[in Your State]
State:
Category
Topic
Date Range (optional)
From: PopUp Calendar
To: PopUp Calendar
 (Example: 01/01/2007)
Quick Links
 
 Resources: Records
Time Savers:
Checklists (2)
Forms (3)
Policies (4)
News:
• HR Recordkeeping: Keeping What You Need for As Long As You Need It
• Employers Agree to Train on ID Theft
White Papers:
• The Fight to Keep Benefits, Payroll Data Confidential--Are You Winning?
• What's New About the New EEO-1
Related Topics:
Notices (Posting)
September 19, 2006
Workplace Identity Theft: How to Curb an HR Headache

By Douglas Hottle, Meyer, Unkovic & Scott

A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.

Identity theft is the misuse or fraudulent use of an individual's personal information. Unfortunately for employers, personal data, such as social security and bank account numbers, is precisely what is contained in HR personnel files, a goldmine for ID thieves.

Employers unwittingly aid ID thieves by misusing or mishandling employees' personal information. Consequently, employers are now facing considerable legal repercussions as the victims of such crimes are looking for restitution. For example, a Minnesota employer was recently sued for faxing a list of employees' names and social security numbers to different managers within the company.

Employers, however, can protect their employees and minimize the risk of theft and liability by eliminating some of the more frequent mistakes employers make, including:

  • Keeping files in accessible locations and often neglecting to secure file cabinets
  • Leaving original documents or facsimiles in all-access copiers
  • Placing social security numbers on assorted documents such as timecards, membership cards, paychecks, licenses or purchase receipts
  • Using social security numbers as health plan policy reference numbers.
Given the likelihood of liability when employees' records are misused or mishandled, employers should take steps to protect personal employee information and, indeed, are required to do so under state and federal statutes. In Pennsylvania, for example, recent legislation established standards for the printing and transmitting of social security numbers. The legislation prohibits employers from:
  • Publicly posting social security numbers
  • Printing a social security number on any card
  • Transmitting a social security number over the internet without the use of encryption technology
  • Requiring online users to access company websites with a social security number without password protection or other authentication technology
  • Printing a social security number on any materials that are mailed to an individual, except where required by federal or state law, such as a W-2 form.
Employers should also be aware of a recent amendment to the Fair and Accurate Credit and Transactions Act (FACTA) that requires employers to take reasonable measures to dispose of an employee's credit report obtained during the hiring process. Under the statute, reasonable measures may include implementing policies and procedures that require the destruction of all documents and electronic files containing personal information.

A FACTA provision states that any hard copy document containing sensitive data should be destroyed by burning or shredding to make certain that the documents can not be reconstructed.

Following these laws may raise challenges for employers routinely used to using social security information of their employees.

Beyond instituting state and federal regulations, there are other steps employers can take to protect the confidentiality of employees' personal information. Here are a few:

  • Employers should write an ID theft reporting policy and communicate about it frequently to employees. Employees should be encouraged to report any ID theft crimes to a company security or operations chief.
  • Carefully screen all employees who have access to personal data. Consider conducting background checks as well when you hire new HR staff.
  • Secure all personal data in locked cabinets. If the files are stored electronically, make certain they can only be accessed by appropriate personnel. Use an electronic monitoring system which allows employers to see who is attempting to access sensitive information.
  • Never use social security numbers as a reference number of any kind.
  • Train employees about ID theft. Provide instruction on how to secure, handle and destroy appropriate files. Include information on protecting personal items and areas, such as purses, wallets and lockers.
In an initiative announced last week, the American National Standards Institute (ANSI) and the Better Business Bureau system (BBB) are partnering with a cross-section of high-profile companies to create a single resource of standards and guidelines that businesses and other organizations can use to prevent and respond to identity theft and fraud.

Called the Identity Theft Prevention and Identity Management Standards Panel (IDSP), the initiative will have two main charges: It will endeavor to identify and catalogue in one place any existing, broadly-applicable identity theft and fraud prevention standards and guidelines. Second, it will identify areas where updated or new standards are needed.

The bottom line is this: If an ID thief is lurking in your workplace, the first line of defense is your company's policies and procedures. Employers should periodically review their policies to ensure accordance with state and federal law. Employers may also want to consider seeking legal help to ensure compliance.

Revising and strengthening company policies will go a long way to minimizing the potential for identity theft and limiting employers' liability if an ID thief strikes. Keep in mind, however, that adopting a comprehensive series of policies and procedures will not prevent every known type of identity theft (ID thieves are an industrious and resourceful lot) nor prevent every lawsuit. Having a policy and following the law, however, will strengthen a company's position in any litigation related to identity theft.


Douglas Hottle, an attorney with Meyer, Unkovic & Scott in Pittsburgh and Lancaster, PA, works primarily in the area of employment law.