The recent data breach at Equifax affecting 143 million Americans not only grabbed national headlines but also the attention of many employers. The alarming amount of personal information that was compromised over the several-month period highlighted just how vulnerable employers can be to an online intrusion from a hacker.
In fact, regardless of how big a data breach is, the risks and liabilities to an employer remain the same – from losing consumer faith to facing class action lawsuits. Therefore, it’s critical to be aware of the practical and legal steps you can take to prevent and, if necessary, respond to a data breach at your organization.
Know Your Legal Responsibilities
Given the patchwork of federal and state laws relating to data breaches and the protection of confidential and sensitive information, legal compliance may seem like a daunting task. However, it is critical to understand your legal obligations to avoid liability in the event of a data breach. For example, most states, as well as the District of Columbia and certain US territories, legally require employers to notify affected individuals and entities after a breach.
Generally, data breach notification laws require employers to provide notice to those affected by the unauthorized acquisition of unencrypted personal information. In some states, the employer must also provide notice to the state attorney general and/or the national credit bureaus. Typically, the laws define personal information to include an individual’s first name or initial and last name along with a:
- Social Security number;
- Driver’s license and/or state ID number; or
- Credit or debit card number or bank account number in combination with a password.
It is also important to be aware of the laws that restrict your access to an individual’s private information. For instance, the Fair Credit Reporting Act (FCRA) permits employers to request credit reports on job applicants and existing employees after obtaining consent.
Specifically, the FCRA governs when and how an employer may use an individual’s credit information in making employment decisions. To safeguard an individual’s private information from a potential data breach, amendments to the FCRA also require the proper disposal of sensitive financial and personal information included in such background credit reports.
Audit and Safeguard Personal Employee Information
It is easy to lose track of the amount of information you may have on your employees, from the very commonly requested Social Security numbers to bank routing numbers. One important step to protect confidential and sensitive information is to be aware of what information you actually have in your possession. For example, do you safeguard your employees’ I-9 forms, which may include their Social Security, passport or driver’s license number? Where do you keep the direct deposit authorization forms that include an employee’s bank account information?
You should review all your records to determine whether you keep confidential and private information in a secure area. Additionally, if you store personal data electronically, use firewalls and encryption technology to protect such information from hackers. For instance, consider encrypting stored Social Security numbers, just as you protect stored passwords.
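As an added illustration (not part of the original article) of what protecting a stored Social Security number looks like in practice: unlike a password, which should be kept only as a slow, non-reversible hash, an SSN must be recoverable for payroll and tax filings, so it needs reversible, authenticated encryption with the key held apart from the database, plus a keyed lookup tag so records can be matched without decrypting. This is also what keeps the stored number out of the "unencrypted personal information" category that triggers the notification laws described above. The vault type, key handling and the sample employee ID are assumptions made for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// EncryptedSSN is what the HR record stores instead of the plain number.
type EncryptedSSN struct {
	Nonce, Ciphertext []byte
	LookupTag         string // keyed "blind index": lets payroll match a record without decrypting
}
// SSNVault holds the keys, which live outside the database (e.g. in a KMS); assumed type for this example.
type SSNVault struct{ aead cipher.AEAD; indexKey []byte }
// NewSSNVault takes a 32-byte data key (AES-256-GCM) and a separate index key.
func NewSSNVault(dataKey, indexKey []byte) (*SSNVault, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &SSNVault{aead: aead, indexKey: indexKey}, err
}
// LookupTag is an HMAC of the number: not reversible, usable only for equality matching.
func (v *SSNVault) LookupTag(ssn string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil))
}

// Encrypt seals the number, binding the employee ID as associated data so the
// ciphertext cannot be swapped onto another employee's record.
func (v *SSNVault) Encrypt(ssn, employeeID string) (EncryptedSSN, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedSSN{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(ssn), []byte(employeeID))
	return EncryptedSSN{Nonce: nonce, Ciphertext: ct, LookupTag: v.LookupTag(ssn)}, nil
}

// Decrypt recovers the number; it fails if ciphertext, nonce or employee ID were altered.
func (v *SSNVault) Decrypt(rec EncryptedSSN, employeeID string) (string, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(employeeID))
	return string(pt), err
}
```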
An employer should also limit the amount of sensitive information it requests from employees, as well as the number of individuals who have access to such information. Only employees who need access to the information to perform their job duties and responsibilities should be permitted to view it. It is also important to urge the third-party vendors, partners or providers with whom you share an employee’s information to take the same security measures to protect it.
Employees should be trained on what kinds of information are considered confidential and private. This is especially true for those employees who regularly access records with private and highly sensitive information belonging to other employees, customers and third parties. Employees should also be instructed on how to safeguard their own information and the information of others from a potential online intrusion.
For example, caution employees about the risks of using personal email addresses for official work-related communications and of reusing the same password across multiple online accounts. Tell employees to be wary of emails from unknown individuals that may be a “phishing” attempt to gain access to sensitive personal information.
Employees should also be trained on:
- Securing individual data files (both hard copy files and electronic ones);
- Record retention; and
- Destruction methods.
Throughout the training, consequences for both inadvertent and intentional data breaches should be addressed so that employees gain an awareness of the risk to their organization as well as themselves.