Are you ready for the onset of personal-information protection laws?

by Robert Byers 30. October 2009 23:19

Seems like it’s in the news every couple of weeks... some company fesses up to having "lost" or compromised a mind-boggling amount of personal information about individuals ...sadly, most often its customers. Usually what follows some time later is news of a class-action settlement running well into the millions of dollars. You see these stories and think, “Boy, am I glad we’re not in banking or retail or any of those industries that have to collect personal information.”

And now for the bad news: other than a matter of scale, you are in one of those industries ...as long as you have employees. Why? Because personal information (PI) is defined as an individual’s name, in combination with any of the following:

  • social security number
  • state-issued ID number (such as a driver’s license number)
  • financial account number
  • credit/debit card number

You’re required to collect and maintain several of those items for tax and other reasons; and if you offer payroll direct deposit, then you have bank-account information as well.

Making matters worse... if you employ Massachusetts residents, you now have more to worry about than a class-action lawsuit from your employees.  A new Massachusetts law aimed at combating identity theft requires strict protection of personal information for residents of MA.  The law especially targets electronic information, but covers paper documents as well.  If your business holds, licenses, stores or maintains PI on any MA resident, it is covered under the law.  For HR, this includes I-9s and W-4s, plus insurance, retirement plan and direct deposit information.

Unlike many business regulations, this law has teeth!  Both civil and criminal penalties are provided for.  Civil penalties may include $5,000 per violation, and up to $50,000 for improper disposal of PI (old hard drives or paper documents).

What you need to do
The law’s compliance deadline was recently pushed back two months to March 1, 2010 ...but that will be upon us before we know it.  Here are the steps you need to take: 

  • Develop and maintain a Written Information Security Plan (WISP). 
  • Train employees; define consequences for employees who do not adhere to the plan.
  • Don't share passwords, and don't make them simplistic. 
  • Encrypt any portable devices that contain personal information (laptops, PDAs, external hard drives, backup tapes, etc). 
  • Don't transmit or receive data via unprotected email, websites or wireless. 
  • Limit access to PI to people within your company with a genuine need to know. Keep written PI in locked file cabinets.

The WISP referenced in the first bullet above must address... 

  • the measures adopted to safeguard information;
  • designation of at least one person to manage the security program; 
  • disciplinary measures imposed for violations of the program;
  • how it will prevent terminated employees from accessing information;
  • monitoring of electronic records for unauthorized access and security risks;
  • documentation of incidents involving breach and resulting corrective actions;
  • use of user ID / password protocols for electronic PI documents;
  • access restriction to electronically stored information; and 
  • upgraded safeguards and protection (firewalls, encryption software) as needed.

If third parties that you do business with have access to your PI, "the new regulations require companies to take reasonable steps to ensure that their third-party service providers are capable of maintaining appropriate security measures," according to Management Moxie, a newsletter from Foley & Foley, PC.

Even if your company doesn’t employ Massachusetts residents, it’s probably a good idea to get out ahead of the curve on this issue, because it’s fairly likely that your state(s) will implement similar regulations in the relatively near future.

Genetic Nondiscrimination Act

by HR Support Center 2. October 2009 00:18

Effective November 21, 2009, the Genetic Information Nondiscrimination Act of 2008 (GINA) was enacted in recognition of developments in the field of genetics. Genetic tests now exist that can indicate whether individuals may be at risk for developing a specific disease or disorder. The concerns focus on whether employees may be at risk of losing access to health coverage or employment if insurers or employers have their genetic information.

To address these concerns, GINA prohibits discrimination based on genetic information and restricts acquisition and disclosure of such information. Genetic information includes information about an individual's genetic tests, genetic tests of a family member, and family medical history. Genetic information does not include information about the sex or age of an individual, the individual's family members, information that an individual currently has a disease or disorder, and tests for alcohol or drug use.

GINA includes Title I and Title II amendments:

  • Title I amends portions of the Employee Retirement Income Security Act (ERISA), the Public Health Service Act, and the Internal Revenue Code, and addresses the use of genetic information in health insurance.
  • Title II applies to private, state, and local government employers with 15 or more employees, employment agencies, labor unions, and joint labor-management training programs. Title II also prohibits use of genetic information in making decisions related to any terms, conditions, or privileges of employment, prohibits covered entities from intentionally acquiring genetic information about applicants and employees, requires confidentiality with respect to genetic information (with limited exceptions), and prohibits retaliation.

"Covered entities" (subject to Title II as noted above) may not use genetic information in making employment decisions under any circumstances. The general rule states that covered entities may not request, require, or purchase genetic information with respect to an employee/applicant or family member of an employee/applicant. Covered entities in possession of genetic information about applicants or employees must treat it the same way they generally treat medical information. (Note: GINA also amends the privacy provisions of HIPAA to include genetic information in the definition of protected health information.) Covered entities also must keep the information confidential and, if the information is in writing, they must keep it apart from other personnel information in separate medical files. Employers need to exercise caution when it comes to the GINA law to avoid penalties.