For the past few years, data breaches have made news headlines and raised awareness of data privacy and cybersecurity.  Some of the most well-publicized data breach stories have been the breaches of Sony, Target, Home Depot, Neiman Marcus, and Anthem.  While the news coverage of these data breaches has significantly raised awareness of data security and privacy issues, it could also leave businesses with the impression that cybersecurity is an issue relevant primarily to multinational companies, large retailers, and insurance companies.  That is not the case.

All employers, regardless of the nature of their business, should be cognizant of cybersecurity issues, particularly as those issues relate to employee personal information.  Most employers, through the usual course of business, collect and maintain a tremendous amount of personal information from their employees.  For example, an employer typically has access to and maintains the following information about its employees:

  • Social Security numbers;
  • Contact information, such as postal address, email address, and phone numbers;
  • Financial information, such as bank routing numbers and 401(k) accounts;
  • Health and medical information obtained in connection with workers’ compensation claims or disability or medical leaves of absence; and
  • Medical, life, and other insurance information.

Depending upon the particular laws applicable to a given employer, some or most of this information qualifies as Personally Identifiable Information (PII) and is subject to data privacy protections and breach notification obligations.  For example, in New Jersey, PII includes Social Security numbers, driver’s license numbers, and financial account numbers in combination with a required security code, access code, or password.  New York adds passwords, access codes, personal identification numbers (PINs), and mother’s maiden names to the list of PII.

Given the vast amounts of PII that employers maintain, all employers should review their data collection, storage, and security practices from both a legal and technological perspective to ensure that the PII of their employees is protected.  In addition to reviewing data security practices, employers should familiarize themselves with applicable data breach notification laws so as to be prepared in the event of a data breach, as the triggering events and notice requirements vary from state to state.

Failure to provide reasonable protection for PII or to comply with breach notification laws could result in government enforcement actions and liability to affected individuals.

Future posts on this topic will delve into further detail on employee monitoring and privacy rights and on data breach notification obligations.