Clear, common-sense employment law advice that cuts directly to the bottom line. An attorney may say what the law is – but the monthly issues of HR Specialist: Employment Law and its related weekly e-letters explain what managers and human resource professionals should do that is both safe and practical in the real world of business.
Employers have a duty to protect their employees from identity theft. That means making sure no unauthorized party can gain access to employees’ Social Security numbers, banking information (that might show up on direct-deposit authorizations, for example), dates of birth or any other data criminals could use to steal their money or compromise their privacy.
The federal Fair and Accurate Credit Transactions Act (FACTA) of 2003 says employers that negligently or purposely let employees’ personally identifiable data fall into the wrong hands can face fines of up to $2,500 per infraction. (FACTA applies to customer data, too.)
In addition, almost every state has its own law dealing with identity theft, and many hold employers to a higher standard than the federal law.
How to comply
Instead of attempting to interpret the crazy quilt of state laws, adopt a gold standard data-security policy that meets the most stringent requirements. Security experts suggest that employers chart the flow of personal information through their organizations and develop a protection strategy at each stage.
Here are six ways to do so:
1. Secure job applications, which contain sensitive information. Store paper applications in a locked area with limited access. Receive applications over the Internet only through encrypted web pages.
2. Require confidentiality agreements for employees who handle and process hiring or payroll information. Make it clear that employees selling, distributing or even negligently exposing personal information may be subject to criminal prosecution.
3. Run background checks on staff who handle personal information.
4. Implement a data-removal policy that limits who can take sensitive information from your premises and how they must secure it. It’s best to make sure employee data stay within your walls. But if you do allow employees to remove personal data—say on laptops—make sure to password-protect and encrypt the data.
5. Don’t cover up breaches. Inform employees right away so they can work with financial institutions to limit the damage. Law enforcement officials may ask you to stay mum while they investigate, but most states require you to notify employees as soon as the police give the go-ahead.
6. Implement a document-destruction protocol. State laws generally don’t dictate when you should destroy old documents, but some dictate how. The strictest states require you to shred paper documents before discarding them. Electronic records must be erased completely, and all duplicate records destroyed.
ID theft online resources
Sarbanes-Oxley's effect on document destruction
Finance and accounting scandals have changed the way employers are allowed to handle document destruction. After Enron and other companies held all-night shred-fests to thwart government investigators, Congress passed the Sarbanes-Oxley law, which requires publicly traded companies to retain all records that could possibly be subpoenaed.