Not if, But When: Employers Must Have a Plan in Place to React to Data Breaches Compromising Employee Records
On behalf of Wessels Sherman posted in Other on Saturday, June 24, 2017.
Last year U.S. companies and government agencies reported 1,093 data security breaches, a 40 percent increase from 2015. High-profile breaches include the hacking that affected more than 1,000 Wendy’s Co. restaurants in July 2016. Just last week, McDonald’s Canada announced that the data of 95,000 of its job applicants was compromised in a cyber-breach. But it is not only hacking that causes security breaches for companies: in 2014, the theft of unencrypted laptops at Coca-Cola exposed sensitive information of about 74,000 current and former employees. Last fall, a Boeing worker inadvertently exposed the personal data of 36,000 Boeing employees in four states by sending a spreadsheet to his spouse. According to a UK-based study, employee error, like that in the Boeing case, is most often to blame for data security breaches.
Since the majority of employers maintain employee records that include sensitive information, such as social security numbers and driver’s license numbers, a data breach of employment information can be catastrophic. Given the likelihood that such breaches and computer hacking may continue to grow, employers must have plans in place and know what to do when sensitive information of their employees is compromised in a data security breach.
Minnesota Statute Section 325E.61 requires a business, including an employer, to notify affected individuals “in the most expedient time possible and without unreasonable delay.” This obligation applies to employers if “personal information” is acquired by an unauthorized person in a security breach. “Personal information” means an individual’s name in combination with a social security number, a driver’s license or Minnesota identification card number, or an account number or a credit or debit card number together with any required security code, access code or password that would permit access to the person’s financial account. Notably, the statute covers only data that is not secured by encryption or a comparable method that makes it unreadable; properly encrypted records that are lost or stolen do not trigger the notice duty, which is one reason the unencrypted laptops in the Coca-Cola case were so costly. Depending on the number of people affected and the cost of reaching them, notice may be provided in writing, electronically, by conspicuous posting on the employer’s website, and/or through dissemination by major statewide media.
Minnesota employers that fall victim to a mass data breach (affecting 500 or more individuals) have additional obligations. Within 48 hours of notifying the affected individuals, they must also notify “all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis … of the timing, distribution and content of the notices.” In addition, Minnesota law restricts the use of social security numbers in an employment setting by prohibiting a number of acts involving social security numbers (for example, requiring an individual to transmit the number over an unsecured or unencrypted internet connection).
Like Minnesota, the majority of states now have a notice requirement when a security breach compromises commonly-held private information. Some states go well beyond the Minnesota statute. For example, on January 1, 2017, Illinois’ data breach notification law was amended to include expanded categories of trigger data (data content that triggers a notice requirement). Today Illinois’ trigger data includes health insurance information, medical information, unique biometric data, and log-in credentials. In addition, if the breach impacts more than 250 Illinois residents, companies have an obligation to notify the Illinois attorney general. While employer duties and obligations under the state laws vary, the laws often share the same basic requirement: that an employer must notify employees if a security breach compromised or is reasonably believed to have compromised, personal information of the employees.
While the statutory obligation to notify employees may be clear, the courts are not settled on whether an employer has a contractual obligation to secure an employee’s personal information. In the Coca-Cola data breach referenced above, a former employee sued Coca-Cola alleging that the company had failed to secure his data and to promptly notify employees of the breach. A Pennsylvania federal judge found that Coca-Cola had no contractual obligation to secure an ex-employee’s personal information. The District Court analyzed Coca-Cola’s Employee Code of Conduct and concluded that the document imposed no duty on the employer.
Conversely, a district court in California ruled in favor of former and current employees in a claim brought against Seagate Technologies, Inc. for a data breach that resulted in the theft of W-2 forms. The Court held that Seagate had a duty to its former and current employees, and their spouses and dependents, to protect their personal information. The court concluded that the employees provided their information as a condition of employment “with the understanding their employer would guard that information.”
With the law on this topic clearly in flux, and with state laws varying, employers should take steps now to prevent a data breach and protect employees’ data. For Minnesota employers, as well as employers in other states, the following steps are of utmost importance:
1. Mandate security training for employees and teach them to check with the IT department before sending personnel data outside the company, so that accidental disclosures like the Boeing spreadsheet are avoided.
2. Avoid using social security numbers as employee identification numbers, and eliminate data collection forms that request personal data the company does not need.
3. Ensure that electronically stored employee data is kept in a secure computer system. Encrypt it at rest, particularly on laptops and other portable devices, limit access to the employees who need it, and avoid taking copies off-site.
4. Purchase cyber-liability coverage from your insurance broker.
5. Review current policies for safeguarding data and create a comprehensive plan for responding to a security breach. Conduct simulations to test the effectiveness of the response plan.
6. Review your employee handbook and consider changes that may limit potential contractual liability for data breaches.
7. Check the notification requirements for each state where your employees are located, including thresholds that trigger notice to consumer reporting agencies or a state attorney general.
8. Develop template notification letters to use in the event of a breach.
9. In the event of a breach:
a. Treat your employees like clients or customers, regardless of your legal requirements.
b. Notify employees quickly to meet obligations under Minnesota law and the laws of many other states.
c. Offer free credit monitoring services.
d. Provide immediate notice to law enforcement as well.
If you would like to speak with one of our experienced labor and workplace attorneys, contact Wessels Sherman at any of our four office locations to schedule a consultation.