A large portion of the data breaches that occur each year involve human resource related issues. This includes situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.

Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part discusses laws that require employers to provide information to employees concerning how the employer treats employee information.

In 2005, Michigan became the first state to pass a statute requiring employers to create a privacy policy that explains to employees what the employer does with their Social Security Numbers, and to whom the numbers are disclosed. Other states, such as New York, Connecticut, Massachusetts, and Texas, have adopted similar statutes. Although not required by law, many employers choose to include information on data security measures within employee privacy policies. If such policies are not drafted carefully, they can inadvertently impose obligations concerning the protection of employee information that are greater than those otherwise imposed by law. Conversely, employee privacy policies create an opportunity to help set employee expectations for how the employer will respond to a security incident, and what types of services the employee can expect from the employer in the event of a breach.

When drafting or reviewing an employee privacy policy, you should consider the following implications for data security:

  • Does the privacy policy guarantee that employee information will remain confidential in all situations? If so, it may create a standard that is impossible for the employer to meet.
  • Does the privacy policy explain how employee Social Security Numbers and other personal information are protected? If so, is the information provided accurate and precise?
  • Does the privacy policy describe what disciplinary measures might be taken against employees who cause the inadvertent disclosure of sensitive personal information?
  • Will the privacy policy be published in an employee handbook, procedures manual, or similar document? If not, will each employee be able to access the policy?
  • Does the privacy policy use terms that might be misunderstood or misconstrued by a regulator or a plaintiff’s attorney?
  • Does the privacy policy discuss the different ways in which the employer may contact an employee if a security breach impacts the employee’s information?
  • Does the privacy policy explain that the employer may decide not to communicate with employees about a security incident until an investigation is complete in order to ensure that the information provided to employees is accurate and precise?

TIP: If you have a website privacy policy, that policy may be written broadly enough to encompass the information that you collect about your employees. If it is, you may be able to avoid drafting a separate stand-alone employee-specific policy.