Does your business do background checks on applicants? What do you do with that information once an employment decision is made? A new regulation promulgated by the Federal Trade Commission under the Fair Credit Reporting Act sets out requirements for employers and others who gather such data, so now is the time to think these questions through.
The New Regulations. The regulations, found at 16 C.F.R. § 682 et seq., apply to "consumer information," a category familiar to those who have encountered the Fair Credit Reporting Act before. "Consumer information" includes an individual's credit reports and scores, criminal background information, property holdings, and similar personal information. Many employers seek out such data from applicants, after obtaining permission to do so, either directly or through companies that specialize in conducting background checks.
The new rule requires that employers take "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." Examples include shredding paper documents or erasing electronic data. If a contractor is used for disposal, the employer is responsible for ensuring that the contractor has appropriate policies for protecting information from unauthorized use.
Our Recommendations – Go Beyond the Regulations to Protect Against ID Theft. We recommend every company put in place a Confidential Employee/Applicant Information Policy that covers both information that is to be disposed of, and information that is to be retained. We recommend that the policy protect not only the "consumer information" specified in the new rule but all employee/applicant data, such as W-4 forms or other documents that contain Social Security numbers or other identifying data, to guard against ID theft.
The state of Michigan recently enacted a statute – the Social Security Number Act – that requires that all employers maintain a policy to safeguard Social Security Numbers. This law follows on the heels of a court decision in Michigan that found a union liable for hundreds of thousands of dollars because a union official mishandled union members' Social Security Numbers, allowing them to be stolen and used for identity theft. We consider it likely that other states will follow in passing laws requiring Social Security Numbers and other personal identification data to be safeguarded in specific ways.
In order to comply with the FTC rules and safeguard against ID theft, the policy should specify how applicant/employee information is to be stored, such as in a locked file cabinet with access limited to HR staff. The policy should also specify how information is to be disposed of, such as by shredding in the HR office. If information is retained electronically, the policy should lay out who is authorized to access the information, and steps should be taken to create a "firewall" blocking others from the data. Also, electronic information should be destroyed before disposing of old computers. Employers commonly retain files and information on unsuccessful applicants and terminated employees as a risk-management measure, so all policies should apply equally to current employees, past employees, and applicants. All employees and applicants should be notified that the company is taking steps to safeguard their identities.
If you have any questions about your company's employee or applicant information retention policies, or other policies related to applicants or employees, please contact any member of our Employment Practice Group.