The federal Fair and Accurate Credit Transaction Act (FACTA) of 2003 says businesses that negligently or purposely allow employees’ or customers’ personally identifiable data to fall into the wrong hands can face fines of up to $2,500 per infraction. The law considers each identity stolen as an infraction, so that fine could add up fast.
But FACTA may be a slap on the wrist compared with the various state laws signed in recent years.
In the past four years, 45 states and the District of Columbia have enacted a total of 169 separate laws dealing with identity theft. Many of those hold employers to a higher standard than the federal law. And those laws often protect state citizens regardless of where they work or where their data are stored. Some recent examples:
New Jersey’s Identity Theft Prevention Act requires employers to notify all affected consumers of any security breach that may have exposed their identifying information. Failure to do so is punishable by a $3,000 per-violation fine. Again, one person equals one violation. New Jersey also requires employers to destroy unneeded information in a timely fashion.
Pennsylvania’s Breach of Personal Information Notification Act, like other state laws, lists the specific personal information items that employers must protect, including Social Security numbers, credit card numbers and driver’s license numbers.
Arizona’s new law prohibits anyone from requiring personal information to be transmitted over the Internet in an unencrypted form.
Texas now requires bars and restaurants to post signs warning employees that it’s a felony to use customers’ credit card numbers without their approval.
How to comply
Employers can attempt to interpret the crazy quilt of state laws, or they can adopt a gold standard data-security policy that meets the most stringent standards. Security experts suggest that employers chart the flow of personal information through their organization and develop a protection strategy at each station.
For example, employment applications contain sensitive information. Employers should store paper applications in a locked area with limited access. Receive applications over the Internet only through encrypted Web pages.
Employees who handle and process hiring or payroll information should read and sign confidentiality agreements. The agreement should make it clear that employees selling, distributing or even negligently exposing personal information may be subject to criminal prosecution and/or civil litigation.
Protect your organization by tightly screening employees who handle personal information. Thorough background checks can go a long way.
Another risk: removing data from your building. In May, the theft of a Veterans Affairs Department laptop compromised the personal data of 26 million U.S. veterans.
It’s best to make sure employee data stay within your walls. But if you do allow employees to remove personal data—say on laptops—make sure to password-protect and encrypt the data.
If a security breach does occur, don’t try to hide it.
Most state laws say public release of the breach can be delayed if law enforcement officials think it’s best for their investigation.
But most states require you to notify affected employees or customers as soon as law enforcement gives you the green light.
Finally, state laws generally don’t dictate when you should destroy old documents. But some dictate how. The most stringent state laws require that you shred paper documents before discarding them. Electronic records must be erased completely and all duplicate records destroyed.
Example of potential risk: A Los Angeles social services agency was cited for leaving employee records unattended in a public area before disposing of them.
Online resources: Identity theft FACTA: www.privacyrights.org/fs/fs6a-facta.htm. State laws and legislation: www.ncsl.org/programs/lis/privacy/idtheft.htm.
This information is proudly provided by Business Management Daily.com: http://www.businessmanagementdaily.com/2703/identity-theft-how-far-must-you-go-to-protect-workers-data