HR is a goldmine for confidential personal information that’s often the target of identity thieves. Anyone working in the HR department needs to be careful about keeping that data safe. The first step: secure passwords.

Some tips for passwords that are tough for hackers to break:

1. Use at least 8 characters, with a mix numbers and upper and lowercase letters. When a password’s only made  up of five letters, there are 11.9 million possible combinations. Sound pretty safe? Not when you consider that a password with eight mixed characters has 899.2 trillion possibilities.
2. Come up with nonsense. Many people create passwords out of actual words or phrases, because they’re easy to remember. But those are also easier for hackers to find out.
3. Change it up. Everyone in the HR department should come up with a new password once a month. One tip: Load monthly reminders on your and staffers’ computers.
4. Log off. The best password in the world doesn’t do any good if the user stays logged in constantly. When working with sensitive information, it’s important to log when stepping away even briefly. Otherwise, any passer-by should find a screen full of valuable info.

After the presidential election was over, John McCain’s team sought to recoup some costs by selling used laptops, BlackBerries and other equipment used by campaign workers.

The problem: At least one of the devices still contained information that should have been deleted beforehand.

Investigative reporters in Arlington, VA, purchased a BlackBerry from the team. When they charged the phone and turned it on, they a list of about 50 donors’ private phone numbers, as well as hundreds of e-mails between campaign employees and volunteers.

Companies can face similar problems when they dispose of old computers and other equipment. That’s why it’s important to have procedures in place to make sure all data is properly wiped.

One example: New Jersey’s Identity Theft Prevention Act. Passed in 2005, the law requires businesses to notify individuals if their personal data has been compromised and limits the ways business can use or collect social security numbers.

Now, the state has proposed new regulations clarifying the steps employers must take to prevent identity theft. Under the new regs, employers will be required to:

• develop a “comprehensive written information security program” to protect against unauthorized access of personal information
• regularly test their security procedures to make sure the info continues to be safe
• ensure that all applicable vendors maintain information security standards, and
• inform state police — as well as the individuals who could be affected — if any confidential information is lost or stolen.

Other states have passed similar laws in the past few years. Check the regulations in your state to make sure your company is following all the rules.

Read the facts of this real-life case and decide: Who won?

The facts:

A vice president was fired by the bank he was working for. Disgruntled, he uploaded some confidential company documents to a public site designed to leak private government and corporate information, allegedly to expose illegal activity. The company sued the owners of the site to get the documents removed and the site shut down.

The employer said:

Leaving the info posted violated the law – the former VP had signed a confidentiality agreement and the documents contained private information about the company and its customers.

Who won? The owners of the Web site.

Why: Shutting the site down would violate the First Amendment, the judge said. Also, it’d be unlikely to protect the company, since once documents become public they can easily be re-posted to other sites.

The Internet is creating a fierce battleground for employers and employees. Many employers have strict policies to keep employees from talking about the company or their co-workers online. But once someone leaves the company, what can you do? Not much, especially because once something goes public, you can’t stop people from re-posting it.

People have always been able to complain about places they used to work – technology’s just made it a lot easier to find an audience. In the end, its really just another incentive to keep positive employee relations and try to mitigate damage during termination meetings.

Do you have any thoughts on how companies can protect their reputations? Share with us in the comments section.

Cite: Bank Julius Baer & Co. Ltd v. Wikileaks

Roughly 637,000 laptops are lost at the country’s airports each year, according to recent study by the Ponemon Institute. That’s about 12,250 every week. About 65% of them are reclaimed, said the survey of airport officials.

That’s scary news, especially since most employer-owned laptops contain some kind of confidential data about the company, its customers, its employees or all three.

What’s the solution? Your company’s IT department can take steps to protect the data so it can’t be accessed by just anyone who comes across the computer.

Also, a little reminder about the basics before employees leave for a trip (i.e., “Don’t forget your laptop at the security checkpoint”) can go a long way.

What’s the latest method fraudsters have for extracting victims’ personal information?

Pretending to be the IRS.

A rash of phony e-mails have been appearing lately that claim to be from the tax agency. Typically they ask the recipients for Social Security numbers or bank account info, saying they need it to properly process refund checks.

Other scams tell readers they’re being investigate for tax fraud and ask them to click a link for more information — but doing so installs a virus on the victim’s computer.

The government warns people to be suspicious of all e-mails claiming to be from the IRS, because

1. the agency doesn’t typically commuting through unsolicited e-mails, and
2. they wouldn’t ask taxpayers for secret, personal information.

The IRS asks that phony e-mails be forwarded to phishing@irs.gov

The facts: An employee quit a job at one company to go work for a competitor. Before he left, he copied a bunch of computer files, including a database of the company’s clients. At his new job, he used that information to turn some of those clients into customers for the competitor.

The employer said: Copying the database violated the Computer Fraud and Abuse Act (CFAA). The company lost business when the employee used information he was no longer authorized to access to help a competitor gain an unfair advantage.

Who won? The employee.

Why: The company had no basis for suing under CFAA, since that law requires a plaintiff to show it suffered a financial loss and that the violation caused actual damage to the company’s information system. It met the first requirement because of the customers it lost, but the computer system remained in tact, so the company had no claim.

(Note: The company can still try to sue in state court, because the employee broke a non-compete agreement he had signed. But the court in this case had no jurisdiction over that claim.)

While the human element will always be hard to control, IT departments can take steps to try and prevent these kinds of problems before a court visit becomes necessary. That includes:

• Limiting access to certain files to just those employees that really need them
• Disabling CD writers and USB ports, if employees have no business use for them, and
• Tightening those precautions once it’s known an employee is leaving the company