Workplace Privacy and Data Security

State Regulations Update

William C. Martucci and Jennifer K. Oldvader

Employment Relations Today, Summer 2010. ©2010 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/ert.20299

Imagine a scenario where a laptop containing employees’ personal information, including names, addresses, Social Security numbers, and health information, is stolen from your company. Regrettably, this kind of situation is not uncommon. The Privacy Rights Clearinghouse—a consumer information and advocacy organization—estimates that over 350 million records containing sensitive personal information have been involved in security breaches in the United States since January 2005.[1] In addition, identity theft in the United States has become increasingly common, with the Federal Trade Commission estimating that as many as nine million Americans have their identities stolen each year.[2]

Not all, or even most, of these situations involve data breaches by employers. However, whether the breach is due to a hacker, a lost laptop, data theft by an unhappy departing employee, or any other security breakdown, employers must be armed with a plan of attack to deal with such breaches and be aware of all applicable laws controlling their responses.

Employers clearly have a need to gather and maintain personal information regarding employees and applicants. However, the sheer number of data-security breaches in recent years has led 45 states[3] and the federal government to enact some form of a security-breach notification law that addresses how businesses—including private and public employers—use, maintain, and respond to breaches of personal data.

COMMON ELEMENTS OF STATE SECURITY-BREACH STATUTES

At least two states, Connecticut and Michigan, have laws that explicitly apply to employers’ maintenance of employees’ personal information. Other states, including California, Nebraska, New York, Michigan, and Oklahoma, have passed laws prohibiting employers from using employees’ Social Security numbers for identification purposes. These laws generally prohibit employers from printing an employee’s complete Social Security number on paychecks, direct deposit notices, and cards or tags required for the individual to access products, services, or benefits, or requiring the employee to use his/her Social Security number to access Web sites (unless a password or other authentication device is also required). In most instances, an employer may use four digits of the Social Security number, as opposed to the full nine-digit number. Most other states have more general laws requiring individuals and businesses alike to protect the security and confidentiality of “personal information” in their possession. In general, state laws contain the following elements:

1. Applicability. Although the reach of each state’s law varies, private employers are generally covered. Most state statutes apply only to electronically maintained data.

2. Definition of personal information. Protected personal information generally consists of the person’s name and one or more of the following data elements that are not encrypted: Social Security number, driver’s license number, or financial account number along with any required PIN code. Encrypted, redacted, and public information are generally excluded from the definition of personal information.

3. Definition of breach. Some statutes define a breach using an “acquisition-based trigger,” meaning that there has been a breach any time unencrypted personal information is acquired without authorization. Other states define breach using a “risk-based” analysis that examines the likelihood of harm. For example, the Tennessee statute defines breach “as unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.”[4] Both types of statutes generally exclude the “good-faith acquisition” of personal data from the definition of breach. Good-faith acquisition is often defined as obtaining data for a legitimate purpose in a manner that does not represent a threat to confidentiality.

4. Notification obligations in the event of a breach.

   a. When, how, and to whom notice should be made. Generally, notice is required to all residents of the state whose personal information was affected by the breach. Some states also require notice to credit reporting agencies, the police, the state attorney general, and/or other government entities.


   b. Contents of the notice. State law requirements vary concerning the contents of the notice. However, they routinely require:
      i. Description of the incident in general terms;
      ii. The approximate date of breach; and
      iii. The type of personal information obtained as a result of the security breach.

   c. Method of notice. The specific methods vary by state; however, the following methods are generally permitted:
      i. Written notice;
      ii. Electronic notice, for those persons for whom the employer has a valid e-mail address and who have agreed to receive communications electronically (the notice generally must conform with the provisions of 15 U.S.C. § 7001);
      iii. Telephonic notice, provided that contact is made directly with the affected persons; and
      iv. Substitute notice, if the business demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information to utilize the above methods. Substitute notice usually must consist of the following:
         • E-mail notice when the business has an e-mail address for the subject persons,
         • Conspicuous posting of the notice on the Web-site page of the business, if one is maintained, and
         • Notification to major statewide media.

   d. Time period for notice. Typically, notice must be made within 30–45 days. However, most states have an exception where notice may be delayed per the request of law enforcement.

