In 2016, U.S. private employers and government agencies reported more than 1,000 data security breaches, up 40 percent from 2015. Recent high profile examples include:
- 2014 theft of unencrypted laptops at Coca-Cola, which compromised sensitive data concerning 74,000 then-current and former employees;
- 2016 incident in which a Boeing employee sent personal data regarding 36,000 employees across a four-state area in a spreadsheet to his spouse; and
- 2017 breach that compromised data from 95,000 job applicants at McDonalds Canada.
Employers confronting the seemingly daunting task of protecting sensitive and private employee data may look to computer security expert Gene Spafford’s famous conclusion: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”
But, in the real world, employers must power on their computer systems absent a protective concrete barrier and armed guards. What steps must employers take when the security of employee data is breached or an unauthorized access and compromise has occurred? Let’s take a look.
All states, except for Alabama and South Dakota and the District of Columbia, require notification to affected individuals when personal information regularly gathered and stored by employers, such as Social Security numbers and driver’s license information, is compromised. In the last few years, twelve states have reinforced data breach notification laws. Some notable examples include:
- Illinois – In 2016, Illinois amended its data breach notification law to expand the categories of protected data to include health insurance information, medical information, unique biometric data and an individual’s user name or email address, in combination with a password or security prompt and corresponding response that would permit access to an online account (for example, log-in credentials).
- Tennessee – In 2016, Tennessee amended its data breach notification law to define a breach as any “unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.” The Tennessee law defines personal information to include an individual’s first name or first initial and last name, when combined with his or her (1) Social Security number, (2) driver’s license number or (3) information that would permit access to a financial account. Earlier this year, the Tennessee legislature clarified that its 2016 amendment does not apply to information encrypted pursuant to the Federal Information Processing Standard 140-2, so long as the encryption key is not obtained by an unauthorized person.
- Virginia – Last year, Virginia became the first state to expand its data breach notification law to specifically require employers and payroll service providers to notify the attorney general upon discovering “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer” where the employer or provider reasonably believes the breach “has caused, or will cause, identity theft or other fraud.” In an effort to thwart W-2 phishing scams, the attorney general’s office will notify the Department of Taxation of the compromised employer. The Department may, in turn, use that information to flag taxpayers whose W-2 information might be misused to obtain a false tax return.
As recent years demonstrate, data breach notification laws continue to develop as breach risks increase and data scammers adapt to changing laws. Employers seeking to manage and reduce their liability risk for data breaches can adopt certain practices as they monitor continuing state law developments:
- Exercise reasonable care when collecting and maintaining personal identification or other sensitive information regarding employees and applicants.
- Actively monitor applicable state law requirements in states where offices or other operations are maintained.
- Develop, review and revise as necessary administrative, physical and technical personal information safeguards.
- Develop, review and revise as necessary a security incident response plan in accordance with applicable breach response requirements.
- Develop and implement a security incident response team trained to comply with pertinent data breach notification laws.
- Develop relationships with identity protection services and vendors that support the security incident response plan.
- Conduct mock breach incident simulations/drills testing safeguard and incident response effectiveness.