FACTA Revisited
Some news commentaries
about the disposal requirements imposed by the Fair and Accurate
Credit Transactions Act (FACTA) make it sound like all employers
and all aspects of employment records are impacted. Under this
law, any person who maintains or possesses "consumer
information" must be prepared to dispose of these records
in a way that ensures that the information will not be improperly
accessed or used. The Federal Trade Commission (FTC) issued a
rule explaining the disposal provisions that takes effect on June
1.
Unfortunately, many
of the media reports have overstated the significance of this
law for employers. Some assert that the rule covers every personnel
file, while others state simply that all employee information
is covered. If you read these articles, you might think you have
a legal obligation to shred all of your employment files.
In fact, however, the
rule is fairly limited in its scope. It only applies to certain
consumer information provided by outside consumer reporting agencies.
And, it only affects that information *when* you dispose of
it. It does not require you to secure the information prior to
disposal or even to dispose of it within a particular time frame.
That said, the law
properly focuses attention on a bigger problem you face –
how to protect sensitive employee identifying information. On
a daily basis, you legitimately collect personal information about
applicants and employees that can be used to steal their identities.
The FACTA
disposal rule provides some guidance on how to protect this sensitive
information, at least when you dispose of it.
However, FACTA only
applies to the disposal of narrowly defined consumer report information
obtained from third-party consumer reporting agencies. As a result,
just complying with the rule will not be enough to safeguard your
employees' personnel records. You still need to take additional
steps to protect your employees' personal information throughout
the employment relationship. This means that you should take affirmative
action to secure it, restrict access to it, and dispose of it.
*FACTA Review*
Here's an overview
of the FACTA disposal rule. FACTA amended the Fair Credit Reporting
Act (FCRA), which is the federal law that governs consumer credit
reports and their use for
employment purposes.
FACTA added an additional
obligation to the FCRA ordering the Federal Trade Commission (FTC)
to issue regulations to require "any person that maintains
or otherwise possesses consumer information, or any compilation
of consumer information, derived from consumer reports for a business
purpose to properly dispose of any such information or compilation."
The FTC issued a final rule that addresses the disposal of consumer
report information and records. The new rule is designed "to
reduce the risk of consumer fraud and related harms, including
identity theft, created by improper disposal of consumer information."
*Consumer Information Narrowly Defined*
In a nutshell, the
rule requires only the proper disposal of consumer information.
Specifically, you now must take "reasonable measures"
to protect against unauthorized access to, or use of, the information
when you dispose of it. The rule gives several examples of "reasonable
measures," including burning, pulverizing, and shredding
paper documents and erasing computer files containing protected
information or hiring a vendor to do the same.
How "consumer
information" is defined by the rule shows its narrow scope.
According to the rule,
"consumer information" includes any record about an
individual that is a consumer report or is derived from a consumer
report, as defined under the FCRA. It also includes any compilation
of these records. The FCRA defines a consumer report to include
any
written, oral, or other communication of any information by a
consumer reporting agency regarding a consumer's creditworthiness,
credit standing, credit capacity, character, general reputation,
personal characteristics, or mode of living which is used as a
factor to establish
the consumer's eligibility for employment.
So, for example, anytime
you use an outside agency to get a credit report, conduct a background
investigation, or perform a reference or drivers' record check,
that agency will provide you a consumer report covered by the
FACTA disposal requirements. In addition, if you incorporate information
from these outside reports into another record, such as by summarizing
the reports' findings in a memo recommending an applicant's hiring
or an employee's promotion, then that record is covered, too.
However, if you only
perform your own checks internally, the information you gather
is *not* covered by FACTA. Although much of it may contain personal
identifying information, it does not meet the definition of consumer
information for this rule if a third party does not provide it.
Further, other internal
records you create throughout the employment relationship that
contain personal identifying information such as Social Security
numbers, birth dates, and medical information, are not covered,
either. For example, application forms, payroll records, beneficiary
designations, emergency contact lists, and medical leave requests
generally are not considered "consumer information."
*FACTA Covers Disposal, Not Maintenance*
Finally, the FACTA
rule only applies to the proper disposal of protected consumer
information. It does not regulate how the information should be
secured prior to disposal.
As a result, it does
not require you to restrict access to your consumer information
files or keep them locked up. Further, it does not stipulate when
information must be destroyed, so it does not affect any current
recordkeeping requirements imposed by other laws, such as Title
VII of
the Civil Rights Act or the Americans with Disabilities Act.
One point made by most
discussions of the FACTA disposal rule is not overstated –
the rule does subject you to the FCRA's fines and penalties, which
can be substantial if a large number of files are involved. Fortunately,
the rule provides examples showing how to dispose of the information
properly, and they are fairly simple to apply.
*FACTA Lays Groundwork for Identity Theft Protection*
More importantly, perhaps,
the FACTA disposal rule raises, but does not address, a bigger
issue – namely, your responsibility to protect employees'
personal identifying information. Recently publicized incidents
of workplace-related identity theft have put employers on notice
that you could be liable if you are negligent with your employees'
files.
For example, several
employees sued a California-based pharmaceutical company, Ligand
Pharmaceuticals, after a coworker used information from unsecured
personnel files to rent apartments and purchase merchandise with
credit cards obtained using the employees' personal
information. The company reportedly settled the negligence suit
for a six-figure sum.
There are many different
legal theories that can be used against you, including respondeat
superior, general negligence, negligent hiring, negligent supervision,
negligent retention, and unreasonable disclosure of private facts.
And, a few states, including California, Georgia, and
Washington, impose liability on persons, such as employers, who
handle employment records improperly.
Clearly, the FACTA
disposal rule is just one of many legal concerns you should have
when it comes to protecting your employees' personal information.
So, you need to make sure that your organization has taken appropriate
actions not only to comply with FACTA, but also to safeguard
and dispose of all sensitive employment information in a proper
fashion.
Steps you can take
include securing employee personal information in locked file
cabinets, password protecting computer files, and limiting access
to sensitive information to those employees with a need to know.
In addition, you should perform background checks on employees
with access to these files. And, if you have not already done
so, you should
stop using Social Security numbers to identify employees. Of course,
you also should follow FACTA's disposal rule when you do get rid
of workers' files.
Finally, you should
consider how you will respond to identity theft if it happens
to any of your employees, even if it does not involve your employment
records. The FTC reports that identity theft is one of the fastest
growing consumer crimes, and one that can strike any of us no
matter how careful we are. The FACTA law may be more important
for the identity theft problem it highlights than for the immediate
impact it has on employer recordkeeping.
HR Matters
- http://ppspublishers.com/ez/html/051105txtb.html