If you like today’s post or any of my other series please “Subscribe” to this blawg to receive e-mail updates.  In addition, follow me on Twitter and “Like” me on Facebook.  If you need to contact me directly, please e-mail me at

For the past two Draw the Law posts I have focused on workplace privacy protections, which have included the following topics:

  1. Credit and background Checks and Surveillance and Electronic Monitoring
  2. Searching Personal Property and HIPAA Privacy

Today is the final day for the subject of dealing with sensitive or private information in the workplace.  I will be focusing on Job References, Social Security Numbers, and other kinds of Personal Information. Note that the last two types of information require businesses to protect them for not only employees, but people in general. This includes customers/clients/patients.  This is good because next week I will focus on legal issues with customers, and this is a nice segue into that series of posts.

Job References Immunity (HRS 663-1.95)

Suppose you let an employee go and a couple of weeks later another company calls you up asking about this former employee. If the former employee was decent or good you may consider giving them a reference or providing information to put them in a positive light. However, if they were terrible you may be inclined to be honest, as you do not want another employer to go through the headaches you did.

While, this is not privacy matter per se, it is a sharing of information about someone and in the State of Hawaii we give employers a “qualified immunity” for providing this information. If you provide a job reference about a current or former employee to a prospective employer you just need to act in good faith when you give this information (even if it may be negative.

Many times a former employee cannot get employed, and find out that a old boss is telling things that are brutal to their career. However, the employee has to prove in a court of law that what the former boss knows they saying false things or trying to mislead the asking employer.

While, you may have a defense against a former angry employee you might not want to say whatever you want, no matter how true the matter may be. The best strategy here is to develop a termination process, tell the employee (or wait for them to ask) that you can be used as a reference, and prepare a list of things to tell a prospective employer about them and keep it with the employees file.

Social Security Numbers (HRS 487J)

In the State of Hawaii we protect Social Security Numbers (SSN) .  More specifically, we prevent businesses from doing the following:

  1. printing an individual’s entire SSN on anything mailed to the individual, except in 2 situations: (a)what is being mailed is between employer-to-employee; or (b) the person requests that their entire SSN is sent;
  2. requiring people to give their SSN over the Internet, unless the connection is secure or the SSN is encrypted (thus job application forms on websites have those secure login protocols);
  3. requiring people to use their SSN to access an Internet website, except in the situation where a PIN or password is also required to access the website.

In general, if you do not have the sophisticated job application systems you probably want to avoid using SSNs and trying to gain more information through interviewing. SSN is sensitive information and the State takes it seriously. So much so for every violation the penalty is $2,500.

Personal Information (HRS 487R)

In addition to SSNs, other types of personal information are protected against unauthorized access and businesses that collect this information either for employment purposes or a customer database need to avoid disclosing this information. Basically, we have given people the right to be protected and safe knowing this information is being safeguarded by the entities we give them to.

What is Personal Information?

So “personal information” is a very specific set of information. Most of it you have memorized as you routinely use it to verify who you are whether it is for employment, getting benefit from the government or other instiutions, and for records purposes.

Personal information = person’s name + any of the following:

  1. SSN;
  2. Driver’s License Number;
  3. Financial Account number;
  4. a code that allows access to financial information.

How can a Business Take Reasonable Measures to Protect this Information?

The main goal is so that information cannot be read or reconstructed based on the medium it was recorded so any of the following methods is appropriate depending on the situation:

  1. Burning;
  2. Pulverizing
  3. Recycling;
  4. Shredding papers;
  5. Destroying electronic media;
  6. Erasing electronic media;
  7. Or finally a catch-all, a procedure relating to the adequate destruction of personal records as official policy in the writing of the business entity.

If you are a one-person shop, like I am. Invest in a good shredder.  If you are a larger business consider outsourcing to a professional information destruction service. However, before you sign that agreement with them make sure you review their policies and procedures, and insure that they are thorough because you are still responsible for any leaked information.

Similar, to the SSN situation you may be fined up to $2,500 per violation by the government. If you have a lot of workers and customers in your database and a fraction of that is leaked you could have a very expensive lawsuit.  In addition, to the government coming after you the person who’s information that you released by accident can also sue you.

Final Word: Record Retention and Destruction

In this age where we get an ID or number for everything we do we set-up databases to contain all that information and make it easy to sort through. However, those numbers represent people and the law has decided to protect that information. Therefore, a business needs to have a thorough record retention and destruction policy. In addition, it becomes key that the people who access this information (no matter how routine or mundane it may seem) are responsible. If you need to figure out how to handle sensitive information or need an update/review your procedures in this area contact a HR specialist or attorney to help your compliance steps.

