HR Data Breaches Can Leave Holes in Corporate Pockets

Employee data breaches are becoming like leaky roofs for companies—frustrating but familiar. And as such, experts say, organizations are getting smarter about preventing the kind of personal information exposures that can anger workers and damage a firm’s reputation.

Some employers have faced lawsuits related to breaches. And challenges persist when it comes to protecting employees’ privacy, including the difficulty of safeguarding sensitive information when so many workers take computers home or on the road. But through steps such as training and data encryption, organizations are finding ways to keep a tight grasp on employee information.

“It is now a routine concern,” says Doug Rosinski, an attorney with law firm Ogletree, Deakins, Nash, Smoak & Stewart.

Serious issue
During the past few years, the issue of employee data breaches has come to the fore for businesses and workers. That’s partly because of the related rash of consumer data exposures, in which banks and other organizations have lost control of key information. It also stems from the way millions of Americans have had to wrestle with the headache of identity theft.

What’s more, a number of high-profile cases involving lost or stolen employee data have focused attention on the issue.

Among the most public of the snafus was a May 2006 incident involving the U.S. Department of Veterans Affairs. In that case, computer equipment with data including names, Social Security numbers and dates of birth for as many as 26.5 million veterans and other individuals was stolen from the home of a VA employee.

Also key to the growing awareness is a set of state laws on data breach notification. California led the way with a statute passed several years ago.

Under California law, a business that maintains unencrypted computerized data that includes certain personal information must notify any California resident “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Other states have similar legislation, says Alan Raul, an attorney specializing in privacy and information security issues with the law firm Sidley Austin.

It is not so much that organizations have gotten sloppier with their data in recent years as the law has put a spotlight on the matter, he says.

“The spate of apparent data breaches was not triggered by changes in practice,” Raul says.

Since early 2006, there typically have been four to six media accounts of human resources data breaches per month, according to research by Don Harris, founder of consulting firm HR Privacy Solutions.

That number spiked in October 2007 to eight, but hit lows of just two for both September and November. Harris says the lulls could signal companies’ determination to keep themselves out of the papers on the data breach front.

“Maybe more and more employers are waking up and saying, ‘I just don’t want to be there. I want to do something about it,’ ” Harris says.

Legal liability
Still, a number of organizations have found themselves on the receiving end of lawsuits related to employee data exposures.

Among them is Union Pacific, the transportation giant that operates Union Pacific Railroad. Union Pacific, which employs about 50,000 workers, has acknowledged a series of eight data breach incidents between April 2006 and January 2007, most of which involved stolen laptop computers.

Those breaches gave rise to three lawsuits. The lost or stolen equipment in the incidents was judged to contain personal information for 35,738 current and former Union Pacific employees from across the U.S., according to a court document.

Union Pacific employees weren’t just worried about the dangers of missing computer equipment with personal information; they also fretted about the way the company used their Social Security numbers for a wide variety of purposes, says Robert O’Connor Jr., an Omaha, Nebraska-based attorney who represented employees in the litigation. Employees were even asked to disclose their Social Security number in filling out a reimbursement form when purchasing work shoes, O’Connor says.

“You’d go to Red Wing shoes and you’d have to put your Social Security number on it, instead of your employee identification number,” he says.

In December, a court approved a settlement that creates a $550,000 fund for paying half of a current or former employee’s identity theft losses, up to a maximum of $25,000 per person. The company also agreed to phase in a set of measures related to the protection of current and former employees’ confidential data. Union Pacific said that as a general matter it “will cease using Social Security Numbers as a routine means of identifying its employees.” It also pledged to encrypt all data files stored on company laptop computers.

Union Pacific spokesman James Barnes declined to comment on the allegation about shoe reimbursement. He said the company is focused on a future of better safeguarding employee data in order to give workers “peace of mind” on the issue.

“We’re going to extraordinary lengths to protect the identities of our employees, and that includes their Social Security numbers,” he says.

The VA also has been hit with a data breach lawsuit, one focused on the May 2006 incident. Attorney Rosinski, who is representing plaintiffs in the suit, says the two sides are in mediation talks.

Authorities eventually recovered the stolen computer equipment, and the VA says an FBI investigation concluded that no veterans’ personal information had been accessed or compromised. Rosinski, however, isn’t convinced.

“You can never prove it wasn’t taken,” he says.

The VA has weathered other troubles related to data protection. For example, three computers containing information on 12,000 veterans were stolen from a VA medical center in Indianapolis last year.

The agency says it has worked to improve its data security practices. It updated required annual privacy and cyber security training and has hosted satellite broadcasts on information security. It also has encrypted most VA laptops.

New ways of working
An emerging difficulty in employment-related data protection is the way organizations’ traditional boundaries are expanding to include mobile work and outsourcing.

Using electronic job boards to recruit candidates, for example, is a form of outsourcing—one that has proved to be somewhat hazardous. Last year, job board Monster said employer client log-in credentials had been compromised and used to illegally download contact information for 1.3 million job seekers.

Employee “homework” represents another challenge for companies, attorney Raul says.

The number of Americans whose employer allows them to work remotely at least one day per month jumped from 7.6 million in 2004 to 12.4 million in 2006, according to a report announced last year by professional association WorldatWork.

Raul says that employees who lug their laptops home may end up sharing them with family members, who in turn may download software. In other words, he argues, the potential is there for remote workers to expose sensitive employee data to hackers.

“Are all of the defensive measures that are available at the office available at the home?” he asks.

In addition, cyber criminals are growing more sophisticated, Raul says. The number of employee data exposure incidents may drop, he says, “but those breaches that do occur could possibly be more serious.”

Raul says companies ought to set policies for acceptable remote computer usage, as well as ask tough questions about whether sensitive data truly needs to be taken home. He also recommends creating formal agreements with vendors about how they treat an organization’s data.

Another key, he says, is encryption—which means altering data so that it cannot be understood by unauthorized people. In recent years it has become easier to encrypt the contents of a computer without seriously lowering the performance of the machine, he says.

“Many more companies are encrypting information that is contained on laptops,” he says.

Attorney O’Connor also sees encryption as crucial as organizations seek to safeguard employees’ confidential data.

“They need to encrypt, and they need to stop using Social Security numbers,” he says.

Rosinski says the private sector is headed in the right direction.

“The market is driving the employers to do the right things,” he says.

Consultant Harris also sees progress on employee privacy. He says hundreds of companies now have “chief privacy officers.” What’s more, he notices greater awareness of international data privacy rules.

“To me, it’s a sign that the whole privacy scene is starting to mature,” he says.