The Sony Hacking Lawsuit
A lawsuit was filed in the Central District of California on 12/14/2014 on behalf of former employees of Sony Corporation, claiming that they have been damaged by the hacking of Sony’s IT systems. The complaint, filed in Los Angeles federal court, claims that Sony “failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years” and “subsequently failed to timely protect confidential information of its current and former employees from law-breaking hackers.”
The scale of the breach is breathtaking. According to the suit, over 47,000 employees had data revealed, including unique Social Security numbers and names, birth dates, home addresses, email addresses, and salary information. According to Identity Finder LLC, the personal information was copied more than 1.1 million times throughout the 601 files stolen by hackers. The personal info was found in more than 500 spreadsheets, 75 PDF files, and several Word documents, none of which were password protected.
HRIS Systems Security Obligations and Liability
The exposure of sensitive employee information should give everyone in the HRIS industry some concern. The Sony hacking situation is unique in that the attackers appear to have stolen all sorts of data with the very public intention of harming the company. How often is employee data stolen without ever being publicly revealed? Let’s face it, no company wants it revealed that hackers stole employee data. That is bad press and feeds more legal exposure. There is no way of knowing how many times this happens, because companies won’t disclose it, and if it is discovered, things will be settled quietly out of court. Can you imagine the impact on a payroll/HRIS provider like ADP or Paychex if they were hacked and it became known that sensitive employee identity, wage, performance and health insurance information was exposed to criminal elements around the globe? According to ADP, they serve over 400,000 clients and pay 31 million people worldwide. If they were hacked like this, it would be game over.
Impact for Cloud HRIS Vendors
Companies that outsource their HRIS and payroll to a cloud-based vendor may want to take a hard look at their exposure should that vendor get hacked and their employees be damaged. Many PEOs have moved from in-house IT datacenters to cloud-based providers. All PEOs need to take a hard look at their security practices for their client and employee information. PEOs using cloud-based solutions need to review their agreements and determine just who is on the hook if something like this happens to them.
Image courtesy of Alexandre Dulaunoy at flickr