WORKPLACE LAW -
Identity Theft

Question:

I hear a lot about identity theft in the news these days and wonder if there is anything I should or should not be doing as an employer to protect my employees’ personal information?

Answer:

Identity theft is indeed a serious problem today. According to the Federal Trade Commission (FTC), a report released in 2007 revealed that 8.3 million American adults were victims of identity theft in 2005, while subsequent reports showed that identity theft increased by 21% in 2008.  The Commission’s 2003 estimate was that identity theft accounted for some $52.6 billion of losses in the preceding year alone, and affected more than 9.91 million Americans.

The improper use of Social Security numbers has played a major role in identity theft crimes in recent years. In one California case, a woman pleaded guilty to federal charges of using a stolen Social Security number to obtain thousands of dollars in credit and then filing for bankruptcy in the name of her victim. In another California case, two individuals pleaded guilty to identity theft, bank fraud,  and related charges for their roles in a scheme to open bank accounts with both real and fake identification documents (including stolen Social Security numbers), to deposit U.S. Treasury checks that were stolen from the mail, and to then withdraw funds from those accounts.

The FTC has identified the sale of Social Security numbers by so-called “data miners” as a serious source of identity-related crimes. Poor stewardship of personal data by employers may result in unauthorized access to sensitive data, which in turn can expose individuals to the risk of identity theft. The Privacy Rights Clearinghouse has documented over 900 individual data breaches by U.S. companies and government agencies since January 2005, involving over 200 million total records containing sensitive personal information, including Social Security numbers.

Some practices employers can employ to safeguard the storage and use of this type of information include the following:

• shred confidential information before throwing it into dumpsters;
• do not store sensitive employee information in files that are readily accessible;
• ensure adequate computer network security; and
• do not share or sell personal information to other businesses without ensuring that the purchaser maintains adequate security controls.

In light of the seriousness of the problems and the costs associated with identity theft, the law in this area is strict and contains potentially severe consequences for offenders. For example, the 1998 Federal Identity Theft and Assumption Deterrence Act makes the possession of any “means of identification” to “knowingly transfer, possess, or use without lawful authority” a federal crime. Punishment can be up to 30 years in federal prison, plus fines, depending on the underlying crime. In addition, California is one of two states that has created an Office of Privacy Protection to assist its citizens in avoiding and recovering from identity theft.

In a further effort to reduce identity theft crimes, California law now contains specific protections with regard to the use of an individual’s Social Security number. These protections apply to employers, and should be kept in mind when collecting and storing personal information about employees. For instance, under California Civil Code Section 1798.85, an employer is barred from “publicly” posting or displaying an employee’s Social Security number. Employers therefore cannot use an employee’s Social Security number on his or her work identification card, and cannot make the number his or her login password for any unsecured network. An employer also may not require an individual to transmit his or her Social Security number over the Internet (unless the connection is secure or the Social Security number is encrypted), and likewise cannot require an individual to use his or her Social Security number to access an Internet website unless a password or unique personal identification number or other authentication device is also required to access the site.

Employers may not print an individual’s Social Security number on any materials that are mailed to the individual, unless state or federal law requires the Social Security number to be on the document to be mailed. However, the law does permit an employer to print a truncated Social Security number on a document to be mailed to an individual; in such instances, only the last four digits of the number should be displayed, e.g., XXX-XX-1234. Similarly, under California Labor Code Section 226, an employer may only display the last four digits of an employee’s Social Security number on any pay stub or payment statement.

More information about privacy laws and what employers can do to protect themselves and their employees can be found at the California Office of Privacy Protection’s website at the following address: http://www.privacy.ca.gov/
- - - - - - - - - - - - - - - - - - - - - - - - - -
Back to Menu- Work Place Law 2010 Articles

• Work Place Law
• Current
• Archives
• Legal Commentary
• Legal Links