Dara Security

Not Just Consumer and Patient Data

May 01, 2014

A common misconception in securing information is that businesses only need to protect consumer and patient data. This would mean privacy mandates apply only to merchants who accept credit cards for payment or to the healthcare industry. This simply is not true.

University of Pittsburgh Medical Center (UPMC) recently reported a breach that affected 27,000 of its employees. Typically, a medical center breach would involve stolen patient information. However, UPMC's case is unusual in that employee data, not patient data, was compromised. The breach involved the loss of tax records: 788 employees experienced some form of tax fraud, and several other employees had bank accounts wiped clean.

As a result of the breach, a class-action lawsuit was filed against UPMC in which the plaintiffs allege that UPMC failed to disclose the data breach in a timely manner and failed to adequately protect employee information. Interestingly, healthcare industry regulation does not mandate the protection of employee data or the disclosure of an employee information breach. In many states, that obligation comes from state law, which many healthcare organizations overlook because they do not realize that these specific laws apply to them.

Data protection and privacy laws have been passed in 47 states, with number 48, New Mexico, on its way. States have recognized that organizations of all sizes are a treasure trove of employee data that can be used to perpetrate fraud and identity theft. These laws cross state borders: if a business operates in Nevada and hires an employee in California, the business is now subject to both Nevada and California data protection and privacy laws.

Oftentimes, companies do not know which laws apply to them and consequently do not take the necessary measures to protect their employees' information. These companies do so at their own risk, as the consequences of a breach are costly. Costs come from fines levied by the state attorney general, class-action lawsuits filed by employees, and notification fees. A breach also tarnishes the company's reputation and can slow the company's growth, as potential new hires will gravitate toward competitors for employment, knowing full well that the breached organization does not value the privacy of employee information.