[BreachExchange] Once More unto the Breach: Practical Tips When Employee Data is Compromised

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 5 19:03:23 EDT 2017


http://www.natlawreview.com/article/once-more-unto-breach-practical-tips-when-employee-data-compromised

In 2016, U.S. private employers and government agencies reported more than
1,000 data security breaches, up 40 percent from 2015. Recent high profile
examples include:

2014 theft of unencrypted laptops at Coca-Cola, which compromised sensitive
data concerning 74,000 then-current and former employees;
2016 incident in which a Boeing employee sent personal data regarding
36,000 employees across a four-state area in a spreadsheet to his spouse;
and
2017 breach that compromised data from 95,000 job applicants at McDonald's
Canada.

Employers confronting the seemingly daunting task of protecting sensitive
and private employee data may look to computer security expert Gene
Spafford’s famous conclusion: “The only truly secure system is one that is
powered off, cast in a block of concrete and sealed in a lead-lined room
with armed guards.”

But, in the real world, employers must power on their computer systems
absent a protective concrete barrier and armed guards. What steps must
employers take when the security of employee data is breached or an
unauthorized access and compromise has occurred? Let’s take a look.

All states except Alabama and South Dakota, along with the District of
Columbia, require notification to affected individuals when personal
information that employers routinely gather and store, such as Social
Security numbers and driver's license numbers, is compromised. In the
last few years, twelve states have strengthened their data breach
notification laws. Some notable examples include:

Illinois – In 2016, Illinois amended its data breach notification law to
expand the categories of protected data to include health insurance
information, medical information, unique biometric data and an individual’s
user name or email address, in combination with a password or security
prompt and corresponding response that would permit access to an online
account (for example, log-in credentials).
Tennessee – In 2016, Tennessee amended its data breach notification law to
define a breach as any “unauthorized acquisition of computerized data that
materially compromises the security, confidentiality, or integrity of
personal information maintained by the information holder.” The Tennessee
law defines personal information to include an individual’s first name or
first initial and last name, when combined with his or her (1) Social
Security number, (2) driver’s license number or (3) information that would
permit access to a financial account. Earlier this year, the Tennessee
legislature clarified that its 2016 amendment does not apply to information
encrypted pursuant to the Federal Information Processing Standard 140-2, so
long as the encryption key is not obtained by an unauthorized person.
Virginia – Last year, Virginia became the first state to expand its data
breach notification law to specifically require employers and payroll
service providers to notify the attorney general upon discovering
“unauthorized access and acquisition of unencrypted and unredacted
computerized data containing a taxpayer identification number in
combination with the income tax withheld for that taxpayer” where the
employer or provider reasonably believes the breach “has caused, or will
cause, identity theft or other fraud.” In an effort to thwart W-2 phishing
scams, the attorney general’s office will notify the Department of Taxation
of the compromised employer. The Department may, in turn, use that
information to flag taxpayers whose W-2 information might be misused to
obtain a false tax return.

As recent years demonstrate, data breach notification laws continue to
develop as breach risks increase and data scammers adapt to changing laws.
Employers seeking to manage and reduce their liability risk for data
breaches can adopt certain practices as they monitor continuing state law
developments:

Exercise reasonable care when collecting and maintaining personal
identification or other sensitive information regarding employees and
applicants.
Actively monitor applicable state law requirements in states where offices
or other operations are maintained.
Develop, review and revise as necessary administrative, physical and
technical personal information safeguards.
Develop, review and revise as necessary a security incident response plan
in accordance with applicable breach response requirements.
Establish a security incident response team trained to comply with
pertinent data breach notification laws.
Develop relationships with identity protection services and vendors that
support the security incident response plan.
Conduct mock breach incident simulations/drills testing safeguard and
incident response effectiveness.