From application to termination, employee privacy considerations live throughout all stages of the employment lifecycle. Thus, employers should take heed of best practices and mechanisms when handling employee personal information far beyond the applicant screening stage of employment. However, is having policies relating to the security and protection of this employee data enough?

Privacy considerations prior to employment commonly include rules and best practices concerning background screenings, which the Fair Credit Reporting Act (“FCRA”) regulates. During the employment stage, privacy considerations commonly include substance testing, workplace surveillance, and employee misconduct. Of course, especially since the COVID pandemic began at the onset of 2020, encouraging many employers to implement work-from-home opportunities, issues relating to monitoring employee communication and device tracking on employer-owned devices and personal devices used for work purposes emerged increasingly. At the post-employment stage, a primary privacy consideration when ending the employment relationship with a former employee is properly restricting or terminating access to workplace facilities and devices with physical and electronic information. What does that look like? That may include deactivating or returning identification badges, key fobs, and PINs allowing entry into the facility, keeping a record to ensure all employer-owned devices are returned, or implementing post-termination contracts.

Here, Tesla may have unintentionally dropped the ball during the employment stage of the employment lifecycle. However, IT security and data protection policies were reportedly in place. So, what may have been the issue? This Tesla data breach comes after Reuters reported in April 2023 that a group of Tesla employees privately shared via internal messaging systems customer information, including videos and images recorded through car cameras. According to The Guardian, the Handelsblatt (foreign media outlet) report stated Tesla was failing to adequately protect access to customer and employee data. The Guardian further reported Handelsblatt quoted a Tesla attorney blaming the 100-gigabyte data breach on a "disgruntled former employee" who worked as a service technician.

Insider data breaches like this are a potential consequence when failing to create and enforce an effective information management program. Four essential pillars companies should aim for when developing information management programs include (1) discovery, (2) build, (3) communication, and (4) evolution. Within the discovery pillar, analyzing and characterizing potential targets of privacy threats for the purpose of discovering ways to combat privacy risks is paramount for the security and protection of collected data. This risk analysis generally consists of collected personal information being inventoried and classified according to its level of sensitivity; flows of data identified in a manner that illustrates what data is at risk, in transit, or in use; limits on employee access to data based on their need to perform their job; and regularly conducted self-assessments for accountability purposes. The build of an effective information management program should gather the results of the risk analysis to develop internal privacy policies for employees and contractors and external privacy notices for consumers based on fair information practices. These privacy policies and privacy notices should be documented and communicated to their respective audiences. Communication of privacy policies to internal employees may require additional training and certifications. Lastly, as privacy-related laws, market conditions, and company needs change and evolve, it is essential for there to be a review and update framework that allows for continued compliance, security, and protection.

Merely having policies in place is not enough. Taking these steps, in addition to other best practices, will help to prevent insider data breach incidents like this one.