Keeping confidential personnel information safe

Having your identity stolen is one of the more terrifying events that can happen to any individual. And sadly, identity theft is becoming a more common and serious issue.

by Bent Ericksen and Tim Twigg



The impact of identity theft can be financial, emotional (a sense of violation), and time-consuming to replace and/or fix the damage. Identity theft can also seriously affect a person's reputation.

For employers, the rise in identity theft presents concerns about protecting information (personnel records and employee personal belongings) that could be the target of identity thieves. Studies have shown that 50% to 70% of identity theft occurs in the workplace — and therein lies a liability for employers.

All personnel records and employee documentation serve an important purpose. In most cases, these records are required for employers to have and keep. Equally, if not more important, is ensuring that employees do not find themselves in a horrible financial downward spiral because the employer didn't take proper care of that information.

Simply put, identity theft is when your personal information is stolen and used without your knowledge, often resulting in fraudulent acts and/or other criminal activities.

Identity thieves use a variety of methods to obtain your personal information, including:

  1. Searching through trash to find bills or other paper with your personal information on it.
  2. Stealing credit/debit card numbers when processing your card.
  3. Sending spam or pop-up messages to get you to reveal your personal information.
  4. Completing a "change of address" form to another location.
  5. Stealing wallets and purses; mail, including bank and credit card statements; preapproved credit offers; and new checks or tax information.
  6. Stealing other employees' confidential personnel information.
  7. Stealing or misusing patients' confidential information.

Types of information that constitute personal or confidential information include:

  • Bank account number
  • Social Security number
  • Personal password to enter computer files
  • Medical information covered by the Health Insurance Portability and Accountability Act (HIPAA)
  • Disabilities
  • Physical examination results
  • Insurance claims records
  • Drug testing results
  • Conviction and arrest records
  • Credit records
  • Legal claims and charges
  • Security and criminal investigation information

Since much of this information can be in an employee's personnel file or personal belongings while at work, it is important to put proper safeguards in place to minimize identity theft risks. This should include reviewing, establishing, or reestablishing procedures that protect the targeted information. Implementing these safeguards against identity theft in your workplace is not just an act of goodwill; federal law and, in some cases, state law require you to do so.

The federal Fair and Accurate Credit Transaction Act (FACTA) of 2003 states that businesses cannot negligently or purposely allow employees' or customers' personally identifiable data to fall into the wrong hands. Employers who fail to keep information safe can face up to a $2,500 fine per each identity that is stolen.

Since the enactment of FACTA, 45 states plus the District of Columbia have passed identity theft protection laws and, in some cases, hold employers to a much higher standard. For example, several states significantly restrict the use of employee Social Security numbers on employer documentation such as paycheck stubs and applications.

In general, all of the laws appear to have three major components: security, notification, and destruction. The degree to which an employer has to manage these three components is highly dependent upon the specific state law. It is recommended that you check your state's law to ensure compliance, but here we will provide important basic information that will help you have a better understanding of these three components.

Security

The privacy of personnel records must be secure at all times. The physical safeguards should include locked files with access limited to authorized personnel only. Computers should be equipped with access codes or passwords that are changed periodically, data that is sent or received electronically should be encrypted, and firewalls should be installed.

In addition, include a confidentiality and nondisclosure policy in your personnel policy manual. The policy should outline what information is considered confidential, how employees are to handle such confidential information, as well as the consequences for not adhering to the policy. An acknowledgement form should be signed by each employee indicating that he or she has read, understands, and agrees to adhere to the policy (call our office if you would like a complimentary sample acknowledgement form). Then take appropriate, possibly legal, action if confidentiality is breached.

Allow only authorized management personnel who have an employment-related need to know to inspect the personnel records. In a small practice, this is usually only the doctor and the spouse, if applicable. In a large practice, this could include a bona fide practice administrator. Be sure the administrator has been fully informed of the confidentiality requirements.

Employees' relatives are not permitted access to personnel records. Under certain conditions, present or former employees have the right to inspect their own files. Attorneys who have a court order have access to personnel records, and so may Department of Labor inspectors.

Notification

When confidential information is acquired by someone who isn't authorized, the employer is obligated to notify employees that a security breach has occurred.

The following information should be included in a security breach notice to employees:

  • Describe, in general, the incident that occurred causing confidential information to be accessed inappropriately
  • Outline the areas of personal information that were or were not compromised
  • Detail the steps taken to end the security problem and how you will prevent recurrence
  • Offer assistance to the employee(s), such as identity recovery services
  • Explain some ways the employee(s) can help him/herself, such as getting a free copy of his/her credit report
  • Provide a person the employee(s) can contact for more information

A notice containing all of the above will cover the security breach notice requirements for most states; however, some, such as Massachusetts, compel employers to also provide information about the right to receive a police report and how to place a security freeze.

The notice to both present and past employees, once the employer is aware that a security breach has occurred, should be provided within 45 days from the discovery of the breach. Although other forms of notification are allowable, mailing the notice is the most common and more than likely the most effective.

Destruction

Personnel records and employer documentation do not have to be kept forever. As a result, many employers take the time every now and then to clean out their records and purge them. In this day and age, it's not as easy as tossing them in the wastebasket. Federal and state laws impose a higher standard in order to prevent the information from getting into the hands of the wrong people.

Employers are required to take "all reasonable steps possible" to prevent unauthorized access to or use of employees' personal data. Paper information should be shredded or burned. As for electronic data, physically destroy or magnetically wipe a disk before throwing it away to ensure the information is not retrievable.

Conclusion

Given increasing rates of identity theft, new legal requirements, and the fact that most identity theft happens in the work environment, employers today face increasing liability risks. It is important to increase your awareness, ensure adequate precautions, safeguards, and procedures to protect information, and advise employees of the responsibilities and policies governing information protection.

Bent Ericksen is the founder and Tim Twigg is the president of Bent Ericksen & Associates. For more than 25 years, the company has been a leading authority in human resources and personnel issues, helping dentists successfully deal with the ever-changing and complex labor laws. Both authors are members of the Academy of Dental Management Consultants. To receive a complimentary copy of the company's quarterly newsletter or to learn more about their services, contact them at (800) 679-2760 or at www.bentericksen.com.
