New employees attending orientation at Atlantic General Hospital in Berlin, Md., barely have time to gulp down their first cups of coffee before Jim Brannon begins talking about privacy.
The human resource chief at the 51-bed hospital serving the mostly rural population on Maryland’s Eastern Shore, Brannon begins a cautionary tale that hits home with his mostly female audience: At another small hospital a decade ago, he recalls, an irate patient called to complain that an employee had approached her in a group at church and congratulated her on being pregnant. The problem: The mother-to-be hadn’t told her friends and family.
“This is a small town. People talk, and they want to be caring,” Brannon told two dozen new employees last May. “But that doesn’t mean they don’t deserve privacy.”
The stakes are high for a hospital where an indiscretion by a single loose-lipped employee can result in huge penalties under the Health Insurance Portability and Accountability Act (HIPAA). Brannon says preventing slips has become a critical part of his job -- on par with traditional HR duties such as compliance with wage and hour laws.
“My biggest role is to avoid liability for the organization,” he says, wryly adding: “A government investigation is never any fun.”
Outside of health care and other highly regulated businesses such as banking and insurance, though, HR professionals’ role in keeping data safe tends to be limited to employee records. But a spate of recent privacy breaches -- across organizational divisions and industries -- has many privacy advocates calling for a proactive approach from human resource professionals.
The Right To Be Left Alone
Most people cherish the concept of privacy -- a term U.S. Supreme Court Justice Louis Brandeis famously described in an 1890 Harvard Law Review as the “right to be left alone.” The Constitution doesn’t explicitly mention a right to privacy, but Brandeis is widely credited for discovering a constitutionally protected privacy right in the Fourth Amendment, the prohibition against unwarranted search and seizure.
The Founding Fathers were specifically concerned with curbing government abuses. But the concept of privacy has grown so universally appealing that U.S. citizens have come to expect it in many areas of daily life. In the workplace, managers and employees often go head-to-head about privacy-related issues such as drug testing, video surveillance and e-mail monitoring.
Yet both sides agree that employees have a reasonable expectation of privacy when it comes to their personal data. These expectations are supported by federal laws such as HIPAA; the Gramm-Leach-Bliley Act of 1999, providing protection for financial information; and state laws and court rulings.
And yet it’s difficult to open a newspaper or watch the nightly news without seeing reports of thousands, and sometimes millions, of names, addresses, Social Security numbers (SSNs), health records and other data released improperly.
Since 2005, more than 200 million personal records have been wrongly exposed, according to the Privacy Rights Clearinghouse, a San Diego advocacy group. Moreover, the number of breaches occurring annually appears to be growing. In the first half of 2008, breaches were up 69 percent over last year. Some 37 percent of those breaches occurred at businesses, according to the Identity Theft Resource Center, another San Diego nonprofit.
Such information constitutes a treasure for identity thieves as well as aggressive marketers bent on reaching potential customers, says Beth Givens, the clearinghouse’s director. Meanwhile, the mishandling of medical information often humiliates victims and could lead to unfair treatment by co-workers, insurers, landlords, and even family and friends.
Human resource departments have been hit hard by privacy breaches.
In 2007, for instance, Connecticut drug manufacturer Pfizer learned that a former employee had improperly downloaded personnel files before he left the company. Purloined records included employee names and addresses, SSNs, bank account information, military records, and driver’s license numbers. The incident spurred an investigation by Connecticut’s attorney general.
And this spring, prosecutors in Manhattan charged a former patient-admissions employee at New York-Presbyterian Hospital/Weill Cornell Medical Center with stealing nearly 50,000 patient files and selling some of them.
To be sure, nefarious employees are not always behind privacy slips. More than 80 percent of nearly 500 companies surveyed in 2006 by the Ponemon Institute, a Michigan security consultancy, reported loss or theft of a laptop or other computer device containing sensitive data.
In fact, adding to Pfizer’s data theft woes, company officials this spring reported a rash of laptop thefts, including one piece of equipment containing 13,000 employee records.
Also this spring, Stanford University officials announced that they would be redoubling efforts to lock down data after discovering the theft of a laptop containing personal information affecting 72,000 current and former employees.
