Workplace Identity Theft: What Employers Need to Know

By: Quinn A. Johnson, Esquire qaj@muslaw.com
Douglas M. Hottle, Esquire dmh@muslaw.com

As is evident from recent newspaper headlines, identity theft has become a more common occurrence in the American workplace as thieves have begun to target the treasure trove of information that employers retain in the personnel files of their employees, i.e. social security numbers, names, addresses and bank account numbers. The victims of these workplace identity thefts are seeking restitution and other damages from the companies from which the information was stolen. Employers should be aware of the issues surrounding workplace identity theft, including the methods by which such theft can occur, laws regarding the protection of personal information and what employers can do to both prevent identity theft and mitigate potential liability.

In general, identity theft is defined as the misappropriation and fraudulent use of a person’s personal information. Unfortunately for employers, this kind of information is, of course, exactly the type of information contained in a company’s personnel files. Indeed, many workplace identity thefts occur through the simple photocopying of personnel files or through the downloading of confidential information from a computer. In Bodah v. Lakeville Motor Express, Inc., for example, an employer was sued for faxing a list of employees’ names and social security numbers to different managers within the company.

In light of the possibility of liability, employers should take steps to protect personal employee information and are required to do so under state and federal statutes. In Pennsylvania, recent legislation signed by Governor Rendell on June 29, 2006 prohibits employers, with certain exceptions, from publicly posting social security numbers, printing a social security number on any card, requiring an individual to transmit a social security number over the internet, (unless the transmission is encrypted), requiring an individual to use a social security number to access a website (unless a password or other unique personal identification number is also required), and from printing a social security number on any materials that are mailed to an individual, except where required by federal or state law (such as a W-2 form).

Employers should also be aware of an amendment to the Fair and Accurate Credit and Transactions Act (FACTA), which requires an employer to take reasonable measures to dispose of an employee’s credit report obtained as part of the hiring process. Under the statute, reasonable measures may include implementing policies and procedures that require the destruction of documents containing consumer information, including the destruction of electronic information.

Employers should review their policies and procedures to ensure compliance with the above statutes and to otherwise establish policies prohibiting the distribution of personnel files, limiting access to confidential information and providing for the prompt and proper disposal of confidential information. Although these policies and procedures cannot prevent any and all lawsuits or protect against all identity theft, they are a valuable aid in averting identity theft and limiting an employer’s liability if an identity theft occurs.

For more information on identity theft prevention, contact Quinn A. Johnson at qaj@muslaw.com or 412-456-2524 or Douglas M. Hottle at dmh@muslaw.com or 412-456-2809.