If your organization hasn't taken identity theft seriously, here are two good reasons to start now: Starting June 1, federal law requires you to properly dispose of-check information that you gather for employment-screening purposes. Plus, a first-of-its-kind court ruling places new legal responsibilities on you to safeguard employees' personal data, particularly Social Security numbers (SSNs).
New federal "disposal rule." Last year's Fair and Accurate Credit Transactions Act included the so-called "disposal rule," which requires your organization to properly dispose of "any record about an individual, whether in paper, electronic or other form that is a consumer report or is derived from a consumer report" that can identify that person individually.
The law doesn't mandate any specific type of "proper" disposal method, but suggests shredding paper files, erasing electronic files or some other "reasonable" means. The new rule applies to every business, regardless of size or number of employees. Fines are stiff: Employers whose employees' identities are stolen can be subject to actual damages, civil fines of up to $2,500 per employee and class-action lawsuits. To read more on the rule, see the Federal Trade Commission's site at www.ftc.gov/os/2004/11/041118disposalfrn.pdf.
Court ruling: Meanwhile, the Michigan Court of Appeals recently became the first court to allow employees who are identity-theft victims to recover damages from an employer. The case dealt with a supervisor who took employee data home. His daughter stole the data and used it to commit identity theft. Employees sued the company for negligence and won. (Bell v. Michigan Council 25 AFSCME)
That court won't be the last to act; its ruling could become a benchmark for courts around the nation. Plus, many states are passing new laws that increase your liability burden.
What must you do now? Write a stricter policy detailing how your company safeguards, stores and discards employees' identifying information.
To comply with the new federal rule, ensure that documents containing personal information are being properly shredded or erased. If you outsource the task to a third party, you also need to confirm that your vendor complies with the law.
It's also not enough to issue a policy saying documents containing SSNs must be protected. Instead, detail how to carry out the proper safeguarding and destruction of personal data.
Explain that employees with access to information containing SSNs must shred those documents when discarding them. And clearly state who has access to such documents and where and when that access should occur.
Even better: As we've advised before, avoid using SSNs on employee documents whenever possible.