Actions Employees and Employers Can Take if Personal Information is Stolen – By Mark W. Klein

Despite innumerable benefits derived from living in an electronic age, inherent risks exist which can have profound and far-reaching consequences for all users of technology. With so much sensitive employee-related information now being stored electronically, employers need to be aware of the associated risks and take precautionary measures to secure employee data and protect employees. Moreover, employers should have a plan in effect to manage a breach in their system, should one occur, and to advise employees on what steps they should take independently in response to an emergency.
If an employer, or one of the employer’s contractors (such as a payroll company), becomes the unfortunate victim of theft of its employees’ personal identity data, the employer should first ascertain what type of information was stolen and then immediately notify all employees and company representatives of the theft in order to prevent, or at least limit, any losses to the employees. If any bank account information was stolen, the employees should be instructed to close their affected bank accounts immediately and open up new accounts to protect them from being victimized. Employees should also be advised to replace any bank or debit cards associated with those accounts and to change all passwords and PINs. When creating new passwords or PINs, employees need to be advised not to use their own name, city of residence, mother’s maiden name, birth date, last four digits of their SSN or phone number, a series of consecutive numbers or any other readily obtainable information. If the stolen personal information included driver’s license information, Social Security number, or other information pertaining to alternate types of government-issued IDs, employers should guide employees to contact the Department of Motor Vehicles, local Social Security Administration agency or other appropriate governmental authority in order to place a fraud alert with those agencies so no third party will be able to obtain IDs in their name. If 401(k) account or other employee benefit information is stolen, employees should be advised to notify any named account beneficiaries of the theft so the beneficiaries can also take action to prevent any identity theft.

In the event of a security breach, employees should remain on guard and watch for any signs of identity theft, such as missing bills or inexplicable credit denials. They should also obtain free copies of their credit report as often as the law allows (which is once per year, within 60 days of a credit denial or at any time after a person becomes a victim of identity theft). Employees should also place a fraud alert with the three major credit reporting bureaus – Experian (888-397-3742), Equifax (800-525-6285) and TransUnion (800-525-7289). This fraud alert will inform any company opening an account in the person’s name to contact the person directly in order to verify his or her identity before issuing credit. If a person places a fraud alert with one credit reporting bureau, that bureau is legally required to notify the other two bureaus of the fraud alert. However, it is better for an employee to contact all three bureaus directly to be absolutely sure that the alert is placed in an expeditious manner. Employees may also consider placing a security freeze on their credit report, instead of a mere fraud alert. A fraud alert only lasts for 90 days (unless the individual can prove that he or she is a victim of ID theft) and it still allows businesses to access information from the credit report (although the businesses cannot open new accounts). A credit freeze is more secure because there is no time limitation and no entity is allowed to access any information from the credit report unless the individual temporarily lifts the freeze. The state of Connecticut allows individuals to place a freeze on their accounts (for a $12 fee plus an additional $10 every time the freeze is lifted). In addition to the cost, another drawback of the credit freeze is that it can take up to three days for a freeze to be lifted. The intention of the credit freeze process is to prevent instant credit decisions. Accordingly, for potential identity theft victims, the protection that a credit freeze provides will usually outweigh its drawbacks.

The Federal Trade Commission (FTC) also recommends filing a complaint with the FTC (since the federal government also has jurisdiction over these crimes) and a police report, even if the information has not yet been used to the individual’s detriment. The filing of these reports will facilitate communications with creditors, especially if the information is used to commit a crime months or years later. If the local police department will not prepare a crime report because it has no jurisdiction (or because a crime did not occur), the FTC recommends filing a miscellaneous incident report with the local or state police. If the stolen information is used to commit a crime against any employee, the Connecticut Attorney General’s Office also recommends that the identity theft victim contact its Hartford office (860-808-5318) for possible investigation. It is important for employees to record a written chronology of the incident and all personal actions taken. Detailed information of this nature is useful in the event that the incident results in a future crime.

Finally, in addition to notifying employees regarding the actions they should take, the employer should contact the relevant authorities to report the theft of its data. It should conduct an internal investigation to determine who stole the information and how the information was stolen. The employer should then implement reasonable safeguards and procedures to ensure that a theft will not occur again and that its employees’ personal information will not be compromised. Common-sense steps may include using a randomly assigned employee identification number rather than Social Security numbers to identify employees, and limiting the amount of personal information that the employer keeps in its files. The employer may also want to consider purchasing a credit monitoring service subscription and/or liability theft insurance on behalf of any affected employees in order to provide them with an extra layer of protection against potential identity theft.

For comprehensive information about this subject, please contact Barbara S. Miller at bmiller@brodywilk.com or Mark W. Klein at mklein@brodywilk.com.

© 2018 • Brody Wilkinson PC