But such incidents pale in comparison to the 2006 theft of U.S. Department of Veterans Affairs computer equipment containing personally identifiable information for some 26.5 million veterans and active-duty military employees. The equipment went missing from the home of a benefits officer.
Mishandling old-fashioned paper records also worries privacy experts. In June, officials at New Mexico’s Department of Workforce Solutions acknowledged that a janitor had placed four boxes of employment records containing names and SSNs in a trash bin following a move. The documents were discovered by an employee who saw papers flying out of the trash on a windy day.
Punctuating ongoing concerns about mishandling paper documents, Texas Attorney General Greg Abbott is suing several large retailers, including CVS and RadioShack, after finding documents -- with customer names, addresses and active credit card numbers -- in stores’ dumpsters.
Most breaches probably don’t result in identity theft, according to a June 2007 report by the U.S. Government Accountability Office. In addition, the risk of any one individual being victimized declines when huge quantities of data are compromised, the researchers note.
Attempts by workers and union officials to sue an employer they perceive as careless with their personal data have so far been unsuccessful -- in part because damages are so hard to prove, according to attorney Tanya Forsheit, a partner at Proskauer Rose LLP in Los Angeles.
“Plaintiffs have been running into trouble where they have insufficient evidence of injury,” she says.
But HR professionals have other liabilities to worry about, including potentially crippling federal fines.
Alpharetta, Ga.-based data broker ChoicePoint Inc., for instance, paid a record $10 million in civil penalties and $5 million in consumer redress in 2006 to settle Federal Trade Commission (FTC) charges that its security and record handling procedures violated consumers’ privacy rights and various federal laws.
And drug manufacturer Eli Lilly and Co. agreed to follow a four-stage information security program for 20 years to settle an FTC complaint lodged after an employee mistakenly released nearly 700 e-mail addresses collected through the company’s Prozac.com web site.
In handling cases, regulators and law enforcement officials may be indifferent to the cause of the breach -- whether the data were under the watch of HR or another division, or if the lapse stemmed from criminal intent or innocent mistake. “Even the unintentional release of sensitive medical information is a serious breach of consumers’ trust,” scolded J. Howard Beales III, then head of the FTC’s Bureau of Consumer Protection, in a 2002 statement announcing the Lilly settlement. “Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.”
State regulators add impetus to the privacy movement: New provisions of the Texas Business and Commerce Code, for instance, require businesses to develop retention and disposal procedures for personal information and provide for fines of up to $500 for each record that could potentially land in the wrong hands. In addition, the state’s new Identity Theft Enforcement Act could impose fines of up to $50,000 for each similar violation -- even for a single record.
State identity theft laws put even greater pressure on HR professionals to keep a close watch on employee records and other private data, says attorney Audrey Mross, head of the labor and employment law section at law firm Munck Carter in Dallas.
Most states require businesses to come clean following a breach. At least 43 states have laws requiring organizations to notify anyone whose personal information has been compromised and to pay for consumer-credit monitoring services in some instances, according to the National Conference of State Legislatures.
Keeping a lid on data is challenging because threats come from so many directions, says Amy Yates, a director in the security and privacy practice at Deloitte & Touche LLP in Chicago and a former chief privacy officer.
Unscrupulous employees constitute one risk. In April, for instance, a former administrative specialist at UCLA Medical Center was indicted by a federal grand jury for allegedly selling information to the media from medical records of celebrity patients.
Then, consider the snoops: Every few years, Congress summons IRS officials to Capitol Hill to answer for repeated instances of snooping. Since 1998, 471 IRS employees have been removed, 452 have been suspended, and 934 have resigned after sneaking peeks at confidential taxpayer records. In 2007, cases of employee prying increased by nearly 20 percent from the previous year, according to the U.S. Treasury Department’s inspector general, who testified before the Senate Finance Committee in April. In May, Justice officials charged five IRS employees in California with snooping.
Nevertheless, the majority of privacy lapses aren’t caused by evildoers, privacy experts say; they result from mistakes. “Employees do a lot of stupid things,” says Givens, ticking off a litany of innocent, but potentially devastating, employee slips. Among them:
- Circulating electronic spreadsheets with employee SSNs hidden but easily accessible. For documents in Excel, hidden data fields are easily revealed with a couple of clicks.
