I was recently contacted by my employer stating that someone had applied for unemployment benefits using my Social Security number, name, and job title. My employer notified me by email to be aware of this, but stated that they conducted a security audit and found that there was no breach on their end and that the matter was currently being investigated by the Department of Labor and FBI. What responsibilities does an employer have to the employee when this happens? What should the employee do?
For this answer, we are again joined by Jessica Keltz, associate attorney at the Law Office of Stephanie Adams, PLLC.
This question takes us back to the SHIELD Act, last discussed by Ask The Lawyer at the end of 2019 (https://www.wnylrc.org/ask-the-lawyer/raqs/100). The SHIELD Act requires businesses (and other entities that conduct business, such as, yes, libraries) that collect personal data to institute compliance measures, including assessing security risks, implementing new data security measures, and securely destroying private information when it is no longer needed for business purposes.
We will take the two questions separately.
First, what responsibilities does an employer have to the employee when this happens?
If your library is not part of a large institution such as a university or a hospital, its compliance responsibilities likely fall under the SHIELD Act requirements for “small businesses.”
The act’s definition of a “small business” is:
"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.
Compliance requirements for small businesses under the SHIELD Act are more generalized; they simply need to ensure that their data security safeguards are appropriate for their business’ size, complexity, scope of activities, and the sensitivity of the information the business handles. Within those guidelines, libraries that fall under the “small business” requirements should have a data breach plan.
The event that the member described is certainly cause to be concerned that a data breach may have occurred, and the library should have a plan to address it. What does addressing it look like? The most important elements are being able to evaluate whether a breach occurred (which it seems the employer was able to do), and disclosing to the potential victim that a breach may have occurred (which the employer definitely did).
If the library had found that a data breach did occur, staff or a contract data security expert should re-evaluate the library’s security protocols to make sure to prevent the problem in the future; but in this case, as a breach did not occur, this may not be necessary.
In the case of a data breach or potential data breach (and this falls under "potential"), the employer is also required to disclose the concern to any resident of New York State whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. By notifying you that this event occurred, the employer has complied with the requirement.
Meanwhile, what can an employee in this position do?
First: as soon as possible, the employee should consider involving their own attorney. The risks posed by this situation are too critical. For those who can’t afford an attorney, contact the local county bar association to learn about pro bono assistance in your region.
Second, assuming the employer has complied with their obligations under the SHIELD Act, since this involved a fraudulent claim for unemployment from the New York State Department of Labor (“NYSDOL”), the employee should work with the NYSDOL to learn all they can about the incident.
This starts with contacting NYSDOL’s fraud department at https://labor.ny.gov/agencyinfo/uifraud.shtm, to see what they can share about the abuse of your personal information. Armed with whatever other information is gathered from NYSDOL, the employee (or their attorney) can then look at their own credit history and other uses of their identity for potential breaches (social media and e-mail accounts).
While this is going on, be extra-wary of any calls, emails, or other contact requesting any personal information. Always require people to call back or write to you with any out-of-the-blue-seeming inquiry. Make sure the people close to you know you are on heightened alert. Consider changing all passwords (just make sure you keep a good record of the changes in a very secure place).
The Federal Trade Commission offers guidelines on when and how to place a "fraud alert" on your credit, to stop new accounts from being opened using your name and information: https://www.consumer.ftc.gov/articles/0275-place-fraud-alert. Any person who learns their information may have been illegally accessed should also request a free credit history from one of the three main credit bureaus, and review their credit report for any unexpected checks or accounts. Depending on what you find when you do so, consider freezing your credit and reporting the theft of your identity to the Federal Trade Commission.
And finally, if an employee has reason to believe their employer or a contract provider is at fault for a breach (even if the employer or contract provider denies it), it is even more critical that the employee consult their own attorney as soon as possible. There are too many variables to give general guidance on this, but broadly speaking, the more you have at stake (employment-related information, direct deposit information, health and benefit-related information, and of course, a potential dispute with an employer), the more important it is to act quickly.
The scenario the member describes is nerve-wracking, and the member was right to reach out about it. Don’t go it alone!
Tags: COVID-19, Emergency Response, Security Breach, SHIELD Act, Employee Rights, Identity Theft
What recourse may a library board take, if a former director removes all library files from a library-owned computer that relate to the running of the public library?
