RISKVUE ARCHIVE | RISK BITES
Employee Identity Theft:
Employers Beware
By Mary Hughes
Most employers have probably heard that a new federal rule recently went into effect requiring businesses and individuals to take appropriate measures when disposing of certain employee information. Employers are also likely aware that this rule is designed to help deter and prevent identity theft, arguably one of the fastest-growing crimes in the United States. Many employers, however, may not realize the depth of their responsibility under federal law, or that further obligations may arise under state law.
The new disposal rule is part of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), Public Law 108-159, 117 Stat. 1952, which was signed into law on December 4, 2003. FACTA directed the Federal Trade Commission (“FTC”) and certain other agencies to adopt comparable and consistent rules regarding the disposal of sensitive consumer report information. The FTC’s disposal rule became effective on June 1, 2005, and requires “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose[,] properly dispose of any such information or compilation.”1
How Does FACTA Apply to Employers?
At first glance, employers may think that FACTA’s disposal rule does not apply to them. Indeed, FACTA amends the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., which leads one to think that an act seemingly dedicated solely to credit issues would not apply to employers. Making that assumption can be costly, however, because FACTA’s disposal rule reaches much more than credit issues.
As an initial matter, although FACTA only applies to “persons” who maintain or possess consumer information, the definition of “persons” includes individuals, partnerships, corporations, associations, governmental subdivisions or agencies.2 There is no limitation as to the size of the entity or the industry involved. Accordingly, numerous small and large employers in almost any industry may be subject to FACTA’s disposal rule.
Moreover, FACTA’s disposal rule applies to employers as a result of its expansive definition of “consumer reports” and “consumer information.” The disposal rule involves consumer information derived from consumer reports for a business purpose. FACTA defines the term “consumer information” as any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report.3 “Consumer information” also means a compilation of such records, though it does not include information that does not identify individuals, such as aggregate information or blind data.4 The definition of “consumer report” is taken from FCRA and includes information obtained from a “consumer reporting agency” that is used, or expected to be used, in establishing a consumer’s eligibility for employment, among other things.5
Thus, to be a “consumer report” the information must be furnished by a “consumer reporting agency.” However, this should not be construed as a limitation on the information covered because the term “consumer reporting agency” is broadly defined as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.”6
All of these definitions may leave employers wondering exactly what they mean in practice. In short, consumer reports include credit reports and other reports employers receive containing information about employment background, medical history or criminal history. When an employer retains a third party to conduct a background check or credit check on an applicant, it is very likely receiving a consumer report. Interestingly, during the comment period before the rule took effect, many organizations suggested adding a “knowledge” or “knowing” requirement, because recipients of information about consumers may not know whether the information was derived from a consumer report or came from a consumer reporting agency. In the rule as finally adopted, however, knowledge is not a prerequisite to the duty to comply.
What Are an Employer’s Obligations?
If a covered employer has received consumer information for a business purpose, such as when hiring a new employee, the employer must dispose of that information in a manner reasonable and appropriate to prevent unauthorized access to or use of the information.7 The stated purpose of the disposal rule is to “reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.”8 The rule addresses only how an employer must dispose of the information; it does not address how the information is maintained while in use, which is governed by other laws.
“Disposal” includes the discarding or abandonment of consumer information, as well as the sale, donation or transfer of any medium, including computer equipment, on which consumer information is stored.9 This means that employers who obtain personal information about their employees from referral services or credit reports, among other sources, must be careful when discarding the information and must do so in a manner that reasonably protects its sensitivity. The disposal rule lists a number of illustrative, non-exclusive examples of appropriate disposal, including burning, pulverizing or shredding papers so that the information cannot be practicably read or reconstructed.10
Electronic information is covered, as well, which has far-reaching implications for employers. For example, employers who donate old computers to non-profit entities have an obligation to ensure that any consumer information on those computers is disposed of properly. Examples of appropriate disposal of electronic information include destroying or erasing electronic files so that the information cannot be reconstructed.11
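The standard for electronic media is the same as for paper: the information must not be practicably reconstructable. A practitioner handing a machine to a charity will want two things the text does not show: a way to check for residue before the device leaves custody, and a reminder of when a file-level overwrite is not enough. The following is an added example (not part of the original article and not an FTC-endorsed procedure): it scans a raw byte image for SSN-shaped strings, overwrites a file in place, and re-scans. The sample record, the regular expression and the function names are assumptions constructed for the illustration.

```python
import os
import re
import secrets
import tempfile

# Coarse screen for one identifier that consumer reports routinely carry.
# Assumption: US-style nnn-nn-nnnn formatting; this finds residue, it does not
# validate SSNs, and a real sweep would add names, account numbers and dates of birth.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def scan_for_residue(data: bytes) -> list[str]:
    """Return every SSN-shaped string still readable in a raw byte image.

    Run this over the raw device (or a dd image of it), not just the file system,
    so that deleted-but-unallocated blocks are inspected too.
    """
    return [m.decode() for m in SSN_RE.findall(data)]


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite a file in place: random bytes, then a final pass of zeros.

    Returns the number of bytes written per pass. Each pass is fsync'd so the
    writes reach the storage layer before the file is unlinked.
    Caveat: on SSDs, journaling or copy-on-write file systems, the old blocks may
    survive elsewhere; for whole devices use the drive's sanitize command or
    physical destruction instead of relying on this.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for i in range(passes):
            f.seek(0)
            fill = secrets.token_bytes(size) if i < passes - 1 else b"\x00" * size
            f.write(fill)
            f.flush()
            os.fsync(f.fileno())
    return size


def demo() -> tuple[list[str], list[str]]:
    """Write a constructed record, scan it, overwrite it, scan again."""
    # Constructed sample data, not a real report or a real person.
    record = (
        b"Applicant: Jane Example\n"
        b"SSN: 123-45-6789\n"
        b"Employment credit check: no adverse items\n"
        b"Second record SSN 987-65-4321 appended by mistake\n"
    )
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(record)
        path = tmp.name
    try:
        with open(path, "rb") as f:
            before = scan_for_residue(f.read())
        overwrite_file(path)
        with open(path, "rb") as f:
            after = scan_for_residue(f.read())
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    found_before, found_after = demo()
    print("before overwrite:", found_before)
    print("after overwrite: ", found_after)
```

The useful output is the second scan: if identifiers are still readable after the erase step, the device is not ready to donate. For whole machines, NIST SP 800-88 describes the clear, purge and destroy levels of media sanitization and is the usual reference when deciding whether an overwrite is sufficient for the storage type at hand.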
The disposal rule also permits employers to hire a document destruction contractor to dispose of material. Employers remain obligated, however, to conduct due diligence on the contractor, which may include reviewing an independent audit of its operations or its compliance with the disposal rule, obtaining information from several references, requiring certification by a recognized trade association, or reviewing and evaluating its information security policies.12
What Is an Employer’s Exposure for Failing to Comply?
An employer whose failure to comply leads to an employee’s identity being stolen may be liable for the employee’s actual damages.13 For willful noncompliance, FACTA also provides for statutory damages of up to $1,000 per employee and civil penalties of up to $2,500 per employee, and it permits recovery of attorneys’ fees. Employers must also consider that they may be responsible to employees under other laws. The disposal rule does not “alter or affect any requirement imposed under any other provision of law to maintain or destroy [any record pertaining to a consumer].”14 Accordingly, state common law principles such as negligence may impose further responsibility on employers and expose them to even greater liability. Although the disposal rule applies only to consumer reports and information derived from them, the FTC encourages anyone who disposes of records containing a consumer’s personal or financial information to take similar protective measures.
Many employers are likely already complying with FACTA’s disposal rule, at least in part, by following industry practices such as shredding documents or using other confidential disposal methods. Employers can and should, however, treat the rule’s recent effective date as an occasion to review their practices for disposing of consumer information, on paper and on electronic media alike, and to train employees on proper disposal methods, both to ensure compliance and to reduce exposure under the disposal rule.
Notes
(1) 15 U.S.C. § 1681w(a)(1).
(2) 15 U.S.C. § 1681a(b).
(3) 16 C.F.R. § 682.1(b).
(4) Id.
(5) 15 U.S.C. § 1681a(d)(1)(B).
(6) 15 U.S.C. § 1681a(f).
(7) 16 C.F.R. § 682.3(a).
(8) 16 C.F.R. § 682.2.
(9) 16 C.F.R. § 682.1(c).
(10) 16 C.F.R. § 682.3(b).
(11) Id.
(12) Id.
(13) 15 U.S.C. § 1681n(a).
(14) 16 C.F.R. § 682.4(b).
ABOUT THE AUTHOR
Mary Hughes is a member at Nexsen Pruet, LLC. Her practice includes labor and employment, general business litigation, and insurance litigation.
This article is for informational purposes only. Nothing in this article should or can be construed as legal advice. If you have a question regarding your responsibility under FACTA or FCRA, consult your legal counsel.
riskVue | The webzine for risk management professionals
September 2005