Neither the Fair Credit Reporting Act (FCRA) nor Massachusetts law dictates exactly how an employer must store consumer reports. However, given that there is potential liability for disclosing such information, the credit report should be kept separate from the employee’s general employment file and access them should be limited to those who need the information to make employment decisions.
Additionally, employers are reminded that Massachusetts law now requires all businesses to take reasonable steps to protect the personal information of Massachusetts residents by May 1, 2009. “Personal information” includes, but is not limited to, the first and last name of a Massachusetts resident or the resident’s first initial and last name, in combination with the individual’s social security number. Such information is commonly found on consumer reports.
Because all businesses have records of their employees’ name and social security number, every employer of Massachusetts residents is subject to the new requirements. The failure to property protect personal information may result in sanctions imposed by the Massachusetts Attorney General’s Office.
Disposing of Credit Reports
The FCRA regulations provide that employers must properly dispose of consumer reports by taking reasonable measures to protect against unauthorized access to the information in connection with its disposal. The regulations further suggest that an employer implement policies and procedures whereby such reports are either (1) physically destroyed (i.e. shred, burned, pulverized) so that they are illegible; (2) if stored electronically, erased or destroyed so that they cannot practicably be read or destroyed; or (3) after due diligence, utilizing the services of a business that engages in record destruction.
Given the potential for liability under both federal and state law, employers are urged to contact an employment attorney to ensure adequate compliance.