Most U.S. companies are required to tell their employees and other stakeholders when their personal information has been compromised.
But many notices are too vague to be useful to the victims, privacy experts say.
At least 43 states, plus the District of Columbia and Puerto Rico, have enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures. But all too often, companies leave out critical details of the breach, according to Beth Givens, director of the Privacy Rights Clearinghouse, a not-for-profit consumer-advocacy group in San Diego that compiles information on data breaches.
It's not just consumers and customers who are victimized by data breaches. In many instances it's data from a company's employee database that is compromised. A listing of data breaches posted on the PRC website and confirmed independently by SHRM Online shows several major breaches of employee data during the first three weeks of May 2008. Among them:
Givens, in a telephone interview with SHRM Online, said she frequently receives complaints from workers frustrated by their employer's response to a personnel file data breach. Without referencing specific incidents, she said some victims are put off by what they perceive to be a lack of contrition on the part of their employer. But some feel as though they are left in the dark and not provided the assistance they believe they need to guard their credit and prevent the theft of their identity.
Ideally, she said, an employer will provide the following information and services to workers believed to be affected by such a breach:
A recent survey by security vendors confirms the inadequacy of many organizations' data breach notices. In a survey released in April 2008 by the Michigan-based Ponemon Institute, 63 percent of respondents said notification letters they received offered no direction on the steps consumers should take to protect their personal information. About half of respondents rated the timeliness, clarity and quality of the notification as either fair or poor. Two percent of respondents who had been notified of a data breach experienced identity theft as a result of the breach, while 64 percent were unsure if they were a victim of identity theft.
State Data Breach Notification Laws
Ariz. Rev. Stat. § 44-7501 (2007 S.B. 1042, Chapter 23)
Ark. Code § 4-110-101 et seq.
Cal. Civ. Code § 1798.82
Colo. Rev. Stat. § 6-1-716
Conn. Gen Stat. 36a-701(b)
Del. Code tit. 6, § 12B-101 et seq.
Fla. Stat. § 817.5681
Ga. Code §§ 10-1-910, -911
Haw. Rev. Stat. § 487N-2
Idaho Code §§ 28-51-104 to 28-51-107
815 ILCS 530/1 et seq.
Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
2008 S.F. 2308
Kan. Stat. 50-7a01, 50-7a02
La. Rev. Stat. § 51:3071 et seq.
Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Md. Code, Com. Law § 14-3501 et seq.
2007 H.B. 4144, Chapter 82
Mich. Comp. Laws § 445.61 et seq.
Minn. Stat. §§ 325E.61, 325E.64
Mont. Code § 30-14-1701 et seq.
Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nev. Rev. Stat. 603A.010 et seq.
N.H. Rev. Stat. §§ 359-C:19 et seq.
N.J. Stat. 56:8-163
N.Y. Gen. Bus. Law § 899-aa
N.C. Gen. Stat § 75-65
N.D. Cent. Code § 51-30-01 et seq.
Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Okla. Stat. § 74-3113.1
2007 S.B. 583, Chapter 759
73 Pa. Stat. § 2303 (2005 S.B. 712, Act 94)
R.I. Gen. Laws § 11-49.2-1 et seq.
2008 S.B. 453, Act 190
Tenn. Code § 47-18-2107
Tex. Bus. & Com. Code § 48.001 et seq.
Utah Code §§ 13-44-101, -102, -201, -202, -310
Vt. Stat. tit. 9 § 2430 et seq.
2008 S.B. 307, Chapter 566
Wash. Rev. Code § 19.255.010
2008 S.B. 340, Chapter 37
Wis. Stat. § 895.507
Wyo. Stat. § 40-12-501 to -501
District of Columbia
D.C. Code § 28-3851 et seq.
2005 H.B. 1184, Law 111
Source: National Conference of State Legislatures.
Rita Zeidner is senior writer for HR Magazine.