Hacking, Extortion and Human Resources
It is not often that employers and HR practitioners have to worry about extortion, but the recent story about Drake International makes this a good time to remind employers of their obligations with employee personal information.
Drake was the victim of a computer hacking and extortion scheme. Instead of kidnapping a person, hackers are now stealing sensitive information and demanding a ransom for its return. In Drake's case, it was information about its clients and their job searches.
Employers always have a variety of sensitive personal information about their employees, and usually much of it is kept in some electronic form. In years past, this type of information was kept in locked filing cabinets or locked offices. The new issue is whether your computer systems provide at least as good protection as the old lock and key.
British Columbia's Personal Information Protection Act applies to all private sector employers with employees in BC. There are restrictions on the collection, use and disclosure of employee personal information. There are also specific provisions on safekeeping personal information which must be considered in light of what happened to Drake.
Section 34 of PIPA requires employers to:
"protect personal information in its custody or under its control by making reasonable security arrangements ...".
What does that mean in this day and age? It probably means that protection measures have to at least keep up with the sophistication of hackers. And the more stories there are like what happened to Drake, chances are that employers will be held to an ever higher standard.
The Privacy Commissioners are trying to keep abreast of this issue. BC's, Alberta's and the federal Privacy Commissioner have recently published a joint statement about cloud computing. The BC Privacy Commissioner has also published guidance for businesses and organizations that includes general ideas of what is required to comply with section 34 of PIPA.
These materials can be found at this link: Privacy Commissioner guidance. The cloud computing piece was published June 14, 2012 and the general guidance is titled "A Guide to PIPA for businesses and organizations" and was published April 10, 2012.
Now is a good time to review the measures in place to protect the employee personal information in your custody or under your control.
Drake employee personal information employer duties privacy