DAVID GREENE, HOST:
Several big retail stores have been hit by data breaches recently - Target, Neiman Marcus, Michael's. The list keeps growing as hackers continue to steal personal data and credit card information. The full extent of the damage to consumers is still unknown. But just imagine what a thief could do by digging into say, your company's payroll records. Those contain your Social Security number, your date of birth, how much you earn.
NPR's Jeff Brady reports that some people are finding out the hard way how damaging this sort of breach can be.
JEFF BRADY, BYLINE: Near Rochester, New York, a man named Gary Blatto-Vallo recently tried to submit his federal tax return.
GARY BLATTO-VALLO: We were alerted by our accountant that our e-filing for our taxes was denied because of one of our numbers had been used.
BRADY: Turns out it's a common scam. A thief steals your Social Security number then files a return and collects your refund. A few days later his employer notified its workers that someone hacked into the company's payroll system.
I should mention that Gary is a friend of mine, and that's probably one reason he's willing to talk about his experience. Many people in his situation are uncomfortable speaking publicly about a problem involving their employer. Gary works for Sorenson Communications, a company that provides services for people who are deaf. Because there's an investigation happening, the company declined NPR's interview request.
Meanwhile, Gary has signed up for credit monitoring services and contacted the IRS trying to sort out the mess.
BLATTO-VALLO: I'm sure I'll be spending tens and hundreds of hours on this stuff from here on out. And, who knows, this is going to be the next year of life.
BRADY: Gary is not alone. We talked with others around the country who also experienced similar problems. A Chicago company that operates assisted living facilities learned in February that its payroll system was compromised. Monica Lang is vice president of corporate communications for Assisted Living Concepts, which recently changed its name to Enlivant. She says more than 43,000 current and former employees were affected.
MONICA LANG: Names, addresses, birthdates, Social Security numbers and pay information were accessed by the unauthorized third parties.
BRADY: The U.S. Department of Justice says 16.6 million people in the U.S. were victims of identity theft in 2012. It's not clear exactly how many people are victims of payroll system data breaches. Experts consulted for this story believe it's a small percent. But the consequences can be very serious. Not only can a thief buy things under your name, they can also get medical care, open new accounts or even commit crimes using your identity.
Monica Lang says her company notified employees as soon as possible. She says already some are experiencing problems.
LANG: We've partnered with the IRS and the FBI and the investigation continues.
BRADY: In San Diego, at the Identity Theft Resource Center, president and CEO, Eva Velasquez helps victims every day. She says if you're worried about the security of your employer's payroll records, ask questions.
EVA VELASQUEZ: And then you can even use this program as the catalyst for that conversation, you know, hi, good morning Joe, I just heard on the radio this really scary program about this data breach for payroll records and it got me thinking: What do we do here to make sure that doesn't happen to us?
BRADY: Velasquez says current laws governing how companies store data and notify victims of breaches vary from state to state. So businesses that operate in multiple states have to figure out how to comply with all those laws.
Scott Vernick is a Philadelphia attorney who advises businesses on data security. His firm released an iPhone application that helps businesses navigate the 46 different state laws. He says most larger companies would prefer one federal standard.
SCOTT VERNICK: It's just much harder when you're responding to 46 different statutory schemes, as opposed to just one scheme.
BRADY: On Capitol Hill, a few lawmakers have repeatedly introduced bills to strengthen federal data privacy laws. With more attention on data breaches now, they hope a bill will pass this year.
Jeff Brady, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.