Anderson & Associates Identity Theft Education Center

Employers and Identity Theft: What Is the Liability?



The FBI has identified the crime of identity theft as a significant and growing crime problem. As a
result, state and federal laws are cracking down not only on the thieves but also on businesses and
organizations that fail to protect personal identity information. These laws make employers who
collect personal information of customers and employees subject to fines, penalties, and civil liabilities
in the event that information is stolen.

Employers store a surprisingly large amount of personal information contained on I-9s, W-4s, W-2s,
insurance applications, and 401k applications. Many times, particularly for a small business, this
information is stored on a single computer or in a single file cabinet. Employers large and small must
understand their liability and implement measures to both protect this information and limit liability if
the information is stolen.

Civil Liability Under FACTA

In June of 2005, a provision of the federal Fair and Accurate Credit Transactions Act (“FACTA”)
went into effect which permits entities that collect personal information, including employers who
collect employee personal information, to be held civilly liable to individuals whose personal identity is
stolen as a result of the employer’s action or inaction. FACTA requires employers to take “reasonable
measures” to protect against unauthorized access to or use of information contained in consumer
reports. Such information includes names, addresses, social security numbers and credit card
numbers. Failure to do so can lead to liabilities and fines.

For example, under FACTA, an employer that fails to adequately protect employee personal
information can be fined by the Federal Trade Commission up to $2,500 per violation, or $1,000
per employee. FACTA also provides that an employer may be civilly liable to the employee for the
actual damages the employee suffers as a result of the stolen identity. Finally, employers could be
subject to class action lawsuits if multiple employees are affected by the employer’s failure to protect
their identity.

FACTA requires that employers implement and monitor policies and procedures that protect against
disclosure of such information, including the destruction of papers containing such information and
policies and procedures that require monitoring and destruction of all media containing such
information. This may include the shredding of documents or destroying diskettes or other electronic
storage media.

While there is a great potential for liability under FACTA, note that FACTA only requires employers
to implement “reasonable measures”. In determining what measures are “reasonable”, FACTA
takes into account the sensitivity of the information; the nature and size of the entity’s operations; the
cost and benefit of different disposal methods; and relevant technological changes. Importantly,
FACTA provides employers with an affirmative defense to liability if the employer offers its
employees the opportunity to receive identity theft protection.

The States

Similarly, a number of states have also passed laws requiring entities which collect any personal
information, including employers which collect employee personal information, to take measures to
protect such information.

State laws may also impose penalties and allow the individual who has his or her identity
compromised to seek redress of damages in court.

Steps to Prevent Identity Theft and Potential Liability

Given the potential for liability under both FACTA and state law, how can you protect against
liability? First, establish policies and procedures concerning the maintenance and destruction of
personal information. Since much personal information is electronically stored, develop security
measures and procedures for the protection and destruction of such electronic information. Once the
policies are in place, monitor those policies to ensure that they are effectively being implemented and
that access to such information is appropriately limited. Additionally, train those employees who will
need access to personal information. Background checks may be necessary to ensure that individuals
with access to this information are trustworthy.

Because you may be required to provide employee records during the course of litigation, be aware
of your obligations under FACTA and applicable State law when you receive a subpoena or are asked
to produce employee records in discovery. Before releasing any employee record containing personal
information to a third party, consult legal counsel to make sure you don’t compromise personal
information and be sure all personal information has been redacted or removed before any records
containing personal information are disclosed.

You should offer your employees identity theft protection as an employee benefit. Identity theft
protection products or policies are generally available at relatively low cost and you can choose to
pass all or part of the cost on to the employee. Indeed, the relatively low cost of identity theft
protection policies far outweighs the risk of fines, penalties, and potential liability. Identity theft
protection policies will serve to minimize the employee’s potential damages if their identity is
compromised and provide you with an affirmative defense, in case you are sued by an employee
whose identity is compromised.

What Employers Should Do When FACTA or a State Law Is Violated

Unfortunately, despite any policies you have in place, you may find yourself facing a violation of
FACTA or another statute. For example, if your new employee “downloads” or steals the personal
information of thousands of individuals, including other employees, or if a computer is stolen that
contains such information, then you must take immediate steps to mitigate losses. This includes
making all employees aware of the situation, notifying authorities and providing employees with the
time off necessary to protect against identity theft issues, either actual or potential. Security
standards need to be developed to safeguard against theft of this information, and you can provide
identity theft protection to employees, but you will need to address any issues quickly with legal
counsel and technology professionals.