RAQs: Recently Asked Questions

Topic: Employee Identity Theft - 7/27/2020
I was recently contacted by my employer stating that someone had applied for unemployment benefits...
Posted: Monday, July 27, 2020 Permalink

MEMBER QUESTION

I was recently contacted by my employer stating that someone had applied for unemployment benefits using my Social Security number name and Job title. My employer notified me by email to be aware of this but stated that they conducted a security audit and found that there was no breach on their end and that the matter was currently being investigated by the department of labor and FBI. What responsibilities does an employer have to the employee when this happens? What should the employee do?

WNYLRC ATTORNEY'S RESPONSE

For this answer, we are again joined by Jessica Keltz, associate attorney at the Law Office of Stephanie Adams, PLLC.

This question takes us back to the SHIELD Act. Last discussed by Ask The Lawyer at the end of 2019 (https://www.wnylrc.org/ask-the-lawyer/raqs/100). The SHIELD Act requires businesses (and other entities that conduct business, such as, yes, libraries) that collect personal data to institute compliance measures including assessing security risks, implementing new data security measures, and securely destroying private information when it is no longer needed for business purposes.

We will take the two questions separately.

First, what responsibilities does an employer have to the employee when this happens?

If your library is not part of a large institution such as a university or a hospital, its compliance responsibilities likely fall under the SHIELD Act requirements for “small businesses.”

The act’s definition of a “small business” is:

"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.

Compliance requirements for small businesses under the SHIELD Act are more generalized; they simply need to ensure that their data security safeguards are appropriate for their business’ size, complexity, scope of activities, and the sensitivity of the information the business handles.  Within those guidelines, libraries that fall under the “small business” requirements should have a data breach plan.

The event that the member described is certainly cause to be concerned that a data breach had occurred, and the library should have a plan to address it. What does addressing it look like? The most important elements are being able to evaluate whether a breach occurred (which it seems like the employer was able to do), and disclosing to the potential victim that a breach may have occurred (which the employer definitely did).

If the library had found that a data breach did occur, staff or a contract data security expert should re-evaluate the library’s security protocols to make sure to prevent the problem in the future; but in this case, as a breach did not occur, this may not be necessary.

In the case of a data breach or potential data breach (and this falls under “potential”), the employer is also required to disclose the concern to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. By notifying you this event occurred, the employer has complied with the requirement.

Meanwhile, what can an employee in this position do?

First: as soon as possible, the employee should consider involving their own attorney.  The risks posed by this situation are too critical.  For those who can’t afford an attorney, contact the local county bar association to learn about pro bono assistance in your region.

Second, assuming the employer has complied with their obligations under the SHIELD Act, since this involved a fraudulent claim for unemployment from the New York State Department of Labor (“NYSDOL”), the employee should work with the NYSDOL to learn all they can about the incident.

This starts with contacting NYSDOL’s fraud department at https://labor.ny.gov/agencyinfo/uifraud.shtm, to see what they can share about the abuse of your personal information.  Armed with whatever other information is gathered from NYSDOL, the employee (or their attorney) can then look at their own credit history and other uses of their identity for potential breaches (social media and e-mail accounts).

While this is going on, be extra-wary of any calls, emails, or other contact requesting any personal information.  Always require people to call back or write to you with any out-of-the-blue-seeming inquiry.  Make sure the people close to you know you are on heightened alert.  Consider changing all passwords (just make sure you keep a good record of the changes in a very secure place).

The Federal Trade Commission offers guidelines on when and how to place a “fraud alert” on your credit, to stop new accounts from being opened using your name and information.

https://www.consumer.ftc.gov/articles/0275-place-fraud-alert.  Any person who learns their information may have been illegally accessed should also request a free credit history from one of the three main credit bureaus, and review their credit report for any unexpected checks or accounts. Depending on what you find when you do so, consider freezing your credit and reporting the theft of your identity to the Federal Trade Commission.

And finally, if any employee has reason to believe their employer or a contract provider is at fault for a breach (even if the employer or contract provider denies it) it is even more critical that the employee consult their own attorney as soon as possible.  There are too many variables to give general guidance on this, but broadly speaking, the more you have at stake (employment-related information, direct deposit information, health and benefit-related information, and of course, a potential dispute with an employer) the more important it is to act quickly.

The scenario the member describes is nerve-wracking, and the member was right to reach out about it. Don’t go it alone!

Tags: COVID-19, Emergency Response, Security Breach, SHIELD Act, Employee Rights, Identity Theft

Year

0

2016 4

2017 24

2018 29

2019 42

2020 60

Topics

501c3 2

Academic Libraries 2

Accessibility 4

ADA 8

Association Libraries 2

Board of Trustees 4

Branding and Trademarks 1

Broadcasting 1

Budget 1

Circular 21 1

Contact tracing 1

CONTU 2

Copyright 69

COVID-19 43

CPLR 4509 3

Crafting 1

Criminal Activity 1

Data 2

Defamation 1

Derivative Works 3

Digital Access 9

Digital Exhibits 1

Digitization and Copyright 10

Disclaimers 3

Discrimination 1

Dissertations and Theses 1

DMCA 2

Donations 3

E-Books and Audiobooks 2

Ed Law 2-d 1

Education Law Section 225 1

Elections 2

Emergency Response 41

Employee Rights 8

Ethics 3

Executive Order 3

Fair Use 29

Fan Fiction 1

Fees and Fines 3

FERPA 5

First Amendment 1

First Sale Doctrine 3

Forgery and Fraud 1

Friends of the Library 2

Fundraising 1

Hiring Practices 1

Historic Markers 1

HRL 1

Identity Theft 1

IRS 1

Labor 3

Laws 18

LibGuides 1

Library Buildings 1

Library Programming and Events 8

Licensing 3

Local Organizations 1

Management 16

Meeting Room Policy 5

Memorandum of Understanding 1

Microfilm 1

Movies 5

Municipal Libraries 5

Music 11

Newspapers 3

Omeka 1

Online Programming 11

Open Meetings Law 1

Oral Histories 1

Overdrive 1

Ownership 1

Parodies 1

Personnel Records 1

Photocopies 15

Policy 32

Preservation 2

Privacy 11

Property 3

PTO, Vacation, and Leave 1

Public Access 1

Public Domain 7

Public Health 1

Public Libraries 9

Public Officers Law 1

Public Records 2

Quarantine Leave 2

Reopening policies 8

Retention 3

Retirement 1

Ripping/burning 1

Safety 3

Salary 2

School Ballots 1

School Libraries 5

Section 108 2

Section 110 2

Section 1201 1

Security Breach 2

Sexual Harassment 2

SHIELD Act 2

Smoking or Vaping 2

Social Media 4

SORA 1

Story time 3

Streaming 12

SUNY 1

Swank Movie Licensing 3

Taxes 4

Teachers Pay Teachers 1

Telehealth 1

Template 2

Textbooks 3

Umbrella Licensing 2

VHS 4

Voting 1

W3W 1

WAI 1

Work From Home 1

Yearbooks 2

Zoom 1

The WNYLRC's "Ask the Lawyer" service is available to members of the Western New York Library Resources Council. It is not legal representation of individual members.