Breach notification in your record management policy

by on July 6, 2009 · 0 Comment POSTED IN: HR Info Center

Your record management policy now needs to include notification procedures

Breach notification is really the heart of data security issues and record management policy right now in the US. We’ll focus on California’s breach notification law as an example. It was the first law that’s going to be passed and it’s the basis for most of the other state breach notification laws.

Now, a breach is defined in a rather specific way under the record management policy and laws. California is a pretty standard example. It defines a breach as an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.

I’ll just briefly go over a couple of important ideas here. The first one is the idea of unauthorized acquisition.

Unauthorized employee acquisition in your record management policy
You’ll see that there is an important exception here for employers, which is that a good faith acquisition of information by an employee is not a breach as long as there is no subsequent disclosure of the information.

Now, we all know for instance that it’s not uncommon for an employee to accidentally get into data that maybe he or she wasn’t supposed to have access to. But if as long as the employee was acting in good faith in the course of the employment and doesn’t disclose the information to anybody else, you don’t need to give notice. It’s the basic gist to this exception.

Now, in contrast of course, if the employee was acting a bad faith for instance using information or trying to collect it for a bad purpose or if the employee disclosed it to somebody else, then you can have a breach notification situation.

Bad faith acquisitions under a record management policy
Let’s say that you have just put together a database of the top 500 costumers you have in the company. You’ve listed lots of information about them and for whatever reason you have credit card information on them. Now, you send it to your five top sales managers so you need to know the information. But accidentally, one of the email addresses is mistyped. It goes to a different employee within the company. Oops!

So if we stop there and assume that the employee is told to delete the email and doesn’t use the information, yes there had been an unauthorized acquisition but it was in good faith by the employee, he had no intention of using the information, it didn’t go any further.

However, let’s take this a step further and say that that employee who gets this data takes to look at and thinks, “Wow! My cousin could really use this information and forwards it outside the company.”

There you’ve just exited the good faith acquisition exception in a record management policy. And it’s quite likely you have a breach notification situation on your hands. So, the idea is a good faith acquisition is not covered but you really need to look at the situation to determine that that exception applies to you.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.

Leave a Reply


Request a Free Demo

We'd love to show you how this industry-leading training system can help you develop your team. Please fill out this quick form or give us a call at 877-792-2172 to schedule your one-on-one demo with a Rapid Learning Specialist.