Employee Identity Theft Becomes a Growing Concern for Employers

Reginald Jones
November 21, 2005 — 2,650 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

A few years ago, identity theft was an occasional topic of conversation in the national press as a relatively rare criminal activity largely left to the attention of state and local law enforcement authorities. Today, the subject is everywhere in the media; it's a felony under the federal Identity Theft and Assumption Deterrence Act of 1998; and it ranks as the nation's top consumer fraud complaint, according to the Federal Trade Commission (FTC). In 2001, the FTC's Identity Theft Data Clearinghouse received more than 117,000 complaints of identity theft. In 2002 that number exceeded 279,000. The most notable aspect of these numbers is that they are incomplete because no one single source captures all incidents of identity theft. As a result, the true frequency of the crime is probably even higher than the numbers reflect. What is clear, however, is that employers are involved. The No. 1 underlying source of identity fraud is theft of employer records, according to a September 2002 report by TransUnion, one of the nation's three credit bureaus.

The issue of who bears the liability for the results of identity theft was at the center of a recent case in Michigan. There a group of employees broke new legal ground when a jury awarded them $275,000 for the financial chaos that entered their lives when their union neglected to safeguard their Social Security and driver’s license numbers. The verdict against Michigan Council 25 of the American Federation of State, County, and Municipal Employees (AFSCME) is the first in the nation to find that a custodian of employee information has a duty to guard the data with scrupulous care.

As the incidents continue to escalate and the number of identity theft victims burgeons, the question arises whether courts across the nation are poised to find employers liable for the consequences of their failures to keep personal data private. Moreover, the Federal government and many states are starting to create new duties for employers, making them responsible for safeguarding sensitive information.

Federal. As of June 1, 2005, the FTC has promulgated a “Disposal Rule” that requires all employers in the U.S., regardless of size, to shred or effectively destroy any document or other media containing personal information derived from a consumer report before discarding it. The Disposal Rule comes from the federal Fair and Accurate Credit Transactions (FACT) Act, which was passed in December 2003, and is enforced by the FTC.

According to an “FTC Business Alert,” the Disposal Rule applies to people and both large and small organizations that use consumer reports. Among those who must comply with the Rule are:

  • Consumer reporting companies
  • Lenders
  • Insurers
  • Employers
  • Landlords
  • Government agencies
  • Mortgage brokers
  • Automobile dealers
  • Attorneys or private investigators
  • Debt collectors
  • Individuals who obtain a credit report on prospective nannies, contractors, or tenants
  • Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule.

Personal information includes telephone numbers, addresses, Social Security numbers, credit card numbers, other account numbers etc. More generally, the Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act (FCRA) defines the term consumer report to include information obtained from a consumer reporting company that is used, or expected to be used in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. The standard for the proper disposal of information derived from a consumer report is flexible, and allows those covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. Although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the FTC encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures.

Failure to comply with the new regulations could result in civil liability of up to $1,000 per employee plus actual damages if their identities are stolen as a result of the company’s failure to protect the information. Federal/state fines of $2,500/$1,000 and class action liability are also possibilities.

Michigan. The Social Security Number Privacy Act (MCL §445.81 et seq. 2005) requires any company that obtains Social Security numbers in the course of business to create, and publish in its employee handbook, a privacy policy that:

• Ensures their confidentiality.

• Prohibits unlawful disclosure.

• Limits access to the information.

• Mandates procedures for disposal.

• Establishes penalties for violations.

It also bars employers and others from using more than four digits of a Social Security number and from sending anything through the mail on which a Social Security number is visible from outside the envelope.

California. California Civil Code §1798.81.5, which took effect on January 1, 2005, is similar to the new Michigan law in that it requires businesses that own or license personal information about California residents to implement and maintain reasonable security procedures to protect the information from unauthorized access, use or disclosure. The term “personal information” includes an individual’s first name or first initial and last name, in combination with a Social Security number, driver’s license number, California identification card number, account number, or credit or debit card number. Another California law, Civil Code §1798.29, enacted in 2002, requires public and private employers that own, license or maintain computerized data that includes personal information to disclose any security breach to any California resident whose information was acquired by an unauthorized person. Finally, California Labor Code §226(a), will require by January 1, 2008, that when employers furnish employees with itemized earnings statements, they do so giving only the last four digits of the Social Security number.

Arizona. Beginning January 1, 2009, Arizona Revised Statutes §44-1373.02 will bar employers and others from using or printing more than five numbers that are reasonably identifiable as being part of a Social Security number. While the statute on its face does not impose a duty to safeguard the information, it is possible that courts would interpret it as implying a special relationship making an employer liable for negligent handling of personal data.

New York. A legislative proposal in the state of New York (A. 4254) would require any state agency or private business that owns or licenses a computerized database that includes vulnerable personal information to disclose any security breaches to residents of the state. This follows the model of the 2002 California law.

Texas. S.B. 122, also modeled on California’s law, cleared the Senate and went to the House in April. It requires businesses to report security breaches involving consumers’ personal information and implement and maintain procedures for protecting the information.

Maryland. Companion bills H.B. 56 and S.B. 280 were signed into law by the governor on March 26, 2005. They bar employers from posting, displaying, or printing Social Security numbers and/or requiring people to transmit their Social Security numbers over the Internet. Another Maryland proposal, H.B. 818, setting up a task force to study identity theft, was signed by the governor on April 26.

NB: As a central repository of employee data, the HR and legal departments are particularly vulnerable to potential security breaches. Given the legislative activity noted above and that which is likely to follow, employers would be well advised to develop protocols for managing the threat of identity theft; eliminate the use of Social Security numbers altogether, perhaps setting up a separate employee identification number system; and consider implementing policies similar to those that Michigan employers are now required to develop, including details on how documents should properly be destroyed.

Reginald Jones

DLA Piper Rudnick Gray Cary US LLP