HRTechNews.com » New laws put HR on hot seat for ID theft

New laws put HR on hot seat for ID theft

April 28, 2008 by Sam Narisi
Posted in: Document retention, Security and law, Special Report

In a recent court case, one company that thought it was buttoned-up against ID theft ended up paying $550K to employees because of a security breach. That’s just one example of how new data security laws are raising the stakes for HR and IT.

The potential costs of an HR data breach are huge. The loss of customer information has gotten most of the attention lately, but employee data is causing its own share of problems, too.

For example, Union Pacific Railroad recently made headlines after data about many of its current and former employees was stolen. Last December, the company was ordered to pay $550,000 to those employees to cover the money they lost to identity theft.

Look out for new laws

Employers are already familiar with the Health Insurance Portability and Accountability Act (HIPAA), which requires them to protect employees’ medical info. But the threat of identity theft has resulted in a new type of legislation that’s popping up across the country: data breach notification laws. So far there are no federal regs about what employers need to do if information is compromised, but states are filling in the holes themselves.

Thirty-eight states have laws on the books right now, and more state legislatures are considering them. The specifics vary from state to state, but typically, the rules cover specific types of data (such as social security numbers, bank account info, etc.) and require companies to notify the victims of a breach within a certain amount of time.

Generally, if a company breaks the law, people whose data is lost can sue - sometimes even if they don’t lose any money because of the breach.

(To read about the laws, state-by-state, go here.)

Plan Ahead

Of course, the best way to avoid going to court under one of those laws is to keep breaches from happening in the first place.

The key is cooperation between HR and IT. Here are some things both departments can do to limit the risk as much as possible:

  • Encrypt HR data. Many of the breach laws give employers a safe harbor if data is lost or stolen, but is encrypted so criminals can’t access it.
  • Don’t collect info you don’t need. And don’t keep any sensitive stuff around for longer than you have to (for example, unnecessary information about employees who’ve left the company). Store the sensitive data separately from the rest and make sure access is given only to employees who need it.
  • Hire the right people. Many data thefts are inside jobs; others are caused accidentally by negligent employees. Extensive background checks when hiring employees who will deal with sensitive data can help keep the human factor in check.
  • Don’t use the data the wrong way. One common practice is to use part of a SSN to form an employee ID number. Even using the last four digits and printing them on an employee’s ID badge creates an unnecessary risk.
  • Keep the non-tech stuff safe, too. It’s easy to forget, but paper records need protection just as much as computer files. Make sure file cabinets are locked and documents are shredded when you no longer need them.
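The "don't build employee IDs from the SSN" point above can be checked mechanically. The following is an added example (not code from the article or any HR product) that audits a constructed set of employee records for IDs containing a run of SSN digits and issues replacement IDs that carry no employee information; the record format and names are assumptions.

```python
import re
import secrets

# Constructed sample records (not real people or SSNs); the emp_id values mimic
# three schemes seen in HR systems: last four of the SSN, the whole SSN, and a random ID.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "emp_id": "EMP-6789"},
    {"name": "B. Example", "ssn": "987-65-4321", "emp_id": "HR987654321"},
    {"name": "C. Example", "ssn": "555-12-3456", "emp_id": "Q7K2-M9X4"},
]


def ssn_fragment_in_id(ssn: str, emp_id: str, min_run: int = 4) -> bool:
    """True if any run of min_run or more consecutive SSN digits appears in the ID digits.

    A 4-digit run can match by coincidence in a random ID, so a hit means
    "review this ID scheme", not proof of derivation.
    """
    ssn_digits = re.sub(r"\D", "", ssn)
    id_digits = re.sub(r"\D", "", emp_id)
    if len(ssn_digits) != 9 or len(id_digits) < min_run:
        return False
    return any(
        ssn_digits[start:start + min_run] in id_digits
        for start in range(0, 9 - min_run + 1)
    )


def audit_employee_ids(records, min_run: int = 4):
    """Return the names whose employee ID appears to be derived from their SSN."""
    return [r["name"] for r in records if ssn_fragment_in_id(r["ssn"], r["emp_id"], min_run)]


def issue_employee_id(alphabet: str = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789", length: int = 8) -> str:
    """Replacement ID drawn from a CSPRNG: unrelated to the SSN or anything else about the employee."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name in audit_employee_ids(SAMPLE_RECORDS):
        print(f"{name}: employee ID contains SSN digits; reissue it, e.g. {issue_employee_id()}")
```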
