The 2012 elections placed a number of marijuana initiatives before state voters around the United States, ranging from efforts to legalize the sale and use of marijuana for recreational purposes to further expansion of the "medical marijuana" laws that currently exist in 17 states and the District of Columbia. Voters in Colorado and Washington passed initiatives directing their states to decriminalize the possession of marijuana by adults for recreational use. Oregon voters, in contrast, rejected a ballot initiative that would have legalized marijuana for recreational use. Massachusetts has adopted a "medical marijuana" law that decriminalizes the use and possession of marijuana by state residents with debilitating medical conditions. Montana voters appear to have authorized amendments to that state's existing medical marijuana law that narrow who is eligible to use marijuana for medical reasons. To learn more, please see Littler's ASAP, Marijuana Laws Liberalized in Colorado, Washington – But Effect on Workplace Policies Likely Small, by Nancy Delogu and Chris Leh.
The Attorney General for the Commonwealth of Massachusetts reached an agreement with South Shore Hospital over claims the hospital failed to protect confidential health information for hundreds of thousands of consumers. The Attorney General filed the lawsuit under both state information security laws and the federal Health Insurance Portability and Accountability Act (HIPAA).
The problem arose when the hospital shipped three boxes containing more than 400 unencrypted back-up tapes to an off-site vendor. The hospital had contracted with the vendor to erase the tapes and resell them. The tapes contained significant amounts of confidential information such as patients’ names, Social Security numbers, bank account numbers and medical diagnoses. Only one of the three boxes arrived at its intended destination.
To learn more about the settlement, please continue reading at Littler's Healthcare Employment Counsel.
Effective May 4, 2012, the Massachusetts Criminal Offender Record Information ("CORI") Reform Act (the Act), which was enacted in August 2010 with the controversial "ban the box" legislation, will significantly change the way employers access, use and maintain information obtained through the Commonwealth's CORI system. The Act will allow all employers access to a new online records system, but also imposes obligations on employers that acquire criminal history information from private sources, such as consumer reporting agencies (background report vendors). Employers should review their hiring and background check policies now to determine whether any updates are necessary. To learn about the Act and its potential implications for employers, please continue reading Littler's ASAP, Massachusetts Employers Face New Obligations When Conducting Background Checks Involving Criminal History Records, by Christopher Kaczmarek, Carie Torrence, and Joseph Lazazzero.
By Ellen Giblin
The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare, then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.
In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).
Although, the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS compliance as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept Payment Cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.
What does this mean to my company?
The Judgment by Consent has far reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems, are all covered by these laws and regulations.
What should my company do?
Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords, user access should be limited on a need-to-know basis and removed promptly after an employee is terminated, employees need to be trained on your organization’s information security policies and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirements for a Written Information Security Plan, and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.
What are the consequences of not complying?
The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair and deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action.
Photo credit: dra_schwartz
With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf) (“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement. Panelists included Scott Schafer, Chief of the Consumer Protection Division, Massachusetts Attorney General's Office; Shannon Choy-Seymour, Assistant Attorney General, Consumer Protection Division, Massachusetts Attorney General's Office; Jason Egan, Deputy General Counsel, Massachusetts Office of Consumer Affairs and Business Regulation; and Lam Nguyen, Director (Digital Forensics), Stroz Friedberg LLP.
Scott Schafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Schafer noted at the outset, the Attorney General’s (AG) current enforcement approach is not audit based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed. According to Schafer, the AG’s Office is looking for warning signals that may indicate noncompliance with the Regulations that would trigger a detailed investigation. Some of the circumstances likely to trigger a detailed investigation include:
- The reporting entity knew of the breach, but failed to notify affected individuals as required by the Notice Law.
- A Written Information Security Plan (WISP) cannot be produced.
- The WISP is inadequate, or had significant gaps because of a lack of due diligence in the risk assessment process.
- The compromised data was stored or maintained in circumstances not compliant with the “reasonable” security required by the Regulations.
- Unfairness or deception around the purpose for which the data was originally collected.
- Collected data that was subsequently used for purposes not disclosed to consumers, or where the collection itself is not disclosed leading to unfairness or deception to Massachusetts residents.
Shannon Choy-Seymour stated that she typically will ask to review a business’ WISP if the notification of security breach submitted to the AG revealed non-compliance with the Regulations. According to Choy-Seymour, she takes into account the size and scope of the business in question and the sensitivity of the data compromised when deciding whether to ask the business to submit its WISP. The AG recognizes that achieving full compliance may be a longer process for small businesses. In particular, Choy-Seymour stated the WISP must identify who is in charge of the businesses’ information security program, demonstrate the required risk assessment to create a reasonable plan, and include employee training. Further, “reasonable” steps toward compliance with the relevant policies should be evident, and when in place can reduce the risk of enforcement actions even if full compliance has not yet been achieved.
