September 5, 2005
Slash and burn | Maine companies should be aware of a new federal law requiring that employee information be protected
By Jeffrey Bouley
Rita Bubar, corporate human resources manager at Cianbro Corp. in Pittsfield, manages personnel records for thousands of employees.
"We're a fairly large construction company, employing anywhere from 1,500 to 2,200 people up and down the eastern seaboard in 15 different states. We also have fairly high turnover, with new hires of between 500 and 1,000 people each year, since not everyone wants to move to the next big job in another area," she says. "At the same time, we want to have a good database from which to pull people when we come back to an area. So we don't really throw out records."
Keeping that employee information private has been a major concern for Bubar and her staff. Back when HR records were held in paper files, Bubar made sure that shredding was a common occurrence. (These days, the employee records have been transitioned to a Web-based system, and the shredders see perhaps 10% of the action they did a few years ago, according to Bubar.)
Cianbro also has a policy in place to use personal information on printed records as little as possible. Social Security numbers, for example, are typically left off forms when possible, with employee identification numbers being used instead. Personal health information, such as documentation of physicals for work readiness and participation in company wellness programs, is handled by a third party, and only general pass/fail or aggregate group information is shared with Cianbro.
All of those policies, which were finalized about two years ago after a three-year effort to upgrade the record-keeping system, ended up putting Cianbro ahead of the game in complying with the Fair and Accurate Credit Transactions Act of 2003, or FACTA. The law has received a fair amount of coverage since the Federal Trade Commission began implementing the "disposal rule" portion of the act on June 1. But what many companies don't know is that it's not just credit reporting firms, credit providers or other financial- and credit-oriented companies that are held to account under FACTA.
FACTA's disposal rule calls for the destruction ˆ usually by burning or shredding ˆ of what it calls "consumer reports" that are used, or expected to be used, in establishing a consumer's eligibility for credit, employment or insurance, among other purposes. (See "FACTA facts" on p. 33 for more on what constitutes a consumer report.)
It's the "employment" part that a lot of companies need to key in on, says John Coolong, manager of information technology consulting for Portland-based business consulting and accounting firm Baker, Newman and Noyes. Because even though the FTC isn't actively pursuing violations now, no company can be sure when it might be in the crosshairs.
"Frankly, I don't think very many companies that aren't in the credit business will know FACTA is out there," Coolong says. "Much like with HIPAA [the Healthcare Information Portability and Accountability Act] and Sarbanes-Oxley when they came out with policies on document handling, some companies may vaguely know about the law. But even if they do, they don't know what kind of teeth it will have, or what kind of impact. Some won't even know it affects them."
Complacence vs. compliance
Katherine Armstrong, an attorney in the FTC's Division of Financial Practices, says that at this point the agency hasn't begun enforcing FACTA's document destruction rules. "We don't kid ourselves that everyone is in compliance," she says. "We know that plenty of companies aren't doing what they should. But as of yet, there's no pattern of behavior that we've seen and acted on. Furthermore, we're not going to be going out and policing companies or checking them out to see if they're in compliance."
However, Armstrong does caution companies against getting complacent. Even though the FTC will not audit companies in the same way that the government audits Medicare records for health care institutions, for example, companies can still get in trouble if someone reports them or if patterns of behavior becomes obvious. An insider at a company might tell the FTC of a violation, for example, or someone in the agency could see a news story about employees' personal records turning up intact in a dumpster. These and other such leads would be enough to spur the FTC to action, Armstrong says. FTC fines can be as high as $2,500 per violation, and companies also can be open to punitive damages from class-action lawsuits if a large number of employees are affected.
Cianbro's Bubar is confident that her company is in the clear. And, with so much of Cianbro's recordkeeping now electronic, she doesn't expect the arrival of FACTA to spur an increase in the company's shredder purchases. Most other companies probably won't be rushing out to the stores or clicking through online catalogs to do that, either.
Craig Church, owner of Church Office Equipment in Portland, hasn't seen any noticeable up-tick in shredder sales since June, in part because companies that will be affected by FACTA probably have at least enough document destruction equipment to get them started. While that's good news for employers, it's not particularly helpful for Church's business.
"Now with HIPAA, that was a different story," he says. "That affected a lot of companies in health care that weren't used to being told how to handle and destroy documents. The year HIPAA came out, our sales of shredders were so good that we had our largest sales increase for a single-line product ever."
