1.
Your Client as Employer: Workplace Privacy and Identity Theft
Presented by:
David E. Cassidy
Norris McLaughlin & Marcus, P.A.
2.
Tension Between Competing Interests
• Employees’ Right to Privacy of Personal, Confidential and Financial Information
vs.
• Employers’ Right to Protect Assets, Promote Their Business and Maintain Secure Workplaces
3.
Personnel Files: A Fertile Source For Identity Thieves
Information contained in a company’s personnel files, whether maintained in a file folder or electronically, is a fertile source for identity thieves.
4.
Identity Theft In The Workplace
• Most identity theft is perpetrated by relatives, friends or coworkers of victims.
• Sophisticated computer hacking strategies can be used to access employee information.
• A large percentage of identity theft in the workplace occurs through simpler, unsophisticated means such as copying personnel files from an unlocked file room, downloading confidential information from a company’s network, or negligence.
5.
Examples of Security Breaches:
• In December 2006, a Boeing Co. employee lost a laptop containing personal information on 382,000 workers and retirees, including their names, social security numbers, home addresses and other personal information.
• In November 2006, Chicago Teachers Union inadvertently mailed out personal information including social security numbers of 1,700 former employees.
• In September 2006, four laptops containing personal information of 60,000 Starbucks employees were lost or stolen.
6.
Thirty-Nine States Have Statutes
• Private right of action in many states
• Most require documentation of steps taken to implement data security practices (Policies and Procedures)
7.
New Jersey: Identity Theft Prevention Act
N.J.S.A. 56:11-44 et seq.
Effective January 1, 2006
Public purpose to prevent identity theft
8.
The New Jersey Act Defines “Personal Information” as:
• A person’s last name and first name (or initial)
• PLUS – One or more of the following:
– social security number
– driver’s license number
– state identification number
– account information related to debit or credit cards, including any password or access codes
9.
Mechanism: New Jersey Act
– restricts a company’s use, retention and destruction of an individual’s personal information
– establishes notice requirements applicable to employers when personal information is improperly accessed or disclosed
10.
Broad Definitions, Broad Reach
• “Customer” includes any individual who provides personal information to a business
• “Business” is a sole proprietorship, partnership, corporation, association, or any other entity
11.
What Types of Records Are Subject to the Act?
• In the workplace, common documents that would contain personal information include:
– job applications
– health benefits forms/ID cards
– retirement/401k account cards
– I-9 Employment Eligibility Verification forms
– direct deposit authorization forms
– credit reports
– background checks
12.
How Does the Act Work?
• Limits Use and Display of Social Security Numbers
– cannot publicly post or display a SSN (in full or any 4 or more consecutive numbers)
– cannot print a SSN on materials to be mailed to an individual unless required by law
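The display limit on this slide is one an HR or payroll system can enforce mechanically wherever it renders an employee record. The Python below is an added example written for this page, not code from the presentation or from any statute. It treats the rule as the slide states it (no SSN in full, and no run of four or more consecutive digits from it, on anything publicly posted or displayed), uses the constructed sample value 123-45-6789, and makes the conservative assumption that digits separated only by spaces or punctuation still count as consecutive.

```python
import re

DIGIT = re.compile(r"\d")

# Constructed sample value for the demonstration; not a real person's SSN.
SAMPLE_SSN = "123-45-6789"


def ssn_digits(ssn: str) -> str:
    """Strip separators and insist on exactly nine digits."""
    digits = "".join(DIGIT.findall(ssn))
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def mask_ssn(ssn: str, visible: int = 3) -> str:
    """Return a display form that reveals at most `visible` trailing digits.

    The slide's rule forbids showing four or more consecutive digits, so the
    common XXX-XX-1234 form is itself a violation; the cap here is three.
    """
    if not 0 <= visible <= 3:
        raise ValueError("at most three consecutive SSN digits may be shown")
    digits = ssn_digits(ssn)
    masked = "X" * (9 - visible) + digits[9 - visible:]
    return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"


def exposed_runs(text: str, ssn: str, min_run: int = 4) -> list[str]:
    """List every run of `min_run` or more consecutive SSN digits found in `text`.

    All digits in `text` are concatenated before matching, so digits split by
    spaces or punctuation still count as consecutive (conservative by design).
    Longer runs are reported first and their sub-runs are suppressed.
    """
    digits = ssn_digits(ssn)
    stream = "".join(DIGIT.findall(text))
    found: list[str] = []
    for length in range(len(digits), min_run - 1, -1):
        for start in range(0, len(digits) - length + 1):
            run = digits[start:start + length]
            if run in stream and not any(run in longer for longer in found):
                found.append(run)
    return found


def display_is_compliant(text: str, ssn: str) -> bool:
    """True when `text` exposes no forbidden run of the given SSN."""
    return not exposed_runs(text, ssn)


if __name__ == "__main__":
    # Constructed notices: one uses a last-four tail, the other the masked form.
    for notice in ("Your account (last four: 6789) has been updated.",
                   f"Your account ({mask_ssn(SAMPLE_SSN)}) has been updated."):
        print(f"{display_is_compliant(notice, SAMPLE_SSN)!s:5}  {notice}")
```

exposed_runs needs the employee's SSN from the record, so it belongs inside the system that already holds that value, run over the text of a notice, report or web page before it is released, rather than in a separate scanner that would have to be sent the SSN.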
13.
How Does the Act Work?
• Requires Timely Destruction of Records Containing “Personal Information” to render them
– Unreadable
– Indecipherable
– Nonreconstructable
14.
How Does the Act Work?
• Imposes notification requirement if electronic files containing personal information are breached:
– To New Jersey State Police (before notice to customer/employee)
– To customers/employees who are New Jersey residents who are affected by breach
– If > 1000 individuals are affected, to all consumer reporting agencies
15.
A Private Right of Action
Willful failure to comply with restrictions on use of Social Security numbers is actionable as an unlawful practice under New Jersey’s Consumer Protection Statutes (NJSA C.56:11-38 and 39)
16.
Patchwork of State Legislation
• Understanding the “Trigger Event” for Notification
• “Reasonable likelihood of harm or identity theft” to the individuals whose personal information has been exposed?
• Notice – “without unreasonable delay”?
17.
New York: Confidentiality of Social Security Account Numbers
N.Y. Gen. Bus. § 399-dd
Effective January 1, 2008
Public purpose to protect privacy and integrity of data
18.
New York: Disposal of Personal Records Law
N.Y. Gen. Bus. § 399-h
Effective December 4, 2006
Public purpose to protect personal and confidential information by requiring proper disposal of records
19.
OREGON’S LAW
• Oregon’s new law requires businesses that maintain personal information on Oregon residents to:
– Designate a security officer
– Conduct a risk assessment and train employees in security policies and procedures
– Require vendors and other service providers to maintain adequate security
– Update their security programs over time
– Implement safeguards and properly dispose of personal information
• Compliance will satisfy many other states’ laws.
20.
Suggestions for Compliance
– Employers should update their internal policies and/or employee handbooks to comply with relevant statutes
– Publish a policy prohibiting dissemination of personal information
– Define confidential information and forbid collection of confidential information that is unnecessary
21.
Suggestions for Compliance (cont’d)
– Establish a confidentiality policy that limits employee access to personal information to those with a need to know
– Store hard copies of personnel records in a secure location with limited access, ideally monitored access
– Train employees who have access to personal information about proper use and handling of such information
22.
Suggestions for Compliance (cont’d)
– Examine current computer systems and install safeguards to protect against access to information by unauthorized individuals
– Implement appropriate software/encryption to protect against computer viruses, unauthorized access to computer networks, and similar on-line or electronic invasions of electronic data storage
– Review and modify document retention policies as appropriate
23.
Suggestions for Compliance (cont’d)
– Establish and implement notice procedures in the event of a security breach
– Consider outsourcing to shredding companies with a written contract
24.
Union Issues
• Employers must be careful not to draft overbroad privacy and confidentiality policies
• Employers have a duty to provide a Union with requested information that is necessary to fulfill its duty as a bargaining representative
• Confidentiality Agreements and negotiation of same
25.
Jane Doe v. XYC Corporation
New Jersey Appellate Division
December 2005
• Employees’ known or suspected illegal activities impose new duty on employers:
– Investigate
– Act to stop conduct
– Report conduct to the authorities
– Prevent harm to third parties
26.
Facts
• Somerset County employer with 250 employees
• Computer specialists discover employee accessing pornographic websites with company computer
• No further investigation done over two year period
• Complaints from supervisors and co-workers
• IT Manager confirms employee’s access, including one site with name suggesting child pornography, but does not access those sites
• Employee instructed to stop unauthorized actions
27.
Facts (Cont’d)
• Supervisor discovers renewed activities but takes no action
• Employee arrested on child pornography charges
• Videotape and photos of 10 year old stepdaughter recently had been transmitted to child pornography website from company computer
• More than 1,000 pornographic images downloaded to company computer
28.
Lawsuit Against Employer
• Employee’s wife, and mother of child, files suit against employer in February 2004, claiming:
– Employer knew or should have known of employee’s conduct
– Employer had a duty to report actions to authorities for workplace crimes
– Employer breached that duty, enabling employee to continue activities
– Stepdaughter harmed by resultant molestation and photography
– Money damages for resulting harm (treatment and care)
29.
Appellate Division Analysis
• Did the employer have the ability to monitor its employee’s use of the Internet?
– YES because:
• Employer had already conducted limited investigation of activities
• Employer had software that allowed regular monitoring
• Employer could have kept a log of sites visited by the employee
30.
Appellate Division Analysis (Cont’d)
• Did the employer have the right to monitor his activities?
– Yes, because:
• Written company policy permitted it
• Employee had no reasonable expectation of privacy
31.
Appellate Division Analysis (Cont’d)
• Did the employer know, or should it have known, that the employee was using its equipment for an illegal purpose?
– Yes, because:
• Employees complained of activities
• Supervisory personnel confirmed access to porn sites
• More thorough investigation would uncover child pornography access
32.
Appellate Division Analysis (Cont’d)
• Did the employer have responsibility for employee’s conduct outside the scope of employment?
– Yes: Employer can be held responsible for damages caused by criminal conduct if:
1) the employee engages in the conduct on the employer’s premises
2) the employee uses the employer’s equipment
3) the employer has the ability to control the conduct
4) the employer knows or should know there is a reason to exercise control
33.
Appellate Division Analysis (Cont’d)
• Where did XYC Corp. go wrong?
– Should have conducted immediate and thorough investigation
– Could have terminated the employee
– Should have reported activities to law enforcement authorities
– Breached dual duties:
• public policy against possession or viewing child pornography
• obligation as employer to prevent its employee from intentionally harming others or creating unreasonable risk of bodily harm to them
34.
Policy Drafting Consideration
• Employers should warn employees that their electronic communications may be disclosed to law enforcement authorities if they create a suspicion of criminal conduct
35.
Other Privacy Issues:
• Searches in the workplace
• CEPA – public policy
• FACTA and background checks
• ADA and medical information
• Negligent Hiring & Negligent References
36.
What Privacy? Personal Conduct
• Executives Resigning over Personal Conduct Violation