn individuals if someone's having their mail redirected.
• Social Security fraud monitoring alerts consumers when their Social Security number has been exposed.
• Data monitoring and auto-removal of personal profiles with continuous scanning of data broker websites to ensure personal data is protected from public information websites.
  
• Dark web monitoring warns consumers if their passwords, account numbers, Social Security number, or other personal information are posted on the dark web for criminals to use.
• Social media monitoring to scan social media profiles and connections, alerting individuals to malicious content or links, account impersonation or takeover, scams, fraud, and inappropriate content.
• Password manager that allows users the ability to securely save passwords as well as easily create strong unique passwords for any account.
  

If something is wrong, employees will receive fraud alerts via email or mobile apps and be advised on what actions to take–such as placing a credit freeze.

Identity Recovery

Privacy and identity protection should also include identity recovery, the most important part of this benefit. An employee victimized by identity theft needs fast, expert help to minimize damage and prevent further problems. Trained recovery advocates know who to contact and how to work with law enforcement, government, medical providers, and businesses to shut down fraudulent accounts and transactions, clean up records, and clear a victim's name. An advocate committed to completely restoring a victim's identity can help prevent significant losses and eliminate the need to file an insurance claim and wait for payment.

Reimbursement Insurance

Most identity protection plans offer insurance–usually up to $1 million–to cover any out-of-pocket expenses related to identity recovery. While typical out-of-pocket recovery expenses are in the hundreds of dollars, the extra coverage offers employees peace of mind.

Once you've signed the services agreement, the provider will offer a step-by-step plan for implementation. The rollout should include communication tools, such as an 800 number and a website for easy enrollment, and a support team to answer questions.

Once they've signed up, an employee logs into their online account via an app or browser. From their account dashboard, they can:

• Select which monitoring alerts they want.
• Protect their identity and privacy, such as block a compromised account or remove inappropriate content.
• Lock or unlock credit.
• Check passwords.
• Access support to answer questions.

With an experienced provider, your benefit could go "live" within 30 days of signing up.

Choosing the best option for your employees may seem overwhelming, but it doesn't have to be. While sifting through product descriptions, customer satisfaction ratings, and pricing plans, consider:

1. Platform security: Look for a solution that's built to the most rigorous security standards, including NIST, FISMA, and HIPAA. If you're not sure, review the provider's client list. If it includes government agencies and Fortune 500 companies, you're in good hands. These entities all have rigorous security standards and will only use top providers.
2. Level of engagement: The best privacy and identity protection is personalized to the employees it's meant to serve. Every touchpoint–from onboarding to monitoring to identity recovery–should inspire your employees to take ownership for the safety and security of their identity. For some employees, that means starting small, such as monitoring their email on the dark web. They can easily add identity attributes later on.
3. Employee communication. Identity and privacy protection can help build employee trust and credibility. Co-branded employee communications–including apps or digital dashboards–reinforces the message that you're there to help protect them.
4. Continuing education. Often, cybersecurity training falls to overworked security or IT teams. In smaller companies where IT is outsourced to third parties, HR departments may have limited resources for cybersecurity training. Top identity and privacy protection providers offer articles and other content customized for its members, including news of the latest risks, best practices, and expert advice.
5. Implementation: Adding identity and privacy protection as a paid or voluntary benefit should be easy and tailored to fit your needs. A step-by-step roll-out plan and seamless integration with your existing benefits platform eliminate any heavy lifting on your end.
6. Service. Whether they have a simple question or need full identity recovery, employees deserve a trusted, go-to source for all their identity needs. Look for the hallmarks of excellent service, such as providing the same dedicated agent for each incident and high satisfaction ratings.
7. Flexibility. You get to call the shots with identity and privacy protection benefits. Offer it to your employees any time of year, not just during Open Enrollment. And you can determine whether it's a paid benefit or provided at a discount–whichever model works with your budget.

The need for privacy and identity protection benefits has never been greater. Remote work increases cyber risks for your company, and fast-emerging identity and privacy threats are overwhelming your employees' ability to keep their personal data safe.

As an employee benefits manager, you can empower your people to take back control of their privacy. Discover how with IDX, the only consumer privacy platform built for agility in the digital age.