Last year, a computer hacker broke into the Rancho Cordova-based Stephen P. Teale Data Center, a California personnel database. The hacker gained access to the names, Social Security numbers, and payroll information of over 200,000 state government employees. Unfortunately, this wasn’t an isolated occurrence—identity theft incidents are making the headlines almost daily.
According to the Federal Trade Commission, identity theft complaints nearly doubled last year, representing 43 percent of complaints made to the FTC. The main target of identity theft was business records, and 90 percent of those were payroll or employment records. Sadly, the thief is often a worker in the payroll or human resources department.
We’ll explain some recent identity theft protections in California and suggest ways you can safeguard personnel records and other employee data.
Legislature Targets Identity Theft
California, which ranks second in the nation for identity theft complaints, has taken steps to help curb this ever-growing problem. One new law, S.B. 168, in effect since July 2002, prohibits California businesses from publicly displaying Social Security numbers (SSNs) of new customers or employees. In particular, you can’t: 1) post SSNs, publicly display SSNs, or print SSNs on identification cards; 2) require individuals to transmit SSNs over the Internet unless the connection is secure or the number is encrypted; or 3) print SSNs on anything mailed to an individual unless you are required to by law or the document is a form or application.
The law permits you to continue to use SSNs (but not for employees hired after July 2002) if: 1) your use was continuous and began before July 2002; 2) you provided an annual notice explaining to employees that they have the right to stop any prohibited usage; and 3) you stop such use within 30 days of receiving a written request to do so.
Other new legislation, S.B. 1386, which will take effect in July 2003, requires businesses to inform individuals when an unauthorized person has accessed their name—along with either their Social Security number, driver’s license number, or credit card or debit account number in combination with security or access codes. Federal legislation mirroring the new California laws has been proposed.
Negligence Liability
You can also get hit with a negligence lawsuit if you don’t adequately protect the privacy of your employee information. Recently, for example, a group of employees sued San Diego-based Ligand Pharmaceuticals after a co-worker allegedly used personnel information to obtain credit cards and rent apartments. The thief had found the personnel records in a workplace storage area. Ligand settled the case for an undisclosed sum.
Practical Steps to Take
Here are measures you can take to help avoid identity theft in your workplace:
- Screen all workers. The best place to start is to weed out potential thieves before they come work for you. Conduct background checks on new hires. Make sure any temporary or contract workers, including, for example, workers on a cleaning crew, have been thoroughly screened.
- Restrict use of SSNs. One of the most common ways for identity theft to occur is through the use of Social Security numbers. You can lower this risk by implementing your own unique identification system for workers. Remove SSNs from workers’ badges, time cards, and paychecks. And don’t post SSNs on bulletin boards, employee rosters or other materials that could be widely seen by co-workers or the public.
- Protect records. You have to worry not only about your employees’ wandering eyes but also about those of anyone else who has access to your workplace building, such as a cleaning or construction crew, vendors, and clients. Prohibit employees from leaving documents containing personnel or customer information on their desks. Consider shredding all sensitive documents such as these before disposal. And always keep file cabinets locked.
- Control access to online information. Employee information that’s stored on a computer or online should be password protected, encrypted, and available only to those who need access for business reasons. You should also have procedures in place to immediately terminate access when necessary. For example, if an employee is discharged, immediately notify your computer administrator to stop the former employee’s computer access.