04/ 20/ 2007
by Beth Gaudio, NFIB Legal Foundation
Identity theft is an ever-present danger to Americans across the country, since we all live in an increasingly digital world. This nightmare scenario requires, at the least, canceling accounts and repairing credit reports. Common sense counsels you to protect yourself by shredding bills and other documents before you throw anything away, but if you're a small-business owner, you must be equally as careful with employees' confidential information. Your employees' Social Security numbers are the penultimate example of information that must be kept under lock and key.
Social Security numbers serve as an all-purpose, one-stop shopping identifier for almost every transaction in the United States. Even though there have been extensive limitations placed on various government agencies as to when and how to store these numbers, the private sector faces no such legal restrictions on the collection of Social Security numbers. Because it's been estimated that 75 percent of employees steal--and employee theft increasingly includes personal information (identity theft) as well as money--small businesses need to take the initiative to protect employees' privacy to avoid costly litigation.
By protecting the confidentiality of your employees' Social Security numbers, you, in fact, protect your own business interests. Employee lawsuits can arise against your business if you fail to take reasonable steps to safeguard these numbers. Take the following precautions to deal with some of these issues:
- Always keep employees fully informed. When you request Social Security numbers, inform employees of the exact purpose for asking, the intended uses of the numbers, whether the law requires employees to provide the numbers to employers in the particular context and the consequences of not doing so. Devise a company policy concerning Social Security numbers, and make sure employees are aware of the terms. If a security breach of employee information occurs, notify both affected and unaffected employees immediately.
- Reduce the use of Social Security numbers in your workplace. Only display Social Security numbers on business forms or documentation when legally required to do so. If you only need an internal tracking system for your employees, then an employee identification number might be more appropriate. Generate individualized employee codes for identification purposes rather than using Social Security numbers. This way, any sensitive documents containing the numbers can be kept with the confidential employee files in a secure location--ideally a locked area with restricted access.
- Restrict access. You should carefully screen employees with access to confidential employee files. Employees working with documents containing Social Security numbers should have private offices with locking doors. If this is not possible, keeping these employees secluded from everyone else will be essential in maintaining the privacy of Social Security numbers. Regardless, make sure you have a company policy in place for how to access and handle any sensitive documents, such as keeping access logs and requiring return of the files, even during short breaks and lunches. Enforce the policy on everyone with no exceptions.
- Security policies. Whenever you need to send employee Social Security numbers outside of the company, make sure to send them as securely as possible. When using the postal mail system, make sure that such information cannot be viewed through the envelope window. Encrypt or password protect e-mails containing Social Security numbers. Make sure when relaying the numbers over the telephone that the telephone is in a private area, where such information cannot be overheard. If transferring files, shred old paper records and permanently remove electronic records from computer systems. Hitting the “delete” button is not enough.
- Damage control. As soon as a leak is detected, take steps to remedy the problem. You can start by paying for your employees to get copies of their credit reports and assist those that are adversely affected in any way possible. A showing of goodwill on your part can go a long way.
A final warning to employers: Check your local rules and regulations for any additional demands on how to maintain confidential employee information. Privacy and identity theft legislation is a hot-button issue for the government, which is experimenting with how to craft adequate compliance measures. Stay up to date, so you can stay out of court.
