How Secure Is Your Data And What Can It Cost You?
Employers constantly deal with maintaining personnel, medical and other confidential records related to employees. Some companies keep everything forever, but this leads to crowded storerooms and increased liability in the event of lost or stolen records. In recent years, this issue has extended to electronic data related to employees, customers, and vendors. Still, many companies continue to rely on the “keep everything” approach with little regard for current technology.
Every week seems to bring another data breach related to employees or customers of nationally recognized companies. Statistics show that approximately one-third of data breaches result from hacking attacks by outside individuals or entities. The other two-thirds, however, arise from either careless/negligent employees, e.g., an HR employee who loses a laptop or smartphone containing confidential information, or rogue employees who steal the information. When a breach does occur, federal and state law can require notification to affected individuals. Breaches can also result in lost goodwill and civil liability, including identity-theft damages and paying for credit monitoring services for breached individuals. Many employers literally do not recover from the financial impact of such a data breach. For publicly traded companies, breaches can result in SEC-mandated disclosures and even shareholder suits if a breach negatively impacts stock price.
Although data security is partially an IT issue, it is also an employment issue for any company that wants to utilize best practices or minimize potential liability. Fortunately, there are steps that an employer can take to both minimize the risk of liability and mitigate any potential financial impact of a breach. In addition to storing only necessary records and information for the right period of time and in the proper format, an employer should be able to show a court or governmental agency that it took reasonable steps to protect confidential data within its possession. More than 40 states already impose data breach obligations on companies, and some jurisdictions even require a written information security program (WISP) outlining what a company has done to protect confidential data. This involves using specific policies and employment agreements related to the storage and dissemination of electronic data, as well as training of supervisors and other individuals with data access.
If even sophisticated entities have been impacted by significant data breaches, is any entity really safe? The steps that prudent employers can take to minimize their risk are an inexpensive investment toward building as much protection as possible.
For additional information, please contact William Barath at 614-462-2311 or William.Barath@icemiller.com, or any member of Ice Miller’s Labor and Employment group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.