Protect Your Employees’ Personal Information or You’re Putting Your Business at Risk
For the past few years, data breaches have made news headlines and raised awareness of data privacy and cybersecurity. Some of the most widely publicized data breach stories have been the breaches of Sony, Target, Home Depot, Neiman Marcus, and Anthem. While the news coverage of these data breaches has significantly raised awareness of data security and privacy issues, it could also leave businesses with the impression that cybersecurity is an issue relevant primarily to multinational companies, large retailers, and insurance companies. That is not the case.
All employers, regardless of the nature of their business, should be cognizant of cybersecurity issues, particularly as those issues relate to employee personal information. Most employers, through the usual course of business, collect and maintain a tremendous amount of personal information from their employees. For example, an employer typically has access to and maintains the following information about its employees:
- Social Security numbers;
- Contact information, such as postal address, email address, and phone numbers;
- Financial information, such as bank routing numbers and 401(k) accounts;
- Health and medical information obtained in connection with workers’ compensation claims or disability or medical leaves of absence; and
- Medical, life, and other insurance information.
Depending upon the particular laws applicable to a given employer, some or most of this information qualifies as Personally Identifiable Information (PII) and is subject to data privacy protections and breach notification obligations. For example, in New Jersey, PII includes Social Security numbers, driver’s license numbers, and financial account numbers in combination with a required security code, access code, or password. New York adds passwords, access codes, personal identification numbers (PINs), and mother’s maiden names to the list of PII.
Given the vast amounts of PII that employers maintain, all employers should review their data collection, storage, and security practices from both a legal and technological perspective to ensure that the PII of their employees is protected. In addition to reviewing data security practices, employers should familiarize themselves with applicable data breach notification laws so as to be prepared in the event of a data breach, as the triggering events and notice requirements vary from state to state.
Failure to provide reasonable protection for PII or to comply with breach notification laws could result in government enforcement actions and liability to affected individuals.
Future posts on this topic will delve into further detail on employee monitoring and privacy rights and on data breach notification obligations.
As the law continues to evolve on these matters, please note that this article is current as of the date and time of publication and may not reflect subsequent developments. The content and interpretation of the issues addressed herein are subject to change. Cole Schotz P.C. disclaims any and all liability with respect to actions taken or not taken based on any or all of the contents of this publication to the fullest extent permitted by law. This is for general informational purposes and does not constitute legal advice or create an attorney-client relationship. Do not act or refrain from acting upon the information contained in this publication without obtaining legal, financial, and tax advice. For further information, please do not hesitate to reach out to your firm contact or to any of the attorneys listed in this publication.