One of the most common ways highly confidential information winds up in the wrong hands is that key documents aren't shredded when they're thrown away. Attorneys, insurance companies and others routinely hire "dumpster divers" to sift through mountains of paperwork and find key documents about employees whose cases they're involved with. Thieves also comb through trash to find Social Security numbers and financial records that can be used to fraudulently obtain credit cards and loans in someone else's name. And it isn't just paper-based documents that are a threat. Diskettes, data storage tapes and other forms of magnetic and optical media are just as big a threat. In many instances, it's necessary to completely demagnetize or reformat a disk to expunge the data.
Faxes, telephones and voicemail also pose a threat. If the recipient doesn't have private access to messages, it's possible that others will see or hear them. The Privacy Rights Clearinghouse suggests that anyone sending sensitive data determine if it's acceptable to leave a message on a person's answering machine or fax, verify the accuracy of the phone number and then check transmission reports—or better yet check with the recipient—to ensure the information was received. Cellular and cordless telephones require extra care because anyone with a radio scanner can listen in.
Record keeping is another troublesome area. Two-thirds of all companies use Social Security numbers to identify employees. All too often, the number is also displayed on time cards, parking permits, employee rosters and even mailing labels. But, "Social Security numbers are extremely sensitive, because they can be used for financial fraud and other invasions of privacy," says Don Harris, manager of HR Systems for the New York Times Co. and chair of the International Human Resources Information Management Association.
Harris also points out that employees sometimes pass out private information unwittingly. "If there's an illness or a holiday card list, home addresses and phone numbers may be circulated without checking with the individuals involved. The intent is positive, but someone might perceive it as an invasion of his or her privacy. There's also the possibility that someone outside the organization could get their hands on the information. In many cases, if someone perceives it's an invasion of privacy then their privacy has been invaded."
Personnel Journal, May 1996, Vol. 75, No. 5, p. 83.