It’s a digital world and with every stroke of the keyboard, data is being collected. It seems so easy, collecting data, sending online forms, emails and digital signatures. While the digital transfer of information makes our life easy, securing the data is not so and it’s very important for businesses to secure and protect their employee’s data. If they don’t, they put their employees at risk, lose trust and sacrifice company morale.

Businesses that collect sensitive information from employees must take appropriate steps to properly secure and dispose of it. Depending on the type of personal information that is collected and how it will be used, employers may be subject to a number of requirements under federal and state laws.

What is Considered Personal Information

Personal information is generally defined as a person’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person when either the name or data element is unencrypted or not protected by another method that renders the data unreadable or unusable:

  • Social Security number
  • Financial account number, or credit or debit card number, and any required security code, access code, or password that would permit access to the person’s account
  • Driver license number or state identification card number

Requirements for Employers

Any person who conducts business and maintains personal information generally must implement and maintain reasonable procedures to:

  • Prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business; and
  • Destroy (or arrange for the destruction of) records containing personal information that are not to be retained, by shredding, erasing, or otherwise modifying the personal information to make the information indecipherable.

Disclosure of System Security Breach

  • A person who owns or licenses computerized data that includes personal information concerning an employee generally must, when the person becomes aware of a breach of system security, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes.
  • If such investigation reveals that the misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur, the person must provide notification to each affected person.
  • A person who maintains computerized data that includes personal information that the person does not own or license generally must notify and cooperate with the owner or licensee of the information of any breach of system security immediately following the person’s discovery of the breach if misuse of the personal information occurs or is reasonably likely to occur.

For More Information

Interpretation of the law is time consuming, confusing and risky especially if you are going at it alone. Enlist your lawyer and the experts at ZM Ventures. There are federal regulations and state regulations that require employers to comply with specific procedures to safeguard the personal information of employees. Our experts can audit your internal systems to make sure your business is maintaining reasonable procedures to protect data.

Marie Zolezzi, CEO and Founder of ZM Ventures has contributed to the HR functions of many large firms in the Silicon Valley, Intermountain West and the Pacific Northwest. Marie is a skilled HR practitioner with unique expertise in HR business partnering, conflict resolution, employee investigations, one-on-one coaching and organization management. She is also a skilled board advisor to the Board of Directors needing input from an HR thought leader. To contact Marie Zolezzi, send an email to

Leave a Reply

Your email address will not be published. Required fields are marked *