State laws and their impact on electronic records management

July 6, 2009 · Posted in: HR Info Center

Electronic records management has been dramatically affected by state laws on notification and disclosure.

Over 35 states have breach notification laws on the books. The number will probably increase to over 40 by 2009. As of February 2008, four more states are currently considering breach notification laws. We’re really at the stage where nearly every state either has an existing law about electronic records management or security or is working on developing such a law. Now the key thing to know about these breach notification laws is that they are based on where the individual lives, not on where the company is located or where the breach occurred.

In most cases, a single breach incident in your electronic records management will trigger notice obligations under multiple state laws and that is one of the complexities of this area of the law. So even if you’re based in one of the handful of states that doesn’t yet have a breach notification law, you still need to know about these laws.

State breach notification laws apply to all sizes of companies.
We usually only hear in the paper or on TV about breaches at large companies because that’s what gets the media attention. But these laws apply equally to breaches in electronic records management policy at smaller companies. And these breaches can have equally terrible consequences for small companies.

Electronic records management and social security numbers
Beyond the breach notification laws, you should also be aware that there is an ever-increasing number of laws regulating the use of Social Security numbers.

Trying to sum them up briefly, they regulate specific types of practices with electronic records management. For instance, many of the laws regulate when you can require an individual to transmit a Social Security number online.

They also regulate printing Social Security numbers on cards required to access some facilities or services, for instance ID badges. They also regulate printing Social Security numbers on documents being mailed to employees.

Now for instance, California’s law says you can only print Social Security numbers on documents mailed to employees if that is required by law, for instance, for tax reporting purposes. And even if you’re doing that, you have to make sure that the Social Security numbers are enclosed in the mailing in a way they’re visible from the outside. So, you’re seeing that this is really focused on preventing identity theft using Social Security numbers.

These laws generally prohibit any public posting or public display of Social Security numbers. So the best practice here, which you already know, is not to use Social Security numbers as employee identification numbers, even internally.

Breach notification triggers in an electronic records management policy
This really plays into the breach notification issue as well because Social Security numbers trigger a breach notification obligation in a lot of cases. So it’s far better to assign a random number that doesn’t have the same risk either of security breach notification or of identity theft to the employee.

And I’ll mention as well that many states or at least several states have started already passing general data security laws. California has a very general law on the books that any company that maintains personal information needs to take reasonable measures to protect it.

Nevada has passed a law, which takes effect this October, that actually requires encryption of customer information in electronic transmission in your electronic records management policy. And that’s a really significant development because up until now, encryption has been rewarded but not required, but we may be seeing that starting to change where states require this as part of an electronic records management policy.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
