BEWARE THE USE OF SOCIAL SECURITY NUMBERS IN EMPLOYMENT SETTINGS

Effective October 1, 2007, the Oregon Consumer Identity Theft Protection Act requires businesses to safeguard the personal information of any “resident of this state” or “consumer,” which in most cases will mean a business’s employees and customers.  In general, the Act protects information sufficient to permit identity theft against the employee or customer whose information was compromised, e.g., financial information and social security, driver’s license, and passport numbers.  A $1,000 fine is assessed for each violation.  To avoid such penalties, employers must abide by the three requirements imposed by the Act.

First, the Act requires employers to notify an employee or customer if personal information is disclosed for other than legitimate business reasons. 

Second, the Act prohibits employers from publicly posting or displaying an employee’s or customer’s social security number, and from printing that person’s social security number on any materials that are mailed to the person unless (i) requested by the employee or (ii) the information is part of the documentation of a transaction or service requested by the person.  Further the employer cannot print the employee’s social security number on any card required for the employee to access products or services provided by the employer. 

Finally, the Act requires employers to “develop, implement and maintain reasonable safeguards” to protect the security, confidentiality and integrity of employee and customer personal information, including its disposal.