Most employers maintain records with sensitive information relating to their employees, such as social security numbers or similar information. When a data breach occurs and this information is disclosed without authorization, employers may have legal obligations to notify employees affected by the breach.
For example, Minnesota law has a data breach notification requirement that would require an employer to notify employees “in the most expedient time possible and without unreasonable delay” of a suspected data breach. The law provides that:
Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, . . . or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.
See Minn. Stat. § 325E.61. For purposes of the statute, “personal information” is defined to include unencrypted data including an individual’s first name or first initial and last name in combination with any of the following: (i) a social security number; (ii) a driver’s license number or Minnesota identification card number; or (iii) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
For a mass data breach affecting 500 or more individuals at a time, the employer would also need to provide notification within 48 hours to “all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis . . . of the timing, distribution, and content of the notices.”
Takeaway: When a data breach affecting employee data occurs, an employer may need to comply quickly with notification obligations under applicable state law. In the event of a data breach, it is important for employers to check the notification requirements for each state where affected employees are located.