Employee Data Privacy - What Employers Need to Know

 

Employers typically do not realize the amount of personally identifiable information (PII) that they maintain concerning their employees or that they can be held liable to employees for failing to adequately protect PII.  The definition of PII varies by state.  Thus, depending on the state (or states) in which a company has offices, or in which employees reside, protected PII can include employees':

  • Social Security numbers.

  • Bank routing numbers.

  • Home addresses.

  • Home phone numbers.

  • Personal email addresses.

  • Driver's license numbers.

  • Medical information.

  • Mother's maiden names.

PII must generally be maintained confidentially and protected from unauthorized access or disclosure.  Such protection typically includes keeping documents containing PII in locked cabinets or securing them with encryption, password protection, and/or restricted access on a company's servers.

Employee-related PII is protected by a patchwork of data privacy and other legislation at both the state and federal level. For example, the Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), the Federal Trade Commission (FTC) Act, as well as state data privacy laws, all govern the protection of employee PII. In addition, data breach notification requirements vary from state to state.

To comply with the various data privacy laws, employers must understand (1) how PII is defined in the jurisdictions in which they are located and their employees reside, (2) what PII they collect concerning their employees, (3) how that PII is maintained, (4) how applicable law requires that employee PII be protected, (5) whether the employer's policies and practices comply with applicable data privacy laws, and (6) the employer's notification obligations if a data breach occurs.

Employers should consult with data privacy counsel to ensure that they are adequately protecting employee PII, thus protecting themselves from liability. If you have questions concerning your business's handling of employee PII, we can help.