
BreachExchange mailing list archives
Protect Your Employees’ Personal Information or You’re Putting Your Business at Risk
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Tue, 15 Mar 2016 17:15:56 -0600
http://www.jdsupra.com/legalnews/protect-your-employees-personal-46087/

For the past few years, data breaches have made news headlines and raised awareness for data privacy and cybersecurity. Some of the most well publicized data breach stories have been the breaches of Sony, Target, Home Depot, Neiman Marcus, and Anthem. While the news coverage of these data breaches has significantly raised awareness of data security and privacy issues, it could also leave businesses with the impression that cybersecurity is an issue primarily relevant only to multinational companies, large retailers, and insurance companies. That is not the case.

All employers, regardless of the nature of their business, should be cognizant of cybersecurity issues, particularly as those issues relate to employee personal information.

Most employers, through the usual course of business, collect and maintain a tremendous amount of personal information from their employees. For example, an employer typically has access to and maintains the following information about its employees:

- Social Security numbers;
- Contact information, such as postal address, email address, and phone numbers;
- Financial information, such as bank routing numbers and 401(k) accounts;
- Health and medical information obtained in connection with workers’ compensation claims or disability or medical leaves of absence; and
- Medical, life, and other insurance information.

Depending upon the particular laws applicable to a given employer, some or most of this information qualifies as Personally Identifiable Information (PII) and is subject to data privacy protections and breach notification obligations. For example, in New Jersey, PII includes Social Security numbers, driver’s license numbers, and financial account numbers in combination with a required security code, access code or password. New York adds passwords, access codes, personal identification numbers (PINs), and mother’s maiden names to the list of PII.

Given the vast amounts of PII that employers maintain, all employers should review their data collection, storage, and security practices from both a legal and technological perspective to ensure that the PII of their employees is protected.

In addition to reviewing data security practices, employers should familiarize themselves with applicable data breach notification laws so as to be prepared in the event of a data breach, as the triggering events and notice requirements vary from state to state. Failure to provide reasonable protection for PII or to comply with breach notification laws could result in government enforcement actions and liability to affected individuals.

Future posts on this topic will delve into further detail as to employee monitoring and privacy rights and data breach notification obligations.