Thursday, December 1, 2016

Data Security for Employers: An Update

Employers store, manage, and share sensitive data about employees. The Navigator and other commentators have written a lot about issues related to personally identifiable information, health-related data, and employee privacy, as well as data security in general. Compiling and maintaining sensitive information is a necessary part of the employer-employee relationship, but it creates risks of liability. It is essential that employers stay aware of the issues and risks created when new technologies emerge and new web-based HR services are offered. As we come to the end of a year that has seen many technological advances, we think it is a good time to review old and new risks.

Employee data and mobile devices. It is now common practice for employers to allow employees to access company data and systems from a mobile device. For this purpose, mobile devices include both company-provided and personally owned home computers, laptops, and smartphones. It is critical that employers have and enforce security policies that protect company and employee data accessible from those devices, for example by requiring device encryption and screen locks and by retaining the ability to remove company data from a device that is lost or no longer in use.

Employee data and wearables. Wearables of all kinds, from fitness trackers to access badges to location monitoring devices, are being adopted by employers large and small, and can provide valuable information and management tools. Each wearable device comes with its own security risks, however, and employers need to understand how the data it collects is transmitted, stored, and analyzed. Employers should make certain that wearables do not function as access points to company data or put company systems at risk. It is also important to be sure that devices do not collect information the employer should not have: location monitoring devices should function only when employees are working, and fitness trackers should not provide employers with employee-specific health information. How wearables work and their business purpose should be clearly explained to employees.

Employee data and third-party vendors. Employers who use third-party administrators and vendors for benefit plans, payroll, performance management, wellness programs, or employee monitoring transmit and share confidential information about their employees. It is the employer's responsibility to make sure that administrators and vendors handle that information with care. Contracts for such services seldom protect the employer from liability if sensitive information is mishandled, so it is important to carefully research and fully understand the product, the processes, the data security policies, and the track record of any provider before sharing employee data with it.

Employee data compromised by data breaches. Employers can be vulnerable to lawsuits brought as a result of data breaches. Although some jurisdictions recognize only a limited statutory right to privacy in such situations, the Sixth Circuit recently held that plaintiffs whose personal data was stolen by hackers have standing to sue based on the risk of future fraud or identity theft. The Seventh Circuit has also recognized that plaintiffs have standing when hackers obtain their private information, but the Third Circuit has held that an increased risk of identity theft resulting from a data breach is too speculative to establish standing to sue either an employer or a third party responsible for the breach. Because the outcome depends on where suit is brought, employers should not assume that a breach without proven misuse carries no litigation risk.

Here are some suggestions for managing the risks associated with gathering, storing, and using sensitive data about employees:
  • Keep policies related to employee data up to date, and make sure they cover newly acquired technology.
  • As new mobile devices are acquired, make sure they meet your data security requirements before they are allowed to access company data.
  • Never adopt new technology, wearable or otherwise, without inquiring about data security and making sure your security needs will be met.
  • Require third-party administrators and vendors who handle employee information to provide you with their current data security policies. Ask whether your organization will be indemnified if the vendor or administrator suffers a data breach.
  • Keep asking who needs access to what information in your internal information systems, and limit access to those with a legitimate need to know.
  • Review access rights at least once a year, remove access that is no longer needed, and remind employees, particularly those who handle sensitive employee data, of their responsibility to keep information secure.
  • Insist that managers and supervisors model best practices related to both high-tech data security and low-tech handling of confidential information.
  • Remember that just because you can access and store data, it is not necessarily wise to do so; data you do not collect cannot be breached.
Posted by Judy Langevin