In the process of recruiting, hiring, firing and just running a business, employers accumulate a large amount of personal data from applicants, employees and business associates.
Prior to the computer age, this information sat harmlessly collecting dust in file cabinets. But there is no dust in cyberspace. And all the locked cabinets in the world won’t keep determined hackers out of company computers.
How must you respond? Florida law requires employers to take reasonable steps to safeguard such personal data. You also must report any security breaches to the affected individuals and credit reporting companies once a breach is discovered.
On the federal level, the four-year-old Fair and Accurate Credit Transactions Act (FACTA) says businesses that negligently or purposely allow an employee’s or customer’s personal data to fall into the wrong hands can face fines of up to $2,500 per infraction. This may seem like a small amount, but the law considers each identity stolen as an infraction.
Notify about breaches quickly
State law requires “any person who conducts business” in Florida and “maintains computerized data … that includes personal information” to “provide notice of any [security] breach of the system.”
No unreasonable delay will be tolerated. At most, state law allows 45 days from the time the breach is discovered to report it to credit-reporting agencies.
Failure to comply results in $1,000-a-day fines for the first 30 days and $50,000 for each 30 days after that, up to 180 days. Fines are capped at $500,000. Unlike federal law, the fines are assessed for each breach, regardless of how many individuals’ data were compromised.
For purposes of the law, “personal information” is defined as an individual’s name with any of the following:
- An unencrypted Social Security number;
- A driver’s license number or Florida Identification Card number;
- An account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the individual’s account.
Information that already is legally available to the public is not considered personal information. If the employer can demonstrate that the cost of notifying all the necessary parties would exceed $250,000 or if the number of people affected is 500,000 or more, the employer can send e-mail notices to those for whom the employer has valid e-mail addresses, post a notice on the company Web site and notify major statewide media.
Prevention is the best cure
Employers can best protect themselves by adopting a gold standard of data security. Data security experts advocate that businesses chart the flow of personal information through their business and develop a protection strategy at each station.
For instance, employment applications contain very sensitive information. Paper applications should be stored in a locked area with limited access. Applications received over the Internet should be accepted only through encrypted Web pages.
Require employees who handle and process this sensitive information for hiring or payroll purposes to read and sign confidentiality agreements. Those agreements should make clear that employees selling, distributing or even negligently exposing personal information may be subject to criminal prosecution and/or civil litigation.
Employers should protect themselves by tightly screening employees who handle personal information. Thorough background checks can go a long way toward protecting employers.
Several recent high-profile losses of personal information have occurred when employees have taken the data out of the office on disks or laptops. If you are going to allow such behavior, the data must be password-protected and encrypted. Preferably, the data should never leave its snug home in the employer’s place of business.
When not to destroy records
In the post-Enron world, the rules are different. After that company and others held all-night shred-fests ahead of government investigators, Congress passed the Sarbanes-Oxley law.
Sarbanes-Oxley, or “SOX” as it is widely known, requires companies to retain all records that could possibly be subpoenaed in future civil or criminal litigation.
That means records must be maintained until all pertinent statutes of limitations have run out under various federal and state employment laws. In addition, new federal court rules dictate how businesses must keep electronic records that may be pertinent to litigation. Employers should develop their document-destruction and retention policies in consultation with an experienced attorney.