Hacked? Compromised Information May Trigger Employer’s Duty to Notify Affected Employees
Hackers are getting creative. As they gather information about potential targets for identify theft and other cybercrimes, they increasingly target companies’ human resources departments. Employee records often contain troves of sensitive personal information that would be valuable to such criminals – from original employee applications with social security numbers and driver’s license numbers, bank draft forms with bank account information, and W2 forms and other tax documents. And when employee data is compromised, employers may be responsible for notifying them.
Duty to Notify.
Louisiana law generally requires notification to Louisiana residents when their computerized personal information is acquired and accessed without authorization. But notification is not required if it is determined that, “after a reasonable investigation,” there “is no reasonable likelihood of harm” to Louisiana residents. If notification is required, the “owner” or “licensee” of the compromised data – such as an employer with hacked HR records – must notify affected Louisiana residents “in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach.” (If the breach is discovered by a third party – such as outsourced service provider, cloud vendor, or other data processor – it must notify the data owner, which in turn must notify affected individuals.) Within 10 days of notifying Louisiana residents, the law also requires separate notice to the Louisiana Attorney General; failure to timely notify the Attorney General may result in fines of up to $5,000 per day.
Securing Personal Information.
Louisiana law also generally requires businesses to protect Louisiana residents’ digital personal information. The law requires businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And when disposing of computerized data that includes Louisiana residents’ personal information, businesses must “take all reasonable steps to destroy or arrange for the destruction of the records … by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” Failure to implement, maintain, and follow such requirements is deemed an unfair act or practice under the law.
The Take Away.
Thorough preparation is the best way to quickly contain a data breach. Employees with access to records containing personal information should participate in a semi-annual review of the company’s incident response plan. And because HR records often contain digital personal information of employees, employers should ensure that their HR professionals are familiar with the company’s security procedures and practices, too. Employers should also take care that they are properly disposing of digital HR records in accordance with their document destruction policies and the law.
For more on Louisiana’s Breach Notification Law, see Micah Fincher and Jessica Engler, One Year Later: Louisiana’s Database Security Breach Notification Law 2.0, Louisiana Bar Journal, Vol. 67, No. 2 (August/ September 2019).