A recent ruling from the Pennsylvania Supreme Court on an employee lawsuit against the University of Pittsburgh Medical Center stemming from a data breach should put all employers on notice.
As part of hiring any employee, employers need to collect personal information: date of birth, Social Security number, address, full name, and more. But when the organization suffers a data breach, is it responsible if that employee data is stolen?
In February of 2014, UPMC confirmed a data breach where hackers stole the personal information of about 62,000 current and former employees. Hackers used the data to file fake tax returns to receive tax refund money.
Employees sued UPMC, and the case was thrown out by two lower courts. But the Pennsylvania Supreme Court reinstated the lawsuit, stating: "An employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system."
This ruling doesn't mean UPMC has been found liable, but it does mean the case lives on. It should serve as a warning to every organization: should a data breach occur in which employee data is stolen, you may be held responsible.
With the primary means of attack still revolving around phishing and social engineering, organizations need to find ways to empower employees to identify the fake emails and websites used as part of these scams. Security Awareness Training gives employees the education they need to become part of your security posture. With employees staying vigilant and keeping security in mind as they interact with email and the web, organizations reduce their attack surface and lower the likelihood of falling victim to a data breach.
Should the UPMC case find in favor of the employees, organizations everywhere will need to shore up their security efforts around employee data. Stopping an attack before it begins by making the employee part of the security defense through Security Awareness Training is the first step.