What’s an employer’s responsibility to provide notification of a data security breach?

Q. We maintain employee personnel information in an HR software program. We have discovered that a former employee hacked into the database and copied 100 employees’ first and last names, addresses, Social Security numbers and driver’s license numbers. Do we have to notify the employees? Some of them live and work in Ohio.

A. Michigan’s Security Breach Notification Act covers the information contained in your personnel database. The information taken by the former employee is “personal information” under the act since it links employees’ first and last names to their Social Security and driver’s license numbers. Under the terms of the law, a “breach” has occurred, since the former employee has obtained unauthorized access to and acquisition of data that compromises the security or confidentiality of personal information.

Unless the company can reasonably determine that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, a Michigan resident, you must provide notice to those individuals whose personal information is at risk. The company must give notice to employees who are Michigan residents without unreasonable delay.

While the act does not require notice to residents of other states, I recommend notifying the employees who are Ohio residents because Ohio has a similar law.
