Employers May be Liable for Worker Identity Theft
Patchwork of laws restricts how employers use, store and transmit information
Businesses store a wealth of employee personal information, which makes them tempting targets for identity thieves. Therefore, it is critical for employers to safeguard such data, particularly because businesses could be held liable when information is stolen.
"For employers, a primary source of exposure can be the theft or release of personnel records," said Kristin Story, an attorney with Lewis Roca Rothgerber Christie in Phoenix. These records can contain personally identifiable information, such as Social Security numbers, birth dates, bank account information, and sometimes health or other biometric information for employees and their relatives.
Furthermore, employers may collect substantial personal information from employees and applicants to conduct background investigations and credit checks.
This kind of information can be used for many unauthorized purposes including gaining access to financial accounts and establishing new ones, Story said. The information may also be sold to undocumented workers to use for employment authorization.
[SHRM members-only HR Q&A: How can I ensure my company protects personal employee information?]
Thieves also target W-2 forms. It is becoming more common for a bad actor to send a forged e-mail to a company's HR staff member that appears to be from a company executive, said Patrick Fowler, an attorney with Snell & Wilmer in Phoenix. The scammer may ask the staff member to send a copy of all or some employee W-2s.
If the HR staff member fails to verify the legitimacy of the request and simply forwards the W-2s to the e-mail sender—who then uses the information to create and submit false tax returns or open lines of credit—the company may be liable for the resulting identity theft.
Businesses have a duty to advise employees in a timely and legally compliant manner about data breaches, Fowler added. He suggests that employers review their employee handbooks and consider language that might limit their potential contractual liability for data breaches.
"Diligence is key," Story noted. As identity theft capabilities expand, realistically no business can completely eliminate the risk of data breaches that may compromise their employees' sensitive information. But undertaking reasonable measures to prevent foreseeable breaches can decrease the risk of breach, as well as the risk of liability in the event of a breach.
Employers may want to review the U.S. Securities and Exchange Commission's 2015 update to its cybersecurity guidance. The guidelines are applicable today and are part of an emerging cybersecurity "standard of care" for organizations to meet, Fowler noted.
Federal Laws
What federal laws impose employer liability for identity theft? "There is no single, all-encompassing federal data breach/identity theft law that covers all situations," Fowler said.
Story noted that liability under federal law will depend on the type of information breached. For example, under the Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act, employers may be liable if their acts or omissions lead to identity theft. These laws are designed to protect consumer information—including data collected for employment background checks.
In addition, failure to adequately safeguard health-related information or medical records may create liability under the Americans with Disabilities Act or the Health Insurance Portability and Accountability Act.
State Laws
State laws are the primary source of potential identity-theft liability for employers. "State laws in this area are a patchwork collection and are neither uniform nor completely consistent," Fowler said.
California and Massachusetts have been more active than other states in passing data privacy legislation, but virtually all of the states have data breach notification laws at this point, he noted.
These state laws can impose additional requirements and restrictions on how employers use, store and transmit employee information, Story said.
A recent trend in state law is to expand the definition of "personal information." For example, new laws in Maryland and Delaware have broadened the types of protected personal data to include personal health information, biometric data, passport numbers and more.
Arizona has statutes explicitly limiting the manner and extent to which businesses may require and transmit personally identifying information, Story said.
Best Practices
The first thing employers should do is establish, publish and enforce clear policies and procedures concerning storage, use and access to sensitive information, Story suggested. "It should be clear to the organization that personnel data and, in particular, those records containing sensitive information are confidential and that unauthorized access, use or disclosure of that information is strictly prohibited."
Hard-copy records should be maintained in a secure—preferably locked—location. If information and records are maintained electronically, appropriate measures should be put in place to ensure data security, such as password protection and data encryption. "Access to this kind of data and information—including the locations where it is stored—should be limited to persons who have a legitimate need to use and access that information," Story added.
She noted that employers should adhere to a strict record retention schedule. State and federal law may require preservation of certain types of records for prescribed periods. "Once those time periods expire, however, those records should be destroyed in order to limit and decrease the amount of sensitive data employers have on hand," she said.
"Hackers are creative, persistent and smart, and they will constantly probe companies to find weaknesses to exploit in cybersecurity, social engineering, physical security and administrative safeguards," Fowler said. "Data security should be viewed as an ongoing business risk that requires constant monitoring and management."
Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.