By Jason C. Gavejian & Joseph J. Lazzarotti of Jackson Lewis P.C.
Most human resources professionals are concerned about the privacy and security of the vast amounts of personal information they manage. This article describes the main challenges and the steps employers can consider taking to address them.
Deluge of Data
Challenges HR professionals face to protect the data they manage include:
- The personal information HR manages covers not just current employees but also former employees, temporary employees, contractors, and applicants. These numbers can grow quickly with acquisitions, higher turnover, and other workplace changes. Added to that is the personal information of family members and other individuals, such as guardians and beneficiaries.
- The breadth of that information is continually increasing. Consider the effect the many channels of electronic communication, devices, and applications have had on the generation of confidential and personal information. For the HR professional, the ubiquity of these technologies means more and more data is collected, vastly increasing the organization's data footprint.
- At the same time, the record retention and destruction programs intended to contain the amount of personal information held can be difficult to develop and maintain, so that footprint grows virtually uninterrupted.
- This information is frequently some of the most sensitive information about an individual: Social Security numbers, bank account numbers, retirement account information, physical and mental health information, genetic information, biometric information, and so on.
- HR departments often depend on other departments, the IT department in particular, for the tools or budgets needed to meet applicable data privacy and security obligations. They also depend on third-party service providers that deliver a wide range of HR support services, such as payroll, employee benefits, and leave management, and that process and store sensitive personal information in doing so.
- The regulatory burden, discussed below, keeps growing.
State of the Law for Employee Data
For good reason, many of the statutes and regulations covering employee personal information are aimed at the risk of cyberattacks. In the third quarter of 2022 alone, at least 15 million records were exposed worldwide in data breaches, a 37 percent increase over the same quarter in 2020, and that counts only reported breaches. In addition, an array of existing laws is intended to ensure confidentiality and nondiscrimination in the workplace; these laws protect employees by limiting who may have access to certain information.
Following are examples of statutes and regulations covering both categories, privacy and security:
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA includes comprehensive privacy and security regulations that apply to health plans and health care providers. HR professionals are likely most familiar with these requirements as they relate to the group health plans sponsored by the company, in particular, self-funded group health plans and health flexible spending arrangements. Compliance includes comprehensive policies and procedures, training, and other measures. HR professionals in the healthcare industry potentially have added layers of responsibility, including ensuring employees are trained to comply with HIPAA and involvement in complaints regarding misuse of protected health information.
- Americans With Disabilities Act (ADA): In the normal course of HR administration, a company is likely to access or acquire information concerning an employee’s disability or other medical information. The ADA requires certain protections for medical information obtained from employees in connection with medical examinations and inquiries, leave of absence administration, and processing reasonable accommodations. This includes limiting access to supervisors, managers, and third parties.
- Genetic Information Nondiscrimination Act (GINA): Under GINA, the genetic information of an employee (or applicant) includes information about the manifestation of disease in that employee's (or applicant's) family members, including the employee's (or applicant's) spouse. Except in limited situations, GINA prohibits employers (and their agents) from collecting that information, as well as from using it to discriminate. The ubiquity of social media communications and of monitoring devices and applications makes the collection of genetic information more common than one might think. In addition, such information is subject to essentially the same confidentiality and reasonable-safeguard requirements as medical information under the ADA.
- The California Consumer Privacy Act (CCPA): This caught many employers’ attention when, at the end of 2022, the exemption for employee information expired. This meant that employers needed to, among other things, update their notices to employees and applicants, expand their website privacy policies, and implement reasonable safeguards to protect employee and applicant information. However, California is not an outlier regarding requirements to secure the personal information of employees. New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires businesses to implement safeguards for the “private information” of New York residents, including employee information such as social security numbers.
- State Protections for Social Security Numbers: Several states (including Virginia) have passed laws on the protection of employees' Social Security numbers. Some states limit the collection of employees' Social Security numbers; others require limiting access to them. Awareness of these state law protections is important because nearly all employers collect this information for employment purposes.
- Breach Notification Laws: All 50 states, as well as the District of Columbia and certain cities such as New York City, require a business to provide notice when there has been a "breach" of "personal information" owned by the business. HR professionals should be attentive not only to safeguarding personal information but also to the response should a breach occur. There are often distinct issues to be addressed for employees, including shaping communications about the incident appropriately.
- Vendor Contract Mandates: HR departments typically rely on third-party service providers to support many HR functions – payroll, benefit plan enrollment, recruiting, retirement plan administration, and so on. A number of states require organizations that share personal information (including social security numbers and other data) with third-party service providers to obtain from those providers written assurances that they will safeguard that personal information. Some of these states include California, Maryland, Massachusetts, New York, and Oregon.
