Saturday, July 19, 2008

Legislating an Employee Data Protection Policy - an Idea for Indiana

I vote yes, it would. With only two states doing this - so far - I cannot see Indiana being an early adopter (but then when do we adopt something early?)

Take a look at the following from Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy:

Employers Must Create and Post a Social Security Number Policy. The Act requires the creation of a "a privacy protection policy" by any entity that collects SSNs in the course of its business. The Act does not limit this requirement to the collection of SSNs from any particular category of individuals, such as customers, patients, or insureds. The Act, therefore, necessarily encompasses the collection of SSNs from employees. Consequently, the Act requires employers to promulgate a policy that, at a minimum, (1) protects the confidentiality of SSNs; (2) prohibits unlawful disclosure of SSNs; and (3) limits access to SSNs.


Enforcement by Agencies. For persons holding a license, registration or certification issued by agencies other than the Department of Consumer Protection, only the licensing agency will enforce the Act. For all other businesses, the Department of Consumer Protection will enforce the Act. While the Act does not authorize a private right of action for violations, the Act's requirements arguably establish a standard of care that could be used to support a negligence lawsuit against an employer who fails to adequately safeguard personal information.

Fines Imposed, but Not for Unintentional Violations. Significantly, the Act specifically excludes unintentional violations from its purview. Intentional violations, however, can result in a civil penalty of $500 per violation, not to exceed $5,000 dollars per single event. Although the Act requires the depositing of any fine into a specific Privacy Protection Guaranty and Enforcement Account, the bill proposing the creation of such account did not pass into law. Such fines, therefore, likely will be deposited into the General Fund.
Thanks to Workplace Privacy Counsel blog for this one.