Data on millions of workers has been stolen in a huge security breach at the Office of Personnel Management (OPM), the HR department for the US Federal government. Jo Faragher reports.
The breach is suspected to have been carried out in April by Chinese cyber-hackers, and almost four million current and past government employees are thought to have been affected, across every federal agency.
US data protection law

Almost all 50 US states have a data breach law, so how the law affects an employer depends on where it is based. There is not currently a federal law, but a bill has been introduced. If enacted, it could preempt the state laws.
Under the proposed law, the Personal Data Notification and Protection Act (S.177), any business that engages in or affects interstate commerce and that processes or stores personal information on more than 10,000 individuals over a 12-month period would have to comply.
If a breach occurs, notice would have to be given without unreasonable delay once the business entity learns of the breach. This generally means within 30 days, but there are exceptions (for example, if notice would impede a criminal investigation).
If more than 5,000 residents of a state are affected, the breach must also be communicated to media outlets likely to reach those individuals.
Covered entities must report known breaches to an entity designated by the Secretary of Homeland Security at least 72 hours before notice is given to the affected individuals.
This information shall also be made available to other appropriate agencies for law enforcement, national security or other computer security purposes, if the breach affects:
- more than 5,000 individuals;
- a database with personal information of more than 500,000 individuals;
- databases owned by the Federal government; or
- data concerning employees and contractors of the Federal government.
The data taken from OPM includes employee job assignments, performance reviews and training records. Some security experts have suggested that it could be used to impersonate or blackmail federal employees.
The OPM has responded by offering free credit monitoring services and identity theft insurance to those employees who have been affected.
Here in the UK, breaches such as this have, in the past, attracted fines for those with custody of the data.
In 2012, the Information Commissioner fined Brighton and Sussex University Hospitals NHS Trust £325,000 after hard drives containing sensitive patient records, which should have been destroyed in 2010, were found for sale on eBay.
And earlier this year, Sussex Police was fined £160,000 after an unencrypted DVD containing a recorded interview with a victim of sexual abuse was lost.
At present, fines issued by the Information Commissioner are capped at £500,000, but the proposed new EU data protection regulation could introduce far more punitive fines of up to €100 million or 5% of a company's annual worldwide turnover, whichever is greater.
If the regulation is passed, any business that has European customers will need to comply with the new requirements, including taking reasonable steps to implement policies and procedures to protect the data from attack.
“If there was to be a breach like the one in the US that affected millions of people, we could see significant fines,” says Steven Lorber, consultant partner at law firm Lewis Silkin.
It is not only data protection law that can throw up potential liabilities for employers, adds Carl Richards, a partner at King & Wood Mallesons: “There are lots of potential bites of the cherry. An employee could argue that there is a freestanding negligence claim because you lost their data, or argue their right to privacy under article 8 of the Human Rights Act.”
Either way, the onus is and will be on the employer to show it has taken adequate measures to protect the data: Principle 7 of the current Data Protection Act requires "appropriate technical and organisational measures" against unauthorised or unlawful processing and against accidental loss, destruction or damage.
In practice, employers should be able to show that they have policies in place that, for example, prohibit downloading email attachments on certain devices or prevent staff from taking work laptops home.
A further step would be to add technical controls on employer-controlled systems, such as blocking access to certain websites, so that policy is enforced rather than merely stated.
However, as more and more organisations move to cloud-based HR systems, and access them from smartphones or other mobile devices, will this affect their data protection liabilities?
The obligations are the same: the employer must ensure that there is adequate security and encryption of that data, according to Lorber. "Generally, the employer will be considered the data controller in this case [and therefore liable for the data even while it is in the cloud]. The cloud provider is normally the data processor and not primarily responsible at present," he says. "However, the new regulations may see the data processor jointly liable."
Richards adds that wherever data is stored, courts will look to whether or not an employer has minimised the risk of a breach, either from an external source (as in the case of the OPM), or an internal, “unwitting insider” who downloads malware or accidentally leaves a laptop lying around.
Courts will also consider any action plans the employer has in place to deal with breaches should they happen, such as promptly informing the Information Commissioner, how the breach is communicated to employees, and whether any compensation is offered.
While the proposed EU regulation is still in draft stage, and unlikely to come into force until at least 2017, we may see some employers "made an example of" if and when it is introduced, Richards predicts: "Lots of organisations are still behind the curve on this and it may take a test case with a sizeable fine to get data protection higher up on the agenda."