RESPONDING TO INADVERTENT DISCLOSURES OF EMPLOYEE AND CONSUMER PERSONAL INFORMATION
By: Drake T. Land, RBE Attorney
Business owners increasingly store employee and consumer personal data in a digital format. This
development holds numerous advantages for owners, including offsite storage of otherwise voluminous
documents and searchable databases of information. However, this development has also led to an increase
in inadvertent disclosures of personal information and data breaches as those seeking to wrongfully obtain
the information become more sophisticated. The Office of the Indiana Attorney General reports an increase
in reported security breaches from 396 breaches in 2014 to over 600 in the first four months of 2017. 1
The inadvertent disclosure of employee and consumer information can come in many forms:
• External hacking of private servers;
• Phishing attacks (the act of sending a fraudulent request for information from a person who claims to be a
trustworthy source or individual);
• Internal employee error; or
• Targeted data theft by an internal source.
Cybercriminal email attacks are becoming more common. These typically happen in two ways. First, a criminal
can hack into a business or personal email account and draft phishing requests for information (and divert the
response to their email account) or review past email transactions for employee or consumer personal information.
Alternatively, the criminal can create a fake email account and pose as a company official or executive. Using the
fraudulent account, the criminal will send phishing requests for protected information.
Regardless of how the disclosures occur, a business has certain reporting duties upon discovery of a breach
of data belonging to, for example, its employees or customers (referred to in this article as “affected individuals”). Failure
to properly adhere to these duties is cause for action from the Office of the State Attorney General, fines of up
to $150,000 for each “deceptive act,” and additional costs. 2 If private financial or credit card information is
disclosed, the business will be subject to other obligations and fees/penalties under laws protecting financial
privacy as well as the contractual requirements of credit card issuers. 3
What to do in the Event of a Data Breach
Each state has different reporting requirements and many individual states have separate requirements dependent
on the number of affected individuals residing in that state. Importantly, a disclosure must be reported to the state
Riley Bennett Egloff LLP - June 2017