Businesses of all sizes wrestle with the complex interplay of privacy rights and data security in the workplace. If you aren’t wrestling with it, then you may have already been pinned. Let’s get you up off the mat.
To illustrate the issue, let’s take an everyday situation. Suppose that a local landscaping company (“the Company”) has recently experienced a welcomed growth spurt. In response, the Company has increased its field staff and its office staff. The office staff, a total of four employees, are assigned workplaces with computers connected to a local server, with a central database of customers, scheduling, payment information, and other sensitive data.
As in many workplaces, the office is adjacent to the crew areas, and the office has coffee, water, and snacks available. This, the lure of easy conversation, and some budding romances make the office space a cozy place for crews to come in and relax between jobs. Of course, like any modern-day workforce, the crews and office staff have smartphones, and their faces are often seen hovering over lighted screens, type-type-typing away to destinations unknown.
This all seems rather quaint, idyllic even, until a data breach occurs.
What is a Data Breach?
The term “data breach” encompasses a variety of issues and interests. From the Company’s side, a data breach could mean a departing employee downloading the Company’s customer database, including pricing, and walking out the door and down the street to the nearest competitor. For an employee, a data breach could mean a hacker or fellow employee accessing the employee’s HR file, wage information, social security number, or worker’s compensation file. For the Company’s customers, a data breach would include the unauthorized use of credit card information.
In today’s workplace, a data breach can occur in any number of ways, some of which are distinctly “low-tech,” such as the innocent but careless conversation of an office manager about a workmen’s compensation or medical leave situation within earshot of co-workers. A more up-to-date breach might start with an online shopping excursion that unknowingly infects the Company’s IT infrastructure. And, of course, the present day brings the use of smartphones and other data devices to download sensitive information from the Company server.
Why You Need a WISP
Though the threats are endless, the Company’s options are clear. In Massachusetts the Company is required, under Massachusetts General Laws c. 93H and 201 CMR §17, to take proactive and reasonable steps to develop and implement a comprehensive written information security program (“WISP”). The WISP must include, among other things, the appointment of a “Privacy Officer” and the adoption of reasonable policies regarding the storage, access, and transmittal of personal information. A failure to comply with these regulations opens up the employer to claims not only by the Attorney General, but also claims by any persons who might be harmed by a data breach.
The regulations and laws in this area make it clear that there is no “one-size-fits-all” approach. The defensive steps that are required to be taken by a large, multinational corporation would likely bankrupt our landscaping Company. Nonetheless, the smaller Company is legally obligated to identify the threats and adopt reasonable safeguards to prevent those threats from materializing.
Your Employees Have a Right to Privacy, Too
In drafting and implementing its protocols, however, the Company must be mindful that under Massachusetts General Laws, c. 214, §1B, every person, including an employee, has “a right against unreasonable, substantial or serious interference with his privacy.” What’s “reasonable” in this context is typically a matter of expectations.
If our landscaper does not adopt any policies regarding the use of smartphones in the office, then he or she may run into trouble when a sudden decision is made to confiscate the office manager’s smartphone and search its contents to determine whether client data has been compromised. On the other hand, if a policy has been adopted, in advance, prohibiting the use of smartphones in the office area, then a reasonable expectation has been set and can be enforced.
A Privacy Officer Can Balance Data Security Requirements with Privacy Rights
A critical piece of this puzzle is the appointment of a Privacy Officer, as required by Massachusetts regulation. A Privacy Officer is typically a management-level employee responsible for identifying privacy and data threats and implementing policies throughout the workforce. A Privacy Officer should be proactive about internal policies, but should also be even-handed and consistent in implementation. To go back to the issue of setting employee expectations, the Privacy Officer cannot condone smartphone use in the server room by one employee, and then seek to confiscate and search the smartphone of another employee for the same issue.
The modern workplace presents employers with the complex task of balancing the requirements of data security with the individual’s rights to privacy. Make your life a little easier by identifying the threats to your data, drafting and adopting a WISP, appointing a Privacy Officer, and taking reasonable steps to enforce your policies.
Founded in 1887, Mountain, Dearborn & Whiting, LLP, provides expert legal counsel regarding estate planning and trusts, family law and probate matters, business and corporate law, banking and commercial law, real estate and land use, taxation services and diverse litigation matters.