Two Tasks to Help Navigate the Maze of Data Security Laws
During a speech at the Federal Trade Commission on January 12, 2015, President Obama proposed a new federal law to replace what he referred to as a “patchwork” of state laws regarding data security.
For employers with employees in more than one state, this patchwork of state data security laws is only the tip of the iceberg. In addition to the various state laws, numerous federal laws address the question of data security, but are not necessarily consistent regarding exactly what data is protected or to what extent it must be protected.
Employers are required to collect confidential information from employees (and customers, in some fields), such as Social Security Numbers, and are then required to ensure that the information remains confidential. The 1970 Fair Credit Reporting Act, the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act) and the 2003 Fair and Accurate Credit Transactions Act (FACTA) are just some of the groundwork for this maze of data security requirements.
Additional laws governing the disclosure of private information are in force in at least 47 states, the District of Columbia, Puerto Rico, the Virgin Islands and Guam.
Different types of private information collected by employers may require different levels of confidentiality and compliance with different reporting requirements.
A number of sources suggest that employers may want to maintain as many as four sets of files for each employee.
Task 1: Maintain four types of files separately
#1 – Payroll Files
Payroll files would include the employee’s compensation history, including records of any garnishments, loans, job titles and departments.
#2 – Personnel Files
Personnel files would include the original employment application and resume, any disciplinary history, family emergency contact form, employee handbook receipt signoff and other related non-financial paperwork.
#3 – Medical Files
An Employee Medical file is, exactly as one would suspect from the name, for any medical information relating to an employee, including such items as drug screening results, and should be subject to the highest level of security and confidentiality.
#4 – I-9 Documents
Finally, I-9 files should house the I-9 records for all employees, kept separately from all other employee records. This serves a dual purpose: it keeps the I-9 records confidential from government officials and other entities that are authorized to view other employee information but not the I-9 records, and it centralizes the records for easy access in the event of an I-9 audit.
Task 2: Learn about State specific requirements
State laws may be more or less strict than federal laws regarding the maintenance of confidentiality and may impose more or less severe penalties for security breaches. Where federal and state law differ, whichever is more strict usually prevails.
Some examples by state:
State of Connecticut
Connecticut law requires that businesses protect personal information, including Social Security numbers, driver’s license numbers, account numbers for insurance policies, credit card numbers and bank account numbers. The penalty for intentionally failing to protect this information is $500.00 per violation, up to $500,000.00 per event.
State of California
California law protects more categories of information and does not limit liability to penalties for “intentional” failures to protect information. “Personal Information” is defined as “any information that identifies, relates to, describes, or is capable of being associated with a particular individual.” In fact, the California Department of Justice has a special Privacy Enforcement and Protection Unit, showing just how seriously that state takes the security of private information.
State of Idaho
Under Idaho’s Public Records Act, the disclosure of private information in violation of the law is subject to criminal, as well as civil, penalties.
State of Oregon
Oregon’s Consumer Identity Theft Protection Act requires that any person or business that comes into possession of a person’s personal information, which the act defines in detail, “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including the disposal of data.”
State of Nevada
In Nevada, any organization in possession of an individual’s personal data that releases that data to a third party with a legitimate need for it is obligated to ensure that the third party also “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.”
In summary, any person or business that collects and retains another person’s private information, including that person’s employer, has a legal and ethical obligation to ensure that the information stays private. The responsible parties must be familiar with the entire scope of applicable privacy law (federal, state and possibly local) and must ensure compliance with all of it.
NOTE: The author of this article is not an attorney and nothing contained herein should be treated as legal advice.