All Employers Must Comply with New Identity Theft Precautions

Measures To Combat Identity Theft Go Into Effect On November 1, 2008 and January 1, 2009:  Are You Ready?

On both the federal and state level, new measures will be going into effect shortly to combat identity theft.  The new requirements will affect all Massachusetts employers.  What do you need to do to be in compliance?

Changes to Federal Fair Credit Reporting Act Require Employers Who Use Consumer Reports to Develop Policies to Respond to Notices of Address Discrepancies

New requirements will go into effect on November 1, 2008, which affect companies that use “consumer reports” from a national consumer reporting agency (“NCRA”) to screen individuals for employment purposes. 

A “consumer report” is a report by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used, among other things, for employment purposes.

To be in compliance with section 315 of the Fair and Accurate Credit Transactions Act (FACTA), the regulations require companies obtaining consumer reports to put procedures in place to deal with situations where a NCRA notifies the company of a discrepancy between the address that a company provided for a consumer and the address in the NCRA’s files for that consumer.  In particular, companies are required to:

  • Develop and implement reasonable policies and procedures designed to enable the employer, after receiving a notice of address discrepancy, to form a "reasonable belief" that the consumer report relates to the consumer about whom the report was requested.  This can be accomplished by:
    • Comparing the information in the consumer report to information the company maintains in its records or obtains from third-party sources, or
    • Verifying information in the consumer report with the consumer.

Employers who regularly furnish information to the NCRA also need to develop and implement policies and procedures for supplying a confirmed address to the NCRA in situations where the employer establishes a continuing relationship with the consumer and forms a reasonable belief that the report relates to the consumer.

Accordingly, all employers who use consumer reports to screen applicants or employees for employment purposes must develop and implement written policies that describe the steps to be followed after receiving a notice of address discrepancy.

Changes to Massachusetts Law Require the Development and Implementation of Comprehensive Written Information Security Programs

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has issued “Standards for The Protection of Personal Information of Residents of the Commonwealth” (“Standards”), 201 C.M.R. 17.00. The Standards, which go into effect on January 1, 2009, require any entity that has personal information about a Massachusetts resident to take specified precautions to protect that information.

“Personal information” refers to: “a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.”

To safeguard this personal information, companies need to develop and implement (1) written information security programs and (2) security requirements for computer systems. 

The OCABR has posted the following information on its website, www.mass.gov/consumer, to help small businesses comply with the new standards: 

  • 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth
  • Frequently Asked Questions Regarding 201 CMR 17.00
  • Small Business Guide for Formulating a Comprehensive Written Information Security Program
  • 201 CMR 17.00 Compliance Checklist

These materials lay out what employers need to do to be in compliance and provide a model policy that can be adapted.  The website also includes information on what employers need to do where there is a breach in security. 

If you would like more information about these new requirements or have questions about how to comply, please contact Laurie F. Rubin, the author of this Alert, at 617 456 8020 or lrubin@princelobel.com.