- Sending an employment or severance agreement as an e-mail attachment when the document still has the track-changes tool enabled. If the document was used as a template, the sender may unwittingly be sharing internal data never intended for the viewer, including how much others were paid.
- Leaving confidential documents unattended on a public computer screen, or lying on a desk or in an unlocked file cabinet.
- Tossing unshredded documents in the trash.
- Accessing sensitive files from home on a computer that houses file-sharing software -- particularly programs teenagers use to download music or games. Doing so potentially opens up any file on the computer to any stranger using the file-sharing program.
Lock Down Privacy
The most effective strategy for preventing breaches incorporates administrative, procedural and technical safeguards, privacy experts say.
Employers can begin to lay a foundation for privacy awareness with a policy statement that makes a direct link between employees’ roles and the organization’s mission, says attorney Bob Tobias, director of the Institute for the Study of Public Policy Implementation at American University in Washington, D.C., and a former longtime president of the union representing IRS workers.
Yet highfalutin ideals may only go so far in preventing breaches; employees need to understand the serious consequences of their actions, notes Catherine B. Bishop, SPHR, executive vice president of Great West Casualty Co. in South Sioux City, Neb.
At Great West, employees sign confidentiality statements on their first day at work. The document makes it clear that violation of the agreement, which spells out how employees may use data, may be grounds for termination. Moreover, employees learn that company officials will cooperate with law enforcement if a breach occurs.
Employee awareness remains key to privacy protection strategies, and HR professionals can play a role in ensuring that employees receive the training required to ensure good privacy hygiene, says K Rudolph, president of Native Intelligence Inc., an Ellicott City, Md., privacy company. To be effective, training must be tailored to employees’ specific tasks.
“Sure, there are companies that just want to check the box and get through an audit requirement,” she says, noting that online privacy training programs are commercially available. She doesn’t recommend them because “The training needs of a customer service employee are different than an engineer’s.”
Employers need to make it clear to employees why widely accepted practices -- such as downloading file-sharing programs -- are risky. And they should explain why it may be warranted for an employer to block such downloads.
Aside from the benefits of having workers who understand your business needs, avoiding penalties serves as a compelling argument for providing privacy training.
Harold Datz, an employment law professor at several Washington, D.C., law schools and former chief counsel at the National Labor Relations Board, compares the rationale for privacy training to that for sexual harassment training. If a company can show that training was part of its risk-reduction strategy, a judge or enforcement official may be sympathetic and inclined to go easy on fines, he says.
HR professionals can structure employee responsibilities to enforce privacy principles and avoid potential conflicts of interest, according to Bishop. As Great West’s chief ethics officer, for instance, she has been required to ensure that information handled by claims adjusters who assess damages doesn’t get mixed in with data used by underwriters to assess risk.
“HR [professionals have] to know who has access to what,” she explains.
Attorney Forsheit recommends designating a chief privacy officer to oversee and coordinate aspects of a privacy protection strategy that encompasses information technology, human resources, online security, marketing, public relations and legal affairs.
A number of organizations are taking heed: Membership in the International Association of Privacy Professionals (IAPP) has grown to more than 5,000 since the organization formed eight years ago, according to Trevor Hughes, the group’s executive director.
The IAPP’s governing board includes executives from major companies such as Procter & Gamble, Disney and General Electric.
Lastly, privacy protection strategies should include technical safeguards such as filters and monitoring tools that control what information comes into and goes out of a network. Many managers resist controlling access to data too tightly for fear of hamstringing employees or making them feel like their own privacy is breached. HR professionals can support rational decisions about access, support adoption of preventive technology and make sure employees understand why such safeguards have become necessary.
“The alternative is what?” Hughes asks rhetorically. “That you ignore the risk?”
In the end, even top brass isn’t immune from privacy challenges.
“I was at my daughter’s school,” says Brannon, the hospital HR chief, “and one of the other parents came up and said, ‘Hey, I’m going to be going over to [the hospital] later today.’ ”
Brannon almost took the bait but caught himself before asking the kinds of questions anyone might wonder about.
“In those kinds of instances, you just gotta say, ‘Gee, I hope everything turns out OK.’ ”