Businesses should carefully review the data handling and protection practices of vendors. If a business notifies the AG of a security breach caused by a vendor, the AG likely will not subject the business to a full investigation where the business can produce (a) evidence of due diligence conducted by the business before selecting the vendor, or (b) a contract that addresses the vendor’s obligations to protect the security of personal information received from the business.
Scott Schafer advised businesses to notify his office in virtually all cases of a suspected breach. He stated that
[E]veryone should know that not notifying us is the first mistake.”
He pointed out that although encryption can be regarded as a “safe harbor” from the statutory breach notification obligation, that is not the case where the breach also compromised the encryption key, which (according to Schafer) occurs with relative frequency. Schafer pointedly advised that all back-up media tapes should be encrypted and handled with appropriate safeguards while in transit to a vendor for disposal. Further, Schafer opined that encryption algorithms that are unbreakable today are likely to be broken in the near future as computing power continues to increase. If a business relies upon inadequate encryption to justify a decision not to comply with the Notice Law, the AG will view the failure to notify as a violation subject to fine. The AG will assist businesses by reviewing and suggesting revisions to proposed breach notices that must be sent to Massachusetts residents to report a data breach under the Notice Law.
The implementation of the Regulations is still evolving, but the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation is taking a collaborative approach to enforcement. They are working with businesses to improve administrative, physical and technical safeguards for personal information of Massachusetts’ residents and to create and maintain the policies and practices that ensure the protections remain current. Schafer noted in closing that he is in frequent contact with his counterparts in other states and territories with data breach notification laws. He often compares notes on which businesses have given notice of recent incidents. Schafer noted that data breach notifications are public record and are accessible under the Freedom of Information Act.
The AG’s office continues to meet with local Chambers of Commerce and small businesses in Massachusetts to close the gap between education and compliance. Businesses that have the resources and are of medium and large scope and size should not expect the same leniency. Such businesses must have the required administrative, physical and technical safeguards in place and conduct the appropriate risk assessment with respect to their employee and customer information. They also must provide privacy training to their telecommuting workforce subject to the Regulations. Businesses should ensure that they have the necessary policies and risk assessments in place to protect valuable employee and customer information and offer training for employees in the policies that are implemented to safeguard that information.
This entry was written by Ellen M. Giblin.
Photo credit: callum bennetts
Multi-State Employers Must Revise Job Applications to Address New Massachusetts Background Check Law
Recently enacted legislation in Massachusetts will significantly affect employers’ use of criminal history information for employment purposes. While most provisions of the new law (pdf) do not go into effect until May 2012, one provision, effective on November 4, 2010, requires the immediate attention of multi-state employers.
This provision generally prohibits employers from inquiring in an “initial written application form” about an applicant’s criminal history. Two narrow exceptions permit questions about criminal history if a federal or state regulation (1) disqualifies the applicant from employment in the open position based on a criminal conviction; or (2) bars the employer from hiring for one or more positions an individual with a criminal conviction. The second exception, as written in the statute, is ambiguous. It is unclear whether an employer who is barred from hiring a convicted criminal for certain positions may inquire into an applicants’ criminal history on the initial employment application used for a variety of positions, including those that can be filled by a convicted criminal. This issue is particularly important for multi-state employers who use a standard job application form for all jurisdictions.
Before the new law’s November effective date, all multi-state employers should carefully reviewany job application form that is completed by Massachusetts applicants. If the employer has no position for which federal or state law prohibits the hiring of a convicted criminal, the employer should add an instruction to Massachusetts applicants, immediately below any question seeking information about criminal history, directing Massachusetts applicants not to respond. If the employer has one or more positions for which federal or state law prohibits the hiring of a convicted criminal, the employer should consider an instruction which directs Massachusetts applicants not to answer the question unless they are applying for one or more of a list of specified positions. The list would include those positions for which state or federal law prohibits the hiring of a convicted criminal.
Notably, the new law imposes no restriction on an employer’s ability to inquire into an applicant’s criminal history at any point in the hiring process after the initial written employment application has been submitted. Multi-state employers should note, however, that Massachusetts law prohibits employers from asking applicants about certain criminal records at any stage of the hiring process. To comply with these restrictions, employers must refrain from asking about any of the categories of criminal history listed below, or if asking a broad question that might otherwise call for disclosure, instruct the applicant not to disclose any of the below-listed categories:
• arrests not resulting in a conviction;
• sealed records;
• crimes committed while a juvenile unless charged as an adult;
• convictions for misdemeanors where the date of conviction precedes the question by more than five years; and
• first convictions for misdemeanors involving drunkenness, simple assault, speeding, minor traffic violations, affray, or disturbance of the peace.
