Who said that companies only have to be concerned with protecting the personal information of clients?
I have been reading and studying the privacy laws very carefully for several years and I've found the same thread over and over. These laws are in effect to protect the public from having their personal information stolen, lost, or otherwise misused. It's about identity theft, not compliance. And nowhere is it written that companies don't need to bother with employees' personal information.
Other laws require that companies who lose data notify everyone whose information has been breached. Why do these so-called "notification" laws exist? Is it so a business can be in compliance? No, it is to try and protect the public. Leaving employee data out of the mix won't help either. Aren't employees part of the public too? Businesses have a special obligation to their employees.
Every expert in the field of privacy protection that I have read says the same thing when asked which businesses are covered by which laws. The response is always the same: "It's the smart and responsible thing to do regardless of the nature of the business." If every business were to initiate a plan to safeguard the information it holds on employees and clients, who would be left out?
On the practical side, having such a plan that includes employees greatly reduces the employer's exposure to lawsuits filed by employees who are exposed to increased risk at work. Arming employees with a good, risk-averse identity theft protection service can nearly eliminate lost work time for employees and their families who have identity theft problems off the job too, if restoration is part of the service.
Employers, toss out that compliance thinking and develop a mindset of complete security. You will accomplish a greater goal. It is to your advantage.
Remember, when you protect the information you keep on others, you are protecting them. When someone else does it, they are protecting you.