Q My company recently experienced a data breach in which some of our employees’ personal information was accessed. Are there any employment laws that apply to this situation, and what can I do to protect this data going forward?
A Yes, there are some general rules to follow and steps employers may take going forward. A breach affecting employee data is a costly and time-consuming ordeal for California businesses of any size. To minimize legal risks associated with such a breach, an employer in California should take immediate corrective action. This generally includes, at a minimum, a response to the current breach and prospective steps to prevent a future breach.
In California, employers commonly maintain and keep the private personal information of their employees. This information includes social security numbers necessary to verify work eligibility, health information necessary to document medical accommodations, payroll and timekeeping records necessary to calculate accurate payment of wages, and bank information necessary to process direct deposit of wages. This type of information is protected from unauthorized disclosure by the individual right to privacy under California and federal constitutional privacy laws. In addition to this general right to privacy, other specific laws further protect this information. For example, the California Civil Code requires businesses to maintain reasonable security procedures to prevent data breaches and to provide notice to affected individuals if a breach occurs. Moreover, under the California Consumer Privacy Act, which only applies to some employers, employees may have a private right of action associated with a data breach. Together, these protections and potential risks make it critical for employers to respond quickly and implement safeguards going forward.
In general, a data breach occurs whenever unencrypted employee private information, or the ability to access such unencrypted data, is reasonably believed to have been acquired by an unauthorized person. If a data breach occurs, the employer should notify all affected employees of the breach as soon as possible. The notice should include, at a minimum, details about the breach, the types of information compromised, and the remedial and prospective steps the employer is taking to address the situation. The notice should also encourage employees to ask questions and receive updates on the situation. Businesses required to notify more than 500 California residents about a breach must also submit a sample copy of the notification to the Attorney General. Non-compliance with these rules may lead to penalties and legal risk.
Employers can minimize the potential of a burdensome data breach by maintaining reasonable security procedures and practices. Such policies and procedures may include encryption and security measures for employee data, regular data audits and risk assessments, third-party vendor due diligence, review of contractual language with vendors and customers, and a review of legal updates on the topic. Employers should also consider training Human Resources, supervisors and other individuals with access to employee data. Training may occur periodically and cover important topics such as privacy laws, security measures, company practices and remedial steps to take in response to a data breach.
Employers with questions about minimizing the risk of a data breach or how to deal with an ongoing breach should consult with a team composed of both information technology staff and legal counsel.
Marco Lucido is a lawyer with Fenton & Keller in Monterey. This column is intended to answer questions of general interest and should not be construed as legal advice. Email queries to email@fentonkeller.com