Employers, You May Have to Shred That!

Published December 1st, 2005

Good employers do what they can to protect their employees’ personal information from identity theft, but smart employers do what is now required by law to save themselves from potentially thousands of dollars in fines.

If you are an employer, you will need to make sure that your human resources staff is up to date on the new federal requirements for destroying personal information gained by a consumer reporting agency in the process of taking on new hires.

Employers must shred or “otherwise destroy” particular pieces of personal information, referred to in the law as “consumer report[s],” about employees they hire — but only for information obtained by a consumer reporting agency. “Consumer report” information on employees you hire includes, but is not limited to:

  • current address and address history
  • name and former names used
  • date of birth
  • Social Security number
  • driving records
  • check writing history
  • employment history
  • health records
  • history of insurance claims, and
  • criminal records

As part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) — other pieces of which we reported on in earlier issues of this newsletter — employers are required to take “reasonable measures to protect against unauthorized access to or use” of consumer information, whether retained in paper or electronic format.

To meet the federal requirements, you may have to shred these materials yourself or ensure that the company you hire to shred does so in a non-negligent manner. The law provides various examples of how to ensure third party disposal of employees’ information. If this information was collected electronically, employers must properly dispose of that material in a way that is compliant with the law (for example, by using appropriate software to erase the employee data).

 

The penalties can add up

You must destroy your employees’ personal information properly, or else be potentially liable for “negligent destruction” under the law, which is not clearly defined. This means that you will also be liable for personal information that is merely “lost.” If a charge is leveled against you, it is your company’s burden to prove that it did not destroy the information negligently.

Each violation can result in employers paying a federal fine of up to $2,500 per occurrence. Employees can also bring suits against their employers to recover actual damages they suffer as a result of improper disposal of their private information. Business owners, if found liable for an employee’s stolen identity, can rack up rather hefty fines if, for example, a batch of employee Social Security numbers or addresses is taken from the workplace and this act leads to identity theft of the employees. The business owner would be held liable for each occurrence plus each successful individual suit for damages. We don’t need to show you the math to illustrate how costly this mistake could be.

 

Note: This article is displayed by permission of the CPA Client Bulletin. The Bulletin carries no official authority. Its contents should not be acted upon without specific professional advice from a certified accountant. Copyright © 2006, American Institute of Certified Public Accountants, Inc.