I’ve been M.I.A. for a few weeks dealing with life in general but also the unexpected theft of my identity. Yes, I am a victim of identity theft. For a few months there has been suspicious activity on various accounts but I was able to convince myself each time that they were isolated events and since I have fraud protection set up on those accounts there was no significant financial loss to me. That was until I got the text from my bank one Sunday night saying my account was thousands of dollars in he negative. Woah! I immediately called the bank and reported the activity. Thank goodness for 24/7 service. The next day, closed accounts… Opened new ones… Check credit reports… Blah blah blah. Again no significant financial loss but tons of hassle, missed time from work and lots of explanations and pleading for refunds of service fees for creditors whose automatic payments hit that Friday & Monday. Argh!
I was worried over the next few weeks because I couldn’t figure out how the thieves had gotten my information. It could be anywhere. A former employer? A purchase online that was hacked? Standing behind me at the ATM? Who knows?
Then just this past weekend, I opened mail that made my jaw drop. My doctor’s office had a break in where computers were stolen that housed unencrypted demographic information (name, address, phone, birth date, social security number etc) for everyone in my little family, including my kids! About 500 kids a year have their identity stolen and they won’t find out until they are trying to by thief first home or car maybe 20 years later. This is no laughing matter! Worse yet, this happened in July and they chose not to notify patients until September?!?!
Of course, this experience led me to explore an employer’s obligation to protecting employee information. What I found was actually surprising. One common misconception is that the Privacy Act of 1974 prevents employers from releasing personal employee information like their social security numbers. In actuality, the Privacy Act of 1974 does not specifically speak to the actions of private employers. In fact, most laws regarding the privacy or protection of employee demographic data only discuss government agencies or government contractors.
Fortunately, in response to the rise in identity theft, states have taken on the task of establishing statutes that dictate how employee personal information is handled. I live in the state of Illinois. As of July 1, 2010, the Identity Protection Act was established. Here is an excerpt.
(5 ILCS 179/10)
Sec. 10. Prohibited Activities.
a) Beginning July 1, 2010, no person or State or local government agency may do any of the following:
(b) Except as otherwise provided in this Act, beginning July 1, 2010, no person or State or local government agency may do any of the following:
(2) Require an individual to use his or her social security number to access an Internet website.
While we have very little regulating private employers on the federal level, states have taken steps to provide some guidance. Also, common law has established some guidance as well. Common law is what results when court decisions are made that establish a precedent by which other courts make rulings.
However misguided it may be, employees typically have an expectation of privacy whether or not there is a law that forces an employer to protect personally identifying information. If you haven’t recently, take the time to review how personal information such as social security numbers, birth dates, etc are collected and used in your organization. Then establish or enforce a set a best practices for your HR department to follow. Here are some ideas.
- Never use an employee’s social security number as an identification number anywhere in the organization. (Believe it or not, companies still do this. I recently worked for a company that did. Oy!)
- Before disposing of any computer erase all hard drives clean of any information contained on the hard drives that could potentially identify any employee.
- Operate on the principle that all employee information that could identify any personal characteristic or family information is private and confidential.
- All requests for employment verification should be in writing and information released should never include a social security number or birth date (if possible).
- Shred any paper records that no longer have to be maintained by law.
Overall, handle employee information with the utmost care. If you are not sure, err on the side of not releasing the information until you determine what your legal obligations may be. Employees depend on their employers to be good stewards of their personal information. It’s not like an employee has the option of refusing to provide the employer with a social security number because this is how way wages are reported to the IRS. So really, if a person has to work for someone other than themselves, they are forced, in a sense, to provide this very delicate information.
For the folks out there like me dealing with identity theft and keeping in mind that this could be you one day, when it comes to protecting employee demographic info, don’t drop the ball!