Retail. Financial services. Health care. Energy. Not an industry has been spared when it comes to recent data and cyber breaches, and the colossal damage that occurs to the interests of the company, its employees, and third parties (customers, vendors, etc.) due to a breach. Whether by employees disclosing things through social media or by outside hackers wreaking havoc, the news continues to be riddled with cyber-related issues that your company should be thinking about if you haven’t already.
The government continues to take action. For example, the Florida Senate just recently passed unique legislation imposing certain obligations on companies to secure personal information and to provide certain notice when a breach occurs. Among the highlights of the Florida Information Protection Act of 2014:
- Personal information is defined to include an individual’s first name or first initial and last name, together with one or more of a social security number, driver’s license or passport number, bank/credit/debit card number and password, medical- or health insurance-related information, and e-mail address and password.
- Covered entities must take “reasonable measures to protect and secure data in electronic form containing personal information.
- Covered entities must comply with certain substantive and procedural notification requirements upon a breach of security affecting 500 or more individuals in Florida. Separate notice requirements apply to the affected individuals, as well as to the State Department of Legal Affairs.
Employer Take Away: What should you as an employer take away from this development?
You know an issue is a critical component of an employer’s operations when government entities – any government entity – can act relatively quickly on an bipartisan basis to propose and adopt legislation addressing the issue. Here are 4 questions for you on this one:
1. Has your company internally audited whether you are at risk for a data breach prior to a breach occurring?
2. Has your company developed protocols and practices for how to respond internally and externally in the event of a breach?
3. Has your company reviewed existing and potential insurance policies as one strategy for cyber risk management? An interesting article in today’s New York Times talks about developments with cyber insurance.
4. If you’re not in Florida, has your company figured out what the data breach requirements may be in your company’s jurisdiction?
Michael C. Schmidt is the vice chair of the firm’s Labor & Employment Department, and the office managing partner, vice chair, of the New York Midtown office, where he is resident. For more than two decades, Mike has concentrated his practice on representing companies and management in all facets of employment law, such as: (i) defense in litigation involving wage and hour (overtime and unpaid compensation), discrimination, harassment, retaliation and whistle-blowing, non-competes and trade secrets, and disability and other leave-related issues; (ii) day-to-day counseling and in-house training on issues from hiring to firing, and other questions unique to his client’s industries and business; and (iii) drafting and reviewing employment agreements, termination and severance agreements, confidentiality and non-competes, and employment policies and manuals.
Social Media Employment Law Blog is devoted to the interplay between social media and employment law, an extremely topical and significant area of law for employers in this new technology era. Published and edited by 