Employee Privacy Rights and
Identity Theft
We live in a wonderful
age in which information
flows quickly and
abundantly, giving savvy businesses a better
chance to stay on top of things, effectively
manage change, and anticipate
future trends. Much of the improvement
in the speed and availability of information
is due to advances in computers and
to the growth of the Internet. However,
our information and technology resources
have a dark side that many do not yet realize
is there, an aspect that some are all too
willing and able to exploit. That aspect is
invasion of privacy, the potential for
which has never been greater than now
and can only grow in the future.
There are several areas of concern,
some of which have to do with privacy
issues in the workplace, some with privacy
in our personal lives, and some with both
our work and private lives. This article is
meant to introduce you to some of the
privacy issues that will be of increasing
importance to employers and employees.
First, we make a few assumptions that
we think are widely acknowledged.
Employers are custodians of a great
amount of personal and private information relating to their employees. A related
fact is that like it or not, employees
depend upon their employers to do the
right thing with that information. Finally,
there are many reasons why third parties
want to get at that information, some
bureaucratic, some financial, some nosy,
and some even downright dangerous.
In dealing with these realities, employers
should try their best to keep some
important basic principles in mind:
- Good starting point: all information
relating to an employee’s personal characteristics
or family matters is private
and confidential.
- Information relating to an employee
should be released only on a need-to-know
basis, or if a law or court requires
the release of the information.
- All information requests concerning
employees should go through a central
information release office within your
organization.
Common Misconceptions
Many employers and employees share
common misconceptions about privacy in
the workplace. One widely heard misconception
is that either the “Freedom of
Information Act” or the “Privacy Act” forbids
a company from releasing an employee’s
personal information, including a
Social Security number (SSN). In actuality,
those federal laws generally do not apply
to a private employer’s actions. They either
obligate federal government agencies to
release, or forbid them from releasing, certain
private information about citizens to
outside parties. Without significant exception,
employee information furnished by
employers to federal agencies, such as with
payroll information to the IRS, is exempt
from public disclosure.
What about Texas state law? The Texas
equivalent to the Freedom of Information
Act is the Public Information Act (PIA -
formerly known as the Open Records Act).
It, like the FOIA, applies only to government
agencies. Private employers are not
covered. Now, it is well known that
employers must furnish payroll information
to the TWC in the form of wage
reports. The private information, i.e.,
information tied to specific employees, is
exempt from disclosure under the PIA.
That means, among other things, that
TWC is not permitted to release sensitive
employee (or company) information to
the public.
Can private companies be forced to
reveal private information concerning
employees? Generally not, although under
certain circumstances, a company could
be ordered by a court to turn over certain
employee information to either the court
or to the other side in a lawsuit. Even with
that, your attorney would still be able to
argue for limitations on the release or use
of such information.
Where’s the Danger?
Most risk associated with invasion of privacy
stems from loose, ill-advised practices
on the part of an employer. Employers
sometimes pay much more attention to
protecting business secrets than they do to
protecting their employees’ privacy. In
reality, employees are among the greatest
assets of any company, and an employer
should put as much care into protecting
their privacy as it does into protecting its
trade secrets from disclosure.
The worst type of invasion of privacy is
probably “identity theft”, in which someone
else using a victim’s personal information
incurs obligations in the victim’s
name, leaving that person with a tangle of
financial problems to sort out. In a recent
incident, a dishonest former employee
found a box full of employee personnel
information lying completely open and
unattended in an ordinary company warehouse.
She took the information, mainly
name, address, birth date, next-of-kin, and
SSN records, and used it to apply for fake
credit cards and other credit applications
for herself and some like-minded cronies.
The company’s employees starting getting
collection calls from various credit
bureaus and stores, wanting to know why
bills they had never heard of had not been
paid. It took quite some time before the
affected employees even realized they were
all more or less in the same boat. After
much investigation, time, and trouble,
most of the credit problems were sorted
out, and the former employee was arrested.
However, many of the employees are
still having to explain the situation to
credit companies and banks.
A similar thing happened in the case of
an employee whose personal information
was given out over the phone to a caller
who claimed to be checking on a credit
report. That person sold the information
to a network of fraudulent operators, and
multiple bogus credit cards were issued in
the employee’s name to several different
people. The resulting credit card bill avalanche
is still being sorted out by civil and
criminal investigators in two states.
Much worse was the case of a person
who lost his driver’s license, reported in
the February 2000 issue of “HR News”,
the journal of the Society for Human
Resource Management. Apparently, a thief
picked the license up and used it to establish
a new identity. Somehow, it got associated
with the victim’s SSN, and after the
thief racked up some other criminal acts,
the victim’s identity was thoroughly tainted.
