What do Target, Sony, Anthem, Marriott, and Neiman Marcus have in common? If you answered that they’ve all experienced major data breaches in the last two years, you would be correct. Some were caused by external forces and hacking activity, but others have been caused by failures of security by third-party vendors or by employee negligence. Among breaches caused by employee negligence, studies show that the levels of access provided to temporary employees account for more than 20% of insider data breaches.
Don’t wait for the worst to occur before creating your action plan. Review your staffing agreements to determine whether, and to what extent, liability for temporary worker-caused data breaches is allocated between you and your client. By the time that call comes in from a client regarding a data breach, it is likely that the client has already performed enough forensics to identify the source of the compromise.
To be agile and ready to respond to a breach at a client company, staffing firms should be prepared with a well-developed program. Here are six strategies that should be part of an effective plan.
1. Gather Information on Your Obligations
Forty-eight states have data breach notification laws that require some type of notice be provided to individuals—and in some cases to attorneys general—in the event that personal information goes missing. In most states, “personal information” constitutes name plus Social Security number, driver’s license number, credit card number, and financial information, but there are states that have expanded the definition of what “personal information” is for purposes of data breach notification. Response to a data breach can be costly. Your client may expect that you will step up and either provide or pay for notification efforts, and in many cases, some form of credit monitoring or identity protection.
For every state in which the staffing firm operates or may operate (remember, personal information is protected under the laws of the residence of the affected individual), collect information on state data breach laws. In particular, investigate how each state defines personal information and a breach, and what each requires in terms of notification.
- Who is required to give notice to whom, and when is a service provider responsible?
- Who qualifies as an affected individual, when must he or she be notified, and how must the company do it?
- Are state agencies or regulators involved?
Also—make sure to check on your obligations, if any, under the Health Insurance Portability and Accountability Act. HIPAA operates alongside state laws, but does not replace them. Any company that self-insures is considered a “covered entity” under HIPAA and must safeguard its data and make notifications as prescribed under that law—in addition to acting in compliance with state-specific laws on general data breaches.
2. Train Employees on Handling Sensitive Data
Armed with the knowledge of how state law defines breaches, educate your workers on how to avoid them before sending them out to client sites. Clients have their own data protection obligations, but consider formalizing compliance with data protection laws as part of your internal training, add a privacy session to your on-boarding process, and coach existing contingent workers on how to handle confidential information appropriately. Remember, most disclosures are the result of simple carelessness or ignorance. Raise awareness to reduce risks.
Although the staffing firm can provide some data security awareness to the temporary workers it will provide to employers, each place of employment will have differing security policies and procedures. Your staffing agreement should address the issue of on-site training for workers on client company data security. Too often, each party assumes the other is providing the necessary security training, or the training that is provided does not cover the necessary information.
Providing the contingent worker with the proper data security training necessary to perform the job is actually the responsibility of both the host company and the staffing company, much like on-the-job safety. Sometimes client companies express concern that providing training may increase the risk of co-employment. It’s important to note that, while providing data security training may be a small factor toward co-employment status, other factors are much more legally dispositive, such as the day-to-day direction of the worker. The bottom line is that the identical or equivalent data security training given to full-time employees should be automatically given to the contingent worker.
Fortunately, there are some basic strategies staffing firms can implement to help ensure temporary and contract employees get the training they need to perform effectively on the job.
3. Provide Adequate and Thorough Training
The training strategies cover two main subject areas: access and documentation.
Review inside access. Request information from your clients with respect to data security issues prior to engaging any of your resources. This will enable you to understand what potential risks may exist and what type of training you will need to provide.
Ask the client to allow you to review the data security training that it has in place for its full-time employees. Remember that clients may request to review your data security training once it is established to ensure nothing has been overlooked. This should be viewed as a joint responsibility as part of a known, team-executed onboarding plan.
Ask and document. Be sure to document the types of personal information that employees will be expected to access and how the client company provisions (and terminates) that access. According to recent surveys, temporary employees with administrative access to company networks are responsible for more than 40% of internal data breaches.
A recent survey of 125 U.S. retailers found that 37% of responding companies say they have no way of identifying which systems temporary employees may have accessed. That same survey also found that more than a quarter of respondents have no idea if their temporary employees have ever accessed and/or sent any personal data they should not have accessed or sent.
If the client does not have a plan for provisioning and firewalling access to the company by temporary employees, then you should not act as an insurer. Document the allocation of risk and consider appropriate limitations of liability in your staffing agreement.
4. Be Prepared: Assemble an Incident Response Team
Now that you know what the law requires when breaches occur, you can form a specialized taskforce. This group will likely be most effective when it spans many disciplines, including
- Human resources
- Senior management
- Information management/security
- Corporate security
- Corporate communications
Train each team member on his or her individual responsibilities, focusing on process and approvals. It’s helpful to identify, for example, who will authorize each step of investigating a breach, who will ultimately sign notification letters, and who will interface with the client on such letters.
Determining these roles in advance will streamline your response when it counts—in the moment of crisis following a breach at a client company when the client points back at your worker.
5. Prepare Boilerplate Notifications
The staffing firm should draft templates for notification letters, or work with a legal partner to do so, keeping all state mandates in mind. These may need to be created for employees, law enforcement, regulators, state agencies, and, in extreme cases, consumer reporting agencies.
Generally, most notification requirements include
- Type(s) of breached data
- Description of the breach event
- Date and/or length of time that information was exposed
- Indications, if any, that leaked data has been misused
- Steps the company is taking to prevent future breaches
- Offers of remediation, as appropriate (e.g., employer-provided credit monitoring)
It is possible to draft a single letter that fulfills the requirements of every state. But it will need to be prepared in collaboration with your client, and your client may not want to disclose all details of a breach in all cases. Continue to partner with the client and the client’s incident response team, especially those charged with safeguarding the company’s reputation, to determine the best approach.
Finally, assume that your correspondence will reach the general public, as covered by media. While not every breach becomes a front-page story, it’s always best to prepare as if yours will be.
6. Review Insurance Policies
Make sure to review and update your errors and omissions (E&O) coverage. Data breaches caused by temporary employees supplied by your staffing firm to a client company may be covered by your E&O policy, but exclusions may erode coverage.
Cyberliability policies will cover a breach of personal information held by your staffing firm, but not likely a breach at a client company caused by a temporary employee.
Cynthia Larose, Esq., is chair of the privacy and information security practice at Mintz Levin Cohn Ferris Glovsky and Popeo PC in Boston. She is a certified information privacy professional and has extensive experience in privacy, data security, and information management matters. Send feedback on this article to firstname.lastname@example.org. Follow ASA on Twitter @StaffingTweets and on Instagram @americanstaffingassociation.
This material is not intended, and should not be relied on, as legal advice. ASA members should consult with their own counsel about the legal matters discussed here.