October 20, 2016 Articles

Data Privacy and Protection: Considerations When Producing Employment Data

High-profile cybersecurity incidents involving the loss of personal, confidential information continue to be on the rise.

By Jeremy Guinta and Angela Sabbe – October 20, 2016

High-profile cybersecurity incidents involving the loss of personal, confidential information continue to be on the rise, as reflected by several recent developments in labor and employment actions. These types of data breaches can cause significant damage to a company’s reputation and financial bottom line, as well as impose an undue burden on individuals whose personal information has been compromised. Whether or not the security breach was due to negligence or a malevolent actor, the damage done by these types of incidents can be minimized.

Data Breaches in Labor and Employment Actions
There are thousands of new labor and employment actions throughout the country each year, and each has the potential for sensitive data to be produced and potentially breached. These cases generally involve producing and transmitting millions of sensitive records of human resource, timekeeping, and payroll data for thousands or tens of thousands of employees:

  • Human Resource Data: This data typically includes job movement records (e.g., hire, termination, and promotion). It also includes job title, date of birth, employment review records, gender, employee name, employee address, employee number, and possibly Social Security number as either the employee number or a separate data element.
  • Timekeeping Data: Typically, this data includes an employee’s clock-in and clock-out information, employee name, and employee number.
  • Payroll Data: This data typically includes employee bank account information, deductions, check information, wage amounts, and name and address.
  • Application Data: This data could include past employment history, name, address, phone numbers, Social Security number, login information, and dates and times of access to various systems.

The last two years have been rife with incidences of such data breaches. Some examples include the following:

  • An unknown number of current and former Snapchat employees had their personal, confidential payroll information compromised through a phishing attack in February 2016. An employee with access to this data received an email, which appeared to be sent by the company’s CEO, requesting the payroll information. The employee, not realizing that it was a scam, turned over the information via email.
  • T-Mobile and Experian suffered a breach in October 2015 that put 15 million T-Mobile customers’ personal information, including Social Security and driver’s license numbers, at risk.
  • In June 2015, information in the U.S. Office of Personnel Management’s background check database was breached, affecting nearly 20 million current, former, and prospective federal employees and contractors. The breach also impacted almost two million spouses and cohabitants of the employees and contractors. A large variety of data was breached, including Social Security numbers; residency, educational, and employment history; health, criminal, and financial history; and information on immediate family members. Additionally, information related to background check findings, fingerprints, and usernames and passwords used to fill out the information were also compromised.

Overall, 25 percent of data breaches involve negligence of an employee or contractor, and 29 percent involve problems with IT systems and/or business processes.

Figure 1: Root Cause of a Data Breach

Consequences of Data Breaches
Data breaches can lead to liability and loss of reputation in the marketplace. On average, data security incidents in the U.S. cost companies $6.5 million, averaging $217 per compromised record. Larry Ponemon, Cost of Data Breaches Rise Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis,’ SecurityIntelligence (May 27, 2015); Data Breach Investigations Report, Verizon (2016). These costs continue to increase year after year. Although employers hit with a data breach do not face the same costs associated with lost revenue and customer turnover that plague businesses that lose customer data, other costs associated with internal investigations, legal and consulting services, and notification and remediation remain. Thus, it is critical for all parties involved with data production to be properly trained and to understand the importance of protecting the data.

Minimizing the Risk
As noted, data under a production order can contain personal information for each employee and should be protected before being produced and while being analyzed. Regardless of how this information is protected during the normal course of business, companies facing litigation need to be aware that this data will likely be produced to their counsel, opposing counsel, and independent experts working on behalf of, or adverse to, them and will be outside of their direct control. Data can be at risk while in transit between systems internally or while in transit externally to another system, contractor, or third party.

The systems on which the data will reside may or may not have proper protections in place. It is imperative that companies understand the security protocols in place by third parties and how the data will be transmitted and stored.

In litigation matters, there are several very simple steps, such as encrypting the data and removing personally identifiable information, that can be taken to ensure that, even if a system is compromised, the data is protected and loss is minimized. These steps are discussed in further detail below.

Counsel Should Ask Questions Before Transmitting Data

  • How will the data be transmitted, and how will it be secured during transmission?
  • How is the transmitted data going to be stored on the third party’s system?
  • What is the third party’s data privacy protection policy?
  • Does the business associate’s agreement or job arrangement contract discuss liability/cost for handling a data security incident while the data is in the control of the third party?
  • Who will have access to the data?
  • How will the data be destroyed after the litigation case has ended?

Companies Should Take Precautionary Actions Before Transmitting the Data

  • Anonymize the data unless the analysis or production is being compelled without redactions. Removing or replacing personally identifiable information with dummy IDs is a best practice. For example, this type of information should be anonymized, when possible:
    • SSN
    • Employee name
    • Employee address
    • Date of birth, gender, and/or race
    • Bank account information, check processing or routing information, and direct deposit information
  • Encrypt the data using strong encryption. Encryption standards are continually evolving, and not all encryption methods provide the same level of security.

Counsel and Companies Should Use Best Practices for the Data Transmission
The data should only be sent using a secure protocol such as Secure FTP (File Transfer Protocol). Hard media, such as a hard drive or USB stick, should be avoided due to risks associated with potential loss. If the data must be produced using hard media, the file and the disk should be encrypted. Finally, once the litigation process is finalized, the data should be returned to the company stakeholder if produced on hard media or destroyed (i.e., deleted and wiped to eliminate metadata) if produced electronically. The data should not be retained on any third-party system, and agreements regarding the retention or elimination of data once the litigation process is finalized should be reached before any data is transmitted.

Conclusion
In sum, litigators and the companies that they represent should be acutely aware of the risks involved with production and transmission of sensitive data. The reputational and financial risk that companies and their counsel face when data is compromised during the litigation process is immense. As such, litigators should be proactive in asking the right questions regarding data privacy and protection, access, transmission, storage, and destruction to help minimize the risk to their client.

 

Keywords: litigation, employment and labor relations law, privacy, protection, employment, labor, data breach

 

Jeremy Guinta and Angela Sabbe are associate directors with Navigant in Los Angeles, California.


Navigant Consulting is the Litigation Advisory Services Sponsor of the ABA Section of Litigation. This article should be not construed as an endorsement by the ABA or ABA Entities.

Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).