September 25, 2020

Volume X, Number 269


Hacked? Compromised Information May Trigger Employer’s Duty to Notify Affected Employees

Hackers are getting creative. As they gather information about potential targets for identity theft and other cybercrimes, they increasingly target companies’ human resources departments. Employee records often contain troves of sensitive personal information that would be valuable to such criminals – from original employee applications with social security numbers and driver’s license numbers, to bank draft forms with bank account information, to W2 forms and other tax documents. And when employee data is compromised, employers may be responsible for notifying the affected employees.

Duty to Notify.

Louisiana law generally requires notification to Louisiana residents when their computerized personal information is acquired and accessed without authorization. But notification is not required if it is determined that, “after a reasonable investigation,” there “is no reasonable likelihood of harm” to Louisiana residents. If notification is required, the “owner” or “licensee” of the compromised data – such as an employer with hacked HR records – must notify affected Louisiana residents “in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach.” (If the breach is discovered by a third party – such as an outsourced service provider, cloud vendor, or other data processor – it must notify the data owner, which in turn must notify affected individuals.) Within 10 days of notifying Louisiana residents, the law also requires separate notice to the Louisiana Attorney General; failure to timely notify the Attorney General may result in fines of up to $5,000 per day.

Securing Personal Information.

Louisiana law also generally requires businesses to protect Louisiana residents’ digital personal information. The law requires businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And when disposing of computerized data that includes Louisiana residents’ personal information, businesses must “take all reasonable steps to destroy or arrange for the destruction of the records … by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” Failure to implement, maintain, and follow such requirements is deemed an unfair act or practice under the law.

The Take Away.

Thorough preparation is the best way to quickly contain a data breach. Employees with access to records containing personal information should participate in a semi-annual review of the company’s incident response plan. And because HR records often contain digital personal information of employees, employers should ensure that their HR professionals are familiar with the company’s security procedures and practices, too. Employers should also take care that they are properly disposing of digital HR records in accordance with their document destruction policies and the law.

For more on Louisiana’s Breach Notification Law, see Micah Fincher and Jessica Engler, One Year Later: Louisiana’s Database Security Breach Notification Law 2.0, Louisiana Bar Journal, Vol. 67, No. 2 (August/September 2019).

© 2020 Jones Walker LLP

National Law Review, Volume IX, Number 226


About this Author

Micah J. Fincher, Jones Walker, Trademark Infringements Lawyer, Patent Litigation Attorney

Micah Fincher is an associate in the firm's Intellectual Property (IP) section within the Business & Commercial Litigation Practice Group. His practice focuses on both protecting clients' intellectual property rights and defending those accused of infringing others' intellectual property. He also has extensive transactional experience, including leading complex contract negotiations. 

Litigation. Mr. Fincher has experience in handling complex patent, trademark, and copyright cases in both state and federal courts and Section 337...