San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined. Continue reading. . .

• Print
• Trackbacks

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39^th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

•  Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
• Train  HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should  be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
• Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify  — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
• Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and  expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
• Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

• Print
• Trackbacks

More and more businesses — especially those in highly regulated industries such as banking, telecommunications, and health care — are engaging in “vendor management” as they implement increasingly rigorous information security programs.  Confirming the trustworthiness of vendors’ employees who are permitted on premises or who are authorized access to sensitive information is a cornerstone of such programs.  Consequently, these businesses are starting to make a variety of demands in contract negotiations and requests for proposals (RFPs) for background checks and drug-testing of vendor employees.

The demands vary based upon the industry and the company.  At a minimum, these businesses require their vendors to certify that employees who will be working on the customer’s account have successfully completed a background check and a drug screen.  At the other end of the spectrum, businesses specify the contents of background and drug screens and demand the right to audit the results or even conduct their own background checks and drug tests of the vendor’s employees.

These demands put vendors “between a rock and a hard place.”  On the one hand, vendors want to maintain strong relationships with valued customers and win contracts with new customers.  On the other hand, turning over background checks and drug test results to a customer can raise red flags with the vendor’s workforce regarding their privacy.  And, if not properly handled, the issue can mushroom into an employee relations nightmare and expose the vendor to privacy-based claims.  The problem is particularly acute for vendors who have not previously required current employees, or even job applicants, to submit to background checks or drug tests.

Here are three of the steps vendors might consider to avoid this catch 22:

• Print
• Trackbacks