With all the focus lately on social media, it’s easy to forget that there are other laws and issues that remain vitally important to employers. One of them is the need for employees to understand the importance of compliance with data privacy laws. I talked in 2008 about a new law in Connecticut that may have been overlooked.
In today’s guest post, my fellow law partner, Steven Bonafonte, shares a recent case that emphasizes what can happen when an employer doesn’t take its obligations seriously. My thanks to Steve for the post.
We routinely hear stories about “Data Breaches,” “Identity Theft,” “Credit Monitoring,” and other data loss-related events in the media.
These reports are becoming more frequent – almost routine – and may run the risk of being overlooked by many companies, even those who are in the business of collecting, processing or otherwise using confidential information of individuals.
One recent case, however, illustrates why employers should not be complacent when it comes to data breaches. They are anything BUT “routine”.
The Wall Street Journal recently reported on the bankruptcy of a national medical records firm after over 14,000 medical records were compromised during a burglary of their California offices in December 2011.
The burglary occurred on December 31, 2011, and was discovered just three days later. It was promptly reported to law enforcement. Nonetheless, the company was required to report the incident to various state and federal regulators as well as notify each of the potentially affected individuals.
The company stated that “The cost of dealing with the breach was prohibitive” in its explanation of why it was seeking protection under Chapter 7 bankruptcy. Chapter 7 bankruptcy (unlike Chapter 11) is used when the company is to be liquidated and its proceeds distributed to its creditors, so it appears as if this firm is headed out of business permanently.
Fortunately, events such as this are usually avoidable with the right combination of preventive legal and technical counseling.
It is also critical from a risk management and a business continuity perspective that companies have a legally defensible system of controls in place to meet their regulatory and contractual responsibilities.
Having, at a minimum, policies and procedures for managing sensitive personal data, technology controls such as encryption and other data loss prevention software, physical security, and a critical incident response plan will go a long way toward avoiding this unfortunate result.
Importantly, the responsibility should be emphasized to employees and to human resources as well. A breach of an employee’s privacy may be just as costly as a breach of a customer’s.