I was recently contacted by my employer stating that someone had applied for unemployment benefits using my Social Security number, name, and job title. My employer notified me by email to be aware of this but stated that they conducted a security audit and found that there was no breach on their end and that the matter was currently being investigated by the Department of Labor and FBI. What responsibilities does an employer have to the employee when this happens? What should the employee do?
For this answer, we are again joined by Jessica Keltz, associate attorney at the Law Office of Stephanie Adams, PLLC.
This question takes us back to the SHIELD Act, last discussed by Ask The Lawyer at the end of 2019 (https://www.wnylrc.org/ask-the-lawyer/raqs/100). The SHIELD Act requires businesses (and other entities that conduct business, such as, yes, libraries) that collect personal data to institute compliance measures including assessing security risks, implementing new data security measures, and securely destroying private information when it is no longer needed for business purposes.
We will take the two questions separately.
First, what responsibilities does an employer have to the employee when this happens?
If your library is not part of a large institution such as a university or a hospital, its compliance responsibilities likely fall under the SHIELD Act requirements for “small businesses.”
The act’s definition of a “small business” is:
"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.
Compliance requirements for small businesses under the SHIELD Act are more generalized; they simply need to ensure that their data security safeguards are appropriate for their business’ size, complexity, scope of activities, and the sensitivity of the information the business handles. Within those guidelines, libraries that fall under the “small business” requirements should have a data breach plan.
The event that the member described is certainly cause to be concerned that a data breach had occurred, and the library should have a plan to address it. What does addressing it look like? The most important elements are being able to evaluate whether a breach occurred (which it seems like the employer was able to do), and disclosing to the potential victim that a breach may have occurred (which the employer definitely did).
If the library had found that a data breach did occur, staff or a contract data security expert should re-evaluate the library’s security protocols to make sure to prevent the problem in the future; but in this case, as a breach did not occur, this may not be necessary.
In the case of a data breach or potential data breach (and this falls under “potential”), the employer is also required to disclose the concern to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. By notifying you that this event occurred, the employer has complied with the requirement.
Meanwhile, what can an employee in this position do?
First: as soon as possible, the employee should consider involving their own attorney. The risks posed by this situation are too critical. For those who can’t afford an attorney, contact the local county bar association to learn about pro bono assistance in your region.
Second, assuming the employer has complied with their obligations under the SHIELD Act, since this involved a fraudulent claim for unemployment from the New York State Department of Labor (“NYSDOL”), the employee should work with the NYSDOL to learn all they can about the incident.
This starts with contacting NYSDOL’s fraud department at https://labor.ny.gov/agencyinfo/uifraud.shtm to see what they can share about the abuse of your personal information. Armed with whatever other information is gathered from NYSDOL, the employee (or their attorney) can then review their own credit history and other uses of their identity (social media and e-mail accounts) for potential breaches.
While this is going on, be extra-wary of any calls, emails, or other contact requesting any personal information. Always require people to call back or write to you with any out-of-the-blue-seeming inquiry. Make sure the people close to you know you are on heightened alert. Consider changing all passwords (just make sure you keep a good record of the changes in a very secure place).
The Federal Trade Commission offers guidelines on when and how to place a “fraud alert” on your credit, to stop new accounts from being opened using your name and information (https://www.consumer.ftc.gov/articles/0275-place-fraud-alert).
Any person who learns their information may have been illegally accessed should also request a free credit history from one of the three main credit bureaus, and review their credit report for any unexpected checks or accounts. Depending on what you find when you do so, consider freezing your credit and reporting the theft of your identity to the Federal Trade Commission.
And finally, if any employee has reason to believe their employer or a contract provider is at fault for a breach (even if the employer or contract provider denies it) it is even more critical that the employee consult their own attorney as soon as possible. There are too many variables to give general guidance on this, but broadly speaking, the more you have at stake (employment-related information, direct deposit information, health and benefit-related information, and of course, a potential dispute with an employer) the more important it is to act quickly.
The scenario the member describes is nerve-wracking, and the member was right to reach out about it. Don’t go it alone!