Q. We maintain employee personnel information in an HR software program. We have discovered that a former employee hacked into the database and copied 100 employees’ first and last names, addresses, Social Security numbers and driver’s license numbers. Do we have to notify the employees? Some of them live and work in Ohio.
A. Michigan’s Security Breach Notification Act covers the information contained in your personnel database. The information taken by the former employee is “personal information” under the act since it links employees’ first and last names to their Social Security and driver’s license numbers. Under the terms of the law, a “breach” has occurred, since the former employee has obtained unauthorized access to and acquisition of data that compromises the security or confidentiality of personal information.
Unless the company can reasonably determine that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to a Michigan resident, you must provide notice to those individuals whose personal information is at risk. The company must give notice to employees who are Michigan residents without unreasonable delay.
While the act does not require notice to residents of other states, I recommend notifying the employees who are Ohio residents because Ohio has a similar law.