Remember that next week we will move out of human resource problems and move on to legal issues with customers. Also stay tuned a poll determining what the next subject of my talk at The Box Jelly, Hawaii’s first coworking space, will be going up soon.

Have an Aloha Friday!

*Disclaimer:  This post discusses general legal issues, but does not constitute legal advice in any respect.  No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction.  Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.

Business Owners: Document Management and Retention Policy

It is clear from the prior posts that lawyers are aware that there is a lot of evidence to be discovered from social media.  However, what does this mean the operations of a business?  In terms of the bottom line discovery will only complicate your day-to-day operations as you search for some blog post you put up two years ago.  Your social media should be added to the document management and retention policy, but it should be done efficiently as to minimize any future compliance or litigation action.

Consider this, that in 2010 FINRA issued guidance for blogs and social networking sites, and set forth the record keeping responsibilities in the financial broker-dealer business.

Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 ad 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110.

Why Have a Document Management and Retention Policy?

In general, you should always have a way of finding your files.  It will not only help comply with discovery requests, but for yourself it will help you find things for things such as regulator and tax requirements.  Not only will lawyers be grateful you can find your own files, but accountants and various consultants find it helpful as well.

Therefore, your business records policy should be aimed at three goals:

  1. Preserving until end of usefulness (both for legal and business reasons);
  2. A systematic approach to destruction, which explains why documents no longer exist;
  3. Limiting the number of areas that a discovery request will force you to search.

So basically, in your policy you have defined time, space, and existence.  It’s like having your own document universe where you get to control the rules.  In terms of legal considerations, and an attorney can help you with this part of the policy, but consider the following:

  1. litigation hold procedure if you anticipate any litigation or government investigation;
  2. how to handle the portability and backing up of data; and
  3. how to control non-company devices that access and use company data.

Incorporating Social Media

Now factoring in social media, you can kind of thing of it as it’s own galaxy in your document retention universe.  Due to its nature, and people’s perception of it you will have to a) think about how you want to archive it and b) train people to get used to organizing it.

As mentioned in the prior post you can download your Facebook data and get all your tweets in excel format.  For blog posts it depends on what service you are using, but some give you the option of backing up your blog.  You should also consider if you write in MS Word to draft the posts before hand of saving it in that format as well.

Finally, for your own sake and your lawyer’s sake be sure to digitally timestamp and signature the files.  This goes to authenticity of the evidence for a trial.  In addition, be sure to try and keep social media preserved in their native format.  Thus things like video or Flash files should be kept safe an the ability to replay is crucial because some regulatory situations will NOT accept screenshots.  Basically, you need to prove the exact contents and the manner it interacts with a user on any given date.

Training and Responding

Watch how people connected you talk about your products and services. Make sure employees and paid bloggers disclose anything you gave them in connection with touting your business's products and services.

Once you have set-up a document management and retention policy, concerning social media.  You have to train your employees to follow it.  It will give weight and credibility to why certain documents exist and others do not.  In terms of social media, when people use it they kind of think that what they post will not remain there and is only a flight of fancy.  So you are going to have to train against that mentality, as well as that social media posts are for company purposes and are a part of the company.  Followed by the fact that you will have to archive it like a library and you can see that training on social media retention is a little bit more complex.

If litigation does come knocking on your door, an attorney can help you strategize with a proper response.  Now that you have an efficient and searchable document management system it will be less of a nightmare.

Final Points: Centralize and Use Software

With social media and document retention centrality of the data/documents becomes a key issue.  Archiving and housing the data in all different manners and places is a real headache to sort later.  Put in the effort to centralize and organize in the beginning.  Lastly, while your business is small consider scalability of your document management system as it grows.   You may want to consider the use of specialized software.

As always if you like this post or any of my other series please Subscribe to this blawg to receive e-mail updates.  In addition, follow me on Twitter and “Like” me on Facebook.  If you need to contact me directly, please e-mail me at or leave a message at 808-944-8400.

*Disclaimer:  This post discusses general legal issues, but does not constitute legal advice in any respect.  No reader should act or refrain from acting based on information contained herein without seeking the advice of counsel in the relevant jurisdiction.  Ryan K. Hew, Attorney At Law, LLLC expressly disclaims all liability in respect to any actions taken or not taken based on the contents of this post.