Sony Pictures Entertainment, Inc. is the latest high-profile business victim of data theft. The consequences have been significant. In response to threats of violence, Sony has reconsidered its range of options for the release and distribution of its feature film The Interview. Also last week, three separate federal class actions were filed in California by employees claiming that their private information had been impermissibly disclosed.
In the wake of this crisis, and as more is learned, employers should consider the following issues:
1. All employers are vulnerable to cyber attacks and data breaches, regardless of their industry, size, or location. The risk of a data breach is not limited to big box retailers, the financial industry, or government agencies. A data breach crisis is no longer limited to the risk of releasing credit card numbers and personal identification numbers. The risks from data breaches extend to the disclosure of private email addresses, employee Social Security numbers, private salary information, medical information, trade secrets, confidential business information, employee files, and other personal identifying information.
2. Emails should not be considered private. Executives, managers, and employees should be aware that their private emails may be discovered and disclosed. Whether through data breaches, unlawful disclosure, or a simple discovery request in a lawsuit, private emails may become public. Employees at every level should be made aware or reminded that if they would not want to see their emails published on news websites or Twitter, they should not click “send.”
3. State laws impose new and differing requirements upon employers when a data breach occurs. Most states now have laws mandating the steps an employer must take in the event of a data breach. Typically, those state laws require immediate notification to those impacted, along with other security precautions such as the offer of credit monitoring.
4. Insurance may not always cover a data breach. Employers’ insurance policies may not provide coverage in the event of damages arising from a data breach. Although insurance companies do offer data breach coverage, the coverage is typically optional, must be elected, and includes many limitations. Employers should examine their current coverages and determine whether they are covered in the event of a data breach and exactly what their insurance covers (e.g., response and notification expenses, public relations expenses, business interruption damages, forensic services, defense and liability expenses, etc.).
5. Employers may face potential liability, even if they are the victims of a cyber attack or international terrorism. Regardless of whether the employer is the victim of a careless hacker or a coordinated act of international terrorism, the employer-victim may have potential liability to those whose data was breached. In the growing list of lawsuits filed this year in data breach cases, employers are expected to have taken precautions to secure private information. Often it is not the data breach itself, but the employer’s prior failure to take data security precautions, that creates potential liability.
6. Employers’ rights to restrict employee data use present complicated issues. One of the precautions many employers take to protect their networks is to prohibit employees’ non-work related use of technology. This month, however, the National Labor Relations Board issued a significant opinion in Purple Communications, Inc. holding that employers are presumed to have committed an unfair labor practice if they restrict personal, non-work related email use. The rationale of the decision is that the National Labor Relations Act affords employees the right to communicate with one another about union organization, and email use restrictions infringe upon those rights. The decision creates a conflict for employers between the critical need to safeguard networks and the recognition of the rights of workers to use email for non-work related activity.
7. The law is changing and growing daily. As data breaches and cyberterrorism grow in number, variety, and frequency, the law grows and changes in response to the threats and issues presented. Employers need to carefully and regularly monitor their emerging obligations under state and federal laws and regulations, as well as the developing data privacy common law.
8. All employers should add a data breach risk audit to their 2015 agendas.
9. Employers should take data security precautions to minimize the risk of liability for data breach. Necessary security precautions vary depending upon the organization and the type of data maintained electronically, but some precautions might include
- firewalls;
- effective password protection;
- data encryption;
- data storage security;
- antivirus and malware protection and prevention;
- security applications;
- continuous updates of security hardware and software;
- user training and education;
- device security; and
- monitoring.
10. Employers should include data breach scenarios in their emergency and crisis planning. The best time to create an emergency response plan is before an emergency occurs. Employers should create response teams that include representatives from various departments, including information technology, operations, public relations, and legal to create a ready response plan in the event of a data breach.