But people may be less blasé about the idea that their personal data has been put at risk by their employers, whom consumers have entrusted with not only their names and addresses but also their Social Security numbers, W-2 forms, bank accounts for direct deposits and even biometric data such as fingerprints.
“People don’t expect that their employer is going to lose data,” said Risa Boerner, who leads the data security and workplace privacy group at the law firm Fisher Phillips. “They feel more betrayed and upset if it’s their employer.”
Yet the exposure of employee data happens more often than people may realize, say employment lawyers and data security experts. For instance, the Seattle Times reported Nov. 9 that Nordstrom had alerted employees last week of a security breach that exposed data such as their names, Social Security numbers, salaries and checking account numbers.
Company co-president Blake Nordstrom sent a memo and apology to employees, according to the newspaper, saying the company was “investigating an incident where a contract worker improperly handled some Nordstrom employee data.” He also said, “We have no evidence data was shared or used inappropriately.” The report did not say the data was lost, only that Nordstrom was notifying workers “out of an abundance of caution,” and noted that consumer data was not affected. In an email, Nordstrom spokeswoman Emily Sterken said the company didn’t have anything additional to share beyond the Seattle Times’s report. “Right now, our focus is on taking care of our employees.”
The exposure of consumer data often gets much more attention because of the vastly higher number of people affected, which can drive media coverage when authorities are notified. But lawyers who represent employers say companies may also be less likely to publicize when employees' data is exposed, for several reasons.
For one, when data is exposed, states typically require that individuals be notified. Because companies don’t always have a way to notify all the consumers who could have been affected by a breach, they may post information on their website and alert the media, in addition to reaching out to individuals and regulators, to meet their notice requirements, said Joseph Lazzarotti, who co-leads the privacy and data security practice for the law firm Jackson Lewis.
“But with employees, you’re not going to have that problem,” he said, as companies typically know how to reach their employees and can notify them without making more public announcements.
They may also be concerned about the reputation hit of a potential breach. Even if employees are unlikely to quit a company the same way consumers can — making a choice to shop elsewhere after a security problem — “it’s not like there’s no negative consequences,” Boerner said. “It’s bad publicity, and it can be bad for the relationship with your workforce.”
Yet there are also more ways that employees' data can be at risk than there are for consumer data. “Unlike credit cards, where you might have one or two core locations where that data is stored and monitored, employee data is all over the place,” Ray, of Imperva, said. And even if many companies consider employee data protection important, they may prioritize the monitoring of data that’s regulated or that makes the biggest difference to the bottom line.
“Where does employee data fall in that list of priorities?” he said. “I will say it’s almost never at the top of that list.”
Besides a pure security breach by an external hacker, there is also the risk that an employee’s laptop with worker data might be lost or stolen, or that a disgruntled employee could take data and publish it, as one worker did for 100,000 of his colleagues at the British supermarket chain Morrisons. The company recently failed to overturn a British court decision saying it would need to compensate thousands of workers after a rogue colleague posted information such as bank account details and birth dates online, the Financial Times reported.
Such breaches by disgruntled employees are rare, however. A more common risk occurs because many companies outsource much of their human resources data to outside firms, such as payroll vendors, benefits administrators or other third-party providers.
“This can be a serious, serious problem,” Boerner said. “You can do everything in terms of training your employee, but if you’re handing it to a third party and they’re not setting the same standard as you, you’re putting that data at risk.”
Perhaps the biggest risk for employee data is through “phishing” scams, in which an employee might get an email from a cybercriminal posing as a vendor asking for log-in information or impersonating a senior executive asking to see employees' W-2s. In January, the Internal Revenue Service issued a notice saying complaints it had received about the W-2 scam — which it says criminals use to file fraudulent tax returns or sell on the dark net — had jumped from 100 in 2016 to 900 in 2017. More than 200 employers were victimized in 2017, the IRS notice also said.
Lawyers say that the ability of employees to seek recourse depends on a number of factors, including the state they live in, how the employer handled the incident and whether they are able to show they suffered damages from the exposure. There have been some class-action settlements awarded to employees hit by the W-2 phishing scam.
The safety of employee data is likely to become more of a focus for companies after Europe’s General Data Protection Regulation came into force this year, some lawyers said. The hefty fines and extra precautions large corporations face for their European employees and consumers could carry over to improved scrutiny for their U.S. counterparts. At global companies, Boerner said, “your employer is being more mindful because they have to do it to comply” with Europe’s laws now.
Some states, meanwhile, have expanded their data privacy laws to cover biometric data, such as fingerprints or facial scans.
Some workers’ rights advocates are concerned employers could over-collect data such as fingerprints or facial scans. Lewis Maltby, president of the National Workrights Institute, said “employers should only use that level of security where they really need it, such as getting into a bank vault.” If hackers were to access biometric data, he said, the results could be “devastating. You can get a new bank account or Social Security number, even if it’s hard. You can’t get new fingerprints.”
Many companies are training workers to spot phishing emails by planting fakes, with some even running contests to see which corporate teams can avoid clicking on them the most, awarding the winning groups prizes such as extra paid time off, said John Litchfield, a lawyer with Foley & Lardner in Chicago. “I think the weakest link [for employee data] is these phishing scams, which are becoming much more sophisticated,” he said. “It’s harder and harder for people to recognize them.”
Ray said Nordstrom made the right moves after the exposure was discovered — identifying it, taking action, informing people quickly and then putting some kind of remediation in place. Affected Nordstrom employees will reportedly receive two years of identity protection services, something Ray said companies don’t always offer unless it’s clear that a breach, and not just a potential one, has already occurred. “That actually goes further to build trust in employees,” he said.