[BreachExchange] Employee Data Security: Perquisite or Prerequisite?

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 26 19:11:59 EDT 2016


http://www.jdsupra.com/legalnews/employee-data-security-perquisite-or-61968/

One of the many costs of doing business in this day and age is the threat
of a data breach.  In the past several years data breach incidents have
occurred with increasing frequency.  From Target to eBay and Sony to Ashley
Madison, cybercriminals have caused much consternation among organizations,
governments, and consumers.  While protection of consumer data is a
critical issue for any entity, organizations are remiss if they do not
focus on protection of employee data as well.  Protection of employee data
should not be seen as a benefit of employment, but rather as a requirement
from the first employee hired to the last employee terminated, and everyone
in between.  Given the often sensitive nature of employee data, it is a
category of information which requires protection from external
cyberattacks, internal malicious actors, and innocent human errors.

Organizations obtain and store, among other things, employee social
security numbers, birthdates, home addresses, medical and health records,
and now even biometric data from wearable devices.  The critical mass of
employee data means cybercriminals are more interested in, and quite
capable of, launching a variety of attacks on organizations, often directly
through employees, in an attempt to access the information.  Moreover, the
prolific use of multiple devices by employees, as well as the increase in
BYOD policies, means there are more access points to data, many of which
are not secure.  These realities come together to form a perfect storm,
resulting in innocent mishaps or intentional attacks carried out with
increasing ease and frequency.

Data breaches can be attributed to cyberespionage, denial-of-service
attacks, insider attacks, phishing schemes, and human error, to name a
few.  No matter what type of attack, organizations need to ensure they are
doing everything in their power to protect employee data.  Employee
Relations Manager at McManis Faulkner, Cathy Reeves, advises that
“employees’ personal data must be kept safe, secure and up to date.  Access
to personal information should be limited only to those people in your
company who have a legitimate need to know.”  A failure to do so could
result in adverse consequences for the organization and employees, ranging
from improper use of the employee data, litigation resulting from damage to
employees or failure to notify when required, as well as financial harm
from litigation and also post-breach recovery efforts.

Confucius said, “A man who does not think and plan long ahead will find
trouble right at his door.”  This could not be more true in the context of
data security.  Planning and taking a proactive approach to data protection
requires, at a minimum:

- Knowledge of data types, locations, and access points;
- Knowledge of who has access to particular types of data—current and
former employees;
- Strong internal policies and protocols regarding sensitive data;
- Implementation of and employee training on internal policies and
protocols regarding sensitive data;
- Employee acknowledgment regarding authorized and unauthorized access to
and usage of sensitive data;
- Frequent internal security audits, monitoring and testing of data
infrastructure;
- Patching of any vulnerabilities in data infrastructure; and
- Data breach incident response plan.

The above list is not meant to be exhaustive, nor reflective of all that is
necessary to prevent a data breach.  The list does, however, represent that
protection of employee data is a task which requires thought and planning,
executive level involvement, and a unity of efforts across departments
within an organization.  With a proactive approach and a proper plan in
place, organizations are in a better position to provide employees with the
requisite level of protection relative to their sensitive data.