You may not realize it, but your organization may be contributing to identity theft by failing to safeguard personal information such as employees’ names, addresses, birth dates and Social Security numbers.
Any one of those breaches could violate the North Carolina Identity Theft Protection Act (NCITPA). The law makes it illegal for businesses to “intentionally communicate or otherwise make available to the general public an individual’s social security number.”
As the following case shows, it may be a violation just to put something on a company bulletin board that might be seen by members of the general public or others who have no need for the information.
Recent case: A group of employees sued their employer and labor union after a spreadsheet containing their names and Social Security numbers was sent via e-mail and then printed out. The company posted the information (which listed union membership cancelations) on a bulletin board in the hallway. Although it was an official bulletin board, it was also accessible by members of the general public.
The employees claimed posting the information in a way that allowed members of the public to see it violated the NCITPA.
The court said the case could go forward. The judge noted that it did not matter whether the public had actually seen the information, only that they might have. (Fisher, et al., v. Communications Workers of America, et al., No. 08-CVS-3154, North Carolina Superior Court, 2008)
Final note: The NCITPA makes it illegal to disseminate Social Security numbers, but the law doesn’t require that the dissemination be for fraudulent purposes or even that someone who had no right to the information actually saw, downloaded or otherwise made use of it. What matters is that the information could reasonably have been seen or accessed by unauthorized persons. Check how you handle such sensitive information.