A rise in identity theft is presenting employers with a major headache. They are being held liable for identity theft that occurs in the workplace.
Identity theft is the misuse or fraudulent use of an individual's personal information. Unfortunately for employers, personal data, such as Social Security and bank account numbers, is precisely what is contained in HR personnel files. These files can be goldmines for ID thieves.
Employers unwittingly aid ID thieves by misusing or mishandling employees' personal information. Consequently, employers are now facing considerable legal repercussions as the victims of such crimes are looking for restitution. For example, a Minnesota employer was recently sued for sending by FAX a list of employees' names and Social Security numbers to different managers within the company.
Employers, however, can protect their employees and minimize the risk of theft and liability by avoiding some of the more frequent mistakes employers make, including:
Keeping files in accessible locations and often neglecting to secure file cabinets.
Leaving original documents or facsimiles in all-access copiers.
Placing Social Security numbers on assorted documents such as timecards, membership cards, paychecks, licenses, or purchase receipts.
Using Social Security numbers as health plan policy reference numbers.
Given the likelihood of liability when employees' records are misused or mishandled, employers should take steps to protect personal employee information and, indeed, are required to do so under state and federal statutes. In Pennsylvania, for example, recent legislation established standards for the printing and transmitting of social security numbers. The legislation prohibits employers from:
Publicly posting Social Security numbers.
Printing a Social Security number on any card.
Transmitting a Social Security number over the internet without the use of encryption technology.
Requiring online users to access company websites with a Social Security number without password protection or other authentication technology.
Printing a Social Security number on any materials that are mailed to an individual, except where required by federal or state law, such as a W-2 form.
Employers should also be aware of a recent amendment to the Fair and Accurate Credit and Transactions Act, or FACTA, which requires employers to take reasonable measures to dispose of an employee's credit report obtained during the hiring process. Under the statute, reasonable measures may include implementing policies and procedures that require the destruction of all documents and electronic files containing personal information.
A FACTA provision states that any hard copy document containing sensitive data should be destroyed by burning or shredding to make certain that the documents can not be reconstructed.
Following these laws may raise challenges for employers routinely accustomed to using employees' Social Security information.
Beyond instituting state and federal regulations, there are other steps employers can take to protect the confidentiality of employees' personal information. Here are a few:
Employers should write an ID theft reporting policy and communicate about it frequently to employees. Employees should be encouraged to report any ID theft crimes to a company security or operations chief.
Carefully screen all employees who have access to personal data. Consider conducting background checks as well when you hire new HR staff.
Secure all personal data in locked cabinets. If the files are stored electronically, make certain they can only be accessed by appropriate personnel. Use an electronic monitoring system which allows employers to see who is attempting to access sensitive information.
Never use Social Security numbers as a reference number of any kind.
Train employees about ID theft. Provide instruction on how to secure, handle and destroy appropriate files. Include information on protecting personal items and areas, such as purses, wallets and lockers.
The bottom line is this: If an ID thief is lurking in your workplace, the first line of defense is your company's policies and procedures. Employers should periodically review their policies to ensure accordance with state and federal law. Employers may also want to consider seeking legal help to ensure compliance.
Revising and strengthening company policies will go a long way to minimizing the potential for identity theft and limiting employers' liability if an ID thief strikes. Keep in mind, however, that adopting a comprehensive series of policies and procedures will not prevent every known type of identity theft (ID thieves are an industrious and resourceful lot) nor prevent every lawsuit. Having a policy and following the law, however, will strengthen an employer's position in any litigation related to identity theft.