He first noticed problems when applying
for another job – an employer that
seemed very interested suddenly refused to
return his calls. Persisting, he was finally
told to never contact the company again,
since he was an “unsavory character”.
Even after years of trying to set things
straight, even with a letter from the police
stating that he had committed no crime,
he still could not get a job.
Texas employers need to be aware of a
new statutory provision that became law in
2003 and took full effect on January 1,
2006, having to do with use of social security
numbers as employee identifiers.
Texas Business & Commerce Code §
35.58(a, b) are the most relevant provisions,
generally prohibiting an employer
from printing employee SSNs on any
materials sent by mail, which of course
includes paychecks sent by mail. There is a
“safe harbor” for printing the SSN on paychecks
if 1) that was the practice prior to
January 1, 2005, and 2) the employer
makes an annual disclosure to the employee
that upon the employee’s written
request, the SSN will no longer be included
on the paychecks. An exception also
exists for the mailing of IRS- and TWCrelated
forms, such as W-2s and quarterly
wage reports, and any other official government
forms that require the employer
to include SSNs.
Identity theft is a federal crime, regarded
as a felony offense and punishable by a
fine, time in prison, and/or restitution to
the victim. Any suspected misuse of personal
data should be reported to the Federal
Trade Commission (FTC) at 1-877-
438-4338 (toll-free call) for assistance.
Among the best ways to avoid such
problems are the following:
- Using up-to-date digital and/or hardware-
based methods, thoroughly wipe
all data from the hard drive and
removable magnetic media of any
obsolete computers discarded or sold
by the company, and physically destroy
any data CDs or DVDs containing
company and employee information. If
necessary, hire an outside data security
company to ensure that this gets done.
- Shred and securely dispose of any
paper records containing sensitive
company and employee information.
- Do not use social security numbers as
employee identifiers. Rather, use random
identifiers and keep the SSNs as
narrowly distributed as possible.
Job Reference and Employment Verification Calls
In general, it is not recommended that
employers give out any information about
current or former employees to callers
seeking information about specific individuals,
such as full name, date of birth,
SSN, address, pay level, or work schedule,
since there is no way for a business to
know who the caller really is. The caller
could be a prospective new employer genuinely
seeking job reference information,
or a bank seeking to verify employment
for your employee’s loan application, but
could just as easily be a private investigator
or a debt collector attempting to harness
the business into making their own job
easier, or else someone with ill intentions,
such as a disgruntled neighbor or relative,
or, even worse, a stalker or identity thief.
For that reason, it is advisable to adopt as
a general practice a three-pronged procedure:
- Have the person who receives the call
route the call to a designated company
official, such as the owner, a specific
manager, or the HR department, i.e.,
someone who is presumably aware of
the importance of safeguarding information
about employees;
- Document the call as to time, date,
identity of the caller, and purpose of
the call; and
- In the event that the person handling
the matter does not know with certainty
who is calling and why, give the
caller a standard response such as “I’m
sorry - we don’t give out information
about our current or former employees
over the phone, but if you forward to
us a written authorization signed by
your applicant that allows us to do so,
we’ll give you any information that the
form authorizes us to release.”
It goes without saying that the individual
employees should be trained not to casually
give out such information, as employees
often do over the phone or in person (and
as is well-known among identity thieves,
private investigators, and debt collectors,
among others). Rather, the company
should stress point 1 listed above regarding
proper routing of such calls or in-person
inquiries.
Other Forms of Privacy Invasion
Employers must also be concerned with
newer technology such as camera phones
(also known as cell phone cameras), digital
cameras, and digital movie recorders.
In just a few seconds, offensive pictures of
coworkers in private, embarrassing, or
intimate situations can be taken and sent
via e-mail or the World Wide Web to
other people and locations. Similarly, such
technology can be used to quickly and efficiently
conduct industrial espionage.
Many employers are now banning the use
of such devices in the workplace unless the
employee has been given express permission
by the Company to use them. Prohibiting
such devices and their use can be
one tool in preventing harassment claims
from employees who feel their privacy has
been invaded. Employees should also be
warned that they may face both civil and
criminal liability for misuse of imaging
devices against coworkers and the Company.
For an example of how such a policy
might be worded, see the sample policy
titled “Internet, E-Mail, and Computer
Usage Policy” in the companion book “The
A-Z of Personnel Policies.”
Reprinted with permission from the book
Especially for Texas Employers, a free publication
(http://www.twc.state.tx.us/
news/efte/tocmain.html) of the Texas
Workforce Commission.
|