Every employer struggles with this issue: give employees enough access to electronic information to do their jobs, but protect that information from accidental disclosure, file corruption, and theft.
Solid practices like routine security updates, back-ups, password re-sets, and employee training can help a library avoid the worst IT disasters. But what if someone in a position of trust simply abuses their access? What if a scenario like the member's question should arise?
There is a process to address this type of scenario. In order to ease an adrenalized mind,[1] it is presented below in grid form.
Upon suspicion that files have been removed or inappropriately removed by a former library employee, follow these steps to assess what recourse a board might have:
| Action | Why you do this | Results |
|---|---|---|
| 1. Upon suspicion that files have been removed, if possible, do not take further steps alone. Create an "Initial Response Team" of at least two people to do the next four steps, and designate one of them as the note-taker and document-keeper. If your library's computer system is supplied or supported by a cooperative library system, one of these people should be from the system.[2] Organize a time-line and take photos or screenshots of information showing the potential problem. | The facts you assemble and first steps you take may have far-reaching consequences for your library's response and recovery, as well as for the potential wrongdoer. At this stage, however, you'll just be documenting what appears to be missing. No deep-dive investigation. It should only take an hour or two.[3] | Initial Response Team formed and responsibilities of team members made clear. Note-taker assembling information. |
| 2. Without letting it take more than an hour (or two), and without making any changes to your system, assess and create an informal list of what appears to be missing (file types, specific types of information, locations), when this was noticed, and what the first signs of the concern were. This will be your "Initial Inventory." | You need to have a foundation for your next steps, so you're creating a quick description of the possible situation. | An Initial Inventory you will use in the next few steps. Note: The "Initial Inventory" is not an attempt to assess what happened, just to list what might be missing, and a few initial details. |
| 3. Look over the Initial Inventory. Could any of the missing files contain personal/private information, such as: name, address, date of birth, SSN, library card number, credit card information, contact information, banking information, health-related information, computer use, passwords, or circulation records? | If the answer is "yes," add the phrase "…possibly includes loss or compromise of private information and/or library patron records" to the Initial Inventory. | This part of the Initial Inventory will help those assessing the issue quickly appreciate the possible privacy and confidentiality implications of the situation. |
| 4. Contact the library's insurance carrier, and alert them that you may have had a loss of data related to "unauthorized computer access that may involve a former employee." If your Initial Inventory includes a "yes" to Step #3, also state: "The situation may have involved personal and confidential information." If your initial contact is by phone, confirm the notice via a letter or e-mail. | Depending on your library's insurance type, you may be covered for this type of event. Notifying your carrier and following up in writing will help the library determine if the carrier will provide coverage and/or assistance for the event. | Timely notice to the library's insurance carrier, enabling your carrier to let you know if you have coverage and if they can provide assistance in recovering from the event. NOTE: If the event is covered, some or all of the remaining steps could be impacted by the participation of the carrier. |
| 5. With the Initial Inventory complete and the carrier on notice, the board (or director, if the board has delegated the right amount of authority to them) must decide who is in charge of next steps: the full board, a board committee, the Director and a team, or any combination of people needed to assess the matter. This "Response Team" should have the power to appoint a qualified professional to assess the situation, to retain legal assistance if warranted, and to recommend a final course of action to the board. In no event should a report to the board (or Executive Committee) extend the timeline for arranging a response beyond 3 business days. | Unauthorized computer access involving a former director (or any employee) is serious enough to warrant board involvement, whether or not personal and confidential information is involved. This is especially true since, in a worst-case scenario, the library may have to report a data breach, expend resources to re-create or retrieve the information, work with an insurance carrier to recover from the loss, consider if any aspects of the former employee's contract or severance apply (if there was either/or), and, based on what is discovered, consider whether or not to file a report with law enforcement. | Clarity as to who is in charge, what level of authority they are working with, and who they will bring on to assist with the investigation and recovery. |
| 6. Alert the library's lawyer by sending them a copy of the Initial Inventory, and connect them to the Response Team, so they can assist as needed. | It will be the lawyer's responsibility to work with the Response Team and others to ensure the library is positioned to seek relief from the carrier or the former employee, to assess any relevant contracts (for instance, if the files were deleted from a cloud server), and to advise the board about filing a report with law enforcement, or pursuing civil remedies. | Attorney-client privileged input to help assess response options in the best interests of the library. |
