Cheezhead Recruiting News and Opinion

A former employee of Aetna has filed a lawsuit against the Hartford-based insurer after the company’s job application site was hacked and the employee’s personal information was compromised.

The lead plaintiff, Cornelius Allison, worked for Aetna from December 1998 through May 2005 and applied in January 2009 for another position at Aetna. His personal information, along with the Social Security numbers of current and former employees and people who received job offers from Aetna, were stored on a job application site maintained by an outside vendor. The site was hacked recently, which the Hartfort Courant says is the second breach of privacy in recent times.

According to the suit filed last week in U.S. District Court in Pennsylvania, the plaintiff alleges that Aetna failed “to adequately protect the private personal information of its current, former, and potential employees.” The lawsuit also alleges negligence, breach of implied contract, negligent misrepresentation and invasion of privacy.

The application site stored about 450,000 email addresses from people who had submitted resumes or applications. Some of the emails were copied by the hackers.

After the breach, Aeta offered free credit monitoring for a year to around 65,000 people who had Social Security numbers on the site’s database.

Aetna spokeswoman Cynthia Michener released this statement to the Hartford Courant:

Aetna did the right thing by proactively notifying people about this incident and offering free credit monitoring, even though our independent IT security consultant has not determined that any information was accessed beyond e-mail addresses It’s unfortunate that we’re being sued for acting with integrity and honesty.

Martin Snyder, president of Main Sequence Technologies, which provides on-demand or licensed recruitment software under the flagship brand of PCRecruiter, weighed in on the lawsuit and the insurer’s response.

“We don’t yet know the full nature of the attack on Aetna, and we probably never will since the vendor will play it close to the vest,” he said. “I certainly hope it was not a case of negligence but rather that of a determined attacker out of the blue.”

Snyder said he thinks Michener’s response was inadequately phrased.

“Michener was given a bad frame to push here,” Snyder said. “To note that Aetna ‘did the right thing by proactively notifying people about this incident and offering free credit monitoring’ is a stupid thing to say; obviously there was zero chance of them not doing the right thing. To then say that ‘it’s unfortunate that we’re being sued for acting with integrity and honesty’ shows an almost childlike understanding of our legal system.

“A better frame would be, ‘it’s unfortunate that the civil legal system had to be involved with this matter, as we believe that Aetna has acted appropriately from start to finish. We hope the illegal actors who caused the problem will be caught and punished and Aetna will certainly cooperate across the board to help produce that outcome.’”

Snyder said that this lawsuit will have implications for how firms buy and use systems. He adds that if you can keep Social Security numbers out of your applicant tracking system, you have a much lower risk profile on that system.

So what else can companies do to protect themselves against future lawsuits if hackers compromise their systems?

“As a buyer, it may be pretty smart to get some language in your agreements regarding notice of possible attacks: how soon, what threshold, means of notice, and handling info for third-parties,” Snyder said. “Language regarding indemnification for credit-monitoring, litigation, and PR costs in the event of serious attack could help too since that stuff is expensive.”

Popularity: unranked [?]