Protecting Employee and Customer Data

By: Mike Meltser, Attorney

Every Texas employer is legally required to protect the data that employees (and customers) provide. This article lists the Texas and federal laws employers are expected to know and follow, with a brief summary of each.

Texas Laws

Confidentiality of Social Security numbers – Employers generally cannot print an individual’s social security number on any material sent by mail. There are exceptions for mailing IRS- and TWC-related forms (for example: W-2s) and government forms that require the employer to include Social Security numbers.

Texas Identity Theft Enforcement and Protection Act – All businesses must implement reasonable procedures to prevent the disclosure of sensitive personal information collected by the business in the regular course of business. The business must destroy customer records that contain sensitive personal information.

“Sensitive personal information” means an individual’s first name or last name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:

  • social security number;
  • driver’s license number or government-issued identification number; or
  • account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

or information that identifies an individual and relates to:

  • the physical or mental health or condition of the individual;
  • the provision of health care to the individual; or
  • payment for the provision of health care to the individual.

When a business discovers a breach, the business must notify any individual whose personal information was acquired by an unauthorized person no later than 60 days after the discovery of the breach.

If the breach involves at least 250 Texas residents, there is an additional requirement to notify the Texas Attorney General by providing a detailed description of the breach, the number of residents affected, measures taken in response to the breach, and information regarding whether law enforcement is investigating the breach.

Biometric Identifiers – Texas prohibits the capture of a biometric identifier (retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) for a commercial purpose without informed consent.

Biometric identifiers must be stored and protected from disclosure using reasonable care, and biometric identifiers must be destroyed within a reasonable time.

Business Records – When a business disposes of business records that contain personal identifying information of a customer of the business, the business must shred the information so that it becomes unreadable.

“Personal identifying information” means an individual’s first name or initial and last name in combination with one or more of the following: (a) date of birth; (b) social security number or other government-issued identification number; (c) mother’s maiden name; (d) unique biometric data, including the individual’s fingerprint, voice data, or retina or iris image; (e) unique electronic identification number, address, or routing code; (f) telecommunication access device as defined by Section 32.51 of the Penal Code, including debit or credit card information; or (g) financial institution account number or any other financial information.

Genetic Information – Texas prohibits the disclosure of genetic information unless an individual or the individual’s legal representative provides written authorization.

“Genetic information” means information that is (a) obtained from or based on a scientific or medical determination of the presence or absence in an individual of a genetic characteristic; or (b) derived from the results of a genetic test performed on, or a family health history obtained from, an individual.

Federal Laws

HIPAA – This law primarily deals with covered entities (health care providers, health plans, and health care clearinghouses). However, employers that provide self-insured health plans for employees or act as intermediaries between employees and health care providers must take care to abide by the requirements that ensure the privacy of personally-identifiable health information (PHI). Generally, employers should keep PHI as private and confidential as possible and ask for the advice of counsel when dealing with HIPAA issues.

ADA – Employers with 15 or more employees must keep all medical information separate from general personnel files and treat the information as a confidential medical record.

GINA – This law prohibits the use of genetic information in employment decisions. Under this law, employers must keep any genetic information they acquire about job applicants or employees confidential. Like the ADA, employers must keep genetic information separate from personnel files. Employers may keep genetic information about employees in the same file as medical information kept subject to the ADA.

“Genetic information” includes:

  • information about an individual’s genetic tests;
  • genetic tests of an individual’s family members;
  • information about the manifestation of a disease or disorder in an individual’s family members (i.e. family medical history);
  • an individual’s request for, or receipt of, genetic services;
  • participation in clinical research that includes genetic services by the individual or a family member of the individual;
  • genetic information of a fetus carried by an individual or by a pregnant woman who is a family member of the individual;
  • genetic information of an embryo legally held by the individual or family member using an assisted reproductive technology.

FMLA – This law requires that records and documents created for the purposes of FMLA that contain family medical history or genetic information be maintained in accordance with GINA. Employers must keep this information separate from personnel files.

FCRA – This law requires employers who acquire credit or criminal background reports from a company in the business of compiling background information to tell the applicant or employee that the employer might use the information for decisions about his or her employment. This notice must be in writing and in a stand-alone format. The notice cannot be in the employment application itself. Employers must also obtain the applicant’s or employee’s written permission to do the background check.

Employers may discover information in a background check that leads them to decide against hiring an applicant or to terminate an employee. Before making an adverse employment decision, the employer must give the applicant or employee a notice that includes a copy of the report relied on to make the decision. The employer must also enclose a summary of the applicant’s or employee’s rights under the FCRA. After making an adverse employment decision, the employer must tell the applicant or employee that he or she was rejected because of information in the report. The employer must also provide information about the company that sold the report, state that the company selling the report did not make the decision, and state that he or she has a right to dispute the accuracy or completeness of the report.