Data Breach Notification and the Multinational Employer: Part 1


By: 4Ps--Marketing

Imagine a serious data security breach that leaks names and private data of a multinational's employees across a number of countries. The breach might be due to a hacker, to a lost laptop, to data stolen by a rogue departing employee, or to any other security breakdown. Whatever the situation, the legal question quickly becomes: What are a multinational employer's obligations to notify affected employees, and government authorities, of the fact that human resources data leaked?

The answer depends on "applicable" law. In the human resources data context, the laws applicable can be, at minimum, the laws of all jurisdictions where affected employees are based, because a multinational employer will often be subject to personal jurisdiction in all countries where it employs staff (a multinational often transacts business and serves as a "data controller" in each locale where it has employees; in addition, a multinational might also be subject to data laws in jurisdictions where it does not have employees, such as where it has servers). As such, although a security breach itself—the hacking, the lost laptop, the rogue employee data theft—usually occurs in just a single country, the applicable employee breach-notification requirements will often be the notice mandates (if any) of all jurisdictions where there are affected employees. Complying with applicable law after a data breach that affects employees across a number of countries, therefore, means ascertaining, and following, the notification rules of each of the home jurisdictions of breach-victim employees.

Speaking broadly, we can address global data breach-notification compliance from three geographical perspectives: the United States, Europe and the rest of the world.

United States: US state laws regulate breach-notification obligations to US residents, often including employees, whose data get compromised in a breach. (As of mid-2009, federal bills were pending which could pre-empt this area with federal legislation.) While data protection/privacy in the US generally tends to be regulated less comprehensively than in jurisdictions like the European Union and Canada, in this specific context—security breach notification—US states impose some of the world's toughest obligations. Since 2003, when California passed a groundbreaking and influential data security breach notification law, 44 US states have imposed laws requiring breach notice in certain contexts. These laws generally require database owners to notify affected "customers" or other data subjects, including employees, of a breach. Some of these laws also require notice to state attorneys general or credit bureaus. Many of these laws provide a private right of action.

Pointer: Develop a cross-border breach-notification response strategy that complies with each affected country's mandates on notifying both employees and government data agencies.

When a US-based multinational suffers a data security breach within the US, most of the affected employees may prove to be US residents. In these cases, US state data-breach obligations may drive the multinational's global breach-notification strategy: US employees will likely need to be notified of the breach consistent with US state laws; human nature being what it is, these employees can be expected to discuss the data breach with co-workers abroad. Notifying all affected employees that a breach of their data occurred is often recommended, even where notice is not legally compelled. For these reasons, a sound human resources strategy will often be for the multinational employer to notify all employee breach victims, worldwide—although a key issue can be timing (breach notices may need to be expedited, or delayed in some jurisdictions).

In Part 2 we shall discuss implications of data breach notification on the multinational employer in Europe and beyond.

Article Source: ABC Article Directory



About The Author: White and Case has extensive experience of complex employment challenges with the ability to tailor policies according to International labor law and International employment law. Frequently representing clients in the US, European Union and Asia, White and Case are first-rate practitioners knowledgeable about all workforce-related issues.



This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 Unported License.
