Employers should be aware of the rapid growth of data privacy and security laws, which may affect their methods of conducting business and handling personal employee information. The new laws carry with them a private right of action in some cases, civil penalties of as much as $500,000, and, in some states, administrative investigations.
Privacy is a hot-button issue. Since January 2005, nearly 246 million records containing personal information have been compromised. See http://www.privacyrights.org/ar/ChronDataBreaches.htm. (Web site last viewed on Feb. 5, 2009). In 2008, the Federal Trade Commission (“FTC”) reported that for the eighth year in a row, identity theft topped the list of consumer fraud complaints. See http://www.ftc.gov/opa/2008/02/fraud.shtm (Web site last viewed on Feb. 5, 2009). According to the FTC, victims of identity theft spend 175 hours and approximately $800 to clear their names and restore their credit following theft of their identity, depending on how soon they discover the theft. See Id.
Employers have an inherent need to obtain and maintain personal information about employees and applicants for employment, including for purposes of identification and verification of employment status, background checks, benefits and leave administration, contact information, and simply for running their businesses. The prevalence of security breaches exposing personal information has led to legislation in many states addressing how employers use and maintain personal information. Actions, including those innocent in nature, which have triggered personal data leaks include:
State Laws
At least two states, Connecticut and Michigan, have laws that specifically apply to employers' maintenance of employees' personal information. Despite its title, the Connecticut law, “An Act Concerning the Confidentiality of Social Security Numbers,” effective Oct. 1, 2008, also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined. Other states, including California, Nebraska, New York, Michigan, and Oklahoma, have recently passed laws prohibiting employers from using employees' Social Security numbers for identification purposes, including printing the complete Social Security number on paychecks, direct deposit notices, and cards or tags required for the individual to access products, services, or benefits, or requiring the employee to use his/her Social Security number to access Web sites (unless a password or other authentication device is also required). In most instances, an employer may use four digits of the Social Security number, as opposed to the full nine-digit number.
Many other states, including Massachusetts, Maryland, Oregon, Nevada, Minnesota, and Washington, have more general laws requiring individuals and businesses alike to protect the security and confidentiality of personal information in their possession. Massachusetts and Nevada have laws requiring the encryption of sensitive electronic personal information. At least 44 states, the District of Columbia, and Puerto Rico have enacted legislation requiring notification of security breaches involving personal information.
What Constitutes Personal Information
Although the laws vary from state to state, personal information generally includes an employee's first and last name, or first initial and last name, in combination with his or her Social Security number, driver's license number, passport number, financial account number, credit or debit card number, health insurance identification number, or other United States-issued identification number. Arkansas and Delaware include medical information within their definition of personal information, whereas Georgia includes telephone records within its definition. Massachusetts' regulations define personal information to include financial account numbers, credit or debit card numbers, with or without any required security code, PIN, or password. In contrast, Oregon's “Consumer Identity Theft Protection Act” defines “personal information” to include financial account information together with password or security code information.
Data Security Plans
Even employers that operate in states that do not have laws dictating how they must safeguard personal employee information should implement an employee data security plan. For example, effective May 1, 2009, or in some cases, Jan. 1, 2010, Massachusetts' law will require that all individuals, corporations, associations, partnerships, and other entities that own, license, store, or maintain personal information about a resident of Massachusetts develop, implement, maintain, and monitor a comprehensive written “Information Security Program” that: 1) is consistent with industry standards; and 2) applies to any records containing personal information. As part of the Information Security Program, the entity must:
In addition to the above, Massachusetts law requires businesses that store or transmit personal information electronically to establish user authentication protocols; maintain current operating system security patches, firewalls, anti-malware programs and virus definitions; ensure that password location does not compromise the security of the data it protects; restrict access to active users, and block access after multiple unsuccessful attempts; and engage in periodic system monitoring for signs of unauthorized use or access.
Employer compliance with stringent and comprehensive safeguards, such as those contained in the Massachusetts regulations, should result in employee privacy protection. Employers should consult with legal counsel in the states in which they have employees to ensure that they are compliant with their governing law(s). The general principles, however, are the same from state to state. Employers must: 1) analyze how they use and store personal information; 2) examine the exposure risks associated with how they do so; and 3) develop a program to minimize the unintended release of personal information in their possession.
Be Mindful of Breach Notification Requirements
While the majority of states have promulgated laws to safeguard personal information, nearly all states have laws regarding what employers must do when a security breach occurs. Generally speaking, the obligations are twofold: First, employers should notify those whose personal information may have been affected by the security breach. Second, employers should provide those affected by the breach with information such as: 1) the incident in general terms; 2) the type of personal information that was subject to unauthorized access and acquisition; 3) the general acts of the business to protect the personal information from further unauthorized access; 4) contact information for further information and assistance; and 5) advice that directs the person to remain vigilant about reviewing account statements and monitoring credit reports. As with its personal information protection law, Massachusetts law goes a step further and requires that the business/person who experienced a security breach also notify the Attorney General and the Director of Consumer Affairs.
It is also common for employers who experience a security breach to provide those affected with a paid subscription to a credit-monitoring agency. Some credit monitoring agencies specifically target employers and provide group services at reduced rates.
Conclusion
Going forward, in light of the developments in privacy law, employers should avoid collecting personal information that is not reasonably necessary to conduct business. Employee disgruntlement over a breach of personal information can result not only in legal liability for employers, but also in a costly loss of productivity. Employers can reduce their potential liability by consulting with legal counsel in their respective state(s) and carefully planning and drafting compliant security policies and procedures.
Rosanna Sattler, a member of this newsletter's Board of Editors, is Co-Chair of Posternak, Blankstein & Lund LLP's Employment Law Group and Litigation Department. Nancy J. Puleo is an associate in the department.