What specific things can HR do to help protect employees’ private information from data breaches?
Quick Answer
Take a holistic approach that includes assessment of data, training of relevant personnel, and the development of programs and policies designed to prevent a breach and respond promptly and effectively in the event that a breach takes place.
Legal Perspective
Shipman & Goodwin
Hartford, Connecticut
Employment law attorney Daniel Schwartz (dschwartz@goodwin.com) of the firm Shipman & Goodwin LLP recommends that companies take the following steps:
- Make sure HR pros get trained in the basics of data security.
- Assess where your sensitive data is and who has access to it. Then ask, “Where could employee data be leaking?”
- Develop policies and a data privacy program, and assign people who’ll respond in the event of a breach.
- Create a sustained data privacy and protection training program – like your anti-harassment training.
- Make sure HR is at the table to discuss employee impact when a breach happens.
- Inform those affected, as well as government officials, when a breach happens.
Relevant Case Law
Clemens v. ExecuPharm, Inc.
Data Systems Corp. v. Heinemann
Dittman v. UPMC
HR Insight
Rare Parts Inc.
Stockton, California
I think it starts with putting serious consideration into the vetting of who handles the data and works with the various HR software providers to make sure employees’ private information, like dates of birth and Social Security numbers, is blocked out when at all possible, says Chad Miranda, HR Manager at Rare Parts Inc.
In addition, documents containing sensitive info, e.g., payroll records, I-9s, etc., are behind lock and key. As a matter of standard procedure, I also try to shred any documents that may have sensitive information immediately after use. It’s important to remember that a data breach doesn’t necessarily have to be electronic; data breaches can be physical, too.
Alcoa Community FCU
Benton, Arkansas
Vetting the companies we work with is the first step, says Andrea Rose, an HR Specialist at Alcoa Community FCU.
We use a reliable IT company to manage and monitor our data services and use reputable businesses for any online data management pertaining to employee information such as time sheets, payroll and elected benefits. Otherwise, the credit union does not keep electronic records containing financial, medical or other personal info. If a paper copy must be retained, it is placed in a locked cabinet in the CEO’s or CFO’s office, and no one else has a key.
The Cost of Noncompliance
Employer pays $2.65M in data breach case
Who was involved: The University of Pittsburgh Medical Center (UPMC) and 66,000 employees whose personal info was stolen in a 2014 data breach.
What happened: Hackers breached the medical center’s computer system and stole employees’ personal info, including names, addresses, Social Security numbers and bank info. Four years later, a suspect was arrested and confessed to selling the info on the Dark Web, where it was bought and used to file fake tax returns and collect fraudulent refunds. Seven employees filed a class-action lawsuit (Dittman v. UPMC, listed above). The case reached the Pennsylvania Supreme Court, which held that the employer had a legal duty to exercise reasonable care to protect the workers’ personal info.
Result: After the state supreme court sided with the workers and remanded the case, the employer agreed to pay $2.65 million to end the dispute.
Info: Multi-Million Dollar Settlement Reached for Employees in Data Breach Case, 8/9/21.
Data breach exposes thousands of employees’ personal info: Company pays $2.275M
Who was involved: Citrix, a cloud computing company, and 24,316 employees.
What happened: The FBI notified the company that international cybercriminals had hacked into its internal network. The company sent a breach notice to employees. Affected individuals included staff, contractors, interns, dependents and applicants, who filed a class-action lawsuit in a Florida federal court. (The FBI’s investigation later identified “password spraying” as the likely method used to get in: the attacker tries a few commonly used passwords against a large number of accounts, so each account sees only one or two failed logins and stays below the per-account threshold that would trigger a lockout.)
Result: The company agreed to place $2.275 million into a fund for the benefit of class members, to be used in the following ways:
- Credit monitoring services.
- Identity theft recovery.
- Up to $15,000 in reimbursement for expenses and loss per claimant.
Info: Citrix Data Breach Litigation, 1/26/21.
Phishing attack targets employees’ W-2s: Employer pays $875K
Who was involved: Lincare, a Florida-based provider of home respiratory supplies with locations across the U.S., and an undisclosed number of employees.
What happened: In 2017, an HR employee fell for a phishing email in which a cybercriminal, posing as a senior company executive, requested employees’ W-2s. A group of employees filed a class-action lawsuit alleging the company failed to implement “the most basic security safeguards” to prevent a data breach.
Result: The company agreed to pay a total of $875,000. Of that amount:
- $550,000 is reserved to compensate class members who suffered an out-of-pocket loss, and
- The remaining $325,000 is reserved for class members who experienced an “eligible incident,” such as a fraudulent tax return, a fraudulent loan, or a fraudulent credit card.
Info: Lincare Settlement, 5/14/18.
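The Lincare incident above is the classic W-2 business email compromise: the message carries an executive’s name, but the address behind it is not the company’s. Two header checks catch most of these before a human has to decide, and they are cheap to run on anything that reaches an HR mailbox. The code below is an added example for this page, not Lincare’s or any vendor’s tooling; the internal domain `example.com`, the list of protected executive names and the three raw messages are all constructed for illustration.

```python
"""Screen inbound mail for executive impersonation requesting HR data (added example).

Assumptions (constructed for this example): the company's domain is example.com,
EXECUTIVES lists display names attackers are likely to borrow, and the sample
messages below are invented. The checks are header- and keyword-based only;
they are a triage aid, not a substitute for calling the executive back.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                # assumed company domain
EXECUTIVES = {"pat jones", "sam rivera"}       # assumed protected display names
SENSITIVE_RE = re.compile(r"\bw-?2s?\b|\bpayroll\b|\bsocial security\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\burgent\b|\basap\b|\bimmediately\b|\btoday\b", re.IGNORECASE)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return a list of human-readable reasons the message looks like W-2 phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []
    # 1. Display-name spoofing: a protected name on a non-company address.
    if name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name '{name}' matches an executive but sender domain is '{from_domain}'")
    # 2. Reply-To hijack: replies (and attachments) go somewhere other than the sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != from_domain:
            reasons.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{from_domain}'")
    # 3. What is being asked for, and how loudly.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if SENSITIVE_RE.search(text):
        reasons.append("requests sensitive HR data (W-2/payroll/SSN)")
        if URGENCY_RE.search(text):
            reasons.append("urgency language")
    return reasons


def is_suspicious(raw):
    """True when a sender-integrity problem coincides with a request for HR data."""
    reasons = assess_message(raw)
    sender_problem = any(r.startswith(("display name", "Reply-To")) for r in reasons)
    asks_for_data = any(r.startswith("requests") for r in reasons)
    return sender_problem and asks_for_data


# Constructed sample messages.
SPOOFED = """\
From: Pat Jones <pat.jones@example.net>
To: hr@example.com
Reply-To: Pat Jones <pjones.office@example.org>
Subject: Urgent: W-2s for all staff
Content-Type: text/plain; charset="utf-8"

I need the W-2s for all employees as one PDF today for a review. Please send ASAP.
"""

LEGIT = """\
From: Pat Jones <pjones@example.com>
To: hr@example.com
Subject: Lunch Friday
Content-Type: text/plain; charset="utf-8"

Can we move the team lunch to Friday?
"""

LOOKALIKE = """\
From: Pat Jones <pjones@example.co>
To: hr@example.com
Subject: Employee W-2 forms
Content-Type: text/plain; charset="utf-8"

Send me the W-2 forms for all employees immediately.
"""

if __name__ == "__main__":
    for label, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("LOOKALIKE", LOOKALIKE)):
        print(label, "->", "SUSPICIOUS" if is_suspicious(raw) else "ok", assess_message(raw))
```

Note that a W-2 request from a genuine internal executive address produces no sender-integrity reason and so is not flagged; that is deliberate, because the right control for bulk requests for employee tax data is an out-of-band confirmation with the requester regardless of what the headers say. The checks here only decide which messages never deserve that call.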
Key Takeaways
- Restrict access to sensitive information to designated personnel.
- Notify employees of all data protection processes that are in place.
- Make sure all sensitive data is properly encrypted, both at rest and in transit.
- Develop written policies and programs that specifically spell out the respective responsibilities of key personnel.
- Prepare a detailed response plan that can be activated quickly in the event of a breach.
- Where employees use personal electronic devices for work, make sure policies and programs address the security implications of that use.