Every time a company laptop is lost or a password is inadvertently disclosed, the door is opened for a serious data breach. Employees are at risk of identity theft or other crimes, and employers could be liable for failure to protect their employees' compromised personal identifying information, or "PII." To protect their employees and themselves, employers must ensure that their PII policies cover the familiar basics, such as employees' social security numbers and financial information— but that's not necessarily all. The recent enactment of expansive data security laws means that, in a growing number of states, employers must also provide protections for additional types of employee PII, such as home addresses, cellular telephone numbers, and email addresses. As a result of these new laws, employers are increasingly at risk of lawsuits based on misuse of employee PII. What's more, some states call for administrative investigations and stiff civil penalties when a breach occurs. And no employer wants to be embarrassed by the sensational news stories that so often follow a security breach. Establishing comprehensive PII policies will protect not only the employee data, but also the company's reputation and ultimately its bottom line.

Under most data security laws, PII is any information that can be used alone, or with other sources, to uniquely identify a single person. Because modern technology has made it easier to amass large quantities of PII, and because technology is so easily portable, PII is extremely vulnerable to breaches. In response to this growing threat, legislatures have enacted a variety of laws to limit the accessibility to and distribution of PII. At least thirty states have passed laws protecting social security numbers, and all fifty states have laws criminalizing the use of PII for identity theft. Almost all states require notification when a breach occurs. Increasingly, however, state legislatures are determining that these protections are insufficient, and they are imposing new and expanded duties on employers to safeguard the PII of their employees.