
In 2018, Resolve to Keep Employment Records Secure

Contributed by Noah A. Frank, February 8, 2018

Though hacked systems are alarming, data breaches too often come from much more obvious sources, such as computers without passwords (or with weak ones), files left sitting out on desks, and even briefcases left on airplanes (like the Department of Homeland Security's analysis of terrorist threats at the Super Bowl). An employer's exposure for data breaches can be significant. At a minimum, it includes fines, civil suits (including class actions), lost trust and bad publicity, and remediation costs.


In 2017 alone, some of the major headline data breaches included the Paradise Papers and Panama Papers scandals (two data breaches totaling 3.9TB of data and 24.5M documents), a credit reporting agency, a telecom provider and a wholly owned web service provider. As we previously discussed, employers are obligated through various statutes and regulations to keep and maintain many types of employment records containing significant personal, confidential, and highly sensitive information. Such records range from job applications and resumes, to tax forms and benefits applications, to medical records stemming from workers' compensation, disability, and FMLA claims. These records contain employees' (and their dependents') addresses, phone numbers, social security numbers, dates of birth, banking and financial information, and highly sensitive medical information. Other internal files may contain client information, usernames, and even passwords that employees reuse across work and personal accounts. In short, employers hold all of the information needed to expose every employee to identity theft or other adverse use of their private information.

Data Security in the 21st Century

The significant data breach risks require companies to practice good record maintenance hygiene. Some important and simple steps to follow in 2018 include:

  • Secure electronic systems: restrict access to necessary programs, folders, and files, with employees using unique, memorable passwords/passphrases. Perform a physical “audit” to ensure employees are not storing passwords beneath keyboards (yes, it still happens!).
  • Utilize protection: lock offices, install privacy screen filters, keep files secured. Remember, a data breach can be as simple as one prying employee looking in another’s file left on a desk – or the cleaning service pocketing an entire file.
  • Keep communications confidential: avoid unintentional disclosure through speakerphone and group printers.
  • Enable remote wipe capabilities in case portable devices are lost, stolen, or otherwise compromised.
  • Plan for the unexpected: establish protocols to secure systems and maintain data integrity should it be necessary to terminate an employee, including the chief technology officer, and how to handle a data breach should it occur.
  • Engage legal counsel as necessary to perform audits of policy and practice, address high risk situations to ensure legal compliance, and shepherd remediation and handle concise communications if and when a breach occurs.

Through strategic planning and implementation of security policies and protocols, companies can be prepared to efficiently address situations in a fluid and dynamic manner without impeding operations.


Salary History Inquiry Bill Down But Far From Out

Contributed by Noah A. Frank, September 19, 2017


On June 28, 2017, HB 2462, an amendment to the Illinois Equal Pay Act, passed both chambers of the Illinois General Assembly. The bill would have made an employer's inquiry into an applicant's wage, benefits, and other compensation history an unlawful form of discrimination. Even worse for Illinois employers, the bill would allow for compensatory damages, special damages of up to $10,000, injunctive relief, and attorney fees through a private cause of action with a five (5) year statute of limitations.

On August 25, 2017, Governor Rauner vetoed the bill with a special message to the legislature that, while the gender wage gap must be eliminated, Illinois’ new law should be modeled after Massachusetts’s “best-in-the-country” law on the topic, and that he would support a bill that more closely resembled Massachusetts’ law.

The bill, which passed 91 to 24 in the House, and 35 to 18 in the Senate, could be reintroduced as new or amended legislation following the Governor’s statement, or the General Assembly could override the veto (71 votes are needed in the House, and 36 in the Senate, so this is possible) with the current language.

Why is this important?

With the Trump Administration, we have seen an increase in local regulation of labor and employment law. This means that employers located in multiple states, counties, and cities must pay careful attention to the various laws impacting their workforces. Examples of this type of "piecemeal legislation" we have already seen in Illinois and across the country include local ordinances impacting minimum wage, paid sick leave, and other mandated leaves. Additionally, laws that go into effect in other jurisdictions may foreshadow changes at home as well (e.g., Illinois's governor pointing towards Massachusetts's exemplary statute).

Had it become law, this amendment would have effectively required employers to keep applications and interview records (even for those they did not hire) for five years to comply with the statute of limitations for an unlawful wage inquiry (the Illinois Equal Pay Act already imposes a five year statute of limitations for other discriminatory pay practices). By contrast, under Federal law, application records must be kept for only one year from the date of making the record or the personnel action involved (2 years for educational institutions and state and local governments).

What do you do now?

While the law has not gone into effect as of the date of this blog, it is likely that some form of the salary history amendment will ultimately become law in Illinois. Businesses should carefully review their job applications, interview questions, and related policies to avoid inquiries that may lead to challenges in the hiring process.

Additionally, record retention (and destruction!) policies should be reviewed for compliance with these and other statutes – as well as to ensure data integrity and security.

Finally, seek the advice of experienced employment counsel for best practices in light of national trends, and remain proactive with an ounce of prevention.

Done in by the photocopier… Do you have policies in place to protect your company from disclosing sensitive information?

Contributed by Michael D. Wong, Tim Lessman and Colin Gainer

Recently Affinity Health Plan, Inc. (Affinity) entered into a $1,215,780 settlement with the U.S. Department of Health and Human Resources (DHHS) as a result of inadvertently disclosing medical records stored on a leased photocopier's internal hard drive. Affinity had leased photocopiers and then failed to properly erase the photocopiers' internal hard drives when returning them to the leasing company. Affinity was unceremoniously notified of this breach of data security by CBS evening news, which contacted Affinity regarding an investigative report it was conducting in which it had been able to purchase a photocopier previously leased by Affinity that contained personal identifying information and medical information for over 300,000 people. Affinity subsequently self-reported this breach to the DHHS and entered into the $1,215,780 settlement.

That settlement is a prime example of how technology has changed, and so must company security policies and protocols. Now an individual can store more data and documents on a cell phone or in a "cloud" on the World Wide Web than on some of the first computers and floppy disks. As Affinity learned, many modern photocopiers have internal hard drives that store data from scans, faxes or copies. Technology has created significant security concerns for companies on how to handle and manage sensitive data, employment records, medical records and other documents that include personal identifying information, social security numbers, health/medical information, credit/background reports, and confidential or proprietary business information. Disclosure of such information can create liability through claims for privacy violations, fines for violating HIPAA, and claims by the Federal Trade Commission, DHHS and other governmental agencies.

Now more than ever, identifying sensitive data and implementing a formidable policy to safeguard it are crucial steps in protecting a company from any potential data and privacy breaches. Any policy should address the procedure for securing data processed on any electronic device that stores data, including photocopiers, printers, personal computers, laptops, tablets/iPads, smart phones, flash drives, and other electronic devices. Options often include encrypting the data on the device, setting the device to overwrite its data, and establishing a procedure for disposing of devices and returning leased devices. Of specific concern are leased devices, as these are typically re-leased or sold to third parties. Prior to the return of a leased device to a vendor, make arrangements for any data on the device's hard drive to be removed, secured, overwritten or wiped to ensure that any data on it is unreadable and/or unusable by anyone else. While a leasing company or vendor may provide this service, you should still make sure that it is done prior to the return of the device. Additionally, if you have a contract with a leasing company or vendor for this service, make sure you carefully review the contract and understand any release of liability or indemnity clause relating to the service.
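"Make sure that it is done" is the step most policies leave to trust. The script below is an added example, not part of the original post and not from any vendor: it is a verification check a company could run on a raw image of a device's drive (for instance one captured with `dd`, which is assumed here) before the device leaves the building. It walks the image block by block, classifying each block as zero-filled, random-looking (the signature of a proper overwrite), or residual, and separately searches for a small, constructed list of document headers and an SSN-shaped pattern. The sample images it scans are constructed inline so it runs offline; the marker list is illustrative and should be extended for your own file types.

```python
"""Check a drive image for residual data before a leased device is returned.

Added example, not from the original post or any vendor. Assumes a raw image
of the device's drive already exists (e.g. captured with dd); the images used
below are constructed in memory so the script runs offline.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter

BLOCK_SIZE = 4096
TAIL = 16                    # bytes carried between blocks so a pattern spanning a boundary is found
RANDOM_ENTROPY_FLOOR = 7.5   # bits/byte; a 4 KiB block overwritten with random data sits near 7.95

# Constructed, illustrative residue patterns: headers of formats a copier or scanner
# would have stored, plus an SSN-shaped number. Extend for your own environment.
RESIDUE_PATTERNS = {
    "pdf": re.compile(rb"%PDF-"),
    "zip_or_office": re.compile(rb"PK\x03\x04"),
    "ssn_like": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}


def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, close to 8.0 for random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    """'zero' = zero-filled, 'random' = high entropy (overwritten), 'residual' = anything else."""
    if block.count(0) == len(block):
        return "zero"
    if block_entropy(block) >= RANDOM_ENTROPY_FLOOR:
        return "random"
    return "residual"


def scan_image(path: str) -> dict:
    """Walk the image block by block; count block classes and residue-pattern hits."""
    report = {"zero": 0, "random": 0, "residual": 0, "hits": {name: 0 for name in RESIDUE_PATTERNS}}
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(BLOCK_SIZE)
            if not block:
                break
            report[classify_block(block)] += 1
            window = tail + block
            for name, pattern in RESIDUE_PATTERNS.items():
                # Count only matches that end inside the new block; a match lying wholly
                # within the carried-over tail was already counted on the previous pass.
                report["hits"][name] += sum(1 for m in pattern.finditer(window) if m.end() > len(tail))
            tail = block[-TAIL:]
    return report


def is_wiped(path: str) -> bool:
    """True only if every block is zero-filled or random-looking and no residue pattern matched."""
    report = scan_image(path)
    return report["residual"] == 0 and not any(report["hits"].values())


def make_sample(leak_data: bool) -> str:
    """Write a constructed four-block image to a temp file and return its path:
    two random (overwritten) blocks, one zero block, and either another zero block
    (clean device) or a block holding a leaked scan fragment (failed wipe)."""
    rng = random.Random(2018)  # seeded so the sample is reproducible
    blocks = [bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE)) for _ in range(2)]
    blocks.append(bytes(BLOCK_SIZE))
    if leak_data:
        fragment = b"%PDF-1.4 claim form SSN 123-45-6789 (constructed sample)"
        blocks.append(fragment + bytes(BLOCK_SIZE - len(fragment)))
    else:
        blocks.append(bytes(BLOCK_SIZE))
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"".join(blocks))
    return path


if __name__ == "__main__":
    for leak in (False, True):
        img = make_sample(leak_data=leak)
        print("leaked" if leak else "clean", scan_image(img), "wiped:", is_wiped(img))
```

The entropy test matters because a drive overwritten with random data is not zero-filled, so a naive "all zeros" check would wrongly fail it; conversely, a block that is neither zero nor random is exactly where scanned documents survive. On a real device, run it against the whole image and treat any `residual` block or pattern hit as a reason to repeat the wipe, regardless of what the leasing vendor reports.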

Just as important as having policies and procedures in place to safeguard information, however, is having a plan in place to swiftly address any breaches and to minimize the potential adverse consequences. Companies may also consider cyber liability insurance coverage as part of a plan. This type of coverage is specifically designed to protect companies when data breaches occur, as standard insurance policies may not offer sufficient protection.

The extent of the potential liabilities faced by companies related to data breaches can be daunting. However, with proper planning, preparation and implementation, companies can minimize the risks they face.