Recently, a staffing company agreed to, among other things, pay Massachusetts $230,000 to settle a lawsuit related to a data breach. In December 2020, the staffing company learned that its network had been compromised. It received communication from a third-party who encrypted files in the staffing company’s network and threatened to publicly release sensitive data. Upon investigation, the staffing company learned that a manager’s improper handling of a phishing email caused the data breach. From the breach, the third-party obtained names and social security numbers of the staffing company’s employees and job placement service users.
The Commonwealth of Massachusetts became involved because the personal information compromised included that of over 3,000 Massachusetts residents. Through its investigation, the Massachusetts’ Attorney General learned that the staffing company did not have a written information security program as required by state law. In addition, the staffing company failed to implement appropriate safeguards to protect the personal information of its employees and job placement service users.
In settlement of the lawsuit filed by the Massachusetts’ Attorney General, the staffing company agreed to monetary compensation and to take numerous steps. Those steps included: create a written information security program and have annual tests conducted; develop and maintain appropriate data security policies, procedures, and programs; conduct annual assessments, for three years, of its systems, policies, and procedures; designate a specific employee as being responsible for implementing and maintaining the company’s data security policies, procedures, and programs; and conduct annual employee trainings concerning the importance of personal information security and the company’s data security policies, procedures, and programs.
In all, this incident provides several useful lessons. First, companies should take steps to ensure they know and comply with applicable state laws. Here, it was a Rhode Island company, but Massachusetts law applied because its employees and job placement service users included Massachusetts residents. Second, companies should ensure that they have appropriate data security policies, procedures, and programs in place. Last, but not least, companies should ensure that they adequately and routinely train employees on their data security programs, polices, and procedures. Had the staffing company manager not improperly handled the phishing email, this data breach would not have occurred.
If you have questions about this or other Data Privacy and Cybersecurity or Labor and Employment issues, please contact Andrew Cleves or another member of the Frantz Ward Data Privacy and Cybersecurity or Labor and Employment Practice Groups.