5. Penalties. The consequences of noncompliance include civil penalties. State laws vary as to who has standing to enforce. Some state statutes provide for a private right of action, whereas others limit enforcement powers to the state attorney general.

6. Proactive security measures. Some states require proactive security measures in addition to post-breach notice requirements. These statutes require employers to develop policies and procedures that would protect personal information from unauthorized destruction, disclosure, maintenance, or acquisition.

RECENT STATE LAW INITIATIVES

As noted earlier, by early 2010, 45 states had adopted laws that address the security, maintenance, and/or destruction of personal information, as well as an entity’s obligation in the event that the security of such data is breached. With ever-growing media attention on security breaches and identity theft, these laws are continuing to evolve and become more protective. Indeed, in the first few months of 2010, Florida, Kansas, Kentucky, Michigan, New York, and Pennsylvania all introduced or reintroduced legislation or amended legislation addressing this issue. The following summarizes the current efforts in these states.

Florida

Florida has introduced bills[5] in both of its legislative houses that would require companies to follow federal guidelines when disposing of personal data. The bills would require all business and government entities that collect personal information to follow the “Guidelines for Media Sanitization” set by the National Institute of Standards and Technology. These guidelines require businesses to make all personal data that is being disposed of inaccessible.

Kansas

The Kansas bill[6] would require government agencies to conduct a “vulnerability” scan of their networks periodically, but not less than once per year.

Kentucky

Kentucky, which does not currently have a data-security law, has introduced a bill[7] that would apply only to governmental agencies and require agencies to safeguard personal information in the same manner that it must be safeguarded under the federal Gramm-Leach-Bliley Act.[8]

Michigan

Michigan is considering several new bills. The first would actually ease personal-data-disposal requirements, mandating that companies and agencies destroy only “unencrypted, unredacted personal information” as it relates to state residents.[9] A second bill[10] would make businesses and agencies that adopt comprehensive data-security measures to protect personal information immune from civil liability for damages due to security breaches.

New York

The New York data-security bill[11] would amend its current Information Security Breach and Notification Act[12] to establish a general encryption standard as a safe harbor for entities seeking to avoid giving breach notice to individuals under the Act. The bill would also require businesses and state agencies to implement and maintain reasonable security safeguards. The bill would also mandate notification of certain breaches to the state attorney general.

Pennsylvania

The Pennsylvania bill[13] would amend the state’s current notification law[14] to require public agencies to notify state residents of a breach of their personal information within seven days after the breach is discovered. The current law requires any entity that collects such information to provide notice without unreasonable delay.

OVERVIEW OF FEDERAL NOTIFICATION REQUIREMENTS AND PENDING LEGISLATION

Federal law currently places few obligations on employers to notify employees concerning breaches of personal data. However, recent changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) do place notification obligations on employers when they learn that their employees’ unsecured protected health information (PHI) has been breached.

In February 2010, the Health Information Technology for Economic and Clinical Health (HITECH) Act,[15] enacted as part of the American Recovery and Reinvestment Act of 2009, became effective. The HITECH Act significantly changed the privacy and security rules of HIPAA. Under the new law, employers are required to take the following steps when they learn that the PHI of employees participating in HIPAA-covered plans has been breached:

• Notify major media outlets and the Department of Health and Human Services if a breach involves 500 or more plan participants.

• Notify affected individuals within 60 days of becoming aware of the breach.

• Provide in the notice to individuals, at a minimum, five specific categories of information.

• Deliver the notice by first-class mail to each affected individual’s last known address.

In addition to the changes brought by the HITECH Act, the House of Representatives passed the Data Accountability and Trust Act (DATA)[16] on December 8, 2009. DATA would establish federal data-security standards and create a national breach-notification standard. It would apply to individuals engaged in interstate commerce who own or possess data in electronic form containing personal information[17] (or contracts to have any third-party entity maintain such data). Under this broad definition, most businesses in the United States would, therefore, be subject to the Act and be required to establish and implement appropriate data-security policies and procedures. The policies and procedures would have to:

• Describe the procedures to be used in the collection, use, sale, dissemination, and maintenance of personal information.