"We're a fairly large construction company, employing anywhere from 1,500 to 2,200 people up and down the eastern seaboard in 15 different states. We also have fairly high turnover, with new hires of between 500 and 1,000 people each year, since not everyone wants to move to the next big job in another area," she says. "At the same time, we want to have a good database from which to pull people when we come back to an area. So we don't really throw out records."
Keeping that employee information private has been a major concern for Bubar and her staff. Back when HR records were held in paper files, Bubar made sure that shredding was a common occurrence. (These days, the employee records have been transitioned to a Web-based system, and the shredders see perhaps 10% of the action they did a few years ago, according to Bubar.)
Cianbro also has a policy in place to use personal information on printed records as little as possible. Social Security numbers, for example, are typically left off forms when possible, with employee identification numbers being used instead. Personal health information, such as documentation of physicals for work readiness and participation in company wellness programs, is handled by a third party, and only general pass/fail or aggregate group information is shared with Cianbro.
All of those policies, which were finalized about two years ago after a three-year effort to upgrade the record-keeping system, ended up putting Cianbro ahead of the game in complying with the Fair and Accurate Credit Transactions Act of 2003, or FACTA. The law has received a fair amount of coverage since the Federal Trade Commission began implementing the "disposal rule" portion of the act on June 1. But what many companies don't know is that it's not just credit reporting firms, credit providers or other financial- and credit-oriented companies that are held to account under FACTA.
FACTA's disposal rule calls for the destruction ˆ usually by burning or shredding ˆ of what it calls "consumer reports" that are used, or expected to be used, in establishing a consumer's eligibility for credit, employment or insurance, among other purposes. (See "FACTA facts" on p. 33 for more on what constitutes a consumer report.)
It's the "employment" part that a lot of companies need to key in on, says John Coolong, manager of information technology consulting for Portland-based business consulting and accounting firm Baker, Newman and Noyes. Because even though the FTC isn't actively pursuing violations now, no company can be sure when it might be in the crosshairs.
"Frankly, I don't think very many companies that aren't in the credit business will know FACTA is out there," Coolong says. "Much like with HIPAA [the Healthcare Information Portability and Accountability Act] and Sarbanes-Oxley when they came out with policies on document handling, some companies may vaguely know about the law. But even if they do, they don't know what kind of teeth it will have, or what kind of impact. Some won't even know it affects them."
Complacence vs. compliance
Katherine Armstrong, an attorney in the FTC's Division of Financial Practices, says that at this point the agency hasn't begun enforcing FACTA's document destruction rules. "We don't kid ourselves that everyone is in compliance," she says. "We know that plenty of companies aren't doing what they should. But as of yet, there's no pattern of behavior that we've seen and acted on. Furthermore, we're not going to be going out and policing companies or checking them out to see if they're in compliance."
However, Armstrong does caution companies against getting complacent. Even though the FTC will not audit companies in the same way that the government audits Medicare records for health care institutions, for example, companies can still get in trouble if someone reports them or if patterns of behavior becomes obvious. An insider at a company might tell the FTC of a violation, for example, or someone in the agency could see a news story about employees' personal records turning up intact in a dumpster. These and other such leads would be enough to spur the FTC to action, Armstrong says. FTC fines can be as high as $2,500 per violation, and companies also can be open to punitive damages from class-action lawsuits if a large number of employees are affected.
Cianbro's Bubar is confident that her company is in the clear. And, with so much of Cianbro's recordkeeping now electronic, she doesn't expect the arrival of FACTA to spur an increase in the company's shredder purchases. Most other companies probably won't be rushing out to the stores or clicking through online catalogs to do that, either.
Craig Church, owner of Church Office Equipment in Portland, hasn't seen any noticeable up-tick in shredder sales since June, in part because companies that will be affected by FACTA probably have at least enough document destruction equipment to get them started. While that's good news for employers, it's not particularly helpful for Church's business.
"Now with HIPAA, that was a different story," he says. "That affected a lot of companies in health care that weren't used to being told how to handle and destroy documents. The year HIPAA came out, our sales of shredders were so good that we had our largest sales increase for a single-line product ever."
Most Recent
Most Recent
Comments