by Nick Fishman

FCRA guru Pam Devata, Labor and Employment Attorney for Seyfarth Shaw, was kind enough to draft an exclusive article for employeescreen University about the new FACT Act regulations aimed at curbing the affects of identity theft. While many of the regulations are aimed at the Big Three Credit Bureaus, Experian, Trans Union and Equifax, there are some compliance issues that will affect employers and other financial institutions. See excerpt from the article below:

Users of Consumer Reports Have New Responsibilities As of November 1, 2008 Under the Federal Trade Commission’s Identity Theft Red Flag Regulations

It is no secret that identity theft has become a problem for consumers in recent years, costing millions of dollars in fraudulent purchases, credit fixes and litigation. As a result, the legislature and many government agencies including the Federal Trade Commission have taken measures to curb this rising trend. Indeed, recent regulations issued by the FTC and mandated by The Fair and Accurate Credit Transactions Act of 2003 (FACTA) have specific directives for users of consumer information that are aimed at uncovering and preventing incidents of identity theft. These new regulations go into effect on November 1, 2008 and require the creation of a number of new policies and procedures for specified entities. Some of the regulations apply to all users of consumer reports, where others are specific to financial institutions and creditors.

The Law
FACTA or the FACT Act as it is sometimes referred to went into effect in December 2003 and amended the federal Fair Credit Reporting Act (FCRA) in a number of ways. As it relates to identity theft prevention, FACTA instituted a procedure to help users of consumer reports combat identity theft by creating a notion of “red flags” when identity theft was suspected. In FACTA, a “Red Flag” is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft. A “user” of a consumer report includes entities such as employers who obtain consumer reports for the purpose of making employment (hiring, promotion, firing, etc.) decisions, as well as financial institutions, and granters of credit who use the information contained in consumer reports to issue credit cards, loans or mortgages, and other such activities.

FACTA’s identity theft prevention sections require various federal agencies to implement regulations describing exactly what users must do to comply with the law. Two sections of the Act, 15 U.S.C. § 1681m (FACTA section 114), and 15 U.S.C. 1681c (FACTA section 315), refer specifically to the creation of such regulations. FACTA section 114, which addresses procedures users must implement in the case of an address discrepancy between themselves and a consumer reporting agency (CRA), applies to all users. FACTA section 315, which requires the implementation of an Identity Theft program pursuant to the Red Flags rule, is applicable only to financial institutions and creditors, as described below.

Because the law itself does not provide a lot of guidance on exactly what users need to do to be in compliance with the identity theft red flags, employers and other users should be aware of their responsibilities under these new regulations.

Click here to view the full article

by Nick Fishman

This just in from our friends at Seyfarth Shaw: New York Employers Face Penalties if The Fail To Secure Employee Social Security Numbers. This law new law affects New York employers who collect Social Security Numbers on their job applicants and employees; in other words, every New York employer. Employers obviously need this information for a variety of reasons including its importance when conducting background checks. This article references a rather shocking stat: “In a 2006 survey conducted by the Identity Theft Resource Center (ITRC), a not-for-profit organization which provides information and support to identity theft victims, 12% of those surveyed reported that their personal information had been stolen at the workplace.”

We took this off the State of New York’s website:

Confidentiality of Social Security Numbers – General Business Law §399-DD
Places limits on the use and dissemination of Social Security Numbers (SSN) beginning January 1,
2008. The law prohibits the intentional communication of an individual’s SSN to the general public;
restricts businesses’ ability to print a SSN on mailings or on any card or tag required to access
products, services or benefits; prohibits businesses from requiring an individual to transmit his or her
unencrypted SSN over the Internet; and requires businesses possessing SSN to implement safeguards
and limit unnecessary employee access to the data.

According to Seyfarth Shaw, the New York Social Security New York Protection Law (NY Gen. Bus. § 399-dd) prohibits the following:

• Intentionally communicating an employee’s social security number to “the general public or otherwise make [it] available to the general public”;
• Printing an employee’s social security number on any card or tag required to access services or benefits provided by the employer;
• Requiring an employee to transmit his or her social security number over the Internet unless “the connection is secure or the social security account number is encrypted”;
• Requiring an employee to use his or her social security number to access an Internet web site unless “a password or unique personal identification number or other authentication device is also required to access the Internet website”;
• Printing an employee’s social security number on any materials to be mailed unless state or federal law requires that this information be on the document.

Seyfarth offers the following compliance tips:

• Have a written privacy policy (that includes disposal procedures that are consistent with accepted industry practice and satisfy legal requirements);
• Lock up and limit access to employee personal information;
• Conduct background checks on employees who will have access to personal information;
• Limit retention of personal information to only that which is essential;
• Train employees on privacy and document disposal policies;
• Encourage employees to report any possible security breaches;
• Avoid using or disclosing an employee’s social security number for any purpose other than that required by law or legitimate and necessary business purpose; and
• Take proper security precautions when terminating employees who have access to personal information (e.g., changing computer access codes).

Read the full article here . . .

I definitely can’t and won’t argue that this is a bad law. In fact, it’s probably good for both employers to have some direction on how to comply and for consumers to have this protection. However, those performing background checks in New York have had a lot on their plate lately with the increase in the OCA fee.

by Nick Fishman

The on-again off-again drama with the DHS No Match initiative continues according to this legislative update from Seyfarth Shaw.

On Friday, November 23, the Department of Homeland Security (DHS) requested that a federal judge stay the litigation regarding its new Social Security “no match” rule. Rather than proceed with the litigation, DHS plans to revise the rule to address the court’s concerns about the rule’s legality. DHS intends to begin a new rulemaking process in December. More

Will this political game of hot potato ever end?

by Nick Fishman

Last month Seyfarth Shaw updated us with The Department of Homeland Security’s Immigration and Customs Enforcement agency (ICE) efforts to crack down on employers who received mismatch letters from the Social Security Administration and didn’t act upon them. Enforcement was to begin on September 14th, but a federal judge in California issued a temporary ruling which prohibits the Social Security Administration from sending the letters and DHS from acting on them.

Again, Seyfarth has provided us with a full breakdown of these events. See link below. Do you think the government will ever figure this thing out?

Lawsuit Halts DHS Crackdown on Unauthorized Workers

by Nick Fishman

Check out this update from Seyfarth Shaw concerning a recent rule established by ICE concerning tougher enforcement of Social Security Mismatch Numbers.

Social Security Mismatch Letters: New ICE Rule Increases Risk to Employers

Employers that don’t properly follow up on and resolve errors stemming from workers with social security numbers that come back as mismatches now face greater risk. If the government actually follows through on this employers should take note.

There are some affective tools out there for proactively determining an employee’s right to work status. One such tool is the Electronic I-9 Process which has developed by experts to allow employers to fill out a “smart” electronic I-9 form and submit it to the Social Security Administration and Department of Homeland Security for instant status. They then can electronically archive the report and the results. It’s a great solution to handle the I-9 process, but until the federal government enacts and enforces legislation my experience is that employers aren’t going to bite.

by Nick Fishman

Many of you may be aware of the law firm Seyfarth Shaw LLP. They are one of the country’s largest labor and employement firms and widely respected as a foremost expert in such matters. employeescreenIQ is proud to be a client of this esteemed firm and as such get regular legislative updates from them concerning employment topics that can affect all of us.

Seyfarth had been kind enough to allow us to post such updates in this blog, so beginning today we will screen these updates for information that might be of interest to our loyal blog readers.

Just another opportunity for us all the learn together.