Almost all states have security breach laws that require notification (at least) of individuals when a data holder suffers unauthorized disclosure of certain personally identifiable information.
The important facts to know are the definitions of personally identifiable information and what it takes to achieve “safe harbor” in the event of disclosure.
The usual definition of personally identifiable information is the combination of a social security number or financial account information with a name and/or other individual data. If the disclosure lacks one or the other item (e.g. just a list of SS numbers or account numbers without names), then it will not be subject to the notification requirement.
A critical thing to know is that if the data is encrypted (e.g. scrambled/hashed/masked or otherwise electronically obscured) when the unauthorized disclosure occurs, safe harbor is established. There have been proposed federal laws that do away with the safe harbor for encryption, but as of now, none have been enacted into law.
Another critical thing to know is that some states prohibit the transmission of unencrypted personal information. There are few available guidelines as to the kind and sufficiency of any particular encryption method. NIST (the National Institute of Standards and Technology) does provide a standard for securing sensitive (but unclassified) material by U.S. Government agencies and, as a likely consequence, it may eventually become the de facto encryption standard for commercial transactions in the private sector.
If you are storing or working with Social Security numbers or other legally protected information and you have not cleared the entire process with your legal resource, you may be exposing yourself to extreme risk: major notification expense (and perhaps credit-monitoring and other indirect damages), and a very harmful hit to your business reputation.
When it comes to this type of information, finding ways to collect and transact it with fewer touchpoints is an excellent way to decrease information systems risk exposure. If you are using an ATS or recruitment software system, check with your vendor to ensure that the pertinent data are in fact encrypted, and be sure that all required configurations are in place and tested to ensure compliance.