It has become almost commonplace to hear that a government agency or private corporation has been the victim of a data security breach. As a result, hundreds of customers’ or employees’ personal data is at risk of being used for criminal purposes such as identity theft. Approximately 70 percent of those breaches are caused by an insider. In many cases, a laptop computer containing sensitive information is lost or stolen from a car or home. Other times, someone hacks into a system containing confidential information.
In response to this steady drumbeat of breaches, a majority of states have enacted “notification” laws. These laws are typically triggered when some combination of a person’s unencrypted personal information (such as first and last name, address, social security number, and driver’s license number) is compromised. The organization that suffered the breach must notify the individuals affected and, in some jurisdictions (e.g., New York), state agencies. A breach may trigger notification laws in the state where the company does business as well as the states in which residents have been or might be affected by the breach.
In addition to state notification laws, there are industry-specific laws that regulate data privacy and security. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to safeguard protected health information of patients, and the Gramm-Leach-Bliley Act requires financial institutions to protect consumers’ financial information. Even those in unregulated industries often maintain sensitive personal information concerning their employees, including social security numbers and medical records (e.g., for workers’ compensation claims), family and medical leave requests, and requests for accommodation.
In light of this patchwork of laws and the ever-increasing threat of a data breach, there are some basic steps you can and should take to keep your data secure and prepare yourself for a breach. In developing safeguards for sensitive data, you should remember that employees are not only the most likely candidates for causing a security breach but also the best defense against incurring one in the first place. The following steps for safeguarding sensitive data are by no means exhaustive, but they’re a good starting point in the process.
Step 1: Perform background checks
Thorough interviews and background checks are critical to minimize the likelihood of hiring someone who poses an undue security risk. Background checks may include, among other things, verifying employment history and checking references and criminal records. The failure to properly screen an applicant would almost certainly be used against a company if the person stole information and had a history of such misconduct that was easily discoverable.
Step 2: Develop appropriate policies
Most organizations have handbooks that are distributed to employees. Handbooks should be regularly reviewed and updated to ensure that appropriate data security policies exist and that they accurately reflect the current business model and technological advances.
In developing or updating data security policies, it’s important to involve the right players, which typically include a mix of people from management, HR, IT, and inside or outside counsel. Next, you should map out the key data in your possession so you can analyze the legal requirements for securing it, the chain of custody for the information, who has access to it, who requires access to certain aspects of the data, and so on. Finally, the policy must be developed, tested, and implemented.
Data security policies have many elements, and they will vary depending on the nature and size of your business. Still, there are some common themes. In addition to a critical incident response plan (discussed below), a data security policy might cover:
- use of laptops (at home or when traveling) and other portable devices;
- password protection and encryption;
- data backup and disposal procedures, including disposal rules promulgated by the Federal Trade Commission under the Fair and Accurate Credit Transactions Act;
- data classification and access;
- e-mail and blogging; and
- limitations on downloading, printing, and transmitting information, especially to third parties, home computers, or other nonsecure recipients.
Step 3: Create a critical-incident response plan
You should prepare a critical-incident response plan before an incident occurs. The plan should identify a person or position responsible for receiving and investigating reports concerning data breaches. In light of the potential legal liability associated with a breach — which can involve criminal law enforcement, state or federal agencies, or an individual or group of potentially affected persons — it’s critical to involve inside or outside counsel as soon as possible to protect, to the extent allowed, communications related to the event under the attorney-client privilege.
Step 4: Train and supervise employees
A data security policy that sits on a shelf gathering dust is not only unhelpful, but a person affected by a breach would surely argue that the company’s failure to follow its own policy amounts to negligence. Therefore, it’s critical to train and supervise employees so that they know and understand how to keep information secure and what to do if a breach occurs. Consider training employees on the policy during a routine orientation process and as part of an annual review or whenever the policies are revised or updated.
Step 5: Review your contracts
If you contract with vendors or other third parties to handle or process transactions or other information, be sure to analyze what kind of safeguards they have in place to protect the confidential information to which they will have access. Employees should know what information they can and can’t share with third parties. Another concern is what liability, if any, you or the vendors will have in the event of a breach. It’s better to address those issues at the beginning of the relationship as opposed to after a breach has occurred.
Bottom line
There’s no way to completely protect against a data breach, but a few simple steps can go a long way in minimizing the risk and potentially avoiding a lawsuit if a breach does occur.
For more information on data security, you can contact Mark Wiletsky at the firm of Holland & Hart LLP in Boulder. He can be reached at (303) 473-2864.