Labor E-Bulletin - Workplace Identity Theft Crimes and Prevention Laws

April 4, 2005

Employers’ databases can be a goldmine for identity thieves. The databases often contain information that allows a thief to open a checking account or credit card with little difficulty.

The federal government passed a law called the Fair and Accurate Credit Transactions Act (“FACTA”), in part, to address the recent increase in identity theft. Under FACTA’s disposal provisions, which go into effect June 1, 2005, if an employer decides to dispose of an applicant or employee’s “consumer information,” the employer must, at the time of disposal, destroy that information. Consumer information is defined, in part, as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.” FACTA regulations list shredding as an acceptable method for destroying consumer information. If an employer contracts with an outside business to dispose of the information, the employer must perform due diligence, such as reviewing an independent audit report on the disposal company’s operations and/or its compliance with FACTA’s disposal provisions. Employers who are non-compliant with FACTA regulations will be liable to the employee or applicant in an amount equal to the person’s “actual damages” plus attorney’s fees. Punitive damages are available for “willful” violations.

Michigan and California are among the states whose legislatures have been active:

In March 2005, Michigan passed a law that requires employers to establish a policy that limits who has access to information or documents containing social security numbers; ensures to the extent practicable the confidentiality of social security numbers; prohibits unlawful disclosure of social security numbers; establishes a document destruction protocol; and requires a penalty for those who violate the policy.

California passed a law that limits employers’ use and display of social security numbers.

Employers are also being sued under traditional state law theories. In one case, several pharmaceutical company employees whose personal information was stolen and used by a co-employee to obtain credit cards sued their employer for negligence, claiming that the company had not taken proper steps to secure their personnel files. In another case, several employees sued their employer for invasion of privacy after their social security numbers were mistakenly released in a memo to company managers of 16 trucking terminals in six states.

Employers can limit their liability for identity-theft-related claims by establishing and enforcing policies and rules that limit the individuals who are privy to sensitive information; reduce the number of documents, including electronic documents, that contain sensitive information; establish a document destruction protocol; and provide for document security.

Please let us know if we can assist in developing these types of policies or otherwise complying with these laws.