Companies maintain extraordinary amounts of data about their businesses and the people they employ. And typically, it’s HR that is responsible for establishing the policies that safeguard that data—as well as lawfully managing inappropriate disclosures. Risks can be high. But by anticipating data leaks or thefts, taking steps to prevent them, and studying what the law requires, HR can create a solid plan of action that keeps the company focused on business, not breaches.
Amy L. Malone, Esq. (Associate and Certified Information Privacy Professional) supported by Richard H. Block, Esq. (Member, and an expert in labor and employment law) of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. visited TemPositions’ HR Roundtable Series on Thursday, November 14, 2013 to share their advice on securing employee data. Combining their perspectives on corporate & securities and employment law, they outlined a series of HR strategies for data (and data breach) management.
“There are only two types of businesses,” Malone began. “Those that have experienced a data breach, and those that have not yet realized they’ve experienced a data breach.”
Disclosures are remarkably common, she stressed. They can range from very large to very small, and are often the result of innocent mistakes. But under the law, they can all be considered quite serious. As Malone explained, we’ve all seen banks and credit card companies issue press releases acknowledging large-scale data theft. But even small companies can come under scrutiny—and face penalties—for putting employee privacy or security at risk.
What’s essential, then, is compliance. And this can be a complicated exercise. There is no one federal law governing data breaches, with the exception of the medical record-focused Health Insurance Portability and Accountability Act (HIPAA). So instead of following a single national standard, HR must navigate the specific laws of 46 states, including New York, that have passed legislation governing how employers maintain data privacy and handle breaches.
While this can seem daunting, both Malone and Block agreed, tackling the challenge is essential. It’s helpful to begin by considering all the data that HR collects…and all the ways the company could lose track of it.
The Scope of HR Data Collection
HR departments store a vast breadth of information about employees. They collect state ID or driver license information, passports and/or immigration documents, and social security numbers. They often store health insurance and claims information and sometimes even biometric data. Personnel files include compensation details, performance evaluations and disciplinary histories. Some employers, Malone noted, are even collecting fingerprints.
What’s more, companies are collecting this information about more and more people—which only increases the scope of their potential risk. In addition to employees, HR often stores information about job applicants, independent contractors and retirees. Depending on the types of benefit plans offered, they may also maintain dependent/beneficiary information. And of course, there’s customer data to protect.
With so much risk on the table, Malone counseled, it’s helpful to live by a simple rule: “If you do not need it, don’t collect it.” This approach is especially helpful when it comes to applicants, who may not even begin a relationship with the company. Most employers hold onto applicant data for some time, to ensure they won’t need to defend against employment discrimination suits (or just to keep a decent candidate on the radar). But for that entire period, they assume risk.
As Block piped in to add, companies can minimize that risk by using up-to-date employment application forms, ideally approved by general counsel. Unfortunately, he’s found the vast majority of boilerplate application forms (available online) to be “inappropriate” in one form or another. While it was once common practice to request salary expectations and social security numbers on these forms, for example, it may no longer be lawful—or wise.
Notably, should a breach occur, the matter is subject to the laws of the state in which the applicant resides. That means whenever a company receives an application from an out-of-state hopeful, they’ll need to refer to the laws in that state to determine what information may be collected and how it should be managed.
A Note on Service Providers
Many companies engage third parties, including cloud providers, to handle payroll, benefits administration or other HR-related functions. These companies also collect volumes of sensitive data.
Too often, employers assume these providers are in compliance with all related data security and privacy laws. But it is the company that bears legal responsibility for everything they do.
“Service providers are a huge black hole,” Malone warned. “You can outsource the function, but you can’t outsource the compliance.” Under the law, if a data breach occurs, the employer remains responsible for the information being mishandled and/or disclosed. Service providers (in most cases) are only required to inform the company that a breach took place.
These partners must therefore be carefully vetted to ensure they secure data to the company’s standard—and indemnify their clients to the fullest extent possible (contractually).
The IT Factor
While companies can monitor the data they collect moving forward, they must also consider any “legacy systems” still in use, Malone went on. Past records may include highly sensitive information that should be purged. And outdated databases often prompt users to input unnecessary data—like social security numbers. Some processes, like background checks, require this info. But older systems won’t prompt users to delete data that’s no longer needed.
Of course, computer systems throughout the company store sensitive data that is vulnerable to breach. Departing employees often take information that includes trade secrets or customer data. They may make personal use of customer information. In worst case scenarios, they may sell customer or employee data for fraudulent use or ID theft. While these systems may not be directly governed by HR on a day-to-day basis, any breach will be HR’s challenge to manage.
