“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

The first sign that my wife’s identity and my own were under attack came innocently enough.

It was an e-mail alert that we get from time to time from Comcast, so innocent that I almost ignored it.  But it said our password had been changed.  When we tried to log in to download e-mail, the system indicated the password was incorrect.

“That’s weird”, we thought.

I mean, we have two factor authentication on it so that if someone DOES try to change the password, shouldn’t they need a code?

So I called Comcast and was assured repeatedly that our password wasn’t changed and our account was not compromised.

They said it was a phishing exercise and the e-mails were fake too. As for the account access, they said that someone may have just tried to access it but they were unsuccessful.

Comcast easily reset the password for me and since two factor authentication wasn’t invoked, it seemed like something unusual but nothing beyond that.

The second attack happened the same way.  This time, we knew something was most definitely wrong.

The war over our identities was now on, though I didn’t realize at the time how outmatched we were in our weaponry.

We were able to regain control of the account in just a few minutes with resetting the password on my side (two can play that game, so I thought).

And then I placed another call to Comcast for help.

After an hour on the phone and a reset password and security question, I was told again that there’s nothing otherwise suspicious in my account but they’ll keep “looking”.  No other outward sign of hacking.

Still, our credit cards were quiet and we changed some more passwords just in case.  What were they after?

The hacker’s next salvo though had already been launched and was operating secretly.

Later that evening, I received a notice from UPS that we had a package coming from Amazon, but, well, let’s just say that we are frequent Prime users and that didn’t raise any suspicions about getting another one from them.

But by mid-morning the next day, still yet another e-mail arrived. Again, from UPS, but this time saying that the package we were expecting would be held at the Watertown customer care center “at the customer’s request”.

(Why, you might ask, is UPS sending me e-mails? It turns out that I set up an alert with UPS to send a message to a separate e-mail account any time a package for our house is scheduled for delivery. As it turns out, this last countermeasure helped stem the tide, though I didn’t know it at the time.)

Still, when we searched our Amazon account for the package, nothing showed up.  There was a package from over the summer that never turned up and showed it was “out for delivery”. Could that be it? Or was it a gift?

As “luck” happens, I was driving past the Watertown care center by late afternoon and decided to swing by.  A big box awaited.  My curiosity was piqued – What’s In The Box?

I open it up at the UPS facility.

Not one, but TWO high-end MacBook Pros.

Wow.  Was not expecting THAT.  Or perhaps I was.

A call to the local Watertown police was met with a response of a department that has seen one too many of these — “you should just contact your hometown police”.

A call to Amazon revealed that our account had been accessed, an Amazon store card opened up, and the purchase “hidden” as if it were a “gift” to ourselves that we didn’t want spoiled before its arrival.  Amazon set up for the computers to be returned at no charge and the card wiped clean.

At least we could claim victory in stopping the shipment, right?

Well, as we were also told by police later, sometimes hackers just send something to a customer care center and don’t pick it up, just to see if the hack worked.  If it does, then the sky’s the limit on the next go-around.

But still, were we done? Had we hacked the hackers by seeing this UPS alert we weren’t supposed to see?

Well, it turns out the hackers had more tricks up their sleeve.

Upon a third call to Comcast, the security representative reviewed our account still further and he found three things:

  1. The hacker set up an “e-mail forwarding” so that a copy of EVERY single e-mail received would also be sent to the hacker.  Yes, even the ones we were sending to each other about the hacker were being read too.
  2. The hacker also set up “selective call forwarding”, an option I didn’t even know existed. Apparently, you can choose up to a dozen phone numbers and have calls from them forwarded directly to another phone number.  As it turns out, the hacker knew the numbers that Amazon and the card verification service would call from and conveniently forwarded those calls directly to his own mobile number on a burner phone.
  3. Looking at phone logs, we could actually see that the hacker had taken a call from Amazon.  A-ha.

All done, right?

Well no. I continued to scour the account on my phone and found yet another devious hack in my “options”. The hacker had set up a series of filters (which didn’t have a title, so they showed up as “”) that forwarded e-mails from Amazon and Amazon’s card carrier directly to the hacker’s e-mail.  Delete, delete, delete.
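A review of the account settings the post describes (account-wide forwarding, selective call forwarding, and unnamed filters that forward mail from a retailer or card issuer to an outside address), as an added example that is not part of the original post. The JSON export format, the owner addresses, the phone numbers and the sender keywords are all constructed for the example; they are not Comcast’s or any provider’s real schema.

```python
"""Flag the persistence settings an account takeover leaves behind:
a silent copy-forward, diverted verification calls, and nameless
filters that route retailer/card-issuer mail to an outside address."""
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed values: the owner's own mailboxes count as internal targets.
OWNER_ADDRESSES = {"alice@example.net", "bob@example.net"}
# Senders an intruder would want diverted (order confirmations, card
# verification, shipping notices). Constructed list; extend for your providers.
SENSITIVE_SENDER_KEYWORDS = ("amazon", "card", "bank", "ups")

# Constructed, hypothetical settings export. Not any provider's real schema;
# it only carries the fields a review needs.
SAMPLE_SETTINGS: Dict = json.loads("""
{
  "forwarding": {"enabled": true, "keep_copy": true,
                 "address": "x9q2@burner.example"},
  "call_forwarding": {"selective_numbers": ["+1-555-0100", "+1-555-0101"]},
  "filters": [
    {"name": "Receipts", "from_contains": "shop.example",
     "action": "move", "target": "Receipts"},
    {"name": "", "from_contains": "amazon.example",
     "action": "forward", "target": "x9q2@burner.example"},
    {"name": "", "from_contains": "cardservices.example",
     "action": "forward", "target": "x9q2@burner.example"},
    {"name": "Family", "from_contains": "example.net",
     "action": "forward", "target": "bob@example.net"}
  ]
}
""")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    where: str      # which setting the finding refers to
    detail: str


def is_external(address: str) -> bool:
    """True unless the address is one of the owner's own mailboxes."""
    return address.strip().lower() not in OWNER_ADDRESSES


def audit_settings(settings: Dict) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Account-wide forwarding to an outside address. With keep_copy the
    #    inbox still fills normally, so the owner sees nothing amiss.
    fwd = settings.get("forwarding", {})
    if fwd.get("enabled") and is_external(fwd.get("address", "")):
        detail = f"all mail forwarded to {fwd['address']}"
        if fwd.get("keep_copy"):
            detail += " (copy kept, so the inbox looks normal)"
        findings.append(Finding("high", "forwarding", detail))

    # 2. Any selective call-forwarding entry deserves a look: it can divert
    #    the verification calls a retailer or card issuer makes.
    numbers = settings.get("call_forwarding", {}).get("selective_numbers", [])
    if numbers:
        findings.append(Finding("medium", "call_forwarding",
                                f"{len(numbers)} number(s) forwarded: "
                                + ", ".join(numbers)))

    # 3. Filters: unnamed rules, and rules that forward to outside
    #    addresses, especially for mail from retailers or card issuers.
    for i, rule in enumerate(settings.get("filters", [])):
        reasons = []
        severity = "low"
        if not rule.get("name", "").strip():
            reasons.append("unnamed rule")
        target = rule.get("target", "")
        if rule.get("action") == "forward" and is_external(target):
            reasons.append(f"forwards to external address {target}")
            severity = "medium"
            sender = rule.get("from_contains", "").lower()
            if any(k in sender for k in SENSITIVE_SENDER_KEYWORDS):
                reasons.append(f"matches sensitive sender '{sender}'")
                severity = "high"
        if reasons:
            findings.append(Finding(severity, f"filters[{i}]", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_settings(SAMPLE_SETTINGS):
        print(f"[{f.severity:6}] {f.where}: {f.detail}")
```

The named "Receipts" and "Family" rules pass because they either stay in the mailbox or forward to one of the owner's own addresses; everything else in the sample is flagged.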

Since then, police have been contacted. The Amazon card cancelled and account locked for a few days. Package returned. Fraud alerts placed. ID protection re-upped. Passwords being changed. Sleep lost.

And replaced with a sort of paranoia about what else is lurking.

While we can claim victory in preventing the MacBook Pros from falling into criminal hands, at what cost? The damage is already done. We may have foiled the crime, but the identity is compromised and we now need to be vigilant for other account pop-ups. The victory feels empty.

We have to instead hope the hacker will lose interest, knowing that we know about the scam and have alerted police.

This feeling of hopelessness doesn’t have to be that way.

Indeed, the irony of the situation isn’t lost on me. I’m part of my firm’s Privacy and Data Security Team and routinely give others advice with how to protect themselves.

And yet, even with the steps we took, we still couldn’t stop the attack. Here is where government and businesses have a role to play in helping to protect our identities.

For example, every time I called Comcast to complain, I had to “verify” our info; in doing so, I had to provide the last four digits of her social security number and our address — the very information we KNEW was already compromised.

We have to do more. Here are five small steps to start:

  1. Congress should hold hearings to hear from security professionals about the best ways stores and utilities can protect customer information.  And then work with businesses to create a common standard.  Our current system is broken.  Health care information is treated as important; our identities need to be treated with similar care.
  2. Businesses that have sensitive customer information should offer real two-factor authentication, not offer workarounds that just open up a loophole. In Comcast’s case, resetting the password allows you to bypass the two-factor authentication by answering a simple “security” question.
  3. Password management is broken.  Yes, I can set up some password managers, but using multiple devices and computers makes it difficult to have consistency.  Too many of us need to use similar passwords on websites because there is no one common log-in system. A new type of authentication system might be a start (though I acknowledge it might also then create a target for hacking too — see Equifax).
  4. After a hack, the government ought to mandate easy, free tools that people can use to help clean up their own identities. If we can get a free credit report once a year, can’t the government mandate that credit agencies assist you in cleaning up your identity for free?
  5. The police are woefully understaffed to deal with an international problem.  The only means that an ordinary person can use is their local police, but even they admit that they’re still playing catch up.  More consistent training and better tools for our police can at least start to make a dent on this.

Which gets me back to the first sentence here — which was a comment a friend shared with me upon learning of the hacking.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

Yes, my friend. It definitely is.

Last night I had the opportunity to speak to the Colonial Total Rewards Association on the topic of Data Privacy and HR.  I titled the presentation “Is Your HR Data Going Rogue” and really focused on the role that Human Resources professionals should play in ensuring that company data is secured.

For those who have been following the blog for a while, you know that I’ve spoken a bit about this before (see some posts here and here).

Lest you think this could NEVER happen at your company, the headlines from the last few weeks show otherwise. Company after company keeps reporting major data breaches — in part due to a W-2 scam that keeps claiming victims (see here, here, here and here if you’re not convinced).

Even technology companies are not immune. My favorite blurb from the last month was the following:

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Oops.

So if even tech companies are victims of data breaches, is there any hope for the rest of us? Well, yes. It’s not easy but there are several steps that employers can take.

  1. Learn – This is NOT simply IT’s role; rather, HR professionals should have a key role at the table in discussing a company’s data privacy culture and practice.  And the first step in that is that HR should learn the basics of data privacy.
  2. Assess – HR has access to lots of data; where is it and who has access?  Where are you “leaking” data when it comes to your employees?
  3. Develop – Develop policies and your data privacy program, and develop the teams of people that will respond in the event of a data breach.
  4. Educate – Data privacy and protection ought to be part of a sustained training program, just like anti-harassment training.
  5. Monitor – Figure out risks and review areas; when a breach happens, HR needs to be at the table to discuss employee impact.
  6. Inform – When (not if) you have a data breach, inform those affected and gov’t officials and implement your data breach plan.

Once you’ve made it through, it’s time to start back at the beginning. Learn from your mistakes in a data breach and re-assess your vulnerabilities.

Data privacy and the need for companies to view it as a key part of your company’s culture should be an integral part of your employee onboarding and training.  My thanks again to CTRA for the invitation to speak to the group and the great conversation we had last night.

My colleague Gary Starr returns today with a story worth reading about the need for employers to secure confidential information.  Although it is based on Massachusetts, the concepts it covers may have some carryover to employers elsewhere as well.

Employers that maintain records of their employees and customers and allow employees to have access to confidential information have long needed policies that not only secure the information, but ensure that employees who have been granted access to such information are complying with the corporate policies and are trustworthy.

An insurance agency in Massachusetts thought it had done everything right, but was sued for negligence in its retention of an employee that it thought was trustworthy, but was not.

An employee used her computer to access confidential information that she then gave to her boyfriend about the identity of a witness to a car accident in which the boyfriend had been involved with her car.  The boyfriend used that information to contact and threaten the witness.  The witness reported the threat to the police and ultimately the boyfriend and the employee pleaded guilty to witness intimidation and conspiracy.  After the police visited the employer to obtain information about the threat, which was traced back to the employee, the employer fired the employee.

That, however, did not end the tale.

The witness then sued the employer for failing to safeguard personal information, and for negligent retention and negligent supervision.  While the trial court dismissed the case, the appellate court has determined that the facts alleged are sufficient to go to trial.

Where did the employer go wrong?  The company had adopted a data security plan and policy that prohibited employees from accessing or using personal information for personal purposes.  The computer software even required employees who wished to access the database with confidential information to agree to use the information for one of four limited purposes, all of which were business related.

Those were positive steps.

The problem arose because the unrestricted access did not stop the employee from reviewing information that had an impact on her personally.  The second failure had to do with an inadequate investigation of the employee’s background and simply taking the employee’s word about a weapons arrest that occurred during her employment in another state.

The employee told her boss that the arrest was a misunderstanding, that she was clearing it up, and subsequently said it was resolved.  The employer simply took her word for it.

What he would have discovered with a very simple inquiry was that there were serious issues with her honesty and fitness for accessing other people’s personal information.  The company could have learned that she was traveling with her boyfriend when they were stopped for speeding and that she was arrested for having two semi-automatic guns concealed in her purse, one of which had the serial numbers filed off and the other of which was stolen.  She also had a half-mask and police scanner.  After her arrest, she told the company that there had been a misunderstanding, as the weapons belonged to her boyfriend, that she didn’t know anything about them and that she was exonerated.

Her story was not true, but her account itself should have raised questions about her having access to personal information.

The court said that the company had a duty to protect the confidential information and that it was foreseeable that the employee could access information and use it for personal gain.  The company had an obligation to investigate the employee’s continuing fitness after the arrest.  The court said that a jury could decide that the failure to take action under these circumstances was unreasonable as the company knew about the weapons charge and could have learned of her lies and her willingness to commit a crime with her boyfriend.  The company did not take sufficient steps to limit the risk of harm to those whose personal information its employees could access.

There are steps to take to avoid this problem.  After an employee is hired, that does not end the need to be vigilant about their fitness for the job.  When information comes to light that may raise questions about the actions of an employee, an employer cannot simply take his/her word for what occurred.  It must take affirmative steps to explore what the underlying issue is, analyze the employee’s story, and assess the risk the employee poses if access to confidential information is abused or if other employees and the public may be put at risk.

 

With news of yet another breach of personnel data of nearly 21 million Americans yesterday, I invited my colleague William Roberts, to chime in with an update on a new law in Connecticut that updates data privacy requirements in the state. Bill heads up our Privacy and Data Protection team here and works a lot with health care companies on compliance with various privacy laws.

My thanks to Bill for the update.

On June 1, 2015, the Connecticut Legislature passed S.B. 949, a comprehensive data privacy and security bill that tightens the state’s data breach response requirements and imposes new obligations on state contractors and the health insurance industry. Connecticut Gov. Dannel Malloy signed the bill on June 30th. A copy of S.B. 949 is available here.

This post reviews the portions of the bill most pertinent to businesses operating in Connecticut or holding personal information of state residents.

Revisions to Breach Response Requirements

Current Connecticut law requires an entity that experiences a data breach to provide notice of such breach to the affected individuals and the Connecticut Attorney General’s Office “without unreasonable delay.” S.B. 949 amends this requirement by specifying that such notices must be provided no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”

This amendment is striking in that it sets a maximum time period for notice that is much longer than the time periods set forth in other state or federal breach notification standards (e.g., the Health Insurance Portability and Accountability Act requires notice no later than 60 days following discovery of a breach).

Recognizing this apparent leniency, Connecticut Attorney General George Jepsen issued a press release that clarifies his office’s enforcement approach. Specifically, Jepsen clarifies that the 90-day reporting period is the “outside limit” for notifications and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”

Jepsen makes clear that his office will “continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification — even if notification is provided less than 90 days after discovery of the breach.” Thus, entities should continue to respond to breaches in a prompt manner and provide the necessary notices as soon as practicable.

In addition, S.B. 949 requires companies experiencing a breach involving Social Security numbers to provide affected individuals with free credit monitoring services and information on how such individuals may place a credit freeze on the individual’s credit file. The free credit monitoring services must be for a period of at least one (1) year.

While this new requirement has been considered by many to be a significant change in the law, it may have limited implications in practice because the state attorney general has long expected (or even required) companies to provide such services when Social Security numbers were involved.

Notably, S.B. 949 appears to set a shorter time period for free credit monitoring than what is typically expected by the state attorney general’s office. In many instances, the attorney general has insisted that companies offer no less than two years of free credit monitoring. Addressing this apparent lowering of expectations, Jepsen announced in his office’s press release that S.B. 949 “sets a floor for the duration of the protection” and that he retains the authority “to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.”

Both of the modifications to Connecticut’s breach reporting requirements are effective Oct. 1, 2015.

State Contractor Obligations

Effective July 1, 2015, S.B. 949 imposes significant new requirements for state contracts that authorize a state agency to disclose “confidential information” to a contractor.

The bill defines “confidential information” as: (1) a person’s name, date of birth or mother’s maiden name; (2) any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (3) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (4) “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively (i.e., Family Educational Rights and Privacy Act and HIPAA); and (5) any information that a state contracting agency tells the contractor is confidential. Confidential information does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.

This definition is very broad and contractors should be cognizant that a large number of state contracts may be subject to the bill’s new requirements.

If a state contract involves the sharing of confidential information, the contractor will be required to undertake significant efforts to protect the privacy and security of such information.

Specifically, the contract must require the contractor to, at a minimum: (1) at its own expense, protect confidential information from being breached; (2) implement and maintain a comprehensive data security program to protect the confidential information; (3) limit access to the confidential information to the contractor’s authorized employees and agents for authorized purposes as necessary to complete the contracted services or provide contracted goods; (4) maintain all confidential information obtained from the state (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents and (e) as otherwise required under state and federal law; (5) implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and (6) specify how the cost of any notification about, or investigation into, a breach is to be apportioned.

The bill includes numerous detailed requirements a contractor must adhere to, particularly with respect to the development of a data security program and the reporting of breaches.

Compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small providers with limited financial or other resources. The bill includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for confidential information if the facts and circumstances warrant them after considering, among other factors, the type and amount of confidential information being shared, the purpose for which the confidential information is being shared, and the types of goods or services covered by the contract.

Notably, the bill does not include the size or resources of the state contractor as factors OPM may consider when altering data security requirements.

Insurance Industry Data Security Programs

In response to the recent Anthem Inc. data breach, S.B. 949 imposes new requirements on health insurers, pharmacy benefit managers, utilization review companies and third-party administrators licensed to do business in Connecticut with respect to these entities’ maintenance of comprehensive information security programs.

Specifically, each such entity must develop and implement a written security program no later than Oct. 1, 2017. The program must address a litany of administrative, physical and technical safeguards including, among others: (1) computer and Internet user authentication protocols; (2) access control measures; (3) risk assessments; (4) sanctions for employee violation of security policies or procedures; and (5) oversight of third parties that have access to personal information.

The extent of such safeguards must be appropriate in light of the scope and type of business, the amount of resources available, the amount of data compiled or maintained and the need for security of such data. The written security program must be updated at least annually.

While extensive, many of the affected companies will already be subject to very similar requirements imposed under HIPAA and thus will likely have most, if not all, of S.B. 949’s elements already addressed in current policy. Nevertheless, insurers and others subject to this new requirement should review existing policies and procedures to determine sufficiency in light of the new requirements.

Real hackers are more fearsome than this one.

Okay, okay.  I realize the headline is a bit misleading.  But it isn’t every day that you hear about a data breach at Home Depot in which 56 MILLION credit cards may have been hacked. To put that into perspective, that’s 16 million MORE than the infamous Target breach!

But this is an employment law blog, not a shopping one. So, why does this matter to human resources professionals and companies? Because if hackers can access credit card information, they are going to try to hack into your work files.

It isn’t a matter of “if”. It’s a matter of when they will attempt to do so.

Don’t take my word for it. This comes from the head of the military’s cybersecurity division.  Admiral Mike Rogers has been preaching for months of the need for companies to take data privacy and cybersecurity seriously.  A recent news post reported on the importance Rogers has placed on this area for private businesses.

Corporations must successfully deal with cybersecurity threats, because such threats can have direct impacts on business and reputation, Rogers told the business audience. “You have to consider [cybersecurity threats] every bit as foundational as we do in our ability to maneuver forces as a military construct,” he said.

I have little doubt you’ll hear a lot more about this at an upcoming Data Privacy and Cybersecurity Summit that I’ve been helping to put together here at Shipman & Goodwin, in conjunction with CT SHRM.

It’s scheduled to be held on October 16, 2014 from 8a to 2p at the Crowne Plaza in Cromwell, CT.

The cost is just $75, which includes continental breakfast, coffee, buffet lunch, and the materials.  Full details as well as registration can be found here.

Speakers include myself, Shipman & Goodwin attorneys Scott Cowperthwait, Cathy Intravia and William Roberts as well as industry experts from Adnet Technologies, the Connecticut Attorney General’s office, ESPN, the FBI, FINEX North America, General Electric Company, JPD Forensic Accounting, Quinnipiac University, United Therapeutics Corporation, and United Technologies Corporation (UTC).

Hope to see you there. Register soon as spots have been filling up over the last week.

Back in May, I talked about how data privacy was becoming a bigger issue for companies. Included in that, is the notion that human resources will play a key role in protecting information.

Today comes word of a massive coordinated effort by Chinese hackers to seek personal information on tens of thousands of government workers.  The New York Times lead article for today states:

Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.

The article goes on to note that private companies, particularly those in the defense industry, have continued to see an increase in cyber attacks on items such as personnel data.

In Connecticut, there are hundreds of government contractors and subcontractors who work on defense contracts.  But there are many more that remain a target as well.

There should be little doubt now that the personal information about your employees remains an at-risk area for companies.

I’ll have details soon on a symposium coming this fall on data privacy and workplace issues. For now, save the date of October 16th and watch this space for more information.

 

Last Thursday, I had the opportunity to speak at the Tri-State SHRM Conference held at Foxwoods Resort Casino.  The session was led by Marc Kroll of Comp360 and I thank him publicly for both the invitation and the coordination. But a post about the great work that HR consultants like Marc do is a topic for another post.

If there was a phrase that I’m sure HR personnel never thought they’d hear discussed at a Human Resources conference it would’ve been “data privacy”.  After all, shouldn’t that be something for an Information Technology summit?

But in presenting the topic “Pirates of the Data Stream: HR’s Role In Securing Corporate Information” to a full room, it confirmed what I had been seeing anecdotally — that HR personnel have an increasing role in making sure company data remains private.  I was approached afterwards by several people who appreciated the focus on the topic.

There were several suggestions we talked about in detail at the conference.  I’ll highlight just a few things we discussed:

  • Have a policy. Yes, it’s a cliche. But you still need one.  And make sure it’s workable.   Your policy is no good if no one follows it.
  • Train and educate your workforce (with particular emphasis on your senior executives) on the need to take reasonable steps to protect confidential company data.  This can’t just be for new employees, but needs to be an ongoing effort.
  • Audit yourself to determine where your data leakage is coming from. And don’t just focus on the electronic data; your personnel files in paper format still need to be secured as well.  Consider hiring a third party to help find the holes in your data storage.
  • Use agreements with restrictive covenants that prohibit employee use of confidential data not only when the employee is working for you, but also when the employee leaves.

And lest you think that this is mere scaremongering, the headlines from this morning illustrate that this issue is continuing to move to the mainstream: Target’s CEO stepped down because of a massive data breach last fall.

Human Resources has a significant role to play in preserving company and employee data.  It’s time to begin the discussion at your company if you haven’t already.   If you need assistance in that endeavor, consult your lawyer or your favorite HR consultant.

Numbers everywhere

Every once in a while, it’s worth taking a look at statistics in the employment law arena to get a sense of trends with the law and what employers should focus on. For those that have been paying attention, retaliation claims are now the most filed type of charge filed at the Equal Employment Opportunity Committee nationwide. In fiscal year 2012 (the last publicly available data), there were 99,412 charges filed (down from a peak of 99,922 in 2010).  Of those, 38.1% of charges were retaliation-based — up from just 22.6 percent in 1997.

Race discrimination claims — while up in terms of raw numbers from 15 years prior — are actually at their lowest levels percentage-wise in the last 15 years.  Instead, national origin claims and religion claims have each risen a few percentage points over the last 15 years — though even national origin claims seemed to have peaked in 2009.

Not surprisingly, in light of changes that were made to the Americans with Disabilities Act in 2009, disability discrimination claims are up sharply the last few years from 14,893 claims in 2005 to 26,379 claims in 2012.

Equal Pay Act claims — which some people projected would increase dramatically after the Ledbetter Fair Pay Act in 2009 — have remained fairly flat the last few years.  Up a little, but just by a few dozen.  Not enough to really move the needle on such claims.

In Connecticut, unfortunately, the Commission on Human Rights and Opportunities (CHRO) has had issues with its computer system and hasn’t been able to update its statistics since 2010. 

(The EEOC does keep some statistics on claims that are filed in Connecticut with the EEOC itself, but because those claims are typically investigated and handled through the CHRO, the EEOC statistics are really incomplete.)

But the CHRO statistics are hopefully coming soon.


Several years ago, Connecticut passed a law that, for the first time, required employers to take special precautions to protect the personal data of their employees. 

For a refresher, you can see my prior posts here and here.

Now, there is news of some tweaks to the law with some implications for employers and companies.  My colleague, Steve Bonafonte, has this update:

For those of us who were watching proposed legislation on data breaches unsuccessfully make its way through the 2012 General Session, we see now that it was passed as part of the Connecticut General Assembly’s Special Session by attaching it as Section 130 of the Budget Bill.

The new statute, Section 36a-701b, is effective October 1, 2012. 

It requires the reporting of a “breach of security” to the Connecticut Attorney General.  This is in addition to any other data breach reporting requirements that exist in the Connecticut Statutes or promulgated by industry regulators (e.g., Connecticut Department of Insurance Bulletin IC-25).   

Failure to comply constitutes an unfair trade practice under Connecticut General Statutes Section 42-110b  and is enforceable by the Attorney General.

What’s the takeaway for employers? This is yet another reminder that businesses should have a system to monitor and adjust internal data breach response policies and procedures in order to comply with these actively changing laws, particularly when it comes to protecting the private information of your employees.

While Connecticut-based businesses ought to give special attention to Connecticut law, the laws of other states may apply if you maintain or use personal information of residents of those states.   Additionally, these laws are increasingly providing for more active enforcement mechanisms that enable monetary damages or fines – both of which can be costly to defend and harmful to the brand reputation of the business if reported in the media.

With all the focus lately on social media, it’s easy to forget that there are other laws and issues that remain vitally important to employers. One of them is the need for employees to understand the importance of compliance with data privacy laws.  I talked in 2008 about a new law in Connecticut that may have been overlooked.

In today’s guest post, my fellow law partner, Steven Bonafonte, shares a recent case that emphasizes what can happen when an employer doesn’t take its obligations seriously.  My thanks to Steve for the post.

We routinely hear stories about “Data Breaches,” “Identity Theft,” “Credit Monitoring,” and other data loss-related events in the media.

These reports are becoming more frequent – almost routine – and may run the risk of being overlooked by many companies, even those who are in the business of collecting, processing or otherwise using confidential information of individuals.

One recent case, however, illustrates why employers should not be complacent when it comes to data breaches. They are anything BUT “routine”. 

The Wall Street Journal recently reported on the bankruptcy of a national medical records firm after over 14,000 medical records were compromised during a burglary of their California offices in December 2011.

The burglary occurred on December 31, 2011, and was discovered just three days later.  It was promptly reported to law enforcement. Nonetheless, the company was required to report the incident to various state and federal regulators as well as notify each of the potentially affected individuals.

The company stated that “The cost of dealing with the breach was prohibitive” in its explanation of why it was seeking protection under Chapter 7 bankruptcy. Chapter 7 bankruptcy (unlike Chapter 11) is used when the company is to be liquidated and its proceeds distributed to its creditors, so it appears as if this firm is headed out of business permanently.

Fortunately, events such as this are usually avoidable with the right combination of preventive legal and technical counseling.

It also is critical from a risk management and a business continuity perspective that companies have a legally defensible system of controls in place to meet their regulatory and contractual responsibilities.

Having, at a minimum, policies and procedures for managing sensitive personal data, technology controls such as encryption and other data loss prevention software, physical security, and a critical incident response plan will go a long way toward avoiding this unfortunate result.

Importantly, the responsibility should be emphasized to employees and to human resources as well.  A breach of an employee’s privacy may be just as costly as a breach of a customer’s.