Responding to Breach of Employee Information Can Be Challenging
Responding to breaches involving employee information can be challenging, primarily because the affected employees see other affected colleagues at the coffee station, in the lunch room, or walking down the hallway. Unlike most breaches, the affected individuals have far more opportunity to talk about the event with others who were affected. Also, whether the expectation is legitimate or not, employees assume their employer will protect their personal information. We see call center call rates and credit monitoring uptake rates in the 30-40% range following a breach involving employees, which is much higher than what we see when the affected people are not employees.
The Federal Trade Commission (FTC) announced on Tuesday, May 3rd that it had reached settlements with two companies over breaches affecting the information of almost 65,000 employees of those companies' customers. Both settlements focused on allegations that inadequate security practices were in place; the FTC examined the network security and password management policies each company had adopted. No fine was issued; however, the companies involved will be subject to third-party security audits for 20 years.
In these cases the employers did not cause the breach; vendors used by the employers did. Still, employees expect that the companies their employer does business with will protect their information as well. The FTC has filed 34 complaints since 2001 arising out of inadequate protection of personal information.
Human Resources departments hold a gold mine of personal information, and companies need to identify their vulnerabilities as they relate to data leakage:
- Where is sensitive information being stored?
- Who has access to the information?
- Does the company have IT logs that can track that access?
- Are policies and procedures in place to safeguard information?
- Does the organization have a training program in place to protect the sensitive information it maintains?
Many of these may seem like common-sense questions, but they are exactly the questions regulators will ask following a breach. Additionally, companies need to review their vendor contracts and make sure the contracts reflect the current state of privacy and data security law. Some of you will be shocked to find out what you agreed to in those old and dusty contracts. At the end of the day, when dealing with employee breaches, it does not matter who caused the breach: the employer will still feel the fallout.