Preventing Identity Theft In The Workplace

Posted by Campbell & Chadwick, PC in Dallas-Fort Worth-Arlington, TX on Oct 16, 2008

Robert G. Chadwick, Jr., Labor-Employment Lawyer for Management.

In a January 2005 report, the Better Business Bureau said that 9.5 million Americans were the victims of identity theft in 2004. A significant percentage directly impacted employers.

WHAT IS IDENTITY THEFT? Identity theft occurs when someone appropriates another person’s identifying information (name, Social Security number, credit card number, etc.) to commit fraud or theft.

“CORRUPT EMPLOYEES”: According to the Better Business Bureau Report, 8.7% of identity thefts were attributed to a “corrupt employee who had access to the information.” The identifying information which can be compromised by a corrupt employee includes information entrusted to the employer by job applicants and co-employees.

EMPLOYMENT-RELATED FRAUD: A February 1, 2005 report of the Federal Trade Commission noted that 13% of all complaints of identity theft in 2004 were for employment-related fraud. Employment-related fraud occurs when a thief appropriates the identity of another to obtain employment. Such fraud is generally perpetrated by an applicant who has a criminal history or who is not eligible to work in the United States.

POTENTIAL LIABILITY OF EMPLOYERS: Several states have enacted legislation with the goal of safeguarding information from identity theft. In Texas a new law, which became effective on January 1, 2005, makes it unlawful for any person, including an employer, to intentionally communicate or otherwise make available to the general public an individual’s social security number. Similar legislation has been enacted in Arizona, California and Illinois.

The most ambitious statute governing employee social security numbers became effective in Michigan on March 1, 2005. The law requires employers to adopt a written policy for securing the confidentiality of employee social security numbers. Other states are expected to follow Michigan’s lead.

In the meantime, employers in all 50 states face potential claims of negligence in the hiring and retention of “corrupt” or unqualified employees. As demonstrated by a $275,000 verdict against a Michigan union whose membership information was stolen, employers also face negligence claims if sensitive information regarding employees falls into the wrong hands. See Bell v. Michigan Council 25 AFSCME, 2005 WL 356306 (Mich.App. 2005).

THE I-9 TWIST: The Immigration Reform Control Act of 1986 both empowers and limits the ability of employers to seek identifying information from new hires. The Act mandates that new hires produce one or more documents from approved lists which establish their identity and employment eligibility. The employee has the option of which document from each approved list to produce. Although an employer must complete an I-9 Form which certifies under penalty of perjury that, to the best of its knowledge, (1) the employee is eligible to work in the U.S. and (2) the documents presented are genuine and relate to the employee, it cannot specify which documents it will accept from a new hire.

THE KEYS TO AN EFFECTIVE PRIVACY POLICY: A privacy policy which includes the following key components can go a long way in minimizing the risk of identity theft in the workplace and liability for negligence:

  • The information collected from an applicant should be limited to that which is needed to make a hiring decision. An applicant’s social security number is irrelevant to such a decision.
  • The data obtained from employees should be limited to that which is needed to comply with applicable laws, make employment decisions or administer compensation and benefit programs.
  • Grouping sensitive information with other information should be avoided.
  • Internal access to sensitive applicant and employee information should be limited to those who have a legitimate business need for such information. Security protocols which prevent access by unauthorized persons should be implemented, monitored and updated.
  • Sensitive data regarding an employee should be disclosed to third parties only when authorized by the employee or required by law. Security protocols which ensure that only the intended recipient gets the data should be implemented, monitored and updated.
  • A procedure should be adopted and implemented for the supervised destruction of outdated information. Applicable laws should be consulted for record retention requirements.
  • Procedures should be adopted for addressing possible security breaches. Such procedures should include notification guidelines whereby an employee can report or be informed of a suspected breach. An employer should also be prepared to conduct investigations of potential breaches. Since polygraph examinations are regulated by federal law, they should generally be avoided.
  • Although an employer cannot specify the documentation needed to complete an I-9 Form, it can take lawful measures to determine the fitness of an applicant or employee for employment. Such measures are especially important for positions which have access to sensitive information. The list of lawful precautionary measures includes several which are regulated by federal and state privacy laws, such as honesty and personality tests, criminal, credit and employment background investigations, interceptions of communications, video surveillance, searches, interrogations and drug tests. A hiring and retention policy, therefore, should only be implemented with the advice of legal counsel.
  • Employees should be trained in the proper administration of a privacy policy. Those who violate the policy should be appropriately disciplined.

Robert G. Chadwick, Jr., is a shareholder with the law firm of Campbell & Chadwick, P.C. His areas of practice are labor and employment, occupational safety and health, employee benefits (ERISA), TWC audits, and selected contract and tort litigation. He has 24 years of experience providing counsel for employment decisions and policies, drafting policies and agreements, representing clients in contract and settlement negotiations and representing clients in proceedings before arbitrators, administrative agencies, federal and state trial courts and federal and state appellate courts.

Campbell & Chadwick, PC

BRUCE A. CAMPBELL
ROBERT G. CHADWICK, JR.*
TIMOTHY B. SOEFJE
KAI HECKER
JOHN A. KOWTUN, JR.

4201 SPRING VALLEY ROAD, SUITE 1250
DALLAS, TEXAS 75244
TELEPHONE: 972.277.8585
FACSIMILE: 972.277.8586
WWW.CAMPBELLCHADWICK.COM

* BOARD CERTIFIED, LABOR AND EMPLOYMENT LAW TEXAS BOARD OF LEGAL SPECIALIZATION

Copyright © 2008 by Robert G. Chadwick, Jr. All rights reserved. "Counsel That Care About Your Business" is a federally registered service mark. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.

LABOR AND EMPLOYMENT UPDATE is published periodically solely for the interests of friends and clients of Campbell & Chadwick, P.C. and is not intended to provide or be relied upon as legal advice in general or with respect to any particular factual scenario. Such legal advice should be obtained directly from retained legal counsel.

Circular 230 Notice. The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.

ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.