
The HR Professional’s Role in the Implementation of the New Identity Theft Regulations

Consider for a moment this scenario: One of your employees, who is a real go-getter, decides to take some work home from the office. To transport her work, she uses a 4-gigabyte USB flash drive. The documents stored on the flash drive contain sensitive information about other employees, clients and certain business dealings of the company. On the employee’s way home, she decides to stop by a coffee shop and, without noticing, she drops the flash drive, leaving it behind on the ground. For HR professionals, why should this matter?

The new identity theft regulations, which take effect on January 1, 2010 and protect personal information, would impose significant penalties on an employer should the above scenario occur. These new regulations, which are quite comprehensive, place onerous obligations on employers to safeguard personal information and impose severe penalties on employers for breaches. In order to comply with the regulations and otherwise reduce the risk of facing steep penalties in the event of a breach, employers must audit their policies and practices regarding storage, transport, access, retention and destruction of personal information.

Step One: Locate and secure personal information

The first step to take in planning for compliance is to locate all personal information.  The regulations define personal information as a combination of name, along with social security number, bank account number or credit card number and apply to both electronically stored information as well as paper files.  Take time to identify all paper, electronic, and other records and computing systems, including laptops, electronic storage media, and other portable devices to determine whether they contain personal information.  All personal information must, if in paper form, be kept under lock and key.  If it is stored on portable devices, such as laptops, PDAs and flash drives, or transmitted over wireless networks, it must be encrypted. 

Step Two: Develop a comprehensive information security program

The second step to take in planning for compliance is to develop an information security program.  The regulations require the development of a written, comprehensive program that identifies and assesses reasonably foreseeable internal and external security risks, designates an employee to oversee it, limits access to personal information to only those employees who need to know it, imposes discipline for any violations and terminates employee access to personal information immediately if the employee is discharged. The program must be monitored and evaluated at least annually and employers are required to train all employees who have access to personal information on the program. 

Step Three: Develop a Plan to Deal with Breaches

The third step to take in planning for compliance is to develop a plan should a breach occur. As an HR professional, imagine the moment when the employee from the scenario above comes to you and informs you that the flash drive is missing and is likely in the hands of someone not authorized to have access. You must have a plan in place to deal with such a situation and, in fact, the regulations require such a plan. Employers must also develop policies for employees that take into account how they should be allowed to keep, access, and transport records containing personal information outside business premises. If employees can access personal information remotely or otherwise transport it, employers must plan and implement safeguards to ensure the security of the network over which this information travels. Additionally, employers must provide prompt notice of any breach to the person or persons affected, the Attorney General’s Office and the Director of Consumer Affairs and Business Regulations.

Step Four: Other considerations including third-party vendors, firewalls and encryption

Employers must take reasonable steps to verify that any third-party providers with access to personal information have implemented safeguards to protect such information that are at least as stringent as those required by the regulations. The regulations also have special requirements for electronically stored files. Indeed, the regulations require that employers maintain a security system that secures user IDs and passwords, blocks access after multiple unsuccessful attempts to log in, encrypts records traveling across public networks or transmitted wirelessly, and encrypts personal information stored on laptops. Additionally, the regulations require that the security system have reasonably up-to-date firewall protection for files containing personal information on a system that is connected to the internet, that it have reasonably up-to-date malware protection, and that employees be educated and trained on the proper use of the computer security system and the importance of personal information security.

There are numerous possible negative consequences that could flow from breaches of a business’s data. Such adverse consequences include negative publicity, loss of customers and clients and, most importantly, exposure to civil liability. Though the new regulations may seem daunting to implement, the cost of non-compliance is much greater. The bottom line: employers simply cannot afford to ignore these regulations and should not go it alone. Working hand-in-hand with your employment counsel and your IT professional is a must. Because the law is so onerous, you should start planning compliance now, beginning with an audit of your business practices by counsel.
Amy B. Royal, Esq. is a partner in the law firm Royal & Klimczuk, LLC. She focuses her practice in management-side labor and employment law and can be reached at (413) 586-2288 or aroyal@rkesq.com

Royal & Klimczuk, LLC
52 Center Street, Northampton, MA 01060 | Phone (413) 586-2288 | Fax (413) 586-2281
1350 Main Street, 4th Floor, Springfield, MA 01103 | Phone (413) 734-9259

Disclaimer: The information you obtain at this site is for informational purposes only. It is not, nor is it intended to be, legal advice and does not create or imply an attorney-client relationship. You should consult with an attorney for individual advice regarding your own particular situation. This website, including each page hereof, may be considered advertising pursuant to the Massachusetts Rules of Professional Conduct. Copyright © 2009 Royal & Klimczuk, LLC. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include the above copyright notice.