Privacy Protection and Data Breaches: HR Tip of the Month
Identity theft is a major concern for employers who are routinely entrusted with private information of employees and customers, especially in the electronic age, where improper use of such data can have widespread ramifications. According to the Federal Trade Commission (FTC), each year as many as 9 million Americans have their identities stolen. Is your company prepared to address a data breach?
Federal law and many state laws require employers to safeguard private information. For instance, the Fair Credit Reporting Act requires companies to take appropriate measures to dispose of sensitive information derived from consumer reports. If a company becomes aware of a data breach, the FTC also instructs it to immediately report the breach to the local police department, the local office of the FBI, or the U.S. Secret Service, and then to provide notice to individuals whose information was compromised to allow those individuals to take steps to mitigate the misuse of their personal information. Many state laws also require that notice be provided upon discovery of a breach.
New Jersey has enacted the Identity Theft Prevention Act (ITPA), which requires any business that lawfully collects and maintains computerized records to disclose to the New Jersey State Police and to any New Jersey customer (broadly defined to include an individual who provides personal information to a business, including employees) when that customer’s personal information was or may have been accessed by an unauthorized person. In the case of a large-scale breach, businesses are also required to report to consumer reporting agencies. In addition, the ITPA regulates the use of social security numbers as identifiers, prohibits the display and usage of social security numbers on printed materials except where required by law, and requires the destruction of records containing personal information when no longer needed.
Similarly, the New York State Information Security Breach and Notification Act requires companies that own or license computerized data to provide prompt notification following the discovery of a breach to any New York resident whose private information was, or may have been, acquired without authorization. The New York State Social Security Number Protection Law regulates the handling of social security numbers and requires covered persons and entities to provide safeguards “necessary or appropriate” to preclude unauthorized access to social security account numbers and to protect the confidentiality of such numbers.
Employers must be prepared to continuously protect information. Best practices dictate that employers prepare guidelines for safeguarding private information.
This Alert has been prepared by Sills Cummis & Gross P.C. for informational purposes only and does not constitute advertising or solicitation and should not be used or taken as legal advice. Those seeking legal advice should contact a member of the Firm or legal counsel licensed in their state. Transmission of this information is not intended to create, and receipt does not constitute, an attorney-client relationship. Confidential information should not be sent to Sills Cummis & Gross without first communicating directly with a member of the Firm about establishing an attorney-client relationship.