Demonstrating both Congressional and Presidential commitment to this issue, the National Cybersecurity Protection Act of 2014 (Pub.L. 113-282 (2014)) (“NCPA”) was enacted in December 2014, requiring federal agencies to notify individuals affected by a data breach “as expeditiously as practicable and without unreasonable delay” after discovery. In furtherance of his personal commitment to the issue, President Obama called for a national data breach notification law and a consumer privacy bill of rights to protect individual identity in his State of the Union Address on January 20, 2015.
Forty-seven states, the District of Columbia, Guam and Puerto Rico have enacted data breach notification statutes, leaving only Alabama, New Mexico, and South Dakota without such a law.
In early 2014, the Kaiser Foundation Health Plan, Inc. settled a suit brought by the California Attorney General (AG), wherein the AG alleged that Kaiser violated state breach notification law by its unreasonable delay in advising affected individuals after learning that a hard drive containing personal information of Kaiser employees was sold at a thrift store. California v. Kaiser Found. Health Plan, Inc., No. RG14711370 (Cnty. Alameda Super. Ct. Jan 24, 2014). Without admitting liability, Kaiser agreed to pay $150,000 in penalties and costs, and agreed to non-monetary terms such as employee training, review and updating of encryption and related policies, and conducting related periodic audits with reports to the AG's office. Multi-state employers should become familiar with the state laws where they operate, as the laws vary widely from state to state.
Employers are increasingly being sued by employees whose personal information has been compromised as the result of a security breach. For example, with two lawsuits already pending, on January 2, 2015, a third Class Action Complaint was filed against Sony seeking “actual damages” for injuries resulting from the data breach that allegedly compromised the personally identifiable information of thousands of Sony employees. Rodriguez v. Sony Pictures Ent., Inc., No. 2:15-cv0014, U.S. District Court, Central District of California. According to the Complaint, the information released included “social security numbers, names, birth dates, addresses, passport and visa information, salary information, private medical documents and information and other sensitive information.” The claim further alleges that an earlier security audit performed on Sony’s system revealed “serious gaps in Sony’s monitoring of data systems,” and that Sony failed to secure the sensitive data despite “multiple warnings from independent auditors and experts,” thereby breaching its duty to exercise reasonable care in maintaining IT security procedures, infrastructure, personnel and protocols, and that Sony further breached that duty by failing to dispose of sensitive employee information it no longer needed. Although the Sony cases are in the early stages, and liability, if any, has certainly not yet been determined, the allegations in these lawsuits provide insight into public expectations regarding maintaining security of sensitive employee information. Such cases against companies experiencing data security breaches will continue to evolve and will be watched as possible harbingers of employer liability for employee data security issues.
III. Pro-Active Measures and Recommendations
Clearly, employers should take steps to address possible cybersecurity incidents before they occur and protect sensitive company and employee information. Some recommendations in this regard include the following:
1. Create an Incident Response policy and update existing Internet Usage, Social Media, Confidentiality, Information Security, Document Retention/Destruction and related policies; make sure these policies include a statement that there should be no expectation of privacy in the company electronic systems, which may be monitored for company data security purposes.
2. Identify a team to address security issues within the organization (including IT, as well as one officer or manager who has primary responsibility for overseeing compliance with the relevant policies).
3. Consider encrypting data containing sensitive employee or customer information.
4. Conduct a risk assessment to assess internal system vulnerabilities and to gain an understanding of the company’s use, storage, and location of sensitive data.
5. Evaluate the potential impact of a compromise of sensitive information to the company, its employees or customers and how the risks could be reduced; for example, discontinue use/storage of employee Social Security numbers for identification.
6. Don’t fail to consider data on mobile devices, phones, and laptops, whether company- or employee-owned; require unique passwords on these devices and limit access to employees only.
7. Consider cybersecurity insurance, which may cover expenses related to management of a data breach incident. Cybersecurity policies typically cover losses arising from business interruption, destruction of data and property, and reputational harm, but may also cover losses that a company causes to its customers and others, such as harms arising from the exposure of personally identifiable information through a data breach. For more information, see the July 2014 Cybersecurity Insurance Event Readout Report, issued by the U.S. Department of Homeland Security, at www.dhs.gov/publication/cybersecurity-insurance.
8. Train employees/managers on applicable policies; train managers regarding cybersecurity risks. Include training on appropriate content of emails and other company communications, and use of a professional tone at all times.
9. Limit access to sensitive data only to those individuals with a true need to know.
10. Keep software, firewalls, virus protection systems and operating systems up to date, engaging outside professionals to conduct periodic audits; follow recommendations from the audits, or at least be prepared to explain if not followed.
Mary Moffatt Helms, Attorney, Wimberley Lawson
mhelms@wimberlylawson.com
www.wimberlylawson.com
www.HRProfessionalsMagazine.com