Categories: Technology

In light of the many high profile cyber-attacks on businesses this past year, employers should assess their vulnerability relative to data breaches and take steps to protect themselves from hackers as well as more innocuous business practices that could result in data breaches. Businesses that handle protected health information are regulated under HIPAA to adopt administrative, technical, and physical safeguards to protect the confidentiality of this information. However, various state and federal laws place duties upon employers to protect non-HIPAA-covered sensitive information in a secure manner.  Considering the recent hacking attacks, as well as the Obama Administration’s focus on cyber-security issues businesses should understand their risk relative to cyber security and consider adopting these safeguards to reduce their vulnerability to a business acceptable level. As discussed below, businesses should protect their customers, employees, and themselves by: (1) conducting a risk assessment to identify their system’s vulnerabilities; (2) adopting and regularly auditing compliance with network security policies; and (3) utilizing physical safeguards to deny unauthorized users system access.

In the wake of the massive attacks against Sony, its employees have filed a putative class action Michael Corona and Christina Mathis v. Sony Pictures Entertainment Inc., No. 2:14-cv-9600 in the U.S. District Court for the Central District of California, alleging that Sony was negligent for allowing itself to be hacked. The Complaint alleges that Sony breached its duty to its employees to implement technical safeguards, specifically: “failing to properly and adequately encrypt data, losing control of and failing to timely regain control over Sony Network’s cryptographic keys, and improperly storing and retaining” personal identifying information. Businesses should conduct a risk assessment or penetration test to determine their network’s vulnerabilities and ensure that they are exercising reasonable care in protecting employee information. This will allow businesses to identify and address their most pressing vulnerabilities.

Even the most formidable of technical safeguards can be compromised without adequate administrative safeguards such as policies regarding the storage of confidential information and computer use. In addition to implementing these policies it is vital that employers adequately train employees regarding these policies. ICANN, the nonprofit organization in charge of assigning internet domain names, was hacked this past year. The hackers penetrated ICANN’s security using a “spear phishing” attack against ICANN’s employees. The hackers disguised emails containing malware as internal ICANN emails, and an employee fell for the ruse. Adopting robust internet security policies and educating employees on how to follow these policies greatly reduces the risk of an employee compromising network security. Employers should also audit their network security policies on an annual basis or as systems change to ensure compliance with these policies.

By limiting access to workstations and electronic media, companies can implement physical safeguards to protect confidential information. By requiring employees to keep doors locked and not leave company devices unattended, as well as enforcing and educating employees regarding these policies, employers can reduce their vulnerability to hackers.

In addition to HIPAA and common law negligence claims, victims of hacking are subject to state laws requiring them to notify everyone whose information may have been compromised. Because each state’s law protects residents of that particular state, companies may be subject to a variety of different disclosure requirements. For example, an employer with employees in California, Virginia, and New York would be subject to three different sets of laws governing the content of the disclosure and who is entitled to receive it.[1] All three laws punish failure to promptly disclose a data breach with consequential damages associated with the cost of identity theft protection, and the economic consequences of identity theft. New York’s law also provides for punitive damages of up to $150,000 for knowing or reckless failures to promptly disclose.

More data breach reporting laws are likely on the way. The Obama administration recently proposed a federal data breach reporting law and the New York Attorney General recently proposed measures to toughen New York’s law. Businesses should carefully monitor new legislative developments to ensure compliance with the most up to date guidance in this rapidly transforming area of the law. Epstein Becker & Green, P.C., attorneys can assist in conducting risk assessments and penetration tests and assist in developing network security policies.

[1] California Civil Code § 179.80; Code of Virginia § 18.2-186.6; New York General Business Law § 899-aa.

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Related Services



Jump to Page


Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.