By: Thomas B. Caswell, Judith Bevis Langevin, and Kate Bischoff, Zelle Hofmann Voelbel & Mason LLP
All employers have personnel data on their information technology systems and devices. This data includes personally identifiable information (PII) such as names, addresses, birth dates and Social Security numbers of employees and their family members. In light of high-profile, employee-led lawsuits like those stemming from cyber attacks at Sony Pictures Entertainment Inc. and the University of Pittsburgh Medical Center, employers are rightly concerned about the security of their data and the potential liability (and attorneys’ fees) that could result if they are hacked and personnel data is leaked. To answer some questions about employer liability for the hacking of personnel data and about the potential for insurance coverage, we put these questions to lawyers practicing in the employment, cyber and insurance arenas.
Q: Our employer clients are concerned about the possibility that they could be hacked. What should we tell them?
A: They are right to be concerned, regardless of their size or number of employees. Small and medium-sized companies are no less likely to be hacked than large corporations. In fact, in the wake of the well-publicized data breaches at Target Corp., Home Depot Inc., TJX Companies Inc. and others, most large corporations have undertaken extensive retooling of their systems and procedures, leaving small and medium-sized companies as the “low hanging fruit” for hackers. While implementing defensive measures cannot immunize employers of any size from data theft, it should be a focus of attention, regardless of an organization’s size. As an illustration of the trend toward hacking smaller organizations, consider this: In 2011, the median number of records exposed per breach was 45,000. Over the next two years, this number sharply declined to 29,000 in 2012, and to a mere 1,000 in 2013.
Q: If an employer is hacked and personnel information is accessed, what claims could an employee (or group of employees) bring against that employer? What about claims by the government?
A: Legal actions that could be brought by employees would be based on the exposure of PII and any damages resulting from that exposure. Individual or class claims could be based on state or federal statutes or might include common law negligence, invasion of privacy, breach of express or implied contract or misrepresentation. As this area of litigation expands, we are likely to see additional causes of action develop. Some statutes allow a governmental entity to impose penalties in the event of PII exposure, separate from any claims by employees, and it’s important to remember that almost all states require employers to notify employees of a breach or risk penalties for failing to do so.
When assessing their risk, employers should remember that what constitutes PII varies greatly from state to state. It can include any combination of a person’s first name (or first initial) and last name with other information, such as their Social Security number, driver’s license number, credit card information, password, security codes or PINs, or unique biometric data. Some states have expanded the definition of PII to include names in combination with zip codes, usernames and passwords, or a mother’s maiden name, as well as a Social Security number alone (not combined with a name) and electronic signatures.
Q: If an employer has business insurance that covers claims of negligence, would it cover claims brought because of a cybersecurity breach?
A: Generally speaking, traditional (i.e., non-cyber specific) insurance policies have limited coverage and sometimes no coverage for loss, damage and potential liability resulting from cybersecurity breaches. There are exceptions, but no employer should assume that its business insurance includes cyber-related coverage. This is true regardless of whether the breach occurred as a result of the employer’s negligence or despite the employer’s best efforts to protect its information.
Q: What kinds of risks do cyber insurance policies cover for employers?
A: There is an increasing number of insurance carriers writing cyber-specific coverage, which more and more businesses are purchasing. Cyber insurance policies typically have several coverage provisions that can help an employer manage the risks and high costs associated with cyber-related losses. Generally, cyber policies will cover an employer’s liability for a cyber attack that results in damages, even if employer negligence or breach of contract is claimed. The available coverage may also include important protection for the very significant costs employers will face for: (1) breach response and related services; (2) regulatory action coverage; and (3) digital asset losses.
Coverage for breach response and related services addresses the costs associated with complying with data breach notification laws. Regulatory action coverage generally indemnifies an insured for the expenses associated with a civil proceeding or demand brought by the Federal Trade Commission, Federal Communications Commission, or other federal, state or local government agencies because of an actual or alleged violation of privacy regulations. Digital asset coverage will pay an employer the costs incurred to repair, replace or otherwise recreate needed data that is stolen or otherwise made non-usable in a hacking or other cyber security breach event.
Q: What do you advise your clients to do to best protect themselves from a lawsuit over a cyberattack?
A: While there is no surefire way for any entity to protect itself from the possibility of being the victim of a cyber attack or data exposure, or the target of a legal claim based on data exposure, there are best practices. These include:
- training employees on cyber security generally and on employer policies and practices specifically;
- keeping computers and other Internet-ready devices clean and protected from malware and viruses;
- changing passwords often and requiring that passwords conform to minimum length and composition requirements;
- compartmentalizing data, restricting access to data based on business need, and getting rid of old data and employee information; and
- considering hiring a company to evaluate your IT systems and detect vulnerabilities.