
How Employers Should Respond to a Data Breach

Steps employers must take when employee personal data is compromised in a security breach.

AEA Editorial Team

Employers hold vast amounts of sensitive employee data, including Social Security numbers, bank account information, medical records, and tax documents. When a data breach occurs, employers must act quickly to comply with notification laws, minimize damage, and maintain employee trust.

Immediate Response Steps

When you discover or suspect a data breach:

  • Assemble your incident response team (IT, legal, HR, communications, and executive leadership)
  • Contain the breach by isolating affected systems, changing passwords, and blocking unauthorized access
  • Preserve evidence for investigation and potential law enforcement involvement
  • Determine the scope of the breach: what data was accessed, how many individuals are affected, and how the breach occurred
  • Engage a forensic IT specialist if the breach is significant or the cause is unknown
  • Do not destroy any evidence or attempt to cover up the breach

Legal Notification Requirements

All 50 states, the District of Columbia, and most U.S. territories have data breach notification laws:

  • Notification timelines vary by state, ranging from 30 to 90 days after discovery
  • Most states require notification to affected individuals and to the state attorney general
  • Some states require notification to consumer reporting agencies when the breach exceeds a certain number of individuals
  • The specific information required in the notice varies by state
  • If employees are located in multiple states, you must comply with each state's law

Federal laws may also apply depending on the type of data breached (HIPAA for health information, GLBA for financial data).

Notifying Affected Employees

Your breach notification to employees should include:

  • A description of what happened and when
  • The types of personal information involved
  • Steps the company is taking to address the breach
  • Steps employees can take to protect themselves
  • Contact information for questions
  • Information about credit monitoring or identity theft protection services you are offering

Be clear, honest, and timely. Delayed or evasive notifications increase distrust and potential legal exposure.

Mitigating Harm

Help affected employees protect themselves:

  • Offer free credit monitoring and identity theft protection services for at least 12 months
  • Provide instructions for placing fraud alerts or credit freezes
  • Set up a dedicated helpline or point of contact for employee questions
  • Monitor for signs of misuse of the compromised data

Preventing Future Breaches

After addressing the immediate crisis, strengthen your defenses:

  • Conduct a thorough post-incident review to identify root causes
  • Update security policies and procedures based on lessons learned
  • Implement or improve encryption for sensitive data at rest and in transit
  • Review and restrict access to sensitive employee data on a need-to-know basis
  • Conduct regular security training for all employees
  • Implement multi-factor authentication for systems containing personal data
  • Develop or update your incident response plan
  • Consider cyber liability insurance if you do not already have it