In light of these restrictions, employers should exercise caution when making any oral inquiry related to criminal history. A better approach would be to move the written question about criminal history from the initial application to a later stage of the hiring process. For example, employers who require applicants to complete a background check authorization after screening the initial written application could add to the background check paperwork provided to Massachusetts applicants a written inquiry into the applicant’s criminal history. That inquiry would include a listing of the categories of criminal history that the applicant should not disclose. This approach allows employers to require a written answer to an inquiry into criminal history before making the final employment decision while complying with the new Massachusetts restriction.
To learn more about this legislation and its implications for employers, please see Littler ASAP, “Massachusetts Becomes the Second State to ‘Ban the Box’ on All Employment Applications” by Carie Torrence.
Photo credit: petebax
Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)
Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budges, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.
In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.
During a presentation at the Massachusetts Information Security Summit on January 27, the chief of the consumer protection division for Massachusetts’ Office of the Attorney General, which will be responsible for enforcing the regulations, suggested that his office will not be conducting compliance audits. Rather, the office will select potential targets for enforcement from security breach notifications. Under Massachusetts law, such notifications must be sent to affected Massachusetts residents and to the Attorney General’s Office when unencrypted Massachusetts personal information has been acquired or used by an unauthorized person in a manner that creates a substantial risk of identity theft or fraud.
Given that the loss and theft of portable devices is one of the likeliest causes of a security breach and in light of these regulators’ recent statements, employers can substantially reduce the risk of an enforcement inquiry or action by focusing particular attention on those devices. Policies to consider include the following:
- Prohibit employees from storing personal information on a laptop except in those limited circumstances, such as the need to work on an airplane, where the information can not be accessed through a secure, remote connection to the corporate server;
- In the limited circumstances where employees can permissibly store personal information on a laptop, require the installation of disk-based encryption and the deletion of the personal information from the laptop when the business purpose has been accomplished;
- Train employees not to store any personal information on a hand-held device and to immediately report the loss or theft of a hand-held device so that the company can send a “kill signal” that will delete all information from the device;
- Train employees to save an e-mail or attachment containing personal information to the network server and permanently delete the e-mail from their e-mail inbox, thereby eliminating the ability to access those e-mails from a hand-held device; and
- Multi-state employers should consider applying these steps to all employees, not just those located in Massachusetts.
This entry was written by Philip L. Gordon.
In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:
- New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.
- Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreement entered after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.
- Break For Small Businesses: The prior regulations applied equally to businesses of all seizes. The revised regulations are scalable. In other words, the “appropriate” administrative, technical and physical safeguards may vary depending on (a) “the size, type and scope of business” involved; (b) the business’ available resources; (c) “the amount of stored data”; and (d) “the need for security and confidentiality of both consumer and employee information.”
- Elimination Of Several Onerous Requirements: OCABR has completely deleted requirements that data owners (a) collect only the minimum necessary personal information, (b) retain such information for only as long as is necessary to achieve the purpose for which the information was collected, (c) restrict access to personal information to those with a need to know, and (d) identify all locations and devices where personal information is stored. These requirements were among the most burdensome in the regulations as previously drafted.
- Less Prescription: The revised regulations eliminate several provisions which specified how certain safeguards should be accomplished. First, the requirement to provide physical safeguards previously mandated “a written procedure that sets forth the manner in which access to . . . records [containing personal information] is restricted.” The revised regulations merely require “[r]easonable restrictions upon physical access to records containing personal information. Second, the previous regulations required that data owners restrict terminated employees’ access to personal information “by immediately terminating their physical access and electronic access to such records, including deactivating their passwords and user names,” whereas the revised regulations eliminates the quoted language. Third, rather than requiring a “comprehensive, written information security program,” the revised regulations now require a comprehensive information security program “that is written in one or more readily accessible parts.” Finally, the definition of “encryption” no longer requires “the use of an algorithmic process” so long as the process results in “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”
Massachusetts Regulatory Agency Revises the Massachusetts Data Security Breach Regulations and Further Extends Compliance Deadline
On Thursday, February 12, 2009, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) publicly disclosed key changes to the controversial Massachusetts data security breach regulations, 201 CMR 17.00. Taking into account testimony heard from business associations and employers at a public hearing last month, OCABR has further delayed the implementation deadline and somewhat loosened employers’ obligations with respect to third-party service providers and mandatory encryption requirements.
