New Jersey Identity Theft New Jersey Identity Theft Prevention ActPrevention Act

Presented by:Presented by:

Annmarie SimeoneAnnmarie Simeone

What is Identity Theft?What is Identity Theft?

• In general terms, identity theft is the In general terms, identity theft is the misappropriation and fraudulent use of a person’s misappropriation and fraudulent use of a person’s personal or confidential information.personal or confidential information.

• Examples of personal, confidential information Examples of personal, confidential information are: SSN, drivers license number, names, are: SSN, drivers license number, names, addresses, dates of birth, credit card numbers, addresses, dates of birth, credit card numbers, PINS, bank account numbers.PINS, bank account numbers.

The NJ Act Refers to “Personal The NJ Act Refers to “Personal Information” and Defines it as:Information” and Defines it as:

• A person’s last name and first name (or initial)A person’s last name and first name (or initial)• PLUS PLUS – One or more of the following:– One or more of the following:

– social security numbersocial security number

– driver’s license numberdriver’s license number

– state identification numberstate identification number

– account information related to debit or credit cards, account information related to debit or credit cards, including any password or access codesincluding any password or access codes

Personnel Files A Ripe Source Personnel Files A Ripe Source For Identity ThievesFor Identity Thieves

• What is clear is that “personal information” What is clear is that “personal information” is the type of information contained in a is the type of information contained in a company’s personnel files on its employees, company’s personnel files on its employees, which makes such records, whether which makes such records, whether maintained in a file folder or electronically, maintained in a file folder or electronically, a ripe source for identity thieves.a ripe source for identity thieves.

The StatisticsThe Statistics

• Better Business Bureau reportBetter Business Bureau report: 9.3 million : 9.3 million Americans subject of identify theft in 2004Americans subject of identify theft in 2004

• ““Identity Theft 911” Identity Theft 911” (an independent company (an independent company providing identity theft services) says NJ residents providing identity theft services) says NJ residents filed 6,530 identity theft complaints with the Federal filed 6,530 identity theft complaints with the Federal Trade Commission in 2003 (up 36% from 2002)Trade Commission in 2003 (up 36% from 2002)

• Identify Theft ComplaintsIdentify Theft Complaints filed with the FTC rose filed with the FTC rose nationally from 162,000 in 2002 to 246,000 in 2004nationally from 162,000 in 2002 to 246,000 in 2004

The Statistics The Statistics (cont’d)(cont’d)

• The cost to businesses and banks was recently The cost to businesses and banks was recently estimated at $48 billion estimated at $48 billion

• 33% to cover losses due to credit card fraud33% to cover losses due to credit card fraud

• more than 20% lost to bogus telephone and more than 20% lost to bogus telephone and utility accounts*utility accounts*

* NJ Record, November 27, 2005* NJ Record, November 27, 2005

Occurrences Of Identity Occurrences Of Identity Theft In The WorkplaceTheft In The Workplace

• Sophisticated computer hacking strategies can be used Sophisticated computer hacking strategies can be used to access employee information.to access employee information.

HOWEVER,HOWEVER,• Reports suggest that the overwhelming majority of Reports suggest that the overwhelming majority of

identity theft incidents in the workplace occur through identity theft incidents in the workplace occur through simpler, unsophisticated means such as copying of simpler, unsophisticated means such as copying of personnel files from an unlocked file room or through personnel files from an unlocked file room or through an employee’s downloading confidential information an employee’s downloading confidential information from a company’s network.from a company’s network.

Federal LawsFederal Laws

• Electronic Fund Transfer ActElectronic Fund Transfer Act – offers protections for – offers protections for persons using electronic means (such as a debit card) to persons using electronic means (such as a debit card) to debit or credit an account.debit or credit an account.

