Employers have begun to increase efforts to protect confidential information; however, security breaches are still a regular occurrence. Security breaches bypass an employer’s security systems, enabling unauthorized individuals to access secured and unsecured information. Under federal and state law, employers are required to provide notice to relevant parties when certain security breaches occur. Unfortunately, because of the complexity and variance across state laws, compliance with data breach notification requirements can be difficult.
Implementing guidelines for protecting an employer’s confidential information can greatly reduce the possibility of a data breach and assist in repairs and recovery. Last month, we explained in greater detail the importance of having cyber security protocols, and how some employers will soon be required to have expansive written policies. For more information on cyber security policies, see our general article and our article explaining required programs.
If an unauthorized user has gained access to confidential information, such as employee health information or trade secrets and intellectual property, it is considered a data breach. When a data breach occurs, the initial reaction is to try to minimize damages as much as possible, which can include restricting knowledge of the breach to a select few. Notifying relevant parties presents employers with significant issues, such as expenses and reputational loss. However, failure to notify all persons involved can often allow further data breaches, slow the repair process, and prevent new safeguards from being implemented.
Local Statutes
In 2002, in order to protect businesses, organizations, employees, and consumers, California became the first state to require employers to notify relevant parties of data breaches. Since then, 47 states, as well as the District of Columbia and Puerto Rico, have enacted similar statutes. Although many of these statutes look similar in form, some states are beginning to move away from the California model by broadening definitions and eliminating exemptions.
Navigating individual data breach notification laws can be difficult and expensive, especially after a breach has already occurred. This task becomes increasingly complex for multi-state employers, as the variations between state laws can sometimes be the difference between nominal fines and costly lawsuits.
Requirements
Employers are required to respond to data breaches in specific ways, which vary depending on the state in which the employer operates. Generally, when a breach occurs, an employer must first attempt to mitigate any further damage to consumers, employees, and the employer. Additionally, notice of the breach must be provided to all relevant parties, which includes consumers, vendors, and employees.
Most states do not require notification to be provided within a specific time frame; rather, it must be given after employers have had some time to investigate and secure their systems. In certain circumstances, the laws also allow for additional time for employers to remedy the breach. Currently, eight states mandate that notice be given within a certain time frame, regardless of the employer’s actions. In these situations, the only way that the notification period can be extended is if it is requested by law enforcement.
Encrypted data, which has been converted into a cipher or code, is generally exempt from the notification requirement because most states view encryption as the best available protection for information. However, Tennessee is now the first state to mandate notification, regardless of encryption. Since the announcement of Tennessee’s amendment, California lawmakers have begun debating whether to eliminate their encryption exemption. If more states elect to follow Tennessee’s example, even this simple exemption will create compliance issues for multi-state employers.
Practical Considerations
Providing notice for breaches of confidential information can become an employer’s worst nightmare. Not only do employers have to admit that their security has been breached, but they also have to make sure that they are complying with every applicable state law. Furthermore, sending data breach notices is time consuming.
Employers can reduce their risk of breach, and subsequently their risk of providing notice, by implementing detailed cyber security policies and training employees on how to properly respond to breaches. Keeping up-to-date on the ever-changing notification requirements will also enable employers to act properly and promptly in order to avoid additional damage or fines for failure to comply with notice laws.