This is part of a series of articles by Wright Lindsey Jennings’ labor and employment team examining key trends for employers and the workplace in 2018. The series was featured in Arkansas Business. According to a recent CNBC survey, about 28 percent of CFOs believe that the threat of cyber attacks is the biggest external threat they face. Because of the sensitive personal information collected from employees (e.g. social security numbers, birth dates, bank account information, health information), employers are prime targets. In addition to the threat of cyber attacks, neglecting to protect employee records can implicate federal laws like the Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Americans with Disabilities Act, or the Health Insurance Portability and Accountability Act. Issues with state laws on protection of sensitive information may also arise (e.g. the Arkansas Personal Information Protection Act). With that in mind, here are some important things for employers to think about regarding secure data in the workplace.
Making sure employees do not release sensitive information online has become essential. According to Dell EMC, phishing costs organizations around the world $4.5 billion every year, and over half of internet users get at least one phishing email per day.
Phishing is a type of attack in which unsuspecting individuals are sent deceptive emails. Opening the emails and replying, or clicking a malicious link or attachment, allows hackers to obtain confidential information, infiltrate secure systems, or even take control of computers.
For example, in February, a human resources employee at Lincare Holdings Inc. divulged data including addresses and Social Security numbers after receiving a phishing email from someone posing as a company executive. Some of the employees at the home health care company filed suit in a Florida federal court, alleging that the breach exposed some 14,000 employees to identity theft and other financial harm. The employees contend that Lincare should have guarded against data breaches because of similar breaches that had occurred at other companies since 2016 and because of warnings about phishing scams from the FBI and IRS.
Hackers are even “kidnapping” data and demanding a ransom for the return of it. In November, it was revealed that Uber had hidden the hack of more than a year’s worth of information involving 57 million customers and drivers. Instead of alerting users and authorities, it paid a $100,000 ransom to hackers to have the information returned.
Training employees to recognize these scams can help. Many phishing emails have spelling mistakes or poor grammar. Phishing emails usually request personal information via email while legitimate emails typically do not. Employees should be trained not to click on unexpected attachments and embedded links in suspicious emails.
Having a response plan in place can mitigate damage from breaches. Make sure you comply with federal and state laws relating to data breaches in the event of a cyber attack. Most states (including Arkansas) have laws that require notifying authorities and any customers/employees affected by the breach if there is a reasonable likelihood of harm. Consider taking all affected equipment offline and consulting a data forensics team and legal counsel to investigate.
Employers should also be aware of risks associated with biometric technology, which has become one of the more popular ways to restrict access to areas holding confidential and proprietary information.
Many businesses are using biometrics to restrict employees’ access to specific areas, computer systems, data and devices. Some are using it to restrict nonemployees’ access into facilities as well. For example, Wells Fargo Bank uses hand geometry to prevent unauthorized access to the bank’s data centers.
Using biometric technology, a person’s physical characteristic or trait is scanned, converted into a digital code and stored in order to confirm identity and grant access to certain areas. Some of the types of scans used include facial recognition, hand geometry, voice recognition and fingerprint recognition. As the technology advances and gains popularity, it is becoming more affordable, not only for large businesses but for smaller ones as well.
In addition to the security benefits, another appeal of biometric technology is its ability to ensure more accurate records of employees’ hours. For example, Coca-Cola uses hand-scanning technology to keep track of employees’ time and attendance. Woolworths Supermarkets, an Australian supermarket chain, operates the world’s largest biometric time and attendance system, monitoring time and attendance for about 100,000 employees with finger imaging technology. With the rise in the number of wage and hour suits, ensuring accurate time records while also ensuring data security seems to be a great opportunity for employers.
But additional data collection and security concerns come with this technology.
First, there is the question of compliance with federal and state laws. While there are no federal laws in place that restrict the use of biometric technology, some state laws constrain, or could constrain, its use.
Three states (Illinois, Texas, and Washington) have laws specifically addressing biometric privacy. These laws require disclosing the purpose of the collection and obtaining consent before biometric information is collected. Other states, including Arkansas, have basic information protection acts that protect sensitive personal information. Arkansas’ Personal Information Protection Act requires businesses to implement and maintain reasonable security measures for sensitive personal information in electronic form.
Employers in Illinois have found themselves on the wrong side of Illinois’ Biometric Information Privacy Act (BIPA), with at least 30 employment class actions alleging violations of the BIPA filed in Illinois state court since July. Most of the complaints allege that employers are collecting employees’ fingerprints for use in connection with biometric timekeeping systems but failing to follow the notice and consent requirements.
Also, some employees are hesitant to use biometric technology. A telling example is a West Virginia lawsuit, EEOC v. Consol Energy Inc.
In June, a jury awarded an employee $600,000 after he was required to use a biometric hand scanner despite his refusal, which was based on his religious belief that the technology amounted to the mark of the beast from the Bible’s Book of Revelation.
The employer implemented a biometric hand-scanner system in order to better monitor the attendance and work hours of its employees. The employee refused to use the scanner because he said it presented a threat to his core religious commitments as a devout evangelical Christian. Although the employer was providing an alternative to employees who could not use the hand scanner for non-religious reasons by allowing them to manually record their time, it refused to accommodate the employee’s religious objection. Employers everywhere should be mindful of this verdict, which was affirmed on appeal.
Based on the discussion above, here’s a New Year’s resolution list for data security:
- Develop and enforce policies and procedures concerning storage, use and access to sensitive information.
- Ensure compliance with federal and state laws related to data collection and security.
- Inform and train employees on data security measures.
- Update protection technology.
- Develop a response plan in case a breach occurs.