Today — January 28, 2009 — is National Data Privacy Day, which, according to a January 2009 Resolution of the House of Representatives, “constitutes an international collaboration and a nationwide and statewide effort to raise awareness about data privacy and the protection of personal information on the Internet.” This reference to “international collaboration” is not precatory. Canada and the 27 Member States of the European Union also are seeking to focus attention on data privacy today by celebrating their own National Data Privacy Day. In light of two recent events that preceded National Data Privacy Day by only one week, HR departments should take note.
On January 22, 2009, Barack Obama’s first full day as President, he outlined, on the Whitehouse.gov website, his plan to enhance the nation’s cybersecurity. Two central planks of that plan will have a direct impact on employers. First, the plan calls on private industry to “secure personal data stored . . . on private systems” and to institute a “common standard for securing such data.” Second, the plan would create national standards for corporate security breach notification. Put simply, federal data protection and security breach notification legislation is on the way; it is just a matter of time. Such legislation most likely would have the beneficial effect of relieving multi-state employers from the burdens of complying with a patchwork of state data protection and security breach notification laws. Federal legislation, however, also would bring the substantial resources and enforcement power of the federal government to an area of the law that has, to date, seen only fledgling enforcement by the states.
On the day before the cybersecurity announcement--Inauguration Day--Heartland Payment Systems, Inc., one of the five largest credit card processors in the U.S., announced that its computer network had been hacked at some unknown time in 2008. The cybercriminals reportedly planted malicious software on Heartland’s network that might have duplicated as many as 100 million credit cards. Although Heartland has not yet revealed the number of affected credit card holders (and, indeed, may never be able to get an exact count), one respected commentator predicted that Hearland’s would be the “biggest breach ever.” Lesson learned: if a credit card processor--with a presumed interest in enhanced information security--can be breached, other organizations are vulnerable as well.
This confluence of events should serve as a clarion call to corporate HR departments — the repositories of the “crown jewels of ID theft,” i.e., an employee’s Social Security number, bank account number, rate of pay, and date of birth — that data privacy no longer is a “back burner” issue. Beyond that, enhancing information security in these times of severe fiscal constraints can be accomplished with virtually no out-of-pocket expense on hardware or software. A few no-cost steps are listed below:
- Administrative Access Controls: Restrict access to paper documents and electronic files containing personal information to those with a need to know and limit authorized access to the minimum personal information necessary to perform legitimate business activities.
- Establish Clearance Procedures: Only employees who have demonstrated their trustworthiness through years of service or who have been subject to a background check should be authorized to access personal information. Temporary workers generally should not be given access.
- Promptly Modify Access Rights: Terminated employees should not be permitted to access physical locations where personal information is stored, and their electronic access should be terminated upon termination of employment. Rights of access to personal information in paper and electronic form should be modified as job responsibilities change.
- Control Off-Site Use of Personal Information: Require that employees obtain prior approval before removing any personal information, whether in paper or electronic form, from corporate facilities. Personal information in paper form should be returned, and electronic information should be deleted, promptly after the business purpose that justified the off-site transfer has been accomplished.
- Vendor Management: Engage in due diligence with respect to information security before selecting a vendor who will receive personal information. Vendor agreements should contain provisions that address data security with specificity.
- Ensure Proper Destruction of Personal Information: Personal information in paper form should be shredded. Electronic personal information should be rendered irretrievable before discarding the equipment on which it is stored.