These days, data breaches that expose personal information seem to happen so often that consumers have come to expect such failures.
“There is data fatigue,” said Terry Ray, chief technology officer for Imperva, a data security firm. When a company announces a security breach, “it almost doesn’t even hit the stock anymore,” he said, and many consumers brush it off and keep shopping or doing business with the company.
But people may be less blasé about the idea that their personal data has been put at risk by their employers, whom they have entrusted with not only their names and addresses but their Social Security numbers, W-2 forms, bank accounts for direct deposits and even biometric data like fingerprints.
“People don’t expect that their employer is going to lose data,” said Risa Boerner, who leads the data security and workplace privacy group at the law firm Fisher Phillips. “They feel more betrayed and upset if it’s their employer.”
Yet the exposure of employee data happens more often than people may realize, say employment lawyers and data security experts. For instance, the Seattle Times reported Nov. 9 that Nordstrom had alerted employees last week of a security breach that exposed data such as their names, Social Security numbers, salaries and checking account numbers.
The company’s co-president, Blake Nordstrom, sent a memo and apology to employees, according to the newspaper, saying the company was “investigating an incident where a contract worker improperly handled some Nordstrom employee data,” and that “we have no evidence data was shared or used inappropriately.” The report did not say the data was lost, only that Nordstrom was notifying workers “out of an abundance of caution,” and noted that consumer data was not affected.
The exposure of consumer data often gets much more attention because of the vastly higher number of people affected, which can drive media coverage when authorities are notified. But lawyers who represent employers say companies may also be less likely to publicize when employees’ data is exposed for several reasons.
For one, when data is exposed, states typically require that individuals be notified. Because companies don’t always have a way to notify all the consumers who could have been affected by a breach, they may post information on their web site and alert the media, in addition to reaching out to individuals and regulators, to meet their notice requirements, said Joseph Lazzarotti, who co-leads the privacy and data security practice for the law firm Jackson Lewis.
“But with employees, you’re not going to have that problem,” he said, as companies typically know how to reach their employees, and can notify them without making more public announcements.
They may also be concerned about the reputation hit of a potential breach. Even if employees are unlikely to quit a company the same way consumers can — making a choice to shop elsewhere after a security problem — “it’s not like there’s no negative consequences,” Boerner said. “It’s bad publicity, and it can be bad for the relationship with your workforce.”
Yet there are also more ways that employees’ data can be at risk than there are for consumer data. “Unlike credit cards, where you might have one or two core locations where that data is stored and monitored, employee data is all over the place,” Ray, of Imperva, said. And even if many companies consider employee data protection important, they may prioritize the monitoring of data that’s regulated or that makes the biggest difference to the bottom line.
Besides a pure security breach by an external hacker, there is also the risk that an employee’s laptop with worker data might be lost or stolen, or that a disgruntled employee could take data and publish it, as one worker did for 100,000 of his colleagues at the British supermarket chain Morrisons. The company recently failed to overturn a British court decision saying it would need to compensate thousands of workers after a rogue colleague posted info like bank account details and birth dates online, the Financial Times reported.
Such disgruntled worker breaches are rare, however. A more common risk occurs because many companies outsource much of their human resources data to outside firms, such as payroll vendors, benefits administrators or other third-party providers.
“This can be a serious, serious problem,” Boerner said. “You can do everything in terms of training your employee, but if you’re handing it to a third party and they’re not setting the same standard as you, you’re putting that data at risk.”
Perhaps the biggest risk for employee data is through “phishing” scams, in which an employee might get an email from a cybercriminal posing as a vendor asking for login information or impersonating a senior executive asking to see employees’ W-2s. In January, the IRS issued a notice saying complaints it had received about the W-2 scam — which it says criminals use to file fraudulent tax returns or sell on the dark net — had jumped from 100 in 2016 to 900 in 2017.