If your company uses older systems, Malone and Block agreed, it’s important for HR to monitor them more closely. And moving forward, HR should aggressively press leadership to upgrade to more current, secure systems. The investment can be large, and resistance to change is normal. In such cases, it can be helpful to quantify the risks, helping the COO understand just how much the company has to lose. Often, this puts the necessary investment in perspective.
“Your IT budget should hurt,” Malone concluded. “That’s what we often say.”
Typical Threats to Data Security
Ask people how most data breaches occur, and they’ll likely reply, “Hacking.” After all, we’ve all seen high-profile cases of computer hackers targeting large companies that manage a lot of data, like Twitter. But digital break-ins from beyond the company’s network (and employee base) are actually quite rare, and don’t tend to threaten small to mid-size organizations. In most cases, companies find their greatest data security threat is simple human error.
Nine times out of 10, employees disclose confidential information within their daily routines, Malone noted. And the examples are countless. A single digit in a fax number is keyed incorrectly. An old spreadsheet with hidden columns of sensitive data is forwarded via email in haste. Auto-prefill on a company’s email platform causes a message to go to the wrong “Steve.” A sensitive document is left behind on a photocopier.
Employees can also be careless with confidential information that they carry outside the office. Paper files or stick drives brought home for the weekend are mislaid and discovered by a third party. A laptop is left in plain view inside a car and tempts a thief. Old personnel files are discarded, un-shredded, in a non-secure trash receptacle.
Because these are acts of inattention and not malice, it’s tempting to think there’s not much an employer can do to prevent them. But there are definite steps that companies can take—and sensible practices that can be put in place—that reduce the risk of the “casual” breach.
Common Sense Safeguards Against Human-Error Disclosures
Whether sensitive data is being stored physically, digitally or both, “access minimization” offers a strong first line of defense, Malone explained. Ensure that only employees who truly need access to data to complete their core job functions can retrieve it. In some cases, an employee may need only temporary access to accomplish a task. Ensure that once their work is complete, their access also terminates.
Physical storage is easier to see and track. Servers and backup tapes should always be kept behind locked doors. Sensitive records kept in paper files should be kept within HR in locked cabinets, accessible only by specific employees.
Create policies that govern the use of objects that employees may carry with them. Laptops, company smart phones, stick drives and paper files are all company property. State clearly in the employee manual that it is a violation of company policy to leave these items in unsecured locations, like cars. Stress that all company property must remain in the employee’s control at all times, and coach managers/supervisors to reduce the movement of these items, as practical.
On the subject of managers/supervisors, both Malone and Block counseled attendees to forbid creation of independent personnel files. While supervisors can and should document the performance of their employees, all confidential employee information should be maintained by HR and stored within its control. Only HR has the expertise to ensure the records are lawful.
Digital storage can also be “locked away” thanks to advances in encryption. When the content of computer files, backup tapes, emails, stick drives, and smart phones is encrypted, IT can typically destroy it (or otherwise render it useless) remotely. Most states strongly support this approach, Malone stressed. In many cases, if encrypted data is destroyed before being accessed, the law will not consider the employer to have suffered a breach.
Of course, some employees will need access to encrypted information to perform their functions. Again, practice access minimization, and follow local state laws for protecting digital records with regularly-updated passwords. Provide employees with a password generator to create strong, impossible-to-guess passwords, or train workers on avoiding common password combinations/formulas.
Bear in mind that these restrictions may feel punitive to employees. As HR puts each new policy in place, it’s important to communicate why access to information may be restricted and what noncompliance with the new company policies could mean in terms of legal and financial risk. When employees understand the company’s concerns, they may be less likely to carelessly include a social security number on a document, or leave a paper file on a car seat during lunch.
Should a breach occur, state laws are specific when it comes to notifying anyone whose security or privacy may have been compromised. For local employers, the New York Data Breach Notification Law prescribes exactly who the company must notify when sensitive information “becomes disclosed or even temporary available for access beyond appropriate parties.”
Mintz Levin maintains its own spreadsheet tracking the individual requirements of each state. But any HR department can create its own, as long as it includes how each state defines a breach, how much time the company has to notify appropriate parties (including whether or not those parties include state regulators or agencies), and a breakdown of what must be included in the notification.
New York law is strict, Malone noted. Employers must notify not just those whose data may have been disclosed, but the Attorney General and consumer protection agencies. They must also log the incident through an online portal specifically established to track breaches. And in terms of timing, New York requires employers to issue notifications “without unreasonable delay.”
