Almost all states have laws that require you to notify employees if Social Security numbers, addresses and other information targeted by identity thieves may have been disclosed due to a lost laptop, misplaced backup file, hacked internal website or other leak, says Linda Foley, founder of nonprofit group Identity Theft Resource Center. And Patrick M. Gavin, an attorney at Husch Blackwell, says that new laws and reinterpretations of existing ones increasingly require employers to safeguard employee records. "You see an expansion of law that protects employee data," Gavin says. "And you see that phenomenon going across both federal and state laws."
The most publicized losses of employee data involve large firms with thousands of employees. But small companies are at risk, too. "Anyone who has [a private company with] at least 15 employees is going to be covered by the Americans With Disabilities Act, which has privacy and confidentiality provisions as it applies to people's physical and mental health," Gavin says.
The biggest risk comes from civil lawsuits filed by employees. While regulators require securing data, they have generally been slow to impose punishments. But class action lawsuits claiming companies didn't secure data properly or failed to notify affected individuals can result in damages that might bankrupt a small company. "It's a serious risk," Gavin says. "There are more filings of these types of suits."
Securing data starts with doing proper background checks on new hires, especially if the person will handle payroll or similar data, says Foley. After that, focus on physical security--keeping sensitive records under lock and key and limiting access only to those who need it. Make internal websites and computer networks hacker-resistant, perhaps getting a forensic IT expert to audit them. Finally, have a plan for notifying current and former employees by mail, e-mail, phone or through the media if a breach occurs. Check your state laws for specific notification requirements. And be aware that some states require notifying residents who may have been affected, even if you don't do business there.
Lawsuits over lost employee data are among the most easily preventable legal risks. A small amount of prevention can save a lot of cure. Says Gavin, "Waiting for a problem to crop up and dealing with it later is not a wise course of action."
Mark Henricks writes on business and technology for leading publications and is author of Not Just a Living.