Data Breach Laws A Wake-up Call for HR
A significant new category of employment-related privacy legislation has burst upon the scene: data breach notification laws. Employers need to take data breach legislation as seriously as they take such data laws as FCRA and HIPAA.
However, many employers and HR staff have been slow to recognize that a significant new category of employment-related privacy legislation has burst upon the scene: data breach notification laws. At least 22 states and one municipality, New York City, have followed California’s lead by enacting laws requiring businesses to inform individuals of security breaches involving personal data particularly useful in ID theft and financial fraud. Employers need to take data breach legislation as seriously as they do their sensitive data predecessors, namely the FCRA, EEO and HIPAA laws.
Data breaches as an HR issue
Part of the reason for the slow uptake has been the misconception that data breach laws are consumer-focused. While a large majority of the 100-plus data breaches publicly reported during the past year have involved consumer data held by companies such as ChoicePoint, Bank of America, DSW, CitiFinancial and CardSystems, employee data has also figured prominently in many of the security lapses. At least 15 of the breaches involved employee records only. A listing of these breaches may be found in the chart below. Many additional breaches involved employee records only partially, or to an indeterminate degree.
Even where the affected individuals are consumers, mistakes and mishaps by employees are most commonly the root cause of the data breaches, providing another reason to view these breaches as an HR issue.
What do the laws require?
Data breach notification laws vary somewhat from state to state. The laws vary in regard to the categories of personal data covered, the definition of a breach, the threshold (if any) for harm to individuals that triggers requirements for notification, the timeliness and forms of notification, the involvement of law enforcement and oversight agencies, and penalties and legal recourse. These variations, which lead many companies to adopt a highest-common-denominator approach, are increasing the pressure for a single federal standard, which may be enacted later this year.
What a company should do
Implementing sound information security policies and practices that minimize the likelihood of data exposures is more important than dealing with the aftermath of breaches. Better data security should be the first priority of any organization handling personal data. That said, there are specific steps that organizations should take now, in advance of any compromises of personal data, to plan how they will comply with breach notification laws. For most organizations, the question is not whether data security breaches will occur, but when.
HR should act--on its own if necessary
Since breach notification laws apply to personal data held by organizations for any purpose, an enterprise-wide approach involving all functional areas holding covered data, such as IT, HR, legal and auditing staff, is best. If this is not feasible, HR needs to prepare its own response to potential breaches of employment-related personal data. Unlike breaches involving customer data, leakages of employee data will very quickly become an immediate and pressing HR issue by throwing into question the trust in management that is an essential part of good employee relations.
Understand the laws
One of the first things HR needs to do is to understand the requirements of breach notification laws. Some important scope- or boundary-setting aspects of these laws are worth noting:
The laws typically do not apply to all compromises of personal data, but only to those involving a very restricted set of data elements (such as Social Security numbers, driver’s license numbers, bank or credit card numbers, etc.).
The laws typically do not apply at all if the covered data elements were encrypted.
The laws apply equally to improper and unauthorized exposures outside the organization and those that occur internally.
Those who read the laws for the first time will be relieved to discover just how targeted and specific the laws are. An exception is what qualifies as a security breach, which typically is defined only in the broadest of terms.
Develop a contingency plan
There are a number of issues that HR must address in developing a contingency plan to comply with breach notification requirements in the event that qualifying personal data is compromised. These issues are presented in the form of a series of questions:
What is the distribution: by state of residence, of the various population groups HR deals with (i.e., employees, former employees, applicants, beneficiaries, dependents, etc.)?
Which of the states revealed by such geographic demographics has breach notification laws in place, or pending?
Is there a process in place to quickly identify security incidents that may involve qualifying data breaches? Is this process centralized or decentralized? Are staff aware of the existence of the process and the need to follow it?
Is there a process in place to immediately investigate what happened, how it happened, which population of individuals is potentially affected, and whether the breach is ongoing or contained?
