Employers are repositories of
personal information about their employees. Job applications and personnel
and payroll records can include such personally identifiable information (PII)
as employees’ Social Security numbers, addresses and bank account numbers.
According to a September 2002 report by credit information provider
TransUnion, the leading source of PII used for identity theft is employer
records. Not surprisingly, employers are facing increasing obligations to
maintain the confidentiality of employee information, as well as potential
exposure from theft of PII under employer control. But exactly how
vulnerable are employers to lawsuits relating to identity fraud?

Around the country, employees are seeking to hold employers liable for the
consequences of the employers’ failures to safeguard PII. A jury in Michigan
recently awarded $275,000 to a group of employees who became the victims of
identity theft after an employer disclosed Social Security numbers and
pension account information in reports to the employees’ union. A relative
of the treasurer of the union was arrested after using the PII contained in
the reports to purchase goods in the employees’ names. In Minnesota, a group
of employees sued an employer who disseminated the employees’ Social
Security numbers to affiliated business sites. The employees claimed that
they incurred costs to monitor their credit ratings and take preventative
measures against identity theft because of the dissemination.

The litigation is not confined to instances of purposeful disclosure of PII
by employers in the course of business. In California, pharmaceutical
company employees sued their employer when personnel records kept in a
storage area were accessed by an employee who used the PII from the records
to set up fraudulent credit card accounts, rent apartments and open cellular
telephone accounts. More than 30 employees were victims of the identity
theft. The case settled out of court. In Iowa, an employee sued his former
employer when a theft of the employee’s PII was traced to the IP address of
a computer owned by the employer.

Litigation, however, is not the only source of a developing duty on the part
of employers to safeguard information. The federal government and numerous
states are creating new responsibilities for employers, and holding them
accountable for safeguarding employees’ PII. For example, the federal Fair
and Accurate Credit Transactions Act (FACTA) requires employers to shred,
destroy or dispose of any employee credit reports obtained during hiring
processes. Failure to comply with FACTA could result in civil liability of
up to $1,000 per employee, plus actual damages if the employee’s identity is
stolen as a result of the employer’s failure to protect the information.
FACTA also allows for state and federal fines and class action liability.

In addition to the new federal government regulations for employers,
Maryland has enacted its own legislation, the Social Security Number Privacy
Act. The Act prohibits employers from posting or displaying an individual’s
Social Security number and from printing an employee’s Social Security
number on an access card. The Act also bars employers from requiring
employees to transmit their Social Security numbers over the Internet unless
the connection is secure or the number is encrypted.

Given the threat of litigation and the legislative activity on the issue,
employers should take proactive steps to protect the PII of their employees.
Some of the steps employers can take include:

- Developing policies and procedures to prevent identity theft in the workplace, including drafting an identity theft reporting policy and communicating it to employees. The policies should include details on proper destruction of documents containing employee PII.
- Discontinuing the use of Social Security numbers as employee identification numbers.
- Carefully screening all employees who have access to PII, including background checks when hiring human resources professionals.
- Securing all PII in locked cabinets. When storing personal information electronically, access should be limited to designated personnel. Some employers use monitoring software to track attempts to access electronic files containing employee PII.
- Providing training on data security and identity theft issues, including offering guidelines on retention and/or destruction of files with employee PII.

Comprehensive policies and procedures are an employer’s best defense to
identity theft in the workplace. Developing strong internal controls will
not only strengthen a company’s position in any litigation relating to
identity theft, but also provide the best protection for the company’s
employees.

Joyce E. Smithey is a partner with the law firm of Rifkin, Livingston,
Levitan & Silver, LLC, in its Annapolis office. Her practice is
concentrated in employment law.



