New Jersey Identity Theft Prevention Act
Presented by: Annmarie Simeone

What is Identity Theft?
• In general terms, identity theft is the misappropriation and fraudulent use of a person’s personal or confidential information.
• Examples of personal, confidential information are: SSN, driver’s license number, names, addresses, dates of birth, credit card numbers, PINs, bank account numbers.

The NJ Act Refers to “Personal Information” and Defines it as:
• A person’s last name and first name (or initial)
• PLUS – One or more of the following:
  • social security number
  • driver’s license number
  • state identification number
  • account information related to debit or credit cards, including any password or access codes

Personnel Files A Ripe Source For Identity Thieves
• What is clear is that “personal information” is the type of information contained in a company’s personnel files on its employees, which makes such records, whether maintained in a file folder or electronically, a ripe source for identity thieves.

The Statistics
• Better Business Bureau report: 9.3 million Americans were the subject of identity theft in 2004
• “Identity Theft 911” (an independent company providing identity theft services) says NJ residents filed 6,530 identity theft complaints with the Federal Trade Commission in 2003 (up 36% from 2002)
• Identity theft complaints filed with the FTC rose nationally from 162,000 in 2002 to 246,000 in 2004

The Statistics (cont’d)
• The cost to businesses and banks was recently estimated at $48 billion
  • 33% to cover losses due to credit card fraud
  • more than 20% lost to bogus telephone and utility accounts*
* NJ Record, November 27, 2005

Occurrences Of Identity Theft In The Workplace
• Sophisticated computer hacking strategies can be used to access employee information.
HOWEVER,
• Reports suggest that the overwhelming majority of identity theft incidents in the workplace occur through simpler, unsophisticated means such as copying of personnel files from an unlocked file room or through an employee’s downloading confidential information from a company’s network.

Federal Laws
• Electronic Fund Transfer Act – offers protections for persons using electronic means (such as a debit card) to debit or credit an account.
• Fair Credit Reporting Act – requires that a person’s credit record only be provided for legitimate business needs
• Health Insurance Portability and Accountability Act (HIPAA) – requires employers to protect confidential medical records which may contain an employee’s identifying information

Federal Laws (cont’d)
• Identity Theft and Assumption Deterrence Act – makes it a crime to transfer or use another’s personal information with the intent to commit, aid or abet in any unlawful activity
• Fair and Accurate Credit Transactions Act (FACTA) – requires employers to take reasonable measures in disposing of an employee’s credit report obtained as part of the employer’s hiring process. This can also include background checks that the employer obtains on applicants and employees.

Goal of the NJ Act? How is the Goal Achieved?
• Prevent new, and mitigate existing, identity theft
• By:
  • restricting a company’s use, retention and destruction of an individual’s personal information
  • developing notice requirements applicable to employers when personal information is improperly accessed or disclosed, and
  • establishing a security freeze mechanism for use by individuals

Who Does the Act Regulate?
• Any entity conducting business in New Jersey
  • sole proprietorships, partnerships, corporations, associations, and LLCs

Who Does the Act Protect?
“Consumer” – “an individual;” “customers”: which means individuals who provide personal information to a business. This includes
• job applicants, employees, temp staff, consultants, contractors, and agents

What Types of Records Are Subject to the Act?
• Paper and electronic documents
• In the workplace, common documents that would include personal information include:
  • job applications
  • health benefits forms/ID cards
  • retirement/401k account cards
  • I-9 Employment Eligibility Verification forms
  • direct deposit authorization forms

How Does the Act Work?
• Limits Use and Display of Social Security Numbers
  • cannot be publicly posted or displayed (in full or any 4 or more consecutive numbers of the SSN)
  • cannot print the SSN on materials to be mailed to individual unless required by law
  • cannot print SSN on cards needed to access products or services provided by the business
  • cannot intentionally communicate or make available to the general public the individual’s SSN
  • cannot require an individual to use SSN to access website unless accompanied by a password.

How Does the Act Work?
• Requires Timely and Complete Destruction of Records Containing “Personal Information”
  • Unreadable
  • Undecipherable
  • Nonreconstructable

How Does the Act Work?
• Imposes Security Breach Notification Requirements on Businesses

Security Freeze
• A consumer can limit access to his/her consumer report by requesting a “security freeze”
• Definition: a notice placed in a consumer’s consumer report, at the request of the consumer…that prohibits the consumer reporting agency from releasing the report or any information from the report without the express authorization of the consumer. However, the freeze does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report.

Security Freeze (cont’d)
• Request to institute the freeze must be in writing;
• The credit agency has 5 business days to put the freeze into effect. Within 5 days of placing the freeze, the reporting agency has 5 days to send written confirmation to the consumer, and provide the consumer with a PIN or password to authorize release;
• Request to lift freeze – must be in writing and regulations should establish procedures for quickly lifting freeze (within 15 minutes of the request); Currently have 3 days; max. $5 charge to lift freeze.

Security Freeze (cont’d)
• If a third party requests access to a consumer report and is refused because of the freeze, and the consumer refuses to allow access to the third party, the third party may treat the application as incomplete.
• The freeze will not apply to certain requesting parties, which are set forth in the Act.

Penalties for Non-Compliance
• Consumer may be entitled to bring an action under the NJ Fair Credit Reporting Act or the NJ Consumer Fraud Act
• Private Causes of Action – invasion of privacy; negligence

Suggestions for Compliance
• Employers should update their internal policies and/or employee handbooks to comply with Act;
• Establish a policy
  • prohibiting the dissemination of employee personnel files or other files containing personal information;
  • outlining the types of confidential information that actually are needed during the hiring process, and expressly forbidding the collection of confidential information that is not really necessary

Suggestions for Compliance (cont’d)
• Establish a confidentiality policy that limits employee access to personal information;
• Store hard copies of records in a secure location with limited access (possibly monitored access);
• Train employees with access to “personal information” about proper use and handling of the personal information;
• Examine current computer system to protect against access to information by unauthorized individuals;

Suggestions for Compliance (cont’d)
• Employers that store personal information in electronic format should examine their current computer system to protect against access to information by unauthorized individuals;
• Implement appropriate software to protect against computer viruses, unauthorized access to a computer’s network, and similar on-line or electronic invasions of electronic data storage; encryption;
• Adjust document retention policies;
• Define and implement notice procedures in the event of security breach;

Suggestions for Compliance (cont’d)
• Outsourcing – shredding companies – on-site; off-site; charge by the pound;
• Continue compliance with state and federal records retention laws

Annmarie Simeone
amsimeone@nmmlaw.com
Areas of Practice: Labor and Employment, Commercial Litigation
Admitted to Practice in: New Jersey State and Federal Courts
Education: J.D., Seton Hall University School of Law; St. John’s University, B.A., summa cum laude