As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.
As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.
While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.
As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistle blower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee’s access to the Agency’s systems been terminated.
Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company’s current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.