Is there a process in place to determine what can be done immediately to counter or limit the effects of the breach upon individuals whose data has been exposed?
Is there a process in place to determine whether company policies and procedures for handling personal data have been violated and whether disciplinary action may be warranted?
Who will determine whether a breach that has been identified and investigated is covered by one or more applicable breach notification laws?
Who will determine if notification should be extended to all individuals in the affected population(s), as opposed to only those individuals entitled to receive notification under applicable law(s)?
Who will determine how quickly notice should be provided and which media will be used for notifications?
Who will determine whether credit monitoring and other ID theft services (such as insurance or resolution assistance) will be provided on a cost-free basis to affected populations and for how long?
Are notification templates drafted and ready for use with information describing the breach, what the organization is doing about it, what the organization is doing to prevent future breaches of this type, standard advice and resources for potential victims of ID theft (such as from theID Theft Resource Center or the FTC, services being provided and a point of contact for further questions?
Who will determine whether a press release should be issued in conjunction with the notifications?
Is there a process in place to use the breach as a means of identifying and implementing improvements that may be needed in the handling of personal data, technical safeguards, policies or training of staff?
As daunting as this list of questions may appear, it is only an overview of those that will arise should a significant breach occur. By working through these issues in advance, and having a documented approach to addressing them in hand should a data breach occur, organizations can lessen both the negative impact and the anxieties associated with compromises of personal data.
Organizations that experience data breaches will readily confirm the wisdom of the old adage that an ounce of prevention is worth a pound of cure. The costs of responding to a breach, in terms of staff time and energy, legal assistance, credit monitoring and related services for affected individuals, bad press, adverse employee relations and potential legal exposure, can be profound--not to mention the new dread of another breach and what that would bring. Second-guessing, along the lines of "If only we had … (encrypted the backup tapes, kept tighter controls on access, ensured that all data on laptops is encrypted, etc.)," becomes unavoidable.
Rather than assuming, naively, that "it will not happen to us," employers should recognize that it is highly likely that a data breach will happen unless something is done about it. Besides improving data security generally, there are a number of specific steps that should be taken to either avoid the applicability of breach notification laws or minimize the likelihood that qualifying breaches will occur:
To the extent possible, don’t collect or store data elements specified in breach notification laws. For example, don’t collect driver’s license numbers from California or other residents if you don’t have to. Such fields, which are useful to identity thieves, were always sensitive, but now they have been branded as the legal equivalent of radioactive.
If it is necessary to collect and store covered data elements, such as Social Security numbers, segregate such data from other data sets. Strictly limit access to the data to those with an uncontestable need to know, screen those individuals carefully, audit access to this data, and store and transmit the data in an encrypted format.
Avoid using covered data fields as employee identifiers, key fields in files and systems, parts of user IDs, on badges or in mailings. Use of the last four digits of the Social Security numbers, or parts of other covered data elements, as an employee authenticator should also be avoided; these data elements carry too much baggage.
Don’t store covered data elements any longer than they are needed for the purposes for which they were collected, and destroy them in a secure manner when they are no longer needed.
Scrutinize the entire life cycle of covered data elements--including collection, storage, transmission, disclosure and destruction--to identify any security vulnerabilities requiring remediation.
Make sure your current policies, training and confidentiality agreements address the particular risks and legal obligations involved in handling data elements covered by breach notification laws.
Include third parties acting as agents in your preventive review, since you will be held responsible if they are the source of the data breach.
Data breaches can happen to any organization--even those that have significant HR privacy programs, such as Eastman Kodak and the Boeing Co. All that it takes could be an accidental e-mailing of a file to the wrong party, a break-in and snatch committed by a common thief or a failure by one staff member to follow policy at just the wrong time. Prudent organizations, however, concerned about the impact of identity theft on both individuals and their own reputation, will do what they can to minimize the likelihood of data breaches, and to prepare for them should they nevertheless materialize.