
Protecting Employee Data Is an Organization’s Legal Obligation, or Is It?


In today’s world, countless organizations fall victim to data breaches that involve employee data. In 2014, I was engaged to lead the remediation efforts of a data breach for a Pennsylvania-based client. Hackers gained access to the company’s employee payroll information, containing salaries, social security numbers and other Personally Identifiable Information (PII), through an insecure email system. It was crucial to develop and execute a corporate security strategy alongside the tactical tasks of remediating the breach.

In 2013 and 2014, infamous cyberattacks resulted in significant data breaches at notable companies such as Target Corporation, Home Depot and JPMorgan Chase, along with many others.

The legal repercussions from those events set off an avalanche of employee and customer lawsuits. Many banks subsequently filed suits against the affected organizations, citing negligence among other allegations. Organizations did not view protecting employee data as an obligation under the law. Their main duty was to disclose the breach under state breach-notification legislation, which imposed weak or no consequences. Most entities publicly disclosed the breach and the actions taken to mitigate it. The employees and customers affected were in all cases offered credit monitoring services for a year, but no compensation for what might happen in the future. The rub is: how can anyone define or prove that a cybercriminal caused physical harm?

Negligence and Duty

Unlike physical harm, most data breaches are not categorized in a way that justifies compensation. Yet these events have proved to be far more dangerous, sometimes amounting to a life-or-death situation that goes beyond any legal argument. For example, on November 2, 2018, Yahoo News reported that CIA informants had been executed in Iran after the computer systems used to communicate with them were breached, disclosing their identities. The same potential exists with medical data, where a breach can result in delayed or denied medical coverage. More importantly, tampered medical data can have catastrophic outcomes for patients.

Indeed, whether an employer has a legal responsibility to protect employee data is left for the courts to decide. Corporate litigation attorneys often defend against employee allegations with a set of outdated arguments that have not kept pace with the new cyber world.
  • Tort: When defending these employee lawsuits, corporate entities often argue that the claim is a matter of contract rather than tort, such as an alleged breach of a contractual obligation. This poses a threat to employees who sign arbitration agreements, which are designed to bypass litigation and are a growing trend across all industries.
  • No Physical Harm: One of the more common defenses cites an old doctrine under which negligence is not a cause of action because no physical or property harm occurred to the plaintiffs. But what happens if an injury occurs in the future? Cybercriminals will wait for a window of opportunity and unleash their fury at a time of their choosing.
  • No Affirmative Duty: The argument here, in a nutshell, is that the employer is not in the business of providing data security and is merely a holder of employee data as part of the employer/employee relationship. The employer will argue that it already expends enormous resources to protect employee data, and that data breaches will always occur and are a fact of life, a position that amounts to a belief that security is futile.
  • No Precedent: Today’s legal system relies on precedent, and we are indeed in uncharted territory. Defense attorneys build on that ambiguity to prevail, because judges are in the same boat and may rule in their favor. A jury, however, may think differently.

Pennsylvania Supreme Court Ruling

In a class-action lawsuit filed against the University of Pittsburgh Medical Center (UPMC), the Pennsylvania Supreme Court ruled on November 21, 2018, that an employer has a legal duty to exercise reasonable care to protect the confidentiality of the employee information it has collected.

This ruling will have significant implications for future breach litigation involving employee data and will reinforce the case for security and privacy programs. However, even with the best security measures implemented, breaches will occur; nothing is 100% secure.

Hazardous Road Ahead

It is worth pointing out that employers put employees at a disadvantage by forcing them to relinquish their right to litigate, whether over a data breach or over any allegation in general. The vehicle of choice is the arbitration agreement employees must sign in exchange for employment, justified by the extraordinarily high cost of litigation.

Employees provide personal, financial and healthcare data that the employer has a tort duty to protect under the law, as ruled in Pennsylvania. That duty may not help an employee, however, if a waiver of the right to litigate privacy and security claims is affirmed in an arbitration agreement.