Identity theft: Lock the company's doors to sensitive client, employee information


You lock the doors to your car and your home—why invite thieves to steal your car, your wallet or other personal belongings? But what about your company's doors, are they locked?

Most companies have many doors—seen and unseen. With each door, the potential for theft is great. In most cases, it's not even tangible property that's stolen, it's information—your employees' and customers' personal data.

Richard W. Gibson opened the door at the Seattle Cancer Care Alliance where he worked in 2003. During the day, he encountered many patients' personal information. One day, he left with the name, date of birth and Social Security number of a patient with whom he had worked. Four credit cards and $9,000 in bills racked up in the patient's name later, Gibson was arrested and abruptly lost his job. Last fall, he pleaded guilty to the identity theft, which, according to some, is the first privacy violation charged under the Health Insurance Portability and Accountability Act (HIPAA). He was sentenced to 16 months in federal prison.

With technology making data collection more streamlined and ports opening up computers to outside access, identity theft is the fastest growing crime in the United States, according to the nonprofit Identity Theft Resource Center. Approximately 7 million people became victims of identity theft between July 2002 and July 2003, according to studies by Gartner Research and Harris Interactive. That translates to 19,178 incidents each day, 799 per hour.

While individuals are encouraged to protect their information as much as possible, businesses also play an instrumental role in putting up barriers so thieves cannot access personal data and steal their employees' or their customers' identities.

"Small businesses are at a risk today more than ever before," says Jeff McCulloch, chief operating officer at Yeo & Yeo Computer Consulting LLC, a subsidiary of a Leading Edge Alliance firm member.

He notes that Fortune 1000 companies have increased their technological security, protecting their employees' and clients' information, so identity thieves must prey on smaller companies with more accessible computers.

"Don't think, 'we're too small to tempt a hacker,'" McCulloch says. "That's the furthest thing from the truth."

Companies and individuals typically underreport identity theft and fraud incidents, and the arrest rate is low. Fewer than five percent of reported cases result in arrests, according to the Identity Theft Resource Center.

"An embezzler who stole from the company is more likely to get the publicity," McCulloch says. "ID theft is more secretive. Most companies withhold that information. They don't want everybody to realize they screwed up."

Companies need to understand that identity theft is a crime of opportunity. On one side, employees realize the vulnerabilities in your computer system. In some cases, the company's system is so outdated that most employees have more up-to-date technology in their homes. All it takes is a single employee taking advantage of that open door to steal client or employee information.

The second vulnerability is through your outside doors to the global technology world. Externally, thieves are testing the computer servers at business after business until they find one company that never locked the "doors" on its servers.

There are companies that provide "ethical hacking" services. With your knowledge and approval, they will intentionally try to break through your business' firewalls and access your servers. They will provide you data on where your firewalls are leaving doors open.

Perhaps a third opportunity for entrance into your business' system and for theft to occur happens with spam or "phishing" e-mails sent to employees. It takes only one instance when an employee opens an e-mail and clicks on the Web link to open your system to an intruder. Phishing is more realistic spam. These e-mails appear to come from reputable financial institutions asking for verification information. But when the user clicks to go to the site, he or she is taken to a "spoof" site and enticed to enter information for the "bank." With the click of the mouse, the thief now has that individual's valuable information.

Greg Piche, an attorney who specializes in identity theft at Holland & Hart, says employers are exposed to potential liability in two areas.

"The first is respondeat superior liability resulting from the responsibility of an employer for the actions of its employees," he says. For example, the theft of personal information may occur within the scope of the employee's work, as with an employee who handles transactions using customers' credit cards.

"The second, and independent source of liability, would arise from the company's own negligence in the selection of the employee," Piche explains. These employer errors could include failing to do a background check on the employee, or not limiting or controlling access to sensitive or confidential information.

"If an employee were a single, rogue employee, acting strictly on his own, it is unlikely criminal responsibility would attach," Piche says. However, under egregious circumstances, criminal charges or punitive damages might be awarded against an employer for negligence, invasion of privacy, fraud, conversion or outrageous conduct, he noted.

Marshall Lehman of Lurie Besikof Lapidus and Company, LLP, a Leading Edge Alliance firm, says deterring theft starts with the company's personnel manual. The handbook should cover the business' policies on privacy of information, software loading and other related topics. "It is the company's first chance to communicate its expectations on protecting information to its employees, and the possible consequences for not following such policies," he notes.

McCulloch says that preventing ID theft is just being smart. In the past, being smart meant observing whether the file cabinet with the sensitive information was locked and whether the lock had been tampered with. "Today, it's even easier to watch an employee who might consider opening the file cabinets on your server," he says, explaining that most servers have tracking programs.

In addition to installing and updating firewalls and encryption programs, businesses that want to take responsibility for deterring identity thieves from making their clients and employees the next victims should consider in-house training to encourage employees to:

  • Never click on Web links sent in e-mails. If they must link to the site, cut and paste the link directly into the Web browser.
  • Never give personal or company information requested by a seemingly credible source without checking the Web site. Check the address in the Web browser to be certain the site really is what you thought it was.

"You can't get away from spam as long as people can do it for less than a penny and reach millions compared to the cost of mailing a direct marketing piece," McCulloch says.

Consider using a spam manager. While those who create spam strive to stay a step ahead of the blockers, a good spam manager still reduces the number of enticing e-mails that reach your employees. Securing the company's technology also is essential. "Without firewalls, antivirus, encryption, etc., you can be attacked," McCulloch says.

Tracking employees' actions through an existing program is only as good as the company's process for handling the monitored information. The company should check for patterns. For example, if Employee A is accessing the system after hours but always clocks out on time, a red flag should go up.
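The pattern check described above can be automated by comparing timeclock punches with the server's access log. The following is an added example, not part of the original article; the record layouts, employee IDs, file names and the two-day threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data: timeclock punches (employee, clock-in, clock-out).
PUNCHES = [
    ("emp_a", "2004-03-01 08:00", "2004-03-01 17:00"),
    ("emp_a", "2004-03-02 08:00", "2004-03-02 17:00"),
    ("emp_a", "2004-03-03 08:00", "2004-03-03 17:00"),
    ("emp_b", "2004-03-01 09:00", "2004-03-01 18:30"),
    ("emp_b", "2004-03-02 09:00", "2004-03-02 18:00"),
]

# Constructed sample data: server access log (employee, timestamp, resource).
ACCESS_LOG = [
    ("emp_a", "2004-03-01 10:15", "clients/records.db"),
    ("emp_a", "2004-03-01 21:40", "clients/records.db"),
    ("emp_a", "2004-03-02 22:05", "hr/payroll.xls"),
    ("emp_a", "2004-03-03 23:10", "clients/records.db"),
    ("emp_b", "2004-03-01 18:10", "clients/records.db"),
    ("emp_b", "2004-03-02 18:20", "clients/records.db"),
]

def off_clock_accesses(punches, access_log):
    # Map each employee to the accesses made while not clocked in.
    # An account with no punches at all has every access reported.
    shifts = defaultdict(list)
    for emp, start, end in punches:
        shifts[emp].append((datetime.strptime(start, FMT),
                            datetime.strptime(end, FMT)))
    hits = defaultdict(list)
    for emp, ts, resource in access_log:
        when = datetime.strptime(ts, FMT)
        if not any(start <= when <= end for start, end in shifts[emp]):
            hits[emp].append((ts, resource))
    return dict(hits)

def red_flags(punches, access_log, min_days=2):
    # Flag employees with off-clock access on at least min_days distinct
    # days: a repeated pattern rather than a single late evening.
    flagged = {}
    for emp, events in off_clock_accesses(punches, access_log).items():
        days = {ts.split()[0] for ts, _ in events}
        if len(days) >= min_days:
            flagged[emp] = sorted(days)
    return flagged
```

With the sample data, `red_flags(PUNCHES, ACCESS_LOG)` reports only `emp_a`, who clocks out at 17:00 every day yet touches client and payroll files late on three evenings; `emp_b`'s single access 20 minutes after clocking out stays below the threshold.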

Independent and internal audits also are good ways to identify potential problem areas, McCulloch says. In addition, companies might consider background checks on employees who will access sensitive client or employee information through the computer.

"If you deter someone even a little bit, they'll go on to the next one," McCulloch says.