• Fair Credit Reporting ActFair Credit Reporting Act – requires that a person’s – requires that a person’s credit record only be provided for legitimate business credit record only be provided for legitimate business needsneeds

• Health Insurance Portability and Accountability Act Health Insurance Portability and Accountability Act (HIPAA)(HIPAA) – requires employers to protect confidential – requires employers to protect confidential medical records which may contain an employee’s medical records which may contain an employee’s identifying informationidentifying information

Federal Laws Federal Laws (cont’d)(cont’d)

• Identity Theft and Assumption Deterrence ActIdentity Theft and Assumption Deterrence Act – makes – makes it a crime to transfer or use another’s personal information it a crime to transfer or use another’s personal information with the intent to commit, aid or abet in any unlawful with the intent to commit, aid or abet in any unlawful activityactivity

• Fair and Accurate Credit Transactions Act (FACTA)Fair and Accurate Credit Transactions Act (FACTA) – – requires employers to take reasonable measures in requires employers to take reasonable measures in disposing of an employee’s credit report obtained as part disposing of an employee’s credit report obtained as part of the employer’s hiring process. This can also include of the employer’s hiring process. This can also include background checks on applicants which are obtained by background checks on applicants which are obtained by the employer regarding the applicants and employees.the employer regarding the applicants and employees.

How is the Goal Achieved?How is the Goal Achieved?• By: By:

– restricting a company’s use, retention and destruction restricting a company’s use, retention and destruction of an individual’s personal informationof an individual’s personal information

– developing notice requirements applicable to employers developing notice requirements applicable to employers when personal information is improperly accessed or when personal information is improperly accessed or disclosed, anddisclosed, and

– establishing a security freeze mechanism for use by establishing a security freeze mechanism for use by individualsindividuals

Goal of the NJ Act?Goal of the NJ Act?• Prevent new, and mitigate existing, identity theftPrevent new, and mitigate existing, identity theft

Who Does the Act Regulate?Who Does the Act Regulate?

• Any entity conducting business in New Any entity conducting business in New Jersey Jersey – sole proprietorships, partnerships, sole proprietorships, partnerships,

corporations, associations, and LLCscorporations, associations, and LLCs

Who Does the Act Protect?Who Does the Act Protect?

““Consumer”Consumer” – “an individual;” “customers”: – “an individual;” “customers”: which means individuals who provide which means individuals who provide personal information to a business. This personal information to a business. This includes includes – job applicants, employees, temp staff, job applicants, employees, temp staff,

consultants, contractors, and agentsconsultants, contractors, and agents

What Types of Records What Types of Records Are Subject to the Act?Are Subject to the Act?

• Paper Paper andand electronic documents electronic documents• In the workplace, common documents that In the workplace, common documents that

would include personal information include:would include personal information include:– job applicationsjob applications– health benefits forms/ID cardshealth benefits forms/ID cards– retirement/401k account cardsretirement/401k account cards– I-9 Employment Eligibility Verification formsI-9 Employment Eligibility Verification forms– direct deposit authorization forms direct deposit authorization forms

How Does the Act Work?How Does the Act Work?• Limits Use and Display of Social Security Limits Use and Display of Social Security

NumbersNumbers• cannot be publicly posted or displayed (in full or any 4 or more

consecutive numbers of the SSN)• cannot print the SSN on materials to be mailed to individual unless required by law• cannot print SSN on cards needed to access products or services

provided by the business• cannot intentionally communicate or make available to the general

public the individual’s SSN• cannot require an individual to use SSN to access website unless

accompanied by a password.

How Does the Act Work?How Does the Act Work?

• Requires Timely and Complete Destruction Requires Timely and Complete Destruction of Records Containing “Personal of Records Containing “Personal Information”Information”

•Unreadable

•Undecipherable

•Nonreconstructable

How Does the Act Work?How Does the Act Work?

• Imposes Security Breach Notification Imposes Security Breach Notification Requirements on BusinessesRequirements on Businesses

Security FreezeSecurity Freeze

• A consumer can limit access to his/her consumer report by A consumer can limit access to his/her consumer report by requesting a “security freeze”requesting a “security freeze”

• DefinitionDefinition: a notice placed in a consumer’s consumer report, : a notice placed in a consumer’s consumer report, at the request of the consumer…that prohibits the consumer at the request of the consumer…that prohibits the consumer reporting agency from releasing the report or any information reporting agency from releasing the report or any information from the report without the express authorization of the from the report without the express authorization of the consumer. However, the freeze does not prevent a consumer consumer. However, the freeze does not prevent a consumer reporting agency from advising a third party that a security reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report.freeze is in effect with respect to the consumer report.

