Employers amass big data on their employees. Under state and federal laws, the employer has an absolute and non-delegable duty to prevent disclosure and misuse of that data, to notify employees of any potential security breach, and to use the data only for the purpose for which it was ostensibly collected. With employee big data comes employer big responsibility.
How is Employee Big Data Collected and Stored?
While some companies may still drag paper personnel files from desk to desk, the vast majority have electrified their record-keeping through a human resources information system. In a nutshell, HRIS is a specialty software application or platform that allows HR professionals to use electronically stored employee information to populate forms and automate common HR tasks. More than a simple database, HRIS is designed to house disparate and seemingly unrelated pieces of information for use in combinations to make legally compliant as well as business savvy decisions.
For instance, HRIS automates the company’s employee benefits and enrollment programs; vacation, sick leave, PTO and other forms of leave taking; mandatory state and federal filings (like the EEO-1 reports, OSHA or workers’ compensation forms); applicant tracking; and employee training, evaluation and even discipline and termination information. A competent HRIS program allows the HR pro to look up the date of hire, the number of vacation days accrued, whether Joe has signed his arbitration agreement, or whether he has any leave left under FMLA – all through a handful of keystrokes.
What Employee Big Data Is Found in an HRIS?
Personal: Name, age and date of birth, home and email addresses, social security number, telephone number, passport numbers, photograph, I-9 status, next of kin information, literacy, language skills, religion, marriage and domestic partner information and status (which could reveal sexual orientation, divorce, children born outside of marriage, etc.), religious beliefs and observances, employee’s and family member’s military service history (under USERRA, FMLA and CFRA).
Financial: Banks and Lenders (through job verifications), bank account numbers, balance and deposit dates, money and debt (through direct deposit programs), bankruptcy, property owned and liens against property (through background screening), garnishment.
Medical: Insurance and renewal dates, life insurance totals and beneficiaries, medical conditions, disabilities, treatment, prescriptions, leave status, surgical history, drug and alcohol history and rehabilitation efforts, names of doctors and health care providers, smoking, drinking, weight and nutritional habits (through health and wellness programs and incentives), medical conditions and disabilities of immediate family members.
Credit, Criminal and Cars: Employee credit and criminal history (which could include a mug shot!), character references and statements (from background screenings), DMV records, including points and DUI information, insurability, prior accidents, driver’s license number, insurance policy number and renewal dates (on those who drive for the company), type of hands-free phone and user history (for distracted driving prevention policies).
(And let’s not even get started on a document management system (DMS) that also stores, categorizes and files email correspondence! No matter how strong your electronic communications policy is, most employees use their work email addresses for all manner of personal communications and while emails are not necessarily folded into HRIS, laws protecting employee data apply to that contained in emails stored in an employer’s DMS.)
What Laws Protect Employee Big Data?
The information identified above is private. Some is embarrassing and some could cause mischief and real damage if disclosed.
In some states, private information is protected by a constitutional provision. For instance, Article I, Section 1 of the California Constitution states: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” Cal. Const. Art. I, Sect. 1. This has been defined by case law to protect an employee’s educational, personnel, health and medical, and financial records.
Federal and state law protects specific information from disclosure or use, such as:
- HIPAA (Health Insurance Portability and Accountability Act) (Federal): medical records and other personal health information. (Summary of Privacy Rule)
- MIC (Medical Information Confidentiality) (State – CA): medical information, protected from marketing use and disclosure. Cal. Civ. Code §§ 56-56.37
- GINA (Genetic Information Nondiscrimination Act) (Federal): genetic test results. 29 USC § 201 et seq.
- Alcohol and Drug Testing: Testing results and leave for rehabilitation. Various, including HIPAA and MIC, along with Family and Medical Leave and California Family Rights Acts (FMLA and CFRA).
Disclosure and Abuse Prevention
Employee data is valuable.
Identity Theft: When information is grouped, it can personally identify the subject. For instance, personally identifying information consisting of the person’s name together with their DOB and SSN is the key to obtaining a false identity – commonly referred to as “identity theft.” That, in turn, allows the thief to set up bank accounts, borrow money, open credit cards, transfer real property, lease cars or property, change the employee’s social media and other electronic passwords and user names, and commit all manner of malicious and damaging mischief against the employee and his or her employer.
Mailing Lists, Advertisers and Other Commercial Users: Let’s say you have a dispatch and distribution center in a mid-sized Midwestern US city with a local work force of 1,000. A mailing list of 1,000 consumers, sortable by demographics, income, health and debt, is worth thousands of dollars. A spreadsheet with your employee information, easily generated by most HRIS platforms, could be worth thousands of dollars both nationally and locally, and it could be sold over and over and over.
As an employer, however, you have the duty to protect this information from disclosure and misuse under the following laws:
- FACTA (Fair and Accurate Credit Transactions Act). (Federal) Employers that collect personal information or consumer reports about customers or employees for a business purpose must safeguard such information and use reasonable measures to destroy the information before it is discarded. FACTA is enforced by the FTC. 15 USC § 1681 et seq.
- CFAA (Computer Fraud and Abuse Act). (Federal) The CFAA allows suit against someone who furthers a fraud or obtains anything of value by accessing a computer without authorization or by exceeding authorized access. While not always successful in court, the CFAA has been used to sue an employee who misappropriates information from a company-owned computer. 18 USC § 1030.
- CMA (Computer Misuse and Abuse Act) (State – CA) It is a crime to knowingly access and, without permission, use, misuse, abuse, damage, contaminate, disrupt or destroy a computer, computer system, computer network, computer service, computer data or computer program. Depending on the violation, CMA can support fines and imprisonment, as well as remedies recoverable in civil actions. Cal. Penal Code § 502.
Steps on Disclosure
Both FACTA (above) and California’s DPA (Data Protection Act) prescribe mandatory action by the employer should they discover that personally identifying information has been disclosed. In California, owners of computerized data must tell impacted residents that their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice must be followed by the provision of certain remedial action also mandated by the statute. Cal. Civ. Code §§ 1798.80 et seq. If you have an HRIS or otherwise store personal employee information on your company’s computer network (and who doesn’t?), you should create a policy for use and disclosure of the data and a plan for the emergency situation that arises when it is inadvertently disclosed or intentionally hacked. HR professionals should consult with their company’s in-house counsel or outside employment counsel to determine which of these laws apply to the data stored on the company’s computers.
Caveat: With my apologies, please note this ubiquitous disclaimer. Although I am an employment lawyer, this article is for informational purposes only and cannot be construed as legal advice. You should always seek counsel before acting upon legal information found on the Internet. Nothing takes the place of a lawyer who knows your business and the laws of the state in which it operates.