- Data Destruction Requirements: Over 30 states have enacted data destruction laws (Delaware being one of the most recent) that require businesses to destroy records containing certain personal information by shredding, erasing, or using any other means to render the information unreadable or undecipherable. Connecticut, Florida, Maryland, Massachusetts, New York, and South Carolina are among the states with data disposal requirements.
The courts have also recognized employee protections. Most recently, a federal appeals court overturned the dismissal of a class action against a company that suffered a ransomware attack compromising current and former employees' Social Security numbers; the court found that the employees' claims were covered by traditional negligence principles. As far back as 2018, a state court held that employers who collect personal information from employees have a common law duty to use reasonable security measures to protect it.
Where Can Employers Start?
A good place to start is the Federal Trade Commission's guide for businesses, "Protecting Personal Information: A Guide for Business." It recommends the following steps:
- Know the personal information being collected;
- Scale down the information being collected;
- Protect the information that needs to be collected;
- Ensure proper disposal of information not needed; and
- Create a plan for when security incidents occur.
Checklist for Employers
While cybersecurity may be complicated, the compliance checklist is not. Following is a high-level checklist for employers:
- Perform a risk assessment.
- Ensure leadership and management understand the importance of a compliance plan.
- Develop policies and procedures for the collection, retention, and protection of data.
- Train employees on good cybersecurity practices.
- Obtain cybersecurity insurance.
- Vet and audit vendors to ensure their practices do not put employee data at risk.
- Continually audit and review practices as technology and the company change.
JACKSON LEWIS P.C. (“FIRM”) PROVIDES THE INFORMATION IN THIS POST FOR GENERAL INFORMATIONAL PURPOSES ONLY. THIS POST SHOULD NOT BE RELIED UPON OR REGARDED AS, LEGAL ADVICE. NO ONE ACCESSING OR REVIEWING THIS POST, WHETHER OR NOT A CURRENT CLIENT OF THE FIRM, SHOULD ACT OR REFRAIN FROM ACTING ON THE BASIS OF SUCH CONTENT OR INFORMATION, WITHOUT FIRST CONSULTING WITH AND ENGAGING A QUALIFIED, LICENSED ATTORNEY, AUTHORIZED TO PRACTICE LAW IN SUCH PERSON’S PARTICULAR STATE, CONCERNING THE PARTICULAR FACTS AND CIRCUMSTANCES OF THE MATTER AT ISSUE. THE POST MAY NOT REFLECT CURRENT LEGAL DEVELOPMENTS, OR LAWS OR RULES THAT MAY APPLY IN PARTICULAR JURISDICTIONS. THE FIRM AND ITS LAWYERS EXPRESSLY DISCLAIM ALL LIABILITY IN CONNECTION WITH ACTIONS TAKEN OR NOT TAKEN BASED ON ANY OR ALL OF THE CONTENTS OR INFORMATION ACCESSIBLE THROUGH THIS SITE. ANY INFORMATION ABOUT PRIOR RESULTS ATTAINED BY THE FIRM OR ITS LAWYERS IS NOT A GUARANTEE OR WARRANTY THAT A SIMILAR OUTCOME WILL BE ACHIEVED.
THE FIRM IS NOT RESPONSIBLE FOR THE CONTENT, OPERATION, LINKS OR TRANSMISSIONS, OR ANY INFORMATION PROVIDED ON ANY OTHER PART OF ASURE SOFTWARE, INC.’S WEBSITE OR ANY THIRD-PARTY WEBSITE WHICH MAY BE ACCESSED BY A LINK FROM THIS WEBSITE.
NOTHING PROVIDED BY THE FIRM IS INTENDED TO FORM, AND WILL NOT CREATE, AN ATTORNEY-CLIENT RELATIONSHIP.
THIS POST MAY BE CONSIDERED ATTORNEY ADVERTISING UNDER THE RULES OF SOME STATES. THE HIRING OF AN ATTORNEY IS AN IMPORTANT DECISION THAT SHOULD NOT BE BASED SOLELY UPON ADVERTISEMENTS.
STATEMENT IN COMPLIANCE WITH TEXAS RULES OF PROFESSIONAL CONDUCT: UNLESS OTHERWISE INDICATED IN INDIVIDUAL ATTORNEY BIOGRAPHIES, LAWYERS RESIDENT IN THE FIRM’S VARIOUS OFFICES ARE NOT CERTIFIED BY THE TEXAS BOARD OF LEGAL SPECIALIZATION.