A Lesson in Both Cybersecurity and Responding to Requests for Employee Records
Posted on 06/22/2023 at 01:31 PM by Russell Samson
At the outset I acknowledge this blog post focuses on an odd piece of snail mail received by one of our firm’s clients—not an email. But, I suggest, the lessons we are being taught about phishing and other email scams may apply, with a little imagination.
It was a standard business size envelope. It was addressed to the employment records department of a small business. The envelope indicated it was “urgent.” It arrived via regular US mail on June 01, 2023. The Iowa client opened the envelope and inside were several pieces of paper.
The top sheet announced it is an “OFFICIAL REQUEST FOR EMPLOYMENT RECORDS.” To the immediate right is a bold-edged box reading:
RECORDS ARE NEEDED BY 05/23/2023
Outside the box, the recipient client is told: “Request sent 05/09/2023.” Oh, the urgency!
At the top left of this first page is the name of a business - and the name alone. But not a name the client recognized. If one “googles” the business name, a website pops up which states the following about the company:
Company X “is the easiest way to get and manage records. We help our clients retrieve records of all types – from medical to billing statements to employment to x-rays and scans. We are the premier source for nationwide record retrieval services.”
The last sentence of the first page says that if the request is completed “within the time frame, you will be entered into a monthly drawing for a gift card for you and/or your staff to enjoy. No limit on the number of entries.” Darn, not only did I miss the deadline, the USPS messed up my chances to win!
Imagine you received a standard email, instead of a paper letter. Imagine this email arrived in your Inbox from a person unknown to you, with the phrase “lawfirm” in their email address, and a subject line saying “Urgent! Employee Records Request.” Imagine the body of the email said you’d be entered into monthly drawing for a gift card if you opened the attachment. Would you click to open that attachment?
Continuing with the first page of the letter, it asks for “all employment records including . . . attendance records, payroll records, and any worker’s compensation claims filed.” What was that training about poor grammar or punctuation in fakes?
It goes on to say, in a typeface about four times the size of the bulk of the letter, “WE WOULD PREFER TO RECEIVE DIGITAL RECORDS PLEASE.” In slightly smaller, but still large, typeface, the client is told to “UPLOAD RECORDS TO OUR SECURE HIPAA COMPLIANT PORTAL.” Yes, indeed, confidential medical information is requested. Via digital upload to a website the recipient has never heard of. But I can surely rely on the sender’s own statement that the portal is HIPAA compliant, can’t I?
The next page of the letter is an “Employee’s Release of Information Authorization.” It indicates that the signer – whom you recognize as an actual former employee – has authorized release of their own employment information to a named attorney with an address in Wisconsin. (Again, the client is, and the records are, in Iowa.) The document appears to have been modified to add the name of Company X, at a suburban Minneapolis address, as a second party to whom the requested documents are also to be produced. The former employee’s signature is one of those electronic signatures in a script font—not a reproduction of their actual signature.
The final page of the letter is titled, “Letter of Authorization for Collection of Records.” It says it is a, “Letter of Representation for record retrieval” between the Company X and an insurance company, or Insurer A (as I’ll refer to it here). This piece of paper recites that:
[Insurer A] authorizes [Company X] to act on their behalf for the sole and limited purpose of requesting and collecting records, including medical records, for the purpose of producing records to [Insurer A], its attorneys, staff, or designees.
This agreement may be presented to records facilities as evidence of the parties' intention that [Company X] is authorized to act on behalf of [Insurer A], unless otherwise directed.
This last page says this Letter of Authorization was “entered into as of 06/01/2022” and is “. . . valid for a 1-year period.” Oh, the irony! The agreement under which Company X would pass along to Insurer A any documents produced expired, by its own terms, on the very date our client received the letter. And exactly where did the client’s former employee who signed the Release authorize the disclosure of any information to Insurer A? Is the last page of this bundle a “Letter of Authorization,” a “Letter of Representation,” or an “Agreement”? One can’t help but assume that Insurer A – a large insurance company whose ads I see on television all the time – has a sizeable legal department. Would those lawyers permit such imprecision? Or are all of these issues signs of a potential scam?
The materials received by our client may have been legitimate. But my firm’s IT department has appropriately pounded into my brain how to look for hints that documents and emails might be less than they appear.
Indeed, tomorrow, I am going to law firm-mandated training on cybersecurity and how to avoid being taken in by email scams. I confess that – in the throes of looking for an email about a missing personal Priority Mail package – I clicked on an email at work that appeared to be from the Postal Service. (I swear it looked like and read like it was.) Instead, it was a test from my firm’s IT department. Thankfully, it was only a test, because I failed it.
What can be learned from this cautionary tale?
- As an employer (or even a friend), be careful, even suspicious, of requests for information about employees or former employees that come from unknown sources—no matter whether those requests are sent via email, snail mail, or any other form.
- Review (or adopt) policies about what employee information will be provided to outsiders, what kinds of outsiders can get employee / personnel information, and under what circumstances it will be provided. Be sure to check state laws applicable to personnel files and employment information that must be provided to current or former employees. For instance, under Iowa law, current employees are allowed to view their personnel file (defined to include, at least, performance evaluations, disciplinary records, and employer-employee relations information, but not written employment references) and to get copies of documents they specify; former employees have no such rights. See Iowa Code Section 91B.1. At the same time, Iowa Code Section 730.5(13) provides that all communications regarding drug testing are “confidential” and shall not be obtained in discovery or disclosed in any public or private proceeding except in very narrow circumstances.
- It would be wise for an employer’s policy to require the redaction of sensitive information from any documents produced, which would include Social Security numbers, dates of birth, driver’s license numbers, bank account numbers, and the like. I-9s are especially chock-full of sensitive personal information, and ripe for redactions before being produced.
- An employer should consider sending all requests for employee documents it receives to its employment counsel before responding. Even if that means losing out on a free gift. Your attorney can check the legitimacy of the request, which may include tracking down the attorney making the request to confirm it and understand what the information will be used for, and perhaps what information is really sought. (For example, what is encompassed by “all payroll records” – the FLSA time records, the check register, the check or remittance advice, reports to state and federal taxing authorities on income tax withheld, on unemployment contributions made, etc.?).
- An employer should consider requiring a valid subpoena before releasing any employee documents to outsiders. A properly issued subpoena adds a layer of protection one doesn’t have with a mere release (purportedly) signed by the employee/former employee. Your attorney will know the rules that apply to the subpoena to determine if it was validly issued. Attorneys also can advise you whether to object to the subpoena, or move to limit or quash it, under applicable rules of the court or agency. Your attorney can sometimes negotiate with the attorney who asked for the documents to have the subpoena limited or withdrawn.
- An employer should consider having its employment attorney gather and review all the documents it was asked to produce. One might be surprised what hidden errors the attorneys might find. Maybe papers for Employee 2 were misfiled in Employee 1’s file. Perhaps “confidential medical” information made it into the wrong file folder.
Regardless of what the current commentary may be in social media or in political discourse, subpoenas – be they issued in some private matter or on behalf of a governmental entity -- are legal documents with legal requirements and legal consequences. In Iowa, for example, our rules of civil procedure provide that a failure to comply with a subpoena may be punishable by contempt. A competent attorney can explain the requirements for responding to a subpoena. Not a bad investment, I shamelessly submit.
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.