In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees.  Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees.  New York adopted a similar statute.  Several other states – Connecticut, Massachusetts, and Texas – have statutes mandating the establishment of privacy policies that could also apply in the employer-employee context.

Companies should check whether they have a written policy concerning the use and disclosure of protected employee personal information.  If they do not, they should confirm that none of the states in which they operate currently require such a policy or are planning to do so through new legislation.


The number of states that have enacted statutes that may require employers to create employee privacy policies.1


The fine that can be assessed under New York’s statute to employers who unlawfully disseminate an employee’s SSN.2


The damages awarded to a group of Michigan employees who sued their union after it failed to safeguard their SSN.3


What to think about when drafting or reviewing an employee privacy policy:

  1. Does the privacy policy capture the main ways in which your organization collects personal information from its employees?
  2. Does the privacy policy discuss the confidentiality of employee SSN and other personal information?
  3. Does the privacy policy explain how employee SSN and other personal information are protected?
  4. Does the privacy policy limit who has access to information or documents that contain employee SSN and other personal information?
  5. Does the privacy policy describe how to properly dispose of documents that contain employee SSN and other personal information?
  6. Does the privacy policy describe the disciplinary measures that may be taken for violations?
  7. How will the policy be distributed to each employee?
  8. Can the average employee understand the policy?
  9. Does the privacy policy use terms that might be misunderstood or misinterpreted by a regulator or a plaintiff’s attorney?
  10. Does the privacy policy comply with the laws in each jurisdiction to which your organization is subject?

1. These states are: Connecticut (Conn. Gen. Stat. § 42-471), Massachusetts (201 Mass. Code Regs. 17.03), Michigan (Mich. Comp. Laws § 445.84), New York (N.Y. Lab. Law § 203-d), and Texas (Tex. Bus. & Com. Code Ann. § 501.052).

2. N.Y. Lab. Law § 203-d(3).

3. John F. Buckley & Ronald M. Green, State by State Guide to Human Resources Law § 1.36 (2015).