Preparing for a Breach
Don’t wait for the worst to occur before creating your action plan, Malone advised. In order to be ready to respond to a breach lawfully and swiftly, the company can take these sequential steps:
- Gather Information on Your Obligations
For every state in which the company operates or may operate (remember, applicant information is protected under the laws of their home state), collect information on breach law. In particular, investigate how each state defines a breach and what each requires in terms of notification. Who qualifies as an affected individual, when must they be notified, and how must the company do it? Are state agencies or regulators involved?

NOTE: Remember your HIPAA obligations (if any). HIPAA operates alongside state laws, but does not replace them. Any company that self-insures is considered a “covered entity” under HIPAA and must safeguard its data and make notifications as prescribed under that law—in addition to acting in compliance with state-specific laws on general data breaches.
- Train Employees on Handling Sensitive Data
Armed with the knowledge of how state law defines breaches, educate your employees on how to avoid them. Formalize compliance with data protection laws as part of the employee handbook, add a privacy session to your on-boarding process, and coach existing employees on how to handle confidential information appropriately. Remember, most disclosures are the result of simple carelessness or ignorance. Raise employee awareness to reduce risks.
- Assemble your Incident Response Team
Now that you know what the law requires the company to do when breaches occur, HR can form a specialized task force. Malone recommends a group that spans many disciplines:
– Human resources
– Senior management
– Information management/security
– Corporate security
– Corporate communications
Train each team member on their individual responsibilities, focusing on process and approvals. It’s helpful to identify, for example, who will authorize each step of investigating a breach, and who will ultimately sign notification letters. Determining these roles in advance will streamline your response when it counts—in the moment of crisis following a breach.
- Prepare Boilerplate Notifications
Finally, HR should draft templates for notification letters (or work with a legal partner to do so), keeping all state mandates in mind. These may need to be created for employees, law enforcement, regulators, state agencies and, in extreme cases, consumer reporting agencies. Generally, most notification requirements include:
– Type(s) of breached data
– Description of the breach event
– Date and/or length of time that information was exposed
– Indications (if any) that leaked data has been misused
– Steps the company is taking to prevent future breaches
– Offers of remediation, as appropriate (e.g., employer-provided credit monitoring)
It is possible, Malone noted, to draft a single letter that fulfills the requirements of every state. But leadership may not want to disclose all details of a breach in all cases. Continue to partner with the Incident Response Team, especially those charged with safeguarding the company’s reputation, to determine the best approach.
And finally, assume that your correspondence will reach the general public, as covered by media. While not every breach becomes a front-page story, it’s always best to prepare as if yours will be.
What To Do When Breaches Occur
Unfortunately for many companies, even their best efforts at prevention fail. But with a response plan in place, Malone stressed, HR can help the company resist the urge to panic and get straight to work managing the breach.
First, before any thought of notifications, confirm that the breach has been contained or work immediately to contain it. It’s important to appear—and remain—in control.
Carefully identify who was affected, exactly what information leaked, and how. When you do notify the affected parties, you’ll want to reassure them that the company has identified the root cause of the breach and that the information is now securely back in your control. Remember, your notifications may also reach the data thieves. You don’t want to alert them to the potential value of encrypted data, for example, before IT has a chance to destroy it remotely.
Occasionally, HR may discover a leak that the law doesn’t strictly define as a breach—and be tempted to overlook it. But notifying may still make good sense. Malone offered the example of a company accidentally distributing passwords used by employees to access an intranet portal on hobbies. While recipes might not seem like sensitive information, the passwords could be. After all, many people use the same password for multiple sites—including those for banking.
Ultimately, the law is there to tell you when your employees must be protected, Malone noted. But companies often notify whenever they feel their employees should be. Rather than react defensively to hide a disclosure, consider the risks, however small. Often, giving employees a heads-up is just the right thing to do.
Be Ready, Reduce Risk
As they finished their presentation, Malone and Block urged attendees to embrace the challenge of preparing for breaches. Every step in this process—from learning about notifications to considering the day-to-day handling of sensitive information—empowers the company. By being proactive, HR can reduce both the risk of a breach and its severity. And when the inevitable occurs, they’ll be ready to take the lead and manage the incident with confidence.
“It’s all about being prepared,” Malone concluded. “Because it’s not a matter of if, but when.”
Anne DeAcetis is a freelance writer based in New York. Reach her at email@example.com.
The HR Roundtable is a breakfast forum for human resources professionals in New York City sponsored by The TemPositions Group of Companies. TemPositions, one of the largest staffing companies in the New York tri-state area with operations in California, has been helping businesses with their short- and long-term staffing needs since 1962. Visit them online at www.tempositions.com or email them at firstname.lastname@example.org.