It does not take much. A birth date. A Social Security number. A driver's license. Acts of identity theft start with the illicit acquisition of some of the most basic personal information.
Much of this information is located in the workplace. Over time, employers accumulate a significant amount of information about their employees, including Social Security number, driver's license information, benefits data, payroll records, identities of dependents and medical records. Employers also collect similarly personal information related to customer transactions, such as credit card numbers.
The effects of the misuse of personal information can be long-lasting. It can take years to clean up a victim's credit, bank or financial history.
Potential Employer Liability
The failure to carefully maintain and discard employee and customer personal information may result in employer liability in the form of negligence claims. This may arise when an employer fails to take reasonable measures to protect the information or when an employer hires or employs an individual for an information-sensitive position despite knowing that the individual previously had engaged in acts of fraud.
In addition, federal and state laws govern employers' disclosure of personal information.
For instance, at the federal level, employers must comply with the Federal Trade Commission's 'Disposal Rule,' which restricts the manner in which employers dispose of information contained in consumer reports (those reports obtained on applicants during the hiring process).
At the state level, Pennsylvania will soon join other states in limiting the use and disclosure of Social Security numbers. Pennsylvania's law on the confidentiality of Social Security numbers, effective at the end of December 2006, will restrict the manner in which they may be used in conducting certain transactions and has implications for their use in the workplace.
Measures To Protect Against Identity Theft
In light of the potential liability, concerned employers should examine their current practices to determine to what extent appropriate safeguards exist and where additional protocols should be implemented.
Establish sound hiring practices. One measure that may be taken to reduce (although not eliminate) the risk of a negligence claim is to conduct an appropriate background check on an applicant, particularly for security-sensitive positions. In doing so, an employer may be able to ascertain whether an applicant has been convicted of a job-related crime such as theft or fraud and, therefore, should not be hired or employed in that position.
Of course, any background check must be conducted in accordance with the Fair Credit Reporting Act (FCRA). Among other things, FCRA requires that an applicant be notified that a background check will be conducted and requires the applicant's prior authorization. In addition, FCRA imposes both pre-adverse notice as well as adverse notice obligations on an employer where a hiring decision is based in whole or in part upon information obtained through the consumer report. Finally, state law may impose additional limitations on what information may be used to deny employment as well as additional notice obligations when a decision not to hire an applicant is based upon a criminal conviction.
Protect information in the workplace. For many employers, implementing information security protocols to protect personal information is not a new obligation. These employers have already implemented appropriate procedures to protect individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In addition, financial institutions (defined broadly to include any business that is 'significantly engaged' in providing financial products or services) must comply with the Gramm-Leach-Bliley Act (GLB) by ensuring the security and confidentiality of their consumer information through the development and implementation of a written information security plan. This plan requires covered businesses to identify a security coordinator, identify and assess the risks to customer data, design and implement a safeguard program, select service providers who will comply with the GLB requirements, and periodically evaluate and monitor the safeguarding of this information.
Since much of the information protected by these two laws could also be utilized to commit identity theft, compliance with these laws will go a long way toward safeguarding employee and customer personal information and, therefore, reducing potential instances of identity theft. Some practices to implement include:
Designating a security coordinator to whom security breaches are reported.
Limiting access to hardcopy files to those who need to know, and storing hard-copy information in locked rooms and cabinets.
Requiring 'strong' passwords (comprised of numbers and both lowercase and uppercase letters) to be used to access personal information; prohibiting employees from sharing passwords, and requiring password-activated screensavers to prohibit individuals from easily accessing information on a coworker's computer.
Encrypting information transmitted electronically and with secure connections, and restricting access to computers to authorized personnel only and maintaining a record of maintenance and repair personnel.
Conducting periodic audits of security system.
Requiring third-party storage providers to comply with GLB (whereapplicable) and maintain specific levels of security, and periodically auditing storage providers.
