[BreachExchange] Is It Really My Responsibility to Look After My Employees Data?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 26 19:00:03 EDT 2018


https://www.smallbizdaily.com/responsibility-look-after-employees-data/

Every business owner and entrepreneur gathers a large amount of personal and
sensitive information about their employees. Employee data is collected for
many different reasons, such as evaluations, application processes, and
organizational and legislative purposes. Employee data typically consists
of full names, dates of birth, residential addresses, photos, social
security numbers, ID or passport copies, medical or physical records, and
all the sensitive information from meetings (i.e. discussions about
employees, potential cases of misconduct, etc.), evaluations and personal
conversations.

Furthermore, as technology evolves, so do the information management
systems that many businesses use. Increasingly user-friendly software
applications also make it possible to outsource several tasks, an upcoming
trend, yet this increases the complexity and the potential risks as
employee data flows through multiple channels.

In this article, we don't dive into the soup mix of all the specific laws
and regulations on this topic, since laws and regulations differ greatly
from country to country, and within the U.S. even from state to state.
Interestingly, the laws on personal information in Europe are far more
extensive and stricter than those in the U.S.

It’s of utmost importance for employers to maintain the privacy of their
employees and protect sensitive personal information.

Why?

There are a number of different reasons; however, the possible result of
losing important employee information may cost a business heavily by losing
clients, investors, or customers. This could eventually lead to losing the
business as a whole.

Hackers could use personal data such as social security numbers or bank
account details to execute illegal transactions, identity theft, fraud, and
extortion. For the employer, this could turn into a very costly lawsuit.
Aside from the fact that one or more employees fall victim to data loss,
the remaining workforce is highly likely to lose trust in, and motivation to
work for, someone who is careless with their personal information, which
could then lead to losing a chunk of your workforce, lower productivity, or
lower job satisfaction. All these factors indirectly result in loss of
revenue and profit.

The legal team of a business carries out what is required in order to
create a digital environment in which employee data is protected as
securely as possible. With that comes a lot of responsibility; however, at
the end of the day the one who is responsible in most situations is the
employer. The security team is neither liable for the type of data that is
collected nor decides who has access to it. Therefore, the protection of
sensitive data must be regarded as highly important, which means that
appropriate security measures have to be implemented to maintain the
security of this data and treat it accordingly.

What can you do as an employer?

1) Restricted Access

Every employer should think carefully about who has access to sensitive
employee data and restrict the number of people with full access as much as
possible. Generally speaking, the fewer people who have access, the less
likely it is that a human mistake will cause leakage of personal data.
Employers should consider that not all employees in, for example, HR need
all the available employee data in order to perform their tasks.

2) Data encryption

It's important to create proper protocols for sharing employee data, and
the security team has to set up a safe environment where all the data is
encrypted, while the encryption key is safely stored and only accessible to
a very select group of people.

If you're running a business that operates in the cloud without an in-house
server, make sure to hire a cloud specialist to develop a safe and secure
online platform to store employee data.
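The two preceding points, restricting who may read which fields and keeping encrypted data apart from the key that unlocks it, can be made concrete in code. The following is an added example, not part of the article or of any product it describes. The role names, field names and the employee record are constructed; the KeyCustodian class stands in for a key-management service or HSM; and the HMAC-based keystream cipher is an illustrative stand-in for a real authenticated cipher such as AES-GCM. What it demonstrates is envelope encryption (a fresh per-record data key that is stored only in wrapped form) combined with role-based field filtering, so that application code never holds the master key and an HR generalist never decrypts the payroll fields.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Constructed role-to-field mapping (assumed role names): each role sees only
# the fields it needs, not the whole employee record.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "hr_generalist": {"name", "address"},
    "payroll": {"name", "ssn", "bank_account"},
}

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyCustodian:
    """Holds the master key. Stands in for a KMS/HSM: application code never
    receives the master key, only wrap/unwrap operations on data keys."""

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)

    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._master_key, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_sealed(self._master_key, wrapped)


def store_record(custodian: KeyCustodian, record: Dict[str, str]) -> Dict:
    """Envelope encryption: a fresh per-record data key encrypts each field;
    only the wrapped data key is stored alongside the ciphertexts."""
    data_key = secrets.token_bytes(32)
    return {
        "wrapped_key": custodian.wrap(data_key).hex(),
        "fields": {name: seal(data_key, value.encode()).hex() for name, value in record.items()},
    }


def read_record(custodian: KeyCustodian, role: str, stored: Dict) -> Dict[str, str]:
    """Decrypt only the fields the caller's role is permitted to see."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} has no access to employee records")
    data_key = custodian.unwrap(bytes.fromhex(stored["wrapped_key"]))
    return {
        name: open_sealed(data_key, bytes.fromhex(ct)).decode()
        for name, ct in stored["fields"].items()
        if name in allowed
    }


# Constructed sample employee record (fictional values).
SAMPLE_RECORD = {
    "name": "Ada Lovelace",
    "address": "12 Analytical Engine Road",
    "ssn": "000-00-0000",
    "bank_account": "GB00TEST00000000000000",
}

if __name__ == "__main__":
    custodian = KeyCustodian()
    stored = store_record(custodian, SAMPLE_RECORD)
    print("hr_generalist sees:", read_record(custodian, "hr_generalist", stored))
    print("payroll sees:", read_record(custodian, "payroll", stored))
```

The stored structure contains only ciphertexts and a wrapped data key, so a copy of the database is useless without the custodian; a role that is not in ROLE_FIELDS is refused before any decryption happens, and a modified ciphertext fails the tag check rather than decrypting to garbage.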

3) Security Protocols & Contingency Plan

Apart from working closely with your security team to prevent any leakage
of data and setting up security protocols, every employer should also think
about a contingency plan for when things go sideways.

Prevention policies are important, but it's impossible to prevent every
attack or human error that could cause a data leak.

Every company should have a protocol in place for when the system is
breached: immediate response steps for the security team, a legal team
that knows what to do, and different scenarios that have already been
rehearsed. You want to minimize the risk of being surprised and facing a
situation in which no one knows what to do.

Imagine your database being hacked and no one knowing what to do; that's
the perfect recipe for a huge disaster.

4) Communication

Communication is key for many businesses in many different ways, and the
same holds for data protection and security policies. Every employer
should raise awareness and communicate to all of its employees the
importance of data security and the potential risks. Employees also carry
responsibility when dealing with important information, and everyone should
work together as a team to maintain a safe environment for employee data.

But remember: in most situations, the employer carries the final
responsibility.