HR is a goldmine for confidential personal information that’s often the target of identity thieves. Anyone working in the HR department needs to be careful about keeping that data safe. The first step: secure passwords.

Some tips for passwords that are tough for hackers to break:

1. Use at least 8 characters, with a mix numbers and upper and lowercase letters. When a password’s only made  up of five letters, there are 11.9 million possible combinations. Sound pretty safe? Not when you consider that a password with eight mixed characters has 899.2 trillion possibilities.
2. Come up with nonsense. Many people create passwords out of actual words or phrases, because they’re easy to remember. But those are also easier for hackers to find out.
3. Change it up. Everyone in the HR department should come up with a new password once a month. One tip: Load monthly reminders on your and staffers’ computers.
4. Log off. The best password in the world doesn’t do any good if the user stays logged in constantly. When working with sensitive information, it’s important to log when stepping away even briefly. Otherwise, any passer-by should find a screen full of valuable info.

One example: New Jersey’s Identity Theft Prevention Act. Passed in 2005, the law requires businesses to notify individuals if their personal data has been compromised and limits the ways business can use or collect social security numbers.

Now, the state has proposed new regulations clarifying the steps employers must take to prevent identity theft. Under the new regs, employers will be required to:

• develop a “comprehensive written information security program” to protect against unauthorized access of personal information
• regularly test their security procedures to make sure the info continues to be safe
• ensure that all applicable vendors maintain information security standards, and
• inform state police — as well as the individuals who could be affected — if any confidential information is lost or stolen.

Other states have passed similar laws in the past few years. Check the regulations in your state to make sure your company is following all the rules.

Francis Janosko, a former inmate at the Plymouth County Correctional Facility in Massachusetts, was recently arrested by the FBI for stealing confidential information about the prison’s employees.

While serving his time, Janosko was given access to a computer for legal research. The FBI says he found a way to access blocked parts of the prison’s server.

Allegedly he stole the Social Security numbers of more than 1,000 current and former prison employees, as well as other data. He faces charges of identity theft and intentional damage to a protected computer. If convicted, he could serve up to 12 more years in jail and pay a fine up to $250,000.

They’ll likely keep him away from confidential prison records this time around.

There are four big types of HR info criminals would love to get their hands on, according to Michael Hall, who spoke at a recent Society for Human Resources Management conference in Atlanta.

Here’s what to keep a close eye on:

• Financial info, like bank account numbers for direct deposit
• Driver’s licenses and other forms of ID employers needed for I-9 verification
• Social Security Numbers, and
• Medical information contained in health insurance documents.

How HR can help

Hall recommends working closely with IT to make sure all electronically stored information is safe from outsiders, as well as inside threats.

Also, companies should train employees — especially HR staffers — on how to protect data from being lost or stolen.

The company, Howard Industries, was the target of the largest immigration raid at a single location in U.S. history — despite using E-Verify for new hires, as mandated by state law.

How could so many undocumented workers have been hired? One big explanation could be the timing. The investigation started two years ago, before the company was using E-Verify.

Also to blame might be the fact that E-Verify doesn’t do much to prevent identity theft. If an undocumented employee uses another person’s name and social security number, the system won’t tell employers that — it only matches names and SSNs.

E-Verify is set to expire in November, unless Congress approves an extension. The House of Representatives passed a bill to extend the program for five more years, but the Senate has yet to take action.

Experts say situations like Howard’s are likely to up the ante in the debate on whether to scrap it, keep it as a voluntary or make it mandatory for employers. We’ll keep you posted.

A lot of new Web sites claiming to collect money for hurricane victims starting springing up last week, security researchers said.

Nearly 100 domain names with words like “Gustav,” “charity” and “relief” have appeared, according to security training firm the SANS Institute. Many lead to legitimate relief efforts, though a similar domain push occurred after Hurricane Katrina three years ago, with many phony sites set up to steal donors’ money.

The Louisiana Attorney General’s office has also warned about an e-mail scam asking for credit card donations, allowing the scammers to steal people’s card numbers and other personal information.

To stay safe, experts recommend never responding to unsolicited e-mails that ask for credit card info, bank account numbers, etc.

In a recent court case, one company that thought it was buttoned-up against ID theft ended up paying $550K to employees because of a security breach. That’s just one example of how new data security laws are raising the stakes for HR and IT.

The potential costs of an HR data breach are huge. The loss of customer information has gotten most of the attention lately, but employee data is causing its own share of problems, too.

For example, Union Pacific Railroad recently made headlines after data about many of its current and former employees was stolen. Last December, the company was ordered to pay $550,000 to recover the money they lost due to identity theft.

Look out for new laws

Employers are already familiar with the Health Insurance Portability and Accountability Act (HIPAA), which requires them to protect employees’ medical info. But the threat of identity theft has resulted in a new type of legislation that’s popping up across the country: data breach notification laws. So far there are no federal regs about what employers need to do if information is compromised, but states are filling in the holes themselves.

Thirty-eight states have laws on the books right now, and more state legislatures are considering them. The specifics vary from state to state, but typically, the rules cover specific types of data (such as social security numbers, bank account info, etc.) and require companies to notify the victims of a breach within a certain amount of time.

Generally, if a company breaks the law, people whose data is lost can sue – sometimes even if they don’t lose any money because of the breach.

(To read about the laws, state-by-state, go here.)

Plan Ahead

Of course, the best way to avoid going to court under one of those laws is to keep breaches from happening in the first place.

The key is cooperation between HR and IT. Here are some things both departments can do to limit the risk as much as possible:

• Encrypt HR data. Many of the breach laws give employers a safe harbor if data is lost or stolen, but is encrypted so criminals can’t access it.
• Don’t collect info you don’t need. And don’t keep any sensitive stuff around for longer than you have to (for example, unnecessary information about employees who’ve left the company). Store the sensitive data separate from the rest and make sure access is only given to employees who need it.
• Hire the right people. Many data thefts are inside jobs; others are caused accidentally by negligent employees. Extensive background checks when hiring employees who will deal with sensitive data can help keep the human factor in check.
• Don’t use the data the wrong way. One common practice is to use part of a SSN to form an employee ID number. Even using the last four digits and sticking it on an employee’s ID badge creates an unnecessary risk.
• Keep the non-tech stuff safe, too. It’s easy to forget, but paper records need protection just as much as computer files. Make sure file cabinets are locked and documents are shredded when you no longer need them.

It’s called “spear phishing,” and it’s a new, more targeted version of a phishing scam. In the old version, you get an e-mail that says it’s from a bank, insurance company, etc. – and for some stated reason, they need you to give them your account number and other personal information again.

Scams like that are still causing problems, but they’ve also gotten more complicated. This time around, criminals are targeting specific organizations and claiming to be specific people.

So instead of a mass e-mail sent to thousands of people, employees at a certain company might get an e-mail claiming to be from the HR manager that asks for bank account information to set up direct deposit, or a home address, Social Security number, etc.

How you can help

Huge corporations and government bodies are most at risk, but all employers should be aware of the threat and take preventive action. For security reasons, you probably don’t want to ask for sensitive information via e-mail, and employees should know that you won’t.

Also, most employees should use a refresher on basic e-mail security: Be wary of addresses you don’t already know and trust, be careful with attachments, and always make sure you’re connected to a secure Web site if you do enter personal data. Those tips will cut down on the risk of spear phishing, too.