Protecting Employee Data: Navigating the Risks of Cybersecurity Breaches and Legal Liabilities for Employers
From employee resumes to FMLA request paperwork, small to medium-sized employers control vaults of sensitive data, personally identifiable information (PII), and protected health information (PHI). Cybercriminals are relentlessly developing new methods of stealing employers' data and gaining unauthorized access to internal networks. When a data breach occurs, employers could be at fault, facing serious liability.
Online personnel records have taken the place of paper files. There are countless benefits to ditching the file room, but one major drawback: the information your employees trust you to keep secure is now available to anyone with an internet connection and the skills to break into your network.
Taking protective measures is critical. Employers should prioritize tightening network security using methods like two-step (multi-factor) authentication and automatic logouts after a period of inactivity. Email passwords should be changed frequently, and employees should be trained on avoiding and reporting email scams.
If one bad actor is able to log onto your network, they may be able to leak all of your employee data. Employers may be concerned about laws like the ADA and HIPAA and focus on protecting health information. But Social Security numbers, birthdates from an employee calendar, bank account numbers from direct deposit information, family member information from emergency contact forms, and names of previous employers from resumes are valuable, high-quality data for identity theft, and these come from the basic personnel file alone.
A hacker with access to a company email address may impersonate the company in countless forums, soliciting personal and financial information from others or setting up their own malicious websites using the company email for authenticity.
Depending on state law, the latter hacker may not have caused a data breach on behalf of the company, although the company will spend millions of dollars rescuing its reputation. The hacker who accessed the company’s network will have exposed that company to liability under state and federal data breach laws.
Federal and state data protection laws vary on the type of data whose exposure constitutes a data breach, how a breach is defined, whom the hacked employer must notify, and how and when affected individuals must be notified. Failure to follow notification procedures may subject employers to fines of up to $500,000 per violation.
Individuals whose data was breached may also bring claims against their employers, former employers, or prospective employers for negligence, negligence per se, breach of contract, breach of implied contract, invasion of privacy, violation of state unfair and deceptive trade practices act statutes, and violations of state privacy statutes. Many plaintiffs in a data breach affecting a group of individuals seek class certification. Working with a cybersecurity expert to protect your company from unauthorized network and email access is critical. Having experienced employment law attorneys to educate and counsel you on data privacy laws is essential.
