You may have a top-notch security incident response plan and a crack team for data breach response…but have you checked to be sure that your company’s HR policies are on the same team as you? Personnel Management is one of the most important—yet often overlooked—of the 10 activity channels for effective data breach response. In the crunch of handling an actual data security incident, your company’s HR policies will either pave or block the road to a nimble, successful response.
Of course, various policies are important for prevention of data security breaches, including policies for such matters as authorized computer systems, e-communications, and Internet use; authorized data and system access; strong passwords; use of encryption and encryption keys; mobile device safeguards; precluding or limiting storage of company data on home or other personal devices; and the like. But other policy provisions are essential for effective security breach response:
1. Duty to report potential security incidents & cooperate in investigations
HR policies should impose a duty on employees to promptly report any circumstances that may give rise to a data breach, such as the loss or theft of devices containing protected information, and to cooperate in any ensuing investigation. The policy should explain exactly how an employee is to make such a report to the company. Employees are obligated to cooperate with an employer in a workplace investigation where the employer has a policy that clearly states employees are expected to cooperate and participate in investigations.
In Rowe v. Guardian Auto. Products, Inc., an employer discharged an employee for refusing to cooperate in a workplace violence investigation. The employee claimed that the employer invaded her privacy by asking her questions about a domestic violence incident in which her co-worker and live-in boyfriend injured her. The employer’s policy required employees to report threats of violence, including potential acts or threats by or against an employee, and to cooperate with investigations that may be implemented following a report of any such possible violence. The policy provided that an employee who failed to comply with an investigation could be subject to corrective discipline, including termination. The employee refused to answer the employer’s questions, and the employer subsequently terminated the employee for failing to cooperate with its policy. The court denied the employee’s invasion of privacy claims because the violent incident was a legitimate concern for the employer and the questions were relevant to a publicly known event.
2. Accessing company-owned systems & devices
In response to a data security incident, your company will need the ability to access and forensically investigate its own computer systems and devices, including information created and stored by employees. Generally, an employer can freely access and retrieve data stored on company systems and devices if it establishes that employees have no reasonable expectation of privacy for such information. Court decisions, such as in Quon v. City of Ontario and United States v. King, support an employer’s right to take investigative measures on devices that the company owns for employee use. HR policies should clearly provide that the company has the right to monitor company systems and device usage and to access data stored in company systems and devices, and that employees have no reasonable expectation of privacy in data stored or accessed using company systems and devices.
3. Accessing company data in employee-owned devices
In some incident scenarios, particularly for companies with a Bring Your Own Device (BYOD) policy or practice, incident response may require investigation of smartphones and other data storage devices owned by employees. Without employee consent, company access to such devices and data will create legal exposure. For example, under the Stored Communications Act, 18 U.S.C. §2701, it is a federal crime to “intentionally access without authorization a facility through which an electronic communication service is provided.” Similarly, under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, it is a federal crime to intentionally gain unauthorized access to, or exceed authorized access to, a computer connected to the Internet.
In Pure Power Boot Camp v. Warrior Fitness Boot Camp, the court found that an employer’s access to an employee’s email in the employee’s personal email account was unauthorized by the employee, and therefore violated the Stored Communications Act. The employer was able to access the employee’s personal email accounts because he stored his username and password on a company computer. The employer then used information from one personal email to access another personal email. The employee did not store any of his personal email content on the employer’s computers, servers, or systems, and he neither sent nor received his personal email directly through the company’s email system. The court found that the employee had a reasonable expectation of privacy in his personal email accounts because nothing in the employer’s HR policies suggested that merely accessing and viewing personal email over the Internet through the employer’s computers would render all of his personal emails in private email accounts subject to inspection by his employer.
Therefore, companies should obtain employee consent to investigate and access company data in BYOD devices that could be involved in a data breach. Consent in advance is crucial, as employees are less likely to give consent at the time of investigation or at termination, especially when they believe they are the focus of an investigation.
4. Mobile device location and remote lock/“kill”
If a mobile device containing protected information (whether or not encrypted) has gone missing or has been stolen, it is invaluable for the company to have the ability to geolocate the device, to remotely lock or “kill” the device, or to otherwise make its data inaccessible. Company policies should lay the groundwork for such actions by disclosing these company capabilities to employees and ensuring that they have no reasonable expectation of privacy in device data or in the potential monitoring of the device’s location.
For example, under the Electronic Communications Privacy Act (“ECPA”), it is unlawful to intentionally intercept any wire, oral, or electronic communication. However, the ECPA carves out specific exceptions that allow employers to monitor communications with prior employee consent and to obtain access to employee email messages the employer stores. So, even under the ECPA, the right company policies may allow employers to access employee communications.
5. Premises searches
In other incidents, a physical search of company premises may be needed, such as to account for missing data storage devices, or in a rogue employee scenario. If such searches include locations used solely by individual employees, such as locked desk drawers, the company may face exposure from employees claiming a reasonable expectation of privacy if its policies do not address such searches.
In O’Connor v. Ortega (480 U.S. 709), the Supreme Court recognized that employees may have “substantial” privacy expectations in private property maintained at their workplaces. The Court held that a physician had a reasonable expectation of privacy in his desk and file cabinets located in his office where he did not share his desk or file cabinets with any other employees, and the desk and file cabinet contained only personal items. Also, the employer had not established any policy discouraging employees from storing personal papers and effects in their desks or file cabinets. Accordingly, the Court found that the physician had a reasonable expectation of privacy at least in his desk and file cabinets.
Thus, companies should prudently obtain employee consent allowing the company to physically search an employee’s desk, locker, or other storage area on the company’s premises in the event of a reasonably suspected data security incident.
6. Other considerations
Companies must be cognizant of how these provisions interact with other policies in their employee handbook, and with workplace laws. Policy provisions addressing data security breach response must be reconciled with other company policies addressing such matters as confidentiality, anti-harassment, and equal opportunity in employment. NLRB rulings limit the circumstances in which employers can monitor employee activities, because such monitoring may infringe on activities protected under the National Labor Relations Act. In a unionized workplace, the employer should check the provisions of any collective bargaining agreement against HR policy provisions addressing data security breach response. And public sector employers must consider constitutional issues for state actors, such as for workplace searches.