You've already heard about thieves stealing credit card numbers, with the Target stores theft dominating the news headlines. But imagine what a thief could do with your company's payroll records. Those contain valuable information such as your Social Security number, date of birth, your address and how much you earn.
Gary Blatto-Vallee of Webster, N.Y., learned how damaging this type of data theft can be when he tried to submit his federal tax return. "We were alerted by our accountant that our e-filing for our taxes was denied because of one of our numbers had been used," he says.
Turns out this is a common scam — a thief steals your Social Security number, files a return and collects a refund. I should mention that Gary Blatto-Vallee is a friend of mine — one reason he's willing to talk about this experience. NPR talked with several people in this situation, but most are uncomfortable speaking publicly on issues concerning their employers.
A few days after Blatto-Vallee's tax return was rejected, he says his employer sent notice that its payroll system had been hacked. He works for Sorenson Communications, a company that provides services for people who are deaf. Because there's an investigation happening, the company declined NPR's interview request.
Blatto-Vallee says Sorenson offered him help, including credit monitoring services. And he expects to spend many hours over the next year monitoring accounts and sorting out his taxes with the IRS.
Other companies have had their payroll systems compromised recently too. Chicago-based Assisted Living Concepts, which recently changed its name to Enlivant, says 43,600 of its current and former employees were affected. "We've partnered with the IRS and the FBI and the investigation continues," says Monica Lang, vice president of corporate communications at the company.
The U.S. Department of Justice says 16.6 million people were victims of identity theft in 2012. It's not clear exactly how many were victims of payroll system data breaches, specifically. Experts consulted for this story believe it's a small percent. But the consequences can be very serious — not only can a thief buy things under your name, they can also get medical care, open new accounts or even commit crimes using your identity.
If you're worried about the security of your employer's payroll records ask questions, advises Eva Velasquez, president and CEO of Identity Theft Resource Center. If you're worried about offending your boss, Velasquez suggests mentioning this story and use that as a way to bring up the topic.
There are some laws designed to keep private data safe and notify victims when there's a breach. Some federal laws are specific to the type of data — medical records, for example. Forty-six states have their own laws with varying degrees of protection. That can be confusing for businesses that operate in more than one state.
The law firm Fox Rothschild LLP has developed an iPhone app to help businesses sort out the various requirements. Scott Vernick, a partner with the firm says most large companies would prefer one federal standard.
DAVID GREENE, HOST:
Several big retail stores have been hit by data breaches recently - Target, Neiman Marcus, Michael's. The list keeps growing as hackers continue to steal personal data and credit card information. The full extent of the damage to consumers is still unknown. But just imagine what a thief could do by digging into say, your company's payroll records. Those contain your Social Security number, your date of birth, how much you earn.
NPR's Jeff Brady reports that some people are finding out the hard way how damaging this sort of breach can be.
JEFF BRADY, BYLINE: Near Rochester, New York, a man named Gary Blatto-Vallo recently tried to submit his federal tax return.
GARY BLATTO-VALLO: We were alerted by our accountant that our e-filing for our taxes was denied because of one of our numbers had been used.
BRADY: Turns out it's a common scam. A thief steals your Social Security number then files a return and collects your refund. A few days later his employer notified its workers that someone hacked into the company's payroll system.
I should mention that Gary is a friend of mine, and that's probably one reason he's willing to talk about his experience. Many people in his situation are uncomfortable speaking publicly about a problem involving their employer. Gary works for Sorenson Communications, a company that provides services for people who are deaf. Because there's an investigation happening, the company declined NPR's interview request.
Meanwhile, Gary has signed up for credit monitoring services and contacted the IRS trying to sort out the mess.
BLATTO-VALLO: I'm sure I'll be spending tens and hundreds of hours on this stuff from here on out. And, who knows, this is going to be the next year of life.
BRADY: Gary is not alone. We talked with others around the country who also experienced similar problems. A Chicago company that operates assisted living facilities learned in February that its payroll system was compromised. Monica Lang is vice president of corporate communications for Assisted Living Concepts, which recently changed its name to Enlivant. She says more than 43,000 current and former employees were affected.
MONICA LANG: Names, addresses, birthdates, Social Security numbers and pay information were accessed by the unauthorized third parties.
BRADY: The U.S. Department of Justice says 16.6 million people in the U.S. were victims of identity theft in 2012. It's not clear exactly how many people are victims of payroll system data breaches. Experts consulted for this story believe it's a small percent. But the consequences can be very serious. Not only can a thief buy things under your name, they can also get medical care, open new accounts or even commit crimes using your identity.
Monica Lang says her company notified employees as soon as possible. She says already some are experiencing problems.
LANG: We've partnered with the IRS and the FBI and the investigation continues.
BRADY: In San Diego, at the Identity Theft Resource Center, president and CEO, Eva Velasquez helps victims every day. She says if you're worried about the security of your employer's payroll records, ask questions.
EVA VELASQUEZ: And then you can even use this program as the catalyst for that conversation, you know, hi, good morning Joe, I just heard on the radio this really scary program about this data breach for payroll records and it got me thinking: What do we do here to make sure that doesn't happen to us?
BRADY: Velasquez says current laws governing how companies store data and notify victims of breaches vary from state to state. So businesses that operate in multiple states have to figure out how to comply with all those laws.
Scott Vernick is a Philadelphia attorney who advises businesses on data security. His firm released an iPhone application that helps businesses navigate the 46 different state laws. He says most larger companies would prefer one federal standard.
SCOTT VERNICK: It's just much harder when you're responding to 46 different statutory schemes, as opposed to just one scheme.
BRADY: On Capitol Hill, a few lawmakers have repeatedly introduced bills to strengthen federal data privacy laws. With more attention on data breaches now, they hope a bill will pass this year.
Jeff Brady, NPR News. Transcript provided by NPR, Copyright NPR.