
Hacked! Limiting employer liability for breaches of employee data


Imagine this nightmare scenario: You’ve contracted with a vendor to enter personnel data into a new computer system. You give the vendor confidential data regarding your employees, including their Social Security numbers, addresses, names of dependents, health records and bank account routing numbers. Then the vendor notifies you that employee data was somehow stolen or lost. What do you do?

It happens more often than anyone would like to admit. The Federal Trade Commission estimates that 9 million Americans have their identities stolen each year. More than 262 million records have been breached since January 2005.


Recently, Aetna employees in Pennsylvania filed a class-action complaint in federal court (Allison v. Aetna, Inc. C.A. No. 2:09-2560) alleging that Aetna failed to adequately protect their personal information, which was hacked from the company’s web site.

Limiting your liability

Many security breaches happen when third-party vendors—benefits providers, for example—handle employee information. A good contract with your vendor is your best protection against liability.

Specify that the vendor should limit the number of people who have access to the data, ensure it’s encrypted, maintain a secure location and make sure any transmission is done in a controlled, protected manner. Include notification requirements if a security breach occurs, and cite the specific state and federal notification laws the vendor must follow.

Involve your attorney in drafting and reviewing the contract.

It should stipulate that the vendor is legally responsible for any data breach that occurs during its engagement, and that it will indemnify you and your employees for any actions arising from such a breach.

Not surprisingly, vendors are often reluctant to include that type of language in their contracts. Employers that are tempted to sue the vendor for negligence or other causes of action should know that courts will often dismiss actions brought before the harm has occurred. In other words, it is difficult to pursue an action for potential identity theft.

Ideally, the contract should obligate the vendor to pay any damages resulting from the data loss, no matter when it occurs.


The offshore factor

More vendors are performing their services in other countries, which makes controlling risk more difficult.

International laws and enforcement practices are wild cards, but offshoring also presents practical difficulties in managing data security.

You should negotiate contract language that requires the vendor to obtain your approval before moving work offshore. Also, because offshore work is likely to be less costly for the vendor, you should seek the vendor’s agreement to pass that cost savings onto you.


FTC’s ‘Red Flags Rule’

Employers and vendors also should be aware of their potential obligations to comply with the Federal Trade Commission’s Red Flags Rule.

Taking effect Aug. 1, the rule requires financial institutions and creditors with covered accounts to develop and implement written identity-theft prevention procedures designed to detect “red flags” that suggest possible identity theft.

The rule applies to banks, credit unions and the like, as well as a broadly defined group of creditors, which includes entities that regularly defer payment for goods and services and bill customers later.

Health care providers, utility companies and telecommunications companies probably fall within this definition.
