Signed into law on March 18, 2013, Virginia Code § 40.1-28.7:4 provides additional safeguards against the dissemination of personal information of employees to third-parties. Specifically, the statute provides that “[a]n employer shall not, unless an exemption . . . applies, be required to release, communicate, or distribute to a third party any current or former employee’s personal identifying information.” “Personal identifying information” is defined to include “the following items of information about a current or former employee: home telephone number, mobile telephone number, email address, shift times, or work schedule.”
There are four express exemptions in the statute. Specifically, the statute does not “apply to a release, communication, or distribution of personal identifying information that is:
- Required pursuant to any applicable provision of federal law that preempts the provisions of this section or of state law that requires an employer to release, communicate, or distribute personal identifying information;
- Ordered by a court of competent jurisdiction;
- Required pursuant to a warrant issued by a judicial officer; or
- Required by a subpoena issued in a pending civil or criminal case, or by discovery in a civil case.”
Importantly, the statute is not an express prohibition against an employer’s disclosure of personal identifying information of its employees. By using the language “shall not … be required to release,” the statute gives an employer a safe harbor against releasing such information to someone that is requesting it (including, for example, a former employee that requests his or her own information to initiate litigation against the former employer). However, employers who choose to voluntarily disclose personal identifying information of current or former employees do so at their own risk, as such practices may be prohibited under other state or federal laws and regulations. It is recommended, therefore, that companies operating in Virginia be sure to review current employee manuals, privacy practices and human resource policies to ensure that personal identifying information of employees is not being disclosed to third-parties save for in instances set out in the exemptions identified above.