Lock Down Privacy

Reduce the risk of litigation and build confidence in data handling by becoming a privacy champion.
New employees attending orientation at Atlantic General Hospital in Berlin, Md., barely have time to gulp down their first cups of coffee before Jim Brannon begins talking about privacy.

The human resource chief at the 51-bed hospital serving the mostly rural population on Maryland’s Eastern Shore, Brannon opens with a cautionary tale that hits home with his mostly female audience: At another small hospital a decade ago, he recalls, an irate patient called to complain that an employee had approached her in a group at church and congratulated her on being pregnant. The problem: The mother-to-be hadn’t told her friends and family.

“This is a small town. People talk, and they want to be caring,” Brannon told two dozen new employees last May. “But that doesn’t mean they don’t deserve privacy.”

The stakes are high for a hospital, where an indiscretion by a single loose-lipped employee can result in huge penalties under the Health Insurance Portability and Accountability Act (HIPAA). Brannon says preventing slips has become a critical part of his job -- on par with traditional HR duties such as compliance with wage and hour laws.

“My biggest role is to avoid liability for the organization,” he says, wryly adding: “A government investigation is never any fun.”

Outside of health care and other highly regulated businesses such as banking and insurance, though, HR professionals’ role in keeping data safe tends to be limited to employee records. But a spate of recent privacy breaches -- across organizational divisions and industries -- has many privacy advocates calling for a proactive approach from human resource professionals.
The Right To Be Let Alone

Most people cherish the concept of privacy -- a term Louis Brandeis, later a U.S. Supreme Court justice, famously described in an 1890 Harvard Law Review article as the “right to be let alone.” The Constitution doesn’t explicitly mention a right to privacy, but Brandeis is widely credited with finding a constitutionally protected privacy right in the Fourth Amendment, the prohibition against unreasonable searches and seizures.

The Founding Fathers were specifically concerned with curbing government abuses. But the concept of privacy has grown so universally appealing that U.S. citizens have come to expect it in many areas of daily life. In the workplace, managers and employees often go head-to-head over privacy-related issues such as drug testing, video surveillance and e-mail monitoring. Yet both sides agree that employees have a reasonable expectation of privacy when it comes to their personal data. These expectations are supported by federal laws such as HIPAA; the Gramm-Leach-Bliley Act of 1999, which protects financial information; and state laws and court rulings.

And yet it’s difficult to open a newspaper or watch the nightly news without seeing reports of thousands, and sometimes millions, of names, addresses, Social Security numbers (SSNs), health records and other data released improperly. Since 2005, more than 200 million personal records have been wrongly exposed, according to the Privacy Rights Clearinghouse, a San Diego advocacy group. Moreover, the number of breaches occurring annually appears to be growing: In the first half of 2008, reported breaches were up 69 percent over the same period a year earlier, and some 37 percent of them occurred at businesses, according to the Identity Theft Resource Center, another San Diego nonprofit. Such information is a treasure for identity thieves as well as for aggressive marketers bent on reaching potential customers, says Beth Givens, the clearinghouse’s director.

Meanwhile, the mishandling of medical information often humiliates victims and could lead to unfair treatment by co-workers, insurers, landlords, and even family and friends.
Human resource departments have been hit hard by privacy breaches. In 2007, for instance, Connecticut drug manufacturer Pfizer learned that a former employee had improperly downloaded personnel files before he left the company. The purloined records included employee names and addresses, SSNs, bank account information, military records, and driver’s license numbers. The incident spurred an investigation by Connecticut’s attorney general.

And this spring, prosecutors in Manhattan charged a former patient-admissions employee at New York-Presbyterian Hospital/Weill Cornell Medical Center with stealing nearly 50,000 patient files and selling some of them.

To be sure, nefarious employees are not always behind privacy slips. More than 80 percent of nearly 500 companies surveyed in 2006 by the Ponemon Institute, a Michigan security consultancy, reported the loss or theft of a laptop or other computer device containing sensitive data. Adding to Pfizer’s data theft woes, company officials this spring reported a rash of laptop thefts, including one machine holding records on 13,000 employees. Also this spring, Stanford University officials announced that they would be redoubling efforts to lock down data after discovering the theft of a laptop containing personal information on 72,000 current and former employees.

