It can take an employee who has been the victim of an ID theft roughly 600 hours to repair the damage of lost identity and exploited bank accounts and credit cards. In the wake of a string of recent data breaches, ID theft protection is slowly becoming a popular workplace benefit — but it’s not always good enough or understood by the employers who offer it. Employee Benefit Adviser spoke with Rose Barker, a certified risk management specialist for Harvard Risk Management, a consultancy based in Portland, Oregon, about where ID protection plans fall short and how to make them better.
This interview has been condensed and edited for clarity.
EBA: What’s the main way benefit advisers and employers are falling short on protecting employees from identity theft?
Rose Barker: Companies have heard that [ID theft protection] is the current “it” voluntary benefit offering. They know clients want this but they don’t see how ID theft and data breaches can affect them as a company. They typically want to appease their employees. They usually have some third-party offering but they don’t know the details of the plan. They know that a service offers ID theft monitoring, and it sounds like what employees are asking for.
EBA: It sounds like they are checking off a box.
Barker: Exactly. They want to be a good employer and offer something to protect them. When I call a benefits administrator to follow up from one of my SHRM workshops (Barker speaks at events sponsored by the Society for Human Resource Management in the Pacific Northwest to discuss the ID theft plans with benefit advisers and employers), more than half the time they say they were just starting to talk about offering these benefits. They’re starting to take action after talking to their CEO. I tell them that most ID theft plans are like hospital gowns — you only think you’re covered. Just because a plan has an ID theft title, it doesn’t always mean much.
EBA: What should an ID protection plan offer?
Barker: It must offer comprehensive monitoring. Employees and employers will be informed when someone steals employee data but before the data is used to commit fraud. This is what we call “pre-theft status” when your information is stolen and it’s being bought and sold in Europe, for example. After the initial theft, a new crime where the ID is used has not been committed yet but we know there is the potential brewing. Employees can be informed by e-mail and then take actions to close down any new accounts.
EBA: What type of ID protection plans are benefit firms offering?
Barker: Some benefit advisers are offering “restoration plans” and we believe that having a comprehensive restoration plan is the best for an employer as well as the employee. A true restoration plan offers an employee a limited power of attorney that’s put in place with a company and the attorney will assign someone on your behalf to do all of the ID restoration work for you. This is where the value comes in because your employees aren’t taking hundreds of hours off the clock to fix this. The attorney will contact banks, Social Security and any state agencies on your behalf to fix the aftermath of an ID theft.
This is emotionally stressful and it leaves people feeling vulnerable and it really wreaks havoc on their personal life so the restoration service is the sweet spot for making sure employees get back to work.
EBA: What other steps should employers take?
Barker: Some companies are hiring what we call “good guy hackers” who create a series of tailored phishing e-mails to send to clients. They create statistics on which employees are clicking on which e-mail because they create messages that are relevant to their workplace.
One head of a credit union says these test e-mails are hyper detailed and specific to their client’s workplace. Employers print out these reports and train their employees on what to look for in e-mails. Testing your employees to make sure they are following protocols is imperative.