by Renee Mielnicki, Esq.
Let’s face it. Modern technology has seriously reshaped our workplace. Communication in today’s day and age is much more simplistic with email which allows users to reach many recipients in a matter of seconds. Virtual meetings save travel costs and increase mobility by eliminating geographic challenges. Administrative duties are easier with programs that allow for electronic storage and sending and receiving of data. Accounting software allows for fast data entry which can then be compiled, analyzed and quickly spit out into a report with the click of a few buttons.
Unfortunately, the benefits we have gained as a workforce due to technological advances are not without associated risks. As employers, we store a multitude of personal information pertaining to both our employees and our customers. For instance, most businesses have access to financial account numbers, social security numbers and the names and addresses of those they service. Take a look at Home Depot. The company just confirmed a data breach of its payment security system which could affect all of its 2,200 stores. Some reports speculate that Home Depot’s breach may be even larger than the one suffered by retail giant Target last year. In that breach, hackers stole 40 million payment credit card numbers and 70 million other pieces of customer data.
This problem is not unique to our customers. You may recall the data breach at UPMC (a large healthcare provider based in Pittsburgh, PA) which is now reported to possibly affect all 62,000 of its employees. The most unfortunate employees may be those who were victims of a fraudulent tax return scheme or those who had bank accounts opened in their names. These headliners remind us of the data breach risks associated with the modern workplace.
Hackers and data breachers steal customer and employee information such as credit and debit cards numbers, social security numbers, driver licenses and addresses. With this type of information, it’s easy for hackers to commit financial fraud and identity theft for their own personal gain. At first blush, it may seem the casualties are owned only by the victims. Consider, though, the damage to your company’s reputation if it were your system that was compromised. Negative publicity has been costly for Target to diffuse even now, almost a year later.
Beyond the loss of customer confidence and resulting loss of profits for customer data breaches, there can be civil penalties for data breaches that involve your employee’s personal information. At least 47 states have what is generally known as a notification law which requires a company to notify individuals whose personal information (i.e., name in combination with social security number, financial account number and/or address) has been accessed electronically by an unauthorized user. Depending on state law, failure to notify can result in civil causes of action being brought by either the individual whose information was accessed or the State Attorney General to recover civil penalties or damages.
Interestingly, several states, such as Pennsylvania, Ohio, Florida, Georgia and North Carolina, have what is known as a safe harbor exception to their notification law. The safe harbor may provide that the duty to notify is not triggered if the data breached was encrypted (an algorithmic process that is supposed to lower the risk of a hacker being able to determine the meaning of the data stored electronically). However, some states, like Pennsylvania, make an “exception to the exception” where there is reason to believe that the hacker accessed the information even in encrypted form.
For some reason, most state notification laws pertain only to electronic data theft. Only seven states, including Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina and Wisconsin, address theft of data stored in paper files. However, if a breach involves an employee or customer who lives in a state with a notification law that includes paper records, the duty to notify may still be triggered despite the employer being situated in a state whose law pertains only to electronic breaches.
Here are some best practices to follow to protect the personal information of your employees that you store in both paper and electronic format:
● Social Security numbers are the most key piece of information sought by hackers. On paper form, they may appear on personnel or payroll files. Tax forms, such as W-2s and W-4s also contain social security numbers. This information should only be accessible to your Human Resources Professional and the Controller or payroll/benefits coordinator and stored in a separate, locked cabinet. The same is true of benefit election forms. Most contain social security numbers as well and should be stored in a separate medical file locked and accessible only by those with a legitimate business purpose. Lastly, never ask for a social security number on a job application. These forms often change hands between many people in the company, exposing you to unnecessary risk
● Copies of driver’s licenses should be stored in a secure file as well since their numbers are often used by hackers.
● Direct deposit forms will have bank account information. They should be kept under lock and key by the Controller or payroll.
● Any personal information that is stored electronically should be encrypted and redacted (i.e. only the last four numbers of a social security number, driver’s license number or bank account number should appear).
● Develop policies pertaining to use of company equipment and personal equipment used for business purposes that addresses use of a required password, use by those other than the employee, and the requirement to report a theft or loss of the equipment.
● Consult with a technology and/or forensic expert about potential areas of exposure, compliance and security of electronic data.
This may seem like a lot to worry and think about. But, in today’s world, there are always private eyes out there watching where we are storing personal data and trying to gain access to use and exploit it for their own personal benefit. Awareness is the starting point. Being proactive now will help you avoid the need to be reactive in the future.
Disclaimer: The information provided on this web site is for informational purposes only and not for the purpose of providing legal advice. Use of and access to this Web site do not create an attorney-client relationship between East Coast Risk Management or our employment law attorney and the user or browser.