Personnel Today
Data protection

US Government HR hacked: what if such a data breach happened in the UK?

by Jo Faragher 8 Jun 2015

Data affecting millions of workers has been hacked in a huge breach of security at the Office of Personnel Management (OPM), the HR department for the US Federal government. Jo Faragher reports.

The breach is suspected to have been carried out in April by hackers based in China, and almost four million current and former government employees are thought to have been affected, across every federal agency.

US data protection law

Almost all 50 US states have a data protection law, so how the law affects employers is determined by where they are based. There is not currently a federal law, but one has been introduced. If implemented, this could preempt the state laws.

Under the suggested law, the Personal Data Notification and Protection Act (s.177), any business that engages in or affects interstate commerce and that processes or stores personal information for more than 10,000 individuals over a 12-month period will have to comply.

If a breach occurs, notice would have to be given without unreasonable delay when the business entity learns of the breach. This generally means within 30 days, but there are exceptions (for example, if notice would slow down a criminal investigation).

If more than 5,000 residents are affected, then the breach must be communicated to a source of media that is likely to reach those individuals.

Covered entities must report known breaches to any entity designated by the Secretary of Homeland Security at least 72 hours before notice is given to the affected individuals.

This information shall also be made available to other appropriate agencies for law enforcement, national security or other computer security purposes, if the breach affects:

  • more than 5,000 individuals;
  • a database with personal information of more than 500,000 individuals;
  • databases owned by the Federal government; or
  • data concerning employees and contractors of the Federal government

Ashley Shaw, legal editor, XpertHR US

The data includes employee job assignments, performance reviews and training records. Some security experts have suggested that the data could be used to impersonate or blackmail federal employees.

The OPM has responded by offering free credit monitoring services and identity theft insurance to those employees who have been affected.

Here in the UK, breaches such as this have, in the past, attracted fines for those with custody of the data.

In 2010, the Information Commissioner fined Brighton and Sussex Hospitals NHS Trust £325,000 after sensitive records were found on hard drives sold on eBay.

And earlier this year, Sussex Police was fined £160,000 after a data breach meant a DVD containing an interview with a victim of sexual abuse was leaked.

At present, monetary penalties issued by the Information Commissioner are capped at £500,000, but proposed new EU data protection legislation could see the introduction of far more punitive fines of up to €100 million, or 5% of a company’s annual turnover.

If the regulation is passed, any business that has European customers will need to comply with the new requirements, which include adopting reasonable steps to implement procedures and policies to protect the data from attack.

“If there was to be a breach like the one in the US that affected millions of people, we could see significant fines,” says Steven Lorber, consultant partner at law firm Lewis Silkin.

It is not only data protection law that can throw up potential liabilities for employers, adds Carl Richards, a partner at King & Wood Mallesons: “There are lots of potential bites of the cherry. An employee could argue that there is a freestanding negligence claim because you lost their data, or argue their right to privacy under article 8 of the Human Rights Act.”

Either way, the onus is and will be on the employer to show they have taken adequate measures to protect the data. Principle 1 of the current Data Protection Act 1998 requires companies to “process data fairly and lawfully”, and Principle 7 requires “appropriate technical and organisational measures” against unauthorised or unlawful processing and against accidental loss, destruction or damage.

In practice, employers should be able to show that they have policies in place discouraging people from, for example, downloading email attachments on certain devices or preventing them from taking work laptops home.

A further step would be to add technical controls on employer-controlled systems, such as web filtering that blocks access to certain websites.

However, as more and more organisations move to cloud-based HR systems, accessing them from smart phones or other mobile devices, will this affect their data protection liabilities?

The obligations are the same: that there is adequate security and encryption of that data, according to Lorber. “Generally, the employer will be considered the data controller in this case [and therefore liable for the data even while it is in the cloud]. The cloud provider is normally the data processor and not primarily responsible at present,” he says. “However, the new regulations may see the data processor jointly liable.”

Richards adds that wherever data is stored, courts will look to whether or not an employer has minimised the risk of a breach, either from an external source (as in the case of the OPM), or an internal, “unwitting insider” who downloads malware or accidentally leaves a laptop lying around.


Courts will also consider any action plans the employer has in place to deal with breaches should they happen – such as immediately informing the Information Commissioner, how the breach is communicated to employees, and whether any compensation is offered.

While the proposed EU Regulations are still in draft stage, and unlikely to come into force until at least 2017, we may see some employers “made an example of” if and when they are introduced, Richards predicts: “Lots of organisations are still behind the curve on this and it may take a test case with a sizeable fine to get data protection higher up on the agenda.”

Jo Faragher

Jo Faragher has been an employment and business journalist for 20 years. She regularly contributes to Personnel Today and writes features for a number of national business and membership magazines. Jo is also the author of 'Good Work, Great Technology', published in 2022 by Clink Street Publishing, charting the relationship between effective workplace technology and productive and happy employees. She won the Willis Towers Watson HR journalist of the year award in 2015 and has been highly commended twice.

© 2011 - 2025 DVV Media International Ltd