Most U.S. companies are required to tell their employees and other stakeholders when their personal information has been compromised.
But many notices are too vague to be useful to the victims, privacy experts say.
At least 43 states, plus the District of Columbia and Puerto Rico, have enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures. But all too often, companies leave out critical details of the breach, according to Beth Givens, director of the Privacy Rights Clearinghouse, a not-for-profit consumer-advocacy group in San Diego that compiles information on data breaches.
It's not just consumers and customers who are victimized by data breaches. In many instances, it's data from a company's employee database that is compromised. A listing of data breaches posted on the PRC website and confirmed independently by SHRM Online shows several major breaches of employee data during the first three weeks of May 2008. Among them:
Givens, in a telephone interview with SHRM Online, said she frequently receives complaints from workers frustrated by their employer's response to a personnel file data breach. Without referencing specific incidents, she said some victims are put off by what they perceive to be a lack of contrition on the part of their employer. But some feel as though they are left in the dark and not provided the assistance they believe they need to guard their credit and prevent the theft of their identity.
Ideally, she said, an employer will provide the following information and services to workers believed to be affected by such a breach:
A recent survey by security vendors confirms the inadequacy of many organizations' data breach notices. In a survey released in April 2008 by the Michigan-based Ponemon Institute, 63 percent of respondents said notification letters they received offered no direction on the steps consumers should take to protect their personal information. About half of respondents rated the timeliness, clarity and quality of the notification as either fair or poor. Two percent of respondents who had been notified of a data breach experienced identity theft as a result of the breach, while 64 percent were unsure whether they were victims of identity theft.
State Data Breach Notification Laws
Ariz. Rev. Stat. § 44-7501 (2007 S.B. 1042, Chapter 23)
Ark. Code § 4-110-101 et seq.
Cal. Civ. Code § 1798.82
Colo. Rev. Stat. § 6-1-716
Conn. Gen Stat. 36a-701(b)
Del. Code tit. 6, § 12B-101 et seq.
Fla. Stat. § 817.5681
Ga. Code §§ 10-1-910, -911
Haw. Rev. Stat. § 487N-2
Idaho Code §§ 28-51-104 to 28-51-107
815 ILCS 530/1 et seq.
Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
2008 S.F. 2308
Kan. Stat. 50-7a01, 50-7a02
La. Rev. Stat. § 51:3071 et seq.
Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Md. Code, Com. Law § 14-3501 et seq.
2007 H.B. 4144, Chapter 82
Mich. Comp. Laws § 445.61 et seq.
Minn. Stat. §§ 325E.61, 325E.64
Mont. Code § 30-14-1701 et seq.
Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nev. Rev. Stat. 603A.010 et seq.
N.H. Rev. Stat. §§ 359-C:19 et seq.
N.J. Stat. 56:8-163
N.Y. Gen. Bus. Law § 899-aa
N.C. Gen. Stat § 75-65
N.D. Cent. Code § 51-30-01 et seq.
Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Okla. Stat. § 74-3113.1
2007 S.B. 583, Chapter 759
73 Pa. Stat. § 2303 (link not available) (2005 S.B. 712, Act 94)
R.I. Gen. Laws § 11-49.2-1 et seq.
2008 S.B. 453, Act 190
Tenn. Code § 47-18-2107
Tex. Bus. & Com. Code § 48.001 et seq.
Utah Code §§ 13-44-101, -102, -201, -202, -310
Vt. Stat. tit. 9 § 2430 et seq.
2008 S.B. 307, Chapter 566
Wash. Rev. Code § 19.255.010
2008 S.B. 340, Chapter 37
Wis. Stat. § 895.507
Wyo. Stat. § 40-12-501 to -501
District of Columbia
D.C. Code § 28-3851 et seq.
2005 H.B. 1184, Law 111
Source: National Conference of State Legislatures.
Rita Zeidner is senior writer for HR Magazine.