Security Freeze Security Freeze (cont’d)(cont’d)

• Request to institute the freeze must be in writing;Request to institute the freeze must be in writing;• The credit agency has 5 business days to put the freeze The credit agency has 5 business days to put the freeze

into effect. Within 5 days of placing the freeze, the into effect. Within 5 days of placing the freeze, the reporting agency has 5 days to send written confirmation reporting agency has 5 days to send written confirmation to the consumer, and provide the consumer with a PIN to the consumer, and provide the consumer with a PIN or password to authorize release;or password to authorize release;

• Request to lift freeze – must be in writing and Request to lift freeze – must be in writing and regulations should establish procedures for quickly regulations should establish procedures for quickly lifting freeze (within 15 minutes of the request); lifting freeze (within 15 minutes of the request); Currently have 3 days; max. $5 charge to lift freeze. Currently have 3 days; max. $5 charge to lift freeze.

Security Freeze Security Freeze (cont’d)(cont’d)

• If a third party requests access to a consumer report and is If a third party requests access to a consumer report and is refused because of the freeze, and the consumer refuses to refused because of the freeze, and the consumer refuses to allow access to the third party, the third party may treat the allow access to the third party, the third party may treat the application as incomplete.application as incomplete.

• The freeze will not apply to certain requesting parties, which The freeze will not apply to certain requesting parties, which are set forth in the Act.are set forth in the Act.

Penalties for Non-CompliancePenalties for Non-Compliance

• Consumer may be entitled to bring an action under Consumer may be entitled to bring an action under the NJ Fair Credit Reporting Act or the NJ the NJ Fair Credit Reporting Act or the NJ Consumer Fraud ActConsumer Fraud Act

• Private Causes of Action – invasion of privacy; Private Causes of Action – invasion of privacy; negligencenegligence

RegulationsRegulations

Suggestions for ComplianceSuggestions for Compliance

– Employers should update their internal policies and/or Employers should update their internal policies and/or employee handbooks to comply with Act;employee handbooks to comply with Act;

– Establish a policy Establish a policy • prohibiting the dissemination of employee personnel files or prohibiting the dissemination of employee personnel files or

other files containing personal information;other files containing personal information;

• outlining the types of confidential information that actually are outlining the types of confidential information that actually are needed during the hiring process, and expressly forbidding the needed during the hiring process, and expressly forbidding the collection of confidential information that is not really collection of confidential information that is not really necessarynecessary

Suggested for Compliance Suggested for Compliance (cont’d)(cont’d)

– Establish a confidentiality policy that limits employee Establish a confidentiality policy that limits employee access to personal information;access to personal information;

– Store hard copies of records in a secure location with Store hard copies of records in a secure location with limited access (possibly monitored access); limited access (possibly monitored access);

– Train employees with access to “personal information” Train employees with access to “personal information” about proper use and handling of the personal about proper use and handling of the personal information;information;

– Examine current computer system to protect against Examine current computer system to protect against access to information by unauthorized individuals;access to information by unauthorized individuals;

Suggestions for Compliance Suggestions for Compliance (cont’d)(cont’d)

– Employers that store personal information in electronic Employers that store personal information in electronic format should examine their current computer system format should examine their current computer system to protect against access to information by unauthorized to protect against access to information by unauthorized individuals;individuals;

– Implement appropriate software to protect against Implement appropriate software to protect against computer viruses, unauthorized access to a computer’s computer viruses, unauthorized access to a computer’s network, and similar on-line or electronic invasions of network, and similar on-line or electronic invasions of electronic data storage; encryption;electronic data storage; encryption;

– Adjust document retention policies;Adjust document retention policies;– Define and implement notice procedures in the event of Define and implement notice procedures in the event of

security breach;security breach;

Suggestions for Compliance Suggestions for Compliance (cont’d)(cont’d)

– Outsourcing – shredding companies –on-site; off-site; Outsourcing – shredding companies –on-site; off-site; charge by the pound;charge by the pound;

– Continue compliance with state and federal records Continue compliance with state and federal records retention lawsretention laws

Annmarie SimeoneAnnmarie Simeoneamsimeone@nmmlaw.com amsimeone@nmmlaw.com

Areas of Practice:Labor and Employment, Commercial Litigation

Admitted to Practice in: New Jersey State and Federal Courts

Education:J.D., Seton Hall University School of Law

St. John’s University, B.A., summa cum laude