Employers have a duty to protect their employees from identity theft. That means making sure no unauthorized party can gain access to employees’ Social Security numbers, banking information (that might show up on direct-deposit authorizations, for example), dates of birth or any other data criminals could use to steal their money or compromise their privacy.
The federal Fair and Accurate Credit Transaction Act (FACTA) of 2003 says employers that negligently or purposely let employees’ personally identifiable data fall into the wrong hands can face fines of up to $2,500 per infraction. (FACTA applies to customer data, too.)
In addition, almost every state has its own law dealing with identity theft —and many hold employers to a higher standard than the federal law.
How to comply
Instead of attempting to interpret the crazy quilt of state laws, adopt a gold standard data-security policy that meets the most stringent requirements. Security experts suggest that employers chart the flow of personal information through their organizations and develop a protection strategy at each stage.
Here are six ways to do so:
1. Secure job applications, which contain sensitive information. Store paper applications in a locked area with limited access. Receive applications over the Internet only through encrypted web pages.
2. Require confidentiality agreements for employees who handle and process hiring or payroll information. Make it clear that employees selling, distributing or even negligently exposing personal information may be subject to criminal prosecution.
3. Run on staff who handle personal information.
4. Implement a data-removal policy that limits who can take sensitive information from your premises and how they must secure it. It’s best to make sure employee data stay within your walls. But if you do allow employees to remove personal data—say on laptops—make sure to password-protect and encrypt the data.
5. Don’t cover up breaches. Inform employees right away so they can work with financial institutions to limit the damage. Law enforcement officials may ask you to stay mum while they investigate, but most states require you to notify employees as soon as the police give the go-ahead.
6. Implement a document-destruction protocol. State laws generally don’t dictate when you should destroy old documents, but some dictate how. The strictest states require you to shred paper documents before discarding them. Electronic records must be erased completely, and all duplicate records destroyed.
ID theft online resources
- Pregnant Employees: Answers to Your 20 Toughest Legal Questions
- Good faith--not perfection--is standard for deciding if wrongdoing calls for discipline
- Let applicants respond to background-check results
- Employment laws: Which ones, who's covered
- Documenting 'In Case of Litigation' Isn't Proof of Job Bias