What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted such a law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code.

Here are five key points for employers to consider as they confront these statutes.

  • Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the types of information that should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify (for example, the theft of a hard-copy, as opposed to computerized, payroll spreadsheet), but the employer still may decide to provide notice as an employee relations matter.
  • Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill.  Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

Privacy Policy

The publishing lawyer and law firm values the privacy of its clients and Web/blog site viewers. Any of the following personal information that may be made available to the lawyer or firm when browsing or navigating the site shall be kept confidential:

  • First and last name
  • Company, home, postal or other physical address
  • Other contact information, for example, telephone number, fax number, email address, and other similar information
  • Title or position in a company or an organization
  • Occupation
  • Industry
  • Personal interests
  • Any other information needed to provide a service you requested

Examples of scenarios where our visitors provide their personal information include, but may not be limited to:

  • Emailing, calling or communicating with the lawyer or law firm.
  • Posting a question or comment through the site.
  • Requesting literature.
  • Registering to attend a seminar or any event.
  • Participating in an online survey.
  • Requesting inclusion in an email or other mailing list.
  • Submitting an entry for a contest or other promotions.
  • Logging in to the site, thus requiring a user name and/or a password.
  • Any other business-related reason.

The lawyer or law firm provides you the opportunity to agree or decline to give your personal information via the Internet. The lawyer or firm will inform you of the purpose for the collection and does not intend to transfer your personal information to third parties without your consent, except under the limited conditions described under the discussion entitled “Information Sharing and Disclosure” below. If you choose to provide us with your personal information, we may transfer that information, within the law firm or to a third party service provider as necessary.

Domain Information Collection

The lawyer or firm may collect domain information to enable us to analyze how our visitors use this site. This data enables us to become more familiar with which people visit our site, how often they visit, and what parts of the site they visit most often. The lawyer or firm uses this information to improve its Web-based offerings. This information is collected automatically and requires no action on your part.

Use of Cookies and Tracking User Traffic

Some pages on this site may use “cookies”—small files that the site places on your hard drive for identification purposes. A cookie file can contain information such as a user ID to track the pages visited, but the only personal information a cookie can contain is information you supply yourself. These files are used for site registration and customization the next time you visit us.

Some parts of the site may also use cookies to track user traffic patterns. The lawyer or firm does this in order to determine the usefulness of our Web site information to our users and to see how effective our navigational structure is in helping users reach that information. Please note that cookies cannot read data off of your hard drive. Your Web browser may allow you to be notified when you are receiving a cookie, giving you the choice to accept it or not. If you prefer not to receive cookies while browsing our Web site, you can set your browser to warn you before accepting cookies and refuse the cookie when your browser alerts you to its presence. You can also refuse all cookies by turning them off in your browser. If you do not accept cookies, some pages may not fully function and you may not be able to access certain information on this site.

Information Sharing and Disclosure

Your personal information is never shared outside the lawyer or firm without your permission, except under conditions listed below:

  • When you consent to our sharing your information with a third-party service provider working on our behalf to serve you.
  • When sharing is required in order to provide you with a product or service you requested.

The lawyer or firm will also disclose your personal information, if required to do so by law, or in urgent circumstances, to protect personal safety, the public or our sites.

Internet Security

The lawyer or firm strives to protect your personal information; however, we urge you to take every precaution to protect your personal data when you are on the Internet. Change your passwords often, use a combination of letters

Protecting the Privacy of Children

Children under 13 years old are not the target audience for our Web site. To protect their privacy, the lawyer or firm prohibits the solicitation of personal information from these children.

Links to Third Party Sites

This site may contain links to other sites. The lawyer or firm does not share your personal information with those Web sites and is not responsible for their privacy practices. We encourage you to learn about the privacy policies of those companies.

Changes to this Privacy Policy

The lawyer or firm reserves the right to change, modify or update this policy at any time without notice. Any substantial changes in the way we use your personal information will be posted on this site.

If you have questions or concerns about our Privacy Policy, please email us at the contact information on the site.