In 2018, Resolve to Keep Employment Records Secure

Contributed by Noah A. Frank, February 8, 2018

Though hacked systems are alarming, data breaches too often come from much more mundane sources, such as computers without passwords (or with weak ones), files left sitting out on desks, and even briefcases left on airplanes (like the Department of Homeland Security’s analysis of terrorist threats at the Super Bowl). An employer’s exposure for data breaches can be significant. At a minimum, it includes fines, civil suits (including class actions), lost trust and bad publicity, and remediation costs.

In 2017 alone, some of the major headline data breaches included the Paradise Papers and Panama Papers scandals (two data breaches totaling 3.9TB of data and 24.5M documents), a credit reporting agency, a telecom provider and a wholly owned web service provider. As we previously discussed, employers are obligated through various statutes and regulations to keep and maintain many types of employment records containing significant personal, confidential, and highly sensitive information. Such records range from job applications and resumes, to tax forms and benefits applications, to medical records stemming from workers’ compensation, disability, and FMLA claims. These records contain employees’ (and their dependents’) addresses, phone numbers, social security numbers, dates of birth, banking and financial information, and highly sensitive medical information. Other internal files may contain client information, usernames, and even passwords that employees reuse across work and personal accounts. In short, employers hold all of the information needed to expose every employee to identity theft or other adverse use of their private information.

Data Security in the 21st Century

The significant data breach risks require companies to practice good record maintenance hygiene. Some important and simple steps to follow in 2018 include:

  • Secure electronic systems: restrict access to necessary programs, folders, and files, with employees using unique, memorable passwords/passphrases. Perform a physical “audit” to ensure employees are not storing passwords beneath keyboards (yes, it still happens!).
  • Utilize protection: lock offices, install privacy screen filters, keep files secured. Remember, a data breach can be as simple as one prying employee looking in another’s file left on a desk – or the cleaning service pocketing an entire file.
  • Keep communications confidential: avoid unintentional disclosure through speakerphone and group printers.
  • Enable remote wipe capabilities in case portable devices are lost, stolen, or otherwise compromised.
  • Plan for the unexpected: establish protocols to secure systems and maintain data integrity should it be necessary to terminate an employee, including the chief technology officer, and how to handle a data breach should it occur.
  • Engage legal counsel as necessary to perform audits of policy and practice, address high risk situations to ensure legal compliance, and shepherd remediation and handle concise communications if and when a breach occurs.

Through strategic planning and implementation of security policies and protocols, companies can be prepared to efficiently address situations in a fluid and dynamic manner without impeding operations.

Illinois Employer Faces Class Action for Using Fingerprints to Track Attendance

Contributed by Suzanne Newcomb, October 5, 2017

Technology allowing employers to use biometric data tools to track attendance and maintain worksite security abounds. Purveyors hype the advanced technology’s ability to accurately validate time entries, eliminate fraud, and better control access to the workplace or to sensitive areas within the workplace. If these systems are so readily available, it must be legal for employers to use them, right? As with seemingly everything involving HR and the workplace, it depends.

Last week, a group of Chicago-area employees filed a class action suit, alleging their employer’s use of worker fingerprints for time-tracking purposes violates the state’s biometric information privacy law. Specifically, the employees claimed that their employer failed to:

  • Properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored and used;
  • Provide a publicly available retention schedule and guidelines for permanently destroying their fingerprints; and
  • Obtain their written consent before obtaining fingerprints.

In 2008, Illinois became the first state to explicitly regulate the use of “biometric identifiers” which it defines as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and their derivatives, regardless of how that information is captured, converted, stored, or shared. 740 ILCS 14/10. The Illinois Biometric Information Privacy Act (BIPA) applies broadly to any individual or entity other than the government, and therefore encompasses all private-sector employers operating within the state.

Illinois Biometrics Legislation Sets Trend

Until recently, Illinois and Texas were the only states with laws addressing biometrics. However, a new wave of high-exposure litigation under BIPA has had an impact on other states’ decisions to introduce legislation on the matter. Many states, including Illinois, have data breach notification laws that cover biometric information, as well as other sensitive personal information.

Employers operating exclusively in jurisdictions that have not specifically regulated the use of biometric information could still face breach of privacy or negligence claims if their employees’ biometric information is compromised.

Tips for Employers

Due to the growing number of data breaches, employers are encouraged to ensure they have protocols in place to safeguard all of the personal information they possess, particularly biometric information.

Whether you are thinking about adopting biometric technology or have already implemented it, it is vital to take the following steps before collecting any biometric data, to ensure its use complies with the growing regulation in this area:

  1. Assemble a team of experienced legal, cyber-security, and data-breach experts prior to selecting or implementing any technology that uses biometrics. Involve this team in vetting potential vendors, negotiating the terms of vendor contracts, and developing protocols.
  2. Carefully draft policies and procedures to safeguard and properly destroy biometric information, as well as protocols in case of a breach. Ensure those policies, procedures, and protocols (and those of your outside vendors) comply with all applicable laws, including notice and disclosure requirements.
  3. Clearly disclose to your employees, in writing, your intent to collect and use biometric information, the ways the information will be used, the means by which the information will be collected, maintained, and eventually destroyed, as well as the safeguards the company has put in place to secure this information.
  4. Obtain each employee’s informed written consent prior to collecting any biometric information. Consider good faith objections and requests for accommodation, and analyze and address those requests in accordance with all applicable laws.
  5. Continue to monitor changing federal, state and local regulations in this area.