Protecting Employee Data From a Human Resources Perspective

Originally published in the October 2018 issue of HR News.

Combatting cyber-threats and protecting data is not only the job of an IT department. Human resource professionals play a critical role in safeguarding personally identifiable information as well. Indeed, if there is one area in every company that has in its possession a literal treasure trove of sensitive information, it is Human Resource. Who else has access to employees’ names, addresses, dates of birth, social security numbers, bank account information (for direct depositing of paychecks), health and medical information (originating form health insurance applications, flex plan reimbursement materials) and financial information, especially if your company has a self-directed 401K plan and contributions are automatically deducted from payroll. Needless to say, a data breach implicating your Human Resources department could be devastating. So what can you as a human resource professional do to assist in maintaining the integrity of your company’s data? Plenty.

Collaborate with IT and Legal departments:

In order to know how to protect employee data, it is critical to understand what data you have in your possession and where the weaknesses are in your data maintenance. Human Resource department heads should meet with their Information Technology counterparts to insure that they have an understanding of the various data privacy threats they face. While not needing to be an IT expert, a head of Human Resources having a solid understanding of how data is maintained and utilized by a company will assist in insuring that the company overall has an adequate understanding of that information as well.

Similarly, meeting with your company’s legal counsel and discussing any industry specific legal obligations for data privacy is helpful. For instance, if your company is a healthcare company or financial institutions, understanding that HIPAA and the Gramm Leach Bliley Act applies to you will inform how you view data you utilize on a daily basis and respond if there is a data breach. By identifying specific classes of information that may be governed by separate laws and regulations beyond more generic data protections laws, a company can take additional steps to insure compliance with the more specific law. For example, in the event of a data breach, HIPAA requires that notice be sent to affected individuals within a specific time frame, while many state data privacy laws do not possess a similar requirement. In order to understand how your company needs to respond to any potential data breach, you must first know what laws, and their respective timing requirements, govern the data your company holds.

Education and Monitoring

Human Resource professionals are likely involved in periodic employee training and monitoring of employee activities. As such, it is important to insure that such training is undertaken on a regular basis and includes topics such as securing mobile devices, data safeguards for remote employees, password protection and recognizing common cyber-threats like social engineering, phishing and ransomware. Make all training mandatory and insure that proof of attendance becomes part of an employee’s personnel file. Doing so will insure employee education is current, while also creating a record of reasonable training to be used as business records evidence to buttress any defense to litigation your company may be subjected to in the aftermath of a cyber-breach. Maintaining such records may also be a condition of a cyber-insurance policy maintained by a company.

Also consider monitoring employees’ computer usage to detect employees accessing documents that they are not supposed to or unusual downloading activity. Insure that you have a computer privacy policy in place first which advises employees that they are subject to monitoring and have no expectation of privacy in their work devices. Doing so is a legal requirement but can also act as a deterrent to some employees who will limit their on-line usage for fear of employer access to their browser history, This in turn reduces the chances of employees accessing suspicious websites at work. Begin data privacy training during the onboarding process by providing all data privacy policies and procedures during any orientation or training for new employees. It is important to encourage employees from their first day of employment to understand that timely notice of any possible Data breach is crucial and that while all data privacy events must be reported, innocent mistakes happen. While employees can be disciplined for breaches of data privacy protocols it is important to foster an environment wherein employees feel free to report problems and are not in fear of retribution for such reporting.

Finally, be vigilant and keep watch for “rogue” employees, those individuals who are dissatisfied with work and may be prone to destroying materials or taking sensitive materials with them should they leave the company, or worse, those who may affirmatively try to hurt a company through the release of sensitive information. One way to prevent employees from going “rogue” is to encourage them to share any grievances with the company’s HR office so that the problem can be discussed and hopefully resolved internally.

You may download a copy of the article here.