Designating a company official to respond to requests for information from third parties such as creditors, mortgage or car loan companies, or subsequent employer references, and responding to written inquiries only (not verbal inquiries over the phone), where the identity of the requesting party can be confirmed and only with the employee's consent.
Social Security numbers. Social Security numbers are one of the key pieces of information used to commit identity theft. Particular attention should be paid to protecting this piece of information.
Upon the effective date (end of December 2006) of Pennsylvania's new law protecting Social Security numbers, businesses may not publicly post or display Social Security numbers; may not require a customer to use a Social Security number to access the business's products or services; may not require the transmittal of a customer's Social Security number unless it is encrypted, and may not require a customer to use a Social Security number to access its website unless a password is also required. There are additional limitations on printing Social Security numbers on certain mailed materials. Other state laws may have additional requirements.
It should be expected that these state laws will have an impact on the use of employee Social Security numbers in the workplace. Therefore, Social Security numbers should not be used as a personal identifier to access an employer's computer system and should not be written on paychecks, health insurance or other benefit cards, building or parking access cards, or on employee ID badges.
Develop appropriate personnel policies. Employers should also review existing personnel policies to support the safeguarding of personal information.
A confidentiality policy should define employer 'confidential information' to include actual and potential customer and employee data. Employees should be prohibited from using or disclosing confidential information during and after employment, unless in conjunction with the employee's job responsibilities.
Computer-use policies should restrict employee access to customer and employee information. In addition, subject to applicable state privacy laws, a business shouldexpressly reserve the right to monitor, block or copy any information or data that was sent, stored or received by an employee, either in real time or after the fact, and whether accessed by the employee at the worksite or remotely. A strong provision with respect to monitoring will reduce an employee's 'right to privacy' claim with respect to his or her workplace activities and will enable an employer to periodically monitor employees as well as investigate a specific security breach.
Employee cell phones and PDAs are common in the workplace. However, because these devices may be used to record personal information, employees should be prohibited from using their recording or copying functions in the workplace, unless related to performing their jobs.
Report/investigate security breaches. Upon learning of an incident of identity theft or similar security breach, employers should react promptly and thoroughly.
Employers should establish a point person for notification of security breaches. The Federal Trade Commission recommends that several steps be taken, including filing a report with local police and notifying local businesses and individuals. Affected individuals should be encouraged to report the breach to the national credit bureaus and place a fraud alert on potentially affected accounts.
State and federal laws also impose reporting obligations. Pennsylvania's Breach of Personal Information Notification Act, for instance, requires a covered business to provide written notice to affected individuals (as well as other businesses whose information is stored) in the event unencrypted and unredacted personal information has been compromised or believed to be compromised. If the breach is widespread (more than 1,000 persons), the notice obligations are more expansive.
In addition, the Fair Credit Reporting Act entitles victims of identity theft to ask businesses for a copy of any transaction records that related to identity theft.
Properly dispose of personal information. Finally, because personal information can be easily retrieved from a garbage can, employers should implement reasonable practices for disposing such information.
The FTC's 'Disposal Rule' mandates that reasonable and appropriate measures be taken to properly dispose of any sensitive information derived from consumer reports. Such measures include shredding hard-copy documents, removing data from computer hard drives, destroying or erasing storage devices, and taking measures to ensure that any third-party data destruction company utilizes appropriate disposal practices. Although limited to information obtained from consumer reports, the Disposal Rule may be relied upon by courts as to what constitutes 'reasonable efforts' by an employer to properly dispose of personal information. Some states, such as New York, have also enacted laws requiring employers to implement certain disposal procedures.
Identity theft in the workplace is a real, not imagined, threat. Businesses should examine their existing security and personnel policies to address and resolve to the greatest extent possible the potential security breaches that could result in the improper disclosure of personal information. This should be done not only to reduce potential legal exposure from information breaches, but because it is sound business practice.
Published November 1, 2006.