About twelve years ago, when most people had never heard the term “data breach”, a colleague asked me what type of law I practiced. I tried to explain that I helped companies collect, secure, and share data, and, when data was inadvertently lost or breached, I helped them take steps to minimize any adverse impact. He thought for a while and said “what types of companies need to be worried about a data breach?” He was surprised when I looked him in the eye and said every company needs to be concerned about a data breach.

The reason was simple. Every company, whether its mission is manufacturing, sales, service, retail, or software, has employees and, if you have employees, then you have extremely sensitive personal information in your possession – e.g., Social Security numbers, direct deposit numbers, tax forms, passport information, health information, etc.

Since then, the world has changed. One of the largest department stores lost information relating to nearly one third of the United States population in a month; one of the largest health care providers lost information relating to another quarter of our population; major political parties have been hacked; so, too, have our federal and state governments.

When you examine the hundreds of data breaches and thousands of data security incidents that occur each year, a large number of them still involve human-resource-related issues. These include situations in which human resource data was inadvertently lost or was wrongfully acquired by a third-party hacker and, in a small number of cases, situations in which a current or former employee maliciously stole or released information.

Since the first publication of our data breach handbook in 2014, the legal ramifications for mishandling a data security incident have become more severe. In the United States, the number of federal and state laws that claim to regulate data security has mushroomed. The European Union has also enacted a new General Data Protection Regulation, which will extend the United States framework for responding to data breaches across the EU, but with significantly enhanced penalties. The EU’s version of data breach notification might best be characterized as US law on steroids and is sure to cause more sleepless nights on the other side of the Atlantic.

In order to effectively respond to a data security incident, human resource professionals and labor and employment attorneys must understand what a “security incident” entails, what their organization should do to prepare itself before an incident occurs, and what practical considerations will confront the organization when an incident arises. Effective response also requires understanding and preparing for the possibility that a data security incident may lead to lawsuits, regulatory investigations, or public scrutiny.

This handbook provides a basic framework to assist human resource professionals and labor and employment attorneys with handling a security incident. Section I explains what security incidents are, how often they occur, and which types of organizations are most at risk. It also discusses the costs that a security breach may impose on an organization. Section II outlines how human resource professionals can help their organization prepare for a security incident.