• Name an officer or other point person concerning the management of information security.

• Develop a process for identifying and assessing any reasonably foreseeable vulnerabilities in the person’s electronic systems, including regularly monitoring for breaches of security.

• Detail a process for taking preventive and corrective action to mitigate against these vulnerabilities.

• Implement a process for disposing of obsolete data in electronic form containing personal information.

In the event of a security breach, DATA also provides a notification standard. This standard is similar to that implemented by the new HIPAA rules and discussed earlier. DATA would require this notice only if there is a reasonable risk of identity theft, fraud, or other unlawful conduct. In addition to notice, entities would be required to assist affected persons in obtaining certain credit information, including providing credit reports at no cost to the affected individual.

DATA is now pending before the Senate and may be substantially changed before enactment, if it is passed at all. However, Congress’s recent changes to HIPAA as well as the ever-growing list of state standards suggest that implementation of a national standard is simply a matter of time. If signed into law, DATA would preempt state notification laws, truly providing for a national standard.

DEVELOPING ADEQUATE DATA-SECURITY POLICIES

All employers should develop both policies that seek to safeguard employee personal information as well as protocols to follow in the event of a breach. Even companies that operate in the remaining handful of states that do not require such policies or notification should implement a data-security plan in light of the ever-increasing regulation in this area and the fact that federal legislation, such as DATA, may soon create nationwide standards applicable to virtually all employers. Although employers must make sure that these policies and protocols comply with all applicable state law requirements, policies and protocols should include the following basic elements:

• Define personal information using definitions supplied by the applicable state law.

• Collect only that personal information that is necessary to conduct the employer’s business.

• Implement administrative, technical, and physical safeguards to ensure the security and confidentiality of personal information. Again, these safeguards must be consistent with applicable state law and, if related to personal health information, with HIPAA as well.

• Designate an employee who is responsible for maintaining the company’s IT security program.

• Identify reasonably foreseeable risks to the security, confidentiality, and/or integrity of records containing personal information; evaluate possible methods to alleviate these risks.

• Train employees on information security, and discipline them for violating the security policy.

• Carefully review any breach-notification requirements contained in applicable state law with legal counsel and develop a protocol to follow in the event of a breach.

• Supervise any third-party service providers who may be providing storage or other maintenance of personal information.

CONCLUSION

Employers must be mindful of the increasing number of state laws affecting their maintenance of employee personal information and placing specific obligations on them in the event of a breach. With the increasing ability of employees to work remotely, and for data to be passed from a secured network to an unsecured computer, employers must move to protect personal information and ensure that all personnel handling this information are well aware of policies restricting its use and maintenance.

NOTES

1. http://www.privacyrights.org/ar/ChronDataBreaches.htm#2010.
2. http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html.
3. Only Alabama, Kentucky, Mississippi, New Mexico, and South Dakota currently lack such a law.
4. Tenn. Code § 47-18-2107.
5. Senate Bill 586 and House Bill 279.
6. House Bill No. 2408.
7. House Bill No. 107.
8. 15 U.S.C. 6801–6809.
9. House Bill No. 4374.
10. Senate Bill No. 717.
11. Senate Bill 3760.
12. N.Y. Gen. Bus. Law § 899-aa.
13. Senate Bill No. 155.
14. 73 Pa. Stat. § 2301, et seq.
15. Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009).
16. H.R. 2221.
17. DATA defines the term “personal information” to mean an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following for that individual:
   • Social Security number,
   • Driver’s license number or other state identification number, and
   • Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.


William C. Martucci is a partner with Shook, Hardy & Bacon LLP, where he serves as the practice group leader of the National Employment Litigation and Policy Group. He is included in The Best Lawyers in America for employment litigation and in Euromoney’s Guide to Leading U.S. Labor & Employment Lawyers. He may be contacted at [email protected]. Jennifer K. Oldvader practices with Shook, Hardy & Bacon, LLP, in the National Employment Litigation and Policy Group. She may be contacted at [email protected].
