Picture this: Your accountant has access to all of your employees' records which she keeps on her computer system. One day, against better judgment, she leaves the laptop in her car. The laptop gets stolen. Next thing you know, your employees are victims of identity theft. (Accountants loosing laptops seems to be a common occurrence. See here, here and here). What to do?
Don't try to sweep these kinds of accidents under the rug. New York has a new law that tells you exactly what businesses must do under these circumstances. The new law requires employers to notify employees of a misappropriation of employees' personal information immediately.
The law is called Security Breach and Notification Act and the part applicable to businesses can be found in Section 899-aa of New York's General Business Law (sorry, can't link to it directly, go here ▶ "Laws of New York" ▶ GBS General Business ▶ Article 39-F ▶ 899 AA)
If you do business in New York, you must disclose to a New York resident when their private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
An employee's social security number, driver's license number, account number, credit card number and similar information are all considered personal information.
If any of this information is stolen or anything else happens that makes it likely that unauthorized persons have access to it, you must - in the most expedient time possible without unreasonable delay - inform the affected employees in the manner provided by the law.
It seems to be a no-brainer to keep that sort of information safe in the first place in order to avoid security breaches and prevent employee law suits based on negligent handling of their information. In any event, good advice would be to:
- keep employee information secure by putting in place appropriate security measures for inhouse recording and archiving and requiring similar standards from outside consultants who have access to the information (leaving a laptop in the car should definitely not be allowed!);
- limit the number of employees and outside consultants who have access to the information;
- educate employees about consequences of unauthorized access and disclosure of personal information.
For more information see New York's Office of Cyber Security & Critical Infrastructure Coordination.
****Legal Information is not Legal Advice****
