Security requirements may not always be included in the data protection law, but are key to guaranteeing lawful processing of personal data. The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and prevent alteration, corruption or access by unauthorized third parties.
Appropriate technical and organizational measures should be implemented to ensure a level of security appropriate to the risk.
In the US, there are no general rules, restrictions or registration requirements related to employee personal data. Instead, security requirements are generally designed to protect specific types of personal information. For example, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that employers take certain steps to safeguard Protected Health Information (PHI) obtained or created by HIPAA-covered employer group health plans. When handling PHI under HIPAA, employers are expected to implement detailed administrative, physical and technical safeguards.
Several states require data owners to place reasonable and appropriate safeguards on personal information, particularly Social Security Numbers (SSNs) and driver’s licenses. Massachusetts and Oregon require data owners, including employers, to implement comprehensive, written information security programs for personal data, including SSNs and driver’s licenses. In recent years, some states have expanded the definition of personal information to include data such as health information, biometric information and online account credentials.
For example, the California Privacy Rights and Enforcement Act (CPRA), effective January 1, 2023, requires covered businesses to implement reasonable security practices and procedures to protect the personal information of consumers. This includes the obligation to ensure that third parties that receive personal information provide the same level of protection.
Information security laws in the United States often include the following practices:
In addition, there are certain requirements around securely deleting data. The large majority of states have document destruction laws in place. While the laws differ by state, there is generally a requirement that SSNs and/or driver’s license numbers be destroyed in a secure manner. The Fair Credit Reporting Act (FCRA) includes regulations that require that background check reports and associated personal information also be securely destroyed.