Data Security Issues for Staffing Firms After the Equifax Breach
As has been widely reported, last month Equifax Inc. announced that it suffered a data breach that compromised the personal information of as many as 145 million consumers in the United States (almost one-half of the entire U.S. population). The stolen information primarily included names, Social Security numbers, birth dates, addresses and driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers were accessed. Residents in the United Kingdom and Canada were also impacted.
Although individuals (rather than businesses) were most directly impacted by the Equifax breach, this event highlights some important issues for staffing firms to consider:
Your firm is ultimately responsible for any legally-protected information you provide to your vendors, including Equifax.
Equifax offers a suite of services for staffing firms and other employers, some of which may require your firm to provide legally-protected information about your employees and applicants to Equifax. If your firm provided any employee information to Equifax, you should immediately determine whether that information was compromised in the Equifax breach (particularly if Equifax did not also gather that particular information from other sources). If such information may have been compromised, you should speak with your legal counsel. This is because your firm is generally responsible for the security of any legally-protected information – such as Social Security numbers, driver’s license numbers, and financial account information with any required password – that your firm provides to its vendors (which may include Equifax). If your vendor were to suffer a data breach, it might only be obligated to report the breach to you (its customer). It would then be the customer’s (i.e., your) obligation to provide legally-required notifications to the individuals whose data was breached.
Forty-eight states, the District of Columbia and a number of U.S. territories have data breach notification laws that require entities that own, license or maintain legally-protected information to notify affected residents if their information is compromised in a data breach. Some laws also require notification to law enforcement authorities, as well as to the affected individuals. Some laws also have deadlines by which notifications must be sent, while other states simply state that notifications must be made expediently and without unreasonable delay. Importantly, if the data breach involves protected information of residents of multiple states, your firm would be required to comply with the breach notification requirements of each applicable state.
Firms that do not comply with these notification laws may face enforcement actions, litigation and penalties. Accordingly, if your vendor suffers a data breach involving legally-protected information that you had provided to that vendor, you will likely need to comply with these notification laws promptly.
The effect on future background and credit checks on employees.
To the extent they are legally permitted to do so, staffing firms could conduct background checks on their employees and applicants, including employment and income verifications, as well as credit checks. As part of the background check process, staffing firms may obtain information from Equifax, TransUnion and Experian. Staffing firms should not face any liability as a result of the Equifax breach, simply if they had received information from Equifax.
Even if obtaining credit information, salary history or other background check information about employees or applicants is permitted in your jurisdiction, you should consider whether you truly need such a broad range of information about the employee or applicant in question. Background check vendors can provide you a tremendous amount of information, some of which is not necessarily relevant to every type of position you are trying to fill. Any legally-protected information that your firm maintains on its systems could be compromised later, which can lead to your firm incurring significant costs. Therefore as a general rule, the less legally-protected information your firm has, the better.
The Equifax breach may lead to complexities and uncertainty in your future background checks. For example, obtaining credit information (to the extent you are permitted to do so) will become more difficult for employees and applicants who have placed a “credit freeze” or a “lock” on their files with Equifax, Experian or TransUnion. Indeed, many governmental agencies and commentators have urged individuals to consider placing such a credit freeze or a lock on their files. If your firm plans to run a credit check on an employee who has established a credit freeze or lock, then you will need to decide whether (a) to ask the employee to “unfreeze” or “unlock” their files to allow you to run the credit check (which is possible to do, but may involve a fee), or (b) to forego running a credit check on that employee.
If you do obtain a credit report on an employee, it is possible that criminals may have fraudulently used his/her personal information to open accounts in his/her name. If an employee’s credit score seems too low in light of the employee’s particular circumstances, this may be a reason for the low score. Thus, additional due diligence may be required.
Try to mitigate the damage if your vendors suffer a data breach.
Although the Equifax data breach has dominated the cybersecurity news lately, companies of all sizes and in all industries (including the staffing industry) face persistent cyber threats. In addition, as the Equifax breach highlighted, sensitive information is not necessarily safe in the hands of third parties. Indeed, your own vendors represent one of the biggest risks in your data security structure.
Despite the risks that vendors present, as a general matter, your vendors have very few obligations to you under existing law. As noted above, if your vendor suffers a data breach, it is typically your obligation to provide the legally-required notifications. This may be a very costly endeavor. Another problem is that your firm may not have access to information regarding your vendors’ data breaches that must be disclosed under the various states’ notification laws. Moreover, your vendors might not adequately investigate or remediate the data breaches that they suffer, so information that you had provided to those vendors may be susceptible to additional data breaches.
To address these issues, your firm should conduct a reasonable level of due diligence on the vendors to whom your firm may provide legally-protected or other sensitive information. As part of that due diligence process, you should review and understand the vendors’ data security policies and procedures. Among other things, the due diligence process should focus on the extent to which the vendor:
- has adopted and enforces appropriate security policies and procedures;
- has created appropriate incident response and disaster recovery plans, and tests them regularly;
- complies with applicable federal, state, local laws, including privacy laws and laws that prohibit unfair or deceptive practices;
- has created a reliable program to maintain its information technology infrastructure and operations that are consistent with your privacy and data security objectives; and
- has identified data breaches and vulnerabilities, and how it remediated those breaches and vulnerabilities.
In addition to performing due diligence, you should consider adding provisions in your vendor contracts to address the cybersecurity risks that your vendors face. Ideally, your contracts with vendors to whom you provide legally-protected or other sensitive information will address the following issues:
- Which personnel at the vendor will have access to legally-protected and other sensitive information that you will provide to the vendor? As the client, you may want to contractually limit the universe of people at the vendor who have access to the sensitive information you provide to the vendor. If fewer people at the vendor have access to that sensitive information, it is less likely that something will go awry.
