Recent Decisions Shine Light on Employer Liability for Data Breaches of Employee Personal Information
An employee improperly accesses his employer’s computer network and steals the names, birthdates, and Social Security numbers of his fellow employees to use for illegal financial gain. A criminal hacks into that same network for similar illegal purposes. Because employers regularly obtain, store, and use confidential employee personally identifiable information (“PII”) as part of their business operations, they are targets for this kind of activity. But what legal responsibility do employers have to their employees when PII is misappropriated by an employee, or stolen by hackers in a data breach?
Phase 2 of the U.S. Department of Health and Human Services Office for Civil Rights’ (“OCR”) HIPAA audit program is in process. Unlike OCR’s initial Phase 1 Pilot audits, which addressed only Covered Entities, Phase 2 also focuses on Business Associate compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.
Well, this is unsettling – the person responsible for the massive data breaches at Yahoo was its general counsel? CorporateCounsel speculates about what this means for in-house counsel: are their jobs at risk over cybersecurity? And I wonder – what if a company does not have in-house counsel, or has turnover in IT? Who else will be held accountable for data breaches?
I had the opportunity to attend The Cybersecurity and Privacy Protection Conference at Cleveland-Marshall College of Law this week, and thought I would share a Top 10.
When businesses think of data security, they often think first and foremost of protecting the valuable, often intangible assets that make up the essence of the business from theft and release by malevolent outsiders.