And Alabama makes 50: Data breach map is now complete

By: Ann Potratz

Publication: Employment Law & Regulatory Alert

Date Posted: 09/21/2018

Beginning with California in 2002, states have been increasingly focused on data security. In June, Alabama became the 50th state to enact a data breach law, completing a complicated patchwork of state regulations that dictate everything from how companies must store sensitive data to how many days they have to notify victims following a breach.

Given recent headlines about a string of high-profile data breaches at big-box retailers, it’s easy to assume these laws were created to protect customers, not employees. However, in most states, any entity that collects and owns personal data is subject to enforcement — even small employers with the data of a handful of employees must adhere to the same guidelines as huge national corporations with the data of millions of customers.

Are you collecting too much?

When creating online job applications, most employers don’t think twice about requesting extensive personal information, from social media profiles to social security numbers. After all, more detailed information equals more insight into candidates, right? And presumably, more insight equals better hiring decisions.

However, not only are there restrictions on what type of data can be collected, but storing such information electronically also adds another layer of risk. As states continue to pass increasingly tough laws, employers may need to reassess the types of data they collect and when.

Start slowly

Instead of loading an online employment application with every question you can think of, try asking less. It might seem counterintuitive, but consider what you’re really looking for up front, and make sure each field has a distinct purpose. Many applicants will be weeded out immediately because they lack basic qualifications, such as years of experience, and you won’t need further personal details to make that decision.

The result of a shorter initial application is win-win. Your company ends up storing less sensitive (and irrelevant) data, and potential applicants are met with a much more straightforward initial application process.

Consider your compliance

Companies that don’t ask extensive personal questions on job applications are still at risk when it comes to personnel data, given that sensitive employee information is now handled almost exclusively electronically (think bank routing numbers, tax details, even biometric data like fingerprints and facial scans).

As technology adapts, so should your approach to data storage. Check to see if your state, or a state in which you do business, has recently updated its laws regarding data protection. Even if it hasn’t, regularly assessing how you handle your employees’ sensitive data is the first step in keeping it safe.

Key to remember: State data breach laws continue to evolve, with many becoming stricter and more complicated. Consider collecting only the necessary data, and stay up-to-date on your state’s regulations.

About the author
Ann Potratz - Human Resources Editor

Ann is an editor on the Human Resources Publishing Team. She specializes in employment law issues such as discrimination, sexual harassment, background checks, terminations, and security.


Employment Law & Regulatory Alert Newsletter

This article was featured in the Employment Law & Regulatory Alert newsletter.
