[BreachExchange] How Employers Can Become Experts at Data Breaches: Talking about security with employees

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 10 20:15:01 EST 2017


https://www.lexology.com/library/detail.aspx?g=950f4096-6a10-4ac9-a58f-cece79386398

A large portion of the data breaches that occur each year involve
human-resource-related issues: situations in which HR data was lost,
employees inadvertently caused the loss of information about other people,
or, in a small number of cases, a current or former employee maliciously
stole or released information.

Bryan Cave has put together a multi-part series to help human resource
managers understand, prepare for, and react to a data breach. This part
discusses laws that require employers to provide information to employees
about how the employer treats employee information.

In 2005, Michigan became the first state to pass a statute requiring
employers to create a privacy policy that explains to employees what the
employer does with their Social Security Numbers, and with whom the numbers
are disclosed. Other states, such as New York, Connecticut, Massachusetts,
and Texas, have adopted similar statutes. Although not required by law,
many employers choose to include information on data security measures
within employee privacy policies. If such policies are not drafted
carefully, they can inadvertently impose obligations concerning the
protection of employee information that are greater than those otherwise
imposed by law. Conversely, employee privacy policies create an opportunity
to help set employee expectations for how the employer will respond to a
security incident, and what types of services the employee can expect from
the employer in the event of a breach.

When drafting or reviewing an employee privacy policy, consider the
following implications for data security:

- Does the privacy policy guarantee that employee information will remain
confidential in all situations? If so, it may create a standard that is
impossible for the employer to meet.
- Does the privacy policy explain how employee Social Security Numbers and
other personal information are protected? If so, is the information
provided accurate and precise?
- Does the privacy policy describe what disciplinary measures might be
taken against employees who cause the inadvertent disclosure of sensitive
personal information?
- Will the privacy policy be published in an employee handbook, procedures
manual, or similar document? If not, will each employee be able to access
the policy?
- Does the privacy policy use terms that might be misunderstood or
misconstrued by a regulator or a plaintiff’s attorney?
- Does the privacy policy discuss the different ways in which the employer
may contact an employee if a security breach impacts the employee’s
information?
- Does the privacy policy explain that the employer may decide not to
communicate with employees about a security incident until an investigation
is complete in order to ensure that the information provided to employees
is accurate and precise?

TIP: If you have a website privacy policy, that policy may be written
broadly enough to encompass the information that you collect about your
employees. If it is, you may be able to avoid drafting a separate
stand-alone employee-specific policy.