Employers' obligation to protect employees' personal information

As a business owner, you want to keep your company's proprietary and confidential information protected from prying eyes. Everything, from your bank accounts and sales data to your intellectual property and the private information customers share with your business, like credit card numbers.

Similarly, you need to protect your employees' Personally Identifiable Information (PII), such as social security numbers and bank accounts. You need this information to provide your employees their pay or benefits, but you also need to recognize the risk of possessing this data and your duty to safeguard it as a custodian of this data.

In February, the Internal Revenue Service issued a warning to businesses' and other entities' Human Relations departments that there was a phishing scam involving emails to HR or payroll departments. An email would appear to emanate from the entities' executive requesting employee lists and Form W-2s. The email may also request addresses, dates of birth and social security numbers.

The response would provide cyber criminals with this information, which they would use to engage in identity theft, like the filing of false tax return information. To prevent such a data breach, and the attendant liability for the release of this confidential data, the IRS recommends businesses adopt strict written policies for management for such HR data.

Of course, your business should already have such a comprehensive policy in place governing all data practices and especially those involving confidential information that is sensitive or held for a third-party.

Something as simple as requiring a phone call to the ostensible requesting party to confirm they made the request could help prevent a potentially damaging data breach from occurring. If you have yet to put in place such a program, any time devoted to the creation, implementation and training of personnel would be much less significant than the cost of repairing the damage from such a release.