Several recent data privacy breaches underscore the vulnerability of sensitive employee information to mishandling. Whether the documents are retained on paper or electronically doesn’t seem to matter; in either form, human error and a breakdown of good data privacy practices are allowing personally identifiable information, including employee names, addresses, Social Security numbers and employment records, to escape their employer’s watch.
On June 5, 2008, administrators at Stanford University learned that a laptop computer containing records of approximately 62,000 current and former employees had been compromised. According to a notice on the university’s web site, data on the laptop included:
Name, gender, date of birth.
Social Security number.
Salary, business title, office location, office phone number, and e-mail address while employed by Stanford.
Home address and phone number while employed by Stanford.
Stanford ID card number and employee number.
Two days later, New Mexico officials acknowledged that state documents with names and Social Security numbers were thrown into a trash bin behind the state’s Department of Workforce Solutions office in Roswell. The documents were discovered by an employee in a nearby building, who saw the papers flying out of the trash on a windy day.
Unsecured data housed on laptops is an increasingly common source of accidental data privacy breaches, privacy experts say. More than 80 percent of nearly 500 companies surveyed in 2006 by the Ponemon Institute, a Michigan security consultancy, reported the loss or theft of a laptop or other computer device containing sensitive data. Officials at a Connecticut drug manufacturer have reported a rash of recent laptop thefts, including one containing 13,000 employee records.
Nefarious employees are also behind a spate of recent data breaches of confidential nonemployee data. In May 2008, the Justice Department arrested five Internal Revenue Service employees in California for improperly accessing confidential taxpayer files.
Since 2005, more than 200 million sensitive and private personal files have been released improperly by hundreds of organizations, according to the Privacy Rights Clearinghouse, a San Diego-based advocacy group.
In some cases employers—particularly those handling health, banking or insurance records—can be subject to huge fines for not adequately protecting private consumer or employee data.
A growing number of states require employers to provide free credit monitoring services to workers affected by a breach.
Rita Zeidner is a senior writer for HR Magazine.