by Renee Mielnicki, Esq.
Sony Pictures Entertainment recently learned a tough lesson that all employers would be wise to heed. As you may know, last month, Sony was set to release the movie The Interview, a comedy starring Seth Rogen and James Franco. The plot features Rogen and Franco as journalists instructed by the CIA to assassinate North Korean leader Kim Jong-un. After a group known as Guardians of Peace posted threats to the safety of Americans online, Sony decided not to release the movie in theaters. Rather, the movie was made available only online and on demand. Around this same time, hackers were able to breach Sony’s computer systems and obtain the personal information of its employees, which was then released online for the world to access. The information released included names, addresses, dates of birth, social security numbers, passports, visas, medical information, and other personal identifiers. According to the FBI, the Guardians of Peace were responsible for this hack.
I, myself, did watch The Interview over the holidays out of curiosity. While I am not a movie critic, I can tell you the buzz surrounding its controversy is much greater than the movie itself since it’s a bit juvenile and unrealistic. In any event, this fiasco again reminds us of our duty as employers to protect the personal information of our employees since the risk of being hacked remains a very real threat.
Sony is currently being sued in several class action lawsuits by its former and current employees alleging that it failed to protect their personal information. The argument, of course, is that with personal identifiers such as those released online, these employees could become, or may already have been, victims of identity theft. Identity theft can take many forms. Perpetrators have been successful at filing fraudulent tax returns to obtain refund checks owed by the government to their victims. Others focus on debit and credit cards to obtain money. More recently, perpetrators who are arrested give police the personal information of their victims, which creates a criminal record for the victim rather than for themselves and can be quite the nightmare to correct.
Interestingly, these Sony employees have alleged in their lawsuits that Sony was aware in the past of security issues that made its employees susceptible to this type of risk but failed to take appropriate actions to minimize those risks. This may make a difference in the outcome of some of these lawsuits, which will be interesting to see.
Guardians of Peace, whose name is ironic given their threats of bodily injury and their hacking job at Sony, do remind us as employers once again to take our duty to protect employee information seriously. If you are a regular follower of our blog, you might recall an earlier post from September titled “Private Eyes are Watching You” concerning this same subject. While some of this post is duplicative, a little duplication doesn’t seem like such a bad thing at this time, given yet another breach and resulting lawsuits against a large employer like Sony.
Beyond the loss of customer confidence and resulting loss of profits for customer data breaches (Target and Home Depot are examples of that), there can be civil penalties for data breaches that involve your employees’ personal information. At least 47 states have what is generally known as a notification law, which requires a company to notify individuals whose personal information (i.e., name in combination with social security number, financial account number and/or address) has been accessed electronically by an unauthorized user. Depending on state law, failure to notify can result in civil causes of action being brought by either the individual whose information was accessed or the State Attorney General to recover civil penalties or damages.
For some reason, most state notification laws pertain only to electronic data theft. Only seven states, namely Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina and Wisconsin, address theft of data stored in paper files. However, if a breach involves an employee or customer who lives in a state with a notification law that includes paper records, the duty to notify may still be triggered even though the employer is situated in a state whose law pertains only to electronic breaches.
In an effort to standardize requirements, President Obama recently proposed the Personal Data Notification and Protection Act. This federal legislation, if passed, would require businesses to notify their customers within 30 days of discovering a breach of personal information.
Here are some best practices to follow to protect the personal information of your employees that you store in both paper and electronic format:
● Social Security numbers are the key piece of information used by identity thieves. In paper form, they may appear in personnel or payroll files. Tax forms, such as W-2s and W-4s, also contain social security numbers. This information should be accessible only to your Human Resources professional and the Controller or payroll/benefits coordinator, and stored in a separate, locked cabinet. The same is true of benefit election forms. Most contain social security numbers as well and should be stored in a separate, locked medical file accessible only by those with a legitimate business purpose. Lastly, never ask for a social security number on a job application. These forms often change hands between many people in the company, exposing you to unnecessary risk.
● Copies of driver’s licenses should be stored in a secure file as well, since their numbers are often used by identity thieves.
● Direct deposit forms will have bank account information. They should be kept under lock and key by the Controller or payroll processor.
● Any personal information that is stored electronically should be encrypted and redacted (i.e., only the last four digits of a social security number, driver’s license number or bank account number should appear).
● Develop policies pertaining to the use of company equipment, and of personal equipment used for business purposes, that address the use of a required password, use by anyone other than the employee, and the requirement to report a theft or loss of the equipment.
● Consult with a technology and/or forensic expert about potential areas of exposure, compliance and security of electronic data.
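The redaction point in the list above (only the last four digits of a social security number, driver’s license number or bank account number should appear) is easy to state and easy to get wrong in practice, because the full value tends to leak through exports, reports and log lines rather than through the main database. The following is an added example written for this post, not code from Sony or from East Coast Risk Management: it masks the sensitive fields of an employee record, scrubs identifiers out of free text such as a payroll export line, and scans text for identifiers that should have been masked but were not. The field names, record contents and export line are constructed for the example; encryption of the stored copy is the other half of the bullet and should be done with a vetted library, so it is not shown here.

```python
import re
from typing import Any, Dict, List, Tuple

# Field names of a hypothetical HR record (constructed for this example;
# adjust to the column names your own payroll or HRIS system uses).
SENSITIVE_FIELDS = {"ssn", "drivers_license", "bank_account"}

# Patterns for identifiers that should never appear unmasked in exports or logs.
# The SSN pattern accepts 123-45-6789 and 123456789; the account pattern is a
# common heuristic (8 to 17 digits) since bank account formats vary by bank.
UNMASKED_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),
    "account_number": re.compile(r"\b\d{8,17}\b"),
}


def mask_identifier(value: str, keep_last: int = 4) -> str:
    """Replace everything but the last `keep_last` characters with '*'.

    Separators such as '-' are dropped first, so the masked form does not
    reveal the original formatting and cannot be matched by the SSN pattern.
    """
    alnum = re.sub(r"[^0-9A-Za-z]", "", value)
    if len(alnum) <= keep_last:
        return "*" * len(alnum)
    return "*" * (len(alnum) - keep_last) + alnum[-keep_last:]


def redact_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of an employee record that is safe to display, log or export.

    Only the fields named in SENSITIVE_FIELDS are masked; the full values stay
    in the original record, which should live only in the encrypted store.
    """
    redacted = {}
    for key, value in record.items():
        if key in SENSITIVE_FIELDS and isinstance(value, str):
            redacted[key] = mask_identifier(value)
        else:
            redacted[key] = value
    return redacted


def scrub_text(text: str) -> str:
    """Mask any SSN- or account-number-looking value inside free text.

    Intended for log lines, email bodies and CSV exports, where a full
    identifier can slip through even when the database view is redacted.
    """
    for pattern in UNMASKED_PATTERNS.values():
        text = pattern.sub(lambda m: mask_identifier(m.group(0)), text)
    return text


def find_unmasked_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for identifiers that appear unmasked in text.

    Use this as a check on outbound data: an empty list means nothing that
    looks like an SSN or account number is leaving in the clear.
    """
    hits = []
    for kind, pattern in UNMASKED_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


# Constructed sample data; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dept": "Payroll",
    "ssn": "123-45-6789",
    "drivers_license": "D1234567",
    "bank_account": "000123456789",
}
SAMPLE_EXPORT_LINE = "export: Jane Example ssn=123-45-6789 acct=000123456789"


if __name__ == "__main__":
    print(redact_record(SAMPLE_RECORD))
    print("leaks in raw export:", find_unmasked_identifiers(SAMPLE_EXPORT_LINE))
    cleaned = scrub_text(SAMPLE_EXPORT_LINE)
    print("scrubbed export:", cleaned)
    print("leaks after scrub:", find_unmasked_identifiers(cleaned))
```

The two halves work together: `redact_record` is what a screen or report should be built from, and `find_unmasked_identifiers` is the check to run on anything leaving the system (an export file, an outbound email, an application log) so that a full identifier that bypassed the redaction is caught before it becomes a notifiable breach.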
If you have questions about any of your company policies, we would be happy to help. Send us your question at firstname.lastname@example.org.
Disclaimer: The information provided on this web site is for informational purposes only and not for the purpose of providing legal advice. Use of and access to this Web site do not create an attorney-client relationship between East Coast Risk Management or our employment law attorney and the user or browser.