Don’t Become the Next Sony: How HR Can Win the War on Data

Let’s get one thing straight: Your computer networks face a greater risk from an angry ex-employee or bored teenager than from Kim Jong Un. 

Although North Korea launched the massive attack last month that opened the vault on Sony Pictures’ employee data, home-grown hackers are causing even more damage in less-publicized assaults. You’ve heard about data leaks at companies like Target and Home Depot, but a surprising 44% of small businesses have also suffered a cyber assault, according to the National Small Business Association.

Most attacks result in data breaches that anger customers and employees, plus they smack the company with a major PR black eye. The administrative and legal costs can run high. In Sony’s case, the company is facing several lawsuits by employees whose private data was disclosed online.

What’s HR to do? In the new edition of the HR Specialist Employment Law newsletter, attorneys from Ogletree Deakins said HR should consider the following issues:

1. No employer is immune. All are vulnerable to cyber attacks and data breaches, regardless of their industry, size or location. And a data breach crisis is no longer limited to the risk of releasing credit card numbers and personal identification numbers. It extends to the disclosure of private email addresses, employee Social Security numbers, private salary information, medical information, trade secrets, confidential business information, employee files and other personal identifying information.


2. Email messages should not be considered private. Executives, managers and employees should be aware that their private emails may be discovered and disclosed. Whether through data breaches, unlawful disclosure or a simple discovery request in a lawsuit, private emails may become public. Employees at every level should be reminded that if they would not want to see their emails published on news websites or Twitter, they should not click “send.”

3. State laws impose new and differing requirements on employers when a data breach occurs. Most states now have laws mandating the steps an employer must take in the event of a data breach. Typically, those laws require immediate notification to those impacted, along with other security precautions, such as the offer of credit monitoring.

4. Insurance may not always cover a data breach. Employers’ insurance policies may not provide coverage in the event of damages arising from a data breach. Although insurance companies do offer data breach coverage, the coverage is typically optional, must be elected and includes many limitations. Employers should determine exactly what their insurance covers (e.g., response and notification expenses, public relations expenses, interruption in business damages, forensic services, defense and liability expenses, etc.).

5. Think twice before denying nonwork use of company networks. One of the precautions many employers take to protect their networks is to prohibit employees’ nonwork-related use of technology. However, in December, the National Labor Relations Board issued a significant opinion (Purple Communications) holding that employers are presumed to have committed an unfair labor practice if they restrict personal, nonwork-related email use. The decision creates a conflict for employers between the critical need to safeguard networks and the recognition of the rights of workers to use email for nonwork activity.

6. Employers should include data breach scenarios in their emergency and crisis planning. The best time to create an emergency response plan is before an emergency occurs. Employers should create response teams that include representatives from various departments, including IT, operations, public relations and legal, to create a ready response plan in the event of a data breach. A good first step: All employers should add a data breach risk audit to their 2015 agendas.