- Representations and warranties by the vendor. In your contract, you may ask your vendor to make various data security representations and warranties to your firm, such as: (a) the vendor did not suffer any recent data security incidents or breaches other than what has been disclosed to you; (b) the vendor’s collection, use, storage and disposal of sensitive information will comply with all applicable data protection laws, regulations and directives; (c) there are no regulatory actions pending or threatened against the vendor relating to any data security incident or vulnerability; and (d) the vendor employs personnel who are qualified to maintain the information security program.
- The vendor’s obligation to notify you if they suffer a data breach. Consider including a provision in your contract that requires your vendor to promptly notify you of any actual or suspected data breach that the vendor suffers.
- Oversight of your vendor’s data security procedures and practices. As a customer, your firm may wish to conduct periodic audits of your vendor’s data security practices and its facilities. Alternatively, you may wish to require your firm’s vendors to complete periodic questionnaires regarding its data security practices and the threats they face in relation to the sensitive information you furnish the vendor. These provisions should be included in your contracts with vendors to whom you provide legally-protected or other sensitive information.
- Indemnification. Consider adding a provision that requires the vendor to indemnify you for any losses that your firm suffers as a result of the vendor’s failure to comply with its data privacy and security obligations or as a result of any data breaches the vendor suffers.
- Vendors’ Communications With Your Employees. You may also encourage your vendors that possess sensitive information about your employees to communicate directly with your employees about how they can keep their data secure on the vendors’ systems.
Finally, if your clients provide sensitive information to you as their vendor, then you should likewise expect your clients to conduct due diligence on your data security systems and procedures. You should also expect those clients to require you to accept data privacy and security obligations in your contracts with them.
Review and enhance your firm’s own data security practices and procedures.
The Equifax breach also serves as a reminder for all staffing firms to periodically review their own data security procedures, incident response plans and cyber insurance coverage. Indeed, your clients, employees and job candidates expect that your firm will maintain the privacy and security of their confidential personal information, including Social Security numbers, driver's license and other government-issued identification card numbers, bank account information, and credit and debit card numbers.
Below are some of the major items to consider in reviewing and enhancing your firm’s data security practices and procedures:
- Keep your firm’s system as secure as practicable. It is not possible to keep your system 100% secure, regardless of how much money you spend on cybersecurity. However, you can reduce your risk by having the latest antivirus, firewall, web browser and operating systems.
- Prepare and maintain a written information security program. An effective written information security program will describe the measures that your firm is taking to protect the security and confidentiality of personal and other sensitive information that it collects and maintains. This program should be updated as necessary.
- Establish a records retention policy. Your firm should establish a records retention policy, which includes a requirement to destroy documents containing sensitive information that you no longer need, so long as you are not required to retain those documents under applicable laws.
- Prepare an effective incident response plan, and test it. If you have not done so already, your firm should have a data breach incident response plan in place, and that plan should be tested and updated regularly. Among other things, an effective incident response plan will specify which individuals will be contacted if a potential breach occurs, and will specify the steps to follow in responding to the breach.
- Back up your critical data regularly. Reduce the likelihood of losing your firm’s data in a “ransomware” attack or other disaster by maintaining regular backups of critical systems and data.
- Train your employees. A company’s own employees are a primary source of data security risk. Your firm’s employees should be trained on basic cybersecurity hygiene, and training sessions should be scheduled regularly. New kinds of threats are constantly emerging, and best practices are evolving. Your employees should continuously be up to date on what to do and what not to do.
- Limit access to sensitive information within your firm. Ensure that access to legally-protected and other sensitive information is limited only to those employees of yours that actually need such access. Not everyone in your firm needs to have access to the firm’s most sensitive information.
- Maintain physical security. Many firms focus intently on cybersecurity, as they should. However, physical security is also extremely important. Your firm should restrict access to its physical space to make it more difficult for intruders to gain access. In addition, paper documents containing legally-protected and other sensitive information should be kept in a locked cabinet or locked desk drawer.
- Consider obtaining cyber insurance. Cyber insurance coverage will protect your firm against certain losses that may occur in a data breach. Your insurance broker should be able to assist your firm in obtaining appropriate cyber coverage, and your legal counsel can help you understand the scope of that coverage.
Staffing firms should promptly determine whether any sensitive information they provided to Equifax was compromised (particularly if Equifax did not also gather that particular information from other sources). If so, you should speak with your legal counsel. In any event, all staffing firms should treat the Equifax breach as a wake-up call to strengthen their own data security practices, and to ensure that their vendors do the same.
 Certain jurisdictions prohibit or restrict employers from conducting employment or income verifications, credit checks, or other types of background checks on employees or applicants. For example, under the Stop Credit Discrimination in Employment Act, most employers in New York City are prohibited from checking applicants’ credit history to make employment decisions. Under New York City Law, employers and staffing firms may not inquire about a job candidate's salary or compensation history, and may not perform background checks, until a conditional offer of employment has been made.
For more information on the topic discussed, contact:
Employment Notes, a newsletter produced by Tannenbaum Helpern Syracuse & Hirschtritt LLP’s Employment Law practice, provides insights on recent employment caselaw, legislation and other legal developments impacting employer policies, human resource strategies and related best practices. To subscribe to the newsletter, email firstname.lastname@example.org.