Employers Need To Safeguard Employee Information From Cyberattacks
In today’s tech-dependent world, it is no longer a question of if a data breach will happen in an organization, but a question of when.
In an article on the Workforce.com website, regular blog contributor Jon Hyman asserts that employers may or may not have a legal obligation to safeguard the private information of their employees, but they certainly should have a moral one.
In the recent case of Enslin v. Coca-Cola, which was tried in the 3rd Circuit Court of Appeals, the court found for the defendant. In that case, a former employee of Coca-Cola had been stealing older laptops that had been used by the company’s HR department. Some of the data on the older machines included employee information such as Social Security and driver’s license numbers. The plaintiff alleged that the theft of the laptops led to the exposure of their personal data, so that a number of their online accounts were accessed and a number of unauthorized purchases were made. The court found in favor of the defendant because there was no reasonable way for a jury to conclude that the access of the plaintiff’s personal information led to the access of their personal accounts.
Other cases have reached a similar conclusion, ruling that an employer should not have to “incur potentially significant costs to increase security measures” when preventing such data breaches cannot be absolutely guaranteed. At times, however, courts have ruled in the opposite direction and concluded that an employer does have the duty to “exercise reasonable care in obtaining, securing, safeguarding, deleting, and protecting the personal and tax information (of workers) within its control from being compromised, lost, stolen, accessed, and misused by unauthorized persons.”
Hyman suggests there are a number of steps that employers should try to take to better safeguard their workers’ personal data.
- Use encryption, firewalls and secure, regularly updated passwords to protect sensitive information.
- Train all employees about appropriate data security measures.
- Have a data breach response plan which includes advising employees and others who may have been exposed by the data breach in compliance with state and federal laws.
- Consider reasonable, commercially available data security solutions. In most instances and for most organizations, this is far less expensive than having to repair the damage after a data breach.