But such incidents pale in comparison to the 2006 theft of U.S. Department of Veterans Affairs computer equipment containing personally identifiable information for some 26.5 million veterans and active-duty military personnel. The equipment went missing from the home of a benefits officer.

Mishandling old-fashioned paper records also worries privacy experts. In June, officials at New Mexico’s Department of Workforce Solutions acknowledged that a janitor had placed four boxes of employment records containing names and SSNs in a trash bin following a move. The documents were discovered by an employee who saw papers flying out of the trash on a windy day.

Punctuating ongoing concerns about mishandled paper documents, Texas Attorney General Greg Abbott is suing several large retailers, including CVS and RadioShack, after finding documents -- with customer names, addresses and active credit card numbers -- in stores’ dumpsters.
Most breaches probably don’t result in identity theft, according to a June 2007 report by the U.S. Government Accountability Office. In addition, the risk of any one individual being victimized declines when huge quantities of data are compromised, the researchers note. Attempts by workers and union officials to sue an employer they perceive as careless with their personal data have so far been unsuccessful -- in part because damages are so hard to prove, according to attorney Tanya Forsheit, a partner at Proskauer Rose LLP in Los Angeles.

“Plaintiffs have been running into trouble where they have insufficient evidence of injury,” she says.

But HR professionals have other liabilities to worry about, including potentially crippling federal fines. Alpharetta, Ga.-based data broker ChoicePoint Inc., for instance, paid a record $10 million in civil penalties and $5 million in consumer redress in 2006 to settle Federal Trade Commission (FTC) charges that its security and record-handling procedures violated consumers’ privacy rights and various federal laws. And drug manufacturer Eli Lilly and Co. agreed to follow a four-stage information security program for 20 years to settle an FTC complaint lodged after an employee mistakenly released nearly 700 e-mail addresses collected through the company’s Prozac.com web site.

In handling cases, regulators and law enforcement officials may be indifferent to the cause of the breach -- whether the data were under the watch of HR or another division, or whether the lapse stemmed from criminal intent or innocent mistake. “Even the unintentional release of sensitive medical information is a serious breach of consumers’ trust,” scolded J. Howard Beales III, then head of the FTC’s Bureau of Consumer Protection, in a 2002 statement announcing the Lilly settlement. “Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.”

State regulators add impetus to the privacy movement: New provisions of the Texas Business and Commerce Code, for instance, require businesses to develop retention and disposal procedures for personal information and provide for fines of up to $500 for each record that could potentially land in the wrong hands. In addition, the state’s new Identity Theft Enforcement Act could impose fines of up to $50,000 for each violation -- even one involving a single record.

State identity theft laws put even greater pressure on HR professionals to keep a close watch on employee records and other private data, says attorney Audrey Mross, head of the labor and employment law section at law firm Munck Carter in Dallas.

Most states require businesses to come clean following a breach. At least 43 states have laws requiring organizations to notify anyone whose personal information has been compromised and, in some instances, to pay for consumer-credit monitoring services, according to the National Conference of State Legislatures.
Keeping a lid on data is challenging because threats come from so many directions, says Amy Yates, a director in the security and privacy practice at Deloitte & Touche LLP in Chicago and a former chief privacy officer.

Unscrupulous employees constitute one risk. In April, for instance, a former administrative specialist at UCLA Medical Center was indicted by a federal grand jury for allegedly selling information from the medical records of celebrity patients to the media.

Then, consider the snoops: Every few years, Congress summons IRS officials to Capitol Hill to answer for repeated instances of snooping. Since 1998, 471 IRS employees have been removed, 452 have been suspended, and 934 have resigned after sneaking peeks at confidential taxpayer records. In 2007, cases of employee prying increased by nearly 20 percent from the previous year, according to the U.S. Treasury Department’s inspector general, who testified before the Senate Finance Committee in April. In May, Justice Department officials charged five IRS employees in California with snooping.

Nevertheless, the majority of privacy lapses aren’t caused by evildoers, privacy experts say; they result from mistakes. “Employees do a lot of stupid things,” says Givens, ticking off a litany of innocent, but potentially devastating, employee slips. Among them: