Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach. While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft. In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code.
Here are five key points for employers to consider as they confront these statutes.
- Be Prepared. Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data. Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
- Train HR Professionals. In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples. HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks. The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
- Determine Your Notice Obligations. When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws. To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state. In some circumstances, a security breach may not trigger a legal obligation to notify — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
- Help Your Employees. Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance. Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891. This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
- Learn From Your Mistakes. After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.