| 7. The Response Team should retain a qualified IT/data security professional to assess the situation and develop an "Incident Report" with a Final Inventory of what is confirmed as missing, a conclusion as to how it went missing, and if/how it can be recovered. | This should be done within 3 days of discovery and before there are any changes to the system. Ideally, this work should only be performed after the library and the IT professional sign a written contract that is reviewed by the lawyer. | A contract with a qualified firm; a certificate of insurance from the professional firm; a written Incident Report from the firm. |
| 8. Based on the value, sensitivity, and type of information in the Final Inventory, work with the IT professional and lawyer to assess any legal steps the library must take to recover or to give required notifications of data breach. | Depending on what went missing, the library could have concerns under any number of laws. | The final recommendation should be a memo to the board, regarding any necessary steps (or confirming none are needed). |
| 9. Based on the complete Incident Report's assessment of what is missing, how it went missing, and if/how it can be recovered, and any relevant details about the employee, develop a course of action. | For more on this aspect, see the rest of this RAQ. | Recourse. |
What happens as part of number "9" is the actual answer to the member's question. But until a library follows steps "1" through "8," it can't fully know its options under "9."
And what can happen as part of "9"? The range of consequences for unauthorized computer access and/or data destruction is vast, running from criminal penalties to civil remedies. And if considered with solutions for how a library can recover from the loss, there are further possibilities.
If I were on the board where a former director removed all the library files from a library-owned computer that relate to the running of the public library, at the end of the day, here's what I'd want to get out of "The Files Are Gone" process:
By demanding solid, well-documented and qualified answers to these questions (What happened? How does it impact the library? What can we do?), a board member is being a good fiduciary, and positioning the library to identify the best recourse.
Now let's say that, in the grand scheme of things, the "missing files" appear to be pretty minor (and do not involve private information). Let's say that, for whatever reason, the outgoing employee deleted all the library's "standard operating procedures." Not the policies--those are on the library's website and backed up in numerous places--but all the details about (as the question says) "running the library": how to organize the courier manifest; the templates for the volunteer letters and community meeting notices; the budget template and calendar for strategic planning; their own emails on their library account. Nothing private, no circulation or credit card information, but a body of work that represents hundreds of compensated hours…lost.
This may seem like the kind of loss that isn’t dire enough to warrant the steps I have outlined above, but it absolutely is. First, only a professional can say when data is truly "lost" (especially emails). And even if, at the end of the day, there is a board decision not to pursue any consequences (privately, civilly or criminally), such (in)action must be based on good information--not just the result of a decision not to investigate in the first place.
The budget for such a response, if planned carefully, can be very modest (under $1500).[4] Reaching out to a library's system and regional council to find the professional you need might help the library get those services at a reasonable price (and again, depending on the system-library service agreement, much more).
Why am I adamant about this follow-through, even for a "small" incident? Because sometimes a "small" incident is only the tip of a much larger iceberg. Unauthorized data destruction by a former employee could be a serious breach of their duty, the law--and even their oath of office. But it might not be. The right response, and the fair response, can only be formulated through careful documentation and analysis.
This is what positions the board to know what recourse it can take, when presented with such a serious situation.
Thank you for trusting "Ask the Lawyer" with this sensitive question.
[1] If you are reading this while working on this type of issue, take a deep breath. You've got this.
[2] There are too many types of IT supply/support arrangements out there for me to be more precise than this. Some systems are essentially the IT department for their member libraries. Others are not. This aspect will be governed by the System's member contract…but generally, a good place to start is on the phone!
[3] In keeping with the question, this chart addresses what to do if the person involved is a former employee. If the person is a current employee, the Response Team should include someone qualified to assess an appropriate response that ensures 1) due process for the employee; 2) security for the investigation; and 3) stability for ongoing operations of the library.
[4] Is this a low-ball figure? Could it be much bigger? Yes. But if it gets much bigger, that should be because it's actually a big problem that needs to be solved.
Tags: Data, Ethics, Management, Security Breach, Employment, Templates