Are companies doing enough to protect confidential employee information? That is a question many employees and employers are asking themselves after the Wall Street Journal and other news outlets reported Chinese operatives hacked into the Office of Personnel Management’s digital files and stole employee records and security clearance information for as many as four million current and retired federal employees and government contractors. Federal employees now must worry that their personally identifiable information will end up on the black market and ultimately in the hands of identity thieves.
While the federal government can hide behind its sovereign immunity, private employers may find themselves in court if a similar cyberbreach leads to the disclosure of confidential employee information. Case in point: a federal judge in California recently denied a Motion to Dismiss a suit filed by nine Sony Entertainment employees regarding the cyberattack purportedly carried out by North Korean hackers in retaliation for “The Interview.” See Corona v. Sony Pictures Entertainment Inc., No. 2:14-CV-09600 CC.D. Cal., filed Dec. 15, 2014. Many employers devote significant resources to protect sensitive digital trade secret and business information, but do not give the same attention to cybersecurity to protect confidential employee information. Employers who fail to protect confidential employee information do so at their own peril. The law requires employers to take affirmative steps to safeguard certain employee information. For example, employers covered by the Americans with Disabilities Act (“ADA”) are obligated to “take steps to guarantee the security of the employee’s medial information…” See EEOC Techinical Assistance Guide, § 6.5. Similarly, the Health Insurance Portability and Accountability Act (“HIPAA”) requires employers to protect certain employee health and medical information. See 45 C.F.R. § 164 (2007).
In the age of computer hackers, malware, and phishing scams, locking a paper file in a filing cabinet and closely guarding the key may seem like the easiest and safest way to protect confidential employee information. Employers, however, are moving away from paper files. Electronic files eliminate the need for physical storage, which saves both money and time. Moreover, employers who maintain physical files may not be able to completely escape the need to digitize certain confidential employee information such as payroll information for thirdparty payroll administrators or healthcare information for insurance providers. Thus, employers must familiarize themselves with cybersecurity and take steps to ensure that employee information is safe. The following is a list of ten steps employers can use to help maintain the security of confidential employee information: