Employers are repositories of personal information about their employees. Job applications and personnel and payroll records can include such personally identifiable information (PII) as employees’ Social Security numbers, addresses and bank account numbers. According to a September 2002 report by credit information provider TransUnion, the leading source of PII used for identity theft is employer records. Not surprisingly, employers are facing increasing obligations to maintain the confidentiality of employee information, as well as potential exposure from theft of PII under employer control. But exactly how vulnerable are employers to lawsuits relating to identity fraud?
Around the country, employees are seeking to hold employers liable for the consequences of the employers’ failures to safeguard PII. A jury in Michigan recently awarded $275,000 to a group of employees who became the victims of identity theft after an employer disclosed Social Security numbers and pension account information in reports to the employees’ union. A relative of the treasurer of the union was arrested after using the PII contained in the reports to purchase goods in the employees’ names. In Minnesota, a group of employees sued an employer who disseminated the employees’ Social Security numbers to affiliated business sites. The employees claimed that they incurred costs to monitor their credit ratings and take preventative measures against identity theft because of the dissemination.
The litigation is not confined to instances of purposeful disclosure of PII by employers in the course of business. In California, pharmaceutical company employees sued their employer when personnel records kept in a storage area were accessed by an employee who used the PII from the records to set up fraudulent credit card accounts, rent apartments and open cellular telephone accounts. More than 30 employees were victims of the identity theft. The case settled out of court. In Iowa, an employee sued his former employer when a theft of the employee’s PII was traced to the IP address of a computer owned by the employer.
Litigation, however, is not the only source of a developing duty on the part of employers to safeguard information. The federal government and numerous states are creating new responsibilities for employers, and holding them accountable for safeguarding employees’ PII. For example, the federal Fair and Accurate Credit Transactions Act (FACTA) requires employers to shred, destroy or dispose of any employee credit reports obtained during hiring processes. Failure to comply with FACTA could result in civil liability of up to $1,000 per employee, plus actual damages if the employee’s identity is stolen as a result of the employer’s failure to protect the information. FACTA also allows for state and federal fines and class action liability.
In addition to the new federal government regulations for employers, Maryland has enacted its own legislation, the Social Security Number Privacy Act. The Act prohibits employers from posting or displaying an individual’s Social Security number and from printing an employee’s Social Security number on an access card. The Act also bars employers from requiring employees to transmit their Social Security numbers over the Internet unless the connection is secure or the number is encrypted.
Given the threat of litigation and the legislative activity on the issue, employers should take proactive steps to protect the PII of their employees. Some of the steps employers can take include:
- Developing policies and procedures to prevent identity theft in the workplace, including drafting an identity theft reporting policy and communicating it to employees. The policies should include details on proper destruction of documents containing employee PII.
- Discontinuing the use of Social Security numbers as employee identification numbers.
- Carefully screening all employees who have access to PII, including background checks when hiring human resources professionals.
- Securing all PII in locked cabinets. When storing personal information electronically, access should be limited to designated personnel. Some employers use monitoring software to track attempts to access electronic files containing employee PII.
- Providing training on data security and identity theft issues, including offering guidelines on retention and/or destruction of files with employee PII.
Comprehensive policies and procedures are an employer’s best defense against identity theft in the workplace. Developing strong internal controls will not only strengthen a company’s position in any litigation relating to identity theft, but also provide the best protection for the company’s employees.
Joyce E. Smithey is a partner with the law firm of Rifkin Weiner Livingston LLC in its Annapolis office. Her practice is concentrated in employment law.