Highlights of the amendments to the regulations are:
Effective Date: Previously set to go into effect on May 1, 2009, the compliance date has been delayed until January 1, 2010.
Third-Party Service Providers: The original regulations required all employers to obtain: (a) by May 1, 2009, contractual assurances from their third-party vendors having access to Massachusetts residents’ personal information that the vendors are capable of safeguarding this information; and (b) by January 1, 2010, written certifications from each vendor that it has adopted a comprehensive information security program in compliance with Massachusetts regulations (201 CMR 17.00 et seq.).
The amended regulation no longer requires that employers obtain contractual assurances or a certification of compliance from third-party vendors. Instead, the regulations now require employers to take
all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.”
OCABR did not provide any guidance on how employers are expected to satisfy this requirement.
Encryption Requirements: Initially, the regulations required that employers encrypt all data that was transmitted wirelessly. OCABR’s revised rules now specifically limit this encryption requirement to data containing personal information that is transmitted wirelessly. Additionally, personal information stored on laptops and other portable devices must be encrypted by January 1, 2010.
On Friday November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a press release postponing the deadline for businesses to comply with recently promulgated regulations mandating the implementation of a “comprehensive written information security program.” As discussed in a previous blog post, the regulations require corporate human resource departments to implement a range of policies and procedures to safeguard the personal information of employees who are Massachusetts residents.
OCABR had initially required that companies comply with these regulations by January 1, 2009. The administrative agency apparently recognized the need to extend the compliance deadline after hearing the business community’s concerns over being forced to bear an additional financial burden in the midst of an economic downturn.
The new deadlines apply to three different sections of the regulations and are set forth below:
Written Information Security Program: The general deadline to comply with the regulations is now May 1, 2009. This means that by May 1, businesses must have developed and implemented what the regulations refer to as “a comprehensive, written information security program” to safeguard all personal information kept in paper and electronic format.
Third-Party Service Providers: By May 1, 2009, companies must be able to demonstrate that they have taken steps to verify that third-party service providers with access to the personal information of their clients, customers or employees have the capacity to protect such information. In addition, on or before January 1, 2010, businesses must obtain written certifications that such third-party service providers have established written, comprehensive information security programs designed to protect personal information.
Encryption: Businesses are now required to encrypt all personal information stored on laptops by May 1, 2009, and to ensure that all other portable devices (including PDAs, memory sticks, DVDs, etc.) are encrypted by January 1, 2010.
This entry was co-authored by Jennifer Bombard McGovern.
New Massachusetts Regulations Impose Substantial Obligations on Human Resources Departments to Safeguard Employees' Personal Information
New Massachusetts regulations, effective January 1, 2009, are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.
While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured. Continue reading. . .
Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law
Misdirected e-mail, lost and stolen laptops, and security flaws in corporate websites, when they expose employee personnel information to unauthorized individuals, are now more than a potential embarrassment; they are a legal compliance challenge, especially for multi-state employers. With Massachusetts recently becoming the 39th state to pass a notice-of-security-breach statute, it is just a matter of time before all fifty states require notice of a security breach. While these statutes share a common thread, their requirements can materially vary, complicating the determination whether an employer has a legal obligation to notify employees and, if so, the steps that the employer must take to discharge its legal responsibilities.
Regrettably, it no longer is a matter of "if", but "when," human resources professionals and in-house counsel will be required to confront this legal compliance challenge. In a 2007 study conducted by the Ponemon Institute, a leading think tank on privacy and data protection, 85% of respondents had suffered a security breach within the previous 24 months, and 81% had been required to notify individuals of the breach. With the centralization and digitization of employees' personal data into computerized human resources information systems (HRIS), security breaches involving personnel information are likely to become increasingly common and involve ever larger numbers of current and former employees, raising the stakes each time a security breach occurs.
Reviewing the provisions of the new Massachusetts notice law with reference to the thirty eight notice statutes which preceded it helps to highlight the most significant similarities and the most salient differences among these laws. With a full view of the variegated, legislative landscape, employers can more readily determine when and how they are required to provide notice. Click here to download and continue reading full-length Litter Insight publication: Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law.
What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?
On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach. While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft. In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code.
Here are five key points for employers to consider as they confront these statutes.
- Be Prepared. Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data. Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
- Train HR Professionals. In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples. HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks. The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
- Determine Your Notice Obligations. When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws. To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state. In some circumstances, a security breach may not trigger a legal obligation to notify — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
- Help Your Employees. Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance. Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891. This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
- Learn From Your Mistakes. After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.