In light of the many high profile cyber-attacks on businesses this past year, employers should assess their vulnerability relative to data breaches and take steps to protect themselves from hackers as well as more innocuous business practices that could result in data breaches. Businesses that handle protected health information are regulated under HIPAA to adopt administrative, technical, and physical safeguards to protect the confidentiality of this information. However, various state and federal laws place duties upon employers to protect non-HIPAA-covered sensitive information in a secure manner. Considering the recent hacking attacks, as well as the Obama Administration’s focus on cyber-security issues businesses should understand their risk relative to cyber security and consider adopting these safeguards to reduce their vulnerability to a business acceptable level. As discussed below, businesses should protect their customers, employees, and themselves by: (1) conducting a risk assessment to identify their system’s vulnerabilities; (2) adopting and regularly auditing compliance with network security policies; and (3) utilizing physical safeguards to deny unauthorized users system access.
In the wake of the massive attacks against Sony, its employees have filed a putative class action Michael Corona and Christina Mathis v. Sony Pictures Entertainment Inc., No. 2:14-cv-9600 in the U.S. District Court for the Central District of California, alleging that Sony was negligent for allowing itself to be hacked. The Complaint alleges that Sony breached its duty to its employees to implement technical safeguards, specifically: “failing to properly and adequately encrypt data, losing control of and failing to timely regain control over Sony Network’s cryptographic keys, and improperly storing and retaining” personal identifying information. Businesses should conduct a risk assessment or penetration test to determine their network’s vulnerabilities and ensure that they are exercising reasonable care in protecting employee information. This will allow businesses to identify and address their most pressing vulnerabilities.
Even the most formidable of technical safeguards can be compromised without adequate administrative safeguards such as policies regarding the storage of confidential information and computer use. In addition to implementing these policies it is vital that employers adequately train employees regarding these policies. ICANN, the nonprofit organization in charge of assigning internet domain names, was hacked this past year. The hackers penetrated ICANN’s security using a “spear phishing” attack against ICANN’s employees. The hackers disguised emails containing malware as internal ICANN emails, and an employee fell for the ruse. Adopting robust internet security policies and educating employees on how to follow these policies greatly reduces the risk of an employee compromising network security. Employers should also audit their network security policies on an annual basis or as systems change to ensure compliance with these policies.
By limiting access to workstations and electronic media, companies can implement physical safeguards to protect confidential information. By requiring employees to keep doors locked and not leave company devices unattended, as well as enforcing and educating employees regarding these policies, employers can reduce their vulnerability to hackers.
In addition to HIPAA and common law negligence claims, victims of hacking are subject to state laws requiring them to notify everyone whose information may have been compromised. Because each state’s law protects residents of that particular state, companies may be subject to a variety of different disclosure requirements. For example, an employer with employees in California, Virginia, and New York would be subject to three different sets of laws governing the content of the disclosure and who is entitled to receive it.[1] All three laws punish failure to promptly disclose a data breach with consequential damages associated with the cost of identity theft protection, and the economic consequences of identity theft. New York’s law also provides for punitive damages of up to $150,000 for knowing or reckless failures to promptly disclose.
More data breach reporting laws are likely on the way. The Obama administration recently proposed a federal data breach reporting law and the New York Attorney General recently proposed measures to toughen New York’s law. Businesses should carefully monitor new legislative developments to ensure compliance with the most up to date guidance in this rapidly transforming area of the law. Epstein Becker & Green, P.C., attorneys can assist in conducting risk assessments and penetration tests and assist in developing network security policies.
[1] California Civil Code § 179.80; Code of Virginia § 18.2-186.6; New York General Business Law § 899-aa.